Updated: Friday, December 26, 2014
New Year's Eve countdown to PCI DSS 3.0
When the ball drops at 12 a.m. on Jan. 1, 2015, it will mark the beginning of a new year, as well as the deadline for implementation of a new set of security standards. The PCI Security Standards Council released Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 in January 2014, and gave merchants and payment services providers one year to review and upgrade their PCI DSS 2.0-compliant systems.
The security community embraced the new standards, noting the enhanced protections for e-commerce, widely considered to be a leading point-of-entry for cyber attacks. Many security analysts emphasize that security best practice requires constant vigilance that extends far beyond required scans, penetration tests and self assessment questionnaires.
Sustainable best practices are business-as-usual
Suraj Srinivas, Director of Security Consulting at ANX, a Michigan-based data security organization, sees the spirit of constant vigilance reflected in the business as usual (BAU) concept introduced in PCI DSS version 3.0.
"ANX Qualified Security Assessors (QSAs) were early adopters of this concept, having seen its success in other audit programs," Srinivas said. "The key to success for any compliance program is its sustainability. Sustainability is achieved by having a methodical process for ensuring that all the necessary preparatory steps are performed during the course of the year, easing the burden of the annual PCI assessment."
He added that a common piece of advice that ANX offers clients is to "measure twice and cut once," which is aligned with the company's overall approach. ANX supports customers' BAU initiatives with a blended approach that leverages a software-as-a-service compliance tool with the hands-on expertise of the company's QSAs. He believes the company's focus on sustainable best practices keeps compliance in the forefront as a systematic, year-round process for its customers.
Protecting the transaction life cycle
Frank Stornello, Chief Marketing and Strategy Officer for Verifi, noted that the impact of omni-channel trends on payment technology has made full life cycle transaction protection critical for best-in-class online commerce. For retailers, protecting omni-channel payments from start to finish while ensuring a seamless shopping experience requires a careful blend of pre- and post-sale security and fraud prevention.
"The landscape of payments is quickly evolving and new payment options and technologies are emerging rapidly – giving consumers many choices for payment: mobile, online, cash, credit, loyalty points and digital currencies to name a few," Stornello said. "Unfortunately, security lapses change shopper behavior. Studies show a direct correlation between a data breach and consumer confidence - threatening the merchant's ability to remain in business."
E-commerce: not one-size-fits-all
PCI DSS 3.0 guidelines categorize e-commerce merchants by matching self-assessment questionnaires (SAQs), scans and testing levels to each group's degree of exposure to cardholder data. Many security analysts believe e-commerce merchants who implement PCI 3.0 security controls will significantly mitigate the risk of cyber attacks.
Following are three distinct forms of e-commerce and their respective SAQs:
- SAQ A merchants, as defined by the PCI SSC, are card-not-present merchants that do not store cardholder data in electronic format and do not process or transmit any cardholder data on their systems or premises. These companies outsource credit card processing to third-party service providers, and do not need to conduct penetration testing or scans. A 14-question SAQ A and an Attestation of Compliance are their only requirements.
- SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises.
- SAQ D, which comprises 335 questions, is the most rigorous PCI DSS 3.0 SAQ due to the increased risk of fraud by merchants and payment service providers in this category. These types of processing environments include e-commerce merchants who accept cardholder data on their websites and merchants who store electronic data.
Merchants remain first line of defense
Verifi's Stornello noted that as payments become more complex, merchants will increasingly be called upon to shoulder the "full burden of true as well as friendly fraud" as consumers increasingly rely on them to protect the integrity of their payment transactions.
"Merchants are facing confusing statements, changing compliance requirements, determined hackers, and no shortage of processing fees, multiple discount rates, and chargebacks," Stornello added. "Consumers expect merchants to protect their payments at all phases of the transaction lifecycle - even identity theft - which occurs before the payment card even enters the payment stream."
