Updated: Tuesday, October 28, 2014
Customer service, not breaches, more important to consumers
It is a given that damage to a retailer's reputation is one of the biggest negative outcomes from a big data breach. However, research from the Ponemon Institute LLC said that customer service, or the lack thereof, is a bigger turn-off for consumers than a data breach, and by a wide margin.
In April 2014 research entitled The Aftermath of a Mega Data Breach: Consumer Sentiment, 75 percent of almost 800 survey respondents said poor customer service would have the greatest impact on a company's reputation. Some type of environmental incident was the second most determining factor in reputational damage, at 33 percent, with a data breach coming in third at 30 percent.
In fact, when respondents read about data breaches happening to particular companies, 41 percent said the breaches did not change their opinions of the companies, while 29 percent said the data breach news would make them less likely to frequent that company, and only 15 percent would sever relationships with breach-affected companies.
These survey results are apparently not idle talk, as over half of the respondents said they had been victimized by a data breach and their sensitive personal information compromised. Of 797 respondents, 400 said they had been data breach victims. Additionally, the main damage from a data breach was in the stress it caused individuals, not the financial damage.
In fact, 81 percent of respondents who had their accounts compromised said they had no out-of-pocket expenses as a consequence of the breach; and if they did, the cost averaged $38. However, the stress caused by a breach was the overwhelming fall-out for consumers. Seventy-six percent of respondents said stress was the chief result of a breach, followed by time spent repairing problems caused by the breach (39 percent) and fraudulent charges appearing on their accounts (25 percent).
Customer service in data breach management
Ponemon's 2014 research, sponsored by Experian Data Breach Resolution, was a follow-up to 2012 research focusing on the same topic. In comparing consumer sentiments from 2012 to 2014, more consumers believe today that data breach-affected companies should compensate their consumers in the form of cash, products or services – 67 percent to 63 percent (2012) – and provide identity theft protection – 63 percent to 58 percent (2012).
It also seems that retailers, especially, are becoming more proactive in informing customers of breaches, which shows a higher level of customer service and emphasis on damage control. Respondents in the 2014 survey said 35 percent of retailers notified them of breaches, up from only 7 percent in 2012. The same can be said for credit card companies, presumably card issuing banks and the card brands, which notified affected customers 35 percent of the time in the 2014 study, compared to only 3 percent in the 2012 report.
According to the 2014 survey, businesses can do themselves the most good in the wake of breaches by explaining the potential risks or harms of the compromises, disclosing the facts of the incidents and telling the unvarnished truth. Sixty-seven percent of respondents believe explaining the risks/harms to them of data breaches is the best way companies can improve communications, followed by fact disclosures (56 percent) and not "sugar coating" the message (33 percent).
When asked what businesses could do to prevent customers from ending relationships with them following breaches, 54 percent of respondents said nothing would change their minds, but 43 percent said a sincere and personal apology would result in them keeping relationships intact, and 41 percent said offering free identity theft protection and credit monitoring services would help out, too.
Contradictions in consumer attitudes
Ponemon's research revealed some seemingly contradictory results as well. When consumers are victimized by data breaches, their fears of also becoming victims of identity theft increase. Following a data breach, that fear nearly doubles, from 11 percent to 20 percent of respondents in the "extremely concerned" category, and from 13 percent to 25 percent in the "very concerned" category. Furthermore, following breaches, 48 percent of victimized consumers in the survey said that their identities were at risk for years, or forever.
But curiously enough, when consumers received data breach notifications that they may have been victimized, 32 percent of respondents ignored the notifications and took no action and only 18 percent followed the advice provided in the notifications.
Nevertheless, most consumers seem to recognize what types of data are the most sensitive and would cause the most stress and financial damage if compromised. Seventy-eight percent of respondents said the compromise of Social Security numbers would lead to the most potential damage, followed by password/PIN (71 percent) and bankcard account information (65 percent).
ISO lesson in PayPal's digital gaming domination
Friday, October 24, 2014
PayPal Inc. is the dominant payment provider for online gamers, according to SuperData Research LLC. With over a quarter of all digital gaming revenue worldwide flowing through PayPal's online payment engine, the question is why. The answer may be taken as a warning for ISOs and merchant level salespeople about complacency pertaining to the growing but still underdeveloped mobile payments realm.
In Payment Preferences of Online Gamers 2015, SuperData said PayPal represents 26.2 percent of digital gaming revenue, followed by Visa Inc. (20.1 percent), MasterCard Worldwide (9.8 percent), Google Wallet (3.6 percent) and paysafecard (1.1 percent). The results, based on the aggregation of transaction data from 38 million unique digital gamers in 40 countries worldwide, suggest that more gamers choose to pay with PayPal not only because the service works, but also because PayPal simply got there first.
"It's the type of payment method that grew up with the Internet," said Dr. Joost van Dreunen, Lead Analyst and Managing Director at New York-based SuperData. "And so a lot of people who grew up online or in this digital space use it. It makes a lot of sense."
Less than 20 percent of digital games do not employ PayPal as a payment option, according to van Dreunen. Combine that dominance with three further facts, and PayPal's popularity becomes clear: approximately two-thirds of all gamers in developed markets like North America and Western Europe have PayPal accounts; PayPal is easy for game developers to integrate into their games; and gamers can easily turn to PayPal when they need to buy particular weapons or abilities in-game to boost the powers of their avatars.
"You can integrate it pretty cleverly within a game," van Dreunen said. "It reduces a lot of the steps of paying. So that's why it's cool. And it has a degree of safety attached to it."
The digital gaming market continues to enjoy massive growth. SuperData pegged the total market at $48.8 billion in 2014, with the U.S. market contributing $12 to $13 billion, while the Asia-Pacific region works out to $18 billion.
Van Dreunen said Visa dominates over MasterCard as gamers' payment preference simply because of brand recognition. And Google Wallet lags far behind its competitors in digital gaming, even though Google Inc. operates its own Google Play app store, because Google Wallet has not provided gamers a compelling enough reason to change their payment preferences.
"There's no real incentive to change," van Dreunen said. "What Google Wallet is doing is saying, 'We're the same. We're just as reliable.' So they are always at a deficit and trying to catch up in terms of signing up vendors. As a gamer you are confronted with these options. If it really comes down to PayPal or Google Wallet, there's no strong incentive to jump ship."
Van Dreunen believes new payment players in digital gaming, namely Apple Inc. with Apple Pay and Alibaba Group Holding Ltd. with Alipay in the U.S. market, will find it hard to unseat the incumbents.
"I'm cautious when it comes to the potential for Apple Pay to really make a big dent in the gaming space per se," van Dreunen said. "And this is because there is no clear incentive. They can remove some obstacles. They can do in-app purchases and all that. But people are spending pretty healthily already. So, sure, it will move things up or down a few percentage points. But it's not going to be a game changer."
The same rationale applies to Alipay, with China-based Alibaba recently entering the U.S. market through its record-breaking initial public offering. In China, Alipay is the payment mechanism used for one in every five digital game purchases, van Dreunen said; the online giant will not be able to generate those numbers in the U.S. market. However, Alibaba/Alipay will still gain gaming market share simply as the market continues to grow, van Dreunen noted.
The ISO choice
A parallel can be made between the solidified payments market in digital gaming and the choice ISOs are faced with today regarding mobile payments. With the mobile payments market still in flux, many players are vying to come up with the best solutions and trying to time the market correctly.
Apple Pay may succeed in that endeavor where Google Wallet has so far apparently failed. But one day the mobile market will find its equilibrium and a hierarchy of dominance will emerge, as it has in gaming. Where will ISOs be when that happens? Will they be PayPal or Google Wallet?
Van Dreunen agrees that it is difficult for companies to break into maturing markets. "Newcomers have to make sure they cover all their bases," he said. "Especially for a market as volatile as interactive entertainment, you'll need all the help you can get. Plus, providing a proficient payment system is a critical piece of the puzzle for smaller firms because the extra money makes all the difference for cash flow purposes and the initial proof of concept."
Does Apple Pay debut usher in new era of banking?
Monday, October 20, 2014
Today, Apple Inc. went live with its much anticipated mobile wallet scheme, Apple Pay, in conjunction with the launch of an update to its mobile operating system, iOS 8.1. The tech giant's near field communication (NFC)-enabled mobile payment solution has been praised for its seamless consumer experience, its Touch ID biometric authentication technology, and its in-app functionality, which could render the traditional POS obsolete. But is the end game for Apple Pay that it allows Apple to become its own digital bank?
That is the contention of an Oct. 2, 2014, Deloitte Digital blog post titled "From tech giant to digital bank?" In the post, Deloitte wrote, "Banks, carriers and credit card companies have been struggling to find a solid model for mobile payments over [the] years. Apple Pay could close the puzzle as they have every ingredient to make Apple Pay the new standard for consumer payments."
At the heart of this contention is the deal Apple struck with card issuing banks. The agreement, which has not been made publicly available, rewards Apple with a lower per-transaction processing rate because of the widely believed robustness of the data security measures, such as tokenized payment data and biometric authentication, incorporated into Apple Pay transactions.
Deloitte said Apple will receive 0.15 percent of all transactions made with Apple Pay. "0.15 percent may seem a very small share, but it has great potential with an existing $390 billion [in the United States] in retail transactions and still an enormous number of replaceable offline payments," the blog said. "As Apple will take care of your transactions it can also become a risk for consumer banks as consumers will more and more loose [sic] contact and loyalty with their bank. When Apple Pay really takes off, it could be handling all your current online as well as offline payments and basically become your new digital bank!"
No 'Apple Bank' in foreseeable future
Brandes Elitch, Director of Partner Acquisitions at CrossCheck Inc. and frequent contributor to The Green Sheet, does not see the logic of Deloitte's position. "The only way that Apple could 'handle all your current online' payments would be if Apple displaced First Data, or Paymentech, or Heartland, and became the merchant’s processor directly," Elitch said. "And this would be a very dramatic move indeed."
Elitch noted that Apple seems content at the present time to leverage the traditional merchant processing business model and infrastructure already in place. "The merchant has an acquirer that underwrites the merchant and processes the transaction, on the MC and Visa rails, crediting the merchant and debiting the consumer’s issuing bank," Elitch said. "Apple does nothing to change that, except charge a toll to the processor for using their fraud management software."
Elitch stated that consumers will still be using their bank-issued and network-branded credit and debit cards to facilitate Apple Pay transactions, and interchange from those transactions will still flow to the various players on the payments value chain. "How can Apple become the consumer’s bank?" Elitch said. "Are they going to open demand deposit accounts and offer FDIC insurance, and offer ancillary services that consumers need to accompany their DDA? All payments begin and end in the DDA, which is at a bank, a government regulated and inspected bank."
Apple Pay still a game changer
Whether or not Apple Pay ultimately results in the "Apple Bank," Rick Oglesby, Senior Analyst/Consultant at Double Diamond Consulting, believes Apple Pay is a game changer, especially for in-app payments, as opposed to in-store NFC-enabled payments. "Once Apple Pay becomes second nature to consumers for in-app payments, that behavior could extend to in-person purchases," Oglesby said. "But lots of NFC infrastructure needs to be installed, and lots of consumer behavioral changes need to take place before that happens. I expect in-store adoption to be gradual."
Apple Pay may eventually be the mobile payment model that renders the traditional POS obsolete, but not so fast. "We are a long way from registers becoming obsolete, but opportunities to convert in-store sales to in-app checkout solutions is growing, and Apple Pay will facilitate that growth, along with Passbook, BLE and beacons," Oglesby said. "However we can expect many cards to be in-market for a very long time, and therefore traditional checkout solutions aren’t going away any time soon."
Payments industry stalwarts were quick to announce their Apple Pay integrations to coincide with its launch and availability in 220,000 retail locations across the United States. Harbortouch unveiled the Apple Pay-enabled Perkwave app for its pay-at-the-table capability in restaurant settings.
“Pay-at-the-table is a critical component of the new EMV requirements," said Harbortouch Chief Executive Officer Jared Isaacman. "However, the only pay-at-the-table solutions currently on the market require costly equipment for the merchant and require customers to change their ingrained behavior. Now, the Perkwave app delivers a far better solution for our restaurant clients."
Isaacman believes Apple Pay will succeed where other mobile wallets have failed. “The app leverages a familiar technology – mobile phones – to limit the consumer pushback that many other solutions have faced," he said. "With Apple’s proven track record of shaping trends on a global scale, Apple Pay is likely to be the first mobile payment solution to gain mainstream adoption. Perkwave helps facilitate this shift by enabling millions of iPhone users to use Apple Pay in a setting where it might not otherwise have been utilized."
Additionally, First Data Corp. launched its Apple Pay-supported Payeezy in-app payment solution. First Data said Payeezy affords merchants and their app developers the ability to build Apple Pay-based iOS apps. "Developers begin by visiting Payeezy.com, downloading the software development kit (SDK) and supporting documentation needed to build the app," First Data stated. "This SDK also provides the tools to be able to accept Apple Pay in their iOS apps."
EMV gets a boost from Obama
Friday, October 17, 2014
On Oct. 17, 2014, President Barack Obama signed an executive order directing that the federal government lead by example and implement chip and PIN technology for government-managed credit and debit card programs. In a speech at the Consumer Financial Protection Bureau, Obama laid out the BuySecure Initiative, which, in part, will mandate chip and PIN as the security standard for such programs as Direct Express, the prepaid debit card program that electronically distributes government benefits to recipients.
The initiative will undoubtedly provide more momentum for card issuers and merchants to transition their hardware and software to the Europay/MasterCard/Visa (EMV) chip and PIN protocol.
The initiative calls for the federal government to embark on an "enterprise-wide transition to more secure credit, debit, and other payment cards, as well as the retail payment terminals at government locations like the passport office, VA canteens, and national parks." The move is meant to increase data security for consumers by transitioning away from mag stripe technology on payment cards to chip and PIN technology, which is widely believed to be the more robust security protocol.
But the transition is also meant to spur the adoption of chip and PIN in the private sector. "The goal is not just to ensure the security of doing retail business with the government, but also, through this increased demand, to help drive the market towards swifter adoption of stronger security standards," said the White House in a statement. "Institutions like the United States Postal Service have already made this transition across tens of thousands of retail facilities across the country."
The transition is expected to begin on Jan. 1, 2015, with the goal of issuing over 1 million new chip and PIN cards by the end of 2015.
Additionally, the initiative involves upgrading the POS terminals at government agencies to accept EMV chip and PIN cards. The Department of the Treasury will oversee this part of the initiative, as it is in charge of the federal payment collection system.
All in support
Both sides of the U.S. commercial marketplace, as represented by The National Retail Federation and the Electronic Transactions Association, support BuySecure. In a statement, ETA Chief Executive Officer Jason Oxman approved of the government's announcement.
"EMV implementation is a vital step in addressing counterfeit card fraud, the single largest source of card fraud in the USA," Oxman said. "Although chip cards would not have stopped recent high-profile retail breaches, they are part of an overall secure technology deployment that includes tokenization and end-to-end encryption. … ETA applauds the administration’s support for a uniform national data breach notification standard and for greater information sharing on cyber threats."
Meanwhile, NRF President and CEO Matthew Shay said, "We applaud the administration for taking proactive and positive steps by adopting PIN and chip technology for government-issued debit and credit cards, among other things.
"As the world’s largest retail trade association, NRF continues to work with our members and other stakeholders on practical and comprehensive solutions that are less about process and more about progress toward how we collaboratively prevent and combat this criminal activity. From insisting on PIN and chip cards to facilitating greater information sharing among retailers and others sectors, we are committed to finding the right answers with the latest technologies to stop these cyber thieves."
The Retail Industry Leaders Association also supports Obama's initiative. "Retailers applaud the president's action to advance card security," said RILA President Sandy Kennedy. "Today's announcement should serve as a catalyst for widespread adoption of chip and PIN card security."
Onward with EMV
Obama also commended card issuers and large retailers for making the transition to EMV. Obama spotlighted actions taken by several national retailers and service providers:
- The American Express Co. will launch a $10 million program in January 2015 to assist small businesses in upgrading their POS systems to EMV.
- The Home Depot U.S.A. Inc. is transitioning 85,000 POS terminals to support EMV in stores and has enhanced encryption of payment data at its U.S. stores.
- Target Corp. completed installation of chip and PIN readers in all of its 1,801 stores; in early 2015, Target stores will begin accepting all chip-enabled cards and reissue over 20 million Target-branded chip and PIN-enabled credit and debit cards.
- Visa Inc. will invest more than $20 million to educate consumers and merchants on chip and other secure technologies, while also embarking on a national public service campaign in 20 cities.
- The Walgreen Co. upgraded its POS terminals to chip and PIN in 8,200 stores, and will begin accepting chip and PIN-based cards in early 2015.
- Wal-Mart Stores Inc. will have activated new chip and PIN readers in nearly 5,000 Walmart and Sam’s Club U.S. stores by Nov. 1, 2014.
Lessons from the JPMorgan breach
Wednesday, October 15, 2014
The evolution of the recent JPMorgan Chase & Co. data breach that compromised tens of millions of customer details raises more questions than answers. As a follow-up to the news story posted online on Oct. 10, The Green Sheet asked the data security experts quoted in that article for their opinions on what can be done to bolster the data security infrastructure, given the increasing frequency and sophistication of cyberattacks.
The Green Sheet: It seems like the current defensive strategies are not working well enough, since the number and size of breaches seems to be growing. So what is the solution?
Dr. Mike Lloyd, Chief Technology Officer at RedSeal Networks: It’s significant to see that the attackers who broke in and stole some customer data from JPMC have been detected on the networks of other major payment companies. That said, there’s no public information yet to indicate these other locations suffered breaches – it’s quite likely that most suffered only some unwanted reconnaissance.
Attackers have an important capability, thanks to the way the Internet works: they can "twist doorknobs" on a global scale, using quite basic automation tools. That is, given one concept for a possible exploit, they can rapidly search across the attack surface of many organizations, to see if the technique causes any doors to spring open. In many cases, attackers don’t even need to look for specific targets – they can simply start searching widely, and see what pops up in their dragnet. The fact that many organizations can see the "doorknob twisting" coming from specific locations is just an illustration of the ease with which attackers can move laterally, from target to target, exploiting any weak points found.
The necessary response for defenders is to automate the mapping, assessment, and reduction of the attack surface of the organization. No business today can have zero attackable surface – if you interact with customers, then bad actors can find a way to exploit that. But each increase in attack surface is an increase in risk, and one more door that might accidentally be left unlocked. Attackers have no difficulty searching exhaustively for weak points; defenders need to do the same, starting by mapping out and assessing their total network attack surface.
Michele Borovac, Vice President at HyTrust: Companies must assume that attackers are already inside their networks. Like the military, security best practices always incorporate "defense in depth." To both prevent and curtail these kinds of attacks, organizations need to take a look at where their sensitive data resides, and secure it from the inside out. As recent attacks have proven, administrator accounts are ripe targets, and organizations that have virtualized their data centers should pay careful attention to virtualization admins. These accounts typically have very broad powers with few controls in place to track what they can and can’t do. To build defense in depth:
- Implement two-factor authentication for all admins: Even if a hacker gets a username/password for an admin through phishing or accessing credentials through an authorized third party, they will not be able to access admin accounts without the secondary token.
- Automate authorization: Put controls in place that ensure admins can only manage what they need to, and automate workflows for secondary approval for any sensitive operations.
- Encrypt your data: Encryption is the best way to ensure data is only accessible to those authorized to see it. Just make sure your system supports policy-based, enterprise-ready key management – you don’t want to protect all your data with a weak password.
Martin Walter, Senior Director at RedSeal Networks: Network segmentation seems to be the holy grail of the industry to counter the majority of these sophisticated attacks. Segmenting these networks effectively remains a dream, though, without automated systems that support the design of a segmented network and proper access policy validation.
Businesses struggle to keep up with business needs and to keep their IT agile enough to serve the business. With that, the network is so dynamic – and has to be – that a major re-architecture such as network segmentation puts a lot of risk on the business if not properly planned. Not to mention the different influences and influencers who architected the network in the first place and moved on (i.e. "too many architects spoiled your network").
Proper planning is only possible if you truly understand every aspect of your network, from routing to single ACLs [access control lists] allowing exactly one business application to talk to another. Without automated applications that give you this visibility and intelligence, from the big picture down to individual ACLs, enterprises will never be able to perform this type of re-architecture without putting significant risk on the business processes the network needs to support. Hence, if you try to just "figure it out yourself," network segmentation will remain a dream, as it will never be successful.
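Walter's point about validating access policy down to the individual ACL can be made concrete with a small evaluator. What follows is an added example, not code from the article, from RedSeal Networks or from any of the interviewees; the zones, addresses, rule set and segmentation policy are all constructed for illustration. It evaluates a first-match ACL with an implicit deny and then audits it in both directions: every allow rule must map onto an approved zone-to-zone flow on a specific port, and every approved flow must actually be reachable through the rules (which catches shadowed or missing entries).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One ACL entry. A port of None means 'any destination port'."""
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination port, None = any
    action: str          # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.port is None or self.port == port))


# Constructed zones (hypothetical network, not a real one).
ZONES: Dict[str, str] = {
    "corp_users": "10.10.0.0/16",
    "web_tier": "10.20.0.0/24",
    "app_tier": "10.30.0.0/24",
    "card_db": "10.40.0.0/24",
    "monitoring": "10.50.0.0/24",
}

# Segmentation policy: the only zone-to-zone flows the business has approved.
POLICY: Set[Tuple[str, str, int]] = {
    ("corp_users", "web_tier", 443),
    ("web_tier", "app_tier", 8443),
    ("app_tier", "card_db", 5432),
    ("monitoring", "app_tier", 9100),
}

# Constructed ACL, evaluated top to bottom, first match wins.
ACL: List[Rule] = [
    Rule("10.10.0.0/16", "10.20.0.0/24", 443, "allow"),   # users -> web (HTTPS)
    Rule("10.20.0.0/24", "10.30.0.0/24", 8443, "allow"),  # web -> app
    Rule("10.30.0.0/24", "10.40.0.0/24", 5432, "allow"),  # app -> card DB
    Rule("10.10.5.0/24", "10.40.0.0/24", None, "allow"),  # forgotten "temporary" admin exception
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),         # explicit catch-all deny
]


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation; anything unmatched is denied."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


def zone_of_network(cidr: str, zones: Dict[str, str]) -> Optional[str]:
    """Name of the zone that fully contains the given CIDR, if any."""
    net = ip_network(cidr)
    for name, zone_cidr in zones.items():
        if net.subnet_of(ip_network(zone_cidr)):
            return name
    return None


def audit(acl: List[Rule], zones: Dict[str, str],
          policy: Set[Tuple[str, str, int]]) -> List[str]:
    """Return human-readable findings; an empty list means the ACL matches policy."""
    findings: List[str] = []
    # Direction 1: every allow rule must be an approved, single-port flow.
    for rule in acl:
        if rule.action != "allow":
            continue
        src_zone = zone_of_network(rule.src, zones)
        dst_zone = zone_of_network(rule.dst, zones)
        if src_zone is None or dst_zone is None:
            findings.append(f"{rule.src} -> {rule.dst}: rule spans an unclassified address range")
        elif rule.port is None:
            findings.append(f"{rule.src} -> {rule.dst}: allows any port from {src_zone} to {dst_zone}")
        elif (src_zone, dst_zone, rule.port) not in policy:
            findings.append(f"{rule.src} -> {rule.dst}:{rule.port}: unapproved flow "
                            f"{src_zone} -> {dst_zone}")
    # Direction 2: every approved flow must actually pass (catches missing/shadowed rules).
    for src_zone, dst_zone, port in sorted(policy):
        src_ip = str(ip_network(zones[src_zone])[1])  # first usable host as a probe
        dst_ip = str(ip_network(zones[dst_zone])[1])
        if evaluate(acl, src_ip, dst_ip, port) != "allow":
            findings.append(f"approved flow {src_zone} -> {dst_zone}:{port} is blocked")
    return findings


if __name__ == "__main__":
    for finding in audit(ACL, ZONES, POLICY):
        print(finding)
```

Run against the constructed ACL, the audit reports two findings: the any-port exception from a corporate subnet straight into the card database zone, and the approved monitoring flow that no rule actually permits. Checking both directions matters; a rule set that only looks clean from the allow side can still be silently shadowing a flow the business depends on, which is exactly the re-architecture risk Walter describes.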
GS: Given the sophistication of the attack vector(s) that fraudsters employ today, how much confidence do you have in JPMorgan's claim that the hack did not include the compromise of customers' financial credentials, like credit card and Social Security numbers?
Adam Kujawa, Head of Malware Intelligence, Malwarebytes Labs (the research arm of Malwarebytes): There is honestly no reason for a company to lie about something like that unless they are going to withhold the entire truth. If the attackers were able to grab more than just the personally identifiable information that they got (i.e. credit cards, Social Security numbers, etc.) then it would only be a matter of time before JPMC customers would start seeing things like purchases they didn’t make or other identity theft type activities. At which time, they could point the finger at JPMC who told them previously that only names, addresses, e-mails, and phone numbers were stolen and call them out on their lie.
Sophistication of attacks aside, the organizations that we put faith in when it comes to our personal information and finances do employ at least some security measures, in order to keep the easy attacks out and hopefully prevent serious attacks. JPMC most likely has far greater security on the servers containing credit card and Social Security numbers than they do on their basic customer interface or whichever system the attackers were able to extract the data from.