Jul /Aug 2017
The Merchant’s Guide to Transactions, Cards & e-Commerce
Security, fraud & privacy ❱ Identifying (and closing) cybersecurity gaps ❱ Preparing for, detecting and recovering from fraud ❱ Biometrics, AI and the future of identification
also in this issue:
❱ Online retail report
PM 4 0 0 5 0 8 0 3
Freedom in the palm of your hand. Open Wallet mobile solution now available. Cardtronics now offers an open wallet mobile solution for Credit Unions and financial institutions across Canada. Our mobile offering is ready and supports all major open wallet solutions and in-app transaction processing, so cardholders can pick their favorite wallet service and enjoy the vast range of features.
Open wallet solution
Donâ€™t Compromise with a Closed Wallet Offering. Contact Cardtronics today, and explore the freedom of an open wallet mobile solution for your business.
Join Canadaâ€™s premier payments processor and enjoy the benefits experience offers.
1 888 414 3733 e email@example.com tf 1 888 414 3733
TableKey of Contents theme
July/August 2017 Volume 8 Number 4 Editor-in-Chief Steve Lloyd firstname.lastname@example.org Managing Editor Sarah O’Connor email@example.com Publisher Mark Henry firstname.lastname@example.org Contributors Joe Bernik; Casey Bullock; Arnaud Crouzet; Kevin Deveau; Tom Donlea; Philip Flores Jr.; Justin Fox; Jean Harvey; Amer Matar; Jim O’Reilly; Rick Rennie; Joanna Schoneveld; Ryan Stewart; Ryan Wilson Creative Direction Jennifer O’Neill email@example.com Photographer Gary Tannyan President Steve Lloyd firstname.lastname@example.org For subscription, circulation and change of address information, contact email@example.com Publications Mail Agreement No. 40050803 Return undeliverable Canadian addresses to: Circulation Department 302-137 Main Street North Markham ON L3P 1Y2 t: 905.201.6600 f: 905.201.6601 firstname.lastname@example.org www.paymentsbusiness.ca Subscriptions available for $40.00 year or $60.00 two years. ©2017 Lloydmedia Inc. All rights reserved. The contents of this publication may not be reproduced by any means, in whole or in part, without the prior written consent of the publisher. Printed in Canada. Reprint permission requests to use materials published in Payments Business should be directed to the publisher. Made possible with the support of the Ontario Media Development Corporation
Security, fraud & privacy 4 10 14 Cybersecurity gaps tricky to identify, tougher to close
Overcoming security myths key to universal acceptance of digital payments
Not if, but when: The necessity of preparing for cyberattacks
From detection to recovery
Keeping your data secure
Four tools and strategies for surviving business fraud
(And keeping your job secure, too!)
Cybercrime in Canada New study from FICO and Ovum compares Canadian organizations’ cyberreadiness against global benchmarks
How payments security can fuel VR/AR adoption
How safe is your data?
MARKEt REport: Online Retail 18 22 26 Protecting consumer data with passive biometrics and behavioral analytics
Three fraud challenges crossborder businesses face
The human side of fraud prevention MasterCard research reveals consumer habits and emotions that impact your security strategy
Human touch in FinTech is key to growth
Industry updates 27 Industry news Next issue…
September/October july/August 2017
Empowering global e-commerce with a single payments solution
A single version of the truth The transformative power of global card payment acceptance standards
28 2017 Industry events
The mobile wallet • Acquirers • B2B • Points & rewards PAYMENTSBUSINESS
Security, fraud & privacy
Cybersecurity gaps tricky to identify, tougher to close By Joe Bernik
hrough highly publicized and continually reported data breaches, cyber criminals have made it clear that financial institutions— keepers of non-public information (NPI) and private financial information (PFI), remain highly attractive targets ripe for attack. These organizations face the unique challenge of criminal organizations not only actively profiling and targeting their employees, but also looking for free agents (someone from the inside who is motivated enough to become an inside operator) or simply planting one of their own. As highlighted in Closing the Cybersecurity Gaps in Financial Services, a global survey from Ovum and commissioned by McAfee, financial institutions are juggling an overwhelming number of disparate tools deployed to provide temporary relief from attacks. According to the survey, a large per centage of tier one and two financial institutions deploy between 100–200 disparate security solutions, while 37 per cent of respondents deal with over 200,000 daily security alerts. It’s a vicious cycle—as attackers develop new malware, IT teams implement new tools in response. These tools leave security departments drowning in events and data without the necessary resources and automation to process it all. The complexity of these ever-expanding security architectures reduces the effectiveness of incident response efforts and therefore create additional risk. As if this weren’t enough, an industry shift toward the cloud presents additional complexity for organizations to navigate. McAfee’s Building Trust in a Cloudy Sky report from earlier this year found that financial services organizations are among the leading adopters of cloud services. According to the Ovum study, nearly three-quarters of respondents believe that 20 per cent of their enterprise workloads will be in the public cloud by 2020. As banks continue to move workloads to public and private clouds, they will inevitably be transporting and storing sensitive data on customers' transactions, leaving many worried about data protection in the face of looming regulations. Not surprisingly, most Ovum respondents list data protection and cloud security as their top strategic investment areas. 4
It is important to note that regulations are not intended to punish but, rather, protect an interconnected ecosystem where hundreds and thousands of entities are connected to the financial system. It is therefore necessary for everyone to pursue the same set of guidelines and regulatory stipulations. To best protect their customers and themselves, financial organizations must ensure that access to cloud-based services is tightly monitored and secure. One noted cultural change was how many financial institutions are providing seats at the decision-making table to individuals outside of the IT department, when it comes to cybersecurity. Ovum found that forty-eight per cent of respondents from the fraud team reported they were a decision maker in their company’s cybersecurity initiatives, followed by compliance and risk management. By opening lines of communication across the organization, companies can ensure that they are adequately prepared to address data breaches with consequences that impact fraud, HR, compliance and risk management. Financial organizations are not blind to the uphill battle ahead. According to Ovum, over a third of respondents listed integrating and maintaining disparate security tools as their top operational pain point, and over 60 per cent agree that the industry needs standards, not merely more security products. The call for standardized tools extends beyond financial services. Large enterprises are all searching for ways to integrate security into their architecture and infrastructure. Once established a standardized and unified threat defense model will allow organizations to identify emerging threats more readily and better defend themselves against attacks, while keeping an eye on what new hazards loom on the horizon. For more details on cybersecurity trends in the financial services industry, please visit mcafee.com and download Closing the Cybersecurity Gaps in Financial Services. Joe Bernik has two decades of experience creating and implementing cyber security management programs at global financial institutions. While serving as CISO and head of Information risk and security at ABN AMRO, Fifth Third Bank and BNY Mellon, Joe led teams dedicated to protecting customer data, complying with data-related laws and regulations, and managing incident response programs.
Want to know more about your card programs? Do you issue fleet cards? Manage transactions? Is it vital to keep on top of technology which affects your mobile solutions?
Sign up NOW for a free subscription to Payments Business magazine. Visit our website at www.paymentsbusiness.ca and learn more about the magazine Payments Business is a Lloydmedia, Inc publication. Lloydmedia also publishes Financial Operations magazine, Canadian Treasurer magazine, Canadian Equipment Finance magazine, Direct Marketing magazine and Contact Management magazine.
Security, fraud & privacy
Overcoming security myths key to universal acceptance of digital payments By Joanna Schoneveld
onsumer use of digital payment methods is growing, thanks to their speed and convenience. But reaching universal acceptance will require the payments industry to continue to educate consumers so they overcome a misconception many have about the security of such payments. At a time when the security of digital payments is reaching all-time highs, consumers are becoming more concerned, not less, about the possibility of fraudulent activities such as skimming and electronic pick pocketing. Take debit, for example, which consumers and merchants use more than any other payment type in Canada. The latest fraud statistics for Interac Debit show losses due to skimming dropped to a record low of just $11.4 million in 2016, with just $1.5 million of that occurring in Canada. That’s down almost 92 per cent from the $142 million of fraud recorded in 2009, largely due to the completion of the transition to chip technology that began in 2008. Yet a survey conducted for Interac Association/Acxsys Corporation, which operates Canada’s debit payments system, found an increase in consumer concerns about security over the past year, with threequarters of Canadians saying they were somewhat or very concerned about skimming in 2016, up from 49 per cent with similar concerns in 2015. The figures are similar for electronic pick pocketing, with 71 per cent somewhat or very concerned last year compared with 40 per cent in 2015. These concerns have a direct impact on consumer behaviour. Despite debit being one of the safest ways to pay in Canada, the survey found that more than a third of cardholders said they had used their debit card less frequently than they otherwise would have due to concerns about security. 6
Nevertheless, consumers and merchants are increasingly demanding more convenient and faster ways to pay for their purchases, something digital payment methods can provide. But achieving universal acceptance of these methods will only happen if everyone in the industry can alleviate those concerns about potential fraud.
Canada is already far ahead of many other countries in putting in place the security infrastructure needed to keep digital payments safe. To do that, we need to address the two main reasons for incorrect perceptions about the relative safety of digital payments: first, a lack of understanding about digital payment methods—particularly contactless payments—and second, the occasional media coverage of isolated cases of fraud or identity theft that can make it seem the problem is bigger than it actually is. In both cases, the solution can be found in educating consumers and merchants about the technology involved in digital payments and the many security elements that are in place to prevent fraud. Canada is already far ahead of many other countries in putting in place the security infrastructure needed to keep digital payments safe. Unlike the United States, which is only now seeing the widespread availability of basic EMV chip and PIN payment terminals after many July/August 2017
Security, fraud & privacy years of having consumers swipe magnetic stripe cards, we have already converted all debit cards and payment terminals to chip technology. We are also much further ahead in upgrading POS terminals to accept contactless payments such as Interac Flash and digital wallets on smartphones, including Apple Pay and Android Pay. Despite this, some consumers still assume it’s not secure to tap their card at checkout because their personal or financial information can somehow be intercepted. Even if they have the tools to conduct a contactless payment—and many of them do—they still prefer a contact transaction such as chip and PIN, which takes longer to complete, because they think it is more secure. This stems in part from confusion about the difference between EMV and RFID (radio-frequency identification) technology. Many consumers and merchants mistakenly think contactless payments use RFID, a system that reads static, stored information, usually as part of an inventory control system. EMV technology, on the other hand, leverages the security of the chip and cryptogram to send information securely, which protects against skimming, counterfeiting and electronic pick-pocketing.
