The Payment Processing Chain – Holistic Risk Management

ATM keypadA lot of people in the credit card industry focus on the compliance and security component of the payment processing chain that they control.  This is expected and is the right thing to do.  Most people do not have an appreciation of the steps needed for a successful transaction.  Some merchants, cards and banks could have varying processes but most transactions involve, at a minimum, a consumer, a merchant, a payment gateway or processor, the card brand and the bank issuing the card.  In order for a transaction to complete, the reverse path is taken to validate the transaction.  Add in credits, refunds and loyalty programs and that’s a lot of moving parts in a system that appears to act instantaneously.  The system works well and we all depend on that.

Like any complex ecosystem, components need occasional maintenance.  Operators for every component of the ecosystem should be cognizant of the controls in place for the entire ecosystem as well as recognizing their place in the system.  A credit card and its associated transactions will be as secure as the weakest spot in the processing chain.  The consumers that believe they should be able to depend on the security of payment processors and banks are correct in their assumptions.  In the same vein, banks and payment processors should be able to depend on the security practices of consumers and merchants.

What does this mean to all of us?  For the issuing banks, this means monitoring the behavior patterns of consumers to facilitate better and faster fraud detection.  Acquiring banks do the same for merchants.  For merchants, a demonstration of security and compliance competence is needed.  If merchants do not have this expertise, they should engage with a firm that does and allow them to do that.  Many merchants have not grown security and compliance expertise, focusing instead to grow their business on their core competency.  Banks have regulators for oversight and examiners for validation.

That leaves the consumer.  Every consumer plays a vital role in the risk management chain but many do not recognize that and do not utilize the tools available to them.  Some of these tools are:

  • Credit Card Statements
    • Perhaps the best tool available to consumers – address unexpected activity!
    • Use online statements to see current (very recent) activity.
    • Use SMS and email alerts for higher than expected volume or value of activity.
  • Credit Reports (things to look for are below)
    • Higher balances than expected
    • Unexpected new accounts opened
    • Unexpected accounts closed by credit grantor
  • ATM Machine Activity
    • In addition to being aware of ATM fees, make sure you trust the machine.
    • When using a machine for the first time, consider techniques such as entering an invalid PIN once to see if it is rejected.  If it is and the valid pin works, the machine is on your network.
    • Watch your surroundings.  If someone sees you enter your PIN, your chances of a compromise increase.
  • Utilize the security and control measures of your merchants and banks
    • If you cannot rely on them, ask them to change or move your business.

At any point in the chain, inspect the controls and ring the bell if they do not meet your standards.

Image Credit: Catatronic

Jeff Reich, Layered Tech Chief Risk OfficerAbout the Author: As Chief Risk Officer at Layered Tech, Jeff Reich (@LayeredTechCRO+Jeff Reich) drives the company’s security and compliance services and guides risk mitigation efforts for clients. With more than 30 years of experience, Reich is a well-known risk management and security expert in the industry. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow.


Comments are currently closed.