JPMorgan Chase and Bank One DAY ONE

1
Fraud Prevention and Risk Protecting Your
Procurement Card Program
Presented By Patricia Larkin Green, VP,
Relationship Manager J.P.Morgan, Wholesale Card
Procurement Services Betty Heimansohn, CPPB,
Procurement Card Manager University of
Colorado April 20, 2009
2
Overview

• Patricia Larkin Green, J.P.Morgan
• Evolving History and Trends
• Steps J.P.Morgan is taking to Combat Fraud
• Betty Heimansohn, University of Colorado
• How CU is Keeping Credit Card Fraud at Bay
• Addendum
• Questions, Concerns

3
Types of Fraud

• Lost Recovery varies
• Stolen Recovery varies
• Non-receipt NRI - Non-receipt of card
• Internet Card Not Present/MOTO/Internet
  Recovery is good
• Counterfeit/skimming Card present - Recovery
  unlikely thru chargeback process
• Stolen/compromised number Recovery varies
• Account takeover True name fraud

4
Fraud by Type 4Q06 3Q07
Counterfeit and Card Not Present Fraud are the
fastest growing fraud type today
Card Not Present
Counterfeit
Lost
NRI
Acct Takeover
Stolen
Misc
Consumer Credit and Commercial Card
5
Fraud types change and continue to evolve
Fraud Trends

• Increase in Counterfeit Cases
• 1Q09 trending higher than FY08.
• Test Merchants
• Method in which fraudsters test the status of the
  card.
• Gift Cards
• Counterfeit card used to purchase gift cards from
  a retail merchant.
• Day to Day Living Expenses
• Not easily detected in the tools.
• Gas Pumps
• Focused on states with fewer controls.

6
Industry Landscape

• Fraud activity - Dynamic and nimble.
• Carder Sites - Well organized with business
  like structures.
• Wireless Technology - One of the leading drivers
  in hacking events.
• Skimming - Continues to challenge the industry.

7
Association Alerts

• Four step process is followed to validate a
  compromise occurred.
• Issued after confirmation that account data has
  been accessed by an intruder.
• JPM Commercial Card handles about twelve alerts
  per week.
• Not a breach involving JPM systems.
• Assessment is done by JPM to determine level of
  risk and strategy.
• JPM cannot reveal the name of the merchant or
  company involved in the breach.

8
Fraud Strategy and Case Analytics

• Review of fraud cases to identify fraud trends
  and patterns of test (probe) merchants.
• Adjust fraud tools and strategies to target the
  most recent trends or test merchants.
• Review false positive fraud ratios weekly and
  revise strategies if needed to reduce fraud
  exposure without impacting spend
• Participate in regular meetings with processors,
  Associations and other issuers to validate
  industry trending.
• Identify Common Points of Purchase(CPP) in
  relation to confirmed fraud cases. We turn this
  over to the Associations for forensic
  investigation.
• Work with law enforcement on large fraud cases
  that involve suspected fraud rings.
• Suggest and implement enhancements to further
  refine fraud detection tools.

9
What is JPMC Doing?

• Analyze accounts queued in the Fraud Detection
  Systems or via Association Alerts to detect
  fraud, misuse or credit related risks (i.e. NSF
  Payments).
• Contact Cardholders to validate transactional
  activity.
• Work with the Program Administrators in reaching
  card members.
• Block accounts, flag fraud transaction(s), fraud
  report confirmed fraud to Associations.
• Process replacement card requests.
• Initiate recommendations on strategic
  opportunities related to trends and test
  merchants.
• Handle Inbound calls to verify transaction
  activity.
• Partner with Program Coordinators on potential
  misuse in escalation to the Program
  Administrators.

10
1. Unique designed credit card
What is J.P.Morgan Doing to Prevent Fraud?

• Hologram
• Tamper-evident signature panel
• Unique Magnetic strip encoding

11
2. Partner with Visa and MasterCard
What is J.P.Morgan Doing to Prevent Fraud?

• E-mail alerts are generated from Visa/MasterCard
  notifying of account number compromise
• J.P.Morgan security representatives review
  accounts and make proper contact with cardholders
  or administrators based on information obtained
  from Visa and MC alerts
• J.P.Morgan security representatives contacts
  appropriate agency FBI, Secret Service, or
  other law enforcement agencies with pertinent
  fraud information based on requirements within
  the Visa or MC alert

12
What is J.P.Morgan Doing to Prevent Fraud?
3. Cardholder and client awareness

• J.P.Morgan works with program administrators to
  develop proper card control to reduce risk i.e
• MCC codes
• credit limits
• purchase velocity limits
• Participate at conferences and forums to educate
  cardholders and clients on current trends and
  fraud prevention

13
What is J.P.Morgan Doing to Prevent Fraud?
4. Fraud detection systems

• Flexible Fraud detection systems are used that
  provide the ability to target both general fraud
  trends as well as specific trends
• Criteria/rules dynamically defined based on
  analysis of current fraud trends
• Fraud patterns
• Specific MCC
• Dollar amounts
• Geographic location
• Specific merchants

14
What is J.P.Morgan Doing to Prevent Fraud?
4. Fraud detection systems (cont)

• When authorizations meet these pre-defined
  criteria, the account is sent to queue
• J.P.Morgan security representatives analyze
  account and determine if contact with cardholder
  and/or program administrator is needed
• Merchant referral status put on account if
  appropriate

15
Fraud Investigations and Recovery
Fraud Department Structure

• Partner with Program Coordinators on potential
  misuse in escalation to Program Administrators.
• Initiate recommendations to Clients on strategic
  opportunities related to improved authorization
  controls.
• Open Fraud Cases
• Fraud Report to the Associations
• Send Affidavit
• Request and initiate chargeback for recoveries
  via Association regulations
• Investigate High Risk Merchant Category Codes to
  identify potential suspect
• Analyze for account history for potential point
  of compromise
• Work with various law enforcement agencies

