Our CEO Benny Nachman had a great conversation on retail security and payments fraud issues last week with Jeff Peters, host of the Cybercrime and Business Podcast. You can listen to the whole exchange here. Below are some of the highlights that we’ve summarized for quick reading.
On the aging payment processing infrastructure
“The credit card that we have today is almost the same as what we had in the early 50s. Since that time, the basic philosophy and business procedures of how merchants and banks treat credit card transactions have not really changed.
In the mid-70s we had swipes, and then came digital and then online. But the basic systems that most of the big retailers and banks are currently using are very obsolete.
When Internet and e-commerce came onboard [in the 90s and 2000s], at first, it was a separate system. Initially, they used the offline back-end processing system and they put some patches and somehow linked them into the online world.
But the basic vulnerability remains. If you remember 10-12 years ago, people were very afraid to make online purchases; using credit cards online was deemed very unsafe. But today, e-commerce has become even safer than the offline world.
It always amazed me that there are people who would give their credit card number to the pizza place over the phone, but those same people would be so worried about typing it in online.
One of the main reasons for this is because of the historic perception of how “dangerous” online transactions could be. Thanks to this perception, a lot of attention went to online security which led to PCI standards and their enforcement. But unfortunately, the backbone processing never changed. They are the same way now that they were 30 years ago. That goes for the large and small retailers. What you see is that the platforms that they use to process and secure their processing activity are really outdated. The infrastructure is obsolete. So little attention has gone into offline security, as compared to online security, that, ironically, online has become more secure than the offline.
Today, merchant acquiring banks like Credorax, who have been focused on the online payment processing world, are in a good position to go into the offline world and to try to merge the two into a true omni-channel payment solution. So a merchant can offer online and offline shopping experiences, with good security and unified experience for both types of transactions.”
On the increase in cybercrime and EMV adoption
“Many countries around the world, especially Europe and Japan, have been using the chip/EMV cards for 8-9 years. If you go to Europe, they can’t understand swiping the card and signing a slip of paper. Dipping the chip card and typing in a PIN code as for a debit card is much more secure, especially with the addition of tokenization.
This hasn’t happened in the U.S. for 2 reasons: It would require a major overhaul of the terminals, where you would need to change all of the terminals and points of sale all over the country from the biggest retailers to the smallest gas station. This is difficult and costly.
For years, when the fraud levels weren’t high, the big retailers and banks were saying to themselves, well, if fraud is at the level of 2 basis points, it’s part of the cost of doing business. Therefore, it doesn’t make sense to invest billions of dollars in upgrading the system.
But when fraud goes up, and it includes not only loss of money but also public perception of trust, this starts to become a problem for banks and retailers. If people start to feel that their credit cards aren’t secure, they will start to use them less. In this situation, it makes more sense to invest in security upgrades and move towards more secure solutions.
One of the things you see in the last number of years is the vast number of attacks and how successful and easy they are. These attacks have really increased public awareness and concern about security issues. Hopefully, just as the public was motivated to increase online payment security, the public will push banks and retailers to secure offline transactions as well.
The Apple Pay solution is EMV. It’s tokenized and more secure than other payment formats. If that will help push EMV adoption across U.S. merchants, then it’s a great step forward. From a security perspective, it’s a huge step.”
5 Payment Security Tips for Retailers
- Pay attention to your payment system and make sure it’s as secure as it possibly can be. If you do not have the resources, invest in outside experts to get the job done.
- If you are an administrator with control of accounts, change your passwords frequently and use sophisticated ones.
- If you have an ATM device in your store, put a camera in or near it.
- Choose the right processing provider: if you need emphasis on online or offline payments, ask the provider where their expertise lies. If you need both, make sure your provider can do both.
- Choose the right implementation for your business: if you are a small business, hosted payment pages which are hosted by the provider will probably be more secure than hosting it on your own page.