Online Payment Security

If cybercrime were its own country, it would be a $8 trillion economy, larger than almost all countries on earth. That is why job #1 for me and everyone at Visa is cyber & payment security. 24x7x365 days a year we are focused on protecting cardholders, merchants and our infrastructure. We are at the very front lines in protecting payment flows and use the most sophisticated technologies, many of which we have invented ourselves – from finger printing typing/mouse movements to deep inspection of every transaction in near real time. We have thousands of the best engineers in the world working on this across every major time zone, and our multiple operations command centers monitor every aspect of the payment flow and our global infrastructure. On a normal day we collect and analyze billions of data points and use the most sophisticated AI techniques to assist us in ensuring the security of the ecosystem we are so privileged to serve. On Cyber Monday this year, we blocked 85% more suspected fraud globally compared to last year. Our newest tools like Visa Account Attack Intelligence Score, which launched earlier this year, leverages gen AI to stop enumeration attacks even before they commence. Last year we proactively blocked $40B of suspected fraudulent transactions, and our focus on continued investment is relentless and reflected in the $11B we have spent on this over the last 5 years. With that said, the hackers are not resting. They are using cutting edge tools, AI and other social engineering techniques to try and scam you directly. The best way to stay protected is to be aware of these methods, remain vigilant and ensure you are practicing good cybersecurity habits: - Always activate every alert on all your accounts – bank, cards, emails, social media, etc. - Always have strong passwords, change them regularly and don’t use the same credentials on different sites. Ideally use a good password manager. - Activate multi-factor authentication (MFA), and better still, use authenticators from reputable companies like Microsoft, Google, or Symantec. Passkeys are another form of MFA and are supported by many organizations including Visa. Passkeys eliminate passwords and are phishing-resistant. - Lock down money transfers in your bank/brokerage accounts when you are not planning to transact. - Establish SIM PINs with your telecom providers. - Do not click on hyperlinks in emails and text messages from anyone unknown - Use a good antivirus/anti malware on your devices - Keep your applications and operating system always up to date and patched - Always confirm legitimacy of the site you are on and it is a secure ‘s’ connection (ensure the url begins with https://) As we approach peak shopping season, I encourage everyone to be aware of the latest threats and read the recent report published by Visa (link in the comments). Please stay safe and enjoy the holidays. Rest assured we will be working behind the scenes to do our part to protect you 24x7.

