June 30, 2018, is the effective deadline for merchants to implement TLS 1.2, according to the PCI Security Standards Council (PCI SSC). The newer version of Transport Layer Security (TLS) is required for merchants with Internet-facing systems. The technology addresses flaws in previous security protocols, which include Secure Sockets Layer (SSL) and earlier iterations of TLS, the council stated. An April 2015 information supplement, titled Migrating from SSL and Early TLS, called SSL a 20-year-old technology, adding, "The time to migrate is now." The PCI SSC has seen widespread man-in-the-middle attacks compromise large and small retailers. It urges merchants to upgrade to secure protocols and disable SSL and early TLS. "The SSL protocol (all versions) cannot be fixed; there are no known methods to remediate vulnerabilities such as POODLE," council researchers wrote.

read more

The Green Sheet Inc. has always been committed to advancing the knowledge and professionalism of merchant level salespeople. Now we're taking that commitment to a new venue: podcasts. Beginning in July, The Green Sheet, in partnership with CCSalesPro, will launch Merchant Sales Podcast. Headquartered in Altoona, Pa., CCSalesPro provides how-to videos, blog posts and other sales training resources for MLSs. James Shepherd, CEO at CCSalesPro, and The Green Sheet Senior Editor Patti Murphy are hosting Merchant Sales Podcast. Podcasts include interviews with industry veterans and subject-matter experts, insider reports on industry trends, and questions from the field.

read more

Friday, June 29, is the last day The Electronic Transactions Association will be accepting nominations for its inaugural class of ETA Hall of Fame inductees. The criteria for this honor include:

• Recognition within the industry as a founder, pioneer, visionary or icon
• Enduring legacy and impact of contributions to the industry for a minimum of 10 years
• Active industry engagement and indisputable service as an ambassador of the industry
• Established record of innovation within payments technology

read more

San Jose-based PayPal Holdings Inc. revealed June 21, 2018, that it plans to acquire Simility, a fraud prevention and risk management platform. The purported $120 million transaction is expected to close in the third quarter of 2018. PayPal was an early investor in Simility when it launched in 2014, along with Accel Partners and Trinity Ventures, the company reported. PayPal representatives said Simility solutions will enhance existing fraud and risk capabilities, a critical need in its expanding global enterprise. Bill Ready, chief operating officer at PayPal, said cyberattacks have become more sophisticated and innovative; merchants need better methods to monitor, detect and mitigate them.

read more

It is no surprise that directly after the Supreme Court decided a Department of Justice antitrust lawsuit in favor of American Express Co., the company and retailer groups issued differing opinions on whether the ruling would be good for consumers. Stephen J. Squeri, AmEx chairman and CEO, issued a statement praising the ruling. "The Court's decision is a major victory for consumers and for American Express," he stated. "This was a long battle, but well worth the fight because important issues were at stake: consumer choice, fair market competition, and the ability to deliver innovative products and services to our customers, both consumers and merchants."

read more

The 2018 Spotlight Report on Financial Services, published by Vectra Co. on June 20, describes how cybercriminals use hidden tunnels to access encrypted networks. Researchers believe this methodology may have been used in the 2017 Equifax data security breach, when hackers stole 145.6 million consumer records while remaining undetected for 78 days. Chris Morales, head of security analytics at Vectra, observed that hackers mimic user behavior to blend into networks, which makes them difficult to expose. Once they are in a network, they burrow even further, escaping detection while setting up remotely accessible command and control centers to exfiltrate data.

read more

After 26 years, the Supreme Court overruled its decision in Quill Corporation v. North Dakota. At the time, the justices decided the U.S. Constitution prohibits states from forcing businesses to collect sales taxes unless those businesses have a substantial connection to the state, such as a physical location. In a 5 to 4 ruling handed down June 21, 2018, the court ruled in favor of the plaintiff in South Dakota v. Wayfair Inc., et al., which means Internet retailers can now be required to collect sales taxes in states where they have no physical presence.

read more

A Javelin Strategy & Research study, underwritten by Verifi and published in May 2018, cites communication gaps as a leading cause of disputes and chargebacks. The 36-page report, titled The Chargeback Triangle, examines chargeback costs and impacts while demonstrating how to prevent chargebacks by resolving open issues. In 2017, chargeback volumes reached $31 billion, including $19 billion in merchant losses and $12 billion in issuer losses, researchers found. Matthew Katz, CEO at Verifi, said improved collaboration among industry stakeholders would dramatically reduce these numbers.

read more

Alior Bank developed a new digital platform with the intent to establish a bank that bundles best-in-class financial services from different fintechs and financial institutions. Four distinct enterprises have now joined forces to create such a bank. Set to launch in the fourth quarter of 2018, the pan-European digital bank is a collaboration between Alior Bank, solarisBank, Mastercard and Raisin.

