Peter Guidi's Blog

Archive for the ‘Retail Payment’ Category

“Torch it, Shane. Burn everything”: Snidely K. ‘Whip’ Whiplash. Ransomware and protecting your organization from the bad guys.

In Internal Scanning, PCI, Platforms, Retail Payment, Uncategorized, Zone Routers on December 28, 2016 at 10:29 am

In 1986, evolutionary biologist Dr. Joseph Popp infected many people with AIDS, just not the way you might think. “AIDS Information Introductory Diskette” was the world’s first known ransomware attack and was introduced into systems through a floppy disk which Popp mailed to his victims. 30 years later, the bad guys are still relying on human error to bring forward a new generation of even more dangerous ransomware threats. If you’ve missed out on encryption ransomware, lock screen ransomware, master boot record (MBR) ransomware, consider yourself lucky! Dr. Popp defended his hostage taking by explaining that the money was going to the PC Cyborg Corporation for AIDS research. Today’s hostage takers are harder to find and more interested in stealing your money than social causes. These days, if your network, mobile or desktop computer, falls victim to “ransomware”, your financial data and business records could be locked with strong encryption along with a demand that you pay for a key to unlock the files. Are you familiar with Bitcoin and the dark internet?

The evolution of IP connected devices at retail has changed the nature of threat vectors. Today, retailers must be as concerned with their Non-Card Data environment as they are with protecting the card data environment. Ransomware is one of the clearest examples of the expanding data security threats. According to an analysis published by Trend Micro the average ransom demanded was approximately $722. Hollywood Presbyterian Medical Center paid $17,000 and The University of Calgary paid $20,000. Trend Micro found the majority of organizations that are infected by ransomware end up paying the ransom. Three-quarters of companies which had not suffered a ransomware infection reported they would not pay up when presented with a data ransom demand. Clearly, people tend to see things differently when they’re the ones in the hot seat. Retailers have millions of dollars in sales at risk. Would you pay if your stores were offline?

How big of a problem is ransomware within the C-store space? During this year’s NACS conference at the “Technical Tools of Data Protection” session, Hugh Williams, CIO of Maverick said: “We focus so much on the CDE, but probably the biggest threat out there is ransomware. It’s looking for ingress right now. They are not so much interested in your card data, they want your other stuff”. When the room was asked who had been attacked by ransomware, nearly a dozen retailers raised their hands.

Protecting yourself from ransomware attacks, or how not to be the next ransomware victim, is a major challenge. The first step is to understand that this challenge is beyond the scope of PCI and your POS. Ransomware finds its way into your environment in a number of ways. Two common threat vectors are leveraging IoT devices and tricking people into inadvertently undermining the security of their device, like enabling a macro in a Windows document.

Stopping employees from opening the door to the bad guys takes “people and process”. Maintaining a secure network that closes the door to the bad guys requires good tools and proper scanning and patching. Management often doesn’t prioritize internet security until it’s too late. CIOs work to develop ROI analysis to drive budget for investment in network security. CEOs need to be educated on protecting the business from internet threats like ransomware, and on having a full disaster recovery scenario that is fully backed up and periodically tested. To harden defenses against ransomware attacks, retailers can adopt policy changes. IT departments can close the door by expanding the objectives of data security beyond PCI with an emphasis on scanning and patching outside of the card data environment. In the c-store business, IoT is only growing. Are your pumps IP enabled?


The EMV illusion: the connection between EMV and mobile payment.

In connected consumer, credit card, debit card, EMV, merchants, mobile payment, payment, Payment card, Petroleum retailing, Platforms, Retail Payment, Uncategorized on December 2, 2016 at 10:18 am

Dai Vernon, “The Professor”, who died in 1992, was a Canadian magician and the greatest sleight of hand figure in the history of the art. He rarely performed, but he invented magic and had an enormous influence on the whole range of “sleight of hand”. And so often, the magic he was doing was to fool other magicians. Such is the case with yesterday’s announcement that the EMV AFD mandate, scheduled for 2017, is moved to 2020. The “sleight of hand”: create a crisis, propose a solution and when the true motivation for the project evaporates, move the requirement far enough into the future that its purpose fades until the need is so obscured as to not be necessary. The Professor would be proud, but for the many retailers, hardware manufacturers and professionals betting on EMV at the pump, this is a cruel trick.

A few years back I wrote that EMV, while being presented as an antifraud tool, was really a disguised methodology to bring NFC to the pump. After all, if the goal was simply to eliminate counterfeit card use, swipe and PIN would have essentially eliminated that counterfeit card fraud.  So, why was EMV/NFC so important, if there were cheaper ways to reduce fraud? The answer lies in mobile payment.

During the last five years the world has witnessed the conversion to a mobile digital society. Initially the card associations sought to enable mobile through the use of NFC. This was critical because the Card Brands sought to protect their business model against disruptive models and bake bank issued cards into payment terminals and the AFD.  The ROI on mobile payment is elusive and so the EMV liability shift was created (the sleight of hand) to create the ROI needed to drive NFC to the pump. What went wrong?

Two major issues have pulled the curtain back from the EMV illusion: cost (how) and need (why). There is little to say about the cost of EMV, other than prohibitive. One MOC showed me an estimate where the cost was north of $100M, WOW!

The “why” is more complicated. Over the last two years, cloud based payment models that leverage the POS, rather than NFC at the payment terminal, have been proving themselves in the market. MasterCard and Visa’s agreement with PayPal, the release of standards and multiple pilots, are an indicator of their belief that cloud based solutions will lead the way in mobile. Cloud based systems do not require communication between the payment terminal and the phone, and therefore many of the arguments about NFC are eliminated. Further, there are many use cases, like vehicle based payment or drive-throughs, where cloud based solutions are more effective than NFC. If cloud-based solutions become widespread, then NFC is no longer relevant. Further, if you believe, as many do, that millions of consumers will adopt mobile, and mobile payment will be cloud based, then as card based usage at the pump declines, the rationale for the investment in EMV evaporates.

 

ApplePay User Review: The Default Card process and Top of Wallet Implications.

In mobile payment, Retail Payment, retailers on November 18, 2014 at 1:25 pm

Last week, First Annapolis Consulting released “Tracking Apple Pay: 11/13/2014”. First Annapolis has been tracking Apple Pay and keeping their professional community informed. The key focus of this review is to outline how consumers enter and select payment cards; the “Default Card Process”. I was intrigued by the implications of the review. Most intriguing is how the Default Card Process alters the relationship between the consumer, their default card and “Top of Wallet” position. Top of Wallet position is one of the most significant factors when a consumer chooses a method of payment. If ApplePay impacts which method of payment a consumer chooses by virtue of the “user experience” and the “default card feature”, then many new questions arise. Perhaps the most important question is how this alters the consumer payment relationship and fees between the issuers and merchants. As importantly, since ApplePay charges the issuer and controls the user experience, could this create a new layer of competition between issuers for the Top of Wallet Position? The obvious result is higher transaction fees.

Setting out to understand how ApplePay and the User Experience might alter the consumer’s payment behavior requires actually using the product and for that I turned to one of my most trusted associates, Mike Kuzel, Client Solutions Executive, Toth Consulting. Mike was good enough to listen to my questions. He agreed to help out on this blog; here is his review. I look forward to reading about your experience with ApplePay.

Mike Kuzel: My ApplePay Adventures, Part I

I’m an admitted tech geek and willingly drink the Cupertino Kool-Aid. I’m also a professional in the retail technology field with some experience in the mobile payments world. My motivation to get the iPhone 6 was in no small part because of ApplePay and the promise of a world class mobile payment / digital wallet user experience from the people who make things I love to use and want to use all the time.

Once ApplePay launched I scanned my cards into my iPhone 6’s Passbook and the first card was a Delta SkyMiles AMEX, which went in automatically as my default. Then I loaded a Citi MasterCard Credit Card and lastly my USAA MasterCard Debit Card that is tied to my checking account.

I was ready to experience the future! My first stop was Walgreens, as I needed some allergy medicine. I approached the counter; handed the item over, presented my Walgreens loyalty card (from Apple Passbook of course) and that first beep sounded a lot like “Gentlemen, start your engines!” to me. The cashier then rang up my item…beep! Now was the moment I’d been waiting for, my inaugural ApplePay transaction. I touched the phone to the pin pad and the iPhone presented the picture of my default AMEX and the prompt to hit Touch ID. Thumbprint and done! It was easy and quick and it felt as great as I imagined. Over the coming weeks I repeated this process a few more times at Walgreens, once at Office Depot and ApplePay life was good. Then came yesterday. The day I decided I wanted to pay with a different card than my default AMEX. I made this decision, quite normally, at the checkout while my items were ringing up at my local Whole Foods. My glorious happy “Apple is Awesome” song playing on loop in my head hit the proverbial record scratch moment and ApplePay fell back to earth for this user.

The cashier was almost finished scanning. Beep, beep, beep… I’d made my decision to use my checking via my USAA card loaded into my ApplePay. I hit the card in my Passbook to pick it and assumed that would do the trick.

“That will be $21.41 sir” I’m not sure when I graduated to sir but I’ll take what pleasantries I can get these days in the world of retail service.

“Sure thing let me just…” I hit the USAA card picture one more time in the Passbook app then touched the phone to the pin pad. I fully expected another awesome ApplePay transaction. Wait…“Hmmmm”… the AMEX, not the USAA card presented itself as payment on the screen. My inner voice that normally whispers seemed to yell at me “does not compute”!

I’m standing there a little confused and politely asked for just a second longer. I glance behind me and realize the woman queued up next had noticed my inability to pay quickly. You’ve all experienced the body language of judgment upon holding others up in a grocery line, no? I fumble with the phone. Home button, go to settings… let’s see…where is it? Oh yeah “Passbook & ApplePay” I’ll just hit that, pick my card and all good. Not perfect but can’t be harder than that right? I mean this is Apple, their stuff just works! Bingo! I see all the cards listed I hit the one I want and it takes me to a screen to either open my USAA app or remove the card… nope…that’s not what I need to switch payment. Tick, tick, tick… already way too long for a normal checkout. Body language lady behind me has shifted into the verbal realm, “Why don’t you just pay the old fashioned way?” I laugh at what I presume is humor and agree with her that she might be onto something there. I’m determined to do this now, if for no other reason than geek pride. My neighborhood legacy shall not remain Whole Foods ApplePay version of the Star Trek “redshirts”!

Now I’m back to settings. How do I switch cards…? Aha! “Default Card” maybe I make the choice there. Thumb of fury… tap, tap, tap and I pick the USAA card which actually changes my default card. This is different from what I expected or wanted and a seemingly extreme measure, so final, but I’m already on borrowed time. I back out of screen and hold the phone to the pin pad feeling a little like a gambler on his last bit of luck “just one last bet”. Jackpot! The USAA card picture shows on the iPhone. I Touch ID and I’m finally on my way. Walking out I’m a little bewildered and frustrated by the user experience cooked up by the normally on point Apple folks.

I wasn’t timing the transaction yet by any measure it took way too long to pay simply because I chose to use a different card. I’m tech savvy and an early adopter; I knew intuitively what steps I should be looking to take to solve this issue but what about the general public using Apple Pay? Would they give up and pay with cash or a card from their wallet or just keep the default even though it wasn’t their desire?

My experience with switching cards for payment in ApplePay proved less than stellar, as it was too clunky and involved with too many steps. Critics might say now that I know the process it will prove faster and they’d be correct yet they’d be missing the proverbial point, it shouldn’t be that cumbersome.

If Apple has designs on Passbook as a true digital wallet, and all signs point to that, then they need to rethink how it works. I’m focused on user experience here, which doesn’t even touch the implication for who gets and how they get the coveted “top of wallet” status in the digital wallet. I believe the success (and by that I mean adoption by actual people) of mobile payments via digital wallets rides on user experience. A poor design could stunt enthusiasm as more people make the natural choice to use another card from their ApplePay wallet and wonder why it’s so much harder than the old fashioned way.

“Contractual conflict”; Apple Pay and MCX, the new front in the mobile payments war.

In ACH decoupled debit, alternative payment, merchants, mobile payment, payment, Platforms, Retail Payment, Uncategorized on November 3, 2014 at 8:38 am

A few years ago, while at one of the major POS annual user conferences, I had the opportunity to socialize with one of the initial members to MCX. At the time, I was with PayPal and mobile payments was more of an idea than a technology. MCX had just been announced and I was learning about the “hush hush, MCX Exclusivity” requirements. I was floored. How could that be good for either the merchant or the consumer? His answer; “They really did not care if MCX ever conducted a single transaction. If allowing Visa/MC into the mobile wallet forced lower overall fees (read cards as well) then MCX would have done its job”. When asked about how profitable CurrentC would be, Lee Scott, former CEO of Walmart said, “I don’t know that it will, and I don’t care. As long as Visa suffers”. It never seemed like much of a business plan to me.

It was all such a secret. I can’t count the number of times I heard; “The first rule of MCX is; you don’t talk about MCX”. Well, judging from the news, things appear not to have worked as planned. The veil was lifted on the MCX story when Rite Aid and CVS Health pushed aside Apple Pay and in doing so revealed a new wrinkle in the mobile payment war, contractual conflict. The notion that an exclusive MCX mobile payment solution might be a lever to force card acceptance fees down seems to have reached its apex. Are retailers willing to say no to Apple Pay? The consumer is caught in the middle.

One of the ingredients in the MCX secret sauce is the idea that retailers will adhere to an exclusive arrangement, thus locking out competing payment systems in the mobile channel. As Karen Webster speculates in her 10/27 blog, MCX is likely to have told both Rite Aid and CVS “You simply can’t do it. And, the fact of the matter is that you’ve been caught two-timing with Apple Pay, and that’s clearly a violation of your contract with us.” In doing so MCX is leveraging its big stick, not its economics, product features, or consumer demand, but the strength of its legal teams and the adverse contract its members have signed. “This act by CVS and Rite Aid heralds the advent of the imminent battle in the mobile payment system,” said Anindya Ghose, a marketing and information-technology professor at New York University. Now that lines have been drawn, we will learn if MCX can drive the cost of payment down, or if its own member retailers will instead choose to provide their consumers with choice. Call the lawyers.

The Battle of the Titans continues as NACS squares off with the ETA over mobile payment.

In Convenience Store, merchants, mobile payment, Retail Payment on October 30, 2014 at 12:05 pm

Greek Mythology and the payments industry seem to have a lot in common. There’s something about CVS and Rite Aid’s decision not to accept Apple Pay that reminds me of when “Cronus attacked Uranus, and, with the sickle cut off his”…..well, you get the point.

There has been a lot of noise about mobile payment over the last few years. Confusion about technology and economics clouds the issues. Now, in the same tradition of Durbin (legislation) and Brooklyn (litigation), banks and retailers are setting the stage for another battle over mobile payment. The new issue is: do Apple Pay, Softcard and other NFC based solutions simply enable the traditional payment providers (read fees), or is MCX just an anti-competitive alliance of retailers created for no other reason than to leverage the emerging consumer acceptance of mobile payment systems to drive the cost of payments down? In the middle is the consumer who simply wants convenience and choice.

