The Surprising Costs of Data Security in Fraud Prevention
When building an in-house anti-fraud system, there are a number of costs to consider. Two that are easily overlooked are data security and PCI compliance.
Many businesses adequately plan for the costs of the underlying IT infrastructure and equipment on which the anti-fraud software and technologies run, as well as the people required to support and operate that infrastructure.
However, companies often underestimate the substantial investment in data center and network security systems to protect that IT infrastructure from intrusion and attacks, plus the staff required to operate these security systems.
In addition, many organizations lacking expertise regarding the Payment Card Industry Data Security Standard (PCI-DSS) are often surprised by the investment in staff and training required to establish and maintain PCI compliance.
The threat of a breach is real. Since 2005, hundreds of online eCommerce operations and brick-and-mortar retailers have had their systems compromised, with close to 7 billion breaches. Building and sustaining secure networks and data centers capable of withstanding the tsunami of attacks involves a significant investment in time, equipment, and staff.
- Time. A new startup organization with no established infrastructure must make dozens and dozens of purchasing and hiring decisions -- ranging from equipment to software to third-party providers to staff and more. This can add weeks or months to a “go live” date. Even established organizations implementing new capabilities may spend weeks working through their purchasing decision tree.
- Equipment. For a large eCommerce operation processing 10 million transactions per year, The Fraud Practice calculates that hard costs of $1 million a year for systems and upgrades are not uncommon. Of course, not all of this spending involves data security. And yet, even technologically sophisticated organizations that are willing to invest the time, money and expertise needed to build and maintain an in-house data center with Tier-3 or Tier-4 security levels can be vulnerable. For example, Target ($39 million settlement), T-Mobile (5 lawsuits), and Yahoo (500,000 potential class action participants) are paying the price for the high-profile breaches they’ve experienced.
For this reason, many online retailers that choose to build in-house systems may find it more cost-effective to outsource hosting to data centers that specialize in meeting PCI-DSS standards. Nevertheless, because of the significant investment required to meet and maintain PCI compliance, such hosting is often substantially more expensive than even enterprise-class hosting.
- Staff. The Fraud Practice further estimates another $1 million a year spent on the expert IT staff and resources to securely operate an enterprise-class fraud prevention system in house. A significant portion of this spending obviously involves network administrators, security managers and system integrators devoted to network and data security.
Another factor to consider is the cost to maintain PCI compliance.
eCommerce operations with legacy systems older than five years may not be fully current with the latest standards, leading to increased costs. For example, a merchant wanting to speed up processing for fraud detection may institute negative and positive lists of customers based on their historical behavior. However, the merchant may not realize that retaining this personally identifiable information creates an obligation to conform to PCI-DSS. The result can be higher fees and charges from their processor, as the processor attempts to price appropriately for the risk of exposure to credit card fraud in the event of a breach.
The confluence of these factors -- longer timelines, higher equipment costs and accelerating headcount numbers -- can be a drag on growth and profits. They may make it impossible to scale efficiently as transaction volume increases and the need to provide higher levels of security expands.
Discover more about the numerous costs, benefits, risks, and exposures involved in deploying an enterprise-class operating fraud prevention system. Attend the webinar “Should You Buy or Build a Fraud Management Solution?” on Thursday, April 20 at 1 PM EST. The featured panelist will be Justin McDonald, Senior Risk Management Consultant at The Fraud Practice, who will speak about the many factors involved in making the right decision for your eCommerce business.