Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘ NRF ’

What a couple of weeks for Senator Durbin and merchants! The Durbin amendment (capping debit card interchange or “swipe fees”) is back in the spotlight once again.

On July 31st, Judge Richard Leon of the U.S. District Court for the District of Columbia found in favor of a coalition of merchant groups including NACS and the NRF, striking down the Fed’s 21 cent + 5 basis point cap on debit interchange. The ruling states that the Fed (tasked with implementing the law’s provisions) did not adhere to the law’s requirement to cap debit interchange rates to strictly “ACS” (authorization, clearance and settlement) charges, nor did the Fed properly implement the provisions for multi-network routing. The judge immediately issued a stay of his decision to allow lawmakers to revisit the topic without reverting to the much higher pre-Durbin rates.

Just before the ruling, Senator Dick Durbin and Congressman Peter Welch wrote a letter to the Fed urging them to revisit their June 2011 ruling that set the 21 cent cap, and instead adopt the .2% cap recommended in an extensive multi-year study released by the EU Commission two weeks ago. The letter states that the .2% rate with an average debit ticket of $38.03 aligns much more closely with the original recommendations of $.07 cents.

The original Fed decision reduced debit interchange by half for most merchants, but this cap would bring that down another 60% to 75% or more depending on the sale amount.

There is no doubt that interchange fees are established by banks and networks that wield a tremendous amount of power. We are certainly far from perfect competition in this market, but as with my other posts on this topic I worry about a unilateral decision process and draconian cuts imposed. What unintended consequences will emerge this time? With the first caps we quickly saw that rates for small ticket merchants spiked drastically. We also saw some debit card benefits disappear, though certainly not to the extent the banks threatened.

The other item to keep an eye on is the second recommendation in the EU Commission report, echoed in the Durbin letter, which would cap credit card interchange at .3%. Using standard retail interchange of 1.65% + $.10 and an average ticket of $50, issuers would see their revenue cut from $0.925 to $0.15, or a reduction of 84%. If that happens, you can say goodbye to your card rewards, and certainly credit issuance will tighten if issuers lose 84% of their transaction revenue.

While interchange fees may be inflated, they have evolved over the past 30+ years to accommodate all sorts of markets and provide easy access to credit for consumers. That access to credit allows more people to spend more money with retailers. I agree that regulation is needed, but all participants in the market should be careful about going too far.

The BIG Show, NRF in New York, is just a few days away and looking at the sessions, I see there will be plenty of talk about the “omni-channel” shopper and “tokenization” as a data security strategy. Retailers who are looking to enhance the security of their payment data while it moves through various card-present and card-not-present environments should know that not all tokens are created equal.

An effective token should address the following needs:

  • It should be usable in all systems where a Primary Account Number (PAN) is used today as an identifier. It should be seamless and not require rewriting of those systems.
  • It should protect the PAN and not be an encrypted form of the PAN.
  • It should be unique per card number to allow for analytics and reporting. This type of token is known as a card-based or “multi-use” token.
  • It should transcend any single sales channel, but be unique across a single enterprise. This provides additional protection in that the use of the token is limited to that enterprise, further reducing its potential value to thieves.
  • When needed, it should be possible to retrieve the original PAN from a token under highly controlled and defined scenarios.

Recent studies reveal that the majority of consumers shop cross-channel, within the same buying cycle. They may see something in a window, research it online, stop at the store to look at it, and finally buy it online. In order to best serve that customer, today’s merchants need systems and tools that provide the consumer with the same experience and options across all of its sales channels. Many tokenization systems today are unique to a particular sales channel. This can be because they are processor-based, or developed internally by a group responsible for only a single channel. Quite often merchants utilize different processors for their e-commerce and their brick and mortar transactions. Ideally though, your tokenization system accommodates ALL channels and scenarios.
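The five token properties listed above, together with the cross-channel requirement, can be seen in one place in the following added example. It is not Merchant Link's code or any vendor's implementation; the class name, the role names, the choice to keep the last four digits, and the in-memory store standing in for encrypted vault storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """In-memory stand-in for a hosted token vault (hypothetical, for illustration)."""

    def __init__(self, detokenize_roles=("chargeback", "settlement")):
        self._index_key = secrets.token_bytes(32)   # keys the PAN lookup index
        self._by_card = {}    # (enterprise, HMAC(PAN)) -> token
        self._by_token = {}   # (enterprise, token) -> PAN; encrypted at rest in a real vault
        self._roles = set(detokenize_roles)         # hypothetical role names
        self.audit = []       # every detokenize attempt, allowed or refused

    def _card_id(self, pan):
        # The index is looked up by a keyed hash, never by the clear PAN.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, enterprise, pan, channel):
        """Return the card's token; `channel` is accepted but never affects it."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a PAN")
        key = (enterprise, self._card_id(pan))
        if key in self._by_card:                    # multi-use: same card, same token
            return self._by_card[key]
        while True:
            # Random digits, not derived from the PAN: same length, last four kept
            # (an assumption) so PAN-shaped fields and receipts keep working.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and (enterprise, token) not in self._by_token:
                break
        self._by_card[key] = token
        self._by_token[(enterprise, token)] = pan
        return token

    def detokenize(self, enterprise, token, role):
        """Return the PAN only for an approved role within the owning enterprise."""
        allowed = role in self._roles and (enterprise, token) in self._by_token
        self.audit.append((enterprise, token, role, allowed))
        if not allowed:
            raise PermissionError("detokenization refused")
        return self._by_token[(enterprise, token)]
```

Because the token is random rather than an encryption of the PAN, nothing outside the vault can reverse it, and a token lifted from one enterprise's systems resolves to nothing in another's.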

Stop by our booth at NRF and ask our tokenization experts how our multi-use tokens can help your organization secure payment data, reduce PCI scope, track customer behavior and ensure a consistent experience across channels.

Flexible solution supports rapidly growing pet supply retailer

Merchant Link is proud to announce that Petsense recently installed its gateway and tokenization solution across all of their locations. The solution meets the needs of this rapidly growing pet supply retailer in terms of compliance, security and scalability.


Across more than 70 retail stores nationwide, Petsense implemented Merchant Link’s processor-neutral payment gateway that ensures transactions are routed to their appropriate destination quickly and accurately. Petsense also implemented TransactionVault™, Merchant Link’s tokenization solution that removes credit card data from merchants’ systems and stores it in a secure hosted “vault” – away from the business and safe from hackers. Together these security solutions help merchants meet and exceed Payment Card Industry Data Security Standard (PCI DSS) requirements by ensuring sensitive cardholder data never resides in the merchant environment.

“Tokenization is an effective way for retailers to simplify their compliance efforts while avoiding becoming the next victim of a data breach,” said Laura Kirby-Meck, EVP of Sales & Marketing at Merchant Link. “In the event hackers access a merchant’s system, they would obtain meaningless tokens.”

Implementation was completed in just six weeks and with interface customization collaboratively provided by Quaterion Solutions LLC, one of the largest independent consulting companies specializing in store systems products licensed by JDA Software Group®.

Merchant Link will be exhibiting at booth #C200 at the National Retail Federation (NRF) 102nd Annual Convention and EXPO January 13-15, 2013 in New York City.

Fresh off the road from a busy Spring schedule of conferences and events such as the recent RIS Retail Technology Conference and MICROS Retail Conference, I reflected on some of the latest trends in retail I picked up on in various sessions, conversations and reports.

Customers are King; Mobile Use and Commerce Increasing

Mobile has placed even more power into the hands of today’s consumer, with the ability to check competitors’ prices while in store (a phenomenon known as “showrooming”), and so retailers are being forced to adopt new pricing and promotional tactics. Marketing investments are focused on mining more data and using it to provide more customized promotions to increase engagement and loyalty. To keep up with today’s tech-savvy consumers, retailers are also increasingly adopting mobile point-of-sale solutions. We’re seeing some POS providers leveraging the tablet form factor, integrating barcode scanners and mag stripe readers into handheld devices that double as a tool to offer on-demand product information to shoppers wherever they are in the store.

Profits Are Up; Retailers Reinvesting Again

According to the NRF Foundation’s recently released Retail Horizons: Benchmarks for 2011, Forecasts for 2012, retailers have returned to profitability after the economic downturn. The survey revealed that marketing and advertising spend is up, as well as investment in IT upgrades, e-commerce and leadership development.

P2PE Emerging as Key Data Security Strategy

Point-to-point encryption (P2PE) is gaining greater momentum as one of the most effective ways for retailers to secure on- and offline and mobile payments, with the added benefit of reducing PCI scope. Unfortunately, hackers continue to target retailers, with their favorite method being to target data “in transit,” as it moves through and from the merchant environment. Attackers in 2011 were more successful at harvesting data in transit than any other method, according to Trustwave’s 2012 Global Security Report. Meanwhile, the PCI Council just released updated point-to-point encryption requirements as well as a fact sheet outlining how merchants can securely accept payments using mobile devices with actionable recommendations on partnering with a P2PE solution provider to securely accept payments and meet PCI DSS compliance obligations.

So those are a few of the key trends I’ve observed.

What are you seeing and experiencing? Share your comments and thoughts below.

The big day is just around the corner.  With only days left, how can you show your significant other how much you care?

According to the New Online Spending Index conducted by Javelin Strategy & Research, 19 percent of shoppers will spend more money on gifts.

The National Retail Federation (NRF) conducts an annual Valentine’s Day Consumer Intentions and Actions survey and this year found that the average person will spend more than they have over the past 10 years, reaching a spending total of $17.6 billion.

Shopping surges happen throughout the year and it often makes us wonder if merchants are prepared to secure all that consumer payment data.  Both of these recent surveys indicate that safe and secure shopping is critical for both online and traditional brick and mortar merchants.  Flowers and chocolates are always favorite gifts around this time of year, but according to Javelin, 60 percent of those surveyed plan on purchasing something else.

Jewelry merchants should be especially vigilant. Last year, the day after Valentine’s Day, several jewelry stores were under attack from hackers.  Day’s Jewelers, with five stores across Maine and New Hampshire, suffered a breach from outside hackers and nearly 1,000 customers who purchased items from Day’s reported fraudulent activity on their cards.

So don’t let the big day break any hearts or wallets. Retailers must protect the trust of their customers and can do so by following a few simple tips that we often talk about on this blog:

  • It’s all in the heart — of the network that is. Every retailer should understand where cardholder data is stored on the network. Are there proper security controls in place to protect this data? Ensure data is properly protected according to PCI standards.
  • Focus on the relationship. It’s not just technology, it’s people and processes, and how they all connect and work together. Merchants must educate and train staff to understand network security policies and procedures.
  • Know when it’s time to move on. As in every relationship, there are times when you need to take stock of things and let go. The same holds true for information stored on the network. Merchants tend to hold on to data when in reality, this information can be easily removed from the system, which in turn minimizes the cardholder data environment and security risk.

We hope that merchants take these tips to heart to maintain strong relationships and the loyalty of their customers.

By Michael Ryan

As the world’s largest retail trade association, National Retail Federation (NRF) is not afraid to hunt big game. In late November, NRF and other industry leaders took a stand and sued the Federal Reserve Board over their alleged failure to comply with the Durbin amendment requirements. Specifically, the suit alleges that the Fed did not act in accordance with the law, setting debit card interchange higher than the “reasonable and proportional” mandate in the amendment and not providing sufficient network flexibility for merchants.

I’m not a lawyer, judge or jury, so I won’t attempt to debate whether or not they complied with the law. In fact, I support the NRF’s attempts to lower processing fees in general but as I have mentioned before the execution has led to all sorts of unintended consequences. Price fixing will always produce unintended results and even negatively affect some segments of the population it intends to help.

Case in point: Convenience stores, vending machine businesses and other merchants with a small average ticket.  The intent of the Durbin amendment was to lower rates for all but in the end it actually raised rates for these groups. USA Technologies, a provider of card solutions for the vending industry, was affected and it was announced a few weeks ago that they struck a deal with Visa to normalize their rates post-Durbin.  While not every merchant has the size and power to secure a deal like this one on their own, I applaud their efforts to use negotiation instead of litigation.

And this is nothing new.  For over 30 years, the card associations have worked with large merchants and industry groups to negotiate and adjust interchange rates to meet the market’s needs. We’ve seen this in the grocery, convenience and small ticket markets, each of which managed to persuade the associations to create industry-specific interchange categories and lower their rates. While those efforts may not have reduced the issuers’ margins to zero, they have been effective. Yet, the government mandate negates all previous negotiation by applying a one-size-fits-all method, wiping away any past progress made by small ticket merchants and other groups.

That brings us to network exclusivity, the second major allegation in the suit. This is where the law can help level the playing field by introducing real competition. The associations wield a lot of power when it comes to signature debit. Had the Fed required multiple PIN and signature network affiliations on each card, as was discussed early in the negotiations, merchants might have really gained some negotiating power. That almost certainly would allow them to effect price adjustments more naturally through competition rather than price fixing.

Who knows what will come out of the lawsuit but let’s hope it gets us closer to natural market competition than the first attempt has.

By Beth McGarrity

There is a new bill in the U.S. Senate that is aimed at protecting a citizen’s privacy and information when a security breach occurs. In the last few weeks, the Personal Data Protection and Breach Accountability Act of 2011 was introduced, with sponsors of the bill saying that many of the recent security breaches have been preventable.

But the National Retail Federation has another view.  David French of NRF said that the bill is far too broad and instead of achieving protection of consumer information, the bill would have a negative impact, resulting in “notice fatigue.”

Now, this is interesting, because NRF is an avid supporter of notification when identity theft occurs, yet feels that standards must be met before a notification is sent out. If consumers are receiving notices for every incident, regardless of severity, they will eventually begin to ignore the notification and potentially not take the appropriate steps when the risk level is high.

We are all for notification to consumers when there is a risk involved and agree that notification fatigue could be an issue.  But the real issue that we believe needs to be addressed is how the sensitive information is being stored on a merchant’s system.

Ultimately, this becomes a security issue, and storing personally identifiable information about consumers on a network that doesn’t have the proper security controls is a major risk. If you are going to take the risk, you must take an aggressive approach to security and you must test and monitor your approach regularly.

An incident may still occur, but you are less likely to have to notify your customers of a security incident if you are thinking about security as an integrated process within your business.
