We brought together David Jeffrey, Director of Fraud and Security Products, Barclaycard, and Charles White, Founder and CEO, IRM, to talk about what UK businesses need to know when it comes to fraud and security. With almost 40 years’ experience between them, their insight is eye-opening and their advice practical.
David has been in the payments industry since 2000, working on the issuing, acquiring and gateways sides of the industry. He has held a number of roles, particularly in the security space. When PCI first came about, David set up the first PCI management team at Barclaycard. He now heads up the fraud and risk space, dealing with everything from PCI compliance and the governance around that, to PSD2, strong authentication, machine learning and data sciences.
David and his team are actively involved with industry boards such as PCI SSC (PCI Security Standards Council) and chair and take part in various special interest groups.
Charles is the Founder and CEO of IRM and has been in the cybersecurity space since 1999. He has considerable experience in all things cyber, having sat on many steering boards. IRM is now a strategic partner of the NCSC (National Cyber Security Centre) and is strongly affiliated with GCHQ. He also sits on the board of trustees at the Cyber Trust. And if that wasn’t enough, he’s also a board advisor for Cyber Security Challenge, which is the project working to get more people trained up in the skills needed to tackle cybercrime.
David, Charles, why are new security and fraud regulations (like GDPR and PSD2) needed?
CW: “They’re not necessarily needed, in my opinion. PSD2 is a simple update to PSD, which was introduced back in 2009. It deals with some of the gaps that have come about as a result of the incredible and rapid developments in Fintech. The idea from the regulators’ point of view is to make the UK a safe place to do business.
“From 2009 all the way through to 2012, the world went on a frenzy of digital transformation. People no longer had to watch Coronation Street at 7pm on a weekday because that’s when it was on. Today we use catch up. Airline ticketing has changed to the extent that today we check in, choose our seat and print out our boarding pass at home. And the family finances can be managed totally from the sofa at home without the need to visit a branch. All these examples have enriched the customer experience, but the inherent risks weren’t necessarily taken into account. This has led to a lot of companies retrofitting security and fraud solutions to try and catch up with the fast-paced digital age.
“So PSD2 and GDPR are probably just a natural legislative approach to make life more secure for the population. This protection is required but will likely fall into disrepair fairly quickly, because legislation simply cannot keep up with the pace of change and digitisation that’s taking place.”
DJ: “I totally agree. We are living in a different world. The way in which we live our lives, the way in which we shop, for example, has changed. There’s that famous quote from IBM that says: ‘90% of the data in the world today has been generated in the last two years’ [2] and according to McKinsey, only 1% of that data has been analysed [3].
“With so much data so freely available, there needs to be a degree of governance around that. PCI was formed many years ago because cards were seen to be the core of criminal activity. But that’s no longer the case. There’s immense value in personal data, which is why GDPR is required.
“PSD2 is all about inspiring innovation in the industry. It’s looking to keep the industry competitive. To ensure that data is freely available for everyone to use for the benefit of the industry, albeit you have to use it securely. One of the key items is how do you help to protect against fraud, which is a growing industry, a huge criminal industry? With more and more shopping at their convenience, there has to be a better set of guardrails about how people do business and how people use information.”
The problem with compliance is that it’s lazy. People say ‘I must just do these 32 things, and if I see a glaringly obvious problem, I’ll just ignore it because I just have to do the 32 things’.
The deadline for compliance with GDPR is 25th May 2018 for businesses in Europe. By the time everyone’s up to speed, will the framework be redundant?
CW: “The word ‘comply’ is an interesting one. We all have to adhere to the laws of the land in the UK. GDPR is going to be a law of the land. How much you intend to protect yourself and stay the right side of that legal framework is open to people’s interpretations and risk appetite.
“What is substantially different between PCI and GDPR is PCI is a finite list of things. If you do all of those things, you get a certificate and you’re compliant. With GDPR you have a number of things you must do, but you can do them to a greater or lesser extent depending on how much of a risk you perceive yourself to be at and how much of a risk you believe the data that you hold is going to be at.
