GS Logo
The Green Sheet, Inc

Please Login

Banner Ad
Skyscraper Ad

Tuesday, May 3, 2016

PCI road map to bypass SSL

T he PCI Security Standards Council (PCI SSC) released an updated security standard on April 28, 2016, designed to protect merchants and consumers from increasing attacks against payments infrastructures. Merchants will have six months to comply with new guidelines, which may require up to two years to fully implement, security analysts have said.

The Payment Card Industry (PCI) Data Security Standard (DSS) Version 3.2, which becomes effective Oct. 31, 2016, was based on council member feedback and data breach trend analysis. The new standard has performed well in preliminary testing. "PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective," said PCI SSC Chief Technology Officer Troy Leach.

Platform changes, enhancements

PCI DSS 3.2 mandates multifactor authentication for anyone with access to payment card data. This requirement previously applied only to remote access from unknown or untrusted networks.

Primary changes include "new requirements for administrators and services providers and the cardholder data environments they are responsible to protect," PCI SSC General Manager Stephen Orfei stated. "PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint."

Additional changes in PCI DSS 3.2 include:

Multifactor road map

Security analysts have raised concerns about complexities related to migrating from customary, embedded platforms to more secure authentication methods. Michael Petitti, Senior Vice President of Global Alliances at Trustwave, suggested full implementation could take up to two years. This is largely due to the need to migrate from SSL and early Transport Layer Security (TLS), which were widely used and undisputed until inherent vulnerabilities were exposed, he said.

"The PCI SSC is mindful of the substantial scale of changes that are taking place, especially with regard to new technologies such as the use of chip cards in the U.S. and other technologies that are part of the transaction supply chain, such as mobile," Petitti said. "By communicating the new standard well in advance of migration deadlines, the PCI SSC is providing a window to enable all the transaction stakeholders, acquirers, ISOs, PSPs and merchants, to best determine how to prioritize their future security investments."

Requiring two-factor authentication for administrators within the cardholder data environment is a significant change to the standard and "a nod to internal threats," Petitti added. "As merchants migrate to PCI DSS version 3.2, they should consult with their acquirer/ISO and their PCI DSS security provider to ensure that the migration does not create any security risks, which is unlikely if handled properly," he said.

People, process, policy

Steven Grossman, Vice President of Program Management at Bay Dynamics, a cybersecurity firm, sees potential gridlock ahead on the PCI compliance road map. "For large organizations that have legacy systems combined with legacy companies, adhering is a huge effort, because there are so many moving parts," he said. "What frequently happens is the effort to become compliant becomes the driving force, taking precedence over protecting data."

If companies spent more time and energy protecting data, compliance would take care of itself, Grossman stated. "Compliance is simply a set of guidelines and not a guarantee against data breaches; Target, despite being compliant was quite exposed," he said. "We see a lot in our travels around PCI reporting and PCI audits but that's backward, equivalent to a CFO deciding to pay suppliers once a quarter."

Grossman and other analysts view the new standard as a logical outgrowth of existing best practices. They emphasize that many companies already have multifactor authentication, encryption, penetration testing and reporting in place. PCI DSS version 3.2 takes things a bit further, and large conglomerates, in particular, may require more than six months to update their infrastructures.

"Large companies typically perform tens of thousands of scans across their entire organizations," Grossman said. "Automated tracking of vulnerabilities in a live mode every day should be integral to any company's security policy, particularly when studies show a high percentage of vulnerabilities have been known [to their victims] for more than a year," he said. "Continued compliance is a more effective approach to security than a quarterly or annual fire drill."

For a copy of PCI DSS version 3.2, including a summary of the changes it includes, please visit www.pcisecuritystandards.org/document_library.


World banks play digital catch-up
Friday, April 29, 2016

A joint study on global banking trends by the consultancies Capgemini and Efma found financial institutions are adopting digital technologies to attract, retain and upsell bank customers. The World Banking Report, published in April 2016, is based on surveys of 16,000 customers in 32 countries.

Nearly two-thirds of the world's consumers are using fintech solutions in lieu of banks, posing the threat of bank disintermediation and making it imperative for banks to communicate with customers in mobile and online channels, the report stated.

"Consumers have become accustomed to using mobile technology to transfer funds in and out of their accounts," said Michael Leyva, Vice President, Global Banking Practice at Capgemini. "They'd still be able to do these things without digital; what's more interesting are just-in-time value-added offers, such as triple points or short-term loans based on segmented, collected data."

Leyva has seen banks try to reinvent themselves to compete in multiple channels and expects increasing collaboration among banks and fintech firms to enhance product offerings, particularly those related to peer-to-peer lending, fraud protection and digital currency solutions. "Banks are buying pieces of fintech to create unique product sets," he sid. "But I think the word 'fintech,' like other buzzwords before it, has been overused and may soon be obsolete. When was the last time you heard anyone say 'object oriented'?

