Payment Security from A to Z: Anti-fraud Systems and Compliance with the PCI DSS Standard

The number of cashless transactions grows year by year. According to Statista, the overall amount of non-cash payments has increased from 311 billion to 1.3 trillion within the recent 10 years. Analysts expect this number to surpass the mark of 2.2 trillion transactions by 2026.

The fast-growing industry of online payments attracts fraudsters. The Juniper Research survey conducted in 2022 shows that overall losses in e-commerce due to fraudulent cases reach $48 billion.

This is why payment data security and the implementation of effective measures to prevent criminal activity are urgent needs of the digital payments market.

Customers are considered more interested in integrating protective systems that prevent fraud, as buyers are at risk foremost. Cybercriminals steal their financial data and funds. Meanwhile, such security systems are equally important for merchants and marketplaces.

In today’s world, giant competition occurs in every sector, so a damaged reputation and numerous negative reviews essentially decrease a company’s chances for success. As such, underestimating online payment security and using previous-gen protective measures lead customers to lose their costs and never return to a merchant’s website or marketplace. Furthermore, a platform may be considered untrustworthy or even dangerous.

Old-fashioned security systems are based on secret phrases and passwords, while brand-new technologies provide fraudsters with much more variable tools for stealing financial information. Hence, companies and marketplaces related to payment processing must keep up with the times and implement the latest anti-fraud developments to detect and prevent illegal activity in a timely manner.

Certain security standards are accepted in the digital payments market, and companies need to correspond to those norms and demands. PCI DSS (Payment Card Industry Data Security Standard) is the most known and reliable standard. 

The PCI DSS standard came into existence in 2004. World-leading providers of card services, including American Express, Discover, JCB, MasterCard, and VISA, are the “authors” of that standard. At the time, the mentioned corporations controlled the lion’s share of the payment market. A reliable anti-fraud system was highly demanded so that companies wouldn’t lose their incomes due to fraudulent activity.

What does this security standard mean? The PCI SSC Council adopted certain documentation that consists of rules and criteria to which companies related to online payment processing should comply. The Safety Standards Council meets regularly to approve changes to the previously adopted documentation. It can be explained by the constant “upgrades” of criminals. They rely on modern technologies like AI, neural networks, and machine learning. Representatives of top-rated providers of card services understand that some measures lose efficiency. In accordance with new challenges, upgraded norms are worked out and added to the documentation.

PCI DSS compliance is not an obligatory measure but a matter of reputation; meanwhile, noncompliance with the standard means a company doesn’t protect its customers properly. There appears to be a probability of data leakage. This is why every company related to digital payment processing brings its activity into conformity with the standard’s requirements to get the PCI DSS Compliance certificate.  

The whole list of compliance criteria comprises 288 paragraphs. Meanwhile, it can be pointed out 12 core demands towards companies related to payment processing:

1. A company should install and properly maintain a firewall to protect the data environment of cardholders.
2. Default passwords and other security settings provided by vendors should not be used.
3. The stored data of cardholders needs to be properly protected.
4. The payment card data transferred over an open public network should be encrypted.
5. Companies have to use and constantly update antivirus systems.
6. Secure systems and applications should be deployed and supported.
7. Access to cardholders' payment card data needs to be restricted. It is recommended that such access be provided to employees whose work tasks require direct usage of such data.
8. Each person who accesses data or equipment needs a unique ID.
9. Companies should restrict physical access to the data of payment card owners.
10. Access to the network and data of cardholders need to be tracked and controlled.
11. Regular testing of security systems and processes is obligatory.
12. Providers have to ensure the fulfillment of the information security policy.

Based on the mentioned requirement, a company’s certification procedure takes place. When providers correspond to all the demands, they obtain the PCI Compliance certificate. Here are the following certificate levels:

• Level 1. Providers process over 6 million transactions per year.
• Level 2. The number of processed transactions is from 1 million to 6 million annually.
• Level 3. The annual amount of transactions varies from 20,000 to 1 million.
• Level 4. A company processes less than 20,000 transactions per year.

A set of obligatory requirements that are put forward to a payment services provider directly depends on the certificate level.

PCI DSS is the most reliable standard for proper data security of payment card owners. Meanwhile, payment providers that are compliant with that standard don’t work on one and the same algorithm. Otherwise, the principle of competition would have been lost.

Each company develops its anti-fraud system by applying the newest security systems and using innovative technologies corresponding to cybersecurity demands.

The principle of operation of anti-fraud systems lies in the following stages:

1. A user confirms his transaction within a website or application, and the request is sent to a payment gateway.
2. An anti-fraud system chosen by the payment gateway checks the transaction according to a set of criteria. Filters are not standardized, and gateways may use more or fewer criteria based on a particular system.
3. Depending on the check result, a system assigns a corresponding ID to the transaction. For instance, the ‘verified’ ID means the system detected no fraud characteristics. When the system marks the transaction as ‘false’, the transfer request originates from fraudsters.
4. According to the transaction status, anti-fraud systems send certain requests to payment systems. Those systems confirm valid transactions and reject fraudulent ones. In case of suspicious transactions, additional verification mechanisms are applied.

