Archive for June, 2011

Last week, I had the privilege of attending NACHA’s Internet Council Meeting in Salt Lake City.  Its focus this year was the rapidly growing mobile payments market.  Speakers covered a wide variety of topics, from the Obama Administration’s National Strategy for Trusted Identity in Cyberspace (NSTIC) to the range of technologies available to meet the mobile demand.  The voices there represented stakeholders from all aspects of the industry.  Financial institutions presented their perspective on the evolving role of banks and credit unions in mobile payments.  Device manufacturers reassured attendees about the security of payment data in the “secure element,” while merchants posed questions about the ubiquity of mobile payment technology.  Which method would come out on top and how could a merchant “time the market?”

The mobile payments market is still in a very nascent stage.  Merchants are right to be skeptical to some extent.  Every solution vendor is trumpeting their answer to the mobile question.  How is a merchant to make the right decision?  The answer is: introspection.  “Me, too” is not, and likely never will be, a successful mobile strategy.  Determining the right solution requires that merchants understand their business, their target customers, and their overall objectives for growing the business.  The mobile solution needs to make sense for the business as a whole.

The larger question revolves around the consumer experience.  The mobile payment method should provide the consumer with a robust experience and enough “value-add” to keep them in the application.  It must provide significant advantage over traditional payment methods.  Compare the traditional cardswipe method to the mobile application.  To swipe a card, I simply need to pull a card out of my purse or wallet and run it through the terminal.  To use a mobile application, I have to get my Smartphone, unlock my screen by entering my passcode, pull up the application, authenticate to the application, initiate the payment and then authorize the payment by entering another code.  As a consumer, it seems much less convenient to use the mobile application – unless there is something that will keep me going back to the application like special offers, discounts, or loyalty programs.

Similarly, the solution should provide significant value-add to the merchant.  Many of the mobile solutions coming to the market now are simply methods of pushing transactions through the merchant.  In the meantime, the merchant may be required to upgrade equipment or systems in order to facilitate these transactions.  It does not add anything of value to the merchant, either in terms of operational efficiency or new marketing or communications opportunities.  A successful mobile solution will have to provide real value-add to both sides of the equation – both merchant and consumer.

Most likely, the mobile payment solution that rises to the top will be the result of partnering.  An environment of co-opetition will likely prevail, as the common wisdom in the industry is that no one solution will be able to meet the needs of every merchant and every consumer.  The next 12-18 months will likely be very active in the mobile payment space and the landscape that we see today will be very different from that of tomorrow.

Dr. Heather Mark, PhD; SVP Market Strategy

It is an interesting experience to search the term “data breach” on Google News, then scroll through the first five pages or so.  The number of well-known, well-funded entities reporting data breaches, even at a daily rate, is an impressive sight.  Cyber attacks are quickly earning the status of “all but inevitable” and business owners and other holders of personal data should ensure they are prepared to handle the consequences of such an attack.

One such consequence is the breached party’s responsibility for data breach notification. Forty-six states have adopted breach notification laws that govern an entity’s actions subsequent to a compromise of sensitive personal information.  Achieving compliance with the multitude of states’ data breach notification laws is a bit like arriving on the scene of an accident where dozens of victims require first aid but each has his or her own unique language, accepts help subject to an individual timetable, and requires an exceptional set of measures.  It is a complex process. 

In light of the difficulty in deciphering and complying with the multitude of laws, entities concerned with compliance should consider the following steps:

(1)  Develop a Data Breach Notification Plan.  Effective data breach notification plans will dictate internal team members’ responsibilities, contain model notices, and outline when, and under what circumstances, to notify law enforcement, regulators, and customers, since the timing of when customers in a given state should be notified is critical.

(2)  Know State Law Requirements.  Breached entities must be aware of the customer notice requirements on a state-by-state basis, including when and under what circumstances notice to those customers might be required, and whether less costly substitute notice is available.  Consider outsourcing this expertise as the sheer volume of statutes and annual changes in this arena requires almost full-time vigilance.

(3)  Create a Remediation Plan.  An entity’s response to a data breach is extremely important, both from an internal repair perspective, and external, public and customer relations perspectives.  It is advisable to create relationships with forensics, security, public relations, and legal experts in advance of a cyber attack and include those experts in the planning process.

(4)  Stay Current on Pending Federal Legislation.  Bills have been introduced in both the House and Senate over the past several years in an attempt to nationalize and bring some unification to the patchwork of states’ breach notification laws.  At least three have been introduced this session, along with a proposal from the White House.  A federal data breach law would likely preempt state laws and address some of the headaches associated with data breach notification, although consensus on the level of preemption and other issues, like the timing of notification, have so far made passage into law a difficult proposition.  Nevertheless, if such legislation passes, and some experts believe this will be the year, entities subject to breach notification laws should be prepared to adjust their plan and notification requirements accordingly.

