If we’ve learned anything from the events of 2020 it’s that merchant risk is volatile, fast-changing and ubiquitous. Fraudsters and cyber-criminals adapted with their customary agility to the pandemic to take advantage both of novice internet shoppers and traders with little previous experience in e-commerce. Unfortunately, they found many opportunities to monetize cyber-attacks and defraud unwitting consumers.
For Merchant Service Providers (MSPs) this raises some serious concerns. The way annual PCI DSS SAQs work means the compliance status of individual merchants may be out-of-date by up to almost 12 months — assuming they filled out the questionnaire accurately in the first place. The answer is to drive dynamic risk profiling across your portfolio.
Online fraud and cybercrime feed off each other. Customers’ financial and personal data is often stolen from merchants, sold on the dark web and then picked up by fraudsters to use against other merchants. An estimated £376.5 million of internet and e-commerce fraud took place on UK bank cards in 2020. Sometimes all the scammers need is a set of usernames and passwords to unlock online accounts that may contain stored cards they can use. There were 64 billion such attempts globally between 2018-20 in the retail, hospitality and travel sector alone.
The bottom line is that criminal gangs today have an endless supply of funds and are backed by a cyber crime underground worth trillions, where they can purchase new tools and sell stolen data at will. Payment providers are always playing catch-up because the criminal business can move that much quicker. Most recently there have been growing concerns over cyber-criminals targeting security gaps in Open Banking to steal personal information and commit fraud.
MSPs are getting better at managing these risks, and certainly perform well against their peers in sectors like travel, where perhaps organizations still don’t fully recognize the attractiveness of the personal information they process and store. However, smaller merchants are often left behind. MSPs can’t assume that their clients are IT security savvy, as this is very often not the case. It might seem like obvious best practice to segment a retailer’s network between that used for payment services and one for customer Wi-Fi, for example. But even the simple things like this may not be immediately apparent to an SMB (Small and Medium-sized Business) owner.
So what’s the answer? Amidst such a dynamic and volatile risk landscape, there’s no time to relax. MSPs must themselves keep up-to-date with the latest trends in cyber security and fraud prevention. But they also need to keep a close eye on their merchants. For this, the legacy snapshot of a PCI DSS SAQ will not provide the kind of continuous insight MSPs need.
Instead, they need ZeroRisk for automated, contextualized risk assessments at scale—across the entire portfolio. This kind of real-time information can then be used by MSPs to engage closer with their merchants, to assist with things like:
ZeroRisk is the end-to-end merchant portfolio risk and compliance management system designed to make the payments ecosystem safer for merchant service providers, merchants and consumers. We measure payment risk and make it easier to manage, by building intelligence and delivering customized, actionable insights across the ecosystem.
There’s an old adage in cyber security: “You can’t protect what you can’t see”. The same applies to merchant risk. That makes continuous dynamic visibility a must if your business is to play its part in making the entire payments ecosystem safer.