read more

BBC News confirmed reports of a second major data breach at Dixons Carphone PLC, a publicly held British electronics retailer that operates as Currys PC World and Dixons Travel. The company reportedly found anomalies in its POS network in July 2017 but took nearly a year to disclose the malicious activity. In a June 13, 2018, statement, Dixons Carphone revealed the attack may have compromised 5.9 million credit and debit cards and more than 1 million consumer accounts. Security analysts criticized the delayed disclosure and failure to protect critical infrastructure after suffering an earlier attack in 2015. Lee Munson, security researcher at Comparitech Ltd., said the Dixon Carphone breach highlights how commonplace massive data breaches have become. "What is worrying here is the delay between the breach occurring last year and the disclosure today," he said. "Thankfully, under GDPR, non-disclosure for business reasons is no longer possible as the ICO [the Information Commissioner's Office] must be informed within 72 hours whenever possible."

read more

According to an annual survey of merchants, two major mobile wallet providers lost traction over the past year. Merchants accepting Apple Pay slipped from 48 percent to 35 percent in 2018, while Google Pay dropped from 38 percent 25 percent year-over-year. Support for PayPal, however, surged from 48 percent to 64 percent. Looking at the overall picture, mobile wallet support grew from 22 percent to 29 percent. Pain points cited by merchants in the 2018 Mobile Payments & Fraud Survey, conducted by Kount Inc. and The Fraud Practice, included maintaining ease of use for consumers for 60 percent of those surveyed. The ability to detect fraudulent order attempts was a challenge for 52 percent. Even with these challenges, nearly one-third of merchants were optimistic that the mobile channel will represent at least half their total revenue by 2020.

read more

Security experts are debating the Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act, proposed legislation to create a uniform national encryption policy. Introduced June 7, 2018, by Reps. Ted Lieu, D-Calif., Mike Bishop, R-Mich., Suzan DelBene, D-Wash., and Jim Jordan, R-Ohio, the bill would enable federal agents to access “back doors” into encrypted data. It would also prevent individual states from enacting separate data access policies. ENCRYPT Act supporters call it a necessary protection against counterterrorism; opponents argue it gives too much power to federal law enforcement. Rep. Lieu believes the bill has received bipartisan support because it addresses conflicting encryption standards for interstate commerce, economic security and cybersecurity. “I can tell you that having 50 different mandatory state-level encryption standards is bad for security, consumers, innovation, and ultimately law enforcement,” he stated. “Encryption exists to protect us from bad actors and can’t be weakened without also putting every American in harm’s way.”

read more

On June 1, Token.io Ltd. became the first licensed Payment Initiation Service Provider to conduct an end-to-end payment through a public bank application programming interfact (API). The San Francisco-based open-banking platform provider received confirmation by the UK Open Banking Implementation Entity that it was indeed first to execute this type of transaction. The initial API payment was executed via Token's network using Santander's API payment initiative endpoints, the company noted. "Billions of payments will follow," said Marten Nelson, co-founder and chief marketing officer at Token. "Ours was the first."

read more

Paysafe Group, a global provider of end-to-end solutions with U.S. headquarters in Houston, disclosed June 7, 2018, that its prepaid product, paysafecard, will be accepted in the Google Play Store. Paysafe plans to roll out the card in Europe following a pilot test in Poland, which is home to more than 1 million paysafecard cardholders, company representatives stated. By removing the need for online shoppers to share banking or credit card credentials, Paysafe expects paysafecard to appeal to underbanked, video gaming and privacy-conscious consumers while also complying with European Union privacy regulations. Udo Müller, CEO at paysafecard, said these expectations are consistent with company research on consumer trends.

read more

The state of New Mexico reached a $3.4 million settlement with Visa and Mastercard. The settlement stems from a 2014 lawsuit that called into question credit and debit card interchange fees assessed New Mexico merchants and state agencies, alleging they were excessive in violation of state law. Visa and Mastercard agreed to settle "without any admission of liability or wrongdoing whatsoever," according to the settlement document. Under terms of the agreement, Visa paid about $2.2 million into a settlement fund and Mastercard paid about $1.1 million. The two companies also agreed to join and pick up the cost of a consumer financial education campaign to be launched by the state attorney general's office.

read more

The University Blockchain Research Initiative (UBRI), underwritten by Ripple and launched June 4, 2018, will support academic research and development of blockchain and cryptocurrency schemes. Ripple, a global financial and blockchain settlement network headquartered in Amsterdam, with offices in San Francisco, New York, London, Sydney, India, Singapore and Luxembourg, stated it will donate $50 million to participating universities. Eric van Miltenburg, senior vice president of global operations at Ripple, said Ripple looks forward to facilitating faculty and student-led projects that explore digital payments use cases. "Academia has traditionally been a critical driver of technical innovation," he said.

read more

Karim Baratov, a 23-year-old Canadian hacker, was formally sentenced in Northern California, May 29, 2018, in connection with a massive Yahoo! data security breach first reported in September 2016. Baratov, whose aliases include Kay, Karim Taloverov and Karim Akehmet Tokbergenov, will serve five years in prison and was ordered to pay restitution of $250,000 to millions of consumers whose identities and personal information were compromised, authorities stated. His sentencing concluded a multinational FBI investigation and led to the arrest of other offenders Baratov named as part of a plea deal.

read more