3 Keys To Making Payments More Secure

With data breaches on the rise and EMV far from a reality in the US, two-factor authentication, improved transaction monitoring, and encryption are steps banks can take now to better secure payments credentials.



The hackers who conducted cyber-attacks against Target, Neiman Marcus, and other retailers this past December pushed payments security to a new level of public awareness. Data breaches aren't new, but the scale of the attacks and the wave of headlines that followed had never been seen before. The Target breach alone could have affected up to 110 million consumers, with an estimated 40 million credit and debit cards stolen. Since then, Congress has held multiple hearings on payments security, and surveys show that companies, including banks, are increasing their cyber-security investments as a direct result of the attacks.

The breaches aren't going to stop any time soon, either. More than 600 data breaches -- a 30% increase from 2012 -- were reported last year to the nonprofit Identity Theft Resource Center. A recent global survey of IT executives by BAE Systems Applied Intelligence, a security solutions provider, found that 82% of the US respondents -- across all industries -- expected that targeted cybercrime would increase in the next two years. The same BAE survey found that 60% of the respondents are increasing their cyber-security investments, with 78% of those respondents directly attributing that increase to last year's data breaches.

Banks are in an unenviable position in regard to securing payments; they have to absorb the cost of fraudulent transactions that result from breaches, yet cannot guarantee the security of payments credentials throughout the payments system. And each new breach leads to the costly reissuing of potentially millions of card credentials. More than 17 million cards have been reissued since the Target breach, at a cost of $172 million, the Consumer Bankers Association estimates.

Customers expect their banks to protect them from financial loss when a breach occurs, but retailers play a large role in protecting credentials when they are received at the point of sale and processed. Banks have invested heavily in online security over the past several years and have to comply with strict regulations in protecting their customers. Retailers aren't held to the same standards, though, making them an easier target for cyber-criminals. Out of the 614 data breaches reported to the Identity Theft Resource Center last year, only 3.7% targeted banks, while 34% were aimed at retailers.

But banks, like other companies, are investing more in cyber-security, according to a recent survey of bankers by ACI Worldwide, which found that 50% of financial services respondents say they are increasing their investments in fraud detection. "You can only throw so much money at something that isn't under your control, and breaches aren't going away," Michael Grillo, a product marketing manager at ACI, says. "Banks need to look at their whole risk management tools and procedures and develop a multilayered approach to security."

Much of the attention after the data breaches last year was focused on the Europay, MasterCard, and Visa (EMV) standard as a possible solution to protecting payments credentials. But EMV is no cure-all for the vulnerabilities in the payments system today; for instance, EMV wouldn't have prevented the malware attack that hit Target. EMV could eventually help improve security as part of the multilayered approach that Grillo mentioned, but it's still years away from reality here in the US. Banks can help protect customers right now, though, by implementing two-factor authentication and better fraud monitoring, and collaborating with merchants on stronger encryption of credentials. That collaboration could be a challenge, but as the payments system works toward implementing EMV, the liability for fraud losses from breaches will be placed on retailers instead of banks, which may give them an incentive to work with banks on improving security.

An Extra Step in Authentication

Gmail, Twitter, and Facebook already use two-factor authentication through mobile devices for better security, and banks could implement similar systems to protect their customers, says Deena Coffman, CEO of IDT911 Consulting and CISO of IDentity Theft 911. Rather than using a static PIN, customers could have a PIN sent to them via text message that would be good for a certain amount of time or a set number of transactions, limiting the potential risk if a thief were to steal the PIN. Banks offer two-factor authentication to secure other functions, such as online banking sessions, but haven't implemented it at the point of sale, Coffman notes.
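The PIN scheme Coffman describes, a code sent to the customer that expires after a set time or a set number of transactions, can be sketched as a small issuing and verification service. This is an added illustration, not code from the article or from IDT911; the store layout, the 6-digit format and the default limits are assumptions, and the SMS delivery itself is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class IssuedPin:
    """Server-side record for one short-lived PIN (constructed, hypothetical store)."""
    pin_hash: bytes      # only a hash is kept, never the PIN itself
    expires_at: float    # Unix time after which the PIN is dead
    uses_left: int       # transactions this PIN may still approve
    attempts_left: int   # wrong guesses tolerated before the PIN is revoked


class PinService:
    """Issues PINs that are good for a limited time *or* a set number of
    transactions, whichever runs out first, and verifies them at purchase time."""

    def __init__(self, ttl_seconds=300, max_uses=3, max_attempts=3, clock=time.time):
        self.ttl, self.max_uses, self.max_attempts, self.clock = ttl_seconds, max_uses, max_attempts, clock
        self._issued: dict[str, IssuedPin] = {}   # keyed by an opaque card token

    @staticmethod
    def _digest(pin: str) -> bytes:
        return hashlib.sha256(pin.encode()).digest()

    def issue(self, card_token: str) -> str:
        """Create a fresh 6-digit PIN for this card; the caller sends it by text message."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self._issued[card_token] = IssuedPin(
            self._digest(pin), self.clock() + self.ttl, self.max_uses, self.max_attempts)
        return pin

    def verify(self, card_token: str, pin: str) -> bool:
        """Approve only if the PIN matches, is unexpired and still has uses left."""
        rec = self._issued.get(card_token)
        if rec is None:
            return False
        if self.clock() > rec.expires_at:
            del self._issued[card_token]          # expired: drop it so it cannot be retried
            return False
        if not hmac.compare_digest(rec.pin_hash, self._digest(pin)):
            rec.attempts_left -= 1                # a wrong PIN burns an attempt, not a use
            if rec.attempts_left == 0:
                del self._issued[card_token]      # too many guesses: revoke, force a reissue
            return False
        rec.uses_left -= 1
        if rec.uses_left == 0:
            del self._issued[card_token]          # last permitted transaction consumed
        return True
```

A stolen PIN is therefore only useful until its clock or its transaction count runs out, which is the risk-limiting property the article points to.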

Deena Coffman, IDT911
The big challenge in offering two-factor authentication, however, is whether or not customers will adopt it: Two-factor authentication requires customers to take the extra step of entering the second authentication factor. Banks will need to step up their educational efforts to raise awareness around risks to get customers to take that extra step to make purchases, Coffman says.

"I think people will be willing to [use two-factor authentication]. But they need to understand the repercussions to them of someone getting their information. They need to understand the loans, the jobs they won't get with the damage to their credit. People have been arrested because of fraudsters doing illegal activities with their stolen identities and cards," Coffman says.

And those customer education efforts will probably cost banks less than the mass reissuing of cards that normally occurs after a breach, she points out.

Customers wouldn't bring their money to a bank if they didn't want it to be well-protected, so banks should be able to get their customers to take extra steps to protect themselves, says David Pollino, senior VP and fraud prevention officer at Bank of the West (headquartered in San Francisco, with $62 billion in assets). "Customers bring their money to a bank to keep it safe. … If they're doing an unusual transaction, then they like to see extra security measures in place," he observes.

ACI Worldwide's survey found that customers actually responded well when banks took actions such as blocking their cards to protect them from fraud. Among the bankers surveyed, 42% reported that customers viewed their efforts in the wake of last year's data breaches favorably, even though banks were often inconveniencing customers with those interventions.

"I was surprised by the number of people that thought banks were handling the situation well. It's definitely worth noting that for a good number of banks, customers appreciate what they're doing," ACI's Grillo shares.

Two-factor authentication alone won't fully protect bank customers; it has to be implemented along with other systems as part of a wider risk management strategy for banks to offer the best protection possible, Bank of the West's Pollino says.

David Pollino, Bank of the West
"There's no one technology that's billed as a silver bullet. EMV, two-factor authentication, encryption -- they all play a role, but none of them solve everything," he explains. "You need to have a risk-based approach, not one size fits all, where you handle riskier logins and transactions differently with added controls."

One bank that has implemented such an approach to its transaction monitoring and has seen results is Madison, Wis.-based AnchorBank ($1.3 billion in assets). The bank started working with Fiserv's Risk Office in the spring of 2010 because the bank was taking too many losses from breaches, says Don Thornton, a card fraud analyst at the bank. Fiserv helped the bank improve its transaction monitoring so it could focus its fraud-prevention efforts on transactions that pose the highest risk, Thornton relates, and within two months AnchorBank was preventing 90% of fraud attempts against its cardholders.

"We really fully immersed ourselves and focused on analyzing trends on a daily basis. We developed an understanding of what was typical for our card base, … and we started to understand when to impact the cardholder," Thornton explains.

Based on that analysis, the bank developed a set of foundational rules to determine when a transaction poses high enough risk for the bank to take preventive action. Those rules are based on customer data such as demographics and purchasing history, and can be adjusted to handle specific incidents such as a data breach, Thornton says.
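The kind of foundational rule set Thornton describes, scored against what is typical for a cardholder and tightened for cards caught up in a specific breach, can be shown in miniature. This is an added example, not AnchorBank's or Fiserv's rules; the profile fields, point values and thresholds are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class CardProfile:
    """What is 'typical' for one cardholder, derived from purchasing history (constructed)."""
    home_region: str
    typical_amount: float        # e.g. median ticket size over recent months
    usual_categories: set[str]   # merchant categories this customer uses regularly


@dataclass
class Transaction:
    card_token: str
    amount: float
    region: str
    category: str


@dataclass
class RiskEngine:
    """Scores each transaction against the cardholder's profile with a few rules.
    Cards in `breach_watch` (e.g. numbers exposed in a retailer breach) are judged
    against a lower decline threshold: the 'adjust the rules for an incident' step."""
    profiles: dict[str, CardProfile]
    decline_threshold: int = 60
    breach_watch: set[str] = field(default_factory=set)
    breach_threshold: int = 30

    def score(self, tx: Transaction) -> int:
        p = self.profiles[tx.card_token]
        score = 0
        if tx.region != p.home_region:
            score += 30                    # away from the cardholder's home region
        if tx.category not in p.usual_categories:
            score += 20                    # merchant type this customer never uses
        if tx.amount > 3 * p.typical_amount:
            score += 30                    # ticket far above the customer's norm
        if tx.amount > 10 * p.typical_amount:
            score += 20                    # extreme outlier stacks on the rule above
        return score

    def decision(self, tx: Transaction) -> str:
        """'approve', 'review' (contact the cardholder) or 'decline'."""
        s = self.score(tx)
        threshold = self.breach_threshold if tx.card_token in self.breach_watch else self.decline_threshold
        if s >= threshold:
            return "decline"
        if s >= threshold // 2:
            return "review"
        return "approve"
```

The same out-of-region grocery purchase that only triggers a review for an ordinary card is declined once the card is on the breach watch list, which is how a bank can tighten scrutiny on exposed cards without reissuing them all.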

Don Thornton, AnchorBank

That approach paid off for AnchorBank when the retailer breaches hit last year. While many banks reissued cards en masse to prevent fraud after the breaches, AnchorBank was forced to reissue only 1% of its cards because of fraud concerns in one of its products, Thornton reports. The bank was also able to stop more than 94% of fraudulent transactions against its cardholders in December.

Strong Encryption, Strong Collaboration

Two-factor authentication can limit fraudsters' ability to use stolen credentials, and transaction monitoring can help banks know when to be on high alert, but strong encryption of payments data can help prevent credentials from being compromised to begin with. "Everyone in the payments system has to use strong encryption [the current standard is AES-256] from the point at which they receive data through the processing, storage, and final disposition of that data," says Identity Theft 911's Coffman.

Adopting strong encryption would be in everyone's interest, and the Payments Card Industry (PCI) council, an industry group that sets security standards for merchants accepting card payments, already recommends it; but faulty installations among merchants remain an issue, Coffman says. "There's a standard out there. Some retailers just aren't following it," she observes. "People aren't motivated because the risk isn't passed on to the consumer."

Instead the risk is passed on to banks, which have to meet strict regulatory compliance mandates or face stiff penalties. Retailers don't face the same kind of repercussions if they fail to meet PCI standards, Bank of the West's Pollino says. "I don't think that PCI has created that same kind of environment [as banks deal with] where things are examined holistically and certain actions need to be taken. You need to have some teeth to make something happen," he explains.

The upcoming EMV liability shift will provide some incentive for retailers to up their security, Pollino says. The liability shift will mean that retailers will have to take the financial hit for breaches if they don't implement EMV-compliant terminals. "I wouldn't be surprised if we see a retailer go out of business or see one of them take a big hit in their financial disclosures," Pollino predicts.

But even the liability shift might not be enough to push retailers, especially smaller ones, to implement better security, he adds. "Smaller merchants in particular may be unaware of their liability exposure," he says. "A lag in implementing additional controls can provide a great opportunity for criminals to profit. Private entities or regulatory bodies need to proactively push for greater controls."

For now, banks need to reach out to retailers to collaborate and educate them on best practices and risks that they could inherit when the liability shift occurs, Pollino says. Bank of the West has started to contact its retail partners to this end, and industry groups such as the Financial Services Roundtable, the Retail Industry Leaders Association, the American Bankers Association, and the National Retail Federation announced a partnership in February to find ways to improve payments security.

"I hope that my team's outreach and the more stories we see about this topic will help us build a dialogue with retailers. … Hopefully we don't wait until we put a bunch of money in the fraudsters' pockets first," Pollino says.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

Copyright © 2018 UBM Electronics, A UBM company, All rights reserved.