Online data is more prevalent and valuable than ever before, for consumers, businesses and fraudsters alike. While the ability to do anything, from anywhere has its benefits, including convenience and constant connectivity, there’s also a dark side: criminals waiting to exploit your most personal, sensitive information. In fact, the total number of personal records exposed in data breaches more than doubled over 2018, compared to 2017.
The value of data has led to new legislation intended to protect information shared and stored online. Europe’s GDPR became binding in May 2018, and a variant in California is slated to become effective in 2020, complicating matters for companies that limited their European data presence in hopes of avoiding GDPR. In addition, the revised Payment Services Directive (PSD2), intended to democratize access to data and simultaneously protect it through Strong Customer Authentication (SCA), will come into effect in Europe in September 2019.
Perversely, both GDPR and PSD2, which were created to protect customers and their data, actually introduce new risks and complications for businesses operating online. Both sets of regulations were born to protect data (or in the case of PSD2, increase data security as a result of open banking) and consumers’ rights over their own data. But today’s payments ecosystem is intricate and complex, and it is hard for legislation to predict and guard against the moves criminals will take in reaction to it.
With GDPR, consumers can request deletion of their data at any time. But for fraudsters, this means they can disguise themselves as legitimate actors and demand all data on their personas be removed, then present themselves to online businesses as blank slates every time. Being able to identify fraudsters as returning bad actors is vital to all fraud fighting efforts, and not having previous visits to draw on would be a serious handicap to proper prevention.
In the case of PSD2, an unintended consequence is similar to the unfortunate side effect of EMV introduction. In that case, fraudsters were successfully deterred from carrying out card present fraud, and shifted online to card not present fraud instead. With PSD2, making fraud more difficult at the point of transaction within EU transactions is likely to shift fraud to other geographies and attack points. Most online businesses are global, and those that sell outside of the EU, as well as within it, will have to be particularly careful of non-EU transactions once PSD2 kicks in. Criminals who stop using European data won’t stop stealing; they’ll just start using data from elsewhere.
Know your ecosystem
To combat the unintended risks that GDPR and PSD2 bring in their wake, companies need to develop a deep understanding of their own ecosystem and the users who are part of it. Only a full comprehension of good and bad actors, and the connections both hidden and overt between them, can provide the necessary framework for protecting an online business.
A rich understanding of your ecosystem mitigates the GDPR risk because the legislation does not require you to delete the information of known criminals. If your system is accurate enough to detect fraudsters reliably, and to make the right connections to recognize them when they return in different guises, then you won’t need to delete their data — even on request. In fact, such a request would simply become additional, valuable information.
It isn’t enough to be able to match obvious data points such as addresses, names or even IP addresses. Your system needs to be able to match behavioral data and patterns and use cyber intelligence to piece together obfuscated elements. Only then can you identify malicious actors continuously, even when they have changed everything they can in their digital appearance.
A similar level of sophistication and sensitivity is necessary for dealing with the “attack shift” that will likely follow PSD2. In order to guard against the risk of geographical fraud changes, your system must be sensitive to the genuine behaviors of different geographical areas, and be able to flag when a user does not match the expected norms for their location. Different industries and businesses have different behaviors, and so it is vital that your system be attuned to your own ecosystem.
Make sure your customers and accounts are protected by a system that knows your customer base just as well as you do. It requires flexibility and continuous innovation, and an ongoing effort to stay ahead of criminals, and abreast of the evolution in customer behaviors and expectations. However, with constant, accurate, informed protection, you can maintain compliance, security, and customer trust.