Trends & Tactics: Feeling Insecure? It’s No Wonder

If a recently released annual survey is any indication, small merchants remain unconvinced they are vulnerable to data breaches, pay far too little attention to security, and regard PCI simply as a cost item.

“We still see drastic deficiencies in the number of merchants who think they’re at risk,” says Jenn Reichenbacher, senior director of corporate marketing at Merchant Warehouse, a Boston-based merchant processor that co-sponsored the research with ControlScan Inc., an Atlanta-based security-technology vendor.

Meanwhile, it turns out that plenty of organizations that sustain data compromises aren’t reporting them, according to a survey of corporate security officers released last month by ThreatTrack Security Inc., a Clearwater, Fla.-based vendor of cybersecurity services.

Small-merchant vulnerability to card-data breaches is a rising concern because hackers target these businesses on the theory that they are less likely to have protected their data. Some 95% of all credit card data breaches, in fact, involve customers of small businesses, according to Visa Inc. data cited by Merchant Warehouse.

Yet 71% of small merchants see themselves as at little or no risk of a compromise, according to the latest ControlScan/Merchant Warehouse survey. That’s down from 79% last year and 82% in 2011, but still much too high, say Reichenbacher and Heather Foster, vice president of marketing at ControlScan.

“They just don’t think they’re big enough to be targeted,” says Foster. Given the reality that criminals target small merchants, the percentages should be “inverted,” says Reichenbacher, with 71% seeing themselves at risk.

The risk is especially poignant for those businesses that leave themselves unprotected and sustain a data breach. Just 5% of respondents said they had suffered a breach, but of these victims, half said the impact had been either “medium” or “high,” with “high” meaning the compromise had nearly forced them out of business.

Yet most small merchants spend pitifully little time or money on PCI compliance. Fifty-six percent of respondents said they had spent $500 or less on compliance in the previous 12 months, with 17% reporting they had spent nothing. Almost half—48%—reported spending eight hours or less on PCI in that time. The most common compliance tactic is “completing paperwork,” rather than buying new technology, doing system scanning, or upgrading terminals or Web carts.

The good news is that some 70% of small merchants have completed an annual validation of their compliance with the Payment Card Industry data-security standard, up dramatically from 50% a year ago. Sixty-nine percent say they are now somewhat or very familiar with PCI, a big jump from 54% in last year’s survey.

Of the survey respondents, 43% were physical merchants, 20% were e-commerce sellers, and 37% fell into the mail-order/telephone-order or “other” category. Some 82% had been in business for more than five years. This fifth annual survey was fielded in September and drew 615 responses.

Meanwhile, the actual number of data breaches taking place in the United States may be much higher than generally understood. In the ThreatTrack canvass of some 200 so-called malware analysts working for large and small enterprises, fully 57% said they have dealt with a breach that their companies never reported to customers or other parties.

Sixty-six percent of security officers with organizations of more than 500 employees report that they have investigated a breach that was never disclosed, according to the ThreatTrack survey. Among those with organizations with fewer than 50 employees, the incidence drops to 18%.

Some observers are more shocked by the candor than by the non-disclosure. “The results actually don’t surprise me, what surprises me is that people admitted to the under-reporting as part of a survey,” says Julie Conroy, a senior analyst at Boston-based Aite Group LLC who follows security issues, in an email message.

Forty-six states have enacted legislation requiring some kind of data-breach notification, so why such rampant silence about breaches? In short, it’s fear of regulatory backlash, according to Dipto Chakravarty, executive vice president of engineering and products at ThreatTrack.

“Companies are often concerned about what fines they will face, in the event they disclose a breach,” he says in an email message. “These expenses can often be a deterrent to full disclosure.”

Data compromises plague all industries, but are especially troubling for the payments business because of the sensitivity of the records held by banks, processors, and merchants, including card numbers, expiration dates, Social Security numbers, and the like.

