Fighting Payment Fraud in the Supply Chain

Best practices for procurement officers

Aaron Bills Lores 10456840

Procurement professionals manage a world of complexity, which leads to occasional worries.

As oil and commodity prices rise, they fret that the increased cost of buying raw materials will wreak havoc with their employer’s bottom line. Tsunamis, earthquakes and political turmoil overseas—coupled with a devalued U.S. dollar, stressed euro and strengthening Chinese yuan—also could impact their global sourcing abilities and the price of products and services in their supply chain.

As defenders of their organization’s costing structure, procurement managers also find themselves with an entirely new set of challenges. Until recently, though, procurement was a necessary, but seldom celebrated, function of corporate life.  

Through the 1970s and 1980s, the profession largely existed as a back-office function, where armies of junior clerks entered data from paper purchase requisitions into the company’s financial system. Procurement managers fought to be accepted by the C-suite as value-added business partners, not just as purchase order custodians.

It was during those decades that U.S. manufacturers began embracing the concept of business process management in efforts to transform their factories into models of quality and efficiency. Business process and quality gurus such as W. Edwards Deming, together with statistical process control and other techniques, drove remarkable improvements in product quality.

By the 1990s, as quality strategies such as Six Sigma took hold, the relationship between buyers and sellers had evolved. Manufacturers across industry sectors and geographic boundaries who sought to deepen their understanding of the complex connection between high quality, ease of use and fair pricing developed close links with suppliers, turning what had been one-time purchases from vendors into longer-term business relationships. Significant investments were made in new procurement automation tools and supply-chain management systems, which were developed and deployed across the industry.

The next chapter

As companies continue their quest to lower costs and improve supply-chain visibility, the concepts that worked in the material supply chain are being applied to the financial supply chain. Firms are focused on just-in-time payments to suppliers and on exerting greater financial transparency and control. The emphasis is now on managing the interactions between their accounts payable (AP) function and the supplier's accounts receivable (AR) function. Manual data entry, billing and processing of traditional AP and AR transactions are giving way to workflow automation, enabling the foot soldiers of procurement to cross-train in such key treasury functions as reconciliation of bank payments with corporate accounts.

Procurement personnel are also being tasked with linking supply chain spend to strategic organizational priorities, improving inventory management while streamlining internal operations, and collaborating with treasurers to optimize working capital. At the same time, they're increasingly responsible for handling a number of cross-functional risks related to an organization's sourcing, purchasing, payment, logistics and supplier requirements. New capabilities, such as the use of purchasing cards (p-cards) to initiate supplier payments, or moving check payments to Automated Clearing House (ACH) transfers, are now part of the supplier-relationship discussion.

Any supply-chain executive who deploys and uses advanced electronic payment mechanisms must understand that this process requires putting the right tools, controls and people in place to measure, track and mitigate organizational exposure to a growing multitude of risks – including payment fraud.

Every new capability brings new challenges. For example, a supplier being asked to accept p-cards as a method of payment against invoices (an excellent mechanism for B2B companies) is now also exposed to new risks, as well as to the fraud-mitigation compliance requirements of the Payment Card Industry Data Security Standard (PCI DSS), because it is handling cardholder data.

Payment fraud is among the growing risks companies of every size face in today’s digital payment age. A mobile workforce armed with portable data-bearing devices and cyber criminal syndicates intent on stealing confidential corporate information, such as credit card data and employees’ Social Security numbers, pose greater security threats than ever.

As businesses write fewer checks and the U.S. payment system slowly morphs from paper to electronic form, this convenience also opens up new security holes and opportunities for theft. More banks are processing checks by scanning them and sending images instead of paper checks through their systems, an outgrowth of the federal Check Clearing for the 21st Century Act (Check 21), which took effect in 2004 and allows banks to clear payments using electronic check images and substitute checks rather than the original hard-copy check. One of the top security threats businesses and financial institutions now face is ACH fraud, in which cyber criminals trick employees into giving up corporate online-banking credentials and then use those credentials to originate transfers that the bank processes as if the company had approved them.

Rising incidents of corporate account takeovers related to ACH fraud recently prompted the Federal Financial Institutions Examination Council (FFIEC) to issue updated guidance for banks in implementing online authentication best practices for commercial accounts.
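The account-takeover pattern described above is usually caught, if at all, by controls on the corporate side of the AP run rather than at the bank's login page: a payee whitelist, a check that bank details still match the vendor master, out-of-pattern amount detection and dual authorization. The following Python is an added illustration of that layered screening and is not code from the original article; the record layout, the vendor master, the thresholds and the sample batch are all assumptions constructed for the example.

```python
"""Layered screening of an outbound ACH payment batch (added example).

Models the corporate-side controls that complement bank-side authentication:
payee must exist in the vendor master, bank details must match what was
verified at onboarding, amounts far above the supplier's history are held,
and large payments need a second, independent approver. All data below is
constructed for the example; the thresholds are assumed, not prescribed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Supplier:
    """A vendor-master entry with the bank details verified at onboarding."""
    name: str
    routing: str
    account: str
    avg_amount: float  # historical average payment to this supplier (assumed)


@dataclass
class Payment:
    """One ACH credit instruction as entered by an AP clerk."""
    supplier: str
    routing: str
    account: str
    amount: float
    requested_by: str
    approved_by: Optional[str] = None  # second approver, if any


@dataclass
class Decision:
    status: str                     # "release" or "hold"
    reasons: List[str] = field(default_factory=list)


def screen_payment(p: Payment, master: Dict[str, Supplier],
                   amount_multiple: float = 3.0,
                   dual_auth_floor: float = 10_000.0) -> Decision:
    """Apply each control independently and hold the payment if any trips."""
    reasons: List[str] = []
    s = master.get(p.supplier)
    if s is None:
        reasons.append("payee not in vendor master")
    else:
        # A changed routing/account pair is the classic sign of a hijacked
        # vendor record or a fraudulent 'please update our bank details' note.
        if (p.routing, p.account) != (s.routing, s.account):
            reasons.append("bank details differ from vendor master")
        if p.amount > amount_multiple * s.avg_amount:
            reasons.append(f"amount exceeds {amount_multiple:g}x historical average")
    if p.amount >= dual_auth_floor:
        if p.approved_by is None:
            reasons.append("dual authorization required")
        elif p.approved_by == p.requested_by:
            reasons.append("approver must differ from requester")
    return Decision("hold" if reasons else "release", reasons)


def run_batch(batch: List[Payment], master: Dict[str, Supplier]) -> List[Decision]:
    return [screen_payment(p, master) for p in batch]


# Constructed vendor master and batch (not real suppliers or bank numbers).
VENDOR_MASTER = {
    "Acme Fasteners": Supplier("Acme Fasteners", "021000021", "123456789", 4_000.0),
    "Baltic Logistics": Supplier("Baltic Logistics", "011000015", "987654321", 25_000.0),
}

SAMPLE_BATCH = [
    Payment("Acme Fasteners", "021000021", "123456789", 3_800.0, "aclerk"),
    Payment("Acme Fasteners", "026009593", "555000111", 3_900.0, "aclerk"),
    Payment("Baltic Logistics", "011000015", "987654321", 30_000.0, "aclerk", "aclerk"),
    Payment("Baltic Logistics", "011000015", "987654321", 30_000.0, "aclerk", "bmanager"),
    Payment("Nordic Metals", "071000013", "1122334455", 12_000.0, "aclerk"),
]

if __name__ == "__main__":
    for p, d in zip(SAMPLE_BATCH, run_batch(SAMPLE_BATCH, VENDOR_MASTER)):
        print(f"{p.supplier:18} {p.amount:>10,.2f} {d.status:8} {'; '.join(d.reasons)}")
```

The second sample payment is the one to watch: the amount is unremarkable, so an amount-only rule would release it, but the bank details no longer match the vendor master, which is exactly how a takeover of the vendor record or of the clerk's banking session turns into a lost payment.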

Criminals online today are clever, patient, organized and global. They're masters of social engineering, skilled in targeting the businesses, governments and individuals that are most vulnerable and offer the highest potential for gain. Often, they and their networks are located in countries where security and enforcement are lax and financial fraud is difficult to prosecute. Their phishing attacks are becoming more sophisticated, luring unsuspecting targets into clicking on links in seemingly genuine emails, unleashing malware that compromises employee computers or installs keystroke loggers that collect user login IDs, account data and other personally identifiable information.

Cyber threats also present themselves in the form of malware that embeds itself in the browser and can then divert, modify or manipulate information a user submits on an online log-in page. This type of attack is referred to as a "man-in-the-browser" attack, a variant of the man-in-the-middle attack in which the interception happens inside the victim's own browser rather than on the network. Because it sits between the user and the page, it can harvest data that cyber criminals can replay as secondary authentication, such as one-time passcodes or challenge-question answers, when logging into the user's bank account.

Protecting against payment fraud continues to be a significant and growing cost for organizations of all sizes. Consider these sobering statistics.

In its Internet Security Threat report, antivirus software vendor Symantec found that customer-related information was the most exposed type of data during breaches in 2010. Criminals find customer data alluring because it typically contains financial information such as credit card and bank account numbers that can be used for lucrative fraud schemes and large financial payouts. According to the study, Trojans continue to be a prominent malicious code threat because the majority of fraud activity is now financially motivated. Many Trojans are designed to steal information and are a primary means for attackers to harvest credit card information or banking credentials.

The Ponemon Institute reported in its Second Annual Cost of Cyber Crime Study that online crime cost the 50 U.S. organizations participating in its study a median of $5.9 million per year, up 56 percent from the prior year's study, with individual companies reporting annualized costs as high as $36.5 million. These organizations also experienced 72 successful attacks per week in aggregate, more than one successful attack per company per week, an increase of 44 percent from a year earlier. According to Ponemon's research, the most costly cyber crimes are those caused by malicious code, denial of service, stolen devices and web-based attacks.

The 2011 Data Breach Investigations Report issued by Verizon Business found that 76 percent of all compromised data came from corporate servers, 96 percent of all breaches were avoidable through simple or intermediate controls, 86 percent were discovered by a third party, and 89 percent of victims subject to PCI DSS rules for protecting credit card data were not in compliance at the time of the breach.

These reports serve as powerful reminders of the importance of safeguarding financial data and how difficult it can be for companies to ensure proper safeguards when they try to do it themselves. 

As purchasing executives and acquisition managers seek to simultaneously be paid electronically and disburse payments electronically to their suppliers, they bear responsibilities in each respective role. For example, the use of corporate p-cards through buyer-initiated payments or electronic AP methods traditionally required a supplier to keep live credit card data on file. With recent technological advances, many suppliers are no longer storing card data internally but instead opting for one-time-use (single-use virtual) card numbers or a fully automated, buyer-initiated electronic system, with payments sent directly to the supplier's merchant account without the card data ever being exposed to the supplier's own systems.

Managing payment information security in large organizations is a dynamic, complex task with multiple components, resource needs and requirements that constantly change. Many companies that accept credit card payments from buyers and must, therefore, comply with PCI DSS rules rely these days on outsourced solutions that completely remove payment data from their internal systems. Yet thousands of businesses still use outdated technology that doesn't adequately protect confidential credit card data, exposing their business, employees and customers to risk and potential losses.
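The two preceding paragraphs describe the same design goal from the supplier's side: accept a p-card payment without ever holding the card number, and make a single-use card impossible to charge twice. The Python below is an added illustration of that arrangement, not code from the original article or from any real tokenization provider. The TokenVault class stands in for an outsourced provider and its API is assumed; the card numbers are the standard Visa and Mastercard test numbers, and the invoice records are constructed for the example.

```python
"""Keeping card data out of a supplier's AR system (added example).

A simulated external token vault holds the primary account number (PAN);
the supplier's own records keep only an opaque token and the masked number,
and a single-use virtual card can be charged exactly once. The vault API,
record layout and sample data are assumptions for this illustration.
"""
import re
import secrets
import string
from typing import Dict, List, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation, as used for card numbers."""
    pan = pan.replace(" ", "")
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the form PCI DSS allows to be displayed."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Stand-in for an outsourced tokenization/payment provider (assumed API)."""

    def __init__(self) -> None:
        self._pans: Dict[str, Tuple[str, bool]] = {}   # token -> (PAN, single_use)
        self._spent: set = set()

    def tokenize(self, pan: str, single_use: bool = False) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Letters only, so a token can never be mistaken for a card number.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(16))
        self._pans[token] = (pan.replace(" ", ""), single_use)
        return token

    def charge(self, token: str, amount: float) -> dict:
        pan, single_use = self._pans[token]
        if single_use and token in self._spent:
            raise PermissionError("single-use card already charged")
        self._spent.add(token)
        return {"approved": True, "amount": amount, "last4": pan[-4:]}


class SupplierAR:
    """The supplier's receivables system: it never stores a full PAN."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.records: List[dict] = []

    def accept_card(self, invoice_id: str, pan: str, single_use: bool = False) -> str:
        token = self.vault.tokenize(pan, single_use)
        self.records.append({"invoice": invoice_id, "token": token, "card": mask_pan(pan)})
        return token

    def settle(self, invoice_id: str, amount: float) -> dict:
        rec = next(r for r in self.records if r["invoice"] == invoice_id)
        return self.vault.charge(rec["token"], amount)

    def pan_on_file(self) -> bool:
        """Audit helper: does any stored field contain a 13-19 digit run?"""
        return any(re.search(r"\d{13,19}", str(v)) for r in self.records for v in r.values())


def demo() -> dict:
    """Run the buyer-initiated, single-use card flow and summarize the outcome."""
    ar = SupplierAR(TokenVault())
    ar.accept_card("INV-1001", "4111 1111 1111 1111", single_use=True)  # constructed
    first = ar.settle("INV-1001", 1250.00)
    try:
        ar.settle("INV-1001", 1250.00)
        second_rejected = False
    except PermissionError:
        second_rejected = True
    return {"first_approved": first["approved"], "last4": first["last4"],
            "second_rejected": second_rejected, "pan_on_file": ar.pan_on_file()}


if __name__ == "__main__":
    print(demo())
```

The point of the audit helper is that PCI DSS scope follows the data: if a scan of the supplier's own records never finds a full card number, the systems holding those records are outside the cardholder data environment, which is what the outsourced arrangements in the text achieve.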