The President and the Standard: Does an Executive Order make payments more secure in the USA?
Last Friday afternoon, as work was winding down, an executive order came down from the President of the United States, nearly knocking me out of my chair.
This year has been so bad for merchant data breaches, with more likely in the margins, that the President felt the need to ensure that the government would offer itself as a safer and more secure place to do business, by advancing the timeframes to be EMV-compliant at government points of sale. The chip card standard, where the magnetic stripe in a face-to-face transaction will be phased out and replaced with a SIM-card-like chip built into your credit and debit card, should serve to increase the security of payments in card present transactions. This is the leadership that I’ve been looking for, where the government has required something faster than the private market has, for the collective benefit of the financial system. Opponents (yes, there are, I hear from some at least weekly!) have been saying that chip cards will be too expensive, the technology is not comprehensive enough to really secure plastic payments, and that we don’t need the change.
Moving through these concerns in reverse order:
- We don’t need the change: Let’s break this down a bit. In the last calendar year, we have had two of the most significant merchant data breaches on record affecting over 96MM cardholders. Additionally, there continues to be a steady flow of not-so-insignificant payment card breaches and as a result, various calls for moving back to cash and/or widespread adoption of newly emerging technologies to maintain payment security (and contrary to popular belief, not everyone wants a new iPhone 6 with Apple Pay).
- The technology is not comprehensive enough: Yes, fine. It’s not a silver bullet. What is? The capacity for this development to dramatically increase the security of card present payments at POS will ultimately reduce the frequency and volume of merchant data breaches that include payment data. I sometimes hear from security professionals that some of the card data is sent in clear text within an EMV transaction, that the technology doesn’t do enough to protect the payment information. To this, I usually respond with the following: UK card present fraud declined by 75% after implementation. We will get to the additional security technologies on the card not present side shortly, with the next step, tokenization, which is already on the march.
- It’s too expensive: This one is particularly ill-founded. Let’s ask some high-profile merchants who were compromised last year how fast they would trade their data breach for a POS terminal conversion project. At a cost of nearly $200 per record in the U.S.A. (Ponemon Study), merchant data breaches cost the affected retailer a lot more than they may think in indirect costs. Further, the new POS devices themselves come in at prices just below that. OK, yes, there is a lot more to it, but my point is that it’s a small price to pay to get on the train.
So, it’s an easy case to make, right? I have one more for you, and it will come in as an anecdote. Every fraud manager I know has had at least one situation where they declined someone special with a fraud rule, and eventually got into a mess over it. For me, it was the CEO of a credit union I was consulting with years ago. He was declined over the weekend for a card at the very institution he managed, and it embarrassed him in front of his friends. Everything I had done with them was then called into question and all work scrutinized. Eventually, he was made more confident in his fraud program after all the facts and metrics were laid out on the table, but there was a heightened visibility into the strategies after that. It was wise for the CEO to hear us out, understand why his decline was valid and appreciate the benefits of our strategies.
The same scenario was put forth to the CEO of the U.S.A., who was declined at a restaurant with his wife. Apparently, he rarely used the card, and a strategy caught up with him. The President ultimately decided that the problem was not the strategy, the problem was the rampant abuse of our merchants, banks and their cardholders. His progressive perspective on the matter leads me to the belief that this shift in policy will begin to change others’ perspectives in the coming year.
As we move toward International Fraud Awareness Week in early November, I’ll share more in another blog update about how to begin to tackle the challenge of engaging your customers in the fight.