How to Mitigate the Risk of Payments Fraud

Finance chiefs who manage risk for their companies have plenty on their minds, from the eurozone crisis to FX volatility. But financial risk is not their only concern. Managing compliance with government policies, fraud and data breach risk are also high on their priority list.

More than ever, CFOs are responsible for strengthening internal controls, cutting costs, streamlining complex business policies and processes to improve financial transparency – all while complying with a myriad of regulatory issues. They also have greater accountability for combating internal and external payments fraud while ensuring their firms avoid reputational risk.

An AFP survey last year about the nature and frequency of fraudulent attacks on business-to-business (B2B) payments found that 71% of organizations either experienced attempted or actual payments fraud in 2010.

Criminals online today are cunning, organized and global. They’re masters of social engineering, skilled in targeting the most vulnerable corporations, governments or individuals with the highest potential for gain. Many work for organized crime syndicates. Often, they are located in rogue nations where financial fraud is difficult to prosecute.

Payment fraud can also strike close to home. A disgruntled employee with access to internal financial systems and passwords could compromise the security of an entire organization.

Most companies can’t field full-time security defense teams with the same intensity and focus as the hackers. So, the odds of a successful intrusion are in the perpetrator's favor.

In its 2012 Data Breach Investigations Report, Verizon found 855 data breach incidents from a greater number of contributors, representing a more diverse and broader geographical scope than in previous years. In fact, the number of compromised records from these data breach incidents skyrocketed to 174 million records after reaching an all-time low in 2011 of just four million records. Unbelievably, 2011 boasts the second-highest data loss total since 2004 when Verizon first started keeping track of these statistics.

Managing the risk of a porous corporate perimeter has never been easy. But, as the financial world becomes more complex and interconnected, companies must arm themselves with tools and techniques that make cutting-edge account protection and payment data cost-effective, easy to use, and manage.

“Hackers have a built-in advantage when it comes to compromising data,” said Aaron Bills, founder and chief operating officer of 3Delta Systems®. “They think day and night about how to invent and execute a clever attack, and they gravitate to pathways that offer the least resistance for the greatest payoff. Many work for organized crime syndicates. Yet, most companies don’t have full-time security defense teams with the same intensity and focus on deterring hackers, so the odds of a successful breach are in the hacker’s favor.”

According to the Ponemon Institute’s U.S. Cost of a Data Breach Study, data heists during 2011 cost companies an average of $5.5 million, or $194 per compromised customer record. The study also found that breaches from negligent insiders (39%) and malicious attacks (37%) are the primary root causes of data breaches. Since 2007, malicious attacks from criminal insiders (employees, contractors or other third-parties) or hackers have resulted in the most costly data breaches. Consequently, organizations need to focus on processes, policies and technologies that address threats from the malicious insider or cyber thief.

The fallout from a credit card breach equates not only to lost sales and revenue for a company, but lawsuits, damage to its brand and reputation, the loss of customers who take their business elsewhere, and stiff fines for not complying with requirements known as the Payment Card Industry Data Security Standard (PCI DSS). The PCI standards require merchants who process, retain or transmit payment card data to protect that information wherever it is stored. This means any business that accepts or processes payment cards online, in a store, by phone or by mail must protect and restrict access to that data or risk penalties from the PCI Security Standards Council.

“Because every point at which credit card data is handled must be secured, conforming to PCI rules as well as building and defending one’s own data fortress can be extraordinarily difficult and prohibitively expensive,” Bills explains. “Organizations that collect and store that type of data themselves often find it to be a huge headache with potentially significant liabilities. Transferring sensitive credit card and payment transaction data off-site, where it is encrypted and stored at highly secure, PCI-compliant processing centers, is often the best solution.”

Tribute partner, 3Delta Systems (3DSI), which has met the strict PCI compliance requirements for payment data security eight years in a row, pioneered a tokenization technology in 2003 called CardVault®. The premise is simple: if companies don’t keep confidential credit card information internally, there’s nothing for hackers to steal. Likewise, when customer card data is no longer on one’s system, the need for other controls is either greatly reduced or eliminated entirely. As a result, moving card data “out of scope” lessens the risk of a data breach, promotes faster and easier PCI compliance for organizations and saves them money.

Tokenization enables merchants to exchange their customers’ confidential card data – or other personally identifiable information – for randomly generated payment “tokens,” a process that safely replaces real card numbers with a string of characters which then become useless to would-be hackers. The token provides “contextual security” because the token value only makes sense between the token holder and the provider. Merchants use only the token for each customer transaction while the real card data remains securely offsite at 3DSI’s PCI-compliant, payment processing and data storage centers.

"Tokenization can be a formidable tool in a company’s defense arsenal, and with 3DSI’s CardVault in place, CFOs can sleep better at night, knowing that their customers’ payment and transaction data is safe and secure,” says Bills.

Visit www.3DSI.com for more information about CardVault from 3Delta Systems. Solutions That Pay.®