WO2024091139A1 - Identifying a point of compromise during payment processing - Google Patents

Abstract

The inventions relate to a system and method for reducing fraud in a payment processing system. A measure of compromise is determined for each entity involved in accessing or processing payment transaction data, a payment account measure is evaluated to determine whether it satisfies a pre-determined condition indicating that the account is at risk for fraud, and a notification is generated or the operation of the account is altered if the payment account measure indicates that the account is at risk. The inventions are directed toward more effectively identifying a potential point of compromise by using machine learning algorithms.

Description

IDENTIFYING POINTS OF COMPROMISE DURING PAYMENT PROCESSING

TECHNICAL FIELD

[001] This technical solution relates to systems and methods for reducing fraud in payment transactions, and more specifically, to an apparatus and method that attempts to reduce fraud by identifying a point of compromise in a payment transaction processing system.

BACKGROUND OF THE ART

[002] Portable consumer payment devices, such as debit or credit cards, are used by millions of people around the world to facilitate various types of business transactions. In a typical transaction involving the purchase of a product or service at a retail location, a portable consumer device is provided through a point-of-sale terminal (“POS terminal”) located at the merchant's location of business. The POS terminal may be a card reader or similar device that can access data stored on the device, which data may include consumer identification data, authentication data, or account data, for example. Some or all of the data read from the device is transmitted to the merchant's transaction or data processing system and then to the acquirer, which is typically the bank or other institution that manages the merchant's account. Transactions in which a consumer device is presented to a merchant or accesses a point-of-sale terminal are called card transactions because the payment device is located in the same physical location as the merchant or terminal.

[003] In addition to card transactions, a consumer may also initiate a transaction in a situation where the payment device is not located in the same physical location as the merchant or terminal, and instead the relevant data is provided to the merchant over a communications network (so called cardless transaction"). For example, a cardless transaction involving the purchase of a product or service may be initiated by a consumer providing payment information from a remote location to a merchant over a network such as the Internet. Transactions of this type are typically initiated using a computing device such as a personal computer or laptop. Cardless transactions may also be initiated or completed using a mobile device, such as a mobile phone, in which case communication with the merchant or data processing system may be via a cellular or wireless network.

[004] Given the large number of payment transactions, the variety of ways in which such transactions can be carried out, and the amount of money involved, fraud detection and prevention is an important consideration for any payment transaction processing system. This is done both to reduce losses and to ensure the integrity of the system so that consumers continue to use it. In this regard, there are many organizations involved in processing payment transaction data that could serve as a potential point of compromise. These include merchants, card readers, point-of-sale terminals (whether contact or contactless consumer handheld devices), data processors, acquirers, issuers, etc. If such a compromise occurs, it could lead to subsequent incidents of fraud in transactions processed by this or other organizations. For example, a compromise of one organization that processes payment transaction data could result in a security breach in which payment account numbers and other information that could be used to complete a transaction are stolen. Stolen data can be used to commit fraudulent transactions at retail outlets that are not associated with the location from which the data was stolen. For example, if a security breach (such as unauthorized disclosure of data or other form of "identity theft") occurs at a merchant or processor data, then multiple payment accounts may be subject to the possibility of subsequent fraudulent use.

[005] Thus, an important component of any technology solution aimed at reducing fraud in payment transactions is the ability to identify actual or perceived points of compromise in transaction processing. This may include identifying merchants or data processing organizations with characteristics that indicate they have been an actual point of compromise in the past, such that consumers who transact with that merchant or organization may have an increased risk of more frequent occurrences fraud on their payment accounts.

[006] While traditional methods exist to determine the point of compromise in a transaction processing system after a fraud has occurred, they typically examine a very limited set of data or characteristics of the organizations involved in processing payment transaction data. Thus, conventional methods do not provide a robust platform for examining multiple factors or potential attributes of a trade-off point and, therefore, may not be as effective as desired. Additionally, traditional methods do not provide a mechanism to monitor payments account transactions to identify accounts at risk of future fraudulent transactions based on the risk of compromise of the individuals involved in the transactions.

[007] An apparatus and method for identifying points of compromise and thereby helping to reduce fraud in payment transactions is desirable. The methods of implementing the invention eliminate the limitations of conventional approaches and other problems.

ESSENCE OF THE TECHNICAL SOLUTION

[008] The technical task or problem solved in this technical solution is to identify a possible point of compromise (POC) in the transaction processing system. [009] The technical result achieved by solving the above problem is to increase the efficiency of identifying a possible point of compromise through the use of machine learning algorithms.

[0010] There has also been a reduction in fraud as a result of investigating the identified organization and taking action to ensure legal compliance, as well as corrective actions to prevent a similar type of compromise in the future.

[0011] If the investigation confirms that the entity was indeed a POS, the consumer or issuer may be notified of the possibility of a payment account being compromised as a result of a transaction that was entered into or processed by the POS. This may result in the notified party canceling its payment account, placing its account under surveillance, or otherwise monitoring its payment account(s) for signs of fraudulent activity. Embodiments of the invention also provide a system, apparatus, and method for determining the types of data or transaction characteristics that may be most effective for use in identifying a point of compromise or to confirm that a suspected point of compromise is indeed the source of the problem.

[0012] Embodiments of the invention may also be used to identify a payment account that may be susceptible to fraud as a result of a history of transactions with entities that pose an increased risk of becoming a point of compromise. In such a situation, the invention can be used to prospectively reduce possible future fraudulent transactions by notifying the account holder or issuer, or by imposing a restriction on the account.

[0013] Embodiments of the invention are directed to an apparatus and method for reducing fraud in payment transactions by identifying a suspected point of compromise (POC) in a transaction processing system that could be the source of the information used to carry out fraudulent transactions. Embodiments of the invention also relate to systems, devices and methods for reducing fraud in payment transactions by identifying a payment account that may be at risk for future fraudulent transactions. In addition, embodiments of the invention are also directed to systems, devices and methods for identifying transaction data or characteristics that can be used to most effectively identify a point of compromise in a payment transaction system. In some embodiments, once a point of compromise or account at risk has been identified, other participants in the transaction processing system may be notified of the possible compromise of payment account data and take appropriate corrective action.

[0014] Unlike conventional methods, embodiments of the invention can be used both retrospectively (to determine a likely point of compromise after fraud has already occurred) and prospectively (to identify accounts that may be subject to fraudulent transactions in the future). Thus, embodiments of the invention can be used as part of the fight against fraud. Once such a promising trade-off point is identified, consumers with payment accounts that are now at greater risk of fraud can be notified and corrective actions can be taken to protect those consumers.

[0015] In one embodiment, the invention is directed to an apparatus for reducing fraud in a payment transaction system, wherein the apparatus includes: an electronic processor programmed to execute a set of instructions; and a data storage device coupled to the electronic processor and having a set of instructions stored therein, where upon execution of the set of instructions programmed by the electronic processor, the apparatus determines a point of compromise measure for each of the one or more entities involved in accessing or processing payment transaction data; defines the payment transaction measure for a payment transaction, and the payment transaction measure is obtained by aggregating the point of compromise for each of the organizations involved in accessing or processing data for the payment transaction; defines a payment account measure for a payment account, where the payment account measure is obtained by combining the payment transaction measures for each of a plurality of payment transactions conducted using the payment account; evaluates the payment account measure to determine whether it satisfies a predetermined condition indicating that the account is at risk of future fraud; and generates a notification or changes account operation if the payment account measure satisfies a predetermined condition.

[0016] In another embodiment, the invention is directed to a method for reducing fraud in a payment transaction system, where the method includes determining a point of compromise for each of one or more entities involved in a transaction, the payment transaction measure obtained by combining data access about payment transactions or their processing; determining a payment transaction measure for the payment transaction, a payment measure obtained by combining the point of compromise for each of the organizations involved in accessing or processing data for the payment transaction; determining a payment account measure for a payment account, where the payment account measure is obtained by combining payment transaction measures for each of a plurality of payment transactions conducted using the payment account; evaluating the payment account measure to determine whether it satisfies a predetermined condition indicating that the account is at risk of future fraud; and generating a notification or changing account operation if the payment account measure satisfies a predetermined condition.

[0017] In yet another embodiment, the invention relates to a method for identifying a point of compromise in a transaction processing system, where the method includes selecting a set of input data; selection of the signal obtained as a result of processing the input data; determining the point of compromise measure for an object based on a signal; assessing whether the point of compromise measure meets predefined conditions; And identification of an object as a point of compromise if the measure of the point of compromise satisfies a predefined condition. [0018] Other objects and advantages of the invention will become apparent to one skilled in the art upon reading the detailed description of the invention and the included drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0019] FIG. 1 is a functional block diagram illustrating the main functional elements of an exemplary system for conducting an electronic payment transaction and processing payment transaction data that may be involved in implementing some embodiments of the invention;

[0020] FIG. 2 is a functional block diagram further illustrating components that may be part of a payment processing network (or payment processing system), and elements that may interact with these components in order for a consumer to complete a payment transaction, and, as a result, that may be involved in a data security breach or identification of a point of compromise, in accordance with some embodiments of the invention;

[0021] FIG. 3 is a flow diagram illustrating certain data processing operations that may be involved in implementing certain embodiments of the invention;

[0022] FIG. 4 is a flow diagram illustrating some of the data processing operations that may be involved in implementing some embodiments of the invention;

[0023] FIG. 5 is a flow diagram illustrating a process for identifying a point of compromise within the processing of payment transactions in a system or network, in accordance with some embodiments of the invention; [0024] FIG. 6 is a diagram illustrating some of the functional components that may be present in an apparatus or device used to identify a point of compromise within a transaction processing system, transaction processing network, or performing other data processing operations in accordance with some embodiments of the invention; And

[0025] FIG. 7 is a diagram illustrating elements that may be present in an instrument, device, or system configured to perform a method or process in accordance with some embodiments of the invention.

