This Week In Payments News: Target Undecided On Who Will Be In Charge Of Stopping Hackers
This week's payments roundup comes from Payments Insider, the daily briefing delivered first thing every morning exclusively to BI Intelligence members.
TARGET PLANS MORE POWERFUL INFORMATION SECURITY ROLE
Target has yet to settle on key personnel decisions and management structures as it recruits for a new Chief Information Security Officer role following a massive data breach in December, in which up to 40 million credit and debit card accounts were compromised.
Before the breach, Target had different CISOs in three separate groups, says Ira Winkler, president of the Information Systems Security Association, citing familiarity with the company's internal structure. A Target spokeswoman acknowledged CISO functions have been distributed among several groups, but said the company is "actively recruiting" for a role that would oversee the formerly distributed functions.
Asked if the new role would be peer-level with the company's Chief Information Officer, the spokeswoman said that reporting structures had yet to be determined.
As online and offline retailers become more conscious of data breach risk, the CISO role is becoming increasingly important, eroding CIOs' authority.
"It's not uncommon for a CISO to be a director-level role," although that is changing, says Winkler of the Information Security Association.
"CIOs are extremely worried now that positions are being created that are equal to the CIO level to handle security or even replacing the CIO from a security perspective," one executive in the information security sector tells us. "I think you are starting to see the shift where CISOs are becoming the next CIOs."
KREBS ON INNOVATION IN PAYMENT FRAUD
Investigative journalist Brian Krebs, whose KrebsOnSecurity website first reported the Target data breach, detailed some of the latest payment fraud tactics this week at the CNP Expo in Orlando, Florida. "Fraudsters absolutely love payments innovation, because with all of these new things, fraud detection gets bolted on as an afterthought," Krebs said in a keynote address on day two of the conference.
The value of stolen account data declines dramatically once a breach is discovered, so hackers often engage in a practice Krebs described as "making sausage," blending stolen data from different breaches so that bank and credit card company monitoring systems can't pinpoint the source.
But increasingly, cybercriminals are finding that a "buy local" strategy is more effective, said Krebs. When stolen card data is used to make purchases near victims' homes, data thieves can evade location-based fraud monitoring tactics. "Bad guys think ahead," said Krebs.
FRAUD PREVENTION TOP CONCERN AT CNP EXPO
This week, we reported from the Card Not Present Expo in Orlando, Florida. Security and fraud detection are topics of particular concern in card-not-present transactions, which don't involve a physical payment card (such as e-commerce transactions). Since merchants typically bear more liability for fraud in these transactions, there is a great deal of demand for tools to help identify and weed out fraudulent activity.
Here are the key solutions we encountered at CNP, their advantages and drawbacks:
Biometrics
Decreasing costs and new standards make biometric-based solutions, such as fingerprint readers or eye-scanners, an increasingly promising way to authenticate online or mobile transactions, according to a number of experts. Journalist and cyber-security expert Brian Krebs questioned early in the CNP conference whether consumers would trust companies to store their biometric data in light of data breaches like Target's. But Andi Cook of Transaction Network Services was more optimistic: "If it makes shopping frictionless, consumers will be willing to give up biometric information," she said while moderating a panel. "I think we can convince you with a 20% discount," added Bill Clark, CEO of mobile voice recognition service Spindle.
Big Data
Statistical modeling is the classic approach to card-not-present fraud detection, and it continues to evolve and diversify. Transaction Network Services is building a data-based tool that can verify the identity of of cellphone subscribers. The decline of land lines has made it more difficult to authenticate purchases over telephones. Recurly, a recurring billing service, tries to limit declines of legitimate transactions by analyzing data on past "false declines," which it has built over time. Fraud experts agreed that the more data they had about a customer, the more accurate their fraud detection became.