“What we’ll find with GDPR is that people will adopt the frameworks, they will do the basic things first, but I still think there’ll be some very difficult and complex things that people will struggle to do. Probably one of the most difficult things businesses will have to do is to identify where all their data is. Large organisations may not know where a lot of their data goes, and they may also share data and not know what third parties are doing with it. Those are the biggest issues people are going to try and tackle with GDPR in the early years.”
DJ: “While we talk about PCI as a list of things you have to do, it’s much more about an evolution. The payments landscape is changing on a daily, weekly, monthly, yearly basis, and providing you have the right principles in place within your organisation, to safeguard payment data, or data generally, and also ensuring that you only have the data that you require to perform a function, i.e. process a payment, then it’s about having a sensible approach that evolves with your business.
“I don’t think there are any silver bullets to this and GDPR is a great example. You can only look to have best principles in place and manage your business in accordance with those.”
That’s interesting. So potentially doing everything you want to do when it comes to security and fraud protection might not actually be realistic and it needs to be flexible within what your business does and the resources you have, as well as obviously what the framework and law states…
DJ: “Yes, and as Charles mentioned earlier, a lot of companies are retrofitting and struggling with legacy systems. And the business processes that have been in place for many years. There’s a lot of data already ‘out in the wild’ and to try and rein that in in one fell swoop is, for many businesses, nigh-on impossible. Hence why it’s got to be an evolution. It’s got to be about ingraining security principles into the DNA of any business. By always having a “security first” mantra, you will, over time, get better.”
CW: “We often say that when businesses are looking at cyber security, they have to change things internally, at three levels: culturally, procedurally and from a technology perspective. If these changes are threaded throughout an organisation then you’ll have a successful cybersecurity programme.
“But going back to data and some organisations not knowing where their data is – companies need to understand the value of their data. Credit card data on the dark web can be worth anywhere from $7 to $30 [4]. Legitimate passport details can be worth up to £2,000 [5]. So if I’m an attacker, part of serious organised crime and I’m about to break into a travel agency, I’m probably not going to be that fussed about credit card data. But I’m going to be deeply fussed about passport information.
“We have bad behaviours where we say to people you have to be PCI compliant. So people say, ‘ok we’ll protect all the credit card data and we’ll leave all the passport data completely unencrypted’. We’re missing the point. Data is data, it’s almost immaterial what it’s about.”
DJ: “Cards have absolutely been the focus. But if breached they can be blocked and reissued. Personally Identifiable Information (PII), such as passport data, is there forever. If your PII is breached, that can be repurposed time and time and time again. You can’t just cancel your personal credentials and have a new set reissued. Protecting all data is crucial for everyone.”
So it’s clear why consumers should be worried about security and fraud, but what about businesses, why should they care about frameworks like GDPR?
CW: “Within the realms of GDPR, the scaremongering that most people hear is if you fall foul of GDPR you could face a fine equivalent to 2% of your global turnover [6]. My advice to most corporates is that finding the cash reserves to pay a significant fine, whilst painful, isn’t likely to lead to insolvency. The biggest problem, enshrined within GDPR, is the right for people to bring class action. You lose PII for a couple of hundred thousand people, that’s potentially a couple of hundred thousand people bringing class action and that would probably bring most organisations to their knees.”
DJ: “We’re all guilty of honing in on financial penalty. I think the really big one that perhaps isn’t mentioned so much is the impact on brand. If a breach occurs at a major brand, the details of that breach are widely available for all to see. The brand impact on those global businesses that have suffered a breach of any type, in terms of loss of customer confidence, loss of customers full stop, is a huge concern. You can’t put a value on that. A 2% fine would probably pale into insignificance in comparison. Brand is important to everyone and needs to be protected!”
