<?xml version="1.0" encoding="utf-8"?>
<feed xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xml:lang="en-us" xmlns="http://www.w3.org/2005/Atom">
  <title>The Logic Group Blog</title>
  <link rel="alternate" type="text/html" href="http://www.the-logic-group.com/blog/" />
  <link rel="self" href="http://www.the-logic-group.com/blog/SyndicationService.asmx/GetAtom" />
  <icon>favicon.ico</icon>
  <updated>2012-03-29T15:53:41.10178+01:00</updated>
  <author>
    <name>The Logic Group Holdings Ltd. Registered in England. Registered No 02283418</name>
  </author>
  <subtitle />
  <id>http://www.the-logic-group.com/blog/</id>
  <generator uri="http://dasblog.info/" version="2.3.9074.18820">DasBlog</generator>
  <entry>
    <title>Don’t be one in a Million!</title>
    <link rel="alternate" type="text/html" href="http://www.the-logic-group.com/blog/2012/03/29/DontBeOneInAMillion.aspx" />
    <id>http://www.the-logic-group.com/blog/PermaLink,guid,ea965321-a41c-42c8-89bc-c0cccad3895b.aspx</id>
    <published>2012-03-29T15:53:41.101+01:00</published>
    <updated>2012-03-29T15:53:41.10178+01:00</updated>
    <category term="Fraud" label="Fraud" scheme="http://www.the-logic-group.com/blog/CategoryView,category,Fraud.aspx" />
    <author>
      <name>Robin Adams</name>
    </author>
    <content type="xhtml">
      <div xmlns="http://www.w3.org/1999/xhtml">
        <p>
The new <a href="http://www.homeoffice.gov.uk/publications/agencies-public-bodies/nfa/annual-fraud-indicator/" target="_blank">Annual
Fraud Indicator</a> from the National Fraud Authority (NFA) was published this morning
and makes some interesting reading.
</p>
        <p>
 
</p>
        <p>
The headline figure which everyone will pick up on is that the loss to the UK economy
to fraud each year is estimated to be £73Bn. Considering the previous estimate in
2011 was £38Bn, has fraud really increased twofold? The answer, unsurprisingly, is
that it hasn’t; what has changed is the inclusion of new areas of the economy not
previously considered in the scope and a step change in the methodology in place.
</p>
        <p>
 
</p>
        <p>
So what are the interesting facts in the report?
</p>
        <p>
 
</p>
        <p>
Estimated fraud perpetrated against the private sector came to £45Bn with an estimate
of 1.4% of turnover being attributed to this fraud. This is in line with what we tend
to see when we talk to merchants about their own fraud estimates. Within this section
was the commentary that many retailers identified fraud from their growing online
and multichannel operations as the most significant emerging issue they faced. Again
this ties in with our own experience here at The Logic Group, where we see retailers
trying to address this issue with a multitude of tools. There has been a large growth
in the use of 3D Secure (Verified by Visa, SecureCode, SafeKey) and other real-time
fraud identification tools to try and identify this fraud as it is attempted. For
many retailers the issue they face is to try to identify fraudulent transactions while
still permitting valid customers' transactions to flow seamlessly through the system.
Rejecting valid transactions can also be a real cost to a retailer and is one of the
invisible costs of fraud which will not be identified within this report. Tuning a
fraud tool correctly can have a major impact on turnover and fraud levels. Fraudsters
are constantly improving their techniques to counteract these tools so it remains
an ongoing battle. For example, recently there has been a move targeting call centres
as the channel of payment as these are unable to use 3D Secure in their validation
efforts.
</p>
        <p>
 
</p>
        <p>
Identity-related fraud (aka identity theft) was set to an estimate of £1.2Bn, although
the report states this is likely to be an underestimate. We are already aware of more
attempts to steal individual personal data, as this can then be used within more sophisticated
attempts to commit fraud. Why steal well-protected card data if you can steal the
identity of the card owner and obtain a card in his name anyway? Working in the area
of the Payment Card Industry Data Security Standard (PCI DSS) at The Logic Group,
we see cardholder data being well protected while alongside it, outside of the
protected Cardholder Data Environment (CDE), customer and loyalty data belonging to
the merchant remains vulnerable to attack.
</p>
        <p>
 
</p>
        <p>
As expected, fraud committed upon the individual was up, with an estimate of £6Bn. Perhaps
the most jaw-dropping of the wealth of statistics we were presented with in this area
is the fact that 1 million people responded to unsolicited communications by sending
money and, more unsurprisingly, just under 500,000 of these people found it was fraudulent.
I remember a couple of years ago a member of a specialist police team telling me they
thought there was, on average, at least one meeting a day in a London hotel room where
a fraudster would be meeting a victim of this type of fraud for the handover of large
amounts of cash.
</p>
        <p>
 
