This article originally appeared in the July/August 2017 issue of Payments Business
For businesses operating in a digital economy, data breaches are both disruptive and costly. Recent statistics from Ponemon, on behalf of IBM, show that the average cost of a cybersecurity breach in Canada is $5.78 million. Despite this, Ovum reports that fewer than half of Canadian business executives plan to increase data security spend. It’s a frightening statistic and something that shouldn’t be taken lightly by any business that accepts payments from Canadian consumers.
Businesses can protect themselves and their customers effectively by monitoring transactions and by implementing payment security controls that minimize risk. However, to choose the right controls, businesses first need to understand the most common types of fraud they face.
Face-to-face fraud, commonly referred to as card-present (CP) fraud, is initiated by someone who intercepts card data or the cardholder's PIN in order to duplicate a card for subsequent use, such as withdrawing cash at ATMs or making online or in-store purchases. Chip-based (EMV) payment cards have made counterfeiting the chip itself impractical: the chip signs each transaction with a unique cryptogram using a key that never leaves the card, so data captured from one transaction cannot be replayed to produce a working clone. However, static data such as the card number and expiry date can still be intercepted at the point-of-sale (POS), and fraudsters exploit that data for fraudulent activity in the online space, where the chip is not involved.
As Canadian businesses continue to adopt digital commerce (online and mobile purchases), fraud concerns shift to card-not-present (CNP) fraud. CNP fraud covers illegitimate purchases made online (PC, tablet, mobile phone), over the phone or by mail. Fraudsters obtain consumer data through methods such as skimming, phishing, malware and other social-engineering tactics.
The online fraud industry is a growing concern. For example, a phishing scam occurs when a fraudster, claiming to be a reputable source by phone or email, persuades cardholders to reveal sensitive information such as passwords or credit card numbers. In the first quarter of 2016, PhishMe reported a 789 per cent increase in phishing incidents globally. Stolen data is valuable and, in many cases, is sold to fraudsters through the dark web, a part of the internet reached through anonymizing networks, which makes buyers and sellers difficult to trace.
To turn a raw dump of stolen card numbers into a list of cards that actually work, criminals test the card data online. Card-testing fraud uses bots to submit thousands of small authorizations within seconds against websites whose check-out process has weak payment verification (no CVV check, no rate limiting, no velocity rules). The approvals tell the fraudster which cards are valid; the victim merchant is left with the declines, the authorization fees and, later, the chargebacks.
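The detection side of this is worth seeing concretely. The following is an added example, not code from the article or from Moneris: a velocity check over a constructed authorization log that flags a source submitting many distinct cards in a short window with a high decline rate, which is the signature of a card-testing bot. The log format, the thresholds and the IP addresses are assumptions; a real deployment would key on device fingerprint and session as well as IP, and would log only masked card numbers, as this sample does.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): time, source IP, masked card, amount, result.
# 198.51.100.7 cycles through eight different cards at $1.00; the other two sources are
# a shopper who retried after a typo and a customer placing the same order three times.
SAMPLE_LOG = """\
2017-07-04T10:00:00 198.51.100.7 411111******0001 1.00 DECLINED
2017-07-04T10:00:03 203.0.113.5 555555******4444 89.99 DECLINED
2017-07-04T10:00:04 198.51.100.7 411111******0002 1.00 DECLINED
2017-07-04T10:00:08 198.51.100.7 411111******0003 1.00 APPROVED
2017-07-04T10:00:11 203.0.113.5 555555******4444 89.99 APPROVED
2017-07-04T10:00:12 198.51.100.7 411111******0004 1.00 DECLINED
2017-07-04T10:00:15 198.51.100.7 411111******0005 1.00 DECLINED
2017-07-04T10:00:19 198.51.100.7 411111******0006 1.00 APPROVED
2017-07-04T10:00:22 198.51.100.7 411111******0007 1.00 DECLINED
2017-07-04T10:00:25 198.51.100.7 411111******0008 1.00 DECLINED
2017-07-04T10:01:00 192.0.2.9 378282******0005 120.00 APPROVED
2017-07-04T10:05:00 192.0.2.9 378282******0005 120.00 APPROVED
2017-07-04T10:09:00 192.0.2.9 378282******0005 120.00 APPROVED
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, source, masked_card, amount, result) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, card, amount, result = line.split()
        records.append((datetime.fromisoformat(ts), src, card, float(amount), result))
    return records


def detect_card_testing(records, window=timedelta(seconds=60),
                        max_distinct_cards=5, min_decline_ratio=0.5):
    """Return {source: reason} for sources whose recent attempts look like card testing.

    The key signal is the number of *distinct* cards per source inside the sliding
    window, not raw volume: a customer retrying one card never trips this rule.
    """
    recent = defaultdict(deque)   # source -> attempts inside the window, oldest first
    flagged = {}
    for ts, src, card, amount, result in sorted(records):
        q = recent[src]
        q.append((ts, card, result))
        while q and ts - q[0][0] > window:       # drop attempts that aged out
            q.popleft()
        distinct = {c for _, c, _ in q}
        declines = sum(1 for _, _, r in q if r == "DECLINED")
        if len(distinct) >= max_distinct_cards and declines / len(q) >= min_decline_ratio:
            flagged[src] = (f"{len(distinct)} distinct cards, {declines}/{len(q)} "
                            f"declined within {window.seconds}s")
    return flagged


if __name__ == "__main__":
    for src, reason in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"card testing suspected from {src}: {reason}")
```

Once a source is flagged, the useful response is not a silent decline (which tells the bot nothing and still generates authorization traffic) but a block on further attempts from that source plus a review of any cards it managed to get approved.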
In any instance of card payment fraud, without the correct safeguards in place businesses can incur monetary losses resulting from chargebacks, loss of fraudulently purchased goods, and more. It doesn’t have to be doom and gloom for businesses. There are effective data security processes and best practices available to help mitigate some of these risks.
Card-present fraud prevention
There are simple, affordable ways to prevent CP fraud. Using a reputable payment provider, deploying secure payment technology, and using end-to-end encryption and tokenization can reduce, if not eliminate, access to the sensitive data needed to commit fraud. In addition, businesses should be diligent in their payment acceptance procedures: monitor their equipment, restrict access to it and regularly check terminals for tampering. Additional best practices can be found at www.moneris.com/fraud.
Card-not-present fraud prevention
Increased security at the POS with chip and PIN technology has pushed fraudsters toward the CNP environment. To reduce CNP fraud, businesses can implement best-in-class online fraud prevention techniques, including payment validation tools such as address verification (AVS) and the card security code (CVV2/CVC2) printed on the physical card, which a fraudster working from a stolen card number alone usually does not have. In addition, there are tools available through payment processors and third-party vendors that analyze hundreds of data points in real time, allowing businesses to assess the risk of a particular transaction. For example, a payment originating in Africa for a cardholder who resides in North America should trigger an alert, especially if the goods are being shipped somewhere other than the cardholder's address on file. These tools help to thwart fraud, minimize potential losses and reduce the need for manual review.
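As an added example (not Moneris's own scoring logic, whose rules and weights are proprietary), here is a small rules-based risk scorer that combines the signals named above: the AVS result, the CVV/CVC match, the card's issuing country against the order's IP country and ship-to country, and whether the shipping address matches billing. The AVS codes are the simplified Y/A/Z/N/U set; real response codes vary by processor and card brand. The weights, thresholds and sample orders are assumptions chosen to illustrate the geography mismatch in the article.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Transaction:
    amount: float
    avs_result: str             # Y full match, A street only, Z postal only, N no match, U unavailable
    cvv_match: Optional[bool]   # None when the merchant did not collect the security code
    card_country: str           # issuing country from a BIN lookup (assumed available)
    ip_country: str             # country of the shopper's IP address
    ship_to_country: str
    ship_matches_billing: bool


# (predicate, points, reason). Weights are illustrative, not calibrated on real data.
RULES = [
    (lambda t: t.avs_result == "N", 40, "AVS: neither street nor postal code matched"),
    (lambda t: t.avs_result in ("A", "Z"), 15, "AVS: partial match"),
    (lambda t: t.avs_result == "U", 10, "AVS unavailable for this card"),
    (lambda t: t.cvv_match is False, 40, "CVV2/CVC2 mismatch"),
    (lambda t: t.cvv_match is None, 10, "security code not collected"),
    (lambda t: t.ip_country != t.card_country, 25, "order placed outside the card's issuing country"),
    (lambda t: t.ship_to_country != t.card_country, 20, "shipping outside the card's issuing country"),
    (lambda t: not t.ship_matches_billing, 15, "ship-to address differs from billing address"),
    (lambda t: t.amount >= 500, 10, "high-value order"),
]


def score(t):
    """Sum the points of every rule that fires and return (total, reasons)."""
    total, reasons = 0, []
    for check, points, reason in RULES:
        if check(t):
            total += points
            reasons.append(reason)
    return total, reasons


def decide(t, review_at=30, decline_at=60):
    """Map a score to ACCEPT / REVIEW / DECLINE so only the middle band needs a human."""
    total, reasons = score(t)
    if total >= decline_at:
        return "DECLINE", total, reasons
    if total >= review_at:
        return "REVIEW", total, reasons
    return "ACCEPT", total, reasons


# Constructed sample orders for a Canadian-issued card.
CLEAN = Transaction(45.00, "Y", True, "CA", "CA", "CA", True)
TRAVELLING = Transaction(60.00, "Y", True, "CA", "US", "CA", True)      # cardholder abroad, ships home
PARTIAL = Transaction(120.00, "Z", True, "CA", "CA", "CA", False)       # gift to another address
ARTICLE_CASE = Transaction(750.00, "N", True, "CA", "ZA", "ZA", False)  # the article's scenario

if __name__ == "__main__":
    for name, t in [("clean", CLEAN), ("travelling", TRAVELLING),
                    ("partial", PARTIAL), ("article case", ARTICLE_CASE)]:
        verdict, total, reasons = decide(t)
        print(f"{name:13s} {verdict:8s} score={total:3d} {'; '.join(reasons)}")
```

The point of the three-way outcome is the last sentence of the paragraph above: clear accepts and clear declines need no analyst, and only the REVIEW band consumes manual effort. A foreign IP on its own does not decline the travelling cardholder; it takes the combination of a foreign IP, foreign shipping and a failed AVS check to push the article's case over the decline line.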
Having seen the evolution of security-based software solutions, I also recommend that businesses remove the risk of storing cardholder data (the data governed by the Payment Card Industry Data Security Standard, PCI DSS) locally by adopting tokenization. Tokenization allows a business to hand the storage of cardholder data to its payment processor and keep only a token in its own systems: a random value that stands in for the card number, cannot be turned back into it without the processor's vault, and is useless to an attacker should the business suffer a data breach.
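To make the contrast concrete, the following added example (not Moneris's tokenization product; the vault design is an assumption) models a processor-side token vault next to a merchant database that holds only the token and the last four digits, and then shows why a hash of the card number is not a substitute for a token: with the issuer range and last four known, as they are on any masked receipt, the remaining digits are few enough to brute-force against the hash, whereas a random token carries no information about the number at all. The card number used is the standard Visa test number, not a real account.

```python
import hashlib
import secrets


def luhn_ok(pan):
    """Luhn check on a digit string; every real card number passes it."""
    digits = [int(c) for c in pan]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """PCI DSS allows at most the first six and last four digits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class ProcessorVault:
    """Processor-side vault (assumed design): the only place a token maps back to a PAN."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(16)   # 128 random bits, unrelated to the PAN
        self._pan_by_token[token] = pan
        return token

    def charge(self, token, amount):
        """Resolve the token inside the processor; the merchant never sees the PAN."""
        pan = self._pan_by_token[token]           # KeyError for unknown tokens
        return f"authorized {amount:.2f} on {mask(pan)}"


class MerchantDB:
    """What the merchant stores for card-on-file: token plus display data, no PAN."""

    def __init__(self):
        self.customers = {}

    def save_card(self, customer_id, token, pan):
        self.customers[customer_id] = {"token": token, "last4": pan[-4:]}


def pan_hash(pan):
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest, known_prefix, last4, length=16):
    """Why hashing is not tokenization: enumerate the unknown middle digits,
    keep Luhn-valid candidates, and compare hashes. With an 8-digit issuer
    range known, that is 10**4 candidates; with a 6-digit BIN it is 10**6,
    still seconds of work."""
    unknown = length - len(known_prefix) - len(last4)
    for i in range(10 ** unknown):
        candidate = known_prefix + str(i).zfill(unknown) + last4
        if luhn_ok(candidate) and pan_hash(candidate) == digest:
            return candidate
    return None


TEST_PAN = "4111111111111111"   # public Visa test number, not a real account

if __name__ == "__main__":
    vault, merchant = ProcessorVault(), MerchantDB()
    token = vault.tokenize(TEST_PAN)
    merchant.save_card("cust-42", token, TEST_PAN)
    print("merchant stores:", merchant.customers["cust-42"])
    print(vault.charge(token, 19.99))
    print("hashed PAN recovered:", recover_pan_from_hash(pan_hash(TEST_PAN), TEST_PAN[:8], TEST_PAN[-4:]))
```

Two design points follow from the code. First, the token's value comes entirely from the vault lookup, so the vault and its access controls are now the thing to protect, which is exactly why the article suggests leaving that job to the processor. Second, any merchant-side scheme that derives the stored value from the card number (a plain hash, an unsalted HMAC with a guessable key, a reversible encoding) inherits the tiny search space the brute-force function exploits and does not remove the data from PCI scope.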
Payment processors have started adopting cloud-based technologies, and expect continued public adoption of card-on-file payment apps, which are continuously evolving. Take parking meters, for example: you can now pay with a physical plastic card or with an app that charges securely stored card-on-file information, with the card data itself held and processed in the cloud rather than on the device.
As digital innovation continues, we can expect criminals to evolve their fraud methods and create new ways to exploit businesses within this channel. Payment processors like Moneris work closely with businesses to help combat fraud by offering applicable security tools. With the proper safeguards in place and a trusted partnership between businesses and processors, we can continue to thrive in the evolving payment landscape.
Written by Amer Matar. Amer Matar, Moneris' Chief Technology Officer, has spent over two decades in the field of data management and is responsible for all technological aspects at Moneris, including software development, technology infrastructure engineering, information security and integration engineering. He holds an undergraduate degree in Computer Science from the University of Montreal and an MBA from the Rotman School of Business at the University of Toronto. For additional tips on preventing credit card fraud, visit moneris.com/fraud.