Data Breach vs. Fraud: What is the Difference?

Have you noticed that there has been a lot of talk about data breaches lately? There has been just as much talk about fraud, and a fair amount of confusion between the two. Because both issues hit so close to home for businesses that accept card payments, it is worth taking a step back to understand the difference between them, how they relate to one another and the warning signs of each.


What exactly is a data breach, anyway?

Think of a data breach like breaking and entering. A data breach happens when someone who is not authorized to access sensitive data gets past the controls that are supposed to keep them out. Unauthorized access alone is enough to call an incident a data breach. Often, though, it goes one step further: theft, or exfiltration. In those cases the intruder has not only gotten past the security controls but has also copied data out, for example a batch of card numbers from a point-of-sale system or a database.


But just because someone has gained access to sensitive payment data does not mean they have actually used it yet. That is where fraud comes in.


What is fraud?

Fraud, for a merchant's purposes, is simple to define: it is when someone's payment information is used without that person's permission. What is less simple about fraud is the many ways it can happen.


Following a data breach, criminals holding a large set of cardholder data can commit fraud many times over, and the stolen card numbers are often sold on to people who had nothing to do with the original break-in. Strictly speaking, a teenager who "borrows" a parent's credit card to order concert tickets without being given the green light is also committing fraud, though the damage is nowhere near as widespread as fraud that follows a breach.


Any successful transaction that "tricks" the system into believing the purchaser is someone other than who they actually are is an instance of fraud. The transaction passes authorization, and the problem only surfaces later, when the real cardholder disputes it.


That’s a lot to worry about. What are the signs of data breaches and fraud?

Data breaches and fraud do not typically happen in the same place. Criminals usually are not foolish enough to steal card data from a merchant and then use that data to make purchases at the same business; that is an easy way to get caught red-handed. Stolen cards are typically used at other merchants, often online, so the merchant that was breached rarely sees the resulting fraud in its own transactions. This means that data breaches and fraud have different warning signs.


Data breaches are hard for a business to spot by looking at payment activity alone. The evidence shows up in the security tooling built to watch for it: log review, file-integrity monitoring and intrusion detection. Every merchant that accepts card payments is required to comply with the Payment Card Industry Data Security Standard (PCI DSS), and its logging and monitoring requirements are a large part of what lets a business identify a breach.


That is because it makes security a first-class stakeholder in your business. For example, PCI DSS requires that every user has a unique ID and that access to cardholder data and the systems that handle it is logged, which gives you an audit trail for finding the weak links in your environment. A red flag should go up when things do not add up during a compliance review. Is a particular register not being closed out properly? Is there activity on it under a shared or generic login? Can you tie the activity on that register back to a specific employee? Being able to answer those questions from your own records is part of what PCI DSS compliance gives you.
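The kind of audit-trail review described above, as an added example that is not code from the original article: it parses constructed point-of-sale audit log lines and reports registers that were opened but never closed out, activity recorded after the close-out, and events that ran under a shared account and therefore cannot be tied to an individual. The log line format, the event names, the terminal and employee identifiers and the list of shared account names are all assumptions; real POS audit logs vary.

```python
"""Audit-trail review for point-of-sale registers (added example, not the
article's own code). The log line format, event names and the set of shared
account names are assumptions; real POS and PCI DSS audit logs vary.

Checks: a register opened but never closed out, activity after the close-out,
and activity under a shared or generic login that cannot be tied to a person
(PCI DSS requires each user to have a unique ID).
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Any, Dict, List, Tuple

# Constructed sample log, not from any real system.
SAMPLE_LOG = """\
2024-03-05T08:02:11 terminal=REG-01 user=emp042 event=OPEN_SHIFT
2024-03-05T08:03:40 terminal=REG-02 user=emp117 event=OPEN_SHIFT
2024-03-05T12:15:02 terminal=REG-01 user=emp042 event=SALE
2024-03-05T13:40:55 terminal=REG-02 user=emp117 event=SALE
2024-03-05T19:58:10 terminal=REG-01 user=emp042 event=CLOSE_BATCH
2024-03-05T23:30:19 terminal=REG-02 user=admin event=SALE
2024-03-05T23:31:02 terminal=REG-01 user=emp042 event=SALE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) terminal=(?P<terminal>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)
SHARED_IDS = {"admin", "manager", "pos", "root"}  # assumed generic account names

Event = Dict[str, Any]
Finding = Tuple[str, str, str, str]  # (day, terminal, code, detail)


def parse_log(text: str) -> List[Event]:
    """Parse the assumed 'ts terminal= user= event=' format; reject anything else
    loudly, since a log you cannot parse is a log you are not reviewing."""
    events: List[Event] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable audit record: {line!r}")
        rec: Event = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def review(events: List[Event]) -> List[Finding]:
    """Group events per (day, terminal) and apply the three checks."""
    findings: List[Finding] = []
    by_day_term: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in events:
        by_day_term[(e["ts"].date().isoformat(), e["terminal"])].append(e)
    for (day, term), evs in sorted(by_day_term.items()):
        evs.sort(key=lambda e: e["ts"])
        opened = [e for e in evs if e["event"] == "OPEN_SHIFT"]
        closes = [e for e in evs if e["event"] == "CLOSE_BATCH"]
        if opened and not closes:
            findings.append((day, term, "NO_CLOSEOUT",
                             f"opened by {opened[0]['user']} but never closed out"))
        if closes:
            last_close = closes[-1]["ts"]
            for e in evs:
                if e["ts"] > last_close and e["event"] != "CLOSE_BATCH":
                    findings.append((day, term, "AFTER_CLOSE",
                                     f"{e['event']} by {e['user']} at {e['ts'].time()} "
                                     f"after close-out at {last_close.time()}"))
        for e in evs:
            if e["user"] in SHARED_IDS:
                findings.append((day, term, "SHARED_ID",
                                 f"{e['event']} at {e['ts'].time()} ran as shared account "
                                 f"'{e['user']}' and cannot be tied to a person"))
    return findings


if __name__ == "__main__":
    for day, term, code, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{day} {term} {code}: {detail}")
```

On the constructed log this reports one sale on REG-01 after its close-out, and for REG-02 both a missing close-out and a late sale under the shared "admin" account. The shared-account finding is the one that matters most for the question in the text: without a unique ID per employee, the register activity cannot be tied back to anyone.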


The number one place to look for evidence of fraud is in your chargebacks: a chargeback is when a cardholder disputes a charge and your business loses the money for that transaction. Typically, chargeback rates are low: a business should see chargebacks on 1% or less of all transactions. If your chargeback rate rises sharply, or climbs above that 1% threshold, treat it as a possible indication of fraud. Not every chargeback is fraud (shipping problems and unclear billing descriptors cause disputes too), so look at the reason codes your processor reports, but a sudden jump in disputes for transactions the cardholder does not recognize is the classic sign that stolen card data is being used at your business. Staying above the card brands' chargeback thresholds for long can also expose you to fines and, eventually, to losing the ability to accept cards.
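The chargeback-rate check described above, as an added example that is not code from the original article: it buckets constructed transaction and chargeback records by month, computes the monthly rate, and raises an alert both when the rate crosses the 1% threshold and when it jumps to more than twice the trailing baseline, so a rise that has not yet reached 1% is still caught. The record format, the sample data, the 2x spike factor and the two-month baseline are assumptions, and the ratio (chargebacks received in a month over sales settled in the same month) is a simplification of how the card brands' monitoring programs calculate theirs.

```python
"""Monthly chargeback-rate monitor (added example, not the article's own code).

Record format, thresholds and sample data are assumptions. The ratio used is
chargebacks received in a month divided by sales settled in the same month;
the card brands' monitoring programs define their ratios slightly differently,
so treat this as an early-warning check, not their official calculation.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

MonthKey = Tuple[int, int]  # (year, month)


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    settled: date
    amount_cents: int


@dataclass(frozen=True)
class Chargeback:
    txn_id: str     # the disputed transaction
    received: date  # date the dispute arrived from the processor


@dataclass
class MonthStats:
    sales: int = 0
    chargebacks: int = 0

    @property
    def rate(self) -> float:
        return self.chargebacks / self.sales if self.sales else 0.0


def build_sample() -> Tuple[List[Transaction], List[Chargeback]]:
    """Constructed data: 1,000 sales in each of Jan-Apr 2024 with 3, 3, 8 and
    25 chargebacks respectively. March rises but stays under 1%; April crosses it."""
    txns: List[Transaction] = []
    cbs: List[Chargeback] = []
    cb_per_month = {1: 3, 2: 3, 3: 8, 4: 25}
    for month, cb_count in cb_per_month.items():
        first = date(2024, month, 1)
        for i in range(1000):
            txns.append(Transaction(f"T{month:02d}-{i:04d}", first + timedelta(days=i % 28), 2500))
        for i in range(cb_count):
            # disputes arrive later in the same month in this simplified sample
            cbs.append(Chargeback(f"T{month:02d}-{i:04d}", first + timedelta(days=10 + i % 15)))
    return txns, cbs


def monthly_stats(txns: List[Transaction], cbs: List[Chargeback]) -> Dict[MonthKey, MonthStats]:
    """Bucket sales by settlement month and chargebacks by the month received."""
    stats: Dict[MonthKey, MonthStats] = defaultdict(MonthStats)
    for t in txns:
        stats[(t.settled.year, t.settled.month)].sales += 1
    for cb in cbs:
        stats[(cb.received.year, cb.received.month)].chargebacks += 1
    return dict(sorted(stats.items()))


def flag_months(stats: Dict[MonthKey, MonthStats], threshold: float = 0.01,
                spike_factor: float = 2.0, baseline_months: int = 2) -> List[Tuple[MonthKey, float, str]]:
    """Two triggers: a rate above `threshold` (the article's 1%), or a rate more
    than `spike_factor` times the mean of the preceding `baseline_months`
    months, which catches a rise that has not yet reached the threshold."""
    alerts: List[Tuple[MonthKey, float, str]] = []
    months = list(stats)
    for idx, key in enumerate(months):
        rate = stats[key].rate
        if rate > threshold:
            alerts.append((key, rate, f"{rate:.2%} is above the {threshold:.0%} threshold"))
            continue
        prior = [stats[m].rate for m in months[max(0, idx - baseline_months):idx]]
        if prior:
            baseline = sum(prior) / len(prior)
            if baseline > 0 and rate > spike_factor * baseline:
                alerts.append((key, rate,
                               f"{rate:.2%} is {rate / baseline:.1f}x the trailing baseline of {baseline:.2%}"))
    return alerts


if __name__ == "__main__":
    stats = monthly_stats(*build_sample())
    for key, s in stats.items():
        print(f"{key[0]}-{key[1]:02d}: {s.sales} sales, {s.chargebacks} chargebacks, rate {s.rate:.2%}")
    for key, _, reason in flag_months(stats):
        print(f"ALERT {key[0]}-{key[1]:02d}: {reason}")
```

On the sample data March (0.8%) is flagged only by the spike rule and April (2.5%) by the 1% threshold. The spike rule is the one worth keeping in practice: by the time a merchant is over the card brands' threshold, the fines are already in the pipeline.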


What can I do if I see evidence of a data breach or fraud at my business?

If your compliance checks turn up problems, do not ignore the alerts, because a data breach could be the culprit. If things are out of place, do not add up or just seem fishy, the next step is to bring in an outside assessor to help you get control of the situation. A PCI Qualified Security Assessor (QSA) can dig into where your environment falls short and help bring you into compliance; if the evidence points to an actual compromise, the card brands will typically require a PCI Forensic Investigator (PFI) to determine how the breach happened and what data was exposed.


If you encounter evidence of fraud, the first thing to do is open a line of communication with your payment processor. They are your partner and can connect you with the card brands, which can often pinpoint a common point of purchase or notice a suspicious pattern of activity across many merchants. If that pattern suggests your own systems were compromised, the card brands will require a forensic investigation to contain the breach and limit further fraud, and your processor can help you engage the investigator.


Unfortunately, businesses will always have to stay vigilant against data breaches and fraud. But a solid understanding of the two, how they differ, how they relate and how to monitor for each, is the best way to keep either from affecting your business. Maintaining PCI DSS compliance and watching your chargeback rate can keep you a step ahead of the bad guys.