Overall, there were 621 confirmed data breaches involving 44.8 million records in 2012, according to the “2013 Data Breach Investigations Report” from Verizon Communications Inc.

—John Stewart

A Candy-Coated  Pep Pill for NFC

Google Inc.’s stunning move last month to decouple NFC payments from a phone-based secure element may help Google Wallet, but it could also present opportunities for independent sales organizations. Much depends on how the mobile carriers, which have held tight control over the secure element, react to Google’s ploy.

What’s at stake is a market based on payments using mobile devices equipped with near-field communication technology. The market hasn’t been moving very fast. Until recently, most smart-phone models didn’t have the required NFC chip. And even now, after years of banks flogging contactless cards, relatively few merchants have the necessary readers hooked up to their point of sale.

But with KitKat, the latest update to its Android mobile operating system, Google may have just breathed new life into NFC.

The country’s major mobile networks have pushed NFC based on the SIM card as the secure element, the chip that locks down consumers’ sensitive card credentials. Generally, the secure element is regarded as safer, and since the carriers control the SIM card they have an opportunity to charge fees to issuers to load payment credentials.

Google’s latest move, which depends on a technology called host card emulation, severs that link between NFC and the secure element.

Up to now, NFC has relied on a configuration called card emulation, so called because it makes the mobile device appear to the point-of-sale reader as if it were a contactless card. In this configuration, commands from the reader are routed to the secure element via the NFC chipset, bypassing the operating system.

With the new host card emulation, the NFC chipset still receives data from the POS reader but routes them instead to an NFC service manager, which is part of the Android OS. This lets any application on the phone act on the instructions. Payment credentials, meanwhile, reside on a remote server.

What excites mobile-payments enthusiasts is that host card emulation could liberate NFC from dependence not only on the mobile carriers but also so-called trusted service managers, companies that provision the secure element with payment credentials.

It could also revive the fortunes of Google Wallet, an NFC-based product that has struggled in part because of Google’s reluctance to pay the tolls the carriers demand for access to a phone-based secure element. Three of the country’s biggest carriers—AT&T Mobility, T-Mobile USA, and Verizon Wireless—offer a competing wallet called Isis that relies on the SIM card as the secure element.

Tech-oriented ISOs also see a big opportunity. “It’s a brilliant move by Google,” says Henry Helgeson, chief executive of Boston-based Merchant Warehouse, a merchant processor that has invested heavily in a platform called Genius to enable mobile forms of payment and rewards processing for merchants. “I’ve always been bullish on NFC. We’ve been pushing out NFC in all our Genius deployments.”

Getting more ISOs behind NFC will be critical to getting more NFC readers installed in stores, especially small ones. “That’s where all the friction is right now,” Helgeson notes. “If Google can just demonstrate [NFC’s] value, merchants may start to adopt it.”

Most observers agree the mobile networks’ options are limited. The SIM card aside, other pieces of the NFC puzzle are largely outside of their direct control. While the carriers enjoy considerable sway with smart-phone manufacturers, “it would be very difficult for carriers to lock down the NFC radio,” notes Rick Oglesby, a senior analyst at Aite Group LLC, a Boston-based research firm, referring to the dedicated chipset in the phone.

Another option could be to induce phone makers to branch off from Android and create a derivative OS that would disable host card emulation, a process known as “forking.”

Cherian Abraham, mobile commerce and payments lead at Experian Global Consulting, calls this a “shortsighted” strategy that would likely come back to haunt the carriers if it invited attention from regulators. Also, forking Android is “not easy, and the upsides are unclear,” Abraham says in an email message.

Yet another tactic might be to try to enshrine the secure element in the Payment Card Industry data-security standards, making a bypass hard to justify. “The only thing [carriers] can do is point to the secure element and say it should be mandated,” says Helgeson.

AT&T Mobility and Verizon Wireless, the two largest U.S. mobile networks, did not respond to requests for comment.