Bitcoin
Enterprise payment processor Bitnet helps merchants accept Bitcoin and receive payment in local currency, and offers tools allowing traditional merchant acquirers to sell a similar service to their own merchants. Bitnet CEO John McDonnell, a former Visa executive, sees Bitcoin as the solution to many of the headaches that plague the credit card ecosystem, including fraud, chargebacks and false declines. Bitcoin avoids many of these issues through its unique transaction-clearing process, which connects payer and payee without intermediaries, and verifies transactions through the use of private keys and digital signatures. It's like "digital gold," McDonell says, once it changes hands, the transaction can't be reversed.
NEW APP PROMISES INTEREST-FREE PAYDAY LOANS
Palo Alto, California-based Activehours launched a new app that allows hourly workers to receive pay for hours worked before scheduled paydays.
Unlike online payday loans, a space that has come under increasing scrutiny by federal watchdogs in the U.S., the service does not charge interest or fees, and instead plans to ask users to pay the service with tips.
"We are a for-profit company, just not an obscene profit company," Activehours founder Ram Palaniappan tells us. In court documents, the U.S. Department of Justice has accused some online payday lenders of charging effective interest rates of up to 1,800%.
MASTERCARD INITIATIVES TARGET MID-EAST AND ASIA
MasterCard announced this week it will buy Indian payments processor ElectraCard in a deal with undisclosed terms, the Wall Street Journal reports.
This follows news that MasterCard is opening a new integrated processing facility in Dubai, and last month's acquisition of Pinpoint, the Australia-based company that provides loyalty and rewards services in the Asia-Pacific region. MasterCard expects to close the deal to buy ElectraCard by the end of this quarter.
In Dubai, MasterCard is preparing to open an integrated processing center, the Kahleej Times reports. Set to open by the end of this year, the facility will focus on processing prepaid and debit payments.
Earlier this week, MasterCard released a new report looking at consumer preferences of those who are excluded from the financial system or are underserved in six emerging markets in Asia and the Middle East.
The survey identifies prepaid cards as a way to bring people into the formal financial system in a number of these markets. Prepaid cards give users a way to limit spending as well as store value, and they present a much lower theft risk in comparison to carrying cash. MasterCard has actively pursued prepaid in the Asia and the Middle East, claiming 40% growth for their prepaid business in these regions last year.
EBAY CEO CONSIDERS BITCOIN FOR PAYPAL
At an annual shareholder meeting, eBay CEO John Donahoe said he was considering Bitcoin integration for PayPal, the International Business Times reports.
"We think bitcoin will play a very important role in the future. Exactly how that plays out, and how we can best take advantage of it and enable it with PayPal, that's something we're actively considering. It's on our radar screen."
The statement marks a significant shift in eBay/PayPal's attitude towards Bitcoin, and will push other online payment companies to seriously consider integration.
In the past, eBay had listed Bitcoin as a potential competitive threat to PayPal in regulatory filings. And in late 2013, PayPal CEO David Marcus said he was intrigued by Bitcoin (and owned some of his own) but did not think PayPal was ready to allow its customers to link their accounts with Bitcoin wallets.
STATE BANK SUPERVISORS FORM BITCOIN TASK FORCE
As we've written, a maze of differing local regulations on Bitcoin could be one of the biggest stumbling blocks for the growing number of startups that hope to build point-of-sale and money transfer platforms on the digital currency.
Now, Reuters reports that a body of state regulators is collaborating on producing a handbook of "model laws or regulations" on Bitcoin for local and federal officials to consider. Called the Emerging Payments Task Force, the group is composed of nine members of the Conference of State Bank Supervisors and will also examine mobile wallets and online money transfer services. The task force plans to spend about a year completing its review.
LEVELUP INTEGRATES WITH POINT-OF-SALE PROVIDER
Revention, the restaurant ordering and point-of-sale provider, announced last week that it has partnered with LevelUp, the Boston-based loyalty and mobile payment app that claims 14,000 merchant locations. The move marks the beginning of LevelUp's "phase two," an ambitious plan to become a development platform for merchant-facing software, PYMNTS reports.
LevelUp's plan is another example of the industry-wide shift toward integrated payments, which is the bundling of software-powered services like inventory data and customer management with payments technology.
Start-ups like LevelUp and legacy payment services providers are all in a race to provide the most comprehensive solutions.