McPherson says banks need to scrutinize payments security from two standpoints: security that blocks threats at the doors, such as identity verification and real-time scoring of fraud risks before they occur; and internal security, such as examining databases within the bank using behavioral analytics to determine suspicious patterns of behavior.
Still, gaining a 360-degree view of customers' accounts and enterprise data is only part of the solution. The other part is making clients understand the importance of certain technologies and practices in keeping their payments safe.
JPMorgan's Khan says, for example, that even though the bank's positive pay service (which helps the bank compare a company's record of checks issued with checks presented) has been proven to significantly reduce check fraud on the corporate side, some companies still have not implemented the technology. "A lot of corporates are hit with fraud because they don't protect themselves very well," he contends. "They need appropriate internal controls."
It starts, Khan adds, with awareness. "This just isn't seen as a business priority for some companies until it actually hits," he relates, adding, "We work very actively here to educate our clients on fraud prevention." According to Khan, JPMorgan hosts client workshops on fraud best practices. The bank also works with its sales and services employees to ensure that they are familiar with the bank's fraud prevention products. "We also try to price these products so they make sense to a corporate," Khan notes. "Fraud prevention is in all of our best interests."
That's an idea that the industry is at least starting to acknowledge, as payments players increasingly embrace cross-industry efforts to secure payments transactions. "People are talking about greater sharing of data between parties in the payments value chain -- banks, merchants and processors," according to Financial Insights' McPherson, who notes that such collaborative efforts traditionally haven't had much support because all parties involved fear loss of control of the payments transaction data. "Sharing data on security breaches involves personal account data that banks are reluctant to share. There are privacy concerns."
Fighting the Low-Tech Fight
Perhaps lost amid all of the attention on high-tech data breaches, however, is the reality that low-tech fraud forms are surprisingly dominant, says Javelin's Wills. "The area of data breaches is distorted," he asserts. "The big ones grab headlines. But there's no strong correlation between a breach and fraud. Now we're seeing all this regulation around data breaches and how banks need to notify customers. There's also PCI compliance, which is a quasi regulation [for card data safety]. But according to our research, only one in 10 breaches actually results in fraud."
The reason, Wills says, is that fraudsters need more information to commit these crimes than just a card number. That's where old-fashioned Dumpster diving or even Facebook research on individuals comes in, he says. "Look at all the personal information people put in their Facebook accounts," Wills comments. "This makes it so easy for criminals to fill in the blanks."
Add to this the fact that most fraud is "friendly fraud," when the victim knows the perpetrator in some way, according to Wills, and fraud prevention takes on another dimension. "There's a lot of focus on breach protection, which is fine. But mitigation strategies for breaches and for fraud are not the same," Wills stresses. "PCI was built around breach protection: It helps you plug holes. For fraud, you must focus more on Know Your Customer and tracking and analytics than we do today."