Payments Business Magazine July/Aug 2019


The Merchant’s Guide to Transactions, Cards & e-Commerce

How to outwit fraudsters ❱ Enabling faster (and secure) payments ❱ Tackling the regulations challenges ❱ The reality of RTP

Table of Contents

July/August 2019 Volume 10 Number 4

Editor-in-Chief Steve Lloyd
Editor Brendan Read
Publisher Mark Henry
Contributors Greg Brown; Roy Farah; Stacy Gorkoff; Arjun Kakkar; Jason Mugford; Roman Mykhaylyshyn; Amber D. Scott; Roger Sholanki; Rick Snook; Rich Stuppy
Creative Direction Jennifer O’Neill
Photographer Gary Tannyan
President Steve Lloyd

For subscription, circulation & change of address information, contact Publications Mail Agreement No. 40050803 Return undeliverable Canadian addresses to: Circulation Department 302-137 Main Street North Markham ON L3P 1Y2 t: 905.201.6600 f: 905.201.6601 Subscriptions available for $40.00 year or $60.00 two years. ©2019 Lloydmedia Inc. All rights reserved. The contents of this publication may not be reproduced by any means, in whole or in part, without the prior written consent of the publisher. Printed in Canada. Reprint permission requests to use materials published in Payments Business should be directed to the publisher.

Made possible with the support of the Ontario Media Development Corporation

Key theme: Security, Fraud and Privacy
Enabling faster (and secure) payments • The truth about AI and fraud • Preventing ATM cash-outs • The value of robust surveillance

Cover Story
How to outwit fraudsters

Compliance
Responding to evolving cyberthreats • Why compliance for blockchain/cryptocurrencies? • Tackling the regulations challenges

Payments Processing
The reality of RTP • Rejuvenating payments cards • EMV snapshot

Next issue… Sept/Oct: Data Analytics • FinTech • IoT & Wearables • Customer Service • Open Banking



Security, Fraud & Privacy

Enabling faster (and secure) payments By Arjun Kakkar


Digital commerce is growing [1], but it still represents less than 15 per cent of the total global retail business value [2]. One key reason is a far-from-seamless shopping experience. According to a study by the Baymard Institute, almost 70 per cent of U.S. shoppers end up abandoning their shopping carts [3]. Of these, about a fourth of users who were not just browsing abandon checkout due to a long or complicated checkout process. In Canada, six out of ten people surveyed say that a smoother checkout experience motivates them to choose one online retailer over another [4]. This hassle shoppers undergo extends to payments. In the U.S. last year, 97 per cent of physical store orders were approved by Mastercard. Yet barely 82 per cent of online orders were authorized [5]. This gap would be acceptable if it reflected elevated fraudulent attempts online, but that is not the case. According to a U.S.-based study, 25 per cent to 35 per cent of declined card-not-present transactions are false declines [6].

Changing the rules

The resulting global cost of friction in online commerce could be well above a trillion dollars, according to estimates of my company, Ekata. What’s stopping us from capturing this massive opportunity? The biggest reason is the lack of trust between consumers and businesses. From the consumer’s standpoint, they may not trust the merchants or payment providers enough to start sharing data. In Canada, more than half the respondents to a recent survey were concerned about the security of open banking, which allows third parties to make payments on behalf of customers and get secure access to customers’ financial transaction data [7].

Meanwhile, merchants and payment providers struggle with the balancing act between the customer experience and fraud prevention. If you focus more on improving the user experience by giving consumers unrestricted access, you risk high fraud and chargeback costs. Canada and other countries are moving to faster payments. But faster irrevocable payments also require faster fraud monitoring. If consumers can move money quickly, so can criminals, making it more difficult to trace the final destination accounts. On the other hand, if you focus on reducing fraud losses, you give your consumers a lousy user experience and lose lifetime revenue. Most importantly, in both these cases, the merchant loses customer trust. Fortunately, we can mold this dichotomy to lower friction and fraud by utilizing data and machine learning.

A practical faster fraud prevention approach

We recommend three interrelated imperatives.

1. Utilize relevant data across the ecosystem. The first step is to utilize all data that could help with risk signalling, including the device, behavioural, identity (including name, e-mail, IP, phone and address) and transaction data. In our experience, risk signals based on customer networks are invaluable. Industry players should also collaborate to share data that aids risk decisions. In a world where fraudsters are increasingly sophisticated in recreating customer identities, data from multiple sources will help find unique markers that identify the human behind a digital identity. Sourcing the data is only a part of the challenge, even after ensuring security and privacy. The more significant struggle is in putting this data to good use.

2. Use machine learning (ML) modelling before authorization to assess risk. The unique needs of real-time fraud detection, including large and diverse data sets, real-time decisions and continuous learning cycle times, make it an ideal candidate for ML models. We observe it in practice: our customers that use ML models realize disproportionately higher benefits versus those who use rule-based systems. That said, ML for fraud is a challenging problem. It is hard to get model training data since more than 99 per cent of cleared transactions are not fraudulent. The data may not be labeled right since some of the "friendly fraud" or legitimate transactions may be marked as fraud. If your model is doing its job well, only the hard-to-find fraud will go undetected, and subsequent models you build on this new data will start getting worse at detecting the easier fraud. Finally, another problem with ML when you use diverse data sources is “preprocessing” or preparing data for modelling. These are hard but solvable problems, but you do have to invest in long-term capabilities to capture the power of ML in fraud.

Merchants and payments providers also need to assess risk before account opening or payment authorization. The additional information is useful to determine the signup process. Without such a process, merchants tend to put all customers into a single high-risk high-friction bucket. For example, Europe’s new Payments Services Directive 2 (PSD2) requires “Secure Customer Authentication” or SCA, a high-friction authentication in case the payment service provider has not assessed the transaction risk.

3. Understand the customer's context to drive better user experience. Each merchant and payment provider needs to earn consumer trust. It starts with ensuring security and privacy. Luckily, regulations, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, give us an excellent framework for taking responsibility for consumer data. They put the consumers back in charge of their data, and consumers will only share their data with the brands they trust. As a result, brands that consumers trust have a differentiated market advantage. For example, PSD2 has a provision that may let consumers whitelist a business and avoid the need for future high-friction authentication.

An excellent user experience also drives consumer trust. To build a better online user experience, you need to understand the context that brings consumers to your app and purchase your product. But there is no silver bullet to achieve this goal, and the context keeps changing even within each customer’s journey. The context during the purchase experience (which products does the customer care about?) differs from that during payment (which payment option to offer in an uncluttered interface, e.g. Amazon Pay for Prime members). Remember, there is almost always a person, not a segment behind the digital data.

The common thread is the need for reliable data that improves the consumer experience and helps catch fraud. It is not a zero-sum game for online commerce players in the overall goal to create customer value and grow the share of online commerce. Those who will collaborate will win. Together.

Arjun Kakkar is vice president, strategy and operations, Ekata. He works with Ekata’s operating teams to drive customer value across e-commerce, payments, marketplaces and online lending verticals. Before Ekata, Arjun was a Principal with Booz & Company. He has a B.Tech. from IIT Bombay and an MBA from The Wharton School.

[1] Global Ecommerce Association, “Global Ecommerce Report 2017”.
[2] Corey McNair, “Worldwide Retail and Ecommerce Sales: eMarketer's Updated Forecast and New Mcommerce Estimates for 2016—2021”, eMarketer, report, January 29, 2018.
[3] Baymard Institute, “41 Cart Abandonment Rate Statistics”, web site, 2019.
[4] Payments Canada, “Payments Pulse Survey: Consumer Edition”, May 2019.
[5] Mastercard, “EMV® 3-D Secure A new frontier in battling fraud in digital commerce”, infographic, 2019.
[6] Vesta, “False Positives: The Undetected Threat to Your Revenue”, study.
[7] “Payments Pulse”, Ibid.



Security, Fraud & Privacy

The truth about AI and fraud By Rich Stuppy


Many merchants are increasingly turning to machine learning (ML) and artificial intelligence (AI) to help make faster and smarter decisions to automatically approve good transactions and reject fraudulent ones. The problem is that many companies that claim to use AI are just using rudimentary ML based on simple data. However, there is a better world on the horizon, where unsupervised and supervised ML come together and use technology to look at the patterns of safety that exist and weigh them against risk signals and anomalies to catch things that are “low safety” and high risk, including new types of fraud attacks. This is the sweet spot of stopping fraud and maximizing revenue.

Why AI

When it comes to fraud, AI has the ability to emulate the judgement and decision process of an experienced fraud analyst, yet do it faster, more accurately and at a much larger scale. It also can detect if a new type of attack is underway, thus greatly increasing the effectiveness of fraud prevention. Utilizing AI for fraud prevention is especially important in Canada where the digitization of payments is quickly evolving. Payments Canada reports that Canadian consumers are increasingly opting for digital methods of payments, such as contactless, online transfers and in-app purchases, rather than traditional forms like cash and cheques. For example, contactless transactions accounted for about 29 per cent of all point-of-sale card payments in 2017, up from only seven per cent in 2014 [1]. Here are best practices for deploying an AI fraud prevention solution that can truly help transform your digital business.

Implement supervised and unsupervised ML

Here’s why. Supervised ML models, which are trained on past activity, can detect known fraud attacks, but they fall short in detecting new attacks. Unsupervised models, for their part, can identify anomalous behaviour that indicates a new type of fraud attack. However, those anomalies are not always malicious. For example, maybe you just launched a new marketing campaign that went viral, and suddenly you have massive amounts of new customers making purchases that are different from what you’ve seen before. That’s an anomaly, but it’s not fraud. Once the anomaly is detected it still takes human intervention and supervised ML to make the proper judgement calls and ensure that these good transactions are not rejected. The combination of supervised and unsupervised ML then allows businesses to better weigh key variables and patterns against each other, so they catch high-risk transactions while allowing legitimate transactions to move forward without any friction.

Build more complete digital identities

It’s crucial to gather a lot more data than is typically collected by payments processors, whose ML models use just a handful of basic payment details—such as the credit card number, expiration date and postal code—to detect fraud. Instead, data sets should include additional critical information like e-mail addresses, device fingerprinting, mobile phone numbers and how long those people have been customers. All that data can be used to build more complex ML models that are significantly better at detecting fraud. What’s more, building a more complete digital identity for each customer is increasingly vital, especially as payments today are becoming less credit card-focused thanks to the rise of digital wallets and mobile payment systems. It’s essential, then, for any fraud detection system to not restrict its focus to the payment instrument itself, and instead to piece together a true digital identity for each customer.

Understand your risk tolerance

Here’s an illustrative comparison. A gaming company that sells high-margin virtual goods typically doesn’t mind a little bit of fraud if it makes the buying process more frictionless for all their good customers. The gaming company wants to make sure they get as many transactions as possible with the lowest number of declines. By contrast, a business selling expensive diamond jewellery has a much lower tolerance for fraud. So, what is your tolerance for fraud? Can you afford to introduce more friction for customers in order to reduce your number of chargebacks? And can the AI and ML in your fraud detection system be modified to support your level of risk tolerance? The ability to easily customize your AI to match your risk tolerance is a critical requirement.

Keep improving data quality

Giving the right information to your ML model can vastly improve its accuracy and effectiveness. For example, there are many reasons a transaction can result in a chargeback, such as delivery delays. You don’t want your model to decline a transaction simply because it originated in an area that traditionally experiences a lot of chargebacks due to that factor. Providing the right data and proper tagging can help eliminate that issue.

Protecting data and ensuring the authenticity of every transaction is the key to earning and keeping the trust of customers. The biggest benefit of AI is the ability for businesses to quickly arrive at highly accurate decisions that not only reduce fraud, but also drive bottom-line outcomes, such as lower operational costs and higher revenue. Now that’s just smart business.

Rich Stuppy is chief customer experience officer at Kount.

[1] Michael Tompkins and Viktoria Galociova, “Canadian Payment Methods and Trends: 2018”, Payments Canada, report, December 2018.



Security, Fraud & Privacy

Preventing ATM cash-outs By Stacy Gorkoff


The ability to detect ATM cash-out attacks as they are unfolding—not after the damage is done—continues to be a priority for IT operations and payments security teams. In today’s complex and ever-changing threat environment there remains no “silver bullet” that provides financial institutions blanket protection from fraud. In fact, according to the 2018 True Cost of Fraud study, published by LexisNexis Risk Solutions, every dollar of fraud now costs banks and credit unions roughly $2.92 in associated costs, a 9.3 per cent increase over 2017.

Early warning fraud detection is becoming more challenging due to:
• High-risk visibility gaps. Many of today’s advanced persistent threats are designed to fly under the radar of traditional single-point monitoring payment fraud defences or bypass back-end fraud management systems entirely;
• Increasing logical attack complexity and evolving criminal methodologies. New payments system vulnerabilities are being exploited through a combination of specially crafted malware, social engineering, siphoning and coordinated attacks; and
• Increasing infrastructure costs and resources. Many small to medium-sized financial institutions often have less sophisticated cybersecurity controls, fewer resources and smaller budgets, but face more third-party vendor liabilities.

Evolving fraud prevention requirements

Cash-out schemes that involve multiple attack vectors over a very large attack surface continue to happen, despite the high level of security implemented within many PCI DSS-certified environments. Here are several high-profile examples.

May 2018. The Central Bank of Mexico announced that hackers had stolen as much as USD $15 million from five companies by tapping into bank payment systems and performing numerous fraudulent transactions, including cash withdrawals.

August 2018. The Federal Bureau of Investigation (FBI) issued a warning of a global ATM cash-out scheme. Within days of that alert, India’s Cosmos Cooperative Bank was attacked. Cybercriminals installed malware on the bank’s debit card payment system to access card information, remove fraud controls, such as maximum withdrawal amounts, and exploit unlimited network access via fake or proxy servers. Criminals made off with over USD $13.5 million, using cloned cards to orchestrate 12,000 ATM transactions over a two-day weekend across 28 countries including Canada, Hong Kong and India.

October 2018. The United States Computer Emergency Readiness Team issued a joint Technical Advisory from the Department of Homeland Security, the FBI and the U.S. Treasury warning banks about the ATM cash-out scheme called “FASTCash”. In this attack, very specific financial request and response messages, for example ISO 8583, were targeted and fraudulent transactions went under the radar as traditional monitoring does not detect these kinds of attacks. This attack was also conducted across borders so that in-country controls were bypassed.

January 10, 2019. Visa issued an advisory to U.S. payment card issuers, advising them to be on alert for suspected ATM cash-out fraud schemes. Card issuers have been asked to increase their monitoring of ATM traffic and report any suspicious activity, especially ATM withdrawals involving prepaid cards.

May 2019. Dutch Bangla Bank Limited (DBBL), a local Bangladeshi Bank, was hit with a USD $3 million ATM cash-out attack when a Russian hacker group installed malware on one of the bank’s switches, thereby creating a proxy switch that went undetected for months. The malware was only uncovered after Visa tried to settle payment transactions with DBBL. By routing transactions through the proxy switch, hackers were able to withdraw funds from ATMs located in Cyprus, Russia and Ukraine without the bank ever knowing.

Why a multi-layered approach

Traditional fraud system management tools that make use of contextual information to analyze transactions will provide one layer of defence against cash-out attacks. But common single point monitoring solutions, such as those listed below, still run a risk of being compromised.

MAC’ing. Message Authentication Code or MAC’ing solutions add an additional layer of security by ensuring message integrity from the sender (ATM) to the receiver (Financial Switch or Authorization Host). But sometimes the fraudulent transactions never reach the authorization realm that would normally perform MAC verification. In the case of the “FASTCash” attack, which in essence is a variation of the “man-in-the-middle” attacks we have seen in card-not-present transactions, this lack of visibility therefore causes MAC’ing to offer little in the form of protection.

Transaction signing. Similar to MAC’ing, transaction signing may also fail to stop certain cash-out schemes. If the proxy switch or malware is in-line, the transaction never reaches the real authorization realm and an ISO 8583 approval response is provided to any transaction being routed to the transaction switch, rendering transaction signing irrelevant in this situation.

Malware management. In the case of the attack launched against Cosmos Bank, many banks may be inclined to assume that a malware management tool will suffice in preventing this sort of attack. Yes, malware management tools will be one layer of defence against such an attack, but it should not be the only one. These solutions can be compromised as well.

EMV chip and pin. Another common layer of defence is EMV chip and pin, and this has definitely limited the number of ATM cash-out attacks happening in Canada. But if attackers are using terminals from across the world that allow fallback transactions, EMV chip and pin will not be able to stop this attack. Fraudulent fallback transactions would be intercepted and approved by the proxy switch or malware and would never reach the real transaction switch or back-end, meaning the EMV check is never done.

Adding real-time, transaction-level monitoring

With the right set of real-time, statistical and machine learning techniques that build adaptive behavioural models, transaction-level monitoring and alerting has proven to be a reliable and cost-effective way to monitor for suspicious card activity and identify outlier transactions. Furthermore, it also provides the ability to monitor for message field tampering, missing transaction links and routing issues. Having a tool that independently analyzes every end-to-end transaction protects you from rogue switches approving fraudulent transactions. Multi-point, network-based data collection capabilities give you the power to immediately identify potential fraud attacks, even if these transactions bypass fraud management systems or if the fraud management system has been overridden by malware. Risk scores can be assigned to each individual transaction.

Flexible real-time alerts flag high-risk transactions and anomalies such as:
• Missing back-end transactions for identifying “man-in-the-middle” attacks. Fake processing where a transaction enters the payment switch, but never reaches the host for authorization due to switch malware or card compromise;
• A rise in transaction declines, unexpected EMV fallbacks, consecutive magnetic stripe transactions or reversal rates. They would be for a certain BIN (bank identification number) range, card type or group of devices;
• Excessive transaction clearing or stand-in transactions by the switch, over a set amount of time;
• Unexpected transaction anomalies and a rise in failed transaction rates. The transactions from a certain card or switch are failing or flagged as suspect activity due to high transaction volumes or unusual repeat card usage by device or geography;
• Increase in foreign card transactions. High volumes or unusual repeat foreign card usage from on-us and off-us locations;
• Status codes and response code errors. When a MAC or other TCP network error occurs, causing transactions to decline or be incomplete;
• Suspicious repeat terminal usage. This could be triggered by repeat card usage or transaction volume limits exceeded within a set amount of time;
• Isolating terminals used in a coordinated ATM cash-out attack. Creating visibility into implausible transacting scenarios, such as multiple devices or countries where the same bank card is being used in a limited period;
• High withdrawal velocity or abnormal numbers of high-value transactions. Flagging transactions based upon high volume, high amount or unusual repeat card usage at the same terminal or across an unlikely geographical area; and
• Distance-based card fraud. Knowing when the same card is being used for two consecutive ATM transactions that are not physically possible or likely.
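Three of the alert types listed above (missing back-end transactions, distance-based card fraud and high withdrawal velocity) can be expressed as checks over records collected at two points, the ATM-facing side of the switch and the authorization host. This is an added example, not code from the article or from any vendor; the record layout, field names, weights and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Txn:
    trace_id: str   # hypothetical end-to-end key, e.g. terminal id + trace number
    card: str       # tokenised card reference, never a real card number
    terminal: str
    lat: float
    lon: float
    ts: datetime
    approved: bool  # response the ATM received


def _t(hhmm):
    return datetime.strptime("2019-07-06 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample: responses captured on the ATM-facing side of the switch.
SWITCH_TAP = [
    Txn("T1", "card-A", "ATM-VAN-01", 49.28, -123.12, _t("10:00"), True),
    Txn("T2", "card-B", "ATM-TOR-04", 43.65, -79.38, _t("10:05"), True),
    Txn("T3", "card-A", "ATM-LIM-07", 34.68, 33.04, _t("10:20"), True),
    Txn("T4", "card-C", "ATM-TOR-04", 43.65, -79.38, _t("11:00"), True),
    Txn("T5", "card-C", "ATM-TOR-04", 43.65, -79.38, _t("11:02"), True),
    Txn("T6", "card-C", "ATM-TOR-04", 43.65, -79.38, _t("11:03"), True),
    Txn("T7", "card-C", "ATM-TOR-04", 43.65, -79.38, _t("11:05"), True),
    Txn("T8", "card-B", "ATM-TOR-09", 43.70, -79.40, _t("12:00"), True),
    Txn("T9", "card-D", "ATM-VAN-01", 49.28, -123.12, _t("12:30"), False),
]
# Constructed sample: trace ids the authorization host actually processed.
HOST_TAP = {"T1", "T2", "T4", "T5", "T6", "T7", "T8"}

# Assumed weights; tune them to your own risk tolerance.
WEIGHTS = {"missing_backend": 60, "implausible_travel": 30, "high_velocity": 20}


def missing_backend(switch_txns, host_trace_ids):
    """Approvals returned to an ATM that the host never authorized."""
    return [t for t in switch_txns
            if t.approved and t.trace_id not in host_trace_ids]


def _by_card(txns):
    """Approved transactions grouped per card, in time order."""
    grouped = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        if t.approved:
            grouped[t.card].append(t)
    return grouped


def _km(a, b):
    """Great-circle distance between two terminals (haversine)."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))


def implausible_travel(txns, max_kmh=900.0):
    """Second transaction of each consecutive pair no traveller could make."""
    hits = []
    for seq in _by_card(txns).values():
        for a, b in zip(seq, seq[1:]):
            hours = max((b.ts - a.ts).total_seconds(), 1.0) / 3600
            if a.terminal != b.terminal and _km(a, b) / hours > max_kmh:
                hits.append(b)
    return hits


def high_velocity(txns, window=timedelta(minutes=10), max_count=3):
    """Approved withdrawals that push a card past max_count inside the window."""
    hits = []
    for seq in _by_card(txns).values():
        start = 0
        for end, t in enumerate(seq):
            while t.ts - seq[start].ts > window:
                start += 1
            if end - start + 1 > max_count:
                hits.append(t)
    return hits


def risk_scores(switch_txns, host_trace_ids):
    """Sum the weights of every rule each transaction trips, keyed by trace id."""
    rules = {
        "missing_backend": missing_backend(switch_txns, host_trace_ids),
        "implausible_travel": implausible_travel(switch_txns),
        "high_velocity": high_velocity(switch_txns),
    }
    scores = defaultdict(int)
    for rule, hits in rules.items():
        for t in hits:
            scores[t.trace_id] += WEIGHTS[rule]
    return dict(scores)


if __name__ == "__main__":
    for trace, score in sorted(risk_scores(SWITCH_TAP, HOST_TAP).items()):
        print(trace, score)
```

The declined record T9 never reached the host either, but it is not flagged: only an approval that the host has no record of indicates a response generated somewhere other than the real authorization system.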

Extending real-time detection to real-time prevention

Immediately detecting suspicious activity and receiving real-time risk advice for every transaction is a great advance in the battle against fraud, often helping IT operations and payments security teams evaluate and take action within minutes. While real-time suspicious activity monitoring is an essential layer to any fraud prevention strategy, it can still be too late to stop fraudulent transactions. When selecting a real-time transaction level monitoring tool, it is essential that it also include fraud prevention capabilities, such as intelligent infrastructure adaptation rules and port blocking that identify and reject transactions that do not conform to end customer behaviour patterns.

With a combination of real-time fraud detection and prevention, IT operations and payments security teams can now halt fraudulent transactions before they are approved. By utilizing real-time alerts to instruct firewalls to block suspicious traffic in flight, you can stop fraudsters in their tracks before they impact your bottom line.

In light of all the headline-grabbing ATM cash-outs and cyber security breaches we are continuously hearing about today, it’s understandable that your financial organization might be looking for ways to prevent being thrust into the spotlight. If this is the case, a multi-layered defence strategy will help you secure your systems and information assets, meet customer security expectations and be ready to defend against cash-out attacks.

Stacy Gorkoff is vice president of marketing and channel development for INETCO Systems Limited. She is responsible for overseeing strategic marketing, brand awareness and communication initiatives. Stacy has over 15 years of experience working with leading edge network monitoring and application performance management companies in a marketing, communications and business development capacity.



Security, Fraud & Privacy

The value of robust surveillance By Rick Snook


n 1957 a bank robbery in Cleveland, Ohio, where a man and his accomplice forcefully approached a teller, stuffed over $2,000 in a bag and ran out to their getaway car, became the first ever to be captured on film and caught soon after1. Fast-forward from that single analogue camera to today’s sophisticated digital security system and it’s clear that surveillance has come a long way. With every new step that financial institutions take, from adding more ATMs to launching mobile banking platforms, criminals try equally novel methods to circumvent security measures. While the age-old hold-up has given way to cybercrimes like sophisticated phishing campaigns and identity theft, it’s at the ATMs and the branch level where the final criminal acts are often committed. The losses are staggering. In 2016, Canadian banks reimbursed customers for more than $900 million in losses as the result of credit and debit card fraud, according to the Canadian Bankers Association2. A robust surveillance system based on high-definition (HD) cameras remains one of the best ways to investigate a crime while providing a deterrent. Here are the key areas that these systems can help. ATM vestibules. Most ATMs today have built-in cameras that can provide high-resolution images of the persons conducting the transactions while protecting the privacy of their PIN entries on the keyboards. A flexible HD camera installed discreetly can capture and identify features of the users. Comparing transaction data and tying it to the videos can be useful when investigating claims of card theft. In-camera analytics can detect “card mining”: when someone has been using multiple cards to withdraw money from multiple accounts for a prolonged period. Remote access allows you to facilitate investigations quickly without accessing the ATMs. 
An anti-tampering alarm will immediately alert security if someone has covered or redirected the camera and audio detection functionality sends an alert when specific sounds are produced, like glass breaking. Behind the scenes security. Bank and credit union branches handle significant amounts of cash, and supervision of areas behind 10


July/August 2019

Security, Fraud & Privacy the ATMs is therefore also required. Whether it is the process of reloading ATM machines or pulling out and reconciling the day’s deposits, transactions and cheques, this is a vital area that needs to be secured and monitored. Loitering and peeking. Another concern with ATMs is loitering: a predominant problem notably in urban areas where homeless people use ATM vestibules as shelters. Loitering software can detect when someone has been in the vestibule for a set period and will send an alert to a central investigation office or directly to security staff, who can move them along. While loitering is generally more of a nuisance than a crime, it does create a risk for individuals using ATMs and an uneasiness about the level of safety. In Europe, cameras with audio capabilities have been deployed to detect when a person comes too close to someone using an ATM. If this happens, it will queue an audio message that is played from a speaker to alert the ATM customer as well as prevent someone from creeping up and looking over one’s shoulder to obtain a PIN number. Entrances and exits. Branch exits and entrances should be secured with HD cameras that can capture clear facial shots, even in poor lighting, so that it would be possible to identify a person if a crime was committed. Lightfinder technology allows for colour video even in very low light conditions, which can be of utmost importance for accurate identification of people, vehicles and/or incidents. When most day-and-night cameras would switch to night mode and grayscale video, cameras equipped with Lightfinder technology keep delivering colour video at all hours of the day. Facial recognition software can be utilized as well, to flag people who’ve already been identified as a security risk, either from previous activities at that branch or as someone who is known to police. Teller lines. Robberies at the branch level still happen. 
Installation of HD cameras at teller lines have become the norm to aid with the identification of individuals. In the cash handling process, mistakes

July/August 2019

and light fingers can cost money. But with the right cameras in place, the smallest details can be captured in every situation, so you can determine what went wrong and who was involved, with video evidence captured for use in possible claims. If analogue cameras are still in play, they can be upgraded with digital encoders, allowing the entire system to record in digital format for easy search and advanced functionality. Analytics for branch and ATM transformation. Surveillance is primarily used for security purposes, but using it to enhance the business for operations, safety and marketing purposes can transform the customer experience. Camera analytics provide information of when peak periods occur by monitoring the foot traffic and length of time spent in the branches and at the ATMs. With this valuable data the bank or credit union can provide an enhanced customer experience by adjusting their branch staffing levels, opening additional tellers to reduce delays, and adjusting the number and location of ATMs and vestibule features, resulting in improved customer satisfaction. We’ve come a long way since the 1957 bank robbery video footage, and today’s changing threats and business needs require enhanced security solutions. With a robust network of HD cameras armed with analytics we are innovating for a smarter and safer world. Rick Snook is business development manager for Axis Communications (, which provides network video and security and surveillance solutions. He has over 34 years of sales, marketing, technical and design experience in the electronic security industry. Rick has been involved with industry associations such as the Canadian Security Association, ASIS and the Security Industry Association for many years. He was awarded the R.A. Henderson Award for his achievements within the security industry and making significant contributions to the advancement of the interests of the entire industry. 
1 Alaina Nutile, “In 1957, Cleveland was the first city in the world to capture a bank robbery on film”, Cleveland Scene, October 29, 2014.
2 “Focus: Protecting Canadians from Fraud”, Canadian Bankers Association, web site, September 20, 2017.



How to outwit fraudsters

By Greg Brown


Stealing a person's hard-earned money is nothing new. However, in today's world of almost instant payments, the methods used by fraudsters for payment fraud have evolved. While the digitization of payments has made making financial transactions more convenient for consumers and financial institutions (FIs), it has also made detecting fraudulent transactions increasingly difficult. After all, instead of days, transactions worth millions can now be completed in a matter of mere seconds. On average, 12 million transactions are conducted via debit card in Canada each day, stated the Canadian Bankers Association. This makes Canadians among the highest users of debit cards and hence puts the group at high risk for payment fraud. Most Canadian banks offer zero liability fraud policies. In 2017, retailers lost a total of $31 billion due to chargebacks alone. The industry is now losing 1.8 per cent of all revenue to fraudsters and related fees, according to Chargebacks911®. Thus, the need for fighting payment fraud is very apparent.

Common payment fraud types

With payments turning digital, fraudsters no longer need to be in the same geographical vicinity to steal a person’s money. Identity theft is the most common form of payment fraud. Given the ease with which information about a person is available on social media platforms, criminals can easily impersonate an individual and hack into their bank accounts. Once they have access to the individual’s card details, they can use them for card-not-present (CNP) transactions on online platforms. Other common types of payment fraud include false invoicing, which relies on individuals not paying adequate attention to invoice details, scam e-mails and phone calls. According to a report released by Emerging Payments Association, up to two-thirds of all payment frauds involve deceiving individuals into disclosing their security details.

Fighting fraud

As the payment industry evolves and the digital economy facilitates faster transactions between individuals, businesses and FIs, fighting payment fraud has become a priority. Existing security measures such as chip-based cards have already significantly reduced the extent of card-present fraud. FIs like banks and credit unions also advise consumers to follow simple strategies such as:
• Informing suppliers after invoices have been paid;
• Verifying requests for changes to supplier’s account details;
• Removing personal information from social media platforms that could be used to hack into your account; and
• Not divulging account and security details to anyone.

Here are several other key steps and tools to take to fight fraud.

1. Two-step authentication. In many cases, thieves can conduct fraudulent transactions by hacking into smart devices. Introducing two-step authentication makes conducting these transactions more difficult as long as the second step of authentication is through a different mode. One-time passwords sent to mobile numbers or e-mail addresses are the most common form of two-step authentication.

2. Biometric authentication. Biometric authentication uses an individual’s unique physical characteristics to verify their identity as an additional security layer. Fingerprints, voice recognition, iris recognition and face recognition are the most common biometrics used. Biometric systems are difficult to fool and are easily accessible. Embedding biometrics in payment systems ensures that transactions are being made by the person holding the account and not by an imposter.

3. Stringent Know Your Customer (KYC) procedures. These include electronic Identity Verification (eIDV), which is a tailorable process that helps secure financial transactions without compromising on convenience. Real-time authentication provides a quick solution to KYC by matching names to addresses. It ensures fast onboarding or e-commerce checkout while protecting against fraud and money laundering without having to spend a ton of money. Additional levels of authentication can be added on depending on a company’s specific sign-up process and risk management requirements. eIDV can check national ID and age, match against international watch lists and perform Politically Exposed Persons (PEP) screening. For this to be enabled, organizations must have access to reliable data that can be verified across multiple sources. This is known as 2x2 verification. Once completed, KYC procedures must also be constantly updated. Accurate customer identification not only protects the consumers, but it also protects FIs from transactions involved in money laundering, thus protecting their reputations.

4. Machine learning and behavioural analytics. Machine learning uses historical data associated with an account and complex data analysis to understand patterns of legitimate payment transactions. Combining this with human insight, it can help identify and prevent potentially suspicious or unusual transactions that may be fraudulent. Neural networks and artificial intelligence (AI) can also be used to spot suspicious or erratic card usage.

The bottom line

When companies truly know their customers, they greatly reduce the risk of fraud and chargebacks, save time, money and resources and are able to provide more efficient customer service. As FIs and criminals strive to outwit each other, the combination of technology and human expertise will play a crucial role. Above this, it is also important for governments, law enforcement agencies and industry players to collaborate and work together to win the war on payment fraud.

Greg Brown is vice president of global marketing, Melissa. Greg powers Melissa’s brand management, business-to-business, Internet and e-mail marketing strategies. He is an ANA-certified Marketing Professional and having worked for more than 15 years on both the client and the agency side, he brings a unique perspective to developing creative, results-oriented marketing programs to acquire and retain customers.




Responding to evolving cyberthreats By Roman Mykhaylyshyn

New and constantly evolving technologies, including in the payments industry, are resulting in new products and services, and as such they have become an integral part of day-to-day lives: and this trend is far from over. However, as with most things, innovation comes with risks. With digital information becoming increasingly valuable, data breaches, private information exposure and cybercrimes (like ransomware, malware, cracking and social engineering) have caused disruption and have forced many organizations to invest in cybersecurity. But despite these security risks, the benefits of speed and convenience of these new technologies to the consumer (like contactless and mobile payments) can outweigh the risks of potential compromise.

While the onus and responsibility for abovementioned actions often falls on the organization, being proactive and prepared to respond to information incidents has become a critical element of successful breach response strategies. Mandatory security safeguards breach notification came into force in Canada as part of the Personal Information Protection and Electronic Documents Act (PIPEDA) in November 2018, and advanced preparations for incidents can be useful as a mitigating factor with regulatory bodies. Credit reporting agencies can help as they have access to personal and financial information of millions of Canadians. Some of them offer breach response solutions available to help manage the customer lifecycle in response to a data security incident. Organizations can embrace advanced solutions that provide a robust breach response toolkit, comprising products, services and consultative assistance.

Payment trends

A few industry-wide trends are evolving in the payment eco-space that have impact on consumer information and security:
• Payment streamlining. In the spirit of enhanced consumer experience, organizations will look to further improve payment processing by adopting innovative technology. With more players entering this space, data flow, cross-border information traffic, ongoing upkeep and maintenance of tech stacks—and encryption innovation and information security—will become even more important;
• Fraud. While traditionally considered a problem of financial institutions or individuals, organizations that process payments run the risk of improperly safeguarding consumer personal and financial information. In some instances, storing too much information or focusing on the transaction processing aspect of the interactions with cyber protection can be considered lower priority;
• Cost versus benefit balancing act. Frictionless transactions will demand businesses to carefully consider the trade-off between potential fraud mitigation and revenue decline due to consumer attrition; and
• Cross-border transactions. With scale and market share gain being of importance to most businesses, especially in North America, one must be careful to determine the impact of data being shared across the border with regards to privacy and legal ramifications as well as data safeguarding.

Steps to take

While each incident is unique and will require a tailored response, there are certain actions organizations will need to take, regardless of the nature of the incidents. Investing in breach response solutions that assist in protecting consumers from potential identity theft and the preservation of organizational reputation and credibility is no longer an option for organizations. An organization’s cyber protection framework can be built on three key pillars.

1. Readiness. “It is not a matter of if, but when and how badly” is not just a catch phrase. Having a proactive plan and arrangements in place could save a lot of time and cost, especially in a crisis. In the event of a breach, it’s important for organizations to prepare and activate a response plan to help protect their customers, and to have the right processes and partnerships in place to minimize potential damages.

2. Response. Credit monitoring is often considered as a default breach response tactic. While credit reporting agencies provide these services, organizations should continuously look to assist consumers by not just offering access to credit scores and credit alerts, but by also incorporating relevant value add enhancements. Examples of such enhancements can include identity theft insurance, dark web monitoring and identity restoration.

3. Remediation. While providing consumers with a level of protection is important, it is also important to have frameworks


Continued on page 21





Why compliance for blockchain/cryptocurrencies? By Amber D. Scott


Most compliance professionals first hear about cryptocurrencies, like bitcoin, and blockchain projects in terms of risk. Questions then arise: from whether these products can be used to launder money and finance terrorism (yes, as can every other payment method, but they aren’t great for this purpose), to whether or not it’s prudent to expose personal information on a public blockchain (it isn’t). Nonetheless, there is a massive potential for both good and malfeasance. As a result, the Financial Action Task Force or FATF has recently issued guidance related to anti-money laundering (AML) for virtual assets and virtual asset service providers¹. While bitcoin wasn’t the first cryptocurrency, it may have been the first to garner something resembling longevity and widespread adoption. Two of the most common questions that I hear from the “traditional” financial world about bitcoin are why any Canadian would use it, and whether it is only useful for criminal enterprises.

Why use or accept bitcoin?

On the first question, it’s important to set the stage. When I’m making or receiving payments within Canada, in Canadian dollars, I generally have a lot of choice. The banking system is stable and connected. Snafus happen from time to time, but they get sorted out. This is all true: but in each of those instances, I am relying on “trusted” third parties to complete my transactions and hold my funds. For anyone who has escaped an oppressive regime or survived the type of economic event where funds are seized or otherwise disappear from bank accounts, there will be a degree of discomfort in trusting any third party entirely. While Canada’s economic system is relatively stable and well-regulated, this discomfort remains. The ability to have financial sovereignty, and to complete transactions without intermediaries, is a significant part of Bitcoin’s value proposition.

Beyond Canada, different payment challenges emerge, even within G-20 countries. Paying a vendor, even a vendor using the same bank in another country, can be expensive and arduous. Now imagine that instead, you could pay that vendor directly. Imagine that once that transaction is confirmed on the blockchain (a public ledger that can be verified by anyone), it is complete and irreversible. Imagine that this process generally takes less time than it takes to brew a pot of coffee, regardless of the amount that is sent. Imagine that the fees to send a transaction are a fraction of what you would pay to send a wire via a bank. This is how Bitcoin has been operating. It is the most hassle-free way that I’ve experienced to handle international settlements: even when accounting for learning about security, the technical jargon and bitcoin’s price fluctuations.

The dark web of payments?

Now, let’s get to the second question: aren’t bitcoin and other cryptocurrencies just hotbeds for crime? We’ve all read about sites on the dark web selling everything imaginable. Powerful investigative tools have been developed and are being used by law enforcement and cryptocurrency exchanges. Although Bitcoin’s blockchain can be seen by anyone, names and other personal information are not generally attached to transactions. It is possible to see that the transaction happened, but it takes a bit of work to figure out who the transaction belongs to. Another important note is that transactions on Bitcoin’s blockchain are immutable. This means that they cannot be altered or erased. Taken together, this is bad news for criminals that think of bitcoin as being an anonymous and untraceable way to move value.

Clear guidance is needed

Nonetheless, there are real compliance challenges. Regulations that will see “dealers in virtual currency” regulated as money services businesses in Canada have just been published and will come into force in 2020². While many Canadian exchanges have already put compliance programmes and other controls in place, this is not always the case. Moreover, some of the tokens that have been traded on exchanges have been deemed to be illegal securities offerings (although most Canadian exchanges have been relatively conservative and have not offered this type of product). There

Continued on page 21




Tackling the regulations challenges By Roy Farah


Ask any financial services professional, like those in a major bank or in a small credit union, and they will universally name their biggest challenge in one word: regulations. Canada has some of the strictest rules in the world, and while newer initiatives like open banking are still in the discussion phase here, they’ve already been in place in the U.K. for over a year. It should come as no surprise then that compliance with them is a hot topic amongst financial leaders in a recent piece of research Western Union (WU) commissioned with Bobsguide, titled “A New Payments Paradigm”. Industry experts identified several key concerns relating to the headache of implementations. The top challenges are technical complexity, sourcing talent, impact on the client experience, cost and timelines. Together these factors are the major contributors to the success of regulation adherence. As new rules come into play, the ability for a financial institution (FI) to efficiently implement and communicate the change can vary greatly as a result.

Technical expertise deficiency

Each of these factors is interrelated. And of these, technical complexity is of chief concern. Many FIs run off legacy systems and joint programmes. Making significant changes is often an overwhelming task. Anyone overseeing this part of the business is under great pressure to ensure it does not negatively interfere with client activities, such as causing service interruptions or requiring numerous new steps for transactions. The core of these issues lies with the talent problem. There is a major deficiency in technical expertise in the financial services industry. Those with a keen understanding of technology and how to best serve the customer are in high demand. The ability to attract—and retain—these individuals will be a strong focus in the next few years, especially as FinTechs continue to grab enterprising young brains from more established organizations.

Preparedness for new rules

Canadians can be excused for experiencing regulation fatigue, as recent years have brought an onslaught of new rules. In fact, more than half of professionals are less-than-confident in their institution’s level of preparedness for new directives. But it’s not that the regulatory landscape is suddenly impossible or unworkable. It’s a huge undertaking due to the infrastructure and processes that are deeply embedded in the industry. Simply put, banking infrastructure isn’t easily adjustable. A straightforward requirement like an activity timeout on an online platform can end up taking a substantial amount of staffing and money. The underlying platform—coupled with countless updates and fixes—likely never planned for such a need. Consequently, challenges such as these allow FinTechs, that can design from scratch with these shortcomings in mind, to swoop in and snatch customers with their easy interfaces.

Potential solutions

Is there a possible solution in sight? After all, frustrated banking and credit union professionals have been dealing with the cycle of new regulations and implementations for decades. Recently, the industry has become more open to collaborating in order to tackle these new rules. In fact, more than one third of surveyed North Americans from the WU report think this is the optimal solution. After all, many businesses are dealing with the same technology and process frustrations. Working together could save both time and money. It’s still unclear just how cooperative institutions truly wish to be. One year in the U.K.’s open banking initiative has brought both innovation and an avalanche of compliance, depending on who you ask. Canada started 2019 by receiving a comprehensive report on the possibility of implementing such a process. After weighing the pros and cons, there could be legislation in the near future.

Financial professionals are asking for better support from regulators and increased staff training. On average, compliance departments worldwide have increased their headcounts based on the added demands placed on them by recent regulations. As banks of all sizes look to streamline and cut costs, continuously swelling this number is not a sustainable strategy. Industry experts hope that emerging technologies can help alleviate the burden, but current landscapes call for more manual efforts. Future hopes also include the prospect of treating regulations as an opportunity, rather than a burden. After all, recent legislation has aimed to facilitate innovation and competition. If financial professionals start to pursue their solutions to this ongoing problem, FIs can finally stop dreading the next big change.

Roy Farah is the Canadian vice president of Western Union Business Solutions (https://


Payments Processing

The reality of RTP

By Jason Mugford


Each year, payment processing inefficiencies cost Canadian businesses between $2.9 billion and $6.5 billion¹. Business-to-business (B2B) cross-border payments are one notable example of this, as they are particularly time-consuming and can be prone to error. Treasury professionals across industries are frustrated by the legacy systems of correspondent banks. B2B payments make up almost 80 per cent² of all cross-border payment revenues. Yet financial institutions (FIs) have not focused on innovating the B2B customer experience for seamless digital banking to the same extent that they have for business-to-consumer (B2C) payments. Global B2B payments also have the thinnest margins for service providers, and FIs have historically lacked the incentive to improve the inefficiencies associated with them. As small-midsized enterprises expand their global reach, however, the B2B cross-border payments market is poised to grow, presenting an untapped opportunity for payments disruption.

Need for speed

Real-time payments (RTP), also known as instant payments, have a role to play in addressing the key pain points of inefficient payments processing, including speed, traceability and transparency. They offer a way to deliver payments in a matter of minutes or hours at any time of day, 365 days a year and with lower return rates. For banks, RTP is a necessary offering to stay competitive. Globalization has led consumers and merchants to expect a consistent and hassle-free payments experience wherever they are. In addition to speed, innovation in the RTP space centres around the transparency and traceability of payments. According to a SWIFT/EuroFinance survey, 47 per cent³ of corporate treasurers want competitive pricing, transparent charges and extended global coverage before embracing new technology. It is no surprise that RTP players are also looking at transparent pricing.

From increasing the transparent nature of associated liquidity, counterparty risks and compliance costs to eliminating them altogether, RTP offers an exciting alternative to traditional methods like cheques and wire transfers in improving the B2B cross-border payments journey. However, deciding on what that real-time offering will look like is still not a foregone conclusion for FIs. Considerable debate swirls around how RTP will impact operations, risk and compliance and the usefulness of the application in general. Customer-to-business (C2B) and peer-to-peer (P2P) payments have naturally gravitated towards this technology: 75.1 million same-day automated clearing house (ACH) payments were made in 2017, totalling more than $87.1 billion. Yet, only six per cent of those same-day ACH payments were B2B transactions⁴.

RTP limitations

There are several limitations to RTP that suggest it is not the silver bullet solution to improve the payments processing experience for B2B cross-border transactions. The adoption of faster payments is by no means universal. About 40 countries have RTP programmes in place or live⁵, but these networks are mostly only available in local currencies, so sending USD payments will not work. At the same time, while there is demand from customers for faster payment delivery, RTP is still not a priority for many FIs. This is due to the method’s inherent risk and finality. Instant payments are immediate and irrevocable, and there are large unknowns surrounding the potential security and fraud risks inherent in the instantaneous nature of payments.

Given the current processes and payment networks, there will be limitations on the adoption of cross-border RTP. Currently, payment providers need to set up relationships with the banks in each country to be able to take advantage of that country’s RTP. These same banking partners have minimum requirements and costs to consider before opening accounts. In addition, the due diligence process is very expensive and time consuming. The current anti-money laundering (AML) and regulatory environments, combined with the costs due to these controls, will continue to keep the rate of adoption moving at glacial pace for the immediate future.

One piece of the puzzle

The reality is that while faster payments are a necessary and crucial piece of the B2B cross-border payments journey, they are still only one piece of the puzzle. Another is moving away from cheques and wire transfers. But many companies still use wire transfers, and cheques still make up half of all B2B payments in the U.S.⁶ despite the arrival of ACH on the payments scene. Still another piece is reducing friction. Similarly, RTP has a vital role to play in the frictionless future of payments. However, it is still just one solution to reduce some of the pain points of the B2B cross-border payments experience.

The potential for RTP to make fast payment settlements a reality teases relief for a major pain point currently felt by many FIs and their business clientele. While customers expect hassle-free payments, sending a payment in the blink of an eye does not directly address the visibility or flexibility that is needed to transform the traditional payments processing experience. Reconciliation errors are a common inefficiency in B2B cross-border settlements, and the ability to plan ahead is not a capability universally enjoyed by organizations that manage and operate accounts held in different banks across the world.

The shift to faster corporate payments will have profound implications for FIs and FinTech companies. Correspondent banking is already experiencing a slight decline with a 4.1 per cent decrease in the number of these relationships in 2017 compared to the previous year⁷. FIs are changing how they operate in order to be agile, striking strategic collaborations with FinTechs and third-party service providers to improve the efficiency and visibility of corporate payments. RTP presents FIs with the opportunity to better serve their customers. However, there are also drawbacks in the short-term. In considering the right offering that provides faster corporate payments, success will come down to banks and FinTech companies delivering a customer-centric payments experience.

Jason Mugford is president and CEO at AscendantFX, a technology-based payments solutions provider.

1 Payments Canada, “Payments modernization could save businesses billions”, press release, February 6, 2018.
2 Olivier Denecker, Florent Istace, Pavan K. Masanam and Marc Niederkorn, “Rethinking correspondent banking”, McKinsey & Company, June 2016.
3 SWIFT, EuroFinance, “64% of corporate treasurers ask for real-time payments tracking”, press release, October 4, 2017.
4 “How B2B Payments Could Find Its Footing In A World Moving To Real-Time”, PYMNTS, December 28, 2017.
5 “From Cash To Real-Time Payments”, PYMNTS, December 6, 2018.
6 Eran Feinstein, “How Is FinTech Impacting B2B Payments?”, Medici, blog, July 4, 2017.
7 “Financial Authorities Press Collaboration To Improve Global Corporate Payments”, PYMNTS, November 21, 2018.




Rejuvenating payments By Roger Sholanki


The wellness industry is increasingly turning to new technologies to automate daily operations, increase customer satisfaction and drive business growth. One of the operational areas getting a technology makeover at spas, salons, gyms and other wellness businesses is payment processing. Flexible payment options, integration capabilities, mobile functionality and e-commerce solutions are some of the trending technology features wellness companies are adopting in initiatives to upgrade their payment systems.

More payment options

Payment processing solutions that provide clients with convenient payment options are a must for wellness industry businesses. Clients want to interact with businesses on their own terms, and that includes paying for products and services. Limiting customer payment choices increases the likelihood that these clients will go elsewhere to a business that accepts their preferred payment methods and makes transactions easy for them. Therefore, the more payment types offered the greater competitive advantage.

The ability to accept a variety of payment types like Visa, Mastercard, American Express, Discover, debit, automated clearing house (ACH), gift cards and near-field communication (e.g. Apple Pay) offers clients the flexibility they want and can pay dividends by engendering loyalty and repeat business. Offering a variety of payment options allows wellness businesses to take their business online and boost their bottom lines through gift card sales and acceptance of online booking deposits that reduce appointment no-shows.

Integration

Payment solutions that integrate with existing cloud-based platforms can help wellness companies streamline operations and manage their business and payments all in one place. Cloud-based wellness management software that integrates merchant services to manage and complete payment processes smooths out business workflows and provides a seamless, uniform experience throughout the customer journey. These integrated cloud-based systems can handle everything from point-of-sale purchases to credit card processing, membership billing and loyalty points tracking and redemption. An added bonus is that these integrated platforms provide easier ways to handle data analysis, refunds and payment errors, freeing up wellness company staff to focus more attention on servicing clients.

Another key consideration for integrating payment processing into existing cloud-based management platforms is the need for wellness enterprises to meet increased security protocols and requirements to protect sensitive customer information, including credit card data. Integrating payment systems into cloud-based platforms can help wellness businesses protect customer data and reduce the risk of costly and reputation-damaging data breaches.

Mobile functionality

One of the leading payment processing trends for next year is the continued emergence of in-store mobile payments as a preferred consumer payment method. Delivering unified mobile payments experiences to clients is rapidly becoming a key driver of revenue and sales opportunities for wellness businesses in order to meet consumer demand. Here’s why. Mobile payment functionality helps improve client relationships and streamlines the payment process by automatically adding sales tax, calculating tip amounts and sending e-mail receipts to customers. Mobile payment technology can also create and offer specials and discounts, such as introductory pricing for new clients and preferred pricing for top-drawer clients, displayed directly on their mobile devices. Additionally, it provides efficient sales reporting with technology that incorporates the latest industry security standards certifications.

The wellness industry is seeing this client preference to forego cash in favour of secure, fast, mobile payments as more and more consumers across the globe opt to pay for purchases by waving or tapping their smartphones onto electronic readers. Canadians are embracing this trend as well. As Canada continues to modernize its payment system, cash is losing favour to contactless payments. According to Moneris, contactless transactions accounted for 41 per cent of all payments in Canada as of Q2 2018¹. Contactless payment options such as Google Pay provide the opportunity for spas, gyms and other wellness businesses to offer a complete customer experience, linking payment methods, gift cards, reward and loyalty programmes and special offers together in one place. This fully integrated system not only enhances the client experience, but ultimately benefits merchants by increasing customer engagement.

Customer demand for better and more secure payment options is driving a technological shift.

E-commerce solutions

Many spas and wellness companies sell products online, and hence need an online platform that provides the same seamless payments experiences, excellent security and payments accuracy that their customers find in bricks-and-mortar locations. These businesses are looking for e-commerce solutions that provide online payment capabilities and enable them to expand revenue by selling everything from products to gift cards and memberships. Convenience and 24/7 accessibility, as well as a range of available products and services, attract consumers to e-commerce sites, driving exponential growth of these selling channels and increasing profits for spa and wellness businesses. To put the growth of e-commerce in perspective, as of 2018, e-commerce retail trade sales in Canada amounted to almost $1.6 billion². Meanwhile, revenue generated within the retail e-commerce market is expected to surpass USD $55 billion by 2023, up from $40 billion in 2018³. Clients’ experience with these products, and staff recommendations to them, lead to both on-site and e-commerce sales, including client advocacy and referrals on social media.

Rising customer demand for better and more secure payment options is driving a technological shift in payments solutions in the wellness industry. This shift is seeing the industry turn to payments technology that provides more payment options, integration capabilities, mobile functionality and e-commerce solutions. Investment in payments solutions that include these components can help wellness enterprises drive business growth and increase customer satisfaction by delivering flexible and secure payments experiences to customers through the channels they demand.

Roger Sholanki is the founder and CEO of Book4Time, a cloud-based business management platform used by spa and wellness businesses in more than 70 countries.
1 Moneris, “Payment card spending in Canada up 3.3 per cent in the second quarter of 2018”, release, July 19, 2018.
2 “E-commerce in Canada - Statistics & Facts”, Statista.
3 “Retail e-commerce revenue in Canada from 2017 to 2023 (in million U.S. dollars)”, Statista, 2019.


Responding to evolving cyberthreats Continued from page 14

that can empower impacted individuals with relevant and timely education. Understanding “what” usually comes first, followed by “what do I do now?” Providing educational information through online resources, coupled with expertise and guidance facilitated by the dedicated breach call centre agents, can go a long way. In today’s reality, any organization with digital access to consumer information is potentially vulnerable: from financial institutions, consulting firms, retailers and healthcare providers through to government institutions. In the event of a breach, it’s important for organizations to prepare and activate a response plan to help protect their customers, and to have the right processes and partnerships in place to minimize potential damages.

Roman Mykhaylyshyn is head of consumer solutions at TransUnion Canada.

Why compliance for blockchain/cryptocurrencies? Continued from page 15

are some fascinating problems (such as clear custody, auditing and fractional shares) that can be addressed, in part, through the issuance of blockchain-based tokens. For companies dealing in the cryptocurrency space and those that serve them, clear guidance from regulators is key to maintaining the thriving and innovative industry that is emerging in Canada. In some cases, this may include the adaptation of existing regulations, as with AML, or the creation of new regulations (securities regulations requiring many layers of custody don’t make sense for fully traceable digitally-native asset classes). It may also entail the enforcement of existing legislation. In any event, it will be important to bring all stakeholders to the table to engage in meaningful dialogue.

Amber D. Scott is founder, CEO and Chief AML Ninja, Outlier Solutions Inc.

1 Financial Action Task Force, “Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers”, report, June 21, 2019.
2 “Regulations Amending Certain Regulations Made Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, 2019: SOR/2019-240”, Canada Gazette, Part II, Volume 153, Number 14, June 25, 2019.




EMV snapshot



According to the latest data from EMVCo, which manages and evolves the EMV® specifications and related testing processes, 58.7 per cent of cards issued are ‘EMV’ as of Q4 2018 and 73.6 per cent of all card-present transactions conducted globally used EMV chip technology. There are 8.23 billion EMV chip payment cards in global circulation. Africa and the Middle East lead the world on EMV card adoption, while Europe holds top spot on EMV card-present transactions. Canada, together with Latin America and the Caribbean, lead the U.S. with an 86.9 per cent chip adoption rate and with 93.75 per cent of card-present transactions compared with 60.7 per cent and 53.52 per cent respectively. But expect the U.S. percentage to climb as more American financial institutions and card issuers send EMV chip cards to their customers. Meanwhile, the U.S. leads Asia Pacific on card adoption but lags behind it on transactions. This infographic shows how EMV technologies are used.

The EMV specifications are continually being developed and enhanced through EMVCo’s Associates Programme, whereby merchants, processors, vendors and other industry stakeholders participate as EMVCo Business and Technical Associates. There are presently 90 Associates worldwide, including four in Canada. For example, EMVCo recently released the EMV® Secure Remote Commerce (SRC) Specification v1.0, which is available for free public download from the EMVCo web site. The specification provides a foundation that will enable the processing of e-commerce transactions in a consistent, streamlined fashion across a variety of digital channels and devices, including smartphones, tablets, PCs and other connected devices. EMV SRC is compatible with other technologies, such as EMV Payment Tokenisation and EMV 3-D Secure. The publication of EMV SRC v1.0 follows a public consultation period on the draft specification in Q4 2018, which allowed as many payment industry participants as possible, including merchants, card issuers and payment networks, the opportunity to review and contribute.

“The continued growth of global e-commerce requires reinforcing consumer convenience and confidence in payments,” said Karteek Patel, chair of EMVCo’s Executive Committee. “EMV SRC can deliver this while supporting the evolving habits of consumers as they migrate their shopping to PCs/laptops, mobile devices and other connected devices of the present and future.”

Courtesy EMVCo


How payments are made and managed is undergoing an exciting evolution. Examples include:

• Contactless cards and mobile wallets
• Internet of Things
• Real-time payment rails
• Blockchain and cryptocurrencies
• ATM, cash and cheque modernization

But security and fraud risks also are rapidly evolving. There are new techniques, tools, standards and regulations to facilitate fast, intuitive, transparent and secure transactions and processing. Payments Business, published by Lloydmedia, keeps track of these trends and provides thought leadership from industry experts.

For advertising and media partnerships contact Mark Henry, Publisher 905-201-6600 x223

For news and contributed articles contact Brendan Read, Editor 905-201-6600 x227

Payments Business is a Lloydmedia, Inc publication. Lloydmedia also publishes DM Magazine, Contact Management magazine and Canadian Equipment Finance magazine.