<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Transaction Management &#38; Solutions &#124; TM&#38;S &#187; Michael Brooks</title>
	<atom:link href="http://www.tmspay.com/author/mbrooks/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.tmspay.com</link>
	<description>Transaction Management &#38; Solutions &#124; TM&#38;S</description>
	<lastBuildDate>Thu, 30 Jun 2011 20:41:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Going Global &#8211; Is Ecommerce The Same for All Merchants?</title>
		<link>http://www.tmspay.com/2011/06/30/going-global-is-ecommerce-the-same-for-all-merchants/</link>
		<comments>http://www.tmspay.com/2011/06/30/going-global-is-ecommerce-the-same-for-all-merchants/#comments</comments>
		<pubDate>Thu, 30 Jun 2011 20:39:21 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[MOTO/ecommerce]]></category>
		<category><![CDATA[cross-border ecommerce]]></category>
		<category><![CDATA[ecommerce]]></category>
		<category><![CDATA[global ecommerce]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=388</guid>
		<description><![CDATA[The words &#8220;global ecommerce&#8221; are thrown about very easily these days.  The words &#8220;cross-border ecommerce&#8221;, not so much.  They are related, but they are also very different ways in which merchants can conduct business globally.  So, what does it matter to merchants?  That all depends on whether a merchant wants to cater to customers [...]]]></description>
			<content:encoded><![CDATA[<p>The words &#8220;global ecommerce&#8221; are thrown about very easily these days.  The words &#8220;cross-border ecommerce&#8221;, not so much.  They are related, but they are also very different ways in which merchants can conduct business globally.  So, what does it matter to merchants?  That all depends on whether a merchant wants to cater to customers directly in certain countries &#8211; or if they want to have a single presence with a single marketing message and sell the same products to all its customers.  If a merchant has the bandwidth to support multiple web sites (in various languages), various distribution channels, and offer multiple payment options, cross-border ecommerce would be the path to take. <span id="more-388"></span></p>
<p>So, what’s the difference between the two?  If a merchant has a single web site but sells to customers in various countries, using global shipping options such as UPS or Fedex, that is considered global ecommerce.  If a merchant is based in one country but has a country specific web site in another, and they use country specific distribution channels and logistics, country specific payment options, etc., they are engaging in cross-border ecommerce.</p>
<p>Amazon, for example, practices cross-border ecommerce.  They have country specific web sites, each of which caters to the country-specific consumer base, including the types of products and services offered there.  Even if both the U.S. and the U.K. utilize the English language, consumer taste, product choices and vernacular are different in each country.  Amazon sells &#8220;sweaters&#8221; in the U.S. and &#8220;jumpers&#8221; in the U.K.  That is a simple example.  Even if cross-border ecommerce is desired and attainable, there are a host of other business decisions to make in that scenario.  Merchants have to consider other challenges such as the local language, local regulatory laws, taxes, distribution issues, fraud concerns, customer service, international fees, increased settlement time and payment types preferred by consumers or otherwise governed by local laws.  Since a merchant needs to stay afloat to stay in business, obviously payment and settlement issues can cause a severe impact on a merchant&#8217;s existence.</p>
<p>Merchants who decide to go the cross-border route also need to research, understand and offer payment options that will be attractive to consumers in each country.  While the credit card is the payment type of choice for U.S. consumers, the debit card is king in the U.K. and cash is the preferred payment method in China.  Merchants need to also understand and comply with payment regulations, as they will differ in each country.</p>
<p>Most U.S. merchants are accustomed to a 24-72 hour settlement timeframe for card payments.  International, online payments will take longer to settle and involve additional fees.  Fees for merchants receiving international payments will vary by country, by the amount of the transaction, the type of payment method, transaction processing system and merchant processor that is used.  For example, PayPal charges 3.9% + $0.30 for transactions up to $3,000 for anyone selling to buyers outside the U.S.  Google Checkout charges a 1% fee (on top of set transaction fees) for cross-border transactions.  (Their final fees pretty much match PayPal when it all adds up.)  Fees from other merchant processors and other merchant fees will vary of course.  Currency conversion may also need to be taken into account, although buyers are traditionally charged the fees for conversion when purchasing something using a payment card issued from a bank in a different country.  Some banking networks have come together to ease the burden of global payments and processors have developed solutions that encompass things like global payment networks and fraud protection, including localized risk management and currency conversion.  In the end, solutions continue to be developed to help ease the hassles merchants have when they want to expand into the global ecommerce space.</p>
<p>During the decision process for global expansion into global or cross-border ecommerce, a merchant should evaluate what that leap will entail and all the options available.  If venturing into cross-border territory, they need to make sure they adhere to local laws, engage in best business practices, put proper fraud controls in place, as well as present a consumer friendly shopping environment that provides ease of use and supported customer service for any issues that may arise, paying specific attention to time zones as well.  While an ecommerce site may be available 24/7, is support available for international consumers during the off-hours in the merchant&#8217;s home country?  It may be a while before a simple solution for global payments is available.  Until then, merchants should provide the payment options most desired by their potential customers – which will be different for each country specific ecommerce site they maintain.</p>
<p>Finally, looking at the bottom line before taking that global leap can’t be ignored.  Merchants need to decide how any fees imposed for cross-border transactions will affect their profit margin and the pricing of their products.  Even if a merchant desires a presence globally or in a specific country, the cost of conducting cross-border business may not enable the merchant to be competitive with local merchants – online or off.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2011/06/30/going-global-is-ecommerce-the-same-for-all-merchants/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Can You Protect Your Customers From Outside Data Threats?</title>
		<link>http://www.tmspay.com/2011/05/16/can-you-protect-your-customers-from-outside-data-threats/</link>
		<comments>http://www.tmspay.com/2011/05/16/can-you-protect-your-customers-from-outside-data-threats/#comments</comments>
		<pubDate>Tue, 17 May 2011 00:56:04 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[data security]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[identity theft]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=383</guid>
		<description><![CDATA[It seems that not a week goes by without a data breach being in the news.  Breaches occur a lot more than we realize – even affecting small businesses such as medical offices and single location restaurants.  However, only the big ones make headlines.  Hackers today have found various ways to obtain private and sensitive [...]]]></description>
			<content:encoded><![CDATA[<p>It seems that not a week goes by without a data breach being in the news.  Breaches occur a lot more than we realize – even affecting small businesses such as medical offices and single location restaurants.  However, only the big ones make headlines.  Hackers today have found various ways to obtain private and sensitive consumer data – and merchants are not all to blame.  <span id="more-383"></span></p>