In the first half of 2024, £571 million was lost to card payment fraud in the UK alone, much of it driven by scams on social media. Fraud has clearly evolved, adopting more modern and sophisticated tactics. In payment, one standard governing how card data is protected, namely how it is stored, processed, and transmitted, is the PCI DSS directives. The Payment Card Industry Data Security Standard was created in 2004 and has been the backbone of payment security for nearly 20 years. This year marks a big shift. Its latest version, PCI DSS v4.0, will become mandatory in March 2025. This is the first major update in over a decade, so worth taking a closer look at the key changes. Overall, PCI DSS v4.0 focuses on critical aspects such as encryption, authentication, network segmentation, and vulnerability testing, ensuring businesses are better equipped to handle the 'modern' security threats that are increasingly sophisticated too. ◾As such one of the key changes is the introduction of a flexible compliance approach. This means merchants can choose security measures that best fit their specific needs and risks. This approach is well-aligned with how businesses today manage their security challenges. In the same way that authentication frameworks are becoming more adaptive to varying levels of risk, other security measures are also evolving to be more context-specific and scalable. ◾Another key update focuses on the Stronger Authentication framework. Multi-factor authentication (MFA) is now mandatory for all accounts accessing sensitive payment systems, including remote administrative access. Specifically, MFA is required for all accounts that interact with the Cardholder Data Environment (CDE). ◾Stronger encryption and better key management are now essential. Businesses must use modern encryption methods instead of outdated ones. They also need to improve how encryption keys are created, shared, and stored to reduce the risk of data breaches and unauthorised access. ◾Given the industry’s shift towards real-time data processing, the latest guidelines also encourage automated monitoring and the use of tools that enable businesses to detect and flag non-compliance in real time. 👉🏽#Paymentexperts any perspectives to share on #pcidss🎙️? --- 𝑾𝒐𝒏𝒅𝒆𝒓 𝒘𝒉𝒐 𝒘𝒆 𝒂𝒓𝒆? 𝑊𝑒 𝑎𝑟𝑒 𝑎 𝑡𝑒𝑎𝑚 𝑜𝑓 𝑃𝑎𝑦𝑚𝑒𝑛𝑡𝑠 𝑆𝑡𝑟𝑎𝑡𝑒𝑔𝑖𝑠𝑡𝑠, 𝑏𝑙𝑒𝑛𝑑𝑖𝑛𝑔 𝑐𝑜𝑟𝑒 𝑡𝑒𝑐ℎ𝑛𝑖𝑐𝑎𝑙, 𝑜𝑝𝑒𝑟𝑎𝑡𝑖𝑜𝑛𝑎𝑙, 𝑎𝑛𝑑 𝑐𝑜𝑚𝑚𝑒𝑟𝑐𝑖𝑎𝑙 𝑒𝑥𝑝𝑒𝑟𝑡𝑖𝑠𝑒 𝑤𝑖𝑡ℎ 𝑎 𝑐𝑟𝑒𝑎𝑡𝑖𝑣𝑒 𝑎𝑝𝑝𝑟𝑜𝑎𝑐ℎ. 𝑊𝑒 𝑎𝑠𝑠𝑖𝑠𝑡 𝑐𝑙𝑖𝑒𝑛𝑡𝑠 𝑡ℎ𝑟𝑜𝑢𝑔ℎ 𝐶𝑜𝑛𝑠𝑢𝑙𝑡𝑖𝑛𝑔, 𝑆𝑡𝑟𝑎𝑡𝑒𝑔𝑦, 𝑅𝑒𝑠𝑒𝑎𝑟𝑐ℎ, 𝑎𝑛𝑑 𝑇ℎ𝑜𝑢𝑔ℎ𝑡 𝐿𝑒𝑎𝑑𝑒𝑟𝑠ℎ𝑖𝑝 𝑝𝑟𝑜𝑗𝑒𝑐𝑡𝑠. 𝑳𝒐𝒐𝒌𝒊𝒏𝒈 𝒇𝒐𝒓 𝒑𝒂𝒚𝒎𝒆𝒏𝒕 𝒍𝒆𝒂𝒓𝒏𝒊𝒏𝒈 𝒓𝒆𝒔𝒐𝒖𝒓𝒄𝒆? ◼️ Sign up to our unique Payment Assets Library here: https://lnkd.in/dVXjGkzB ◼️Follow Paypr.work [ˈpeɪpəwəːk] for more #paymentinfographics #paymentstrategy #payprwork #paymentinsights

Interesting comparison between Apple Pay and Google Pay security models. Apple Pay keeps the entire transaction process more local: The credit card info is stored directly in the Secure Element on the device. A Device Account Number (DAN) is created and used for transactions. Apple doesn’t store your card data on its servers the bank and ecommerce server only see the DAN. Google Pay uses a cloud-based model: Card info is stored on Google’s servers. Google generates a payment token when you make a transaction. This token is then passed to the e-commerce server and ultimately to the bank. Both systems are secure, but Apple’s on-device approach reduces server exposure, which can offer stronger privacy, especially in sensitive contexts. Google’s model allows more server-side flexibility and features like cross-device syncing.