Congress of two minds about legal pot
Tuesday, December 23, 2014
The U.S. Department of Justice has been ordered to stop making trouble for individuals and businesses that take advantage of state medical marijuana laws. However, the demand, attached to the $1.1 trillion federal budget bill that was signed into law Dec. 16, 2014, is not a total condemnation of the federal government's efforts to stamp out marijuana legalization initiatives.
"It merely restricts the use of funds in a one-year budget bill," noted a web post by the National Law Review. "The bill does not exempt marijuana from its status as an illegal Schedule I drug under the federal Controlled Substances Act."
In fact, the very same bill includes a provision that blocks Washington, D.C., from implementing a local referendum legalizing possession of marijuana there. Washington, a city of almost 700,000, is a "federal district" under the exclusive jurisdiction of Congress, which can veto any local laws.
A budgetary maneuver
Typically, when the voters of the "district" approve controversial laws, opponents will attempt to invalidate those measures with budgetary maneuvers. Tucked into the 701-page budget bill signed into law last week was a provision stating: "None of the Federal funds contained in this Act may be used to enact or carry out any law, rule, or regulation to legalize or otherwise reduce penalties associated with the possession, use, or distribution of any Schedule I substance under the Controlled Substances Act."
The budget bill is an omnibus package of legislation that appropriates funds for federal agencies and programs through Sept. 30, 2015. It was a must-pass bill, because without operating funds the government would have had to shut down. Often lawmakers will use a must-pass bill such as a budget measure to advance initiatives that might lack support to pass on their own. Appropriately enough, these omnibus legislative initiatives are known as "Christmas trees" among Washington insiders.
The budget bill provision addressing medical marijuana applies to funds appropriated to the Department of Justice, and specifically refers to medical marijuana laws in 12 states and Washington, D.C. It instructs that no funds appropriated to the Justice Department "may be used" to prevent those states and Washington "from implementing their own State laws that authorized the use, distribution, possession or cultivation of medical marijuana."
Last year, the Justice Department stated it would back off efforts to challenge state laws legalizing recreational pot use, provided those states establish strong regulatory regimens.
Ingenico spots six payments trends to watch in 2015
Friday, December 19, 2014
At the close of 2014, payments leaders are reflecting on the year's highlights and looking ahead to what many believe will be a defining year for the industry. An unprecedented number of disruptions have occurred over the past twelve months, led by emerging technologies, the expanding role of data analytics, and changes in purchasing behaviors and banking environments.
The digital transformation of payments is perhaps most evident in the changing role of payments industry equipment manufacturers. Top brands have evolved from device-centric models to holistic, end-to-end solutions that are compatible with diverse populations of POS hardware and software.
Thierry Denis, North American President of Ingenico Group, a global enterprise dedicated to seamless payments with U.S. headquarters in Atlanta, expects to see more disruption in 2015, as EMV (short for Europay, MasterCard and Visa) adoption, mobile payments and improved security standards continue to shape the future of merchant services. For this article, Denis discussed six top payments trends Ingenico identified for 2015.
1. Security to remain a key driver in payments
As the last region in the world to adopt EMV, the United States became an easy target for cyber criminals who found it relatively easy to steal cardholder data processed on mag stripe card readers, compared with the more secure method of smart card payment processing. A record number of data security breaches occurred in the North American region in 2014.
Ingenico Group advises all merchant services providers to work closely with retailers to address this. Many companies are revisiting security strategies to improve their protection of card data environments in conformance with guidelines of the PCI Security Standards Council (PCI SSC).
2. Companies to combine P2PE and EMV to optimize security
Also known as end-to-end encryption, P2PE encrypts card data from the entry point of a merchant's POS device to a point of secure decryption outside the merchant's environment, such as a payment processor.
Many Tier 1 and 2 merchants are preparing for the Oct 2015 EMV liability shift with a shortcut approach that links EMV and P2PE planning, an approach that Ingenico calls "semi-integrated." This aims to take the entire merchant environment out of Payment Card Industry (PCI) Data Security Standard (DSS) scope and solve the EMV piece at the same time via a seamless payments system that addresses both PCI and EMV compliance.