Unlike some software programs that offer early users access to beta versions that may contain bugs or which could malfunction from time to time, payment systems must be fully secure from the outset to maintain trust in their integrity. There are even more layers of security when using a digital wallet like Apple Pay or Android Pay. When a cardholder adds a debit card to one of those wallets, for example, a Device Account Number is created for that card which is unique to the device and distinct from the physical card number. All transactions go through the Interac Token Service Provider, a proprietary token platform that generates a sequence of numbers valid for a single transaction only. And for smartphones equipped with fingerprint technology, there’s no need even to enter a PIN to complete a transaction. In addition to the technological safeguards, Interac Flash contactless payments are also subject to transaction limits that, when exceeded, require the payer to insert their card and enter their PIN for verification in the event a card is lost or stolen. And all of these security measures are backed by a Zero Liability policy which fully reimburses cardholders should any type of unauthorized transaction take place. Most of this infrastructure is never seen by consumers or merchants, but it had to be in place and fully operational before July/August 2017
In just three years, Chinese consumers have embraced mobile payment technology, moving from an almost exclusively cash society to one where mobile payments totaled US$5.5 trillion in 2016. any rollout of digital or contactless payments. That’s because, unlike some software programs that offer early users access to beta versions that may contain bugs or which could malfunction from time to time, payment systems must be fully secure from the outset to maintain trust in their integrity. Of course, if you can’t see these anti-fraud measures, it can make it more difficult to reassure consumers that their contactless payments are secure. That said, Canadians have always been avid adopters of new technology, including for payments. As awareness grows of the availability of contactless payment solutions and digital wallets and as people become more familiar with the anti-fraud measures that are in place to keep contactless payments secure, we are seeing adoption rates increasing. Outreach can’t be limited to consumers, however. The payments industry must also continue to inform merchants about the convenience and security of contactless payments so they not only install the POS terminals needed to accept such payments but also encourage their customers to use contactless. As we work toward the day of universal acceptance of contactless payments in Canada, we should consider the case of China, where in many places smartphones are used to pay for just about everything. In just three years, Chinese consumers have embraced mobile payment technology, moving from an almost exclusively cash society to one where the consulting firm iResearch estimates China’s mobile payments totaled US$5.5 trillion in 2016. To put that into perspective, that’s about 50 times the size of all mobile payments in the United States last year, which totaled just US$112 billion. We will probably take a bit longer than three years to reach those levels of acceptance here in Canada, but by implementing the strongest possible anti-fraud measures, conducting outreach to consumers and merchants about the security and convenience of digital payment systems and countering any misinformation about contactless payments, we will get there—probably a lot sooner than many people expect. Joanna Schoneveld, senior manager of fraud programs, is responsible for the day-today operational management of fraud programs and services at Interac Association and Acxsys Corporation (Interac), where she has been analyzing fraud trends and leading the development and delivery of fraud programs for more than 12 years. Before joining Interac, Joanna worked at CIBC and Sears Canada Bank, where she analyzed and investigated fraud. Her focus at Interac is to empower consumers and businesses to make informed risk decisions by offering innovative and flexible fraud solutions. PAYMENTSBUSINESS
Security, fraud & privacy
Not if, but when:
The necessity of preparing for cyberattacks 8
Security, fraud & privacy
By Ryan Wilson
nother month, another breach—the frequency and severity of cyberattacks are escalating worldwide and require our increased attention. For a society dependent on technology, we have lagged behind in protecting mission critical systems and applications. It appears that part of the reason individuals and especially businesses remain so vulnerable is the outdated belief that cybersecurity is expensive or time consuming. With a credible security strategy and investment in the right mix of people, process and protection and detection mechanisms, we can win this cybersecurity war in a financially responsible way. Another common fallacy is companies believing that attackers will not target them. In reality, organizations of all sizes and in all industries are potential targets for various reasons. Threat risk assessments are a cost effective and great first step for organizations to better understand their key risks and the types of controls (people, process and technology) required to protect what’s most important to your business.
One thing we know for sure is cyberattacks will continue to increase in both frequency and sophistication; proper preparation will be the difference between an annoying attack and a devastating one. One thing we know for sure is cyberattacks will continue to increase in both frequency and sophistication; proper preparation will be the difference between an annoying attack and a devastating one. A great example of this is ransomware, as new variations of ransomware not only encrypt and make unreliable the data on your computer, but allow attackers to actually steal your data, providing them with a copy of all of your documents, pictures and other files. Organizations have a decision to make—prepare before the attack, or try and recover after it (if even possible). Businesses can no longer operate under the assumption that one of these attacks won’t hit them because, as we’re seeing, the number of intrusive attacks is growing exponentially with no end in sight. Businesses need to realize that once data is stolen and in the hands of the attacker, you have lost control of that data and your business. We need to stop thinking that security breaches as an annoying part of life and start acknowledging them as something that can put an organization out of business. These days, an organization’s data management and security strategy are two of the most vital parts of its operations. Just as we manage financial risk in our businesses we need to manage cyber risks. This includes making sure a strong cyber July/August 2017
strategy is in place and that you partner with an organization that can advise and recommend how to best protect your business information and assets. That’s why many businesses choose to let a third party, like Scalar, help to establish a strong risk-based security program and help to manage the day-to-day activities of remaining secure.
Businesses need to realize that once data is stolen and in the hands of the attacker, you have lost control of that data and your business. As these high-profile attacks continue to occur, the public will continue to put their trust in properly prepared organizations. Making sure that all client information is properly protected and backed-up will ensure the public’s confidence in a business. Our 2017 security study last year found that 53 per cent of respondents had a cyber incident occur that resulted in the loss or exposure of sensitive information. This is the kind of incident that only proper planning beforehand can prevent. Once that information is out there, it’s out there. The silver lining to all this is that as attacks evolve, so have security responses to them. Even with tricky ransomware like Petya, recovery is still an option. Instead of waiting to succumb to the next wave of cyberattacks, organizations can prove themselves to be proactive by ensuring they have the right protocols in place. Appropriate training is equally important in this manner. A business can take what it deems to be the appropriate precautions but still have an attack worm its way in due to an ill-informed employee clicking on the wrong email. According to our research, lack of inhouse technology proficiency is considered one of the main issues preventing the creation of a formidable security plan. The last thing we want to see is organizations slowing down progress out of fear of vulnerability. An advance in business technology is something to be encouraged and cybersecurity risks should not get in the way of that. When organizations are properly trained on cybersecurity and vigilant third-parties like Scalar are utilized, businesses can focus on what they need to while knowing they’re well-equipped to handle oncoming, eventual cyber threats. Now that the public is starting to become more aware of the increasingly growing danger of ransomware and other threats, this is the best time to proactively set up a plan to prevent real damage to your organization and its digital infrastructure. Being prepared will help retain customer trust and mitigate the cost of recovery. With the frequency and scope of these attacks increasing, it’s not a matter of if you’ll be hit, it’s when. Ryan Wilson is CTO security at Scalar Decisions.
Security, fraud & privacy
From detection to recovery
Four tools and strategies for surviving business fraud By Philip Flores Jr.
rom phishing, email takeovers and data breaches to fraudulent payments, false invoices and identity theft, there are many different forces within the worldwide web of deceit that put companies at risk for fraud. Exposure to cybercrime and fraudulent activity is dangerous and costly, and no company is immune—according to a recent survey from AFP, 74 per cent of businesses worldwide report their organizations were exposed to either attempted or actual payment fraud in 2016, with this type of vulnerability ringing up $2.7 million in damages per case. Fraud is a pervasive issue for the payments space and one that is exacerbated by the highly connected, digital world in which we now live. Increased connectivity and digital channels bring many benefits to the commercial payment process, but with that comes the greater likelihood of fraud risks. The most targeted fraud methods in payments include: • Cheque fraud; • Credit and debit card fraud; • Wire fraud; and • ACH debits fraud. A recent AFP report indicates that cheque fraud results in the biggest losses for most firms, followed by credit and debit card fraud. Loss can be considered financial or take the form of reputational damage, including loss of identity information, intellectual property theft or service disruptions. Direct and indirect consequences of fraudulent activity can be avoided with the right approach.
The foundation for fighting fraud There are four key elements of a fraud risk management framework that companies should proactively incorporate into their business policies and processes. When implemented and enforced properly,
these steps will help teams forge against internal and external fraud risks and keep crucial business and payments information safe. Detection: Understand where exposure and vulnerabilities lie within the organization and identify any gaps in anti-fraud controls. Recognizing fraud issues in a timely fashion is key for survival; discovering the signs once a tangible issue arises is too late, as losses will result and the situation could grow into an even bigger problem. Prevention: Know which tools and strategies to implement for continuous monitoring and mitigation that stops fraud from occurring in the first place. This can include anything from formal policies and procedures to employee training and communication. This stage is where signs of fraud are noted and taken care of—do due diligence to ensure vendors and contractors are who they say they are and internal controls are in place to avoid rogue employees. Investigation: Examine cases of confirmed and alleged fraud to understand the root causes and where breakdowns in processes may be occurring. Look for signs of vendor impersonations, missing dual authorization processes and the targeting of temporary employees. Email exchanges are also great places to look for suspicious activity and questionable communication. Recovery and analysis: Analyze the outcome of the situation and identify areas for continuous improvement. The timeliness and chance of recovery are maximized by properly implementing the prior steps, but knowing what to do differently moving forward literally pays for itself.
