How to win the fight against fraud while conquering risk
14 April 2013
As part of our commitment to customer service and helping the industry improve payment security standards, Barclaycard constantly strives to develop innovative and practical ways to help merchants fight fraud and reduce their data security risks as effectively and efficiently as possible. Whether you are a multi-national corporation or a corner shop, our battle guide could help your business shape its approach.
Research conducted by Barclaycard shows that many companies feel under pressure to meet compliance deadlines. This means they will frequently implement solutions to address the most visible, urgent, or costly issues they face in order to achieve compliance with the ever-growing range of mandatory and regulatory obligations, not least of which is the Payment Card Industry Data Security Standard (PCI DSS).
All too often, “silver bullet” solutions are implemented which prove to be ineffective, short-lived and expensive, and which ultimately make vital information security investment more difficult to secure. It’s a vicious circle. The first rule of battle in terms of tackling all aspects of risk and fraud is to meet the challenge head-on and take a longer-term approach.
Our approach to helping merchants address these issues in the longer-term is to provide an integrated and holistic means of reducing security risks and meeting compliance requirements. Doing this in a cost-effective and prioritised manner mitigates the risks associated with the storing, processing or transmission of payment card-holder data. This has resulted in the development of the Barclaycard Risk Reduction Programme (BRRP).
A key aspect of this initiative is that all the PCI DSS controls and risk-scoring metrics are held securely and without alteration in a Governance Risk and Compliance tool. This provides merchants with a true and accurate reflection of risk within the context of their individual business as part of their journey towards PCI DSS compliance.
Removing the burden of onerous reporting from the merchant – through risk scoring, identification and tracking of key payment assets – is inherent to the BRRP methodology. As a result, merchants can move from a pure compliance stance, with an annual audit, to a mature security posture, with continuous risk assessment for the longer term.
By increasing automation, organisations can move their risk reduction activities to business-as-usual more quickly than with traditional methods. It also enables merchants to join the Visa Europe Technology Innovation Programme and the MasterCard risk-based approach.
By acting as an enabler to meeting regulatory mandates – payment security-related or otherwise – and by allowing alignment with other information security endeavours, this type of programme can facilitate predictable investment and sustainable returns in information security.
The methodology was launched to the wider payments industry at the PCI SSC board of advisors in late 2012, and Barclaycard has worked closely with the UK PCI working group to facilitate the dissemination of the programme as widely across the industry as possible.
Moving on to fraud, the stakes are so high for many businesses that a considered and long-term battle plan is critical to defeating fraudsters. By working closely with a range of security partners, Barclaycard’s fraud approach aims to provide merchants with the best possible tools to fight fraud and improve data security. These are carefully selected to help small and large merchants develop multi-layered defences to protect their business at key stages along the customer journey.
Tools such as fraud screening solutions can be implemented along the entire customer shopping and browsing journey to provide protection before, during and after transactions have taken place, ensuring reliable transactions and improving revenue. Another important tool to consider in your defence arsenal is web session intelligence, which enables suspicious activity to be detected before online transactions have even taken place. By monitoring the entire web session and consumer activity on a click-by-click basis, merchants can benefit from vital advance warning of an impending threat of attack.
Implementing specialist database technology also offers robust fraud detection and prevention techniques. Merchants are able to screen greater numbers of bad transactions while processing a higher amount of good ones using our advanced fraud-screening partner technologies.
Another new tool, phone verification, assesses the riskiness of phone numbers based on geo-location, status and type of phone line, which provides critical insight for merchants. This insight can be fed into decision engines as an additional field of intelligence and used to generate rules based on the type of phone line provided by the customer, as well as smart two-factor authentication. This can provide additional upstream security while users are logging in online, as well as at point-of-delivery of goods to confirm these are being delivered to legitimate customers.
Our security partners work together to provide seamless integration with complementary services, which offer additional protection and intelligence such as two-factor authentication, age verification and identification and verification services.
Data is a valuable asset for all businesses and, in particular, when tackling fraud. Using our unique insight into our merchants’ consumer spending patterns has enabled the creation of a service that directly connects these businesses to issuing banks, via a secure online portal. Merchants can then benefit from comprehensive, real-time fraud alerts as soon as a fraudulent transaction has been confirmed between an issuing bank and the card-holder.
The service, known as Barclaycard Fraud Reporter, gives enhanced visibility and understanding of fraudulent transactions, which is unique to the market due to the reliability of our data set and the timeliness of the confirmed card-holder fraud.
It also provides the opportunity for merchants to detect and intercept fraudulent transactions that have already been processed before the goods are shipped, thereby mitigating the risk of potential charge-backs that could be received by the merchant.
Fraud management solutions will continually evolve with the introduction of new and sophisticated fraud prevention tools. However, as these technologies evolve, so do the fraudsters. Therefore, a robust battle plan is vital to ensure your business stays one step ahead of the game – and using all the latest tools and technologies available could be a critical step in doing so.