DETAILED DESCRIPTION OF THE INVENTION

[0026] For purposes of describing embodiments of the invention, the following terms are intended to have the meaning indicated, where such meaning is intended to be illustrative and not limiting of the scope of the invention. [0027] Point of compromise (abbreviated POS from the English “Point of compromise”) - an object in a payment transaction processing system or network in which a security breach occurs, leading to unauthorized disclosure of data (for example, account security data, transaction data, personal data of the account holder, etc.).

[0028] Entity - An agent or element of a payment transaction processing system that has access to sensitive account or transaction data (eg, merchant, acquirer, issuer, merchant, processor for a group of acquirers, etc.).

[0029] An acquirer is a commercial organization (eg, a commercial bank) that has a business relationship with a specific merchant and manages its account(s).

[0030] An issuer is a business entity (eg, a bank) that issues a portable consumer (payment) device, such as a credit card, debit card, smart card, or contactless device, to a consumer for use by the consumer to complete a payment transaction.

[0031] A point of compromise (POC) signal of quantity or measure, which in an embodiment of the invention is used to determine an indication that fraud has occurred or is likely to occur.

[0032] Measuring or assessing a point of compromise (POC) - a feature (usually numeric) that is derived from a POC signal and provides an indication of whether whether the organization is a likely point of compromise or whether the account should be considered at risk for future fraudulent activity (where the account level indicator may be inferred from consideration of one or more transaction level indicators, each of which is derived from consideration of one or more organization POC level indicators).

[0033] Impact Window - The period of time during which it is believed that transaction data accessed or processed by an organization could have been made available to an unauthorized party as a result of a security breach within the organization.

[0034] Fraud watch window is a period of time during which transactions or accounts processed by an organization are reviewed to determine whether a fraudulent transaction has occurred within the account.

[0035] By way of general information and to describe the context in which the invention may be practiced, it should be noted that embodiments of the invention are typically implemented in the context of a payment transaction system.

[0036] In particular, they are implemented in the context of collecting or processing billing data or processing transaction data, since compromise is likely to occur within the organization responsible for some aspect of collecting or processing billing or payment transaction data. In a typical payment transaction that may provide data used in an embodiment of the invention, a consumer provides a portable consumer device, including a payment account or payment device identifier, to a merchant or service provider. The portable consumer device may be in the form of a card (eg, a magnetic stripe card or a smart card with an embedded chip) accessed through a terminal or card reader at a point of sale, or a device including a contactless element. Payment account information can also be provided to the consumer in a card-not-present situation (for example, over the network, as in an e-commerce transaction). [0037] Embodiments of the invention can be used to identify an organization that is part of a transaction processing system and represents a suspected point of compromise (POC) where such compromise has led to fraud and may lead to subsequent fraudulent transactions. Once a suspected ROS has been identified, investigative steps can be taken to determine whether the compromise actually occurred as a result of a security breach within the organization. If an organization is verified as a POC, then account holders that may have been compromised can be notified and corrective actions can be taken to prevent fraud or additional compromises in the future.

[0038] In some embodiments, an indicator may be obtained at the transaction or account level that indicates the likelihood that a particular transaction is fraudulent or that a particular account may be the subject of an attempted fraudulent transaction. In such cases, the invention can be used to reduce possible future instances of fraud: notifying account holders, reissuing invoices, imposing restrictions on account use, etc. Additionally, in some embodiments, the invention is also directed to systems, devices, and methods for identifying data, organizational characteristics, or transaction characteristics that can be used to most effectively identify a point of compromise in a payment transaction system.

[0039] Each user transaction is further analyzed in this technical solution.

[0040] Each transaction has several characteristics, both categorical and numerical, and occurs at a certain time.

[0041] The selected data can be described as different time series data, the outline of which is shown in Table 1. The merchant type field represents, for example, an airline, a hotel, a restaurant, etc.

Table 1

[0042] The presented Transactional Vector Representation Recurrent Neural Networks (E.T.-RNN) architecture is based on NLP techniques in the context of deep learning, in which the task of estimating an indicator that indicates the likelihood that a particular transaction is fraudulent or that a particular account may become subject to attempts to conduct a fraudulent transaction is solved as a text classification problem, using clients as texts and transactions as individual words.

[0043] Let us consider in more detail the presented TRN architecture and the principle of its operation for calculating the transaction indicator. The vectorization layer or the layer for generating vector representations (embeddings) is designed to display payment card transactions in the form of vectors in latent space (vectors in latent space are vectors that cannot be obtained explicitly, but only inferred through mathematical models) before transmitting them into the RNN encoder. In particular, each categorical variable in each transaction is encoded into a low-dimensional vector through the corresponding vectorization layer (embedding layer). At the beginning of training, embedding layers are initialized randomly and trained simultaneously with the encoder. The time attribute of a transaction is processed as a set of categorical variables, each of which represents part of a date (hour, day of week, month). Each transaction is then represented as a concatenation

5 Numerical Variables and Vector Representations of Categorical Variables.

[0044] The encoder is a single-layer RNN based on a controlled recurrent unit (GRU) (widely known in the art). The latent vector (latent space vector) from the last time step of the recurrent encoder was used as the client representation.

[0045] Classifier. The latent vector from the last time step is passed to the fully connected layer for classification. Through experimentation, it was found that the simple linear classifier5 outperformed several alternative approaches and was therefore the most feasible to use in the architecture.

[0046] The operation of the claimed method uses a standard quality characteristic of the model - the area under the ROC curve (ROC - receiver operating characteristic). Several loss functions can be used as an alternative for the ROC AUC maximization problem, including the classical binary cross-entropy functions: L _C E(P, y)=-£i logpi and the marginal ranking loss functions: kp(p,, p ₂ , y )=max(0,-y(p1-p ₂ )+margin), which are directly optimized by ROC AUC. The best data processing results were obtained using the marginal ranking loss function with a margin of 0.1.

[0047] Instead of a machine learning model based on a single RNN, the principle of ensemble can be used, which is intended to improve the quality of the model and its stability, while slightly losing to one RNN in time and computing power. Since there are a sufficient number of negative class examples (customers who had a fraudulent transaction event), it is therefore possible to use different subsamples of negative class examples to train each model in the ensemble of neural networks. [0048] The final version of the model uses the average of the predictions of an ensemble of six separately trained models as a practical balance between prediction quality and model training runtime. Improving ensemble quality and other possible ensemble strategies will be further discussed later in the application materials.

[0049] The data used for the experiments was provided by the banking sector. For the experiments, transactional data was used for clients who were deceived by fraudsters. The final sample only used data from applicants who had already used a debit or credit card product at the bank. If the client has several cards, then transactions from each card are taken into account.

[0050] The available transaction data is divided into subcategories: transaction level (eg, timestamp, country, amount, merchant type) and card level (eg, issuing branch, card type). Card-level data is duplicated verbatim for every transaction associated with the corresponding card. An example of three typical card transactions is presented in Table 1. Two derivative functions were also used, calculated from the transaction data: a. the difference in days between the time of the current transaction and the time of the previous transaction of this client; b. time in days elapsed from the card issue date to the transaction date.

[0051]Only transactions completed during the fraudulent activity period are accepted for training and verification.

[0052]0The training dataset represented more than 740 thousand customers with a total number of transactions equal to 200 million. The target variable was the event of fraudulent behavior. A period of one year was selected using the performance window attribute. Due to the risk of data non-stationarity, a time-free validation strategy was used. However, the results for validation outside the period were consistently higher, than results for timeless validation for a range of architectures and hyperparameters.

[0053] A subset of telephone fraud cases from a 16-month training period and a four-month validation period was used (timeless validation approach). The training and validation sets were the same for each model considered and the base model. Due to the large discrepancy between the number of positive and negative examples (due to the low default rate in the bank), we settled on the following undersampling strategy: before each experiment, we selected all positive examples and 10 times more randomly selected examples of the negative class. Each training epoch used all positive examples and an equal number of negative examples selected from the pool of negative examples.

[0054] All models were trained on each customer's last 800 transactions when available, and padded with zeros when the actual number of transactions for a customer was lower.

[0055] To compare the created model with other approaches, a model based on logistic regression was implemented. An additional model based on the gradient boosting method (GBM) was also used. Both logistic regression and GBM gradient boosting methods require a large number of aggregated features, manually prepared from transactional data, as input to the classification model. An example of an aggregate function would be the average number of successful fraud cases in the user's area.

[0056][0042] The LightGBM gradient boosting algorithm was used and approximately 7000 manually prepared aggregated features were created. Similarly, about 400 aggregate features were developed for logistic regression. The method of digitizing features by weight and dividing them into bins was used to transform categorical features. [0057] Selecting a recurrent encoder architecture. Experiments with various recurrent encoder architectures used long short-term memory (LSTM), bidirectional recurrent cells, and a guided recurrent unit (GRU). Based on the experiments, it was decided to use a single-layer GRU because the difference with the best performing bidirectional models was not statistically significant, while increasing the complexity of the model and obtaining a noticeable benefit in computing resources.