Common perpetrator profile: Know the signs The person who conducts fraudulent activity typically isn’t the employee that first comes to mind. The culprit often doesn’t seem like an offender, has no prior criminal history and is well liked by coworkers. They’ve typically been in the company for a while, between
Adopting fraud control practices, keeping them up to date with the latest antifraud technology and using these tools proactively and regularly within the organization will capture issues teams cannot identify on their own and protect the organization on an ongoing basis. 10
Security, fraud & privacy one to five years. Signs of fraudsters typically include compulsive shopping or gambling. Other ostentatious or extravagant lifestyle clues could also be indicators. Owners and executives of companies are generally less likely to commit occupational fraud, according to an ACFE global study, but the financial impact of their fraudulent activity tends to be greater, with a median loss reported of $703,000 per case versus $173,000 for managers and $65,000 for employees. Outside the organization, fraudsters often take the form of suspicious customers or vendors. When considering a contractor, it’s important to check for a legitimate website, a commercial address instead of a small home and that the business number listed is not a cell phone. Having mutual connections with the owner is a good sign that they are who they say they are and speaks to their credibility. When communicating with potential customers or partners via email, it’s important to watch out for the following signs of potential fraud: fake sender domains, suspicious subject lines, email attachments that could contain malware, links with questionable URLs and messages that ask for confirmation of sign in credentials.
Equipping your team on the front lines with the knowledge to recognize the warning signs is the foundation for mitigating these types of risks. Employing ongoing monitoring to establish norms and spot anomalies is also important. One of the biggest deterrents of fraud is strong oversight and having the right checks and balances in place helps enlist employees in the fight against fraud, because they can identify risks before they turn into farther reaching problems. From a systems perspective, adopting fraud control practices, keeping them up to date with the latest anti-fraud technology and using these tools proactively and regularly within the organization will capture issues teams cannot identify on their own and protect the organization on an ongoing basis. Staying current with fraud protection is the best way to fight— failing to keep up with modern protocols, policies, tools and strategies creates vulnerabilities for the organization that, once compromised, has little potential for a smooth comeback and will likely result in a hefty financial and reputational loss.
You can reduce your fraud risk
Philip Flores is the senior vice president and managing director of treasury and payments solutions of BMO Harris Bank. Flores has over 20 years of experience as a banking professional, with expertise in cash flow management, dispersion and collection of funds, risk and fraud mitigation and integrated business banking.
To truly fight fraud, it’s important to enforce a workplace fraud mitigation policy and proper training for employees so that everyone in the company knows how to identify fraud risks and detect scams.
Boost Sales. Beat Fraud.
ACCEPT MORE ORDERS, FROM MORE PEOPLE, IN MORE PLACES
Visit www.kount.com to learn more.
Security, fraud & privacy
Cybercrime in Canada New study from FICO and Ovum compares Canadian organizations’ cyber-readiness against global benchmarks By Kevin Deveau
espite the advances in technology over the past decade, the amount of cybersecurity threats and reported breaches continues to rise at an alarming rate. For those in the payments industry the risks can be heightened, as these organizations often handle large amounts of sensitive customer data. So how well prepared do Canadian firms think they are now— and will they be better prepared next year? To take the pulse of businesses, FICO and Ovum executed a survey of 350 business executives throughout Canada, the U.S., the UK, Finland, Sweden and Norway. It became immediately clear that there are some distinct areas of cybersecurity defense and preparedness where Canadian organizations are lagging behind their global peers, some others where they are excelling and some where there appears to be outright confusion.
per cent of Canadians reported that their firm’s volume of attempted data breaches had increased. The survey found that 76 per cent of surveyed Canadian executives believe the number of data breach attempts will be even higher in a year, yet fewer than half say that their organization’s investments in cybersecurity will increase in that same time period. There is, however, variation by industry. Telecommunications emerged as the biggest spenders—64 per cent expect an increase in spending.
Cyber-readiness It is interesting to discover that despite all of this, companies in Canada assessed their preparedness as quite high. Across all organizations surveyed, 52 per cent of companies believe that in terms of cybersecurity, their firms are above average or a top performer. These results suggest some organizations are over-confident when assessing how cyber-ready they are. This may be because they measure their security status based on their own benchmarks and
Investments in cybersecurity It is interesting to note how Canadian businesses perceive the actual threat of cybercrime, regardless of whether it has affected them or not. Comparing the answers of Canadian executives to those from other countries, it was noted that here in Canada executives are aware of the risks and are expecting to see an increase in cyberattacks over the next year. Compared to the U.S. some might call Canadian organizations pessimistic—while others might simply say they are realists. Either way, only 36 per cent believe that an assessment of their organization’s cybersecurity in a year’s time will show an improvement, compared to 53 per cent of respondents in the U.S. When looking at the past year, 68 12
Security, fraud & privacy criteria, which 46 per cent of respondents say they do. This is particularly evident in the financial services sector, where no organization surveyed felt that they are below average, yet 54 per cent of them are using their own benchmarks and criteria to assess their security status. Without defined industry benchmarks and measures, organizations are left to determine their own key performance indicators (KPIs), and therefore lack the context to be able to measure themselves accurately against their peers. This creates a lack of accountability and motivation to improve which ultimately leaves customers vulnerable.
Cyber-insurance Currently, only 18 per cent of respondents have cyber-risk insurance that covers them for all likely risks. Another 62 per cent either have some level of coverage or are planning on taking out some form of cyber-risk coverage. Although the survey showed an opportunity for Canadian organizations to ensure they are more fully protected in the event of a cyber-attack, it also showed that these organizations are often ahead of the curve compared to many of their global counterparts when it comes to insurance—especially when compared to the U.S.
While only 16 per cent of Canadian organizations say they have no intention of taking out cyber-risk insurance, more than a quarter of U.S. executives responded the same way.
Clear metrics are essential When it comes to measurement and evaluation, a clearly defined metric gives peace of mind and allows an “apples-to-apples” comparison. Whether you are measuring weight, credit, intelligence or cybersecurity preparedness, the only way to create a reliable assessment is through a universally understood metric. Imagine discussing height without measurements—how many people would assess themselves as “below average”? Clear metrics also allow leaders to gain an objective perspective into their organization, to identify weaknesses and ultimately fix them. This allows for transparency through the insurance underwriting process as well. Many organizations are wary of cyber-risk insurance because they are not confident they are being scored accurately or fairly. In fact, 20 per cent feel that the premiums calculated based on their business do not accurately reflect their risk profile. Further, 80 per cent of Canadian firms feel that more could be done to help organizational decision makers understand how risk price structure is calculated. More than a quarter of respondents feel that the introduction of an established industry standard to benchmark cybersecurity risk would be beneficial. This would allow organizations to understand how they measure against peers and the industry. Solutions that help achieve this are available and use analytics to help organizations to accurately self-assess and score. Preparing your organization for the cyber threats of today can seem like a daunting task, but a critical aspect of selfimprovement is self-awareness. With the risk of cyberattacks growing every day, it is time for Canadian organizations to do some critical thinking and evaluation. By having a clear understanding of your firm’s cyber-readiness, you can better understand your needs and determine an investment strategy and employ the services you might need in case the next big hack hits you. Kevin Deveau is vice president and managing director, Canada, at FICO. He is responsible for growing FICO’s Canadian market share and strengthening client relationships.
Security, fraud & privacy
Keeping your data secure (And keeping your job secure, too!)
By Jim O’Reilly
here seems to be a ritual that companies go through when a hack occurs. First, there’s the “silent” phase, ostensibly to investigate the extent of the problem, but really to allow the CIO’s blood pressure to recover. This is invariably followed by the “tentative disclosure” phase, where a company spokesman admits some issues but usually understates the magnitude by a large factor. Next is the “leak” phase, when some dirty rat talks to the press or, perish the thought, a real customer. This phase is followed by the “painful admission,” “anodyne words” and “promises of a pristine future” phases, all in short order. Then comes the “witch hunt,” followed by the “firing the CIO and staff” phases. This approach to handling security just isn’t good enough! The problems we see are typically ones that should have been easy to stop. Physical hacking of a point-of-sale terminal, useless passwords, fired admins are just the tip of an iceberg. As Hillary Clinton demonstrated, being both sloppy and a bit conceited is going to get you in trouble at some point. It’s not like security is an arcane art. There are well established best practices. Change passwords often; use complicated passwords; use 14
a password strength test; fire anyone who uses presets or default passwords; don’t write them down; don’t share with ANYONE; change all the passwords when an admin leaves or, better still, use two-factor authentication. There’s always the smart ass who thinks he knows better than IT. They open access to the key financials, then leave the screen active while they go out for a beer at lunchtime. They think they are golden and that no one will hack them. I have news for this person: you are just hacker-bait!
Threats from malicious idiots For serious IT professionals, you have to assume that your users are essentially malicious idiots (MIs). Most aren’t, of course, but you’ll have a hard time figuring out who’s who. Begin by assuming every worst case scenario. There is a lot written on this, but most miss a few tricks. My favourite is the one where an accountant keeps a copy of all the key files on a USB stick just in case the CFO calls him at home! Two-factor authentication is “de rigueur” for safe data handling in a mobile environment. Passwords can be guessed, because MIs don’t July/August 2017
Security, fraud & privacy like all those funny symbols and prefer their birthday or 123456 as something nobody will guess. The next important step is to assume that, if data can be downloaded, it will be downloaded. The only way to stop the USB trick is to turn off writing to USB ports—yes, it can be done! Lockbox turns up surprisingly often as a back door, though and in fact online storage like that is a major issue. Needless to say, that whiz in marketing found it as a quick, cheap way to send stuff (mainly photos of him and his new car, but you get the gist!). Most printers, incidentally, put identity markers on every printed page. These can timestamp and identify when and where printing took place. Let the employees know that pages can be tracked and data theft by printout may be stopped. Lockbox is generally a mobile issue. The fix is a segregated work environment, with only safe programs being loaded into the working phone or tablet image. This keeps the MIs from sending out the company’s secrets, but it can be frustrating. Switching in and out of a secure environment is a chore. My own answer is to ignore the joys of BYOD and give the employee a company-controlled phone or tablet, with a strictly managed app set and access controls. The alternative, building and maintaining a secure space on the MIs own device, is an open-ended pain since you also have to expect that he or she will download a thousand apps, some of which are carrying malware. A lot of the grief you’ll take for forcing the employee to carry two of every device can be mitigated if you have your own (carefully controlled) app store. They are easy to set up and allow you to limit what goes on a device, while giving the employee a sense of ownership and control. Don’t be a sourpuss and only have the company’s standard six apps. At least put Angry Birds and some other game favourites on the list! Making the app store comprehensive and friendly is crucial to preventing an employee from rolling in their own apps or griping about the IT department. This will help control costs, since you can negotiate volume discounts. Personally, I hated the “IT requires you to use Microsoft Word 2010” type of edict letter. Treat the users as customers. If they go elsewhere, Pandora’s digital box just opened!