<p>Following the Epsilon breach in April, consumers became more aware of third parties managing personal consumer information, as it affected huge companies such as Target, Walgreens and Best Buy.  Many companies, including small mom and pop outfits, outsource functions, such as data storage and marketing, so they can concentrate on what they do best (even if it’s just managing retail sales).  Businesses love automated programs that help ease the burden of time consuming marketing tasks, but what they don’t realize is that any time a third party company has access to customer data, sensitive information could be at risk.  Hackers don’t just look to target single company databases anymore, as we might think.  They have gotten a lot smarter.  Why hit a single company when they can hit a conglomerate who manages large amounts of data for other companies?  Epsilon manages email marketing for roughly 2,500 clients.  Even if the hackers were able to obtain just email addresses, that information can be used for phishing to obtain more sensitive data.  What about old databases that have not been scrubbed?  Data sources on the Sony PlayStation Network breach stated that the initial breached information, affecting 77 million accounts, was contained in an outdated database.</p>
<blockquote><p>Hackers don’t just look to target single company databases anymore&#8230;</p></blockquote>
<p>PCI security guidelines, as well as credit card associations, stipulate rules and regulations for how sensitive data (i.e. credit and debit card numbers) is to be stored, not stored, encrypted, etc.  However, even the breach of non-sensitive customer data (email and mailing addresses) can lead to consumers voluntarily giving away their sensitive information and thereby becoming victims of fraud.</p>
<p>Customer data sharing adds more fuel to the fire.  While customer data storage practices might change, customer data sharing will not be going away – likely ever.  Data sharing amongst financial institutions and creditors is very common and recent privacy notices now communicate this information more clearly, telling card holders what data sharing they can and cannot limit.  Even if an account is closed, the consumer’s information remains available for at least seven years.</p>
<p>Cloud computing, as we can see being pushed by Google and Microsoft, is a contributing factor as well.  Using a web-based service to store personal data of customers may be convenient, but it also puts that data at risk.  Underneath it all is the need for consumers to share their basic sensitive data, such as credit card and social security numbers, to live and function in our world today.  It is very rare that someone uses only cash, doesn’t have a bank account or hasn’t provided at least their social security number for some purpose or another.</p>
<p>Additionally, breaches don’t just come from people accessing data through the internet or insecure firewalls.  Data being transferred on portable devices, printed material stored in insecure locations, disgruntled employees who have access to personal and/or secure data (even if it is names and email addresses) and personal information that is discarded without being shredded first can all be a target for fraud.</p>
<p>In addition to engaging practices to protect customer data, every business can learn from how affected businesses have responded to recent highly publicized data breaches.  Some followed up rather quickly with communication regarding the exposure and warned their customers of phishing emails and phone calls.  Financial institutions, such as WFNNB, which many merchants use as a credit card provider, issued new cards to their customers.  Sony took a more severe approach and has announced that their network will not be up and running again until the end of May.</p>
<p>The one good thing about these data breaches is the development of the next generation encryption technology.  Unfortunately, it will likely continue to be a cat and mouse game.  As far as best business practices, no matter what businesses do to protect customer data, those who communicate their privacy practices clearly and take precautions immediately following a breach (even if it did not affect them) will certainly keep more customers than lose them.</p>
<p><em>On a side note, if you want to read more about all the breaches that are reported, check out the <a href="http://www.privacyrights.org/data-breach">Privacy Rights Clearinghouse</a> chronology.  You just might be surprised.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2011/05/16/can-you-protect-your-customers-from-outside-data-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Where Are We With PCI Compliance and Mobile Payments?</title>
		<link>http://www.tmspay.com/2011/03/31/pci-compliance-and-mobile-payments/</link>
		<comments>http://www.tmspay.com/2011/03/31/pci-compliance-and-mobile-payments/#comments</comments>
		<pubDate>Fri, 01 Apr 2011 00:55:27 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Industry Compliance]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[mobile payments]]></category>
		<category><![CDATA[NFC]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=376</guid>
		<description><![CDATA[How is the PCI Security Standards Council (SSC) addressing data security for mobile payments?  Well, they are working on it, but not fast enough. The smart phone application market is booming with some very clever and useful tools.  However, this open source development wave is also enabling the creation of mobile payment applications that may [...]]]></description>
			<content:encoded><![CDATA[<p>How is the PCI Security Standards Council (SSC) addressing data security for mobile payments?  Well, they are working on it, but not fast enough.</p>
<p>The smart phone application market is booming with some very clever and useful tools.  However, this open source development wave is also enabling the creation of mobile payment applications that may not be secure enough to protect sensitive data.  <span id="more-376"></span>Thus far, PCI compliance has been focused on purchasing environments that initiate at the merchant (whether that be card present or card not present).  Where card data is entered, the PCI DSS stipulates the security controls that should be in place, such as address verification (AVS), security codes (CVV2), PIN or SSL encryption.  The PCI DSS is a standard that puts the responsibility of data security on any organization involved with processing a payment transaction (i.e. merchant, bank, payment processor, etc.).  It has yet to provide guidelines for mobile payment technologies.</p>
<p>The PCI DSS Version 2.0, released in October, with an effective date of January 5, 2011, did not introduce any new requirements, but provided clarification to make it easier for merchants to understand and adopt the standards for use.  Surprising, considering how hot the mobile application market is.  The next PCI DSS update (which will be Version 3.0) is not scheduled until 2013.  You see, the PCI DSS lifecycle process is 24 months long and encompasses 5 stages, from market implementation to discussions about new versions.</p>
<p>It would make sense that mobile applications would fall under the Payment Application (PA)-DSS guidelines, which address secure payment applications.  However, the council has yet to approve any mobile payment applications as PCI compliant and will not do so until they have “completed a comprehensive examination of the mobile communications device and mobile payment application landscape.”</p>
<p>With mobile payment demand growing so fast, the PCI SSC was prompted to take at least one intermediate step to address the security issues surrounding mobile payments.  While they investigate updates to the PA-DSS, they have assigned a specific task force, which plans to offer guidance about how to protect secure data on NFC-enabled phones.</p>
<p>It’s no secret that there is still a push for NFC-enabled phones.  Google, which seems to be constantly taking the lead, announced that it has joined forces with MasterCard and Citigroup to deploy NFC, first into Google&#8217;s Nexus S phone.  They have also officially become a principal member in the NFC Forum, which is focused on advancing the use of NFC.  As a principal member, Google has voting rights for the technical, marketing, and compliance committees, thereby giving them some influence on forum decisions.</p>