[0058] Loss function and learning rate. A batch size of 32 was used for training and a batch size of 768 for testing was used for all experiments. When using the loss ranking function, a new hyperparameter was introduced - the margin size of the loss function. As stated above, a loss function margin size of 0.1 produces the best results among all loss function hyperparameters.

[0059] The learning rate used in the gradient descent learning method and the learning rate decay graph are some of the most sensitive hyperparameters that can dramatically change the performance of the model. In this case, the graph of the optimal learning rate strongly depends on the loss function used, the batch size and the total number of parameters in the model. We tested several training modes and several learning rate reduction modes and found that for both the binary cross entropy (ALL) loss function and the ranking loss function, the most effective strategy was an aggressive linear reduction in the learning rate with gamma = 0.5

[0060]Regularization methods. Due to the low number of positive examples, all models show a tendency to overfit. Therefore, for regularization, various types of dropout were tested (in the process of training a neural network, a layer is selected from which a certain number of neurons are randomly ejected and excluded from further calculations), such as: a. Transaction dropout, which randomly drops some client transactions with a certain probability. b. Transaction shuffling, which randomly rearranges the order of client transactions. c. Dropout after the embedding layer, which randomly resets some components after the embedding layer.

[0061] The presented method on the proposed architecture of the evaluation model of an indicator that indicates the likelihood that a particular transaction is fraudulent or that a particular account may be the subject of an attempted fraudulent transaction was evaluated on a bank's production pipeline, which for each customer with a debit or credit card. Preparing the full ensemble of six models took about 4 hours on a Tesla P100 GPU. It takes about 17 minutes to reach 1 million customers on the Tesla P100 GPU. Withdrawal time depends linearly on the number of clients. These scores were used to make decisions about whether to obtain a client indicator for tens of thousands of applicants over a one-month period.

[0062] The claimed E.T.-RNN architecture significantly outperformed the reported baseline. Moreover, one of the most important features of the proposed approach is that it does not require feature engineering, unlike classical methods that rely heavily on hand-crafted features (e.g., 400 features for logistic regression and 7000 features for LGBM).

[0063] Number of transactions. The performance of the ET-RNN model is highly dependent on the number of available transactions per client. The quality of the estimate increases until a data quantity of -350 transactions is reached. Beyond this level, the performance gain due to additional transactions is fairly negligible. Additionally, the percentage of customers having more than 350 transactions is around 50 percent for the specified data set. This means that the proposed model achieves significant success in assessing bank clients. On the other hand, the proposed method is still effective even for applicants with a small number of transactions. For customers with more than 25 transactions (about 95 percent of the total number of customers), a ROC-AUC value of 82.5 was obtained.

[0064] The proposed method provides a good quality indicator calculation that indicates the likelihood that a particular transaction is fraudulent or that a particular account may be subject to a fraudulent transaction attempt, for the following reasons: a. Quite a large number of clients in the training data set. Neural networks have many parameters available to learn compared to classical approaches and therefore require more data than classical methods. b. The low-level, granular data used to operate the claimed method can be described as a sequence of events, and each event consists of several variables. c. High frequency data. As discussed earlier, more than 80 percent of customers have at least 100 transactions.

[0065] Thus, the proposed new method for automatically assessing an indicator that indicates the likelihood that a particular transaction is fraudulent or that a particular account may be the subject of a fraudulent transaction attempt, using the E.T.-RNN model, allows the use of detailed transaction data to indicator assessments. Tests carried out for compliance with standards using historical data showed high performance.

[0066] A significant advantage of the claimed approach is that even complex multivariate time series data can be directly used for training without any need for feature engineering. Because the neural network learns meaningful internal representations of the input data in training time, this reduces the need to generate hundreds or even thousands of manually created aggregated features, as is usually done in an indicator.

[0067] Embodiments of the invention include a data processing platform and associated methods for processing input data associated with the transaction history of a given set of payment accounts. These could be a. accounts known to have been fraudulently used (i.e. a payment account whose owner has reported a fraudulent transaction), b. accounts whose transaction history indicates evidence of “testing” (i.e., an attempt by a person intending to commit fraud to use a set of transactions to evaluate the fraud detection mechanisms of a transaction processing system), c. accounts used to conduct transactions processed by the organization during the relevant time period, or d. accounts that have characteristics indicating that they may be used for fraudulent transactions.

[0068] These are examples of possible input data, and it is understood that other types of data (eg, transaction data for all transactions conducted using an account or set of accounts that have been processed by an organization) may be used as input to the invention.

[0069] Another type of input data that can be used in the invention is data on all transactions for which authorization was requested during the relevant period of time. This data may be the result of a transaction authorization process, such as the "Advanced Authorization" (AA) process implemented by Visa. The transaction authorization process typically processes the received transaction information (ie, the account used to conduct the transaction, the merchant involved, the transaction amount, etc.) and produces a score or indicator of the risk associated with the transaction. The results of the Advanced Authorization process can be used by the issuer when deciding whether to approve or reject a transaction. Transaction authorization data may be used in the invention to help determine other information about a transaction or to understand the significance of associated fraud or other inputs by providing a method of debiasing, normalizing, or providing a baseline for evaluating the inputs.

[0070] It is worth noting that while authorization processes are used to assess the risk of a proposed transaction, the implementation of the invention is directed to assessing the risk associated with an organization that may have access to data for multiple transactions and accounts. Thus, it is necessary to look at a much larger data set and then assess the likelihood that accounts transacting with the organization will experience fraud due to compromise. For example, in the case of an organization that is a merchant, transactions passing through it during a relevant time period (or window) can be used to identify the corresponding accounts used for those transactions. Further, for these accounts, future transactions (during the second window) can be monitored to identify accounts that subsequently experience fraud. Based on this information, a merchant profile can be created, and based on the merchant profile, a merchant-level compromise score can be calculated. The Compromise Score represents the likelihood that an account will experience fraud due to past transactions with the organization. In some implementations, if this compromise score changes significantly between the first and second time periods, this may indicate a security breach in the organization.

[0071] Embodiments of the invention also allow the user to define certain parameters that will be used when processing input data to identify a possible point of compromise in the payment transaction processing system. These options include setting the type or level of organization that will be investigated as a possible source of compromise, setting the time permission for data processing and output generation, establishing data "windows" that define which set of data is considered for transactions that occurred within that window, and which the data set is examined for signs of fraud resulting from these transactions, the application of at least one data filter to remove noise or cross-correlation effects, etc.

[0072] Once processing parameters have been determined, embodiments of the invention allow the user to select a fraud indicator, fraud measure, or other “signal” of interest. This signal represents the amount or measure that the invention will examine as an indication that fraud has occurred, and it is usually represented as the value of the indicator at a specific time. Examples of such signals include, but are not limited to, the subsequent (confirmed) level of fraud (or fraud event) for an entity after a set of accounts have engaged in a transaction with that entity or transactions have been processed by that entity, the estimated time to fraud for the entity, the availability test activity (as implied by certain patterns of transaction attempts) or increased AdvancedAuthorization (AA) scores of transactions (implying increased risk for a set of accounts). Other potential signals include inconsistent and discontinuous increases in transaction amounts or changes in online shopping behavior, geographic purchasing patterns or other previous behavior.

[0073] Typically, the result of processing the input data includes a "signal" value as a function of time over a period of time defined by the fraud observation window. The signal value is a measure of the amplitude or level of the characteristic being examined. The temporal resolution of a signal (i.e., the number of amplitude or level measure values in a time range) will depend on the resolution used in processing the input data (i.e., whether multiple data points were converged into a single point, etc.). Signal values as a function times typically vary within a fraud observation window, and one aspect of the invention is to transform or interpret these values as an indication (eg, a score) of the likelihood that the entity under investigation is a point of compromise. As will be described, such conversion or interpretation may involve the use of various types of statistical models or tools that generate an estimate based on means, average readings, standard deviations, variability, scatter, fit to a given function, or other characteristics of the signal.

[0074] The selected specified signal may be processed to enhance the ability to determine a point of compromise as a result of the signal. Such signal processing may include applying filters to increase the signal-to-noise ratio (SNR), selectively reducing noise components, removing certain trends that may make the output less reliable, normalizing to a baseline to account for missing data, etc. After signal processing, the invention produces an output signal (eg, a measurement of an object's characteristic as a function of time) for a selected object type or level. The output value can then be subjected to one or more types of statistical analysis or models to produce a point of compromise (POC) measure or score for the organization. This may involve applying one or more types of models or operations to the signal, thereby converting signal values as a function of time into scores or indicators. Such models or operations may include, but are not limited to, considering averages, averages, deviations from averages or averages, integrating the value of a signal over a suitable period of time, applying a suitable transform or function to the signal, convolving the signal with a function representing an organization characteristic or type transactions, inclusion of historical information regarding the organization, transactions or accounts, etc.

