
Page 1

Mobile Payments and Payment Card Industry Compliance: Controlling Security and Fraud…

Casey Reid
Merchant Services Sales Advisor
Capital One Merchant Services

Laura Mitchell
Merchant Services Sales Advisor
Capital One Merchant Services

LITDA Conference
March 2, 2013

Page 2

Great Ideas in Technology: Fantasy or Reality?

• The history of technology is full of exciting new ideas – some that ultimately flourished, and others that faded away.

• When a new idea in payments technology comes along, it’s important for merchants to stay informed. But you always need to ask yourself: Is this dream the “real deal,” or just a fantasy that may never come true?

Page 3

One Idea That Never Got Off the Ground: the Rocket Belt

• aka “jet pack” or “rocket pack”

• This flying device was worn on a person’s back and propelled by jets of escaping gases.

• The rocket belt concept emerged from science fiction in the 1920s and there were efforts to develop the device in the 1960s for use in the military or for personal transport.

• Development was grounded by safety and other technical issues.

Page 4

The Latest Cool Technology Concept in Payments: the Mobile Wallet

• Technology that enables a consumer to tap a phone on a terminal device to pay for a purchase

• The mobile wallet is expected to be enabled by near field communication (NFC) contactless technology embedded in mobile phone handsets.

• The consumer’s phone will be able to store secure payment and identity information, as well as provide a secure access channel to payment services.

Page 5

Potential Impact on Consumers

• No more need for a leather wallet and plastic cards or cash

• Use a phone to store cards and make card purchases

• Also use phone to store coupons and special offers, reward and loyalty cards, tickets and transit passes

• “The promise of the mobile wallet is you’ll be able to manage your entire financial life from a single device.” – Andy Schmidt, research director for commercial banking and payments, TowerGroup*

*Source: “When will we be paying for stuff with our smartphones?,” USA Today, July 25, 2011.

Page 6

What’s Driving Mobile Wallet – Phone Mania

• Younger generation loves its phones – and isn’t likely to leave home without one.

• About 34% of U.S. consumers now own a smartphone and that number is growing at a compound annual growth rate of 17%.*

* Source: Javelin Strategy & Research, January 2011.

Page 7

What’s Driving Mobile Wallet – Fraud

• The U.S. leads the world in credit card fraud.

• Payment card fraud losses totaled $3.56 billion in 2010 in the U.S. from all general purpose and private label, signature and PIN payment cards.

• The U.S. currently accounts for 47% of global credit and debit card fraud, even though it generates only 27% of the total volume of purchases and cash.

Source: The Nilson Report, September 2011.

Page 8

What’s Driving Mobile Wallet – Magstripe Concerns

• Card brands want to move away from magnetic stripe technology, which is perceived as less secure than computerized chips.

• NFC technology envisioned for mobile wallet includes a microprocessor embedded in a phone (eliminating swipe card technology).

• Chip and PIN technology is pervasive in Europe and other areas of the world, where fraud experience is significantly less than in the U.S.

• The Nilson Report credits chip technology and related stricter security procedures for the worldwide decrease in global card fraud (as a percentage of volume) in 2010.*

*Source: November 21, 2011, news release.

Page 9

Chip and PIN – EMV Standard Coming to U.S.

• EMV is the global standard for credit and debit card payments. Named after developers Europay, MasterCard and Visa, it features cards with embedded microprocessor chips that store and protect encrypted account user data.

• In August 2011, Visa announced its intention to speed the adoption of EMV technology in the U.S., offering incentives to merchants and processors and the promise of increased card security to banks and other card issuers.

• Visa is requiring U.S. acquirer processors and sub-processor service providers to support merchant acceptance of chip transactions no later than April 1, 2013.

Page 10

Enabling Merchants

• If NFC technology becomes the standard for Mobile Wallet, many merchants already have the capability today to accept such contactless payments.

• Accepting contactless card payments requires the same type of terminal.

• Some merchants may need to invest in NFC-enabled payment terminals.

Page 11

Turning the Dream into Reality – Obstacles

Old habits die hard. Consumers have been pulling cash or plastic cards out of their leather wallets for generations.

Security and privacy. What if I lose my phone?

Infrastructure. Consumers need NFC-enabled phones and some merchants must upgrade their checkout terminals.

Market competition. A wide range of vendors in the mobile space are scrambling to forge a solution that will afford them a “piece of the pie.”

Page 12

Mobile payment acceptance can be a reality in your business today…

• Accept Credit, Signature Debit and Cash

• Print or email receipt with signature capture

• Order management

• Inventory management

• Customer Database

• Discounts (fixed dollar or percentage)

• Calculate Tax

• Transaction based reporting in app and available via merchant console

  – Includes both card and cash transactions

  – 26 pre-made reports (merchant console)

  – Customizable reports for both cash and card as well as custom fields

Page 13

PCI DSS was formed by the networks in response to increasing fraud

Timeline milestones, 2000–2011 (as laid out on the slide):

• Visa introduces CISP in the U.S.

• Visa mandates CISP for all merchants.

• Others establish their own programs (e.g., MC’s SDP).

• An industry standard known as Payment Card Industry Data Security Standard (PCI DSS) was formed resulting from a joint effort between Visa and MasterCard. PCI DSS v1.0 launched.

• Payment Card Industry Security Standards Council (PCI SSC) formed by AMEX, Discover, JCB, MasterCard and Visa with the goal of managing and evolving the PCI DSS.

• PCI DSS v1.1

• PCI DSS v1.2

• PCI DSS v1.2.1

• PCI DSS v2.0

Visa led the way, others followed. PCI SSC continues to evolve the Standard.

PCI SSC is responsible for the development, management, education, and awareness of the PCI Security Standard – not enforcement!

Page 14

PCI DSS encompasses all cardholder data…not just online data

Protecting Cardholder Data: Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card.

Network Security: By using network security controls, entities can prevent criminals from virtually accessing payment system networks and stealing cardholder data.

Application Security: Security vulnerabilities in systems and applications may allow criminals to access PAN and other cardholder data.

Security Awareness and Policy: A strong security policy sets the tone for security affecting an organization’s entire company. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.

Physical Security: Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted.

Page 15

Most breaches are avoidable with simple controls

• 96% of organizations subject to the PCI DSS were not compliant prior to the breach.

• Nearly all records in 2011 were compromised from online assets.

• As with the 2011 report, the majority of breaches are discovered by a third party.

  – 85% of all breaches occur within the small merchant space

  – 96% of attacks were not highly difficult

  – 97% were considered avoidable through simple or intermediate controls

  – 54% occur within the Hospitality and Retail industries

Source: 2011 & 2012 Verizon Data Breach Investigations Report

Page 16

Most breaches occur among small merchants

The number of breached records in 2011 increased, with a continued focus on Level 4 merchants. Small businesses should pay attention.

Source: Verizon 2012 Data Breach Investigations Report

Page 17

Basic vigilance can combat many of the common vulnerabilities

• Storage of prohibited data

• Poorly coded Web applications (Gartner reports two-thirds of Web apps contain exploitable vulnerabilities)

• Weak passwords

• Unpatched systems

• Misconfigured firewalls and remote access applications

• Lack of security awareness – sloppy handling of sensitive data

Source: Verizon Business, 2010
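As an added example (not code from the presentation or from Capital One), the following Python scanner targets the first item above, storage of prohibited data, using the Page 14 definition of cardholder data: it looks for digit runs in constructed sample POS log lines, keeps only those that pass the Luhn check so order numbers and phone numbers are not flagged, and reports each hit masked to first six and last four digits. The log format, field names and test card numbers are assumptions made for the example.

```python
import re
from typing import List, Dict

# Constructed sample POS log lines (not real card numbers: 4111... and 5555...
# are well-known test PANs; 4111111111111112 fails the Luhn check on purpose).
SAMPLE_LOG = """\
2013-03-02 10:14:01 POS order=1001 total=42.10 card=4111111111111111 auth=OK
2013-03-02 10:15:22 POS order=1002 total=9.99 token=tok_8f3a2c auth=OK
2013-03-02 10:16:05 POS order=1003 total=120.00 card=5555 5555 5555 4444 auth=OK
2013-03-02 10:17:40 POS order=1004 total=15.00 ref=4111111111111112 auth=DECLINED
2013-03-02 10:18:13 POS order=1005 total=7.50 phone=2252976085 auth=OK
"""

# 13 to 19 digits, allowing the spaces or dashes people type between groups.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_stored_pans(text: str) -> List[Dict[str, object]]:
    """Scan text for stored PANs; each finding is reported masked, never in full."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # The Luhn check filters out order numbers, phone numbers and dates.
            if luhn_ok(digits):
                findings.append({"line": lineno, "masked": mask_pan(digits)})
    return findings

if __name__ == "__main__":
    for f in find_stored_pans(SAMPLE_LOG):
        print(f"line {f['line']}: prohibited PAN stored ({f['masked']})")
```

Run against the sample, lines 1 and 3 are flagged and line 4 (Luhn-invalid) and line 5 (a phone number) are not; pointing the same function at real log or database exports is how a merchant checks whether full PANs are being written where they should not be.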

Page 18

Vulnerability scanning is a common requirement for merchants

The Vulnerability Scanner probes all public-facing internet access points to identify weaknesses that can be exploited by hackers.

[Diagram: scanner on the internet side of the firewall, probing through the firewall to the merchant network]

Source: SAINT Corporation

Page 19

The typical cost of a breach can significantly impact small businesses

• The costs of a data breach can range up to $250,000 or more for Level 4 merchants – more than enough to shut down a small business.

  – Mandatory forensics audit costs

  – Card replacement costs

  – Compliance fines

    • Fines are based on the actual fraud use of the cards, which may vary depending on the number of cards exposed.

  – Productivity loss

    • Significant paperwork and overhead to manage the post-breach documentation process – similar to an IRS audit.

  – Brand damage

Page 20

Merchants are ultimately responsible for fees related to a breach

• Fines and fees typically flow downstream – passing from the credit card companies all the way to the merchant.

• If the merchant cannot cover the costs, the acquirer is responsible.

[Diagram: flow of fines and fees between Credit Card Companies, Acquirer (Merchant Bank), Service Provider (Processor/ISO) and Merchant]

Page 21

Small merchants have gone out of business because of these costs

A Level 4 data breach typically has a significant financial and operational impact on a small merchant. In some cases, it could shut down a small business.

Costs may include:

• Forensics audit costs: $8,000 to $20,000

• Card replacement costs: average $8-10 per card

• Productivity loss: Vast paperwork and overhead to manage the post-breach process. Think “IRS Audit.”

• Compliance fines: Could range from $5,000 to $250,000 depending on the size of the breach and the nature of the offense

• Brand damage: Hard to quantify, but at the end of the day this could be the most damaging of all

Page 22

News headlines commonly tell the story of the impact of a breach

Page 23

Every Merchant should understand and comply with PCI DSS

1. PCI is here to stay: Card Brand focus/Legislative momentum.

2. Technology enhancements are bringing increased focus on PCI.

3. Hackers increasingly target small businesses.

4. Most data breaches remain very preventable.

5. Complying with PCI does not cost a lot for the typical Level 4 Merchant.

6. Not complying with PCI has the potential to be very expensive.

7. PCI helps create a strong foundation for a data security culture.

8. Data security and privacy protection are huge concerns of customers.

9. Reputational and brand damage are hard to measure if the merchant is breached.

10. Choosing a provider that requires compliance and educates merchants is the best thing for the merchant.

Page 24

If you have questions later …

Casey Reid
Merchant Services Sales Advisor
Capital One Merchant Services
[email protected]
(225) 297-6085

Laura Mitchell
Merchant Services Sales Advisor
Capital One Merchant Services
[email protected]
(225) 663-3527

This presentation is for informational purposes only, does not constitute the rendering of legal, accounting or other professional services by Capital One, N.A., or any of its subsidiaries or affiliates, and is without any warranty whatsoever. © 2013 Capital One. Member FDIC. All rights reserved.