Threats from true black hats We’ve dealt with the plain careless side of IT—what about the real black hats. They operate way beyond bad iPhone apps. They go in for breaking into the OS on a phone with an exploit. Assume that you WILL be attacked! It’s a fact that hackers troll the web looking for vulnerable sites. Have a strong firewall. Audit any open ports weekly, looking for changes. Better still, have the firewall alert you on any change or require your permission to make the change happen. Make sure you use strong encryption on wireless routers and don’t leave the sticker with the password on the side of the unit! Strictly segregate VLANs. Don’t put the key financials on the same net as the HR announcements. Have a guest login, but segregate it. Do not allow departments to set up their own routers. Make sure the admin password for your wireless routers isn’t “admin” (that’s often the default!). July/August 2017
For hardwired networks, employ effective monitoring. Limit the admin access to routers, etc. to as few as possible and plan to change passwords monthly. Use those gobbled-gook passwords with funny characters. When any admin leaves, assume they’ve dumped as much as possible and change the passwords. Data security is naturally last on the list. Encryption is a royal pain. All those keys to manage! We keep seeing data being lifted in the cloud because the admin didn’t bother to encrypt it. All data in the cloud should be encrypted. That’s not to protect you from the weak cloud security, since on the whole it’s better than your in-house processes. The problem in public clouds is that some of the millions of tenants are bozos who don’t control data access properly or who write sloppy apps. There are also trolls looking for them. Do not encrypt using “drive-level” encryption. I remember one drive company that had just 32 different keys! Anyway, common sense and the law in many countries require you to own and keep your own keys. Do it right and don’t leave your keys in the cloud. Only use AES 256 and go to AES 512 or whatever comes next as soon as it’s available. Remember to compress objects before storing them, since that cuts retrieval costs and times considerably. Deduplicate your cloud storage. Multiple copies increase your attack surface and also the chance of mislaying and so exposing data. The cloud will still apply replica protection to your copy. This is a good point to talk about backup and archive copies. The idea of these is that they are offline from the mainstream systems. That means an attack on those systems, at least in theory, won’t change the offline data. Remember the salt mines? They kept a copy safe. Make sure your cloud-based process doesn’t expose your fallback data. Snapshots keep all the data ever written (at least up to some consolidation point). The good news is they are robust, but if anyone breaks past the snapshotting code to the underlying file systems, true mayhem can ensue. Make sure that this vulnerability doesn’t exist if you are relying on snapshots to recover from hacks. Offline is definitely better! If this all sounds like teaching grandma about eggs, please realize that every one of these problems has been reported in the last few years. Security’s biggest weakness is the person who implements it. Over 30 per cent of retailers do not encrypt their data at rest, including major operations, while governments score worse. We are our own worst enemy. CEOs need to make fixing IT security a priority. They should remember that losing hundreds of millions of dollars could cost them their job, as well as wounding their company severely. Jim O'Reilly has been an executive at a number of corporations and startup companies. Recently, he was vice president of engineering at Germane Systems, creating ruggedized servers and storage for the U.S. submarine fleet. He has also held senior management positions at SGI/Rackable and Verari; was CEO at startups Scalant and CDS; headed operations at PC Brand and Metalithic; and led major divisions of Memorex-Telex and NCR, where his team developed the first SCSI ASIC in the industry, now in the Smithsonian. Jim is currently a consultant and writer, focusing on storage, infrastructure and software issues. His book on the future of storage, Network Storage, has just been published.
Security, fraud & privacy
How payments security can fuel VR/AR adoption By Casey Bullock
ecurity can go a long way. When it comes to payments in particular, the ability to secure transactions and safeguard data serves as a true differentiator for any business or technology. In the case of virtual reality (VR) and augmented reality (AR), the consumer intrigue and appetite is there—but security concerns aren’t far behind. In fact, 42 per cent of global consumers surveyed as part of Worldpay’s 360 Consumer: How VR is Reshaping the Buying Experience report identified security of payment details as one of the biggest barriers to VR/AR adoption, coming in second only to the high price tag of devices. Though unease around security is present, consumers are also aware of the benefits that these technologies can bring, including saving time, more immersive shopping experiences and the ability to experience products or services they otherwise wouldn’t be able to purchase. Despite concerns, three fifths (59 per cent) of the 16,000 consumers surveyed across eight countries are looking for retailers to utilize VR/AR in-store and 63 per cent want to begin seeing the technologies used within shopping apps. Rather than focusing on payments security as a hindrance to the growth of VR/AR technology usage, it may actually present enterprises with a unique opportunity to surprise and delight customers.
Shifting from interest to confidence Demand for VR and AR technologies has never been higher. With predictions that the VR/AR market may be worth as much as $108 billion by 2021, according to Digit-Capital, it’s no wonder there’s an increased interest in seeing how these advanced technologies will transform the ways in which enterprises and consumers interact. Though plenty of buzz surrounds these engaging platforms and the drastic changes they seek to bring, it doesn’t mean taking commerce into the virtual or augmented world will be easy. Consumers are craving more compelling and digitally driven experiences, but not if that means sacrificing the security of payments. For virtual commerce to thrive, the purchasing of goods and services in virtual environments must deliver peace of mind—and a user experience that provides a feeling of security above all else. Just a quarter (25 per cent) of global consumers surveyed view VR/ AR devices as secure enough to buy products and services, but the comfort levels vary drastically based on the country. Only 23 per cent of Dutch consumers surveyed view these devices as safe for making 16
payments, compared to 59 per cent of shoppers surveyed in China. In the UK, only 35 per cent of respondents would even consider making a purchase using VR/AR. Consumers in Western markets tend to be less comfortable with the idea of making payments in VR, which contrasts starkly to the Chinese market, where mobile-driven consumers are open and eager to expand their interactions with merchants beyond the desktop environment. For VR/AR adoption to grow on a global scale, the technologies and how they approach payments have to be positioned as more than just the latest, greatest innovation—consumers must see a true need for virtual commerce and the benefits it brings to their everyday lives.
The new security opportunity In approaching VR payments, thinking about the methods being used to safeguard online purchases can ease some of the uncertainties associated with virtual commerce. While a fifth (19 per cent) of consumers surveyed expressed that they would never be comfortable using VR/AR to make purchases, Worldpay’s research also found that there is still an opportunity to help change those perceptions. Consumers from around the world said they would be more comfortable using VR/AR devices for payments if various advanced security capabilities were made available. For instance, 38 per cent of respondents said fingerprint scanning would make them more comfortable with VR payments. Integrating trusted security capabilities within the VR/AR environment helps to replicate real-world commerce experiences and establish confidence in the security of purchases. Security methods like entering a secret code or password (32 per cent) or providing alternative payment methods such as PayPal (29 per cent) were also identified by consumers as ways to alleviate payment security concerns in VR/AR. From retina scanning to allowing payments to take place similarly to how they do in the real world, there are many security and data entry considerations that can positively impact VR as a commerce platform. By seeing payments security as a ripe VR/AR opportunity—not solely an adoption barrier—enterprises have the potential to deliver unmatched user experiences that are both engaging and secure. Casey Bullock is general manager, global e-commerce – North America for Worldpay. Current responsibilities include managing all commercial personnel working directly with Worldpay’s clients in the North America region. Prior to Worldpay, Mr. Bullock was VP, GM fraud solution for Chase Paymentech focused on the creation and delivery of enterprise-class fraud prevention capabilities into the e-commerce marketplace.
Security, fraud & privacy
How safe is your data? By Amer Matar
Card-present fraud prevention
or businesses operating in a digital economy, data breaches are both disruptive and costly. Recent statistics from Ponemon, on behalf of IBM, show that the average cost of a cybersecurity breach in Canada is $5.78 million. Despite this, Ovum reports that fewer than half of Canadian business executives plan to increase data security spend. It’s a frightening statistic and something that shouldn’t be taken lightly by any business that accepts payments from Canadian consumers. Businesses can protect themselves and their customers effectively through traditional vigilance of transactions and by implementing payment security solutions to help minimize risk. However, to understand best practices, businesses need to understand the most common types of fraud their business faces. Face-to-face fraud, commonly referred to as card-present (CP) fraud, is initiated by someone who intercepts card data or a cardholder’s PIN to duplicate a card for subsequent use, like accessing cash at ATMs or to make online/in-store purchases. The introduction of chip-based payment cards has made reproducing secure chip data impossible. However, advanced techniques to intercept basic card data like a card number at the point-of-sale (POS) are still possible and fraudsters exploit these for purposes of fraudulent activity in the online space. As Canadian businesses continue to adopt digital commerce (online and mobile purchases), fraud concerns shift to card-not-present (CNP) fraud. CNP fraud covers illegitimate purchases made online (PC, tablet, mobile phone), over the phone or by mail. Fraudsters gain access to consumer data through methods like skimming, phishing, ransomware and other manipulation tactics. The online fraud industry is a growing concern. For example, phishing scams occur when a fraudster claims to be a reputable source via phone or email and persuades cardholders to reveal sensitive information such as passwords or credit card numbers. In the first quarter of 2016, PhishMe reported a 789 per cent increase in phishing incidents globally. Data is valuable and, in many cases, sold to fraudsters through the dark web—an anonymous and untraceable area of the internet. To aid in creating a viable list of credit card numbers, criminals will often test card data online. Card-testing fraud employs bots to test thousands of cards within seconds on websites that have weak payment verification in their check-out process—allowing fraudsters to identify valid card information. In any instance of card payment fraud, without the correct safeguards in place businesses can incur monetary losses resulting from chargebacks, loss of fraudulently purchased goods and more. It doesn’t have to be doom and gloom for businesses. There are effective data security processes and best practices available to help mitigate some of these risks.