[0075] An organization's POC indicator or score may be subject to a threshold or other form of assessment to determine whether indicator to the point of compromise (in this case, the assessment or inference method used can be modified to reduce the number of false positives, provide the desired detection efficiency or other operational characteristic, compare the current POC indicator with the previous one, etc.). If the score is considered to indicate a point of compromise, then appropriate alerts or notifications can be created for issuers, consumers, acquirers, or others involved in payment transactions. An investigation may also be initiated that will lead to corrective action if the organization is confirmed to be a point of compromise. A POC indicator for one or more entities involved in a transaction can be used to calculate a transaction-level POC indicator, which may indicate that a particular transaction (either historical or proposed as part of an authorization request) should be examined more closely , because it may be fraudulent. The POC estimates for all transactions posted to a particular account can also be combined (by addition, appropriate weighted addition, application of specified functions or transformations, etc.) to create an account-level POC estimate. This can be used to indicate that a particular account is at risk of future fraudulent activity. In such cases, a warning may be issued, the payment account may be closed and reissued to the consumer, transactions conducted using the account may be blocked or restricted by conditions (eg, quantity, frequency, amounts, types of merchants), etc.

[0076] The following is a description of the organizations involved in processing and authorizing payment transactions and their role in processing payment transaction data. The discussion will help identify specific organizations that may be the source of a security breach, that is, organizations that may be a point of compromise (POC). Fig. 1 is a functional block diagram illustrating the main functional elements of an exemplary electronic payment transaction and data processing system 20 payment transaction, which may be involved in the implementation of some embodiments of the invention. Generally, an electronic payment transaction is authorized if the consumer conducting the transaction is properly authenticated (i.e., his identity and legal use of the payment account is verified) and has sufficient funds or credit to complete the transaction. Conversely, if the consumer's account has insufficient funds or credit, or if the consumer's payment device is on a negative list (for example, indicating that it may have been stolen), then the electronic payment transaction may not be authorized.

[0077] As shown in FIG. 1, in a typical transaction, a consumer 30 wishing to purchase a product or service from a merchant provides transaction data that can be used as part of the transaction authorization process, typically using a handheld device 32 that functions as a payment device. Consumer 30 may use a portable consumer device 32, such as a card with a magnetic stripe encoded with account information or other relevant data (eg, a standard credit or debit card) to initiate a transaction. In an electronic commerce (eCommerce) transaction, the consumer may enter data into a merchant communication device or other element of the system 20, such as a laptop or personal computer. The consumer may also initiate a transaction using data stored and provided from a suitable storage device (eg, a smart card, a mobile phone or PDA containing a contactless element, or a portable storage device). As an example, a card or similar payment device may be presented to a point-of-sale terminal, which scans or reads data from the card. Similarly, a consumer may enter payment account information into a computing device as part of an e-commerce transaction. Next, the consumer can enter payment account information into a cell phone or other wireless communication device (such as a laptop computer or personal digital assistant (PDA)) and transmit this data to the merchant, the merchant's data processing system, or the device's transaction authorization network. A portable consumer device comprising a contactless element may also initiate a payment transaction by communicating with a point-of-sale device reader or point-of-sale terminal using a short-range communication mechanism such as NFC (Near Field Communication), radio frequency, infrared, optical communication, etc. . Thus, in some cases, access device 34 may be used to read, scan, or otherwise interact with a consumer's portable device and thereby obtain data used in a payment transaction. [0078] Payment account data (and, if necessary to process the transaction, other consumer data) is obtained from the consumer's device and provided to the merchant or its data processing system. The merchant or its data processing system generates a transaction authorization request message, which may include data received from the consumer's device as well as other data related to the transaction and the merchant. As part of generating the authorization request message, the merchant or the merchant's transaction data processing system may access a database that stores data about the consumer, the consumer's payment device, and transaction history with the merchant. The merchant transaction processing system typically interacts with the merchant acquirer 24 (eg, a commercial bank that manages the merchant's accounts) as part of the overall transaction authorization process. The merchant transaction processing system and/or merchant acquirer 24 provides data to the payment processing network 26, which, among other functions, participates in the clearing and settlement processes that are part of the overall transaction processing.

[0079] Payment processing network 26 may be operated in whole or in part by a payment processing organization such as Visa. As part of the transaction authorization process, payment processing network element 26 accesses the account database, which contains information about the consumer's history, return or dispute history, creditworthiness, etc. Payment card processing network 26 interacts with issuer 28 as part of an authorization process, where issuer 28 is the entity that issued the payment device to the consumer and manages the consumer's account. Consumer account data is typically stored in a consumer database that is accessed by the issuer 28 as part of the transaction authorization and account management processes.

[0080] Payment processing network 26 may include data processing systems, elements, and networks and may be configured to implement operations used to support and provide authorization services, stop list services, and clearing and settlement services. An example of a payment processing network would be VisaNet. Payment processing networks such as VisaNet are designed to process credit card transactions, debit card transactions, and other types of commercial transactions. VisaNet, in particular, includes the VIP system (Visa Integrated Payments system), which processes authorization requests within transactions, and the Base II system, which performs clearing and settlement services for transactions. The payment processing network 26 may include a server computer. A server computer is usually a powerful computer or cluster of computers. For example, a server computer may be a large computer, or a cluster of minicomputers, or a group of servers operating as a single unit. In one example, the server computer may be a database server connected to a web server. The payment processing network 26 may use any wired or wireless network, including the Internet, to facilitate communication and data transfer between system elements.

[0081] With reference to the system elements depicted in FIG. 1, it should be understood that there are many elements or organizations that can be the site of a security breach and thus serve as a point of compromise (POC). For example, access device 34 may be compromised such that account information and possibly other data obtained from portable consumer device 32 are inappropriately provided to an unauthorized party. side. In such a situation, the device used to access or read data from a portable consumer device is the source of sensitive data that is provided to a party that does not have access to that data. This may occur if the card reader is equipped with a device that can read the magnetic stripe on the inserted card and store this data for later access. This can also happen, for example, if a merchant reader or terminal does not process payments properly, such as Visa. Another possible point of compromise is the retailer's data processing system itself. In such a case, account data obtained from the consumer's device may be stored on the merchant's system and may be inappropriately accessed by an unauthorized user or misused by an authorized user of the system. Likewise, the security measures of an acquirer's or issuer's data processing systems may be breached, allowing access to an unauthorized person who then uses the data stored in those systems to attempt fraudulent transactions. Another possible point of compromise is the data processor (for example, for a group of acquirers) that is part of the payment processing network. In this case, a large number of account numbers and related information may be improperly obtained and used in subsequent attempts to conduct fraudulent transactions.

[0082] Given the large number of transactions and numerous organizations that may be the site of a payment processing system security breach, it is desirable that a system designed to identify points of compromise take into account multiple factors and data processing techniques associated with these factors to most effectively identify the point of compromise compromise. Embodiments of the invention can do this by providing multiple ways to process data associated with a transaction and flexibility regarding factors that are considered an indicator of the location of compromise. Instead of relying on one heuristic or rule base, as is the case in many traditional methods, embodiments of the invention take into account many possible indicators of a point of compromise or fraud (i.e., the "signals" described earlier), as well as many ways to interpret these signals to obtain an estimate of the point of compromise that may be used to determine whether an organization is a likely source of compromise.

[0083] FIG. 2 is a functional block diagram further illustrating components that may be part of a payment processing network (or payment processing system) and elements that may interact with these components so that a consumer can complete a payment transaction and may be involved as a result. compromising data security or identifying a point of compromise, in accordance with some embodiments of the invention. It should be noted that although element 204 is referred to as a payment processing system or element in FIG. 2, it may be a processing device, apparatus, server, group of servers, etc. that are part of a larger network. For example, element 204 may be one of a group of processing platforms operated by or providing data to the organization responsible for operating the payment processing network depicted in FIG. 1.

[0084] As shown in the Figure, elements interacting with the system 204 include the acquirer 202, which provides an authorization request message 220 for a payment transaction to the payment processing system 204. The payment processing system 204 may provide the processed authorization request message 222 to the issuer 210 to assist issuer 210 to decide whether to authorize or deny the transaction. The issuer 210 provides the payment system 204 with an authorization response message 224 containing information about whether the transaction was approved or rejected. An authorization response message 226 (which may be the same as message 224 or contain other information) is provided to the acquirer 202 to inform the acquirer 202 (and ultimately the merchant and consumer) whether the transaction has been approved or declined. [0085] When processing transaction authorization messages or when processing other data associated with payment transactions (or records related to the processing of payment transaction data by other organizations), the payment processing system 204 may use one or more of the components or elements depicted in FIG. 2. Such components or elements include a processor or central processing unit (CPU) 203 that is programmed to execute a set of instructions, some or all of which may be stored in a storage device or memory 206. The instructions may include instructions that, when executed, cause the system payment processing 204 perform one or more payment transaction data processing functions or operations (as suggested in the Transaction Authorization Operations instructions or instruction set 208), and/or functions or operations designed to assist in reducing fraud by identifying or confirming a point of compromise (as suggested by the Handling Point of Compromise instructions or instruction set 207). In performing these operations, the processor or central processing unit 203 may access one or more databases 209 containing data and information that may be used by the payment processing system 204 to identify or confirm a point of compromise or to determine the nature of the data or transactions that may be used for these goals. Such data or information may include, but is not limited to, data relating to a consumer or group of consumers who conducted a payment transaction with a particular merchant on certain dates, the transaction and fraud history of those consumers following a transaction with that merchant, the merchant's fraud history or chargebacks, transactions carried out by a group of consumers, etc. Payment processing system 204 may use network operating interface 205 to communicate with other elements depicted in FIG. 2.

