ALSO in THIS ISSUE + Contactless Redux at Chase + a Common OS for Smart Terminals? + Not Your Older Brother’S POS + Mastercard’S Real-Time Strategy Hello Future

VOLUME FIFTEEN, NUMBER TWELVE • DIGITAL TRANSACTIONS.NET • DECEMBER 2018

THETHETHE

BATTLINGABATTLINGBATTLING swarm of malicious bits of code BOTSBOTSBOTS threatens to plunder online assets. What’s to be done?

ALSO IN THIS ISSUE + Contactless Redux at Chase + A Common OS for Smart Terminals? + Not Your Older Brother’s POS + Mastercard’s Real-Time Strategy hello future.

Tomorrow’s payment possibilities today. TSYS® has harnessed the power of payments so you can help businesses achieve their full potential in today’s ever-changing world. Through continuous innovation and our comprehensive suite of solutions, the possibilities are endless.

UNIFIED COMMERCE • INTEGRATED POS • PAYMENTS • PREPAID CARDS

Call 866.969.3350

DIGITALTRANSACTIONS.NET

CONTENTS December 2018 ■ Volume 15, Number 12 Malicious bots are 18 Battling the Bots ‘something [retailers] There are plenty of good bots out there, but the bad ones are making life difficult for financial institutions and merchants. And it’s only getting worse. haven’t dealt with before. What’s to be done?

For criminals, this is 4 The Gimlet Eye almost as good Chase Tries Again as going to the bank.’ 6 Trends & Tactics PAGE 18 Chase Reconnects With If Only Mobile Wallets Contactless Cards Functioned More Like Remember blink? The country’s Leather Wallets ... biggest credit card issuer is hoping Could it be that lukewarm mobile- consumers don’t—or at least will set payments adoption could heat aside that old venture in contactless up if people could stuff things payments and welcome its new one. in those mobile wallets besides A Startup Player Wants To Be the credit cards? Common OS for Smart Terminals An Industry Group Takes on It’s an ambitious move—but could Faster Payments also be a savvy one as smart The 22 inaugural members of point-of-sale devices proliferate the U.S. Faster Payments Council on merchant countertops. include retailers, card networks, Shades of Amazon: banks, tech companies, processors, and the automated clearing 7-Eleven Brings Mobile house network. Checkout to the C-Store Convenience stores may be a natural for the so-called cashierless checkout. Plus, Security Notes explains the If so, Amazon won’t be the only one advantages of cloud computing to find out. for payments.

14 Acquiring POS Terminal? What’s That? Cloud connectivity, apps, and features beyond payments are shaping the next evolution of the point-of-sale terminal.

26 Networks The Promise—And Threat—of Real-Time Payments Three years ago, Mastercard shelled out big money for a U.K. technology firm. As faster payments take hold in the States, the rationale for that deal will soon be put to the test.

30 Endpoint Balancing Consumer Expectations And Fraud Prevention There are no perfect solutions for account-takeover fraud, but tactics such as consumer education and prevention at log-in can make a big difference, says Rich Huffman.

Cover illustration: Jason Smith

Digital Transactions (USPS 024-247) is published monthly by Boland Hill Media LLC, 800 Roosevelt Road, Building B, Suite 212, Glen Ellyn, IL, 60137. Periodicals Postage Paid at Glen Ellyn, IL, and at additional mailing offices. POSTMASTER: Send address changes to Digital Transactions, P.O. Box 493, Northbrook, IL 60065-3553.

