December 2, 2014
Executive Insight: Tools for Preventing Fraud and Breaches
By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation
This piece is part three of a series on the differences between fraud and breaches. The first article in the series can be found here and the second article in the series can be found here.
In our previous two articles, we talked about the difference between card fraud and a card data breach and also how you should respond when you suspect that either may have occurred. To help you ensure you’re using all of the security tools in DOLLARS ON THE NET®, I will provide an overview. Many of you have already implemented these solutions to secure your environment, so as I review these features, I will also add a few reminders about how and why you should use them.
Preventing Card Fraud With Verification and Best Practices
Stopping fraud at the point-of-sale (POS) or property management system (PMS) starts with verifying the authenticity of a card and the identity of the cardholder. This is accomplished by correctly setting up your payment processing system and training your employees to recognize and avoid fraud. To protect against customer fraud in stores and online, Shift4 provides address verification services (AVS) and full support of the card verification value (CVV2, the three-digit code printed on the back of credit cards, also known as CVC2 or CID). Although CVV2 codes have historically been used only for card-not-present transactions, such as those online, Shift4 provides these tools to all types of merchants. Running verifications can be particularly beneficial for organizations that have large ticket averages or that run tabs or open authorizations. Remember that you should always run AVS and CVV2 checks and configure your POS or PMS to decline transactions when the CVV2 check fails.
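As an added example (my own illustration, not Shift4 code), here is the kind of response-handling policy the advice above implies. The issuer's approval and the AVS/CVV2 results come back as separate fields, and an issuer can approve an amount while reporting a mismatch, so the POS or PMS must itself act on the codes. The single-letter result codes are an assumption that follows common card-network conventions; a real integration should use the codes its gateway documents.

```python
"""Act on AVS and CVV2 results returned with an authorization.

Added example, not Shift4 code. An issuer can approve an amount and still
report an AVS or CVV2 mismatch, so the decision to keep or void the
authorization belongs to the POS/PMS. The single-letter result codes
below follow common card-network conventions and are an assumption;
use the codes your gateway documents.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"    # keep the authorization
    REVIEW = "review"    # hold for a manager or a manual check
    DECLINE = "decline"  # void the authorization and ask for another payment


@dataclass(frozen=True)
class AuthResponse:
    approved: bool   # issuer approved the amount
    avs_code: str    # assumed codes: Y/X full match, A/Z/W partial, N no match, U/R/S/G unavailable
    cvv2_code: str   # assumed codes: M match, N no match, P not processed, U issuer cannot check
    amount: float


AVS_FULL = {"Y", "X"}
AVS_PARTIAL = {"A", "Z", "W"}
AVS_UNAVAILABLE = {"U", "R", "S", "G"}
CVV2_NOT_CHECKED = {"P", "U", ""}


def decide(resp: AuthResponse, review_threshold: float = 500.0) -> Decision:
    """Apply the policy: CVV2 mismatch always declines; AVS is graded by amount."""
    # 1. The issuer's own decline is final.
    if not resp.approved:
        return Decision.DECLINE
    # 2. A CVV2 mismatch is declined even though the issuer approved the amount.
    if resp.cvv2_code == "N":
        return Decision.DECLINE
    # 3. No CVV2 result at all means the check did not run: route to review.
    if resp.cvv2_code in CVV2_NOT_CHECKED:
        return Decision.REVIEW
    # 4. AVS: full match accepts; no match declines; partial or unavailable
    #    results are accepted for small tickets and reviewed for large ones.
    if resp.avs_code in AVS_FULL:
        return Decision.ACCEPT
    if resp.avs_code == "N":
        return Decision.DECLINE
    if resp.avs_code in AVS_PARTIAL | AVS_UNAVAILABLE:
        return Decision.ACCEPT if resp.amount < review_threshold else Decision.REVIEW
    # 5. Anything unrecognized is treated conservatively.
    return Decision.REVIEW


def summarize(responses):
    """Count decisions over a batch, e.g. for an end-of-day report."""
    counts = {d: 0 for d in Decision}
    for r in responses:
        counts[decide(r)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample responses.
    batch = [
        AuthResponse(True, "Y", "M", 42.00),
        AuthResponse(True, "Y", "N", 42.00),    # approved, but CVV2 mismatch
        AuthResponse(True, "Z", "M", 950.00),   # ZIP-only match on a large ticket
        AuthResponse(False, "Y", "M", 15.00),
    ]
    for r in batch:
        print(r, "->", decide(r).value)
    print(summarize(batch))
```

The review threshold is the knob a merchant with large ticket averages or open tabs would tune; the CVV2 rule has no knob on purpose, matching the advice to decline on a failed CVV2 check regardless of amount.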
There are a number of additional best practices that should be used to prevent in-store fraud, which should be incorporated into employee training and posted as a reminder to employees who interface with customers at the POS or PMS. We have included a number of these best practices in our Credit Card 101 tutorial.
Monitor Internal Fraud and Fraud Trends With Fraud Sentry®
Unfortunately, internal fraud or “trusted-employee” fraud is one of the most common types of fraud experienced by merchants. And, because it involves employees an organization typically believes are reliable, this type of fraud can go undetected for months, even years, when proper precautions are not taken. According to Statistic Brain, U.S. businesses lose 50 billion dollars each year as a result of employee theft. Monitoring transactions is an essential part of protecting your business against becoming a part of this statistic. Fraud Sentry provides real-time transaction monitoring and immediate notification of suspicious card activity so your bottom line is protected. Fraud Sentry includes customizable settings so you can manage notifications and automatically block suspicious transactions or track them in order to build a case or for disciplinary reasons. Advanced users can also configure Fraud Sentry to recognize fraudulent patterns that may signal sophisticated fraud.
Just like DOLLARS ON THE NET, Fraud Sentry can be set up for a single location or for your entire enterprise. Even if it is not implemented at the local profit center level, you can still take advantage of these protections at the enterprise level. Check out this handy article on Fraud Sentry for tips on double-checking your settings.
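To show what real-time transaction monitoring for trusted-employee fraud looks like in practice, here is an added example of a small rule-based monitor run over a constructed POS event log. It is my own illustration, not Fraud Sentry's code or rule set; the three rules (refund to a card with no prior sale, refund larger than the original sale, too many voids by one employee in a short window) are assumptions chosen to show the shape of such checks, and the log format and employee names are constructed.

```python
"""Rule-based monitor for employee ("trusted-insider") fraud patterns.

Added example; the rules are my own illustrative assumptions, not Fraud
Sentry's configuration. The input is a constructed log of POS events:
timestamp, employee id, event type, card reference (token), amount.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2014-11-30T18:02:11 clerk_a SALE   tok_1111 42.50
2014-11-30T18:10:40 clerk_a SALE   tok_2222 18.00
2014-11-30T18:11:05 clerk_a VOID   tok_2222 18.00
2014-11-30T18:25:00 clerk_b SALE   tok_3333 120.00
2014-11-30T18:40:13 clerk_a REFUND tok_9999 60.00
2014-11-30T18:41:50 clerk_a SALE   tok_4444 10.00
2014-11-30T18:42:03 clerk_a VOID   tok_4444 10.00
2014-11-30T18:50:22 clerk_a SALE   tok_5555 25.00
2014-11-30T18:50:40 clerk_a VOID   tok_5555 25.00
2014-11-30T19:05:00 clerk_b REFUND tok_3333 150.00
"""


def parse(log: str):
    """Turn the whitespace-separated log into (time, employee, kind, token, amount) tuples."""
    events = []
    for line in log.splitlines():
        ts, emp, kind, tok, amt = line.split()
        events.append((datetime.fromisoformat(ts), emp, kind, tok, float(amt)))
    return events


def monitor(events, void_limit: int = 3, void_window: timedelta = timedelta(hours=1)):
    """Return alerts as (time, employee, reason, token); each alert is a case-file entry."""
    alerts = []
    sales = {}                 # token -> amount of the most recent sale on that card
    voids = defaultdict(list)  # employee -> timestamps of their recent voids
    for ts, emp, kind, tok, amt in events:
        if kind == "SALE":
            sales[tok] = amt
        elif kind == "REFUND":
            # A refund should reference a card this location actually charged,
            # and should not exceed what was charged.
            if tok not in sales:
                alerts.append((ts, emp, "refund to card with no prior sale", tok))
            elif amt > sales[tok]:
                alerts.append((ts, emp, "refund exceeds original sale", tok))
        elif kind == "VOID":
            # Sliding window: keep only this employee's voids inside the window.
            voids[emp] = [t for t in voids[emp] if ts - t <= void_window] + [ts]
            if len(voids[emp]) >= void_limit:
                alerts.append((ts, emp, f"{len(voids[emp])} voids within {void_window}", tok))
    return alerts


if __name__ == "__main__":
    for ts, emp, reason, tok in monitor(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {emp:8} {tok:9} {reason}")
```

Each alert carries the employee, card reference and time, which is the information needed both for an immediate notification and for building a case later; in a production monitor the alert would also carry the register or terminal id and the original sale reference.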
Support for Third-Party Fraud Prevention Tools: EMV, Apple Pay™, NFC
Shift4 has been a leading innovator in the payments industry since we launched the first card-present payment gateway back in 1994. We continue to pave the way so our merchant customers are ready for whatever the industry or consumers expect. As you may have heard, EMV is coming, and NFC and mobile wallets like Apple Pay™ are becoming more commonly preferred by consumers. Each of these payment methods comes with its own type of consumer-based fraud protection. Shift4 supports these payment methods and also goes a step further with our own merchant-based security protections.
Protecting Merchants From Breaches With P2PE and Tokenization
In the last two articles, as I discussed identifying and investigating fraud and breaches, I made a point of mentioning Shift4’s breach-prevention tools, specifically our point-to-point encryption (P2PE) and TrueTokenization® solutions. If you aren’t taking advantage of these tools today, you should. Last year, Coalfire, an independent Qualified Security Assessor (QSA) firm, analyzed our P2PE and TrueTokenization solutions working together within a major retailer’s environment and published a white paper showing that, with these solutions properly implemented, no sensitive card data was stored, processed, or transmitted in that environment.
Using P2PE and TrueTokenization reduces your breach risk and simplifies your PCI compliance because sensitive card data never enters your environment, but is instead encrypted at the point of swipe and only decrypted within our fully secure, PCI-compliant data centers. Security is at the core of what we do at Shift4, and as true merchant advocates, we provide solutions that are an essential part of securing your enterprise.
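To make the "card data never enters your environment" model concrete, here is an added example of the tokenization half of that arrangement. It is my own illustration, not TrueTokenization, 4Go or any Shift4 code: the vault that maps tokens back to card numbers lives only on the gateway side, the merchant keeps tokens and uses them for later operations such as refunds, and a Luhn-based scan of the merchant's records, the kind of check a QSA runs when scoping an environment, finds no card numbers. The token format (last four digits kept for receipts, check digit deliberately made Luhn-invalid so a token can never pass for a real card number) is my design choice, and the card number is the well-known test number, not a real card. The swipe-time encryption of P2PE is not modelled here.

```python
"""Token-vault model: the merchant keeps only tokens, the gateway keeps the PAN.

Added example, not Shift4's TrueTokenization code. The token format and
the Luhn-based store scan are my own assumptions, chosen for illustration.
"""
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check-digit test, which real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class GatewayVault:
    """Exists only inside the gateway's data centre; the merchant never holds it."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        # Random 16-digit token that keeps the last four for receipts and
        # lookups but is forced to FAIL Luhn, so it can never be mistaken
        # for a real card number. Assumed design, not the vendor's.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(12))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the gateway can do this; raises KeyError for an unknown token."""
        return self._pan_by_token[token]


class MerchantPOS:
    """Stores tokens only: after the swipe the PAN is gone from this process."""

    def __init__(self, vault: GatewayVault):
        self._gateway = vault   # a network call in reality; in-process here
        self.records = []       # what the merchant database would hold

    def sale(self, pan: str, amount: float) -> str:
        token = self._gateway.tokenize(pan)
        self.records.append({"token": token, "amount": amount, "last4": token[-4:]})
        return token

    def refund(self, token: str, amount: float) -> bool:
        # Later operations reference the token; the gateway resolves it.
        try:
            self._gateway.detokenize(token)
        except KeyError:
            return False
        self.records.append({"token": token, "amount": -amount, "last4": token[-4:]})
        return True


PAN_RE = re.compile(r"\b\d{13,19}\b")


def scan_for_pans(text: str) -> list:
    """What a scope check does: report Luhn-valid runs of 13 to 19 digits."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"   # well-known test number, not a real card
    vault = GatewayVault()
    pos = MerchantPOS(vault)
    tok = pos.sale(TEST_PAN, 120.00)
    pos.refund(tok, 20.00)
    print("merchant store:", pos.records)
    print("card numbers found in merchant store:", scan_for_pans(str(pos.records)))
```

Running the scan over the merchant's own database export (rather than over `str(pos.records)`) is the same check in practice: if tokens are the only card-like values present, the scan should come back empty.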
The Last Yard in a Thousand-Mile Journey
Shift4’s specialized security solutions, which are included in DOLLARS ON THE NET as a part of 4tify®, are designed to ensure our merchant customers do not store, process, or transmit cardholder data. These tools, combined with our TrueTokenization and P2PE solutions, help to create a zero-card-data environment for our merchant customers.
The journey to complete payment processing security is a long and complicated one. While tokenization and P2PE can help you cover miles, it is these specialized solutions – the ones that our competitors in the payment space haven’t even thought of yet – that secure the last yard in your 1,000-mile journey to security.
For card-present and Web-based transactions, Shift4 has created 4Go® and i4Go® to prevent actual card data from entering your POS, PMS, or Web servers. For securely accepting third-party reservations without bringing unsecured card data back into your environment, Shift4 has created 4Res®. And, to securely share customer data with trusted third-party merchants (without revealing that data in your environment and bringing your system back into PCI scope), Shift4 has created 4Word®.
Last month, we also added an e-signature integration with Sertifi that enables those of you who accept faxed or emailed credit card authorizations for payment to instead do so through DOLLARS ON THE NET, further limiting your exposure to sensitive card data.
I hope this refresher on how Shift4’s security tools prevent fraud and breaches has been useful to you. Remember to check your settings or turn these features on if you have not already done so. And, if you have any questions, Shift4 is always here to help.