The Green Sheet, Inc


Monday, August 21, 2017

Contactless lifting off

In "The payments journey: From point of sale to points of commerce – Part 1", The Green Sheet, April 10, 2017, issue 17:04:01, Dale S. Laszig wrote that the payments industry's history is "replete with examples of wide-scale migrations, from paper to electronic data capture, and from mag-stripe to contact and contactless EMV (Europay, Mastercard and Visa) cards." Only months later, it appears the migration to contactless form factors is escalating. A new study from Juniper Research predicted 53 percent of global POS transactions will be contactless within five years, compared to 15 percent this year.

The United States, which was the last developed economy to implement EMV, is expected to experience a significant increase in contactless payments. In POS & mPOS Terminals: Vendor Strategies, Positioning & Market Forecasts 2017-2022, Juniper reported that contactless payment adoption in the United States would rise sharply over the period, from less than 2 percent of transactions this year to 34 percent by 2022. Juniper stated that "customer dissatisfaction at the slower speeds of chip card transactions, allied to burgeoning contactless infrastructure, would provide further impetus for smartphone-based payments currently dominated by Apple Pay."

Visa and Mastercard both mandated that all POS terminals in a number of regions must be contactless-enabled by 2020. According to Juniper, in markets where contactless has been heavily promoted, Poland and the United Kingdom, for example, "adoption has soared."

Report author Dr. Windsor Holden said, "While U.S. card issuers haven't yet made contactless a priority, the extremely positive response across Europe, both from merchants and consumers, suggests the US would see very rapid migration at POS if and when contactless cards become mainstream." However, he also cautioned that the United States' reluctance to implement PIN at the POS for non-contactless payments means that the full benefits of card-present fraud reduction, experienced elsewhere by the migration to EMV, are unlikely to be realized.

Juniper researchers also concluded small merchants ‒ the sweet spot for many ISOs and merchant level salespeople (MLSs) ‒ will increasingly embrace mobile POS accessories, which facilitate payments via connections to mobile devices, and further predicted that growth in this market would accelerate the transition from cash to card payments, particularly for lower-value transactions.

POS systems offered throughout the United States are increasingly able to accommodate contactless payments, and based on prior migrations, there is no doubt MLSs will be prominent among those who help merchants embrace this change.

Uber agrees to FTC privacy guidelines
Friday, August 18, 2017

Uber Technologies Inc. disclosed Aug. 15, 2017, it will cooperate with a proposed consent order by the Federal Trade Commission by implementing stricter privacy guidelines. A court ruling upheld the FTC's proposal for repairing what the FTC deemed to be Uber's egregious privacy policies.

FTC Acting Chairman Maureen K. Ohlhausen said Uber had both underplayed employee access to databases and failed to secure user and driver information. Uber called one of its publicized practices "Creepy Stalker View," suggesting it was fully aware of its unauthorized and illegal behavior.

Peter Sims, founder and Chief Executive Officer of parliament inc., said he was contacted in October 2014 by an attendee at an Uber launch party where the company was streaming celebrity avatars in real time as they took Uber rides in New York City.

"After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission," he later blogged. "She told me to calm down, and that it was all a 'cool' event and as if I should be honored to have been one of the chosen." Sims said he later quit the ride-sharing service, despite having been impressed by its product design and user experience.

GDPR, global privacy concerns

As previously reported July 19, 2017, in The Green Sheet, a joint study by Crowd Research Partners and Stealthbits Technologies Inc. found most companies may not be ready for the European Union General Data Protection Regulation (EU GDPR), which becomes law May 25, 2018. The companies surveyed 500 cybersecurity professionals who belonged to LinkedIn's Information Security Community. Nearly 90 percent of survey respondents in the 2017 EU GDPR Readiness Report were familiar with the EU GDPR; only 32 percent considered themselves compliant or nearly compliant. The guidelines will affect U.S. companies that work with European individuals and organizations, researchers noted.

Willy Leichter, Vice President of Marketing at security firm Virsec Systems Inc., said the Uber settlement highlights the need for companies to take customer privacy more seriously or face significant penalties and fines. "Regardless of fines, it's no longer acceptable or prudent for companies to handle customer data carelessly," he stated. "If this type of breach occurs after the EU GDPR takes effect in May 2018, Uber could be liable for up to 4 percent of [its] annual revenue, no doubt a huge number."

Leichter further noted that compliance requirements increasingly demand security practices that are up to date, well documented and actively enforced. This includes using current technology like encryption and advanced malware protection. "Even if a company is hacked, they will be held responsible for the lost data," he noted.