Collaborate, incubate, acquire

The report cited three approaches to digitizing banking services: collaborating with fintech firms, creating homegrown systems through innovation labs, and acquiring fintech firms. These strategies can help banks reduce the risk of being marginalized in the increasingly mobile, digital world, report authors stated. The authors noted the following findings support such methods:

Step-wise approach to innovation

Transforming a closed legacy infrastructure into an open digital banking ecosystem will require patience, perseverance and a measured approach, the report stated. "[Banks] will first have to identify their focus areas," the authors wrote. "The next step would involve making strategic decisions around planning and execution." These recommended approaches would help banks collaborate with fintech firms to create an open application programming interface (API) system designed to leverage new technologies, products and services.

An infographic in the report highlights the phased road map from static banking infrastructures to open source, collaborative marketplaces:

A long way to profitable

Like many fintech firms before them, banks may face a steep uphill climb toward more profitable customer relationships. The report provides numerous snapshots of leading banks around the world, contrasting consumer adoption by region and age group, and identifying Gen Y consumers as largely indifferent to bank efforts to drive digital engagement.

"Rising levels of trust in fintech firms may threaten what bank executives see as their greatest strength," the authors wrote. "Nearly three-quarters (70.3 percent) view customer trust as the most potent advantage banks have over fintech firms, followed by established customer relationships (65.3 percent) and robust risk management (65.3 percent)."

Positive consumer experiences may improve customer retention and referrals, but the report found only marginal improvements in profitability, concluding, "Despite the overall rise in CEI [customer experience improvement], profitable customer behavior improved only marginally, and was especially low in terms of additional purchases, pointing to the need for banks to continue to improve the customer experience, especially through more innovative product development."


Visa unlocks innovation
Tuesday, April 26, 2016

V isa Inc. recently introduced two initiatives designed to advance the payments industry by improving transaction times and accelerating innovation. The Visa Developer platform, released Feb. 4, 2016, opened the company’s technology suite to software developers worldwide. Quick Chip for EMV (Europay, MasterCard and Visa), launched April 19, 2016, enables chip card transactions to be completed in two seconds or less.

“Visa is advancing a streamlined approach to chip transactions to make them faster and more efficient, while still providing a safe and secure experience,” said Mark Nelsen, Senior Vice President of Risk Products and Business Intelligence at Visa. “Quick Chip for EMV helps make the checkout experience comparable to the ease and speed of magnetic stripe transactions.”

Quick Chip, as its name implies, is all about speed, not only in checkout lanes but in the U.S. transition to secure EMV chip card technology, according to Visa representatives. More than 265 million Visa credit and debit chip cards have been issued to cardholders, making the United States the world’s largest chip card market. The company further noted that approximately 1 million merchants, representing 20 percent of all merchant locations, are EMV compliant.

Faster EMV checkout, adoption

Visa revealed the Quick Chip for EMV program at the Electronic Transactions Association’s Transact 16 conference in April, noting the enhancement is free to acquirers and can be implemented with a simple software update. Additional program benefits Visa pointed out include:

Visa sandbox, developer goldmine

The Visa Developer platform marked the first time in 60 years that app developers could use Visa’s software libraries, application programming interfaces (APIs) and technology suite to build their own solutions, leveraging such popular technologies as person-to-person payments, Visa Checkout, currency conversion and consumer transaction alerts. The sandbox environment improves transparency and accelerates innovation, the company stated.

“We are unbundling Visa’s full suite of products and services and giving developers open access to the underlying payment capabilities,” said Rajat Taneja, Visa’s Executive Vice President of Technology. “We believe this will lead to the creation of entirely new commerce experiences with Visa technology integrated to enable greater security, scale and convenience when it comes time to pay.”

Visa noted the following resources are available to participating app developers:

Positive pilot feedback

Feedback from pilot partners including Capital One Corp., TD Bank, Total System Services Inc., U.S. Bank, Scotiabank, and National Australia Bank has been positive.

“Their exciting new APIs allow us to deliver next-generation products and services that our issuing, acquiring and merchant clients can use to grow their businesses,” said Craig Ludwig, Head of Product for TSYS’ Merchant Services segment. “By implementing Visa’s new technology, we will be at the forefront of payment product innovation.”

Antony Cahill, NAB Group Executive, Product & Markets, added, “Australians are among the world’s fastest adopters of new technologies and our partnership with Visa enables NAB to act more quickly to deliver market-leading innovations and great experiences for our customers.”

More collaboration planned

Visa envisions its global developer platform will create a marketplace where financial institutions, merchants and technology companies can share innovative approaches to digital commerce applications and services. The net result will make payments secure, simple and seamless for consumers and business owners, the company stated.

A research study published April 25, 2016, by Mercator Advisory Group and titled The Visa Developer Platform: Opening the Gates to Innovation, defines Visa’s approach as a payments industry game changer that may lead to similar initiatives. “Visa turned the model upside down,” noted report author Tim Sloane, Vice President, Payments Innovation at Mercator. “Instead of developers trying to prove themselves and get permission to program on Visa’s network, they can collaborate with Visa developers to identify and execute their best ideas.”

