“Fraud” and “breach” are two words that no merchant wants to hear in relation to their business. Confusing fraud with a breach—or assuming they are the same thing—can lead to panic, overreaction and unintended consequences. Knowing the difference between fraud and a breach, and what each means to your business, helps you avoid overreactions and costly mistakes.
Fraud can be defined as “deceit, trickery… perpetrated for profit” and breach as “a gap made in a wall, fortification.” In the payment security industry, those definitions have evolved somewhat but still hold relatively true to their origins. In the payments space, fraud is any illicit method employed to access or use another person’s cardholder data, while a breach is more narrowly defined as an exploitation of security measures to access and/or compromise a merchant’s cardholder data environment.
To put it simply, if hackers bypass your Internet security defenses and firewalls and infect your computers with card-stealing malware, that’s a card-data breach. If they engage in some other shady activity in order to steal card data—or use data stolen previously—that’s better defined as fraud.
Why the Distinction?
Well, frankly, it’s because one is bad news and the other is really bad news. Fraud perpetrated in your business is often the result of rogue employees, and it can be dealt with much more quickly and at far less expense than a security breach of your cardholder data environment. The card-data theft that follows a breach is (these days) more likely the work of an organized criminal element than of a few disgruntled individuals.
Typically, card fraud within a business takes place on a much smaller scale than an all-out security breach, which is why the two require entirely separate responses. Below are recommendations on how organizations should respond with a preliminary investigation if there is suspicion that fraud or a breach may have occurred. This advice does not replace the guidelines of your merchant services provider (MSP) or processor, nor does it supersede the requirements given by the PCI Council; it’s simply based on my 20-plus years in the payment processing industry.
Do You Suspect a Breach May Have Occurred? Call Your MSP
The first step when you suspect you might be the victim of either fraud or a card data breach is to contact your MSP. (An MSP is the person or organization that sets up your merchant account.) Your MSP should then guide you through the other required steps. This initial call fulfills the reporting requirements that are usually written into your merchant services agreement, and even if it’s as simple as “we’re seeing some unusual activity and just want to give you a heads up that we’re looking into it internally,” it can go a long way in helping you avoid future issues and potential fines.
Begin an Internal Investigation
Next, launch an internal investigation. Verify that your antivirus program is up to date and check for malware and virus alerts. Review all your audit records and look for anything unusual. Are there any security alerts you might have overlooked? Then look for suspicious patterns. Were all the affected customers served on the same day? Were they helped by the same employee(s)? Did the affected e-commerce customers all shop on a certain day, or do their orders share some other suspicious pattern? As part of your internal investigation, also review your surveillance video.
Enlist Your Trusted IT Employees to Help Investigate
If you have trusted IT administrative staff, get them involved in reviewing your firewall and systems logs. They should also check to see if there are any rogue or unidentified application programs on your payment systems. This can be a tricky task because an illicit program, such as a memory scraper, typically won’t appear in your programs list. However, these are all steps that can help you to begin narrowing down the source of the problem and possibly rule out a full-scale breach.
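One way to carry out the audit-record review described in the two steps above, written as an added example rather than code from the author or from Shift4: a Python script that takes a merchant's own transaction records plus the card tokens whose holders reported problems, and checks whether the affected transactions cluster on one date, employee, terminal or sales channel. Each cluster is measured against that value's baseline share of all transactions (its "lift"), so a busy clerk or the dominant sales channel is not flagged merely for being common. The record layout, field names, sample transactions and thresholds are all assumptions constructed for the example.

```python
"""Common-point triage for reported card fraud.

Added example, not from the original article.  Given a merchant's transaction
records and the tokens of cards whose holders reported suspicious activity,
find whether the affected transactions concentrate on one date, employee,
terminal or channel.  A strong, high-lift cluster points at a narrow internal
cause (the article's "dishonest employee" case); no cluster suggests the
common point of purchase may not be this business at all.  Card values are
tokens or last-four references, never full PANs, so the triage file itself
holds no cardholder data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    date: str
    card_token: str
    employee: str
    terminal: str
    channel: str  # "pos" or "ecom"


# Constructed sample: three days of trade, three clerks, two POS lanes, a web store.
TRANSACTIONS = [
    Txn("t01", "2024-03-01", "tok-a1", "alice", "lane1", "pos"),
    Txn("t02", "2024-03-01", "tok-b2", "bob",   "lane2", "pos"),
    Txn("t03", "2024-03-01", "tok-c3", "carol", "lane1", "pos"),
    Txn("t04", "2024-03-01", "tok-d4", "web",   "web",   "ecom"),
    Txn("t05", "2024-03-02", "tok-e5", "alice", "lane1", "pos"),
    Txn("t06", "2024-03-02", "tok-f6", "bob",   "lane1", "pos"),
    Txn("t07", "2024-03-02", "tok-g7", "bob",   "lane2", "pos"),
    Txn("t08", "2024-03-02", "tok-h8", "web",   "web",   "ecom"),
    Txn("t09", "2024-03-03", "tok-i9", "carol", "lane2", "pos"),
    Txn("t10", "2024-03-03", "tok-j0", "bob",   "lane1", "pos"),
    Txn("t11", "2024-03-03", "tok-k1", "alice", "lane1", "pos"),
    Txn("t12", "2024-03-03", "tok-l2", "web",   "web",   "ecom"),
]

# The attributes the article's questions ask about (day, employee, terminal, channel).
ATTRIBUTES = ("date", "employee", "terminal", "channel")


def affected_transactions(txns, reported_tokens):
    """Transactions whose card is on the list of cards reported as misused."""
    return [t for t in txns if t.card_token in reported_tokens]


def concentration(txns, affected):
    """Per attribute: the most common value among affected transactions,
    its share of the affected set, and its lift over the baseline share."""
    result = {}
    for attr in ATTRIBUTES:
        base = Counter(getattr(t, attr) for t in txns)
        hit = Counter(getattr(t, attr) for t in affected)
        value, n = hit.most_common(1)[0]
        share = n / len(affected)
        baseline = base[value] / len(txns)  # > 0 because affected is a subset of txns
        result[attr] = {"value": value, "share": round(share, 2),
                        "lift": round(share / baseline, 2)}
    return result


def triage(txns, reported_tokens, min_affected=3, min_share=0.75, min_lift=2.0):
    """Classify the reports: too few to judge, a common point inside the
    business, or no common point (thresholds are assumed, tune to your volume)."""
    affected = affected_transactions(txns, reported_tokens)
    if len(affected) < min_affected:
        return {"verdict": "insufficient_data", "affected": len(affected), "clusters": {}}
    stats = concentration(txns, affected)
    clusters = {a: s for a, s in stats.items()
                if s["share"] >= min_share and s["lift"] >= min_lift}
    verdict = "common_point_found" if clusters else "no_common_point"
    return {"verdict": verdict, "affected": len(affected),
            "clusters": clusters, "stats": stats}


if __name__ == "__main__":
    # Four reported cards, all handled by the same clerk on different days.
    print(triage(TRANSACTIONS, {"tok-b2", "tok-f6", "tok-g7", "tok-j0"}))
    # Four reported cards spread across clerks, lanes and the web store.
    print(triage(TRANSACTIONS, {"tok-a1", "tok-f6", "tok-i9", "tok-l2"}))
```

In the first scenario every affected card was handled by the clerk "bob", whose baseline share of trade is one third, so the employee attribute clusters with a lift of 3 while the "pos" channel, although it covers all four affected cards, has a lift of about 1.3 and is rightly ignored. In the second scenario nothing clusters, which is the situation in the hotel anecdote later in this article: the common point of purchase was another business entirely.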
Identify the Likelihood of Fraud or a Breach
What if you find no malware or rogue programs and no indication of a massive theft of your customers’ payment card data? Perhaps only a few customers have contacted you to report a potential issue. This is still something to take seriously, but experience tells me in these cases that it’s more likely to be internal fraud committed by one of your employees than a full-blown breach. Fraud is usually much more limited in scope than a data breach. While external crooks occasionally perpetrate it, most fraud in the industry today involves a dishonest employee within your organization.
In the case of a major breach, you are more likely to be contacted by your MSP, your bank, or one of the card brands than by a handful of concerned customers. Occasionally the first contact in a major breach comes from law enforcement.
Be Wary of Phishing Scams
I’m sad to report that there is a known phishing scam in which people call merchants, purporting to be from the bank or even the Secret Service, and claim they are investigating a breach. They will then ask for your merchant account information, which they can later use to defraud you. That’s why we recommend you do your homework when someone contacts you unexpectedly and makes these claims. You can request that law enforcement send a local officer out to meet you in person. You can ask for an email or fax on company letterhead. Often the easiest check is to ask whether you can call them back. If you call the local Secret Service office or your MSP’s fraud department using the number listed on their website and they tell you they’ve never heard of the person who called you, then it was probably a phishing scam.
Follow Appropriate Procedures for Fraud or a Breach
So, whether it’s a call from the card brand or your own internal investigation that determines your environment has actually been breached, the response is the same. Your response to a breach is strictly regulated by PCI, the card brands’ procedures and (in most cases) the state and federal government. When you contact your MSP, ask them if they will be contacting the card brands or if you need to do it. Likewise, work with them to inform the proper authorities. They will also advise whether you need to enlist the support of a PCI Forensic Investigator (PFI) to track down the source of the breach. Depending on the magnitude of a breach, one or more of the card brands may automatically direct a full investigation by a PFI.
With a fraud situation, you have a little more discretion in how you proceed. A dishonest employee stealing a handful of card numbers probably doesn’t warrant a call to the Secret Service or spending tens of thousands of dollars on a forensic investigation. You should inform your MSP and they will advise whether you need to inform the card brands, and – of course – you may also want to turn the evidence over to your local police. However, dealing with the problem on your own and alerting your MSP is usually sufficient unless your preliminary investigation points to a major compromise of your environment (either malware that has been taking card data out of your system or some other major theft of customer information).
One more point on these preliminary investigations: please do them. Before you panic and before you call in the cavalry, take the time to really look at what’s going on. A few years ago, we had a customer panic after receiving a handful of calls from concerned customers reporting suspicious activity on their cards after staying in their hotel. The hotel called the police, the card brands, their attorneys, and their PR team – all before they did any investigation into the problem. After careful examination, it turned out that they had not been breached at all; the restaurant a few miles up the road had been compromised, and many of their customers had eaten there. This company spent thousands of dollars to bring in significant outside resources that proved entirely unnecessary.
Please note that this guidance is by no means intended to be a comprehensive to-do list. What I have provided are the vital questions you need to get answered and the early steps to get you moving down the right road. Card data breaches are serious crimes, and they can be costly and time-consuming to recover from. Be vigilant in securing your customers’ sensitive data, and quick to respond to any suspicious activity, but always do your due diligence before spending time and resources that may not be required.
About the Author: J.D. serves double duty as Shift4's Senior Vice President, Research and Development and Chief Technology Officer. J.D. is a Certified Network Engineer with more than 15 years of experience. He leads Shift4's system operations and development efforts as well as the security and compliance teams. J.D. is the overall architect of the DOLLARS ON THE NET® solution. He was also an early adopter/member of the PCI Security Standards Council.