There are simple, affordable ways to prevent CP fraud. Use of a reputable payment provider, deployment of secure payment technology, end to end encryption and tokenization software can reduce, if not eliminate, access to sensitive data needed to commit fraud. In addition, businesses should be diligent in payment acceptance procedures that ensure they monitor their equipment, restrict access to it and regularly check terminals for tampering. Additional best practices can be found at www.moneris.com/fraud.
Card-not-present fraud prevention Increased security at the POS with chip and PIN technology has forced fraudsters to the CNP environment. To avoid CNP fraud, businesses can implement best-in-class online fraud prevention techniques, including payment validation tools like address verification and credit card security codes found on the back of physical cards. In addition, there are tools available through payment processors and third-party vendors that can analyze hundreds of data points in real-time, allowing businesses to determine the risk factor of a particular transaction. For example, a payment originating in Africa for a cardholder that resides in North America should trigger an alert, especially if the goods are shipped to a place other than the cardholder address on file. These tools help to thwart fraud, minimize potential losses and reduce the need for manual review. Having seen the evolution of security-based software solutions, I also recommend that businesses remove the risk of storing Payment Card Industry (PCI) data locally by adopting solutions like tokenization. Tokenization allows a business to transfer the responsibility of storing PCI data to a payment processor and replace that data with an unidentifiable value or token that can be stored and limit the risk of customer data exposure should a data breach occur. Payment processors have started adopting cloud-based technologies and project to see continued public adoption with card-on-file payment apps, which are continuously evolving. Take parking meters for example—you can now pay using a physical plastic card or with an app that accesses securely stored card-on-file information, a capability that transpires in the cloud. As digital innovation continues, we can expect criminals to evolve their fraud methods and create new ways to exploit businesses within this channel. Payment processors like Moneris work closely with businesses to help combat fraud by offering applicable security tools. With the proper safeguards in place and a trusted partnership between businesses and processors, we can continue to thrive in the evolving payment landscape. Amer Matar, Moneris’ chief technology officer, has spent over two decades in the field of data management and is responsible for all technological aspects at Moneris— including software development, information security and integration engineering. For additional tips on preventing credit card fraud, visit Moneris.com/Fraud. PAYMENTSBUSINESS
Protecting consumer data with passive biometrics and behavioral analytics By Justin Fox
or several months, sophisticated online criminals attacked the customer loyalty page of one of our clients, a Fortune 200 company. They started small at first to test the viability, then drew larger and larger sums over time. The fraudsters ran sophisticated scripts to create loyalty point numbers unused by legitimate users, creating a database of potentials for fraud. The goal was to redeem loyalty points for products that would then be sold on eBay or other sites. Our customer was losing millions of dollars until they implemented behavioral biometrics on the site, halting the fraudsters in their tracks. Keeping up with criminals and their inventive exploitation has long
Online retail been an issue for e-commerce merchants. Passive biometrics and behavioral analytics are an almost spoof-proof solution to prevent breached data and devalue its accessed data for fraudulent use.
A new way forward Passive behavioral analytics work in real time to determine and authenticate legitimate users while machine learning analyzes and predicts users’ behavior when they access their online accounts. Behavioural biometrics technology mitigates account takeover (ATO) fraud and new account fraud—two types of fraud that are expected to increase 60 per cent by next year. The technology works from the moment consumers begin interacting with the site. Enhanced device intelligence, such as whether they are using a mobile phone, PC or tablet, along with device identification information, browser language, screen size and location and so much more, is all compared to an existing digital identity. It then looks at personal behaviors and biometrics such as how a device is held, keyboard use and hundreds of signals. The collected data points are analyzed and can determine if there is a human behind the transaction and, if so, authenticate that it is the correct human.
By constantly monitoring and understanding the behaviour of users, it’s easy to verify and authenticate good users from bad. For example, each person has a unique method and rhythm of typing. They may use two fingers or usually type with their right or left hand, or hold their phone in a specific way. Behavioural biometrics take all those unique personal characteristics and build a full 360-degree view of each user. By constantly monitoring and understanding the behaviour of users, it’s easy to verify and authenticate good users from bad. This means that even if you share your banking password or loyalty account credentials with a family member or a partner to use on your behalf, the way they hold their phone or the speed at which they type would not match your digital identity and would raise a risk flag for the transaction. As an added bonus, behavioural biometrics technology not only detects suspicious or anomalous activity, but the process is passive to the consumer. There is no added friction to the sign-in or sign-up process, so you avoid the fatigue caused by making customers jump through multiple hoops just to sign into their account.
It’s all about technology NuData Security clients find benefit in our solution, NuDetect, to help suss out would be fraudsters from legitimate customers. The solution works in the background churning out results in near real-time— queries are handled within less than 100 milliseconds of processing July/August 2017
time, meaning the customer doesn’t notice a lag on their end but the system is validating if the user is who they say they are through those biometric markers. This is able to happen because of advances in cloud computing. Some of our customers take advantage of our global footprint through Amazon Web Services (AWS), meaning they can use a data centre’s processing power that’s closest to their customer—making sure the user experience is unimpeded. However, not all clients are comfortable processing data outside of their home country. In Canada, for example, NuDetect clients can run in-country only at the AWS Canada Region in Montreal fulfilling data residency requirements—whether those are regulatory or even emotional in nature. Clients can even opt to run the solution on premises.
Long-term benefits Passive behavioural biometrics is always predicting, detecting, learning and protecting in real-time, making accurate decisions about emerging threats and verifying good users for accurate authentication. Companies can realize the benefits of these types of solutions almost instantly. A year ago, a global e-commerce website discovered bad actors had begun a large-scale ATO scheme on its systems, causing several hundred false orders over a period of two months and revenue losses of hundreds of thousands of dollars. Utilizing the existing account, the criminal was able to masquerade as a genuine customer to transfer funds, use the payment method on file to make a high-value purchase, or simply use their legitimate history to mask fraudulent transactions. The deployment of behavioural biometrics resulted in an immediate drop-off of automated attacks, saving the site $1.8 million over the last year. The reality is, in today’s ever-evolving world of sophisticated cyber criminals, consumer data is always going to be vulnerable, but this does not mean organizations should be complacent about keeping the customer safe. Passive behavioural biometrics make it possible to provide identity verification with higher accuracy and lower fraud while delivering a better customer experience. Justin Fox is lead solutions architect at NuData Security – a Mastercard company – helping develop the technology that powers NuDetect. NuDetect analyzes 80 billion online interactions yearly, monitors 3.4 billion user profiles per year, and is trusted by some of the largest global brands in the world to verify users with their own natural behaviours.
Fast fraud facts • Account takeovers and new account fraud are expected to rise by 60 per cent by 2018. • Fifty-five per cent of users re-use the same password almost everywhere. • Accounts created between 2:00 a.m. and 4:00 a.m. are 50 per cent more likely to be fraudulent. • Thirty-two per cent of customers stop shopping after a false positive.
Three fraud challenges cross-border businesses face And how to overcome them
By Tom Donlea
dvances in technology have made it easy for retailers to embrace cross-border sales, gain new customers and expand their businesses. But there is a dark side to greater reach: a higher risk of fraud. While fraud rates have slowly declined for North American companies since 2012, the fraud rate for international orders is 1.5 times higher than domestic. This is no small matter for retailers hoping to capture a piece of a market that is expected to reach $27 trillion by 2020. Companies can sell successfully across borders if theyâ€™re aware of the challenges and have made plans to overcome them. In particular, 20
the following three challenges, while common, shouldnâ€™t stand in the way of international sales growth:
Challenge #1: Data and risk types vary by region Unfortunately, there is no global standard for customer identity verification. Country-by-country variations in the availability, format and reliability of individual identity data makes it impossible to implement a uniform global fraud strategy. This forces fraud teams to piece together different identity data in nearly every region to properly verify a new customer. July/August 2017
Online retail Email, because it’s ubiquitous, is often the primary data validation point or verification component for companies conducting international e-commerce. When it’s positively linked to the name of the customer and has been in existence for a period of time, an email address can provide a measure of assurance that a transaction is more likely to be legitimate. Dwelling addresses are another standard identity factor for countries such as the U.S., UK, Canada and Mexico, but are less useful in a country like Saudi Arabia where address styles vary greatly. Across the globe, non-fixed VoIP numbers, like Google Voice or Skype, prove much riskier than fixed VoIP, mobile phone or landlines. In regions like Brazil, which represents an e-commerce market projected to reach $27 billion by 2018, certain mobile carriers are known to be associated with a higher degree of risk. In Brazil shoppers also use a unique identity number called a Cadastro de Pessoas Físicas or CPF. Social Security Numbers (SSN) serve a similar purpose in the U.S. In both cases, the numbers can be compromised, proving neither data point alone can be relied upon to verify an identity. Some regions of the world are simply less risky for cross-border e-commerce. Denmark, Finland, New Zealand, Norway and Switzerland are among countries with the least amount of fraudulent activity, while Indonesia, Venezuela, Romania, Brazil and South Africa are currently the world’s fraud hotspots. It’s estimated that more than a third of all online transactions from Indonesia are fraudulent.
attempted fraud during special sales and promotions.