THE GIMLET EYE DECEMBER 2018 • VOL. 15, NO. 12

PUBLISHER Robert A. Jenisch EDITOR-IN-CHIEF John Stewart Chase Senior Editor Jim Daly Senior Editor, Digital Tries Again Kevin Woodward Correspondents ne thing that can help put over a new payment technology is backing Jane Adler from a bank or technology company that controls a huge chunk of the Lauri Giesen Karen Epper Hoffman Oconsumer universe. But the key word here is “help.” Consumers and Peter Lucas merchants have to be ready for the technology, as well. Linda Punch Elizabeth Whalen With contactless cards, that readiness may finally be there. Thirteen years ago, Art Director/Production Editor when JPMorgan Chase & Co. launched its blink card with hearty fanfare and big Jason Smith ambitions, it wasn’t. After lingering in the market like the ghost of a long-forgotten Editorial Advisory Board icon, the card finally met its demise in 2014 when Chase mercifully euthanized it. Eula L. Adams John Elliott Circumstances are much better now for a contactless product. The EMV rollout, Alex W. “Pete” Hart as messy as it was, finally put terminals capable of near-field communication on Former Chief Executive Officer, the countertops of millions of merchants. The advent of mobile wallets has trained MasterCard International at least some consumers (though not as many as Apple and Google would like) William F. Keenan President, De Novo Corp. to appreciate the convenience of tap-and-go. And the need for fast throughput in Dr. Gideon Samid some sectors has only grown more urgent with EMV’s leisurely transaction times. Chief Technology Officer, AGS Encryptions Ltd. Sensing the opportunity, Chase is back in the contactless card business (see Director of Advertising page 6). The market’s contours are different now, of course. The cards are so- Robert A. Jenisch, 877-658-0418 called dual-interface plastic, meaning they can be inserted into chip-reading ter- [email protected] minals or waved at or tapped on them. They are fitted with NFC technology now Advertising Sales Representatives Robert Mitchell, 877-658-0418, x7 for fast and secure interactions. And Americans who venture abroad have had a [email protected] chance to see for themselves how fast contactless has developed in places like Rob Akert, 877-658-0418, x6 the United Kingdom. [email protected] Chase’s heft in the credit card business—it is the nation’s biggest issuer— Digital Transactions, Digital Transactions News, and digitaltransactions.net are publications of doesn’t guarantee success. It didn’t a decade ago. But a swarm of contactless credit Boland Hill Media LLC, 800 Roosevelt Road, and debit cards unleashed across the country can’t hurt, and in combination with Suite B212, Glen Ellyn, IL 60137 John Stewart, Managing Director dual-interface plastic from other issuers might induce more merchants to enable Robert A. Jenisch, Managing Director NFC in those EMV terminals they’ve deployed. For advertising information, call 877-658-0418. That should help cure the merchant indifference blink encountered. Consumers To subscribe or give us a change of address, go to www.digitaltransactions.net and click on weren’t so sure they wanted or needed the technology either, a problem that in turn “Subscriber Care” or call 847-559-7599. might be overcome by growing familiarity with mobile wallets. The views expressed in this publication are not necessarily those of the editors or of the members Indeed, it’s hard to say how much longer physical, plastic cards are going to be of the Editorial Advisory Board. The publisher with us. A recent report from the global processor Worldpay says wallet usage is makes reasonable efforts to ensure the timeliness and accuracy of its content, but is not engaged in growing fast. Its report it focused on online usage of cards and wallets, but it says any way in offering professional services related to financial, legal, accounting, tax, or other matters. the population of in-store wallet users in the United States is growing at a 33% Readers should seek professional counsel regard- annual rate. Of course, while credit and debit cards may dwindle over time, they ing such matters. All content herein is copyright © 2018 Boland Hill Media LLC. No part may be will be with us for a while yet. It’s good to know they will be so much easier to use. reproduced without the express written permis- sion of the publisher. Subscription prices: $59/year John Stewart, Editor | [email protected] for subscribers in the United States; $69/year for Canadian subscribers. All other subscribers, December 2018 $119/year, payable in 4 • digitaltransactions • U.S. currency. Your Payment Partner of Choice

E800 E500 E600 A920 Smart Retail Solutions Introducing PAX’s new Smart Retail Solutions. Sleek designs that make them look more like a tablet than a payment terminal.

PAX has launched an application management platform for resellers and partners to manage applications with the PAX Smart Retail Solutions.

US Headquarters: Regional Office: 8880 Freedom Crossing Trail 40 West Baseline Road, Suite 210 Building 400, 3rd Floor, Suite 300 Tempe, AZ 85283 Jacksonville, FL 32256 +1-877-859-0099 | [email protected] +1-877-859-0099 | [email protected]

© 2017 PAX Technology Limited. All Rights Reserved. PAX’s name and PAX’s logo are registered trademarks of PAX Technology Limited. All other products or services mentioned in this advertisement are trademarks, service marks, registered trademarks or registered service marks of their respective owners.

