Updated: Tuesday, June 30, 2015
NYPAY, Deloitte take on real-time payments
New York-based payments organization NYPAY and Deloitte LLP co-hosted an event on June 26 to explore the meaning and impact of real-time payments. Approximately 60 financial services executives attended the three-hour session at Deloitte's New York offices, which included a networking hour and panel discussion.
The combined effects of high-speed communications technologies and changing trends in card-present, mobile and ecommerce payments schemes have spurred interest in real-time payments from all sides of the equation. Recent payments industry developments include:
- NACHA's banking initiative designed to speed up ACH payments from 1 to 3 days to same-day
- Private payment networks Dwolla Inc. and FIS's current support of real-time payments
- The Federal Reserve's task force effort involving payments industry stakeholders to define a real-time national payment system
- Real-time payment network infrastructure companies ACI Worldwide Inc. and VocaLink's facilitation of faster payments in the United Kingdom, Singapore and Australia.
Diverse views spark lively debate
In his opening comments, NYPAY President David True noted that there are many variations and definitions of real-time payments. This diversity of viewpoints was evident throughout the spirited discussion among panelists and audience members. Moderator Eric Piscini, Consulting Principal at Deloitte Banking and Technology, was joined by the following panelists:
- Ben Isaacson, Executive Director of Payments Strategy at JP Morgan Chase
- Dan Gonzalez, Vice President of Payments Industry Relations for the Federal Reserve Bank of Chicago
- Eric Purdum, Vice President of FIS’ PayNet Payments Network
- Shari Krikorian, Senior Business Leader - Emerging Payments at MasterCard Worldwide
With no clear-cut definition at this point, achieving an overarching definition of real-time payments will continue to be a work-in-progress for the foreseeable future.
Shari Krikorian advanced MasterCard's focus on real-time payments through the eyes of the consumer. She said consumers want immediate access to funds in their bank accounts when making purchases. From a technology perspective this means a real-time authorization that results in an issuer posting money to a bank account.
PayNet's Eric Purdum concurred with the definition, stating "I'd add business to that concept, with funds posted to a business account immediately," as opposed to the inevitable delays involved with other transmittals such as fed wire transactions.
Chase’s Ben Isaacson said, "I'd echo Shari's comments about immediate availability of funds. Banks need to be an end-to-end system with risk management and governance that gives the bank the confidence to give the money [to a particular customer] right away."
Dan Gonzalez stated that the Federal Reserve has been involved in a far-reaching initiative to energize payments providers and make payments faster. He said the initiative extends "beyond the four walls of the banking system." Desired outcomes include faster payments, ubiquity of applications and technology, and safer payment processing that "doesn't exist today." Gonzalez framed his remarks with a disclaimer that his views were his own and not the official position of the United States government.
"We created a task force to bring together industry stakeholders to help define [real-time payments] where the commitment to pay can be as important as the settlement," Gonzalez said. He further noted that the Federal Reserve is exploring real-time payment as it relates to the following five use cases: emergency bill and healthcare payments; person-to-person payments; consumer-to-business bill pay; business-to-person payroll; and ad hoc high-value payments. Many of these categories are a vital concern for unbanked and under-banked consumers.
Future NY events slated
NYPAY has been hosting events since 2006 with the goal of connecting innovators and leaders from the payments-commerce arena. Merchants, networks, payment processors, startups, regulators and others are welcome to participate in future events.
NYPAY members and guests will reconvene on July 22 at MasterCard's New York City Tech Hub to explore "APIs in Fintech: What They Do and Why They Matter." The organization's third annual Unconference, a full day event co-hosted by Consult Hyperion, will be held on September 15 at the Microsoft Technology Center in New York City.
Criticism of CFPB grows
Friday, June 26, 2015
Recent reports about computer hacks of government databases, notably those run by the Internal Revenue Service and the federal Office of Personnel Management, are raising new concerns about the Consumer Financial Protection Bureau and the security of consumer financial information the agency collects to inform its policy making.
The CFPB was created as an independent federal consumer watchdog under the 2010 Dodd-Frank Act. That legislation gave the CFPB sweeping powers to collect all types of transaction-level information from financial institutions and their processing partners in support of its consumer protection activities.
At least one processor has already complained about the resulting workload, and has said it may pass along the costs to bank clients, according to the American Bankers Association. In a June 2, 2015, memorandum to state banking associations, the Washington, D.C.-based trade group urged its state affiliates to work with it to rein in the CFPB's financial data collection efforts.
Soon after, Republican lawmakers delivered a stern rebuke to CFPB Director Richard Cordray concerning the agency's data collection efforts. "We are gravely concerned by the CFPB's inability to confirm that the massive amount of data it collects and stores could not be reverse-engineered and traced back to one of our constituents," a group of 23 U.S. Senators wrote in a letter to Cordray. "Our constituents have an absolute right to the security of their personal information, whether contained in a tax return at the IRS, personnel records at OPM, or in the bulk data that the CFPB is collecting on an ongoing basis."