Challenge #2: Criminals are constantly evolving their methods
Automated fraud screening offers an efficient means of detecting and controlling fraud as businesses enter new geographies. But successfully catching fraud requires utilizing global consumer identity data as part of a layered process. You need to examine the endpoint to determine the device location or fingerprint (or other endpoint data like location, device point, device behavior, phone, mobile ID, etc.). User behavior during sessions can also provide important clues. Does the behavior (like web session navigation, in-app behavior, gesture analytics, etc.) look legitimate or malicious? Other data retailers should examine includes credit card information, external personal identifiable information, social network info, internal records, etc. Finally, making connections between dynamic identity data (like person, business, phone, email address, etc.) can help in verifying the identity of the customer. Today’s API and web-based services can conduct multiple searches at once and link together real-time identity data to facilitate order authentication. One common example is to verify that a customer’s name, addresses, phone numbers, email and IP address match from an order or transaction. As the global economy moves online, it’s becoming more difficult to quickly and accurately confirm consumer identities. Even historically useful authenticators like SSNs are no longer enough. Retailers that choose global consumer identity data can be confident they’re getting the full picture of a customer’s identity no matter where they live. They can fulfill orders faster, reduce customer insult rates and quickly identify truly risky transactions or new accounts.
Cybercriminals are always testing new tactics to circumvent fraud management systems. They often sell or share fraud information with other criminals, establishing powerful networks. Companies doing business across national boundaries need to be aware of and responsive to the changing dynamics of global fraud. Most businesses already sufficiently protect themselves from chargeback fraud, friendly fraud and account takeover fraud tactics. But other, more sophisticated tactics like synthetic identity fraud require a new set of rules. Some highly organized crime groups make a concerted effort to reverse engineer online transaction processing to uncover thresholds in a company’s risk models or vulnerabilities in code. For example, if criminals learn a company’s review threshold for purchase amounts is above $1,000, they buy below that amount since there is less chance of being detected. Additionally, fraud teams needs may need to prepare for alternative payment methods (i.e. installment payments in Latin America) by updating fraud policies, expanding their team and more. Some companies may unintentionally be inflicting fraud on themselves due to a lack of internal communication. For example, an online store introducing high demand, new products can lead to a sudden influx of orders, overloading the fraud team’s operational threshold. Flash sales and discount codes also increase order frequency and may cause issues with fraud rules. Criminals can take advantage of these high volume windows. Retailers need to coordinate internally to ensure they’re prepared for likely increases in July/August 2017
Challenge #3: Being overly conservative can drive down revenue According to research from CyberSource, up to 10 per cent of the orders vendors reject due to suspicion of fraud may actually be from legitimate buyers (also known as false positives). Overreacting to the fear of fraud results in lost revenue and can negatively impact the user experience for legitimate customers. In the worst cases, entire countries can be blacklisted. While sweeping policies may lower the cost of fraud they should be weighed against the potential loss of both immediate sales and long-term revenue from insulted customers. Tips to prevent overcompensating for risk include: • Track an accurate tally of false positives and review multiple period analyses of false positives; • Coordinate with your chief revenue officer to thoroughly understand the global expansion roadmap to prepare well in advance for unique risk factors in new markets; and • Utilize identity data in conjunction with fraud scoring to confidently auto-approve orders to save time and speed good orders without using costly manual review.
Keys to success: Global data and a multi-layered approach
Tom Donlea is vice president of marketing at Whitepages Pro.
The human side of fraud prevention MasterCard research reveals consumer habits and emotions that impact your security strategy By Rick Rennie
ow would you feel if your financial information were exposed to thieves? Would you rather have nude photos of yourself leaked online or have your financial information compromised? These are questions Mastercard posed to Canadians—with fascinating results. Canadians, our survey revealed, would much rather have their personal photos leaked than their financial information compromised. It seems vulnerability is tolerable—as long as it doesn’t apply to financial security! Fraud prevention is so crucial to a functioning economy that we dedicate a whole month to it each year. And we’ve seen that Canadians place a priority on the protection of their financial information. But the survey revealed even more: Canadians will engage in behaviour they know to be risky when it comes to their financial security. They admitted in large numbers to using the same passwords across multiple accounts, rarely changing these passwords and leaving them written down on a piece of paper rather than committed to memory. According to our research, Canadians fear a security breach but are fatigued when it comes to taking responsibility for protection into their own hands. At Mastercard, our strategy involves securing all parts of the payment process including the account and device, the cardholder, and the transaction itself—all of which enhances the experience when you’re shopping in-store, on your mobile or online. The very successful rollout in Canada of chip cards with PIN validation and cards with contactless abilities is an example of how a payment account and device are secured. We are now applying that same technology and security protocols to mobile devices so that when you’re making a payment from an app or website, the approving financial institution can be certain the account and device is valid and secure and approve the transaction. 22
Authenticating the cardholder is also critical in our increasingly complex digital environment, especially when you consider the stats I mention above about Canadians admitting a laxness in their password behavior. Ensuring the cardholder is who they say they are is critical and so is offering choice to consumers in how they manage their digital identity. Alongside traditional proven methods, biometric authentication is an exciting development. Fingerprint, facial or iris scanning technology and more are the next edge of authentication, especially when you consider that it’s been predicted that by 2020 100 per cent of smart mobile devices will include biometric sensors as a standard feature. Canadians are ready to adopt new secure payment features. Seven out of 10 Canadians surveyed are on board for biometric payment options. Mastercard is currently testing the application of facial recognition ‘Selfie Pay’ technology to validate digital transactions and recently launched a new biometric card that includes a fingerprint sensor embedded in the card. While these exciting technologies start to gain traction with consumers, we continue to diligently monitor for fraud, particularly in the online shopping space. Many of our fraud detection tools are designed specifically for our financial institution partners to quickly identify which transactions are genuine and which are fraudulent. These systems typically monitor activity round the clock, across the globe. As technology grows to allow these new frontiers in commerce, adopting safe and secure practices will be the number one to-do item to protect financial security and elevate consumer experience. The future of payments looks financially—and emotionally—secure indeed. Rick Rennie is responsible for fraud management at Mastercard Canada. He works with banks, merchants and industry associations to help ensure fraud management systems and practices protect the ecosystem of cardholders, merchants, banks and networks. July/August 2017
Reach marketers & financial executives Our magazines are must-reads for key executives in core corporate competencies.
Can you help our readers: • Create a strong ﬁnancial structure and healthy economic ecosystem to ensure capital and cash ﬂow keep their engines running? • Determine who their customers should be, how they can reach them most effectively, and how they can turn data-driven marketing into proﬁtable sales? • Build efﬁcient and effective ﬁnancial systems to enhance payments and billings between their companies and their customers and vendors? • Convert all the data and information they collect from every contact point into tangible beneﬁts that increase revenue and reduce costs? • Equip their companies with the tools, technology, systems and hardware needed to manage their operations, to create new services or products, and deliver them to their market? • Manage their customers with smoothly functioning support departments that are properly staffed and equipped to solve problems, foster loyalty and retain customers? • Make any or every step in that chain better, faster, cheaper, and more proﬁtable?
We can help you tap into the ecosystem at the points that will drive your campaigns. To advertise or get more information and media kits:
905-201-6600 | 1-800-668-1838 | 302-137 Main Street North, Markham ON L3P 1Y2 Visit our websites:
Direct Marketing magazine, www.dmn.ca Contact Management magazine, www.contactmanagement.ca Payments Business magazine, www.paymentsbusiness.ca
Canadian Treasurer magazine, www.canadiantreasurer.com Canadian Equipment Finance magazine, www.canadianequipmentfinance.com Financial Operations magazine, www.financialoperations.ca.
Human touch in FinTech is key to growth Ryan Stewart is chief commercial officer for Bambora North America.
By Ryan Stewart
n 2016, global venture investment in FinTech grew by 11 per cent to $17.4 billion. The industry has grown and diversified, yet merchants seem to be overwhelmed by the sheer number of choices and, even worse, bewildered by what FinTech is. Businesses are facing pressure like never before to sell online and, while there are now more approaches to selling online, a thread of uncertainty and confusion links all newcomers. In the following article I will highlight the pressures faced by Canadian merchants to go digital and what causes them to hesitate, including the vast amount of FinTech options available. Finally I will outline how and why in five years those in FinTech who succeed at offering a human touch will win against those who don’t. Let’s dive in.
The pressure for merchants to go digital Just recently, Jack Ma, founder of Alibaba, one of the world’s largest e-commerce companies with a market value over US$360 billion, spoke of a third technological revolution coming, warning businesses that AI and globalization are not to be ignored: “The way to figure out job creation, one of the best ways, is to help small business to sell their local products across the board. And we have to prepare now. Because the next 30 years are going to be painful [if they don’t].” We see the beginning of this today, as 80 per cent of Canadian consumers are shopping online yet only 17 per cent of Canadian SMBs are selling online. This has caused Canadian shoppers to look south, with 67 per cent of purchases going to other countries even though 62 per cent of them prefer to buy from Canadian businesses. Canadian businesses are currently losing out to globalization. Moving online will not only broaden their customer reach but increase their revenue substantially. Yet 70 per cent would never consider selling online. With so many startling figures on why moving online would be healthy for their business, why the hesitation? According to a recent PayPal report, 30 per cent are worried about sliding customer service, 21 per cent fear online fraud and 19 per cent lack the technological understanding. All these concerns can be easily alleviated by customer centric payment solutions. It is up to those in the FinTech industry to make the transition to selling online as easy as possible by offering simple, seamless solutions that address their fears and position them to be successful.
