The FTC has recently called for reforms to the Federal Telemarketing Sales Rule (TSR) and as a result has issued a Notice of Proposed Rule Making (NPRM). The proposed amendments would prohibit the use of certain novel payment methods by telemarketers and extend the ban on recovery services. If the amendments are approved, remotely created checks, remotely created money orders, cash-to-cash money transfers and cash reload mechanisms would be permanently banned.
After the FTC filed several lawsuits against payment processors for the deceptive practice of accepting payments via remotely created checks or payment orders, those processors were forbidden from ever processing such payments, but other payment processors were free to continue the same deceptive practice. As a result, the FTC issued an NPRM that, if enacted, would expand the FTC’s rulemaking authority over deceptive practices by telemarketers and prohibit these novel payment methods.
The FTC holds that payment processors are liable for ensuring the consumer is not subjected to fraud and for monitoring merchants who commit fraud against consumers. If the TSR is amended, the FTC would expect all payment processors to comply with the new changes. The new amendment would apply only to telemarketing merchants. Other, non-telemarketing merchants can continue to use these payment methods, for legitimate purposes only.
Using your cell phone as a primary method to make contactless payments may finally become a reality in the U.S. AT&T and Verizon are indeed encroaching into the electronic payment space, possibly creating a real threat to Visa and MasterCard. According to Bloomberg, the two wireless carriers have created a new venture with Deutsche Telekom AG, a unit of T-Mobile. The partnership is working with Discover and Barclay’s to test their mobile contactless payment system in four U.S. cities. All payments would be processed through Discover’s network, which is currently fourth in the card market behind Visa, MasterCard, and American Express.
In 2008, Juniper Research forecasted that mobile payments would reach $600 billion globally by 2013. Mobile contactless payments have been in place in other countries (Korea, Japan, Spain) for some time and the demand in the U.S. has been increasing, especially with the growth of the smartphone market. Discover has been trying to increase their market share using reward programs and partnerships, so what better way than to jump on the mobile payment wave? Joining the leading wireless carrier and cell phone provider partnership is a smart move.
About the Technology
Contactless payments have actually been around for a while. Introduced with Mobil (Exxon)’s Speedpass in 1997, the technology has only recently evolved and become more popular, for several reasons. Consumers want faster ways to conduct face-to-face transactions. People are constantly on the move, and standing in any line to make a purchase is considered an inconvenience. There have been recent advances in Near Field Communication (NFC) technology, a more secure payment method for mobile devices. (Basic RFID was used in the previous contactless cards and devices.) Merchants are trying to find ways to circumvent interchange and association fees from Visa and MasterCard. (Merchants recently persuaded Congress to approve a cap on interchange fees. An antitrust lawsuit filed in 2005 is still pending.)
To enable mobile payments, the mobile phone is equipped with a smartcard which contains payment card data. Merchants would need to have a compatible payment card reader and, to help prevent fraud, a PIN would be required to complete a transaction. For merchants already accepting contactless payments, most existing readers are supposedly compatible with NFC devices.
The Faster, Faster Checkout
Some retailers have already instituted Visa’s No Signature Required program and MasterCard’s Quick Payment Service, both of which do not require signatures for swiped credit card purchases ranging up to $50 at certain merchant categories. Skeptics claim that this business practice can increase fraud, since a cardholder signature is used as proof of purchase at a brick and mortar merchant and most fraudulent transactions start out in small amounts. Gas stations have long employed this practice, but usually require a billing zip code for fraud prevention. In this case, a PIN is not enough protection for one group of consumer advocates. Each country has its own set of government regulations with regards to mobile payments and consumer protection. Nothing currently exists in the U.S. Recently, Consumers Union, the nonprofit publisher of Consumer Reports, has requested that regulators “use their current statutory authority to ensure that existing consumer protections are applied to all new payment methods.” They are also asking that companies providing the payment systems provide consumer rights in their contracts for “zero liability” to the cardholder. With the current government administration’s involvement in financial matters, a lot more work may need to be done before this becomes reality.
One challenge with this new payment channel involves basic business. Right now, the major card networks, issuing banks, and payment processors earn the bulk of the revenue from card transactions. Contactless payments using mobile phones introduce new players – wireless carriers, phone manufacturers, and application providers. Why wouldn’t the players enabling the mobile payments want some of the transaction revenue?
The Privacy Issue
Retailers and consumers both like the idea of mobile payments when it comes to faster checkouts. However, they may differ on the amount of information shared. Retailers would love to gather more information about their customers, and the wireless transfer of CRM data is the easiest way to do that. Consumers, however, may not want to share anything else about themselves. Mobile payment applications could limit the amount of data stored, or allow the customer to control what data they want to share, such as loyalty card information and purchase history.
