Okay, so what exactly does that mean?  Well, traditionally, merchants only had the option of accepting electronic payments online in the form of bank drafts, and debit and credit cards from the major card brands – Visa, MasterCard, American Express, Diners Club and JCB.  That is until payment product innovators discovered that merchants were losing potential business from consumers who did not have bank accounts or credit cards.  Most importantly, in the ecommerce space, some consumers are simply wary of using cards and bank account information for online transactions because of the fraud risk.  Most of this concern stems from consumers’ lack of trust in web site security.  Additionally, with card companies cutting cardholder credit limits, alternative payment methods are the only option.

Merchants:  Think Outside the Credit Card Box

Merchants not offering alternative payment options online are limited to accepting cash, money orders or checks from those customers.  Checks require clearing and cash can only be paid in person.  Those options can delay revenue (or limit or restrict revenue in the case of a check not clearing) for the merchant. Merchants offering payment alternatives reach a wider consumer base and satisfy more customers as a result.

Merchants operating ecommerce portals should consider two avenues when researching and implementing alternative payment options:

• Offering a variety of payment methods, such as PayPal^™, Bill Me Later^®, Google^™ Checkout and RevolutionCard (a physical card and new payment network)
• Enabling the acceptance of foreign currency

PayPal^™ has a large consumer base of roughly 150 million users.  Bill Me Later^® was acquired by eBay (PayPal’s parent) last year.  RevolutionCard^™, the first PIN-based credit card, is not embossed, so no personal data is stored on it.  There are smaller players in the market as well, but they have yet to take as much hold as these industry leaders.

Click and Buy, a payment system based in London, offers 126 different currencies and 46 different payment methods to their merchants.  According to an alternative payment study conducted by YouGov for Click and Buy, more than 50% of regular online shoppers will cancel a potential purchase if their preferred payment method is not available.  Although U.S. online retailers are not pressured as much for foreign currency acceptance (major brands are accepted internationally, but cardholders are charged foreign exchange fees), it would certainly enable a merchant to grow globally.

Ecommerce merchants are becoming favorable to alternative payment offerings, simply to reduce their expenses in relation to interchange fees, which have risen 25 to 90 percent (depending on card type and a merchant’s business operations) over the last 20 years.  PayPal doesn’t pass along interchange fees and Revolution Money’s RevolutionCard saves merchants money by charging no interchange fees and lower processing fees per transaction than major card brands.  Merchants are turning these savings into loyalty and cash-back programs for their customers.

Looking Forward:  The Future is a Bright Alternative

Innovation in alternative payment products has been primarily outside the banking world.  Research consulting firm Celent estimates that by 2012, banks will see a decline of $1.2 billion in interchange revenue due to increasing acceptance of online alternative payments. Banking institutions are adopting alternative payment options of their own – for their customers as well as merchants.  Secure Vault Payments, a new payment solution, is now offered by NACHA, the electronics payment association that oversees the Automated Clearing House (ACH) network, (the electronic network for financial institution transactions in the U.S.)  Labeled NACHA SVP, it is an up and coming contender in the alternative payment space.  It is helping banks to retain customers and expand their merchant offerings.  Still in its infancy, it has become popular in the education industry.  The University of Georgia launched SVP in April as a new tuition payment option.  Other educational institutions are following suit.

Celent also estimated that by 2013, online payments will climb to $268 billion and 30% of those payments will come from alternative payment sources.  This increased market acceptance will certainly move alternative payments into the mainstream.

Here are some tips to help prevent identity theft:

1. In Part I of this series, I discussed the importance of generating secure and strong passwords. Make sure your corporate files are safe and all passwords are required to be at least 8 characters long. Make sure they have a random mixture of characters and numbers.
2. One way to ensure your computer is secured is to drop it in a vat of concrete and build a 10-foot tall statue over it. But of course this would make your computer very difficult to use. Keeping your computer safe is much easier than that. First, make sure only authorized people have access to your network. Use a secure network router between your computer and network connections so hackers will have a tougher time finding the computer.
3. Make sure you are keeping your website, software and operating systems updated with the latest patches. You may want to consider purchasing hard drive data encryptors.
4. You should know who has access to your mail (personal and company’s). Access to bank statements, social security numbers, insurance statements, utility bills, and any other mail that may contain financial information. It is also important to protect your trash by always asking yourself the question “Is there any personal information written on this document?” Make sure to shred all important documents, as well as seemingly innocent items like credit card offers and sky miles statements.
5. Order free credit reports to monitor your score and activity every year.

