Fraud Prevention and Risk:

Protecting Your Procurement Card Program

Presented By
Patricia Larkin Green, VP, Relationship Manager
J.P.Morgan, Wholesale Card & Procurement Services

Betty Heimansohn, CPPB, Procurement Card Manager

University of Colorado
April 20, 2009
Overview
 Patricia Larkin Green, J.P.Morgan

 Evolving History and Trends

 Steps J.P.Morgan is taking to Combat Fraud

 Betty Heimansohn, University of Colorado

 How CU is Keeping Credit Card Fraud at Bay

 Addendum

 Questions, Concerns
Types of Fraud
 Lost: Recovery varies

 Stolen: Recovery varies

 Non-receipt: NRI - Non-receipt of card

 Internet: Card Not Present/MOTO/Internet: Recovery is good

 Counterfeit/skimming: Card present - Recovery unlikely thru

chargeback process

 Stolen/compromised number: Recovery varies

 Account takeover: True name fraud

3
 Fraud by Type 4Q06 – 3Q07
Counterfeit and Card Not Present Fraud are the fastest growing fraud type today

$15

$13
Card
Not
$10 Present

$8
Counterfeit

$5

Lost
$3
NRI
Stolen Acct Takeover
$0
Sept Misc
Jan
May
Sept
Consumer Credit and
Commercial Card

4
Fraud Trends
 Increase in Counterfeit Cases –
1Q09 trending higher than FY08.
 Test Merchants –
Method in which fraudsters test the status of the card.
 Gift Cards –
Counterfeit card used to purchase gift cards from a retail merchant.
 Day to Day Living Expenses –
Not easily detected in the tools.
 Gas Pumps –
Focused on states with fewer controls.

5
 Fraud activity - Dynamic and nimble.
 “Carder” Sites - Well organized with business like structures.
 Wireless Technology - One of the leading drivers in hacking
events.
 Skimming - Continues to challenge the industry.
 Four step process is followed to validate a compromise occurred.
 Issued after confirmation that account data has been accessed by an intruder.
 JPM Commercial Card handles about twelve alerts per week.
 Not a breach involving JPM systems.
 Assessment is done by JPM to determine level of risk and strategy.
 JPM cannot reveal the name of the merchant or company involved in the breach.
 Fraud Strategy and Case Analytics

 Review of fraud cases to identify fraud trends and patterns of test (probe) merchants.
 Adjust fraud tools and strategies to target the most recent trends or test merchants.
 Review false positive fraud ratios weekly and revise strategies if needed to reduce fraud
exposure without impacting spend
 Participate in regular meetings with processors, Associations and other issuers to
validate industry trending.
 Identify Common Points of Purchase(CPP) in relation to confirmed fraud cases. We
turn this over to the Associations for forensic investigation.
 Work with law enforcement on large fraud cases that involve suspected fraud rings.
 Suggest and implement enhancements to further refine fraud detection tools.
 Analyze accounts queued in the Fraud Detection Systems or via
Association Alerts to detect fraud, misuse or credit related risks (i.e. NSF
Payments).
 Contact Cardholders to validate transactional activity.
 Work with the Program Administrators in reaching card members.
 Block accounts, flag fraud transaction(s), fraud report confirmed fraud to
Associations.
 Process replacement card requests.
 Initiate recommendations on strategic opportunities related to trends and
test merchants.
 Handle Inbound calls to verify transaction activity.
 Partner with Program Coordinators on potential misuse in escalation to the
Program Administrators.
What is J.P.Morgan Doing to Prevent Fraud?

 Hologram

 Tamper-evident signature panel

 Unique Magnetic strip encoding

10
What is J.P.Morgan Doing to Prevent Fraud?

 E-mail alerts are generated from Visa/MasterCard notifying of

account number compromise

 J.P.Morgan security representatives review accounts and make proper

contact with cardholders or administrators based on information
obtained from Visa and MC alerts

 J.P.Morgan security representatives contacts appropriate agency –

FBI, Secret Service, or other law enforcement agencies with pertinent
fraud information based on requirements within the Visa or MC alert

11
What is J.P.Morgan Doing to Prevent Fraud?

3. Cardholder and client awareness

 J.P.Morgan works with program administrators to develop proper

card control to reduce risk i.e:

 MCC codes

 credit limits

 purchase velocity limits

 Participate at conferences and forums to educate cardholders and

clients on current trends and fraud prevention

12
What is J.P.Morgan Doing to Prevent Fraud?

4. Fraud detection systems

 Flexible Fraud detection systems are used that provide the ability to
target both general fraud trends as well as specific trends

 Criteria/rules dynamically defined based on analysis of current fraud

trends

 Fraud patterns
 Specific MCC
 Dollar amounts
 Geographic location
 Specific merchants
13
What is J.P.Morgan Doing to Prevent Fraud?

4. Fraud detection systems (cont)

 When authorizations meet these pre-defined criteria, the account is

sent to queue

 J.P.Morgan security representatives analyze account and determine if

contact with cardholder and/or program administrator is needed

 Merchant referral status put on account if appropriate

14
 Fraud Department Structure

 Partner with Program Coordinators on potential misuse in escalation to

Program Administrators.

 Initiate recommendations to Clients on strategic opportunities related to

improved authorization controls.

