Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘MasterCard’

It was a big year in electronic payments in 2012. Our dynamic industry is proving again that the only thing you can count on is change. As we near the end of the year, I wanted to take a moment to reflect back on some of the bigger stories from 2012 that will continue to be prominent in 2013.

PCI’s Long-Awaited P2PE Requirements Finally Released!
This was big news and exciting for the team at Merchant Link when the PCI Council published their point-to-point encryption requirements, SAQ and testing procedures for QSAs which will allow them to validate P2PE solutions. Once solutions are validated, the Council will provide a list of validated solutions on their website and we expect to be among the first listed in early 2013. We are eager to start working with our clients to complete the first P2PE SAQ.

  • NET: Merchants using P2PE gain very real PCI scope reduction benefits.

Visa and MasterCard Settle Lawsuit, Debate PIN vs. SIG
The seven-year-old interchange fee antitrust lawsuit brought by retailers and retail groups against Visa and MasterCard seemed to be nearing an end this summer. Instead, many of the plaintiffs spoke out against the proposed settlement. Complaints mostly centered on the temporary relief it provides. After a big victory in 2011 on debit interchange, the comparatively moderate and temporary gains provided in the credit interchange suit did not hit the mark in retailers’ minds. It appears as though this story will continue into 2013, and it will be interesting to see how the current political environment might shape the results. MasterCard and Visa also publicly debated the merits of Chip and PIN vs. Chip and Signature when it comes to defining EMV standards for the United States. PIN is certainly more secure, but some industry insiders (your author included) wonder if the reason the brands are mandating EMV in the U.S. is really about security and fraud prevention, or about forcing NFC technology adoption at the POS to accelerate mobile payments.

  • NET: Don’t break out the champagne just yet; the battle rages on. And if deployment timelines for EMV in Canada are any indication, we’ll be debating Chip and PIN vs. Chip and SIG for the next several years.

What’s in Your Digital Wallet?
I recently blogged about how exciting it would be if I could digitize everything and ditch my “analog wallet.” The buzz and movement in the mobile payments space continued in 2012. It was interesting to see Google opening up their wallet to additional issuers and changing their card data storage to a cloud-based model. I am very curious to see how the ISIS pilot does as well. The pilot was delayed initially but has since launched in my home town of Austin, TX. At our inaugural Formula 1 Race in November the ISIS readers were at every point-of-sale, and though I spent a lot of time in shopping lines I didn’t see anyone use one. I continued to search for the readers in other locations in Austin but have not seen many (though the advertising is everywhere). As I mentioned in my blog post, I think mobile payments will be more slowly adopted than other wallet features but I’m excited to see the progress.

  • NET: As with anything in our industry, consumer usage and merchant acceptance will ebb and flow until we reach a critical mass but the movement to date is encouraging.

Square Emerges as a Major Payments Player
Having spent a few years in mobile payments, I am fascinated by the growth of mobile payment provider Square. Merchant adoption and processing volumes seem to be growing at an incredible pace. They also got a big nod from Starbucks who will begin processing all credit card payments in its 7,000 stores in the U.S. through Square. However, late this year AnywhereCommerce was granted two U.S. patents covering solutions that use an audio jack to process payments. The company believes their patents are enforceable so it is hard to imagine this story won’t be one to watch in 2013.

  • NET: Mobile payment acceptance will continue to be a huge story in 2013. Square isn’t the only audio jack solution, and with this many transactions and players involved, I’m sure we’ll see some heated public battles over these patents.

Data Breaches Continue
Finally, the lead stories in our industry continue to be data breaches. Barnes & Noble made the headlines when they announced a card data breach at 63 of their stores. Other notables included Global Payments, the State of South Carolina and several other state and local government entities, and some are calling for greater collaboration between government agencies and the private sector to combat the threat. In fact, the Obama administration reportedly plans to issue an executive order to guard against cyber attacks.

  • NET: Data security remains a challenge in both sectors. Employ a layered approach using tokenization and encryption to decrease the chances of experiencing a breach.

Which stories were you most intrigued by this year? Let us know by leaving a comment, below.

Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web. Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.

