As technology advances and fraudsters grow bolder, data security is becoming a more difficult issue for payments companies.
Edison, N.J.-based security and payment gateway provider Retail Decisions is among those companies attempting to make sure merchants, issuing banks and consumers are able to use new payment systems without exposing themselves to more fraud.
Rich Rezek, director of global product management for Retail Decisions, talked with PaymentsSource about the complex world that data security has become in the ongoing conflict with organized crime and petty fraudsters.
PaymentsSource: The mounting number of sophisticated attacks on personal data taking place must mean a company like Retail Decisions is very busy.
Rezek: Yes, it does. The percentage of fraud transactions has gone up by only 6% to 7% in the last year, and continues to go up each year. But what is interesting is that the dollar value has gone up by 45% or 50%, so while the volume isn’t increasing by great amounts, the value is.
PaymentsSource: Do the more organized attackers have different goals in mind than simply obtaining card data?
Rezek: Recent cyber attacks have been more about sophisticated criminal networks trying to obtain data in order to be able to shut down an account and prevent commerce, so it’s about more than stealing. It’s the denial-of-service attacks you see on Visa and MasterCard.
PaymentsSource: What’s a key concern for issuing banks at this time?
Rezek: On the issuing side, we have seen for years where a criminal takes a stack of cards and goes to the ATM and just starts drawing out money, $500 for each card. In an issuing world, how do you do a chargeback on an ATM? That’s a loss. You have to shut down the device.
PaymentsSource: Any way around shutting off that service to customers?
Rezek: One of the products we developed when working with one of the debit switches was to actually build them a fraud service, similar to what we do for merchants. This actually monitors transactions in real time in 250 milliseconds. PIN debit was always believed to be a pretty secure thing, but when you start having a problem with people showing up with 5, 10 or 100 cards, the point of loss becomes the device rather than the account.
PaymentsSource: Is device protection any more complex than account protection, or do the same analytics come into play?
Rezek: There are some things you can do to monitor a device for fraud. It is not that it’s a bad device, but just that it is being used for fraud. If transactions are coming in at that ATM at five-second intervals, it may indicate some fraud activity. The device can be shut down momentarily. Or the issuer can put the device on a “watch list” and monitor all transactions that take place there and determine where else those cards were used or at what other merchants. We can maybe then find the source of the fraud. If 10 cards were considered bad, what if we find out they were all used at the same restaurant? How about the other cards that have been used at that restaurant?
PaymentsSource: Do issuers and merchants ultimately have the same problems with fraud?
Rezek: Our ReD Shield product was built for merchants with a chargeback problem, helping them set risk-management rules for what they will and won’t allow, and for which transactions they feel good about and those they don’t. But with issuers, it is a backward problem. Issuers didn’t want to insult consumers by denying a transaction when they are buying groceries, for fear they would go to another bank. But they realized they also had to start doing real-time detection and blocking. For issuers we provide software, but with merchants it is a service.
PaymentsSource: Why the difference?
Rezek: Issuers know everything about what the consumer has done. They don’t have a timeline problem, they have a data problem. The data that flows through the card network plumbing is limited. What’s available at the POS, and what’s available from the website [payment page], and what the infrastructure really supports today is simplified data — the transaction amount, expiration date and merchant name. From that, the issuer is expected to figure out whether a transaction is fraud or not. Our system builds a profile of what the consumer normally does, so the issuer can tell if it is a normal or abnormal day for that consumer.
PaymentsSource: Do merchants and issuers share consumer data?
Rezek: When we saw that issuers had a real-time problem, we rewrote ReD Shield as software for issuers as an enhanced merchant system. But we discovered that merchants and issuers are often chasing the same fraudster. But when the transaction takes place at the merchant site, he has different information than when it hits the issuer. So we thought about what we could do to make this a smarter security mechanism.
PaymentsSource: And what came out of those discussions?
Rezek: We got into a relationship with Wal-Mart and Discover about eight months ago to build ReD Fraud Exchange to actually exchange data, with the purpose of taking specific scenarios in which a merchant may decide to not continue a transaction and making sure the issuer is not waiting on a settlement transaction for the product purchase that was denied. We can take the denied transaction back to the issuer and say, “I don’t know what this exactly means, but you may want to talk to your cardholder and see if he was really trying to buy this product.”
PaymentsSource: Merchants don’t let customer data out of their hands too often, do they?
Rezek: Merchants rarely want to turn over customer data to anyone else, but the truth is, in cases like this, it is bad data. But there are cases in which the merchant does everything to complete the sale, but then the issuer gets a second or third transaction on that card that does not seem right and they talk to the cardholder, block the transactions and send chargebacks to merchants. So, who benefits? No one. What if we could take that block and go back to the merchant? We could say 24 hours ago we thought this was a good transaction, but we have found it has gone bad, so before shipping the product you may want to check with the cardholder to see if they actually purchased that item.
PaymentsSource: How does mobile payment development affect data security?
Rezek: We have a lot of merchants who accept mobile payments and it creates some complexities. Traditional e-commerce used to be a consumer shopping from one computer, but that is no longer true. Now, as many as three or four devices — a PC, laptop, iPhone and iPad — may define that consumer. Your IP (Internet protocol) address is probably abstracted behind a cellular carrier now, and it used to be that your IP geo-location would identify where you are (when conducting a transaction).
PaymentsSource: Not so any longer?
Rezek: We have to create a whole new strategy around mobile. It makes a difference and it’s a big deal, but it has to be part of the norm. It is a new strategy and a new problem.