[0086] FIG. 3 is a block diagram illustrating some of the data processing operations that may be involved in implementation of some embodiments of the invention. The processes, operations or functions that will be described with reference to FIG. 3 may be implemented by a central processing unit (CPU), microprocessor, or other suitable processing element that is programmed to execute a suitable set of instructions. By way of example, one or more of the processes, operations, or functions depicted in FIG. 3 may be implemented by the processor/CPU 203 in FIG. 2, Data/Instruction Handler 602 in FIG. 6 or CPU 773 in FIG. 7.

[0087] As shown in FIG. 3, in some embodiments, the method of the invention operates by processing a set of selected input data (denoted "Input Select 302"). In some implementations, the input data may include records of fraudulent transactions that have been reported by issuers (ie, known or confirmed fraud). A transaction reporting fraud can be matched to the original transaction authorization data. This can be used to provide account details, merchant details and other transaction information. Other inputs may include those for accounts where the transaction history indicates "testing" (i.e., the activity of a person intending to commit fraud in attempting to complete a series of transactions as a way of evaluating the fraud detection mechanisms of the transaction processing system), transaction records for all accounts used to conduct transactions with a specific entity or entities, or accounts or transactions that have indications that they may be used to commit fraud or are fraudulent (for example, a fraud score or other indicator that falls within some range) . Another type of input data that can be used in the invention is data on all transactions for which authorization was requested during the relevant period of time. This data may be the result of a transaction authorization process, such as the AdvancedAuthorization (AA) process implemented by Visa. These are examples of possible inputs and it is intended that other types or data forms can be used as input for the invention.

[0088] Embodiments of the invention may prompt the user or otherwise specify certain parameters that will be used when processing input data to identify a possible point of compromise in the payment transaction processing system (denoted as "Processing Parameter Selection 304"). These options include setting the type or level of organization that will be investigated as a possible source of compromise (e.g. merchant, issuer, data processor, acquirer or acquiring organization's data processor, etc.), setting the time permission for data processing and output generation , establishing data "windows" that define what set of data is considered for transactions that occurred within that window and what set of data is considered for indications of fraud as a result of those transactions, applying filters to remove noise or cross-correlation effects, etc. . Note that if an object is identified as a possible point of compromise, then a subdomain of that object can be further investigated to identify the actual point of compromise.

[0089] For example, it has been determined that a period of several days, weeks, or months may be used to obtain useful results. The time resolution may be chosen to be equal to the time period or some period less than the time period. Selecting a time resolution (and in some cases a window) may involve consideration of a period large enough to provide a degree of stability and a period small enough to detect change. In addition, the temporal resolution may differ depending on whether the invention is examining the ability to detect a given signal, as opposed to examining when the detected disturbance occurred. In some embodiments, the invention has shown that for both merchant and processor level organizations, and for the known trade-offs considered, a time period of four weeks was effective period, and was generally more effective than the shorter period.

[0090] As noted, in some implementations there may be two gains that require determination: a. (1) the impact window, which is the period of time during which transaction data held by the organization is considered likely to be transferred to an unauthorized party as a result of a security breach in the organization; and b. (2) a fraud surveillance window, which is a period of time during which transactions or accounts processed by an organization are monitored for evidence of fraud. The fraud observation window is usually selected some time after the impact window because there is a period of time required for the incorrectly obtained data to be used in an attempt to commit a fraudulent transaction (which may be referred to as the "conversion" time or period).

[0091] It is worth noting that in typical circumstances a compromise is followed by a period of conversion (which is the start of one or more attempts to commit fraud), but the fraud may not be detected until some time after the fraudulent activity has begun.

[0092] Once processing parameters have been determined, embodiments of the invention may allow the user to select a fraud indicator, fraud measure, or other form of “signal” of interest (denoted “Select Fraud Measure or “Signal” of Interest 306”). This signal is a quantity or measure that the invention will use to determine an indication that an incident of compromise has occurred at a specified facility. Examples of such signals include, but are not limited to, the subsequent (confirmed) level of fraud (or fraud event) for an entity after a set of accounts has engaged in a transaction with that entity, or transactions have been processed by that entity, the estimated time to fraud for the entity, the presence of test activity (as suggested by certain patterns of transaction attempts), or an increase in AdvancedAuthorization (AA) scores of transactions (implying an increase in risk for a set of transactions. Other potential signals include inconsistent and discontinuous increases transaction amounts or changes in online shopping behavior, geographic purchasing patterns or other past behavior.

[0093] It is worth noting that instead of a rate, the raw number of accounts or the selected type or level of organization (labeled "Calculate Organization Score 308"). The processed signal may be in the form of an amplitude or a measure of the signal as a function of time, and may be subjected to one or more types of statistical analysis to obtain an estimate of the point of compromise for the organization of interest. Suitable types of statistical analysis include the use of baselines, Z-scores, or a combination of baselines and Z-scores. Other statistical approaches may also be used, such as filters, odds ratios or logarithms of odds ratios calculated from baselines, application of a change detection algorithm or processing method, application of a specific model representing the entity, selective weighting, scaling, application of a specified weighting function, convolution with a function representing a characteristic of an entity or a transaction type, etc. In general, any suitable type of statistical analysis method can be used that can be applied to a processed (and typically time-varying) signal to produce an output measure or estimate where the applied method provides the desired degree of confidence that the output measure or the assessment may rely on the inference of the existence (or possibility of existence) of a compromise point. This may include combining the estimate with other data related to the account to produce a final estimate that indicates the possibility of POC, considering how much the estimate for the organization deviates from average rating for a group of similar organizations, etc. Various ranking techniques, heuristics, or algorithms can be used to determine whether a score should be relied upon to indicate the possible existence of a POC, or whether a particular organization in a group of organizations is more likely to be a POC than others.

[0094] Once calculated, the organization's POC score may be subject to a threshold assessment or other form of assessment to determine whether the score should be considered an indicator of a point of compromise. If the score exceeds the threshold or meets a certain value for a given number of days or investigation periods, the score differs from the score for the previous period if the organization is confirmed to be a point of compromise. This may include conducting a more in-depth analysis of fraudulent activity associated with the organization, tracking fraud trends over a period of time. The processes used to determine whether a POC assessment should be considered an indication of a point of compromise are represented by the module labeled “Determining the Presence of a Possible POC 310” in the figure. Subsequent actions that may be performed as a result of an entity's POC assessment indicating the existence of a point of compromise are presented in the Investigation, Corrective Action 312 module of the Figure. An estimate of an organization's POC can also be obtained by applying a statistical analysis technique (such as logistic regression) to a set of data for a single entity or a group of entities. Thus, in some embodiments, a “signal” may be generated for multiple organizations and a statistical method is used to assist in determining the most likely source or sources of compromise. In addition, trend analysis of POC indicators or indicators over time can be used to confirm the existence of a point of compromise (for example, a POC indicator that increases and remains at an elevated level for a sufficient period of time). It should also be noted that time windows may change as part of the analysis in an attempt to determine the correct time period during which the compromise occurred, as well as to determine the delay between exposure and the actual execution of the bulk of the fraudulent activity (i.e., the period of time for converting incorrectly received data into actual fraud attempts). Next, the regression method can be applied to the set of values for possible time intervals to determine the most likely exposure period. Thus, the invention provides a platform for determining which parameter values are most effective in identifying whether a compromise has occurred and in determining which of several entities is the most likely source of compromise. In the case where the input data includes data about confirmed (known) fraud, the invention can be used to determine the likely source of compromise that led to this fraud. In such cases, the invention provides a tool for retrospectively identifying the point of compromise and then taking corrective or remedial action.

[0095] It should be noted that depending on the input data used, the result of the invention may be useful for identifying risks to accounts that are likely to arise in the future, while other forms of input data may be more effective in identifying a possible point of compromise before actual fraud occurs. For example, limited fraud data is thought to provide a better indication of subsequent risk to an account or accounts, while the presence of "testing" activity or elevated enhanced authorization scores may provide a mechanism for detecting a potential point of compromise (i.e., before how fraud or significant fraud will occur).

[0096] Once the POS score for the organization or organizations is determined, a transaction-level POS score can be determined (as shown in the Transaction Score Calculation 314 module of the Figure). In some implementations, this may be accomplished by combining the POC estimate for each entity that may be associated with the transaction (e.g., merchant, data processor, point of sale terminal, etc.). The combination can be performed by any suitable method, including summation, weighted summation, multiplicative combinations, application of a suitable transformation, convolution with a given function, etc. A transaction level POC assessment may indicate that a particular transaction (whether conducted in the past or proposed as part of an authorization request) should be examined more closely because it may have been (or is) fraudulent (for example, because the POC indicator of the entity involved in the transaction , or indicators from multiple organizations involved in the transaction indicate that a compromise has occurred).