Those signing the letter included several members of the Senate Banking Committee, which has oversight authority for CFPB.
Consumers say whoa
Results of a consumer poll released June 18 were equally critical of the CFPB. A majority of U.S. adults contacted by the polling firm Zogby Analytics said the agency's data collection efforts were as worrisome as the National Security Agency's controversial monitoring program.
That survey, commissioned by the U.S. Consumer Coalition, also revealed significant consumer opposition to CFPB proposals to rein in nonbank financial services companies, such as prepaid card and payday loan companies. The USCC describes itself as "a grassroots consumer advocacy organization." Its website lists two initiatives: consumer protection regulations and saving the alternative taxi service Uber.
"We have a powerful agency unilaterally regulating products and industries while subjecting Americans to an unprecedented invasion of their personal financial data, and it's clear Americans don't like it," said Brian Wise, Senior Advisor at the USCC. "They clearly oppose the agency's activities to invade their privacy, track their purchases, and efforts to tell them what products they can and cannot use."
Proposed prepaid, payday rules under fire
The CFPB, controversial from its inception, has come under increased criticism with its release of proposed new rules that would come down hard on payday lenders and extend many of the consumer protections for credit and debit cards to prepaid cards. (See "Congressman blasts CFPB's prepaid card plan" under Breaking Industry News, www.greensheet.com/breakingnews.php?flag=breaking_news&id=1563, for more on the CFPB's controversial prepaid card rules.)
The Zogby-USCC survey, conducted June 5 to 10, 2015, queried 3,604 adult Americans about the agency. Here are some specific findings:
- 55 percent believe the CFPB's data collection program is equal to or worse than the NSA's controversial monitoring program.
- 80 percent believe the CFPB should not be collecting consumers' credit card statements without their knowledge.
- 70 percent said the government should not be able to tell consumers how to spend money or make other financial decisions for them.
- 71 percent said it is a consumer's responsibility to determine whether to take out loans with unfavorable terms, provided the terms are presented clearly.
Wise said the survey – the first poll to focus on consumer attitudes toward the CFPB – validates concerns raised by his group and other detractors of the CFPB. "Americans have spoken loudly for the first time in this survey that they believe this agency is invading their privacy and restricting their freedom of choice in a way that makes them very uncomfortable," he said.
FCC declares Robo-geddon
Wednesday, June 24, 2015
In response to numerous complaints from consumers and business owners about unwanted robocalls and spam text messages, the Federal Communications Commission released new, restrictive guidelines on June 18, 2015, for automatic telephone dialing systems that use prerecorded messages and artificial voice technologies for telemarketing. The newly updated FCC ruling has the potential to significantly affect companies that use call center software, exposing them to harsh penalties and statutory damages of between $500 and $1,500 per unsolicited message.
The FCC reportedly received 23 petitions filed under the Telephone Consumer Protection Act (TCPA), a law passed in 1991 and updated in 2013 that restricts unsolicited telemarketing calls, faxes, pre-recorded calls or autodialed calls, also known as robocalls. The new ruling brings much-needed clarification of TCPA guidelines for calls to landline and wireless phones. As the regulatory body tasked with enforcing the TCPA, the commission can review complaints, impose fines against noncompliant businesses and award damages to complainants.
The TCPA ruling also applies to text messages delivered to mobile phones. Merchants, marketers and consumer brands must have consumers' written permission to deliver short message service (SMS) calls for marketing, call center or collection purposes, the FCC said.
The FCC exempted financial and healthcare institutions that initiate urgent messages to consumers, such as fraud alerts or prescription refill notifications. However, it pointedly prohibits "other types of financial or healthcare calls, such as marketing or debt collection calls." It further grants consumers the right to opt out of these permitted calls and SMS messages at their discretion.
Attorney Kristi Lemoine of the FCC's Consumer and Governmental Affairs Bureau noted that downloadable applications installed on mobile devices with autodial capability are subject to TCPA guidelines. Individuals whose phone numbers are included in a mobile phone's directory of contacts must provide written consent prior to their being contacted by an autodial application. However, companies that develop and market the app would not be blamed if the app is used for noncompliant messaging unless these companies had initiated the calls.
Interactive, retroactive opt-outs
The FCC upheld the TCPA's October 2013 mandate requiring companies to obtain "unambiguous written consent" from consumers for autodialed phone and text solicitations. Manually dialed, scripted telemarketing calls that do not use pre-recorded messages are exempt from this ruling.
New TCPA guidelines stipulate that advertisers must announce interactive opt-out mechanisms at the beginning of every call and provide a way for consumers to opt out for the duration of every call. Advertisers must also maintain updated records of "abandoned calls," averaging no more than 3 percent for each campaign over a 30-day period.