Most Small Merchants Store Unencrypted Card Data
by Ed McKinley
The vast majority of small merchants are still storing unencrypted card data and most don’t even know it, according to statistics compiled by a security vendor.
To make matters worse, the stats improved only minutely over last year, according to SecurityMetrics Inc., the Orem, Utah-based security company…

Organizations Fail to Realize the Implications of a Data Breach
by Help Net Security
New research by the Ponemon Institute revealed that 54 percent of respondents have experienced at least one data breach in the last year, with nearly a fifth (19 percent) experiencing more than four.
Perhaps more worryingly, those that have so far avoided a data breach demonstrated a real lack of awareness of the financial and long-term damage that a breach can have on a company…

MasterCard Launches Credit Card With Built-in LCD, Keyboard
by Adario Strange
Facing ever-mounting pressure from the likes of Square, Paypal, Google Wallet, and others, traditional credit card companies like Visa and MasterCard are facing technology-driven challenges unlike any they’ve seen before. And while the Internet appears to be the primary disruptive element powering those new challenges, MasterCard has decided that its strategy for competing with payment service upstarts lies in creating an innovative new card that is fully interactive…

What other interesting content have you come across? Leave a comment below and join the discussion.

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011, I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data. The first documents were released in late 2010 and focused on point-to-point encryption, followed by tokenization and virtualization. In the New Year, the Council will focus on three new areas including cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance. In some cases, it’s really just unsubstantiated marketing hype. At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope, and we wanted to offer our customers a third-party validation of this fact. Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security. As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog that we avidly follow here at Merchant Link. For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

It’s here! Finally…well…sort of. The technology for mobile wallets has been around for a while, but the concept hasn’t caught on very well. Then Google entered the market with the mobile wallet, using Near Field Communications (NFC) to allow for data exchange with point-of-sale (POS) technologies. From the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards to their phones. It’s been an interesting progression to watch and something we will certainly keep an eye out for, as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011? Share them with us by posting a comment below.

By Michael Ryan

As the world’s largest retail trade association, the National Retail Federation (NRF) is not afraid to hunt big game. In late November, NRF and other industry leaders took a stand and sued the Federal Reserve Board over its alleged failure to comply with the Durbin amendment requirements. Specifically, the suit alleges that the Fed did not act in accordance with the law, by setting debit card interchange higher than the “reasonable and proportional” mandate in the amendment and by not providing sufficient network flexibility for merchants.

I’m not a lawyer, judge or jury, so I won’t attempt to debate whether or not they complied with the law. In fact, I support the NRF’s attempts to lower processing fees in general, but as I have mentioned before, the execution has led to all sorts of unintended consequences. Price fixing will always produce unintended results and even negatively affect some segments of the population it intends to help.

Case in point: convenience stores, vending machine businesses and other merchants with a small average ticket. The intent of the Durbin amendment was to lower rates for all, but in the end it actually raised rates for these groups. USA Technologies, a provider of card solutions for the vending industry, was affected, and it was announced a few weeks ago that they struck a deal with Visa to normalize their rates post-Durbin. While not every merchant has the size and power to secure a deal like this one on their own, I applaud their efforts to use negotiation instead of litigation.

And this is nothing new. For over 30 years, the card associations have worked with large merchants and industry groups to negotiate and adjust interchange rates to meet the market’s needs. We’ve seen this in the grocery, convenience and small ticket markets, each of which managed to persuade the associations to create industry-specific interchange categories and lower their rates. While those efforts may not have reduced the issuers’ margins to zero, they have been effective. Yet the government mandate negates all previous negotiation by applying a one-size-fits-all method, wiping away any past progress made by small ticket merchants and other groups.

That brings us to network exclusivity, the second major allegation in the suit. This is where the law can help level the playing field by introducing real competition. The associations wield a lot of power when it comes to signature debit. Had the Fed required multiple PIN and signature network affiliations on each card, as was discussed early in the negotiations, merchants might have really gained some negotiating power. That almost certainly would allow them to affect price adjustments more naturally through competition rather than price fixing.

Who knows what will come out of the lawsuit, but let’s hope it gets us closer to natural market competition than the first attempt has.

If you’re like me, you spend time during your daily commute at the local Starbucks, standing in line, waiting for your caffeine fix. As you eagerly await your turn in line, reciting your order repeatedly in your mind to ensure you don’t mess it up, you see individuals approach the register and pay for their cappuccinos, coffees, espressos and other concoctions with…their cellphones?

The scenario of a barista scanning a customer’s mobile device and account information being transferred through a point-of-sale system raises some red flags in the minds of consumers. Yet studies by credit card giants, such as MasterCard, show that customers aren’t so averse to the increased adoption of mobile payments.

In fact, results of a recent study they conducted showed that 62 percent of Americans with cell phones would welcome paying for purchases with a mobile device. It really becomes a psychology issue rather than a pure technology issue. Does the convenience of the purchase outweigh the security concerns in their minds?

With that in mind, younger generations are more likely to embrace mobile payments and feel more comfortable without a wallet than without a mobile device. That could mean that mobile payments and a society without cash are clearly around the corner. Right?

Well, not completely. The customer is only one half of the equation for mobile payment adoption. The other half is the merchant, and right now, merchants are simply not seeing the potential return on their mobile payment investment. That’s because the switch to mobile payments involves much more than just training your staff to add “cell phone” to the list of ways customers can cover their tab.

