How to Boost Payment Security with Finance and IT Alignment: Why Collaboration is Critical

—

The previous decade's digital transformation initiatives have placed IT departments at the forefront of innovation and in close contact with central business functions like finance. This electronic shift has increased profits but introduced new risks.

For instance, payment security and fraud prevention have become more complex. As a result, efficient collaboration between finance and IT is more critical than ever.

In this article, we explore what efficient collaboration between these two parties looks like, along with the following:

• What payment security is
• The merchant liability landscape in payment security
• Why payment security needs to be reimagined
• Best practices for aligning finance and IT to boost payment security

What is payment security?

Payment security is a set of processes that safeguards all stakeholders in a transaction. It results from companies using technology to implement robust security principles to fight payment fraud.

Given the digital nature of modern payments, payment security should be a top priority when a company establishes payment acceptance channels.

Why is payment security important?

Payment security is important because it:

1. Averts penalties from regulators—payments are governed by anti-money laundering laws (AML), know your client procedures (KYC), and payment card security standards (PCI DSS). Non-compliance leads to significant penalties and loss of reputation.
2. Builds great customer experience (CX)—security builds customer trust, leading to repeat business and faster revenue growth. Deloitte notes that product security is a critical growth lever and a key component of CX.
3. Ensures smooth cash flow—better security ensures fewer incidents that hamper cash flow. The result is a strong reputation that attracts more customers and better cash flow.

When are merchants liable for payment fraud?

Pinpointing liability in the event of a payment security breach is complex since much depends on the type of transaction a customer initiates. Here is a summary of liability in the case of credit and debit card transactions, both online and offline:

Payment industry regulators refer to a complex web of laws to determine merchant liability following a breach. Here are the rules every merchant is subject to:

1. PCI Data Security Standard (PCI DSS)—a set of laws covering data security and infrastructure standards.
2. Payment Application DSS—in-house electronic payment applications are subject to PA DSS laws.
3. IRS Code 6050W—merchants must report their transactions to their merchant services provider and the IRS.
4. National Automated Clearinghouse (NACHA) operating rules—merchants that accept automated clearinghouse (ACH) transactions are subject to data and infrastructure security standards specified by NACHA.
5. AML laws—AML laws deserve their own article, thanks to their complexity. Each country has a separate, if similar, set of AML laws merchant services providers and merchants must comply with.

5 common types of digital payment fraud

Here are the most common forms of digital payment fraud merchants experience:

1. ID theft—A malicious actor impersonates a customer and initiates transactions under that false identity.
2. Card theft—Transactions initiated using a customer's stolen credit card information.
3. Chargebacks—A customer fraudulently claims they never received goods or services, leading to fines and refunds from the merchant.
4. Card testing attacks—A fraudster enters several combinations of stolen credit card numbers using bots to test for valid ones and initiate transactions.
5. Account fraud—A malicious actor impersonates another entity (including merchants) and enters incorrect information, leading to chargebacks and ID theft.

💡 There are many more instances of digital payment fraud, which you can learn about in our guide: Payment Fraud Explained.

Payment security needs finance and IT collaboration

IT and finance teams are disconnected, and this situation is reducing bottom lines. A report by Pulse and Versapay highlighted the extent of this disconnect, with 60% of respondents saying they loop IT into transformation discussions after a project has begun.

This lack of collaboration has serious consequences for payment security. IT is unaware of broader business goals, and finance is unaware of the digital risks the company faces. As a result, payment applications go live with significant flaws and pose a potential CX risk.

Here are 4 other significant consequences stemming from this current state of affairs:

1. IT is ignorant of its impact on the bottom line

Despite its critical position in an organization, IT operates as a back office function due to no or low communication with finance and other customer-facing departments.

For instance, IT teams routinely launch new projects based on business directives that ignore technical realities. The result is a veneer of digital transformation that fails to address critical business issues.

2. Finance is unaware of insights that can transform the business

The lack of collaboration between the CFO and CIO affects finance teams' ability to shore up the business. Finance teams guess the data their companies have and file IT requests. In turn, IT teams are ignorant of the drivers behind those datasets and share limited reports.

For instance, finance teams might be unaware of data that predicts an invoice payment default and request a customer's payment history and AR aging reports to calculate default probabilities. The result is additional work that the team can easily avoid.

💡 A Workday survey found that nearly half (49%) of CFOs say a lack of data prevents them from making and executing on decisions rapidly.

The evolution of B2B payment acceptance channels further highlights the risks created by the IT and finance disconnect. B2B customers are ditching antiquated payment methods like checks in favor of digital payments, and are making those payments via collaborative payment portals that offer visibility into upcoming and past payments.

Finance teams understand this situation but struggle to communicate it to IT. The result is a disjointed customer experience across legacy and modern payment channels.

3. Companies do not understand the costs of security failures

Picking up the pieces of a security failure is an IT task. While these teams have the technical ability to discover and resolve issues, they cannot quantify them in business terms (something finance is more adept at). As a result, company executives lack insight into the cost of a security failure.

For instance, IT can explain which system failed but cannot quantify the cost of data leaking into the public domain. Executives guess the financial cost but do not understand the depth of the leaked data, leading them to adopt poor cost estimates.

4. Companies compromise long-term payment security

IT budget requests often highlight the lack of financial input. Due to this lack of expertise in quantifying business risk, executives are forced to guess numbers using their experience and estimates, leading to unrealistic budgets.

For example, an IT team might identify a critical security issue and accurately communicate fixing costs. However, without context from finance into business goals, quantifying the cost of ignoring the risk is impossible. As a result, executives receive a half-baked picture and might arrive at the wrong conclusions.

3 best practices for aligning finance and IT to boost payment security

Collaboration between finance and IT is the best way to boost payment security. Here's how companies can ensure this happens.

1. Quantify security’s impact on the bottom line

The best way to acknowledge payment security's importance is to quantify its contribution to the bottom line. Finance and IT can work together to quantify the ROI of investing in security—and secure payment acceptance technologies—giving executives a clear picture of security's importance.

2. Seek financial input into disaster recovery plans

Creating disaster recovery plans is a staple task in IT teams. However, these plans lack significant financial input. For instance, IT often neglects the cost of disaster recovery plans, lowering the efficiency of their recovery.

Financial input into disaster recovery plans makes them cost-efficient and technically sound. The organization can recover as one, with all stakeholders aligned.

3. Communicate compliance reporting needs

A payment infrastructure is only as good as its compliance levels. IT teams understand the "what" behind compliance but struggle to understand the "why" that finance teams can offer them. Through greater collaboration, IT can design scalable infrastructure that goes well beyond the minimum, giving companies a sound security stance.

—

In a competitive environment, robust, evolving payment acceptance infrastructure backed by good security is a competitive advantage. Payment processing channels and security are joined at the hip. Learn how Versapay's streamlined payment processing boosts security, accelerates cash flow, and saves companies money.