The Magazine of Transactions, Cards & EBPP in Canada
Fuelling the Mobile Revolution
Also in this issue:
❱ Paper, plastic or neither?
❱ Optimize online banking security
❱ Mobile strategies for credit unions
Table of contents, July / August 2013
Columns & Departments
Association Spotlight
New face of the ISO
One On One: Richard Giannini of Ingenico talks breaking down silos
Vertical Market: Credit Unions. Strategies for a mobile member
Pay Channel: Credit Cards. Keeping an eye on spend
Paper, plastic or neither? More people around the world have mobile phones than bank accounts and now wireless payments are opening doors to vast opportunities
Yeah, but is it safe? Optimizing online banking security using a five-layered strategy
150 million reasons to stop fraud at the checkout
Editor’s Desk
Talking about a revolution
There’s a revolution going on in the Canadian payments industry. A survey by KPMG ranked “mobility” as the second most “indispensable consumer technology” over the next three years, behind only cloud computing and well ahead of social networking (see page xx for more on this) and the numbers show that more people have mobile phones than bank accounts. The way we bank, the way we pay for things and the way we process transactions bear little resemblance to the experiences most of us remember from our younger days. In this issue of Payments Business we’re delving deeper into the Mobile Revolution to see how businesses are riding the wave of one of the fastest growing channels. Our cover story shows us a future beyond cash or plastic and talks about how to “build a better mousetrap” when it comes to mobile payments. We’re also looking at security issues surrounding mobile payments and how to make sure that your customer’s data is safe. Credit Unions have long seen the value of mobile for their customers and in this issue we’ll look at credit union strategies for mobile members. Our pay channel features this month focus on credit cards and we’re bringing you some great insight on how keeping an eye on credit card spend can help businesses know their customers better. I’m very excited to be taking over as editor for Payments Business. This is a dynamic and changing industry and one with many stories to tell. I’d love to get your feedback on trends within the payments world and what articles you would like to see in 2014. Please feel free to email me at firstname.lastname@example.org anytime to chat.
Cheers, Amy
July/August 2013 Volume 4 Number 4
Editor: Amy Bostock email@example.com
Publisher: Mark Henry firstname.lastname@example.org
Contributors: Stephanie Cohen, Matt Cotter, Will Giles, Gord Jamieson, Jordan Rinaldo, Christy Serrato, Amie Silverwood
Creative Direction: Demigroup demigroup.com
Photographer: Gary Tannyan
Advertising Sales Rep: Brent White email@example.com
President: Steve Lloyd firstname.lastname@example.org
For subscription, circulation and change of address information, contact subscriptions@paymentsbusiness.ca
Publications Mail Agreement No. 40050803
Return undeliverable Canadian addresses to: Circulation Department 302-137 Main Street North Markham ON L3P 1Y2 t: 905.201.6600 f: 905.201.6601 email@example.com www.paymentsbusiness.ca
Subscriptions available for $40.00 year or $60.00 two years.
2012 Lloydmedia Inc. All rights reserved. The contents of this publication may not be reproduced by any means, in whole or in part, without the prior written consent of the publisher. Printed in Canada. Reprint permission requests to use materials published in Payments Business should be directed to the publisher.
September/October — Security, Fraud and Privacy
Made possible with the support of the Ontario Media Development Corporation
Vertical Market
Strategies for a Mobile Member
By Matt Cotter, Senior Vice President – Marketing, D+H
Today’s credit unions have a tremendous opportunity to gain more than their fair share of the financial services market, thanks to changes in demographics and the way consumers interact with financial institutions. But seizing that opportunity will require them to implement strategies that attract and serve their increasingly mobile members. As with most commercial sectors, it’s the younger generation that is driving much of this change. There are 45 million more credit union members under the age of 45 today than over 45. Filene Research Group reports that 39 per cent of under-30s have never visited a branch, with 30 per cent of them using mobile banking every month and 84 per cent using online banking at least four times a week. These younger, technically savvy consumers are an attractive target for credit unions, particularly as research also shows Millennials have a very real sense of mistrust and dissatisfaction with their current financial institutions. The challenge for credit unions is to adapt to the shifting requirements of their increasingly diverse and mobile members and to rethink the type and depth of services they offer across channels. Most CUs will offer some form of mobile banking by the end of 2013 and about a quarter of membership will be using it, according to a survey by the Aite Group, which also found that almost half of members will use online banking, too. So it’s clear that CUs need an aggressive presence at each point of interaction, whether it’s mobile or online or in-branch.
Implications and Strategies for Credit Unions
Building a strategy to enable a mobile membership is not as simple as adding a mobile feature – it’s a critical component of the overall channel strategy and must be enabled across channels. But in enabling mobile, CUs must take into account that members still respond to and look for a personalized experience. And they need to integrate the huge investments CUs have already made in their people and branches. A few years ago, the concept of “member service” was very institution-centric: more branches, longer hours and other ways to allow members to come to the credit union more easily. But today’s consumers expect to be served 24/7, with speed and convenience, access through a range of channels and a consistent experience across all of them. That means member service is now increasingly consumer-centric, with CUs presenting themselves through channels that members find attractive and which allow them to consume the services being offered how and when it’s convenient for them, not the other way around. The need to offer flexibility around channels can be seen in some of the research D+H has done in the United States about usage of our Mortgagebot solution. A time analysis of online applications showed that 40 per cent of the roughly one million applications last year were made outside business hours, demonstrating the absolute necessity of having a point of presence where a significant share of business is coming in order to capture that volume. But equally important is that 60 per cent of applications came in when branches were open. Members made a conscious choice to interact online, even though they could have accessed services in branch or on the phone, and any credit union that doesn’t have a mobile-optimized approach across every channel will be at a significant disadvantage. A key challenge is how to make that digital experience personal, because there’s a critical sense of trust that comes with a personalized experience. One tactical way we’ve done that is to create personalized loan officer sites for institutions where loan officers can put their picture on the web page. This simple, enhanced personal connection reinforces the relationship with the member and produces a 10-point increase in conversion rates. Another challenge is to create an anytime, anywhere business where members can interact with CUs and their staff whenever they need to. For most credit unions, building the necessary IT infrastructure is time consuming and expensive. Fortunately, there are many cloud computing solutions that offer a way to do this, at a much more predictable cost and with a greater degree of flexibility and speed to market for different products. A great example of this is the White House Federal Credit Union (http://www.whcu.org) which adopted a cloud computing solution that allowed it to provide anytime, anywhere service for its more than 6,500 members, improve critical systems uptime and align its IT spending with its strategic initiatives.
Conclusion
Credit unions are already showing they can increase their market share by embracing mobile to take advantage of the demographic and membership trends that play in their favor in an era of increasing mistrust and dislike of many larger financial institutions. The most successful are adopting cloud-based solutions and embedding mobile in everything they do from a go-to-market standpoint and in every channel.
Pivotal Payments would like to thank its clients, shareholders, suppliers and partners for their support over the past 10 years and pay tribute to its employees who have been instrumental to the company’s success. From the company’s humble beginnings to becoming a top tier North American Merchant Services Provider, Pivotal Payments currently powers the success of over 60,000 merchants, processing more than US$10 billion in annual transaction volume. The company continues to invest in strategic growth, new technologies and improved point-of-sale, mobile and online payment services that push the boundaries of technology, security and ease of use.
Standalone and Integrated Payment Solutions
• Enables faster time to market.
• Lowers capital requirements.
• Removes PCI-DSS from scope.
• Faster deployment for merchants.
• Better reporting and reconciliation.
• Single point of integration for ISVs.
Commerce Platform and Payment Gateway
• Multi-currency online and mobile payments application with smart BIN routing.
• Gateway solution with seamless global expansion possibilities.
• Advanced fraud management tools and vast reporting features.
Pivotal Payments charges into the future celebrating its 10th anniversary
July marks Pivotal Payments’ 10 year anniversary in the competitive and continually evolving payment processing industry. Established in 2003, the Montreal-based company has become a leader in
merchant services and payment processing solutions in North America, servicing over 60,000 merchants and processing more than US$10 billion in annual transaction volume. In an industry replete with
competition, Pivotal Payments has grown year-over-year through organic growth, targeted acquisitions and by forming new partnerships to adapt to and exceed their customers’ growing needs. The company’s success can be attributed to its investment in people, technology, processes and products. In the previous year alone, Pivotal Payments posted annual revenue growth of 34 per cent. “We understand the power and value of relationships and that thousands of people, from the merchants we serve to our partners and employees, depend on Pivotal for their livelihood,” said Philip Fayer, president and chief executive officer of Pivotal Payments. “As a customer-centric organization, we’ve had the courage to take responsibility for issues and learn from them in order to enhance our company.” Pivotal Payments celebrated the anniversary with an event for its staff and local business partners in Old Montreal at the
historic Terrasses Bonsecours. The company commemorated not only its decade long existence, but the over two dozen employees whose tenure spans this period. “One of Pivotal’s greatest strengths is promoting its leaders from within,” said Fayer. “Combined with seasoned industry executives who have joined us over the years, the passion and dedication our employees have shown has endured and has been a tremendous factor to our success. We are all excited to see what the next ten years will bring.” Determined to continually exceed their merchants’ expectations, Pivotal Payments is working to provide new and improved point-of-sale, mobile and online payment services that push the boundaries of technology, security and ease of use. The company is also continuing to invest in strategic growth initiatives to stay at the forefront of the payment processing industry for years to come.
Swiff partners with Affinitas to launch Mikit mPOS in Mexico
Canadian technology provider Swiff has closed a partnership with Affinitas, a Mexican payment solutions provider, to launch a chip and PIN & Sign mPOS solution in Mexico. Swiff is a mobile POS service for merchants to accept credit card payments on the move on their mobile devices. Swiff operates on an open platform, aggregates with payment service providers, payment gateways and acquiring banks. Under the agreement, Swiff will provide its mobile payment expertise through its authentication technology and hardware for Affinitas’ client ecosystem. Swiff’s white-label mPOS solution will launch under the Mikit brand for Affinitas Clients. Swiff’s technology gives the tools to roll out mobile strategies that enable bank-level secured, authenticated transactions. The Swiff mPOS platform’s key differentiating factor is a 2-Factor Authentication (2FA) technology, which allows mobile tracking, user authorization and fraud prevention. As a result of Swiff’s secure authentication, Swiff Technology was chosen to participate in the Visa Ready Program, a selective program that certifies mPOS providers to boost mobile payment adoption worldwide.
Payza names new Chief Compliance Officer
Payments industry expert to lead global risk and compliance for company
Payza has named Ferhan Patel to Chief Compliance Officer and Director of Global Risk and Compliance. In his new role with the company, Patel will oversee the Risk, Fraud and Compliance Departments, and be responsible for the company’s AML/CTF, Compliance, Fraud and Risk Mitigation policies. Prior to his new position, Patel led the company’s product development strategies, marketing operations, strategic alliances and new market opportunities. He was influential in leading Payza to win the 2013 Paybefore Award for Outstanding Newcomer in Prepaid/Emerging Payments category. “Ferhan already has a thorough knowledge of our product design, which means that as Chief Compliance Officer, he can
bring a unique perspective to both our emerging products and our global policies,” noted Payza’s CEO Alastair Graham. “His active involvement in our overall product lifecycle ensures that compliance is built in from the beginning and not bolted on. In addition, he will also see that the customer experience is still addressed at every stage, and we see that as a significant advantage in the market.” “Finding the right balance between compliance and usability permeates to the very core of our industry,” Patel explained. “Our customers want the highest level of protection with the least amount of intrusion. In order to keep the customer experience at the forefront of our offerings, when we request information from our
customers, we must keep in mind how this affects our customers. Customer experience necessitates that our behind-the-scenes departments, meaning our AML/CTF, Fraud and Risk units, communicate and cooperate internally, rather than reach out to potentially impose unnecessary or duplicate demands on the customer. Therefore, when we design our products and our policies, we have to include the customer experience, which can only be done by incorporating compliance at every stage of development.”
Emerging Mobile Payment Systems: Legal and Regulatory Risks Get the key insights and expert advice you need to know to understand and master the risks and legal pitfalls of mobile payment solutions
November 4 - 5, 2013 | Toronto, ON | Attend Live or Online For more information and to register, please visit: www.osgoodepd.ca
Keeping an eye on spend
By Stephanie Cohen
If the advice in baseball is ‘keep your eye on the ball’, the credit card and financial industry should be told to keep our eye on the “spend.” Monitoring the activity of your cardholders provides valuable insights that should not be ignored. Unfortunately, most issuing institutions don’t give this crucial aspect of their business the attention it deserves. With predictions of a lukewarm Canadian economy in 2013, it’s tough to fault card issuers for putting their efforts into generating revenue via acquisitions, fees and on interest from revolving balances. But making spend assessment a low priority is as short-sighted as taking your eyes off the ball. Examining trends in spend activity provides a clear indication of customer engagement and card relevance, which gives you a keen sense of the overall health of the business. Just as important, issuers should pay close attention to spending patterns beyond physical in-store card transactions and look at cross-channel sales on e-commerce and mobile platforms. In Canada, the increasing consumer and merchant adoption of mobile payment solutions has warranted recent changes to the Payments Code of Conduct to be inclusive of emerging payment technologies. With the proliferation of mobile innovations and e-commerce solutions, issuers should view this as an opportunity to understand differing customer purchasing trends across multiple channels to tailor card offerings.
Spend analysis
To begin examining your customer spending trends, ask yourself the following questions:
• Are your customers increasing or decreasing their spend volumes with you? (Don’t let new acquisition mask spend trends.)
• Are they increasing or decreasing their purchase frequency?
• Are they spending in broad categories, or are they using their cards for very category-specific purchases?
• Has there been much change in seasonal transaction trends, year-over-year?
• How are credit card promotions affecting consumer spending during economic fluctuations?
• Are there distinct purchasing trends across various channels, such as in-store, online and mobile?
• How do changes in their spend correlate to your share of wallet?
By developing answers to these key questions through careful examination of spend patterns, you will be able to better manage your portfolio and remedy problems before they become too big to handle. Particularly with cards with no annual fee, inactivity is an indicator of attrition. By proactively monitoring spend and taking decisive actions to target issues and opportunities, you can improve the stickiness of the relationship and improve your customers’ engagement with your cards.
Declining spend
While analyzing spend patterns through the previous questions, the data may reveal that some of your high-value customers are spending less. Pay attention to emerging data trends and determine why these customers are decreasing spend, and whether or not the change is connected to a shift in their perception of the card. Cardholder spend can decline for a variety of reasons, including seasonality, change in cardholder lifestyle/life stage, or change in financial situation. Those reasons certainly invite further exploration, but aren’t necessarily cause for alarm. However, in other cases the card has lost enough relevance to drift from its primary position in a customer’s wallet. These situations call for more aggressive analysis and decisive action:
• Customers shifting spend to another card (a high-priority alert).
• Cardholders who reach their “comfort limit” on the line of credit and don’t want to exceed it (an opportunity to examine your credit line policies).
If you begin to spot trends in decline, especially with high-value customers, then it’s time to examine whether or not there are problems with engagement and relevant card offerings, and take a proactive approach to solving the problem.
Assessing decline
Like the baseball player mired in a hitting slump, the first step is to determine what’s driving the decline, and then develop a strategy to reverse the trend. The analysis begins with the following questions:
• Is there a problem with your card’s value proposition? Perhaps it’s time for a refresh. With new programs and incentives popping up so frequently in the current market, has yours lost some of its luster?
• Have you continued to remind your customers about your value proposition through relevant marketing? Perhaps their lack of engagement isn’t due to the value proposition but to a failure to sustain excitement about it.
• Are you using acquisition channels/strategies that don’t drive profitable behavior? Evaluate the channels and strategies you’re using currently with an eye toward the type of customers you’re drawing. Are they the high-value cardholders that will keep your program healthy, or ones perpetually hunting for the next new deal?
• Are customer service issues driving dissatisfaction? Engagement is a two-way street. How often are you talking to your customers and determining their level of satisfaction?
By assessing your cardholder spend patterns, you’ll gain a new, sharper understanding of your business, one you will not get from focusing too much on other short-term areas. By keeping your eye on the right ball, you can strategically manage risk and more productively engage your customers, who will respond with renewed card activity. And in the world of banking, that’s a home run.
As a partner at LoyaltyOne Consulting, Stephanie Cohen leads the Financial Services Consulting Practice, helping organizations better understand customers and grow their business through data-driven insights and enterprise loyalty.
150 million reasons a day to stop fraud at the checkout
By Gord Jamieson
Security is a big deal for consumers today. It’s why many invest in high-tech alarm systems for their homes and expensive anti-virus software for their PCs. Despite that, many consumers aren’t aware of what happens after they pay with credit or debit cards, either at the checkout or online. They don’t know where information goes, or who is protecting it. In fact, in just a few short seconds after using their card, they’ve paid and gone on their way, with little thought to the process that takes place behind the scenes. Behind each transaction is actually a carefully orchestrated process. When a Visa cardholder uses a card to buy a pair of shoes online, it’s actually the acquirer — the merchant’s bank — that pays the merchant for the shoes. Then, the issuer — the cardholder’s bank — reimburses the acquirer, usually within 24 to 48 hours. Last, the issuer collects from the cardholder by withdrawing funds from the cardholder’s bank account if a debit account is used, or through billing if a credit account is used. With all the linkages and players involved, cardholders and merchants alike might wonder about the security of it all. How does the system detect that it’s really you, the genuine cardholder, who is making the purchase? What happens if you lose your card? Will a thief be able to conduct a fraudulent transaction using your information with the same ease and speed?
The art of fraud prediction
When a customer pays with their card, there are various steps involved as their bank decides whether or not to authorize the request. All transactions must go through a payments processing network, a secure system that ensures that payments are not just fast and reliable, but safe too. Sophisticated risk management services
within the payments network help ensure that every player in the payments ecosystem is protected – from cardholders to merchants to banks – from losses due to fraud, theft, or unauthorized use of debit and credit cards. Chances are a cardholder’s bank depends on a risk management service which monitors transactions, detects any unusual spending patterns, and flags possible fraud – all in real-time. The payments network analyzes thousands of examples of valid purchase transactions and constantly updates account transaction patterns so that future purchases can be evaluated against the most current information. So for example, if a customer only ever uses their card to purchase online music, a transaction for an expensive widescreen HD television, perhaps in another country, would be identified by the payments system as unusual. A rating of that transaction’s potential for fraud is then sent to the card issuer, including information on whether it was part of a reported third-party data security compromise. With this information on hand, the bank can respond immediately to the merchant on whether to accept or decline the transaction. If suspicious, the bank may choose to temporarily put charges on hold, notifying the cardholder as soon as possible to verify the legitimacy of the charges. This is important, because the ability to analyze transactions in real-time helps stop fraud at the checkout – even before it takes place!
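An added illustration of the pattern-based rating described above, using the article's own example of a music-only cardholder and a television bought abroad. It is not Visa's or any payment network's actual model: the features, weights, thresholds and category labels are assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from statistics import mean, pstdev

# All weights and thresholds below are illustrative assumptions.
MIN_HISTORY = 5                 # below this, the amount baseline is not trusted
HOLD_AT, DECLINE_AT = 40, 75    # score bands for the issuer's response


@dataclass(frozen=True)
class Txn:
    amount: float
    category: str   # constructed label, not a real merchant category table
    country: str


@dataclass
class AccountProfile:
    """Running picture of what is normal for one account."""
    amounts: list = field(default_factory=list)
    categories: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)

    def update(self, txn):
        self.amounts.append(txn.amount)
        self.categories[txn.category] += 1
        self.countries[txn.country] += 1

    def rate(self, txn, in_reported_compromise=False):
        """Return (score 0-100, reasons) for one authorization request."""
        score, reasons = 0, []
        if len(self.amounts) >= MIN_HISTORY:
            mu = mean(self.amounts)
            # Floor the spread so identical past amounts cannot divide by zero.
            sigma = max(pstdev(self.amounts), 0.1 * mu, 0.01)
            if (txn.amount - mu) / sigma > 3:
                score += 40
                reasons.append("amount_far_above_usual")
        else:
            reasons.append("thin_history")   # amount check skipped
        if self.categories[txn.category] == 0:
            score += 25
            reasons.append("new_merchant_category")
        if self.countries[txn.country] == 0:
            score += 25
            reasons.append("new_country")
        if in_reported_compromise:
            score += 20
            reasons.append("reported_data_compromise")
        return min(score, 100), reasons


def issuer_decision(score):
    """Map the rating to the issuer responses the article mentions."""
    if score >= DECLINE_AT:
        return "decline"
    if score >= HOLD_AT:
        return "hold_and_verify"
    return "approve"


def authorize(profile, txn, in_reported_compromise=False):
    score, reasons = profile.rate(txn, in_reported_compromise)
    decision = issuer_decision(score)
    if decision == "approve":
        # Only accepted activity refreshes the baseline, so a held or
        # declined purchase cannot teach the profile that it is normal.
        profile.update(txn)
    return decision, score, reasons


def sample_profile():
    """Constructed history: a cardholder who only buys online music in CA."""
    profile = AccountProfile()
    for amount in [0.99, 1.29, 0.99, 1.29, 9.99, 0.99,
                   1.29, 0.99, 1.29, 0.99, 9.99, 1.29]:
        profile.update(Txn(amount, "online_music", "CA"))
    return profile


if __name__ == "__main__":
    profile = sample_profile()
    for txn in [Txn(1.29, "online_music", "CA"),
                Txn(24.99, "electronics", "CA"),
                Txn(1899.00, "electronics", "US")]:
        print(txn, authorize(profile, txn))
```
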
Transaction alerts
Cardholders can also take an active role in managing spending and protecting their accounts. Transaction alerts via email or text messages can be sent directly from the payments network, typically within seconds of the transaction occurring. These alerts are triggered when the transaction meets certain criteria the cardholder sets, allowing for ongoing monitoring of accounts for unusual activity and enabling cardholders to take immediate action, thus limiting the potential for fraud or stopping it altogether. At Visa, the reliability and security guarantee for every one of the over 150 million transactions we process each day lies with VisaNet. Every day, VisaNet connects up to 2.1 billion cards, millions of acceptance locations, 2.0 million ATMs and 14,800 financial institutions. This translates to more than US$6.5 trillion in global consumer spend through our products every year. This is why we have invested heavily in new technologies and innovations – from encryption of data to chip technologies – to make sure we are always one step ahead. This means we need to consistently and constantly upgrade our system to provide new services, enhancements and capabilities that consumers expect. Visa also collaborates with the broader payment community on innovative data security techniques, authentication solutions and technologies and fraud prevention strategies to keep payments safe. This is why over the past five years, even as global transaction volume has increased dramatically, global fraud rates have remained near historic lows. And yet we know criminals and fraudsters never stop. They are smart, nimble and determined – moving quickly to take advantage of new opportunities to perpetrate fraud. For these reasons, we must continue to innovate responsibly, to ensure we remain one step ahead and all the while ensuring that we never take the trust of issuers, acquirers, merchants or cardholders for granted.
Gord Jamieson is the Head of Payment System Risk for Visa Canada
NOTHING HANDLES LIKE THE VX 820, THE FULLY-LOADED, SLEEK SOLUTION
VX 820. Performance. Power Packed. Get traction at the counter and stay ahead of the fast-paced demands of today’s consumer with VeriFone’s VX 820. As a handheld device, it’s ergonomic. On the countertop, it’s almost aerodynamic. Ultra-fast processing, loads of memory and maximum security under the hood.
Securing Mobile Life.
Creating Confidence. Giesecke & Devrient offers a comprehensive range of payment products and solutions based on the latest EMV, contactless and dual interface technologies. Our smart debit, credit and prepaid products are available on a wide range of platforms based on secure and highly flexible operating systems. Alongside the comprehensive portfolio of easily configurable card products and card solutions, we offer all services related to electronic payments including m-commerce and transit. Our services include personalization, system integration, project management and technical consulting from a single source. For more information, please visit: www.gi-de.com/ca
Paper, plastic or neither?
More people around the world have mobile phones than bank accounts and now wireless payments are opening doors to vast opportunities
By Will Giles
Invent a better mousetrap and the world may beat a path to your door but invent a better way to pay for the mousetrap and you’ve saved the world a trip. That’s the future of mobile payment. People adopt new technologies when they offer a clear improvement over what they would replace – a better mousetrap. In the case of mobile payments, the benefits over cash and traditional credit card payments are tangible enough to have telecom companies and financial institutions both competing and partnering with each other, while Internet companies and giant retailers look for their own path to this holy grail. Earlier this year, technology industry leaders surveyed by KPMG ranked “mobility” as the second most “indispensable consumer technology” over the next three years, behind only cloud computing and well ahead of social networking. It is a disruptive technology with global reach if ever there was one. Need more proof of a future beyond cash and plastic? The Royal Canadian Mint, which produces all Canada’s coins, launched a campaign in 2012 to motivate developers to create innovative digital payment applications. The Mint’s goal is to create a system that enables businesses and individuals to conduct transactions under $10, using smart phones, tablets, USB device, cloud technology or perhaps a device that doesn’t exist yet. It makes sense. Cash costs a lot more (to produce, distribute, record, collect and secure) than most people realize. And plastic has proliferated wildly. Why root through a bulging wallet full of credit and loyalty cards, discount coupons and IDs at the checkout when a digital wallet on your smartphone can securely pass and collect all the information needed to maximize the transaction? Tap it at the checkout counter, at the parking meter, the cab, or TTC turnstile, and you’re on your way in an instant. It can hold your gift cards, library card, government-issued ID and all your loyalty cards. And it collects and records your digital receipt, perhaps also transmitting it to your expense and tax software. Retailers love it because it speeds transactions and enables more people to buy more things. Banks are happy at the prospect of offering new services too. The phone companies see it as an opportunity to drive further value for their customers. It is win-win-win. But for once, North America might not be first to adopt this better mousetrap. While Canada and the U.S. are well poised to embrace the mobile economy, it’s the emerging markets where most people don’t have bank accounts that are the biggest drivers of mobile payments. One of the first countries to use mobile payment was South Africa. In Kenya, people can transfer money to each other, mobile phone to mobile phone. Kenyans have embraced mobile payment because that country’s banking system is underdeveloped. Few have bank accounts and even fewer have credit cards. But the M-Pesa mobile payment system, which uses the cellular network, has more than 17 million Kenyan accounts, enabling Kenyans to make small transactions between individuals. Now consider China, where 95 per cent of all financial transactions are in cash. The opportunity to skip the plastic stage and go right to mobile transactions is staggering. The country is extremely well positioned to leapfrog the developed market by not needing to install the hard wired network. Now that is an amazing opportunity. It’s also inevitable in Canada, and the banking industry plans to be ready. It has already adopted voluntary guidelines to govern how mobile payment capabilities can be offered in Canada, including how information is exchanged among various parties to a transaction -- financial institutions, payment card companies, telecommunications companies and merchants. That’s an essential requirement. The industry must have the confidence of consumers on security and privacy issues. The reality is people are naturally mobile, and cash and plastic cards are unnatural restrictions on our mobility. A payment system without those tethers is the proverbial better mousetrap.
Will Giles is Vice President of Emerging Payments for Canada Region at MasterCard Worldwide.
Yeah, but is it safe?
How to optimize online banking security using a five-layered strategy By Christy Serrato
Online banking customers must be able to access their accounts with the highest possible levels of security. To provide this assurance, banks must prevent the scalability of today’s malware attacks, using a layered strategy so that the most appropriate risk mitigation level can be implemented for any given consumer or corporate customer segment. This layered strategy also must be active without requiring any user participation and/or special procedures, since customers don’t always follow prescribed policy and will not sacrifice usability for security. The integrity of online banking is extremely important to financial institutions. These institutions are founded on a trust model that underpins each organization’s relationships with its customers. There are significant benefits for banks that can bring this trust model to online banking. If they
can persuade customers to enroll in online bill pay and related services, they can cut the average costs of servicing those customers in half. These services also provide the launch pad for other services such as personal finance management tools and brokerage, all of which results in a richer customer relationship, reduces customer churn, and provides additional top-line revenue. Conversely, if banks fail to protect their customers’ personal information and account data, this can undermine trust and erode the bank’s overall brand and reputation. The online banking threat landscape has changed significantly in recent years. Regulators such as the Federal Financial Institutions Examination Council (FFIEC) have established robust requirements for financial institutions in order to protect customers using online banking applications and other Internet-based products and
services. Complying with these mandates requires a multi-faceted authentication solution implemented in a layered approach so that financial institutions can apply the appropriate level of risk mitigation depending on the customer segment. The stakes have never been higher. One of the latest malware examples is Operation High Roller, which is fully automated and aimed directly at online banking. Protecting online banking users against this and other threats requires more than just strong authentication. Ideally, five layers of security must be employed, without unduly inconveniencing the customer, and while maintaining a consistent user experience across different service channels. The first layer is user authentication. The best approach here is a multi-factor authentication solution that combines something the user knows (such as a password) with something the user has (such
as mobile and web tokens) with something the user is (which can be ascertained through a biometric or behaviormetric solution). The next layer is device authentication. In other words, once it is determined that the user is who he or she claims to be, it is important to verify that the person is using a “known” device. For this step, it is important to combine endpoint device identification and profiling with such elements as proxy detection and geolocation. After verifying the user and that the user is on a known device, the third layer is browser protection. This ensures that the browser being used is part
of a secure communication channel. One way to do this is through simple passive malware detection, but this does not deliver the strongest possible endpoint security. A better approach is to use a proactive hardened browser with mutual secure socket layer connection to the bank application. The fourth layer increases security for particularly sensitive transactions, including signing contracts and transferring large funds. Defending against threats in this area requires the use of transaction authentication/pattern-based intelligence. A transaction authentication layer can include Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring, and behavioral analysis.
The final layer is application security, which is especially important with the growth in adoption of mobile banking. This layer protects applications on mobile devices that are used to deliver sensitive information. The application must be architecturally hardened and capable of executing mutual authentication. Adding this layer makes data theft much more complex and costly for hackers. Customers will only use online banking if they trust it is secure. And yet we are seeing new, sophisticated malware appearing almost daily. The answer is a five-layer security defense against these threats.
Employing this multi-layered strategy significantly increases financial institutions’ ability to protect their customers’ security, safety and loyalty as they execute online transactions. At the same time, this multi-layered approach also ensures that banks can employ risk-appropriate solutions based on the given threat level and customers’ preferences. A common platform that supports multiple channels and multiple user communities will also lower the total cost of ownership for multi-layered online banking security solutions. Christy Serrato is in charge of Identity Assurance Solutions Marketing for Financial Services at HID Global.
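The fourth layer described above (out-of-band verification plus transaction signing) is illustrated here in Python as an added example; it is not code from the article, its author or any vendor product. The `Bank` class, the account numbers and the 8-digit HMAC-based code are assumptions made for illustration, with the user's token and the bank sharing one enrolled key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    payee_account: str
    amount_cents: int
    currency: str


def canonical(t: Transfer, nonce: str) -> bytes:
    # Length-prefix every field so "12"+"345" can never collide with "123"+"45".
    fields = [t.payee_account, str(t.amount_cents), t.currency, nonce]
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)


def signing_code(key: bytes, t: Transfer, nonce: str, digits: int = 8) -> str:
    """Code the user's token shows after the user confirms payee and amount."""
    mac = hmac.new(key, canonical(t, nonce), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in HOTP (RFC 4226)
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Bank:
    """Hypothetical server side: verifies the code against what it will execute."""

    def __init__(self):
        self._keys = {}      # user -> key shared with that user's token
        self._pending = {}   # nonce -> (user, transfer as the server received it)

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[user] = key
        return key

    def request_transfer(self, user: str, received: Transfer) -> str:
        nonce = secrets.token_hex(8)  # delivered to the token out of band
        self._pending[nonce] = (user, received)
        return nonce

    def confirm(self, nonce: str, code: str) -> bool:
        entry = self._pending.pop(nonce, None)  # each challenge is single use
        if entry is None:
            return False
        user, received = entry
        expected = signing_code(self._keys[user], received, nonce)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    bank = Bank()
    token_key = bank.enroll("alice")
    intended = Transfer("CA-0001-7654321", 125_000, "CAD")  # constructed sample
    tampered = Transfer("CA-0999-1111111", 125_000, "CAD")  # constructed sample

    # Clean session: the server received exactly what the user approved.
    n1 = bank.request_transfer("alice", intended)
    code1 = signing_code(token_key, intended, n1)
    honest = bank.confirm(n1, code1)
    replay = bank.confirm(n1, code1)  # same code offered a second time

    # Compromised browser: the payee was rewritten before reaching the bank,
    # but the token signs the details the user actually approved.
    n2 = bank.request_transfer("alice", tampered)
    code2 = signing_code(token_key, intended, n2)
    hijacked = bank.confirm(n2, code2)
    return {"honest": honest, "replay": replay, "hijacked": hijacked}


if __name__ == "__main__":
    print(demo())
```

Because the key is shared with the bank, this binds the code to the transaction but does not give strict non-repudiation; that requires an asymmetric signature whose private key only the customer's device holds.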
New face of the ISO The role of Independent Sales Organizations in the ever-growing payments industry By Jordan Rinaldo
It wasn’t too long ago that business owners were very limited when it came to exploring the idea of moving towards accepting credit card payments over cash and cheque. The major banks had a monopoly over the payment industry, and were the only providers of the payment service today’s consumers have since come to take for granted. Over the last decade, the landscape of the payment industry has changed dramatically. Deregulation of government policies, with regards to payment processing, created a watershed of Independent
Sales Organizations (ISOs), which in turn created the highly competitive framework ISOs are battling within today. Although it may sound like this fierce competition may only be relevant between each respective ISO, that is not the case. Competition between ISOs and the large payment processors breeds cost effective programs that are highly beneficial to all size businesses, not just the small to medium size businesses that are commonly associated with the former. As consumer-spending activity continues to grow, post the economic downturn in 2008, businesses from all industries and of all sizes are looking for payment processing partners that provide more than just the ability to accept credit and debit cards. Today’s merchant demands the same level of service they are comfortable providing to their target market and customer base, and at an affordable cost. The ISO was originally set out to service the small sized businesses, which were simply not cost effective for the large payment processors to contract and service. In today’s industry, the ISO is capable of servicing more than just the small sized businesses that were traditionally ignored. The role of the ISO has quickly altered into what is now considered as an alternative to the large payment processors. The large processors, with massive portfolios, are simply unable to service the needs of their entire multitude of merchants. Turnover rate is what makes the large processors profitable. As long as there are more merchants being contracted than cancelling or switching providers, the large merchants are satisfied. This mentality is much different when it comes to ISOs. The reason why the mentality with regards to merchant retention is drastically dissimilar comes down to resources. ISOs, no matter how big, simply do not have access to the same amount of resources that the large processors possess. ISOs must then rely on the value add: the personalized, face-to-face support and service that merchants have come to expect with ISOs. Smaller merchant portfolios mean that ISOs are more willing to spend the time with unique merchants, with specific pain points from a number of different industries, as long as it means keeping that merchant satisfied. Help desk and service centers are typically domestic, and merchants do not have to remain on the line for extended periods of time to receive support. The smaller, nimbler ISO can efficiently and effectively target the pain points of businesses, cementing their position in the ever-competitive payment industry. This is not to say that all ISOs have cemented their role in the payment industry, far from it. With the introduction of the Code of Conduct in 2010, many ISOs that relied heavily on hidden fees, unethical contracts, and foggy terms and
conditions were faced with changes and policies that made it difficult, even impossible, for them to continue to contract merchants with the same practices that were not penalized prior to 2010. Even though the Code of Conduct was able to begin the process of weeding out the unscrupulous ISOs, competition remains high with no signs of slowing in the future.
Jordan Rinaldo studied Political Science and Economics and has worked in the payment industry for just over three years. For the last 2 years, he has been with the boutique payment processing company BNA Smart Payments – first in sales, focused on eCommerce solutions, and currently as marketing manager, looking after inbound marketing processes, website content, blog, branding, and concepts.
TOP QUALITY, TOP SPEED... Provide financial cards instantly with photo-like image quality – at top speed! – with Zebra’s® ZXP Series 8™ Secure Issuance printer.
With Zebra’s ZXP Series 8 Secure Issuance printer, your financial, educational or retail institution can issue financial cards quickly, securely and without sacrificing print quality. You’ll boost customer satisfaction by instantly printing and encoding personalized cards on-site. Meeting industry standards for the financial instant issuance market, and custom-coded for leading instant issuance applications, the ZXP Series 8 Secure Issuance printer ensures the highest levels of security and reliability.
Contact Ahearn & Soper today to discover how you can reduce operational costs and increase revenue with Zebra’s ZXP Series 8 Secure Issuance printer today! Ahearn & Soper Inc. 100 Woodbine Downs Boulevard Toronto (Etobicoke), ON M9W 5S6 1-800-263-4258 firstname.lastname@example.org www.ahearn.com Sales and Service Across Canada
RBC announces RBC Secure Cloud, first cloud-based mobile payments solution in Canada
RBC announced its RBC Secure Cloud mobile payments service (patent-pending). This new technology, a first in Canada, will allow clients to more safely and securely pay for purchases using their mobile devices. Keeping sensitive client data secure with RBC in the cloud, not on the phone, makes RBC Secure Cloud a safer, faster, more flexible solution. RBC will bring RBC Secure Cloud to market by the end of the year with debit and credit on a number of smartphone platforms. “We have designed a mobile payment solution that offers a better client experience and increased security than has been previously available, while meeting industry standards,” said Linda Mantia, executive vice-president, Cards and Payment Solutions, RBC. “The result is a solution that offers benefits and options to everyone in the payment ecosystem.” With RBC Secure Cloud, the financial institution assumes the security burden, since sensitive client data remains with the bank, as opposed to keeping it on the phone, as is the case with other models. The data is transmitted encrypted and decoded locally on the client’s mobile device at point of sale through partnerships with mobile service providers. While the solution thoroughly protects client financial data by leaving it at its source, clients are also protected by the existing Zero Liability Policy for Interac, Visa and MasterCard. “We understand the importance of security to our clients and make safeguarding their personal information our highest priority,” said Paul Gerics, vice-president, Information Security at RBC. “RBC Secure Cloud is being built with the highest security standards in mind.
We employ a diverse range of technologies and security mechanisms to help ensure the safety, confidentiality and integrity of our client’s information and transactions.” Initially focused on Near Field Communication (NFC), the RBC solution is flexible and can support new technologies such as bar or QR codes, or other standards, and allows offline transactions. “This is a critical advancement for mobile payments in Canada,” said Mark O’Connell, President and CEO, Interac Association and Acxsys Corporation. “We are excited about RBC’s announcement and our participation in the evolution of mobile payments.”
VeriFone simplifies payments complexity for US merchants and service providers
In answer to the growing burden of PCI compliance, EMV migration, and the emergence of mobile wallets and value-added service options that is requiring merchants and service providers—such as ISVs, acquirers and ISOs—to devote more resources to managing payments in order to remain current and compliant, VeriFone Systems, Inc. has announced the launch of VeriFone Point, a payment-as-a-service solution that simplifies the complexities of payment for the company’s direct merchant customers and channel partners in the U.S. The VeriFone Point solution features a cost-predictable subscription model for obtaining and maintaining all the components of a complete payments solution including software, management services, device acquisition, and maintenance, which enables these organizations to spend less time and money on payments and devote more resources to improving their business. Additionally, VeriFone Point decouples payment transactions from the traditional POS system (e.g. cash register), ensuring more secure transactions and relieving merchants of PCI compliance issues. “Merchants and service providers don’t want to deal with the complexities of managing PCI, EMV and emerging payments and mobile wallet technologies. They want to focus on serving their customers and growing their business,” said Jennifer Miles, president, VeriFone Americas. “VeriFone Point offers these organizations a way out of the complexity of business by providing a flexible and reliable toolkit that is managed by the company they trust for payments.” The VeriFone Point solution utilizes a secure network integration between the VeriFone device and payment processor systems, enabling
merchants and service providers to quickly and easily integrate the latest mobile wallets, emerging payments technologies, and EMV specifications, again reducing the scope and expense of compliance and recertification. Additionally, with this integration, data can be encrypted, securely routed for processing to the merchant’s acquirer and tokenized, decoupling the actual payment transaction from the merchant’s POS systems. This process significantly reduces the risk of costly and embarrassing data breaches, and vastly reduces the scope and expense of PCI compliance and recertification. “VeriFone Point greatly simplifies PCI compliance and further strengthens our solution offering to our customers,” said Michael Balzer, senior vice president, OneInterface, for Global Blue. “Our customers have been asking for it, and now we’re able to provide signature capture capabilities in a semi-integrated payments infrastructure. The solution is easy for our customers to manage their payment systems centrally, including configuration updates and media management, and in their stores the solution just works, freeing up valuable sales associate time for them to focus on selling to their customers.” “Payments complexity surrounding the growing PCI compliance burden has already created a significant burden for U.S. merchants and service providers, and the migration to EMV coupled with the proliferation of value-added services will dramatically increase this burden,” said Rick Oglesby, senior analyst for Aite Group. “Solutions that remove the payment data and associated complexities from the POS create a meaningful and growing opportunity for merchants and merchant service providers alike.”
HANDLING YOUR NEW POLYMER NOTES
LEARN MORE: BANKOFCANADA.CA/BANKNOTES
One on One
breaking down the silos By Amie Silverwood
Q: What are some of the challenges you face in product development? A: As a hardware vendor, our customers typically have an 18 to 24 month certification, adoption process. We typically have an 18 month process to create a new product. So Ingenico needs to understand, from a payments perspective, what is coming literally three, four or five years down the road. We’re going to build that into the hardware because we’re going to sell that to the customer and they’re going to have to adopt that before they can use it. If you were to talk to us ten years ago, we would have talked about a pinpad, we would have talked about a desktop. We may have talked about new cellular technology but today, Ingenico wants to bring payments to many different spaces and there are no longer the silos that we used to have.
Richard Giannini currently serves as Ingenico’s Vice President of Product Development, responsible for hardware in the North American Region and the software development and quality assurance teams in Canada. Richard has been in his current role since 2011 and joined Ingenico in 2005. Prior to Ingenico, Richard worked in the high-tech industry, responsible for numerous successful consumer products. Richard has over 17 years of experience in developing and delivering hardware and software solutions to the market.
Q: How are you breaking down silos? A: A payment terminal is very secure and for all intents and purposes, a locked down device. As a retailer, I want to be able to walk my store floor, I want to be able to scan a product, I want to be able to look at my inventory system and I want to potentially sell to that customer but I want that experience to be a good one. I want to now take payment on the spot. We create products now that hard dock into phones or are able to talk wirelessly to tablets. So if you look at it, I’ll have the payment vehicle, I’ll do everything from the tablet perspective, talk to the customer, do everything I need to and scan the product and have them pay without having to send them to stand in line. One of our key products in this case is being used by Apple. They are able to interface with their customer and access all their store systems and take payment without having to herd them down the traditional cashier path. So for us, from a technology perspective, those things are great.
Q: What’s going to happen in the next four years? A: From the customer’s perspective, we’re looking at a more feature-rich interactive point of sale device. Touch technology is becoming more prevalent, we’ll see more of a reliance on NFC technology but really, a lot of the innovation is behind the scenes. Customers are used to using these devices today. Whether it’s a swipe, an insertion or a contactless transaction with a card or a phone, I think that’s a small leap for the consumer to make because it’s something they’re already doing today. Where we’re seeing a lot of innovation is in the tools to enable people who have not been able to
take payments before to now utilize our devices in a very simple manner. Take, for instance, the charity that goes door to door. They’re going to migrate to tablets so why not enable them to monetize that right on the spot with our technology.
Q: And email you the receipt? A: Exactly. From a hardware perspective, a lot of that exists today. What we need to do is create applications and tools for people who never thought they could take payments on the spot so now they’ll be able to take payments on the spot.
Q: Can you talk about other technologies that you’re working on? A: We’re still looking for some coming together of the NFC – the NFC is still fragmented. Today, EMVCo handles EMV. The brands handle contactless. NFC is … I’d love to say here’s an organization that defines but it isn’t there. In the next four to five years, we’d like to see a consolidation of the NFC world into a standards-based organization that then would allow us to open it up to everybody as opposed to doing the one-offs. Today, even a merchant will say, if I’m Google Wallets, I have to do my own work for Google Wallets. If I’m Isis, I have to do my own work for Isis. If I’m PayPal, I have to do my own work. If there was a standard that said, I do this once and I open myself up to any wallet initiative, it would help. The next revolution is taking the payment terminal and taking the smartphone or tablet and putting them together. And we’ve announced a partnership with Microsoft where we’re looking to do that exact thing. Bringing their tablet technology with a payment engine integrated into one. So you’ve gone from a device by itself, we’ve moved to devices that now talk to one
another, we’ve talked about a miniaturization of that technology and the final step is bringing them together: full tablet functionality with full payment functionality in a single device.
Q: How concerned are consumers that retailers keep up with the latest developments at the point of sale such as EMV? Can American retailers come to Canada and expect Canadians to swipe their cards? A: I met with a large retailer last week who is coming into the Canadian market and we talked to them about how they want to position our products in their store and they were very clear – the Canadian consumer is a much more informed consumer; we are going to utilize Canadian devices, we will accept all forms of Canadian payment as Canadians accept them. So here’s a very large, savvy American retailer who says, yes, this is how I do it in the US but if I’m coming here to this consumer base, I need to do what customers are accustomed to because this is an informed consumer base.
Service Directory
Card Manufacturers
Integrated Payments Solutions
Integrated Payment Solutions and Services
Secure Solutions for Payment & Identification
One of the most advanced and reliable payment delivery solutions in financial services technology.
Since 1852, G&D has been an integral partner that is solutions orientated and trusted by banks, governments and carriers. Our solutions are founded on trust, integrity and the creation of value through Confidence.
• Contact, Contactless and Dual-Interface Smart Cards • Mobile Payment • On-line Secure Authentication • Enhanced Card Identification
Toll Free: 1-800-387-9794
Toll Free: 1.866.388.0076
Secure Payment Solutions
EMV & NFC Consulting
Apriva is North America’s Leading Wireless Gateway. SECURE DEVICES | RELIABLE SERVICE | EXCEPTIONAL SUPPORT
To learn more call Paul DeRosse, Senior Vice President, Sales at 905.530.2351 or visit www.apriva.com.
Ensure a successful NFC project with FIME’s consulting team! • EMV & NFC consulting • Test tools • Security evaluation • Certification www.fime.com email@example.com
See your company name here. Contact Mark Henry firstname.lastname@example.org 1800-668-1838 x 223
In the future, data will be the most valuable currency.
Dollars are digital, Sterling silicon and the Renminbi is wireless. The volume and complexity of transaction data is accelerating across markets, time zones and currencies. HSBC provides the technology to help Treasurers manage global currency flows and reconcile increasingly complex global cash positions. On the ground in over 70 markets, we have the infrastructure and data management expertise, combined with online solutions, to optimise working capital and deliver to the bottom line. This is why HSBC has been recognised as Best Global Cash Manager for Corporates and Best Domestic Cash Manager for Canada in the Euromoney Cash Management Survey 2012. Discover more on global cash management at www.hsbc.ca/cash-management
Best Global Cash Management Bank for Corporates Best Domestic Cash Manager – Canada
Issued by HSBC Bank Canada