Updated: Friday, December 19, 2014
Ingenico spots six payments trends to watch in 2015
At the close of 2014, payments leaders are reflecting on the year's highlights and looking ahead to what many believe will be a defining year for the industry. An unprecedented number of disruptions have occurred over the past twelve months, led by emerging technologies, the expanding role of data analytics, and changes in purchasing behaviors and banking environments.
The digital transformation of payments is perhaps most evident in the changing role of payments industry equipment manufacturers. Top brands have evolved from device-centric models to holistic, end-to-end solutions that are compatible with diverse populations of POS hardware and software.
Thierry Denis, North American President of Ingenico Group, a global enterprise dedicated to seamless payments with U.S. headquarters in Atlanta, expects to see more disruption in 2015, as EMV (short for Europay, MasterCard and Visa) adoption, mobile payments and improved security standards continue to shape the future of merchant services. For this article, Denis discussed six top payments trends Ingenico identified for 2015.
1. Security to remain a key driver in payments
As the last region in the world to adopt EMV, the United States became an easy target for cyber criminals who found it relatively easy to steal cardholder data processed on mag stripe card readers, compared with the more secure method of smart card payment processing. A record number of data security breaches occurred in the North American region in 2014.
Ingenico Group advises all merchant services providers to work closely with retailers to address this. Many companies are revisiting security strategies to improve their protection of card data environments in conformance with guidelines of the PCI Security Standards Council (PCI SSC).
2. Companies to combine P2PE and EMV to optimize security
Also known as end-to-end encryption, P2PE encrypts card data from the entry point of a merchant's POS device to a point of secure decryption outside the merchant's environment, such as a payment processor.
Many Tier 1 and 2 merchants are preparing for the Oct 2015 EMV liability shift with a shortcut approach that links EMV and P2PE planning, an approach that Ingenico calls "semi-integrated." This aims to take the entire merchant environment out of Payment Card Industry (PCI) Data Security Standard (DSS) scope and solve the EMV piece at the same time via a seamless payments system that addresses both PCI and EMV compliance.
3. Security upgrades, outsourcing expected to grow in 2015
Ingenico noted that small to midsize business owners have been slower to implement EMV technology that would help protect their processing systems from malicious attacks. This is puzzling, considering that a majority of data security breaches have taken place at Level 4 merchants, according to data provided by the PCI SSC.
Even the upcoming liability shift has not made a significant impact on EMV adoption in this segment. Ingenico predicts that over half of Tier 3 and 4 merchants will not have implemented EMV payment processing by the October 15, 2015 deadline.
Ingenico believes online fraud and chargebacks will become increasingly complex to manage in the global marketplace, as merchants shift their focus to international markets and mobile commerce continues to drive growth in many developing countries.
Fraud rates in cross-border and mobile commerce generally exceed those of domestic e-commerce. Ingenico expects merchants to increasingly outsource fraud management to online payment or fraud specialists in 2015.
4. In-store mobile payments to drive merchant-consumer engagement
Merchants of all sizes and categories have expressed the desire to partner with their customers in every step of the commerce journey. Many brick-and-mortar retailers have implemented in-store mobile POS solutions with smart posters and kiosks that facilitate consumer purchasing decisions without being overly intrusive. Solutions such as iBeacon help retailers stay connected to their consumer base and better understand and track who's shopping in their stores, Ingenico noted.
In an ongoing effort to support customers' preferred payment methods, many Tier 3 and 4 merchants are upgrading processing systems to support near field communication and Apple Pay. Ingenico sees increasing adoption of Apple Pay by Tier 3 and 4 merchants as evidence that Apple is inspiring technology upgrades in this market where EMV could not.
5. Role of e-commerce to expand
Consumers, increasingly willing to spend online, have been driving the global expansion of e-commerce and adoption of new, more secure methods of online shopping.
According to Ingenico, mobile commerce is driving overall online commerce growth in many international markets. Consumers increasingly expect a seamless buying experience that's integrated across multiple platforms, including mobile devices, automobiles and wearable technology.
Merchants will require a developer-centric approach from vendors with easy access to modern application programming interfaces to be able to sell goods and services in the omni-channel world.
6. Data analytics, trusted relationships to optimize performance
Ingenico also expects advanced data analytics and visualization software to play a central role in identifying and removing bottlenecks in the payment process and improve conversion rates. Many enhanced intelligence solutions enable merchants to benchmark payment performance against peers and discover new market opportunities.
Greg Boardman, Senior Vice President of Product Development at Ingenico Group, sees the next several years as challenging but exciting times for large and small retailers. He has been involved in a number of payments industry initiatives focused on improving adoption of P2PE and EMV, technologies that he considers as critical priorities.
Boardman believes broad implementation of these solutions will require more than just technical savvy; it will increasingly depend on the cooperation of all stakeholders in the value chain, and partnerships that are based on respect and trust. Both retailers and acquirers have benefitted from the new collaborative model, and Boardman and his colleagues expect the momentum to continue in the New Year.
"The fundamental but long overdue technology implementations of P2PE and EMV acceptance requires a long runway and will dominate most budgets and human resources, [and] unfortunately comes at a time when innovation in payments is at a fever pitch," Boardman said. "Choosing the right strategies to benefit from both sides of this equation can be difficult. Satisfying the base requirements while also entertaining the possibilities for new payment schemes and mobility initiatives demands a level of focus and partnership that very few organizations in payments understand."
Charge Anywhere breach puts spotlight on TPSPs
Wednesday, December 17, 2014
Recent news of a security breach at Charge Anywhere has raised concerns about vulnerabilities that may exist in payments industry middleware and third-party service providers (TPSPs).
Charge Anywhere, a New Jersey-based payment gateway, has long been considered an innovator in the mobile payments space, marketing payment solutions and services through ISO and reseller distribution channels since 2002. Now, the company is working with its channel partners to help them mitigate risk, as well as teaming up with security specialists to forensically investigate malware initially discovered on Sept. 22, 2014. The malware has since been removed.
In a written notice posted on the company's website, Charge Anywhere stated its investigation had "revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic. Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.
"While we discovered the malware on September 22, 2014, it required extensive forensic investigative efforts to de-code it and determine its capabilities. During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified. Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009."
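The property that Ingenico's P2PE item describes (card data leaves the merchant's environment only in encrypted form) is exactly the property the Charge Anywhere statement above reports failing: certain outbound authorization requests were in clear text. The following is an added example, not code from the article, Charge Anywhere or Ingenico, showing the kind of egress check a gateway or merchant can run over its own outbound messages to detect that failure mode before an intruder does. The message formats and field names (AUTH_REQ, PAN, ENC_BLOB, KSN) are constructed for illustration; the check itself is generic: it flags any Luhn-valid 13 to 19 digit run in a message and reports it masked.

```python
import re
from typing import Dict, List

# Constructed sample of outbound messages, as an egress monitor at a gateway
# might see them. Hypothetical formats, not Charge Anywhere's.
#   [0] authorization request with a clear-text PAN: the failure mode to catch
#   [1] authorization request carrying only an encrypted blob and a key serial
#       number, i.e. what a P2PE design should emit
#   [2] non-payment heartbeat traffic
#   [3] a digit run that looks like a PAN but fails the Luhn check (no alert)
SAMPLE_OUTBOUND: List[str] = [
    "AUTH_REQ v1|MID=000123|PAN=4111111111111111|EXP=1217|AMT=4999",
    "AUTH_REQ v2|MID=000123|ENC_BLOB=8f3a9c...|KSN=FFFF9876543210E00001|AMT=4999",
    "HEARTBEAT|MID=000123|TS=2014-09-22T10:15:00Z",
    "AUTH_REQ v1|MID=000123|PAN=4111111111111112|EXP=1217|AMT=1000",
]

# A candidate PAN is a run of 13 to 19 digits, optionally separated by single
# spaces or dashes, not adjacent to other digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(message: str) -> List[str]:
    """Return every Luhn-valid PAN found in clear text in one message."""
    found = []
    for m in _PAN_CANDIDATE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so the alert itself does not
    become a second place where full card numbers are stored."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_outbound(messages: List[str]) -> List[Dict[str, object]]:
    """Scan a batch of outbound messages; return one finding per message that
    carries a clear-text PAN, with the PANs masked."""
    findings = []
    for idx, msg in enumerate(messages):
        pans = find_cleartext_pans(msg)
        if pans:
            findings.append({"index": idx, "masked_pans": [mask_pan(p) for p in pans]})
    return findings


if __name__ == "__main__":
    for f in scan_outbound(SAMPLE_OUTBOUND):
        print(f"message {f['index']}: clear-text PAN(s) {f['masked_pans']}")
```

Run against the constructed sample, only message 0 is reported; the encrypted-blob message, the heartbeat and the Luhn-invalid digit run produce no alert. In practice the same logic sits on a span port or in a proxy in front of the processor link, and a non-empty result means the encryption or tokenization path has a gap that a traffic-capturing intruder could exploit.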
The malicious act struck a collective nerve in the vast, interconnected payments ecosystem. Other reports of high-profile data breaches such as those at Bebe Stores Inc., The Home Depot Inc., and Target Corp. made no mention of the processors or middleware service providers behind compromised big-box brands.
However, the Charge Anywhere breach provided news media with a rare behind-the-scenes peek at the payments industry. Charge Anywhere senior management said they appreciate the gestures of support received from industry friends and colleagues and told The Green Sheet the company needs a bit more time before its representatives can make further comments. The ultimate impact the apparent five-year intrusion will have on Charge Anywhere's business is as yet unknown.
PCI provides guidance, not guarantees
Chris Bucolo, ControlScan's Senior Manager of Security Consulting, noted that hackers have become more advanced, sophisticated and innovative at exploiting vulnerabilities in merchant and processor environments, prompting some clients to debate the overall effectiveness of Payment Card Industry (PCI) Data Security Standard (DSS) security.
"Some of our clients claim that PCI security doesn't go far enough because you can pass a couple of tests but still be at risk for a data breach," Bucolo said. He added that PCI is designed to provide guidelines but not guarantees. He recommended that payment professionals and merchants perform due diligence when vetting prospective service providers and make sure they fully understand the potential providers' security practices. He would like to see more clients push for detailed explanations about the ways in which service providers manage security.
"We encourage clients to ask the tough questions," Bucolo said. "When their processor says, 'We're compliant,' clients can ask processors how frequently they test security levels and how they assess the compliance of other third-party service providers in their networks."
Build relationships with trusted TPSPs
ControlScan is a member company of Third-Party Security Assurance Group, a special interest group of The PCI Security Standards Council (PCI SSC) that's focused on security best practices by TPSPs. The committee published a report in August 2014 providing guidance to businesses that use TPSPs to "store, process, or transmit cardholder data on the entity's behalf, or to manage components of the entity's cardholder data environment (CDE), such as routers, firewalls, databases, physical security, and/or servers."
The comprehensive 44-page report covers everything from how to identify an appropriate TPSP to how to perform risk assessments and maintain a satisfactory, ongoing relationship with aligned interests and optimal security practices. The guidelines list five milestones in a business relationship with a third party: setting expectations, gaining transparency, establishing communications, requesting evidence and obtaining information about PCI compliance.
The report gives several reasons that justify the time and effort involved in developing and implementing a strong TPSP monitoring program. Such a program:
- Improves the security of the cardholder data environment
- Sets expectations for businesses and their service providers
- Keeps the lines of communication open with a formal monitoring program
- Shows businesses how to actively participate in protecting their card data environments by taking a proactive—instead of reactive—position
- Can demonstrate compliance with a key section of the PCI DSS if requested by a party performing an assessment
Biff Matthews is President of CardWare International, a full-service provider of hardware, software, supply logistics and call center services in Heath, Ohio. Matthews saw similarities in the PCI SSC guidelines and the federal guidelines that require banks to know their customers. He noted that all financial institutions, ISOs and merchant level salespeople should really know their vendors, including the individuals who download their POS and PIN entry devices.
Matthews advised asking plenty of questions before establishing a working relationship. "Is that service provider PCI compliant, and a certified ESO [encryption services organization]?" Matthews said. "Don't hesitate to validate their computer system, physical location security and perform employee background checks. Be secure."
Holiday shopping gets ‘pay-by-pay’ analysis
Friday, December 12, 2014
Midway through the holiday shopping season, analysts are crunching the numbers, providing a “pay-by-pay” analysis of consumer spending patterns. The reports give some merchants and payment professionals reason to celebrate while others may be motivated to revisit their promotional strategies.
Year-over-year growth in consumer spending grew a modest 5.3 percent compared with a 7.4 percent increase in 2013, according to First Data’s 2014 SpendTrend Holiday Shopping analysis, a comprehensive report issued December 8, 2014. The study measured in-store transaction data and consumer spending at over 1 million merchant locations.
Consumer debt, confidence growing
First Data Senior Vice President of Information and Analytics Solutions Krish Mantripragada was encouraged by the shift from debit to credit card usage during Cyber Week. He said this trend “may indicate that consumers are feeling more confident about their current financial situation, likely driven by the improvement in the labor market and reduction in gasoline prices.”
An Equifax report issued on December 10 noted a rise in consumer debt in major markets across the United States that industry analysts attribute to a rebounding economy and improved housing market. Among the 25 top metropolitan areas, 17 reported a bump in consumer debt in the third quarter of 2014 compared with the same period of the previous year. Houston was the highest at an increase in consumer debt of 6.5 percent, followed by Denver at 4.3 percent and Dallas at 4.1 percent.
The National Retail Federation noted an increase in retail sales of “0.6 percent seasonally adjusted over October and 3.2 percent unadjusted over November 2013,” in its December 11 report. NRF President and Chief Executive Officer Matthew R. Shay, encouraged by moderate but steady growth in consumer incomes and spending patterns, noted that “shoppers are clearly in a better place than last year and the extra spending power could translate into good news for retailers.”
Omni-channel retail bronze, silver and gold
First Data cited building materials, garden equipment, electronics, appliances, furniture and home furnishings as the highest performing retail categories, each achieving greater than 8 percent growth in year-over-year consumer spending. Retail winners shared an aptitude for omni-channel commerce, defined by Lorena Harris, Vantiv Inc.’s Vice President of Corporate Marketing, as “the ability to provide a seamless payments experience across channels.”
Shop.org, the NRF’s digital retail division, explored omni-channel trends in its annual summit held in Seattle in September 2014. One of the key insights from the conference was the cross-pollination between the in-store and online shopping experiences.
Brad Brown, Senior Vice President of Digital Retail at Recreational Equipment Inc., views this trend as a driving force behind his company’s identity and brand. In an interview with NRF blogger Artemis Berry, Brown said that the REI brand offers a consistent experience across all points of a customer’s journey that extends beyond any one particular website or store.
“We believe these cross-channel experiences will only grow,” Brown said, attributing the increase to the growing adoption of mobile platforms that customers can use to get real-time information such as, “Where’s the closest store? Do they have what I need in stock?” and “What is the snow forecast for Tahoe?”
Payment platforms facilitate omni-channel growth
A recent report by Goldman Sachs predicted that half of e-commerce will be conducted on mobile devices by 2018. The investment leader predicted that 535 million consumers will use mobile payment technology in 2014, and 686 million will use some form of mobile payments in 2015, with overall mobile payment revenues climbing above 1 billion by 2018.
Growing adoption of mobile payment technologies has changed the retail experience by adding new levels of complexity to transactions. Consumers can review products online and purchase in-store or research in-store and buy online.
Shoppers can change their payment methods even beyond the point-of-purchase, choosing from a variety of products including cash, credit, loyalty points and digital currencies. Most retailers agree on the need to provide a seamless shopping experience that facilitates all phases of the sale, from initial research, to comparison shopping, to managing post-sale purchases.
Don Kingsborough, Vice President and General Manager of Prepaid at PayPal Inc., noted that the impact of omni-channel trends on payment technology has made open-source software and interoperability an imperative for leading-edge payment platforms. In remarks at an annual summit of the Smart Card Alliance in 2011, Kingsborough said that the new commerce landscape is a changing dynamic in which consumers have emerged from “unknown to known to [finally being] understood.”
NSA unleashes Nifi protocol for commercial, government use
Tuesday, December 9, 2014
The National Security Agency released the first in a series of hyper-adaptive software solutions designed to improve efficiencies in the government and private sectors. Niagarafiles (Nifi) is a new protocol conversion method developed by the NSA's Technology Transfer Program (TTP) that the NSA made available to open source software developers on Nov. 25, 2014. This is viewed as a positive step for many market sectors, including the payments industry.
The NSA established the TTP in 1990 to strengthen the U.S. industrial base by sharing technical expertise among government and non-government entities. The TTP helps stakeholders leverage "dual use" technologies that work in public and private sectors, and use commercial, off-the-shelf technology to reduce government overhead.
Over the years, TTP "dual-use technologies" have been broadly applied by governments and commercial enterprises. Many of these applications have been documented in The Next Wave, a quarterly publication of the NSA Research Directorate that reports on research and activities in telecommunications and information technologies.
In The Next Wave's 20th anniversary issue, NSA Deputy Director Deborah Finke, Ph.D. wrote:
"People are less users who interface with a specific computer than they are beneficiaries of a digital team, in which multiple devices and software are expected to work together smoothly to support the goals of the whole and even integrate with other digital teams to support social interaction. The ways to engage and the opportunities to improve are seemingly endless. Also, as we move into the next 20 years, it is worth pointing out that the challenges for those who seek to make user experiences safer and more secure are becoming harder, not easier—and it is even more important that we get this right."
The TTP shares federally owned technologies and resources with business owners and invites leaders from the business community to educate government agencies on a range of substantive issues.
The business, technology, and academic communities have actively participated in a number of the TTP's strategic initiatives in the areas of acoustics, advanced mathematics, communications, computer technology, information processing, microelectronics, networking, optics, security and signal processing.
Linda L. Burger, Director of the TTP, sees the NSA's national security focus as a creative force that the agency has channeled into designing and producing leading-edge technical solutions. "NSA's innovators work on some of the most challenging national security problems imaginable," Burger said. "We use open source releases to move technology from the lab to the marketplace, making state-of-the-art technology more widely available and aiming to accelerate U.S. economic growth."
A tool for data security
Payment professionals have noted the vibrant culture of the security community where innovation is born out of necessity to stay ahead of malicious attacks. Chris Bucolo is Senior Manager of Security Consulting at Atlanta-based ControlScan, a provider of integrated security and compliance solutions designed to help business owners secure sensitive data and comply with information security and privacy standards.
Bucolo, who has extensive experience in Payment Card Industry (PCI) Data Security Standard (DSS) and security consulting, brings a unique perspective to discussions on PCI scope issues as well as practical applications of PCI requirements in the merchant environment.
"The fact that the NSA is able to share advancements in this area with others in industry and academia is a very positive step," Bucolo said. "I am part of the Merchant and Financial Cyber Security Partnership [working group]. I have seen unprecedented cooperation and information sharing among agencies, law enforcement, retailers, financial institutions, trade groups as well as large retail trade groups, in order to combat the world of threats we find ourselves living in. There is a strong sense of urgency and information sharing."
ANX, a Michigan-based data security organization, sees the NSA's new open-source tool as beneficial to government and business. On a weekly basis, ANX Executive Vice President Mark A. Wayne sees new forms of malicious software infiltrate POS systems and steal customer credit card information.
Contrary to popular belief, much of the software is not being developed by bored college kids in their parents' basements; it's the work of sophisticated criminals that belong to organized, underground cybercrime groups, usually in Eastern Europe.
"The government doesn't generally get involved in an isolated credit card data breach until after it's already happened," Wayne said. "The business owner simply receives a knock on the door from the Secret Service telling them they've been breached, but at that point it's too late; hackers have already compromised the system."
He added that retailers can leverage the expertise of Qualified Security Assessors and Approved Scanning Vendors to help secure their networks from hackers and guide them into compliance with standards set by the PCI Security Standards Council. This will help them avoid the heavy costs they would incur in the event of a cyber-attack.
"We're hoping the technological enhancements developed by the NSA will assist programs like ours in intercepting malware traveling into business networks before it gets there," Wayne said.
For more information about the NSA's TTP, visit www.nsa.gov/research/tech_transfer/index.shtml.
Bebe breach a reminder of security vulnerabilities this holiday season
Friday, December 5, 2014
Cyber Week 2014 unleashed big deals and bigger threats in the omni-channel retail environment, where emerging consumer trends and a rash of high-profile security breaches have altered the holiday shopping playing field.
The latest breach at Bebe Stores Inc., initially reported by KrebsOnSecurity Dec. 4, 2014, and confirmed by Bebe today, involved cybercrime operation Goodshop, which was selling counterfeits of cards used at Bebe stores Nov. 18 through 28, according to Krebs' bank sources. The extent of the crime and the number of consumer accounts affected has not yet been determined.
Observers have noted that U.S. consumer confidence in data security was already at historic lows in the weeks leading up to the holiday season. In a report published Oct. 21, 2014, San Diego-based Identity Theft Resource Center disclosed that 621 data breaches occurred in 2014, affecting more than 77 million customers.
Other high-profile breaches include last holiday season's attack on Target Brands Inc., which involved data pertaining to 40 million credit and debit cards, and the more recent The Home Depot Inc. intrusion, in which 53 million email addresses and 56 million cardholder accounts were compromised. Additional notable breaches occurred at Kmart, Michaels Stores Inc., Sears Holdings Corp., Dairy Queen, Staples, Goodwill, Neiman Marcus, JPMorgan Chase, Verizon, and EA Games.
Findings by Princeton Research Associates on behalf of CreditCards.com confirmed that 45 percent of consumers would not shop at any of the retail stores that had been breached, and 48 percent would use only cash throughout the holiday shopping season instead of credit or debit cards.
Security analysts give retailers mixed reviews
Consumers have been doing more shopping on smartphones and tablets, creating more entry points for hackers and a new set of challenges for information technology (IT) professionals throughout the retail and payments industries.
About the Bebe breach, Steve Hultquist, Chief Evangelist at security analytics company RedSeal, said, "Breaches of credit card data are now so widespread that cybersecurity experts refer to the 'breach of the week.' While details of this breach are sparse, it appears to be another example of point of sale malware capturing scanned card information and sending it to data collection receptacles.
"This approach underscores the requirements of a successful breach: initial access into a network to place the malware, vulnerable systems on which to place it, vulnerable systems to use as data collection points, and outbound access from the network to external data repositories. There are enough steps in the attack that automated analysis of the entire network is a critical and necessary defense.
"Leaving to reactive technologies the task of defending the organization without even knowing that they are properly placed within the network leaves the organization open to persistent attack. It is time for organizations to move beyond passive reactive defenses to active preventative technology."
Companies that have experienced data breaches are generally considered to be safer after the intrusions due to their remedial activities and protections, but security analysts have found that is not always the case. Cambridge, Mass.-based BitSight Technologies, which evaluates threat detection procedures, downgraded 58 percent of its retail clients in 2014, citing sub-par security infrastructures.
In a Nov. 18 report that scrutinized 300 retailers, BitSight drew conclusions that do not come as a surprise: the retail sector is still under wide scale attack, retailers breached in the last year have seen improvement, securing the supply chain remains a big challenge, and infection through malware, viruses, etc. is increasing in almost all threat vectors. More information from the report, including an infographic, can be found at http://info.bitsighttech.com/retail-security-performance-2014.
Good fences don't always make good neighbors
New York-based SecurityScorecard, a security analytics company, provides real-time intelligence to enterprise-scale client organizations. Chief Executive Officer and co-founder Aleksandr Yampolskiy said that legacy security systems such as firewall and perimeter protection methods increase retailers' risk of data breaches.
Yampolskiy suggested that implementing real-time analytics and having better communication within the retail community would help "fight the bad guys and [improve best practices by] getting better at sharing information with each other."
James Nunn-Price, a partner and cyber lead at Deloitte Consulting LLP's UK office, said that complex IT infrastructures require equally complex security strategies that go beyond the traditional practice of perimeter protection.
Most organizations have "multiple perimeters of different strengths, and effort must move to managing the internal threat to detect what is happening within the [organization]," Nunn-Price said.
According to some experts, increased connectivity in the hyper-connected global marketplace has rendered perimeter protection and similar legacy practices obsolete. Peter Vlissidis, Technical Director at NCC Group, suggested that bring-your-own-device and cloud computing trends have forever changed IT infrastructures globally, making it imperative for organizations "to think about how information is structured and flows through not just their own networks, but the whole cyber world."
No happy holiday for Bebe
Meanwhile, instead of focusing exclusively on its holiday season sales strategies, Bebe is in the midst of mopping up after a breach. As many as 174 Bebe stores and 35 outlet stores located in the United States, Puerto Rico and the U.S. Virgin Islands may have been affected. The retailer maintained that no online transactions were affected, and, in a prepared statement, the retailer's CEO Jim Wiggett said, "We moved quickly to block this attack and have taken steps to further enhance our security measures."
Analysts have begun to comment on the breach, based on the limited amount of information available. Eric Chiu, co-founder and President of cloud control company HyTrust, stated, "A year has gone by since the Target breach with no end in sight – major breaches are happening more often with the most recent victim being Bebe, on the heels of Home Depot, Sony, eBay and many others."
Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, said, "It looks like the payment systems for [Bebe's] U.S. stores were attacked, meaning that most likely they were all using the same software/hardware that had the same vulnerability. Unfortunately, without additional technical explanations, exactly what was vulnerable on those systems will remain a secret, and we can only hope that the same vulnerability isn't going to be used against another retailer.
"Not only are these attacks getting bigger where attackers are able to siphon off massive amounts of data from the inside, but also the consequences are getting much larger with recent court rulings allowing banks to sue Target for its breach in 2013. The stakes are high for both companies and consumers – security has to be THE top priority, especially when customer data or intellectual property is at stake."