Secure financial transactions are vital in a digital economy, but despite the best efforts of the world’s major credit card issuers to produce a viable standard, fraud is on the rise in Australia.
Is the explosion of online startups behind this, or, as Peter Clutterbuck argues, do we need more rigour and accountability in security standards.
Kasia is an artisan. She is also a business woman. Her business, Laikonik, is one of a rash of small businesses thriving online, which between them contribute to 34% of Australia’s private sector economic wealth.
Like many kitchen table startups, the idea behind Laikonik was to take passion and talent and combine them to build a viable business and make a reasonable living. Like most first-time entrepreneurs, Kasia had no business training. Nor was she a programmer, a web designer, a payments clerk or an accredited credit card merchant.
DR PETER CLUTTERBUCK
An expert on internet security, Peter has held management positions in the public and private sectors. He advises organisations on network security and is currently carrying out research into security auditing.
In seven years, Laikonik has grown to become an international exporter of environmentally sustainable handcrafted homewares with 70% of sales direct to customers online, the rest supplied to shops in Australia, the US and the UK. All online payments are made and taken through a third party clearing house that provides security for seller and buyer and a globally trusted payment environment. Kasia hasn’t had to speak to a bank or write a line of code.
It’s the kind of online success story that inspires many entrepreneurs. But the course of small business does not all ways run smoothly, and one issue online startups are increasingly running up against is the increase in payment fraud.
Since the boom in online retail, credit card fraud has dramatically increased, from 67.2 cents to 96.0 cents in every $1,000 transacted in 2011. According to the Australian Payments Clearing Association – whose members include financial institutions, merchants and other payments providers – shopping online, by mail or by phone accounts for 71% of fraud value on locally issued credit, debit and charge cards.
And it’s the growth of the small online business that Chris Hamilton, Chief Executive of the Australian Payments Clearing Association (APCA), believes is contributing to this rise.
Chris Hamilton believes that those who wear the fraud – financial institutions and, sometimes, merchants – are the ones who are best placed to minimise it.
“All frauds start with a “compromise”: the fraudster getting hold of something – a card, or some data – that they can use to commit the fraud. So, a standard around the securing of card data is absolutely vital. That’s where the Card Industry Data Security Standard (PCI DSS) comes in,” he said.
The PCI DSS emerged in 2004 when Visa and MasterCard merged their security requirements into a single standard. By 2006, Visa, MasterCard Worldwide, American Express, Discover Financial Services and JCB International announced the formation of an independent body – the PCI Security Standards Council, LLC – to deliver and maintain a global, industry-wide security standard for the protection of cardholder account information.
THE REQUIREMENTS THAT MERCHANTS MUST OBSERVE FALL INTO SIX CATEGORIES:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Monitor and test networks
- Maintain an information security policy
While the standard is not law, incentives to comply are clear. Financial institutions and merchants agree that fraud victims get repaid money lost, as long as there is no evidence that the merchant acted negligently. If a business is found not to comply, it faces heavy fines, increased audits, and the possible suspension of their merchant account facility by their bank or card issuer.
Card issuers have employed increasingly aggressive tactics to deal with illegal card activity, such as ‘sniffer’ programs that look for unusual behaviour patterns and stop strange transactions. MasterCard’s SecureCode and Verified by Visa require card users to enter additional security information in a bid to make account data less attractive to steal.
Trouble is, while prevention software and authentication processes do help, too many safeguards can be a turn-off. For example, a merchant may ask consumers to enter a password that their credit card company will verify, yet that extra step may make consumers change their minds about buying. “Merchants worry about abandonment when they implement these schemes, particularly for lower-value transactions,” says Hamilton.
The issue with small online retail businesses is that the PCI DSS is now several years old and small business may well lack specific knowledge of the standard or its implications.
Says Judy Shaw, spokesperson for Visa: “Criminals go for softer targets – companies that are either small or vulnerable because they are new to e-commerce. We’re encouraging more compliance with PCI DSS across small to medium businesses, particularly those that are classified as in higher risk sectors.”
Transactions between companies and customers rely on trust that cheques, credit cards and bank transfers are valid. Increasingly, though, they are not and somebody ends up with a fake check, or worse, a compromised bank account.
IF THERE ARE SECURITY STANDARDS IN PLACE, WHY IS FRAUD ON THE UP?
The problem with PCI DSS is that we don’t know who is complying, even though financial institutions and merchants contractually agree to.
“Business is very reluctant to provide specific data on security matters,” says Peter Clutterbuck, Lecturer in Business Information Systems at UQ Business School.
This makes it difficult to get up-to-date information on the size of the problem.
“It’s a question of patchy information from business and from the regulatory body.”
It’s the big companies that have enough firepower to guard against the new technical capabilities and practices of criminals.
Still, warns Dr Clutterbuck, one can not make the blanket assumption that all big companies are complying with PCI DSS. It has been described as a difficult standard to comply with. “There are questions as to whether staff are fully trained to assess compliance. Most analysts describe the PCI DSS requirements as posing significant personnel training challenges.”
- 95% of consumers stop shopping with a company that mishandles their data
- 65% of Australians are more careful with their ATM or credit card pin than their online passwords
- 22% of Australians use personal information like pets’ names or nicknames for passwords
Also, some merchants processing less than six million transactions per year are allowed to self-assess compliance, which Dr Clutterbuck sees as an inducement not to crack the whip too hard.
The difficulty of cracking down on criminals who hack into online data is exacerbated by inadequate data breach disclosure laws.Other markets are demanding that merchants identify and disclose a data breach to the authorities as well as to the individual consumer. There has been a strong push for such legislation in Australia, but, to date, nothing has been framed.
THE ENEMY WITHIN
Fraudsters, of course, also lurk inside of companies. So while companies are fighting crime and enlisting firewalls and other technologies to keep data, those steps are useless if an employee decides to steal. Armed with the username and password he or she can access a company’s computer systems with little risk of detection.
“A significant proportion of fraud is internal,” says Hamilton. Companies that hold on to card data run a huge risk. So what are they doing about securing card numbers inside their own business? What are their arrangements with employees? Do they have steps in place to stop people committing fraud?”
Says Shaw: “The potential damage goes well beyond the threat of fines for failing to protect sensitive data or immediate fraud losses. Consumer confidence in conducting business online is everything, and the potential damage to corporate reputation and brand can be extremely serious.”
In seven years of trading, five online, Kasia Jacquot has not experienced a single instance of credit card fraud or compromise of customer data at Laikonik. Her advice to startups is simple: “Buy in what you don’t know. I opened my shop with Big Cartel, who provide the virtual ecommerce environment – the shop, the shelves and the cash register.” When it came to payments, Kasia understood trust was critical. “I have opted for PayPal, an online transaction management system that is known around the world and created specifically to work online. It’s served my business and my customers well.”
LEARN MORE
If you would like to learn more about the research in this article, then take a look at:
“Security on the cards”, Magazine for Australian Chartered Accountants, 2010