Overcoming FinTech overload The FinTech industry includes a broad range of companies from payments to blockchain. The good news is that consumers are curious about our industry. The Google Search trends for FinTech companies over the last five years have been trending up. Yet people are still confused about what FinTech is and how it can help their business grow. FinTech companies that build customer centric solutions will not only be able to address uncertainties surrounding FinTech, but July/August 2017
also simplify daily operations. Continuing to win market share and customer loyalty. The value of human touch can come in many facets. From helpful staff available to assist customers while signing up, to always being there to troubleshoot an issue. We all know the frustration of dealing with inadequate support in a time of need. But did you know that over 44 per cent of U.S. consumers are taking their business elsewhere as a result of inadequate service—at a cost of $41 billion a year? Their number one complaint? Unhelpful and rude call centre staff. Now more than ever, top FinTech leaders are investing in their human capital to help businesses navigate the tricky world of online payments. A recent Gartner Survey found that as of 2016, 89 per cent of companies expect to compete mostly on the basis of customer experience, versus 36 per cent four years ago. The customer centric approach will drive FinTech to build solutions that actually solve the right problems. Canadian merchants know their customers better than anybody else. The more FinTech entities work to understand the mindset of the consumer, the more we can bring the Canadian FinTech industry forward. This includes enabling new and traditional payment types that matter to Canadian consumers, opening and aligning the right sales channels for merchants spanning online, in-app and in-store—all driven from customer needs. With so much hesitation from Canadian business owners to sell online, finding the right FinTech solution will make or break the transition. For those looking for more support, a customer centric provider will be able to make the move painless. Before signing up, merchants should take a deep dive into the provider’s developer and support documentation. Is the platform easy to navigate? Do they use simple language or is it filled with industry jargon? Merchants should also compare providers on how easily they can be reached whether it is through an online chat function or simply over the phone.
Summary While investment in FinTech continues to rise, so does the uncertainty of what it means to the business community. As we continue to raise the bar in innovation, it is important to keep in mind the end customer and how it affects their businesses. Many Canadian merchants are hesitant to make the move online, so it is our responsibility to show them the way. While there is a place for complexity, it should never stun new consumers. Those who invest in making a customer-centric company will continue to grow with the industry. Those who ignore all the signs will get left behind by their customers. This is true across all industries, but rings true even more within the world of FinTech. Ryan Stewart is chief commercial officer for Bambora North America where he leads the sales, marketing and product teams. He is passionate about the dynamic payments space and focuses on delivering a simple, elegant payments experience to merchants and software providers globally. Ryan has launched numerous disruptive payments products in Canada, the US and Europe, from online, to in-app, mPOS and merchant online onboarding automation.
Empowering global e-commerce with a single payments solution By Jean Harvey
he rise of e-commerce is creating an increasingly borderless global economy. Businesses and customers are no longer bound by geographical barriers in finding ways to exchange goods and services. Internationalization has allowed 57 per cent of customers to shop cross-border, bolstering an unprecedented market for businesses to tap digitally across the globe. In 2015, the three largest e-commerce markets totaled $778 billion (U.S. $312B, China $310B, UK $156B). By 2019, these markets are expected to grow to over $1.3 trillion (China $573B, U.S. $536B, UK $210B) and the top 15 e-commerce countries combined will total over $2.25 trillion. As the global economy becomes more prevalent through the growth of international e-commerce, payment methods have largely remained distinctive by region and country. Trust, security concerns and cultural behaviors all influence the payment methods chosen by customers even in an always-on, digital environment. For example, credit and debit cards are preferred in North America whereas bank transfers, invoices and direct debit are preferred in Europe. Electronic cash payments are widely used in South America, but mobile wallets are used in Africa and e-wallets are popular in Asia. Within regions, payment methods continue to differ. Bank transfers are the most common payment method in The Netherlands. Local bank transfers, vouchers and invoices are also common in the country. But in Poland, online banking is a common payment method in addition to card payments. To tap a global market of customers, e-commerce businesses must understand local payment preferences and offer a variety of payment methods that suit potential customers. More payment options increase the likelihood that a buyer will complete their purchase, as almost 50 per cent of customers say they will end a sale if the preferred form of payment is not available. Businesses can attract the attention of potential customers in multiple regions by using a solution that can manage varying online payment methods through a single interface, using a single collection model. To help businesses make their e-commerce offerings competitive on a global scale, First Data recently launched the Local Payments solution. With a single solution like Local Payments that allows customers to make a purchase easily and safely with their preferred payment method, online retailers can expand their reach to markets 26
they may have previously missed out on due to not offering payment capabilities aligned with customer preferences. Now, a retailer can enable a customer in Europe who wants to use a mobile wallet or a customer in Latin America who prefers making electronic cash payments. Local Payments facilitates numerous payment methods, including real-time online banking, direct debit, cash/voucher payments, payment wallets, payout schemes and more. While regional preferences for certain payment methods should be a consideration for any e-commerce business wishing to operate globally, other critical factors influencing purchases that are especially common in developing countries include a lack of banking access, technological limitations and political restrictions. The Local Payments solution provides greater flexibility for payment acceptance, supporting customers with less options. The solution enables e-commerce transactions for those customers who may be unbanked or underbanked through particular local payments schemes. This accessibility for customers represents a sales uplift opportunity for businesses. First Dataâ€™s Local Payments solution provides access to 195 local payment options when fully implemented. Businesses can deliver better customer experiences and encourage loyalty by accommodating customer preferences and requirements. We are frequently adding innovative new payment methods, driven by customer demand that will continue with meaningful market share in their respective countries. Specific local payment methods also can be added upon request. Customer payment method preferences will continue to evolve, especially with the fast pace of technological development. Payment methods that are popular now will be outpaced by newer methods in the future. While credit cards remain popular, demand for noncard payment methods are growing faster than major card schemes. These alternative payment methods are designed to meet local needs and demand, often covering one or only a few markets, which is a major contrast with card processing. As a result, e-commerce businesses will need to adapt to evolving customer preferences by understanding payment trends on a local level and how to accept a wide variety of local payments on a global scale. First Data supports more than 175 markets, working with a complete client landscape from multinational corporations to sole proprietors operating online stores. Working with such a diverse July/August 2017
Industry news set of clients is what allowed us to recognize the need for a new solution for e-commerce businesses to be able to accept preferred payment methods around the world. The introduction of Local Payments expands First Data’s robust e-commerce portfolio, and we will continue to advance our capabilities to match the expanding global e-commerce market and serve the needs of businesses and customers within it. Jean Harvey is director of global e-commerce solutions at First Data. She has 15+ years of experience in product management, including First Data’s Card Not Present (CNP) processing platform and Global Alternative Payments program. Jean received her MBA from Stanford Business School and holds a BA in Economics with Honors from Spelman College.
Retail banks will increasingly use artificial intelligence to help determine credit ratings: GlobalData LONDON -- Artificial intelligence (AI) is anticipated to make a significant impact on the retail banking sector, such as using nontraditional data types to assign credit ratings to potential borrowers, according to research and consulting firm GlobalData. The company’s latest report explains how technologies such as machine learning, predictive analytics and natural language processing (NLP) are already making their mark in banking, with both front-office and back-office operations set to be transformed. From the consumers’ perspective, NLP technologies such as chatbots are starting to allow more effortless and intuitive interactions with banks. These chatbots often employ highly advanced analytics to offer financial insights to consumers, such as warning them when they are likely to go overdrawn or recommending changes in behavior that will allow them to save money. “Consumers, especially younger ones, can lack confidence around financial matters and find it hard to manage their finances effectively," states Daoud Fakhri, principal analyst for retail banking at GlobalData. "There is therefore a potentially large market for AIbased services that offer a guiding hand or can assume some of the responsibility for making appropriate decisions.” AI will also transform behind-the-scenes operations. One area that is already experiencing significant change is lending. Traditional credit scoring techniques are ill-equipped to deal with consumers who lack conventional credit records, which is a common occurrence in developing markets. However, some lenders are now using AI to analyze non-traditional types of data, such as mobile phone usage and social media profiles, to predict the creditworthiness of borrowers. “Although these consumers may not have access to regular banking services, many are heavy users of mobile phones and social media, and this generates huge amounts of data that can be analyzed to model their financial reliability," according to Fakhri. "There is therefore huge potential to widen access to credit without exposing lenders to higher levels of risk.” July/August 2017
Canada's FinTech adoption rate more than doubled in the last 18 months Insurance, money transfer and payments to see biggest increase in uptake
TORONTO -- FinTech adoption in Canada has increased from eight per cent to 18 per cent since 2015, according to EY's 2017 FinTech Adoption Index. The trend means both traditional banks and FinTechs are feeling the pressure to develop simpler, more transparent, customercentric financial services products. "Canadians know more about the FinTech options available than they did two years ago, and this trend is going to continue," says Ron Stokes, EY Canada's FinTech leader. "When it comes to banks and FinTechs, we're seeing what used to be a competitive mindset turn into a desire to collaborate. It's becoming clear that working for mutual benefit, rather than competing with each other, will result in more meaningful innovations, faster." Still, our traditional financial services sector holds strong—Canada has one of the lowest FinTech adoption rates around the world. Only 18 per cent of survey respondents in Canada have used two or more FinTech services in the last six months, compared to 33 per cent globally.
What's behind the adoption rate EY finds the primary reason Canadians haven't used a FinTech is because they likely don't know of any. But that could be poised to change. In EY's most recent survey, 22 per cent of respondents reported they had not heard of any FinTech—a lot fewer people than the 49 per cent who reported the same thing almost two years ago. EY expects awareness to increase rapidly, boosting the adoption rate to 34 per cent in the future. The second-most cited reason for not using a FinTech—respondents simply prefer to use a traditional services provider for their needs. This attachment to traditional players means FinTechs have to double down to build their brands and establish themselves in this competitive market. But the threat from FinTechs is still real and continuous investment in FinTechs or FinTech-like products is the name of the game for banks. "Because of the strength of the banking sector in Canada, we're seeing a lot of partnerships between banks and FinTechs," adds Stokes. "Banks are looking for faster and easier ways to boost their digital capabilities, both on the consumer side and in the back office. At the same time, Canada's FinTechs need access to more customers and resources to improve their offerings." EY's Unleashing the Potential of FinTech in Banking shows that banks are increasingly looking for improvements across the entire value chain— from gamification of compliance training to surveillance software. But collaboration is easier said than done. Banks need to be smart in picking the right FinTechs to collaborate with, and have strong innovation cultures to implement any new technologies. By the same token, FinTechs need to better articulate the clear benefits of their technology and work with banks to deliver change.
