Electronic Payment Fraud, Security and Risk Mitigation

Updated: July 29, 2010

Q: What do you see as the single greatest threat to online payment security today?

There is no single greatest threat, per se. Implying there is a greatest threat leaves companies susceptible to payment security breaches. The payment network has become so interconnected that any breach can affect the entire system.

The biggest risk is systematic. Criminals and hackers have multiple points to penetrate a system, whether it's a system security breach or at human contact within these systems.

It's important for those responsible for online payment security to think of the possible risks from end-to-end.

Q: Electronic payments involve multiple entities including consumers, merchants, payment processors, banks, and credit card issuers-- is there a "weakest link" in this data access chain?

Risks can vary by each entity based on the type of security measures individual entities have put in place. One merchant may have a very strong security system while another one a very weak security system.

But there is a related responsibility between these entities. Banks are putting more pressure on payment processors to take responsibility for merchant breaches. This pressure ensures that larger numbers of banks are becoming compliant based on payment processor regulations.

Certain entities do drive greater specific risks than others. For example, credit card issuers are pro-consumer, which means they enable fraudulent credit card users to get away with online fraud or 'friendly fraud.'

While friendly fraud isn't considered the same threat as an organized online crime ring, friendly fraud is thought to be responsible for almost half of many merchant fraud issues.

Q: One hotly debated issue today is whether or not compliance is the best benchmark for measuring security - your thoughts on the debate?

PCI is a formal compliance self-regulation. It's more of a standard than a benchmark. The standard is necessary because, as noted above, security issues are systematic.

All entities within the system must take responsibility in order to protect the whole system. We are at a point where individual merchants have created their own benchmarks and best practices.

Those with a focus on consumer protection and risk management tend to strive to meet higher benchmarks than others. Visa and Mastercard, Visa in particular, are leaders in driving new standards and setting benchmarks because they are the biggest part of the system at this time.

I anticipate more to come.

Q: Will large data loss events have an effect on the future of the self-regulatory nature of security in the online payments industry?

I believe the industry will try to stay self-regulated as long as possible. As we get more sophisticated in identifying fraud and security breaches, we begin to understand the true loss to business.

We are also beginning to understand the true end-to-end cost including resources and time. Every participant in the payment management process is incented to invest in fraud protection.

Q: What manners of data protection and authentication protocols does Verifi employ when securing client data?

We are a PCI Level I secure company. We can remove much of a merchant's PCI liability and their security risks because we host the online payment page, instantly encrypt the credit card number and give the merchant only the token.

We continue to evaluate the best technologies to ensure we provide our clients the best protection. We find many merchants may have the means to employ a basic PCI secure system such as this but forget about other areas of risk, particularly human risk associated with customer service and accounting representatives who can access data.

We have a PCI secure chargeback management team. We ensure the strictest PCI compliance to our credit card data handling rules. Our clients may not have as strong of a focus as ours, given it's one of our core competencies.

This is why we are in business.

Q: In addition to securing online payments against data loss, how does Verifi help clients manage fraud detection within high volumes of transactions?

What we do, we help support clients combating 3rd parties and proprietary tool, multi-layer. Our system is constructed with fraud detection in mind. We employ the best 3rd party fraud detection technologies into our platform.

This is called our Intelligence suite. We layer our Fraud identification engine on top of these detectors and give merchants the analytics and insight they need to properly identify their risks and set rules around fraud management.

The level of detail we can provide customers is incredible. We can maximize fraud detection and minimize 'false-positives', the occurrence of a true customer who is accidentally identified as a fraudster.

This is important. A company may eliminate fraud by denying 10% of total online orders, but if 5% of those are good customer orders, that's a problem.