</p>
        <p>
So the next time you receive that email from your “friend” who has £30M available
in a bank account, due to the death of his cousin the general, or the one who rings
you to tell you about your foreign lottery win, or the one who has scanned your machine
on the network and found a virus they want to fix, don’t send that administration
fee. Instead remember that statistic!
</p>
      </div>
    </content>
  </entry>
  <entry>
    <title>So is Fraud going up or down?</title>
    <link rel="alternate" type="text/html" href="http://www.the-logic-group.com/blog/2012/03/14/SoIsFraudGoingUpOrDown.aspx" />
    <id>http://www.the-logic-group.com/blog/PermaLink,guid,dc98f685-fd50-4e23-bd3b-2e2388e9fa81.aspx</id>
    <published>2012-03-14T11:47:21.245+00:00</published>
    <updated>2012-03-14T11:47:21.2453253+00:00</updated>
    <category term="Fraud" label="Fraud" scheme="http://www.the-logic-group.com/blog/CategoryView,category,Fraud.aspx" />
    <author>
      <name>Mark Kusionowicz</name>
    </author>
    <content type="html">&lt;p&gt;
The devil is in the details - an old adage I know, but just the other day I was struck
by how accurate that phrase can be. In an online daily news service for Payments professionals
there were 2 very different headlines on consecutive days. On day 1 the headline read
“UK: Fraud reaches record levels in 2011”, followed the next day by “UK: Fraud losses
on debit and credit cards reach the lowest level in 10 years”.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
How should a Retailer or other merchant respond to headlines like that? Should they
increase investment in anti-fraud measures or re-allocate some of that spend to driving
new marketing programmes as the risk of fraud is reduced? A more detailed investigation
is required – I took a close look at each report, rather than relying on the headlines.&lt;br /&gt;
My first observation is that the reports were from two different sources and were
talking about different sets of statistics. The “fraud is getting worse” one was from &lt;a href="https://www.cifas.org.uk/secure/contentPORT/uploads/documents/reports/Confidential-%20Fraudscape%202011.pdf" target="_blank"&gt;CIFAS,
the UK’s Fraud Prevention Service&lt;/a&gt;, covering all fraud reported to the National
Fraud Database, and the “fraud is reducing” one was from &lt;a href="http://www.theukcardsassociation.org.uk/wm_functions/fnc_get_document.asp?DocumentID=177&amp;Filename=end of year fraud figures 2011.pdf" target="_blank"&gt;The
UK Cards Association&lt;/a&gt; covering debit and credit card fraud only. So is that the
reason? Well, no it isn’t. The CIFAS report states that plastic card fraud has increased
by 6.3% from 2010 to 2011 whereas the UK Cards Association says the overall rate has
decreased by 7%.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
My second observation is that the measures used were different – the CIFAS report
uses the number of frauds reported whereas the UK Cards Association report uses the value
of frauds. So the volume of frauds could have increased, but with a lower value. Even
if that is true, to characterise the trend as either ‘up’ or ‘down’ without considering
both measures at the same time is somewhat misleading.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
My third observation is that going to the next level of detail demonstrates an even
greater discrepancy between the two reports – a real devil in the details! The UK
Cards Association Report shows that “Card ID Theft” decreased by a massive 41%. This
is defined as a combination of “Account Takeover Fraud” and “Application Fraud”, but
the CIFAS report states that Account Takeover Fraud increased by 18.4% and Application
Fraud increased by 14.3%.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Where does this leave us? Apart from repeating the saying that has been attributed
to various 19th Century speakers of “lies, damned lies and statistics”, I think we
should all accept that, whether there has been an increase in volume of frauds or
a decrease in value, fraud is still a major risk that merchants need to address.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
We intuitively know that fraudsters do not ‘melt away’; they just find another way
to ply their trade, so we should not fixate on just using measures against, for example,
Card Not Present fraud but look more widely at all potential sources. Certainly the
wider CIFAS statistics show that nearly 60% of frauds reported are accounted for by
Identity Fraud and Facility Takeover Fraud. One type of potential source of identification
data that fraudsters have started to attack is membership schemes, such as with the
Sony PlayStation Network compromise last year. Merchants need to be on the alert that
risk of fraud is not only from debit and credit cards but also, for example, from
loyalty programmes where there has not been as much focused attention on data security
as there has been for payments processes.
&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>Getting mobile wallets to cross the adoption chasm</title>
    <link rel="alternate" type="text/html" href="http://www.the-logic-group.com/blog/2012/03/08/GettingMobileWalletsToCrossTheAdoptionChasm.aspx" />
    <id>http://www.the-logic-group.com/blog/PermaLink,guid,7e7dfa83-223c-407c-9a15-6af1f9c3cfce.aspx</id>
    <published>2012-03-08T09:17:30.053+00:00</published>
    <updated>2012-03-08T16:33:18.8408492+00:00</updated>
    <category term="Mobile" label="Mobile" scheme="http://www.the-logic-group.com/blog/CategoryView,category,Mobile.aspx" />
    <category term="Payments" label="Payments" scheme="http://www.the-logic-group.com/blog/CategoryView,category,Payments.aspx" />
    <author>
      <name>Luben Solev</name>
    </author>
    <content type="xhtml">
      <div xmlns="http://www.w3.org/1999/xhtml">
        <p>
          <strong>Irrational Fears</strong>
          <br />
Have you ever had an irrational fear? I've had quite a few in my time, but today
I'll confess to one involving car windows. When I had older cars with manually
operated windows I had a phobia of cars with electric windows. My fear was that
if I drove one of these new-fangled electric-window cars, I'd have an accident on
a bridge or along a body of water, my car would break through the safety barriers
and would plunge into the dark icy waters. I'd try in vain to open the door,
but deformation from the crash would make that impossible. The waters would
flood the car electrics, also stopping the electric windows from functioning.
So, as I sit in the rapidly filling car I would curse the day I stopped using cars
with manual windows. You'll be pleased to know that I did get over my irrational
fear; it's now over 5 years since I began using cars with electric windows and I'm
still here.
</p>
        <p>
 