A more enlightened reaction, says Abraham, would be for the carriers to embrace host card emulation. “Roll with it. Adapt,” he says. “Come up with new business models where they are a meaningful partner providing substantial value, not a gatekeeper controlling [NFC].”

Still, as Abraham and other experts point out, host card emulation has downsides. The card networks have not yet certified the cloud-based configuration for managing card credentials. And the configuration can be slow, making it hard for NFC to penetrate key markets like mass transit.

—John Stewart

NACHA Targets Sloppy And Risky Originators

Automated clearing house network governing body NACHA hopes to reduce the volume of returned transactions and spur banks to crack down on originators of incorrect or risky ACH payments with two proposed rules. One would set new fines that the network could assess against banks that generate high volumes of returns.

Janet O. Estep, president and chief executive of Herndon, Va.-based NACHA, says the association “is taking a holistic approach” to reducing costly returns through the proposals. NACHA is targeting returned transactions that originate from mistakes, so-called administrative returns.

But it’s also aiming at returns that result from consumers disputing ACH transactions involving high-risk merchants and businesses such as debt collectors, payday lenders, credit-repair services, sweepstakes operators, travel clubs, and telemarketers.

“We think they are complementary approaches to maintaining ACH quality by focusing on exceptions,” Estep says. “We do think as a result that everyone participating in the network will be better off.”

NACHA is taking comments on the rules until Jan. 13.

The first rule would strengthen NACHA’s existing risk-management and enforcement provisions. One provision would reduce the existing return rate threshold for unauthorized ACH debits from the current 1.0% to 0.5%.

The rule also would establish a return rate threshold for so-called account data-quality returns, or administrative returns, at 3.0%, and an overall debit return-rate threshold of 15%—big enough to accommodate a range of return rates, which vary by merchant type. Return rates above the thresholds could expose transaction originators in the outlier ranges to penalties.

The proposal further would clarify permissible and impermissible practices for collection of ACH debits that are returned for insufficient funds, and apply various risk-management rules to third-party senders.

The second rule would establish what NACHA calls “economic incentives”—fines—for originating depository financial institutions (ODFIs) to improve the quality of the ACH transactions they originate on behalf of companies.

These sums would be passed on to receiving depository financial institutions (RDFIs) to partially compensate them for their costs to correct or return a transaction sent to them for payment.

NACHA is asking for comments on its suggested fines, which include a range of 10 cents to 40 cents for account-data-related returns; 25 cents to 75 cents for a “Notification of Change” return in which the RDFI corrects the transaction information and sends it back to the ODFI, and $1.50 to $2.50 for an unauthorized entry.

The clampdown is not NACHA’s first on bad transactions. In November 2007, the association announced membership approval of an amendment to raise fines for unauthorized transactions and cut off ACH access for companies that originate too many such payments. NACHA also restricted the practice of aggregating transactions that may occur over several days or across multiple merchants into bundles for processing.

The proposed rules are the result of an effort NACHA began last year to improve transaction quality, according to Estep. While debit returns for all reasons are only 1.51% of transaction volume and administrative returns are just 0.18%, NACHA says that after years of improvements, return rates have stabilized.

And even though the administrative return rate is stable, the number of returns is increasing as overall ACH transaction volumes increase. NACHA projects there will be nearly 31 million administrative returns this year, up from 30 million in 2012 and 22 million in 2005.

RDFIs bear most of the costs of returned transactions. NACHA says the weighted average cost for handling administrative errors is 26 cents per transaction. But each bank’s costs can vary widely based on volume—as low as less than a penny for a very large bank to a high of $63.20 per exception item for a small bank in a NACHA study group.

Unauthorized exceptions are considerably more expensive, with a weighted average of $4.99 but with individual banks’ per-transaction costs ranging from $2.30 to $509.09.

NACHA estimates the proposed fines could generate $17.1 million to $43.3 million annually. They still wouldn’t cover all of RDFIs’ return-related costs, which the association estimates at $47.2 million annually. That estimate doesn’t include non-ACH operations costs such as customer service.

—Jim Daly