To embrace mobile payments, a merchant’s point of sale, payment processing, and device management systems need to be overhauled. Most importantly, additional security concerns need to be addressed.

With advanced tokenization and encryption solutions being embraced by merchants, the customer’s invaluable credit card information can be protected from the time of the card swipe through the rest of the transaction lifecycle.

Most of us in the industry understand that the movement to secure mobile payments is only in the beginning stages and that solutions are in development to secure these types of transactions in the future. However, until merchants see enough benefit in embracing mobile devices as forms of payment to cover their investment in upgrades to their point of sale, payment processing and security systems, a cashless society could remain simply a pipe dream.

By Michael Ryan

Recently, Gartner Group surveyed U.S. retailers looking at the spending levels for PCI compliance. The findings reflect much of what we’ve seen in the market as we have discussions with major retailers. Most big brands have already taken steps to achieve PCI compliance, and so 89 percent of Level 1 merchants surveyed were compliant, while 57 percent of merchants that fall between Level 2-4 were compliant. But interestingly, the survey found that Level 2-4 merchants are spending more on compliance.

So what gives?

Of course, the spending increase for lower level merchants could just be basic math. There are far more retailers at the lower levels than at Level 1, half of which still need to take steps to become PCI compliant.

One of the motivations that Gartner analyst Avivah Litan points to is that the merchant-acquiring banks that enforce PCI compliance on behalf of the card brands like Visa, MasterCard, etc., have been contacting Level 1 merchants, reinforcing the message that they must be in compliance with PCI standards. Fines and threats are usually effective motivators.

The cost increases for Level 2 merchants are just the associations’ long-term plans playing out. They started with e-commerce merchants, moved to the largest retailers and are now increasing pressure on the next level of retailers who are currently not meeting compliance standards.

The pressure is good, and we do hope that retailers realize that becoming PCI compliant is necessary, but only a baseline. In fact, Gartner predicts that by the end of 2012, 75 percent of the retailers that are breached will be PCI compliant.

So what is a retailer to do?

Use PCI standards as a baseline for protection, but understand that newer technologies are available to remove the sensitive data from their systems altogether and ensure that they have a layered approach to securing their networks. From encryption to tokenization, retailers must realize the benefits of implementing these technologies, including reductions in the scope of PCI audits as well as minimizing card data exposure, making retailers a less attractive target for attacks.

By Beth McGarrity

Recently, Javelin Strategy & Research released a study that analyzes how secure consumers’ credit details are. The Seventh Annual Card Issuer’s Safety Scorecard dives into existing trends related to card fraud, mitigation against these threats, and evaluation of card issuers that have consumer-facing prevention, detection and resolution capabilities.

The study focused on the top 20 card issuers such as American Express, MasterCard, Visa, Bank of America, JP Morgan Chase, Capital One and more. The results found that card issuers do a good job resolving fraud problems once they occur, but ultimately fall short on prevention and detection.

In light of the number of recent breaches that have impacted big brands, as well as financial institutions like Citigroup, consumers need to be aware of how their payment information is protected and take proactive steps to ensure their own credit protection.

By Michael Ryan

Earlier this year, I wrote about how legislation could affect debit transactions and specifically the impact of the Durbin Amendment, which is aimed at debit card interchange fees and increasing competition in payment processing. Nearly six months later, we now have the official rules.

The big banks can breathe a sigh of relief. Fee caps are now 21 cents plus five basis points. This is still a hit of roughly 50 percent on a $40 transaction but it certainly looked much bleaker (max of 12 cents per transaction) just a couple months ago.

The network routing rules are also a bit simpler. Cards must carry the logos (“bugs”) of two unaffiliated networks, but they do not need to offer the same authentication service. In most cases that likely should mean one network for signature-based and one for PIN-based transactions. With the elimination of rate differences between the two options, we may actually see real competition in the form of new offerings from the networks.

So who won?

The issuers traded draconian cuts for merely drastic cuts, but it would be hard to categorize that as victory. Certainly large merchants who are able to negotiate interchange-plus type rates will see the biggest short-term gain. Ostensibly that will lead to reduced prices for consumers, who were supposed to benefit most from this legislation. We may see some trickle-down, but I wouldn’t expect any sweeping price reductions.

So of the groups most often cited in Durbin discussions – issuers, merchants and consumers – each may have come away with something.

But I believe the real beneficiaries are a third group not often mentioned in this discussion: acquirers/ISOs. The regulation caps the interchange that issuers can collect, but it says nothing about acquirers’ margins on top of interchange.

