Stolen cards used once every 20 seconds in March

15 Apr 2015

LONDON – 15th April 2015 – British businesses were hit by card fraud once every 20 seconds in March, with payments expert Worldpay warning that small businesses are likely to have been hackers’ biggest targets.

Worldpay, the UK’s leading payments company, saw over 133,000 fraudulent transactions worth £10 million reported in March alone, leaving businesses out of pocket as fraudsters purchased goods and services using stolen card details. Over 67% of all fraudulent transactions happened online, while purchases made over the phone or by mail accounted for 19% of the total.

Tim Lansdale, Head of Payment Security at Worldpay, said:

“Technology to guard against card counterfeiting and fraud has come a long way, yet the rates of attack are truly alarming. Card details are the weakest links in consumers’ and businesses’ defences and the one area that fraudsters know to hone in on.

Businesses that fail to protect their payment systems are not only left out of pocket when goods are purchased using stolen card details but also face paying for the investigation into the breach and the stiff industry penalties which inevitably follow. They are also likely to face bad publicity, which can swiftly erode the years of trust customers have built up in a business and can lead to even more lost custom in future.”

Small businesses, which accounted for 85.7% of all card data breaches last year, make easy prey for the more advanced cyber hackers. By contrast, Worldpay has seen a 179% increase in payment security compliance amongst the UK’s biggest businesses, as the boardrooms of larger, better resourced companies look to bulk up their security in line with the card payment industry standards.

Regardless of business size, the clean-up costs of being targeted by hackers and suffering a card data breach can run to tens of thousands of pounds. A standard small business forensic investigation into a card data breach costs £11,250 on average and typically attracts at least an £8,000 industry penalty, not including the costs of lost goods and damage to reputation. Worldpay has seen larger businesses pay up to £100,000 for the forensic investigation alone.

“Prevention is clearly better than the cure when it comes to getting hacked. The UK’s largest companies have made great strides to improve their payment security but small businesses are still falling behind and being targeted as a result. Businesses of all shapes and sizes should be taking the necessary measures to protect themselves and their customers and employees,” said Lansdale.

Advice to businesses: How to avoid being a victim:

Card data breaches:
1. Check you meet the card industry’s standards for keeping card data safe, and that your third party suppliers do too.
2. Install all the latest patches for servers, operating systems, applications, and frameworks (Java, .NET etc.), to protect your ecommerce website.
3. Change online system log-ins from the default, and use strong passwords that hackers cannot guess.

1. Ask your payment processor about online protection, such as Verified by Visa, to make ecommerce payments safer from fraud.
2. Be wary of high value or unusual orders from a customer you do not know, particularly if the product can be resold easily.
3. Use the Address Verification Service, to match the customer’s delivery address with the billing address of the card owner.


Notes to editors:

• Figures are based on card data breaches which occurred for Worldpay’s UK customers during 2011-2014 and fraudulent transactions reported by Worldpay’s UK customers during March 2015.
• The most common causes of card data breaches during 2011-2014 were malicious web shells and SQL injection.
• The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines designed to keep credit and debit card payment data safe and secure. It was created by the five major Card Schemes – American Express, JCB, MasterCard, Visa and Discover – to combat the problem of card data theft and fraud.
• The Address Verification Service (AVS) is a service that banks perform during authorisation. Using this service, the billing address that a customer enters when placing an order is compared to the address kept on record at the bank. The service checks whether the numeric address and zip code match. Depending on how closely the two addresses match, the system returns a flag, so the business can make a decision based on the flag returned.

For more information please contact:
Tom Parker, Director, Golin: T +44 (0) 207 067 0288.
Emily Lahey, Senior Communications Manager, Worldpay: T +44 (0) 203 664 5663.

About the data
Figures quoted are according to data breaches reported by Worldpay’s customers from 2011-2014, and fraudulent transactions reported by Worldpay UK customers during March 2015. In 2014, Worldpay processed 44% of all UK card transactions (based on market data provided by the UK Payments Administration).

About Worldpay
Worldpay is one of the world’s leading independent payment processing companies. The Worldpay Group has three operating divisions: ecommerce, Worldpay US and Worldpay UK.
Worldpay UK, the UK’s leading payment processor, helps businesses of all sizes sell more to their customers – by accepting credit and debit card payments in-store, online, via mail or telephone, and on the move. In 2014 Worldpay handled 44% of all card payments made in Britain.
Across the Worldpay Group, we process over 8.4 billion transactions every year, and our online payment options cater for over 200 payment types in 115 currencies.