</p>
        <p>
          <strong>It's security, stupid</strong>
        </p>
        <p>
When I look at the recent hoo-ha surrounding the security vulnerabilities discovered
in Google Wallet it makes me think that others might too be suffering from an irrational
fear.  After all, for these vulnerabilities to be exploited, the miscreants need
to have physical access to the phone itself.  As such, Google's assertion that
the Google Wallet is still safer than the physical wallet holds.  After all,
cards are totally unprotected in your physical wallet.
</p>
        <p>
 
</p>
        <p>
What is slightly less irrational is the fear that a rogue app downloaded from an official
(or in some platforms unofficial) app store might allow the developer access to the
wallet and its contents. It goes back to the initial slow uptake of internet
banking on people's home PCs. People will be wary, but if the industry players
demonstrate that they are taking security seriously, it should happen.
</p>
        <p>
 
</p>
        <p>
Thus I don't think security fears are the key roadblock on the road to NFC nirvana. 
The two biggest issues driving adoption of wallets are the availability of NFC-enabled
smartphones and the fragmentation of mobile payment technologies.
</p>
        <p>
 
</p>
        <p>
          <strong>Show me the NFC phone/PED</strong>
        </p>
        <p>
The former point is illustrated beautifully by the fact that neither of the two biggest
selling smartphones in the UK last year (Samsung Galaxy SII and Apple iPhone 4S) sport
NFC. But 2012 may be a watershed year. Already all major phone manufacturers
bar Apple have announced NFC-ready phones and the much rumoured next iPhone outing
(iPhone 5 expected in September 2012) is also envisaged to sport the NFC standard.
On the other side of the equation 2012 also sees all major PED manufacturers rolling
out NFC-ready models into the marketplace.
</p>
        <p>
 
</p>
        <p>
          <strong>Together we stand, divided we fall</strong>
        </p>
        <p>
The fragmentation of mobile payment technologies though in my mind remains the single
biggest obstacle to mass adoption of mobile payments. Everyone seems to be trying
to build their own mobile payments fiefdom, with the newswires littered with press release
after press release on the launch of a mobile payment trial or technology. This
fragmentation not only makes life tough for handset manufacturers (who don't know
what they should be supporting in their upcoming handsets), but also muddies the
water for the media and the public at large.
</p>
        <p>
 
</p>
        <p>
What we really need is an industry-wide effort à la Chip &amp; PIN, which can give
us consistent branding and a reliable user experience, which together with much greater
marketing backing will really help drive adoption. A whole new industry is there
for the taking... if they only heed the advice of Khan Kubrat!*
</p>
        <p>
 
</p>
        <p>
* The Story of the dying days of Khan Kubrat (from Wikipedia):
</p>
        <p>
According to legend, on his deathbed the Bulgarian leader (632 AD – 665 AD) Khan Kubrat
commanded his sons to gather sticks and bring them to him, which he then bundled together. 
He commanded his eldest son Boyan to break the bundle.  Boyan failed against
the strength of the combined sticks, and so did the other sons in turn.  Kubrat
undid the bundle and broke each stick separately.  He then proclaimed to his
sons, "unity makes strength", which has become a commonplace Bulgarian folk slogan
and now appears on the modern Bulgarian coat of arms.
</p>
      </div>
    </content>
  </entry>
  <entry>
    <title>So what does Point to Point Encryption mean to me as a merchant?</title>
    <link rel="alternate" type="text/html" href="http://www.the-logic-group.com/blog/2012/02/21/SoWhatDoesPointToPointEncryptionMeanToMeAsAMerchant.aspx" />
    <id>http://www.the-logic-group.com/blog/PermaLink,guid,7b486241-68b0-4b36-94c8-436baff68645.aspx</id>
    <published>2012-02-21T15:01:02.853+00:00</published>
    <updated>2012-02-21T15:01:02.8537266+00:00</updated>
    <category term="PCI DSS" label="PCI DSS" scheme="http://www.the-logic-group.com/blog/CategoryView,category,PCIDSS.aspx" />
    <author>
      <name>Nick Dobson</name>
    </author>
    <content type="xhtml">
      <div xmlns="http://www.w3.org/1999/xhtml">
        <p>
As consumers we place our trust in retailers to provide the services and products
we require to a service level that we expect. A retail store provides a slick and
well presented mechanism to deliver products to the public in a fast, effective and
secure manner. However, behind the scenes the technology that underpins this process
can be woefully insecure.
</p>
        <p>
 
