Every data-security and fraud-prevention vendor or payments-industry analyst offers similar advice to banks and merchants about protecting customer card data and personal information.
Provide the protection in “layers,” they say.
Well, how many layers, and what are the options? Which ones are really needed, and which are most effective?
Only the kinds of questions an industry consultant or security vendor might ask a merchant or bank executive can provide the answers.
And there are other questions, too.
How much data requires protecting? How do customers generally access products? Do they order online or purchase items face-to-face in a card-present situation at a payment terminal? Who stores the data, the merchant or the processor?
Card-data security technology has advanced far beyond a payment-terminal clerk asking for a driver’s license to compare names, faces and consumer signatures in card-present transactions. Security-technology vendors had no choice but to advance their products at a rapid clip because hackers were doing the same as payments grew online, through mobile devices or on bank or merchant websites.
Ultimately, fraud-prevention technology can confuse merchants, much as consumers can’t keep track of the newest mobile phones or high-definition televisions. And technology advancements have unfolded for both card-present and card-not-present transactions.
U.S. point-of-sale fraud prevention still relies, in part, on the clerk asking for an extra piece of identification. But PINs have become common, and the EMV chip-and-PIN technology common in Europe and Canada is on its way to the U.S.
In addition, vendors created data encryption and tokenization, which converts credit card numbers into substitute tokens, as extra layers of defense once data are in the payment terminal. More recently, security vendors have promoted voice, fingerprint or retina biometrics as card-present or ATM-access defenses.
Considering that most consumers carry cell phones, some vendors promote mobile-phone proximity detection as a fraud-prevention measure, to ensure the device the customer uses to initiate a transaction is at the same location where the transaction is taking place. When a cardholder registers his mobile phone number with his card account and installs an application that allows the issuing bank to monitor the location of the phone, it becomes easier to suspect a fraudulent transaction if the cell phone is in New York but the card is being used at a point of sale or an ATM in Mexico.
However, cyberattacks against online merchants or mobile-banking websites brought more attention in the past two years to card-not-present fraud-prevention technology.
The e-commerce payments industry quickly established a Fort Knox attitude with various defense measures: PINs, passwords, one-time passcode tokens, secure cookies to confirm safe websites, Internet protocol address geolocation, dual controls (transactions need approval by two individuals within a company), SMS text-messaging passcodes through mobile phones, device identification, phone-call transaction validation, and personal identification questions about a mother’s maiden name or a favorite teacher or movie.
“The more layers, the better” remains sound advice, but for those needing a specific number, Avivah Litan, vice president and distinguished analyst at Gartner Inc., advises that five layers of defense provide solid security.
“Data security and fraud prevention is a very confusing space, and our five-layered approach puts some structure to it,” Litan tells PaymentsSource.
It would be misleading to think that a fraud-prevention process is more complicated for banks than for retail merchants because of the volume of data and funds they store for customers, Litan suggests.
“Banks need to protect customer accounts, and in many ways that is easier because they know those customers and they know who they are dealing with,” she says. “Merchants don’t always have accounts for their customers and, in many cases, don’t know much about their customers.”
Any layer of defense must have an enemy it is attempting to thwart. In the case of data security, the enemy is a hacker downloading or introducing malicious software into a payments network. Hackers target merchant or bank websites or bank employee or customer computers in an attempt to steal card or personal information.
The hackers’ list of Trojan malware can get as long as the list of defense mechanisms trying to stop such attacks. The hackers seek authentication credentials, tamper with transactions or hijack browser sessions with malware such as ZeuS, SpyEye or OddJob.
While Gartner’s five-layered approach may have the banking industry in mind, it would provide solid security for any company trying to protect customer accounts or to identify abnormal consumer behavior, Litan says.
The first of the five layers Gartner recommends to counter malware invasions combines software- or hardware-based secure browsing, out-of-band authentication and client device identification.
Software to monitor and analyze how a customer navigates a merchant website or mobile-banking site represents the second layer. The software compares a customer’s navigation of a website with patterns deemed “normal” for that site.
The third layer involves software that analyzes account behavior and associated transactions, which allows for comparing transactions and identifying those deemed suspicious.
Software in the fourth layer seeks unusual account behavior across multiple channels (online and in-store sales). It provides the same information as layer three but adds the other channels, so that unusual activity in one channel can be correlated with activity in another.
The fifth layer features software providing “entity link analysis,” which examines any connection between site users, accounts and devices to detect organized or collusive criminal activities.
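As an added illustration, not code from Gartner or PaymentsSource, the following Python sketches how layers three to five can be expressed as checks over a constructed event stream: a per-account amount threshold (layer three), a cross-channel correlation window (layer four) and entity link analysis that clusters accounts connected through a shared device (layer five). The event fields, thresholds and sample records are assumptions chosen for the example.

```python
from collections import defaultdict, namedtuple

# channel is "online" or "in_store"; minute counts from the start of the sample window
Event = namedtuple("Event", "account device channel amount minute")

# Constructed sample activity (not real data): acct-A and acct-B share dev-1.
EVENTS = [
    Event("acct-A", "dev-1", "online", 40.0, 0),
    Event("acct-A", "dev-1", "online", 35.0, 5),
    Event("acct-B", "dev-1", "online", 900.0, 7),    # same device as acct-A
    Event("acct-B", "dev-2", "in_store", 850.0, 9),  # in-store two minutes later
    Event("acct-C", "dev-3", "online", 20.0, 12),
    Event("acct-C", "dev-3", "in_store", 25.0, 400),
]

def account_anomalies(events, limit=500.0):
    """Layer 3: accounts with at least one transaction above an amount threshold."""
    return sorted({e.account for e in events if e.amount > limit})

def cross_channel_anomalies(events, window=30):
    """Layer 4: accounts active in two different channels within `window` minutes."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e.account].append(e)
    flagged = set()
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e.minute)
        for a, b in zip(evs, evs[1:]):
            if a.channel != b.channel and b.minute - a.minute <= window:
                flagged.add(acct)
    return sorted(flagged)

def linked_account_clusters(events):
    """Layer 5: accounts joined through a shared device (union-find over an account/device graph)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x
    for e in events:
        ra, rd = find(e.account), find("device:" + e.device)
        if ra != rd:
            parent[rd] = ra
    clusters = defaultdict(set)
    for e in events:
        clusters[find(e.account)].add(e.account)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)
```

On the constructed data, layers three and four each flag acct-B alone, while layer five links acct-A and acct-B through dev-1, which neither per-account check reveals.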
Besides options for building five layers of defense, Gartner advises merchants and banks involved in e-commerce or those dipping their toes into mobile-payment acceptance to lower their risk by establishing a limit on the value of transactions and on how many mobile transactions customers can make. As an example, Gartner recommends that banks not allow large corporate payments from mobile devices without extra security controls, such as dual authorization from two separate devices for each payment.
When initiating mobile-payment applications, banks and brokerages should not allow customers to change profile information, such as mailing addresses, nor allow funds transfers to payees not previously established by the user, Gartner recommends.
Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group, has conducted extensive research into the security measures needed to thwart cyberattacks on banks and mobile payments.
One of her reports cited mobile banking as the next major area for cyberattacks. Aite expected hackers to release as many as 25 million new strains of malware by the end of 2011 and the total to grow to 87 million by the end of 2015.
“The commercial online and mobile channels need the highest priority for fraud protection,” McNelley says.
Financial institutions are about two years ahead of retail merchants in terms of fraud-prevention knowledge and level of implementation, McNelley adds.
Fraud protection and the Payment Card Industry data security standards go hand-in-hand, Edward Lawrence, an analyst and director at Auriemma Consulting Group, tells PaymentsSource.
“If everyone was in compliance, there would be no breaches,” Lawrence suggests. “A breach at the firewall of a payments network allows the hacker to get account data and other information.”
Because the first line of defense at the firewall is so important, it should be viewed as the one layer that protects everyone: the acquirer, issuer and merchant, Lawrence contends.
However, the defense layers come into play for a reason, Lawrence suggests.
“PCI compliance is designed so that if someone was able to hack in, it wouldn’t mean anything because the data is encrypted and protected through each step of the network,” he adds.
Which brings everyone back to the fraud-prevention mantra: The more data and the more places it can be in a network, the more security layers are needed.