<p>Skepticism is plentiful for NFC, since sensitive data would reside on the device.  NFC does not answer the mail for all mobile payment technologies, and it likely never will, but phone manufacturers are betting on its popularity in other countries to persuade adoption by smart phone users in the U.S.</p>
<p>As if there wasn’t enough confusion about how best to secure sensitive data, threats have now surfaced in mobile applications that have nothing to do with mobile payments.  Cyber criminals know that open source development is ripe for intrusion.  As much as Google is chasing mobile market domination, recently they had to remove over 50 applications from its official marketplace for containing a dangerous Android Trojan called DroidDream.  This malware, intent on accessing personal data stored on the phone, was only a sample of what was discovered by several security vendors in altered versions of legitimate applications.  Rich Cannings, head of Google’s Android security, said the company is putting new measures in place to help prevent malicious web sites from appearing in Google search results and prevent risky applications from being distributed in the Android marketplace.  The reason Android apps have become more popular than iPhone apps is also the reason for the security issues.  Apple has a much tighter control over the applications it offers.</p>
<p>Even if the PCI SSC is a little slow introducing new guidelines, and until the council decides on the best way to approve compliant mobile technologies and applications, companies would serve consumers best by using existing mobile payment technologies that are already approved and working successfully.  On the same page, consumers need to be extra diligent about protecting their card holder data by not storing secure data on mobile phones or entering card data into unsecure mobile sites.  Mobile payment technologies are slowly evolving, but that also means that consumer security is important to vendors and application developers who wish to earn the trust of cardholders.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2011/03/31/pci-compliance-and-mobile-payments/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Important is a Mobile Site for E-Commerce Merchants?</title>
		<link>http://www.tmspay.com/2011/02/28/how-important-is-a-mobile-site-for-e-commerce-merchants/</link>
		<comments>http://www.tmspay.com/2011/02/28/how-important-is-a-mobile-site-for-e-commerce-merchants/#comments</comments>
		<pubDate>Tue, 01 Mar 2011 02:07:24 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[MOTO/ecommerce]]></category>
		<category><![CDATA[ecommerce]]></category>
		<category><![CDATA[mobile ecommerce]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=368</guid>
		<description><![CDATA[Having an e-commerce site is no longer just about building an attractive and interactive web site.  If merchants want to reach mobile consumers, they need to include various options, which include mobile-optimization and mobile apps.  Mobile optimized sites are, in simple terms, a scaled down version of a web site, optimized for viewing on [...]]]></description>
			<content:encoded><![CDATA[<p>Having an e-commerce site is no longer just about building an attractive and interactive web site.  If merchants want to reach mobile consumers, they need to include various options, which include mobile-optimization and mobile apps.  Mobile optimized sites are, in simple terms, a scaled down version of a web site, optimized for viewing on a mobile phone.  Mobile apps are much more involved and require app-enabled smart phones.</p>
<p>In order to make sense of which option is best, merchants should take a step back and put on their consumer shoes. <span id="more-368"></span>According to news from <a href="https://www.abiresearch.com/press/3373-Shopping+by+Mobile+Will+Grow+to+%24119+Billion+in+2015" target="_blank">ABI Research</a>, mobile e-commerce will reach roughly $119 billion by 2015, representing about 8% of the total e-commerce market.  Merchants that don’t personally use app-enabled smart phones should go buy one.  The only way to understand what mobile consumers want from an e-commerce merchant is to see what they are seeing.  To serve consumers best, merchants should ask themselves questions such as:  What do I want to be able to see and how fast does the site load on my phone?  What do I want to be able to do on the site (search for products, update account information, etc.)?  What information (graphics) is not necessary when surfing a la mobile?  What design enhancements (Flash, etc.) are too cumbersome for mobile viewing?  On the same note, some information is key to include, like data security (if the merchant is processing credit cards in that version) and merchant contact information.  Additionally, merchants should always provide a link for mobile viewers who want to see the regular site.</p>
<p>At minimum, a mobile optimized site would be the first step, as it requires less customization and is available to more users.  Mobile apps require development for several platforms, keeping up with the changes in those platforms, as well as new ones that come about.  No matter what, some investment in the design will be required, with mobile apps obviously being more costly.  Large merchants like Amazon and Netflix, for example, offer mobile sites and mobile apps (maybe they can afford to do so, but more likely because these options serve their customers best and they want to stay current with what mobile users want).  What a merchant decides to offer comes down to considerations such as their business model (Is a mobile app in the budget for a small merchant?); what services/products they offer (Think CNN, best served with a mobile site, versus Netflix, where customers can manage their account using a mobile app); or if the merchant wants to push information to consumers or merely wants them to have mobile access to their site.</p>
<p>Either way, if a merchant provides the ability for customers to manage their accounts online, customers will be more likely to purchase products and services using their mobile phone if the process is streamlined and they don’t have to enter sensitive information (i.e., credit card data), thereby eliminating some security concerns.  However, even if consumers are not purchasing goods using their mobile phone, they are doing a lot of comparison shopping.  No matter what, the only way an e-commerce merchant can compete today is if they are in the mobile game.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2011/02/28/how-important-is-a-mobile-site-for-e-commerce-merchants/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Mobile Payments Revolution – An Interim Solution</title>
		<link>http://www.tmspay.com/2011/01/31/the-mobile-payments-revolution-%e2%80%93-an-interim-solution/</link>
		<comments>http://www.tmspay.com/2011/01/31/the-mobile-payments-revolution-%e2%80%93-an-interim-solution/#comments</comments>
		<pubDate>Tue, 01 Feb 2011 00:29:52 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Payment Innovations & Technologies]]></category>
		<category><![CDATA[2D barcodes]]></category>
		<category><![CDATA[mobile payments]]></category>
		<category><![CDATA[NFC]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=359</guid>
		<description><![CDATA[Last month’s blog discussed the concept of leaving your wallet at home and using your mobile phone to make payments and purchase items.  This seems to be a hot topic as more retailers gear their services for smart phone users. A few weeks ago, Starbucks officially announced their mobile application, Starbucks Card Mobile app, available [...]]]></description>
			<content:encoded><![CDATA[<p>Last month’s blog discussed the concept of leaving your wallet at home and using your mobile phone to make payments and purchase items.  This seems to be a hot topic as more retailers gear their services for smart phone users.</p>
<p>A few weeks ago, Starbucks officially announced their mobile application, Starbucks Card Mobile app, available on the iPhone, iPod touch and select Blackberry phones.  Not wanting to wait for Near Field Communication (NFC) to come to full use (NFC requires a lot more than two way communication between the mobile phone and the retailer), Starbucks decided to utilize existing technology, 2D barcodes, for their new app. <span id="more-359"></span></p>