An October amendment to the original 1991 ruling explicitly rejects the practice of businesses continuing to solicit consumers based on pre-existing relationships. "Established business relationship no longer relieves advertisers of prior unambiguous written consent requirement," the FCC stated.
Additionally, consumers who had previously opted in to receiving marketing communications from companies, including autodialed phone and text messages, can now change their minds by revoking "prior express consent," thus rendering former opt-in offers noncompliant with TCPA regulations and subject to penalties.
Expanded consumer resources
The Do-Not-Call Registry has been left largely intact, providing an additional resource that consumers can use to restrict unwanted telemarketing calls. The FCC noted its intention "to build on the Registry's effectiveness by closing loopholes and ensuring that consumers are fully protected from unwanted calls, including those not covered by the Registry."
TCPA guidance holds that consumer opt-ins and express consent do not apply to reassigned numbers, making it necessary for callers to continuously update their customer databases. The FCC recognizes that sometimes, despite best efforts and due diligence, a company may inadvertently autodial a reassigned number. The Commission provides an exemption for the first call to a reassigned number, giving the company the opportunity to remove the number from its active subscriber database. Subsequent calls to the reassigned number, in the event that the new subscriber has not consented to receive marketing calls, could result in fines and penalties.
Landline and wireless carriers may also offer new ways for subscribers to block autodial messages and robocalls. Business analysts expect the FCC to issue more guidance on emerging "robocall-blocking technologies."
Harbortouch aims to turn AmEx OptBlue into merchant green
Monday, June 22, 2015
Harbortouch, a merchant services and POS provider based in Allentown, Pa., launched a new version of the American Express Co.’s OptBlue program. On June 11, 2015, the company and sales channel partners began offering select merchants a 1.99 percent rate plus $0.10 on AmEx card-present transactions processed on Harbortouch POS systems.
Restaurant merchants must have active Harbortouch processing and POS system service agreements in place with average tickets below $150 to be eligible for the program. The company expects this to drive adoption of Harbortouch POS systems while providing a point of differentiation for its agents and partners. Participating merchants will be guaranteed the discounted AmEx rate for a full year, the company reported.
“Fundamentally, the OptBlue program that powers this pricing initiative is a real game changer for the industry,” said Jared Isaacman, Chief Executive Officer at Harbortouch. “We are excited to participate in that program and pass on those benefits to our sales partners.”
AmEx has steadily implemented third-party sales models over the last two decades. Its External Sales Agent (ESA) program, which began in the 1990s, pays ancillary bonuses to merchant level salespeople (MLSs) who submit AmEx merchant agreements with new merchant processing applications. The OnePoint program, established in 2007, pays ongoing residuals to agents who solicit, process and service AmEx merchant accounts.
In both the ESA and OnePoint programs, AmEx owns the merchant relationships and sets the pricing. OptBlue, introduced in 2013, was the first AmEx reseller program to enable third-party acquirers to own the merchant relationship, manage credit and chargeback risks, service the accounts, and use AmEx wholesale pricing to set their own rates.
Doubling down on OptBlue’s all-in-one program
OptBlue was created to complement other AmEx initiatives such as Shop Small, a program that encourages AmEx cardholders to patronize small, local businesses. Designed for merchants with projected AmEx charge volumes of less than $1 million per year, OptBlue aims to simplify credit card processing for small-business owners. Resellers can consolidate AmEx transactions with other major card brand activities to provide merchants with an all-in-one merchant statement and point of contact for all their processing needs.
Both AmEx and Harbortouch strive to evolve their programs in response to payments industry trends. Harbortouch introduced a free POS initiative in 2011 with a flat monthly fee for related services, which Isaacman described as being “no different than the free cell phone you get when you sign a Verizon or AT&T service agreement.”
Ed Jay, AmEx Executive Vice President, Merchant Services Americas, described OptBlue as part of the card brand’s ongoing commitment to enhance the small merchant experience in the United States. "The program will help deliver a smart and easy solution for U.S. small merchants to enjoy the benefits of American Express Card acceptance while making it convenient for consumers to Shop Small year round," he said.
Isaacman has observed a steady increase in boarding of small to midsize merchant accounts, many of whom are price sensitive and averse to AmEx acceptance. “As Harbortouch became more focused on offering POS technology, our target market evolved into the small and midsized restaurant and hospitality industry,” he said, noting that this market segment has traditionally perceived AmEx to be a premium and highly priced card brand.
“We want to reverse that perception and appeal to that market by lowering the American Express rates,” Isaacman added. He expects the program to deliver substantial cost savings to merchants who already accept American Express, freeing up funds that could be used to upgrade outdated equipment to Harbortouch POS systems. He also anticipates the special pricing to lower barriers to entry for merchants who have never accepted AmEx due to perceived higher costs.
