Challenger Banks & Cybersecurity Technology Gap

January 16, 2020

When it comes to fighting ecommerce fraud, we’re all in it together, every participant in the online payments economy: banks, payment processors, merchants, card networks. This isn’t just a feel-good call for unity—it’s a recognition of the fact that when consumers are victimized by fraudsters, hackers, and other cybercriminals, they tend to be very equitable about sharing the blame among every company that was involved in the incident, whether or not they were actually responsible. How can you maintain the trust of your customers and preserve your reputation when you’re likely to get held accountable for the gaps in another company’s cybersecurity?

Imagine that a fraudster uses payment credentials stolen from Merchant A to make a purchase with Merchant B. When the cardholder finds out, they’re going to be frustrated that Merchant A’s security measures were insufficient, but fairly or not, they’re also going to be upset with Merchant B for accepting the fraudulent transaction, with their issuing bank for failing to pick up on the early warning signs of fraud, and with the card network for allowing the transaction to be processed. And of course, Merchant B will be on the hook for the chargeback.

Banks are going through similar issues, especially in the United Kingdom where laws were recently changed to make it easier to start up newer, smaller retail banks. Lacking the infrastructure, capital, and collective experience of the “big four” banks they’re competing with, these so-called challenger banks struggle to keep their cybersecurity protocols as strong as the larger banks’ and get preyed upon by opportunistic fraudsters.

Who’s Responsible for Stopping Fraud?

These days, it takes a village to process a simple credit card payment, and every stop the transaction data makes on its way from the payment processing terminal to the merchant’s bank account is a potential point of vulnerability for fraudsters to attack.

It doesn’t make much difference if the cardholder’s acquiring bank is employing expensive, state-of-the-art anti-fraud technology if the merchant doesn’t bother requiring strong passwords and the payment processor is waiting until the next profitable quarter to invest in up-to-date security tools. As soon as the fraudsters can get their hands on a card number and its authenticating credentials, they’re off spending other people’s money.

Ironically, the cardholder will probably feel just as negatively toward their acquirer—the most secure link in the chain, in this hypothetical scenario—for the simple reason that they have more of an established business relationship with their acquirer and will therefore feel more let down by their failure to protect them from fraud than they would toward the merchant (who they’ve perhaps only shopped with a few times) or the payment processor (whose existence they are barely aware of).

These distorted patterns of blame allocation in the aftermath of fraud are part of the reason why some banks are hesitant to question or push back against their customers’ attempts to dispute transactions that may not actually count as fraud. When a bad experience with fraud can quickly turn years of customer goodwill to ashes, banks are eager to try to create good outcomes for unhappy customers.

Unfortunately, when banks are too accommodating and allow bogus disputes to turn into friendly fraud chargebacks, merchants are stuck having to fight these claims or take the financial hit.

Are regulations helping or hurting?

Compounding the problem is the fact that open banking regulations like the Revised Payment Services Directive are creating requirements for banks to share data with each other. In places where data sharing is not mandated by law, financial institutions may end up doing it anyway in order to participate in high-speed payment processing networks.

This means that data that once might have been protected behind a single, highly secure institution now has multiple locations and potential vulnerabilities for fraudsters to target. Worse yet, low-security banks can compromise the defenses of their more secure partners if they mistakenly validate fraudulent transactions as “trustworthy” due to their use of outdated or insufficient fraud detection technology.

While fraudsters usually seek out the path of least resistance, it’s always a mistake to think of them as lazy or foolish. The tools they devise are highly sophisticated, their methods are rigorous and well-tested, and their persistence must never be underestimated. In a system with a mix of strong and weak security measures, the fraudsters will find the weaknesses and leverage them to gain access to the more secure areas.

Are traditional banks or challengers more secure?

Let’s not forget that it isn’t always the little up-and-coming banks who are at fault for security breaches. Huge financial institutions like Wells Fargo and Capital One have experienced severe data breaches in recent years, exposing millions of consumers to the predations of fraudsters.

While merchants can vote with their dollars and choose to enter into banking and business relationships with financial institutions that have demonstrated a commitment to (and competence in) cybersecurity and fraud prevention, no bank, no matter how large, can truly guarantee protection against hackers and fraudsters. As long as the technology we use to process payments keeps evolving, there will be unforeseen vulnerabilities and blind spots that cybercriminals will be waiting to pounce on.

However, other than making the most informed choices they can about which banks offer the strongest protection against fraud, there’s not much merchants can do to change the realities of the situation. This is why it is so important to take as much fraud prevention into your own hands as you can.

Conclusion

For the sake of your bottom line and your reputation, it’s important to be able to point to the steps you’ve taken to protect your customers and their data from outside attacks. Payment processors may offer you a range of options to tighten or loosen security controls to screen out possibly-fraudulent payments. Security measures like 3-D Secure, two-factor authentication, strong password requirements, and other tools and procedures are always available. Educating yourself and your staff to recognize possible signs of fraud is very important too, provided that you empower them to decline or investigate suspicious transactions when they encounter them.

Fraud is a problem with tentacles that reach into every aspect of ecommerce and online security. The banks are fighting their own battles trying to balance the need for speed, convenience, and affordability against airtight security, and merchants cannot just rely on faith that big multi-billion dollar institutions will necessarily have the resources to shelter them from fraud. Every little thing you can do to make your business and your customers more secure will help you hold on to your revenue and avoid costly chargebacks.

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com