Has payment fraud become SOP?
By Patti Murphy
Recent news reports have got me thinking – is payments fraud just another cost of doing business in our 21st century economy? Payment fraud is a many-armed bandit. Specific frauds include, but are not limited to, writing bad checks, initiating fraudulent transactions through the automated clearing house (ACH) system, and unauthorized use of credit and debit cards.
Data hacks are one of the leading causes of many of these frauds, especially credit and debit card fraud. According to the Association for Financial Professionals’ 2012 Payments Fraud and Control Survey, sponsored by JPMorgan Chase & Co., two-thirds of the largest U.S. companies were targets of payment fraud in 2011, yet 74 percent of those companies lost no money as a result. The AFP, a Bethesda, Md., group that supports corporate treasury professionals, polls a cross-section of U.S. companies each year. It said most companies emerged unscathed from their brushes with fraud because they had adopted good fraud mitigation policies, including the Payment Card Industry (PCI) Data Security Standard (DSS). In fact, the AFP found the typical corporation spends $18,500 per year on PCI compliance.
“Although attempted attacks still occurred in 2011, financial loss was typically avoided because companies have taken steps to eliminate vulnerabilities,” said Jim Kaitz, President and Chief Executive Officer at the AFP. Or, as Ben Franklin so astutely observed, “An ounce of prevention is worth a pound of cure.”
Standard operating procedure blues
Don’t fool yourselves into thinking fraudsters are looking for new lines of work, however. Instead, they’re looking for the next big score, and merchant acquirers and processors, with their massive databases of card and cardholder information, fit the bill. Think companies like Heartland Payment Systems Inc. or, more recently, Global Payments Inc.
“The owners of critical information systems need to invest in more than prevention – they also need to invest in preparation for these sorts of inevitabilities,” said Joe Levy, Chief Technology Officer at security company Solera Networks Inc.
In 2009, Heartland became the first top 10 merchant acquirer to reveal its systems had been hacked. At the time, word on the street was the Princeton, N.J.-based acquirer was a goner. There was no mass exodus of clients at Heartland, however. In fact, the company leveraged the event to its advantage by developing inexpensive card readers that rely on industrial-strength encryption to secure data.
Global Payments discovered hackers had breached its networks in late March 2012, stealing data on 1.5 million Visa Inc. and MasterCard Worldwide accounts. As a consequence, the leading acquirer lost its spot on the Visa/MasterCard lists of PCI DSS compliant processors.
Other than that, the fallout was modest. In a week that saw the New York Stock Exchange’s composite average share price drop by 20 percent or more, Global’s stock took a relatively modest hit of 10 percent.
The remediation two-step
So what happens when a company gets blacklisted for being out of step with PCI? It doesn’t seem like much, outside of spending a lot of time and money on remediation and fines, if the Heartland and Global experiences are the norm. Paul Garcia, Global’s CEO, said in a conference call with investors in early April that the data compromise was confined to Track 2 card data. That means personal information, like Social Security numbers, names and addresses, wasn’t compromised, as far as Global can tell.
“It goes without saying that we are providing uninterrupted service 24 hours per day to our customers around the world as we speak,” Garcia said.
Pretty much the same thing happened at Heartland, which spent months and millions of dollars on remediation before getting placed back on the card brands’ lists of approved processors. Sales and processing continued pretty much uninterrupted. I don’t get it. If an acquirer is found to be out of compliance with PCI, aren’t its customers out of compliance if they continue to process card payments through the noncompliant processor?
Mark Bower, Vice President, Product Management at data security firm Voltage Security Inc., said situations like these illustrate the need for strong security protocols. “Alarm bells have been ringing loudly on these risks for years – payment processors are a top target for attackers,” he said. “If there is one industry that absolutely needs to adopt a data-centric security strategy to mitigate breach risk, it’s the payments industry.
“And the writing is on the wall for those payment acquirers that don’t.”
Checks are risky business
This becomes ever more important as more companies migrate payables from checks to electronic payments. There is a downside to this trend. “Now fraudsters have shifted their focus to higher-value payoffs, including attempting to hack into corporate accounts,” the AFP’s Kaitz said.
Stephen Markwell, Executive Director of J.P. Morgan Treasury Services, said, “With the proliferation of payment options, fraudsters are constantly exploring new and bolder ways to perpetrate fraud.” Yet, Markwell insisted technology advances make it easier to stay ahead of the bad guys.
“Sophisticated new fraud protection technologies are making it possible to combat fraud more effectively and efficiently, reducing the potential for losses and protecting critical assets,” he said. Not surprisingly, the AFP survey suggests larger companies are more vulnerable to payment fraud than are smaller firms. Also, retailers and other consumer-facing industries experience payment fraud rates that are 15 percent to 20 percent higher than other industries.
Other interesting insights came out of AFP’s survey. In 2011:
- 66 percent of companies surveyed said they experienced actual or attempted payment fraud, down from 71 percent in 2010.
- 12 percent of companies reported that fraud attacks involved compromised user identification/passwords or other access credentials.
- 74 percent of companies that were victims of actual or attempted payment fraud reported no financial losses from it.
- $19,200 was the typical monetary loss from companies victimized by payment fraud.
- 62 percent of companies reported being hit by check fraud, making checks the payment method most vulnerable to fraud; in 85 percent of those cases, the company’s checks were counterfeited.
- 14 percent of companies experienced ACH fraud.
- 20 percent of companies reported that purchasing cards accounted for fraud they experienced.
- 5 percent of companies reported being victims of fraud via payroll and other benefit-related corporate cards.