Treasury Today Country Profiles in association with Citi

Cybercrime: is your payment service provider a weak link?

The latest hacking scandal to hit the business world has seen Global Payments, a credit and debit card transactions processor, reveal that 1.5m credit card numbers in the United States may have been stolen by hackers. The news highlights the growing danger of counterparty risk to corporates. Can companies trust their payment service providers (PSPs) to have the right security in place?

The incident is the latest in a long line of high-profile examples of cyber-theft impacting major businesses, including Sony and Nintendo. Global Payments said in a statement: “Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.” Others are not so certain. There is fear that the business will struggle to rectify the damage caused.

Global Payments has lot to be worried about. “The obvious business risk of payment fraud for companies is financial loss, particularly from a treasury perspective,” says Nasreen Quibria, Payments Expert at Logica. “And then there is the reputational damage to consider. Even if there is just a perception that fraud has occurred, it can directly impact the business in terms of driving up the cost of capital.”

Annual research conducted by Verizon, an American communications business, found that 174m files were stolen by means of hacking and similar criminal activities online in 2011.

But high-profile cases of hacking can be misleading. Contrary to appearances, incidences of attempted and actual payment fraud have declined in the past two years. Cybercrime, it seems, is on the wane. “What is interesting is that the growth in fraud is reflecting the general global economic landscape,” notes Quibria. “Payment fraud increased considerably during the Great Recession; but fell as the global economy started to improve.”

“Fraud over a ten year period has increased but we have seen a decline in the last two years due to risk mitigation steps taken by treasury professionals,” says Dave Watson, Head of Client Access, Global Transaction Banking, Deutsche Bank.

Risks remain however. “As much as technology is continually evolving so are fraudsters,” warns Watson. “Technology continually advances and, especially in the area of security, is always looking to improve. However the criminal motivation is also there and is also driving more and more technical advances in fraud attempts.”

Andrew Durant, Senior Managing Director, FTI Consulting, highlights two major weak points that lend themselves to payment fraud. The first is the prevalence of customer-not-present payments, ie transactions secured over the internet. “The other issue is the enormous volume of data maintained by individual banks and retailers. Businesses offer hackers easy targets with that number of card details in one place.”

Indeed, some sectors are more susceptible to online fraud than others. According to PwC’s global economic crime report, “cybercrime has risen up the ranks over the last year to become the second most commonly reported economic crime affecting companies in the financial services sector.” Cyber-theft has a disproportionately large impact on the finance industry, accounting for some 38% of economic crime incidents. In other sectors it merely accounts for an average of 16%.

The relative vulnerability of finance raises questions. True, corporates are starting to pay attention to online security. But can they be sure that their counterparties are taking the same precautions? After all, there are two end points to every transaction. An effective counterparty risk mitigation policy is essential when it comes to fighting internet fraud.

In the meantime there is at least an upside to the Global Payments scandal. “What is encouraging is that, possibly as a result of such high profile attacks in the past, there has been increased awareness of payment fraud among businesses,” says Quibria. “This has spurred a rise and use of best practices and monitoring to reduce and avoid fraud.”