I've built payment systems for years. The dirty secret is that we knew OTPs were broken, but we kept using them anyway. Every time an OTP fails, a merchant business loses money and blames the customer for abandoning their cart. And customers blame the merchant for poor systems. When a customer makes a purchase with a card, the issuing bank is responsible for authenticating - via OTP - whether the card is actually being used by its rightful owner.  So even banks face liability for OTP failures. Money and trust lost, never to return. During my years building payment infrastructure, I've watched businesses optimise every millisecond of their checkout flow, A/B test button colours, reduce form fields, then lose a third of their transactions to a six-digit code that may or may not arrive in time. That's not a minor inconvenience. That's a fundamental breakdown in how digital payments work. But thankfully, now we finally have a landmark regulatory approval to patch this broken system with biometric-integrated 2-factor authentication.  Now you can simply pay with a face scan or a fingerprint. And leading that change is Razorpay with the launch of India's first biometric-ready ACS, within just a few days after RBI's future-ready mandate.  This is huge for a fintech - amidst all the regulatory and compliance storms in fintech, fast execution is the biggest competitive advantage. Kudos to Harshil Mathur, Shashank Kumar and their team.  https://lnkd.in/g34xbKRi? It shows that fixing broken systems is possible when teams prioritise user experience over maintaining legacy infrastructure. My take? Authentication shouldn't be a hurdle. It should be invisible. Card payments are finally built for how we actually shop online: seamless, secure, and here to stay. What's one checkout experience that made you abandon a purchase? I'm curious how often authentication friction shows up in those stories.

Cybercriminals are exploiting a Microsoft 365 feature to impersonate PayPal, sending legitimate-looking payment requests that deceive users into revealing their login credentials. By creating test domains and email distribution lists within Microsoft 365, attackers bypass standard email security checks, making their fraudulent messages appear authentic. When users attempt to make the requested payment, they are redirected to a fake PayPal login page, where entering their credentials grants attackers access to their accounts. This sophisticated phishing tactic underscores the importance of vigilance when handling unexpected payment requests. Users should verify the legitimacy of such requests through official channels and avoid clicking on links or entering credentials via email prompts. Implementing robust email security measures and educating users about emerging phishing strategies are crucial steps in defending against these evolving cyber threats.

Welcome to 𝐓𝐡𝐞 𝐏𝐚𝐲𝐦𝐞𝐧𝐭𝐬 𝐀𝐜𝐚𝐝𝐞𝐦𝐲 by Checkout.com — Episode 16 👋 𝟑𝐃 𝐒𝐞𝐜𝐮𝐫𝐞 — The Authentication Layer in Card-Not-Present Transactions 3D Secure (3DS) is a security protocol developed by EMVCo to authenticate online cardholders in real time. It facilitates risk-based authentication between the issuer, merchant, cardholder, and Access Control Server (ACS)—creating an added layer of trust in card-not-present (CNP) transactions. — 𝐇𝐨𝐰 𝐝𝐨𝐞𝐬 𝟑𝐃 𝐒𝐞𝐜𝐮𝐫𝐞 𝐰𝐨𝐫𝐤? 3DS dynamically adapts to the transaction risk profile using one of two core flows: 1️⃣ 𝐅𝐫𝐢𝐜𝐭𝐢𝐨𝐧𝐥𝐞𝐬𝐬 𝐅𝐥𝐨𝐰 ✔ No customer interaction ✔ The issuer’s ACS validates the cardholder silently using contextual signals (device ID, IP, geolocation, past behavior) ✔ Ideal for low-risk transactions and returning users 2️⃣ 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞 𝐅𝐥𝐨𝐰 ✔ Issuer actively authenticates the cardholder ✔ Methods may include OTP, face ID, fingerprint, or app push notification ✔ Used when risk is elevated or regulatory thresholds require stronger SCA (e.g., PSD2 in Europe) — 𝐖𝐡𝐚𝐭 𝐢𝐬 𝐋𝐢𝐚𝐛𝐢𝐥𝐢𝐭𝐲 𝐒𝐡𝐢𝐟𝐭? When 3DS is applied (and the issuer approves the authentication), liability for fraud-related chargebacks shifts from the merchant to the issuer. This is especially critical for: → High-value CNP transactions → Cross-border payments → SCA-mandated regions (e.g., EU, UK, India) — 𝐒𝐭𝐚𝐧𝐝𝐚𝐥𝐨𝐧𝐞 𝟑𝐃𝐒 𝐯𝐬. 𝐏𝐒𝐏-𝐞𝐧𝐚𝐛𝐥𝐞𝐝 𝟑𝐃𝐒 📌 Standalone 3DS - Merchants directly integrate with a 3DS provider or ACS (VGS, Forter...) → Full control over routing, rules, and orchestration → More complex setup, ongoing maintenance, and liability handling → Best for technology-driven & enterprise merchants 📌 PSP-enabled 3DS - the PSP(Checkout.com, Adyen...) manages the 3DS flow → Simpler integration, streamlined performance → Embedded in the PSP’s payment flow → Built-in liability management and reporting → Less granular control over ACS selection or custom rule logic → Best for traditional merchants or start/scale-ups. — 𝐖𝐡𝐲 𝐌𝐞𝐫𝐜𝐡𝐚𝐧𝐭𝐬 𝐬𝐡𝐨𝐮𝐥𝐝 𝐜𝐚𝐫𝐞 ► Seamless user experience with risk-based friction reduction ► Increased authorization rates through dynamic routing ► Fraud reduction + chargeback liability protection ► Regulatory compliance with PSD2, RBI, and global SCA mandates — Source: Checkout.com ► Sign up to 𝐓𝐡𝐞 𝐏𝐚𝐲𝐦𝐞𝐧𝐭𝐬 𝐁𝐫𝐞𝐰𝐬: https://lnkd.in/g5cDhnjC ► Connecting the dots in payments... and Marcel van Oost

