How to Protect Your Firm From Payment Fraud

Like any merchant that utilizes an electronic billing system, installing security firms need to safeguard their clients’ private data. Learn necessary procedures to defend against credit card scams and other payment cons.

There is considerable evidence that Automated Clearing House (ACH) and credit card payments offer many advantages for installing security contractors over “snail mail” billing systems. At a minimum, electronic billing has proven to be more cost-effective and greener than paper-based invoicing systems. Companies whose customers are billed via ACH and credit cards also experience lower attrition rates and more timely cash collections.

Importantly, there is yet another, lesser known advantage of ACH and credit card billing over paper invoicing for security companies – fraud risk reduction. A survey conducted by the Association for Financial Professionals (AFP) in 2010 indicated that check fraud remains the primary source of payment scams. Some 73% of organizations surveyed experienced attempted or actual fraud in 2009, and within that group nine out of 10 were victims of check fraud.

The leading type of check fraud reported by respondents involved counterfeiting the firms’ magnetic ink character recognition (MICR) line data (72% of respondents), followed by altered payee names (58%) and altered dollar amounts (35%). When check fraud resulted in losses to an organization, 37% said it involved a check being cashed by a check-cashing service.

With an aim toward defending your company against fraudulent payment attacks, let’s explore some best practices to implement as well as consider some additional statistical data in this area.

A Data Security Standard Is Born

Many of the AFP survey respondents that shifted from paper to electronic payments indicated they had done so with fraud prevention in mind, a strategy that AFP applauds. “Organizations large and small should be pushing hard and working with their banks, vendors and other suppliers to eliminate [check fraud] vulnerability by moving transactions to ACH and card payments,” the AFP report advises.

Nonetheless, it is important to note that electronic billing systems are not immune from being the targets of fraud. AFP survey respondents reported that consumer and corporate/commercial cards were the second-most targeted (37%), followed by ACH debits (25%), ACH credits (7%), and wire transfers (3%).   

The impact of credit card fraud is immense. According to a report by the U.S. Department of Justice, more than 11 million Americans, or approximately 5% of those age 16 or older, have been the victims of identity theft during a recent two-year period, and more than half of those identity theft victims (53%) experienced the unauthorized use of an existing credit card.  Furthermore, a Gallup survey conducted two years ago cited identity theft as Americans’ leading crime concern.

Security companies that accept credit or debit cards must comply with standards established by the major card associations to safeguard buyers’ card data. Failure to meet these standards can result in costly fixes, hefty fines, and potentially crippling damage to a firm’s reputation. Technology that enabled merchants to accept card transactions via the Internet — not to mention the subsequent card data breaches that followed — led the card associations to collaborate on the Payment Card Industry Data Security Standard (PCI DSS).

The standard attempts to prevent unauthorized access to cardholder data, such as a skilled hacker remotely accessing a computer system containing cardholder records. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design, and other measures intended to protect customer card data.

The card associations — MasterCard Worldwide, Visa Inc. Int’l, Discover Financial Services, American Express and JCB Int’l — are responsible for enforcing compliance with the PCI DSS standard. They in turn rely on credit card issuers, such as commercial banks, to ensure their clients comply. Potential consequences if a merchant doesn’t adhere to PCI DSS, and has its system hacked into and customer card data stolen, include:

Expensive remediation — If the card associations notify a bank’s merchant services department that its security company client is the source of a card-data breach, that company will be required to shut off its Internet connection and submit to a costly forensics investigation to determine the reason for the breach. Appropriate action will then be required to resolve the problem. A Qualified Security Assessor (QSA) typically charges $10,000 to $20,000 per business location to conduct such an investigation.

Potentially large fines — When the investigation is complete, the QSA firm will send a report on its findings to the card associations. Based on that report, including how egregious the QSA determines the security lapses were and how many cards were compromised, the card associations will levy a fine that can range from $5,000 to $200,000.

Damage to your business’ reputation — A compromised card merchant, particularly a security company whose principal service is protecting people, property and information, faces the threat of negative publicity and resulting damage to the reputation it has worked so hard to build. In recent times, many businesses that suffered card-data security breaches have ended up on the evening news and in the newspapers.

Merchant services departments in the banking industry often require clients that process card transactions via an Internet connection to participate in a PCI DSS compliance validation program.

Typically, merchants conduct a self-assessment questionnaire which reviews the policies and procedures they employ to store, process and transmit credit card data, and train their staffs. To remain compliant with PCI security standards, merchants are required to complete and pass the questionnaire each year, as well as pass a network scan of their system each quarter.