<p><strong>NFC Versus Barcode Scanners</strong></p>
<p>Let’s step back a minute to the basics.  NFC employs “tap and go” technology, where the NFC-enabled phone just needs to be within a short range of the NFC reader.  An application needs to be open on the phone to enable the 2D barcode scanner.  NFC, unlike a barcode scanner, is a two-way communication system.  NFC technology also enables mobile users to download information, either from the NFC device or from ‘smart’ posters (i.e. train schedules, restaurant locations).</p>
<p><strong>The Starbucks Example</strong></p>
<p>Back to the 2D barcode solution.  How the Starbucks app works is pretty simple.  Before making a purchase, the user sets up an account (linked to a gift card number) at Starbucks.com and funds it (using a major credit card or PayPal).  Assuming the user already has the app on the phone, he adds the card information to the mobile app.  At Starbucks, the user brings up the card account, enters a security PIN (optional), and allows the scanner to read the barcode.  The purchase is communicated to the user’s account and then the mobile phone syncs (which can be in set intervals &#8211; once a day, etc.) to the user’s account.  The app also allows users to view their account information and reload the card with a major credit card.  One neat thing about this type of set up is that more than one user can use the same card account.  Instead of having three different cards, each person can use the same account, using the app on their mobile phones &#8211; or one person can use the physical card if need be.</p>
<p>Using the Starbucks example, it sounds like an easy transition for retailers to process purchases using the 2D barcode scanners.  Since everyone walks around with their cell phones practically glued to their hands, consumers are less likely to leave their cell phones at home than their wallets.  Most people are also trying to minimize the number of cards they carry and check out faster, so waving a cell phone at a reader makes perfect sense.   Why is it that more retailers haven’t employed this type of mobile payment technology?  Apps, such as CardStar, which can store reward card data on mobile phones, are already out there.  Unfortunately, a lot of retail scanners are still old school CCD readers and not 2D scanners.  Ah…yet another hardware upgrade for merchants to stay current.</p>
<p>If retailers did go this route on their own, these types of transactions would be in a closed loop environment like Starbucks.  (Closed loop cards are accepted only by that retailer, i.e. Starbucks.  Open loop cards, i.e., major brand credit and debit cards like Visa, can be used at any retailer accepting that type of payment.)  With most closed loop cards, the user needs to have an account with that retailer and ensure that there are funds available on the account.   Therein lies the conundrum of too much work for the consumer and the complexity of having too many accounts along with the retailer having to purchase new hardware.</p>
<p>So you think that it would almost make sense for the credit card companies to employ the same type of technology in the meantime.  Most banks already have mobile apps (account access, transfer money, pay bills, etc.).  Why can’t credit card banks (i.e. Bank of America, USAA, Discover, Amex) build mobile apps that would simply require a PIN to process a transaction using a mobile phone?  Well, it’s not as easy as that.  There are many players involved in a credit card transaction, with everyone getting a piece of the revenue pie.  Plus, credit card transactions are an open loop system.  Besides having the NFC-enabled handsets available, enabling mobile payments in an open loop environment still has a lot of kinks to work out.  Until that is settled, mobile users will have to settle for other contactless solutions.</p>
<p><strong>How Will NFC Payment Ability Become More Available to U.S. Consumers?</strong></p>
<p>While NFC has been available since 2004, it is widely used only outside the U.S. in countries like Japan and Korea.  In most cases today, NFC is still tied to a separate closed loop account that has to be fed using other funds.  NFC payments have been successfully tested in a variety of areas, most notably in transit systems in London, Germany, San Francisco, Dallas, Atlanta, New York and Philadelphia.  A recent NFC Forum <a href="http://www.nfc-forum.org/resources/white_papers/NFC_in_Public_Transport.pdf">white paper</a> reports that Frankfurt currently uses NFC technology with the Handy Ticket service for their RMV public transport system.  Users who have NFC enabled phones can purchase tickets and download transit schedules.  The users are then billed at the end of the month for any tickets purchased.  (One caveat for the merchant – they have to wait for revenue; but then again, it comes in a lump sum.)</p>
<p>Like a cat and mouse game, the systems aren’t quite in place yet in the U.S. because the technology (i.e., NFC capable phones) has not been readily available.  Contactless, open-loop, payment options, using Visa payWave and MasterCard PayPass are out there, but these cards use RFID chips.</p>
<p>Even though Google has implemented NFC into its new Android phones, the Nexus S and next generation Android OS, and Apple has plans to include it on the new iPads and iPhones, NFC-based mobile payments rely upon the convergence and agreements between all parties involved, including phone manufacturers, wireless carriers, merchants and banks.  According to Bob Egan of The Sepharim Group, &#8220;NFC in handsets is meaningless without the rest of it, including agreements between parties, infrastructure, processing procedures for data, security and reconciliation of accounts.&#8221;</p>
<p>Retailers are fully aware of the benefits of mobile apps, so adapting to accepting NFC payments may not be that big of a hurdle.  However, many are likely holding out for NFC phones to be more commonplace before investing in new technology (i.e., NFC readers, designing “smart” posters).  Not to mention that U.S. consumers are a bit reluctant to have credit card data stored in their cell phones.  Banks, likewise, are concerned about the data security of their customers.  One thing that is clear &#8211; mobile users will be more confident using a bank-issued mobile application anyway.  So, we wait.</p>
<p>As far as the Starbucks app goes, it is not yet available at the drive thru window or non-company owned stores (e.g., in grocery stores and bookstores).   For Android users, a third party app, the Starbucks Card Widget, is available until Starbucks releases the Android version.  While Starbucks is at it, maybe they can also add the ability to sync the menu to the phone (even if it is pushed from the online site) and provide a way to place an order using the mobile phone.  Soon, there would almost be no need for us to speak anymore.  Our mobile phones will do all the talking.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2011/01/31/the-mobile-payments-revolution-%e2%80%93-an-interim-solution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Can You Start Leaving Your Credit Cards At Home?</title>
		<link>http://www.tmspay.com/2010/12/31/can-you-start-leaving-your-credit-cards-at-home/</link>
		<comments>http://www.tmspay.com/2010/12/31/can-you-start-leaving-your-credit-cards-at-home/#comments</comments>
		<pubDate>Sat, 01 Jan 2011 00:25:48 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Payment Innovations & Technologies]]></category>
		<category><![CDATA[contactless technology]]></category>
		<category><![CDATA[mobile payments]]></category>
		<category><![CDATA[NFC]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=351</guid>
		<description><![CDATA[As smartphones and open source mobile applications gain popularity and usage, consumers are relying more on their mobile phones to shop.  The market is flooded with applications giving consumers the ability to compare prices and make purchases, either at physical retailers or online, while on the go.  In March, Portio Research estimated that mobile payment [...]]]></description>
			<content:encoded><![CDATA[<p>As smartphones and open source mobile applications gain popularity and usage, consumers are relying more on their mobile phones to shop.  The market is flooded with applications giving consumers the ability to compare prices and make purchases, either at physical retailers or online, while on the go.  In March, Portio Research estimated that mobile payment transactions will reach over $633 billion by 2014.  According to ScanBuy, barcode scanning was up 200 percent in 2010.  <span id="more-351"></span></p>
<p>The innovation of contactless payments has brought several options forward, most notably including RFID and NFC technology.  RFID cards (i.e., contactless smartcards) came to light with MasterCard’s PayPass and Exxon/Mobil’s SpeedPass.  Concerns with these cards include data security, including card loss/theft.  Thieves have adapted (as they always do) and use RFID readers to steal card data, needing only to be close by (near you at the mall court or coffee shop) to snatch your info.  One suggestion offered is to wrap your RFID card with aluminum foil to prevent RFID theft.  Another is to use an RFID-blocking wallet or shield.  As a result, some consumers have abandoned the RFID cards altogether in favor of the old fashioned magnetic stripe cards.</p>
<p>NFC technology, targeted for mobile phone usage, is slowly coming about.  While RFID can only transmit data, NFC can also receive data.  This key feature makes it possible to require a password or PIN to enable the payment, thereby adding a level of security important to consumers.  NFC can be used a few different ways, but the current plan by mobile phone manufacturers and wireless carriers is to have NFC embedded within the mobile device.</p>
<p>NFC phones are not entirely new, but the technology is finally gaining some ground as popularity grows.   Not surprisingly, the U.S. is behind, as this technology already exists in other countries.  However, NFC-enabled phones are still in limited use.  Samsung, Nokia and a few other manufacturers have NFC phones available outside the U.S.   Some carriers are taking the initiative and not waiting for phone manufacturers.  Softbank, a Japanese wireless carrier, introduced an NFC sticker for the iPhone 4 that communicates with the FeliCa payment system.  There are concerns about how effective the sticker will be if the phone is within a case (protection used by a good portion of smart phone owners).  Maybe the iPhone 5 will be NFC-enabled.</p>
<p>Google, who seems to be taking leaps over Apple, introduced a new Android touch screen phone, the Samsung Nexus S, which was released on Dec 16 in the U.S.  It features an NFC chip and “tap and pay” ability and is available locked or unlocked (obviously more expensive) with T-Mobile.  The company has also launched Google Places, providing retailers with window decals that are NFC enabled so consumers can find them.  The one hurdle for retailers is the need for NFC readers, which are fortunately now being combined with magnetic stripe readers.</p>
<p>The trend that keeps growing involves credit card companies getting pushed out of the loop, as mobile carriers and shopping sites introduce new payment technology and enable alternate payment options.  PayPal continues to grow at 300% annually, and Isis, a joint venture between AT&amp;T, Verizon and T-Mobile to enable NFC mobile payments, was announced in November.  In my August blog, I discussed the joint venture (known as Project Mercury at the time) and their partnership with Discover and Barclay’s to process the payments.  Unfortunately, they do not plan on having anything available until mid-2012.</p>
<p>No matter what the new payment vehicle, it will come when it is ready.  The storage of payment data, whether on a device or online, will always prompt some security concerns.  Wireless phone manufacturers and carriers have been careful about releasing new capabilities, trying to couple innovation with data encryption so as to prevent theft but enable payment evolution.  Before we know it, all computers will come with NFC technology and you will be able to use your mobile phone to shop instead of entering your credit card data online.  However, I wouldn’t leave your wallet at home just yet.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2010/12/31/can-you-start-leaving-your-credit-cards-at-home/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Secret Rules For Successful E–Commerce</title>
		<link>http://www.tmspay.com/2010/11/26/secret-rules-for-successful-e%e2%80%93commerce/</link>
		<comments>http://www.tmspay.com/2010/11/26/secret-rules-for-successful-e%e2%80%93commerce/#comments</comments>
		<pubDate>Fri, 26 Nov 2010 18:02:56 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[MOTO/ecommerce]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=339</guid>
		<description><![CDATA[Okay, so these may not be all that ‘secret’, but it seems as if sometimes they are.  Some online merchants are so focused on the business side of their business, such as adding new products and services, integrating security policies for data protection, modifying their web site or sending out email promotions, they don’t realize [...]]]></description>
			<content:encoded><![CDATA[<p>Okay, so these may not be all that ‘secret’, but it seems as if sometimes they are.  Some online merchants are so focused on the business side of their business, such as adding new products and services, integrating security policies for data protection, modifying their web site or sending out email promotions, they don’t realize that if it weren’t for customers buying their products or services, they wouldn’t have a business at all. <span id="more-339"></span>With online shopping becoming more of the norm these days, and holiday shopping in full swing, e-commerce merchants need to dial it back a bit to the basics – it really is all about the customer!  As with brick and mortar merchants, if a merchant doesn’t have a presentable store, hardly anyone would visit.  Gone are the days of “build it and they will come”.  If customers like what they see, get the service they enjoy and have a safe, pleasurable and easy shopping experience, they will come back &#8211; or at the very least, recommend the business, products and/or services to friends.</p>
<p>Here are some simple practices that, although they may sound like no-brainers, many merchants forget to employ, and that could make or break the success of their business.</p>
<p><strong>A Recognizable Billing Descriptor: </strong>This is the company name that appears on cardholder credit card or debit card (i.e. checking account) statements.  Most, if not all, merchant applications ask for the legal business name as well as the DBA (Doing Business As) name, i.e., ABC Kitchen Products.  For card not present transactions (mail/telephone order and ecommerce), the company name and customer service phone number must appear in the descriptor field.  In most cases there is a 25 character limit, not including the phone number.  By default, processors will use the DBA name for the descriptor field.  However, if a processor has the ability, this field can be customized.  If need be, merchants should choose a name for the descriptor field that customers can easily recognize.  E-commerce merchants should use their website address, if possible (i.e., ABCKitchenProducts.com 18771234567).  If the cardholder does not recognize the transaction or business name in the descriptor, a merchant risks having a cardholder initiate a chargeback, which creates an unnecessary hassle for the merchant, not to mention a delay in payment or the sale being reversed.</p>
<p><strong>Communicating Security Policies: </strong>With data privacy being a top concern, any web site that does not provide a secure checkout procedure is asking for trouble – or shouldn’t have a merchant account at all.  It goes without saying (but yet we still need to mention it) that merchants need to show that they are employing data security policies to protect consumer data.  Explain what data is collected from consumers and for what reason.  An online merchant conscientious about data privacy should clearly post their data security policies.  For example, this can include information about adhering to PCI DSS compliance, SSL certificates (Verisign, GeoTrust, SSL.com, etc.), what shoppers should look for (i.e. site seals) to show the site is secure, and the importance of consumer data privacy to the merchant.  A responsible merchant who genuinely wants to gain and maintain consumer trust will also give consumers an option to “opt out” of receiving emails (promotional, from third parties, etc.) and refrain from collecting or sharing data with third parties, even if for the purpose of marketing research.</p>