We’ve talked a little bit about putting security first. But is the resource needed to do this a barrier for growth do you think, particularly for SMEs rather than corporates who might have departments dedicated to security and fraud?
DJ: “I think for a large number of SMEs there’s still a general lack of awareness around security. Many don’t know what their responsibilities are. And if they do, very few are able to effectively manage it. I don’t think it’s a barrier, though, I think it’s about being smart about who you partner with. We are here to take the pain out of a number of those processes for merchants. By partnering with the right people, it certainly isn’t a barrier to business growth.”
CW: “I agree with David. A large swathe of the SME market is unaware of the risks that cyber brings. You can’t just go and buy a product that solves cybersecurity. So a lot of people buy a product and think they’ve dealt with the problem, when in all probability they haven’t. But an SME told that a cybersecurity consultant day rate is £1250 will probably fall off their seat. They simply can’t afford it. The sooner we start to address the issue of a lack of skills in this industry, the sooner we can more effectively help the SME market. But that’s another topic!”
So smaller companies increasingly need cybersecurity consultancy but they may not be able to afford the fees. Is that where cybersecurity products and the accompanying customer support come in, David?
DJ: “As we’ve all said, there are no silver bullets. But there are scalable, affordable products and services that help customers. They really help to manage cybersecurity issues. Ultimately, it’s about not being the weakest in the pack. And that’s a really important point. Criminals and cyber criminals will always look for the path of least resistance. Where are the easy targets? So if a company has some degree of protection in place, that customer will be in a far better position than the customer next door who has nothing.
“Ignore the risks at your peril. I’m not saying that you can neutralise all the risks, but you can put processes in place to help manage that exposure.”
CW: “It’s the 80/20 rule I think. Some of the products that are out there will deal with the top 20 issues that you’ve got and, say, 80% of the risk goes away. And that’s brilliant. Think about it this way – if you go out and buy an anti-virus solution but you don’t configure it properly, you may think you’ve fixed a problem but in all likelihood you probably haven’t.”
DJ: “Absolutely right. I suppose the one thing we can’t secure against is how businesses operate and how they use the security products. But we do work towards that by offering expert help and support, not just products and technology.”
CW: “I’ll give you a great example. We did an exercise on a major company recently. They spend millions on security, yet we sent a guy in in a workman’s jacket, who told reception he needed to get out the back to fix an urgent drainage problem. He was let through. As soon as he was inside, he took off the jacket, went into the office and scattered a number of keychains with a set of house keys and a USB stick on. Within 24 hours you can see people have found the keychains and have started putting the USB sticks into their work laptops. They just couldn’t help themselves. And no sooner had they done it than the whole system was infected. It was that easy.
“My point here is, don’t buy a product and assume you’ve eliminated the risk, you will have reduced it and that’s great, but choose a solution that comes with expert support.”
That’s an eye-opener!
CW: “Yes, because we only ever see the spotty teenage hacker in the media, not the serious organised cyber criminals. It’s an education piece for businesses really.”
DJ: “Charles hit on a really good point there about the spotty teenager. There is still a degree of thinking that this stereotype of cyber criminals is behind serious breaches. But the reality is very different. An email dropped in my inbox recently offering a course in cyber criminality for the princely sum of 65,000 Rubles (approximately £600). The courses aim to give students proficiency in cybercrime. The cybercrime industry is training and recruiting!
“These people are incredibly intelligent, talented individuals whose sole job it is – 24 hours a day, 365 days a year – to carry out large-scale, organised cyberattacks. That’s why it’s so important that everyone takes cybersecurity seriously.”
Has the nature of the conversations you have with merchants changed in recent years, David?
DJ: “Absolutely. More and more so the questions have gone from: ‘Can you process a transaction in this way? Can you reduce my price by X?’, to: ‘Tell me how you can increase my revenue by 1, 2, 3, 4, 5% etc.’. That’s the big game in town.
