Fraud is evolving. So should your data security.

Help safeguard your customer card data at the point of sale

The fintech industry has made huge strides in data security, including wide implementation of EMV® technology and end-to-end data encryption. Yet these technologies alone aren’t enough.

Chip card technology has reduced point-of-sale fraud — but bad actors are shifting their attention to card-not-present interactions such as online purchases. In fact, a new report finds that fraud is now 81 percent more likely to occur online than at the point-of-sale.1 And according to Juniper Research, card-not-present fraud could cost retailers $130 billion over the next four years.2

Evolutions in fraud demand a new generation of security solutions.

“Fraud isn’t going away — it’s getting more sophisticated,” says Larry Brennan, senior vice president of data security and director of cybersecurity at Bank of America Merchant Services. “But the security industry is always applying new techniques to keep pace.”

Here’s what you need to know about the current state of data security.

Fear factor: skimming, shimming and smishing

10% more debit cards were compromised at ATMs and merchant devices

Fraud aimed at stealing information from consumers and businesses is increasing, both online and on the ground.

Today’s data thieves are using increasingly sophisticated phishing schemes to download personal information from computers, as well as “smishing” schemes that target mobile devices. Additionally, the growing availability of 3-D printing technology makes it cheaper and easier for data thieves to target customers at a business’ physical point of sale, allowing for the quick creation of skimming devices (which fit over legitimate credit card readers to steal card data) and shimming devices (which fit inside card readers). Ten percent more debit cards were compromised at ATMs and merchant devices in 2017, following a 70 percent jump the year before.3

After stealing personal and credit card data with these methods, criminals sell it to be used for fraudulent transactions. Such black-market data sales also have become more sophisticated. For example, cybercriminals bundle stolen credit card information from a single zip code and sell it in that area to evade security systems that monitor out-of-area credit card use.

The public and private cost of a data breach

Businesses incur a range of expenses when data breaches occur. For instance, businesses may face penalties for noncompliance with the Payment Card Industry Data Security Standard (PCI-DSS), and be required to reimburse issuing banks for the cost of replacing cards that may have been stolen from the business.

Moreover, companies experiencing a breach where 30,000 or more cards have been compromised may be required to retain a PCI forensic investigator (PFI) to help pinpoint where the breach happened and prevent future attacks. Merchants may also need to hire outside legal counsel to help manage the breach and advise them on the merchant’s obligations.

Merchants with compromised data may also incur considerable public relations costs. “Customers lose trust in a business after a breach,” says Gregg Kambour, vice president of solutions consulting at Bank of America. “Canceling and replacing cards is directly disruptive to customers’ lives.”

Companies may have to hire PR firms to handle public announcements about the breach and to develop and execute campaigns to win back public trust. The expenses can add up quickly: Simply hiring a PR agency can cost $100 to $500 per hour, depending on the size of the firm. Putting the agency on retainer can cost from $1,000 to tens of thousands of dollars per month. Add the costs of direct mail campaigns, traditional and social media outreach and increased customer support, and the sums can reach staggering levels.

Evolving security solutions

Security threats evolve constantly, as do technology solutions. “EMV is not a cure-all,” says Brennan. Pair EMV and data encryption with tokenization to further protect customer card data. Tokenization — which retrieves credit card data using randomly generated one-time tokens — enables companies to remove credit card data from their internal networks.

“Technology companies like Bank of America Merchant Services are trying to provide a holistic view of fraud activities to beat down both card-not-present and card-present fraud,” says Raoul Aranha, vice president, Security, Fraud and Analytics Services at Bank of America Merchant Services.

For example, fraud solutions are:

  • Developing machine learning systems that can track fraud before it occurs. Machine-learning software combs through company and online data to identify characteristics of fraud automatically. It looks for patterns in credit card use, identifies anomalies in those patterns and flags the anomalies as potential fraud activity.
  • Building broad networks that share data on fraud. “Bank of America Merchant Services has access to issuer data, network data and merchant-acquiring data,” says Derrick Carpenter, executive vice president of integrated payments, digital commerce & marketing at Bank of America Merchant Services. “That allows our fraud tools to create models that will outperform company models that rely solely on internal data.” These networks can alert merchants that a card making a purchase triggered a red flag at another retailer.

Protect your business — and your customers — going forward

Holding ongoing conversations about new developments with security providers and payment vendors, such as Bank of America Merchant Services, can help businesses apply emerging technologies that suit their size, industry and customer base. But a few basic preventative measures from within can help thwart data theft attempts. Here are two:

  • Teach employees at the point of sale to search for skimming and shimming devices by looking for ill-fitting card reader covers at the beginning of every shift. 
  • Run training exercises and drills — covering scenarios such as a phishing attempt — so all employees are familiar with fraud tactics and alert to them, and know the roles they are expected to play. 

Every company today must safeguard customers’ data in the face of constant and evolving threats. Payment technology vendors are in a unique position to help overcome that challenge. Discussions and check-ins with your payments and security solution provider can help you stay on top of today’s data threats and how to stop them, so you can focus on growing your business.
