ISACA Journal
Volume 1, 2016

Features 

Security in the Payment Card Industry: The Importance of Data Integrity 

Mark Johnston 

In July 2015, CVS became the latest company to fall victim to an apparent breach, this one involving credit card data obtained via its web site for ordering and processing photos. The alleged breach happened through the third-party company that hosts CVSphoto.com.

As of this writing, CVS has declined to say how many customers may be affected, but the point stands: One stolen credit card number is one too many. Consumers are not held liable for fraudulent activities on their credit card; however, such activity can make consumers feel helpless. And it takes time to contact the card issuer or bank to seek reparations for fraudulent activity, especially when details about how or when the personal data was breached are unknown.

This recent incident is part of a disturbing trend in a constantly connected world. Almost half of the credit card fraud in the world—47 percent—occurs in the US. Though Americans are the victims of nearly half of the world’s credit card fraud, they make up only 24 percent of total credit card volume in the world, meaning the risk is high.1

The payoff to criminals for obtaining, and sometimes using, stolen payment card information makes that information a prime target. The largest retailers, the smallest restaurants and everyone in between are vulnerable if proper security is not in place.

It is not just credit cards that are at risk, either. According to the credit score firm FICO, debit card information is being stolen from automated teller machines (ATMs) at the highest rate in 20 years. Between January and April 2015, debit card data theft was up 174 percent over the same period in 2014 at ATMs that are part of banks. As for nonbank ATMs, data theft was up an astonishing 317 percent.2

The Best Defense is a Good Offense

So what should a bank or credit card company do? Financial institutions cannot hover over the point of sale at every retailer, ensuring they have secured their data. What banks do have power over, however, is what happens if a retailer allows payment card information to get into the wrong hands. And while no one can predict when data might become vulnerable to attack, there are measures to put in place—and best practices to commit to—that are game changers, essential for the payment card industry (PCI) moving forward.

This is where data controls come in—to protect the integrity of the customers’ spending data. Regardless of what protections retailers enact, credit card companies and banks with robust data controls in place will know immediately when unusual activity or spending patterns emerge. Automated controls are key to catching potential security and fraud risks such as these—and in real time. For instance, controls can be established to monitor activity by location, by store, by dollar amount spent and so forth. Essentially, any business rule can be written and a control established to alert when the rule is broken. For fraudsters who test a stolen credit card by making a US $1 purchase, controls can be an essential part of early theft detection—and of the subsequent actions that stop the theft in its tracks.
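The business rules described above, written as a small rule-based monitor over a constructed batch of transactions; this is an added illustration, not code from the article or from any vendor product, and the card numbers, merchants, thresholds and time windows are all assumed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    card: str          # masked PAN, constructed sample value
    ts: datetime
    amount: float
    merchant: str
    location: str      # city/state, constructed sample value

# Hypothetical thresholds; an issuer would tune these to its own data.
TEST_CHARGE_MAX = 1.00               # the "US $1 test purchase" pattern
TEST_WINDOW = timedelta(hours=2)     # probe followed by a real purchase
TRAVEL_WINDOW = timedelta(hours=1)   # same card, two locations, too close in time
AMOUNT_LIMIT = 500.00                # single-transaction dollar rule

def evaluate(txns):
    """Apply the rules card by card; return (card, rule, detail) alerts."""
    alerts = []
    by_card = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_card[t.card].append(t)
    for card, hist in by_card.items():
        for i, t in enumerate(hist):
            if t.amount > AMOUNT_LIMIT:
                alerts.append((card, "amount_limit", f"{t.amount:.2f} at {t.merchant}"))
            for prev in hist[:i]:
                gap = t.ts - prev.ts
                # Rule: tiny probe charge, then a real purchase on the same card
                if prev.amount <= TEST_CHARGE_MAX < t.amount and gap <= TEST_WINDOW:
                    alerts.append((card, "test_charge",
                                   f"{prev.amount:.2f} then {t.amount:.2f} within {gap}"))
                # Rule: card used in two different locations within the travel window
                if prev.location != t.location and gap <= TRAVEL_WINDOW:
                    alerts.append((card, "location",
                                   f"{prev.location} -> {t.location} within {gap}"))
    return alerts

# Constructed sample activity (not real cardholder data)
SAMPLE = [
    Txn("4111****1111", datetime(2015, 7, 1, 9, 0), 1.00, "GasMart", "Chicago, IL"),
    Txn("4111****1111", datetime(2015, 7, 1, 9, 40), 299.99, "ElectroShop", "Chicago, IL"),
    Txn("5500****0004", datetime(2015, 7, 1, 12, 0), 45.00, "Cafe", "Boston, MA"),
    Txn("5500****0004", datetime(2015, 7, 1, 12, 30), 80.00, "Diner", "Seattle, WA"),
    Txn("3400****0009", datetime(2015, 7, 1, 15, 0), 20.00, "Books", "Austin, TX"),
]

if __name__ == "__main__":
    for card, rule, detail in evaluate(SAMPLE):
        print(f"ALERT {rule:<12} {card}: {detail}")
```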

Automated controls, then, when implemented together with automated alerts and visibility tools, provide a broad range of protection for cardholders. Alerts strengthen this process by notifying financial institutions when cardholder information has been accessed by the wrong person. Proper controls will alert the appropriate personnel so that they can take immediate action.

Data integrity measures are most effective against security risk when analytics are applied to historic activity to identify past patterns, helping companies predict and prescribe expected future activity and alert when actual results diverge from it. Fraud patterns are, in fact, one of the activities best suited to robust analytics deployed to predict—and prevent—fraud.

With so much on the line, advance preparation for what may be in store should a breach take place can mean saved time and reduced risk later.

Working From the Inside Out With Access Controls

Before thinking about external threats to security, it is important to incorporate controls for confidentiality and proper oversight of internal employee access to customers’ sensitive financial information. Within banking and PCI, access controls prevent the wrong employee from getting private information, ensuring that various functional roles within the organization have access only to subsets of information, not the entire set of private cardholder data. When thinking about PCI security, this should be a foundational measure taken, so that threats to any potential points of data vulnerability are thwarted from the inside out.

The Importance of Automated Data Controls

There are three ways that data controls protect information:

  • Reconciliation and verification—Provide knowledge that data controls are working the way they should be.
  • Continuous monitoring and alerting—Raise an alert any time something unusual happens in the network.
  • Reporting—Ensure compliance with regulatory requirements that make organizations prove they have the proper controls in place.

Data controls are automated and run continuously, verifying, balancing, reconciling and tracking every single bit of activity that happens across a network of payment cards and customers. They react in real time to anything suspicious they come upon, so the flow of fraudulent activity is stopped as soon as possible and business leaders are alerted to shut down payment card activity at the first sign of something unusual. This limits the damage and helps a company get a handle on the situation, even before any humans get involved with the investigation.
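The three functions just listed (reconciliation and verification, alerting, reporting) carried out on a constructed pair of feeds: an issuer's authorization log reconciled against a processor's settlement file. This is an added example, not the article's or any vendor's code; the feed layout, identifiers and amounts are assumed sample values.

```python
import csv
from io import StringIO

# Constructed sample feeds (not real data). A101 is a $1 authorization that never
# settled, A102 settles for more than was authorized, A104 settles with no authorization.
AUTH_LOG = """auth_id,card,amount
A100,4111****1111,25.00
A101,4111****1111,1.00
A102,5500****0004,130.50
A103,3400****0009,60.00
"""
SETTLEMENT = """auth_id,card,amount
A100,4111****1111,25.00
A102,5500****0004,135.50
A104,5500****0004,300.00
"""

def load(feed):
    """Index a CSV feed by its authorization id."""
    return {row["auth_id"]: row for row in csv.DictReader(StringIO(feed))}

def reconcile(auth_feed, settle_feed, tolerance=0.0):
    """Reconciliation/verification: match every record across both feeds and
    classify what does not balance."""
    auths, settles = load(auth_feed), load(settle_feed)
    result = {"matched": [], "amount_mismatch": [],
              "unsettled_auth": [], "unauthorized_settlement": []}
    for aid, a in auths.items():
        s = settles.get(aid)
        if s is None:
            result["unsettled_auth"].append(aid)
        elif abs(float(a["amount"]) - float(s["amount"])) > tolerance:
            result["amount_mismatch"].append((aid, float(a["amount"]), float(s["amount"])))
        else:
            result["matched"].append(aid)
    # Settled with no matching authorization: money moved without approval
    result["unauthorized_settlement"] = [sid for sid in settles if sid not in auths]
    return result

def control_totals(result):
    """Reporting: counts a compliance report would retain as evidence the control ran."""
    return {name: len(items) for name, items in result.items()}

def needs_alert(result):
    """Alerting: raise on anything that moved money outside what was authorized."""
    return bool(result["unauthorized_settlement"] or result["amount_mismatch"])
```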

An Evolving PCI Marketplace

As the payment universe continues to evolve—2015 will be the first US holiday season with ApplePay—managing activity on a network is going to become even more complex. For instance, ApplePay does not require customers to present a credit card. All it requires are a few taps on an iPhone or Apple Watch, and the payment goes through.

In fact, criminals have already figured out one way to exploit ApplePay for their gain. They are adding fake credit card numbers to the system. According to a recent article in Digital Trends, fraud accounts for 6 percent of ApplePay transactions.3 This is a far higher rate than with traditional credit cards, where criminal activity accounts for only 0.1 percent of transactions. In this case, the burden is entirely on the banks to verify that the card numbers are real. In real-world scenarios, not all banks have been up to the test. Data controls, however, such as automated RECON data set controls, raise a red flag if someone tries to load a fake number into his or her ApplePay account. By matching customer-entered account numbers against a list of authenticated cards, profiles and locations, these controls ensure that unusual activity, no matter how minor, is not overlooked.

No one can predict other ways criminals might hack into these new payment methods or how they will further complicate transactions for customers. Data controls help guide companies through this revolutionary time by ensuring that changes in technology cannot dictate an organization’s ability to protect its bottom line from fraudulent activity. It does not matter how customers pay, whether by physical card, web transaction, ApplePay or some other method yet to be developed; the controls work the same way to monitor, verify and reconcile every bit of payment data as it flows through a network.

What Is at Stake

Data controls, then, let organizations protect their customers, reputation and revenue. Banks typically suffer the most in a data breach, even if the breach happened through a retailer. Someone must foot the bill for all of the improper purchases. In 2013, the cost of credit and debit card fraud was US $7.1 billion, according to a Business Insider report.4 The bottom line is that there is a great deal of money at stake when payment card information gets into the wrong hands, so it is in everyone’s best interest to stop the fraudulent activity as soon as it starts.

In an ideal world, an organization would not need to worry about criminals getting their hands on its customers’ information. But organizations cannot control what happens through other organizations’ systems—that is, unless they have their own set of controls in place that can detect fraud as soon as it happens, stop scammers in their tracks and minimize risk in meaningful ways that will impact the financial services industry immensely as the market continues to evolve.

Endnotes

1 Sweet, K.; E. Swanson; “AP-GfK Poll Shows Few in US Have Received Credit Cards With Chips,” Associated Press, 6 June 2015, http://ap-gfkpoll.com/featured/ap-gfk-poll-shows-few-in-us-have-received-credit-cards-with-chips
2 Buzzard, J.; “Theft of Debit Card Data From ATMs Soars,” FICO.com, 19 May 2015, https://community.fico.com/community/fico_analytic_cloud/preventing-fraud/blog/2015/05/19/theft-of-debit-card-data-from-atms-soars
3 Gokey, M.; “Fraudsters Exploit Weak Bank Security Process to Add Fake Cards on ApplePay,” Digital Trends Online, 4 March 2015, www.digitaltrends.com/mobile/apple-pay-fraud-fake-credit-cards/
4 Heggestuen, J.; “The US Sees More Money Lost to Credit Card Fraud Than the Rest of the World Combined,” Business Insider, 5 March 2014, www.businessinsider.com/the-us-accounts-for-over-half-of-global-payment-card-fraud-sai-2014-3

Mark Johnston is customer advocates director at Infogix where he works with more than 150 unique customers from the health care, financial services and insurance industries. He leverages a broad range of industry, educational and job-related experience and combines it with his passion for strong and growing customer relationships to help deliver long-term success for his customers. Johnston has also worked as a financial advisor with Edward Jones and Raymond James. He also has job-related experience in the online K-12 education field, document management for patent law firms and online trading firm TD Ameritrade.


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.