</p>
        <p>
It is reported that <a href="https://www.pcisecuritystandards.org/index.php" target="_blank">a
major European retailer is breached every week</a> and the reason we do not hear about
it: the retailer does not know about the breach themselves. In the past five years
there have been a number of high profile cases of card data theft from retailer systems
including security breaches of high profile businesses resulting in data loss. These
breaches have resulted in large fines being imposed and a loss of reputation for the
business in question. However, the impact to us as the consumer is often more painful.
The thought of your personal details being used by fraudsters to gain benefit because
the retailer you trusted has failed to protect you in the most basic way, can be frustrating.
That basic principle is to keep your personal information, your credit or debit card
secure and safe from prying eyes, and with <a href="http://www.buzzwordcreative.co.uk/UK-Cards-Annual-Report-2012/html/index.html#/1/" target="_blank">over
165 million cards in operation in the UK alone</a> that proves a significant challenge.
</p>
        <p>
 
</p>
        <p>
For those in the know, PCI DSS was established a number of years ago by the major
card schemes to provide a formal framework to reduce fraud in card payments. The framework
consists of a large number of points defined by 12 key requirements.
</p>
        <ol>
          <li>
Install and maintain a firewall configuration</li>
          <li>
Do not use vendor supplied defaults for passwords and other security parameters</li>
          <li>
Protect stored cardholder data</li>
          <li>
Encrypt transmission of cardholder data across open public networks</li>
          <li>
Use and regularly update anti-virus software or programs</li>
          <li>
Develop and maintain secure systems and applications</li>
          <li>
Restrict access to cardholder data by business need to know</li>
          <li>
Assign a unique ID to each person with computer access</li>
          <li>
Restrict physical access to cardholder data</li>
          <li>
Track and monitor all access to network resources and cardholder data</li>
          <li>
Regularly test security systems and processes</li>
          <li>
Maintain a policy that addresses information security for employees and contractors
</li>
        </ol>
        <p>
          <br />
So although PCI DSS forms an adequate and comprehensive route to reduce fraud, many
retailers have yet to fully meet the standard. The consequence is that your card data
is being placed at risk and is perhaps not stored as securely as it should be.
</p>
        <p>
 
</p>
        <p>
In recent years, solution providers have worked tirelessly to help provide retailers
with technically advanced and PCI DSS compliant solutions that help to reduce the
risk of breached data being used by fraudsters.
</p>
        <p>
 
</p>
        <p>
So have we finally reached a Eureka moment? In September 2011 the PCI Council approved
that in the correct scenarios and with the right hardware in place a solution could
help reduce payment card fraud. This solution, known as Point to Point Encryption
(P2PE), encrypts cardholder data at the point of capture and at no point during the
payment authentication process does the retailer gain access to this data. It is therefore
seen that P2PE effectively removes cardholder data from the retailer environment and
can instantly allow that retailer to meet a large number of the criteria of the 12
PCI requirements.
</p>
        <p>
 
</p>
        <p>
The impact on a retailer if the above solution is deployed correctly in their store
environment is that they can de-scope a large portion of their business from PCI DSS
whilst providing a secure and effective solution to their customers. Therefore the
PCI DSS requirements in the following areas are reduced:
</p>
        <ol>
          <li>
Network Segregation</li>
          <li>
Patch Management</li>
          <li>
Anti-Virus Management</li>
          <li>
Firewall Management</li>
          <li>
Logging and Audit Management</li>
          <li>
Remote Administration and Management</li>
          <li>
Intrusion Detection</li>
          <li>
Key Management and Encryption</li>
        </ol>
        <p>
 
</p>
        <p>
PCI DSS is not avoided, but the exposure of the retailer is greatly diminished, and this
includes reduced auditing based on cost savings in completing reports on compliance.<br />
So finally there is some good news for merchants - a solution that can help provide
the secure and efficient card processing that customers deserve. At the same time, whilst
securing card data, the cost of adhering to PCI DSS is dramatically reduced based on
the ‘out of scope’ approach. A breath of fresh air for both the retailer and the consumer,
as both can remove the chances of that valuable data falling into the wrong hands.
</p>
        <p>
 
</p>
        <p>
Surely a winning solution for all involved, except the fraudster of course……
</p>
      </div>
    </content>
  </entry>
  <entry>
    <title>Social Networks - Business Challenge or Opportunity?</title>
    <link rel="alternate" type="text/html" href="http://www.the-logic-group.com/blog/2012/02/15/SocialNetworksBusinessChallengeOrOpportunity.aspx" />
    <id>http://www.the-logic-group.com/blog/PermaLink,guid,b7de1a9b-bce2-45f6-ad6f-d29bd596cd85.aspx</id>
    <published>2012-02-15T09:24:29.846+00:00</published>
    <updated>2012-02-15T09:24:57.5500823+00:00</updated>
    <category term="Loyalty" label="Loyalty" scheme="http://www.the-logic-group.com/blog/CategoryView,category,Loyalty.aspx" />
    <author>
      <name>Nikki Gray</name>
    </author>
    <content type="xhtml">
      <div xmlns="http://www.w3.org/1999/xhtml">
        <p>
As the social media frenzy spirals on, the challenge for businesses trying to incorporate
social networks into their overall marketing strategy intensifies.
</p>
        <p>
 
