Monday Mar 02, 2015

Payment Consolidation

What do you get when you add the following pairs?  Samsung+LoopPay, Google+Softcard, PayPal+Paydiant?  Answer: Viable ApplePay competitors.

First everyone and his brother had a mobile payment solution, then a select few rose to the top and got acquired.  The cycle goes like this: innovation, consolidation, standardization.  In this case, there's room for multiple standards, but not too many.  When the music stops, somebody will inevitably be left without a chair.  Today I feel like that's Samsung.

Google wants to play by established rules, but for the longest time telcos weren't letting them in the game.  Their recent agreement with the backers of Softcard now levels the playing field.  I think their ultimate strategy is the obvious one: advertising.  Being part of offline transactions gives them access to the customer's eyes and intentions.  Combine that with their existing online efforts and you have omni-channel marketing.

Approaching from a different angle, Apple is constantly looking for ways to remove the friction in everyday lives.  Their focus is on the user experience of payments, making sure it's as smooth and simple as possible.  This either drives sales of existing devices or creates new markets.  With ApplePay they'll sell more iPhones and create a new market by eventually charging fees (that consumers won't see directly).  They managed to dodge the telcos and get the backing of the banks, but that's no surprise given their track record in other industries.

On the other hand, PayPal is more aligned with the merchants, so their acquisition of the MCX technology provider makes lots of sense.  Their goal is to offer an alternative to swipe fees that satisfies both consumers and merchants.  Their work with Discover, beacons, and their Square-like fob is seeing some success with smaller retailers.  The ability to create orders and do person-to-person payments also sets them apart.

Then there's Samsung, the smartphone manufacturer.  LoopPay has very cool technology that transmits the card data to an existing magstripe reader through the air.  So for terminals that don't support NFC, the consumer can still put the phone within 3 inches of the magstripe terminal and send the card data.  That means that generally every existing merchant can already accept SamsungPay.  But there are two issues.  First, I'm not confident this system works 100% of the time.  And second, it's predicated on dying, insecure technology.  Clearly Samsung isn't worried about either of those issues.

All these moves, coupled with the occasional security breach, make this space very exciting.  Sit back and enjoy the ride.

Wednesday Feb 25, 2015

Eight Things Retailers Need to Know About EMV in the US

If you’ve received a new card from your bank in the last six months, it’s likely an EMV card with a chip.  Banks are issuing EMV cards, and retailers are installing EMV-capable terminals to accept those EMV cards.  Both are working toward the October 2015 deadline whereby the liability shift occurs.  Today, when a counterfeit card is used in a store, the bank takes the loss.  But after the liability shift, if the bank has issued an EMV card, but the retailer has not upgraded to an EMV terminal, then the retailer takes the loss resulting from counterfeit cards.

In that scenario the bank has done its part but the retailer hasn’t – so the retailer is the weakest link and takes on the risk.  If the retailer has an EMV terminal, but the card is not an EMV card, then the risk goes back to the bank since it’s the weakest link.

Most retailers understand the situation and have carefully weighed the risk versus the cost of upgrading terminals.  But there are many other nuances with the EMV migration.  Below are eight things every retailer should know:

1. If you’re not already testing EMV-capable terminals, you’re behind.  But you’re not alone as many retailers are questioning the cost of upgrading terminals.  The rollout in the UK and Canada took several years, so don’t expect anything special to happen on October 1 when the liability shift occurs.  It will be just like any other day.

2. The EMV specifications allow several methods for cardholder validation: online PIN, offline PIN, signature, and none (for low value transactions like vending machines).  The issuing bank decides which method to use when the card is programmed.  Then when the card is inserted into the terminal, the terminal will request a PIN or signature to verify the cardholder’s identity.

The card brands are recommending online PIN (where the PIN is sent to the issuer for verification, similar to debit transactions) instead of offline PIN (where the chip validates the PIN), but this decision will be transparent to both the cardholder and merchant.

In the US, a PIN is not mandated so many banks will configure their cards to request signatures.  Obviously this is not as secure and also places a burden on the retailers to retain signatures.  For this reason the NRF has been advocating “Chip and PIN” vs “Chip and Signature.”  Only Mexico and Brazil continue to use signatures.
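The point in item 2 that matters for a retailer is that the card, not the terminal, decides what the shopper is asked for: the issuer programs an ordered preference list into the chip, and the terminal walks that list and performs the first method it supports whose condition holds. The following added example (my own illustration, not code from this post or from any EMV library) models that walk. The real CVM List is a compact byte encoding with two amount thresholds per card; the tuple rules, the condition names, the issuer configurations, the terminal capabilities and every amount below are constructed for the demonstration.

```python
"""Simplified model of how an EMV terminal picks a cardholder verification
method (CVM) from the issuer's preference list.

Added illustration only, not code from the post or from any EMV library.
Real cards carry the CVM List as encoded bytes with rule bytes and two
amount thresholds; here each rule is a plain tuple and every amount is a
constructed sample value.
"""

ONLINE_PIN = "online PIN"    # PIN sent to the issuer for verification
OFFLINE_PIN = "offline PIN"  # PIN checked by the chip itself
SIGNATURE = "signature"
NO_CVM = "none"              # low-value transactions, e.g. vending machines

# Rule conditions (names are this example's own, mirroring the kinds of
# conditions an issuer can attach to a CVM rule).
ALWAYS = "always"
IF_AMOUNT_UNDER = "if amount under"   # rule carries a threshold in cents


def select_cvm(issuer_cvm_list, terminal_methods, amount_cents):
    """Return the first method in the issuer's ordered list whose condition
    holds and which this terminal can perform, or 'failed' if none can."""
    for rule in issuer_cvm_list:
        method, condition = rule[0], rule[1]
        if condition == IF_AMOUNT_UNDER and amount_cents >= rule[2]:
            continue                       # condition not met, try next rule
        if method == NO_CVM or method in terminal_methods:
            return method
    return "failed"                        # terminal must decline or go online


# Constructed issuer configurations.
# A US issuer that skips the PIN and prefers signature ("Chip and Signature").
US_SIGNATURE_CARD = [
    (NO_CVM, IF_AMOUNT_UNDER, 2500),
    (SIGNATURE, ALWAYS),
    (ONLINE_PIN, ALWAYS),
]
# A "Chip and PIN" issuer that only accepts signature as a last resort.
CHIP_AND_PIN_CARD = [
    (NO_CVM, IF_AMOUNT_UNDER, 2500),
    (OFFLINE_PIN, ALWAYS),
    (ONLINE_PIN, ALWAYS),
    (SIGNATURE, ALWAYS),
]

# Constructed terminal capabilities.
STORE_TERMINAL = {SIGNATURE, ONLINE_PIN, OFFLINE_PIN}
VENDING_MACHINE = set()      # no PIN pad, no signature capture


def walkthrough():
    """Show how the same terminal ends up asking for different things
    depending on what the issuer programmed into the card."""
    return {
        "us card, $49.99 in store": select_cvm(US_SIGNATURE_CARD, STORE_TERMINAL, 4999),
        "pin card, $49.99 in store": select_cvm(CHIP_AND_PIN_CARD, STORE_TERMINAL, 4999),
        "pin card, $4.00 in store": select_cvm(CHIP_AND_PIN_CARD, STORE_TERMINAL, 400),
        "pin card, $4.00 at vending": select_cvm(CHIP_AND_PIN_CARD, VENDING_MACHINE, 400),
        "pin card, $49.99 at vending": select_cvm(CHIP_AND_PIN_CARD, VENDING_MACHINE, 4999),
    }


if __name__ == "__main__":
    for case, method in walkthrough().items():
        print(f"{case}: {method}")
```

The same fully capable store terminal asks for a signature with the US card and an offline PIN with the Chip-and-PIN card, which is exactly why the NRF argument is with the issuers rather than with terminal vendors: a retailer can buy the best PIN pad available and still end up collecting signatures if that is what the bank put first in the list.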

3. The chip in the EMV cards is really aimed at preventing counterfeit cards, but it does nothing to help with other types of fraud.  Creating a counterfeit card, which is relatively easy with mag-stripe cards, is nearly impossible with chip cards.  The liability shift only impacts counterfeit cards; retailers are still not responsible for stolen card usage.

4. The EMV specification supports both contact and contactless (NFC) cards, with some cards supporting both.  As mobile payments mature, it’s likely that contactless will gain popularity, so it’s probably worth the investment in terminals that support NFC.

5. New EMV cards will continue to have a mag-stripe for several years as terminals are upgraded.  If a consumer tries to swipe an EMV card in an EMV-capable terminal, the terminal will ask them to insert instead.  If the card’s chip or the chip reader malfunctions, the consumer will be told to fall back to mag-stripe.  And if the mag-stripe doesn’t work, merchants will call for a manual authorization.

6. When a card is inserted, it must be left until the transaction completes.  The chip is a tiny microprocessor that must communicate with the terminal, verifying each other’s authenticity.  Often consumers remove the card prematurely and the transaction must be restarted.  Or worse they forget to take the card with them when the transaction completes.  Cashiers will need to be diligent as consumers are educated.

7. Initially fraud won’t decrease.  Instead, card-present fraud in stores will migrate to card-not-present fraud online.  Thieves can still steal account numbers off the front of the cards or the cards’ mag-stripe, but they won’t be able to create counterfeit EMV cards.  That will drive them online where EMV doesn’t help (yet).

8. Account numbers are not encrypted.  Each transaction gets a unique cryptogram that ensures the card is not counterfeit, but otherwise the account number and associated data travel the same path we’re used to.  Put another way, EMV cards and terminals would not have prevented recent thefts at large retailers.  But it does make it harder to use the stolen account numbers, because EMV cards can’t be counterfeited and used in stores.

Retailers still need to follow PCI recommendations to encrypt card numbers in transit and at rest, as well as protect point-of-sale systems from malware.


Infographic from http://www.welchatm.com/blog-emv-by-the-numbers.html

The worst mistake retailers can make is not knowing the facts about EMV.  Stay informed, and be prepared for the coming changes.

Monday Feb 02, 2015

Payments in the Retail Industry

Last week I delivered a webinar for some of our Oracle Retail User Group (ORUG) members on payments in retail.  With NFC, EMV, and the many emerging payment solutions on the market, it's important to keep current.  The deck is below, and a brief overview is after that.

Slide 2- The basics of credit card fees.  With a $100 purchase, the merchant actually gets $98 after fees taken by the issuing bank, card network, and acquiring bank.  Card fees are one of the most expensive costs for retailers.

Slide 3- The big emerging payment solutions are Google Wallet, PayPal, SoftCard, ApplePay, and MCX/CurrentC.  Google and Softcard are straightforward NFC with coupons and loyalty.  ApplePay is focused simply on payment.  PayPal is trying to extend online payments to the offline world, and MCX is trying to minimize costs for retailers.

Slide 4- There are tons of smaller, emerging payment schemes including solutions from Final, Plastc, SimplyTapp, and Dwolla among others.

Slide 5- Krebs has a nice list of the types of fraud in the industry.  There are lots of opportunities for thieves.

Slide 6- Data breaches occur in many industries, not just retail.  It's a widespread problem.

Slide 7- Every retailer needs a Response Plan so they are prepared when a breach is discovered.

Slide 8- EMV is a step in the right direction, but it doesn't solve all the issues.  With base EMV, card numbers are still in the clear, so memory-scraper malware, the cause of several recent breaches, would still capture account numbers.  Also, retailers should be aware that when EMV is rolled out, fraud tends to migrate online.

Slide 9- There are three advanced solutions that help combat online fraud, but none of them is in widespread use due to additional friction and costs.

Slide 10- The liability shift is coming soon, so retailers need to understand what it entails.

Slide 11- The card issuer configures the card to determine the cardholder validation method, which can be online PIN, offline PIN, signature, and none.  Unfortunately, some banks are choosing signature, which isn't the most secure.

Slide 12- The process of using an EMV card is slightly different than magstripe, so lots of training will be required.

Slide 13- Some advice for retailers when they implement EMV.

Keep your eye on this space as it continues to change.

Wednesday Jan 22, 2014

Will EMV Protect Retailers?

Will EMV protect retailers?  About as well as PCI certification does today.  I used to work with the Europay/Mastercard/Visa standard when I developed software for smartcards, and the technology is certainly better than the ancient magstripe cards we use today.  But it was created before e-commerce really took off, and the US implementation of EMV isn't very secure.  Let's imagine for a moment that Target was ahead of the 2015 deadline and already had smartcard readers in its stores (like they did back in 2001).  Would they have been protected?

Since the smartcard has a tiny microprocessor embedded, it can do calculations like encryption.  When the card is inserted, it authenticates the POS, and the POS authenticates the card using a shared secret (typically an encryption key).  But in the case of Target, the POS was legit so they would have trusted each other anyway.

The typical Chip & PIN implementation in Europe requires the cardholder to enter a PIN to unlock the card, but in the US the PIN is optional and usually not required.  Do you know the PIN number for your credit card?  No one does because the banks think it would be inconvenient.

Since trust has been established, the smartcard sends over the account number and other associated data.  It's in the clear for a brief moment before it's encrypted and sent to the bank.  This is the same situation as with the magstripe.  Until the banks establish the ability to support end-to-end encryption and/or tokenization, we've still got the same issue.

There is one area where EMV helps a little.  The thieves still get the credit card data, but they won't be able to create fake smartcards.  Those chips need to be programmed with the right data and keys, which are only available at the issuing bank.  So even though they managed to get the data, they can't create forged cards.  Except for one little issue -- they can just use the card data online.  No need to create cards at all.
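The last two paragraphs, and item 8 of the "Eight Things Retailers Need to Know About EMV" post above, make the same point: the per-transaction cryptogram proves the chip is genuine, but it does nothing to hide the account number, and the online path never asks for a cryptogram at all.  The following added example (my own illustration, not code from this post or from any real EMV stack) models that split.  Real EMV derives a per-transaction session key from a card master key and the Application Transaction Counter (ATC) using 3DES or AES; here an HMAC-SHA256 over the same kind of inputs stands in for that, and the PAN, expiry, key, amounts and terminal challenge are all constructed sample values.

```python
"""Why an EMV cryptogram defeats counterfeit cards but not data theft.

Added example, not code from the post or from any real EMV implementation.
EMV derives a per-transaction session key from a card master key and the
Application Transaction Counter (ATC) with 3DES or AES; here HMAC-SHA256
over the same kind of inputs stands in for that, and every key, PAN and
amount below is a constructed sample value.
"""
import hashlib
import hmac

# Constructed personalisation data: a test PAN (not a real account) and a
# per-card key known only to the chip and the issuer.
CARD_PAN = "4111111111111111"
CARD_EXPIRY = "1612"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def transaction_mac(key, pan, amount_cents, atc, unpredictable_number):
    """Cryptogram over the transaction: PAN, amount, card counter and the
    terminal's random challenge. Only a holder of the card key can make it."""
    data = f"{pan}|{amount_cents}|{atc}|{unpredictable_number}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


class Chip:
    """The card's microprocessor: keeps the key and a monotonic counter."""

    def __init__(self, pan, expiry, key):
        self.pan, self.expiry, self.key = pan, expiry, key
        self.atc = 0

    def generate_arqc(self, amount_cents, unpredictable_number):
        self.atc += 1
        cryptogram = transaction_mac(self.key, self.pan, amount_cents,
                                     self.atc, unpredictable_number)
        # This is what the POS forwards to the acquirer and issuer. The
        # account number and expiry are plain text alongside the cryptogram.
        return {"pan": self.pan, "expiry": self.expiry, "amount": amount_cents,
                "atc": self.atc, "un": unpredictable_number,
                "cryptogram": cryptogram}


class Issuer:
    """The bank: holds every card's key and last-seen counter."""

    def __init__(self):
        self.keys = {CARD_PAN: CARD_KEY}
        self.expiry = {CARD_PAN: CARD_EXPIRY}
        self.last_atc = {CARD_PAN: 0}

    def authorize_card_present(self, record):
        key = self.keys.get(record["pan"])
        if key is None:
            return "declined: unknown card"
        expected = transaction_mac(key, record["pan"], record["amount"],
                                   record["atc"], record["un"])
        if not hmac.compare_digest(expected, record["cryptogram"]):
            return "declined: bad cryptogram"      # no key, no valid chip
        if record["atc"] <= self.last_atc[record["pan"]]:
            return "declined: replayed counter"    # same transaction again
        self.last_atc[record["pan"]] = record["atc"]
        return "approved"

    def authorize_card_not_present(self, pan, expiry):
        # Base online (e-commerce) flow: nothing ties the request to the
        # chip, so the number and expiry alone are accepted.
        if pan in self.keys and self.expiry[pan] == expiry:
            return "approved"
        return "declined"


def run_demo():
    chip = Chip(CARD_PAN, CARD_EXPIRY, CARD_KEY)
    issuer = Issuer()

    # A legitimate in-store purchase.
    record = chip.generate_arqc(4999, "1a2b3c4d")
    in_store = issuer.authorize_card_present(record)

    # Memory-scraping malware on the POS would see the same record; the
    # PAN is readable without any key.
    pan_in_clear = record["pan"] == CARD_PAN

    # The captured record resubmitted as-is: counter already used.
    replay = issuer.authorize_card_present(record)

    # A counterfeit chip without the key can't produce a fresh cryptogram.
    counterfeit = dict(record, atc=record["atc"] + 1, cryptogram="0" * 16)
    counterfeit_result = issuer.authorize_card_present(counterfeit)

    # The stolen number and expiry in the online flow, where there is no
    # chip in the loop at all.
    online = issuer.authorize_card_not_present(record["pan"], record["expiry"])

    return {"in_store": in_store, "pan_visible_to_pos_malware": pan_in_clear,
            "replay": replay, "counterfeit_chip": counterfeit_result,
            "online_with_stolen_data": online}


if __name__ == "__main__":
    for outcome, result in run_demo().items():
        print(f"{outcome}: {result}")
```

The in-store checks hold up (a replayed record and a record with a made-up cryptogram are both declined), yet the same captured record contains everything the card-not-present flow asks for.  That is the gap the posts describe, and it is why the PCI advice to encrypt or tokenize the number in transit and at rest, and to keep malware off the POS, does not go away when the chip readers arrive.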

Just as PCI didn't really make retailers safe from fraud, neither will EMV.  It's a step in the right direction, but far from perfect.

Wednesday Aug 01, 2012

EMV on its way to the US

At a past job I recall slaving away in Mastercard's facility in Purchase, NY testing my implementation of a stored value system called Mondex when the project manager walked in and told me to stop working so hard.  I was completely confused as there were deadlines to meet, but a few days later Mastercard announced it was dumping Mondex in favor of something called EMV.  That was over 15 years ago and EMV has yet to take hold in the US -- but it's coming soon.

EMV is simply a standard for payments made using smartcards, which look like standard credit cards but have integrated circuits embedded.  You can think of that chip as a tiny computer that can talk with the POS to perform encryption and authentication tasks to help prevent fraud.  Chip-and-PIN is the UK's implementation of EMV.

Last year Visa announced its intention to transition the US from mag-stripe to EMV cards with a target of October 2015.  Mastercard, American Express, and Discover have also aligned to that target.  This means that retailers need to upgrade their POS hardware to be able to accept contact (insert the chip card into a reader) and contactless (wave the card near a reader) cards.  Acquirers must have their software updated by April 2013.

To encourage retailers, the card brands are providing both a carrot and a stick.  When 75% of a retailer's transactions are chip based, it no longer has to annually perform the PCI certification (yeah!).  However, after the deadline acquirers and retailers will take on the liability of non-chip card transactions (boo!).

Contactless chip cards use a technology called NFC to communicate with the reader.  In this case the chip can be embedded in a card or it can also be inside a smartphone.  Therefore, by adopting EMV hardware retailers will also be ready to accept mobile payments like Google Wallet and Isis.  Those payment systems include the added benefit of combining loyalty cards and digital coupons alongside payment data.  We're still waiting to see if Apple includes NFC in its next generation iPhone, but their Passbook concept is a good sign.

Here's some free advice:

  • Discuss EMV with your acquirer (and payment switch vendor) right away so you understand their roadmap.
  • Plan to upgrade your existing payment terminals to meet EMV requirements ASAP.  All the major payment terminal vendors have solutions.  Consider if you need network-addressable terminals (ones connected to your LAN).
  • Consider also participating with Google and Isis in their NFC programs.  They have pilots running in several cities with aggressive expansion plans.
  • Work with your POS vendor to understand any changes required to integrate the new payment terminals, but also to support value-added features like loyalty and digital coupons.
  • Discuss lessons-learned with peers that have already gone through the EMV migration in Europe.

This transition away from mag-stripe cards will not only reduce fraud, but there's an opportunity to use the technology to improve shopping experiences.  There will be pain along the way, but we'll all benefit from this move in the long-run.

About


David Dorf, Sr Director Technology Strategy for Oracle Retail, shares news and ideas about the retail industry with a focus on innovation and emerging technologies.

