Entries tagged with “heather mark”.


Industry pundits have been anxiously declaring the “Year of NFC” for the past several years. Near Field Communication (NFC) was supposed to revolutionize the way customers interact with the point of sale. Various beneficial consequences of NFC adoption have been touted - everything from security to efficiency and just about everything in between.  Large companies have put a tremendous amount of resources behind igniting NFC platforms.  So much emphasis was placed on the likely success of NFC that three wireless giants formed a joint venture, ISIS, dedicated to the prospect.  However, NFC has so far failed to take off as expected.  In fact, at least one company recently jettisoned its NFC plans after tests revealed that “NFC is actually a step backward” in the Point of Sale (POS) experience. While plans remain to work with NFC technology in some capacity, the company has stated that it doesn’t fit with its POS strategy.  So what does this mean for NFC?

First, it should be noted that a number of companies remain devoted to the notion that NFC will enjoy mainstream adoption in one capacity or another in the near future.  The card brands and other companies are still experimenting with NFC technology in a variety of capacities.  That means that we’re going to continue hearing about the Year of NFC for some time yet.

Secondly, it should also be noted that the emphasis in payments now, particularly with mobile technology, is moving away from the traditional POS.  Mobile technologies should allow merchants greater freedoms.  NFC, by nature, requires customers to go to the checkout counter in order to make a purchase, so while it’s a mobile technology in that it’s deployed on a smartphone, it is not mobile in allowing merchants to accept payments in a mobile fashion.  Nor does it free customers from having to stand in line at a terminal in order to make a payment.

When examining mobile solutions, merchants are well-served to ask some questions of themselves before selecting a vendor.  First, merchants should have a sound understanding of what their mobile strategy is.  If the merchant has a high-volume, low-price business, like a convenience store, then NFC may be a good option. However, many small merchants are looking for mobile solutions that will free them from the check-out counter.  So, if a merchant is looking for a truly mobile solution, what are the options?

Text – Short Message Service (SMS) is a system for sending short text messages between mobile devices.  Text or SMS payment solutions are growing increasingly popular in the realm of digital sales and Peer to Peer (P2P) payments.  In this model, a payment authorization is transmitted via text message and the amount of the payment is charged to the user’s mobile phone bill.  This method proves effective in high-volume, low-ticket sales, such as P2P or digital goods.  However, there are still some points of concern for merchants, not the least of which is “When does the merchant get paid?”  Customers, too, may have questions.  When using a payment card, there are fraud and theft protections.  If the card is stolen or used for a fraudulent transaction, the customer is not held liable.  Similar regimes do not necessarily exist in this model.

Portable Card Swipe Device – The most prevalent form of mobile payment to date is, not surprisingly, the portable card swipe device (See ProPay’s JAK).  The reason it is so prevalent is that it offers mobility without requiring a significant change in behavior from either the merchant or the consumer.  The action of paying is almost exactly the same as it would be “in store.”  The caveat to this type of solution is that merchants should ensure that the product they are using is what is called an “encrypted swipe” device.  Using an encrypted swipe device ensures that the payment data is protected before it even gets to the phone – it is encrypted by the magnetic head that reads the card data.  If the merchant loses the phone, or if a “hacker” breaches the payment application on the phone, no card data would be available to them.

Application Based – The application-based mobile payment has not been as prevalent in the mobile payment movement as the previously discussed methods.  With the rapid adoption of smartphone technology, though, these types of solutions are likely to become more prevalent.  In this model, a consumer downloads an application to their smartphone and configures his or her user profile and payment methods.  The consumer and the merchant can then interact through that application.  Merchants and consumers should do due diligence to ensure that security has been built into the application, but these types of applications are on the rise.  (See ProPay Link)

NFC will not be abandoned in its entirety, but neither will it be the paradigm shifting payment technology that had been envisioned. At the end of the day, there are applications for each of the mobile technologies discussed here.  The challenge for merchants is to find the one that best fits their overall business strategy and offers robust security for their customers.

Dr. Heather Mark, PhD; SVP of Market Strategy

For small merchants, and really for any merchant, PCI DSS compliance can offer any number of difficulties.  For small merchants, though, lack of resources and information about the Standard can have a crippling effect on compliance.  Fortunately, there are now services like ProtectPay that can help small merchants comply with large portions of the PCI DSS with minimal resource investment.  For very small merchants, encryption and tokenization efforts can ensure that cardholder data doesn’t traverse your computer, your equipment, or your network.  (This works well for larger merchants, as well, though more integration may be necessary to ensure coverage for all payment acceptance channels.)  However, the PCI DSS does not apply only to digital data or to the transaction itself.  It applies to “hardcopy” data and to stored data, as well.  How can small merchants help maintain PCI DSS compliance for these types of data?  Here are a few tips.

1) Do not store cardholder data in spreadsheets or other computer files.

It may be tempting to store your customers’ payment information so that you can easily process a payment the next time a purchase is made.  Unfortunately, storing the data on your computer leaves you and your customers vulnerable.  If your computer is compromised, a thief could easily access that information.  Additionally, having cardholder data on your computer, particularly in an unencrypted format, is a violation of PCI DSS.  If you are storing data like that, merely losing your laptop could result in a finding of a data breach, with the attendant fines, fees, and penalties.  Many services, including ProtectPay, allow merchants to securely store customer data, without having to worry about PCI DSS compliance or data security.
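One way a small merchant (or whoever supports them) can check whether cardholder data has crept into spreadsheets and exports is to scan files for card-number-like digit runs and keep only those that pass the Luhn check. The script below is an added example, not code from the original post or from ProPay; the sample rows, the field layout and the masking format are constructed for the illustration, and the checker reports only a masked PAN so the scan output itself never becomes a new store of cardholder data.

```python
import re

# Constructed sample "spreadsheet" rows: one row carries a Luhn-valid 16-digit
# test number, one carries a 16-digit order id that fails Luhn, one a phone number.
SAMPLE_ROWS = [
    "Alice,4111 1111 1111 1111,2024-01-05",
    "Bob,1234567890123456,2024-01-06",   # order id, not a card number
    "Carol,555-0123,2024-01-07",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run. Typical PAN lengths fall in this range.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit runs in `text` that look like card numbers."""
    hits = []
    for match in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first six and last four digits, which PCI DSS permits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_rows(rows: list[str]) -> list[tuple[int, str]]:
    """Return (row number, masked PAN) for every suspected card number."""
    findings = []
    for lineno, row in enumerate(rows, start=1):
        for pan in find_pans(row):
            findings.append((lineno, mask(pan)))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_rows(SAMPLE_ROWS):
        print(f"row {lineno}: possible cardholder data {masked}")
```

The Luhn filter is what keeps order numbers, phone numbers and dates out of the report; a Luhn pass is not proof that a number is a live card, so treat each finding as something to look at rather than a confirmed breach.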

2) Do not write down cardholder data, if you can avoid it.

It seems so easy.  Just write the data down and process the transaction when you get home.  However, even written cardholder data can bring companies “in scope.”  That data must be protected, just as electronic data must be.

3) Make sure that sensitive data has a secure storage location.

If you must write down data, you should make sure that you have a safe place to store it.  Leaving sensitive information on desk or otherwise out in the open can leave it vulnerable to misuse.  Large companies often have “clean desk” policies, which require that employees clear their desks of sensitive papers and ensure filing cabinets and desk drawers are locked at the end of the day.  This helps to protect company data as well as customer data.  Small merchants can also adopt this policy to help protect themselves and their customers.

4) Ensure that any data that is written down is properly disposed of when it is no longer needed.

It is a fact of business that you may be unable to completely forgo writing down card numbers.  Whatever the reason, you must ensure that once the data is no longer needed, it is destroyed or rendered unrecoverable by thieves.  “Dumpster diving,” in which a thief goes through trash trying to find personal and financial information, is a popular technique among identity thieves.  Papers that contain personal information, including credit or debit card numbers, driver’s license numbers, social security numbers and other sensitive information, should be shredded before they are placed in the bin.  Crosscut shredders are preferable, as this type of shredding makes recreating the document more difficult.

Certainly there are other practices that can also help protect small businesses, but these four steps can help significantly reduce the risk of a “hardcopy” data compromise.

Dr. Heather Mark, PhD; SVP Market Strategy

Over the past year, the payments industry has been abuzz with news of Visa’s plan to encourage adoption of EMV technology.  While many in the payments industry have a clear understanding of what EMV is and how it might impact our business, for small merchants the term just adds on to the growing list of acronyms with which they must now be familiar.  PCI DSS, PA DSS, QSA, SAQ, and now EMV.   But what is EMV and what do small merchants need to know about it?

EMV itself is a standard begun by Europay, MasterCard International and Visa International. (Its current members are American Express, MasterCard, Visa, and JCB.)  The three companies joined together to form EMVCo, whose purpose is “to manage, maintain and enhance the EMV™ Integrated Circuit Card Specifications for Payment Systems.”  In other words, the company was formed to promote the use of “smart cards.”  A “smart card” is essentially a payment card with an embedded microprocessor, or chip.  Because the chip can hold much more information than a magnetic stripe can, EMV-enabled cards support multiple methods of authentication.  This ostensibly makes the process more secure for both the merchant and the consumer.   Since the chip can support dynamic and static authentication as well as online and offline authentication, the theory is that using EMV means that the risk of compromised card data being used fraudulently is significantly lower than with magnetic stripe data.  In other words, even if the data is compromised, it is less likely that it can be used to perpetrate fraudulent transactions.  As a result of its capabilities with respect to fraud prevention, Visa is strongly encouraging the US payments industry to move towards EMV.  So, what does this transition mean for merchants?
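The reason copied chip data is less useful to a fraudster than copied magnetic stripe data is that the chip signs each transaction with a per-transaction cryptogram over values the terminal and the card choose fresh every time, whereas stripe data is the same static string on every swipe. The toy model below is an added illustration of that property, not the EMV specification and not ProPay code: it stands in for the real cryptogram with an HMAC over a transaction counter, a terminal-chosen unpredictable number and the amount, and the shared key, counter width and message layout are constructed for the example.

```python
import hashlib
import hmac

# Constructed key shared by the chip and the issuer. Real EMV derives per-card
# keys from an issuer master key and uses a different MAC; this model skips that.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _mac_input(atc: int, unpredictable_number: bytes, amount_cents: int) -> bytes:
    """Transaction fields the cryptogram covers: counter, terminal nonce, amount."""
    return atc.to_bytes(2, "big") + unpredictable_number + amount_cents.to_bytes(4, "big")


class Chip:
    """Card side: a counter that only moves forward and a MAC over each transaction."""

    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0  # application transaction counter

    def generate_cryptogram(self, unpredictable_number: bytes, amount_cents: int):
        self.atc += 1
        tag = hmac.new(self.key, _mac_input(self.atc, unpredictable_number, amount_cents),
                       hashlib.sha256).digest()
        return self.atc, tag


class Issuer:
    """Issuer side: recompute the MAC and refuse counters that do not advance."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0

    def authorize(self, atc: int, unpredictable_number: bytes,
                  amount_cents: int, cryptogram: bytes) -> bool:
        expected = hmac.new(self.key, _mac_input(atc, unpredictable_number, amount_cents),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key, altered amount or altered nonce
        if atc <= self.last_atc:
            return False  # replay of an already-used transaction
        self.last_atc = atc
        return True


def magstripe_authorize(track_data: str, known_accounts: set) -> bool:
    """Static data: any exact copy of the stripe is indistinguishable from the card."""
    return track_data in known_accounts


def replay_demo() -> dict:
    """Run one genuine chip transaction, then three attempts to reuse its cryptogram."""
    chip, issuer = Chip(SHARED_KEY), Issuer(SHARED_KEY)
    nonce_1 = b"\x11\x22\x33\x44"          # constructed terminal unpredictable number
    atc, tag = chip.generate_cryptogram(nonce_1, 1999)
    results = {"genuine": issuer.authorize(atc, nonce_1, 1999, tag)}
    nonce_2 = b"\x55\x66\x77\x88"          # a later terminal picks a new nonce
    results["replay_new_nonce"] = issuer.authorize(atc, nonce_2, 1999, tag)
    results["replay_same_nonce"] = issuer.authorize(atc, nonce_1, 1999, tag)
    results["amount_changed"] = issuer.authorize(atc, nonce_1, 9999, tag)
    # Constructed stripe contents: a copy authorizes just like the original.
    track = "4111111111111111=2512"
    results["magstripe_copy"] = magstripe_authorize(track, {track})
    return results


if __name__ == "__main__":
    for case, accepted in replay_demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the first chip transaction is accepted; the same cryptogram fails under a new terminal nonce, fails as a straight replay because the counter has not advanced, and fails with a changed amount, while the copied stripe string authorizes every time. That contrast is the whole of the fraud-prevention argument in the paragraph above; it says nothing about whether the data itself can be stolen, which the post takes up next.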

1) The requirement to comply with PCI DSS will remain - Visa’s program states that if a merchant can verify that at least 75% of its transactions are EMV, then the requirement to validate compliance with the PCI DSS can be waived.  It should be noted, though, that it is only the requirement to validate compliance that is being waived, not the obligation to comply itself.  Another important caveat to this validation waiver is that only Visa has so far extended this offer.  Merchants will still have to validate compliance as required with the other card brands.

2) EMV  does not replace data security – The use of EMV cards does not inherently provide protections against the unauthorized access or disclosure of the data itself.  Data thieves would still be able to compromise the data.  However, the utility of the data is significantly lessened as a result of the layering of authentication mechanisms employed by EMV cards.

3) Acquirers/ Processors have to transition by 2013 – As of April 1, 2013 acquirers and processors must be able to support EMV transactions.

4) Liability Shift means Acquirers likely to encourage adoption – Visa has announced plans to implement a liability shift for fraudulent purchases.  Currently, if a counterfeit purchase is made, it is largely left to the issuing bank (the bank that issued the card) to absorb.  Under the new rules, which would take effect on October 1, 2015, counterfeit purchases that occur at a merchant location that has not adopted the EMV technology may become the liability of the acquiring bank.

As the deadlines come closer, the card brands will release more detail that will help guide merchants on the path to EMV.  Moving to EMV will be a challenge for an industry as fragmented as the US card processing ecosystem.  Although there will be the inevitable growing pains, the technology will serve to benefit all of the stakeholders – from merchant to the consumer.

Dr. Heather Mark, PhD; Sr. Vice President, Market Strategy

Many people today who consider themselves to be internet savvy might believe that they are too clever to fall for an online scam.  They know that they should not respond to pleas for help from Nigerian princes that need to move furniture for their long-deceased, well-meaning philanthropist great uncle.  They know that any job posting that requires respondents to send their bank routing information is likely not legitimate.  They know that a bank will never send an email asking their account holders to “verify their passwords” by clicking on a link.  But do they know that they shouldn’t click on that link that promises a sneak peek of the iPhone 5?

According to a recent survey by the Ponemon Institute (in collaboration with PC Tools), the answer is “no.”  The temptation is just too much, even for seemingly savvy internet users.  “Almost half (47%) of US respondents identified an online survey with a prize as either a scam or an attempt to get you to buy something later. However, when presented with the test scenarios, more than half (55%) of US respondents indicated they would be likely to provide their personal information to redeem a prize after completing an online survey,” said Richard Clooke, Online Security Expert, PC Tools.

A recent article on CNet emphasizes the point made by the survey. Last spring, a number of Facebook users were scammed by a link that offered a look at the new iPhone 5.   According to Elinor Mills, the author of the article, “People who normally ignore all the other scams involving purported free software or naked celebrity photos clicked that fake news link and even completed a captcha on a second site, which reposted the scam to their own Facebook stream. That probably says more about how fanatical people are about Apple products than anything else. But it did raise the question – what does it take to lure someone to click on something that seems fishy?” It would certainly appear that the old cliché “everyone has their price” applies to this situation. If scammers can target the right prey with the right bait, people seem to disregard their concerns about fraud.  Target techies and Jobs-o-philes with a promised look at a future Apple product and they’ll likely click away.

The moral of the story – “think before you click.”  Many people associate internet scams with malware and Trojans, but sometimes scammers are looking for more specific information about users so that they can launch more targeted and sophisticated attacks later on.   For example, in the scam listed above,  scammers could perhaps garner email addresses.  Those addresses could then be used in phishing attacks later on to get more sensitive data from individuals.  It’s important to remember not to let your guard down when it comes to cyberscams.

Dr. Heather Mark, PhD; SVP of Market Strategy

As someone who watches with great interest as the great privacy debate unfolds, this article really caught my attention.  The issue in question is the trade-off between online privacy and discounts or special offers.  According to a study by KPMG (Consumers and Convergence V: The Converged Lifestyle survey) a majority of US shoppers would offer up their online activity history in exchange for discounts on goods or even digital content.  Further, 43% of those surveyed would be willing to receive advertising, if they didn’t have to offer up personal details, in exchange for lower fees.

This is an interesting juxtaposition to the privacy hearings that have been occupying the US Congress of late.  Legislators have been greatly concerned with things like smartphone tracking and browsing histories.  It’s interesting to note that the issue may not be that consumers are upset about these activities on the part of merchants, but that they are not currently getting anything out of the bargain.  It is true that organizations should not be tracking consumer behavior, at least individual consumer behavior, without the consent of said individual, but there are benefits to sharing browsing history and shopping behavior, and consumers are recognizing those.  The question becomes, how can one leverage the consumers’ self-interest to help the merchant?

It is important not to lose sight of the fact that consumer notification, awareness and choice remain priorities.  Tracking consumers without letting them know and providing them with the ability to opt out is a major faux-pas.  However, providing them some quid-pro-quo seems to ease many consumer qualms. What would be interesting to know though, is the consumer “break-even point.”  In other words, what sort of discount or service is the minimum for sharing their online behaviors?  That is not included in the KPMG survey, and is likely much more difficult to ferret out.

In today’s world, the balance between marketing research and a breach of consumer privacy can be difficult to measure.  For organizations that have questions about managing consumer privacy, there are a number of resources that can be referenced. Included is a short, certainly not exhaustive, list of privacy guidelines.

1) OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

2) Federal Trade Commission Fair Information Practice Principles

3) Generally Accepted Privacy Principles

4) Privacy by Design

Dr. Heather Mark, PhD; SVP of Market Strategy