[0097] As indicated, in some embodiments, in order to determine a transaction-level POC score, it may be necessary to consider all independent sources of risk such that the score reflects the contributions of multiple entities (e.g., merchant, acquirer, issuer, acquirer-issuer, and etc.). However, as the inventors acknowledge, in practice this approach may be too complex and computationally inefficient. Signals are rare events, and for short time periods organizations almost always demonstrate zero or negligible risk. When the risk is not negligent, two situations may arise. In the first case, one organization exhibits much greater risk than others. In this situation, all but high-risk contributions can be ignored and the risk is assumed to come primarily from one source. In the second situation, two or more organizations exhibit similar levels of increased risk. In this case, the entities may be correlated and should not be treated as independent sources. Although it is possible that these objects have multiple independent signals occurring as part of a single transaction, the inventors believe that such cases are rare and can be ignored in first-order calculations. Note that since the invention is typically used to study one organization at a time, in such cases the possibility of multiple transactions being compromised by the action is ignored or treated as a lower order action. [0098] The POC estimates for all transactions conducted using a particular account can be combined (by adding, adding with appropriate weighting or filtering, applying a given convolution transformation using a given function, etc.) to create an account-level POC estimate (as suggested in the module entitled "Calculating Score Estimate 316" in the Figure). An account level POC indicator can be used to indicate that a particular account is at risk of future fraud by applying a threshold or trend analysis (as suggested in the module labeled “Determining the Presence of Future Possible Fraud 318” in the Figure). In such cases, a "warning" may be issued, the payment account may be closed and reissued to the consumer, certain types of transactions may be blocked (based on merchant category, number of transactions, or frequency of transactions), etc. This is an example of the proactive or forward-looking use of methods and activities that are part of the implementation of the invention. In such cases, the account may be flagged and monitored as a likely candidate for future fraudulent transactions based on the aggregate POC indicator for transactions conducted using the account.

[0099] Transaction and account level POC indicators can be processed to identify patterns, data values, transaction trends, transaction types, or other information that contributes to relatively higher POC indicators. This can improve the ability to identify accounts that have a higher risk of being the target of attempted fraud. Regardless of the identification method, when such an account is identified, a warning may be issued, the payment account may be closed and reissued to the consumer, etc. (as suggested in the "Generate Warning Notification, Reissue Bill 320" module in the Figure). [00100] It should be noted that in some embodiments, the invention may be used to provide a real-time or pseudo-real-time indicator of suspected fraud on an account. In this case, the invention may be used to monitor some or all accounts transacting on a payment network (such as the Visa network) and assess the risk that the account may be susceptible to fraudulent activity at a later date. This assessment may be based on the cumulative impact of POC estimates (or changes in estimates) of entities involved in transactions conducted using the account. This type of assessment may be especially relevant for accounts that have been involved in a compromise incident (for example, conducting a transaction with a known POC). When an account is determined to be at risk, transactions may be restricted, subject to conditions, blocked, accounts closed and reissued, etc. In some embodiments, the results of such an assessment may be attached to an authorization message or other form of transaction processing message as an indication that the account or transaction should be monitored or otherwise subject to a higher level of scrutiny.

[00101] Note further that in some embodiments, the results of the processing implemented by module 318 may be used to improve detection or identification of a point of compromise at the organizational level. For example (as suggested by the module labeled “POC Value Expansion 322” in the figure), account risk (based on the account level POC assessment and processes implemented by module 318) can be used to improve the invention's ability to identify an entity as a point of compromise. This can be done by using risk sources in an account-level risk assessment to better determine which of several possible organizations is a point of compromise. The account POC level assessment and the account risk assessment may also be used to modify the processes implemented in module 310 by changing filters, thresholds, etc.

[00102] When determining an account level POC estimate, although each account transaction may affect the overall risk of the account, certain data processing assumptions may be useful to make the determination process more computationally efficient and practical to implement. In a sense, the goal is to accurately account for all independent transactions without exaggerating the risk due to correlating events. As the inventors recognized, accounts with multiple transactions are more susceptible to compromise, and accounts that are repeatedly compromised present an opportunity.

[00103] To understand the computational problems encountered in some embodiments of the invention, consider an account with N transactions. A complete risk calculation involves calculating all the correlations between all transaction permutations, which is non-trivial and becomes difficult to do as N gets large. Instead, it may be preferable to apply complexity estimation or reduction, which reduces the number of correlation calculations. In this regard, the following points are worth noting: a. additional transactions through the same enterprise in the same period do not introduce additional risk; b. as an extreme case, the risk of the account may be as great as the risk of the riskiest trade. Because in some cases the risk of one transaction dominates, the maximum POC score of the transaction can be used to represent the POC score of the account without introducing significant error. This is especially true for single compromised accounts; c. when there are multiple trades, the correct approximation is to use only two-way interactions in risk calculations. The computational complexity is reduced to O(N2). This allows for a higher, but still potentially lower, risk; d. If a subset of transactions are characterized by increased risk, the account risk can be considered to be associated with these “risky” transactions. The rest may be considered to introduce negligible risk. As a result, two-way correlation only needs to be calculated for these “higher risk” transactions; and e. Since correlated transactions introduce less risk into the account, the correct simplification is to exclude correlated transactions from consideration. A good approximation for risk correlation is the similarity between transactions. Therefore, less risky surgeries that share common features with riskier surgeries can be ignored.

[00104] As a result of the above considerations, as a first approximation, the account level POC score may be taken as the highest transaction POC score for the account. Further, in some cases it is important to understand the strength (or level of confidence) of an assessment. A simple approximation is that the level of confidence in an estimate is proportional to the difference between the POC scores of the two riskiest transactions. Although this only reflects first order effects, the inventors believe that it will be effective in practice.

[00105] In some embodiments, the invention may include a feedback or learning mechanism that provides adaptive control of certain aspects of the data processing operations implemented by the invention. For example (as suggested by the module entitled “Result Validation, Process Flow Adjustment 324” in the figure), the determination of possible point(s) of compromise generated by the invention can be compared to the actual (i.e., known) points of compromise that led to fraud to confirm the results of the invention. In addition, by performing a sensitivity analysis or other form of evaluation, the parameters of the data processing operations implemented by the invention can be examined and modified to obtain more accurate results. Next, different combinations of parameters can be selected and run as “test cases” to determine which ones are more or less likely to produce results that are supported by actual knowledge of points of compromise.

[00106] FIG. 4 is a flow diagram illustrating certain data processing operations that may be involved in implementing some embodiments of the invention. Note that the operations or functions depicted in FIG. 4 are intended for the purpose of describing a relatively high-level implementation of one or more embodiments of the invention; embodiments may include other operations or functions, where these other operations or functions may be implemented as part of those shown in the figure, or as separate operations or functions in addition to those shown in the figure. In addition, some embodiments may not include one or more of the operations or functions shown in the figure.

[00107] Referring to FIG. 4, in some embodiments, the invention may be carried out by first accessing a desired set of input data (step or step 402). As discussed, the selected inputs may vary depending on the type of ROS being investigated or based on the fraud situation being considered (e.g., known or confirmed fraud, detection in the ROS retrospectively or potentially, etc.). Next, processing parameters for processing the data are selected (step 404). As discussed, this may involve selecting the organization of interest, setting a time interval, setting “windows” to determine what data will be examined, etc. After selecting the processing parameters, a compromise signal or indicator point is selected (step 406). As already discussed, various possible "signals" can be selected, with the selected signal being determined to some extent by the situation or available data. The signal may be subjected to processing operations to increase the signal-to-noise ratio (for example, removing the effect of autocorrelation between accounts), to account for missing or incomplete data (by normalizing the data to a baseline, such as a national signal or a national merchant category), to account for fluctuations in transaction volume (to remove trend, drift or seasonal effects), or by applying one or more filters to remove certain sources of noise.

[00108] Note that each fraudulent account can contribute both signal and noise. In extreme cases, the compromised account has only one previous transaction. In this case, it can be known exactly where and when the incident of compromise occurred. In this case, the count is considered to have contributed only to the "signal". As the number of previous transactions increases, uncertainty increases. The uncertainty increases when previous transactions are also in the same organization, thus raising the background.

[00109] Next, the POC score for the relevant entities or elements (such as a transaction or account) of the payment transaction system is determined (step 408). As described, an estimate of the POC can be obtained from the processed signal by applying a suitable statistical model or technique. The model or method used may depend on the type of organization involved, the type of input data, the retrospective or prospective nature of the investigation, etc. Once the POC indicator has been determined, the indicator is evaluated to determine whether it indicates a point of compromise (step 410). This may include applying a threshold or test to the score, evaluating the score using a suitable inference model, applying a score or signal detection model to the score or signal, etc.

[00110] If the POC assessment relates to a suspicious organization, then this can be considered a retrospective application of the invention. In response to the identification of a suspicious POC, issuers or account holders may be alerted, an investigation may be initiated to confirm that the compromise has occurred, corrective action may be taken, etc. (step 412). If the POC assessment relates to counting, then this can be considered a promising application of the invention. In such a case, the invention identifies the account at risk and proactive actions can be taken to reduce the likelihood of fraud within the account (step 414), such as notifying the account owner, blocking transactions, placing conditions on transactions, reissuing the account, etc.