</p>
        <p>
Fuelled by mobile devices, which give users access wherever they are and whenever
they want it, social networks will continue to become an integral part of our lives.
And with it, our expectations will grow. Consumers will expect a unique experience,
offers, rewards and games in return for their engagement with a brand through social
networks. Although this presents a challenge to organisations, the opportunities to
reach their consumers and target them with relevant communications at the right time
open up further. Facebook is already allowing retailers to offer customer promotions
specific to location when users “check-in” via Facebook Places. Not only does this
make the offer more significant to the consumer’s location, the message is far reaching,
as users also broadcast the offer to friends through the network.
</p>
        <p>
 
</p>
        <p>
However, the downside of consumers being able to share and talk openly with friends
about your brand is that they are only too happy, and often more likely, to share
the bad experiences with each other. Organisations need to keep on top of these too
and respond to the criticisms so they are seen to be doing the right thing. Many hotel
chains are doing this by monitoring holiday review sites and responding immediately
with an apology if a customer leaves a bad review. Taking this further and rewarding
those who have had a bad experience could help to retain these customers and encourage
them to talk positively about the brand through the social media channels. However,
to ensure this works, organisations need to invest significant resource to monitor
social media feeds and respond to the consumers before the damage is done.
</p>
        <p>
 
</p>
        <p>
As more organisations build out their marketing presence in social networks, the importance
of developing a clear social media strategy becomes evident. Organisations need to
establish what role they want a social media platform to play, how this can be achieved
and how success will be measured. Is it to be used as an advertising tool, to direct
targeted offers to the right customer at the right time, or to provide a customer
service function? What resource is required to make it work in this way, and how will
we know it is working?<br />
Each area of the business should define its own objectives and be committed to making
the social media strategy work for them. Marketing will want to use social networking
to find new ways to reach consumers, operations can use it to reduce the time spent
answering queries as consumers seek advice from social network friends, product development
can use it to generate new product ideas from the consumers themselves. If each area
has its own clear objectives, forming the basis of the overall social strategy, everyone
will be focused on making it a success.
</p>
        <p>
 
</p>
        <p>
As organisations attempt to get this right, ultimately it is the users of these networks
who hold the key to its success. If organisations listen to what their consumers have
to say, respond and reward, they will create an engaging online experience, which
will turn even the biggest brand critic into a brand advocate. The organisation that
can make this a success, and have social networks in their marketing toolbox, will
have a distinct advantage over the competition.
</p>
      </div>
    </content>
  </entry>
  <entry>
    <title>Report from PCI London - Changes in approach in dealing with PCI DSS</title>
    <link rel="alternate" type="text/html" href="http://www.the-logic-group.com/blog/2012/01/27/ReportFromPCILondonChangesInApproachInDealingWithPCIDSS.aspx" />
    <id>http://www.the-logic-group.com/blog/PermaLink,guid,b8d9bd57-2c33-44ee-9e4b-40c4afb14d4e.aspx</id>
    <published>2012-01-27T17:07:00.094+00:00</published>
    <updated>2012-01-27T17:07:00.0940332+00:00</updated>
    <category term="PCI DSS" label="PCI DSS" scheme="http://www.the-logic-group.com/blog/CategoryView,category,PCIDSS.aspx" />
    <author>
      <name>Robin Adams</name>
    </author>
    <content type="xhtml">
      <div xmlns="http://www.w3.org/1999/xhtml">
        <p>
Well as usual, I attended PCI London this week, which is probably my fourth or fifth
one over the years. As always it was very well attended, which was encouraging as
it demonstrates that merchants, schemes and service providers continue to treat security
seriously, even in these difficult times.
</p>
        <p>
 
</p>
        <p>
It has been interesting to see the changes in approach.
</p>
        <p>
 
</p>
        <p>
Initially at my first one, the event had an educational bias. “What is PCI DSS, who
does it impact, what does it mean?”
</p>
        <p>
 
</p>
        <p>
Then it moved to a more supplier centric focus, with many presentations talking about
technology and solutions which would allow a merchant to meet a variety of controls
within the standard.
</p>
        <p>
 
</p>
        <p>
Over this and the last event in the summer of 2011, the focus has moved again and
there has been a definite move across to focusing on the data which would be considered
within the scope of the assessment and how to reduce the footprint of this data within
the merchant environment. Indeed we had a full house at the seminar I gave with our
partners from Semafone focussed directly on how to reduce the scope of an assessment
when a merchant has multiple payment channels such as card present, e-commerce
and call centre environments.
</p>
        <p>
 
</p>
        <p>
Alongside this, there has been a big push in the area of data discovery to help define
where the cardholder data actually is. I saw more people talking about PAN discovery
than ever before, with a number of booths offering solutions in this area at various
stages of maturity.
</p>
        <p>
 
</p>
        <p>
The talks themselves ranged in topic and quality, as they always do. This time there
seemed to be more focus on merchants describing how to approach a PCI DSS programme.
What was encouraging to see was a maturity of approach; moving away from just treating
compliance as a PCI project with a specific end date when all resources are released
to a more holistic approach of developing a security architecture and security management
system to meet and continue to meet compliance requirements including PCI DSS.
</p>
        <p>
 
