Most business owners are cognizant of the prevalence of fraud in the digital world today. According to Experian’s Global Fraud and Identity Report 2018, almost three-quarters of businesses believe fraud is a growing concern, and nearly two-thirds reported fraudulent losses over the past year.
What is Fraud?
Fraud occurs when an individuals’ payment information is used without their authorization. When hackers breach your network and access your customers’ or clients’ sensitive cardholder information, they have many opportunities to commit fraud numerous times. Anytime someone falsifies an identity and “tricks” a system into thinking the person making a purchase is someone other than who they actually are, this is considered to be fraud.
Fraud is Pervasive in Today’s Digital World
This is because the majority of business and consumer data remains vulnerable. As the value of digital information grows, so does the hacker’s motivation to develop methods to avoid detection from the latest technologies.
The existing account setup process requires consumers to provide extensive amounts of personal information along with passwords and secret questions. And data breaches provide this information to cybercriminals. When this data is stolen, it’s often used for fraudulent activities.
Fraud is a moving target just like the hackers. New tactics are evolving where criminals combine real and fake information to create new identities.
Most business owners just don’t have a handle on this – and they lack confidence in their ability to protect their customers and their companies from fraud.
One of the reasons for this is that their initiatives are mostly reactionary rather than proactive as many continue to use legacy cybersecurity technology rather than investing in new, more sophisticated data protection solutions. As a result, every month that goes by increases their vulnerability and exposure to data breaches and fraud.
Fraud is an ever-present and growing risk
For businesses in e-commerce, managing the risk of fraud is a delicate balancing act between providing an ease of use for customers vs. fraud protection. They struggle with mitigating fraud and providing a positive customer experience. Unfortunately, the customer experience wins out in most cases, and businesses are willing to risk fraudulent losses over losing customers to their competition. Ironically, they are setting their businesses up for reputational damage where they will end up losing customers anyway, fail to gain new ones, and possibly face financial penalties and litigation costs.
The 2017 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the global average cost at $3.6 million, or $141 per data record. That’s a reduction in the average cost in 2016, but the average size of data breaches has increased. It’s also worth noting that the average cost of a data breach in the United States is much higher at $7.3 million.
More than 50 percent of businesses say they still rely on passwords as their top form of authentication.1 And business leaders know that using passwords isn’t the most secure option. But customers are used to them, and business owners want to please them. They also complain that they lack the financial resources to adopt more advanced authentication methods when this would save them legal fees and penalties if/when their customers’ accounts are breached–not to mention their reputation and the future existence of their business. This, of course, is very shortsighted.
How data breaches and fraud are connected
Data breaches and fraud don’t usually occur at the same time and place. Cybercriminals won’t steal a customer’s information and turn around and use it for a purchase from the same business. So. it’s not easy for a business to detect when a breach occurs.
Data breaches are typically detected by using specific security tools that monitor all payment activity. Merchants should follow PCI/DSS Standards to identify and prevent breaches and remain compliant. PCI-DSS audits will help you find vulnerabilities in your system and reveal inadequacies that must be eradicated.
A successful case of fraud spreads like cancer
If a hacker can get one password, they may have the keys to other password-protected accounts. The more online accounts people open, the greater their risk. And most people have quite a few. If the hacker can figure out the password to someone’s email account, they may also have the key to their credit card and banking accounts as well.
You must remain vigilant to prevent data breaches and fraud.
What to do if you suspect fraud
A key indicator of evidence of fraud is in chargebacks where a customer disputes a charge on their credit card, and where you aren’t paid for the service or product. If your chargeback rate increases above a 1% margin, this is a good indication that you’re experiencing fraud.
In this case, you should hire a third-party auditor like an IT Managed Services Provider (MSP) to help bring you back into compliance and stop the thieves. They will detect where the problem(s) exist and if what they find indicates a data breach. PCI-DSS compliance requirements mandate that you do this to stop the fraudulent activity.
Of course, you should contact the card processor as well. They will connect you to the card providers who can often identify the point of access or detect a suspicious pattern of activity.
What You Can Do to Reduce Fraud and Data Breaches.
Use EMV Technology.
EMV (Europay Mastercard Visa) is the global standard to authenticate payment cards. EMV technology can help you protect your business from fraud. It ensures the card is legitimate and that the person using the card is the authorized user.
EMV chips are microprocessors that store and protect cardholder data. They use a unique cryptogram that’s validated by the card issuer. This makes it more difficult for hackers to break the code and steal card information to commit fraud.
Today, if you don’t use an EMV-capable terminal, and the transaction turns out to be fraudulent, you can be held financially liable for that transaction.
EMV has been used in the United Kingdom since 2004, and card-present fraud has gone down by 80% as a result. By comparison, without EMV in the U.S., fraud increased during this time by nearly 70%.
Protect Data in Transit by Using Encryption.
When credit card data is stolen, it’s considered a data breach. Considering the number of card payments your business processes in a month, hackers may view you as the “Pot of Gold at the end of a Rainbow.” In other words, your business is a prime target.