[00111] FIG. 5 is a flow diagram illustrating a method for identifying a point of compromise in a payment transaction processing system or network in accordance with some embodiments of the invention. In the process shown in FIG. 5, a change in the POC indicator for an organization or account over time can be used as an indication that the organization is the source of compromise or that the account is likely the subject of a fraud attempt. As shown in the Figure, in some embodiments, the POC score (or scores if more than one organization or account is considered) may be determined for a first set of exposure/observation periods or time periods (step or step 502). Next, a POC estimate (or estimates) is determined for a second set of exposure/observation periods or windows (step 504, where the exposure window or observation window for the second set may or may not be different from that used in the first set). The two POC estimates (or sets of estimates) are then compared (step 506). The comparison may be made by ratio, statistical comparison, or other suitable process. The comparison result is then evaluated to determine whether the result indicates a point of compromise (in the case of organizational POC assessments) or an account at risk (in the case of an account-level POC assessment) (step 508). The evaluation can be done by applying a threshold, an inference model, a statistical process, etc. If the result of the comparison indicates or suggests the presence of a point of compromise or account at risk (with a reasonable level of confidence), then appropriate action may be taken (step 510, e.g., raising an alert, blocking the account, imposing conditions on transactions conducted or processed by the organization, imposing conditions for transactions carried out using the account, re-issuance of the account, etc.).

[00112] Thus, FIG. 5 depicts the process of determining the POC or account at risk by considering whether the POC indicator has changed significantly over time (this change can increase or decrease). This type of detection model can be used in situations where the invention is used to monitor the POC score of an organization (or organizations) over time and "flag" an entity as a possible point of compromise when sufficiently significant changes in the POC indicator are detected. In this use of the invention, the inventive methods, methods and operations can be performed in the background to provide a continuous assessment (based on the calculation of POC scores for various exposure and fraud monitoring windows) of the risk posed by the multiple entities that are part of the payment transaction processing system. A "baseline" or standard POC indicator can be calculated for an organization based on the organization's fraud history over a period of time, and the invention can be used to detect changes in this baseline indicator that may indicate a security breach.

[00113] In some embodiments of the invention, point of compromise processing may be implemented using the device shown in FIG. 6, which is a diagram illustrating some of the functional components that may be present in an apparatus or device used to identify a point of compromise in a payment transaction processing system or network or to generate other data processing operations, in accordance with some embodiments of the invention. In some embodiments, the apparatus, processing device, or computing device may be operated by a payment processing organization (such as Visa) or otherwise associated with a payment processing network element. Fig. 6 represents a computing element, a central processing unit (CPU), microprocessor, or other element capable of executing a set of instructions (referred to as “data/instruction processor 602” in the figure). The processor is programmed with a set of instructions stored in a suitable data store or memory (labeled "data/instruction store 604" in the figure). When the instructions are executed by the programmed processor, the point of compromise processing device operates to perform one or more of the processes, operations, or methods that are part of the invention. The memory element may also store data that is used by the processor to perform inventive processes, operations, or methods. Such data may include information about transactions, accounts, organizations, etc., which is processed to detect a possible point of compromise.

[00114] Executable instructions or data stored in a data/instruction storage element may include instructions for performing one or more processes, functions, operations, or methods. For example, the instructions may include instructions that when execution implements the process of obtaining input data for POC processing (indicated in the figure as "Input Processing Process 606") and, if necessary, formatting or otherwise preparing this data for use in POC processing. The input data may be provided by any suitable data input, network connection or interface, as represented in the element labeled "User Interface/Web Interface/AP1 618" in the figure. The instructions may include instructions that, when executed, implement a process for performing one or more of selecting parameters to use when processing input data within the POC definition (labeled "Processing Parameter Selection Process 608" in the Figure), selecting a "signal" to be used as a POC indicator (labeled "Signal Selection Process 610" in the Figure), applying one or more signal processing techniques to detect the signal, increasing the signal/inactivity ratio used as the POC indicator (labeled "Signal Selection Process 610" in the Figure), applying one or more signal processing techniques to improve signal detection, increase signal-to-noise ratio, or otherwise improve the reliability of POC detection (labeled “Signal Processing to Improve SNR Process 612” in the Figure), from the signal, calculate one or more of the organization's POC estimates . and, if relevant, other data, determine whether these estimates indicate the presence of POC (labeled “POC Determination or Possible Future Fraud Process 616” in the Figure).

[00115] It should be noted that embodiments of the invention may use some or all of these methods. In addition, the identified processes can be implemented as a process that performs all the described functions, only some of them, or additional functions to those described. In addition, embodiments may implement additional processes that perform various types of signal processing, estimation, detection or related functions. For example, when processing a signal, calculating a POC score, and determining whether a score or scores indicate the presence of a POC, embodiments of the invention may employ signal processing, target detection, or statistical analysis techniques designed to reduce the false positive rate or improve other aspects of the overall process identification of potential ROCs.

[00116] As described with reference to FIG. 6, in some embodiments of the invention, methods, methods, or operations for identifying a point of compromise, confirming a suspected point of compromise, or identifying transaction data or characteristics that can be used for these purposes may be implemented in whole or in part as a set of instructions executed by a programmable central processor (CPU) or microprocessor. A central processing unit or microprocessor may be embedded in a machine, server, or other computing device that operates through or in connection with an authorization network node (such as a payment processor or payment processing network element). In some embodiments of the invention, a machine, server, or other computing device may include elements additional to those depicted in FIG. 6. For example, FIG. 7 is a diagram illustrating elements that may be present in an apparatus, device, or system configured to perform a method or process in accordance with some embodiments of the invention. The subsystems shown in FIG. 7 are interconnected via a system bus 775. Additional subsystems are shown, such as a printer 774, a keyboard 778, a fixed disk 779, a monitor 776 that is coupled to a display adapter 782, and others. Peripherals and input/output (I/O) devices that connect to I/O controller 771 may be connected to the computer system using any number of means known in the art, such as serial port 777. For example, a serial port 777 or external interface 781 can used to connect a computing device to a wide area network such as the Internet, a mouse input device, or a scanner. Communication through the system bus 775 allows the central processing unit 773 to communicate with each subsystem and control the execution of instructions, which may be stored in system memory 772 or on a fixed disk 779, as well as exchange information between subsystems. System memory 772 and/or fixed disk 779 may be computer readable media.

[00117] As described, some embodiments of the invention are directed to identifying a possible point of compromise (POC) in a payment transaction processing system. Such POCs may be responsible for providing unauthorized access to transaction data or payment account data belonging to multiple consumers. Examples of possible PPOs include, but are not limited to, merchants, transaction data processors, account or transaction data storage elements, issuers, acquirers, payment processors for a group of acquirers, etc. The invention may also be used to investigate whether a group or set of organizations (or a member of that group) is responsible for disclosing sensitive payment account or transaction data; for example, the invention may be used to examine whether merchants in a certain location (based on zip code) or in a certain category of merchants (e.g., in an industry identified by a particular MCC code), are an acquirer, a member of a chain store group, etc. d. a likely source of compromise. If so, this group can be examined to determine if it has characteristics that may indicate an actual point of compromise. Security breaches, improperly obtained payment transaction data, or payment account data resulting from a compromise can be used to conduct fraudulent transactions. Thus, one aspect and advantage of the invention is to determine whether there is a statistically significant correlation between the use of a payment account or device (or sets of accounts) for a particular organization and a subsequent increase in the number of payments in fraudulent transactions associated with these accounts. Another aspect and advantage of the invention is to determine what types of transactions or account data or transaction characteristics are best suited to be used to identify or confirm the existence of a POC. Another aspect and advantage of the invention is to identify an account or accounts that may be at risk of future fraudulent activity so that proactive steps can be taken to prevent such fraud.

[00118] Embodiments of the invention typically include selecting an organization or group of organizations to test for indicators of a point of compromise. This determines the origin of the data set being processed. The selection of an organization to review may be based on knowledge that fraud has been committed on an account or transaction involving that organization. Data received from an organization (for example, transaction-related data) can be narrowed down to a specific transaction period (similar to an impact window). The fraud indicator or research signal may be determined in a given observation window at some time after the exposure window. Given the value of a signal over a period of fraud observation (eg, value or amplitude as a function of time), the invention can process the signal to increase the signal-to-noise ratio or otherwise improve its quality. The processed signal can then be interpreted or converted using an appropriate statistical approach or model into a POC estimate for the organization. A statistical approach or model can summarize the signal values over a time interval into a numerical score, function, etc. The result of a statistical approach or model can be subjected to older or other forms of "testing" to determine whether it (or a change from a previous value) suggests that the organization is a likely location of compromise. If this is the case, appropriate investigative action may be taken or correction, warnings or notifications are created, further actions of the organization are limited, etc.

[00119] In some embodiments, the approach of the invention collects statistics (“signal” or POC statistics) from observations during a fraud observation window. When interpreted in light of an appropriate statistical test or model, the signal can be expressed as a score or indicator that reflects the likelihood that the organization of interest has been compromised. The type of observations (input data) used, the type of signal, and the statistical model used to interpret the signal all matter in determining the effectiveness and accuracy of the invention in identifying an actual point of compromise or a suspected point of compromise. Among other factors, the methodology of the invention can be used to explore appropriate statistical methods, such as various normalization methods, coefficients based on various input data, and other specialized methods introduced to improve the reliability of POC estimation. In addition, the methodology can be used to explore the use of various filters that act to select data from available observations based on specified criteria (for example, transactions that occur over a certain period of time or have only one transaction associated with the organization of interest) and such thus improve the reliability of the POC assessment. As already described, different detection accuracies may result from different choices of 1) target, 2) exposure period, 3) fraud observation window, 4) computed statistics (signal), 5) filters or signal processing applied, and 6) statistical method or model used to convert statistics into POC estimate(s).