</p>
        <p>
As always, there was an interesting approach taken by Barclaycard, talking about the
new dimension and how this would encompass the <a href="http://en.wikipedia.org/wiki/Chief_information_security_officer" target="_blank">CISO</a>,
and how the CISO role would move from just a technical security perspective to becoming
a business enabler, helping the business to achieve their aims in a secure and compliant
manner. There was a lot of discussion about risk management and risk assessments and
how this can be embedded within a PCI DSS model. As we all know, PCI DSS remains a
prescriptive standard. However the requirement for risk assessments has been raised
up to a milestone 1 control in the PCI DSS Priority based approach which demonstrates
how the PCI SSC are trying to incorporate risk modelling and assessments into the
standard. This risk based approach continues to be developed and one of the <a href="https://www.pcisecuritystandards.org/organization_info/special_interest_groups.php" target="_blank">PCI
SSC Special Interest Groups</a> is directly focussed on this particular issue. I think
it will be a case of watch this space, to see what comes out of this.
</p>
        <p>
 
</p>
        <p>
With regard to The Logic Group and our stand at the event, we had many visitors to
the stand, the majority of whom seemed very keen to discuss the Point to Point encryption
(P2PE) and hosted Paypage type solutions on offer.
</p>
        <p>
 
</p>
        <p>
When people come back in a few years' time to reflect on the effect of PCI DSS within
the UK I suspect one of the findings will be that many merchants used the standard
as a reason to move from an in-house to a managed service payment solution.
</p>
        <p>
 
</p>
        <p>
So a successful day and I suspect the next one later in the year will have further
to say in these areas of defining and reducing scope and risk management and assessment
for PCI DSS.
</p>
      </div>
    </content>
  </entry>
  <entry>
    <title>Social Networks – Intuitive or Intrusive?</title>
    <link rel="alternate" type="text/html" href="http://www.the-logic-group.com/blog/2012/01/23/SocialNetworksIntuitiveOrIntrusive.aspx" />
    <id>http://www.the-logic-group.com/blog/PermaLink,guid,8b115659-7330-41ea-a549-a38fd926ad33.aspx</id>
    <published>2012-01-23T09:27:16.501+00:00</published>
    <updated>2012-01-23T13:27:30.3488416+00:00</updated>
    <category term="Customer Interaction " label="Customer Interaction " scheme="http://www.the-logic-group.com/blog/CategoryView,category,CustomerInteraction.aspx" />
    <category term="Loyalty" label="Loyalty" scheme="http://www.the-logic-group.com/blog/CategoryView,category,Loyalty.aspx" />
    <author>
      <name>Nikki Gray</name>
    </author>
    <content type="xhtml">
      <div xmlns="http://www.w3.org/1999/xhtml">
        <p>
Recently I saw an example of a business using social media to provide outstanding
customer service and enhance its brand image. The Dutch airline KLM presented gifts
to customers who had mentioned KLM to the world via Twitter prior to boarding the
flight. These customers seemed pleasantly surprised that KLM airport staff not only
knew they had tweeted, but also knew their interests and the type of gift they would
like. They knew all of this because they had a team of people monitoring social network
feeds for mentions of their brand. They then looked up the social network profile
of these brand advocates to establish their interests, purchased the gifts and presented
them to the customer within hours of the tweet or Facebook post. The fitness enthusiast
was more than pleased to receive a GPS heart rate monitor watch, and the music aficionado
an iTunes voucher. One would assume this then led to more tweets about the <a href="http://surprise.klm.com/" target="_blank">“KLM
Surprise”,</a> and a very happy customer who would most likely pick KLM as their airline
of choice in the future. So, for KLM, mission accomplished. A happy, loyal customer
and free positive PR for the brand.
</p>
        <p>
        </p>
        <p>
I watched the video of this exchange in amazement. Initially I thought it was great,
but then I began to doubt whether I would be so happy that an organisation was able
to find out so much about me in the space of a few hours. It’s great to get a free
gift every now and again but am I comfortable that an organisation can find out so
much about me in order for me to get it?
</p>
        <p>
        </p>
        <p>
Privacy on social networking sites has garnered a lot of media attention in terms
of the sharing of users’ personal data. This has resulted in sites improving privacy
options, allowing users to choose what other users can see and restricting access
to certain aspects of their personal profile. However, the process isn’t straightforward
and can be extremely lengthy, as a user goes through every feature of the site setting
permissions against them. Many users probably don’t bother. You could then argue that
if they haven’t set their privacy options they are consenting to the data being used.
And does it really matter if as a result they are receiving more relevant ads when
they access the social network pages, and, in the case of KLM, free gifts based on
their interests and hobbies? Also if users are engaging with social networks - posting
about brands, liking products - it stands to reason that they would be happy to, and
may even expect to receive something from the organisation to reward this behaviour.
</p>
        <p>
        </p>
        <p>
I am sceptical. I consider myself to be a passive social network user. I use it to
fill the spare minutes I have in the day when I am bored and feel I have to be doing
something. So, walking to town at lunch time, sitting on a train, having a coffee,
I get out my mobile phone, browse the internet and log in to Facebook. I probably
log in several times a day, but all I do is read what my friends are doing. I don’t
update my own status and I don’t comment on theirs. I just read how my friends are
eating their breakfast, feeling tired, looking forward to the weekend, and I think
how bored they must be to be writing about it. But then I’m reading it. And that’s
where I can recognise the power of social networks.
</p>
        <p>
        </p>
        <p>
Even if you are a low engager, as I consider myself to be, you can still be influenced
by the content on there. If any of my friends comment on music they are listening
to, what they are eating, things they ‘like’, these things will be in my mind. I might
search for the track to see if it’s something I would also enjoy, I might be tempted
to buy the bar of chocolate they mentioned, and I might watch the TV show they “liked”
if there is nothing on when I get home. So, for organisations, social networks are
valuable tools for getting their brands talked about, getting in the front of mind
of the consumer. <a href="http://www.comscore.com/Press_Events/Press_Releases/2011/12/Social_Networking_Leads_as_Top_Online_Activity_Globally" target="_blank">A
recent report</a> claimed social networking accounted for nearly 1 in every 5 minutes
spent online globally, ranking as the most engaging online activity worldwide. These
networks could be the most important consumer database at an organisation’s disposal,
providing valuable consumer insight to enable refined targeting and strengthen the
relationship with their consumers to build brand loyalty. It is therefore important
that organisations get it right. If the users of these networks accept its intrusive
nature, and feel their experience is enhanced through the use of social networks as
a promotional tool, it can work in an organisation’s favour. But there is a fine balance
to be struck between engaging and offending, and any business entering into this space
should do so with care.
</p>
      </div>
    </content>
  </entry>
  <entry>
    <title>Damned if we do and damned if we don’t?  Why the contrary British shopper will never be 100% happy with loyalty schemes.</title>
    <link rel="alternate" type="text/html" href="http://www.the-logic-group.com/blog/2012/01/13/DamnedIfWeDoAndDamnedIfWeDontWhyTheContraryBritishShopperWillNeverBe100HappyWithLoyaltySchemes.aspx" />
    <id>http://www.the-logic-group.com/blog/PermaLink,guid,e6b0d0ff-1614-43ea-9cf0-a3e1ae7d9013.aspx</id>
    <published>2012-01-13T10:43:34.223+00:00</published>
    <updated>2012-01-13T10:43:34.223294+00:00</updated>
    <category term="Loyalty" label="Loyalty" scheme="http://www.the-logic-group.com/blog/CategoryView,category,Loyalty.aspx" />
    <author>
      <name>Fiona Moss</name>
    </author>
    <content type="xhtml">
      <div xmlns="http://www.w3.org/1999/xhtml">
        <p>
          <img border="0" alt="Ipsos" align="right" src="http://www.the-logic-group.com/blog/images/guest-ipsos.jpg" width="112" height="117" />
          <a href="http://www.the-logic-group.com/Product/Loyalty%20Report%202011" title="Loyalty Survey 2011" target="_blank">Our
latest research for The Logic Group</a> shows that, of those of us who are members
of loyalty schemes, an impressive 69% are satisfied with them and only 5% dissatisfied.
</p>
        <p>
 
