The holiday season is a peak selling period for merchants and is often the ‘make or break’ for annual performance figures.  In the US, the shopping season starts as early as October around Halloween, and by mid-November the momentum is maintained with Thanksgiving and Black Friday, followed closely by ‘Cyber Monday’.  Now the Chinese ‘Singles Day’ (11th November) has been slotted into the schedules of many of the largest Western merchants, including, for example, Macy’s.  The Christmas shopping season in Europe starts around mid-November, when many shopping malls and high streets turn on the Christmas lights and German-style Christmas markets are set up.

Mark Beresford, Head of the Retailer Payments Practice at Edgar, Dunn & Company, recently caught up with Mitch Muroff, the CEO and founder of Curaxian.  Curaxian helps merchants and processors solve risk and payment related challenges and develop best-in-class risk and payment operations.  Mitch and his team at Curaxian have developed a range of solutions for more than 75 leading merchants representing more than $400 billion in annual transaction volume.

Mitch was keen to talk about the fact that the holiday season is a time when criminals will attempt to exploit merchants who are typically overwhelmed with unusually high transaction volumes.  According to the Global Fraud Index published by PYMNTS.com, the total global fraud-related costs to merchants are more than $60 billion per year.  One topic that we felt was of interest was the recent data breach at Equifax.  Mitch said that ‘data is the fuel that powers increasingly sophisticated attacks against merchants’.

The data breach at Equifax, which occurred from mid-May through July 2017, was not exceptional in terms of the number of records accessed or the number of individuals affected; however, the nature, quality, and value of the information that was stolen were unprecedented.

Criminals have long had access to stolen payment card numbers, but never have they had access to so much high-quality data about so many consumers. What’s more, this data has a long life. When a cardholder reports that their card has been compromised, the card can be cancelled by the issuer, rendering the account useless.  The address of a consumer, by contrast, is valid for as long as the consumer lives there, and a Social Security number and date of birth are never going to be changed.  This was much more than just a data breach, it was a catastrophe in terms of consumer authentication – it was an identity crisis on a mass scale.

Knowing a consumer’s name, current or prior address, date of birth, and Social Security number could allow an attacker to obtain nearly any additional data about that consumer from other data sources, since those are the data elements typically used to authenticate and locate additional information about a person.

Mitch reminded me that the data accessed was not just related to U.S. citizens: he said that the Equifax breach included data on 400,000 to 700,000 U.K. consumers.  In summary, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.  Equifax also identified unauthorized access to personal information for certain U.K. and Canadian residents.  As for the magnitude of the breach, Equifax has assessed that a total of 145.5 million accounts were affected.

New Account Applications

New payment cards can often be opened online with nothing more than a name, address, Social Security number, and date of birth as the identifying elements. Issuers may verify that data against the very same data sources that were breached. If an issuer verifies the data entered into an online application form against a database service provided by Equifax to determine whether the application is legitimate, it’s likely the data provided by the criminal will match exactly.

Mitch is expecting an increase in fraud attacks on merchants using new cards fraudulently opened by criminals using the data stolen from Equifax.  He also said that these types of attacks will be particularly challenging for merchants to detect because the criminal is the cardholder, so typical strategies used by merchants to determine cardholder authorization for the transaction are more likely to be passed by the attackers.

Shipping Goods To The Billing Address

Merchants, as a risk management policy, will look closely at orders not being shipped to the billing address of the cardholder.  Shipping the goods to the cardholder provides no value to the criminal unless the criminal is being rewarded for the transaction through another means, such as an affiliate program.  This is a problem for the fraudster who would prefer to place an order and ship to an address that is different to the billing address.  This will usually expose them to increased screening by the merchant.  Shipping the goods to the cardholder’s address, then trying to redirect the order after it’s been shipped is a strategy that can be thwarted by merchants who direct their fulfilment partners to disallow redirection requests. Mitch believes the real challenge for merchants is to implement an effective process to distinguish between the address change attack executed by a criminal and a valid address change from a legitimate customer. Click and Collect is another loophole that criminals have targeted to intercept goods by collecting them at the store location.

Merchants offering digital goods, such as music streaming, online gaming, or services, are at a considerably higher risk of attacks using accounts opened by criminals with stolen identities, since there is no need for the criminal to establish a link with a specific physical location to receive the goods.  Mitch believes that few digital goods or services have sufficient value to be worth using an account created with a stolen identity.  However, among merchants that don’t ship physical goods, the greater risk lies with those who provide services of higher value, such as airlines and train operators.  These two merchant categories are expected to face intensifying attacks involving the purchase of high-value tickets in premium cabins or first-class seats, with short lead times between the time of the booking and the time of departure.

Mitch said that merchants in the digital or service segment should be very careful in evaluating their existing policies to determine whether there are sufficient compensating controls in place to detect exceptionally clean orders with completely matching identity information.  He went on to describe a key question that digital services merchants should be asking themselves: “If a criminal has a full identity because of the Equifax data breach and passes our identity checks, then what other controls are in place to detect a fraudulent attack?”  If there are no other controls in place, then how can they reasonably expect to stop a large-scale attack with this characteristic?  Such a merchant is exceptionally vulnerable to a high-scale clean order attack driven by the Equifax data breach.  If this vulnerability is found, it is essential to develop stricter controls that can identify such an attack.
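As an added illustration of the compensating controls discussed in the last three sections (this is example code written for this article, not Curaxian’s product or anything from the interview), the following order screen deliberately does not treat a perfect identity match as a pass.  It scores the signals the text names (ship-to differing from billing, new account, high value, short booking-to-departure lead time, premium cabin), applies the fulfilment policy of refusing post-shipment redirection, and adds a batch-level check for an unusual share of “clean” new-account orders, which is what a high-scale clean order attack looks like in aggregate.  The field names, thresholds and sample orders are all constructed assumptions for the example; a merchant would tune them against its own history.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds are assumptions for this example, not figures from the article.
HIGH_VALUE = 1000.0            # order value treated as high
NEW_ACCOUNT_DAYS = 30          # an account younger than this is "new"
SHORT_LEAD_HOURS = 48          # travel booked this close to departure is short lead time
CLEAN_NEW_ACCOUNT_SHARE = 0.2  # share of a batch above which a clean-order surge is flagged


@dataclass
class Order:
    order_id: str
    identity_match: bool          # name, address, DOB and SSN all matched the bureau check
    account_age_days: int
    order_value: float
    goods_type: str               # "physical", "digital" or "travel"
    ship_to_billing: bool = True  # physical goods only
    lead_time_hours: Optional[int] = None  # travel only: booking to departure
    premium_cabin: bool = False   # travel only


def is_clean_new_account(order: Order) -> bool:
    """A perfect identity match on a brand-new account is exactly the profile a
    stolen-identity account presents, so it is treated as a signal, not a pass."""
    return order.identity_match and order.account_age_days < NEW_ACCOUNT_DAYS


def screen_order(order: Order) -> Tuple[str, int, List[str]]:
    """Compensating controls that do not depend on the identity check alone."""
    score, reasons = 0, []
    if order.goods_type == "physical" and not order.ship_to_billing:
        score += 2
        reasons.append("ship-to differs from billing address")
    if order.account_age_days < NEW_ACCOUNT_DAYS:
        score += 1
        reasons.append("new account")
    if order.order_value >= HIGH_VALUE:
        score += 1
        reasons.append("high value")
    if order.goods_type == "travel":
        if order.lead_time_hours is not None and order.lead_time_hours <= SHORT_LEAD_HOURS:
            score += 2
            reasons.append("short lead time to departure")
        if order.premium_cabin:
            score += 1
            reasons.append("premium cabin")
    if order.goods_type in ("digital", "travel") and is_clean_new_account(order):
        score += 1
        reasons.append("clean identity on new account, nothing shipped to a physical address")
    if score <= 1:
        decision = "approve"
    elif score <= 3:
        decision = "review"
    else:
        decision = "decline"
    return decision, score, reasons


def handle_address_change(shipped: bool, verified_out_of_band: bool) -> str:
    """Fulfilment policy from the article: no redirection once goods have shipped.
    A pre-shipment change is accepted only after confirmation with the customer via
    contact details already on file (the verification step itself is assumed)."""
    if shipped:
        return "denied: post-shipment redirection is not accepted"
    if not verified_out_of_band:
        return "review: confirm the change with the customer before fulfilment"
    return "allowed"


def detect_clean_order_surge(orders: List[Order]) -> Tuple[bool, float]:
    """Batch-level control: one clean order looks fine on its own; an unusual share
    of clean new-account orders in a batch is the large-scale attack pattern."""
    if not orders:
        return False, 0.0
    share = sum(1 for o in orders if is_clean_new_account(o)) / len(orders)
    return share > CLEAN_NEW_ACCOUNT_SHARE, share


# Constructed sample orders (not real data): every one passes the identity check.
SAMPLE_ORDERS = [
    Order("O1", True, 400, 120.0, "physical"),
    Order("O2", True, 2, 2400.0, "travel", lead_time_hours=12, premium_cabin=True),
    Order("O3", True, 5, 15.0, "digital"),
    Order("O4", True, 900, 1500.0, "physical", ship_to_billing=False),
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        print(o.order_id, *screen_order(o))
    print("post-shipment redirect:", handle_address_change(shipped=True, verified_out_of_band=True))
    print("clean-order surge:", detect_clean_order_surge(SAMPLE_ORDERS))
```

Run as-is, the four sample orders all pass the identity check, yet only the long-standing account buying a modest physical item shipped to its billing address is approved; the short-lead-time premium travel booking on a two-day-old account is declined, and the batch check fires because half the orders are clean new accounts.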

The GDPR In Europe

During our conversation, I spoke to Mitch, who mainly serves the North America market, about the General Data Protection Regulation (GDPR) in Europe and the potential implications for US businesses – especially processors of data, such as Equifax.  In some cases, Equifax will be a data controller in its own right.  The GDPR will apply across Europe from 25th May 2018.  It is a regulation, not a European Directive; therefore, it will become law on 25th May 2018 without the need for any more debate amongst the 28 Member States of Europe.  The GDPR is legislation that has already been approved and is ready to go live.  The UK government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

The GDPR will see huge changes in the protection of personal data, data privacy and the rights of data subjects (people who reside in the European Union).  This is not just about EU citizens; it is about everyone who resides in the EU.  According to Eurostat, there are an estimated 510 million citizens living in the EU, and 2.4 million of them are from countries outside the EU.

One of the key articles in the GDPR relevant to the Equifax data breach is the set of rules around data breaches, specifically Article 33.  From 25th May 2018 there will be increased responsibilities for data controllers and data processors.  Data controllers and data processors (companies using personal data on behalf of others) will have specific legal obligations to maintain records of personal data and processing activities.  Data breach reporting will also change under the GDPR.  Data controllers will be obliged to notify the national competent authority (NCA) in their member state within 72 hours from the moment they are sufficiently aware that a data breach has taken place and where it is likely to result in a risk to the rights and freedoms of individuals.

Where the breach poses a high risk to individuals’ rights and freedoms, those individuals must also be notified.  Under the new regulation, the regulator intends to make public any breaches, such as the Equifax example.  This is likely to result in severe reputational damage and may impact the stock of publicly listed companies.  It is important to consider supply-chain risk when outsourcing: a firm (the data controller) outsources to an external service provider (a data processor), and that service provider itself outsources some aspects of its infrastructure to another service provider (a data sub-processor).  When a breach occurs in this type of situation, the data processors are required to inform the data controller without undue delay so that the data controller can notify the NCA within 72 hours.  It is important that companies have clear documentation of what data they use external firms to process.  In most cases, the operational procedures required for breach management must be established, and in the best case they need to be updated.  Most consumer-facing organisations would find it very difficult to meet the timeframe to report a data breach, or even to have a clear understanding (i.e. a detailed data map) of the data that their processors may be handling.

Next Steps For Merchants

Consumers all over the world are already interacting digitally and using digital technology – their shopping behaviour and transaction history are being tracked, recorded, and monitored across multiple channels, suppliers and data processors.  Today, many retailers are only just getting to grips with an omnichannel payments acceptance strategy.  The need to constantly develop their fraud protection policies, protect consumer data and the privacy of individuals only adds to the complexity of retailing today.

Curaxian can help in three ways:

  • Using solutions such as the Curaxian analytics and monitoring, merchants will be able to detect and resolve attacks that they might otherwise not catch.
  • Build a best-in-class manual review operation to ensure that manual review teams are making the right decisions.
  • Enhance risk management strategies to defend against increasingly sophisticated and automated attacks.

For more information about Curaxian and the recent Equifax data breach download the white paper.  This paper provides a more detailed analysis of the challenges of data breaches and the implications for e-commerce merchants globally.

By working with Edgar, Dunn & Company, there are three steps to follow for getting ready for GDPR, fast-tracking your GDPR plans, or improving your existing plans:

  • Conducting a light-touch health check – no more than a few days of assessing the current roadmap for getting ready for GDPR – essentially this is the gap analysis. In some cases, where there is an on-going in-house GDPR project, it is advisable to gain an outside independent perspective of your GDPR plans.
  • An in-depth data mapping of the current processes, people, platforms and places – as required by Article 30 in the GDPR – using the optimal documentation tool, from a range of sophisticated GDPR-ready documentation tools, which best suits your business to perform this step.
  • Change management – creation of new policies, such as SARs (subject access request) policy, retention policy, privacy policy across all channels and customer touch points.  We work with lawyers and solution vendors where necessary to conduct this step.

We have found that most merchants and companies that handle personal data are focusing their limited resources on the need to be compliant with GDPR.  At Edgar, Dunn & Company, we see the next wave of GDPR frenzy (i.e. post 25th May 2018) will be the need to be more visionary in the identification of new business opportunities that exploit data portability, access to centralized customer data and the monetization of data.