Cybersecurity & Payment systems: it’s just not about fraud anymore

By Guy-philippe Goldstein, lecturer at EGE (Ecole de Guerre Economique de Paris) & Advisor to PwC France

FIC – LILLE
Payment systems, and the authentication systems built around them, are the unsung heroes of the digital revolution. Without them, the enablement of ecommerce would not have been possible. What started with Pizza Hut’s online shop in 1994 – one the first ever to enable online purchase – and then the use of Secure Sockets Layer by Netscape Communications, has turned into a behemoth. Today, E-Commerce amounts to approximately 2.3 trillion US dollars and should double by 2021, less than three years from nowⁱ. Overall, E-Commerce today represents 10% of retail sales and should reach 20% worldwide in 2023 – and up to 35% in the Asia Pacific areaⁱⁱ.

But without securing a modicum of trust among parties in order to authorize exchange of goods and payments, these figures would have never been attained and it is probable E-Commerce would have remained an interesting but experimental means of exchange. And Amazon today would not be the company with the second largest market capitalization in the world, worth the value of WalMart, Home Depot and CVS combined.

A large part of this achievement is drawn from the payment industry’s successful fight against online fraud. In the United States, the average annual fraud loss from web store, as a percentage of annual eCommerce revenue, has been nearly halved in 7 years, declining from 1.40% in 2007 to 0.80% in 2015ⁱⁱⁱ. To take another example, in the United Kingdom, the amount of e-commerce fraud losses on issued cards has been halved from 0.20% of national ecommerce sales in 2008 to slightly above 0.10% in 2014^iv. Many approaches have been successfully tried to resolve this issue, from the rapid spread of SSL certificates to the early development of anomaly detection systems based on various machine learning techniques.

This is the approach that greatly helped Paypal to become one of the early leaders in epayments. Artificial Intelligence and statistical modeling, using also third party data sources, constitute today core activities for units belonging to payment giants such as Visa or Mastercard. In some instances, the solutions have even become more problematic than the fraud itself: combined, both chargeback fraud – the fraudulent request for a return or refund in the form of chargeback in case of identity theft – and ‘friendly fraud’ – the non-malicious but erroneous use of merchant return policies – represent more than double the amount of ‘true fraud’ losses for merchants in the US^v. But if the solutions, chargeback and other return policies, entail more costs more than the problem itself; and if this has been accepted by industry players for quite some time while ecommerce is growing quickly; then it does hint that the underlying problem, fraud, is actually at manageable levels.

And yet, new dark clouds are gathering for the payment industry. This is in part captured by survey of retail banking executives: by 2017, their main concern had become cybersecurity^vi, following escalatory fears, starting in the year 2014-2015, among City of London’s finance executives, as captured by a bi-annual survey from the Bank of England^vii, or among global business leaders in the 2018 World Economic Forum’s Global Risks Survey: for the first time, cyberattacks have reached the top 3 spot in terms of main global risks^viii. Indeed, over the last few years, major cyberattacks have exposed deep vulnerabilities in our online payment and wiring systems. To cite a few famous examples – Target, the US retail company, was the victim of a cyber-attack in late 2013 that managed to reach its point-of-sales terminal; the SWIFT international payment system was abused by hackers perhaps from North Korea in order to defraud the Bangladesh central banks; and then the NotPetya wiper malware in 2017 managed to disrupt operations among 22 banks in Ukraine.

What is going on?

As with any other industries, the payment industry is actually today confronted with the full spectrum of cyber-risks. While it has historically focused on fraud, it is not anymore the only threat it faces from cyber-attacks. Cybersecurity issues can be analyzed using the “CIA” framework – identifying problems that could impact the confidentiality of data (C); its integrity (I); and its availability (A). Focusing on fraud has helped to alleviate the direct costs related to tampering on the integrity of data. But indirect effects, such as reputational impacts and degradation of the client relationship, may constitute a much heavier cost: a recent study conducted by PwC France has shown that for about 40% of publicly listed companies that had to disclose a significant cyber-attack, stock price losses had reached 20% on average 12 months later^ix. This may constitute a good evaluation of that reputational impact. The loss of confidentiality of data may also constitute another significant cost, especially in the European context of GDPR: up to 4% of yearly revenues may be at risk, as it constitutes the maximum penalty on companies that would have infringed this new EU regulation. But then again, the combined impact with reputational costs may be even more significative. After Heartland Payment Systems announced a large data breach on January 2009, stock price plunged, sinking nearly 80 percent by early March.

The fact that VISA had delisted Heartland from its list of validated service providers played a large part in that stock price collapse^x. Finally, financial companies and payments systems can suffer from lack of system availability caused by cyber-attacks. This is what happened already in a few examples linked to nation-state cyber-attacks – the cyber-attacks against Estonian bank Hansapank in 2007, against US banks during the Iranian-related Ababil cyber operations in 2012 and then, as already mentioned, during the 2017 NotPetya attack. Non-malicious incidents give an idea of the cost at stake. For example, the botched IT upgrade by British bank Lloyds TSB, leading up to 1.9 million customers locked out of their accounts for a few days, may have cost at least GBP 175 million^xi.

These are new challenges that must be tackled by the payment industry. In our volatile environment, such a cyber-disruption could have systemic effects to the rest of global markets^xii. Fraud has been managed. The payment and banking industry will have now to tackle the rest of the spectrum of cyber-risks. This is turning into a critical investment to make in order to maintain trust in our digital markets.