October 7, 2014

Executive Insight: Fraud or Breach?

Executive Insight: Fraud or Breach?

By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation

Fraud and breach are two words that no merchant wants to hear in relation to their business. Confusing fraud for a breach – or assuming they are the same thing – can lead to panic, overreaction, and unfortunate unintended consequences. To help you avoid overreactions and costly mistakes, I want to cover the difference between fraud and a breach and what each means to your business. In future articles I will cover how you should respond to each as well as the most effective tools and methods to prevent them in the first place.

Dictionary.com defines fraud as “deceit, trickery… perpetrated for profit” and breach as “a gap made in a wall, fortification.” In our industry, those definitions have evolved somewhat, but still hold relatively true to their origins. In the payments space, fraud is any illicit method used to access or use another person’s cardholder data, while a breach is more narrowly defined as an exploitation of security measures to access and/or compromise a merchant’s cardholder data environment.

To put it simply, if hackers bypass your Internet security defenses and firewalls and infect your computers with card-stealing malware, that’s a card-data breach. If they engage in some other shady activity in order to steal card data – or use data stolen previously – that’s better defined as fraud.

Why the important distinction? Well, frankly, it’s because one is bad news and the other is really bad news. Fraud perpetuated in your business is often the result of rogue employees. This can be dealt with much more quickly and with much less expense than a security breach of your cardholder data environment and resultant card-data theft that is (these days) more likely the result of an organized criminal element rather than a few disgruntled individuals.

Typically, card fraud within a business is on a much smaller scale than an all-out security breach, which is why the two require entirely separate responses. While I will cover appropriate responses in depth in next month’s article, I’ll give you a hint today. If you believe your business is experiencing fraud or has fallen victim to a security breach, the first step is to call your merchant services provider (MSP) and advise them that you are investigating suspicious activity. (This call goes a long way to protect you from potential future fines and liabilities.) The next step is to actually investigate and get a decent understanding of what is going on. You may not get to the bottom of it, but you need to get far enough to figure out who can provide any additional help and information you might need. Again, more on that next month. Until then, be vigilant!