Sloane also pointed out that Visa has implemented tokenization technology in different ways in different regions, which has enabled the company to build shareholder growth while increasing market share across the payments industry value chain. “They’re moving into areas that they were never in before and providing many services for free, at least for today,” he said.


Transact 16: A defining moment for post-disrupted payments
Friday, April 22, 2016

T housands of payments and fintech professionals gathered in Las Vegas for Transact 16, held April 19 to 21, 2016, at the Mandalay Bay Resort and Casino's Convention Center. The annual conference, hosted by the Electronic Transactions Association, drew a record crowd of approximately 200 exhibitors and 1,000 companies from 30 countries, according to ETA sources.

The event included a mobile app and a varied menu of exhibits, presentations and keynote addresses designed to appeal to a diverse international audience. Some of the conference highlights included:

Evolving ecosystem trends

Payments analysts, exhibitors and attendees spotted common threads in exhibit hall booths and breakout sessions that may reveal shifting perspectives on the changing payments ecosystem. Some speculate that the industry has entered into a new era following a turbulent decade of disruption. Several of the most established brands have notably regrouped, even rebranded, to meet the challenges of consumer-driven marketplace models, they stated.

Following are several ways in which emerging trends are reshaping the payments ecosystem:

Innovation playbook

"Disruptive innovation may feel like it has just burst upon the scene, but in reality many of these changes have developed slowly over time, as disruptors learn the space," said Mike Gardner, CEO at Agreement Express Inc. "Look at the math behind Square: the margins aren't great; losses are huge, but even if Square fails, they've rewritten the formula, profoundly changing merchant acquiring, rate structures, onboarding and underwriting models."

Gardner has observed similar trends in the wealth management industry. Three years ago robo advisors began to replace traditional wealth management advisors, creating a self-service investment space. It didn't take long for large incumbent firms, such as Vanguard and Charles Schwab, to make huge investments to compete and ultimately win back customers, he noted.

"If brands don't recognize and replicate the disruptor models, then extinction will be on their horizon," Gardner said. "Companies must progressively think their way through what is possible and if that renaissance isn't happening, we won't see those big logos in the exhibit hall next year."


Small Business Finance Association lays out guidelines
Wednesday, April 20, 2016

I n mid-April the Small Business Finance Association released a set of best practices for the alternative finance industry. The new guidelines provide essential steps in four key areas industry members should adopt to best serve small business customers.

Stephen Denis, former Deputy Staff Director of the House Committee on Small Business, was hired by the SBFA in December 2015. As Executive Director, he will oversee the creation of a unified voice to advocate for this vital small business lending source. In addition to developing best practices, Denis, who has 12 years' policy experience, is also advocating on behalf of the SBFA's alternative finance technology company members.

During his tenure with government, Denis witnessed first hand how the collapse of traditional lending sources can impact small businesses. "We were here every day with small business constituents from around the country, and the number one issue that was always brought up to us was the lack of capital out there for small businesses," Denis said. "It's really tough for a small business to go and get a smaller dollar loan."

He noted that traditional bank loans are down approximately 20 percent since 2008, and that because many traditional lenders have abandoned small business loans, alternative finance providers have emerged to fill the gap.

First order of business

To encourage small businesses to obtain financing from reputable companies, the SBFA best practices are posted online in a document titled Small Business Finance Principles. Following is a summary of the four guiding principles.

  1. Transparency: Alternative finance providers must disclose the fees and dollar amounts associated with all aspects of loan funding and loan transactions in clearly stated documentation that is signed by small businesses.
  2. Responsibility: Alternative finance providers must fully asses the affordability of the product being offered during the underwriting process; deal with account defaults fairly; and adhere to terms of the agreement and any applicable local, state and federal laws.
  3. Fairness: Alternative finance providers must be truthful and fair in dealing with small businesses in terms of marketing and sales practices, client treatment and complaint processing, as well as offer the ability to cancel the transaction and return all funds without penalty for a limited time after funding (three to five days).
  4. Security: Alternative finance providers must adhere to rigorous privacy standards regarding sharing of data under applicable laws and implement robust underwriting procedures to verify the identity and ownership of the entity receiving financing.

Lobbying for small businesses

As an advocate for small business access to finance products, Denis recently testified at the state level pertaining to a bill that would have introduced additional compliance requirements.

"It was a pretty complex bill, 14 or 15 pages of regulations for the industry, creating licensing and various legal components the industry would have to comply with and make it really difficult for our companies to operate in the state of Illinois, " Denis said. "We think there are some things in the bill that were positive."

At this point, reaching out to policymakers to ensure over-regulation does not erode the alternative finance market, as happened with banks and credit unions, will be an ongoing challenge for the SBFA. Denis expressed concern that some policymakers are looking to regulate small business loans similarly to consumer loans, which are structured differently, so more education will be needed.

"SBFA understands that small businesses take big risks to succeed," said David Goldin, SBFA President and Chief Executive Officer of Capify. "We want to be a resource in their success by providing transparent capital solutions that they can trust."


View prior breaking news

Spotlight Innovators:

North American Bancard | Harbortouch | UMS | USAePay | Super G Funding LLC