With fraud being a common concern amongst consumers, it still may be a while before mobile payments using NFC really take off. Sure, there will be the early adopters and people who are tapped to do trials (Discover used employees last year to trial its mobile contactless sticker where Discover Zip payments were accepted). Adoption requires all the pieces be in place – consumers with Discover accounts who are also using mobile phones equipped with the NFC payment technology and merchants who have the equipment and capability to accept contactless payments from Discover.
Visa, which has always been the strictest association regarding PCI compliance, data security, and cardholder protection, has set the pace again. Merchants who accept multiple card types are required to follow the strictest card operating guidelines, which usually come from Visa. Visa issued a series of mandates requiring its acquirers to ensure that their U.S. merchants, VNPs, and agents use only PA-DSS compliant payment applications and that PIN pads connected to Visa’s network use triple DES (Triple Data Encryption Standard). The final mandate in this series went into effect on July 1.
A Little History
In 2005, Visa established the Payment Application Best Practices (PABP), “to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI Data Security Standard (PCI DSS)”. In 2008, the PCI Security Standards Council (PCI SSC) adopted Visa’s PABP and released it as the Payment Application Data Security Standard (PA-DSS). The PA-DSS applies to vendors who develop payment applications, and its goal is to ensure that the applications are PCI compliant and do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data. The standard requires vendor software applications to be validated for compliance on an annual basis.
On January 1, 2008, Visa implemented a series of mandates that requires its acquirers to ensure that their merchants and agents use only third-party payment software that is compliant with the PA-DSS. The mandates, in line with Visa’s Cardholder Information Security Program (CISP), are intended to eliminate “vulnerable payment applications from the Visa payment system”. Failure to do so could result in financial penalties for acquirers. Since the mandates were established over two years ago, and there have been four prior checkpoints, acquirers have had plenty of time to get their merchants geared up for this final mandate and the July 1 deadline.
Visa’s global merchants have until July 1, 2012. MasterCard has also set a July 1, 2012, global deadline for PA-DSS compliance for its merchants, under its Site Data Protection (SDP) program. According to its SDP update issued in June, MasterCard will also establish new PA-DSS compliance validation requirements for Level 1, 2, and 3 merchants and Level 1 and 2 Service Providers.
However, Visa is not completely rigid on the July 1 date. According to an article in ISO & Agent Weekly, Visa intends to work with merchants who do not meet the July 1 deadline. The exception to this assistance will be for merchants who are purposely avoiding compliance. (Visa welcomes information regarding merchants who are not in compliance.)
What Merchants Need To Do
Merchants need to be proactive out of the gate. To avoid non-compliance, and the data security risks that come with it, they should not wait to hear news of new policies from their processors. They need to stay ahead of the pack by checking the PCI SSC site, as well as staying abreast of any pertinent news from the card companies. Most importantly, they should always ensure they are using vendors who are PCI compliant. How can they do that? For starters, and for the purpose of Visa’s security mandates, they should only use vendors who are on the PCI SSC list of validated payment applications, which have been assessed for compliance with the PA-DSS. Merchants should also only use vendors who use Payment Application Qualified Security Assessors (PA-QSAs), who are certified by the PCI SSC. Even if a vendor states that its payment application is PA-DSS qualified or has been evaluated by a PA-QSA, merchants should check the PCI SSC site for its validation. Vendors are on the list for one year, and only for the specific software version that was evaluated. If a vendor has released a new version, a merchant should only consider using the validated version and never use a beta version. Beta versions are never validated under the PA-DSS.
If a merchant discovers that its vendor is non-compliant with the PA-DSS, it should either switch to a compliant vendor (which may not be as easy as it sounds) or assist the vendor in gaining compliance. That’s not to say that the merchant should assist them financially, but guide them if it can. By working together, they can build a stronger relationship, resulting in secure data protection for their customers and cardholders.
So, what happens if a merchant uses a non-compliant vendor? Aside from the risk of compromising cardholder data, if a breach occurs, the merchant can be fined by the card associations and/or forced to undergo a forensic audit, which is not free. Merchants are having a tough enough time in this economy and should not jeopardize their business further by using non-compliant third-party payment processing vendors, nor risk adding costs that can otherwise be avoided.
Information regarding PCI SSC Validated Payment Applications and Payment Application Qualified Security Assessors (PA-QSAs) can be found at http://www.pcisecuritystandards.org
Visa CISP – http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html
MasterCard SDP – http://www.mastercard.com/us/merchant/pdf/SDP_Program_Revisions.pdf
Social networking meets the credit card industry – in a new way this time. Although, I’m sure a recent new venture would have preferred a more favorable type of news release.
