Data-security vendors generally acknowledge they are up against extremely high-tech, organized and relentless cybercriminals looking to steal identities and payment card data to execute fraudulent transactions.

As such, the defense mechanisms for merchants accepting card-present or card-not-present transactions must be formidable and come in layers. And the more layers, the better.

Traditional security technology such as chip-and-PIN cards for card-present transactions and 3-D Secure passcodes and encryption for online purchases help achieve Payment Card Industry data-security standards compliance. But a three-pronged approach to defense is needed to ensure better security, a payments security executive contends.

“Those accepted methods of security can help, but they are completely independent of each other, so they must be used in tandem with another layer of defense,” Mike Alford, managing director of London-based Alaric International, tells PaymentsSource.

Self-learning data-security techniques hold the key to a solid three-pronged approach for card issuers, processors and merchants, Alford contends.

When using a self-learning technique, card issuers and merchants establish fraud-detection “rules” specific to a certain business that determine whether to authorize a card transaction at the point of sale or online, Alford notes.

A card issuer may determine “rules” to not authorize a transaction until more confirmation takes place if the amount is more than $2,000 from an electronics retailer or if the Internet protocol address of an online purchaser indicates the order is taking place from a computer in Mexico with card data from a resident in another country, Alford explains.

Use of Bayesian statistical methods represents another self-learning security option, Alford adds.

“Bayesian is a mathematical approach in which the detection software maintains a list of probability of fraud at a particular merchant at any given time, creating relevant parameters for detection,” he says.

The Bayesian statistical method can operate on small data sets, so it works well for a small issuer of 250,000 cards or less, whereas other statistical methods generally need 1 million cards or more to be effective, Alford says.

The Bayesian method has proven to be an effective one for sorting out probabilities for good or bad transactions and for adapting to any new trends at a specific business, one fraud analyst says.

“I get positive feedback from the market that this method can really bring the issuer and merchant up to speed with security,” Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group, tells PaymentsSource.

Bayesian creates data similar to any system using a statistical model in that it “learns” more about the data as transactions occur, using it as a basis for ongoing alerts when a transaction doesn’t fit the data sets, McNelley says.

“Banks and issuers would adopt this method first, but I can see large merchants embracing it as well because we’re going to see analytics take hold in data security,” McNelley adds. “It’s a proven method.”

Alford says each defense method has its own strong points.

The chip-and-PIN smart cards primarily make it nearly impossible to clone a card, so it reduces fraud in a card-present environment, while the 3D Secure Verified by Visa or the MasterCard Secure Code password systems protect online retailers, Alford notes.

PCI standards ensure data are encrypted in storage so hackers getting past other defenses find it difficult to decrypt the data, he adds.

However, the self-learning techniques occur at the time of authorization, making it a key weapon in stopping fraudulent transactions, Alford contends.

“Our stance generally is that hackers will continue to be successful, so we have to keep advancing the technology to detect fraud in mathematical ways,” Alford says.

Alaric International offers self-learning capabilities in its Fractals 3.7 software used in conjunction with the payment-authorization step, Alford notes.

Alaric introduced its newest fraud-prevention software in August (see story).

Payment data from issuers using Alaric’s system during transaction authorization arrives in a fraud-protection system at Alaric, which notifies the issuer of a potential problem, Alford adds.

“Most merchants in the United Kingdom have caught on to the fact you need a three-pronged approach,” Alford says.

Cybercrooks are migrating their fraud attacks to the U.S. because the country does not support the EMV chip-and-PIN card, Alford suggests.

“But EMV migration will have a massive impact in the U.S. because of the equipment change needed, so U.S. merchants are reluctant to change,” he adds.

What do you think about this? Send us your feedback. Click Here.


Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry