Fraud is evolving. So should your data security

The introduction and widespread adoption of financial security technology for consumers and merchants has led to huge strides in data security. Key to that has been the broad implementation of chip technology and end-to-end data encryption. However, these technologies still can’t provide complete protection from fraud.

 

Chip cards have reduced point of sale fraud, but dept criminals have developed novel ways to evade fraud detection. What’s more, many are shifting their attention to card-not-present transactions such as online purchases, according to Christina Bradshaw, vice president, merchant fraud and identity services, Bank of America. In fact, one report found that fraud is now 81 percent more likely to occur online than at the point-of-sale.¹ And according to Juniper Research, card-not-present fraud could cost retailers more than $25 billion annually by 2024.²

 

These evolutions in fraud demand a new generation of security solutions. “Fraud and cyber crime aren’t going away — they’re getting more sophisticated,” says Kris Fador, chief information security officer, Bank of America. “That’s why the security industry, financial institutions and merchants must continue to work together and apply the latest technology and thinking to keep pace.” 

 

Here’s what you need to know about the current state of data security. 

 

New ways criminals work

Today’s data thieves are using increasingly sophisticated phishing (fake e-mail) and smishing (fake text message) schemes to trick insiders into revealing credentials, passwords, protocols and system vulnerabilities, Fador says. That information can then be used to steal valuable customer data or payment information.

 

Fraudsters are also increasingly using account takeover (ATO) methods and malware to take control of customer accounts and user profiles during the online checkout process in e-commerce transactions. The compromised consumer accounts are then used to commit transaction fraud against merchants or are resold to other fraudsters.

 

After stealing personal and credit card data, by whatever means, one criminal may sell it to another, who then uses it in fraudulent transactions. Such black-market data sales also have become more sophisticated. For example, cyber criminals have started to bundle stolen credit card information from a single zip code and sell it in that area to evade security systems that monitor out-of-area credit card use. 

 

The costs of a data breach

A single data breach can result in several types of financial damage. For instance, businesses might face penalties for noncompliance with Payment Card Industry Data Security Standards and be required to reimburse issuing banks for the cost of replacing cards that may have been stolen from the business.

 

If a company suffers a breach in which 30,000 or more cards have been compromised, it may be required to retain a forensic investigator to help pinpoint where the breach happened and prevent future attacks, reports Monica Kennedy, merchant specialist executive at Bank of America. Merchants could also have to hire outside legal counsel to help manage the response to a breach and advise them on their obligations, and they. Companies also may decide they need a PR firm to help with public announcements about the breach and to develop and execute campaigns to win back public trust.

 

The expenses can add up quickly: The average cost per lost or stolen record in a data breach is $164, reports IBM, with a mega breach of 1 million to 10 million records having an average total cost of $49 million in 2022. Globally, the average cost of a data breach is $4.35 million.³

 

What’s more, merchants with compromised data may also incur considerable reputational costs. “Customers lose trust in a business after a breach,” says Kennedy. “And canceling and replacing cards is a hassle and disruptive to their lives.”

 

Evolving solutions

New security threats often require solutions that bring several technologies into alignment. For example, even more secure chip cards aren’t a cure-all, says Bradshaw.  “But you can combine it with data encryption and tokenization to protect customer card data further,” she says. Tokenization — which retrieves credit card data using randomly generated one-time tokens — enables companies to remove credit card data from their internal networks, she says. 

 

“Payment processors like Bank of America, which provide technology-based solutions to merchants, are developing a broad, holistic view of fraud activities to see and try to prevent both card-not-present and card-present crimes,” Fador says. 

 

Examples of fraud solutions include:

 

Machine learning systems that can track fraud before it occurs. Machine-learning software combs through company and online data to automatically identify characteristics of fraud. It looks for patterns in credit card use, identifies anomalies in those patterns and flags the anomalies as potential fraud activity. 

 

Integrated card-not-present risk solutions. These may include ATO protection, vertical-specific risk services, and one-time passcode (OTP), a protocol that requires customers to complete an additional verification step when paying, typically entering a number or password sent to their phone.

 

Remember that people play a key role, too

Holding ongoing conversations about new developments with security providers and payment vendors can help businesses apply emerging technologies that suit their size, industry and customer base. But a few basic people-based measures from within can help thwart data theft attempts. Here are three:

 

 

Every company today must safeguard customer data in the face of constant and evolving pressure from criminals. Payment technology vendors are in a unique position to help overcome that challenge. Discussions and check-ins with your payments and security solution provider can help you stay on top of today’s fraud trends and take measures to prevent them, so you can focus on growing your business.

 

¹ ABA Risk and Compliance, “Emerging Vectors for Payments Fraud,” 2020

² Juniper Research, “Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts 2020-2024,” 2020

³ IBM Security, “Cost of a Data Breach Report 2022," 2022