Blippy, a new social networking site which allows users to share their credit card purchases, unintentionally exposed the financial information of some of its members.
How It Works
The site operates like Twitter, where members can follow other members. Members register one of their credit cards with the site, and any time a purchase is made with that card, the information is streamed, like a tweet or Facebook post, on the member’s page.
A member gives Blippy access to a card account (i.e. provides Blippy with access to the online bank account). Blippy then obtains the transaction data, or raw data, from the card purchase and cleans it up for the web post. For instance, “Starbucks USA 00075424 04/25 CARD #
Members can also add accounts that Blippy has signed on (e.g., iTunes and Zappos), which can include more details of the card purchase. With some accounts, a member can choose to show full product details:
Michael purchased 1 app from iTunes (and then a graphic of the app, i.e., the iTunes song, is displayed below the stream)
Or just the amount spent:
Michael spent $3.75 at Starbucks
Members are using Blippy to find hot deals, compare costs (e.g. cable, utilities, cell phone), share restaurant experiences or post their own movie reviews. Like Facebook, members and followers can comment on a post or hide posts from certain people. (Maybe you don’t want a friend to know that you spent $80 golfing when you cancelled a previously scheduled lunch meeting during the same time.) Some see the revelation of spending habits as a conscience for shoppers. Others see it as sharing too much information. Certain purchases and excessive spending can be potentially damaging to someone’s reputation. For consumers who want to share everything and have nothing to hide, this is perfect for them.
Like any social networking site, retailers and manufacturers could use the posted information to get feedback on products, shopping experiences and consumer behavior in general. On the flip side, it could create more competition. If full details of a purchase are posted, a competitor could lower prices to steal future business.
Privacy Concern and Security Risks
Information sharing and web collaboration were made possible by Web 2.0 technologies. Users who share information online are slowly becoming aware of the risks of this new technology. Companies who promote the sharing of information online need to ramp up security and take responsibility to help protect their users.
The exposure of members’ credit card data on Blippy was discovered during the site’s beta phase, when some raw data could be viewed in the HTML source of a Blippy member’s page. Experienced (and certainly determined) web users could see the raw data, which Blippy claims was mainly harmless (i.e. store numbers, etc.). After that issue was discovered, the glitch was fixed quickly.
According to Blippy cofounder Philip Kaplan, there was a “’technical oversight’ in February which resulted in raw transactional data showing up within the HTML code on some Blippy pages for half a day.” Because of the indexing power of Google, the HTML data, which included full card numbers of four Blippy members, turned up in close to 200 search results. Even though Blippy’s site went through several modifications since then, the Google snapshots of these pages were not updated. Blippy worked with Google immediately to remove the indexed pages.
Blippy then discovered another member’s card number in a web search on Saturday, which turned up in 20,000 pages. The company again worked with Google to remove the data. In both cases, Blippy also contacted – and apologized to – the members affected.
Blippy – and its members – were quite lucky. The damage could have been a lot worse had the site been at a more viral stage, à la Facebook or Twitter.
Who is in Control?
Social networking has given people the power to open up that privacy door – all on their own. At the same time, secure data is at risk when financial information is released into the air.
Amazon was leery of Blippy in the beginning, as it blocked buyers from publishing their purchases. Blippy went around the roadblock by requesting access to the Gmail accounts of members who used Gmail, in order to obtain the purchase data that Amazon emailed to them. Other retailers have joined Blippy with less concern, seeing it more as a promotional tool.
Even though a cardholder would not be responsible for fraudulent charges, it doesn’t help our economy if retailers are left holding debt as a result of credit card fraud. As discussed in a previous two-part blog, when data is compromised, fingers are usually pointed at the merchant receiving the card information. However, all parties involved are responsible for ensuring data security. Above all, merchants need to be extra careful about business relationships which may affect the data protection of their customers. Unfortunately – for banks and retailers – if a cardholder volunteers access to his or her account, and card information is jeopardized, the cardholder is still protected.
While Blippy thought they were on top of security on their site, the recent data exposure has changed their course. In their April 26 blog, they outlined a new security plan which includes hiring a chief security officer and conducting regular security audits to protect members.
On the positive side for Blippy – the company has certainly gained more exposure since the data security issue hit the news. Oh, and Blippy will soon have company in this playing field as Swipely is soon to go live.