3. Security upgrades, outsourcing expected to grow in 2015
Ingenico noted that small to midsize business owners have been slower to implement EMV technology that would help protect their processing systems from malicious attacks. This is puzzling, considering that a majority of data security breaches have taken place at Level 4 merchants, according to data provided by the PCI SSC.
Even the upcoming liability shift has not made a significant impact on EMV adoption in this segment. Ingenico predicts that over half of Tier 3 and 4 merchants will not have implemented EMV payment processing by the October 15, 2015 deadline.
Ingenico believes online fraud and chargebacks will become increasingly complex to manage in the global marketplace, as merchants shift their focus to international markets and mobile commerce continues to drive growth in many developing countries.
Fraud rates in cross-border and mobile commerce generally exceed those of domestic e-commerce. Ingenico expects merchants to increasingly outsource fraud management to online payment or fraud specialists in 2015.
4. In-store mobile payments to drive merchant-consumer engagement
Merchants of all sizes and categories have expressed the desire to partner with their customers in every step of the commerce journey. Many brick-and-mortar retailers have implemented in-store mobile POS solutions with smart posters and kiosks that facilitate consumer purchasing decisions without being overly intrusive. Solutions such as iBeacon help retailers stay connected to their consumer base and better understand and track who's shopping in their stores, Ingenico noted.
In an ongoing effort to support customers' preferred payment methods, many Tier 3 and 4 merchants are upgrading processing systems to support near field communication and Apple Pay. Ingenico sees increasing adoption of Apple Pay by Tier 3 and 4 merchants as evidence that Apple is inspiring technology upgrades in this market where EMV could not.
5. Role of e-commerce to expand
Consumers, increasingly willing to spend online, have been driving the global expansion of e-commerce and adoption of new, more secure methods of online shopping.
According to Ingenico, mobile commerce is driving overall online commerce growth in many international markets. Consumers increasingly expect a seamless buying experience that's integrated across multiple platforms, including mobile devices, automobiles and wearable technology.
Merchants will require a developer-centric approach from vendors with easy access to modern application programming interfaces to be able to sell goods and services in the omni-channel world.
6. Data analytics, trusted relationships to optimize performance
Ingenico also expects advanced data analytics and visualization software to play a central role in identifying and removing bottlenecks in the payment process and improving conversion rates. Many enhanced intelligence solutions enable merchants to benchmark payment performance against peers and discover new market opportunities.
Greg Boardman, Senior Vice President of Product Development at Ingenico Group, sees the next several years as challenging but exciting times for large and small retailers. He has been involved in a number of payments industry initiatives focused on improving adoption of P2PE and EMV, technologies that he considers as critical priorities.
Boardman believes broad implementation of these solutions will require more than just technical savvy; it will increasingly depend on the cooperation of all stakeholders in the value chain, and partnerships that are based on respect and trust. Both retailers and acquirers have benefited from the new collaborative model, and Boardman and his colleagues expect the momentum to continue in the New Year.
"The fundamental but long overdue technology implementations of P2PE and EMV acceptance require a long runway and will dominate most budgets and human resources, [and] unfortunately come at a time when innovation in payments is at a fever pitch," Boardman said. "Choosing the right strategies to benefit from both sides of this equation can be difficult. Satisfying the base requirements while also entertaining the possibilities for new payment schemes and mobility initiatives demands a level of focus and partnership that very few organizations in payments understand."
Charge Anywhere breach puts spotlight on TPSPs
Wednesday, December 17, 2014
Recent news of a security breach at Charge Anywhere has raised concerns about vulnerabilities that may exist in payments industry middleware and third-party service providers (TPSPs).
