The term “layered security” can mean different things depending on who is using it. Organizations involved in online and mobile banking encourage layered security to authenticate the people and devices accessing accounts and to protect accounts from being ransacked. In payments, we recommend a layered security approach to identify and block fraud.
Both of the above examples come down to a singular driving philosophy: It takes an industry to fight fraud. No bank, credit union, cardholder, processor or network can detect and prevent fraud alone and no single technology tool exists to effectively protect against all fraud scenarios. By layering multiple strategies and tools, the whole is stronger than any individual piece can be.
A comprehensive and clearly articulated fraud strategy serves as the foundation of the financial institution’s approach to payments fraud protection. Among the factors to consider are your institution’s risk profile, region, cardholder footprint, level of acceptable fraud loss and how much inconvenience cardholders will tolerate from false positives. It is also advisable to establish a protocol for managing, indicating and reporting fraud to your partners, and an aftercare program involving direct communication and other programs to decrease attrition.
The issuer’s approach to fraud mitigation serves as the top layer of protection against payments fraud. The issuer defines when transactions should be declined, and establishes the process for responding to alerts of potential or confirmed fraud. Finally, the issuer works closely with its processor and payments networks to ensure authorization rules and fraud strategies are updated and appropriately aligned.
Unfortunately, cardholders may hold an institution responsible for fraud events: upwards of 3% terminate their relationship after an event,* and cardholders dissatisfied with how an institution handles a fraud event can have an attrition rate of 20%.**
Payments Network Layer
Payments networks have a unique ability to monitor every card-present, card-not-present, PIN, PINless, ATM, and funds transfer transaction going over their rails, and most networks offer their own fraud monitoring service. For instance, PULSE provides registered issuers fraud detection and fraud alerts through its DebitProtect® Fraud Mitigation Services. Most payment networks offer a robust set of fraud detection tools and techniques designed to adapt to the changing strategies of fraudsters. Another option to protect yourself at the network level is to register for fraud alerts for cards that have been identified as being used at a merchant that has been the victim of a data breach. This is an essential tool for FIs to get in front of fraudulent transactions before they start occurring.
Working together with your processor to understand their fraud mitigation capabilities and how they can fit your institution’s strategy is a necessary step. It is also a good practice to establish expectations with your processor on what actions you expect them to take, and what actions they can expect your institution to take in order to eliminate any confusion when a fraud event occurs.
Bringing it All Together
Each of these layers of protection against payments fraud works both independently and in concert with the other layers. Each can take advantage of its unique perspective and capabilities to identify and block fraud. But the most important player of all is the issuer.
Because issuers own the customer relationship and bear the risk of losing the customer, they need to work with their networks and processor to balance the risk of fraud against the potential for customer inconvenience. Many FIs struggle to balance their fraud strategy with customer service, but a layered approach gives an FI the ability to improve its results in both areas.
* Security, Fraudulent Transactions and Customer Loyalty: A Field Study, Carnegie Mellon University, 2016
** Global Consumer Card Fraud: Where Card Fraud Is Coming From, Aité Group, July 2016.