Ever since credit cards began to be widely used by the general public in the 1950s, people have begun to increasingly prefer their use for day-to-day commerce due to the added security, convenience, benefits, and ease of use.  These days, very few people actually carry a significant amount of cash on their person; even fewer people seem to carry their checkbooks.  This trend makes it virtually impossible for small businesses to stay competitive among prospective clients unless they can cater to their payment preferences – namely, by accepting card payments.  Fortunately for merchants and business owners, the payment services industry is one of the most competitive, and such competition yields innovations in security, technology, and convenience at a stunning rate – to say nothing of increasing affordability for small businesses.  Most businesses can attest to the fact that if they fail to enable their customers to pay in convenient and easy ways, sales ultimately suffer.  Consider the following scenario:

A customer walks up to a booth at a trade show and expresses an interest in a product being sold there.  The salesman explains the features and pricing of the item and the customer pulls a debit card out of their wallet.  The salesman, unequipped to process the card, politely explains that there is an ATM across the street.  The customer leaves for the ATM.  By the time they come back, they have decided that they don’t actually need the item right now, or perhaps they are running late for a seminar and plan to come back later – and just never get around to it.  For some reason, it’s harder to part with a handful of cash than it is to swipe a card.  At any rate, the short-sighted salesman loses customers because he was not able to immediately process payments through a variety of means. 

Just as online shopping cart abandonment can be as high as 25% – 50%, merchants at trade shows and mobile venues who fail to accommodate the preferred payment methods of their customers can expect similar results in lost sales.

On the other hand, those who accommodate their customers with easy, fast, and secure payment options can count on substantially increased sales, which can vastly outweigh the cost of making those payment options available.

-Stephen Taylor, Sales Representative

One of my favorite things about the Payments industry is the pace of innovation.  Five years ago, when the Payment Card Industry Data Security Standard became mandatory, the industry buzzed with ingenious new ways to secure cardholder data.  Today, terms like “end-to-end encryption,” “tokenization,” and “encrypted at the swipe” are commonplace.  In fact, those technologies are now more often the rule than they are the exception.  Today, the industry is abuzz with a new phenomenon, the mobile payment platform.  Again, it is startling to see how quickly companies can develop both hardware and software to meet the clamoring demands for mobile methods.  Here is a brief discussion of those methods.

Near Field Communications (NFC) – In NFC technologies payment data is stored on a chip or device in the consumer’s phone.  When a purchase is to be made, the phone or other NFC-enabled device is “waved” near special equipment on the merchant side.  The purchase is approved and the consumer can walk out.

The benefits of such a solution are its speed and ease of use.  The consumer is required to do no more than wave the device near the merchant’s specialized POS.  For small purchases, the convenience is difficult to beat.  The challenges include the limits on the size of the purchase, its storage of data within the NFC device, and the requirement for the merchant to purchase special equipment to accept those payments.  With more and more providers offering NFC, the prices for the merchant-side equipment are beginning to fall, but merchants have been reluctant to adopt this technology as it does require a purchase of equipment.

Text/SMS – Also referred to as carrier billing, Text/SMS payments are particularly popular for merchants of digital goods, such as games, music, and ring tones.  The carrier billing model is growing increasingly popular in the realm of digital sales and Peer to Peer (P2P) payments.  In this model, a payment authorization is transmitted via text message and the amount of the payment is charged to the user’s mobile phone bill.  This method proves effective in high-volume, low ticket sales, such as P2P or digital goods.

Application-Based Payments – With the rapid adoption of Smartphone technology, these types of solutions are likely to become more prevalent. In this model, the user downloads the payment application and enters their preferred payment methods.  The secure storage of this data is fertile ground for debate, as there are proponents of storing the data on the phone itself, and others that prefer the data securely stored with the application’s provider in an encrypted or tokenized form to reduce the likelihood of misappropriation of data.  The application based model provides significant opportunities for value-add functionality, such as coupons or reservations.

In addition to these technologies, the eWallet, or at least the term, has become ubiquitous.  The eWallet allows users to link their payment cards to an application or device (usually an NFC chip) in order to facilitate payment.  Many companies are pursuing mobile payments through the adoption of the eWallet.

The next 12-18 months will be interesting in that the market will likely settle on a preferred model.  Of particular note is the very real possibility that the model that emerges will be a combination of those technologies discussed previously, or even one that has yet to be introduced.

Dr. Heather Mark, PhD;  SVP Market Strategy

Preventing fraud is a constant challenge for banks, merchants, and consumers.  This battle can be a complex one as the fraud schemes become more and more sophisticated. There are, however, a few simple fraud prevention tools and steps that can prevent and/or identify fraudulent or high risk transactions. The average consumer may be unaware that these checks are in place and used regularly by their financial institutions. The following list outlines a few of the most effective fraud prevention tools:

Address Verification Service (AVS) - Allows merchants to check the cardholder’s billing address. AVS provides merchants with a key indicator that helps verify whether or not a transaction is valid.

Card Verification/Validation 2 (CVV2/CVC2) - A three-digit number imprinted on the back of a credit card to help validate that the customer has a genuine card in his/her possession and that the card account is legitimate.

Verified by Visa and MasterCard Secure Code - These are online, real-time services that allow merchants to validate that a cardholder is the owner of a specific account number. Each cardholder creates a unique password at the time of registration. Once the card is activated by this service, the card number will be recognized whenever a consumer purchases at participating stores. The unique password is required to complete the transaction.

There are other more sophisticated fraud prevention measures such as transaction velocity monitoring, IP geo-location, and website reviews that will be discussed in more detail in an upcoming blog post. ProPay utilizes all of these tools and more in our fraud prevention measures.