More consumers than ever are embracing digital methods to pay bills. In our research we found that 54% pay using the biller’s website, 33% use the biller’s mobile app, and 8% pay remotely using cash at a retail location. What’s more, a significant group of consumers says it would be very convenient to have additional mobile payment options, such as PayPal (20%), Apple Pay/Google Pay (14%) and Venmo (10%).
Billers are hurrying to get on board with these trends and make digital bill payment as easy and frictionless as possible. But before they get too far along that path, they should recognize that new payment types and channels add complexity to the payment delivery chain and require additional focus on vendor management. Without an oversight program, the business and their customers could potentially be at risk of excessive declines or disputes, service interruptions, increased transaction costs, and security incidents.
The 2022 Verizon Data Breach Investigations Report noted that ransomware attacks alone increased by 13% between 2020 and 2021—a larger jump than the past five years combined. Vendors, partners, and third parties in the payments delivery chain were responsible for 62% of system intrusion incidents in 2021, which may represent “larger trends that we’ve been seeing in the industry, in terms of the interconnected risks that exist between the vendors, partners and third parties,” according to the analysts.
Billers can’t opt out of offering digital payment options—customers have already made their preferences clear. However, they can choose a payments platform partner that expands and integrates digital bill payment, while effectively detecting and managing risk.
Lessons We Can Learn from Target
To illustrate how damaging a single cyberattack can be, it’s helpful to look at one of the most visible examples in recent history: the 2013 Target breach. According to one analysis, Target had to invest $100 million after the incident to improve its payments infrastructure, and another $100 million-plus in payouts to banks and credit card companies that had to reimburse customers.
But even more catastrophic was the hit to its reputation and customer trust. The company’s “buzz score,” which measures brand perception, dropped 45 points during the week after the breach and, in turn, profits dropped 46% in one quarter.
Your company may not be a mega-retailer like Target, yet this experience can teach billers that cybersecurity is always an “invest now or pay later” calculation. Invest in a secure payments platform now, or face the financial fallout when a security breach occurs.
In addition, a payments platform provider that cuts corners may compromise the very protections you currently have in place to hedge against cyber losses. For example, surging ransomware losses caused the cost of cyber insurance premiums to nearly double in 2021, and some insurers dropped coverage entirely for companies that couldn’t demonstrate they and their payments platform provider have reasonable security protections in place. Investing up front, including selecting the right payments platform partner, requires effort and forethought, but it could save you from these costly repercussions in the future.
Four Cybercrime Prevention Strategies
There are numerous cybercrime prevention strategies, but I’ll briefly cover four that your payments platform provider should have in place to guard against cyberattacks.
- Two-Factor and Biometric Authentication
Customers increasingly expect to be provided protection as part of the payments experience. And rightly so. A year-long study by Google, New York University, and UC San Diego found the simple practice of two-factor authentication using on-device prompts was highly successful at preventing the vast majority of account hijacks. Sending a message directly to the device on file and having the individual tap on the message to authenticate prevented 100% of automated bots, 99% of bulk phishing attacks, and 90% of targeted attacks.
Even better is biometric authentication, which is built into digital wallets and some mobile payment types such as Apple Pay and Google Pay. Customers avoid entering payment information altogether, simply using a facial scan or fingerprint to access their account.
Yes, authentication can add friction to the payments experience. However, it’s necessary friction that, when timed appropriately, actually creates a better experience for customers. Configuring the authentication “trust hug” early in the customer relationship, with messaging that lets customers know they are being protected against fraudulent transactions, is essential. Business rules can then be implemented to address anomalies that raise a red flag for potential fraud.
The payments provider should have a customer engagement strategy for educating customers and facilitating two-factor authentication for functions such as autopay registration. For built-in biometric authentication, it’s smart to work with a platform provider that enables Apple Pay and Google Pay as payment options and generates biller-unique credentials specific to each payer’s bill. Customers appreciate when authentication is designed as part of the payments experience because they understand the risk and potential misappropriation of their data, as well as the avoidable hassle of remediating the situation.
- Encryption and Tokenization
Encryption and tokenization play different roles in protecting data, so both should be leveraged to facilitate digital payments. Tokenization is the replacement of sensitive account-level data with a unique encrypted value. Encryption is the method by which the data is converted to a “secret value.”
Using them together helps companies build trust with customers by avoiding damaging data breaches. Additionally, these security measures help your payments platform provider meet the regulatory compliance requirements that apply to any business collecting credit or debit card information, which makes them must-have tools in your payments platform provider’s security toolbelt.
These methods protect sensitive payment data from being stolen and ransomed by cyber criminals. Even better, these methods act as deterrents, since hackers tend to gravitate to unprotected targets that offer a big payoff with minimal effort. If they can’t easily and quickly find valuable information, they will retreat and look elsewhere.
- A Risk Mitigation Team
Cybercriminals are both creative and skilled, so it’s important to have an equally formidable defense on your side. That means your payments partner employs a cross-functional team of seasoned risk, compliance and technology professionals who know how to design and build a secure payments environment: a head of risk to lead the development of a scalable control environment; an information security officer to oversee monitoring of the perimeter, conduct ongoing testing and perform security audits; staff members dedicated to reducing operational risk and implementing dynamic security protocols as necessary; and a legal and compliance officer to work with regulatory agencies, coordinate regulatory audits and ensure regulatory compliance.
Keep in mind that designing risk protections into a payment product or service is much more cost-efficient than retrofitting after the fact, so look for a payments platform with built-in controls, as well as a talented team that custom-fits them to client needs.
- Audits, Certifications, and Security Standards and Tests
With the intensifying pace of payment types and technologies, some payments platform providers have failed to prioritize time and resources for internal and external audits, security tests and security certification procedures. However, those areas of oversight provide an effective third line of defense—after operations and second-line functions such as risk management and compliance—to ensure the platform is sound from a “security hygiene” and regulatory perspective. Third-line audit functions keep payments platform providers sharp and accountable, and provide assurance to senior management and board members that the first two lines of defense are meeting expectations.
For that reason, billers should only work with a payments platform provider that has undergone comprehensive privacy and security assessments and certifications performed by qualified third parties. For example, to keep information assets secure, a payment platform provider should hold ISO/IEC 27001 certification or an equivalent security-focused certification.
The platform should also be PCI compliant and have processes in place to enable the biller’s customer support staff to maintain compliance when interacting with customers regarding payment.
Every payments partner under consideration should be following NIST CSF, a cybersecurity framework containing industry standards and best practices to help organizations understand and reduce their risk.
Finally, ask prospective payments platform providers whether they conduct regular security training for their staff—including social engineering risks—and test their systems to identify vulnerabilities. You need to know you have someone on the inside thinking like a cybercriminal and taking preventive measures accordingly.
Securing Every Link for Digital Bill Payments
Today’s bill payment stack is more complex than ever with the addition of digital bill payment options—digital wallets, scan-and-pay QR codes, person-to-person payment apps, and more.
You can’t control the criminals, but you can strengthen your payment supply chain, from beginning to end, by working with a security-focused payments platform provider that has put in place protections, such as two-factor verification; encryption and tokenization; a risk management and compliance team; and professional third-party audits, security tests and certifications.
The evolution of mobile bill payment is in full swing. Now payments professionals must work together to stay one step ahead of those working to exploit it.