PCI road map to retire SSL
The PCI Security Standards Council (PCI SSC) released an updated security standard on April 28, 2016, designed to protect merchants and consumers from increasing attacks against payments infrastructures. Merchants will have six months to comply with the new guidelines, which may require up to two years to fully implement, security analysts have said.
The Payment Card Industry (PCI) Data Security Standard (DSS) Version 3.2, which becomes effective Oct. 31, 2016, was based on council member feedback and data breach trend analysis. The new standard has performed well in preliminary testing. "PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective," said PCI SSC Chief Technology Officer Troy Leach.
Platform changes, enhancements
PCI DSS 3.2 mandates multifactor authentication for all non-console administrative access into the cardholder data environment. Previously, the requirement applied only to remote network access originating from outside the entity's network.
Primary changes include "new requirements for administrators and services providers and the cardholder data environments they are responsible to protect," PCI SSC General Manager Stephen Orfei stated. "PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint."
Additional changes in PCI DSS 3.2 include:
- Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates (migration to be completed by June 30, 2018) as outlined in the Bulletin on Migrating from SSL and Early TLS, a PCI SSC resource guide.
- Expansion of requirement 8.3 to include use of multifactor authentication for administrators accessing the cardholder data environment.
- Additional security validation steps for service providers and others, including "designated entities supplemental validation criteria," which previously were contained in a separate document of that name.
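The SSL and early TLS sunset above is ultimately a question of what version a server actually negotiates, which is what an external scan decides from the ServerHello. The following added example (not code from the PCI SSC or from any vendor named on this page) parses a ServerHello record, including the TLS 1.3 case where the real version is carried in the supported_versions extension rather than the legacy version field, and grades the result against the bulletin's guidance. The grading thresholds and the sample ServerHello bytes are constructed here for illustration and are assumptions of this example.

```python
"""Decode the version a TLS server negotiated from its ServerHello and grade it
against the PCI SSC SSL / early TLS migration guidance.

Added example; the grading rule (SSL and TLS 1.0 fail, TLS 1.1 warns,
TLS 1.2+ passes) is this example's reading of the bulletin, not PCI SSC code.
"""
import struct

HANDSHAKE = 0x16                  # TLS record content type: handshake
SERVER_HELLO = 0x02               # handshake message type: ServerHello
EXT_SUPPORTED_VERSIONS = 0x002B   # TLS 1.3 supported_versions extension

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}


def negotiated_version(record: bytes) -> tuple:
    """Return (major, minor) of the version the server selected.

    Expects a single TLS record carrying a ServerHello (SSLv2-format hellos
    are not handled). For TLS 1.3 the legacy_version field is pinned to 0x0303
    and the selected version lives in supported_versions, so the extension wins.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    legacy = (body[0], body[1])
    pos = 2 + 32                    # skip server_version and random
    sid_len = body[pos]
    pos += 1 + sid_len              # skip session_id
    pos += 2 + 1                    # skip cipher_suite and compression_method
    if pos >= len(body):
        return legacy               # no extensions: pre-1.3 stack
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        if ext_type == EXT_SUPPORTED_VERSIONS and length == 2:
            return (data[0], data[1])
        pos += 4 + length
    return legacy


def grade(version: tuple) -> str:
    """Grade a negotiated version: SSL and TLS 1.0 must be retired, TLS 1.1 is
    tolerated only when securely configured, TLS 1.2 or later is the target."""
    if version <= (3, 1):
        return "FAIL"
    if version == (3, 2):
        return "WARN"
    return "PASS"


def report(record: bytes) -> str:
    """Human-readable verdict for one ServerHello record."""
    version = negotiated_version(record)
    return f"{VERSION_NAMES.get(version, str(version))}: {grade(version)}"


def build_server_hello(legacy: tuple, selected: tuple = None) -> bytes:
    """Construct a minimal ServerHello record for offline testing.
    Sample input built here, not a capture from a real server."""
    body = bytes(legacy) + b"\x11" * 32 + b"\x00"     # version, random, empty session_id
    body += b"\xc0\x2f" + b"\x00"                     # one cipher suite, null compression
    if selected is not None:
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + bytes(selected)
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(legacy) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(report(build_server_hello((3, 1))))                  # TLS 1.0: FAIL
    print(report(build_server_hello((3, 3), selected=(3, 4)))) # TLS 1.3: PASS
```

In practice the record bytes come from the first response after sending a ClientHello to the scanned host; the grading here is about the negotiated protocol only and says nothing about cipher strength, which a real PCI external scan also checks.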
Multifactor road map
Security analysts have raised concerns about the complexities of migrating from entrenched, embedded platforms to more secure authentication methods. Michael Petitti, Senior Vice President of Global Alliances at Trustwave, suggested full implementation could take up to two years. This is largely due to the need to migrate from SSL and early TLS, which were in near-universal use until inherent vulnerabilities were exposed, he said.
"The PCI SSC is mindful of the substantial scale of changes that are taking place, especially with regard to new technologies such as the use of chip cards in the U.S. and other technologies that are part of the transaction supply chain, such as mobile," Petitti said. "By communicating the new standard well in advance of migration deadlines, the PCI SSC is providing a window to enable all the transaction stakeholders, acquirers, ISOs, PSPs and merchants, to best determine how to prioritize their future security investments."
Requiring two-factor authentication for administrators within the cardholder data environment is a significant change to the standard and "a nod to internal threats," Petitti added. "As merchants migrate to PCI DSS version 3.2, they should consult with their acquirer/ISO and their PCI DSS security provider to ensure that the migration does not create any security risks, which is unlikely if handled properly," he said.
People, process, policy
Steven Grossman, Vice President of Program Management at Bay Dynamics, a cybersecurity firm, sees potential gridlock ahead on the PCI compliance road map. "For large organizations that have legacy systems combined with legacy companies, adhering is a huge effort, because there are so many moving parts," he said. "What frequently happens is the effort to become compliant becomes the driving force, taking precedence over protecting data."
If companies spent more time and energy protecting data, compliance would take care of itself, Grossman stated. "Compliance is simply a set of guidelines and not a guarantee against data breaches; Target, despite being compliant was quite exposed," he said. "We see a lot in our travels around PCI reporting and PCI audits but that's backward, equivalent to a CFO deciding to pay suppliers once a quarter."
Grossman and other analysts view the new standard as a logical outgrowth of existing best practices. They emphasize that many companies already have multifactor authentication, encryption, penetration testing and reporting in place. PCI DSS version 3.2 takes things a bit further, and large conglomerates, in particular, may require more than six months to update their infrastructures.
"Large companies typically perform tens of thousands of scans across their entire organizations," Grossman said. "Automated tracking of vulnerabilities in a live mode every day should be integral to any company's security policy, particularly when studies show a high percentage of vulnerabilities have been known [to their victims] for more than a year," he said. "Continued compliance is a more effective approach to security than a quarterly or annual fire drill."
For a copy of PCI DSS version 3.2, including a summary of the changes it includes, please visit www.pcisecuritystandards.org/document_library.
World banks play digital catch-up
Friday, April 29, 2016
A joint study on global banking trends by the consultancies Capgemini and Efma found financial institutions are adopting digital technologies to attract, retain and upsell bank customers. The World Retail Banking Report 2016, published in April 2016, is based on surveys of 16,000 customers in 32 countries.
Nearly two-thirds of the world's consumers are using fintech solutions in lieu of banks, posing the threat of bank disintermediation and making it imperative for banks to communicate with customers in mobile and online channels, the report stated.
"Consumers have become accustomed to using mobile technology to transfer funds in and out of their accounts," said Michael Leyva, Vice President, Global Banking Practice at Capgemini. "They'd still be able to do these things without digital; what's more interesting are just-in-time value-added offers, such as triple points or short-term loans based on segmented, collected data."
Leyva has seen banks try to reinvent themselves to compete in multiple channels and expects increasing collaboration among banks and fintech firms to enhance product offerings, particularly those related to peer-to-peer lending, fraud protection and digital currency solutions. "Banks are buying pieces of fintech to create unique product sets," he said. "But I think the word 'fintech,' like other buzzwords before it, has been overused and may soon be obsolete. When was the last time you heard anyone say 'object oriented'?"
Collaborate, incubate, acquire
The report cited three approaches to digitizing banking services: collaborating with fintech firms, creating homegrown systems through innovation labs, and acquiring fintech firms. These strategies can help banks reduce the risk of being marginalized in the increasingly mobile, digital world, report authors stated. The authors noted the following findings support such methods:
- Partnership: 65.3 percent of banking executives surveyed view fintech firms as partners. The most popular partnership models are collaboration (45.5 percent) and investment (43.6 percent). "Fintech firms excel in their ability to move quickly, innovate, and exploit new technology, while the banks have capital, deep customer bases and expertise in dealing with regulators," the authors wrote.
- Homegrown digital systems: Transforming legacy systems will enable banks to leverage digital assets while maintaining a 360-degree view of their customers by facilitating both financial and nonfinancial transactions. Barclays Bank in the United Kingdom and Wells Fargo & Co. in the United States are testing ideas in innovation labs designed to improve customer relationships.
- Acquisition: Banks are also acquiring technology firms. One notable example is the U.S. unit of Spain's Banco Bilbao Vizcaya Argentaria S.A., which acquired online banking startup Simple in 2014. Since the acquisition, Simple has doubled its customer base, growing at roughly 10 percent per month. Leyva expects these acquisitions to continue, due to high-volume banks' need for very fast database technologies.
Step-wise approach to innovation
Transforming a closed legacy infrastructure into an open digital banking ecosystem will require patience, perseverance and a measured approach, the report stated. "[Banks] will first have to identify their focus areas," the authors wrote. "The next step would involve making strategic decisions around planning and execution." These recommended approaches would help banks collaborate with fintech firms to create an open application programming interface (API) system designed to leverage new technologies, products and services.
An infographic in the report highlights the phased road map from static banking infrastructures to open, collaborative marketplaces:
- Identify: The first step for banks is identifying core areas in need of transformation, where added capabilities can make them more competitive and sustainable.
- Strategize: Once the areas requiring improvement are identified, banks will need to decide on how to add capabilities. They can build, buy, collaborate or make strategic investments to achieve these goals.
- Collaborate: Banks can collaborate with fintech firms in a number of ways, including creating APIs to foster collaboration and innovation and using technologies to create new products and services.
- Transform: When banks transform their legacy systems, they will be able to participate in the global digital banking ecosystem and gain additional competitive advantages. They will become more agile by improving time to market from concept to implementation. They can adopt service-oriented architecture to open their systems through APIs. They can eliminate data duplication and enable real-time analytics.
A long way to profitable
Like many fintech firms before them, banks may face a steep uphill climb toward more profitable customer relationships. The report provides numerous snapshots of leading banks around the world, contrasting consumer adoption by region and age group, and identifying Gen Y consumers as largely indifferent to bank efforts to drive digital engagement.
"Rising levels of trust in fintech firms may threaten what bank executives see as their greatest strength," the authors wrote. "Nearly three-quarters (70.3 percent) view customer trust as the most potent advantage banks have over fintech firms, followed by established customer relationships (65.3 percent) and robust risk management (65.3 percent)."
Positive consumer experiences may improve customer retention and referrals, but the report found only marginal improvements in profitability, concluding, "Despite the overall rise in CEI [Customer Experience Index], profitable customer behavior improved only marginally, and was especially low in terms of additional purchases, pointing to the need for banks to continue to improve the customer experience, especially through more innovative product development."
Visa unlocks innovation
Tuesday, April 26, 2016
Visa Inc. recently introduced two initiatives designed to advance the payments industry by improving transaction times and accelerating innovation. The Visa Developer platform, released Feb. 4, 2016, opened the company’s technology suite to software developers worldwide. Quick Chip for EMV (Europay, MasterCard and Visa), launched April 19, 2016, enables chip card transactions to be completed in two seconds or less.
“Visa is advancing a streamlined approach to chip transactions to make them faster and more efficient, while still providing a safe and secure experience,” said Mark Nelsen, Senior Vice President of Risk Products and Business Intelligence at Visa. “Quick Chip for EMV helps make the checkout experience comparable to the ease and speed of magnetic stripe transactions.”
Quick Chip, as its name implies, is all about speed, not only in checkout lanes but in the U.S. transition to secure EMV chip card technology, according to Visa representatives. More than 265 million Visa credit and debit chip cards have been issued to cardholders, making the United States the world’s largest chip card market. The company further noted that approximately 1 million merchants, representing 20 percent of all merchant locations, are EMV compliant.
Faster EMV checkout, adoption
Visa revealed the Quick Chip for EMV program at the Electronic Transactions Association’s Transact 16 conference in April, noting the enhancement is free to acquirers and can be implemented with a simple software update. Additional program benefits Visa pointed out include:
- Streamlined processing: Quick Chip-enabled terminals allow chip cards to be inserted and removed while items are being rung up, speeding the consumer checkout process.
- Interoperability: Once installed, Quick Chip technology works with all cardholder verification methods, including PIN and signature, and does not require modifications to routing or transaction handling.
- No additional testing: Quick Chip does not require additional Visa or EMVCo testing if a merchant’s checkout system has already been EMV chip certified.
Visa sandbox, developer goldmine
The Visa Developer platform marked the first time in 60 years that app developers could use Visa’s software libraries, application programming interfaces (APIs) and technology suite to build their own solutions, leveraging such popular technologies as person-to-person payments, Visa Checkout, currency conversion and consumer transaction alerts. The sandbox environment improves transparency and accelerates innovation, the company stated.
“We are unbundling Visa’s full suite of products and services and giving developers open access to the underlying payment capabilities,” said Rajat Taneja, Visa’s Executive Vice President of Technology. “We believe this will lead to the creation of entirely new commerce experiences with Visa technology integrated to enable greater security, scale and convenience when it comes time to pay.”
Visa noted the following resources are available to participating app developers:
- Visa developer engagement centers in major markets such as San Francisco, Dubai, Singapore, Miami and São Paulo link application developers with subject matter experts.
- Visa’s developer web portal streamlines search functions within the company’s extensive suite of payment products and services.
- Visa provides access to API libraries and software development kits for popular payment products and capabilities.
- Visa’s testing sandbox facilitates a plug-and-play experience and access to Visa test data.
Positive pilot feedback
Feedback from pilot partners including Capital One Corp., TD Bank, Total System Services Inc., U.S. Bank, Scotiabank, and National Australia Bank has been positive.
“Their exciting new APIs allow us to deliver next-generation products and services that our issuing, acquiring and merchant clients can use to grow their businesses,” said Craig Ludwig, Head of Product for TSYS’ Merchant Services segment. “By implementing Visa’s new technology, we will be at the forefront of payment product innovation.”
Antony Cahill, NAB Group Executive, Product & Markets, added, “Australians are among the world’s fastest adopters of new technologies and our partnership with Visa enables NAB to act more quickly to deliver market-leading innovations and great experiences for our customers.”
More collaboration planned
Visa envisions its global developer platform will create a marketplace where financial institutions, merchants and technology companies can share innovative approaches to digital commerce applications and services. The net result will make payments secure, simple and seamless for consumers and business owners, the company stated.
A research study published April 25, 2016, by Mercator Advisory Group and titled The Visa Developer Platform: Opening the Gates to Innovation, defines Visa’s approach as a payments industry game changer that may lead to similar initiatives. “Visa turned the model upside down,” noted report author Tim Sloane, Vice President, Payments Innovation at Mercator. “Instead of developers trying to prove themselves and get permission to program on Visa’s network, they can collaborate with Visa developers to identify and execute their best ideas.”
Sloane also pointed out that Visa has implemented tokenization technology in different ways in different regions, which has enabled the company to build shareholder growth while increasing market share across the payments industry value chain. “They’re moving into areas that they were never in before and providing many services for free, at least for today,” he said.
Transact 16: A defining moment for post-disrupted payments
Friday, April 22, 2016
Thousands of payments and fintech professionals gathered in Las Vegas for Transact 16, held April 19 to 21, 2016, at the Mandalay Bay Resort and Casino's Convention Center. The annual conference, hosted by the Electronic Transactions Association, drew a record crowd of approximately 200 exhibitors and 1,000 companies from 30 countries, according to ETA sources.
The event included a mobile app and a varied menu of exhibits, presentations and keynote addresses designed to appeal to a diverse international audience. Some of the conference highlights included:
- Educational session tracks: Six educational tracks, titled Going Global, Integrated Payments, Investments and Funding, Mobile Pay, Politics and Policy, and Security Technologies, provided in-depth information on each segment's technologies, competitors and changing customer behaviors.
- ETA University: The ETA presented Intro to Electronic Processing, a foundational course for the association's education and Certified Payments Professional (CPP) program and other program-related curricula. CPPs have the necessary knowledge and skills to perform competently in the complex payments environment, the ETA stated.
- Payment Facilitator Day: The second annual Payment Facilitator Day was designed for existing payment facilitators and companies considering the business model. Participants included software companies, independent software vendors and marketplace technology companies focused on a specific vertical market. "We thought that the PayFac addition was an incredible new addition to the conference," said James Ruffer, Chief Technology Officer at Paay. "We were pleasantly surprised by how many new faces we met and by how ISOs are now much more willing to adopt new technologies."
- The Payments Pitch Off: The Payments Pitch Off, a Shark Tank styled competition sponsored by Intuit Inc., was held in the middle of the exhibit hall. It gave 11 contestants 10 minutes each to wow a judging panel with innovative new electronic payments technology. "We're grateful to Intuit for making this possible," said Jason Oxman, ETA Chief Executive Officer. He noted that the competition gets more important every year due to the accelerating pace of innovation. This year's award went to Forter, a security company that provides frictionless fraud prevention to enterprise-scale retailers.
- Keynote addresses: Keynote speakers included senior executives from Square Inc., First Data Corp., PayPal Inc., Verifone Inc. and Discover Financial Services. "It was obvious by Jacqueline Reses, the head of Square's lending division delivering the keynote on Wednesday, that lending is a huge focus of Square's business," said Sean Murray, publisher and Editor-in-Chief at deBanked, an alternative lending industry trade publication. "Square's value as a loan originator is starting to overshadow its prowess as a payment processor."
Evolving ecosystem trends
Payments analysts, exhibitors and attendees spotted common threads in exhibit hall booths and breakout sessions that may reveal shifting perspectives on the changing payments ecosystem. Some speculate that the industry has entered into a new era following a turbulent decade of disruption. Several of the most established brands have notably regrouped, even rebranded, to meet the challenges of consumer-driven marketplace models, they stated.
Following are several ways in which emerging trends are reshaping the payments ecosystem:
- Identification and personalization: "With all of the changes taking place in the payments industry, there is going to be a return to focus on identification awareness that will allow for safer and more secure payment transactions," said Matt Ozvat, Vice President of Developer Integrations at Vantiv Inc. "Certain industries will be able to utilize identification tracking or recognition with a greater consumer experience. For example, a local restaurant that you frequent might be able to know your food, drink and seating preferences." Payments will continue to trend toward a much more immersive and engaged technological experience, he added.
- Secure, cloud-based, open architecture: In their keynote address, First Data's President Guy Chiarello and Executive Vice President Dan Charron emphasized the need for acquirers to provide simple, powerful, secure and open architecture designed to facilitate "simple setup, inventory and product management, orders, and payments."
- Accelerate EMV certification: U.S. acquirers, merchants and card brands are actively seeking ways to fast track EMV (Europay, MasterCard and Visa) implementation. "Hacks mainly happen in traditional integrated POS environments," said Rhonda Boardman, Vice President of Strategic Development, Acquiring Channel at Ingenico Group. "Ingenico's semi-integrated solution removes PA DSS from the POS scope and helps our partners fast track EMV certification." The solution is part of a "constant roadmap" that Boardman expects will continue to evolve in response to market demand.
- Omnichannel solutions: "Verifone's Carbon platform is a hardware device integrated with countertop and mobile experience," said Hitesh Anand, Vice President of Product, Commerce Enablement and Mobile at Verifone Inc. "It comes with a customizable platform that supports third party apps on Android and enables third party developers to adapt solutions for numerous use cases." Anand went on to say that payment data is completely sandboxed in the semi-integrated solution, preventing malware from getting in. "It's next-generation, multi-purpose POS," he added.
- Pure hardware play: "The transition from fixed to mobile costs is frequently prohibitive," said Simon Stokes, Chief Commercial Officer at Miura Systems, a U.K.-based global device manufacturer. "Small footprint, modular solutions, such as the Miura M010 platform, have multiple configuration options designed to meet changing requirements and create flexible, future-proof POS systems."
- Peripheral-to-terminal products: Many next-generation payment devices can interface with integrated POS architecture or function on their own; many are used interchangeably by merchants who can seamlessly navigate from customer-facing to mobile environments. Many have their own EMV applications. "The Castles Technology MP200S is a perfect device at a perfect time, when a lot of developers need to have an EMV solution to integrate into their payment systems," said Dave Cunningham, Senior Vice President Sales, U.S. West for Castles Technology International Corp. "It has Bluetooth, Wi-Fi, Micro USB and GPRS/3G connectivity and can be used as a PIN pad or fully functioning terminal."
- White-label solutions: "We provide a suite of easy-to-use solutions that our partners use in a variety of vertical markets," said Mitchell Cobrin, founder and Chief Catalyst at AnywhereCommerce. "Our global EMV and mPOS experts understand payments, allowing developers to quickly and confidently integrate certified payment functionality." The company's modular POS tablet solution supports numerous clerk-facing and customer-facing solutions in one single product and platform, using self-diagnostics to continually monitor all attached devices, he added.
- The IoT: Next-generation payment solutions are increasingly becoming part of a broadening global network of connected devices known as the Internet of Things (IoT). "The IoT is exciting," said Paul Galant, CEO at Verifone. "I've never seen more money and talent flow into a space." Galant predicted that low-level sensors will carry out many small tasks, such as monitoring homes and aiding in restocking refrigerators. Legacy "feature phone" terminals lack the bandwidth and processing power to do these things, he said. Verifone is evolving from a traditional device manufacturer to a services model, he added.
- Managed security services: The evolving threat landscape combined with consumers' increasing use of connected commerce makes managed security service offerings attractive to large and small merchants alike. Atlanta-based ControlScan is a Managed Security Service Provider specializing in delivering the technical expertise and security know-how to keep businesses secure. The company's vulnerability scanning service helps large and small business owners detect and promptly remediate vulnerabilities. "The newly released PCI External Vulnerability Scanning service involves a completely redesigned delivery model that significantly advances the user experience," said Steve Robb, Senior Vice President of Security Marketing and Product Strategy at ControlScan. "We applied customer feedback, industry best practices and our internal expertise to create a dynamic and intuitive deliverable."
- PCI compliance tools and resources: Reno, Nev.-based Conformance Technologies created a PCI Toolkit, designed to help payment acquirers and ISOs ensure that all of their merchants comply with the Payment Card Industry Data Security Standard (PCI DSS) and related standards established by the PCI Security Standards Council. "Getting and keeping merchants compliant is no easy task," said Darrel Anderson, President of Conformance Technologies. "Our ToolKit solution takes the headaches and hassle out of 3.1 PCI compliance validation while helping you manage and report portfolio compliance."
- Alternative lending: "At Transact, it also became apparent that there is value between lenders/merchant cash advance companies and payment processors beyond just boarding accounts and setting up splits to facilitate loans and advances," noted deBanked's Murray. "Lenders can still use ACH as the methodology while referring their customer to payment processors to leverage existing relationships into merchant account residuals." Murray has seen the model work especially well for processors engaged in customer acquisition. "It's not a passive [referral] arrangement anymore," he said. "In some ways the balance of power in these partnerships has shifted from the processors to the lenders."
"Disruptive innovation may feel like it has just burst upon the scene, but in reality many of these changes have developed slowly over time, as disruptors learn the space," said Mike Gardner, CEO at Agreement Express Inc. "Look at the math behind Square: the margins aren't great; losses are huge, but even if Square fails, they've rewritten the formula, profoundly changing merchant acquiring, rate structures, onboarding and underwriting models."
Gardner has observed similar trends in the wealth management industry. Three years ago robo advisors began to replace traditional wealth management advisors, creating a self-service investment space. It didn't take long for large incumbent firms, such as Vanguard and Charles Schwab, to make huge investments to compete and ultimately win back customers, he noted.
"If brands don't recognize and replicate the disruptor models, then extinction will be on their horizon," Gardner said. "Companies must progressively think their way through what is possible and if that renaissance isn't happening, we won't see those big logos in the exhibit hall next year."
Small Business Finance Association lays out guidelines
Wednesday, April 20, 2016
In mid-April the Small Business Finance Association released a set of best practices for the alternative finance industry. The new guidelines provide essential steps in four key areas industry members should adopt to best serve small business customers.
Stephen Denis, former Deputy Staff Director of the House Committee on Small Business, was hired by the SBFA in December 2015. As Executive Director, he will oversee the creation of a unified voice to advocate for this vital small business lending source. In addition to developing best practices, Denis, who has 12 years' policy experience, is also advocating on behalf of the SBFA's alternative finance technology company members.
During his tenure with government, Denis witnessed first hand how the collapse of traditional lending sources can impact small businesses. "We were here every day with small business constituents from around the country, and the number one issue that was always brought up to us was the lack of capital out there for small businesses," Denis said. "It's really tough for a small business to go and get a smaller dollar loan."
He noted that traditional bank loans are down approximately 20 percent since 2008, and that because many traditional lenders have abandoned small business loans, alternative finance providers have emerged to fill the gap.
First order of business
To encourage small businesses to obtain financing from reputable companies, the SBFA best practices are posted online in a document titled Small Business Finance Principles. Following is a summary of the four guiding principles.
- Transparency: Alternative finance providers must disclose the fees and dollar amounts associated with all aspects of loan funding and loan transactions in clearly stated documentation that is signed by small businesses.
- Responsibility: Alternative finance providers must fully assess the affordability of the product being offered during the underwriting process; deal with account defaults fairly; and adhere to the terms of the agreement and any applicable local, state and federal laws.
- Fairness: Alternative finance providers must be truthful and fair in dealing with small businesses in terms of marketing and sales practices, client treatment and complaint processing, as well as offer the ability to cancel the transaction and return all funds without penalty for a limited time after funding (three to five days).
- Security: Alternative finance providers must adhere to rigorous privacy standards regarding sharing of data under applicable laws and implement robust underwriting procedures to verify the identity and ownership of the entity receiving financing.
Lobbying for small businesses
As an advocate for small business access to finance products, Denis recently testified at the state level pertaining to a bill that would have introduced additional compliance requirements.
"It was a pretty complex bill, 14 or 15 pages of regulations for the industry, creating licensing and various legal components the industry would have to comply with and make it really difficult for our companies to operate in the state of Illinois, " Denis said. "We think there are some things in the bill that were positive."
At this point, reaching out to policymakers to ensure over-regulation does not erode the alternative finance market, as happened with banks and credit unions, will be an ongoing challenge for the SBFA. Denis expressed concern that some policymakers are looking to regulate small business loans similarly to consumer loans, which are structured differently, so more education will be needed.
"SBFA understands that small businesses take big risks to succeed," said David Goldin, SBFA President and Chief Executive Officer of Capify. "We want to be a resource in their success by providing transparent capital solutions that they can trust."