There are ways to fight back if your site has been compromised or your identity has been stolen. You may find local police unable to assist because of the complexity of these types of crimes, as well as their lengthy investigations. But if you persist, you can get a report filed. Make sure to keep adequate records of all occurrences, police filings, and contacts.

Part one of this series talked about identity thieves wanting your password, and we discussed ways to protect against having your passwords compromised. Securing your password seems to be only 25 percent of the battle these days. Many network security breaches, like the Heartland Breach, occurred from within. So it is important to be PCI Compliant internally and know who is working for you.

I wish there were a specific set of characteristics I could post to detect an identity thief, but unfortunately they are as broad as the criminal population itself.  I like to divide attacks by criminals into two categories: internal attacks and external attacks.

Internal attacks are usually traced back to disgruntled, dishonest, and/or careless employees. Some common characteristics of an internal attack are:

1. Computer and data theft:  An employee stealing a PC, laptop, memory stick, or external hard drive.
2. Desk snooping: Look out for employees snooping around a co-workers’ desk for reminders and notes. Sometimes they might even ask a coworker to look something up to see if they should happen to keep a sticky note under a tissue box with their password.
3. The roaming employee: This employee typically wanders around looking over cubicle walls and observing keys that other employees type.

External attacks are usually done by a person that has no direct access to the company or its website. These types of thieves are crafty. They come in many different forms and are always coming up with new ways to get into a website. Some examples of theft to look out for are:

1. Bogus websites: I have only recently learned about how these actually work. These website ape legitimate sites. The design is so similar it can often fool the website owner himself. Consumers enter in their personal information and the thief captures it for their own use.
2. Forceful attacks: The techies call this a brute force attack. This is where a computer is set up to methodically try every combination of letters, numbers, and symbols to break a password.
3. Web page hijackers: These savvy criminals load malicious code on to your computer. The code is designed to redirect your typed web address to another site. This also can cause you to be redirected to one offensive site after another.

Protecting your network and website against identity theft can be costly, but there are many cost effective ways to secure your network. Privacy protection laws must inform customers that their private information has been compromised. This notification alone can cost around $20 per customer. Better to be safe and secure now, than pay the price later.

It is important to first understand what different types of identity theft occur, and then you can find out how to get protection.

The easiest item for a criminal or hacker to obtain is your password. Some common mistakes made when setting up passwords is using names of kids, birthdates, or hometowns. Spelling your child’s name backwards is another frequent mistake. I have even seen people write their passwords on a sticky note, in a notebook or in your PDA. Do not give office assistants your passwords. Remember passwords are used in more than 90 percent of all online network security practices. People use passwords for online banking, shopping, stock trading, and network logons. It is imperative to create a strong password. 

A password alone may not secure your online purchases. Many are turning to smart card security and Power LogOn. Power LogOn combined with Smart Card technology provides the ability to securely store your passwords in a smart card chip, like an electronic safe. This can help prevent a criminal from getting your passwords and personal information. A smart card is a plastic card with an embedded chip that can offer advanced security features to prevent unauthorized access to retrieve and modify stored data.

Power LogOn provides many security benefits such as:

• Passwords can be created by using 20 out of 96 available keyboard characters.
• PIN protected smartcard technology locks the data after three wrong authorization attempts.
• The software works with your PC or network logon, password protected data files, windows-based applications and web accounts.

Password security, without convenient implementation, is not free to the company or website that lacks it. Resetting passwords can take 20 to 50 percent of IT support’s time and costs approximately $70 per incident. This is time and money that could be more wisely used to increase other aspects of a company’s network security.

Although many large retail chains such as Regal Cinemas and McDonalds have the technology available, the process has been put under a great deal of scrutiny because it is said to be more susceptible to identity theft and other types of fraudulent activity. The devices are easily hacked using a wireless frequency. Regardless of the security risks, all the major credit card companies were ready to get their piece of the action. In July of 2005, AMEX launched ExpressPay, which was quickly ditched because of a lack of response by consumers. The Discover Network released its Zip technology, Visa Inc released payWave, and MasterCard has PayPass.

