Fighting Payment Fraud in the Supply Chain

Best practices for procurement officers

December 1, 2011

Procurement professionals manage a world of complexity, which leads to occasional worries.

As oil and commodity prices rise, they fret that the increased cost of buying raw materials will wreak havoc with their employer’s bottom line. Tsunamis, earthquakes and political turmoil overseas—coupled with a devalued U.S. dollar, stressed euro and strengthening Chinese yuan—also could impact their global sourcing abilities and the price of products and services in their supply chain.

As defenders of their organization’s costing structure, procurement managers also find themselves with an entirely new set of challenges. Until recently, though, procurement was a necessary, but seldom celebrated, function of corporate life.

Through the 1970s and 1980s, the profession largely existed as a back-office function, where armies of junior clerks entered data from paper purchase requisitions into the company’s financial system. Procurement managers fought to be accepted by the C-suite as value-added business partners, not just as purchase order custodians.

It was during those decades that U.S. manufacturers began embracing the concept of business process management in efforts to transform their factories into models of quality and efficiency. Business process and quality manufacturing gurus such as W. Edwards Deming, statistical process controls and other techniques drove remarkable improvements in product quality.

By the 1990s, as quality strategies such as Six Sigma took hold, the relationship between buyers and sellers had evolved. Manufacturers across industry sectors and geographic boundaries who sought to deepen their understanding of the complex connection between high quality, ease of use and fair pricing developed close links with suppliers, turning what had been one-time purchases from vendors into longer-term business sales relationships. Significant investment in new procurement automation tools and supply-chain management systems were developed and deployed.

The next chapter

As companies continue their quest to lower costs and improve supply-chain visibility, the concepts that worked in the material supply chain are being applied to the financial supply chain. Firms are focused on just-in-time payments to suppliers and exert greater financial transparency and control. The emphasis is now on managing the interactions of their accounts payable (AP) with the supplier’s accounts receivable (AR) functions. Manual data entry, billing and processing of traditional AP and AR transactions are giving way to workflow automation, enabling the foot soldiers of procurement to cross-train in such key treasury functions as reconciliation of bank payments with corporate accounts.

Procurement personnel are also being tasked with linking supply chain spend to strategic organizational priorities, improving inventory management while streamlining internal operations, and collaborating with treasurers to optimize working capital. At the same time, they’re increasingly responsible for handling a number of cross-functional risks related to an organization’s sourcing, purchasing, payment, logistics and supplier requirements. New capabilities, such as the use of purchase cards (p-cards) to initiate supplier payments, or transitioning check payments via Automated Clearing House (ACH) are now part of the supplier-relationship discussion.

Any supply-chain executive who deploys and uses advanced electronic payment mechanisms must understand that this process requires putting the right tools, controls and people in place to measure, track and mitigate organizational exposure to a growing multitude of risks – including payment fraud.

As with all new capabilities come new challenges. For example, a supplier being asked to accept p-cards as a method of payment against invoices (an excellent mechanism for B2B companies) is now also exposed to new risks as well as fraud mitigation compliance requirements known as the Payment Card Industry Data Security Standards (PCI-DSS)

Payment fraud is among the growing risks companies of every size face in today’s digital payment age. A mobile workforce armed with portable data-bearing devices and cyber criminal syndicates intent on stealing confidential corporate information, such as credit card data and employees’ Social Security numbers, pose greater security threats than ever.

As businesses write fewer checks and the U.S. payment system slowly morphs from paper to electronic form, this convenience also opens up new security holes and opportunities for theft. More banks are processing checks by scanning them and sending images instead of paper checks through their system – an outgrowth of a 2004 federal law called Check 21 that allows banks to return electronic check images to issuers rather than the original hard-copy check in clearing payments. One of the top security threats businesses and financial institutions now face is ACH fraud in which cyber criminals trick employees into releasing corporate bank account login information and banks into approving and transferring company funds.

Rising incidents of corporate account takeovers related to ACH fraud recently prompted the Federal Financial Institutions Examination Council (FFIEC) to issue updated guidance for banks in implementing online authentication best practices for commercial accounts.

Criminals online today are clever, patient, organized and global. They’re masters of social engineering, skilled in targeting the most vulnerable businesses, governments and individuals with the highest potential for gain. Often, they and their networks are located in rogue nations where security and enforcement are lax and financial fraud is difficult to prosecute. Their “phishing” attacks are becoming more sophisticated, luring unsuspecting targets into clicking on links in seemingly genuine emails, unleashing malware that compromises employee computers or allows keystroke logger robots to collect user login IDs, account data and other personally identifiable information.

Cyber threats also present themselves in the form of malware that embeds itself in a browser application that can then divert, modify or manipulate information that a user submits on an online log-in page. For example, this type of attack, often referred to as a “man-in-the browser” or “man-in-the-middle” attack, looks for data that can be used by cyber criminals as secondary authentication for logging into a user’s bank account.

Protecting against payment fraud continues to be a significant and growing cost for organizations of all sizes. Consider these sobering statistics.

In its Internet Security Threat report, antivirus software vendor Symantec found that customer-related information was the most exposed type of data during breaches in 2010. Criminals find customer data alluring because it typically contains financial information such as credit card and bank account numbers that can be used for lucrative fraud schemes and large financial payouts. According to the study, Trojans continue to be a prominent malicious code threat because the majority of fraud activity is now financially motivated. Many Trojans are designed to steal information and are a primary means for attackers to harvest credit card information or banking credentials.

