Without online payment security, you could be contributing to a nuclear weapons program.
Think that's crazy? Think again. If you’ve ever been the victim of a cyber scam, there’s a good chance the stolen funds ended up in North Korea.
While news agencies drop juicy stories of super hackers and cyber espionage, the everyday risks for growing businesses are much more boring: cybercriminals are after money. Sometimes, they steal secrets they can turn into money: intellectual property, credit scores, or credit card details. Sometimes, they hold businesses ransom. Most cyber crime starts by tricking people and leeching cash - that's why you need solid online payment security, now more than ever.
The AFP, FBI, and Verizon publish insightful annual summaries going back years, each documenting the growing threat to businesses. They all paint the same picture: the most popular crimes are scams and theft, many cause substantial damage to affected businesses, and the risk is growing every year.
The modern CFO is taking on increasing responsibility: organizational KPIs, strategic planning, and even whole-organization risk management. How do you balance these and secure your business with the same staff and budget as before?
I’ll describe the fastest, easiest, and best ways to address the biggest cyber risk in business: making online payments. I start with tech strategies, then progress to payments.
Security Tech - Worth It?
If you google “online payments security”, you’ll usually find top-10 lists that closely mirror the general security advice for the past 20 years: difficult passwords, multi-factor authentication (MFA), encryption, antivirus (AV), firewalls, and the like.
These lists are born of a philosophy of defensibility and blame avoidance. Who can remember long, complicated, and completely unique passwords for every system they use? While such passwords would technically protect you, the advice mostly allows the security advisor to say “I told you so!” with high confidence that it wasn’t followed.
Further, firewalls, MFA, and AV are not what they were 15 years ago. Today, the hip kids say that a strong tech defense is XDR-driven and WebAuthn-federated cloud with an AI SIEM. Or something like that; it’ll change by 2025, I promise.
What’s wrong with a tech checklist?
They age out too quickly. Everything comes with encryption nowadays, the free and default AV is as good as or better than commercial offerings, traditional MFA is easily bypassed, and zero-trust identity has largely replaced the need for firewalls.
Three security principles that will keep working
There are three principles that have stood, and will continue to stand, the test of time when protecting tech: Delegation, Process, and Measurement.
Companies around the world have been realizing that the safest, most resilient, and cheapest IT strategy is to do less IT. Moving to Software-as-a-Service (SaaS) platforms is the most popular way – this eliminates almost all the tech. Use an outsourced IT service provider to manage security measures on anything you can’t get rid of.
People are your greatest strength and your greatest weakness. Identifying, streamlining, and protecting risky activities is usually the easiest and most effective way to improve overall security. It also helps keep priorities straight for any techies: protecting your ERP is much more important than the graphic design app.
How do you make sure that your delegates are adequately protecting you? Delegate this too! There are free and easy ways to measure the online payment security of a platform, and the results stay current. This usually takes 20 minutes of googling: definitely worth it for important products.
- Search for a history of security breaches and data breaches at the provider’s company.
- Look them up on a security rating platform. SecurityScorecard and RiskRecon have a free tier.
- Check for a bug bounty program; this is a good sign. Bugcrowd, Synack, and HackerOne are common platforms.
If you need greater accuracy, many security advisory firms can do a deeper assessment for a reasonable fee. Be aware: measurement is not a one-and-done activity. As companies change, their security may also.
Paying vendors is a negotiation: some methods advantage you, others advantage them. Most of these considerations are not security-related: paying by check and insisting on NET30 terms gives you better control over cash flow, while the convenience of credit cards imposes a meaningful cost on your vendor. These are important and well-discussed factors.
Today, I explain how those online payment security options impact your risk of fraud. I rank major online payment methods by risk to you, explain why, and propose the best ways to reduce that risk.
Credit card payments are consistently the safest way to pay for things. Almost all issuers completely cover fraud – sometimes up to a year later; no questions asked. Even better, because those companies have that incentive, they invest substantially in fraud detection on behalf of their customers. This can vary in quality by institution but is often better than anything you can buy.
Card data is frequently stolen, either by tampering with a point-of-sale terminal (devices called skimmers) or by stealing everything from a central payment-processing system. This theft is decreasing every year as the Payment Card Industry Security Standards Council puts the screws to anyone who processes credit cards.
The downside is the cost to your vendors: most card processors take a 2.7% fee from every transaction, with bulk processing providing discounts as low as 1.5%. This fee mostly funds fraud coverage and card rewards.
Use Business Cards
Ensure that business payments occur against credit cards legally tied to the business, not owners and employees. Segmenting personal and business finances not only makes accounting easier, it shelters owners' and employees’ financial health if something bad happens to the business.
Bonus: using cards also builds credit for the business, substantially improving the available terms and rates for loans. While personal credit is tied to SSNs, business credit is indexed against the EIN. The major business credit agencies in the US are Dun & Bradstreet, Creditsafe, Experian Business, and Equifax Business.
What if you could create as many credit cards as you want by clicking a button? That would give you incredible granularity for fraud control: each vendor could get a card, and you could lock the limit on each to an expected amount. When you discontinue services, you could stop paying them without depending on them to stop charging you.
A growing number of fintech and banks allow exactly this. From a web portal, you can create, manage, and remove a (virtually) limitless number of cards. They all charge against a common account, allowing you a central picture of spend. The leader in this space is Ramp, which has invested in a custom rules engine that allows extensive control.
The biggest source of credit card fraud is stolen card information. There is a vast supply chain of fraudsters that steal card data, others that buy it and manufacture duplicate cards, and money mules that use those duplicates for fraudulent charges. Most of us have experienced this, and it is a headache: the card must be canceled, a new one mailed, and each service using that card must be updated.
With virtual cards, this becomes trivial. Unexpected payments become more obvious and changing payment details is only necessary at a single vendor. You know exactly which vendor enabled the fraud: the unauthorized charges are to their dedicated card.
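As an added example (not code from the article or from any card provider's portal), here is the reconciliation the one-card-per-vendor model makes possible: a statement is checked against the registry of issued cards, and because each number was only ever given to one vendor, every anomaly names that vendor directly. Card IDs, vendor names, merchants and amounts are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Constructed example: one virtual card per vendor, limit locked to the expected
# monthly spend. Card IDs, vendor names, merchants and amounts are made up.
@dataclass
class VirtualCard:
    vendor: str              # the only merchant this card was issued for
    expected_monthly: float  # the limit locked on the card in the issuer portal
    active: bool = True      # False once the service is discontinued

def review_statement(cards: Dict[str, VirtualCard],
                     charges: List[Tuple[str, str, float]]) -> List[Tuple[str, str, str]]:
    """Reconcile statement lines (card_id, merchant, amount) against the card registry.
    Returns (vendor, kind, detail): the vendor is known at once, since each card
    was handed to exactly one of them."""
    findings: List[Tuple[str, str, str]] = []
    spent: Dict[str, float] = {cid: 0.0 for cid in cards}
    for card_id, merchant, amount in charges:
        card = cards.get(card_id)
        if card is None:
            findings.append(("unknown", "unissued_card", f"{card_id} at {merchant}"))
            continue
        spent[card_id] += amount
        if not card.active:
            findings.append((card.vendor, "after_discontinuation", f"{amount:.2f} at {merchant}"))
        elif merchant != card.vendor:
            # the number was only ever given to this vendor, so the leak is theirs
            findings.append((card.vendor, "unexpected_merchant", f"{amount:.2f} at {merchant}"))
        elif spent[card_id] > card.expected_monthly:
            findings.append((card.vendor, "over_expected",
                             f"{spent[card_id]:.2f} > {card.expected_monthly:.2f}"))
    return findings

CARDS = {
    "vc-001": VirtualCard("CloudHost", 500.0),
    "vc-002": VirtualCard("DesignApp", 50.0, active=False),
    "vc-003": VirtualCard("OfficeSupply", 300.0),
}
STATEMENT = [
    ("vc-001", "CloudHost", 480.0),
    ("vc-001", "CloudHost", 40.0),         # pushes CloudHost past its expected spend
    ("vc-002", "DesignApp", 50.0),         # vendor kept billing after cancellation
    ("vc-003", "OfficeSupply", 120.0),
    ("vc-003", "GiftCardsOnline", 200.0),  # number used elsewhere: OfficeSupply leaked it
    ("vc-999", "SomeMerchant", 10.0),      # a card we never issued
]
if __name__ == "__main__":
    for vendor, kind, detail in review_statement(CARDS, STATEMENT):
        print(f"{vendor:13} {kind:22} {detail}")
```

In practice the issuer's locked limit would decline the over-limit charge before it reached the statement; the check is kept so that a card whose limit was never set still gets caught.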
A payment network is a registry of companies with vetted payment information. Instead of manually exchanging payment data, you select your vendor from the list, set the amount, and payment is automatically transferred. Often, such networks are maintained by large banks and integrated as part of a managed AP service. There are some publicly available networks such as Bottomline Paymode-X in the US and EFTsure in Australia. If you use a bank-provided AP service, ensure that it provides vendor verification. Some banks blindly mail checks to whichever address you specify, so, needless to say, they do not protect against fraud.
Fintechs aimed at small businesses are also quickly developing these networks, and experts in my network expect to see substantial growth in this area over the next several years.
Consistent use of a payment network substantially decreases fraud. One of the biggest sources of B2B fraud is intercepted payments between legitimate businesses, usually by tricking them into using incorrect payment information. Payment networks eliminate this source of error: they ensure that payment details are correct and work to prevent imposters from joining the platform.
Rarely will all your vendors be on a network, so this technique cannot stand alone.
Automated Clearing House transactions (commonly ACH, also called direct deposit) have the lowest rate of fraud of the commercial online payment methods. However, the bulk of these transactions are automated transfers between large companies with independent and sophisticated fraud control. The risk to them is not the same as the risk to a smaller company. Paying through ACH is still fairly safe, especially if your vendor uses a dedicated payments platform with a self-service payment portal.
ACH works through the checking system, clearing in 3-5 days based on fraud indicators such as payment amount and prior activity. Like the credit card system, it has no authorization mechanism: knowing an account number allows a charge to be placed on that account. While the credit card industry is trying to make card numbers secret, there is no hope of that for bank account numbers: they are available to anyone who sees one of your checks or looks at your ACH payment details.
Further, there is little fraud coverage for businesses. Banks are only obligated to recover money within 24 hours of the transaction.
The biggest protection from ACH fraud is that a financial institution in good standing must initiate it. In the US, Know Your Customer (KYC), Anti-Money Laundering (AML), and other banking regulations from the FFIEC impose strict requirements on banks to vet customers and transactions for suspicious activity. While regulation is always a step behind crime, banks have strong incentive to prevent criminals from using their services.
These methods work for both ACH and checks.
Segment Accounts & Alerts
Creating multiple accounts for different uses can add excellent protection at a low cost. Creating a dedicated account for each of receivables, treasury, and payables can limit your exposure to fraud. Receivables accounts should be swept frequently into the treasury account, and funds for expected charges are moved from the treasury account into payables accounts. Set up alerts on all accounts for unexpected situations like low balances.
This way, outsiders only know of accounts with limited funds, so fraud attempts will not be as damaging if successful. Different banks offer varying degrees of automation for this strategy and many offer it as a packaged service for larger clients, usually called Treasury Management.
Valid Vendors (ACH only)
Some banks allow business checking accounts to restrict ACH charges to an authorized list of accounts. This can eliminate the possibility of fraudulent ACH transactions but requires some maintenance and can be annoying to troubleshoot.
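The segmentation and alert strategy above, together with the authorized-originator list, as an added example that is not from the article or any bank's product: receivables is swept into treasury, payables is funded only with expected charges, and each posted ACH debit is checked against the account's allowed list, with the 24-hour window the article cites turned into a contest-by deadline. Account names, originator IDs, balances and times are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple
# Constructed example of segmented accounts: receivables is swept into treasury,
# payables is funded only with expected charges, and each ACH debit is checked
# against that account's authorized originator list. Names and figures are made up.
CONTEST_WINDOW = timedelta(hours=24)  # the recovery window the article cites for ACH
@dataclass
class Account:
    balance: float
    allowed_originators: Set[str] = field(default_factory=set)  # empty: no ACH debit allowed
    low_balance_alert: float = 0.0

def sweep(accounts: Dict[str, Account], expected_payables: float) -> None:
    """Empty receivables into treasury, then top payables up to the expected total only."""
    accounts["treasury"].balance += accounts["receivables"].balance
    accounts["receivables"].balance = 0.0
    top_up = max(0.0, expected_payables - accounts["payables"].balance)
    accounts["treasury"].balance -= top_up
    accounts["payables"].balance += top_up

def review_debits(accounts: Dict[str, Account],
                  debits: List[Tuple[str, str, float, datetime]]) -> List[dict]:
    """Apply (account, originator ID, amount, posted) debits in order; return alerts with the deadline to contest."""
    alerts: List[dict] = []
    for name, originator, amount, posted in debits:
        acct = accounts[name]
        acct.balance -= amount
        if originator not in acct.allowed_originators:
            alerts.append({"kind": "unauthorized_originator", "account": name,
                           "originator": originator, "amount": amount,
                           "contest_by": posted + CONTEST_WINDOW})
        if acct.balance < acct.low_balance_alert:
            alerts.append({"kind": "low_balance", "account": name, "balance": acct.balance})
    return alerts

ACCOUNTS = {
    "receivables": Account(12000.0),
    "treasury": Account(250000.0, low_balance_alert=100000.0),
    "payables": Account(1000.0, {"CLOUDHOST-ORIG", "OFFICESUPPLY-ORIG"}, 2000.0),
}
DEBITS = [
    ("payables", "CLOUDHOST-ORIG", 500.0, datetime(2024, 3, 4, 9, 0)),
    ("payables", "UNKNOWN-ORIG-7731", 4500.0, datetime(2024, 3, 4, 9, 5)),   # not on the list
    ("treasury", "UNKNOWN-ORIG-7731", 50000.0, datetime(2024, 3, 4, 9, 6)),  # treasury allows none
    ("payables", "OFFICESUPPLY-ORIG", 3000.0, datetime(2024, 3, 5, 8, 0)),
]
if __name__ == "__main__":
    sweep(ACCOUNTS, expected_payables=8000.0)
    for alert in review_debits(ACCOUNTS, DEBITS):
        print(alert)
```

Where the bank enforces the authorized list itself, the unauthorized debits never post; this review is the fallback for accounts where the bank offers no such restriction.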
Avoid ACH and Checks for Vendors who Manually Process Payments
Because your risk of ACH and check fraud is directly tied to the number of people that see your checks, you can reduce it by only using them in automated, self-service payment processors.
For ACH, look for a web portal where you log in and key in your payment method. Often, you can tell if such a platform is provided by a vendor: QuickBooks, Stripe, and PayPal are popular choices. Homegrown solutions are less likely to be automatically processed, and so represent higher risk.
For checks, the equivalent is a lockbox facility that automatically processes receivables for many businesses. You can find out if an address is a lockbox facility by looking it up on a map. If it belongs to your bank or a known lockbox processor, that is what you want.
Don’t Write Your Own Checks
A fair amount of check and ACH fraud comes from the simple theft of checks from your outgoing mail.
You can avoid this by using a payment service to print and mail checks on your behalf. This often is packaged with a payment network. Many banks provide this at varying degrees of automation. Such checks are printed in a central facility and theft is difficult.
If you suspect your bank has not invested in check or ACH fraud protection, just switch. While there are no independent and objective rankings of banks in this domain and you likely don’t have the leverage to audit them, there are a few principles:
- Bigger is often better. Larger institutions often can afford to spend more on online fraud prevention.
- Competence is often better. A history of fraud, mismanagement, or simple disorganization is a bad sign.
- Newer is often better. Banking management is often conservative about change, including emerging ways to combat fraud for their clients.
Check fraud is the most common source of fraud for B2B payments, according to the AFP’s annual report. Like ACH, checks provide a 24-hour window to contest a transaction. Further, checks are easy to print if the account number is known. Every person who sees your checks is another opportunity to attempt check or ACH fraud (plus, there are few online payment security benefits when you aren't, y'know, paying online).
Banks can detect most check fraud, but not all make equal investments, so the quality of your bank makes a huge difference to this risk.
(see techniques above under ACH)
Proprietary Payment Systems
Zelle, Cash App, Venmo, PayPal, and wire transfers are favored mechanisms for crime, with little online payment security. Transactions are instant and irreversible. These platforms have no regulatory control or consumer protection, so they have little incentive to detect and prevent fraud.
These platforms are best used by consumers and for small amounts – paying someone back for dinner or the teen who mowed your lawn.
If a vendor must be paid through one of these, take caution. Double-check payment details and only use them for transactions you can afford to write off. Lock down the platform as much as you can: if someone sneaks in and sends themselves some money, it could be bad.
Combine with Account Segmentation
Funding these payment platforms with dedicated, limited accounts is an easy and effective way to limit your exposure.
Risk: Bad idea
Debit cards have all the downsides of credit cards, the downsides of checks, and the benefits of neither. Because a debit card is used in the credit card ecosystem, the card numbers are often stolen and used for fraud. Debit card transactions have no fraud coverage, though: like checks, you must contest a fraudulent transaction within 24 hours.
Worse, the tools and maturity banks have developed to fight check fraud do not work on card transactions, and banks providing debit cards rarely invest in the fraud detection common to credit card companies.
Debit cards are dangerous, and there is no use for them that a credit card can’t do better. The extra rewards aren’t worth it.
This is the opposite of online payment security.
In my opinion, the only businesses that need to be paid in cryptocurrency are crime rings. Cryptocurrency has all the disadvantages of proprietary payment platforms (instant, no fraud prevention, no regulatory incentives) and is more vulnerable to technical attacks, market manipulation, and a culture of fraud within its institutions. It lends itself to money laundering and theft.
Don’t Do It
Unless you’re a crime ring.
Stay Smart, Stay Protected
While online payment fraud is the biggest cyber threat to most businesses, addressing it can be fast, easy, and effective. Wisely outsourcing tech and sticking to safer online payment methods will eliminate a lot of that risk.
Most remaining AP risk is also easily avoidable. Subscribe to get notified of my next installment, where I discuss how AP strategy and process can also stop hackers and criminals.
Thoughts, opinions, or questions? Drop me a line, join the conversation below, or jump in on social media.