Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘MasterCard’

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011,  I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data.  The first documents were released in late 2010 and focused on point-to-point encryption followed by tokenization and virtualization.  In the New Year, the Council will focus on three new areas including cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance.  In some cases, it’s really just unsubstantiated marketing hype.  At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope and we wanted to offer our customers a third-party validation of this fact.  Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security.  As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog that we avidly follow here at Merchant Link.  For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

It’s here!  Finally…well…sort of.  The technology for mobile wallets has been around for a while, but the concept hasn’t caught on very well. Then Google entered the market with the mobile wallet, using Near Field Communication (NFC) to allow for data exchange with point-of-sale (POS) technologies. From the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards to their phones.  It’s been an interesting progression to watch and something we will certainly keep an eye on, as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011?  Share them with us by posting a comment below.

By Michael Ryan

As the world’s largest retail trade association, the National Retail Federation (NRF) is not afraid to hunt big game.  In late November, NRF and other industry leaders took a stand and sued the Federal Reserve Board over its alleged failure to comply with the Durbin amendment requirements. Specifically, the suit alleges that the Fed did not act in accordance with the law, by setting debit card interchange higher than the “reasonable and proportional” mandate in the amendment and by not providing sufficient network flexibility for merchants.

I’m not a lawyer, judge or jury, so I won’t attempt to debate whether or not they complied with the law. In fact, I support the NRF’s attempts to lower processing fees in general, but as I have mentioned before, the execution has led to all sorts of unintended consequences. Price fixing will always produce unintended results and even negatively affect some segments of the population it intends to help.

Case in point: Convenience stores, vending machine businesses and other merchants with a small average ticket.  The intent of the Durbin amendment was to lower rates for all but in the end it actually raised rates for these groups. USA Technologies, a provider of card solutions for the vending industry, was affected and it was announced a few weeks ago that they struck a deal with Visa to normalize their rates post-Durbin.  While not every merchant has the size and power to secure a deal like this one on their own, I applaud their efforts to use negotiation instead of litigation.

And this is nothing new.  For over 30 years, the card associations have worked with large merchants and industry groups to negotiate and adjust interchange rates to meet the market’s needs. We’ve seen this in the grocery, convenience and small ticket markets, each of which managed to persuade the associations to create industry-specific interchange categories and lower their rates. While those efforts may not have reduced the issuers’ margins to zero, they have been effective. Yet, the government mandate negates all previous negotiation by applying a one-size-fits-all method, wiping away any past progress made by small ticket merchants and other groups.

That brings us to network exclusivity, the second major allegation in the suit. This is where the law can help level the playing field by introducing real competition. The associations wield a lot of power when it comes to signature debit.  Had the Fed required multiple PIN and signature network affiliations on each card, as was discussed early in the negotiations, merchants might have really gained some negotiating power. That almost certainly would allow them to affect price adjustments more naturally through competition rather than price fixing.

Who knows what will come out of the lawsuit but let’s hope it gets us closer to natural market competition than the first attempt has.

If you’re like me, you spend time during your daily commute at the local Starbucks, standing in line, waiting for your caffeine fix. As you eagerly await your turn in line, reciting your order repeatedly in your mind to ensure you don’t mess it up, you see individuals approach the register and pay for their cappuccinos, coffees, espressos and other concoctions with…their cellphones?

The scenario of a barista scanning a customer’s mobile device and account information being transferred through a point-of-sale system raises some red flags in the minds of consumers. Yet studies by credit card giants, such as MasterCard, show that customers aren’t so averse to the increased adoption of mobile payments.

In fact, results of a recent study they conducted showed that 62 percent of Americans with cell phones would welcome paying for purchases with a mobile device.  It really becomes a psychology issue rather than a pure technology issue. Does the convenience of the purchase outweigh the security concerns in their minds?

With that in mind, younger generations are more likely to embrace mobile payments and feel more comfortable without a wallet than without a mobile device.  That could mean that mobile payments and a society without cash are clearly around the corner. Right?

Well, not completely. The customer is only one half of the equation for mobile payment adoption. The other half is the merchant, and right now, merchants are simply not seeing the potential return on their mobile payment investment. That’s because the switch to mobile payments involves much more than just training your staff to add “cell phone” to the list of ways customers can cover their tab.

To embrace mobile payments, a merchant’s point of sale, payment processing, and device management systems need to be overhauled. Most importantly, additional security concerns need to be addressed.

With advanced tokenization and encryption solutions being embraced by merchants, the customer’s invaluable credit card information can be protected from the time of the card swipe through the rest of the transaction lifecycle.

Most of us in the industry understand that the movement to secure mobile payments is only in the beginning stages and that solutions are in development to secure these types of transactions in the future. However, until merchants see enough benefit in embracing mobile devices as forms of payment to cover their investment in upgrades to their point of sale, payment processing and security systems, a cashless society could remain simply a pipe dream.

By Michael Ryan

Recently, Gartner Group surveyed U.S. retailers, looking at the spending levels for PCI compliance.  The findings reflect much of what we’ve seen in the market as we have discussions with major retailers.  Most big brands have already taken steps to achieve PCI compliance, and so 89 percent of Level 1 merchants surveyed were compliant, while 57 percent of merchants that fall between Level 2-4 were compliant.  But interestingly, the survey found that Level 2-4 merchants are spending more on compliance.

So what gives?

Of course, the spending increase for lower level merchants could just be basic math.  There are far more retailers at the lower levels than at Level 1, half of which still need to take steps to become PCI compliant.

One of the motivations that Gartner analyst, Avivah Litan, points to is that the merchant-acquiring banks that enforce PCI compliance on behalf of the card brands like Visa, MasterCard etc., have been contacting Level 1 merchants, reinforcing the message that they must be in compliance with PCI standards.  Fines and threats are usually effective motivators.

The cost increases for Level 2 merchants are just the associations’ long-term plans playing out. They started with e-commerce merchants, moved to the largest retailers and are now increasing pressure on the next level of retailers who are currently not meeting compliance standards.

The pressure is good, and we do hope that retailers realize that becoming PCI compliant is necessary, but only a baseline.  In fact, Gartner predicts that by the end of 2012, 75 percent of the retailers that are breached will be PCI compliant.

So what is a retailer to do?

Use PCI standards as a baseline for protection but understand that newer technologies are available to remove the sensitive data from their systems altogether and ensure that they have a layered approach to securing their networks.  From encryption to tokenization, retailers must realize the benefits of implementing these technologies including reductions in the scope of PCI audits as well as minimizing card data exposure, making retailers a less attractive target for attacks.

By Beth McGarrity

Recently, Javelin Strategy & Research released a study that analyzes how consumers’ credit details are secured.  The Seventh Annual Card Issuer’s Safety Scorecard dives into existing trends related to card fraud, mitigation against these threats and evaluation of card issuers that have consumer-facing prevention, detection and resolution capabilities.

The study focused on the top 20 card issuers such as American Express, MasterCard, Visa, Bank of America, JP Morgan Chase, Capital One and more. The results found that card issuers do a good job resolving fraud problems once they occur, but ultimately fall short on prevention and detection.

In light of the number of recent breaches that have impacted big brands, as well as financial institutions like Citigroup, consumers need to be aware of how their payment information is protected and take proactive steps to ensure their own credit protection.

By Michael Ryan

Earlier this year, I wrote about how legislation could affect debit transactions and specifically, the impact of the Durbin Amendment, which is aimed at debit card interchange fees and increasing competition in payment processing. Nearly six months later and we now have the official rules.

The big banks can breathe a sigh of relief. Fee caps are now 21 cents plus five basis points. This is still a hit of roughly 50 percent on a $40 transaction but it certainly looked much bleaker (max of 12 cents per transaction) just a couple months ago.

The network routing rules are also a bit simpler. Cards must carry bugs (network marks) from two unaffiliated networks, but they do not need to offer the same authentication service. In most cases that likely should mean one network for signature-based and one for PIN-based. With the elimination of rate differences between the two options we may actually see real competition in the form of new offerings from the networks.

So who won?

The issuers traded draconian cuts for merely drastic cuts but it would be hard to categorize that as victory. Certainly large merchants who are able to negotiate interchange plus type rates will see the biggest short term gain. Ostensibly that will lead to reduced prices for consumers who were supposed to benefit most from this legislation. We may see some trickle down but I wouldn’t expect any sweeping price reductions.

So of the groups most often cited in Durbin discussions – issuers, merchants and consumers – each may have come away with something.

But I believe the real beneficiaries are a third group not often mentioned in this discussion: acquirers/ISOs. The regulation caps the interchange that issuers can collect, but it says nothing about acquirers’ margins on top of interchange.

So while large savvy merchants who have negotiated interchange plus rates will see decreases there is no reason to believe that acquirers will cut debit fees in the short term for small merchants who pay more traditional rates. This could be a huge windfall for the acquirer community.

As we have seen with other examples of regulatory price fixing, the unintended consequences may ultimately be more pronounced than what is actually intended.

By Beth McGarrity

Here on SecurityCents, we are often blogging about attacks on restaurants, retail or lodging where the attacker has one main purpose:  stealing payment information for monetary gain.  But as we’ve seen during recent months, the attackers’ motive is shifting and evolving.

Just ask Sony

Or the CIA and FBI

Or Mastercard and Visa

Each of these organizations has been faced with a different sort of attack during the year, where groups like Anonymous and Lulz Security have attacked servers to bring down the site and embarrass the organization for lack of security controls.

It may be different than the stories we’ve told in the past, but the moral of the story is the same.  And these new threats shouldn’t detract from what we already know.

The focus on stealing payment data has not been lost.  A few months back, Citigroup disclosed that over 210,000 accounts in North America alone were breached and information was stolen.  It was one of the most significant attacks on a financial institution.

So while the rise of hacktivism is currently in the spotlight, don’t forget that cyber criminals who are seeking monetary gain continue to lurk in the shadows, slowly and consistently tapping into networks and determining the vulnerabilities that exist and can be exploited.  It is critical that merchants continue to stand guard and ensure that they have the security controls in place to protect customer payment data.

By Sue Zloth

For years, we’ve been hearing about the mobile wallet.  The idea that you could scan your phone to pay for an item instantly, without having to carry cash or plastic, is appealing.  It used to seem a bit futuristic, but mobile near-field communication (NFC) payments are here, with Google at the forefront with their mobile wallet.

While it is exciting that mobile payments are here, most of us in the payments industry are still aware of the many unknowns that exist.  So I was pleased to see this blog post from Avivah Litan, of Gartner Group, which outlines all the major unknowns that come with mobile payments.

One of the unknowns not mentioned, but one that will be an issue for merchants, is the security of payment data.  NFC and traditional point of sale (POS) transactions alike require a layered approach to security.  Merchants who are struggling to secure transactions today will need to consider how they will secure mobile transactions in the near future.

Read below to see what Avivah has to say:

I’m as excited as anyone about the prospects of mobile NFC payments, and it was good to see Google line up much-needed cooperation from MasterCard, Sprint, Citi, and some retailers with its new Google Wallet initiative. We just wrote a Gartner First Take that explores the benefits of Google Wallet as well as the hurdles to adoption.

In my opinion, the main hurdle is convincing retailers to accept these new payment types. In watching payment systems evolve over the past decade and more, I’ve come to strongly believe that it’s the sellers (or retailers) that drive new payment system adoption. And I just don’t see a strong enough value proposition for the retailers out of the gate to drive success here. Sure, in the long run, there is likely to be value with customer acquisition and retention generated via the Google Offers (advertising, coupons, loyalty, etc.) program. But it’s the short run that immediately matters because if we don’t get past the short run hurdles, there won’t be any significant adoption.

And in the short run – the expense and costs for this new program will probably outweigh the benefits for most retailers that consider it, unless of course Google and other Google Wallet participants PAY merchants to join (which is a common approach struggling new payment systems have taken in the past).

In my opinion, the big unknowns are:

a) why are merchants requiring signatures on these contactless transactions, which defeats the (albeit questionable) promise of speed and convenience at the check out lane?

b) what in fact are the interchange fees that the retailers will have to pay? Retailers pay more for signature based payment card transactions than they do for PIN ones, and even with low value debit payments that don’t require signatures, my understanding from talking with retailers is that contactless debit payments typically cost merchants more than debit card-swipes.

In fact, retailers have been known to shut off contactless payments over interchange disputes. For example Storefront Backtalk (www.storefrontbacktalk.com) reported early last year on BestBuy’s dispute with Visa over its contactless debit card payment interchange policies and fees, which led the mega-retailer to stop accepting Visa’s contactless transactions. The news group, a rich and well-respected source for retail industry information, also disclosed issues other large retailers had with the contactless fee structure.

Indeed, interchange fees paid for credit and debit card payment processing are a sizable chunk of many retailers’ balance sheets (the second largest line item at Target for example, right after labor costs).  It’s a constant source of friction between retailers and the banks, and is being hotly debated as part of the Durbin amendment which threatens to dramatically reduce bank debit card interchange fees.

So while mobile payments are not just about payments – they are trying to be about the entire customer shopping experience – fees play a critical role in merchant willingness to promote new payment types. Most retailers will already have to upgrade their POS equipment to accept the contactless payments. And now they have to be willing to forego lower interchange fees on PIN debit.

I’m just not sure this is going to fly, despite the mobility.

By Michael Ryan

It’s the time of year.  Ghouls and ghosts come out to play making most of us quake in our boots.  Some of us love it, others put up with it just to get the goodies and treats.  So in the spirit of Halloween, I’ve pulled together a list of myths for the week that may have merchants a bit confused.  As a treat, I will address these myths and provide our readers with more insight so that they can put these spooky myths in their graves for good.

Today, we’ll take a look at transaction security.  With the number of breaches that have occurred in the retail industry, this myth should really have you quivering in fear. The last thing any merchant wants to see is their name splashed across a news story pointing to the loss of thousands of customers’ credit card data.

Spooky Myth of the Day: EMV is all the transaction security I will need.

For those of you that don’t know, EMV comes from the letters of Europay, MasterCard and Visa, who are the three companies that developed this card standard for authenticating credit and debit card transactions at point-of-sale (POS) terminals and automated teller machines (ATMs).

When I am talking to merchants, I hear it all the time, “Won’t it be great when we have EMV in the US and my transaction security woes will be over?”  This is often followed by a debate over the time frame in which we’ll see this revolution.

But don’t be fooled by this myth.  The truth is that while several studies have shown how EMV has been effective in preventing fraud at the point of sale in brick and mortar environments, it really only addresses counterfeit card creation and usage.

EMV transactions still transmit sensitive cardholder data in the clear, so EMV does very little to reduce a merchant’s PCI obligations. Merchants processing EMV must still limit data storage and protect data that is stored.  EMV does not eliminate potential fraudulent activity with Mail Order or Telephone Order (MOTO) payment processing or with online transactions.

So while EMV may help us prevent fraud committed with counterfeit cards used at the physical point of sale, the data is not automatically secured in-flight or at rest and may be stolen and used to commit fraud in other ways. It is important to remember as well that the data only needs to be stolen (not used) for a merchant to face significant penalties and damage to their brand.

Don’t let these myths fool you.  Understand the limitations of EMV and ensure that you have a layered security approach that can secure data in-flight and at rest.
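To make the gap concrete, here is an added example (not Merchant Link’s code, and not part of the original post) that also serves the earlier point about using encryption and tokenization on top of the PCI baseline. It assumes a constructed EMV authorization record as a POS might log it; the field names, the sample PAN and the cryptogram value are invented. The chip cryptogram proves the card is genuine, but the PAN next to it is still plaintext, so the record is scanned for PANs in the clear and then tokenized before storage.

```python
import re
import secrets

# Constructed sample of what a POS might log after a chip transaction.
# Field names and values are invented for this example.
EMV_AUTH_RECORD = {
    "pan": "4111111111111111",          # cardholder PAN, transmitted in the clear
    "expiry": "1225",
    "cryptogram": "A1B2C3D4E5F60718",   # ARQC: authenticates the card, hides nothing
    "amount": "40.00",
    "auth_code": "123456",
}


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test, used to tell a PAN apart from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans_in_clear(record: dict) -> list:
    """Return the names of fields holding a 13-19 digit, Luhn-valid number."""
    return [
        name for name, value in record.items()
        if isinstance(value, str)
        and re.fullmatch(r"\d{13,19}", value) is not None
        and luhn_valid(value)
    ]


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets a merchant display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Toy vault: tokens are random, so nothing about the PAN can be recovered
    from the token alone. A real vault keeps the PAN encrypted under HSM keys."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # prefix guarantees it never looks like a PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def tokenize_record(record: dict, vault: TokenVault) -> dict:
    """Replace PAN and expiry with a token and a masked PAN before the record is stored."""
    stored = dict(record)
    pan = stored.pop("pan")
    stored.pop("expiry", None)                  # expiry plus PAN is enough for MOTO fraud
    stored["token"] = vault.tokenize(pan)
    stored["masked_pan"] = mask_pan(pan)
    return stored
```

Running `find_pans_in_clear` on the raw record flags the `pan` field; on the tokenized record it finds nothing, while the cryptogram and authorization data the merchant needs for reconciliation are untouched.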

Visit us later this week for the next spooky myth.  If you have other myths that you’d like to add, include them in a comment below.