I recently had the opportunity to discuss online payment security with Jeff Sawitke, Chief Product Officer at Verifi.
Verifi is a leading provider of global electronic payment and risk management solutions for card-not-present merchants, with a highly customizable payment and real-time reporting platform that serves as a foundation for Verifi's suite of fraud solutions and risk management strategies.
With a commitment to reducing risk while increasing profitability for clients, Verifi's multi-layered approach enables transaction risk management and mitigation, business optimization strategies, cardholder authentication and chargeback re-presentment for all major credit card brands.
Mr. Sawitke joined Verifi in 2006 as Vice President of Technology, and became its Chief Product Officer in 2010. During his tenure as Vice President of Technology, Mr. Sawitke was responsible for the development of the Verifi platform and data center operations supporting all products and services.
We appreciate Mr. Sawitke taking the time to enlighten the Infosec Island community with his insights and expertise related to the challenges in securing ecommerce transactions.
Q: What do you see as the single greatest threat to online payment security today?
There is no single greatest threat, per se. Implying there is a greatest threat leaves companies susceptible to payment security breaches. The payment network has become so interconnected that any breach can affect the entire system.
The biggest risk is systematic. Criminals and hackers have multiple points to penetrate a system, whether through a system security breach or through human contact within these systems.
It's important for those responsible for online payment security to think of the possible risks from end-to-end.
Q: Electronic payments involve multiple entities including consumers, merchants, payment processors, banks, and credit card issuers. Is there a "weakest link" in this data access chain?
Risks can vary by each entity based on the type of security measures individual entities have put in place. One merchant may have a very strong security system while another has a very weak one.
But there is a related responsibility between these entities. Banks are putting more pressure on payment processors to take responsibility for merchant breaches. This pressure ensures that larger numbers of banks are becoming compliant based on payment processor regulations.
Certain entities do drive greater specific risks than others. For example, credit card issuers are pro-consumer, which means they enable fraudulent credit card users to get away with online fraud or 'friendly fraud.'
While friendly fraud isn't considered the same threat as an organized online crime ring, friendly fraud is thought to be responsible for almost half of many merchant fraud issues.
Q: One hotly debated issue today is whether or not compliance is the best benchmark for measuring security - your thoughts on the debate?
PCI is a formal compliance self-regulation. It's more of a standard than a benchmark. The standard is necessary because, as noted above, security issues are systematic.
All entities within the system must take responsibility in order to protect the whole system. We are at a point where individual merchants have created their own benchmarks and best practices.
Those with a focus on consumer protection and risk management tend to strive to meet higher benchmarks than others. Visa and Mastercard, Visa in particular, are leaders in driving new standards and setting benchmarks because they are the biggest part of the system at this time.
I anticipate more to come.
Q: Will large data loss events have an effect on the future of the self-regulatory nature of security in the online payments industry?
I believe the industry will try to stay self-regulated as long as possible. As we get more sophisticated in identifying fraud and security breaches, we begin to understand the true loss to business.
We are also beginning to understand the true end-to-end cost including resources and time. Every participant in the payment management process is incented to invest in fraud protection.
Q: What manners of data protection and authentication protocols does Verifi employ when securing client data?
We are a PCI Level I secure company. We can remove much of a merchant's PCI liability and their security risks because we host the online payment page, instantly encrypt the credit card number and give the merchant only the token.
We continue to evaluate the best technologies to ensure we provide our clients the best protection. We find many merchants may have the means to employ a basic PCI secure system such as this but forget about other areas of risk, particularly human risk associated with customer service and accounting representatives who can access data.
We have a PCI secure chargeback management team. We ensure the strictest PCI compliance to our credit card data handling rules. Our clients may not have as strong of a focus as ours, given it's one of our core competencies.
This is why we are in business.
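The hosted-page tokenization flow described above, as an added Python example that is not Verifi's code: the provider's vault keeps the card number encrypted under the provider's own key and hands the merchant nothing but an opaque token and the last four digits, so a merchant-side compromise yields no card data. The TokenVault and luhn_ok names, the HMAC-SHA256 counter-mode cipher (a standard-library stand-in for an AEAD such as AES-GCM) and the test card number are constructed for this example.

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check before a PAN is accepted into the vault."""
    total = 0
    for i, c in enumerate(reversed(pan)):
        d = int(c)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return 12 <= len(pan) <= 19 and total % 10 == 0


class TokenVault:
    """Provider-side vault (constructed example): PANs live here encrypted under the
    provider's key; the merchant only ever receives the opaque token and last4."""

    def __init__(self, master_key: bytes) -> None:
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self._store = {}  # token -> (nonce, ciphertext, tag); never a plaintext PAN

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # HMAC-SHA256 in counter mode: a stdlib stand-in for AES so this runs offline
        blocks = [hmac.new(self._enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(-(-n // 32))]
        return b"".join(blocks)[:n]

    def _tag(self, nonce: bytes, ct: bytes) -> bytes:
        return hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()

    def tokenize(self, pan: str) -> dict:
        """Called from the provider-hosted payment page; returns what the merchant may keep."""
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("invalid card number")
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(pan.encode(), self._keystream(nonce, len(pan))))
        token = secrets.token_urlsafe(16)  # random: carries no information about the PAN
        self._store[token] = (nonce, ct, self._tag(nonce, ct))  # encrypt-then-MAC
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Provider-internal only, e.g. when forwarding the charge to the processor."""
        nonce, ct, tag = self._store[token]  # KeyError: token was never issued
        if not hmac.compare_digest(tag, self._tag(nonce, ct)):
            raise ValueError("vault record was tampered with")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()
```

The merchant's database stores only the returned dictionary; the vault's master key and detokenize never leave the provider.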
Q: In addition to securing online payments against data loss, how does Verifi help clients manage fraud detection within high volumes of transactions?
What we do is help support clients by combining 3rd-party and proprietary tools in multiple layers. Our system is constructed with fraud detection in mind. We employ the best 3rd party fraud detection technologies into our platform.
This is called our Intelligence suite. We layer our Fraud identification engine on top of these detectors and give merchants the analytics and insight they need to properly identify their risks and set rules around fraud management.
The level of detail we can provide customers is incredible. We can maximize fraud detection and minimize 'false-positives', the occurrence of a true customer who is accidentally identified as a fraudster.
This is important. A company may eliminate fraud by denying 10% of total online orders, but if 5% of those are good customer orders, that's a problem.
Disclosure: no holdings