Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘ Google Wallet ’

Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web. Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.

The Cost of Cyber Crimes Gets More Expensive
by Sue Marquette Poremba
If you need a reason to throw more of an effort into cybersecurity, here it is: The cost of cyber crime has gotten more expensive.
According to a new study sponsored by HP and conducted by the Ponemon Institute, the occurrence of cyber attacks has more than doubled over a three-year period, while the financial impact has increased by nearly 40 percent…

Facebook Want Button: Collecting massive amounts of data about you has never been easier
by Network World
Have you ever commented “Want!” anywhere on the web? Perhaps because “liking” is not enough for Facebook, and shares in its stock are still down, the company is pushing ahead with a ‘Collections’ feature. Collecting massive amounts of desired-based data about users would be like hitting the mother lode for advertisers…

My Walletless Month: Happier, Healthier and Ready to Ditch Cash Forever
by Christina Bonnington
The e-wallet space is blowing up. Isis — an NFC-based mobile-payment platform backed by Verizon, AT&T, and T-Mobile — is set to launch on Monday. Google Wallet, now almost two years old, is nicely maturing with partnerships with an ever-expanding list of big-name retailers…

What other interesting content have you come across? Leave a comment below and join the discussion

I was catching up on a couple trade magazines on my flight home tonight and by the end of the second one, I had come across no less than 7 stories about mobile payments and wallets. The buzz is deafening! The interesting thing though is, consumers seem indifferent. According to CatapultRPM in the latest issue of Digital Transactions, 58% couldn’t care less about paying with their phone. And many are saying consumer adoption will be slow at best. Personally, as far as mobile payments go, reaching for my back pocket to grab a card out of my wallet versus reaching for my front pocket to grab my phone requires about the same level of effort. But if I could digitize everything and ditch my analog wallet altogether, now that would be exciting.

Leave it to Apple to get it right. Instead of launching headstrong into the fray with another payment tool, they took a different approach. iOS 6 released last week with Passbook, which seems to be a nifty tool to de-clutter my wallet by storing a digital version of many of the things in my wallet. Apple will certainly be amongst the big players in the mobile payments world; with 180 million account holders with saved credit card information on iTunes, they have a huge network to leverage.

Other major players include PayPal, Google, ISIS and retailers themselves via MCX, but their solutions include very limited support at the point of sale today. These and other entrants to the space seem to be more focused on getting their piece of the transaction stream revenue pie than on providing value to merchants or consumers. In most cases, their solutions will increase the cost to the merchant without providing much value to the consumer either. To gain broad adoption, there must be real benefits for all parties.

Apple, with their focus on the non-payment side of the wallet, is positioned to offer real conveniences and drive adoption. It’s a smart strategy. I’ve had iOS 6 on my iPod Touch for a few days and even though I haven’t used Passbook just yet, I’m intrigued at what it can do, and more importantly what it might do to the leather wallet I carry.

Here’s what’s in my wallet at this very moment and my ideas for how I might pare it down with digital technology:

  1. Insurance and other non-secure ID cards – How cool would it be if you could take a card-sized photo of both sides and create a digital version of that card that allows you to “flip it” front to back, just like turning a page in an e-book. I have 5 such cards in my wallet right now that I’d love to ditch.
  2. Credit cards – It will take a while to sort out but I’m confident I’ll be able to use my digital wallet for payment.
  3. Boarding pass – Thanks to American Airlines’ mobile boarding pass app and Apple Passbook, I can eliminate the old paper boarding pass.
  4. Loyalty cards – Some of these are on my key chain, some are in my wallet… Passbook seems to require merchant participation, but I go back to the camera. 100% of my loyalty cards are barcode-based. Can I take a high enough resolution picture to use the stored image at check out? I’m going to try it for sure…
  5. Receipts – I travel a lot for work so I hang on to receipts for my expense reporting and my wallet is overflowing within two weeks of travel. Digital wallets should be able to store digital receipts and in the meantime I’m thinking my camera can help here as well. If Passbook will sort and store them I’m really getting somewhere.
  6. Business cards – Some phones can exchange contact info, but most of the time I get a card. The size is relatively standard and OCR programs exist to retrieve the data.
  7. Gym membership card and locker key – Those of you that know me know I don’t have either of those, but if I did I would darn sure want it in my phone.
  8. Driver’s license – I may always need this for TSA and the occasional policeman that pulls me over for speeding, but it’d be nice to have a different form factor. I can keep this but slide it under the case that houses my phone.
  9. Cash – While I can pay for 99% of my purchases with electronic payments, I still feel best with cold hard cash in my pocket. I just saw a nifty phone case with a money clip on Amazon…

Out of 9 things I want to eliminate from my wallet, only two or three of them are really payment-focused. This leads me to conclude that the company that wins the larger share of the “digital wallet” will be the one that focuses on the value to the consumer and lowers costs for the merchant.