So while large, savvy merchants who have negotiated interchange-plus rates will see decreases, there is no reason to believe that acquirers will cut debit fees in the short term for small merchants who pay more traditional rates. This could be a huge windfall for the acquirer community.

As we have seen with other examples of regulatory price fixing, the unintended consequences may ultimately be more pronounced than what is actually intended.

By Beth McGarrity

Here on SecurityCents, we are often blogging about attacks on restaurants, retail or lodging where the attacker has one main purpose: stealing payment information for monetary gain. But as we’ve seen during recent months, the attackers’ motive is shifting and evolving.

Just ask Sony

Or the CIA and FBI

Or Mastercard and Visa

Each of these organizations has faced a different sort of attack during the year, where groups like Anonymous and Lulz Security have attacked servers to bring down the site and embarrass the organization for its lack of security controls.

It may be different than the stories we’ve told in the past, but the moral of the story is the same. And these new threats shouldn’t detract from what we already know.

The focus on stealing payment data has not been lost. A few months back, Citigroup disclosed that over 210,000 accounts in North America alone were breached and information was stolen. It was one of the most significant attacks on a financial institution.

So while the rise of hacktivism is currently in the spotlight, don’t forget that cyber criminals who are seeking monetary gain continue to lurk in the shadows, slowly and consistently tapping into networks and determining the vulnerabilities that exist and can be exploited. It is critical that merchants continue to stand guard and ensure that they have the security controls in place to protect customer payment data.

By Sue Zloth

For years, we’ve been hearing about the mobile wallet. The idea that you could scan your phone to pay for an item instantly without having to carry cash or plastic is appealing. It used to seem a bit futuristic, but mobile near-field communications (NFC) payments are here, with Google at the forefront with their mobile wallet.

While it is exciting that mobile payments are here, most of us in the payments industry are still aware of the many unknowns that exist. So I was pleased to see this blog post from Avivah Litan of Gartner Group, which outlines all the major unknowns that come with mobile payments.

One of the unknowns not mentioned, but one that will be an issue for merchants, is the security of payment data. NFC and traditional point of sale (POS) transactions alike require a layered approach to security. Merchants who are struggling to secure transactions today will need to consider how they will secure mobile transactions in the near future.

Read below to see what Avivah has to say:

I’m as excited as anyone about the prospects of mobile NFC payments, and it was good to see Google line up much-needed cooperation from MasterCard, Sprint, Citi, and some retailers with its new Google Wallet initiative. We just wrote a Gartner First Take that explores the benefits of Google Wallet as well as the hurdles to adoption.

In my opinion, the main hurdle is convincing retailers to accept these new payment types. In watching payment systems evolve over the past decade and more, I’ve come to strongly believe that it’s the sellers (or retailers) that drive new payment system adoption. And I just don’t see a strong enough value proposition for the retailers out of the gate to drive success here. Sure, in the long run, there is likely to be value with customer acquisition and retention generated via the Google Offers (advertising, coupons, loyalty, etc.) program. But it’s the short run that immediately matters because if we don’t get past the short run hurdles, there won’t be any significant adoption.

And in the short run – the expense and costs for this new program will probably outweigh the benefits for most retailers that consider it, unless of course Google and other Google Wallet participants PAY merchants to join (which is a common approach struggling new payment systems have taken in the past).

In my opinion, the big unknowns are:

a) why are merchants requiring signatures on these contactless transactions, which defeats the (albeit questionable) promise of speed and convenience at the check out lane?

b) what in fact are the interchange fees that the retailers will have to pay? Retailers pay more for signature-based payment card transactions than they do for PIN ones, and even with low value debit payments that don’t require signatures, my understanding from talking with retailers is that contactless debit payments typically cost merchants more than debit card swipes.

In fact, retailers have been known to shut off contactless payments over interchange disputes. For example, Storefront Backtalk reported early last year on BestBuy’s dispute with Visa over its contactless debit card payment interchange policies and fees, which led the mega-retailer to stop accepting Visa’s contactless transactions. The news group, a rich and well-respected source for retail industry information, also disclosed issues other large retailers had with the contactless fee structure.

Indeed, interchange fees paid for credit and debit card payment processing are a sizable chunk of many retailers’ balance sheets (the second largest line item at Target, for example, right after labor costs). It’s a constant source of friction between retailers and the banks, and is being hotly debated as part of the Durbin amendment, which threatens to dramatically reduce bank debit card interchange fees.

So while mobile payments are not just about payments – they are trying to be about the entire customer shopping experience – fees play a critical role in merchant willingness to promote new payment types. Most retailers will already have to upgrade their POS equipment to accept the contactless payments. And now they have to be willing to forego lower interchange fees on PIN debit.

I’m just not sure this is going to fly, despite the mobility.