Christian Vezina, Chief Information Security Officer at Vasco Data Security International Inc., said the approaching GDPR deadline and massive privacy breaches around the world make it imperative for organizations to focus on protecting personal information and improve how they manage and protect that data. "We will see more fines and penalties among companies that fail to apply generally accepted privacy principles," he said. "A true focus on data privacy, like applying the Privacy by Design principle, and limiting data collection to what is strictly required will become a differentiator for data subjects who are tired of getting notified that their personal information has been breached, again."

Proposed consent order

Uber has agreed to the terms and conditions of the FTC ruling by observing the following guidelines:

The FTC has invited the public to review and comment on the ruling until Sept. 15, 2017, when the proposed consent order becomes final. "This case shows that, even if you're a fast-growing company, you can't leave consumers behind; you must honor your privacy and security promises," Ohlhausen said.

Uphill battle for cybersecurity pros
Thursday, August 17, 2017

An online survey of more than 400 IT cybersecurity professionals revealed threat detection as the top cybersecurity challenge among 62 percent of those surveyed. ControlScan, in partnership with Crowd Research Partners and the Information Security Community on LinkedIn, conducted the in-depth survey and published findings in the 2017 Threat Monitoring, Detection and Response Report.

"This new research report is timely, because it shows that organizations are missing important opportunities to detect cybersecurity threats before they become business disruptors," said Mark Carl, Chief Executive Officer at ControlScan. "A big part of the problem is that in-house IT teams lack the necessary manpower and, in many cases, the specialized knowledge to effectively defend against today's attacks."

In fact, among those surveyed, 49 percent cited employee lack of cybersecurity skills and/or training as an organizational shortcoming, only 39 percent of the firms deployed advanced endpoint security to combat ransomware, and 23 percent of those surveyed were unsure how long it would take for their organization to recover from a cyber attack.

Sobering statistics, encouraging developments

The report statistics were sobering, especially when ransomware, phishing attacks and attendant data loss were tagged as the top three security threats by IT pros surveyed and the level of concern about threat in each of these categories has risen sharply within the past six months. Insider threat due to careless behavior on network systems was credited for inadvertent data breaches or compromises at 64 percent of the firms surveyed.

Lack of budget (51 percent) and lack of skilled personnel and security awareness (49 percent) may be nothing new, as indicated in previous ControlScan surveys, but organizations that remain complacent face increasingly advanced risks, researchers noted.

The survey did find that a large percentage of organizations are currently using threat intelligence platforms, with 57 percent using one or more commercial threat intelligence providers, and 47 percent using open source platforms, respondents stated. Among the firms with such platforms in place, 49 percent reported a reduction in security breaches.

To reduce security vulnerabilities moving forward, hiring advanced security staff, offering employee security awareness training and deploying systems that reduce response time were identified as critical areas for improvement by survey participants.

"The cybersecurity threat landscape is rapidly advancing and organizations must shore up their threat management efforts to effectively address it," said Holger Schulze, founder of the Information Security Community on LinkedIn.

ETA sets forth recommendations on prepaid rule
Wednesday, August 16, 2017

The Electronic Transactions Association went to bat for the prepaid sector this week as part of its ongoing advocacy on behalf of the payments industry. In response to the Consumer Financial Protection Bureau's June 2017 request for comments on proposed amendments to prepaid account rules under the Electronic Fund Transfer Act and the Truth in Lending Act, Regulations E and Z, respectively, the ETA sent a concise letter to the CFPB.

The association offered several recommendations to the bureau. Among them were to:

In its letter, dated Aug. 14, 2017, the ETA also recommended the proposed exception apply in full to business arrangements and affiliate issuers so long as all of the conditions are met. This includes imposition of the 30-day waiting period for covered separate credit features.

Finalized but not finished

The prepaid rule in question was finalized in October 2016 and applies specific federal consumer protections to broad swaths of the prepaid market for the first time. It requires financial institutions to limit consumer losses, investigate and resolve errors, offer free and easy access to account information, and provide consumer protections.

"We know that effective implementation helps our rules deliver their intended value to consumers," said CFPB Director Richard Cordray in June. "Today's request for comment shows we are listening closely to feedback on our rules to decide whether certain adjustments will help to achieve that goal."

The CFPB noted that prepaid accounts are among the fastest growing consumer financial products in the United States, usually purchased at retail outlets or online. The amount consumers put on "general purpose reloadable" prepaid cards grew from less than $1 billion in 2003 to nearly $65 billion in 2012. The total dollar value loaded onto these prepaid cards is expected to nearly double to $112 billion by 2018. Prepaid accounts may be loaded with funds by a consumer or by a third party, such as an employer. Consumers generally can use these accounts to make payments, store funds, withdraw cash at ATMs, receive direct deposits, or send money to others.

