Fraud is evolving. So should your data security

Dynamic payment solutions help safeguard your business as well as your customers’ payment data

Key takeaways

  • As financial security evolves, so do the ways criminals commit fraud and delay its detection
  • Solutions to fraud bring several technologies together, such as machine learning systems and broad, shared networks
  • People play an important role in derailing data theft attempts, and company awareness can be developed through company culture

The introduction and widespread adoption of financial security technology for consumers and merchants has led to huge strides in data security. Key to that has been the broad implementation of chip technology and end-to-end data encryption. However, these technologies still can’t provide complete protection from fraud.

Chip cards have reduced point of sale fraud, but the most adept criminals have developed novel ways to evade fraud detection. What’s more, many are shifting their attention to card-not-present transactions such as online purchases, according to Christina Bradshaw, vice president, merchant fraud and identity services, Bank of America. In fact, one report found that fraud is now 81 percent more likely to occur online than at the point-of-sale.[1] And according to Juniper Research, card-not-present fraud could cost retailers more than $25 billion annually by 2024.[2]

These evolutions in fraud demand a new generation of security solutions. “Fraud and cyber crime aren’t going away — they’re getting more sophisticated,” says Craig Froelich, chief information security officer, Bank of America. “That’s why the security industry, financial institutions and merchants must continue to work together and apply the latest technology and thinking to keep pace.”

New ways criminals work

Today’s data thieves are using increasingly sophisticated phishing (fake e-mail) and smishing (fake text message) schemes to trick insiders into revealing credentials, passwords, protocols and system vulnerabilities, Froelich says. That information can then be used to steal valuable customer data or payment information.

Fraudsters are also increasingly using account takeover (ATO) methods and malware to take control of customer accounts and user profiles during the online checkout process in e-commerce transactions. The compromised consumer accounts are then used to commit transaction fraud against the merchant or are resold to other fraudsters.

After stealing personal and credit card data, by whatever means, one criminal may sell it to another, who then uses it in fraudulent transactions. Such black-market data sales also have become more sophisticated. For example, cyber criminals have started to bundle stolen credit card information from a single zip code and sell it in that area to evade security systems that monitor out-of-area credit card use.

The costs of a data breach

A single data breach can result in several types of financial damage. For instance, businesses might face penalties for noncompliance with Payment Card Industry Data Security Standards and be required to reimburse issuing banks for the cost of replacing cards that may have been stolen from the business.

If a company suffers a breach in which 30,000 or more cards have been compromised, it may be required to retain a forensic investigator to help pinpoint where the breach happened and prevent future attacks, reports Monica Kennedy, merchant specialist executive, Merchant Services at Bank of America. Merchants could also have to hire outside legal counsel to help manage the response to a breach and advise them on their obligations. Companies also may decide they need a PR firm to help with public announcements about the breach and to develop and execute campaigns to win back public trust.

The expenses can add up quickly: The average cost per lost or stolen record in a data breach is $150, reports IBM, with a mega breach of 1 million to 10 million records having an average total cost of $50 million in 2020. Globally, the average cost of a data breach is $3.86 million.[3]

What’s more, merchants with compromised data may also incur considerable reputational costs. “Customers lose trust in a business after a breach,” says Simon Nurrish, strategy and planning executive, Merchant Services at Bank of America. “And canceling and replacing cards is a hassle and disruptive to their lives.”

Evolving solutions

New security threats often require solutions that bring several technologies into alignment. For example, even more secure chip cards aren’t a cure-all, says Nurrish. “But you can combine it with data encryption and tokenization to protect customer card data further,” he says. Tokenization — which retrieves credit card data using randomly generated one-time tokens — enables companies to remove credit card data from their internal networks, he says.

“Payment processors like Bank of America, which provide technology-based solutions to merchants, are developing a broad, holistic view of fraud activities to see and try to prevent both card-not-present and card-present crimes,” Froelich says.

Examples of fraud solutions include:

  • Machine learning systems that can track fraud before it occurs. Machine-learning software combs through company and online data to identify characteristics of fraud automatically. It looks for patterns in credit card use, identifies anomalies in those patterns and flags the anomalies as potential fraud activity.
  • Integrated card-not-present risk solutions. These may include ATO protection, vertical-specific risk services, and one-time passcode (OTP), a protocol that requires customers to complete an additional verification step when paying, typically entering a number or password sent to their phone.

Remember that people play a key role, too

Holding ongoing conversations about new developments with security providers and payment vendors can help businesses apply emerging technologies that suit their size, industry and customer base. But a few basic people-based measures from within can help thwart data theft attempts. Here are three:

  • Build fraud and cyber security awareness into your company’s culture. If you make awareness of risks — and best practices for mitigating them — a business-as-usual value, you and your customers will be that much safer.
  • Teach employees at the point of sale to search for skimming and shimming devices by looking for ill-fitting card reader covers at the beginning of every shift.
  • Run training exercises and drills — covering scenarios such as a phishing attempt — so all employees are familiar with fraud tactics and alert to them and know the roles they are expected to play. This training should not be generic but should be specific to your particular industry and your business’ operations.

Every company today must safeguard customer data in the face of constant and evolving pressure from criminals. Payment technology vendors are in a unique position to help overcome that challenge. Discussions and check-ins with your payments and security solution provider can help you stay on top of today’s fraud trends and take measures to prevent them, so you can focus on growing your business.

[1] ABA Risk and Compliance, “Emerging Vectors for Payments Fraud,” 2020

[2] Juniper Research, “Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts 2020-2024,” 2020

[3] IBM, “Cost of a Data Breach Report,” 2021


Christina Bradshaw | Vice President, Merchant Fraud and Identity Services | Bank of America

Craig Froelich | Chief Information Security Officer | Bank of America

Monica Kennedy | Merchant Specialist Executive | Merchant Services at Bank of America

Simon Nurrish | Strategy and Planning Executive | Merchant Services at Bank of America