We’re all buying more online. The impact of the pandemic on the UK’s e-commerce market has been dramatic — pushing internet sales up by 46% year-on-year in 2020. In the food retail sector it was even higher (79%). This has inevitably exposed more merchants and their customers to fraud. But that’s OK because PCI DSS is here to help protect us from card data breaches and follow-on fraud, right? Well, not quite. There are several challenges with the PCI compliance model, not least the fact that its focus on card data misses the bigger picture.
In reality, poor merchant cybersecurity has a knock-on effect throughout the payments ecosystem. That’s why Merchant Service Providers (MSPs) need to be looking more holistically at cyber-risk across their portfolios.
Online fraud has been with us for as long as consumers have been buying things over the internet. A recent analysis claimed that internet and e-commerce fraud in the UK rose by 179% between 2010 and 2020. It is arguably getting worse, as fraudsters share knowledge, tools and tactics to improve their return on investment, while merchants struggle to implement best-practice security and fraud prevention. It is estimated that more than one in 10 of us have suffered online fraud in the past decade, with losses exceeding £376 million last year.
PCI DSS was, of course, launched in 2004, around 15 years ago, to put a major dent in this activity by cutting off the source of fraudulent payments: card data. But it is failing. Compliance is seen as little more than a tick-box exercise by many merchants, who do not understand the SAQ (Self-Assessment Questionnaire) questions they are presented with and see little benefit in return. As a result, many SMBs (Small and Mid-size Businesses) struggle to work out what they actually need to do to improve their cyber security.
PCI DSS is also too narrow in its focus: its scope is the cardholder data environment, not the merchant's wider systems. Yes, protecting card data is important to strangle fraud. But so too is the other personal information on customers that merchants may store, such as names, addresses, order histories and contact details. If cyber-criminals get hold of this, they can craft convincing phishing emails and vishing (fraudulent phone call) attacks that could cause significant financial and emotional pain for customers, even if no card number was ever exposed.
Banks, card companies, payment facilitators, merchants and other payments stakeholders should all be focused on the same goal: building greater trust in online commerce. That boils down to improved merchant cybersecurity — not just to protect card data but all types of customer information they collect. After all, without consumer trust in online channels, the entire payments community will suffer.
What does this mean in practice? For MSPs it means finding new ways to drive revenue beyond punitive non-compliance fees (which may soon be regulated anyway). A progressive way to achieve this would be to focus on providing managed compliance services where there is a closer relationship between MSP and merchant. MSPs should be proactively offering advice on which security tools they need to protect their business, for example.
However, to get there, MSPs need enhanced and continuous visibility into the risk profile of every merchant in their portfolio. The point-in-time snapshot provided by SAQs is not good enough, and a self-attested answer cannot be taken as factually correct without an independent assessment. At ZeroRisk we offer automated, contextualised risk assessments at scale. These provide MSPs with the information they need to reach out confidently to their merchants and offer advice on improving cyber-hygiene. Our marketplace offers access to services such as security awareness training that help merchants to help themselves, improving the resilience of the ecosystem in the process.
It’s about giving more time to each merchant, understanding where they need help and working with them as a trusted partner to lower cyber-risk. That should result in happier customers, lower fraud losses and a stronger, healthier online payments community.