So what do you think? I’d love to hear what’s in your wallet and your creative ideas for making it digital…

When you think of digital wallets, names like PayPal, Google Wallet and Isis spring to mind. It’s been interesting watching these players position themselves to win the competition for both merchant and consumer mindshare. Each has taken a different approach, and each has had some highs and lows. Google Wallet yesterday announced a significant change to their product offering. Up until now, you were only able to take advantage of Google Wallet if you owned a Citi MasterCard. For the rest of us, no dice. As you may recall, prior to the wallet, Google had another product, known as Google Checkout. While Google Wallet holds your credit card on your phone, Google Checkout kept your card data in the cloud.

With the change, Google Wallet will now allow you to use any credit card: Visa, MasterCard, American Express or Discover. They are accomplishing this by storing your credit card in the cloud. When you store a card, a “virtual” MasterCard will be issued and stored on your phone. When a purchase is made from your phone, the charge will be against the virtual MasterCard. This ensures that merchants still receive card present rates. In the background, Google will then charge the consumer’s card of choice. The weakness, of course, remains the need for NFC phones, of which only five are available in the US.

Another change is the addition of a new security feature that allows you to remotely disable your mobile wallet on a lost phone. You need web access to do this, but it’s a step in the right direction.

So, what does this mean for the world of payments? Google has come up with a rather unique way to gain acceptance of their wallet in their battle for consumer mindshare. And they have done it in a way that will keep merchants happy too, in that they will continue to enjoy card present rates. As every merchant knows, there is a significant difference between card present and card not present rates. Google appears to be subsidizing the gap in the interest of gaining penetration. From the consumer perspective, purchases will now show up on their statements with Google as the merchant of record. What impact this will have on chargebacks or return processing remains to be seen. One thing is certain, however: in the battle for the mobile wallet, Google has just raised the bar, allowing almost any card to be placed in your wallet and used wherever MasterCard PayPass is accepted.

UPDATE (8.6.12):
Over the weekend, additional information was released indicating that Google was a bit premature in their announcement. It appears that American Express has not yet reached an agreement with Google for processing cards via Google Wallet. CNET released news on Friday of an email from the VP of Social Media Communications confirming that negotiations are still underway. It’ll be interesting to see how this develops; both parties expressed interest in coming to agreement. As I mentioned above, the two-card approach Google is taking could in effect mask the consumer’s actual purchase from the card brand, making purchases appear to come from Google. While it’s not confirmed that this is the approach Google is taking, no doubt American Express is concerned about Google getting between them and the American Express cardholder. We will continue to watch and comment as this story unfolds. Meanwhile, let us know your thoughts by posting a comment below.

As they often say in technology, you’re not wrong, just too early… and this may be the case with the mobile wallet. Yes, the technology has been around for a while. But now that consumers have embraced their mobile devices and broadened their perspectives on payments, is it still not quite ready for primetime?

While 2012 was supposed to be the year of the mobile wallet, players like Google are still struggling to find merchants who are willing to support and embrace the new technology.  Recent attempts to hack into the Google Wallet application are not helping these players make their case.

Google Wallet requires a personal identification number (PIN) code and a phone lock screen, which the company claims provides a higher level of security than most credit cards have today.  However, this past month two incidents proved that the PIN code could be cracked.  These breaches also forced Google to discontinue the acceptance of prepaid cards.

While we know that there will continue to be a lot of hype around mobile commerce, we also clearly understand that adoption by merchants and processors will really depend on payment security.

To deny the possibility of an attack over a mobile payment network would be irresponsible.  Most merchants are awaiting further development in this area before they take that leap and adopt a mobile wallet solution.  Once the industry embraces an aggressive security strategy for mobile payments, we believe adoption by merchants will follow suit.

What do you think? Let us know by leaving a comment below.

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011,  I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data.  The first documents were released in late 2010 and focused on point-to-point encryption followed by tokenization and virtualization.  In the New Year, the Council will focus on three new areas including cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance.  In some cases, it’s really just unsubstantiated marketing hype.  At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope and we wanted to offer our customers a third-party validation of this fact.  Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security.  As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog that we avidly follow here at Merchant Link.  For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

It’s here! Finally…well…sort of. The technology for mobile wallets has been around for a while, but the concept hasn’t caught on very well. Then Google entered the market with the mobile wallet, using Near Field Communications (NFC) to allow for data exchange with point-of-sale (POS) technologies. From the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards to their phones. It’s been an interesting progression to watch and something we will certainly keep an eye out for as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011?  Share them with us by posting a comment below.

By Sue Zloth

When Google made the announcement that it was launching a new mobile wallet backed by MasterCard and Visa, we knew that the industry needed to get a better hold on mobile payment security standards.

So what has the PCI Council thought about all of this?

