Green Team October 16, 2006 Product: Customizable Credit Card Protection (C 3 P)

Green Team

October 16, 2006

Product: Customizable Credit Card Protection (C3 P)

October 18, 2006 Green Team 2

Organization Chart


This family received food stamps

www.co.kern.ca.us/dhs/images/0987.jpg


This family received money from FEMA

www.katrinapictures.blogspot.com/


This family received both

http://www.spasearch.org/admin/images/fld_main_photo/fld_main_photo_38.jpg


What do these families have in common?

• All these families received Government money

• The first two used the money as intended

• The third is guilty of spending government money on things other than the intended purpose


FEMA Fraud

• Hurricane Katrina victims– 900,000 of 2.5

Million aid applicants were fraudulent*

* http://www.msnbc.msn.com/id/11326973/

Obtainedfundsthroughfraud

Obtainedfundslegally


Problem Statement

Government organizations and private businesses have inadequate protection

against unauthorized purchases by authorized cardholders, which results in a

loss of funds.


Problem Analysis

• Out of a $2.5 trillion government budget**

– $14 billion was spent on private purchases by employees

–$2 billion was spent on unauthorized purchases by employees*

* Foiling credit card fraud by Jenny C. McCune • Bankrate.com

** http://www.gpoaccess.gov/usbudget/


Problem Characteristics•Tracking physical receipts

–Archaic–Inaccurate–Unreliable–Easy to lose

•Employees produced 20% of all transaction receipts*

•Cards can be stolen•Organization loses money

–Money spent unwisely by an authorized user of the card is not covered under fraud protection

* http://www.dallasnews.com


Solution Characteristics

• Prevention of lost corporate funds– Reduces personal, unwarranted spending

• Biometrics– Prevents unauthorized use

• Uses customizable database– Allows different business to have different

options


C3 Protection Card

•So what is C3P? – Customizable Credit Card Protection


Objectives

• Develop a customizable credit card system to prevent unauthorized purchases by employees – Customizable database to hold prohibited

purchases• GUI to allow customization of database

– Uses Merchant Commercial Codes (MCCs)– Use Universal Product Codes (UPCs)

• Implement latest security technology for card protection


Features

•Secure Credit card

–128-bit DES encryption

–Biometrics

•Fingerprint

•Photo ID

–Allows customizable control over card’s use

–Controlled by a user interface to each business’ personal database


Customers

•Hard Customers

-Visa

-MasterCard

-Discover

-American Express

•Soft Customers

-Every business that holds a business credit card

-Caring and concerned parents who issue credit cards to their children


Customer Characteristics

•Credit Card Companies

-Spend millions each year on securing their credit cards*

-Minors are Credit Card Company’s new target consumer**

•Credit Card Company’s Consumers

-Small businesses report billions of dollars in losses through embezzlement each year***

-Parents are concerned with giving children control of a credit card yet are even more concerned about giving a child real cash**

* http://news.com.com/Retailers+feel+security+heat/2100-7349_3-5680788.html

** http://www.bankrate.com/fox/news/cc/20000508.asp

*** http://www.fbi.gov/publications/financial/fcs_report052005/fcs_report052005.htm


Why does the customer need this?

•Soft customer

–Secure and efficient control of company funds

–Reduced costs to prevent and lesson the effects of fraud

–Parental control of children's spending

•Hard Customer

–Offer safer card services to credit users

–Larger customer base

•Increase of large, reliable customers


Major Functional Component Diagram


RFID Card Specifications

• An embedded antenna that is attached to the chip is used to transfer information stored in the chip's memory

• The range of operation is 2.5" to 3.9“

• Information can be written to the card the same way it is read.

• The fingerprint scanner can be added


Software Features

• Intuitive web-based GUI Interface– Able to customize MCCs and/or UPCs by

creating an ‘acceptance’ list– Able to analyze and graph employee

spending habits

• Incoming UPCs and MCCS are compared with an ‘acceptable’ database of allowed codes


Receipt Tracking

• For each business, all employee purchases are tracked and listed by employee

• Receipts will list accepted and rejected purchases

• Receipts can be grouped by purchaser, date, and/or MCC


Smart Card Setup

• User account access information added to smart card memory by C3P

• 1st user finger scan saves a three-dimensional electrical image of the fingerprint's unique pattern using small variations in finger surface capacitance.


Authentication ProcessCurrent Process NEW Process

Vendor must take the credit card and ID from customer

Then vendor must authenticate the

customer by judgment alone.

If the customer matches the

identification, the transaction is made.

Hold your thumb over the fingerprint

scanner to prove your identity.

If your fingerprint matches, the Smart Card & RFID chip will be activated

Touch the card to the card

reader and the transaction will be processed.


Payment ProcessCurrent Process NEW Process

Vendor swipes your card at

the point-of-sale register.

The data is sent to a computer to verify your

credit.

If you have the funds, your

purchase is allowed.

You swipe your card at the point-of-sale register.

Your data is sent to our servers for verification.

