3 Keys To Making Payments More Secure

With data breaches on the rise and EMV far from a reality in the US, two-factor authentication, improved transaction monitoring, and encryption are steps banks can take now to better secure payments credentials.

One bank that has implemented such an approach to its transaction monitoring and has seen results is Madison, Wis.-based AnchorBank ($1.3 billion in assets). The bank started working with Fiserv's Risk Office in the spring of 2010 because the bank was taking too many losses from breaches, says Don Thornton, a card fraud analyst at the bank. Fiserv helped the bank improve its transaction monitoring so it could focus its fraud-prevention efforts on transactions that pose the highest risk, Thornton relates, and within two months AnchorBank was preventing 90% of fraud attempts against its cardholders.

"We really fully immersed ourselves and focused on analyzing trends on a daily basis. We developed an understanding of what was typical for our card base, … and we started to understand when to impact the cardholder," Thornton explains.

Based on that analysis, the bank developed a set of foundational rules to determine when a transaction poses high enough risk for the bank to take preventive action. Those rules are based on customer data such as demographics and purchasing history, and can be adjusted to handle specific incidents such as a data breach, Thornton says.

Don Thornton, AnchorBank

That approach paid off for AnchorBank when the retailer breaches hit last year. While many banks reissued cards en masse to prevent fraud after the breaches, AnchorBank was forced to reissue only 1% of its cards because of fraud concerns in one of its products, Thornton reports. The bank was also able to stop more than 94% of fraudulent transactions against its cardholders in December.

Strong Encryption, Strong Collaboration

Two-factor authentication can limit fraudsters' ability to use stolen credentials, and transaction monitoring can help banks know when to be on high alert, but strong encryption of payments data can help prevent credentials from being compromised to begin with. "Everyone in the payments system has to use strong encryption [the current standard is AES-256] from the point at which they receive data through the processing, storage, and final disposition of that data," says Identity Theft 911's Coffman.

It would be in everyone's interest to adopt strong encryption, which is also recommended by the Payments Card Industry (PCI) council, an industry group that sets security standards for merchants accepting card payments, but faulty installations among merchants remain an issue, Coffman says. "There's a standard out there. Some retailers just aren't following it," she observes. "People aren't motivated because the risk isn't passed on to the consumer."

Instead the risk is passed on to banks, which have to meet strict regulatory compliance mandates or face stiff penalties. Retailers don't face the same kind of repercussions if they fail to meet PCI standards, Bank of the West's Pollino says. "I don't think that PCI has created that same kind of environment [as banks deal with] where things are examined holistically and certain actions need to be taken. You need to have some teeth to make something happen," he explains.

The upcoming EMV liability shift will provide some incentive for retailers to up their security, Pollino says. The liability shift will mean that retailers will have to take the financial hit for breaches if they don't implement EMV-compliant terminals. "I wouldn't be surprised if we see a retailer go out of business or see one of them take a big hit in their financial disclosures," Pollino predicts.

But even the liability shift might not be enough to push retailers, especially smaller ones, to implement better security, he adds. "Smaller merchants in particular may be unaware of their liability exposure," he says. "A lag in implementing additional controls can provide a great opportunity for criminals to profit. Private entities or regulatory bodies need to proactively push for greater controls."

For now, banks need to reach out to retailers to collaborate and educate them on best practices and risks that they could inherit when the liability shift occurs, Pollino says. Bank of the West has started to contact its retail partners to this end, and industry groups such as the Financial Services Roundtable, the Retail Industry Leaders Association, the American Bankers Association, and the National Retail Federation announced a partnership in February to find ways to improve payments security.

"I hope that my team's outreach and the more stories we see about this topic will help us build a dialogue with retailers. … Hopefully we don't wait until we put a bunch of money in the fraudsters' pockets first," Pollino says.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

Comments
Mike Angel,
User Rank: Apprentice
8/27/2014 | 5:31:36 PM
re: 3 Keys To Making Payments More Secure
It would be interesting to know what you are using for your Second Factor. One Time Passwords or Codes sent via your cell phone or even a key fob under a time constraint, that you must enter, are still Single Factor Authentication because they are something you KNOW if you must enter them. Anything you must enter can be easily stolen by today's Trojan exploits. If your Second Factor is a Cookie or an IP Address, these are no longer strong enough because any Trojan will eliminate all Cookies and will temporarily move an IP Address to the Hacker's computer.
Jonathan_Camhi,
User Rank: Author
5/15/2014 | 4:24:28 PM
re: 3 Keys To Making Payments More Secure
Some of the tech companies are leading the way on this already. Gmail and Facebook already offer two-factor authentication. So banks should be following their lead.
Jonathan_Camhi,
User Rank: Author
5/15/2014 | 4:23:39 PM
re: 3 Keys To Making Payments More Secure
I think it's definitely becoming more of a regular thing in everyday lives, so I think the customer experience issue will go away with time. And the better the banks can educate customers about the benefits, the less likely there will be an issue to begin with.
Kelly22,
User Rank: Author
5/14/2014 | 8:30:21 PM
re: 3 Keys To Making Payments More Secure
I would definitely use two-factor authentication for banking - seems much safer than a static PIN and a solid component of a bank's risk-management strategy.
Nathan Golia,
User Rank: Author
5/14/2014 | 7:54:39 PM
re: 3 Keys To Making Payments More Secure
I recently implemented two-factor authentication after the Heartbleed work and an embarrassingly successful phishing attempt on my e-mail account. It's really not that inconvenient. The personal connection with a mobile device seems like an ideal outlet for better security.
JaCa,
User Rank: Apprentice
5/14/2014 | 4:25:34 PM
re: 3 Keys To Making Payments More Secure
Great advice; businesses should take a disciplined approach to Web application security that focuses first on the most common security concerns. Payment processing companies need to ensure secure payments and make sure PCI guidelines are met. EMV's are inherently secure; it will, however, take time for the system to mature. I work for McGladrey, and there is a whitepaper on our website that offers good information on the above-discussed topic; readers will find it useful: "Two common Web application attacks illustrate security concerns" @ http://bit.ly/1c0f35M