16
Fraud Chargeback Process

• J.P.Morgan puts temporary credit on account
• Orders copy of sales draft-30 days

• Affidavit sent and customer to return within 30
  days

• Customer calls to report fraud

• If merchant contests, case in arbitration with
  Visa-30 days

• Representment of charge to merchant
• Merchant can dispute-45 days

• Settlement of decision by Visa

• Second representment of charge to merchant-30 days

17
Fraud Investigations and Recovery
Fraud Department Structure

• Recovery Investigations
• Upon receipt of the signed affidavit the Recovery
  Investigator will initiate request to the
  merchant(s) to obtain documentation on the fraud
  transaction(s) (This process takes approximately
  45-90 days)
• If JPMorgan Chase recovers the loss via the
  Association Regulations the Recovery Investigator
  will issue credit(s) for the fraud dollars to the
  old (lost/stolen) account to offset the initial
  debit that was placed on the old account when the
  case was initially opened.

18
Minimize Risk Your Role

• Use card controls available
• Restrict MCCs when possible, especially high risk
  MCCs.
• Set daily velocity and dollar limits on MCCs.
• Review the credit limits and determine based on
  usage.
• Set limits for the expected usage.
• Cash access should only be granted as needed.
• Flag can be set to restrict all foreign
  transactions in some cases.

19
Minimize Risk Your Role

• Program Monitoring
• Review transactions for exceptions and declines.
• Educate your cardholders to
• review their transactions and statements.
• go into a bank to get cash or use a bank owned
  ATM.
• Use account blocking for temporary leaves or
  infrequent travelers.

20
Case Study

• Company A Fraud Losses
• 2006 88,000
• 2007 86,000
• 2008(YTD) 18,448
• Increase in fraud loss trend detected.
• MCC changes implemented May, 2007.
• Over 50,000 in fraud losses avoided in two
  months.
• Common point of compromise identified and
  reported to Association.
• Investigation resulted in confirmation of a
  merchant breach.

21
University of Colorado
Denver campus
Anschutz Medical campus
Colorado Springs campus
Boulder campus
22

CUs Procurement Card Program

• 83M in Spend Last Year
• 309,000 Transactions
• 5000 Cardholders
• 900 Approvers
• Unrecoverable Fraud is Minimal

23
Protecting CUs Procurement Card Program

• Controls on the Cards
• Merchant Category Codes (MCC) Groups
• Include Groups
• No Gas or Travel
• Cardholder Limits
• Maximum Single Purchase Limit
• Limit per Cycle
• of Transactions per Day

24
Protecting CUs Procurement Card Program

• Keep the End-Users Informed
• Bi-Weekly Newsletter
• Email Alerts
• Ad Hoc
• Immediate Notification of Transactions
• Procurement Card Program Handbook

25
Special Section in the CU Procurement Card
Handbook on Security Considerations
26
Protecting CUs Procurement Card Program

• Watch for Red Flags
• Excessive Declines
• Unusual Merchants
• Cardholder Awareness
• Small Purchases
• Pay Attention to Notifications of Charges
• Phishing Emails

27
Protecting CUs Procurement Card Program

• Guarding the Data
• Use Encryption Program (Some are free!)
• Dont Keep Card s or Personal Information on the
  Desktop
• Work with IT to Make Sure Systems are PCI
  Compliant

28
Resources

• Betty Heimansohn, CPPB
• University of Colorado
• Procurement Card Manager
• 303-315-2778
• betty.heimansohn_at_cu.edu
• CU Procurement Card Program
• https//www.cusys.edu/psc/purchasing/procurementca
  rd/
• Patricia Green, VP Product Specialist
• JPMorgan
• patricia.m.green_at_jpmchase.com
• abuse_at_jpmc.com to report scams

29
Resources
High Risk MCCs

• Top Merchant Category Codes Fraud Losses
• 5310 Discount Stores
• 5411 Grocery Stores and Supermarkets
• 5200 Home Supply Warehouse
• 5941 Sporting Goods
• 5311 Department Stores
• 5541 Service Station
• 5542 Automated Gas Pump
• 5912 Drug Store and Pharmacy (Gift Cards)
• Other High Risk Merchant Category Codes
• 5732 Electronic
• 5944 Jewelry Watch and Clocks
• 5945 Hobby Toy and Game Store
• 5948 Luggage and Leather Goods
• 5722 Household Appliances
• 5300 Wholesale Clubs
• 5734 Computer Software
• 4812 Telecommunication Equipment Including
  Telephone Sales

Block or Data-Mine These MCCs
30
Resources
Why are my passwords so complex?
Six Characters Example Combinations Days
All numbers 123456 1,000,000 58
All letters abcdef 309,000,000 17,882
Numbers letters 1a2b3c 2,180,000,000 126,157
Numbers, letters and special characters 1a2b 3,520,000,000 203,704
Lower and upper case letters ABcDeF 19,600,000,000 1,134,259
Lower and upper case letters and numbers AB1dE2 56,800,000,000 3,287,037
Lower and upper case letters, numbers and special characters AB1cD 690,000,000,000 39,930,556
Did you know how long it tacks a hacker to crack
a password?
31
Resources
Where can I go for more information?

• http//www.ic3.gov
• http//www.fbi.gov
• http//www.ftc.gov
• http//www.lookstoogoodtobetrue.com/

We can all play a significant part in thwarting
Fraudulent activity by practicing strong computer
security habits such as updating anti-virus
software, using strong passwords and employing
good email and web security practices.