AUGUST - 2019

access security, and second, the risk associated with including sensitive payment information within transactions (as opposed to masked account information). The Internet has provided an ideal environment in which criminals from Eastern Europe, China or anywhere in the world looking to steal payment data can perform large-scale automated attacks on systems anonymously, with low risk of getting caught and prosecuted. Prior to the Internet, the exposure risk of payment account data already presented a vulnerability, but it was much more difficult to access the data and attacks were not scalable, thus minimizing the risk exposure.

Data stolen through data breaches, along with employment and family history information stolen from social media sites like LinkedIn and Facebook and via phishing schemes, have all been enabled by the broad adoption of the Internet. This information can be used to steal or guess payment credentials to initiate fraudulent transactions, fraudulently apply for new accounts or penetrate accounts already held on merchant sites. Using breached data and information stolen from social media sites, criminals utilize many devious methods to commit payment fraud.

Remote electronic payment is another Internet-enabled innovation which is at the root of growing payments fraud. Remote electronic payments made on home computers, tablets and mobile phones have revolutionized how people shop, introducing the convenience of shopping from anywhere. Consequently, remote electronic payments are now both the fastest growing form of payment and the fastest growing form of payment fraud. When the customer is not present in person to make the purchase, it greatly increases the complexity of authenticating the cardholder.

The primary vulnerability exposed by remote electronic payments is the reliance on static data to authenticate a transaction. That is, the same account information is used for every transaction: it does not change. As a result, once the payment information is acquired it is easy to perform a fraudulent transaction. Furthermore, this fraud is extremely difficult to detect.

To address the risk posed by static authentication, in 2015 the U.S. began migration to chip cards. Chips embedded in credit, debit and prepaid cards enable dynamic data authentication for in-person purchases. This means that unique data, secured with cryptography, are generated for every transaction. The outcome is improved detection and mitigation of fraudulent transactions, in particular for counterfeit card fraud.

Guy Berg

Unfortunately, chip technology is not readily applicable to remote payments, so the industry is feverishly searching for new solutions that can be broadly adopted cost-effectively to enhance remote authentication capabilities.

As they say, the train has left the station, so the Internet and remote payments are here to stay. Usage of both will grow even faster in the years to come and protecting data will become more difficult than ever. The good news is that there are viable ways to curb payment fraud resulting from them. The question is, how long will it take for payment industry stakeholders to make some tough decisions to remove account credentials from payment transactions to eliminate the utility and value of data breaches? And how long will it take payment industry stakeholders to agree upon the best approach to strengthen remote payment authentication? The technology exists to resolve these vulnerabilities. It is achieving collaboration across payment industry stakeholders that is the greatest challenge.
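The contrast between static and dynamic authentication described above, as an added sketch that is not from the original article: a toy issuer accepts a replayed static credential but rejects a replayed or altered per-transaction cryptogram. The HMAC-with-counter scheme, the class and function names, and the card number are assumptions constructed for illustration; this is not the algorithm chip cards actually use.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, pan, atc, amount):
    """MAC over the transaction data; differs for every counter value."""
    msg = f"{pan}|{atc}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Chip:
    """Toy chip (hypothetical): holds a secret key and a transaction counter."""

    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def pay(self, amount):
        self._atc += 1  # counter advances on every purchase
        return {"pan": self.pan, "atc": self._atc, "amount": amount,
                "cryptogram": cryptogram(self._key, self.pan, self._atc, amount)}

class Issuer:
    """Toy issuer (hypothetical): can check static data or a cryptogram."""

    def __init__(self):
        self._static = {}    # pan -> (expiry, cvv); identical on every use
        self._keys = {}      # pan -> secret key shared with the chip
        self._last_atc = {}  # pan -> highest counter value accepted so far

    def enroll(self, pan, expiry, cvv):
        self._static[pan] = (expiry, cvv)
        self._keys[pan] = secrets.token_bytes(32)
        self._last_atc[pan] = 0
        return Chip(pan, self._keys[pan])

    def authorize_static(self, pan, expiry, cvv):
        # A copied credential is indistinguishable from the original.
        return self._static.get(pan) == (expiry, cvv)

    def authorize_dynamic(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None or txn["atc"] <= self._last_atc[txn["pan"]]:
            return False  # unknown card, or counter already seen (replay)
        expected = cryptogram(key, txn["pan"], txn["atc"], txn["amount"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False  # data altered, or produced without the chip's key
        self._last_atc[txn["pan"]] = txn["atc"]
        return True
```
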