Archive for February, 2011

Recently, Chris Mark, EVP of Data Security and Compliance, and Dr. Heather Mark, PhD, SVP Market Strategy, spoke with several members of the press about ProPay’s Zumogo app. Below are articles relating to the discussions.

PaymentsSource: “ProPay Social-Media Tool Keeps Card Data Out Of Phones”

http://www.paymentssource.com/news/propay-social-media-payment-keeps-data-out-phones-3004983-1.html

The Paypers: “ProPay rolls out Zumogo m-payment platform”

http://www.thepaypers.com/news/mobile-payments/propay-rolls-out-zumogo-m-payment-platform/743244-16

Digital Transactions: “ProPay Launches a Mobile App That Does What NFC Does, Only at a Little More Distance”

http://www.digitaltransactions.net/news/story/2912

I received a call a few minutes ago from Colleen, who represents NACHA. She was very pleasant and pointed out that the article which I referenced in my blog post had some critical mistakes, omissions, and errors. She asked that I listen closely to the audio recording and, if appropriate, change the post. Having been on the receiving end of interviews in which I was misquoted, I can understand the frustration. It is a lesson for me and others to NOT rely on an article without closely comparing the facts and comments to the actual audio recording.

In the article it was written that Ms. Estep claimed that ACH account fraud represented 8% of total transactions. It was this, and a few other select quotes, that formed the basis of my opinion.

After listening to the audio more closely, I did NOT hear Ms. Estep say anything related to 8% fraud. Where this came from is anyone’s guess. Several of the quotes attributed to Ms. Estep were clearly taken out of context or flat wrong. I am going to dissect the audio over the next day and provide a very accurate post on what was and was not said, as well as the context in which it was said.

I applaud NACHA for taking a personal interest in correcting this and will update this blog in short order. 

In the interview, NACHA’s CEO, Jan Estep, states: “ACH fraud is not so much of a problem,” and then goes on to articulate that “The number of compromises and losses are relatively low, when compared with the number of dollars and transactions that go over the ACH annually.” NACHA has found that “corporate account takeover fraud perpetrated via ACH or wire transfer accounts for only 8% of all transactions.” (emphasis added)

What is troubling about this particular interview is the fact that it appears acceptable, and simply a part of business, to accept that 8% of all transactions will be fraudulent. The article suggests that the problem is much less than that of credit or debit card transactions.

While this may or may not be true, there is a fundamental difference. Liability is limited on payment card transactions. The Federal government limits liability to $50, while the major card brands have zero liability. This means that if someone steals your credit card and fraudulently makes a purchase, then you are limited to $50 liability and in most cases will have no liability. Due to extensive travelling as a consultant, I have been the victim of credit card fraud several times. I have never had to pay a single dime.

ACH fraud occurs through account takeover. This means that the person is able to authenticate to the bank or system and initiate an ACH transaction. Because the criminal is able to authenticate as you or your company, it is very difficult to prove that it was not a legitimate transaction. Furthermore, often the only recourse is to try to sue to recover your money. Criminals, while operating illegally, are not stupid. They use mules to transfer the money. The chance of recovering money from an ACH takeover is slim to none in the vast majority of cases. While it may be true that ACH fraud occurs less relative to credit and debit card fraud, the impact to the victim is disproportionately greater.

Regarding the 8% number: imagine a car company that stated that only 8% of the time the brakes failed on their newest model, and justified it by saying that it is better than bicycles, whose brakes fail more often. Imagine if your bank stated that they are only robbed 8% of the days they are open, but that this number is less than the hairdresser that is robbed more often. It is difficult to justify an 8% failure rate as acceptable where there is such a profound impact to the victim.

The interview provides some guidance for preventing ACH fraud. According to Estep: “Keeping the computer secure is really the key.” It is at this point that, as a security professional, I must disagree with her position. The end point “computer” can never really be considered “secure”. Operating under the assumption that the computer will not be secure, it is incumbent upon the businesses which support ACH transactions to require more robust authentication. Multi-factor authentication and out-of-band authentication will go a long way toward preventing account takeover.

In 2009, anticipating a rise in ACH fraud, ProPay developed a tokenization solution specifically for ACH. Companies are able to initiate ACH transactions without requiring the sensitive data to be stored. When coupled with robust authentication, this provides greater security than traditional methods of ACH.
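The two controls this post argues for, a tokenization vault so the originating system never holds the bank account number, and an out-of-band second factor so a password lifted from a compromised endpoint is not enough on its own, can be sketched together. The following is an added example written for this page; it is not ProPay’s ProtectPay system or any product’s code. Every class name, the `ach_` token format, the six-digit code scheme and the sample routing/account numbers are assumptions constructed for the illustration.

```python
"""Added illustration: ACH tokenization plus an out-of-band second factor.

Example code for this page, not ProPay's or any product's implementation.
All names, the token format and the 6-digit code scheme are assumed.
"""
import hashlib
import hmac
import secrets


class TokenVault:
    """Holds the real routing/account numbers. Only this component sees them;
    every other system handles an opaque token instead."""

    def __init__(self):
        self._accounts = {}  # token -> (routing_number, account_number)

    def tokenize(self, routing_number, account_number):
        token = "ach_" + secrets.token_urlsafe(16)  # random, not derived from the data
        self._accounts[token] = (routing_number, account_number)
        return token

    def resolve(self, token):
        return self._accounts[token]


class OutOfBandAuthenticator:
    """Simulates a single-use code delivered on a separate channel (e.g. a phone).
    send_code() returns the code in place of actually delivering it."""

    def __init__(self):
        self._pending = {}  # user -> code awaiting use

    def send_code(self, user):
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[user] = code
        return code

    def verify(self, user, code):
        expected = self._pending.pop(user, None)  # consumed on first check: no replay
        return expected is not None and hmac.compare_digest(code, expected)


class AchOriginator:
    """Merchant-side system that initiates debits. It stores salted password
    hashes and vault tokens only, never account numbers."""

    def __init__(self, vault, oob):
        self.vault, self.oob = vault, oob
        self._credentials = {}  # user -> (salt, pbkdf2 hash)
        self._tokens = {}       # user -> vault token
        self.ledger = []

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, routing_number, account_number):
        salt = secrets.token_bytes(16)
        self._credentials[user] = (salt, self._hash(password, salt))
        self._tokens[user] = self.vault.tokenize(routing_number, account_number)
        return self._tokens[user]

    def stored_record(self, user):
        """What someone reading this system's database would obtain."""
        return self._tokens[user]

    def initiate_debit(self, user, password, oob_code, amount_cents):
        salt, expected = self._credentials[user]
        if not hmac.compare_digest(self._hash(password, salt), expected):
            raise PermissionError("bad password")
        if not self.oob.verify(user, oob_code):
            raise PermissionError("bad or reused out-of-band code")
        routing, account = self.vault.resolve(self._tokens[user])
        entry = {"user": user, "amount_cents": amount_cents,
                 "routing": routing, "account_last4": account[-4:]}
        self.ledger.append(entry)
        return entry


def demo():
    """Constructed scenario: a password-only attempt, a legitimate debit, and a
    replay of the used code. Returns the outcome of each."""
    vault, oob = TokenVault(), OutOfBandAuthenticator()
    originator = AchOriginator(vault, oob)
    # Sample routing/account numbers are constructed for the example.
    token = originator.register("acme-corp", "correct horse", "021000021", "123456789")
    outcomes = {"token": token, "db_record": originator.stored_record("acme-corp")}
    try:  # keylogged password, but no access to the out-of-band channel
        originator.initiate_debit("acme-corp", "correct horse", "000000", 50_000)
        outcomes["stolen_password_only"] = "accepted"
    except PermissionError:
        outcomes["stolen_password_only"] = "rejected"
    code = oob.send_code("acme-corp")  # legitimate user receives the code
    outcomes["legitimate"] = originator.initiate_debit(
        "acme-corp", "correct horse", code, 50_000)["account_last4"]
    try:  # the same code presented again
        originator.initiate_debit("acme-corp", "correct horse", code, 50_000)
        outcomes["replay"] = "accepted"
    except PermissionError:
        outcomes["replay"] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the merchant database holding only an `ach_…` token, the password-only attempt and the replayed code both rejected, and the single legitimate debit recorded with the last four digits only. The point carries over to the “data replacement technologies” mentioned later on this page: the value that would be worth stealing is never present in the system an attacker is most likely to reach.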

Chris Mark, EVP; Data Security & Compliance

I was reading an article today where the author espoused a number of theories and ideas about mobile security. As I was reading, it became glaringly obvious that the information was not simply incorrect, but that much of it could be considered dangerous. It further underscores the importance of choosing where to find expertise. Some of the interesting ideas promoted by this article:

“Your payment data should solely be stored on your phone and not in someone else’s database with tens of thousands of other credit card numbers. It’s hard to steal from someone if there’s no money in the safe. This is the only thing that truly deters hackers from going after a big score.”

The author of the article appears to be suggesting that your money is better held in your wallet than in a bank. First, it should be noted that the Federal government limits personal liability for unauthorized charges on cards to $50, and the major card brands all have zero liability protection. Second, the data is stored in processors, gateways and other databases anyhow. To suggest that the best option is to keep sensitive payment data on a smart phone is questionable at best. Tokenization and other data replacement technologies have proven their value in the industry. Another comment that raised some eyebrows:

“For consumers, you can usually find out where data is being stored by perusing a website carefully or reading well-researched articles and reviews. Journalists are doing a better and better job of ferreting out where your data lives, and how it is being passed around.”

It should be noted that consumers face an almost impossible feat in finding everywhere their credit card data is being stored. In the US alone there are 255 acquirers supporting about 6 million merchants. Supporting these are several hundred processors and gateways. It is likely that payment card data is stored in many of these locations. There is no way to ‘scrub’ the data from these locations and no way to truly know whether it is there. Importantly, card data theft is NOT identity theft, and there is no personal liability for your data on these systems.

Finally, on the advice: there is a statement that encourages users to ensure that their credit card information is “Always encrypted when it is sent to the POS system, where the transaction is taking place.” It is required by all card brands and the PCI DSS that data transmitted over public, or open, networks be encrypted. To propose that a user should ‘ensure it is always encrypted’ suggests that other vendors are sending data in the clear, which would violate numerous regulations and some state and federal laws. The article then finishes by saying: “…where the transaction is taking place.” Anyone with a basic understanding of payment processing understands that the transaction does not ‘take place’ at the Point of Sale system. The POS sends the transaction data (including authentication data) to the processor (often through the gateway), and the processor either forwards the data or (acting on an issuer’s behalf) receives the authorization, which is then sent back to the merchant. Clearing and settlement take place in separate steps. The point is that the data is still transmitted from the POS into the third parties that the article intimates should not be trusted.

This post is not intended to poke holes in any particular solution, but rather to illustrate the issues with well-intentioned but incorrect advice. For anyone evaluating a mobile solution (or any other solution), it is recommended that research be conducted and experts be consulted. A misstep in security can have far-reaching implications.

Chris Mark, EVP- Data Security & Compliance

-ProPay’s Social M-Payment Application Allows Consumers to Make Payment through Smartphones-

Lehi, Utah – Feb 2, 2011 – ProPay (www.propay.com), an industry leader in Merchant Services, End-to-End Payment Security, credit card processing, and electronic payment services, is pleased to announce the debut of its new social mobile payment (m-payment) platform, provisionally named Zumogo™ in its initial release during the 2011 Sundance Film Festival®. It is a mobile payment application that facilitates payments and bi-directional communication between merchants and their consumers, allowing customers and businesses to connect in a powerful new way. With Zumogo (pronounced “Zoo-MOE-Go”), businesses can efficiently market to new and existing customers and improve operating efficiencies, while customers can communicate with and make payments to businesses — all through their Smartphone. Both groups can benefit from the efficiency and security of the application. Importantly, no sensitive payment data is stored on the customer’s Smartphone or in the merchants’ systems, as Zumogo is designed to deliver state-of-the-art security.

“The mobile payment movement is definitely in full gear and ProPay is excited to be at the forefront,” said Chris Mark, Executive Vice President of Emerging Markets at ProPay.  “Not only does Zumogo allow consumers to connect with and pay merchants in an entirely new way, it does so in a manner that protects the sensitive payment data.  Zumogo combines data security with the flexibility of mobile payment options, and the connectedness of social media, giving merchants and consumers the best aspects of each.”

The application provides significant benefits to both consumers and businesses. Consumers no longer need to carry all of their payment cards with them to make a payment. They can locate nearby Zumogo merchants, and even announce themselves to the merchant and ask questions via Zumogo’s chat function. Businesses can more efficiently service their customers while developing a deeper relationship with them. In addition, Zumogo can enable businesses to expedite the payment and checkout processes, allowing them to serve their customers more efficiently.

Sundance attendee Angela Edwards was excited about Zumogo at Sundance: “I love ProPay’s Zumogo!  I used it to find a great promotion, to let our server know we had arrived, to order our meals, and to pay the bill securely – all through my iPhone!  Even our server was excited about it.”

Regardless of the environment or use case, no sensitive data is exchanged between the merchant and the consumer. The absence of sensitive payment data provides customers peace of mind and may even allow businesses to realize cost savings associated with industry and regulatory compliance programs. Whether Zumogo is integrated into an eCommerce, call center or any other payment environment, it mitigates the risks traditionally associated with storing, processing, or transmitting sensitive payment data – no data is stored either on the mobile device or in the merchant environment. Zumogo leverages ProPay’s PCI DSS-compliant ProtectPay® system, which combines end-to-end encryption and tokenization to secure payment data.

According to Gary Goodrich, ProPay’s Chief Executive Officer, “Our new social m-payment platform demonstrates our commitment to leading the industry in both innovation and in the protection of consumer data.  The addition of this mobile payment application to our existing product suite is a natural evolution of our secure payment services, and we’re excited to introduce it to our merchants.”

ProPay introduced Zumogo at select merchants during the Sundance Film Festival in Park City, UT.  The participating merchants include a variety of highly regarded restaurants and pubs.  Zumogo is currently available on the Android Market and the iPhone® App Store.  It will come to the Windows® Phone 7 platform by the end of the first quarter 2011.

About ProPay

Since 1997, ProPay has provided simple, secure, and affordable payment solutions for organizations ranging from the small, home-based entrepreneur to multi-billion-dollar enterprises. ProPay is a leading provider of complete End-to-End Payment Security solutions that reduce, and may even eliminate, the organization’s risk of having sensitive payment data compromised. ProPay is the recipient of the prestigious 2010 ETA ISO of the Year award. ProPay is a 14-year-old, privately held company, headquartered in Lehi, Utah. For information, visit www.propay.com. For more information about Zumogo, please visit www.zumogo.com.

Android is a trademark of Google, Inc.  Use of this trademark is subject to Google Permissions. iPhone is a registered trademark of Apple Inc. Windows is a registered trademark of the Microsoft Corporation in the United States and other countries.  Sundance Film Festival is a trademark owned by Sundance Enterprises, Inc.

###

PR Contacts

Heather Mark, PhD

ProPay, Inc.

zumogo@propay.com

(801) 341-5563