The Ponemon Institute reported in its Second Annual Cost of Cyber Crime Study that online crime cost the 50 U.S. multinational enterprises participating in its study an average of $5.9 million per year, up 56 percent over last year’s annualized average of $36.5 million per company. These corporations also experienced 72 successful attacks per week and more than one successful attack per company per week, an increase of 44 percent from a year ago. According to Ponemon’s research, the most costly cyber crimes are those caused by malicious code, denial of service, stolen devices and web-based attacks.

A 2011 Data Breach Investigations report issued by Verizon Business found that 76 percent of all compromised data came from corporate servers, 96 percent of all breaches were avoidable through simple or intermediate controls, 86 percent were discovered by a third party, and 89 percent of victims subject to PCI-DSS rules for protecting credit card data were not in compliance.

These reports serve as powerful reminders of the importance of safeguarding financial data and how difficult it can be for companies to ensure proper safeguards when they try to do it themselves.

As purchasing executives and acquisition managers seek to simultaneously be paid electronically and disburse payments electronically to their suppliers, they bear responsibilities in each respective role. For example, the use of corporate p-cards through buyer-initiated payments or electronic AP methods traditionally required a supplier to keep live credit card data on file. With recent technological advances, many suppliers are no longer storing card data internally but instead opting for one-time-use cards or a fully automated, buyer-initiated electronic system, with payments sent directly to the supplier/merchant account without the card data ever being exposed.

Managing payment information security in large organizations is a dynamic, complex task with multiple components, resource needs and requirements that constantly change. Many companies that accept credit card payments from suppliers and must, therefore, comply with PCI-DSS rules rely these days on outsourced solutions that completely remove payment data from their internal systems. Yet thousands of businesses still use outdated technology that doesn’t adequately protect confidential credit card data, exposing their business, employees and customers to risk and potential losses.

10 Best Practices Tips

The Best Defense is a Multilayered Offense. Assume your systems will be compromised at some point – and plan for it. Manage the risk of a potential breach by solving for the concept of “graceful failure,” and invest sufficient time and money in smart people and the right technologies to build and maintain a secure, multilayered system that locks down payment data so it’s worthless to hackers in case of a breach. Have policies in place for firewall maintenance. Provide for vulnerability assessment and intrusion detection as well as training for systems administrators with access to sensitive information. By assuming that perpetrators will eventually gain some form of access to your confidential data, plan for a deep, multilayered defense to secure your system so that if one safeguard fails, other countermeasures can detect and respond to an attack. Combine IDs, passwords and tokens with robust business rules that limit activity to normal business patterns, payment types and accounts. Make sure a detailed audit trail is created, so that you’ll know who touched what data and when.

Identify your go-to team. Form a fraud prevention team that thinks and works strategically to prevent attacks rather than just detect and fight them. Involve your suppliers and vendors so that everyone understands one another’s goals, requirements and capabilities.

Stay Informed. When acquiring technology applications related to payment processing, be fluent in privacy protection, PCI-DSS data protection and compliance requirements so that you can discuss the issues and the countermeasures embedded in your system as part of the sourcing team involved in payment technology acquisition. To be a meaningful contributor to the sourcing team, it often falls to the purchasing executive to keep up with one’s colleagues and raise issues that their colleagues may not be aware of.

Use Your Head. An alert mind is often the best defense against fraud. Train employees and system users to keep an eye out for "things that don't belong" – out-of-pattern, unexpected account usage, for example – and to sound an alert in case of anomalies.

Move the target. One of the safest practices for purchasing officials and suppliers who process credit card data is so obvious it is often overlooked: eliminating the storage of that data altogether. No data stored = less risk. Unless it’s absolutely necessary to retain payment or cardholder data, don’t. Cyber criminals think day and night about how to invent and execute a clever attack, and they gravitate to pathways that offer the least resistance for the greatest payoff. Study after study shows that failure to protect sensitive payment data from a breach leads to massive financial costs, customer defections, lawsuits and loss of reputation.

Change the target. Tokenization is one of the best strategic weapons for protecting financial data. With tokenization, a customer’s credit card or bank account data is replaced with randomly generated reference keys using a process that safely converts real card or account numbers into a string of characters which then become useless to would-be hackers.

Isolate the target. Segregate accounts by type of use, such as for exclusive deposits, and instruct banks not to post checks or ACH transactions against those accounts so that out-of-pattern events are easier to detect.

Secure system gateways and endpoints. Your network architecture and PCs should be scanned regularly for vulnerabilities, every transaction point where payment information is exchanged should be scrutinized, and all document payment data flows and touch points secured. Protecting against malicious viruses, malware and spyware infections is often the first line of defense against a security breach. Not only should you install anti-virus software, you must also keep it regularly updated.

Adopt industry safeguards. The major U.S. credit card companies developed the PCI standards as guidelines to help merchants, vendors, service providers and banks who collect, process and store credit card data better protect that sensitive data from being stolen or compromised. Becoming PCI-certified doesn't magically shield a business from losing data or provide impenetrable security against hackers or malware. But they have proven to be an excellent roadmap for data security best practices. Use PCI standards not only for card activity, but also as a guideline for protecting other key data and access.

Do your homework when outsourcing. When choosing an outside payment system or data security provider, make sure they have deep security capabilities and a like-minded business focus. If card-based, make sure they’re PCI-compliant and audited every year by an independent third party. Seek suppliers whose global payment platform manifests a high degree of security authentication and controls across all payment types and provides a mix of services you need with the most secure infrastructure and policies.