Is Your Business Armed with 2015's Retail Fraud Protection Strategies?
Record sales spikes are usually great news. That is, unless you're a cyber crime victim. Take, for example, the case of hackers using Domino's smartphone app to work through lists of stolen credit card numbers. The hackers placed pizza orders to see which numbers were still valid. Working numbers were then used to order big-ticket items online, all while people in pockets of Brownsville and East New York in Brooklyn ate free pizzas.
Domino's is not alone in being targeted. Home Depot was one victim in a recent wave of high-profile hacks at big merchants, ranging from high-end retailer Neiman Marcus Group Ltd. to grocer Supervalu Inc. Hackers stole 56 million payment card details and collected 53 million email addresses of people who shopped at Home Depot's stores in the U.S. and Canada between April and September. Home Depot spent $43 million in its third quarter dealing with the fallout of one of the largest data breaches ever. If there is one thing these cases prove, it's the costly nature of security failures.
Retailers are combating threats with everything from investing millions of dollars on internal investigations to providing identity theft protection services to consumers.
Those measures aren't enough, however. Retailers should be proactive about staying on top of the methods hackers use to steal customers' credit card information. Here are some suggestions for identifying and preventing credit card fraud in 2015:
* PCI is important, but don't be a PCI robot. The highly proprietary Payment Card Industry Data Security Standard (PCI DSS) is aimed at protecting cardholder data. The objective is to prevent payment fraud by securing cardholder data within organizations that either accept card payments or are involved in handling cardholder data.
The catch: the PCI Security Standards Council has been warning retailers that passing an annual audit may not be sufficient, and that compliance monitoring should be an ongoing effort.
The PCI standard only sets a minimum level of security requirements, meaning it might not be enough to meet your business's risk appetite. For example, one PCI requirement states that external vulnerability scans must occur at least quarterly. For most organizations, however, a quarterly scan is not enough; typical best practice is to run external vulnerability scans weekly, if not daily.
* Real-time Fraud Monitoring Hits Hackers Where It Hurts: Real-time fraud detection mitigates risk, reduces manual reviews and streamlines order processing. Companies can reduce fraud risk by quickly and intelligently analyzing thousands of transactions in a stream and uncovering the information needed for informed decision-making. Real-time monitoring lets your business build proprietary algorithms and scoring capabilities and connect them to identify fraud patterns.
* Big Data & Stream Processing Means There's No Excuse for Poor Records: In the Domino's case, some accounts had anywhere from 50 to nearly two thousand purchase attempts in one month. Suspicious activity like this could easily have been detected through real-time stream processing. Stream processing has advanced dramatically in the past two years; there are several open source and proprietary solutions available to analyze data on the fly.
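As an added example (not code from the original post, nor anything Domino's or any vendor ships), here is the kind of sliding-window velocity check a real-time monitor can run over the pattern described above: one account making many attempts, cycling through different cards, and getting declined most of the time. The class names, thresholds and sample stream are all assumptions constructed for illustration; card numbers appear only as tokens because a stream processor should never see raw PANs.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    """One payment attempt as it arrives on the stream (hypothetical event shape)."""
    ts: float          # seconds since epoch
    account: str       # customer account placing the order
    card_token: str    # tokenized card reference; the raw PAN never enters the stream
    approved: bool     # issuer response


class VelocityMonitor:
    """Per-account sliding window over payment attempts.

    An account is flagged once it has made at least `min_attempts` attempts
    within `window` seconds and either cycled through `max_cards` or more
    distinct cards or been declined at least `decline_ratio` of the time.
    Both are the signature of card testing: a legitimate customer rarely
    tries several different cards in a row, and rarely gets declined repeatedly.
    """

    def __init__(self, window=3600, min_attempts=5, max_cards=3, decline_ratio=0.6):
        self.window = window
        self.min_attempts = min_attempts
        self.max_cards = max_cards
        self.decline_ratio = decline_ratio
        self._events = defaultdict(deque)  # account -> attempts still inside the window

    def observe(self, attempt):
        """Ingest one attempt; return a list of reasons if the account trips a rule, else None."""
        q = self._events[attempt.account]
        q.append(attempt)
        # Evict attempts that have fallen out of the window (stream is time-ordered per account).
        while q and attempt.ts - q[0].ts > self.window:
            q.popleft()
        if len(q) < self.min_attempts:
            return None
        distinct_cards = len({e.card_token for e in q})
        declines = sum(1 for e in q if not e.approved)
        reasons = []
        if distinct_cards >= self.max_cards:
            reasons.append(f"{distinct_cards} distinct cards within {self.window}s")
        if declines / len(q) >= self.decline_ratio:
            reasons.append(f"decline ratio {declines / len(q):.0%} over {len(q)} attempts")
        return reasons or None


def run_stream(events, monitor=None):
    """Feed events through the monitor; return {account: reasons} for the first alert per account."""
    monitor = monitor or VelocityMonitor()
    alerts = {}
    for event in events:
        reasons = monitor.observe(event)
        if reasons and event.account not in alerts:
            alerts[event.account] = reasons
    return alerts


# Constructed sample stream (not real data): acct-A is a normal shopper, acct-B cycles
# through several cards with mostly declines, acct-C is a single declined order hours later.
SAMPLE_STREAM = [
    Attempt(0, "acct-A", "tok-1", True),
    Attempt(60, "acct-A", "tok-1", True),
    Attempt(0, "acct-B", "tok-2", False),
    Attempt(30, "acct-B", "tok-3", False),
    Attempt(45, "acct-B", "tok-4", False),
    Attempt(70, "acct-B", "tok-5", True),
    Attempt(90, "acct-B", "tok-6", False),
    Attempt(7200, "acct-C", "tok-7", False),
]

if __name__ == "__main__":
    for account, reasons in run_stream(SAMPLE_STREAM).items():
        print(account, "->", "; ".join(reasons))
```

Only acct-B is reported, and the reasons are emitted on the attempt that crossed the threshold rather than at the end of the month, which is the whole point of doing this in the stream instead of in a nightly batch. The same structure keys just as well on card token, shipping address or client IP; the window and thresholds would be tuned against your own approval rates.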
As for data, storing large amounts of it is no longer expensive. It should be a given that your company stores all available access logs, cookies and session information so that fraud patterns can be detected. What good does storing all of this information do? Analysis of an access log, for example, could reveal that 5% of fraud is coming from a specific IP address, or from users on a particular browser. Having that information on hand can protect you from a more malicious attack and isolate the source of new threats.
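To make the access-log point concrete, here is an added example (not from the original post) that joins a handful of constructed checkout log lines with a constructed list of orders later confirmed as fraud, and reports, per source IP and per browser family, both the share of all fraud attributable to that value and the fraud rate of orders coming from it. The log format is a trimmed combined format, and the IPs are documentation ranges; nothing here is real traffic.

```python
import re
from collections import Counter

# Constructed access-log lines (not real traffic), in a trimmed combined format:
#   ip ident user [time] "request" status "user-agent"
ACCESS_LOG = """\
203.0.113.5 - - [01/Dec/2014:10:00:01 +0000] "POST /checkout?order=1001 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"
203.0.113.9 - - [01/Dec/2014:10:02:14 +0000] "POST /checkout?order=1002 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 Chrome/39.0 Safari/537.36"
198.51.100.7 - - [01/Dec/2014:10:03:30 +0000] "POST /checkout?order=1003 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 Chrome/39.0 Safari/537.36"
203.0.113.5 - - [01/Dec/2014:10:05:52 +0000] "POST /checkout?order=1004 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"
198.51.100.7 - - [01/Dec/2014:10:06:03 +0000] "POST /checkout?order=1005 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 Chrome/39.0 Safari/537.36"
198.51.100.7 - - [01/Dec/2014:10:06:41 +0000] "POST /checkout?order=1006 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 Chrome/39.0 Safari/537.36"
203.0.113.22 - - [01/Dec/2014:10:09:18 +0000] "POST /checkout?order=1007 HTTP/1.1" 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 Version/8.0 Safari/600.1.25"
192.0.2.40 - - [01/Dec/2014:10:11:07 +0000] "POST /checkout?order=1008 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"
203.0.113.5 - - [01/Dec/2014:10:12:00 +0000] "GET /static/logo.png HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"
"""

# Orders later confirmed as fraud (e.g. via chargebacks); constructed to match the log above.
FRAUD_ORDERS = {"1003", "1005", "1006", "1007"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
ORDER_RE = re.compile(r"[?&]order=(\d+)")


def browser_family(ua):
    """Coarse browser label from a user-agent; order matters because Chrome's UA also says Safari."""
    for name in ("Firefox", "Chrome", "Safari"):
        if name in ua:
            return name
    return "other"


def checkout_records(log_text):
    """Yield one record per checkout request; non-checkout lines (static assets) are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        om = ORDER_RE.search(m["path"])
        if om:
            yield {"ip": m["ip"], "browser": browser_family(m["ua"]), "order": om.group(1)}


def fraud_breakdown(log_text, fraud_orders, key):
    """Return {value: (share_of_all_fraud, fraud_rate)} for key in {'ip', 'browser'}.

    share_of_all_fraud answers "what fraction of our fraud comes from this value?";
    fraud_rate answers "how risky is an order carrying this value?". Both matter:
    a busy corporate NAT gateway can carry a large share of fraud at a low rate.
    Values with no fraud are omitted.
    """
    total = Counter()
    fraud = Counter()
    for rec in checkout_records(log_text):
        total[rec[key]] += 1
        if rec["order"] in fraud_orders:
            fraud[rec[key]] += 1
    all_fraud = sum(fraud.values())
    return {v: (fraud[v] / all_fraud, fraud[v] / total[v]) for v in total if fraud[v]}


if __name__ == "__main__":
    for key in ("ip", "browser"):
        rows = sorted(fraud_breakdown(ACCESS_LOG, FRAUD_ORDERS, key).items(),
                      key=lambda kv: -kv[1][0])
        for value, (share, rate) in rows:
            print(f"{key}={value}: {share:.0%} of fraud, {rate:.0%} of its orders fraudulent")
```

On this sample 198.51.100.7 accounts for three quarters of the confirmed fraud and every order it placed was fraudulent, which is exactly the sort of finding that justifies keeping the raw logs: the same query can be re-run as new chargebacks arrive to see whether a source is still active.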
* Your Staff Are the Foot Soldiers of the Fraud War: Training store staff on standards and security measures is imperative; they are the front line of your fraud prevention strategy. Ensuring they know how to protect sensitive information is the first step to protecting your business, especially since hackers can tamper with physical devices. Educating your staff to spot these very real threats is a strategy element you can't afford to skip.
* End-to-End Encryption (E2EE): The ideal state is one in which credit card numbers and other sensitive information are encrypted from the point of entry (the card swipe) to the other end (the issuing bank). Point-to-point encryption (P2PE), sometimes also referred to as end-to-end encryption, is defined as a solution that encrypts card data from the entry point of a merchant's point-of-sale (POS) device to a point of secure decryption outside the merchant's environment, such as a payment processor like TSYS Acquiring Solutions. The purpose of P2PE is to address the risk of unauthorized interception of cardholder data in motion during transmission from the POS terminal to the payment processor.
* Tokenization: When applied to data security, tokenization is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value.
* Hardware-based encryption: Enable off-site data storage with a physical device that stores all of your sensitive information, encrypts the data and outputs a reference token.
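The tokenization and hardware-vault points above are easiest to see with a small working model, so here is an added example (not from the original post, and not any vendor's API) of a token vault: the storefront hands a card number in once and keeps only a random reference token, the vault keeps the mapping, and only an authorized back-end can turn the token back into a card number. The class, the caller names and the in-memory storage are assumptions; in production the mapping and the index key live inside the hardware device, encrypted at rest.

```python
import hmac
import secrets


class TokenVault:
    """Stand-in for a tokenization service backed by a hardware vault (hypothetical).

    The merchant's systems keep only the token; the PAN lives here. Tokens are
    random, so a stolen token cannot be turned back into a card number without
    access to the vault, and the vault releases PANs only to authorized callers.
    """

    def __init__(self, index_key=None, authorized_callers=("settlement",)):
        # Key for the lookup index. Generated in memory here; an HSM would hold it in production.
        self._index_key = index_key or secrets.token_bytes(32)
        self._authorized = set(authorized_callers)
        self._pan_by_token = {}    # token -> PAN (encrypted at rest in a real vault)
        self._token_by_index = {}  # HMAC(PAN) -> token, so the index is not a plaintext PAN list

    @staticmethod
    def luhn_ok(pan):
        """Reject obviously malformed card numbers before anything is stored."""
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            return False
        total = 0
        for i, ch in enumerate(reversed(pan)):
            d = int(ch)
            if i % 2 == 1:
                d = d * 2 - 9 if d > 4 else d * 2
            total += d
        return total % 10 == 0

    def _index(self, pan):
        return hmac.new(self._index_key, pan.encode(), "sha256").hexdigest()

    def tokenize(self, pan):
        """Return the token for a PAN, issuing a new random one the first time it is seen."""
        if not self.luhn_ok(pan):
            raise ValueError("invalid card number")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]   # same card, same token: lets velocity checks work on tokens
        while True:
            # Last four digits are kept for receipts and customer display; everything else is random.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token, caller):
        """Release the PAN only to an authorized back-end (e.g. settlement), never to the storefront."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not detokenize")
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")   # well-known Visa test number, not a live card
    print("storefront stores:", token)
    print("settlement gets:", vault.detokenize(token, caller="settlement"))
```

Two design points carry over to a real deployment: the token is stable per card, so fraud monitoring can count attempts per token without ever touching the PAN, and the lookup index is a keyed hash rather than the PAN itself, so a dump of the index alone does not yield card numbers.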
While fraud risks vary from company to company, with real-time monitoring, strong encryption, and a staff educated in recognizing red flags, retailers can gain a leg up and stay vigilant about fraud detection in the New Year.