<p><strong>Convenient Ordering Process: </strong>Don’t add a bunch of unnecessary scripts to collect user data (browsing history, IP address, etc.).  Browsers such as Firefox now support script blockers, which, although comforting for the user, can cause issues with ordering procedures.  Additionally, providing a shipping process that includes tracking details is always appreciated by shoppers.  Even if you choose the least expensive route (i.e. USPS), tracking options are available.  Customers love knowing where their order is and when it will arrive.  On that note, automatically sending emails that provide these tracking details or updates for any delays in shipment is far more convenient than having to manually access the information.</p>
<p><strong>Cancellation, Return, Exchange Process: </strong>Who pays for shipping?  How many days does a customer have to return an item for a refund?  If it’s too late for a refund, does the customer receive store credit for a return?   Is there a mechanism in place for order cancellations?  This information should be clearly posted and explained.</p>
<p><strong>Smart Marketing: </strong>Employ marketing tactics that aim to keep customers, not make them go elsewhere.  For instance, deducting value from gift cards is just plain mean.  New FTC rules for gift cards went into effect in August.  While the <a href="http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt010.shtm">FTC ruled</a> that gift cards can’t expire for five years, it does allow merchants to charge inactivity fees if the card has not been used for a year, provided all this information is clearly displayed on the card.  If a merchant chooses to charge fees, how about asking for an email address and reminding the purchaser about expiration or impending inactivity fees?</p>
<p>Sales promotions like “Buy something today and get 50% off next week” don’t always work in the way intended.  While this is meant to entice a quick future purchase, consumers feel duped and would rather have a coupon that has a longer expiration period.  With today’s economy, it’s tough enough to bring in initial sales, let alone repeat sales in that period of time.</p>
<p>Asking customers for their email addresses will only be effective if the information is not abused.  Mention that the email address is not sold, shared, or used for behavioral marketing practices, in which browsing behavior is collected to target the advertisements which are displayed to an individual.   Until the FTC puts “do not track” rules to enforce online consumer privacy into place, industry self regulation will have to suffice to protect consumer data.  On the flip side, adding email addresses to a customer database for email promotions is fine, but merchants should be wary of flooding customers with daily emails.  Once a week &#8211; or a few times a month &#8211; is better.   Daily email promotions (we all get these, so we know how annoying it is) will make them hit the delete key even faster – and are more likely to get your &lt;from&gt; address or web site URL added to an automatic junk filter.</p>
<p><strong>Contact Information: </strong>Even if you are a small e-commerce outfit, you need to have basic contact information &#8211; a phone number (preferably toll-free) and at least an email – clearly listed on your web site.  Better yet, 24/7 access to a live agent is attractive to night owls.  If not, infomercials wouldn’t still be around today.</p>
<p><strong>Customer Service:</strong> Whether brick and mortar, over the telephone, by mail or online, merchants need to make customer service a top priority.  A merchant can have awesome products and/or services, have a kick-butt web site, do tons of cool marketing, send out attractive email promotions, and offer free shipping, but if it doesn’t provide a secure shopping environment, a convenient and hassle-free shopping experience or excellent customer service for any inquiries, returns, exchanges or issues with an order, it might as well kiss customers goodbye.</p>
<p>Lastly, to keep up with, or stay ahead of, the pack, always be open to offering new payment options for your customers.  Accepting major card brands (V, MC, Amex, Discover, JCB) is the least you should offer.  There are a lot of companies and technologies forging forward in this arena, as merchants want lower cost payment alternatives and, for the ones with a bigger picture in mind, more options to fuel global growth.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2010/11/26/secret-rules-for-successful-e%e2%80%93commerce/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Taking Action Against Data Breaches</title>
		<link>http://www.tmspay.com/2010/10/04/ftc-taking-action-against-data-breaches/</link>
		<comments>http://www.tmspay.com/2010/10/04/ftc-taking-action-against-data-breaches/#comments</comments>
		<pubDate>Mon, 04 Oct 2010 16:45:14 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[data security]]></category>
		<category><![CDATA[fraud]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=327</guid>
<description><![CDATA[Of all the consumer protection laws coming into play, finally some legislation is being proposed for data security breaches.  When a data breach occurs, you see it in the news mostly for &#60;positive&#62; public relations reasons.  Companies issue press releases about data breaches to protect themselves and to stay in the good graces of [...]]]></description>
<content:encoded><![CDATA[<p>Of all the consumer protection laws coming into play, finally some legislation is being proposed for data security breaches.  When a data breach occurs, you see it in the news mostly for &lt;positive&gt; public relations reasons.  Companies issue press releases about data breaches to protect themselves and to stay in the good graces of their present and future customers.  If they didn’t reveal such information, it would eventually be discovered and the company would be faulted for not reporting it.  There are consequences either way, but the Federal Trade Commission (FTC) sees legislation as a way to force companies to be more proactive. <span id="more-327"></span></p>
<p>Measures to protect consumers today involve both regulation and legislation.  There is a big difference between the two.  Right now, regulations exist regarding data security and breaches, but those regulations come from entities such as the card companies, industry associations, and councils (i.e., PCI Data Security Council &#8211; PCI DSC).  While some states have passed data breach notification laws, current federal legislation regarding data security only affects financial institutions, consumer reporting agencies, and data security procedures.</p>
<p>As the U.S. consumer protection agency, the FTC enforces several laws and rules regarding data security, but none so far have targeted data breach notification.  According to the FTC’s testimony, the following legislation exists:</p>
<ul>
<li>The Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act (“GLB Act”) provides data security requirements for financial institutions.</li>
<li>The Fair Credit Reporting Act (“FCRA”) requires consumer reporting agencies to use reasonable procedures to ensure that the entities to which they disclose sensitive consumer information have a permissible purpose for receiving that information, and imposes safe disposal obligations on entities that maintain consumer report information.</li>
<li>The Commission also enforces the FTC Act’s proscription against unfair or deceptive acts or practices in cases where a business makes false or misleading claims about its data security procedures, or where its failure to employ reasonable security measures causes or is likely to cause substantial consumer injury.</li>
</ul>
<p>In line with other new consumer protection laws being instituted, data security legislation has been proposed requiring companies to adhere to certain data security policies.  The bill, also known as the Data Security and Breach Notification Act of 2010, <a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-3742" target="_blank">S.3742</a>, was introduced in August by Senators Mark Pryor (D-AR) and Jay Rockefeller (D-WV).  (Rockefeller, chairman of the committee on Commerce, Science, and Transportation, was behind the post transaction marketing investigation, which was discussed in a previous <a href="../../../../../2009/11/29/post-transaction-marketing-is-it-worth-the-risk-for-e-commerce-merchants/" target="_blank">blog</a> last year.)  Last month, the FTC testified to a Senate Subcommittee on Consumer Protection, Product Safety, and Insurance that it supports the proposed legislation.  The subcommittee also heard <a href="http://www.ftc.gov/os/testimony/100922datasecuritytestimony.pdf" target="_blank">testimony</a> from Symantec CTO Mark Bregman and Maneesha Mithal, Associate Director of the Division of Privacy and Identity Protection at the FTC, who outlined three items the FTC would like to see included in the legislation:</p>
<ul>
<li>The provision that requires companies to notify consumers in the event of a data breach should not be limited to electronic information</li>
<li>The proposed requirements should be extended to telephone companies</li>
<li>The bill should grant the FTC rulemaking authority to determine the circumstances under which providing free credit reports and monitoring may be required</li>
</ul>
<p>Companies that handle consumer data are advised against storing sensitive data by a multitude of associations, agencies, and councils, such as the PCI DSC.  Violations of data security regulations usually result in financial penalties or fines from those entities, with not much automatic legal recourse.  However, since 2001, the FTC has been able to use its authority to bring 29 cases against companies that failed to protect consumer data.</p>
<p>Having business experience in the card and electronic payment industry makes those of us in it more aware of data security practices on a daily basis in the places where we do business.  The FTC and consumer advocacy groups are doing a great job of providing consumers with information on various ways to protect their information.  It’s unfortunate that consumers are becoming more informed and businesses are learning lessons as a result of incidents, such as major fraud cases or class action lawsuits, instead of being more proactive about data security.  The FTC is trying to change that.</p>
<p>No matter what legislation or regulations are put into place, even if they are enforced, consumers still need to be vigilant about their own personal data security.  The new laws are being put into place because companies handling sensitive consumer data are not holding up their end of the bargain.</p>
<p><span style="text-decoration: underline;">Other References</span></p>
<p><a href="http://www.ftc.gov/bcp/index.shtml" target="_blank">FTC Bureau of Consumer Protection</a></p>
<p><a href="http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx" target="_blank">State Security Breach Notification Laws</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2010/10/04/ftc-taking-action-against-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Contactless Payments May See Light in the U.S.</title>
		<link>http://www.tmspay.com/2010/08/31/mobile-contactless-payments-may-see-light-in-the-u-s/</link>
		<comments>http://www.tmspay.com/2010/08/31/mobile-contactless-payments-may-see-light-in-the-u-s/#comments</comments>
		<pubDate>Wed, 01 Sep 2010 00:02:22 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Payment Innovations & Technologies]]></category>
		<category><![CDATA[bank card associations]]></category>
		<category><![CDATA[contactless technology]]></category>
		<category><![CDATA[mobile payments]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=320</guid>
		<description><![CDATA[As I discussed earlier this year in my book, Beyond Plastic, using your cell phone to make contactless payments may finally become a reality in the U.S.  AT&#38;T and Verizon are indeed encroaching into the electronic payment space, possibly creating a real threat to Visa and MasterCard.   According to Bloomberg, the two wireless carriers have [...]]]></description>
			<content:encoded><![CDATA[<p>As I discussed earlier this year in my book, <a href="http://www.amazon.com/Beyond-Plastic-Trends-Payment-Industry/dp/1449072437" target="_blank">Beyond Plastic</a>, using your cell phone to make contactless payments may finally become a reality in the U.S.  AT&amp;T and Verizon are indeed encroaching into the electronic payment space, possibly creating a real threat to Visa and MasterCard.   <span id="more-320"></span>According to Bloomberg, the two wireless carriers have created a new venture with Deutsche Telekom AG, a unit of T-Mobile.  The partnership is working with Discover and Barclay&#8217;s to test their mobile contactless payment system in four U.S. cities.  All payments would be processed through Discover&#8217;s network, which is currently fourth in the card market behind Visa, MasterCard, and American Express.</p>
<p>In 2008, Juniper Research forecast that mobile payments would reach $600 billion globally by 2013.  Mobile contactless payments have been in place in other countries (Korea, Japan, Spain) for some time and the demand in the U.S. has been increasing, especially with the growth of the smartphone market.  Discover has been trying to increase their market share using reward programs and partnerships, so what better way than to jump on the mobile payment wave?  Joining the leading wireless carrier and cell phone provider partnership is a smart move.</p>
<p><strong>About the Technology</strong></p>
<p>Contactless payments have actually been around for a while.  Introduced with Mobil (Exxon)’s Speedpass in 1997, the technology has only recently evolved and become more popular for several reasons.  Consumers want faster ways to conduct face-to-face transactions.  People are constantly on the move and standing in any line to make a purchase is considered an inconvenience.  There have been recent advances in Near Field Communication (NFC) technology, a more secure payment method for mobile devices.  (Basic RFID was used in the previous contactless cards and devices.)  Merchants are trying to find ways to circumvent interchange and association fees from Visa and MasterCard.  (Merchants persuaded Congress recently to approve a cap on interchange fees.  An antitrust lawsuit filed in 2005 is still pending.)</p>
<p>To enable mobile payments, the mobile phone is equipped with a smartcard which contains payment card data.  Merchants would need to have a compatible payment card reader and, to help prevent fraud, a PIN would be required to complete a transaction.  For merchants already accepting contactless payments, most existing readers are supposedly compatible with NFC devices.</p>
<p><strong>The Faster, Faster Checkout</strong></p>
<p>Some retailers have already instituted Visa&#8217;s No Signature Required program and MasterCard&#8217;s Quick Payment Service, both of which do not require signatures for swiped credit card purchases ranging up to $50 at certain merchant categories.  Skeptics claim that this business practice can increase fraud, since a cardholder signature is used as proof of purchase at a brick and mortar merchant and most fraudulent transactions start out in small amounts.  Gas stations have long employed this practice, but usually require a billing zip code for fraud prevention.  In this case, a PIN is not enough protection for one group of consumer advocates.  Each country has its own set of government regulations with regards to mobile payments and consumer protection.  Nothing currently exists in the U.S.  Recently, Consumers Union, the nonprofit publisher of Consumer Reports, has requested that regulators “use their current statutory authority to ensure that existing consumer protections are applied to all new payment methods.”  They are also asking that companies providing the payment systems provide consumer rights in their contracts for “zero liability” to the cardholder.  With the current government administration’s involvement in financial matters, a lot more work may need to be done before this becomes reality.</p>
<p><strong>Sharing Revenue</strong></p>
<p>One challenge with this new payment channel involves basic business.  Right now, the major card networks, issuing banks, and payment processors earn the bulk of the revenue from card transactions.  Contactless payments using mobile phones introduce new players &#8211; wireless carriers, phone manufacturers, and application providers.  Why wouldn’t the players enabling the mobile payments want some of the transaction revenue?</p>
