
An increase of card not present fraud in HSBC causes implementations


VO THI KIM THOA

AN INCREASE OF CARD-NOT-PRESENT FRAUD

IN HSBC: CAUSES & IMPLEMENTATIONS

Ho Chi Minh City – 2019


Major: Finance – Banking (Financial Instruments and Markets) Code: 8340201

Master Thesis in Economics (by coursework)

SUPERVISOR: Dr PHAM PHU QUOC


“I the undersigned declare that all material presented in this paper is my own work or fully and specifically acknowledged wherever adapted from other sources.

I understand that if at any time it is shown that I have significantly misrepresented material presented here, any degree or credits awarded to me on the basis of that material may be revoked.

I declare that all statements and information contained herein are true, correct and accurate to the best of my knowledge and belief.”

Vo Thi Kim Thoa


HSBC Vietnam: Hong Kong and Shanghai Bank Corporation Vietnam

EMV: Europay, MasterCard, and Visa

MPI: Merchant Plug-In

POS: Point Of Sale

Visa: Visa International Service Association

MOTO: Mail Orders, Telephone Orders

CVV: Card Verification Value

US: United States of America

SBV: State Bank of Vietnam

RBWM: Retail Banking and Wealth Management

Figure 2.2: The four-party model

Figure 2.3: Vietnamese internet users (unit million users)

Figure 2.4: HSBC Chargeback ratio from 2013 – 2017

Figure 2.5: HSBC fraud type from 2013 - 2017

Figure 3.1: HSBC CNP fraud ratio by merchant type in 2016 & 2017

Figure 3.2: Respondent survey on factors of transactional behaviour

Figure 3.3: The relative importance of variable types

Figure 3.4: Global Fraud Rates by Merchant Type

Figure 3.5: The effectiveness of current system authentication in HSBC

Figure 3.6: Transaction Validation Services Currently Used and Anticipated to be Used

Figure 3.7: The Most Effective fraud Tools

Figure 3.8: Respondent survey on factors of system authentication

Figure 3.9: Respondent survey on factors of personal information security

Table 2.1: Summary of researches about credit card fraud

Picture 2.2: Verified by Visa service on website

Picture 2.3: Screen of blocking status

Picture 2.4: Screen of unlock 3D service

Picture 2.5: Screen of card has no VbV service

Flowchart 2.1: Account at risk procedure of HSBC Vietnam 2014

paid. That requires the payments ecosystem to continuously evolve and change to provide users with a safe, convenient and effective tool. Therefore, eCommerce merchants must not only focus mostly on the point of transaction, on session and behavioral monitoring, and on validating the identity of a user before any transaction, but also play a pressing role in preventing CNP fraud, because it is predicted that retailers will lose around $130 billion to digital CNP (Card-not-Present) fraud between 2018 and 2023.

CNP fraud is a topical question for financial providers. As an international bank and a top credit card issuer in Vietnam, HSBC has faced an increase in CNP fraud since the beginning of 2016, which poses a threat not only to operational risk but also to the reputation risk of the Bank. This is the reason why the author decided to choose the problem “An increase of card-not-present fraud in HSBC: Causes and implementations” as a thesis topic to investigate and to recommend solutions.

Keywords: Card-Not-Present Fraud, Transactional Behaviour, System Authentication, Personal Information Security, Legislation

safe and effective. This forces the electronic payment ecosystem to continuously develop and change in order to provide users with a safe, convenient and effective payment tool. Therefore, e-commerce must not only focus mainly on the time, session and behaviour of a transaction and on the identity of its user, but must also focus on preventing card-not-present fraud, because the retail market is forecast to lose about 130 billion dollars to card-not-present fraud between 2018 and 2023.

CNP fraud is a topical issue for the financial services industry. As an international bank and a leading credit card issuer in Vietnam, HSBC has faced an increase in card-not-present fraud since the beginning of 2016, which not only threatens operational risk but may also affect the Bank's reputation. That is why the author chose the topic “The increase in the rate of card-not-present payment fraud at HSBC: Causes and remedies” as the research subject of the graduation thesis.

Keywords: card-not-present payment fraud, transaction characteristics, online transaction authentication system, personal information security, legal regulations

ABBREVIATIONS

LIST OF TABLES AND FIGURES

LIST OF AND PICTURES

ABSTRACT

TABLE OF CONTENT

CHAPTER 1: INTRODUCTION

1.1 Statement of the problem

1.2 Research objective and scope

1.3 Research methodology

1.4 Research contribution

1.5 Research structure

CHAPTER 2: AN INCREASE IN CARD-NOT-PRESENT FRAUD AND THE LIMITATIONS IN CURRENT RISK MANAGEMENT

2.1 Background of CNP fraud in HSBC

2.1.1. Overview about HSBC Vietnam

2.1.2. Definition of Card-not-present fraud

2.1.2.1 Literature review

2.1.2.2 Online payment processing

2.1.2.3 About card-not-present fraud

2.2.1. 3-D secure pay

2.2.2. Account at risk procedure

2.2.3. Fraud risk monitoring system

2.2.4. Other methods

CHAPTER 3: CNP FRAUD CAUSES ANALYSIS

3.1 Cross-border frequency in transactional behaviour

3.2 Inappropriate approval protocols in fraud monitoring and system authentication

3.3 Lower consumer awareness in personal information security

3.4 Lack of online purchase compliance in legislation

CHAPTER 4: SOLUTIONS AND LIMITATIONS

4.1 Adopt advanced authentication techniques for online transaction tracking

4.2 Enhance consumer awareness

4.3 Formulate policies address cybersecurity

4.4 Limitation and suggestions for future research

CONCLUSION

REFERENCES

APPENDIX 1

APPENDIX 2

CHAPTER 1: INTRODUCTION

This chapter states the research problem with its symptoms and summarizes the causes and implementations provided. In addition, the organization of this study is outlined to brief the content of the thesis.

1.1 Statement of the problem

In HSBC, a 2017 report on fraudulent transactions illustrates an increase in CNP fraud of 25.38% from 2013 to 2017, with especially dramatic growth in 2016 and 2017, at 68.3% and 72.6%. The proportion of CNP fraud was under three times as high as that of the remaining types. Another noticeable point is that the chargeback rate in 2017 was 1.12%, which exceeded both the acceptable rate of 1% and the recommended controlled rate (0.8%). The increase in the CNP fraud ratio, both in the volume of chargeback cases and in the total amount of loss, raises questions about the adoption of current risk management for CNP transactions. Therefore, the causes of and implementations to reduce the CNP fraud ratio will be investigated in order to protect HSBC cardholders from fraudulent transactions.

Card-not-present fraud is also a global challenge for the non-cash payment industry. It will cost retailers worldwide $130 billion between 2018 and 2023, a new report from Juniper Research predicts. This fraud is growing faster than CNP transactions because of the increasing sophistication of fraudsters' techniques (Steffen Sorrell, 2019). The current global recession is highlighting the fragility of the international banking and finance system, which is subject to greater risks and acts of fraud. Fraud prevention remains the biggest challenge in addressing fraud stemming from a fast-changing information technology environment, where the internet has become one of the most important channels for the retail sector. Technology gives criminals new tools for gaining access to information and funds with more complicated approaches, in many forms, without using physical cards.

In Vietnam, from 2014 to 2017, the percentage of CNP fraud increased from 75 per cent to 83 per cent. One of the reasons for this is the adoption of the EMV chip in the market, which helps to prevent counterfeit (CFT) fraud; as such, fraud has migrated from the counterfeit (CFT) channel to the CNP channel. Globally, the fraud rate is less than 10 basis points, meaning that out of every $100 spent, $0.10 is reported as fraud. For the Vietnamese market, it is only $0.03 out of every $100 spent. The fraud rate for Vietnam has remained low due to the collective efforts of the Vietnamese government, payment networks, financial institutions, merchants, and law enforcement. Nevertheless, in light of promoting cashless transactions, the Vietnamese government has launched an ambitious plan to reduce cash transactions in the country to less than 10% of total market transactions by 2020. As per the plan, at least 70% of water, electronics, and telecommunication service providers will accept cash-free payments, and at least 50% of total urban households will use electronic payments for daily transactions by 2020. Along with electronic payments, the government is also focusing on increasing the use of credit cards by ensuring that all supermarkets, shopping malls, and distributors accept credit cards. Together with the boom of e-commerce, these tendencies will attract more organized cyber criminals and pose a serious threat to CNP fraud prevention.

In conclusion, the workload burden on the operations team in chargeback handling and the increase in the loss volume of card-not-present fraud were symptoms of the gap in the current cybercrime risk management meant to protect HSBC cardholders from cybercrime attacks. Hence, the purpose of this research is to identify particular causes and propose implementations in order to reduce monitoring cost. Furthermore, CNP fraud is also a shared challenge for the banking system; pioneering in fraud prevention helps HSBC maintain its leading brand in the credit card market, not only in the quantity of cards but also in the quality of card spending revenue.

1.2 Research objective and scope

The study was guided by the following objectives:

- To analyse the causes influencing card-not-present fraud in HSBC Vietnam

- To determine how transaction characteristics influence the potential for online fraud on credit cards

- To discover how the authentication method influences the potential for online fraud on credit cards

- To recommend solutions to tackle this issue from the Bank's perspective

The scope of this thesis is the reality of CNP fraud consequences in HSBC Vietnam. Besides that, CNP fraud in this research is investigated only for transactions in which cards are not physically presented at POS.

1.3 Research methodology

The thesis uses quantitative methods to emphasize and analyse the research objectives. The author collected data from the HSBC Vietnam fraud report and a questionnaire survey to gather numerical data and generalize causes and solutions for the research problem. The survey was conducted through face-to-face interviews, website interceptors and online polls.

The survey questionnaire was originally developed in English and then translated into Vietnamese. In-depth interviews were conducted to modify the measurement scale. After the qualitative phase, a quantitative pilot study was conducted, in which individual face-to-face interviews and an online survey were undertaken to test interviewees' understanding of the contents of the questions in the questionnaire, as well as to make sure the online survey ran properly. The final questionnaire was launched in the following main survey. The questionnaire was sent to respondents using the Google Survey tool and on paper.

This thesis focused on credit cardholders living in Ho Chi Minh City. The author selected this city for research purposes because it is the biggest area for credit card issuance and usage, and a favourite target market for fraud as well. The study is conducted to gain a better understanding of the factors influencing CNP fraud. Respondents of this study are people who live in HCMC and know about credit cards.

From the customer perspective, this study will help customers understand the various factors influencing CNP fraud, enhance their awareness of fraud prevention and learn how to mitigate fraud.

From the research perspective, there is very limited previous research on the Vietnamese CNP fraud rate. Although fraud prevention and detection, particularly for CNP fraud in the credit card industry, is a much-discussed topic that receives a lot of attention, the number of publicly available works is rather limited. Through a multi-faceted framework, the study extends the literature on transactional behavior, system authentication, personal information security and legislation in the context of credit card fraud among Vietnamese cardholders. The research results not only contribute to the literature on the factors affecting the CNP fraud rate but also serve to motivate similar studies to determine whether the correlates of the factors reported here are similar or different.

In conclusion, the payments ecosystem continues to evolve and change; as a result, streamlining and improving the overall payment process requires a compliant foundation supported by industry best practices. CNP fraud detection and prevention must continue to effectively address obstacles to reducing fraud loss and keep pace with current and emerging solutions to optimize fraud monitoring and authorization.”

Chapter 3 presents the causes of the problem.

The final chapter summarizes recommendations for solving the problem statement.

CHAPTER 2: AN INCREASE IN CARD-NOT-PRESENT FRAUD AND THE LIMITATIONS IN CURRENT RISK MANAGEMENT

This chapter presents an overview of the increase in CNP fraud in HSBC, shown by an increase in the chargeback and CNP loss ratios. The workload burden in chargeback handling and the increase in losses from card-not-present fraud were symptoms of the gap in the current risk management solution for protecting HSBC cardholders from cybercrime.

2.1 Background of CNP fraud in HSBC

2.1.1 Overview about HSBC Vietnam

“HSBC Vietnam opened its first office in Saigon (now Ho Chi Minh City) in 1870. In August 1995, HSBC opened a full-service branch in Ho Chi Minh City. HSBC also opened its second branch in Hanoi and established a representative office in Can Tho City in 2005. On 1 January 2009, HSBC became the first foreign bank to incorporate in Vietnam. The new entity, HSBC Bank (Vietnam) Ltd., is 100 per cent owned by The Hongkong and Shanghai Banking Corporation Limited. HSBC Bank (Vietnam) Ltd. is also the first wholly foreign-owned bank to operate both branches and transaction offices in Vietnam. HSBC is currently one of the largest foreign banks in Vietnam.”

HSBC introduced the first credit card in 2008, which marked its pioneering role in the card industry in Vietnam. Since then, HSBC has developed the credit card business as a top-priority sector of Retail Banking and has been honoured with a great number of awards, such as Best Foreign Bank in Vietnam 2006 – 2012, 2014, 2015, 2016, 2017, 2018 by FinanceAsia, Leadership in Payment Volume 2011-2016 and Leadership in Credit Payment Volume 2011–2017 by Visa, Top 3 Payment Volume by MasterCard in 2015, etc.

As for credit card products, depending on customer income and demand, HSBC currently offers Visa Classic, Visa Gold (or Visa Cashback from June 2018), Visa Platinum and Premier MasterCard. Through continuous promotion of card-opening campaigns and card usage, as well as its well-known global brand, the volume of credit cards issued increased in the period 2012-2017. The volume of new cards issued is indicated in Figure 2.1.

Figure 2.1: HSBC new card issue number from 2012 – 2017

Source: HSBC Internal Fraud report 2017

HSBC witnessed a significant increase in the number of new cards issued from 2012 to 2017, reaching a peak in 2017. This achievement was supported by the impact of internal and external factors. In terms of internal factors, together with the advantage of an internationally well-known brand, HSBC RBWM has continuously promoted campaigns for new cards, including cashback refunds of up to VND 2 million, a free first-year membership fee, wide relationships to expand customer networks, such as Nguyen Kim, Tiki, Lazada, Adayroi, Shopee … and other appealing promotions for salary account holders. It goes without saying that HSBC's marketing strategy has effectively supported sales performance in recent years.

A fraud attack begins with data. In addition, customers are more and more familiar with the convenience of credit card payment; therefore, a periodic data review and backup should be taken into consideration. In other words, data review procedures need to be modified to adapt to new customers and changes in their habits.

2.1.2 Definition of Card-not-present fraud

2.1.2.1 Literature review

“A credit card is a thin rectangular slab of plastic issued by a financial company, that lets cardholders borrow funds with which to pay for goods and services. Credit cards impose the condition that cardholders pay back the borrowed money, plus interest, as well as any additional agreed-upon charges. Credit cards are being used widely nowadays thanks to their convenience in payment. Because of the credit card's role in the payment system, it has become a target of fraudsters in recent years. In general, fraud is defined as unauthorized use of an account: the assumption of another person's identity for the purpose of opening or taking over an account or executing unauthorized transactions. Fraud on credit card transactions can include (1) lost or stolen cards that are used by criminals, (2) counterfeit cards and (3) cards not physically presented at POS. In this research, the author just focuses on fraud that occurs when cards are not physically presented at POS; in other words, it is called card-not-present fraud.”

Card-not-present fraud is increasing with the expansion of modern technology and global communication. This increase in fraudulent transactions results in substantial losses to business, and therefore fraud detection has become an important issue to be considered.

Table 2.1: Summary of researches about credit card fraud

| Researcher | Country | Findings |
| --- | --- | --- |
| Kingsley Chibuzor Aguoru (2015) | UK | 3D Secure often triggers confusion to cardholders and this solution escapes academic scrutiny. The major cause of CNP transaction fraud is attributed to identity theft, and future researches concentrate on more tackling identity theft. Page 80. |
| Renguga Devi T et al (2014) | India | The credit score of transaction is one of the most important factors used to predict the transaction, detect fraudulent transactions. |
| Haron Alex K Sitienei (2012) | Kenya | Skimming is a factor influencing credit card fraud due to lack of training of bank employees. System security and a loophole of document authentication contribute for credit card fraud. |
| Adnan M. Al-Khatib (2012) | Jordan | Data mining using AI techniques achieved better performance than traditional statistical methods. Fraud detection processing classifies transactions into two classes: legitimate & fraudulent. Fraud detection system should have some properties to perform good results, and take into account the cost of fraudulent behavior. |
| Tetro et al (2004) | USA | Two types of security measure developed for electronic card transactions is billing address and automated number identification blocking. |
| U.S. Payments Forum | USA | Subscription services witnessed the highest rate of CNP fraud by type of merchant. The two most commonly used method for authenticating online transactions are card verification numbers and negative lists. There is no global legislation governing CNP fraud, and this situation will likely persist. |
| Richard J. Bolton & David J. Hand (2002) | UK | Suspicion scores to detect compromised account can be based on customer's previous usage patterns. |
| Peter Burns & Anne Stanley (2002) | USA | Transaction behavior monitoring is proactive attempt to prevent fraudulent transactions. A coordinated approach to consumer education should be provided because victims of credit card fraud were unaware of account and personal information disclosure. |
| Veronique Van Vlasselaer et al (2015) | Belgium | Hourly behavior increase the odds of fraud, when there are short-term increase in purchasing there is a higher risk of fraud. The inclusion of transaction averages, currency and country variable has a minor, albeit positive, impact on the description of fraud for data set. |
| Marianne Crowe & Susan Pandy (2016) | USA | Mobile wallets can offer enhanced security over traditional online e-commerce. |

Aihua Shen (2007) investigated the efficacy of applying classification models to credit card fraud detection problems and to recognizing credit card fraud risk. Besides that, Aite Group LLC reports annually on consumer fraud by conducting a survey around the globe. This study uses a questionnaire to collect data, together with data from the HSBC Vietnam report. The questionnaire was originally developed in English, and the sample questions are based on theories of classification models for credit card fraud detection problems and on sample questions from Global Consumer Card Fraud by Aite Group LLC, for interviewees who meet HSBC conditions for credit card opening.

2.1.2.2 Online payment processing

According to Visa and MasterCard, participants in online payment processing operate under the four-party model. The four parties are:

- The Cardholder: The individual in possession of a payment card.

- The Issuer: The bank or organisation that issues the credit card involved in the transaction. It receives the payment authorization request from the credit card network and either approves or declines the transaction.

- The Acquirer: The bank which is responsible for receiving payment authorization requests from the merchant and sending them to the issuing bank through the appropriate channels. It then relays the issuing bank's response to the merchant.

- The Merchant: The entity with goods or services to sell that receives payment instructions and details from the cardholder, to be settled by their acquirer (via the scheme network) with the issuer.

The flow of a transaction and the involvement of each participant are illustrated in Figure 2.1.


Figure 2.2: The four-party model

Source: Visa handout for merchant

“Figure 2.2 illustrates the four-party model, including the transaction flow and related charges. Merchants typically bear the cost of both a payment-processing fee by the acquiring bank as well as an interchange fee. The interchange fee is designed to recover the costs of operating the scheme network, as well as correct the imbalance in costs incurred between the issuer and acquirer. While the acquirer will typically have payment devices at point of sale – a terminal or card reader, capable of accepting payments from many cardholders – the issuer will bear the greater cost of issuing and managing payment cards and transactions for every cardholder.

Interchange fees range from 1-3% of the transaction value, with fixed caps in place for certain transactions. However, for online payment processing payment processors may charge as much as 6% of the transaction value. The four-party model allows for scalable “trust relationships” between multiple acquirers and issuers that are members of a single scheme or network – such as Visa or MasterCard – while allowing merchants and cardholders to establish their own accounts and trust relationships with merchant or issuing banks of their choice.”

2.1.2.3 About card-not-present fraud

HSBC and Visa define a card-not-present transaction as a transaction that takes place remotely – over the internet, by telephone or by post. Card-not-present fraud is defined as fraud committed by criminals online, by phone, or by mail using information obtained fraudulently (Marianne Crowe & Susan Pandy, 2016). Card-not-present fraud involves the unauthorized use of a payment card number, card verification code (CVC), and the cardholder's address details to purchase products or services either online, through a call centre, on a mobile device or by mail order. CNP transactions are particularly vulnerable to fraud for three significant reasons:

- The card data cannot be verified via a magnetic stripe or EMV chip.

- The cardholder cannot be verified by comparing a signature with the signature stripe or by entering a PIN into an EMV terminal.

- The cardholder may initially be unaware that their card details are being used fraudulently in CNP transactions (unlike the physical theft of a payment card).

CNP fraud can be approached through 5 common methods:

“Phishing: Phishing is a serious and increasing problem that occurs when fraudsters try to obtain sensitive information (usually usernames and passwords or credit card or bank account numbers) in an attempt to utilize this confidential data to make fraudulent purchases or steal a person's identity. The attempt to steal information is made via electronic communication like an email or instant message and leads victims to a website asking to submit this sensitive data.

Account takeover: Account takeover is another serious type of fraud that compromises a user account and puts sensitive information at risk. Fraudsters target web users while the users are accessing their various accounts, email addresses and social networks with the goal of stealing these credentials to make fraudulent purchases.

Carding: Carding happens when fraudsters use websites with real-time transaction processing to validate stolen card information (credit card numbers and personal data) by making a small purchase so as to not attract attention onto their activity. If their fraudulent purchase goes through, signaling that the card is good, fraudsters will use the stolen card number to make additional purchases or will sell the information to other criminals.

Malware: Potential attackers can either use phishing to mislead the victim to install a malicious app or exploit another remote vulnerability of some app and conduct background monitoring. A malicious app can disguise itself as an app that runs in the background (e.g. music) to conduct monitoring, disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Location masking: This threat does not directly affect cardholders but occurs when a fraudster masks their true location and computer characteristics. The fraudster's machine typically masks many of its features. For example, the browser being used may be Firefox but may be reported as IE9, the operating system may be Linux but may be reported as Windows, and the IP address may be misrepresented, hiding the true location of the fraudster. Online services, websites and applications typically rely heavily on IP location information to function – e.g. a business may provide general information over the web, but completely deny online service requests from locations where it does not have a presence.”

Although current bank card fraud operations are numerous and varied, several schemes account for the majority of the industry's losses by taking advantage of dated technology, customer negligence, and laws peculiar to the industry (Hutchins, 2002). As card transactions have increased in recent years, so too has fraud. Clearly, global networking presents as many new opportunities for criminals as it does for business. While offering numerous advantages and opening new channels for transaction business, the internet has also brought an increased probability of fraud in credit card transactions. Credit card fraud detection is a widely studied research domain globally, seeking the root causes of fraud (Bhatla et al., 2003; Delamaire et al., 2009). Delamaire et al. (2009) distinguish between various types of fraud, such as application fraud (i.e., acquiring a credit card with false information), stolen or lost card, counterfeit card (i.e., card copying or using a card which does not belong to the owner) and card-not-present (CNP) fraud (i.e., using credit card details to make distance purchases). This study focuses on CNP fraud perpetrated through online transactions.

To the best of the author's knowledge, most academic works on fraud and CNP fraud on credit cards focus mainly on credit card fraud detection techniques. In other words, studies focus on the transaction, that is, on what happens after payment processing in order to predict the potential fraud of a profile, not on what affects and causes such a transaction. In particular, credit card fraud detection techniques can be divided into two broad categories: supervised and unsupervised methods. Supervised techniques are those where past known legitimate and fraud cases are used to build a model which will produce a suspicion score for new transactions; unsupervised ones are those where there are no prior sets in which the state of the transactions is known to be fraud or legitimate. Ghosh and Reilly (1994) used a large sample of credit card account transactions to detect fraudulent accounts. Hanagandi, Dhar and Buescher (1996) used historical information on credit card transactions to generate a fraud score model. In Aihua Shen, Rencheng Tong and Yaochen Deng (2007), the forecast data used for the fraud models came mainly from real-time transaction authorization information and the history database.

2.1.3 Card-not-present fraud in HSBC

This section presents the reality of CNP fraud in HSBC Vietnam from 2013 to 2017 through two symptoms: the first symptom is an increase in the chargeback ratio and the second is an increase in the percentage of the CNP fraud type. The rise in the volume of new cards issued and the increasing accessibility of the Internet are the general background explaining these symptoms.

HSBC has witnessed a significant increase in new credit card issue from 2017 to 2017. The mode of payment of an individual has changed significantly thanks to the advance of modern technology. The use of credit cards has become popular and inseparable from day-to-day activities. At the same time, credit card fraud poses a serious threat to issuers as well as cardholders. Every year, issuers suffer losses in the millions. Apart from money, the trust between end users and issuers is weakened. While fraud in card-present transactions is tracked quickly, as soon as the physical absence of the card is noticed, the possibility of fraud committed through CNP via online or other electronic methods has shown a significant upward trend and has continuously posed a tremendous threat to participants for several years. Regrettably, chip and PIN technology has done nothing to combat this type of fraud (Furnell, 2006).

From the economic perspective, an increase in CNP fraud can be explained by the increasing accessibility of the Internet. Vietnam first connected to the Internet in November 1997. In the last 20 years, Vietnam has witnessed a dramatic rise in the number of Internet users. The increase in Vietnamese internet users is indicated in Figure 2.2.

Figure 2.3: Vietnamese internet users

Source: Ministry of Information & Communication

The chart shows a tremendous increase in the number of Internet user in the period shown Vietnam had approximately 52 million Internet user in 2017, accounted for 54% Internet penetration rate, which is above the global average of 46.5% This puts Vietnam at the top of Asian countries and the numbers are expected to continue rising at a fast pace, thanks to relatively flexible bandwidths services and low cellular data cost This is a positive signal for a development of payment industry, particularly non-cash payment industry – the services behind the senses of E-commerce However, an increase of payment processing without keep updated with the rise of sophisticated of cybercrime leads to an increase in CNP fraud

From an organizational perspective, an increase in CNP fraud is investigated and explained by a combination of internal and external factors that depend on each business. In HSBC, the investigation of this problem is approached from the perspectives of transactional behaviour, system authentication, personal information security and legislation. In general, the cross-border frequency of transactional behaviour, inappropriate approval protocols in the fraud monitoring system and in the application of system authentication, lower consumer awareness of personal information security, and a lack of online purchase compliance in legislation are the main causes of the increase in the card-not-present fraud ratio in recent years. A full analysis is given in Chapter 3 of this research.

In order to maintain and expand the credit card market, HSBC primarily protects consumers from fraudulent credit card activities. A chargeback is initiated when a customer disputes a charge from unauthorized merchants and asks the issuer (herein HSBC) to reverse it. It takes 45 to 60 days to complete a dispute case. In HSBC, dispute transactions apply in the following cases: (i) The cardholder has neither made nor authorized the disputed transactions. The card was in the cardholder's possession at the time of the transaction. (ii) The cardholder did not make any reservation with the merchant. (iii) The cardholder has neither made nor authorized the disputed transaction. The cardholder only authorized a specific transaction. Credit card chargebacks were originally invented as a consumer protection, and a merchant's chargeback rate is generally calculated using the following equation:

$$\text{Chargeback rate} = \frac{\text{Total chargeback cases per month}}{\text{Total transactions per month}}$$

Each of the card schemes imposes its own maximum chargeback rate, known as a chargeback threshold. The standard chargeback threshold is 1% of transactions in most cases.

The chargeback ratio in HSBC from 2013 to 2017 is recorded in Figure 2.4.


Figure 2.4: HSBC Vietnam Chargeback ratio from 2013 – 2017

Source: HSBC Vietnam Internal Fraud report 2017

HSBC witnessed a significant increase in chargeback applications in 2016, reaching a peak in 2017 at 1.12%, of which CNP fraud applications accounted for more than 70% (Figure 2.3). This ratio was calculated according to the quantity of cases. Chargeback applications were handled and responded to mainly by the chargeback team, with nine headcounts for this operation from Da Nang to Ho Chi Minh City (8 branches & transaction offices). This creates a workload burden for the team, affecting not only job effectiveness but also job satisfaction. Therefore, it is necessary to urgently review current fraud management procedures to support the operation team and to adopt high-tech fraud prevention.

“In the payment cycle, the issuing bank is the customer’s representative while the acquiring bank is the merchant’s representative in card networks’ associations (or card schemes) like Visa or Mastercard and being controlled by mutual agreement of payment processing. In Merchant Chargeback Monitoring Program (MCMP) by Visa, first notification of excessive chargebacks for a specific merchant is considered a warning. If actions are not taken within an appropriate period of time to return chargeback rates to acceptable levels, Visa may impose financial penalties on acquirers that fail to reduce excessive merchant-chargeback rates. In addition, if the acquirer or Mastercard determines that a merchant is an excessive chargeback program (ECM) and the acquirer fails to submit a timely ECM report to Mastercard for that ECM, Mastercard may assess the acquirer up to USD 500 per day for each of the first 15 days that the ECM report for that ECM is overdue and up to USD 1,000 per day thereafter until the delinquent ECM report is submitted.”

Not only in HSBC: a rise in the online retail market also causes higher loss values in other countries. According to the Global Fraud Index™, global e-commerce fraud peaked during the Q4 2015 and Q1 2016 period at 5.5% of sales and, as of the Q1 2017 and Q2 2017 period, stood at 3.85% of sales. Publicly available estimates of the actual cost of CNP fraud vary considerably, with estimates of the global scale of e-commerce fraud losses ranging from $25 to $40 billion. The US – the biggest market of HSBC card spending – is currently facing a significant increase in CNP fraud due to the EMV rollout. The report of fraud type from 2013 to 2017 is indicated in Figure 2.5.


Figure 2.5: HSBC Vietnam fraud type from 2013 - 2017

Source: HSBC Vietnam Internal Fraud report 2017

It is noticeable that CNP fraud loss accounted for the proportion of fraud type from 2013 to 2017, while counterfeit loss decreased rapidly from 28.15% in 2013 to only 9.3% in 2017. The main reason for this tendency is the application of the Europay Mastercard Visa (EVM) standard – the global standard for chip-based security. Another reason is the card issuing service provider: before 2018, HSBC cards were issued in Thailand following HSBC group compliance. This helps HSBC Vietnam take advantage of the latest technology in physical cards and mitigate risks related to information exposure.

In conclusion, given the rise of the E-commerce industry in Vietnam and the strategy of expanding retail market share, the growth of CNP is an integral part unless risk management is upgraded. Because the more advanced technology is, the more sophisticated cybercrime becomes, the causes and the corresponding implementations to improve CNP fraud prevention should be taken into consideration and investigated.


2.2 CNP fraud management in HSBC

HSBC Vietnam commits to bringing the best services to protect customers' credit cards from fraud. With the advantages of an international bank, HSBC has applied strict procedures and systematization for fraud data tracking. Nevertheless, the more advanced technology is, the more sophisticated fraud becomes, and a gap between current procedures and systems in fraud monitoring occurs. In this section, the limitations of secure pay, the account at risk procedure, the fraud risk monitoring system and other methods are presented alongside their advantages.

2.2.1 3-D secure pay

This section presents a brief technical overview of how the 3-D Secure pay system operates to authenticate online transactions. After that, a summary of how HSBC credit cards perform with this authentication method is provided to judge its advantages and disadvantages from the cardholder perspective and the Bank perspective.

“3-D secure pay system is a set of security standards developed by Visa, but implemented also by other card organizations. The Visa system is called Verified by Visa and the MasterCard system is offered as MasterCard SecureCode. In a nutshell, if 3-D Secure is implemented then straight after entering customer’s card information, he or she is asked to enter a password which helps the card issuer to identify the card holder.”

“In case of a transaction completed with 3-D Secure, it is the card issuing bank that assumes the risk, not the merchant. And most importantly, chargebacks are not permitted if the merchant complies with the acquirer’s legal requirements (3-D Secure has been activated for the card; the payer has been redirected by the merchant to a website where the card authentication takes place; the authentication process was successful). 3-D Secure definitely reduces the risk of fraudulent transactions and decreases the number of disputed transactions. It also boosts consumer confidence which can result in increased sales.”


“3-D Secure requires that cardholders ‘enrol’ in an issuer-managed service, either while making a purchase online, or in advance. The cardholder will typically be asked to choose a password as well as a personal assurance message. During a purchase transaction, the cardholder will be prompted to enter their 3-D Secure enrolment password in order to ‘prove’ that it is in fact the legitimate cardholder making the transaction, and not another party fraudulently using the cardholder’s details. The enrolment credentials are kept completely separate from the payment card and merchant systems and so should not be vulnerable to casual observation or collection (as is the case with the CVV2 value). The ‘3-D’ in 3-D Secure refers to the ‘Three Domain’ model of the scheme which includes:”

• “The Issuer Domain: This domain includes the cardholder and their card issuing bank. In the issuer domain, the issuer manages the enrolment of the cardholder into the scheme as well as the authentication of the cardholder during a purchase.
• The Acquirer Domain: This domain includes the merchant and their acquiring bank. The acquirer provides transaction processing services and ensures that the merchants are operating under the agreement of the scheme.
• The Interoperability Domain: This is a conceptual domain that describes the ‘interconnect’ between the issuer and acquirer domains. As we’ll see below, a unique feature of the Interoperability Domain is that it relies on the Internet in addition to the traditional and proprietary payment card networks.”

There are three core requirements for the successful initiation of a 3-D Secure authentication attempt. These are:

• The first is that the card issuer must implement an Access Control Server (ACS), including choosing an enrolment and authentication strategy. The payment card brand (Visa or MasterCard) may establish region-specific rules that require issuers to use specific authentication strategies.
• The second is that the merchant (or services acquired by the merchant) must implement a merchant plug-in (MPI) – allowing the merchant to determine if the cardholder is enrolled in 3-D Secure, and if so, initiate the 3-D Secure cardholder authentication process.
• The third is that the cardholder must be enrolled in 3-D Secure. Users may be asked to enrol ‘on the spot’ – in what is referred to as ‘activation during shopping’ or Activation Anytime – as part of the payment transaction – or they may be asked to enrol in advance at the issuer’s site. Authentication schemes include static passwords, chip and PIN (via a portable reader), and even one-time passwords (OTP) sent via SMS to the cardholder’s mobile phone.

To register for this service, the customer has to have HSBC Vietnam Internet Banking. Customers who use it create a password and must input it into the website before completing a transaction. Verified by Visa/MasterCard SecureCode is for card CNP transactions only (excluding Mail order, Telephone order transactions).

In the first scenario, the cardholder, issuer and merchant have all registered for VbV. When the merchant registers for 3D Secure by Visa/Master, the logo appears on the website or at the payment screen, as in Picture 2.1. The authentication payment is processed at the merchant’s site as follows.

Picture 2.1: 3D secure logo on website

Source: HSBC credit card Q&A handling


To purchase, the customer selects a credit card as the payment method and enters the payment card details such as name, card number and CVV code. After this, another page is displayed and requests the customer to fill in the password of the Verified by Visa service or MasterCard SecureCode, depending on the card type. Picture 2.2 shows an example of the Verified by Visa service screen on a website.

Picture 2.2: Verified by Visa service on website

Source: HSBC credit card Q&A handling

“Once cardholder correctly input password, authentication is complete, payment authorisation occurs via the normal merchant acquirer path using a payment card brand proprietary network (e.g. VisaNet or Banknet) to submit an authorisation request to the acquirer for settlement. MasterCard correctly refers to the 3-D Secure component of a payment transaction as “Cardholder Authentication”.”

The purchase completes only if the password is correct. If the customer does not remember the password, or the user is blocked after entering a wrong password 3 times, they have to access HSBC Internet banking to unblock and reset the password. Picture 2.3 shows a screen of the blocked status and Picture 2.4 illustrates how to unlock the status on Internet banking. In HSBC, Internet banking is the only way to unlock the Verified by Visa or MasterCard SecureCode status.


Picture 2.3: Screen of blocking status

Source: HSBC credit card Q&A handling

Picture 2.4: Screen of unlock 3D service

Source: HSBC credit card Q&A handling

The second scenario is that the website and the bank have VbV but the customer does not. The first step is the same as above, but at the second step, instead of inputting the VbV password, the customer must enter the information shown in Picture 2.5.


Picture 2.5: Screen of card has no VbV service

Source: HSBC credit card Q&A handling

If all the information is correct, the transaction is processed successfully; otherwise the payment is rejected. The system requires the customer to register for VbV and make the transaction after registration. However, on some merchant websites, or at some times, the additional verification that replaces the VbV password, like the screen in Picture 2.5, does not appear, for example on <https://vietnamairlines-online.vn>. When a transaction is rejected due to no VbV service, an alert is sent to the Fraud monitoring system, and an analyst then contacts the customer to confirm the transaction and advise on the steps to register for VbV.

In this situation, the VbV password is mandatory for successful payment.

The third scenario is that the customer has VbV but the website does not, or neither of them has it. The customer just needs to finish the 1st step (Picture 2.1) with correct information and the transaction will go through.
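The three scenarios above, together with the three-attempt lockout, modelled as an added Python example (not HSBC's or Visa's code). The names `process_cnp`, `Card` and `Outcome`, the plain-text stored password and the sample secret are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from enum import Enum

MAX_WRONG_PASSWORDS = 3  # page: the user is blocked after 3 wrong passwords


class Outcome(Enum):
    APPROVED_PASSWORD = "approved after VbV password check"
    APPROVED_FALLBACK = "approved after replacement verification details"
    APPROVED_NO_CHALLENGE = "approved on card details only"
    REJECTED_WRONG_PASSWORD = "rejected: wrong VbV password"
    REJECTED_BLOCKED = "rejected: blocked, unlock via Internet banking"
    REJECTED_NOT_ENROLLED = "rejected: no VbV, alert to fraud monitoring"
    REJECTED_BAD_DETAILS = "rejected: card or verification details wrong"


@dataclass
class Card:
    enrolled: bool            # cardholder registered for VbV / SecureCode
    password: str = ""        # assumption: kept in plain text only for brevity
    wrong_attempts: int = 0

    @property
    def blocked(self) -> bool:
        return self.wrong_attempts >= MAX_WRONG_PASSWORDS


def process_cnp(card, merchant_3ds, details_ok, password=None,
                fallback_offered=True, fallback_ok=False):
    """Return (Outcome, password_verified) for one online payment."""
    if not details_ok:                  # step 1: name, card number, CVV
        return Outcome.REJECTED_BAD_DETAILS, False
    if not merchant_3ds:                # scenario 3: no challenge is issued
        return Outcome.APPROVED_NO_CHALLENGE, False
    if not card.enrolled:               # scenario 2
        if not fallback_offered:        # some sites skip the replacement screen
            return Outcome.REJECTED_NOT_ENROLLED, False
        if fallback_ok:
            return Outcome.APPROVED_FALLBACK, False
        return Outcome.REJECTED_BAD_DETAILS, False
    if card.blocked:                    # scenario 1, already locked out
        return Outcome.REJECTED_BLOCKED, False
    if not hmac.compare_digest((password or "").encode(), card.password.encode()):
        card.wrong_attempts += 1
        return (Outcome.REJECTED_BLOCKED if card.blocked
                else Outcome.REJECTED_WRONG_PASSWORD), False
    card.wrong_attempts = 0
    return Outcome.APPROVED_PASSWORD, True


def approvals_without_password():
    """List (enrolled, merchant_3ds, outcome) combinations approved with no password."""
    found = []
    for enrolled in (True, False):
        for merchant_3ds in (True, False):
            card = Card(enrolled=enrolled, password="constructed-secret")
            outcome, verified = process_cnp(card, merchant_3ds, True, fallback_ok=True)
            if outcome.name.startswith("APPROVED") and not verified:
                found.append((enrolled, merchant_3ds, outcome))
    return found
```

`approvals_without_password()` returns the three enrolment combinations in which a payment is approved without the VbV password being checked, which is where transaction monitoring rather than 3-D Secure has to catch misuse.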

VbV/MasterCard SecureCode services help customers increase security when performing online transactions in Vietnam and around the world. However, for some reason, other banks such as Vietcombank and Citibank Vietnam are currently using “One time password – OTP”, while VbV and MasterCard SecureCode are being applied to CNP transactions under Visa/Master regulation. OTP sends an SMS containing a password to the registered cell phone number, and the customer must input this OTP code into the website before completing the online transaction. It is also a service to protect credit cards from fraud, but the disadvantage is that it cannot be used outside of Vietnam if the customer does not use a roaming service for their cell phone. From the customer perspective, the 3D Secure pay system supports:

• More security, as the customer needs a password, which they create themselves, before making a payment.
• Easy registration if the customer has Internet Banking.
• Easy password change.
• Self-service unblocking on Internet banking.

However, there are some disadvantages of this technique, especially the replacement verification information method, which has been the biggest challenge in authenticating online transactions in recent years:

• The customer must use Internet banking. In some cases a customer in an urgent situation cannot complete a transaction because they are unable to access Internet banking (unregistered or forgot password).
• It does not work smoothly on older smartphones such as the iPhone 4 and 4s.
• The bank, the customer and the merchant all have to have VbV.

“From the Bank perspective, 3D secure is still one of the most effective authentication until now. The most significant advantage to the issuer in the use of 3-D Secure is the protection of the “credit card brand”. A reduction in CNP payment card fraud means that merchants will continue to accept payment cards, and cardholders will continue to use their payment cards online. Credit cards – with an annual percentage rate on unpaid balances between 16% and 20% – are a valuable part of the issuer’s portfolio of financial services and products. Another significant advantage is the reduction in administrative costs for disputed transactions with the acquirer. It is unclear however if this benefit may be offset in part by administrative costs in dispute resolution with the cardholder instead.”

However, there are significant disadvantages to the issuer in implementing 3-D Secure, which include:

• The costs of implementing the ACS, whether through the use of managed services, or the development of in-house enrolment and ACS – including the integration with back-office systems.
• The cost of supporting the ACS, including cardholder customer support.
• The potential for financial losses from unmitigated security vulnerabilities in the scheme that result in issuer-liable fraudulent activity.
• The potential for reputational damage if the scheme is not clearly communicated to cardholders.
• The potential for reputational damage from “cardholder onerous” dispute resolution mechanisms.

2.2.2 Account at risk procedure

An account at risk means a card with potential fraud. Such cards are identified based on the monitoring system from Visa and need to be replaced as soon as possible to avoid risk. Normally, HSBC receives around 5-10 cases each week, but sometimes it is more than 100 cases. If it is a short list (fewer than 20 cases), HSBC will contact the customer by phone to advise a new card right after receiving the list. If it is a long list, the cards will be blocked immediately (excluding cards on an overseas trip) and the customer will be contacted afterwards.

Posted: 28/10/2019, 00:06
