Integrated Solutions for Retailers: Strategies from CNP Transactions Reduce Risks for Retailers at t
04-May-2014
By Sally Jones, contributing editor
Facing down retail credit card fraud means introducing stronger, faster integrated solutions before the customer leaves the cash register.
Taking into account recent high-profile breaches of retail brick-and-mortar POS systems, businesses are looking for ways to reduce the risk of credit card fraud, while maintaining the speed and ease of transactions for customers. In this conversation, Rich Stuppy, VP of operations of Kount, recommends looking to card-not-present transactions for strategies to better secure in-store purchases.
Why are brick-and-mortar stores appearing to be less secure for retail transactions?
Stuppy: One of the reasons is the millions of credit cards and corresponding identity details used daily in retail stores across the U.S. And cybercriminals have seen tremendous innovations in the way they can get inside retail POS systems.
I call it stackable breach technology. Just like a child can stack blocks to build a toy house, the fraudsters are stacking layers of technology to create an effective and scalable breach-and-fraud machine. The first block is the vulnerable POS machines. They can be very difficult to secure, because big retailers have many locations, and most POS systems are in public areas, so criminals may have easy access. Stack on top of that ways of infiltrating corporate networks, like phishing schemes and insider threats, and memory-scraping malware designed to read cards and personal data from the POS and send that information to a controller device. Then an existing card distribution network takes stolen cards and ships them to the final building block, which is the fraudsters who build businesses to duplicate cards and use those stolen cards online via e-commerce or mobile transactions. Combined, these building blocks allow criminals to go from stealing cards to committing fraud, all in a matter of minutes, and it all starts at the POS terminal.
What makes e-commerce transactions more secure, in theory, than in-store?
Stuppy: Vulnerabilities during transactions still exist for e-commerce, but CNP (card-not-present) transactions can actually be more secure than face-to-face transactions. That's because retailers can glean much more information about the buyer using the right set of systems and techniques. For example, compare a POS purchase versus an online transaction. During the POS interaction, many retailers simply check the card and ask the customer to sign off on the purchase. But in the online realm, you're sitting on much more data about the buyer, including personal details from the order form, payment, device, and mobile data, and it's all there for the taking, if you have the right analysis tools during the transaction.
What can retailers take from successful e-commerce security and apply to their in-store transactions to bolster security?
Stuppy: Multi-channel retailers often neglect the strongest weapon in the arsenal, and that's the data from customer transactions. By using customer data from all of their channels, they can offer a similar level of protection for individual POS transactions as they do for mobile, call center, and e-commerce transactions. When you combine all that information and use it in a real-time system, you have a much higher likelihood of detecting and preventing fraud.
How does a retailer enable secure transactions, while maintaining happy customers?
Stuppy: By building an integrated all-in-one solution that uses customer data from every channel of your business, you can ensure more secure transactions. I talked about how fraudsters have a stackable solution where they are layering multiple capabilities on top of each other. Using a strategy like this one will always be slower than an integrated approach.
When retailers create a real-time integrated solution to monitor POS transactions, they can respond in a fraction of a second when risky transactions come through. That's because many of these tools were originally designed to work in e-commerce environments and need just 300 milliseconds or less to perform a risk assessment on a transaction. On the other hand, the fraudsters may take a few minutes or longer in attempting to breach the system.
Originally published at Integrated Solutions for Retailers.