It has been nearly a year since the Target breach has tuned the world into what fraud managers have been dealing with for years.
The change in thinking that has driven the revision of payment security has been nothing if not revolutionary, with the conversation changing to be rightly focused on the weak points in the chain, and greater understanding placed in the locations where the true vulnerabilities lie.
I recall being a bank officer almost a decade ago, developing metrics and seeing the first big wave of merchant-breach related fraud. My recently designed statistical KPIs suddenly reached new heights, which left me wondering if there was a problem with the standard deviation in the formula.
This was the warning shot across the bow of the ship, when the first massive merchant compromises were just starting to be identified. In the following year, the major merchant card processor, Heartland Payment Systems, suffered the eras largest breach of payment cards. While this opened the floodgates of counterfeit card fraud, it also began to change the thinking in the tradeoff of security vs. convenience and drive how we would secure the payments ecosystem.
Since then, there has been a tremendous shift in the thinking from the corner office to the consumer. Rightly so, not a day passes when I am not driving past a strip mall and remember working a breach at one of the merchants that hangs a sign there.
Banks I worked with years ago were afraid to re-issue cards as they assumed that customers might believe that the bank could have been the source of the breach. Now, they are the same banks that will proudly reissue in the interests of customer satisfaction and brand protection. Payments security has indeed become a competitive advantage. Major issuers now openly advertise their competence in the management of fraud, minimizing the impact with humor. Have you seen the one from Discover with the frog detection? Brilliant.
Its not funny all the time; we are still dealing with a tragic situation, where a foreign hacker will steal the login credentials from a point of sale vendor or other integrated service, and be able to drop malware on dozens of small mom and pop shops that sell pizza or coffee beans to their community.
Small businesses are still the most vulnerable and still a very unfortunate target. They are in the business of serving their customers, not focusing on the effects of breaches. Still, we all need to step up our sophistication, and the world around us is pushing for stronger controls and new hardware to mitigate the risk. By October of next year, the way we checkout at our favorite stores will change. It took a very long time to get the United States to this step, and we have a security-technical debt to pay.
However, in this last eventful year, the public realized how far we had fallen behind in our technology to secure our payments ecosystem. Since then, Walmart has started widely accepting chip cards, Home Depot has point to point encryption at registers, Apple is showing us how tokenization and mobile wallets will further change the checkout experience. These are indeed tremendous innovations, and will leave us in a position next year that is equally as distant as the year behind us.
Seth Ruden is senior fraud consultant for ACI Worldwide.