Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005.

Published byTodd Griffith Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005."— Presentation transcript:

1 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005

2 2 CONTENT Credit card system overview The CardSystems incident Impact on credit cardholders in Hong Kong Liability for financial loss Follow-up actions by the HKMA –Impact assessment –Risk evaluation

3 3 CREDIT CARD SYSTEM OVERVIEW Network operators (Visa, MasterCard, American Express, Diners, JCB, China UnionPay) Card issuers (mainly banks) Merchant acquirers (mainly banks) Merchants Cardholders Third party service providers –Third-party processors –IT processors

4 4 AUTHORISATION FLOW Merchant Third- party processor Merchant acquirer Network operatorCard issuer Cardholder (1) Transaction (2) Seek authorisation (3) Transaction information (4) Transaction information (5) Requests authorisation for purchase (6) Authorisation for purchase (7) Authorisation (8)Authorisation (9)Authorisation(10) Completes purchase Third-party’s network Network operator’s network

5 5 Network operator Settlement bank of network operator Merchant acquirer (1)Transaction details(2) Net Obligation Settlement report Network operator’s network Card issuer (3) Settlement notification Clearing (usually within 1 day) Settlement (usually within 3 days) Settlement bank of network operator Merchant acquirer Card issuer (1) Payment via local RTGS Merchant (3) Credit to merchant account (2) Payment via local RTGS Bill cardholder CLEARING AND SETTLEMENT FLOW

6 6 THE CARDSYSTEMS INCIDENT CardSystems is a third-party processor providing authorisation and validation processes on behalf of the merchant/merchant acquirer Cardholder information stored after completion of authorisation and system hacked Compromised data could be used for fraudulent transactions

7 7 THE CARDSYSTEMS INCIDENT CardSystems reportedly breached the security standards set by the network operators: –NOT to retain sensitive cardholder information after completion of authorisation process –to encrypt the information should such information be retained for special business, legal or regulatory purposes

8 8 IMPACT ON CARDHOLERS IN HK Cardholders in HK may be affected if –purchase retail outlets in the US (at the point-of-sale or through Internet); and –retail outlets in the US submit transaction information to merchant acquirer through CardSystems About 12,000 credit cards issued by AIs in Hong Kong potentially affected No financial loss to cardholders in this case

9 9 LIABILITY FOR FINANCIAL LOSS Card issuers will bear the full loss incurred: when faults have occurred in the terminals, or other systems used, which cause cardholders to suffer direct loss (section 30.1(c) of the Code of Banking Practice); and when transactions are made through the use of counterfeit cards (section 30.1(d)).

10 10 FOLLOW-UP ACTIONS OF THE HKMA - IMPACT ASSESSMENT AIs contacted most of the potentially affected cardholders for card replacement For cardholders who cannot be contacted, transactions conducted through their cards are monitored closely

11 11 FOLLOW-UP ACTIONS OF THE HKMA - EVALUATION OF RISK Risk of occurrence of similar incident in Hong Kong is relatively low –Comprehensive guidance issued to AIs, including:  Outsourcing  Technology risk management  Supervision of Internet banking –Prior approval from the HKMA before entering into an outsourcing contract –Submission of annual IT controls self-assessment reports to the HKMA by all major AIs HKMA’s specialist IT on-site examinations cover the review of IT controls of AIs and their service providers

12 12 FOLLOW-UP ACTIONS OF THE HKMA - EVALUATION OF RISK AND STRENGTHENING OF SECURITY SYSTEM Letters issued to AIs and credit card companies, and other companies handling credit card/debit card data: –Requesting AIs to re-assess the adequacy and effectiveness of controls over customer data security, retention and confidentiality (including AIs and their service providers) –Requesting credit card companies, consumer credit bureau and debit card operators to assess the security controls over internal and outsourced processing of consumer and transaction data and to strengthen their companies’ security system where necessary –Liaising with Privacy Commissioner’s Office

13 13 End of Presentation

Download ppt "1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005."

Similar presentations

Credit Card Processing 101

Credit Card Processing 101
Weighing the Risks and Benefits of Online Financial Transactions

Weighing the Risks and Benefits of Online Financial Transactions
Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,

Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,
Learning Objectives Understand the shifts that are occurring with regard to online payments. Discuss the players and processes involved in using credit.

Learning Objectives Understand the shifts that are occurring with regard to online payments. Discuss the players and processes involved in using credit.
PCI DSS for Retail Industry

PCI DSS for Retail Industry
Insurance in the Cloud Ben Hunter, Canadian Underwriting Specialist Technology Insurance Specialty Chubb Insurance Company of Canada.

Insurance in the Cloud Ben Hunter, Canadian Underwriting Specialist Technology Insurance Specialty Chubb Insurance Company of Canada.
Www.rbi.org.in RESERVE BANK OF INDIA. Developments in Payment and Settlement Systems Introduction of MICR Introduction of MICR Electronic Funds Transfer.

RESERVE BANK OF INDIA. Developments in Payment and Settlement Systems Introduction of MICR Introduction of MICR Electronic Funds Transfer.
This refresher course will:

This refresher course will:
ETA UNIVERSITY MARCH 19, 2015 Deana Rich R ICH C ONSULTING, I NC. Edward A. Marshall A RNALL G OLDEN G REGORY LLP Payments 101: Overview of the Payments.

ETA UNIVERSITY MARCH 19, 2015 Deana Rich R ICH C ONSULTING, I NC. Edward A. Marshall A RNALL G OLDEN G REGORY LLP Payments 101: Overview of the Payments.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
Credit Card Fraud The Scale of the Problem Michael Moore Regional Security & Fraud Investigation Manager 14 – 17 Nov 2005 Security & Safety – Middle East.

Credit Card Fraud The Scale of the Problem Michael Moore Regional Security & Fraud Investigation Manager 14 – 17 Nov 2005 Security & Safety – Middle East.
Introduction to Electronic Processing College of General Studies.

Introduction to Electronic Processing College of General Studies.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
LECTURE 7 REF: CHAPTER 11 ELECTRONIC COMMERCE PAYMENT SYSTEMS PREPARED BY : L. Nouf Almujally Copyright © 2010 Pearson Education, Inc. 1.

LECTURE 7 REF: CHAPTER 11 ELECTRONIC COMMERCE PAYMENT SYSTEMS PREPARED BY : L. Nouf Almujally Copyright © 2010 Pearson Education, Inc. 1.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Consumers Online: Privacy, Security and Identity Professor Margaret Jackson and Marita Shelly Presentation to the RMIT Financial Literacy, Banking & Identity.

Consumers Online: Privacy, Security and Identity Professor Margaret Jackson and Marita Shelly Presentation to the RMIT Financial Literacy, Banking & Identity.
Visa Cemea Account Information Security (AIS) Programme

Visa Cemea Account Information Security (AIS) Programme
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)

Similar presentations

Ads by Google