MasterCard Mobile recently released its Secure Set-up for MasterCard PayPass on mobile phones. They call this the Over-the-Air Provisioning Service, and it is the first program to enable issuers to perform over-the-air personalization of their cardholders’ mobile devices. Mobile MasterCard PayPass enables mobile devices to perform payment transactions at merchant locations with PayPass enabled point-of-sales terminals. In order for account holders to use their mobile phones to make purchases, their mobile phone must be equipped with Near Field Communications (NFC) and a mobile data subscription. First, the PayPass application is downloaded onto the consumer’s mobile phone. The application is available through their issuing banks website. Then, the PayPass application is personalized with the consumer’s individual account details.

With the wide range of savvy hackers out there, it may still be hard for consumers to feel safe about the contactless payment technology – whether it be on a mobile phone or on a credit card. As for merchants, my advice is hold of off on buying your contactless equipment just yet.

In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council announced several adjustments to the wireless network security requirements:

• Wireless must be implemented using strong encryption for authentication and transmission. The Council cites IEEE 802.11i as an appropriate example.
• Merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks as of March 31^st, 2009.
• Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.

Converting to WPA should be a fairly easy process. Most technical websites show that all wireless equipment manufactured since late 2003 comes standard with WPA (Wireless Application Protocol), which is an open standard for application layer network communications in a wireless environment. It is mainly used to enable mobile phones.

Many retailers will have to replace their existing obsolete hardware, and the upgrade may force retailers to spend a lot of money on new systems. PCI DSS also states that “Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11i) using strong encryption for authentication and transmission.”

Most large retailers have IT professionals correctly put in place authentication methods. There are also additional requirements for companies that run on enterprise networks. It is important to get more than one opinion when trying to get compliant because some options are definitely more costly than others.  PCI DSS is still new and has many different rules and regulations.  You don’t want to put your company at risk and have to pay fines later.

Previously, I have talked about Google’s Android platform working with Visa on a service that sends you an alert if any payments have been made on your Visa card. This is great in helping to protect against fraud, and will also help in locating ATMs, but I don’t consider this to be a new technology.

In 2007, Visa partnered with Qualcomm, a wireless chip developer, to create technologies that allow consumers to make credit card transactions with a cell phone and a reading device. This would add another way for wireless carriers to make additional revenue by being paid a percentage of the transaction.

Now in 2008, in Brazil, Visa announced the availability of remote payments by Banco do Brasil. The service allows Visa cardholders to pay with their mobile device and confirm the transaction via text message. In Korea, T-Money provider Korea Smart Card Company, card issuer Shinhan bank, and Korea Telecom Freetel have partnered to make it possible for commuters to add funds to their T-Money balance automatically on their cell phones. T-Money is a rechargeable card used to pay for the Korean transit system.

Here in the United States, Visa is in a pilot program with Chase Bank to provide personalized offers sent to cell phones via SMS text giving discounts and special deals from online merchants. I wonder if standard text rates apply to this. I am not a big fan of this program but I can see how it can enhance advertising for businesses.

Visa is also working on providing NFC (Near Field Communication) with several large banks across the United States. NFC is a short range high frequency wireless communication technology that enables the exchange of data between devices. This technology is most frequently used for mobile phones.  This technology is also in its pilot stages in France with “Payez Mobile” and in Spain using “payWave”.

Is this mobile technology going to cause an increase of stolen cell phones and future security issues? Is cell phone payment technology going to be the way of the future?

Technology in the payment card industry has grown tremendously in just the last 5 years. Merchants are able to accept payment using any java enabled cell phone, and can even turn their laptop into a credit card terminal. But the best is yet to come.

• Google recently announced the Android smartphone, and Visa is planning to develop e-payment applications for the device. This technology will allow merchants to receive notifications of account activity to their mobile device, locate ATMs that accept Visa, and Google maps to quickly locate a wide arrange of merchants to redeem visa rewards.  Soon, you will be able to make purchases at retail locations using your mobile smart phone.
• Visa also plans to release a money transfer pilot program by the end of 2008, which will allow Visa cardholders to use their mobile phones and PDAs to send funds directly to another visa card holder. I guess you better make sure you are not dialing the wrong number.
• MasterCard is introducing Chip and PIN.  Instead of swiping a card with the magnetic strip on the back, you will insert a card that has a computer chip embedded on the front. Instead of signing to verify a payment, you will enter a PIN.
• PayPass is MasterCard’s “contactless” payment technology. A tap of your card is all it takes to pay at the checkout; however your purchase must be under the pre-specified floor limit.

I am still a big fan of Biometrics. I believe that we will be able to pay for items using our finger print or a retinal scan. Although there have been recent failures by some companies to create the technology, my opinion is it’s the future of payment processing.