If your merchant account is set up to accept only credit cards (i.e. you are an online merchant or you do not have the ability to accept PIN-based transactions), then the answer is simple – you can only accept credit card transactions at this time. If you accept POS (Point of Sale, or in-person) transactions, you can offer your customers the option – that is, if your processing system is set up to accept PIN-based transactions. So, if you have that option – of offering debit or credit – what’s the difference, you ask? Merchants have different motivators for their choice, as do cardholders. Each method goes through a different transaction processing network, so different cost structures exist for merchants and issuing banks. The benefits and risks of each method also vary for all parties involved.
First, the only cards that provide this debit or credit option are debit cards with a credit card company logo – also called check cards or electronic checks. Online (not to be confused with ecommerce) debit transactions require PIN authentication (like an ATM transaction) and are processed through debit networks (e.g., NYCE, CIRRUS). Offline debit transactions require a signature and are processed through card association networks (e.g. Visa or MasterCard). All transactions from a debit card are tied to the cardholder’s bank account.
The Bank Side
Card issuing banks earn most of the revenue when their cardholders use their cards, whether they are debit or credit. Some banks entice customers to use their check card by offering incentives, such as rewards and cash back. Most rewards programs require the consumer to use the credit/signature option, which enables the bank to collect interchange fees from the merchant, helping to offset the cost of the rewards. Acquiring banks also earn revenue when either the credit or debit option is used.
Overall, card issuing banks prefer PIN-based debit transactions, hands down. Even though they pay debit transaction fees, banks save money by not paying fees to the card associations.
The Consumer Side
Consumers like using debit cards mostly to avoid writing paper checks. Many brick and mortar retailers no longer accept checks and banks are following suit. Banks in the U.K. decided to phase out their check clearing process by 2018, citing cost savings.
As stated above, consumers can be enticed with rewards. With Bank of America’s ‘Keep the Change’ program, check card purchases (using the PIN or credit option) are rounded up to the next dollar and the difference is transferred into the account holder’s savings account. The bank then matches the transfer amounts up to $250 a year.
Using funds that already exist (i.e. in a checking account) for purchases instead of buying on credit also helps keep the cardholder out of future debt. The cash back option is free with debit purchases and the funds are also deducted immediately from the cardholder’s account – instead of a few days later for credit card purchases. For cardholders who monitor their bank accounts closely, this option is best for them. However, banks do charge fees for insufficient funds on debit transactions.
From a fraud perspective, PIN-based transactions are the most secure. However, cardholders are not protected from fraudulent debit transactions as they are with credit card transactions. If a thief uses a cardholder’s debit card and cleans out their bank account, the cardholder will likely not be able to recover those funds (aside from legal action). If a cardholder uses Verified by Visa, an optional service requiring a personal password, the cardholder is protected under the Fair Credit Billing Act when making purchases online.
By choosing the credit option, as with normal credit cards, cardholders also have the right to do a chargeback if there are issues with a return, fulfillment or satisfaction with a purchased product or service.
The Merchant Side
Merchants prefer PIN-based debit transactions for a few reasons. Debit network fees are lower, there is an instant guarantee of funds and funds settle faster into the merchant’s bank account.
Merchants, particularly ecommerce merchants, like offline debit transactions since they are able to tap into consumers who receive prepaid debit cards or payroll cards, or who are unable to obtain credit cards. For those consumers, card-branded debit cards are the only option for electronic payments. Settlement takes a little longer with offline debit transactions, but usually only by a few days.
While consumers can often make larger purchases with credit, there is always the chance that the customer will do a chargeback. Unfortunately for merchants, chargebacks are allowed with offline debit cards, since transactions are processed through the credit card networks and cardholders are therefore protected under the Fair Credit Billing Act.
The Card Associations and Merchant Processors Side
Offline debit card transactions are processed through the card networks, so the card associations, like Visa and MasterCard, prefer this option – for obvious reasons. Merchant processors earn revenue from either option, but there could be more revenue for them with offline debit transactions (depending on the pricing structure). For this reason, some processors fail to offer the PIN-based option to merchants. Sometimes this is due to an inexperienced salesperson, or to the processor not fully understanding the merchant’s processing abilities. At other times, the merchant processor simply does not offer the option, hoping the merchant will be none the wiser.
What merchants do have is the choice to offer PIN-based transactions (again, if their processing system is enabled to accept PIN-based debit) and thereby incur lower processing fees. Some merchant processors don’t offer this option, so merchants may need to ask. PIN-based debit transaction fees are typically lower than those for credit card transactions, but PIN pad equipment is required. Hopefully, some form of PIN-based option will soon be available for ecommerce as well.
In the end however, if the option is there, it is still up to the consumer to choose. Even if a POS system defaults to debit or credit, a merchant cannot dictate which option the consumer is to use.
This blog refers to debit and credit transactions in the U.S. at this time. Fees and acceptance rules vary in other countries.