Biometrics Scare Sends a Reminder About the Need for Thorough Data Protection

What appears to be only a scare about a breach of fingerprint data from a kiosk deployer is sending a reminder to the payments industry that biometrics are no panacea for data-security problems.

“Any security system is not 100% bulletproof,” says David Lott, payments risk expert at the Federal Reserve Bank of Atlanta. “Anything can be penetrated. You have to take very strong steps to protect that data.”
The scare came late last week when Tukwila, Wash.-based Avanti Markets Inc., a deployer of payment card-accepting kiosks that dispense food and snacks in company break rooms, disclosed that malware compromised an undisclosed number of its kiosks. Some of the compromised machines were provisioned with fingerprint readers that enable cashless payments through Avanti’s Market Card, a payment and loyalty service that includes a mobile app. The malware may have captured Market Card users’ fingerprint data as well as names and email addresses, Avanti said in a notice on its Web site late last week.

The KrebsOnSecurity news service reported that many of the kiosks did not use point-to-point data encryption. Later, however, Avanti updated a notice on its Web site to confirm that the biometric data were protected.
“In an abundance of caution, our original notice advised customers who used their Market Card to make payment that they may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality,” the notice says. “We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data, and as such this biometric data would not be subject to this incident as it is encrypted.”

The company did not make a spokesperson available to Digital Transactions News for further comment.
Avanti Markets, which claims 1.6 million customers, said the breach affected about 1,900 kiosks. The malware, which the company believes got into its system shortly before July 4 through a workstation belonging to a third-party vendor and became active July 2, may have captured cardholder names, account numbers, and expiration dates of the payment cards used by employees who weren’t paying with cash or the Market Card. Avanti turned off the cashless-payment functions on the compromised machines soon after discovering the breach on July 4.
Avanti said it worked with the vendor to remove the malware within hours of discovering the attack. The company is working with a forensics investigator to investigate the attack, the perpetrators of which aren’t yet known. Avanti Markets in May began working with its partner operators to provision all of its kiosks with point-to-point encryption technology, a project that as of last week was about half done.

Lott of the Atlanta Fed, who moderated a panel about biometrics at a recent payment-industry conference, notes that biometric technologies convert fingerprints, voice patterns, irises, and other physical attributes into data, which means where and how that data are stored is highly important. Unlike a password, a fingerprint cannot be changed once it leaks, so the storage model matters more than it does for other credentials. For example, Apple Inc.’s iPhone stores fingerprint data in the phone’s Secure Enclave, a dedicated coprocessor on the device, which means a compromise of one phone is limited to that device, whereas systems that store biometric data in central databases could be the source of widespread damage if hacked.
“If they compromise a central database … they could compromise thousands, millions of records,” Lott says.
Security experts say biometrics are most effective as part of a so-called layered security approach that includes other data protections. Rather than relying on physical attributes, some companies are rolling out so-called passive biometric systems that record consumers’ physical motions and usage patterns of payment-originating mobile phones and computers.

Al Pascual, senior vice president and research director at Pleasanton, Calif.-based Javelin Strategy & Research, says it is not surprising that fraudsters are interested as usage of biometrics increases. The Avanti incident is the kind of event “that the industry needs to learn from before biometrics are even more broadly deployed,” Pascual says by email. “If true, it is fortunate that the biometric data is encrypted, but there are undoubtedly a wealth of systems where biometric data is co-located in the clear with other data of value” such as payment information and customer personal identifying information.

“If this type of data was consistently compromised, then it would diminish consumers’ perception of the security value of biometrics,” says Pascual.

COMMENTARY: A Look at the Top 4 Security Trends for 2017 in the Payments Industry

After years of card-data breaches and other bad news, four very encouraging trends are emerging that bode well for better security. Here’s a quick look at all four:

Integrators are taking the QIR program seriously. When the PCI Security Standards Council and Visa Inc. initially released the Qualified Integrator and Reseller (QIR) certification program in 2015, it was welcomed with little to no enthusiasm. Many thought the short timeline for QIR certification was unfair; most did not take it seriously. The initial due date overlapped with the EMV liability shift, and resources were strained just to keep up with EMV certifications.

In fact, only 73 companies completed and passed the QIR program in 2015 with the original due date of Jan. 1, 2016. The PCI Council and Visa took quick notice and moved the due date to Jan. 31, 2017, when, under Visa rules, acquirers had to begin using only QIRs for integration work with small merchants.

In 2016, with the help of associations such as the Retail Service Providers Association (RSPA), which helped promote QIR awareness, and companies such as Vantiv Inc., which helped sponsor QIR certifications, many more companies jumped on the QIR bandwagon. In fact, 233 U.S. companies received their QIR certification in 2016.

This trend is continuing to grow. Another 51 companies have passed their certification so far in 2017, and it is expected that the number of companies passing this certification will rise in the coming years, which is good news since it doesn’t look like PCI will extend the due date again. However, with an estimated 5,000 ISVs and VARs in the U.S. alone, there is still a long way to go.

More payment solutions are seeking P2PE validation. When the PCI Point-to-Point Encryption (P2PE) certification requirements were first released three years ago, the process was very costly and somewhat ambiguous. This is probably why, until recently, only a few companies in the U.S. pursued and completed their PCI P2PE validation.

A little over a year ago, the PCI Council released its new certification requirements with more transparent rules. It also allowed companies to certify only the individual components of the P2PE chain they participate in. For example, key-injection facilities (KIFs) are allowed to obtain certification for the key-injection, key-management, and device-tracking services required by PCI for a P2PE-validated solution. One company to take this route was ScanSource, which was part of one of the initial validated solutions in the U.S. and in January completed its PCI validation as a standalone PCI P2PE-validated KIF. This allows any gateway to use ScanSource’s key-injection services.

The demand for a PCI-certified P2PE solution is also on the rise. Since merchants can’t take card data out of PCI scope, or reduce their scope, without a PCI-validated P2PE solution for credit card processing, more merchants are putting PCI validation into their requests for proposals to reduce the risks and costs of compliance associated with having credit card data on their network. For these reasons, more payment providers will pursue their P2PE certification in 2017, keeping qualified security assessors in heavy demand.
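The scope-reduction argument above, and the Avanti notice earlier on this page saying that fingerprint data encrypted inside the reader “would not be subject to this incident,” both rest on the same architecture: the reader encrypts under a key injected at a KIF, the POS or kiosk host only ever forwards ciphertext, and only the provider’s decryption host holds the base derivation key. The following is an added illustration of that architecture, written for this page; it is not code from Avanti, ScanSource or any validated P2PE solution. The per-transaction key derivation, the HMAC-SHA256 counter-mode cipher and the sample BDK, KSN and track data are all stand-ins chosen so it runs with the Python standard library (a real solution uses TDES or AES DUKPT and a hardware security module); the memory scraper mimics what POS malware looks for.

```python
import hashlib
import hmac
import os
import re
import struct

# Constructed sample values (not from the article). BDK = base derivation key injected into
# the reader at a key-injection facility; KSN = key serial number sent with each transaction.
BDK = bytes.fromhex("0123456789abcdeffedcba9876543210")
KSN = bytes.fromhex("ffff9876543210e00001")
SAMPLE_TRACK = b"%B4111111111111111^DOE/JOHN^25121011000?"   # test PAN, Luhn-valid


def derive_txn_key(bdk: bytes, ksn: bytes) -> bytes:
    """Per-transaction key from BDK and KSN (simplified stand-in for DUKPT derivation)."""
    return hmac.new(bdk, b"p2pe-txn-key" + ksn, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy PRF; a validated solution would use TDES/AES."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def reader_encrypt(bdk: bytes, ksn: bytes, track: bytes) -> dict:
    """Runs inside the tamper-resistant reader: the POS host only ever receives this blob."""
    key = derive_txn_key(bdk, ksn)
    enc_key, mac_key = key[:16], key[16:]
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(track, _keystream(enc_key, nonce, len(track))))
    tag = hmac.new(mac_key, ksn + nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return {"ksn": ksn, "nonce": nonce, "ct": ct, "tag": tag}


def host_decrypt(bdk: bytes, blob: dict) -> bytes:
    """Runs only at the P2PE provider's decryption host, the one place the BDK exists."""
    key = derive_txn_key(bdk, blob["ksn"])
    enc_key, mac_key = key[:16], key[16:]
    expected = hmac.new(mac_key, blob["ksn"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("P2PE blob failed integrity check (tampered, or wrong BDK)")
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))


def pos_memory_image(blob: dict) -> bytes:
    """What a RAM scraper on the POS/kiosk host can see: the serialized blob and nothing else."""
    return b"".join(struct.pack(">H", len(v)) + v
                    for v in (blob["ksn"], blob["nonce"], blob["ct"], blob["tag"]))


_PAN_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check digit test, used by scrapers to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape_for_pans(memory: bytes) -> list:
    """Mimics POS memory-scraping malware: every Luhn-valid run of 13 to 19 digits."""
    return [m.group(0) for m in _PAN_RUN.finditer(memory) if luhn_ok(m.group(0))]


if __name__ == "__main__":
    blob = reader_encrypt(BDK, KSN, SAMPLE_TRACK)
    print("scraped from clear-text track:", scrape_for_pans(SAMPLE_TRACK))
    print("scraped from P2PE host memory:", scrape_for_pans(pos_memory_image(blob)))
    print("decrypted at provider host:   ", host_decrypt(BDK, blob))
```

The point the example makes is the one the auditors make: the merchant host never holds a key, so malware there captures only ciphertext, which is why a validated P2PE deployment removes that host from scope. The integrity tag also matters; without it, an attacker on the host could flip ciphertext bits undetected even though they cannot read the PAN.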

EMV certifications are faster and more robust. In 2015, EMV certifications came at a snail’s pace, and most were not released until after the liability shift due date. The few that were released were basic, excluded debit support, and only included one processor. Some of the EMV upgrades even broke the transaction process and had to be turned off shortly after being implemented.

Now that the initial certifications are complete and everyone has been trained on how to get EMV-certified, we are seeing more merchants with EMV fully deployed.

The EMV solutions are also more complex now, including debit, near-field communication, and a shorter transaction time, as well as being available for more intricate environments, such as pay at the table and health care. Certified solutions are being released much faster because of changes made around “faster EMV” and Visa’s allowing acquirers to self-certify their merchants’ solutions. This increased pace for EMV-certified solutions will continue well into 2019 now that many have figured out the EMV puzzle that until recently plagued the payment industry.

End users are willing to pay for security. Data breaches, credit card fraud, and cyber attacks are the new normal. Gone is the shock that we felt when we first heard of the TJX Cos. Inc. and Target Corp. breaches. Every other day, we hear of yet another breach, shrug our shoulders and move along. These days, it isn’t about if a merchant will be breached but a matter of when. For that reason, there are more and more services that help meet PCI compliance.

Many resellers have developed software-as-a-service offerings for PCI services such as patch management, antivirus monitoring, password management, and terminal management. Merchants are willing to outsource these services instead of developing and maintaining the tools themselves to stay in PCI compliance, and they are willing to invest in PCI security to protect themselves. In many cases, merchants are electing to outsource these services as an added layer of protection.

US to Hand Over Control of the Internet ‘Address Book’ to ICANN

A tiny branch of the U.S. Commerce Department is preparing to hand over control of the Internet’s “address book”—the highest level of the Domain Name System, or DNS—to the Internet Corp. for Assigned Names and Numbers, a Los Angeles-based international nonprofit, effective Oct. 1, Ars Technica reports.
Republican lawmakers have tried to block the move, with the attorneys general for Arizona, Oklahoma, Nevada and Texas filing a lawsuit in a Texas federal court Wednesday, according to Politico.
The lawsuit contends that the transition amounts to the illegal giveaway of U.S. government property. The plaintiffs also fear that ICANN could prohibit speech on the Internet and revoke the U.S. government’s exclusive use of .gov and .mil domains.
Republican presidential candidate Donald Trump’s campaign weighed in on the issue, according to Ars Technica:
The Republicans in Congress are admirably leading a fight to save the Internet this week, and need all the help the American people can give them to be successful. Congress needs to act, or Internet freedom will be lost for good, since there will be no way to make it great again once it is lost.
Ars Technica also reports comments that Sen. Ted Cruz (R-Texas) made in a recent speech on the Senate floor:
Today our country faces a threat to the Internet as we know it. … If Congress fails to act, the Obama administration intends to give away the Internet to an international body akin to the United Nations. I rise today to discuss the significant, irreparable damage this proposed Internet giveaway could wreak not only on our nation but on free speech across the world.
ICANN says that these assertions by Republicans are unfounded.
“The US government has never, and has never had the ability to, set the direction of the (ICANN) community’s policy development work based on First Amendment ideas,” ICANN said in a statement, as reported by Ars Technica. “Yet that is exactly what Senator Cruz is suggesting. The US government has no decreased role. Other governments have no increased role. There is simply no change to governmental involvement in policy development work in ICANN.”
The change has been characterized as largely symbolic. The only thing that changes, according to Ars Technica, is that the U.S. will no longer oversee the contract between ICANN and Virginia-based Verisign under which Verisign maintains the DNS root zone.
Facebook, Amazon.com, Google and Twitter are some of the bigger tech companies that back the change, according to Ars Technica. They say it is imperative that Congress not block it.

‘Digital ID’ Is the Solution for EMV’s Online Blind Spot

In order to successfully and scalably combat card-related fraud and digital payments hacking, organizations need to rely less on standards like EMV and PAN/PRN, and recognize today’s currency is no longer just about money.

Instead, digital identity has emerged as a new form of currency, and it requires protection too.

Counterfeit fraud, card-not-present fraud, fraudulent applications, card-not-received fraud, and lost and stolen fraud have all contributed to the digital payments fraud so many U.S. organizations and consumers are experiencing.

Additionally, hackers have become adept at compromising user account data, rendering protective tactics built around the PAN (the primary account number, i.e. the 16-digit number on credit cards) and the PRN (the provisional receipt number, a unique 15-digit token) nearly useless.

What is digital identity? Previously, money was transacted via highly tangible items such as coins, symbols or even farm animals. But in the 21st century, money has become increasingly digital. The way people interact online directly affects their digital reputation, and that resulting digital identity gives people access to their bank account, allows them to apply for peer-to-peer loans, and enables them to participate in our shared economy.

A helpful way to consider digital identity is to think of it as the bridge between physical identities and online user identities. Digital identities are unique and hard to fake, because they draw on the large number of connections users create when they transact online, so they work well to ensure legitimate users are recognized and provided with seamless online experiences. At the same time, digital identities can help accurately detect fraudsters using stolen or spoofed identities before the fraudulent transaction is processed.

In order to facilitate advanced fraud protection and accurately authenticate valid users, organizations need to capture and fully understand the complete digital makeup of each of their individual users. There are a variety of unique data points that make up a user’s digital DNA, including the following five elements:

User Credentials: This includes any/all associations between an individual’s accounts and email addresses with anonymized, non-regulated, personal information. This data might include user names and telephone numbers, or even more advanced intelligence relating to devices, locations and online behavior.

Trust Tags: Trust tags are digital labels that can be applied to various combinations of entities within a user’s persona to indicate their trustworthiness. Trust can be associated dynamically with any combination of online attributes such as devices, email addresses, or card numbers, allowing for trusted users to be quickly recognized.

Persona ID: This element captures connected entities such as email addresses, transactions, accounts, devices, IP addresses, geolocations, proxies, and physical addresses relating to an individual.

Links and Associations: Leveraging persona IDs, organizations can benefit from real-time linkage of a current transaction to related transactions through a matrix of attributes associated with the user, device and connection.

Behavioral Biometrics: Behavioral biometrics evaluate current user and device interactions, and compare that information to historical user and device interactions and to known bad behaviors.
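Three of the five elements above (persona ID, trust tags, links and associations) are really one data structure: an index from each entity (email, device, IP, card) to the transactions it appears in, with a trust label per entity and a graph walk that follows shared entities from the transaction being scored. The block below is an added example written for this page to make that concrete; it is not code from any vendor the op-ed has in mind. The transaction history, the attribute set and the accept/review/step-up thresholds are constructed for the demonstration, and behavioral biometrics are left out because they need a capture layer this example does not have.

```python
from collections import defaultdict, deque

# Constructed transaction history (not from the article): two clean purchases by one
# customer, and two charged-back purchases that share a device but nothing else.
HISTORY = [
    {"id": "t1", "email": "alice@example.com", "device": "dev-A", "ip": "203.0.113.10", "card": "4111xxxxxxxx1111", "outcome": "ok"},
    {"id": "t2", "email": "alice@example.com", "device": "dev-A", "ip": "203.0.113.10", "card": "4111xxxxxxxx1111", "outcome": "ok"},
    {"id": "t3", "email": "mule1@example.net", "device": "dev-X", "ip": "198.51.100.7", "card": "5500xxxxxxxx0004", "outcome": "chargeback"},
    {"id": "t4", "email": "mule2@example.net", "device": "dev-X", "ip": "198.51.100.8", "card": "5500xxxxxxxx0005", "outcome": "chargeback"},
]
LINK_ATTRS = ("email", "device", "ip", "card")   # the entities that make up a persona


def build_index(history):
    """Persona ID: map each (attribute, value) entity to the transactions it appears in."""
    index = defaultdict(set)
    for tx in history:
        for attr in LINK_ATTRS:
            index[(attr, tx[attr])].add(tx["id"])
    return index


def trust_tags(history):
    """Trust tags: an entity seen only in clean transactions is 'trusted'; any chargeback marks it 'bad'."""
    tags = {}
    for tx in history:
        for attr in LINK_ATTRS:
            key = (attr, tx[attr])
            if tx["outcome"] == "chargeback":
                tags[key] = "bad"
            else:
                tags.setdefault(key, "trusted")
    return tags


def linked_transactions(tx, history, index, max_hops=2):
    """Links and associations: breadth-first walk from the new transaction through shared
    entities to prior transactions, then through their entities, up to max_hops hops.
    Returns transaction id -> hop distance."""
    by_id = {t["id"]: t for t in history}
    hops, queue = {}, deque()
    for attr in LINK_ATTRS:
        for tid in index.get((attr, tx[attr]), ()):
            if tid not in hops:
                hops[tid] = 1
                queue.append(tid)
    while queue:
        tid = queue.popleft()
        if hops[tid] >= max_hops:
            continue
        for attr in LINK_ATTRS:
            for nid in index[(attr, by_id[tid][attr])]:
                if nid not in hops:
                    hops[nid] = hops[tid] + 1
                    queue.append(nid)
    return hops


def score_transaction(tx, history, max_hops=2):
    """Decide accept / review / step-up from direct trust tags and linked history."""
    index, tags = build_index(history), trust_tags(history)
    by_id = {t["id"]: t for t in history}
    links = linked_transactions(tx, history, index, max_hops)
    direct_bad = [a for a in LINK_ATTRS if tags.get((a, tx[a])) == "bad"]
    direct_trusted = [a for a in LINK_ATTRS if tags.get((a, tx[a])) == "trusted"]
    linked_bad = sorted(tid for tid in links if by_id[tid]["outcome"] == "chargeback")
    if direct_bad or linked_bad:
        decision = "review"      # reaches a known-bad entity, directly or through linked transactions
    elif len(direct_trusted) >= 2:
        decision = "accept"      # enough trusted entities to recognise a returning customer
    else:
        decision = "step-up"     # no history either way: ask for another factor
    return {"decision": decision, "direct_bad": direct_bad, "direct_trusted": direct_trusted,
            "linked_bad": linked_bad, "hops": links}


if __name__ == "__main__":
    probe = {"email": "carol@example.org", "device": "dev-C", "ip": "198.51.100.8", "card": "4000xxxxxxxx0010"}
    print(score_transaction(probe, HISTORY))
```

The multi-hop walk is what separates this from a plain blocklist: the probe in the usage line shares only an IP address with one charged-back transaction, but that transaction's device links it to a second chargeback on a different card and email, so both surface in `linked_bad`. The `max_hops` cap is the practical control; every extra hop pulls in more of the graph and, past two or three, starts linking unrelated customers through shared NAT addresses.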

The reality of today’s business landscape is that all customers are digital, and unfortunately it’s becoming harder and harder to verify the authenticity of these valued, online customers. Organizations are growing more adept at adapting their business to a more online-centric user experience, but in terms of preventing digital payments fraud, the majority remain focused on the wrong problem.

So much of digital payments security is focused on the protection of networks and devices, however determined and persistent hackers are usually undeterred by such safety measures. Organizations should instead focus their valuable resources on the digital identities that hackers may have already stolen. By stitching together verified customer data points such as location, payment details, websites visited, login credentials or typical transaction behavior, organizations can more effectively identify and transact with legitimate users, and at the same time thwart nefarious hackers in real-time.

‘I Need Knowledge:’ Merchants Express Befuddlement About EMV, Breaches, System Issues

Merchants would like nothing more than to decipher what they call the “mysteries” of the payments universe, a select group of them told attendees Thursday at the Western States Acquirers Association conference in Scottsdale, Ariz.

These mysteries, they said, include knowing whom to call when a problem crops up, what to know about EMV chip cards, and how to protect their point-of-sale systems from hackers.

For merchants, much of the mystery is wrapped up in the problem of how to avoid juggling payments issues while also trying to manage a retail business. “We don’t want to think about it,” J. Brandon Maxwell, president and chief executive of M Culinary Concepts, a Phoenix-based catering business, said of payments. “We don’t want to be burdened by it.”

For Jim Buhr, chief financial officer and chief information officer at Bashas’ Supermarkets, a Chandler, Ariz.-based grocery chain, knowing what’s going on with payments is a constant attention getter. “If we’re down for an hour we can lose millions,” Buhr told attendees. The chain’s payment system did indeed fail for a few hours in August, costing the company $1 million in sales, some of which was not recoverable, Buhr said. Seventy percent of its overall transactions are made with credit, debit, or electronic benefits transfer cards.

When something like that happens, or when there is a breach, the merchants agreed they need someone to help them understand what happened and how it can be corrected.

For many merchants, like Michelle Simpson, controller and chief financial officer at Thunderbirds Charities, a charitable organization that distributes funds raised by the Waste Management Phoenix Open golf tournament, her merchant-sales provider is the go-to resource. “We want to have the best experience for our customers,” Simpson said. “We have huge payments coming in the lead-up to the Open. When the Open hits, people want to instantly use their credit cards for $20.”

Buhr discovered which payments organizations could help him in the aftermath of a data breach that occurred a few years ago. “You don’t really find out who can help you until you have a breach,” he said. Contacting the card brands and processors Bashas’ Supermarkets used yielded little aid until a fraud expert at First Data Corp. guided him.

Merchants also are perplexed by the lack of a unified message about EMV adoption from the payments industry.

“The chip has always confused me,” Maxwell said. His business usually involves a contract covering a large upfront payment, and secondary payments in a workplace café. “I know where that person works,” he said, alluding to employees patronizing the café. “All I care about is the speed of transaction on that second type of transaction. If chip ever becomes the rule, it needs to become a hell of a lot faster.”

Others have been more proactive about chip enablement.

“I spent millions of dollars and I get chargebacks,” Buhr said. Bashas’ Supermarkets achieved 100% EMV enablement in July, and installed the terminals in 2014 while it waited for its payments vendors to be EMV-certified. “It’s very important that we work together,” he said. “I ask the industry to start with the retailer. He’s the guy who eats it all,” referring to the costs of implementing EMV.

“What is frightening is this chip business,” said Kerry Dunne, principal of R Entertainment, a Scottsdale, Ariz.-based event-production company. “We have to get our customers in and out in seconds,” he said. “One fear we have is chip takes so much longer to process.” Impatient consumers, especially when they’re at an entertainment event and just want to grab a beer and return to the event, won’t like waiting for a chip transaction, Dunne said.

He too admitted he knows little of how payments work, calling it a “mystery.” His advice for the payments industry is to do a better job educating merchants. “I need knowledge,” Dunne said.

Credit Card Surcharging Expected To Continue Despite Rejection of Interchange Settlement

“Visa is disappointed by the decision of the U.S. Court of Appeals for the Second Circuit,” a Visa spokesperson says in a statement. “We are reviewing the specifics of the ruling and will decide our next steps. Visa remains committed to working with retailers to grow their businesses and provide them with efficient and valuable payment options.”

Though MasterCard Inc. and Visa Inc. have their own rules for surcharging, generally the amounts are capped to actual acceptance costs, or 4%, whichever is lower. The rules also require consumer disclosure. Debit card surcharges are not permitted.

According to a person familiar with surcharging practices, no changes are anticipated, at least for Visa’s rules.

Others, too, expect that surcharging will remain in place.

“If anything, this upset is more likely to increase exposure to the existing petitions for the Supreme Court to hear this case, and eventually decide that surcharging should be legal everywhere,” says David Leppek, president of Transactions Services, an Omaha, Neb.-based payments provider.

The company offers a surcharging program for merchants in the 42 states that allow it, Leppek says. Certain merchant types are good candidates for it, including those that don’t accept payment cards because of costs and those that deal primarily with business-to-business transactions. Other prime candidates include providers of highly emotional purchases, those frustrated by payment-acceptance costs, and merchants selling high average-ticket items that consumers are more likely to use credit cards than debit cards to pay for.

Leppek views the appeals court’s veto of the settlement as based on procedural issues pertaining to class-action lawsuits. “As a result, the card brands changed their rules and have no motivation to now change them back,” Leppek says.

At Berwyn, Pa.-based JetPay Corp., which late last year debuted its Limitless program that enables merchants to offer discounts to consumers who pay with cash, Peter Davidson, vice chairman, expects a similar outcome.

“Given the reasons why the settlement was overturned—that it was essentially being too lenient towards the card networks for the merchants in the later class—it should have no long-term impact on JetPay’s Limitless program,” Davidson says via an email. “We believe any future final settlement will incorporate the allowance for different prices for cards versus other payment forms.”

Others, however, are less than enthused about surcharging in general.

“The new ruling by the appeals court is a significant victory for merchants,” says Alex Nouri, president of EFT Direct, an Ann Arbor, Mich.-based payments provider. “I applaud the reversal. The 2012 settlement is effectively null and void. While it’s usually good to have a choice, surcharging should not have been one of the facets of the lawsuit because it would hurt merchants more than not. Consumers frown on having to pay for extras, let alone an added fee for using their credit card.”

Nouri says he would be surprised at a discontinuation of surcharging, but he argues nonetheless that the networks should ban the practice “because it never made practical sense and is being used by some merchants to increase their bottom line instead of counting it as a business expense.”

Nouri says the 4% cap often results in some unscrupulous independent sales organizations and agents setting the discount rate automatically at 4% and also charging “hefty” terminal-lease fees, “thereby guaranteeing themselves a huge windfall on the back of both merchants and consumers.”

Both Visa and MasterCard have online forms for consumers to complete if they suspect a merchant violation of the surcharging rules.

“There are limits on what we can do about proactive compliance with over 9 million merchants in the U.S. alone,” says a MasterCard spokesperson. “However one thing ensures an investigation: It’s receiving a complaint form from a cardholder who believes that he or she has been wrongly surcharged.”

Eye on Data Breaches: A ‘Scary’ Legal Standard; Details Released on the Coming PCI Update

As federal regulators increasingly zero in on data breaches, lawyers at a payments conference on Wednesday warned that organizations that suffer breaches are likely to have a tougher time avoiding legal liability in the years ahead. And the PCI Security Standards Council disclosed some of the major changes in its upcoming version 3.2 of the Payment Card Industry data-security standard, including a requirement for multi-factor authentication by anyone with administrative access to cardholder data.

Until recently, regulators and the class-action bar have had a tougher time establishing liability in cases where they cannot show that consumers suffered any losses from breaches of card data, speakers said during a session at Transact16, an event in Las Vegas sponsored by the Electronic Transactions Association, the merchant-acquiring industry trade group. But that standard is changing, the speakers said.

Breached entities “have been able to deflect [regulators] if they can show no consumer harm,” said Leonard Gordon, a partner at Venable LLP, a New York City-based law firm. “That worked until last year, when a court ruled that fear of harm alone was sufficient injury for a case to go forward.”

Gordon warned the audience to “keep an eye” on this development. “It’s a scary case going forward,” he said.

In payment card data breaches, consumers are often reimbursed under the terms of their card agreements in cases of fraudulent use of their cards. In a well-known breach, that of the Wyndham Worldwide Corp. hotel chain, the Federal Trade Commission sued the chain but “couldn’t find any consumer who was out of pocket,” leading to a settlement that was “mild” in its terms toward Wyndham, Gordon said. That sort of outcome now might be more difficult to achieve for breached entities when consumers suffer no loss, Gordon warned.

The FTC sued Wyndham in 2013 after the chain sustained three breaches that the regulator said involved more than half a million card accounts and $10.6 million in fraud losses.

At the same time, the smallest merchants are still struggling to comply with the PCI data-security standard years after PCI was introduced and as a new version is under development. Gregory Holmes, another expert who spoke during the session, cited an estimate that just 40% of so-called Level 4 merchants are “truly compliant with PCI.” Holmes is a San Francisco-based director at PwC, a consulting firm that acts as a qualified security assessor for PCI compliance.

Level 4 merchants are those that process fewer than 1 million card transactions annually.

Meanwhile, the Wakefield, Mass.-based PCI Council, which administers the main PCI rule set and its related standards, plans to release version 3.2 of the PCI DSS later this month. The Council this week posted on its blog some of the key changes that card-accepting merchants, processors and other entities that handle general-purpose credit and debit cards can expect.

One change will be a requirement for multi-factor authentication for anyone with administrative access to computer systems containing card data. Multi-factor (sometimes called two-factor) authentication means at least two independent factors from different categories are required to access the data: something the user knows, such as a password; something the user has, such as a token or smart card; or something the user is, such as a biometric. Two passwords do not count, because both belong to the same category.

The existing standard required two-factor authentication only when access to cardholder data came from a so-called “untrusted” remote environment, that is, remote network access originating from outside the entity’s own network.

“The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network,” PCI Council chief technology officer Troy Leach said in the post. He later added: “This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment.”
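What Leach describes, a gate where a password alone is never sufficient for an administrator, even on a trusted network, is short to write down. The block below is an added example written for this page, not code from the PCI Council or any vendor: a PBKDF2-hashed password as the something-you-know factor and an RFC 6238 time-based one-time code as the something-you-have factor. The admin record, its password and the fixed salt are constructed for the demonstration; the TOTP seed is the RFC 6238 test-vector secret so the codes can be checked against the RFC's own table (a real seed comes from `os.urandom`). The `from_trusted_network` flag exists only to show that 3.2 removes the exemption: the function accepts it and ignores it.

```python
import hashlib
import hmac
import struct
import time

# Constructed admin record (not from the article). The TOTP seed is the RFC 6238 test-vector
# secret so the generated codes can be checked against the RFC; real seeds come from os.urandom().
RFC6238_SECRET = b"12345678901234567890"
_SALT = b"constructed-per-user-salt"      # real code: random per-user salt stored with the hash


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Something the user knows: store a PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


ADMINS = {
    "cde-admin": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": RFC6238_SECRET,   # something the user has: seed held in the admin's token/app
    }
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the widely deployed default."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or its immediate neighbours (clock skew), compared in constant time."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
               for k in range(-window, window + 1))


def authenticate_admin(username: str, password: str, otp_code: str, now=None,
                       from_trusted_network: bool = False) -> bool:
    """Gate for administrative access to the CDE as PCI DSS 3.2 requires it: both factors, always."""
    now = int(time.time()) if now is None else now
    rec = ADMINS.get(username)
    if rec is None:
        hash_password(password, _SALT)   # spend the same time so unknown users cannot be enumerated
        return False
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
    otp_ok = verify_totp(rec["totp_secret"], otp_code, now)
    # from_trusted_network is deliberately not consulted: under 3.2 being inside a trusted
    # network no longer exempts an administrator from the second factor.
    return pw_ok and otp_ok


if __name__ == "__main__":
    code = totp(RFC6238_SECRET, 59)                     # RFC 6238 table gives 94287082 -> "287082"
    print("code at t=59:", code)
    print("password + code:", authenticate_admin("cde-admin", "correct horse battery staple", code, now=59))
    print("password only, trusted network:",
          authenticate_admin("cde-admin", "correct horse battery staple", "", now=59, from_trusted_network=True))
```

Two details are worth keeping when adapting this: the OTP check runs even when the password is wrong, so a failed login leaks nothing about which factor failed, and the skew window is one step each way, which is as generous as a deployment should be, since each extra step doubles an attacker's guessing odds against a six-digit code.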

The update also will include several new requirements for service providers, the individuals or companies that help merchants set up and maintain card-accepting systems. Third parties often do poor work regarding data security and have been the sources of numerous data breaches.


After Years of Retreat, Payments Fraud Has Come Roaring Back, AFP Survey Shows

For years, the wave of fraud receded like an outgoing tide for companies that accepted electronic payments from consumers and other businesses. But last year, a tidal wave crashed on shore.

Fully 73% of companies reported they had suffered actual or attempted payments fraud in 2015, up 11 percentage points from 2014 and 13 points from 2013, according to the latest annual survey released Tuesday by the Association for Financial Professionals Inc.

As it does every year, the Bethesda, Md.-based AFP surveyed its members on their experience with fraud via checks, cards, wire transfers, automated clearing house transfers, and other payment methods. This year, the January survey yielded 627 responses from members across a wide range of industries and company sizes.

Between 2009 and 2013, the actual and attempted fraud rate slid from 73% of reporting members to 60%, then ticked up in 2014. The results for 2015, with fraud back at 2009 levels, show that uptick was an ominous sign. “We’ve seen a trend break here,” Magnus Carlsson, the AFP’s manager for treasury and payments, tells Digital Transactions News. “I think [our members] are surprised to see such a large increase in one year. That is a big surprise.”

Even the AFP report itself is blunt about the matter. “In last year’s 2015 AFP Payments Fraud and Control Survey Report [documenting 2014], we noted that the downward trend of payments fraud reversed, although by just a few percentage points. The situation has since deteriorated further,” says the report.

Still, while fraud rates took off, actual dollar losses remain muted. A solid majority—72%—of companies that sustained fraud exposure reported no actual losses at all, while another 14% reported actual losses totaling less than $25,000. In contrast to fraud exposure, “actual losses are quite different,” says Carlsson. Similarly, 49% reported no costs to manage, defend against, or clean up after actual or attempted fraud, while another 35% spent less than $25,000.

The study also found fewer organizations reporting an expected impact from the move to EMV chip cards, as indicated by investment in software, hardware, and training, as well as fraud losses after the liability shift. That shift took place in October and placed responsibility for counterfeit card losses on the shoulders of merchants that couldn’t accept EMV cards. In the 2013 survey, just 11% reported they expected “no impact,” but by January, three months after the shift, that number had risen to 35%.

Delays in getting hardware and software certified for EMV, which have frustrated many merchants and have already led to a federal class-action suit, are a separate matter. “Obviously, that’s an issue,” notes Carlsson. “I can understand the frustration.”

While checks remain the payment method most targeted by criminals, it’s fraudulent wire transfers fueled by an explosion in highly sophisticated phishing attacks that have spiraled upward in recent years, according to the report. In 2009, just 3% of companies that had experienced actual or attempted fraud reported they had been hit by wire fraud. Last year, that rate was 48%, leaving fraudulent wires ahead of fraud on corporate and commercial credit and debit cards (39%). The check-fraud rate, meanwhile, was 71% in 2015, but that’s actually down from the high of 93% in 2010.

Actual and attempted fraud on ACH credits (11%) and debits (25%) remain low and stable relative to the other payment methods surveyed.

The AFP membership comprises corporate finance executives worldwide.

New Visa Security Requirements Aim To Reduce Small Merchants’ Data Breaches

Visa Inc. has announced new data-security requirements for small merchants, one of which says that beginning Jan. 31, 2017, merchant acquirers must annually validate compliance by their so-called Level 4 merchants with the Payment Card Industry data security standard.

Other new Visa requirements involve qualified integrators and resellers, or QIRs. These are entities that install business-management software, or integrate such applications, for use with point-of-sale terminals and payment applications. Effective next March 16, newly boarded Level 4 merchants may only use QIRs that are certified by the PCI Security Standards Council, the body that oversees the PCI DSS and its related standards, to install POS terminals and software. Effective Jan. 31, 2017, the QIR requirement will apply to all Level 4 merchants.

The new requirements are listed in an Oct. 29 Visa security bulletin. Visa did not make a spokesperson available to comment on the bulletin, but the company indicated that one of the deadlines might be delayed in early 2016.

“Using QIR companies provides small merchants some protection against a common vulnerability exploited by criminals,” the bulletin says. “However, this alone will not prevent small-merchant compromises. As such, Visa is expanding its PCI DSS validation program to include Level 4 merchants. Effective 31 January 2017, acquirers must ensure their Level 4 merchants validate full PCI DSS compliance annually.”

Visa is trying to fill two well-known security holes in card payments. Level 4 merchants, the smallest among the four tiers by which Visa ranks merchants, are businesses that process up to 1 million Visa transactions annually, or fewer than 20,000 Visa e-commerce transactions. Level 4 merchants represent more than 90% of the 5-million-plus card-accepting merchants in the U.S., and they also account for a lot of data breaches—some 94% of the compromises Visa tracked in 2015, according to an October Visa presentation for small merchants. Unlike breaches involving big, Level 1 merchants such as Target Corp. or The Home Depot Inc., breaches at Level 4 businesses are small in scale and rarely make headlines, but collectively they present a security headache for the card networks, acquirers and issuers.

All card-accepting merchants must comply with the PCI rules, but only big and medium-sized ones currently must validate their PCI compliance through annual tests and probes that can be complicated and expensive. With Level 4 merchants, Visa requires PCI compliance but leaves actual validation up to the acquirer. The network says acquirers must attest to their Level 4 merchants’ PCI compliance and recommends merchants complete a self-assessment questionnaire.

The bulletin notes that acquirers can avoid the new annual validation requirement if they participate in Visa’s incentive program to grow EMV chip card payments. Dubbed the Technology Innovation Program, or TIP, the program says a merchant does not need annual PCI validation if it submits 75% of its Visa transactions through EMV terminals, and does not store sensitive cardholder data after transaction authorizations.

Visa has never publicly stated small merchants’ PCI compliance rates, usually terming them as “moderate,” but the trade group the Merchant Acquirers’ Committee has estimated it at 39%.

At the same time, because of their lack of technical expertise, many small merchants rely on tech providers to protect their POS terminals and back-office networks. These providers sometimes do slipshod work, setting up payment systems with easily guessed default passwords and other vulnerabilities. But many such companies, including value-added resellers (VARs) and integrated software vendors (ISVs), are coming into the payments realm because merchants increasingly want POS applications that do much more than simply process card transactions.

Visa and the PCI Council are offering an incentive for VARs and ISVs to become PCI Council-endorsed QIRs. Companies that enroll in a Visa QIR training program by year’s end can receive a discounted price of $197.97 per person, the bulletin says. The standard price wasn’t listed.

While the new PCI validation requirement could affect millions of merchants, Dallas-based payment-security consultant Branden R. Williams doesn’t see Visa’s changes as radical.

“I see this as more of a nudge than a massive policy shift,” Williams tells Digital Transactions News by email. “Visa—and the other payment brands—have always said that Level 4 merchants must be compliant but were only recommended to validate. I see this impacting acquirers who have not built merchant-compliance programs more than those who have. In this case, the nudge from Visa may be to push acquirers and merchants into products and services that qualify for the Technology Innovation Program.”

Buy Buttons Have Some Traps for Retailers

Buy buttons are shaping up to be the next battleground in tech-driven retail, and retailers are gearing up to take the field on social media sites like Twitter, Pinterest and others. But the new payments technology presents challenges that retailers must consider.

It’s a shift that threatens to upend retail, which, until recently, viewed social media platforms largely as a way to promote products online or to give customers a way to share reviews and seek help with product issues. In the traditional social media retail model, sites like Pinterest and Twitter served as a way to build product awareness and direct potential customers to the retailer’s main site to complete a purchase.

“Buy buttons” are clickable buttons that can be integrated into a social media site to allow visitors to purchase a product without leaving the platform.

It makes sense that the next retail revolution will take place on social media, which is generating an increasingly large share of ecommerce revenue overall. According to an Internet Retailer report, the 500 top retailers generated well over $3 billion in revenue from social media shopping in 2014, a 26% increase over the previous year’s total.

Buy buttons give social media platform users greater purchasing power than ever before. Instead of having to leave one site to visit another to find and purchase a product seen on social media, users can buy products directly via the social media platform. Buy buttons take much of the friction out of the purchasing process, but they present new challenges for retailers:

Less incidental product exposure. Buy buttons are an impulse buyer’s dream, but there’s a downside for retailers: by eliminating the need for the customer to visit the retail site, they mean fewer customers will view the retailer’s other listed products.

Social media platform fees. Retailers who pursue a buy button strategy will incur fees for making it easy for shoppers to instantly purchase their wares. It will be necessary to analyze that aspect of campaigns to determine true ROI.

Managing payments and inventory. It’s necessary to integrate inventory and product information into social platforms since purchases made using buy buttons are typically completed through a separate process than payments made via the retail site.

Updates between retailers and social media platforms. Retailers and social media platforms will have to regularly and consistently update each other when product information changes. Alternatively, they can use a product content management system to streamline the process.

New testing needs. As a brand-new channel, each social media platform will require retailer testing to ensure the retailer is reaching the right audience. Platforms have different audiences, so it may take time to find the right showcase for specific products.

Need to tread lightly to preserve brand integrity. While social media audiences can appreciate the right appeals, buy buttons can also be interpreted as an interruption of the user experience, so it’s important to make sure content and ads are relevant and aligned.

Buy buttons have much promise as a retail channel, but retailers should proceed with caution and make sure they address each of these challenges to ensure a smooth transition. It’s also important to recognize that while social media is an excellent way to inform and influence customers by facilitating information sharing, its primary purpose is not to persuade users to make a purchase now.

For that reason, it’s crucial for retailers to manage their own expectations about ROI from buy button campaigns. Those who do so successfully can gain a powerful competitive edge in the next retail revolution.