Who's responsible for stopping payment frauds? Is it the banks, the customer, or the RBI? The reality is safe payments are a shared responsibility. While regulations provide robust consumer protections, the weakest link can often be our own psychology. Fraudsters exploit emotions, not just technology. 🔒 Protect yourself from payment frauds. Use my C.H.E.C.K framework.   🔍 C – Credibility: Verify your payee. 🚫 H – Haste: Never be rushed into a payment. 📊 E – Excess Information: Be wary of sharing sensitive details. 🛠️ C – Control: Did you initiate a transaction yourself? 🎓 K – Knowledge: Know if the platform you’re on is safe to transact on. Watch this video to learn more. Download a free copy of our new report, Secure Payments, to go deep into the issue. - https://bit.ly/3W7XkUp Stay vigilant, stay informed, and protect your finances.  #SecurePayments #FraudPrevention #CHECKFramework  

Payment fraud is plaguing Latam. Merchants risk losing millions due to denied transactions and fraudulent payments. The only solution for businesses is: Prioritizing fraud detection. Some interesting facts: - Merchants are projected to lose $130 billion to online payment fraud between 2023 and 2028. - In the region, 1.3% of all revenue is lost to fraud - While 2.8% of transactions are blocked due to fraud suspicion. Besides financial damage, fraudulent payments can damage a business's reputation and strain customer relationships. Key actions to mitigate this issue: - Implement network tokenization - Invest in modern systems that can better detect and prevent fraud. - Work with companies like Yuno that offer advanced fraud detection and prevention solutions - Use machine learning and AI to analyze transaction patterns and flag suspicious activity in real-time. - Regularly update security protocols. - Educate customers about safe online shopping practices to reduce the risk of fraud. - Implement multi-factor authentication to add an extra layer of security. By proactively detecting and preventing fraud, businesses can protect their bottom line and ensure a positive customer experience.