Complete package is the real differentiator
AmEx rates can be especially steep for small merchants, many of whom lack the economies of scale to demand better pricing and pay as much as 3.5 percent to accept AmEx-branded cards. A business processing $20,000 per month in AmEx charge volume could save over $300 per month paying 1.99 percent instead. Isaacman and his team believe that the “complete package,” which bundles the AmEx offer with the company’s free touch-screen POS system, will be an important differentiator for MLSs and merchants alike.
“We believe the ‘complete package’ is really what makes the program special because it enables our sales partners to offer an aggressive cost structure on American Express acceptance, as well as an extremely economical, yet feature-rich POS system and still earn a competitive compensation package,” Isaacman said.
Isaacman noted that Harbortouch has consistently attempted to balance economical solutions with feature-rich technology while remaining responsive to sales partners and merchant customers. He feels the main message from all channels is very clear: “They want POS technology, like our Elite and Echo systems, but they want lower processing costs and more reasons to accept American Express from their customers,” he said. “We believe we are answering that demand and exceeding those expectations.”
New generation of malware hiding deep within the POS
Thursday, June 18, 2015
Upscale food emporium Eataly disclosed a security data breach in May 2015 that involved its retail marketplace POS system in New York City. None of the adjacent seven restaurants that occupy the building were affected, the Italian retailer stated.
Subsequent forensic analysis uncovered a sophisticated form of malware that had been operating undetected from Jan. 16 to April 2. Eataly notified consumers potentially affected and offered complimentary fraud and identity protection services. A notice on the company's website stated, "The malware has been rendered inoperable and additional security measures have been put in place to further secure the impacted point-of-sale and network systems. As of now, the incident has been contained and customers can safely use their payment cards throughout our stores, including at the Eataly NYC Retail Marketplace."
Mark Wayne, Executive Vice President, Business Development at Detroit-based ANXeBusiness, stated that antiquated credit card processing systems are mostly to blame for an increasing number of security data breaches in the retail and hospitality communities.
ANXeBusiness said it detects malware in about 8 percent of new clients' operating systems during initial inspection of their cardholder data environments. These clients are not aware that malicious software had been operating, in some cases, for as long as 269 days, which is the average length of time for malware to survive incognito from its initial installation to its ultimate detection. "A majority of these systems have an encryption gap that enables criminals to get in and collect cardholder data," he said.
Resistant malware strains emerging
Wayne and other security analysts warn that virulent new strains of malware such as Punkey and MalumPOS are difficult to detect due to their ability to seamlessly integrate within their targeted host processing systems. Wayne described the majority of recently detected malware schemes as "fine-tuned and sophisticated."
The FBI recently reported that Punkey malware has been detected in a high-profile restaurant chain but it has not released details on the incident. Punkey, named after Punky Brewster, a 1980s television sitcom, utilizes RAM-scraping and encryption tools that make it difficult to detect. The malware is believed to be a variant of NewPOSthings, malicious code initially discovered in September 2014 by Burlington, Mass.-based Arbor Networks.
An internal FBI bulletin issued June 8, 2015, stated, "Cybercriminals continue to deploy point-of-sale (PoS) malware due to the number of targets connected to the Internet and large potential profits." As an example, it cited a hospitality chain it did not identify that had been attacked recently by cyber actors. The report also noted a marked increase of cases of malware used to infiltrate restaurants, casinos, hotels and resorts "to extract credit card information and quickly monetize it within cybercriminal forums."
Trend Micro reported on June 5 that it had identified MalumPOS, a "new attack tool that threat actors can reconfigure to breach any POS system they wish to target." The RAM-scraping malware collects data from integrated POS systems such as Radiant and NCR Counterpoint that use Oracle's Micros platform.
Approximately 330,000 restaurants use the Micros operating system worldwide, according to Oracle. A majority of those users are based in the United States. These U.S. merchants are susceptible to a MalumPOS attack, particularly due to the malware's ability to replicate native environments of targeted retail and hospitality host systems.
Updated technologies, strategies needed
Government and security analysts recommend a multilayered, interdisciplinary approach to managing security. "It's important to note that there is no silver bullet for creating a secure environment," Wayne said. "Point-to-point encryption, end-to-end encryption, tokenization and Europay MasterCard Visa (EMV) comprise a layered approach to security in which people, process and technology work in harmony, using best practice and continued vigilance."
The FBI advocates community-level teams that support the broader efforts of the Comprehensive National Cybersecurity Initiative formed in 2008. The bureau has established 56 field offices exclusively focused on cybersecurity to further support local efforts at fighting cyber crime. Cyber Task Forces in these offices provide the following services. They:
- Respond to cyber incidents and conduct victim-based investigations
- Understand and address the threats, vulnerabilities, and collection opportunities that exist
- Maintain relationships and information sharing with key companies and institutions