The Green Sheet, Inc

The Green Sheet Online Edition

April 23, 2012  •  Issue 12:04:02

Insiders report on payments
Has payment fraud become SOP?

By Patti Murphy

Recent news reports have got me thinking - is payments fraud just another cost of doing business in our 21st century economy? Payment fraud is a many-armed bandit. Specific frauds include, but are not limited to, writing bad checks, initiating fraudulent transactions through the automated clearing house (ACH) system, and unauthorized use of credit and debit cards.

Data hacks are one of the leading causes of many of these frauds, especially credit and debit card fraud. According to the Association for Financial Professionals' 2012 Payments Fraud and Control Survey, sponsored by JPMorgan Chase & Co., two-thirds of the largest U.S. companies were targets of payment fraud in 2011, yet 74 percent of those companies lost no money as a result. The AFP, a Bethesda, Md., group that supports corporate treasury professionals, polls a cross-section of U.S. companies each year. It said most companies emerged unscathed from their brushes with fraud because they had adopted good fraud mitigation policies, including the Payment Card Industry (PCI) Data Security Standard (DSS). In fact, the AFP found the typical corporation spends $18,500 per year on PCI compliance.

"Although attempted attacks still occurred in 2011, financial loss was typically avoided because companies have taken steps to eliminate vulnerabilities," said Jim Kaitz, President and Chief Executive Officer at the AFP. Or, as Ben Franklin so astutely observed, "An ounce of prevention is worth a pound of cure."

Standard operating procedure blues

Don't fool yourselves into thinking fraudsters are looking for new lines of work, however. Instead, they're looking for the next big score, and merchant acquirers and processors, with their massive databases of card and cardholder information, fit the bill. Think companies like Heartland Payment Systems Inc. or, more recently, Global Payments Inc.

"The owners of critical information systems need to invest in more than prevention - they also need to invest in preparation for these sorts of inevitabilities," said Joe Levy, Chief Technology Officer at security company Solera Networks Inc.

In 2009, Heartland became the first top 10 merchant acquirer to reveal its systems had been hacked. At the time, word on the street was the Princeton, N.J.-based acquirer was a goner. There was no mass exodus of clients at Heartland, however. In fact, the company leveraged the event to its advantage by developing inexpensive card readers that rely on industrial strength encryption to secure data.

Global Payments discovered hackers had breached its networks in late March 2012, stealing data on 1.5 million Visa Inc. and MasterCard Worldwide accounts. As a consequence, the leading acquirer lost its spot on the Visa/MasterCard lists of PCI DSS compliant processors.

Other than that, the fallout was modest. In a week that saw the New York Stock Exchange's composite average share price drop by 20 percent or more, Global's stock took a relatively modest hit of 10 percent.

The remediation two-step

So what happens when a company gets blacklisted for being out of step with PCI? It doesn't seem like much, outside of spending a lot of time and money on remediation and fines, if the Heartland and Global experiences are the norm. Paul Garcia, Global's CEO, said in a conference call with investors in early April that the data compromise was confined to Track 2 card data. That means personal information, like Social Security numbers, names and addresses weren't compromised, as far as Global can tell.

"It goes without saying that we are providing uninterrupted service 24 hours per day to our customers around the world as we speak," Garcia said.

Pretty much the same thing happened at Heartland, which spent months and millions of dollars on remediation before getting placed back on the card brands' lists of approved processors. Sales and processing continued pretty much uninterrupted. I don't get it. If an acquirer is found to be out of compliance with PCI, aren't its customers out of compliance if they continue to process card payments through the noncompliant processor?

Mark Bower, Vice President, Product Management at data security firm Voltage Security Inc., said situations like these illustrate the need for strong security protocols. "Alarm bells have been ringing loudly on these risks for years - payment processors are a top target for attackers," he said. "If there is one industry that absolutely needs to adopt a data-centric security strategy to mitigate breach risk, it's the payments industry.

"And the writing is on the wall for those payment acquirers that don't."

Checks are risky business

This becomes ever more important as more companies migrate payables from checks to electronic payments. There is a downside to this trend. "Now fraudsters have shifted their focus to higher-value payoffs, including attempting to hack into corporate accounts," the AFP's Kaitz said.

Stephen Markwell, Executive Director of J.P. Morgan Treasury Services, said, "With the proliferation of payment options, fraudsters are constantly exploring new and bolder ways to perpetrate fraud." Yet, Markwell insisted technology advances make it easier to stay ahead of the bad guys.

"Sophisticated new fraud protection technologies are making it possible to combat fraud more effectively and efficiently, reducing the potential for losses and protecting critical assets," he said. Not surprisingly, the AFP survey suggests larger companies are more vulnerable to payment fraud than are smaller firms. Also, retailers and other consumer-facing industries experience payment fraud rates that are 15 percent to 20 percent higher than other industries.

Other interesting insights came out of AFP's survey. In 2011:

Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at patti@greensheet.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