Charge Anywhere, a New Jersey-based payment gateway, has long been considered an innovator in the mobile payments space, marketing payment solutions and services through ISO and reseller distribution channels since 2002. Now, the company is working with its channel partners to help them mitigate risk, as well as teaming up with security specialists to forensically investigate malware initially discovered on Sept. 22, 2014. The malware has since been removed.
In a written notice posted on the company's website, Charge Anywhere stated its investigation had "revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic. Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.
"While we discovered the malware on September 22, 2014, it required extensive forensic investigative efforts to de-code it and determine its capabilities. During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified. Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009."
The malicious act struck a collective nerve in the vast, interconnected payments ecosystem. Other reports of high-profile data breaches such as those at Bebe Stores Inc., The Home Depot Inc., and Target Corp. made no mention of the processors or middleware service providers behind compromised big-box brands.
However, the Charge Anywhere breach provided news media with a rare behind-the-scenes peek at the payments industry. Charge Anywhere senior management said they appreciate the gestures of support received from industry friends and colleagues and told The Green Sheet the company needs a bit more time before its representatives can make further comments. The ultimate impact the apparent five-year intrusion will have on Charge Anywhere's business is as yet unknown.
PCI provides guidance, not guarantees
Chris Bucolo, ControlScan's Senior Manager of Security Consulting, noted that hackers have become more advanced, sophisticated and innovative at exploiting vulnerabilities in merchant and processor environments, prompting some clients to debate the overall effectiveness of Payment Card Industry (PCI) Data Security Standard (DSS) security.
"Some of our clients claim that PCI security doesn't go far enough because you can pass a couple of tests but still be at risk for a data breach," Bucolo said. He added that PCI is designed to provide guidelines but not guarantees. He recommended that payment professionals and merchants perform due diligence when vetting prospective service providers and make sure they fully understand the potential providers' security practices. He would like to see more clients push for detailed explanations about the ways in which service providers manage security.
"We encourage clients to ask the tough questions," Bucolo said. "When their processor says, 'We're compliant,' clients can ask processors how frequently they test security levels and how they assess the compliance of other third-party service providers in their networks."
Build relationships with trusted TPSPs
ControlScan is a member company of Third-Party Security Assurance Group, a special interest group of The PCI Security Standards Council (PCI SSC) that's focused on security best practices by TPSPs. The committee published a report in August 2014 providing guidance to businesses that use TPSPs to "store, process, or transmit cardholder data on the entity's behalf, or to manage components of the entity's cardholder data environment (CDE), such as routers, firewalls, databases, physical security, and/or servers."
The comprehensive 44-page report covers everything from how to identify an appropriate TPSP to how to perform risk assessments and maintain a satisfactory, ongoing relationship with aligned interests and optimal security practices. The guidelines list five milestones in a business relationship with a third party: setting expectations, gaining transparency, establishing communications, requesting evidence and obtaining information about PCI compliance.
The report gives several reasons that justify the time and effort involved in developing and implementing a strong TPSP monitoring program. Such a program:
- Improves the security of the cardholder data environment
- Sets expectations for businesses and their service providers
- Keeps the lines of communication open with a formal monitoring program
- Shows businesses how to actively participate in protecting their card data environments by taking a proactive—instead of reactive—position
- Can demonstrate compliance with a key section of the PCI DSS if requested by a party performing an assessment
Biff Matthews is President of CardWare International, a full-service provider of hardware, software, supply logistics and call center services in Heath, Ohio. Matthews saw similarities in the PCI SSC guidelines and the federal guidelines that require banks to know their customers. He noted that all financial institutions, ISOs and merchant level salespeople should really know their vendors, including the individuals who download their POS and PIN entry devices.
Matthews advised to ask plenty of questions before establishing a working relationship. "Is that service provider PCI compliant, and a certified ESO [encryption services organization]?" Matthews said. "Don't hesitate to validate their computer system, physical location security and perform employee background checks. Be secure."
