Another breach. Another day. Another fraud strategy?
Banks in the United States currently face an overwhelming volume of merchant data breaches. Managing them strategically, with the precision needed to maintain solid control over the environment, is a tremendous challenge that requires extraordinary governance.
The ID Theft Resource Center suggests that the first half of this year is about on par with the whole of 2011 in terms of data breaches, and I remember that year having some significant merchant compromises in the US (Pizzapocolypse, anyone?). Effectively, we are now required to control twice the number of breached records with the same resources. In this situation, automation built on compromised card strategies that scale across channels should ultimately be the go-to solution for matching the massive volumes of today’s data breaches.
Back in January, I wrote about breach exhaustion: the result of the unrelenting volume of data compromises that impact banks, merchants and acquirers. Long investigations, difficult decisions involving unknown risks, and flare-ups of ‘thought to be’ extinguished incidents may continue to haunt us. I get it, it’s a lot of pressure, there is no let-up, and if we look off the ledge, it’s a long way down. The compromise du jour is worse than the one preceding it, and the frequency of massive compromises is increasing.
And it’s going to get a lot worse before it gets any better. In the countdown to the EMV transition in the USA, we have seen new attack vectors focused on merchant networks, POS system exploits and remote access solutions, which wreak havoc on our plastic-focused consumer payment ecosystem. Clearly, the hackers, who sit far abroad, can practice their craft on our merchants with near complete impudence. They have scaled up and grown their niche with incredible sophistication and business acumen. Recognizing that another massive merchant network intrusion is already developing should be enough for us to realize that if we do not have a well-defined strategy for this, either as merchants or as issuers, we’re not going to keep up. Clearly, people are not going to slow their use of plastic, and I expect technology like Apple’s new Apple Pay to continue contributing to the climb. We are linking account numbers to new payment products like mobile wallets, further expanding the exposure into new channels with unknown risks.
Here is a classic operational risk (rhetorical) question: Is a card breached twice (with the same data lost) at dissimilar merchants riskier than a card breached only once? Clearly it is, by a measure, but at some point we realize the card will likely be used for fraud only once, before we detect and block it. At this point, we can accept that compromised cards can be managed in similar strategies based on risk, respective of their breach.
Start a checklist:
- Is there a strategy for compromised and counterfeited cards used at brick and mortar merchants?
- Is there a strategy for recent reset of PINs on compromised cards, which may result in ATM fraud?
- Is there a strategy for alternative risks, such as travel guidance on a recently compromised card?
With a review of the common typologies that we experience in all the most recent massive compromises, we can build a considerable inventory of attack patterns, and build controls to meet these threats.
- Cards with a merchant breach with no local counterfeit risk, no PIN?
- Cards compromised, with customer information and with the potential for VRU PIN changes resulting in ATM fraud and account takeover risks?
- Rules that reference this common list and work in cross channel fraud types when unusual callers request travel exceptions?
Our goal is to challenge the fraudsters, and decline them with the same impudence they offer us, by rapidly developing, testing, and deploying rules that are both automated and aligned to a larger compromise strategy. Instead of focusing on the short term, financial institutions should implement scalable compromise processes that show how to evolve with cross-channel controls. Instead of treating this breach as another opportunity to have a glut of compromised cards to re-issue, the proactive stance is loading a list and reducing the anxiety of breach exhaustion.
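As an added illustration (not code from this post or from any vendor product), here is a minimal Python sketch of rules that reference one shared compromised-card list across the POS, ATM and call-center channels. The token format, exposure flags, action names and the 14-day PIN-change window are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample list, keyed by card token (never a raw PAN). The flags record
# what each breach exposed; field names and values are assumptions for illustration.
COMPROMISED = {
    "tok_1001": {"track_data": False, "customer_info": False},  # no counterfeit risk, no PIN
    "tok_1002": {"track_data": True, "customer_info": False},   # counterfeit risk
    "tok_1003": {"track_data": True, "customer_info": True},    # account takeover risk
}
PIN_CHANGE_WINDOW = timedelta(days=14)  # assumed policy value


@dataclass
class Event:
    card: str
    channel: str                          # "pos", "atm" or "call_center"
    when: datetime
    card_present: bool = False
    request: str = ""                     # e.g. "travel_exception"
    last_vru_pin_change: Optional[datetime] = None


def evaluate(ev: Event):
    """Return (action, reason) for one event, using the shared compromised list."""
    entry = COMPROMISED.get(ev.card)
    if entry is None:
        return "allow", "card not on compromised list"
    # Counterfeit use at a brick-and-mortar merchant needs exposed track data.
    if ev.channel == "pos" and ev.card_present and entry["track_data"]:
        return "decline", "counterfeit risk at brick-and-mortar merchant"
    # Exposed customer information plus a recent VRU PIN change points to ATM fraud.
    if ev.channel == "atm" and entry["customer_info"] and ev.last_vru_pin_change:
        age = ev.when - ev.last_vru_pin_change
        if timedelta(0) <= age <= PIN_CHANGE_WINDOW:
            return "decline", "ATM use after recent VRU PIN change"
    # A travel exception on a listed card goes to manual review, whatever the breach.
    if ev.channel == "call_center" and ev.request == "travel_exception":
        return "refer", "travel exception requested on compromised card"
    return "monitor", "on compromised list, no high-risk pattern matched"
```

Because every rule reads the same list, loading one new breach file updates all three channels at once.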