Richard Jones at ZeroRisk explores the virtuous cycle of merchant cyber risk management
We’re all buying more online. The impact of the pandemic on the UK’s e-commerce market has been dramatic — pushing internet sales up by 46% year-on-year in 2020. In the food retail sector it was even higher (79%). This has inevitably exposed more merchants and their customers to fraud.
But that’s OK because the PCI DSS payment security standard is here to help protect us from card data breaches and follow-on fraud, right? Well, not quite. There are several challenges with the PCI compliance model, not least the fact that its focus on card data misses the bigger picture.
In reality, poor merchant cyber-security has a knock-on effect throughout the payments ecosystem. That’s why merchant service providers (MSPs) need to be looking more holistically at cyber-risk across their portfolios.
The bigger picture
Online fraud has been with us for as long as consumers have been buying things over the internet. A recent analysis claimed that internet and e-commerce fraud in the UK rose by 179% between 2010 and 2020. It’s arguably getting worse, as fraudsters share knowledge, tools and tactics to improve their ROI, while merchants struggle to implement best-practice security and fraud prevention. It’s estimated that more than one in 10 of us have suffered online fraud in the past decade, with losses exceeding £376 million last year.
PCI DSS was, of course, launched around 15 years ago to help put a major dent in this activity by cutting off the source of fraudulent payments: card data. But it is failing. Compliance is seen as little more than a tick-box exercise by many merchants, who don’t understand the Self Assessment Questionnaire (SAQ) questions they’re presented with and see little benefit in return. As a result, many SMBs struggle to appreciate what they need to do to improve cyber-security.
PCI DSS is also too narrow in its focus. Yes, protecting card data is important to strangle fraud. But so too is other personal information on customers which merchants may store. If cyber-criminals get hold of this, they can craft convincing phishing emails and vishing (scam phone call) attacks which could cause significant financial and emotional pain for customers.
Banks, card companies, payment facilitators, merchants and other payments stakeholders should all be focused on the same goal: building greater trust in online commerce. That boils down to improved merchant cyber-security — not just to protect card data but all types of customer information they collect. After all, without consumer trust in online channels, the entire payments community will suffer.
What does this mean in practice? For MSPs it means finding new ways to drive revenue beyond punitive non-compliance fees (which may soon be regulated anyway). A progressive way to achieve this would be to focus on providing managed compliance services, where there is a closer relationship between MSP and merchant. MSPs should be proactively offering advice on which security tools merchants need to protect their business, for example.
Continuous risk management
However, to get there, MSPs need enhanced and continuous visibility into the risk profile of each and every merchant in their portfolio. The point-in-time snapshot provided by SAQs just isn’t good enough, and cannot be taken as factually correct without an independent assessment. Independent assessments give MSPs the information they need to reach out confidently to their merchants and offer advice on improving cyber-hygiene.
It’s about giving more time to each merchant, understanding where they need help and working with them as a trusted partner to lower cyber-risk. That should result in happier customers, lower fraud losses and a stronger, healthier online payments community.
Richard Jones, Head of Business Development at ZeroRisk