Holiday shopping gets ‘pay-by-pay’ analysis
Friday, December 12, 2014
Midway through the holiday shopping season, analysts are crunching the numbers, providing a “pay-by-pay” analysis of consumer spending patterns. The reports give some merchants and payment professionals reason to celebrate, while others may be motivated to revisit their promotional strategies.
Consumer spending grew a modest 5.3 percent year over year, compared with a 7.4 percent increase in 2013, according to First Data’s 2014 SpendTrend Holiday Shopping analysis, a comprehensive report issued December 8, 2014. The study measured in-store transaction data and consumer spending at over 1 million merchant locations.
Consumer debt, confidence growing
First Data Senior Vice President of Information and Analytics Solutions Krish Mantripragada was encouraged by the shift from debit to credit card usage during Cyber Week. He said this trend “may indicate that consumers are feeling more confident about their current financial situation, likely driven by the improvement in the labor market and reduction in gasoline prices.”
An Equifax report issued on December 10 noted a rise in consumer debt in major markets across the United States that industry analysts attribute to a rebounding economy and improved housing market. Among the 25 top metropolitan areas, 17 reported a bump in consumer debt in the third quarter of 2014 compared with the same period of the previous year. Houston had the highest increase in consumer debt, at 6.5 percent, followed by Denver at 4.3 percent and Dallas at 4.1 percent.
The National Retail Federation noted an increase in retail sales of “0.6 percent seasonally adjusted over October and 3.2 percent unadjusted over November 2013,” in its December 11 report. NRF President and Chief Executive Officer Matthew R. Shay, encouraged by moderate but steady growth in consumer incomes and spending patterns, noted that “shoppers are clearly in a better place than last year and the extra spending power could translate into good news for retailers.”
Omni-channel retail bronze, silver and gold
First Data cited building materials, garden equipment, electronics, appliances, furniture and home furnishings as the highest performing retail categories, each achieving greater than 8 percent growth in year-over-year consumer spending. Retail winners shared an aptitude for omni-channel commerce, defined by Lorena Harris, Vantiv Inc.’s Vice President of Corporate Marketing, as “the ability to provide a seamless payments experience across channels.”
Shop.org, the NRF’s digital retail division, explored omni-channel trends in its annual summit held in Seattle in September 2014. One of the key insights from the conference was the cross-pollination between the in-store and online shopping experiences.
Brad Brown, Senior Vice President of Digital Retail at Recreational Equipment Inc., views this trend as a driving force behind his company’s identity and brand. In an interview with NRF blogger Artemis Berry, Brown said that the REI brand offers a consistent experience across all points of a customer’s journey that extends beyond any one particular website or store.
“We believe these cross-channel experiences will only grow,” Brown said, attributing the increase to the growing adoption of mobile platforms that customers can use to get real-time information such as, “Where’s the closest store? Do they have what I need in stock?” and “What is the snow forecast for Tahoe?”
Payment platforms facilitate omni-channel growth
A recent report by Goldman Sachs predicted that half of e-commerce will be conducted on mobile devices by 2018. The investment leader predicted that 535 million consumers will use mobile payment technology in 2014, and 686 million will use some form of mobile payments in 2015, with overall mobile payment revenues climbing above 1 billion by 2018.
Growing adoption of mobile payment technologies has changed the retail experience by adding new levels of complexity to transactions. Consumers can review products online and purchase in-store or research in-store and buy online.
Shoppers can change their payment methods even beyond the point-of-purchase, choosing from a variety of products including cash, credit, loyalty points and digital currencies. Most retailers agree on the need to provide a seamless shopping experience that facilitates all phases of the sale, from initial research, to comparison shopping, to managing post-sale purchases.
Don Kingsborough, Vice President and General Manager of Prepaid at PayPal Inc., noted that the impact of omni-channel trends on payment technology has made open-source software and interoperability an imperative for leading-edge payment platforms. In remarks at an annual summit of the Smart Card Alliance in 2011, Kingsborough said that the new commerce landscape is a changing dynamic in which consumers have emerged from “unknown to known to [finally being] understood.”