Corporate payment cards usually have sophisticated restrictions or controls designed to make unauthorized use difficult, if not impossible.
These controls have typically been seen as excessive for consumer payments, but after countless retailer data breaches exposed the risks in modern payment cards, this level of security may finally be appropriate for the consumer market.
BMO's Steve Pedersen says the technology is certainly transferrable, but matching it to consumer needs is easier said than done. And, experts say, it's not necessarily a given that corporate cards and payments are safe.
"Consumers have generally been less aware of the corporate payment capabilities and have been more focused on the convenience of having their card available anytime and anywhere. But increasingly, people are becoming concerned about the security of their cards," said Pedersen, head of North American corporate credit card products at BMO Financial Group. "The issue is how do you make that security accessible in a way that is not overly complex?"
At BMO, any corporate or consumer card can include detailed transaction controls, spend parameters, or "on/off" switches, so the bank does not need to add any new technology to meet this emerging consumer demand, Pedersen said.
"A lot of issuers are now taking advantage of ways to lock down cards, more so than in the past," Pedersen said. "We've always emphasized these capabilities as an option and we're seeing more consumer interest in this than in the past."
Corporate cards and accounts are typically configured to have limited permissions, thus preventing employees from spending company money on personal purchases. These settings also manage liability risk, since corporate accounts don't have the same fraud protections as consumer accounts.
Cards can be restricted to use at certain merchants, locations, channels, times of day or purchase types. The party that controls these accounts can also change the parameters remotely. All of these controls can help consumers fight fraud, Pedersen said, but can also make the cards far more complicated to use.
"On the corporate side, it's usually an administrator that has an understanding of these controls and how to use them," Pedersen said. "If you position these controls and management broadly to consumers it's more of a challenge to make that message easy to understand for the entire spectrum of users."
And despite the heightened level of security, corporate cards are not completely immune from fraud, Pedersen said. "It would be disingenuous to say that," he said.
For example, fraudsters who take over a corporate account may be able to remove the restrictions set by the account's owner, said Al Pascual, director of fraud and security for Javelin Strategy & Research.
Social engineering is an issue, as fraudsters have found some success in convincing company employees to approve a bogus wire transfer, Pascual said. "As the wire request ends up coming from an employee detecting and mitigating these types of crimes are considerably more difficult," he said.
Business accounts are also subject to fallout from data breaches, particularly when the accounts belong to smaller businesses, said Shirley Inscoe, a senior analyst at Aite Group.
Since a small-business owner is more likely to use the same credentials to access personal and corporate accounts, it's easy for crooks to take over an email account and impersonate the owner. "The reason you haven't seen this scam in the newspapers is that the fraud is totally contained within the small business, and the financial institution is acting on an authorized wire instruction from the business, therefore the bank has no liability," Inscoe said.
Card controls may hold less value to consumers as more U.S. shoppers see the security benefits of using EMV-chip payment cards, Pedersen said. BMO is issuing EMV cards in the U.S. as its magnetic-stripe cards expire, and Pedersen said the issuer's U.S. EMV migration is more than 70% complete.