By Patti Murphy
Fraud threatens the integrity of the payments system. And by extension, it threatens the livelihood of every company and individual in the payments stream: banks, acquirers, merchants, ISOs and the feet on the street. Yet I can't help but think we, as a society, are becoming inured to the perils of fraud.
Seemingly every week brings news of hacks, breaches of card data and subsequent payouts by breached companies, and revivals of old-school schemes like card skimming. This is despite ongoing efforts to protect credit and debit card data with enhanced security protocols like EMV (Europay, Mastercard and Visa).
Fraudsters are savvy. They understand, for example, that the proliferation of EMV cards and card readers eliminates opportunities for fraud like card skimming, so they're focusing on unattended terminal locales, like gas stations, which are not required to be EMV compliant until October 2020.
Recent reporting by the Sun Sentinel, a South Florida newspaper, found that more than 400 card skimmers have been found at gas stations across Florida since 2015; more than half of those (251) were discovered this year alone. Three Florida counties, in particular, seem to be hotbeds of card-skimming activity: Broward, Palm Beach and Miami-Dade. Skimmers are small electronic devices that surreptitiously record data from the magnetic stripes on credit and debit cards.
As of June, 46 skimmers had been discovered in Broward County, the Sun Sentinel reported, citing state records. That's up from 40 in 2016 and 34 in 2015. In Palm Beach County, 52 skimmers were found as of early June, up from 22 in 2016 and 19 in 2015. And in Miami-Dade County, the tally as of June was 22, up from nine in 2016 and 17 the year before.
Despite the uptick in activity, card skimming is not as big or costly a problem as outright data breaches. Just ask Target Corp., which paid out $18.5 million in fines to 47 states for a 2013 data breach that affected more than 40 million cardholders. That's on top of more than $200 million in legal fees the retailer reportedly incurred because of the breach.
Target's costs stemming from this breach don't begin to describe just how expensive, and serious, card data breaches can be. Juniper Research Ltd., a U.K.-based research and analysis firm, recently warned that, globally, retailers stand to lose $71 billion from fraudulent card transactions over the next five years. This is attributed to increased criminal migration to card-not-present transactions concurrent with U.S. implementation of EMV.
While Juniper did not provide a breakdown, a recent report by the cybersecurity firm Trustwave Holdings Inc. suggests North American retailers are particularly vulnerable. Trustwave publishes a yearly report on global cybercrime, data breaches and other security threat trends. The latest report, published in June and covering hundreds of breach investigations conducted in 2016, revealed that North American businesses, particularly retailers, are more vulnerable than those in any other region, accounting for nearly half (49 percent) of all breaches investigated by the company.
The largest single share of breaches (22 percent) occurred at retail establishments, followed closely by the food and beverage industry at nearly 20 percent. Breaches directed at POS systems represented 31 percent of all breaches investigated, Trustwave reported, up from 22 percent in 2015. And more than half of all incidents investigated targeted payment card data, the firm said.
"As our data breach investigation and threat intelligence show, attackers continue to evolve their tactics and focus on extreme paydays," said Robert J. McCullen, Trustwave's President and Chief Executive Officer. "Meanwhile, security skills and talent remain scarce. As an industry we must continue to focus on key areas like threat detection and response, security scanning and testing, and cloud services that provide meaningful layers of protection from constantly evolving threats."
Meanwhile, the news out of fraud solution provider Kount Inc. is that mobile payment fraud is on the rise. The share of merchants who could definitively state they are seeing more fraud in the mobile channel reached 40 percent in 2017, up from 23 percent last year, according to Kount's Fifth Annual Mobile Payments & Fraud Report. Forty-two percent said they weren't sure.
The increase isn't surprising, particularly as more merchants move to facilitate mobile commerce. What is surprising is merchant attitudes toward addressing the lurking problem of mobile payments fraud. "Causing some concern is the fact that despite more merchants reporting growing mobile fraud, fewer merchants are concerned with managing fraud in the mobile channel any differently than they do for traditional ecommerce," Kount wrote. Just one in four described mobile as a higher-risk channel, compared to 44 percent two years ago, the report noted.
It's no secret that merchants, with their troves of personal customer information, are magnets for crooks. Financial institutions are, too, but banks and credit unions operate under sweeping federal mandates regarding customer data and privacy protection – mandates enforced by federal regulators. Merchants do not. This makes for sharp contrasts when comparing breach sources.
According to the Identity Theft Resource Center, 81.3 percent of records exposed in breaches as of May were at businesses, including retailers; just 0.2 percent occurred in the financial sector.
Legislation that would have imposed strong data protection requirements on all companies handling sensitive consumer financial data (not just banks) was shot down in Congress in 2016. No similar legislation has been introduced in the current session of Congress.
The American Bankers Association and other banking groups want a renewed push, however. "It's time to get serious about building a security infrastructure that brings banks, payment networks and retailers together to safeguard sensitive financial data," James Ballentine, ABA Executive Vice President for Congressional Relations and Political Affairs, wrote in a May 8 letter to members of Congress. It's time to pass a strong, consistent national standard for fighting data breaches that give consumers the protection they deserve."
I agree. There's also a need for more and better coordination between participants in the payments space to keep cardholder data secure and out of reach of fraudsters. EMV is a start, but it's only a start. And considering the United States is the last major economy to move to EMV, and that card-accepting gas pumps are exempt from the mandate for another three years, it's a weak start at that.
Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next