Hence, anti-fraud systems protect customers (fraudulent transactions are detected and blocked in time) and merchants (business owners don’t face conflicts with their clients who lost money due to fraud).

Up-to-date anti-fraud systems rely on innovative technologies. Such systems use behavioral biometrics technologies and analyze a customer’s transactional behavior. Here are some examples:

1. Customers usually spend less than ₴2,000 per month. Suddenly, they confirm a payment of ₴8,000, which seems suspicious.
2. A system collects behavioral biometric information and understands that a client needs nearly  6-7 seconds to confirm a transaction. Meanwhile, his account needed 14 seconds to confirm the last transaction. Fraudulent activity is possible in this case.

AI technologies, machine learning, and neural networks unlock the possibility of implementing anti-fraud systems with hundreds of different criteria. Those systems protect customers and cause no inconveniences for them.

Companies related to payments have to undergo a specific certification procedure to get a confirmation for the PCI DSS standard correspondence. What does this procedure include?

Step 1. Application. A payment company’s representative fills in all the required data to let an auditor company understand which demands are required.

Step 2. Agreement. A payment-related company and an inspecting company sign an agreement for audit. Only companies licensed by the PCI DSS Council get the right to conduct audits. Decisions of unlicensed companies don’t empower payment providers to receive compliance certificates. This stage usually includes partial or full payment for services provided by an inspecting company. There are no exact prices, but the procedure costs about 10-15 000 euro.

Step 3. Technical analysis. Experts perform technical analysis of a payment company. The process includes documentation verification, an interview with the technical department, the inspection of the equipment and transaction processing mechanisms, and the diagnostics of the protection level of a company’s information systems. Then, inspectors make a report with all the noncompliance with the PCI DSS standard. The report also comprises recommendations on how to fix everything.

Step 4. Troubleshooting. A payment-related company fixes all the noncompliance indicated by inspectors.

Step 5. Certified audit. An inspecting company conducts the final audit to check whether a payment provider complies with all the PCI DSS requirements. When the procedure is completed, the company receives a detailed report and a document that confirms compliance with all the standard requirements.

Step 6. Certification. A payment service provider receives the certificate confirming compliance with the PCI DSS standard. The certificate is issued in paper form with wet stamps and is valid for 12 months.

Note! When a company succeeds in passing the certification procedure, the next application is required after 10 months, two months before the certificate expiration date.

Payment service providers need to undergo the certification procedure annually. Compliance requirements change year by year, and upgraded security measures appear to protect customers and minimize transaction processing risks as much as possible. As of today, auditor companies apply to the 4.0 version of the standard.

The key task of the PCI DSS standard lies in maintaining the network infrastructure's appropriate security level and protecting cardholders' payment data.

Can payment services providers work without the PCI DSS certificate? Absolutely, the certificate is not among the obligatory requirements; meanwhile, the competition level in the sphere of online payments is exceptionally high. Customers will understand that such a company doesn’t provide them with the highest protection, and fraudsters can steal their financial information. As such, payment providers will lose clients.

Furthermore, while talking about payment gateways serving as mediators between payment systems and online stores/marketplaces, compliance or non-compliance with PCI DSS requirements are among the core criteria.

The certificate guarantees the protection of client information and excludes the possibility of data transferring to third parties or fraudulent activity within a transaction processing.

Tranzzo is one of the leading companies in the international payment platform market. Business solutions are available in 190 countries. Gateways process more than 100 million transactions annually, and the number of clients has surpassed 3000 partners.

The company has received the PCI DSS Level 1 certificate (for providers that process more than 20 million transactions per year). Tranzzo undergoes the certification procedure annually to provide its clients with the highest protection level and prevent fraud.

The provider implemented the three-level anti-fraud system. More than 200 filters screen all the transactions. Such a system detects fraud activity in real-time and bans suspicious transactions. Furthermore, the company constantly adds new criteria to the filter database. Tranzzo analysts get notifications on new untypical activity from the anti-fraud system. If those new patterns are considered signals of possible fraudulent cases, analysts add them to scenarios of dishonest behavior.

Besides, anti-fraud mechanisms applied by Tranzzo empower business owners to get a certain range of unique filters that consider the specifications of their sector.

The rapid growth of online payment volumes attracts fraudsters who try to steal payment data. As such, the security of the client’s financial information is among the key tasks in the sphere of transaction processing. Compliance with the PCI DSS standard and the presence of such a certificate ensure the appropriate protection of payment data. When a payment provider is not compliant with those requirements, it causes mistrust from the side of potential customers and makes it difficult to compete with certified companies.