You can help stop the hackers from accessing data in transit by using end-to-end encryption (E2E) and point-to-point encryption (P2PE).
The advantages of end-to-end encryption are:
That you don’t need a separate key for the decryption of the data.
You have flexibility in deciding what data to encrypt.
You can choose specific configurations for more functionality.
The file size is small, and the processing time is minimal.
Point-to-point encryption encrypts transmitted data as it goes through a designated “tunnel.” This is used most often for credit card information that’s encrypted from the point-of-sale (POS) to the credit card processor.
With encryption, if a breach does occur, and data is stolen, it will be useless to cybercriminals in its encrypted state.
Protect Data at Rest by Using Tokenization.
Tokenization breaks up a sequence of data into pieces such as words, keywords, symbols, phrases, and elements called tokens. Tokens can be words, phrases or even whole sentences. In other words, tokenization keeps cybercriminals from using data by replacing it with meaningless characters. Tokenization is helpful for businesses that store sensitive card data for re-billing. It’s also one of the most effective and affordable ways for businesses to protect their customers’ confidential card data.
Combining encryption and tokenization is one of the best ways to protect your business from the devastating effects of a data breach.
Secure Your IT Environment
Ask your IT Managed Services Provider (MSP) to set up a next-generation firewall, anti-spam, and anti-virus solutions.
Ensure your POS and router are on different networks and separate from other systems that access the Internet.
Don’t use your business POS for surfing the Web. This can expose it to viruses and result in vulnerabilities that can be breached.
Assign separate login credentials for each user.
Forbid sharing of login credentials and enforce this.
Keep your user list up to date and disable accounts that are no longer needed.
Only provide remote access for users with a clearly identified need.
Don’t leave remote access software turned on when unattended.
Keep all software and anti-virus, anti-spam programs up-to-date.
Regularly run and review scans for malware.
Regularly have your MSP run vulnerability scans.
Ask your MSP to train your staff on the latest security threats and what to do if they come across one.
Train your staff how to detect unauthorized skimming devices that could be installed on POS or credit-card terminals.
Have Your MSP Train Your Employees on Cybersecurity Awareness.
Teach your employees about password security and make sure you enforce this behavior:
Don’t use words from the dictionary.
Don’t use names of family members.
Don’t reuse passwords from your other accounts.
Don’t write down your passwords or put them where others can see them.
Consider using a Password Manager (e.g., LastPass or 1Password).
Use password complexity (e.g., P@ssword1).
Create a unique password for work separate from your personal use.
Change passwords at least quarterly.
Use passwords with 9+ characters.
A criminal can crack a 5-character password in 16 minutes.
It takes five hours to crack a six-character password.
Teach employees about ransomware and phishing threats. These appear to be from an official like the IRS or FBI. If a screen pops up that says you’ll be fined if you don’t follow their instructions, don’t! If you do, the criminal will encrypt all your data and prevent you and your employees from accessing it. Teach them to:
Beware of messages that:
Try to solicit your curiosity or trust.
Contain a link that you must “check out now.”
Contain a downloadable file like a photo, music, document or pdf file.
Don’t believe messages that contain an urgent call to action:
With an immediate need to address a problem that requires you to verify information.
Urgently asks for your help.
Asks you to donate to a charitable cause.
Indicates you are a “Winner” in a lottery or other contest, or that you’ve inherited money from a deceased relative.
Be on the lookout for messages that:
Respond to a question you never asked.
Try to start a conflict.
Watch for flags like:
Ask Your MSP to Help You with PCI Compliance.
PCI Compliance is not a one-time event but should be a continual process to ensure your IT systems are appropriately transmitting and storing sensitive data. It mandates that network and business practices are secure.
Failing to maintain compliance with the Payment Card Industry Data Security Standards (PCI DSS) can ruin your small business if you get hit with a data breach.
It’s not always easy to do this on your own. Your MSP can help by:
Performing scans of your network to identify and eliminate vulnerabilities that can lead to data breaches.
Monitoring network activity and blocking malicious activity before it can lock down or steal your data.
Providing you the tools and resources to promote compliance.
Implement data-breach protection solutions.
Help you sign up for a breach assistance/cyber insurance program that provides for reimbursement of certain card brand fees that are charged if data is compromised. Some cover the costs of a data breach, which can be upwards of $100,000 or more.
Protect Your Business from Data Breaches, Fraud, and the Resulting Consequences
When you take all of this seriously, you’re not just protecting your customer’s confidential information; you’re also protecting your business from fraud.
Most companies that experience a data breach will see a rise in cost to retain existing customers. And, they will also see an increased cost to acquire new customers. When you add these increases in cost to the loss of revenue from customers that choose take their business to your competitors, you’ll soon see how your damaged reputation dramatically affects your company’s bottom line.
You don’t have to face this alone.
The right IT Managed Services Provider can be your best ally against security threats. From helping you with integrated and compliant POS systems to implementing technologies like encryption and tokenization, and providing compliance and breach assistance, the right IT Partner is worth every cent when it comes to helping you secure your business against the devastating effects of credit-card fraud and data breaches.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.