[00120] An important aspect of embodiments of the invention is that the inventive methodology can be used (1) retrospectively to identify a suspected point of compromise in a situation in which fraud has occurred, and the objective is to determine which of several possible points of compromise is likely source of the security breach; and 2) Potentially identify an account that is expected to be at risk of future fraudulent activity and take steps to mitigate that risk. In both types of use cases, embodiments of the invention provide a mechanism to reduce the risk of fraud and ensure the integrity of the payment transaction processing system and its constituent elements.

[00121] In developing, creating, and implementing the invention, the inventors have studied the factors associated with identifying points of compromise in payment account and transaction data and have identified some of the factors that may affect the effectiveness of a particular set of data processing parameters or operations. For example, they determined that the parameters selected for use in identifying a point of compromise on

[00122] at one level of an organization (eg, a merchant) may not be as effective in identifying a point of compromise at another level (eg, a payment processor). There are at least three reasons for this difference: a. 1. Comparatively low conversion rate - the size of the breach (i.e. the number of accounts compromised) limits the number of accounts that can be converted into counterfeit cards (or other form of payment device) within a given time period. As a consequence, the detection rate of stolen accounts is low and the corresponding signal may be relatively weak; b. 2. Temporal correlation - organizations usually have ongoing relationships with their customers (i.e. consumers regularly go to the same supermarket). Therefore, many compromised accounts may have other transactions within the compromised organizations that are not within the surveillance (or compromise) window. This correlation obscures the signal. In larger organizations this effect is more pronounced; and c. 3. Organization correlation - accounts that have multiple transactions at a geographic level can create cross-correlations that hide the true location of the compromise. For example, if a merchant is located close to a compromised business, many of the accounts at risk may have made purchases at both locations.

[00123] As subsequent fraudulent invoices are identified, it may be difficult to determine which organization was the source of the compromise. In general, the larger the organization (in terms of volume of transactions), the more difficult it is to separate correlations and correctly assess risk.

[00124] In some embodiments, the invention considers the fraud rate (or number of events) for payment accounts that participated in a transaction with a particular merchant or were part of a transaction processed by a particular transaction data processor (eg, a processor for a group of acquirers). If the subsequent fraud level (or other relevant "signal") changes sufficiently over time, then the organization may be identified as a possible point of compromise due to a change in the signal value or corresponding POC score (i.e. deviation from the baseline or normalized value ). Once identified, further investigation can be conducted to determine whether the organization is indeed the source of the compromise. If this is the case, corrective action may be taken to notify account holders, reissue invoices, freeze accounts, etc.

[00125] In some embodiments, the invention may be used with a set of different exposure and observation windows to provide an iterative process for calculating the POC value over time. This can be used both to identify a suspected point of compromise or account at risk by monitoring changes in the POC indicator, and to examine the effectiveness of various parameter settings, signals, statistical models, inference models, etc.

[00126] It should be understood that the invention, as described above, can be implemented in control logic using a computer software in a modular or integrated manner. Based on the disclosure and teaching presented herein, one skilled in the art will learn and appreciate other ways of implementing the invention using hardware and combinations of hardware and software.

[00127] Any of the software components or functions described herein may be implemented as program code for execution by a processor using any suitable computer language, such as Java, C++, or Perl, using, for example, traditional or object-oriented techniques . Program code may be stored as a series of instructions or commands on a computer-readable medium such as random access memory (RAM), read-only memory (ROM), a magnetic medium such as a hard disk or floppy disk, or an optical medium such as a CD -ROM. Any such computer-readable media may be located on or within a single computing device, or may be present on or within different computing devices within a system or network. [00128] Although certain exemplary embodiments have been described in detail and illustrated in the accompanying drawings, it should be understood that such embodiments are merely illustrative and are not intended to limit the broad invention, nor is the present invention limited to the specific circuits and structures shown and described , as various other modifications may arise from those skilled in the field.

Claims

FORMULA 1. A system for identifying points of compromise in the payment transaction processing system, which includes: • a processor configured to execute a set of instructions for identifying a point of compromise in a payment transaction processing system; And • a data storage device coupled to an electronic processor and having a set of instructions stored therein, the set of instructions executed by a programmed electronic processor that: o identifies a point of compromise for at least one entity involved in accessing or processing payment transaction data; o defines a payment transaction measure for a payment transaction obtained by combining the point of compromise measure for each of those entities that are involved in accessing or processing data for the payment transaction; o defines a payment account indicator, wherein the payment account indicator is obtained by combining payment transaction indicators for each of the multiple payment transactions carried out using the payment account, and processes the resulting data using a machine learning model based on a recurrent neural network (RNN) or ensemble RNN trained on vector representations of clients’ transactional activity, and during this processing the following is carried out: ■ dividing data on each client's transactions into categorical and numerical variables; ■ variable transformation, which involves vectorization of categorical variables and normalization of numerical variables; 52 ■ concatenation of transformed variables and identification of the vector corresponding to the last time period of the client’s transactional activity; ■ classification of the mentioned vector to determine the payment account indicator; o evaluates a payment account measure to determine whether it satisfies a predefined condition indicating that the account is at risk of future fraud and checks for at least one condition: ■ determining whether the payment account indicator exceeds a threshold value; ■ determining whether the payment account indicator exceeds a specified value for a specified amount of time; or ■ determining whether the ratio of the payment account indicator for the first time period and the payment account indicator for the second time period exceeds a specified value; and o generates a notification or changes the account transaction if the payment account indicator satisfies the predetermined condition verified in the previous step. 2. The system according to claim 1, characterized in that the device determines the measure of the point of compromise for at least one organization by the following: • access to multiple inputs; • receiving the indicator selection obtained from the input data; And • determines the value of the point of compromise measure using an indicator. 3. The system according to claim 2, characterized in that the indicator points to one of the following points: • the subsequent level of fraud or number of incidents of fraud for an entity after a set of accounts involved in a transaction or transactions with that entity have been processed by that entity; • accumulated time to fraud for the organization; • availability of verification activities; or • increasing points for authorizing transactions. 4. The system according to claim 2, characterized in that the system determines the value of the measure using an indicator, applying a statistical model to the indicator. 5. The system of claim 1, characterized in that the entity is one or more of a merchant, an issuer, a point-of-sale terminal, an acquirer, or a data processor for an acquirer. 6. The system according to claim 1, characterized in that the system generates a notification or changes the operation of the account as follows: • generating a notice to the issuer that the account may be at risk; • generating a notice to the account owner that the account may be at risk; • blocking the use of the account to prevent the use of the account to carry out a payment transaction; or • imposing conditions on the type of transactions that can be carried out using the account. 7. A method for reducing fraud in a payment transaction system, performed by at least one computing device, which includes: • determination, using an electronic processor, of a point of compromise for at least one organization associated with gaining access to data on payment transactions or their processing; • defining a payment transaction measure for a payment transaction obtained by combining the point of compromise measures for 54 each of the organizations involved in accessing or processing data for a payment transaction; • determination of the payment account indicator, wherein the payment account indicator is obtained by combining the payment transaction indicator for each of the multiple payment transactions carried out using the payment account, and processes the resulting data using a machine learning model based on a recurrent neural network (RNN) or ensemble RNN trained on vector representations of clients’ transactional activity, and during this processing the following is carried out: ■ dividing data on each client's transactions into categorical and numerical variables; ■ variable transformation, which involves vectorization of categorical variables and normalization of numerical variables; ■ concatenation of transformed variables and identification of the vector corresponding to the last time period of the client’s transactional activity; ■ classification of the mentioned vector to determine the payment account indicator; • evaluating the payment account indicator to determine whether it satisfies a predetermined condition indicating that the account is at risk of future fraud, whereby the payment account indicator is evaluated to determine whether it satisfies a predetermined condition that includes at least one condition: o determining whether the payment account indicator exceeds a threshold value; o determining whether the payment account indicator exceeds a specified value for a specified amount of time; or 55 o determining whether the ratio of the payment account indicator for the first time period and the payment account indicator for the second time period exceeds a predetermined value; and • generating a notification or changing an account transaction if the payment account indicator meets a predefined condition. 8. The method according to claim 7, characterized in that determining the point of compromise measure for each of the plurality of entities additionally includes: • selection of input data set; • selection of an indicator obtained from the input data; And • determining the value of the point of compromise using an indicator. 9. The method according to claim 8, characterized in that the indicator is one of the following: • the subsequent level of fraud or number of incidents of fraud for an organization after a set of accounts is involved in a transaction with that organization or a transaction is conducted by that organization; • accumulated time to fraud for the organization; availability of verification activities; or • increasing points for authorizing transactions. 10. The method according to claim 8, characterized in that determining the value of the measure using the indicator further includes applying a statistical model to the indicator. 11. The method of claim 7, wherein the one or more entities includes one or more of a merchant, an issuer, a merchant terminal, an acquirer, or a data processor for the acquirer. 12. The method of claim 7, wherein generating a notification or changing an account transaction further includes one or more of the following: • generating a notice to the issuer that the account may be at risk; • generating a notice to the account owner that the account may be at risk; • blocking the use of the account to prevent the use of the account to carry out a payment transaction; or • imposing conditions on the type of transactions that can be carried out using the account.