Your data is then sent to the credit servers to verify.

If your card is accepted and your purchases are valid, sale is complete.


What’s In The Box

What’s in the Box?

Loading Station

What’s In The Box What’s Not In The Box

IF REQUESTED:

•Authentication code for website

•Website URL (holds database)

•Requirements for submission of pictures and info

Credit card customer information

Computer with Internet connection

Businesses

Credit Card Companies


Flow of Information/Hardware

a. Request CC w/C3P

b1. Camera? How many cards?

b2. Reply

e. Send camera (opt.) & authentication code

f. Send photos

h. Send cards with CC logo & photo ID

Business accesses C3P

database online

c. Send notification of request

d. Sell camera (opt.) & authentication code

g. Sell cards with C3P (RFID chip/C3P logo/biometrics

C3P makes RFID smart cards w/

biometrics


What this product does not do

• Provide point-of-sale RFID readers

• Protect against blocking of authorized purchases– Will mostly be a result of human error– Will decrease in occurrence as more

businesses use product

• Provide credit for businesses


Competition Matrix

MTU Purchasing X X X X X

Government Credit X X X

Food Stamps X X X X X X

Worldwide Purchasing X X X X X X

LeCarte Purchase X X X X X

NASA SmartPay X X X

Smart X

C3P X X X X X X X X X X X X

Cards Uses existing card

readers

Tracks purchases and pattern

s

Uses existing card

readers

Customizable purchase re

strictio

ns

Can set Spending Lim

its

Blacks-out MCC codes

Blacks out UPC codes

Biometric ID

(photo and fin

gerprin

t)

Prevents Duplic

ation

For Govern

ment Use

For Personal U

se

For Business U

se


Cost (Soft Customer)

Components Number Required Price Cost

Camera (optional) 1 $110.00 $110.00

Access to website 1 FREE FREE

Authentication code (convenience fee)

1 $10.00 $10.00

RFID smart card w/biometrics* 1 per member $20.00 $20.00/member

Total Cost (Max) $120.00

+ $20.00/member

Total Cost (Min) $10.00

+ $20.00/member

* http://www.processor.com/editorial/article.asp?article=articles/P2716/30p16.asp&guid=


Cost (Hard Customer)

ComponentsNumber

RequiredPrice Cost

Initial Training 1 day per store $3,000.00 $3,000.00 per day per company

Server* (incl. add’l features)

1 (for C3P use only)

$8,162.00 $8,162

RFID smart card printer 1 (for C3P use only)

$4,000.00 $4,000.00

RFID smart cards 1 per member (for C3P manufacturing)

$15.00 $15.00/card

Total Cost for C3P $12,162.00

+ 3,000/day of training

+ $15.00/card

* http://configure.us.dell.com/dellstore/config.aspx?c=us&cs=04&kc=6W300&l=en&oc=pe1950-max&s=bsd


Pros• Smart Card Technology

– Quick– Uses Biometrics

• Safe and Secure• Customizable

– Spending limits– Tracks Items Bought– Tracks Vendors Bought From

• More Efficient– Saves Time Spent On Accounting

• Saves money• Keeps better records

– Automatic record of exact item bought and vendor shopped at– Better information for routine audits


Cons

• Uses fingerprints– People are afraid of giving up such information

• Solved with encryption and marketing

• Vendors need RFID readers– Requires New Technology

• Many vendors are getting scanners– 7-11 is adding 5,600 RFID scanners this year*

• Accidental blocking of necessary purchases– Solved with training and research

• 24/7 Server/Website Maintenance

* mastercard.com


Risk Probability/Impact Matrix

P81-100%

r

o61 - 80%

b

a41 - 60%

b

i21-40% 7 4 1, 2

l

i1-20% 6 5 3

t

y 1 2 3 4 5

Impact: 1(Low) - 5(high)

1Access to credit card

info

2 Hardware malfunction

3 Cards are not delivered

4 Software Malfunction

5 Insulting to Employee

6Employees won't give

up finger prints

7UPC database is

unavailable


Risks

Risk# Risk Description Mitigation Actions

1 Access to Personal Info from Credit Card Companies

Encryption, policy of not reading the information

2 Hardware Malfunction or Viruses Out of our control

3 Cards are not delivered by contracted company

Out of our control

4 Software Malfunction Thorough testing and 24/7 support


Risks

Risk# Risk Description Mitigation Actions

5 Insults Employee (can not be trusted)

Marketing plan and training to avoid insulting employees

6 Employees are reluctant to give up fingerprints due to privacy issues and fear of ‘Big Brother’

128-bit DES encryption, need of access to the money by user

7 UPC Database is unavailable Drop UPC solution from initial launch and use only MCCs


Return on Investment

• Improves reputation of credit card company

• Reduces loss of money due to unscrupulous purchases

• Saves time used to perform manual audits

• Reduces fraud

• Reduces the number of investigations required


Conclusion

• Regulates how funds are spent

• Uses biometrics

–Prevents the use or selling of stolen cards

•Vendors, credit customers, and card companies will benefit

–Vendors will get higher quantity and more efficient business

–Credit customers are protected and have less wait-time in line

–Card companies get to sell cards and RFID sensors to vendors while increasing their number of users

•C3P will revolutionize the credit system world wide


Questions

At this time, we welcome any questions you may have.


