Payment Identity Management

Increases in fraud–such as ongoing compromises of consumer information, corporate/retail account takeovers, and “card not present” fraud–highlight inherent limitations and weaknesses in the existing payment systems. Fraud affects everyone, and fighting it is a constant challenge, given the many technologies and processes used to authenticate a payment being made from different sources. While there are no quick fixes, sound practices and innovative technologies exist that allow payment system participants to better manage risk.

One example is aligning authentication methods to risk. Risk-based authentication techniques can reduce customer friction and increase security. Authentication can be dynamic and continually evolve, based on the increasing risk and the sequence of events between the payment channel and the user.

But solutions can’t be static. As new products and services are introduced, they should be integrated with existing tools and an organization’s risk assessment framework. Identification and adoption of stronger and more universally accepted payment identity management practices will help mitigate existing and anticipated fraud threats, making participation with or entrance into the payment system less difficult, expensive, and risky.

Data Protection

High-profile data breaches continue to make headlines. Whether personal or financial, data is a valuable commodity for hackers looking to leverage the stolen information for financial gain. As the scope of data to be protected continues to evolve, the challenge is how it should be protected in the end-to-end payments process. The payment industry must remain vigilant and incorporate practices that safeguard sensitive payment data at rest and in transit. An industry framework that provides a common understanding among payment industry participants about how to identify and appropriately protect sensitive payment data associated with different payment types would benefit a diverse set of payment stakeholders. The framework should also define how to protect data across end-to-end payment transaction processes and include a security baseline that can be universally applied to sensitive payment data.

Information Sharing

The nature of fraud and data breaches has changed considerably over the past few years. Criminals have established extensive networks to share tactics and techniques for how to carry out coordinated attacks, yet it remains difficult for the good guys to share data to mitigate these attacks.

The Cybersecurity Information Sharing Act of 2015 and subsequent guidance released in 2016 establish opportunities for information-sharing to take place among industry participants as well as between private and public sector organizations. However, barriers continue to prevent much of the intelligence from being communicated. They include a lack of baseline knowledge about available resources, limited trust amongst parties, misaligned incentives and a lack of infrastructure required to make information available to all payment stakeholders. These barriers limit the amount of information shared within the payments industry and, thus, reduce the ability to prevent fraud and data breaches.

Now is the time to eliminate these barriers and expand communication channels. One possible outcome would be standardized fraud metrics and reporting and more sharing of actionable information across payment industry participants, which would make it easier and quicker to identify fraud risks and take action.

The security challenges facing the payments industry require broad cooperation and coordination across the payments ecosystem. Collaboration is the key to success. The Secure Payments Task Force is a forum for such collaboration, allowing a wide variety of industry participants to work together to reduce fraud risk and advance the safety and security of the national payment system.