<p><strong>The Privacy Issue</strong></p>
<p>Retailers and consumers both like the idea of mobile payments when it comes to faster checkouts.  However, they may differ on the amount of information shared.  Retailers would love to gather more information about their customers, and the wireless transfer of CRM data is the easiest way to do that.  Consumers, however, may not want to share anything else about themselves.  Mobile payment applications could limit the amount of data stored, or allow the customer to control what data they want to share, such as loyalty card information and purchase history.</p>
<p>With fraud being a common concern amongst consumers, it still may be a while before mobile payments using NFC really take off.  Sure, there will be the early adopters and people who are tapped to do trials (Discover used employees last year to trial its mobile contactless sticker where Discover Zip payments were accepted).  Adoption requires that all the pieces be in place – consumers with Discover accounts who are also using mobile phones equipped with the NFC payment technology, and merchants who have the equipment and capability to accept contactless payments from Discover.</p>
<p>Per Bloomberg, trials for the project, named Mercury, might possibly take place in Austin, Minneapolis, Salt Lake City, and Atlanta, starting in mid-2011.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2010/08/31/mobile-contactless-payments-may-see-light-in-the-u-s/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Merchants: Are Your Vendors PCI Compliant?</title>
		<link>http://www.tmspay.com/2010/07/12/merchants-are-your-vendors-pci-compliant/</link>
		<comments>http://www.tmspay.com/2010/07/12/merchants-are-your-vendors-pci-compliant/#comments</comments>
		<pubDate>Mon, 12 Jul 2010 16:57:15 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Payment Industry]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[PA-DSS]]></category>
		<category><![CDATA[PCI compliance]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=310</guid>
		<description><![CDATA[Visa, who has always been the strictest association regarding PCI compliance, data security, and cardholder protection, has set the pace again.  Merchants who accept multiple card types are required to follow the strictest card operating guidelines, which usually come from Visa.  They issued series of mandates requiring its acquirers to ensure that their U.S. merchants, [...]]]></description>
<content:encoded><![CDATA[<p>Visa, which has always been the strictest association regarding PCI compliance, data security, and cardholder protection, has set the pace again.  Merchants who accept multiple card types are required to follow the strictest card operating guidelines, which usually come from Visa.  Visa issued a series of mandates requiring its acquirers to ensure that their U.S. merchants, VNPs, and agents use only PA-DSS compliant payment applications and that PIN pads connected to Visa’s network use triple DES (triple data encryption standard technology).  The final mandate in this series went into effect on July 1. <span id="more-310"></span></p>
<p><strong>A Little History</strong></p>
<p>In 2005, Visa established the Payment Application Best Practices (PAPB), “to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI Data Security Standard (PCI DSS)”.  In 2008, the PCI Security Standards Council (PCI SSC) adopted Visa’s PAPB and released it as the Payment Application Data Security Standard (PA-DSS).  The PA-DSS applies to vendors who develop payment applications, and its goal is to ensure that the applications are PCI compliant and do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data.  The standard requires vendor software applications to be validated for compliance on an annual basis.</p>
<p>On January 1, 2008, Visa implemented a series of mandates that require its acquirers to ensure that their merchants and agents only use third-party payment software that is compliant with the PA-DSS.  The intent of the mandates, in line with Visa’s Cardholder Information Security Program (CISP), is to eliminate “vulnerable payment applications from the Visa payment system”.  Failure to do so could result in financial penalties for acquirers.  Since the mandates were established over two years ago, and there have been four prior checkpoints, acquirers have had plenty of time to get their merchants geared up for this final mandate and the July 1 deadline.</p>
<p>Visa’s global merchants have until July 1, 2012.  MasterCard has also set a July 1, 2012, global deadline for PA-DSS compliance for its merchants, under its Site Data Protection (SDP) program.  According to the SDP update issued in June, MasterCard will also establish new PA-DSS compliance validation requirements for Level 1, 2, and 3 merchants and Level 1 and 2 service providers.</p>
<p>However, Visa is not completely rigid on the July 1 date.  According to an article in ISO &amp; Agent Weekly, Visa intends to work with merchants who do not meet the July 1 deadline.  The exception to this assistance will be merchants who are purposely avoiding compliance.  (Visa welcomes information regarding merchants who are not in compliance.)</p>
<p><strong>What Merchants Need To Do</strong></p>
<p>Merchants need to be proactive from the outset.  To avoid non-compliance, and the data security risks that come with it, they should not wait to hear news of new policies from their processors.  They need to stay ahead of the pack by checking the PCI SSC site, as well as staying abreast of any pertinent news from the card companies.  Most importantly, they should always ensure they are using vendors who are PCI compliant.  How can they do that?  For starters, and for the purpose of Visa’s security mandates, they should only use vendors who are on the PCI SSC list of validated payment applications, which have been assessed for compliance with the PA-DSS.  Merchants should also only use vendors who use Payment Application Qualified Security Assessors (PA-QSAs), who are certified by the PCI SSC.  Even if a vendor states that its payment application is PA-DSS qualified or has been evaluated by a PA-QSA, merchants should check the PCI SSC site to confirm its validation.  Vendors are on the list for one year, and only for the software version that has been evaluated.  If a vendor has released a new version, a merchant should only consider using the compliant version and never use a beta version.  Beta versions are never PA-DSS validated.</p>
<p>If a merchant discovers that its vendor is non-compliant with the PA-DSS, it should either switch to a compliant vendor (which may not be as easy as it sounds) or assist the vendor in gaining compliance.  That is not to say that the merchant should assist financially, but it can offer guidance where possible.  By working together, they can build a stronger relationship, resulting in secure data protection for their customers and cardholders.</p>
<p>So, what happens if a merchant uses a non-compliant vendor?  Aside from the risk of compromising cardholder data, if a breach occurs, the merchant can be fined by the card associations and/or forced to undergo a forensic audit, which is not free.  Merchants are having a tough enough time in this economy and should not jeopardize their business further by using non-compliant third-party payment processing vendors, nor risk adding costs that can otherwise be avoided.</p>
<p><strong>References:</strong></p>
<p>Information regarding PCI SSC Validated Payment Applications and Payment Application Qualified Security Assessors (PA-QSAs) can be found at <a href="http://www.pcisecuritystandards.org/">http://www.pcisecuritystandards.org</a></p>
<p>Visa CISP &#8211; <a href="http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html">http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html</a></p>
<p>MasterCard SDP &#8211; <a href="http://www.mastercard.com/us/merchant/pdf/SDP_Program_Revisions.pdf">http://www.mastercard.com/us/merchant/pdf/SDP_Program_Revisions.pdf</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2010/07/12/merchants-are-your-vendors-pci-compliant/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