RBC first bank in Canada to enable bill payments using Siri New capabilities also include the launch of seamless P2P transfers within iMessage
TORONTO -- Thanks to an update to the RBC Mobile app, Royal Bank of Canada (RBC) personal banking clients are now the first in Canada who can ask Siri to pay their bills on iPhone and iPad. RBC also launched seamless Interac e-Transfer payments within iMessage, which means clients can send a transfer without leaving their iMessage window. Building on its market leading, free person-to-person (P2P) money transfer services for chequing account clients launched last year, and money transfers with Siri earlier this year, RBC continues to develop simple and innovative ways for clients to make payments and bank with their mobile devices. “By offering bill payments through Siri and P2P transfers through iMessage, we’re providing more convenient solutions to support our client’s payment needs,” said Sean Amato-Gauci, executive vice-president, cards, payments and banking, RBC. “Our clients are avid users of Interac e-Transfer payments, and embraced our launch of money transfers using Siri earlier this year. By giving clients the ability to seamlessly and conveniently bank using voice commands, we’re delivering simple and innovative solutions.”
Using Siri to pay bills with the RBC Mobile app Paying your bills using Siri is simple. Once you give the voice command, Siri will confirm the name from your payee list and the RBC Mobile app automatically debits your account and sends the payment. The payment is secure and protected by TouchID. Sending an Interac e-Transfer payment is just as simple. Clients simply type the amount of money they’d like to send to their contact in the iMessage window and authenticate the transfer using TouchID. These payment solutions are the latest enhancements from the RBC innovation labs, which test new ideas by partnering with academia, FinTechs and RBC clients to make banking easier. The RBC labs are actively working on a range of client solutions that will be coming to market this year. “We’re one of the leading voices on artificial intelligence in Canada, and our integration of Siri into bill payments and P2P transfers are an example of how our clients are already benefitting from these advancements in AI,” said Amato-Gauci. “We’re committed to providing clients with exceptional experiences when, how and where it’s most convenient for them, including exploring ways to integrate into social networks and digital platforms that are essential to their everyday lives.”
McAfee expands machine learning, automation capabilities to strengthen human-machine security teams
OpenDXL.com open source community launches and McAfee alliances grow to improve manageability of security operations BLACK HAT LAS VEGAS, Nev. -- McAfee today announced several new innovations that expand machine learning and automation capabilities to strengthen human-machine teams. Plus, McAfee announces support of OpenDXL.com, a new, independent collaboration portal that offers forums, free apps and more, giving OpenDXL users easy access to ideas and resources available for application integrations. These new advances build upon the company’s commitment to innovation, collaboration and trust, bringing McAfee’s mantra ‘Together is Power’ to life. “Today’s security teams are facing 244 new cyber threats every minute, amid a serious talent shortage. Siloed security, without automation, managed by overwhelmed teams is not a sustainable defense strategy,” said Raja Patel, vice president and general manager, corporate security products, McAfee. “Expanded machine learning and integrated analytics are part of McAfee’s vision for a fundamental shift in the way humans and machines work together to secure our digital world. By aligning the strengths of humans and machines, organizations elevate their operational maturity to better defend against the cyber threats we face today—and tomorrow.” 28
2017 Industry Events August August 22-23 The Prepaid Press tppEXPO’17 Las Vegas, NV prepaidpressexpo.com August 28-30 Mobile Payments Conference Chicago, IL mobilepaymentconference.com August 30-31 Mobey Day Toronto, ON mobeyday.com
September September 20-21 NAPCP Commercial Card and Payment Conference Toronto, ON www.napcp.org September 27-28 Western States Acquirers Association 2017 Conference Rancho Mirage, CA westernstatesacquirers.com October 4-5 BAI BAIBeacon17 Atlanta, GA bai.org/baibeacon
October October 12-14 CAMA EXPO 2017 Quebec City, QC vending-cama.com October 15-17 Association for Financial Professionals 2017 AFP Annual Conference San Diego, CA afponline.org October 16-19 Sibos 2017 Toronto, ON sibos.com October 22-25 Money20/20 Las Vegas, NV money2020.com
Visit us online
www.paymentsbusiness.ca July/August 2017
Service Directory Card Manufactures
EMV & NFC Consulting Secure Solutions for Payment & Identification
Since 1852, G&D has been an integral partner that is solutions orientated and trusted by banks, governments and carriers. Our solutions are founded on trust, integrity and the creation of value through Confidence. • Contact, Contactless and Dual-Interface Smart Cards • Mobile Payment • On-line Secure Authentication • Enhanced Card Identification
Toll Free: 1-800-387-9794
Print & Mailing
CMS PRINTING SERVICE. For all your printing needs.
• plastic gift cards • loyalty cards • R.F.I.D. and N.F.C. • software and web solutions
Call 416-755-7761 ext. 227 email@example.com NEW LOWER PRICING!!!
secure payment solutions
From web procurement solutions to R.F.I.D and N.F.C. promotional concept development, Colourfast Secure Card Technology can help your data drive profits to a new level. Contact us to see how we can empower your bottom line with Great Quality Plastic Cards, Technology and Real Data Solutions that will enhance your cards... and your business. 5380 Timberlea Blvd, Mississauga, ON L4W 2S6 Tel:(905) 696-8691 www.colourfast.com
see youR company name here Contact Mark Henry firstname.lastname@example.org 1800-668-1838 x 223
A single version of the truth The transformative power of global card payment acceptance standards By Arnaud Crouzet
ecent payments conferences have highlighted some pressing issues which, when addressed, have the power to transform the world of card payments acceptance. How can merchants’ payment acceptance systems harmonize across borders and deliver the kind of seamless interoperability that merchants need to expand quickly into new territories? How can they relieve the systems integration pain experienced when establishing a relationship with a new acquiring bank? What steps can they take to deliver a consistent payment experience for customers across different card networks, payment types and ‘points of interaction’ (POI)? Moreover, what can acquirers do to streamline the whole acceptance process and better serve the international ambitions of merchants, today and in the future? At the root of these issues lies a debate about standardization and, more specifically, how card payment acceptance standards can be consistently interpreted and uniformly implemented across the global acceptance ecosystem. Only through the application of a ‘single version of the truth’ can the goal of seamless, fast and borderless interoperability in card payment acceptance be achieved for merchants, acquirers, payment service providers and other payment stakeholders. I have good news to share: much of this work has already been done. nexo Standards, an open, global association whose members represent the full spectrum of card payments stakeholders, has already developed messaging protocols and implementation specifications for card payment terminals and other points of interaction that adhere to ISO 20022 standards, are universally applicable and freely available globally. The road that has led to this point, however, has not always been easily travelled. Take ISO 8583, for example. This is a standard that defines a message format and a communication flow enabling different systems to exchange transaction requests and responses. It has been used globally since 1987 but, since the standard has been interpreted variously by different stakeholders, implementations have differed 30
between countries, resulting in a multitude of systems that, despite being ISO 8583 compliant, still can’t talk to one another. More recently, in a bid to promote greater interoperability and facilitate easy payments acceptance across borders, the card payments domain of ISO 20022 (‘twenty-oh-twenty-two’) has defined ‘a single standardization approach, including methodology, process and repository’. Again, however, the ISO 20022 standard relies heavily on the actors in the ecosystem agreeing on a universal interpretation, together with a consistent mode of implementation and testing. This has been the goal of nexo Standards since its inception. Thanks to the open collaboration between ‘acceptors’ (acquiring banks and merchants), processors, international and domestic card schemes, payment service providers and vendors, a growing portfolio of nexo specifications, ‘test specs’ and messaging protocols have been developed that address the changing needs of the card payment acceptance ecosystem. These specs are made by the ecosystem, for the ecosystem and promote simple integration, enable cross border interoperability and facilitate innovation along the entire acceptance chain, from the payment terminal or point of interaction all the way to the acquiring bank and back again. Since the beginning, nexo has focused on technical development. Today, its portfolio of specifications and messaging protocols that enable all actors to establish a universally interoperable way of exchanging payment data is ready and is being actively deployed globally, today, by both major retailers and acquiring banks. nexo protocols are already processing millions of transactions every day. So, my message to the payments ecosystem is clear: the key to facilitating innovation in global card payments acceptance, to enabling fast and borderless interoperability and to resolving integration headaches between acceptance stakeholders is, simply, to ‘think nexo’. The association’s work is commercially neutral, contributes to international standards (ISO 20022) and is already proven through live implementations. For more information on nexo’s specifications and protocols, please consult www.nexo-standards.org. Arnaud Crouzet is general secretary of nexo Standards.
Card & Payment Conference To r o n t o , O n t a r i o • S e p t e m b e r 2 0 - 2 1 , 2 0 1 7
Bring a buddy at a discount! www.napcp.org/Canada The 2017 NAPCP Canadian Commercial Card and Payment Conference is the can’tmiss opportunity of the year for Canadian industry professionals. The conference features engaging educational breakout sessions covering key topics such as: fraud and compliance, expansion and optimization, implementation, ePayables, auditing and travel management. Sessions are presented by end-user practitioners who have hands-on experience and practical expertise.
2017 CONFERENCE SPONSORS
2017 CONFERENCE EXHIBITORS
Keynote Speaker Dr. Mahendra Gupta, Olin Business School, Washington University A Review of the 2017 Purchasing Card Benchmark Survey Results, with Emphasis on the Canadian Response
Advancing Commercial Card and Payment Practices Worldwide
2017 CONFERENCE MEDIA PARTNERS
Founded in 2000, the NAPCP serves a global community of more than 20,000 Commercial Card and Payment professionals.
P.O. Box 901 Wayzata, Minnesota 55391 USA +1 952-546-1880 ext. 4 email@example.com www.napcp.org/whyjoin
Seamless & Secure Solutions / Wherever, Whenever & However Consumers Choose to Pay
Get started info.ingenico.ca/digital ÂŠ2017 Ingenico Group. All rights reserved.