have fingerprint technology in place to authorise payments.”

Alan Gillies, vice-president of UK sales for American Express Global Corporate Payments, says that when an Amex card is added to Apple Pay, “a unique device account number, as opposed to the actual card number, is assigned, encrypted and securely stored in the secure element on your device. Each transaction is authorised with a one-time unique dynamic security code, instead of using the security code from the back of your card.”

Perhaps the security of smartphones was best illustrated by the time it took for the FBI to get into the iPhone of terrorist Syed Farook, who carried out the massacre in San Bernardino, California, in December. The crime-fighting agency only managed to get into Farook’s phone in late March and, before this breakthrough, had been trying to force Apple to write software to allow them access to this phone’s data – a move that Apple was resisting legally.

There have also been questions about the security of using ‘contactless’ cards to pay for goods and the potential ability of fraudsters to steal this information through near-field communication (NFC) technology. Consumer magazine Which? was able last year to use widely-available contactless-card-reading technology to obtain the card numbers and expiry dates of ten customer cards, which could be used to make fraudulent purchases.


UNIQUE IDENTIFICATION

The UK Cards Association says the solution to this kind of fraud is the increased use of ‘tokenisation’, where the card’s essential data is replaced by ‘unique identification symbols’, which allows the necessary payment information to be transmitted without compromising its security. “Card details would be tokenised, or disguised, and would sit on a phone or tablet and the user would authorise the payment with a passcode or other verification method,” says the association.

Protecting the ‘security of data’ remains one of the card industry’s major priorities and Barclaycard’s commercial cards product director, Maria Parpou, says this is illustrated by providers’ involvement in improving the security of card data through the industry-wide Payment Card Industry Data Security Standard (PCI DSS).


“Wherever possible card numbers are masked, and two-stage or two-factor authentication methods are used for accessing systems being used to store card data,” says Parpou.

The increased adoption of single-use virtual cards (see also feature, Virtually seamless, p14) is also seen as playing a major part in improving overall security and reducing the risk of fraud around business travel and meetings payments.

But there is no perfect solution or ‘magic bullet’ to prevent fraud, as Concur’s UK & Ireland managing director Chris Baker says: “Virtual, mobile and contactless payments have the potential to reduce fraud, but in reality the possibility of fraud will never be reduced to zero.

“The impetus remains on travellers and companies to remain vigilant and ensure that they’ve got the right levels of visibility into employee spend so that it is easy to spot an ‘out of character’ purchase quickly.”

So, much like the cops and criminals of The Wire, card providers and fraudsters will continue to look for ways to outwit each other, with technology being the key driving force. As one industry leader says: “We have to constantly come up with new ways to fight fraud attacks. We believe we have a strong range of tools to combat fraud at the moment. But you never know – things can look okay until they suddenly aren’t okay.”


TACKLING PAYMENT FRAUD: ADVICE FROM BANK OF AMERICA MERRILL LYNCH


There are several different approaches used by criminals when it comes to payment fraud. One of the most common is through a process known as ‘phishing’, where employees are tempted into clicking on a link or attachment in an email. If they do this, then malware is downloaded on to the staff member’s computer without them knowing it is happening. This can allow the criminal to get access to confidential information such as system log-in details and emails.

Fraudsters may also use an approach called ‘masquerading’, where they send an email pretending to be a senior manager who is giving instructions on a payment. This will also usually involve the employee being told to keep these instructions secret. The advice for staff receiving these kinds of emails or communications is that they should contact their IT department immediately. Employees are also advised to be wary of any unusual or confidential requests, and to never reply directly to the suspicious email because the fraudster may be using an email address that is slightly altered from the manager’s real address.

They should also validate all details by phone if there has been any change in a supplier’s address or bank account number. Having a ‘dual authorisation’ policy within the company, where two managers must sign off the payment, could reduce the risk of being defrauded as well.

The company’s bank should be alerted if a payment transfer needs to be stopped; and, when a computer has been affected by malware, it should be taken off the network until the malicious software has been totally removed.

30 BBT CORPORATE CARDS SUPPLEMENT 2016