In this episode, I highlighted a rising threat targeting non-technical users on Facebook and Instagram: 🔺 Fake pages mimicking real brands 🔺 Ads offering too-good-to-be-true prices 🔺 Redirecting users to professional-looking websites (even with HTTPS and SSL) that are actually scam platforms designed to steal credit card and banking data. 💳 These scams exploit the trust we place in digital storefronts. These scams are increasingly sophisticated and misleading. 🚨 I emphasized the importance of never blindly trusting “verified”-looking pages, and always being cautious before entering personal or payment information. 🛡️ For our Moroccan audience, I explained that secure e-payments are supported only through certified APIs like CMI and NAPS, and that all banks support 3D Secure. 🔐 🔐 I also encouraged users to manually enable/disable their cards for online payments and travel, to reduce exposure to fraud. 🏦 Banks carry a significant responsibility when it comes to digital awareness. Their role isn’t limited to offering secure payment infrastructure , they must also educate and alert customers, especially those who are not tech-savvy, about the risks of online fraud, fake pages, and phishing attempts. 🔔👇🏼 💡 A message to my tech & infosec peers: This TV segment i host is intentionally simplified and designed for our parents, siblings, and everyday users, those who aren’t in our field but are exposed daily to these digital risks. Awareness starts at home. #CyberSecurityAwareness #InfoSec #DigitalFraud #3DSecure #CMI #NAPS #OnlinePayments #PhishingScams #SocialMediaFraud #CyberSecurityMorocco #2MTV #صباحيات_2M #ProtectionDesDonnées #SécuritéNumérique #FintechMorocco #OnlineShoppingScams #DigitalSafety #TechForEveryone #CyberAwareness #FakePages #CyberÉducation #امن_رقمي #FraudeEnLigne

𝗪𝗵𝗮𝘁 𝗜𝘀 𝗖𝗹𝗶𝗰𝗸 𝗧𝗼 𝗣𝗮𝘆? Online checkout can feel repetitive, typing the same card details over and over again. Click to Pay is designed to change that It’s a secure, one-click checkout experience backed by the major card networks (Visa, Mastercard, Amex, Discover) Here’s the breakdown 👇 𝗪𝗵𝗮𝘁 𝗶𝘁 𝗱𝗼𝗲𝘀 Click to Pay lets shoppers check out online without entering card details manually Instead, they use a network-backed, tokenized card profile that’s recognized across participating merchants Customers can pay with: → Visa, Mastercard, Amex, or Discover → Any device (desktop, mobile, tablet) → Browsers or merchant apps that support the feature 𝗛𝗼𝘄 𝗶𝘁 𝘄𝗼𝗿𝗸𝘀 𝗮𝘁 𝗮 𝗴𝗹𝗮𝗻𝗰𝗲 1️⃣ Shopper clicks the Click to Pay icon at checkout 2️⃣ They confirm their saved card, no manual entry 3️⃣ The transaction is processed using network tokenization for added security No more storing card details on each merchant’s site 𝗪𝗵𝗼’𝘀 𝗯𝗲𝗵𝗶𝗻𝗱 𝗶𝘁? Click to Pay is a joint initiative by the four major card networks, designed to replace earlier “checkout wallets” with a standardized, secure experience that works across the web → Built on the EMV® Secure Remote Commerce (SRC) standard → Uses tokenization to protect card numbers → Works with both guest checkout and logged-in shoppers 𝗪𝗵𝘆 𝗺𝗲𝗿𝗰𝗵𝗮𝗻𝘁𝘀 𝗰𝗮𝗿𝗲 Key benefits for businesses: ▪️Faster checkout = reduced cart abandonment ▪️A uniform UX across sites = easier customer adoption ▪️Network-backed fraud prevention via tokenization & device recognition 𝗧𝗵𝗲 𝗱𝗿𝗮𝘄𝗯𝗮𝗰𝗸𝘀 → Merchant adoption isn’t universal yet → Dependent on browser/device support for smooth UX → Limited consumer awareness, many people still don’t know it exists 𝗧𝗵𝗲 𝗯𝗶𝗴 𝗽𝗶𝗰𝘁𝘂𝗿𝗲 Click to Pay aims to be the online version of tapping your card in-store fast, secure, and universal. As adoption grows, it could replace guest checkout entirely for card payments Source: EMVCo, Computop - the payment people 🔔 Follow Jason Heister for daily #Fintech and #Payments guides, technical breakdowns, and industry insights