</p>
        <p>
What the research also finds is that the British consumer is a contrary creature who
at once accepts the rewards that loyalty schemes bestow on them, while rejecting the
mechanisms that make these rewards useful.
</p>
        <p>
 
</p>
        <p>
So the question remains: will consumers ever be happy with loyalty schemes?
</p>
        <p>
 
</p>
        <p>
The research shows that points, discounts, rewards, vouchers and freebies are the
top five reasons for satisfaction with schemes – clearly scheme satisfaction is all
about getting a bargain. This is not, then, fuzzy warm consumer loyalty that we are
witnessing, nor indeed are consumers even maintaining the pretence of such emotional
ties – consumers are members of schemes and repeat shop with their brands for one
primary reason: <em>to get money off</em>.
</p>
        <p>
 
</p>
        <p>
But this is where consumers start to be contrary. If getting money off is the reason
for scheme satisfaction, it is also the reason for dissatisfaction: offers and rewards
also top the “reasons to be dissatisfied” table.
</p>
        <p>
 
</p>
        <p>
So what is it that is right sometimes and wrong at other times? In a word, <em>relevance</em>.
What the good schemes have got right is that their offers are useful: consumers can
readily use them, and they use them for purchases that resonate with their lifestyles.
In more concrete terms consumers expect financial reward for purchases that they would <em>normally</em> be
making – or rewards for ‘near enough’ to normal purchases. And this is exactly where
the less successful schemes fall down: offers are not relevant (cat food for a person
with no cat); or rewards are perceived as too slow to gather (no reward at all if
it never comes).
</p>
        <p>
 
</p>
        <p>
But here consumers get even more contrary. In a world where consumers are open about
their somewhat mercenary motives for joining loyalty schemes, they remain markedly
reluctant to accept that organisations proffer loyalty schemes for equally mercenary
reasons. In other words, while consumers will happily criticise the scheme that gives
vouchers for nappies to a childless singleton, they are not always so willing to embrace
the fact that the same technology that ensures this does not happen also gathers information
about them.
</p>
        <p>
 