References• DISD credit card oversight lax:

http://www.dallasnews.com• Picture 1:

www.co.kern.ca.us/dhs/images/0987.jpg • Picture 2:

www.katrinapictures.blogspot.com/• Picture 3:

http://www.spasearch.org/admin/images/fld_main_photo/fld_main_photo_38.jpg• FEMA Fraud, http://www.msnbc.msn.com/id/11326973/• IEEE Feasibility Study on biometric credit cards:

http://www.ee.ucla.edu/faculty/papers/ingridv_TransCE_nov04.pdf#search=%2 2Portable%20Biometrics%22

• Smart Card technology with localized, portable biometrics:

http://www.biometricassociates.com/smartcard.php

• Open source smart card technology, both software and hardware:

• http://www.smartcardalliance.org/industry_news/industry_news_item.cfm?itemID=1596


References• Food stamp fraud:

http://www.frac.org/html/federal_food_programs/programs/fsp_faq.html#4• Food stamp info: http://www.fns.usda.gov/fsp/faqs.htm#9 • Data on food stamp fraud:

(http://www.eweek.com/article2/0,1895,1972079,00.asp) (http://www.foodstampfraud.org/) (http://www.cioinsight.com/article2/0,1540,1850300,00.asp)• FEMA Fraud data: http://www.cnn.com/2006/US/09/13/katrina.fraud/index.html?section=cnn_topstories)(http://www.msnbc.msn.com/id/11326973/)• Lockout codes http://www.admin.mtu.edu/acct/dept/pur/purchcard/lockout.htm

• Info on why this is a problem:http://www.dallasnews.com/sharedcontent/dws/news/localnews/stories/

070206dnmetpcards.192c71f.htmlhttp://financialplan.about.com/od/studentsandmoney/a/TeenCreditCards.htm

• Info on current program in place: http://arc.publicdebt.treas.gov/DWP/fs/fscredcard.htm#1

• Data and why this is needed – EPA’s complaint paper on current system!!!http://www.epa.gov/oig/reports/1995/bankrep.htm#CHAPTER%204

• How credit cards work: http://money.howstuffworks.com/credit-card2.htm


Appendix A

Expert Testimony from Admiral Julius Caesar from SAIC


Expert Testimony – Current Problems

• Navy sailors are given credit cards for travel because they do not have enough personal cash– Spending money in “Girly Bars”– Tabs in excess of $15,000

• Private Business– Employee used company credit card to put $14,000

down payment on a house– Employee bought several $1,500 airline tickets, and

canceled the flight to collect the cash refund, which he used to finance his private company

– Employee bought $1,500 in thongs at Victoria Secret


Expert Testimony - Current Solutions

• Only activating the credit card for the duration of the travel

• Background credit checks on employees to be entrusted with company funds


Expert Testimony – Loose ends left by current solution

• Can’t regulate purchases

• Company liable for purchases– Employees can’t pay the company back

• Must be taken to court


Expert testimony – Time and Money spent on problem

• ~$25,000 per division per year

• 20 Divisions

• ~$250,000 per year for this company

• Credit card companies dropped the Navy as a customer because of fraud problems


Expert Testimony - Data

• 2002: 1.4 million Government Travel Cards in use– $ 3.4 billion spent on purchases with these

cards

• One man made $262,800 in charges on 13 Government Credit Cards


Expert Testimony – On C3P

• Target “high risk” employees– In the 18-25 year-old bracket

• Don’t know how to use credit

– Employees with bad credit


AuthenticationMethods

Sec

ure

Inex

pens

ive

No

Mem

oriz

atio

n R

equi

red

Hig

h de

gree

of f

raud

pro

tect

ion

No

Hum

an V

erifi

catio

n R

equi

red

Eas

e of

use

Eas

e of

Impl

emen

tatio

n

Fingerprint Photo ID

PIN Password

Retinal Scan Signature

Authentication


Fingerprints

Advantages: • Relatively Mature

Technology

• Low Cost

• Highly Portable Technology

Distinctiveness High

Permanence High

Collectibility Medium

Performance High

Acceptability Medium

Potential for Circumvention

Low


Biometric Fingerprints

• Finger Print Characteristics– Genetic and environmental factors– Never the same– Biometric image cannot be

reproduced

• Finger Print Scanner– Capacitive Scanner– Electric Current


Appendix B

Merchant Commercial Code (MCC) – A specialized code that categorizes a store based on what it sells (e.g. Target and Wal-Mart have the same MCC)

Universal Product Code (UPC) – A code that designates a specific product, different for every brand and variation of a product (Lay’s and Pringle’s potato chips still have different UPCs)

Documents

Green Team October 16, 2006 Product: Customizable Credit Card Protection (C 3 P)