 Open Fraud Cases

 Fraud Report to the Associations
 Send Affidavit
 Request and initiate chargeback for recoveries via Association regulations
 Investigate High Risk Merchant Category Codes to identify potential suspect
 Analyze for account history for potential point of compromise
 Work with various law enforcement agencies

15
 Fraud Chargeback Process
J.P.Morgan puts temporary credit on
account
Orders copy of sales draft-30 days

Affidavitsent and customer to return

within 30 days

Customer calls to report fraud

SALE

Ifmerchant contests, case in

arbitration with Visa-30 days
Representment of charge to merchant
Merchant can dispute-45 days
Settlement of decision by Visa

Second representment of charge

to merchant-30 days
16
Fraud Department Structure

 Recovery Investigations

 Upon receipt of the signed affidavit the Recovery Investigator will

initiate request to the merchant(s) to obtain documentation on the fraud
transaction(s) (This process takes approximately 45-90 days)

 If JPMorgan Chase recovers the loss via the Association Regulations the
Recovery Investigator will issue credit(s) for the fraud dollars to the old
(lost/stolen) account to offset the initial debit that was placed on the old
account when the case was initially opened.

17
Use card controls available:
 Restrict MCCs when possible, especially high risk MCCs.
 Set daily velocity and dollar limits on MCCs.
 Review the credit limits and determine based on usage.
 Set limits for the expected usage.
 Cash access should only be granted as needed.
 Flag can be set to restrict all foreign transactions in some cases.
Program Monitoring:

 Review transactions for exceptions and declines.

 Educate your cardholders to:
 review their transactions and statements.
 go into a bank to get cash or use a bank owned ATM.
 Use account blocking for temporary leaves or infrequent travelers.
 Company A Fraud Losses
2006 $88,000
2007 $86,000
2008(YTD) $18,448

 Increase in fraud loss trend detected.

 MCC changes implemented May, 2007.
 Over $50,000 in fraud losses avoided in two months.
 Common point of compromise identified and reported to Association.
 Investigation resulted in confirmation of a merchant breach.
 Denver
campus
Anschutz
Medical
campus
Colorado
Springs
campus

Boulder campus
CU’s Procurement Card Program

 $83M in Spend Last Year

 309,000 Transactions
 5000 Cardholders
 900 Approvers
 Unrecoverable Fraud is Minimal
 Controls on the Cards
 Merchant Category Codes (MCC) Groups
 Include Groups
 No Gas or Travel

 Cardholder Limits
 Maximum Single Purchase Limit
 $ Limit per Cycle
 # of Transactions per Day
 Keep the End-Users Informed

 Bi-Weekly Newsletter

 Email Alerts
 Ad Hoc
 Immediate Notification of Transactions

 Procurement Card Program Handbook
Special Section in the CU
Procurement Card Handbook on
Security Considerations:
 Watch for Red Flags
 Excessive Declines
 Unusual Merchants

 Cardholder Awareness
 Small $ Purchases
 Pay Attention to Notifications of Charges
 Phishing Emails
 Guarding the Data
 Use Encryption Program (Some are free!)

 Don’t Keep Card #s or Personal Information on the Desktop

 Work with IT to Make Sure Systems are PCI Compliant

Betty Heimansohn, CPPB
University of Colorado
Procurement Card Manager
303-315-2778
[email protected]

CU Procurement Card Program

https://www.cusys.edu/psc/purchasing/procurementcard/

Patricia Green, VP Product Specialist

JPMorgan
[email protected]
[email protected] to report scams
 High Risk MCCs
Top Merchant Category Codes – Fraud Losses
 5310 Discount Stores
 5411 Grocery Stores and Supermarkets
 5200 Home Supply Warehouse
 5941 Sporting Goods Block or Data-Mine
 5311 Department Stores
These MCCs
 5541 Service Station
 5542 Automated Gas Pump
 5912 Drug Store and Pharmacy (Gift Cards)
Other High Risk Merchant Category Codes
 5732 Electronic
 5944 Jewelry Watch and Clocks
 5945 Hobby Toy and Game Store
 5948 Luggage and Leather Goods
 5722 Household Appliances
 5300 Wholesale Clubs
 5734 Computer Software
 4812 Telecommunication Equipment Including Telephone Sales
 Why are my passwords so complex?

Six Characters Example Combinations Days

All numbers 123456 1,000,000 58

All letters abcdef 309,000,000 17,882

Numbers & letters 1a2b3c 2,180,000,000 126,157

Numbers, letters and special characters 1a#2b$ 3,520,000,000 203,704

19,600,000,00
Lower and upper case letters ABcDeF 0 1,134,259
56,800,000,00
Lower and upper case letters and numbers AB1dE2 0 3,287,037
Lower and upper case letters, numbers and special 690,000,000,0 39,930,55
characters AB1#cD 00 6

Did you know how long it tacks a hacker to crack a

password?
 Where can I go for more information?

http://www.ic3.gov
http://www.fbi.gov
http://www.ftc.gov
http://www.lookstoogoodtobetrue.com/

We can all play a significant part in thwarting Fraudulent

activity by practicing strong computer security habits such
as updating anti-virus software, using strong passwords and
employing good email and web security practices.