“Fraud is measured in a fraud to sales ratio and as you can imagine, online sales in particular are increasing at an exponential rate [7], and fraud is increasing at an even higher rate [8]. But whilst the ratio remains static or similar, and therefore acceptable, it’s estimated that the amount of fraud that is going to go through the card not present space will reach £600m in the UK by 2018 [9]. A US study in 2014/2015 said that there was $9bn lost in fraud [10] in the US market. If you compare that against the genuine transactions that were rejected by anti-fraud technology, that’s where the staggering figures come in.
“In the US, while $9bn was lost in fraudulent payments, $118bn [11] was identified as being lost from false positives. In other words, genuine, non-fraudulent transactions being rejected as fraudulent. We don’t know what the figure is in the UK – that information isn’t available. But if you use a similar scale (£600m x 13, just as $9bn x 13 = $118bn), it’s around £7.8bn. To contextualise that, the main focus for merchants today is ‘how can you get me a better rate of acceptance, because I’d like more revenue. If you can reduce fraud in doing that, then great, but actually just give me more revenue without exponentially increasing my risk’.
“Bringing it full circle. Part of PSD2 is trying to find a better way of identifying good and bad transactions. Are we going to see card not present fraud drop off a cliff? No, I don’t think so. But it will help reduce fraud in this space. And as much as we’ve been looking at PSD2 over the last three years or so, you can bet your bottom dollar that serious organised cybercriminals have been poring over it, and thinking about counter strategies. So while you might not be able to solve the problem of cyber criminality, there are ways to manage your exposure to risk. To reiterate, it’s about not being the weakest in the pack.”
Both David Jeffrey and Charles White will be speaking at Barclaycard’s invite-only PCI Seminar and at PCI London on 5th July 2017. You can register for PCI London online.
1. https://www.theguardian.com/uk-news/2017/jan/24/uk-fraud-record-cybercrime-kpmg (Jan 2017)
2. https://www-01.ibm.com/software/data/bigdata/what-is-big-data.html (originally from https://www.sciencedaily.com/releases/2013/05/130522085217.htm, May 2013; no more recent stats, this is still quoted by all sources, including IBM and McKinsey)
3. http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/straight-talk-about-big-data (May 2013; no more recent stats, this is still quoted by all sources, including IBM and McKinsey)
5. http://www.express.co.uk/news/uk/723087/Deep-web-black-market-British-passport-criminal-gangs (Oct 2016)
6. https://www.out-law.com/en/articles/2016/may/gdpr-potential-fines-for-data-security-breaches-more-severe-for-data-controllers-than-processors-says-expert/ (May 2016)
7. ‘Online retail sales in the UK topped £133bn in 2016…a jump of 16% from 2015’: uk.businessinsider.com/mobile-sales-drive-unexpected-UK-e-commerce-growth-2017-1 (Jan 2017)
8. ‘Total financial fraud losses across payment cards, remote banking and cheques were £399.5m in the first half of 2016, a 25% increase on the same period in 2015’: https://www.financialfraudaction.org.uk/news/2016/10/12/scams-and-online-attacks-drive-fraud-increase-figures-show/ (Oct 2016)
9. Estimated, based on the figures for 2006-2015 inclusive. These figures are available on page 16 of FFA (Financial Fraud Action) UK’s Fraud the Facts 2016: The Definitive Overview of Payment Industry Fraud (2016): https://www.financialfraudaction.org.uk/news/2016/10/12/scams-and-online-attacks-drive-fraud-increase-figures-show/
10. Page 4, Javelin whitepaper How Consumers Respond to False Positive Declines, available to download at: http://pages.riskified.com/how-consumers-react-to-false-declines-white-paper/
11. https://www.javelinstrategy.com/coverage-area/overcoming-false-positives-saving-sale-and-customer-relationship (Sept 2015; no more recent data is available)
Please note that the views expressed in this article are personal opinions. Barclaycard cannot accept any responsibility or liability for reliance by any person on this article or any of the information set out in it.