The amendments for which the CFPB seeks input pertain to adjusting error resolution requirements, providing more flexibility concerning credit cards linked to digital wallets, as well as making "minor adjustments and clarifications to aspects of the prepaid rule that prepaid companies have asked questions about or told the Bureau are presenting obstacles to implementation," the bureau stated.

The CFPB also released an updated version of its small entity compliance guide for the prepaid rule. That update reflects the recent effective date delay, and also includes clarifications on several other issues for which industry has raised questions or suggested might be unclear. The revised guide, which includes a summary of the updates, can be found at

New bill aims to protect government IoT devices
Tuesday, August 15, 2017

The proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2017, introduced Aug. 1, 2017, would create minimum security requirements for U.S. government Internet-connected devices. Senate Cybersecurity Caucus co-chairs Mark R. Warner, D-Va., and Cory Gardner, R-Colo., and Sens. Ron Wyden, D-Ore., and Steve Daines, R-Mont., are sponsoring the bipartisan legislation, which would require government-supplied IoT devices to be patchable, updateable and protected from known vulnerabilities. Security analysts are stressing the need for similar initiatives in the private sector.

In an interview with The Green Sheet, Vanita Pandey, Vice President of Product Marketing at ThreatMetrix, said the IoT has opened new frontiers of growth and cyberthreats, creating "a third industrial revolution." Pandey warned it will only be a matter of time before a large-scale breach impacts mobile and IoT devices. As cybercriminals exploit connected devices and human failings with familiar attack patterns such as phishing and ransomware, advanced forms of detection will be critical to protect political and personal assets, she added.

"Humans continue to be the greatest vulnerability for corporations," Pandey stated. "Today, a large number of attacks come from cybercriminals looking to exploit known vulnerabilities that have never been patched despite patches being available for months, or even years, as evidenced by the WannaCry attacks, a concern the proposed legislation addresses."

Numerous security experts, including the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, participated in the Cybersecurity Caucus research efforts, representatives stated. The experts shared ideas on how to improve IoT security for devices shipped with hardcoded passwords, which are difficult to update or patch because they are embedded in source code.

IoT benefits, challenges

Security analysts predict the IoT will include more than 20 billion devices by 2020, creating opportunities and challenges for consumers and business owners. Recent distributed denial of service attacks against websites, servers and Internet infrastructure providers have highlighted the need for improved IoT frameworks, noted Sen. Warner, Senate Cybersecurity Caucus Co-chair. Warner, a former technology executive, also serves as Vice Chairman of the Senate Select Committee on Intelligence.

Sen. Gardner stated the IoT "continues to expand, with most experts expecting tens of billions of devices operating on our networks within the next several years. As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks. This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space."

According to Sen. Wyden, enacting the bill "would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals." He added that the bill would also update the Computer Fraud and Abuse Act and Digital Millennium Copyright Act by exempting cybersecurity researchers from liability from "irritated vendors" as they perform research pursuant to adopted coordinated vulnerability disclosure guidelines.

Swift passage expected

Government officials and private-sector executives have endorsed the proposed legislation. Upon passage, guidelines and disclosure policies for government contractors and connected devices would be implemented by the Office of Management and Budget and enforced by the Department of Homeland Security. All executive government branches would inventory their internet-connected devices.

"This bill deftly uses the power of the federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products," said Jonathan Zittrain, co-founder of the Berkman Klein Center. "This will help everyone in the marketplace, including non-governmental purchasers and the vendors themselves, since they'll be encouraged together to take steps to secure their products."

Bruce Schneier, Fellow and Lecturer at Harvard Kennedy School of Government, agreed the proliferation of insecure Internet-connected devices presents an enormous security challenge. "The risks are no longer solely about data; they affect flesh and steel," he said. "The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests."

Burglary on steroids

Pandey praised recent advances in information security research and cyber detection solutions but warned that human errors will continue to provide entry points for cybercriminals. Shared intelligence that can differentiate between good and bad customers and application programming interfaces is the best defense against connected and well-organized cybercrime, she noted.

"One of the big reasons for this is the fact that adoption of new technology outpaces people's true understanding of the implications or workings," she said. "This will be especially true for situations where the connected ecosystem will govern many key aspects of one's daily life or a corporation's operations."

Pandey expects IoT adoption and related threats to grow exponentially as connected and programmable devices control more aspects of our daily lives. "We may enter an era when individual households would be more at risk from potential ransomware attacks than from burglars and other criminals in the real world," she said. "At that point in time, there will be no such thing as an impenetrable system. Detection and understanding the source of compromise will be as critical as preventing them."
