There have never been more ways for consumers to pay for goods and services than there are today. But with each payment method comes data security considerations that mid-size to large businesses need to study as they attempt to repel breaches — both in the U.S. and abroad.
Here’s what Bank of America Merchant Services Senior Vice President of Data Security and Director of Cybersecurity Larry Brennan had to say about new fraud tactics and security measures enterprise businesses should embrace.
Criminals have no boundaries. They can initiate the same types of data breaches regardless of where the business is around the world.
Many of the data compromises Bank of America Merchant Services sees today are caused by human error. In particular, businesses will fall victim to a phishing attempt. Some of the largest security events we’ve seen were the result of phishing. An employee will unknowingly receive a phishing email and unsuspectingly provide their login information, therefore giving the bad actor access to the system and credit card data. This is a global problem.
Phishing emails are becoming harder to identify because they’re increasingly sophisticated. In the past, they’d be riddled with misspellings and improper grammar — that’s not necessarily the case anymore. Fraudsters will also target a specific person, tricking the employee into believing the email is legitimate and meant for them.
Having the right security tools in place, including a password complexity policy and requiring two-factor authentication, can help businesses protect against phishing. Businesses should also install anti-phishing software in their email environment.
Employees should be trained to recognize malicious links, understand their role in information security and never divulge personal information in an email.
Since the implementation of EMV chip card technology in the U.S. and abroad, we’ve seen a decrease in the amount of card-present fraud. But that means they’re looking at another avenue to access secure information: eCommerce.
It’s much more challenging to secure the eCommerce environment because the card is not present. When a consumer is present with a credit card at a business, the business can deploy secure technology such as point-to-point and end-to-end encryption at the point of sale to help minimize the impact of a data compromise. eCommerce takes more effort to secure.
Businesses that want to expand their eCommerce presence need to rely on enhanced security tools such as tokenization, address and card number verifications, geolocation data and CAPTCHA to enhance consumer and payments security. Of course, there is no one security option that is enough by itself. Layered security is essential to help protect against fraudsters in an eCommerce environment.
Bad actors don’t care about where you live or process from. They’re just looking for a way to get credit card data so they can monetize it.
I believe more merchants need to be able to accept mobile wallet payments. Both merchants and consumers can benefit from this type of payment.
First, digital wallets do not use a physical credit card number. Their own token is created when a credit card is put into a mobile device, therefore securing the payment.
It’s also a much faster transaction. Chip cards can take up to 20 seconds to process. Digital wallet payments process within a couple of seconds. This is a much better experience for the consumer and the merchant, because they can process more transactions per hour.
Mobile payments are more secure than a card-present transaction because the credit card number isn’t residing inside the digital wallet.
The rate of data breaches will likely not decline as a result of increased adoption of mobile payments. As one payment avenue becomes more secure, fraudsters will look elsewhere to continue their activities.
Mobile payments in today’s environment are not going to change the rate of data breaches we see, but as more people adopt mobile payments, bad actors will be less enticed to steal credit card data from a merchant.
Absolutely. Card not present fraud is going to be a primary evolution for fraudsters. The more card present security put in place, the harder fraudsters will have to work to monetize. eCommerce is where we’re going to see a lot of migration of their efforts to steal credit card data.
The important thing to know about eCommerce transactions is that those payments provide bad actors less valuable data to monetize once stolen. In a card not present transaction, they are typically only provided the card number, expiration date and CVV data. It doesn’t include the full Track I and Track II data, which means fraudsters can’t create a physical credit card.
Although the card data available on a card not present transaction minimizes the opportunities for the bad actors to monetize stolen card data, merchants should still take steps to prevent what we predict will be an increase in this type of fraud.
Enabling a fraud prevention solution that requires enhanced authentication options at checkout, and has real-time fraud scoring and machine learning capabilities, can help reduce a merchant’s overall exposure to fraud in an eCommerce environment.
Three-dimensional skimming devices are tricky to spot because they’re replicas of an existing credit card processing terminal. Think of it like a Halloween mask — bad actors place the 3D overlay onto the payment terminal and it only takes three seconds. Because of this, 3D skimmers are easy to place in self-checkouts, high traffic areas and areas with limited visibility.
To minimize the impact of 3D skimmers, Bank of America Merchant Services recommends that every merchant with a terminal-based payments environment checks those terminals every shift. Not every day — every shift.
Use water marking on the terminal to make tampering easier to detect. Check to make sure the stylus fits into the cradle, and that the green light on the terminal is bright. If the stylus doesn’t fit, and if the green light is dull, it’s possible that a 3D skimmer has been deployed.
It’s one of the primary industries that’s been under attack in the past couple years. We’re seeing more instances where businesses in the quick-service, casual dining and hotel food and beverage industry have not adopted EMV technology as rapidly as we hoped.
More than likely, bad actors started concentrating on this industry because these businesses require remote access capabilities in order to support the client with their POS systems.
We also see, in certain instances, where merchants are supported by a corporate environment and that environment may have been breached. If the bad actors can get into a corporate server, they can distribute malware to all locations supported by the corporate server.
First, merchants should use payment terminals that are able to accept EMV chip cards. This helps prevent merchants from accepting counterfeit credit cards.
Those terminals should be equipped with a secure technology for their environment, such as point-to-point or end-to-end encryption. This helps secure merchant and payment information.
Finally, merchants should implement tokenization technology. Tokenization replaces cardholder data with surrogate values, known as tokens. This works in tandem with encryption to eliminate storage of cardholder data. Using tokens still enables the merchant to perform their accounts payable functions.
Every company today has an obligation to safeguard customers’ data in the face of constant and evolving threats. Speaking with a trusted payments and security solution provider can help businesses stay on top of today’s data threats and offer solutions on how to stop them.