The Council has been evaluating mobile communication devices and the payment application landscape.  The current focus is on determining the need for advice, guidance or re-evaluation of existing PCI requirements for mobile payment transactions.

Recently, the Council issued a statement on PA-DSS and mobile payment acceptance applications that provides specific detail on the types of mobile payment acceptance applications that can meet PA-DSS requirements, and those that require additional examination from the Council.

The Council’s Mobile Working Group, which includes representatives of each payment brand, put mobile payment acceptance applications into three categories based on type of underlying platform [according to the guidance document]:

  • Mobile Payment Acceptance Application Category 1 – The category includes payment applications that operate only on a PTS-approved mobile device.
  • Mobile Payment Acceptance Application Category 2 – Payment applications which meet all of the following criteria:
    • payment application is only provided as a complete solution “bundled” with a specific mobile device by the vendor;
    • underlying mobile device is purpose built (by design or by constraint) with a single function of performing payment acceptance; and
    • payment application, when installed on the “bundled” mobile device [as assessed by the Payment Application Qualified Security Assessor (PA-QSA) and explicitly documented in the payment application’s Report on Validation], provides an environment which allows the merchant to meet and maintain PCI DSS compliance.
  • Mobile Payment Acceptance Application Category 3 – Payment application operates on any consumer electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely dedicated to payment acceptance for transaction processing.

Guidance in the third category is not being addressed by the Council at this time.  It is a very important category given the growing trend of mobile payments and it needs to be addressed.  However, in the meantime, the Council plans to release additional guidance on the other categories by the end of 2011.

By Sue Zloth

For years, we’ve been hearing about the mobile wallet. The idea that you could scan your phone to pay for an item instantly, without having to carry cash or plastic, is appealing. It used to seem a bit futuristic, but mobile near-field communications (NFC) payments are here, with Google at the forefront with their mobile wallet.

While it is exciting that mobile payments are here, most of us in the payments industry are still aware of the many unknowns that exist.  So I was pleased to see this blog post from Avivah Litan, of Gartner Group, which outlines all the major unknowns that come with mobile payments.

One of the unknowns not mentioned, but one that will be an issue for merchants, is the security of payment data. NFC or traditional point of sale (POS) transactions require a layered approach to security. Merchants who are struggling to secure transactions today will need to consider how they will secure mobile transactions in the near future.

Read below to see what Avivah has to say:

I’m as excited as anyone about the prospects of mobile NFC payments, and it was good to see Google line up much-needed cooperation from MasterCard, Sprint, Citi, and some retailers with its new Google Wallet initiative. We just wrote a Gartner First Take that explores the benefits of Google Wallet as well as the hurdles to adoption.

In my opinion, the main hurdle is convincing retailers to accept these new payment types. In watching payment systems evolve over the past decade and more, I’ve come to strongly believe that it’s the sellers (or retailers) that drive new payment system adoption. And I just don’t see a strong enough value proposition for the retailers out of the gate to drive success here. Sure, in the long run, there is likely to be value with customer acquisition and retention generated via the Google Offers (advertising, coupons, loyalty, etc.) program. But it’s the short run that immediately matters because if we don’t get past the short run hurdles, there won’t be any significant adoption.

And in the short run – the expense and costs for this new program will probably outweigh the benefits for most retailers that consider it, unless of course Google and other Google Wallet participants PAY merchants to join (which is a common approach struggling new payment systems have taken in the past).

In my opinion, the big unknowns are:

a) why are merchants requiring signatures on these contactless transactions, which defeats the (albeit questionable) promise of speed and convenience at the check out lane?

b) what in fact are the interchange fees that the retailers will have to pay? Retailers pay more for signature based payment card transactions than they do for PIN ones, and even with low value debit payments that don’t require signatures, my understanding from talking with retailers is that contactless debit payments typically cost merchants more than debit card-swipes.

In fact, retailers have been known to shut off contactless payments over interchange disputes. For example, Storefront Backtalk reported early last year on BestBuy’s dispute with Visa over its contactless debit card payment interchange policies and fees, which led the mega-retailer to stop accepting Visa’s contactless transactions. The news group, a rich and well-respected source for retail industry information, also disclosed issues other large retailers had with the contactless fee structure.

Indeed, interchange fees paid for credit and debit card payment processing is a sizable chunk of many retailers’ balance sheets (the second largest line item at Target for example, right after labor costs).  It’s a constant source of friction between retailers and the banks, and is being hotly debated as part of the Durbin amendment which threatens to dramatically reduce bank debit card interchange fees.

So while mobile payments are not just about payments – they are trying to be about the entire customer shopping experience – fees play a critical role in merchant willingness to promote new payment types. Most retailers will already have to upgrade their POS equipment to accept the contactless payments. And now they have to be willing to forego lower interchange fees on PIN debit.

I’m just not sure this is going to fly, despite the mobility.