The Apple Pay launch opened the latest salvo in the fee/service war. The Electronic Transactions Association is saying that the decision by CVS and Rite Aid to block mobile payments services like Apple Pay, Google Wallet, and Softcard is “anti-consumer and anti-competitive”. NACS, apparently in support of the Retailers’ MCX relationship, is saying that Apple Pay essentially allows “Visa/MasterCard monopoly into mobile payments”, adding: “Those two dominant credit card networks have faced a lengthy series of antitrust actions from the U.S. Department of Justice and merchants over the years due to their anticompetitive conduct. Now, they are working feverishly to require merchants to accept their preferred technology, near-field communications (NFC), so that they can extend their dominance into the future.” How supporting MCX, a program that requires exclusivity within the mobile payment channel, even the exclusion of non-VISA/Mastercard 3rd parties, is not Anti-Competitive is a bit of a mystery.

Let’s be clear, MCX could allow either Visa or Mastercard into the CurrentC wallet, it’s a business decision, not a technology issue. Apple was clever enough to shift costs (at least for now) to the issuer, rather than the merchant. This opened the door to many merchants avoiding the interchange conversation. Why many merchants have chosen not to join MCX might have something to do with membership fees, product availability, or perhaps that it is an ACH program rather than a new low cost 4th network. After all, there are many ACH providers, why spend a lot of money joining a coalition only to pay a high membership fee for a product that is already available from other providers?

The reason the industry is lining up to fight over the CVS & Rite Aid decision is because this is another skirmish in a multi-year battle over the fees retailers pay, or banks earn, when consumers make a payment. For retailers simply wanting mobile payment at low cost, the program is available today. Retailers can compete with banks for consumers’ method of payment; that’s the “Competitors Code”. The point is, Retailers don’t need legislation or litigation to drive fees down, competition will do the job. If CVS and Rite Aid don’t want to accept Apple Pay, so be it. On the other hand, how does a restrictive exclusive contract with MCX serve the consumer?

“For their return home, the Greeks dedicate this offering to Athena”. Apple Pay and increased mobile payment fees.

In mobile payment, Retail Payment on October 23, 2014 at 12:00 pm

The Blogosphere has been alive with information on mobile payment and Apple’s introduction of Apple Pay. The flame-outs of PayPal Off-line, Google, Amazon, ISIS (or whatever), and MCX (whenever) have the experts writing and talking about how, when and where mobile payment will become commonplace.

Enter Apple. While Apple may indeed be the first broad based mobile wallet to achieve consumer adoption, Retailers will remember Apple as Odysseus and Apple Pay as a wooden horse bearing higher payment fees. New fees may start arriving in the first statements and no doubt merchants will be asking about the tokenization, wallet storage and API fees. According to legend, “after a fruitless 10-year siege, the Greeks constructed a huge wooden horse, and hid a select force of men inside. Once inside the walls of Troy, the Greek force crept out of the horse and opened the gates to allow the Greeks to enter and destroy the city of Troy.” A fruitless siege might be a good way to describe the tug of war between retailers and banks, abetted by the technology, and the painful march to mobile payment. Apple brings scale and technology, but given their Trojan Horse approach to payment fees, merchants opening the doors to Apple Pay seems eerily like Troy opening its gates.

Apple deserves applause for devising a strategy that hides their transaction costs within the issuer as a share of interchange rather than charging the merchant directly. Herein lies the “Trojan Horse” and the promise of higher fees in the future. Published reports indicate Apple will be paid 15 basis points by the issuer (Banks). Retailers need to ask themselves, how long before this cost is shifted to the merchant by way of higher acceptance fees? My guess, about the same time Apple reaches 10 million Apple Pay consumers.

The big unknown is how high will fees go? The answer is as high as possible. Merchants often say there is little competition in the card fee world and therefore it’s a monopolistic business. Apple Pay can only add cost and another partner that needs to earn profit. 20 years ago banks convinced retailers to accept card based payment using low fees, the results are clear. As merchants open the gates and let Apple Pay in, they should hardly be surprised when Apple Pay is earning 100 basis points rather than 15, and it won’t be the issuer paying the bill.