</p>
        <p>
To this end the same research found that two-in-five (38%) consumers agreed that they
prefer to receive general offers, rather than rewards tailored to their shopping habits
(while only one-in-five (21%) disagreed). When we probed the apparent contradiction
between this and the reasons consumers gave for being satisfied with their schemes
in focus groups, the same rationale came up time and time again: they do not like
‘big brother’ watching them, and they certainly do not like the feeling that the brand
is in any way intruding into their everyday worlds. Schemes that do this too brazenly
therefore can become vilified for making use of the very mechanism that previously
ensured their popularity.
</p>
        <p>
 
</p>
        <p>
So what remains for loyalty schemes is the fine line between overt intrusions into
consumers’ lives, and providing rewards that – through lack of ‘intelligence’ – never
really quite hit the mark. Ultimately then, loyalty schemes, however dependent they
are on complex and sophisticated technology, and however closely they monitor their
customers, need to remain light-handed and discreet – the perfect counterfoil to the
more brazen, bargain-hunting consumer.
</p>
      </div>
    </content>
  </entry>
  <entry>
    <title>‘New Year – New You’ Taking the plunge into PCI Compliance…</title>
    <link rel="alternate" type="text/html" href="http://www.the-logic-group.com/blog/2012/01/09/NewYearNewYouTakingThePlungeIntoPCICompliance.aspx" />
    <id>http://www.the-logic-group.com/blog/PermaLink,guid,eeaf5989-d64e-4052-96c8-c9550575a068.aspx</id>
    <published>2012-01-09T12:09:36.767+00:00</published>
    <updated>2012-01-09T12:09:36.7670932+00:00</updated>
    <category term="PCI DSS" label="PCI DSS" scheme="http://www.the-logic-group.com/blog/CategoryView,category,PCIDSS.aspx" />
    <author>
      <name>Ian Campbell</name>
    </author>
    <content type="xhtml">
      <div xmlns="http://www.w3.org/1999/xhtml">
        <p>
Like many people out there, I stood on my bathroom scales a few days after Christmas,
and after pushing my belly to one side in order to read the dial, decided that this
year has got to be the year that I do something about shifting those excess pounds.
Yes I’d promised myself in previous years that I would lose weight and get fitter,
but never really got round to it, always finding other ‘More Important’ things to
concentrate on. But this year I simply have to act.
</p>
        <p>
 
</p>
        <p>
I wonder how many IT Directors or Heads of Finance are wondering the same sort of
thing regarding PCI compliance? Having put it off for a few years in the hope it will
just ‘Go away’, this year may just be the year they decide to face this challenge
head on.
</p>
        <p>
 
</p>
        <p>
It’s a daunting prospect, and whilst for me, there is no more frightening word in
the English Language than the word ‘Diet’, many business leaders may feel the same
way about the word ‘Audit’.
</p>
        <p>
 
</p>
        <p>
So how do I go about it? Well, first things first, I shouldn’t be afraid to ask for
help. There’s plenty of support out there for people like me, and ‘outsourcing’ some
of this to gyms or diet clubs is definitely an option to consider if it will help
me achieve my goal. These places will have the technology and the expertise to help
me, rather than going it alone. The same can be said for a trusted payment service
provider. By utilising the technology and expertise that these companies provide,
the path to PCI compliance could well be much smoother.
</p>
        <p>
 
</p>
        <p>
However, in the same way losing weight can only be achieved by a combination of exercise
and a healthy diet, PCI compliance can only be achieved by a combination of technology
and secure business process. Spending a huge sum of money on the latest software/service
is no use unless your internal procedures are designed with security in mind.<br />
To go one step further, a Personal Trainer can help me by discussing my specific situation,
goals and limitations and build a plan that fits my lifestyle. A QSA should be viewed
in the same way. They shouldn’t be seen as there to simply tick boxes, but if the
relationship is more ‘Consultative’, the QSA will understand your business in more
detail, and will be better able to make recommendations, not just on PCI compliance
but on security processes as a whole.
</p>
        <p>
 
</p>
        <p>
But why bother…what’s the point? Gyms, diet clubs, Personal Trainers, it could all
be pretty expensive. Well we all know the risks if we don’t lose weight, just as we
should all know the risks of non-compliance by now, but the same ‘It will never happen
to me’ attitude probably sits in the back of all our minds. But the benefits should
also be a huge factor in our decision to act. Looking, feeling and being fitter is
surely motivation enough; add this to the fact that I will no longer have to
reach - in a mixture of hope and despair - to the back of the rail when hoping to try
on clothes, and I’m sold. A more secure business environment doesn’t just benefit
card data, but any other sensitive information/business asset.
</p>
        <p>
 
</p>
        <p>
Finally, what if I achieve my goal and lose the weight. Does the work stop there?
It is tempting to view the effort of PCI as simply getting to a point when you become
compliant. However this is really just the start of the journey, not the end. By continuing
the good work already undertaken, maintaining focus, and not being afraid to ask for expert
help if required, we can all stare at the scales every New Year’s Day, and feel pretty
good about ourselves.
</p>
      </div>
    </content>
  </entry>
</feed>
