How Payment Businesses Deal with Fraud and Data leaks

Any problems that payment business faces bear direct, measurable losses. Situations like data leaks, fraudulent schemes, or simple miscommunication with the provider may cost millions. 

This article will help to avoid such situations by relying on anti-fraud, PCI DSS, reconciliation, and more.

Evaluating the problem 

Before learning about the remedies, let's face some facts about the problem — data leaks and online fraud. 

Data leaks

In 2021-2022, the average cost of a data leak in hybrid infrastructure in the USA is $3.6 million per incident. For financial institutions, the average worth of data leakage is even higher, reaching $5,85 million. Since last year, the figure has increased by another 10%. 

COVID has forced many people to work from home. Not all companies have had time to move to cybersecurity technologies such as Zero Trust Security and implement other distributed security methods. Therefore, the number and cost of incidents will increase along with the cost of data processing.

Fraud

Fraud is when someone wants to deliberately deceive others to obtain a particular benefit, most commonly — funds. There are various types of fraud:

• Phishing is a widespread fraud type with the purpose of obtaining personal data from users. Fortunately, modern email providers and messengers have learned to recognise phishing messages and prevent users from opening them by blocking and marking them as spam.  

• Friendly fraud, or fraudulent chargeback, is a forced return of money to a customer. For example, when a person pays for a service with their card and then makes a refund based on some nuance in Terms of use or other documents. If it is a digital product, it can be made numerous times. Twitch faced this problem quite often. The service allows streamers to receive donations for reading messages or usernames during streams. The practice of donating $1, $3, $5 or more and requesting a refund later became very common, as the refund request procedure on Twitch has been too simple. That’s why the service decided to introduce a verification practice. 

• Card theft. If the cardholder has not set up protection methods such as 3DS and their card ends up in the fraudster’s hands, it won’t be possible to recover the lost funds.

• Account takeover fraud. For example, a user pays for the delivery service. They enter the card details, confirm the transaction, and see a successful payment for the delivery service in their card statement. But during the process, the card data ends up on someone’s server and can be used for making payments without the user knowing about it. The best solution against such a scheme is to turn on dynamic CVV, set card payment limits and apply other basic security rules.

To hint at the scale of the fraud problem, here are the statistics and projections of the total volume of global card purchases in comparison to fraud losses. 

What the provider can do

The provider, for its part, can influence the amount of fraud. For this, checking all transactions and saving and tracking their history is necessary. When processing a large number of payments, it is almost impossible to perform such checks manually. Therefore, there are several methods in the arsenal of the provider that ensure efficient work. Let's talk about them in more detail.

Rule engine

As the name hints, this solution filters transactions based on established rules. The system reads all available information while the transaction is being processed, including device, geolocation, customer's history, IP address history, etc. Based on this data, the system aggregates metrics, which can be used to create rules. For example, if a customer pays regularly and with high conversion, they can freely have their transactions confirmed. But if any rules are not followed, the provider automatically applies additional security rules.

Scoring and AI

Fraud scoring is a process of quantitive assessment of the transaction risk level. It is based on machine learning technology, which verifies each transaction using a variety of indicators. Then the system assigns a simple numeric score representing the transaction’s risk level. 

The assessment process consists of such steps: 

1. A client initiates the transaction.
2. The system collects all available information about the client (payment history, phone number, email, IP address, etc.).
3. All the information is analysed by the scoring system. 
4. The system assigns a positive or negative score to each indicator.
5. The total score is calculated.
6. Depending on the total score, the system takes one of the actions: approve, decline, or forward the transaction for manual review.

The company may create its own scoring system or use third-party services. 

Artificial intelligence is a must for companies working with a large amount of data, as different types of business or even a specific client may require custom scoring settings. AI helps to adapt the system to various events or a rapid increase in sales. 

Blocklists

This method is available to both the provider and the merchant. 

Merchants know their customers better. They can adjust the purchasing process to ensure the customer's transactions are processed regardless of which card he paid with by including this customer in the bypass list. 

But some transactions should never be processed. For example, the ones initiated from a suspicious IP address. This is where blocklists come to the rescue.

There is also a dynamic list that gets filled based on the results of other systems. For instance, if the payment provider rejected the transaction with an "anti-fraud" error, the merchant can block the client who made it or a specific card they used. That's how the list gets filled. It's not the best fraud prevention method, but it's good as an additional tool.

PCI DSS compliance

The payment card industry developed PCI DSS — a set of recommendations and rules for businesses that work with card payments to ensure data security. The development and implementation of the PCI DSS began in 2004, and the current version on the market is v3.2.1.

The standard does not belong to a specific country and is not the law. Still, the world's most well-known payment systems, like Visa or Mastercard, won't work with a company that has not passed PCI DSS compliance. There are four levels of compliance:

• L1 – 6+ million transactions annually
• L2 – 1-6 million transactions annually
• L3 – 20,000-1 million transactions annually
• L4 – less than 20,000 transactions annually

The requirements are different for each level and may involve quarterly ASV scans and penetration tests at least once a year. The price for Level 1 could be from $10K to $50K, and the initial compliance takes more than two months. The company needs to be PCI DSS compliant only if it will host a payment page on its side and work with a payment gateway Server-to-Server. In other cases, partnering with a trusted PCI DSS L1 compliant payment intermediary is a great solution.

Reconciliation

Reconciliation is an accounting process of comparing two sets of records to check that figures are correct and in agreement. 

Everything that passes through our system is secured by funds in another system. That's why it's crucial to ensure that the statuses and amounts in both systems are the same, there was no failure, and the commission was calculated correctly.

Reconciliation should help with the following issues:

• Status mismatch
• Amount mismatch
• The operation does not exist in the provider's system
• The operation does not exist in the processing
• Non-financial attribute mismatch: IP, fingerprint, description, etc.

Interaction logs

Ideally, the company should record absolutely every interaction with the provider, as sometimes it is necessary to confirm certain actions. In the payment industry, the inability to provide evidence of one's actions can result in financial and reputational losses.

It is crucial to keep a record of the following data:

• All requests and responses between you and the provider
• Provider transport errors: 500+, timeouts, unexpected behaviour
• Callbacks
• User returns

Infrastructure

Effective and high-quality infrastructure setting directly affects the work of a company. Modern infrastructure providers such as Amazon Web Services, Cloudflare and others offer businesses a wide range of packages and services.

The main functions that the infrastructure provider should offer are:

• Capacity planning
• Scaling policies
• DDoS protection
• Data backups
• Data retention

Conclusion

Businesses that work with digital payments bear direct losses resulting from data leaks, miscommunication with providers, or fraudulent schemes. To avoid this, they must apply relevant security measures or look for a payment partner that takes care of it. Fortunately,  there is plenty of trusted payment security solutions on the market. 

Rule engines, scoring services, artificial intelligence, and block lists based on a variety of attributes prevent businesses from processing suspicious transactions. Reconciliation, interaction logs, and high-quality infrastructure help minimise the possibility of problem cases and enable businesses to solve occurring issues quickly. PCI DSS compliance implies a set of security measures that a company working with payments has to implement to protect customers’ data and transactions.

Fraud as a phenomenon will always be present in the market. But using modern methods and services gives companies many opportunities to protect their customers from fraud and prevent unwanted losses.