Will Data Sharing Stop Data Breaches?

When MPD CEO Karen Webster kicked off Retail Reinvention 2015 last week (Aug. 4-5), she reminded the room of industry innovators from across the retail, payment and commerce landscape they had a front row seat to the reinvention of retail.

While those at the two-day retail summit got the inside scoop first from leaders in retail technology, digital retailing and engagement tactics, fraud management, EMV, security and cross-border commerce, the conversations didn’t stop there. After all, reinventing retail means taking complex concepts discussed from leaders across those individual sectors and finding solutions that can be implemented in the real world.

And in that real world, there’s one big topic that continues to be the elephant in the room that everyone knows they should be talking about — but no one really wants to. It’s a topic that touches the deepest and most important aspects of retail and commerce and can shake any company to its core if not handled properly. That topic, of course, is the role of privacy, data and security as it relates to protecting consumer privacy, keeping data secure and managing fraud while fostering business growth.

Michael Reitblat, CEO and Co-Founder of Forter, a real-time fraud prevention solution provider for online merchants, got the conversation started when he shared the harsh reality of what every retailer and payment network fears most: “Everyone will be breached at some point.”

What the retail, payments, fraud and security industries need to do is have plans in place to know what to do once someone gets breached, Reitblat explained during the summit.

So how can that exactly be achieved? PYMNTS caught up with Reitblat to learn a little bit more about what it means to manage fraud in a way that protects retailers and protects them in a consumer-friendly manner. And that conversation starts with one big word you can’t escape when talking fraud management: tokenization.

“[The major breaches] made everyone realize that tokenization is something that they just have to do. It’s a technology that was available for 10 years, but everyone disregarded that, [thinking] nothing will happen to them. And after a few big breaches happened, everyone realized that it’s about time they actually do something about it,” Reitblat said.

Dissecting Fraud, Data And Security


So what does this CEO have to say about the two trends in the fraud, data and security industry as it relates to retail? For one, that “the threat of fraud is becoming greater and more complicated to deal with.” And second? “Consumers expect better service.”

“We should eliminate all friction or as much friction as possible. There are solutions that enable frictionless authentication. Second, we want to make sure that everything is in real time. We should eliminate all delays, reviews and everything else that retailers were doing up until now,” Reitblat explained. “Why would they agree to get a lesser experience from someone else just because someone needs to authenticate them. If you’re not a criminal, you don’t expect to be treated as a criminal.”

That’s where the conversation comes back to tokenization.

“I think we can learn a lot from the tokenization process. Retailers thought that they could protect their own data and not use something centralized with companies that invest a lot in technology in that space. And after criminals proved them wrong, and proved that everyone could be breached and that no one can actually protect themselves well enough,” Reitblat said.

But there’s just one hitch in the retail industry that’s kept the fraud management conversations even more pertinent — particularly as one big breach continues to follow the next. Retailers aren’t keen on sharing their data, and are even less keen on sharing when they’ve been breached. But unless retailers, card networks and fraud solution providers get on the same page, there’s a much higher risk that another big breach will sneak under the radar until it’s too late.

“Retailers are not fraud experts. They can’t be. Now it seems that they have to be, but it doesn’t have to remain that way. They should try and push their authentication needs and fraud prevention needs to companies that specialize in it. I think we’re already seeing that trend.” Reitblat said. “I just think it’s a good thing for everyone to do. For everyone to do what they are best at.”

Fraud management, Reitblat explained, is a numbers game. It’s not about ensuring retailers crack down on every transaction; instead it’s about ensuring they have a handle on managing the massive amounts of transactions that could lead to a data breach. From a retailer’s perspecitve, that means looking at fraud from a big-picture perspective.

“You need to see how [they] manage a fraud strategy versus just making the right decision every time. [They] need to realize having some fraud in the system is OK. If it’s the cost of business, as long as they can predict [fraud] and can make sure that it’s in control, then it’s fine. Because it’s kind of a sign that they‘re not being too harsh or conservative regarding their good customers. Retailers make money from serving good customers — not from turning away bad ones. So [retailers] should focus on serving those even at the small expense of having a little fraud in their system.”

Multi-Disciplined Approach


Managing fraud also means tackling the problem with a multi-disciplinary approach. It means not playing the “blame game” and pointing fingers when there is a breach. Instead, Reitblat suggested that it’s about addressing the issue as an industry whole when a breach occurs. From a preventative measure, it also means being transparent with other retailers when a potential fraudulent transaction occurs.

“I think retailers are playing a little too defensive in disclosing information about those breaches,” he said. “We know for a fact that retailers got breached and never reported it. I think there should be more cooperation in that regard. Not only between retailers but between banks as well. I think everyone is a little too strict into keeping their own data to themselves, and in a lot of cases it will be beneficial to share it.”

Protecting From Fraud Vs. Breaches


When talking about fraud, data and security, it also means being able to decipher how to protect retailers from data breaches and protecting them from fraud. As one panelist expressed at the R2 Summit during last week’s discussions, there’s a big difference between the two, but breaches and fraud are often looped into the same conversations without recognizing that difference.

“Protecting from breaches is essentially a cybersecurity challenge. Retailers are building walls around their data vaults, making sure that no one breaks in,” Reitblat said. “Protecting from fraud is a payments transaction aspect in most cases. …In our perspective it’s credit card fraud, or any type of payment fraud. It’s transactional and they‘re trying to prevent that information coming in instead of someone stealing good information and taking it out. There are kind of two different disciplines to two different technologies. Retailers have to do both. I think even as an industry, everyone has to do both.”

And do it in a way that takes the friction out of payments, while still ensuring their customers that their purchases are protected. No easy task indeed. But if major retailers want to stay out of the big breach headlines, it’s going to take a sense of collaboration on the fraud front to stay ahead of the widespread problem that travels like wildfire when it hits. 

At least for now, with more retailers realizing they can’t tackle fraud and cybersecurity issues alone, Reitblat said the industry seems to be headed in the right direction. Sure, it could get there quicker, he noted, but the pieces are in play for the payments and commerce industries to be more proactive instead of reactive when it comes to merchant fraud management.

“As an industry [we are] moving in the right direction of being more secure, being more customer-focused in our security, making sure security doesn’t kill the business,” he said. “I think the industry [is going] in the right direction with EMV being implemented, which is a good compass. And tokenization being implemented by most of the retailers, which is also a good thing. And retailers implement a lot of the newer fraud prevention providers instead of doing everything themselves, which is also a good thing. So I think we’re in the right direction. I’m hoping everything will move faster, but just moving there would be enough.”