pax-eta-smartretail(digitrans).indd 1 2/12/18 12:42 PM Trends & Tactics

Chase Reconnects With Contactless Cards

Giant card issuer Chase may not be big enough to single-handedly make contactless cards commonplace in the United States, but now that it plans to once again issue tap-and-go credit and debit plastic, the money-center bank (Photos: JPMorgan Chase) could come close. Chase, a unit of JPMorgan Chase & Co., says it will begin before the year is out issuing contactless EMV cards bearing the Visa Inc. brand, first to its After a failed attempt several years ago, it’s contactless redux at Chase. Chase Freedom Unlimited and Chase Slate cardholders as their cards reach Other issuers followed, but contact- as of June, meaning the merchant’s renewal or on opening a new account. less payments failed to catch on. The point-of-sale equipment was enabled Following on will be all other blink brand lingered until its last incar- for, not just capable of, conducting a Chase Visa credit cards, including nation was discontinued in 2014. These contactless card payment. cobranded ones through 2019. In the newest cards use EMV contactless tech- In October, Visa predicted 100 second half of 2019, Chase contact- nology to secure the payment data. million contactless cards would be less debit cards will begin appearing. Different this time, too, is that one issued by U.S. banks and credit unions Chase said the timing is right leg of the stool already is in place. by the end of 2019. It’s an attainable because 70% of U.S. merchants have Since the 2015 EMV liability shift, number because of the readiness of the point-of-sale technology to accept point-of-sale terminal makers have the market, suggests Dan Sanford, contactless EMV cards. It’s the same shipped their devices not only enabled vice president of product at Visa. technology used by mobile wallets for contact EMV acceptance, but with The technology is in place at like Apple Pay, Samsung Pay, and near-field communication wireless merchants, and now, with at least Google Pay. capability built in. one issuer moving ahead and oth- Thirteen years ago, Chase, with NFC is the enabling technology ers expected to follow, the payments its blink card, was one of the first to for the smart phone-based mobile wal- industry soon can focus on consumers. issue a contactless payment card on lets and for contactless EMV cards. Part of that consumer message will be a broad scale. Those cards relied on In September, Visa said 50% of its the value of using contactless cards, magnetic-stripe-equivalent radio fre- face-to-face transactions happened at which will retain the contact chip inter- quency technology. contactless-enabled merchant locations face, instead of cash, Sanford says.

6 • digitaltransactions • December 2018 As other markets, such as Austra- an EMV card into a reader, can’t hap- “When the big guys move, the lia and the United Kingdom, added pen at other merchants, he says. little guys don’t want to be left contactless capability to their EMV Card costs also may be a factor. [behind],” he says. “There are a num- cards, consumers began using the On the low end, the cost may be ber of financial institutions that are cards instead of cash, he says. That 50 cents to 60 cents per card, and going to migrate to this technology. could happen in the United States. on the high end between 90 cents It will take off.” That’s where consumers will have and $1.10. Morrison says volume and —Kevin Woodward a critical role, not only for using a other elements affect card costs. Even card instead of cash but to prompt global demand for contactless cards A Startup Player Wants merchants to offer contactless accep- helps lower costs, he says. A contact- To Be the Common OS tance, says Kevin Morrison, senior only EMV card may cost between for Smart Terminals analyst at Aite Group LLC, a Boston- 60 cents and 80 cents. Chase would based advisory firm. not disclose its costs for the new cards. “It will largely be driven by the Another factor that bodes well is Poynt Co., a startup supplier of intel- spending habits of the average con- that other issuers are expected to fol- ligent payment devices, argues so- sumer,” Morrison says. A consumer low Chase’s lead. Morrison’s research called smart terminals should have who gets accustomed to tap-and-pay indicates that large and small financial a common operating system like at a fast-food restaurant may won- institutions are planning contactless smart phones do. And in the course der why a similar experience, which cards, a trend that picked up momen- of announcing a $100-million fund- likely will take less time than dipping tum in the last five months, he says. ing round last month, the Palo Alto,

Let Be Your EMV Expert! Your EMV Eco-System Made Affordable! eProcessing Network has the secure payment solutions to help you stay current with the technologies that keep your merchants connected. And with real-time EMV capabilities, retailers can not only process contact and contactless payments, Apple Pay and Android Pay, they’re able to manage their inventory as well as balance their books via QuickBooks Online.

is EMV-Certified

1(800) 296-4810 eProcessingNetwork.com

December 2018 • digitaltransactions • 7 Trends & Tactics

from the likes of Square Inc., First Data Corp. (Clover), Verifone Systems Inc., and North American Bancard LLC. “It’s a long way from developing a standard to ubiquity,” says Thad Peterson, a senior analyst at Aite Group LLC, a Boston-based research firm, in an email message. “The legacy players are already populating (Photo: Poynt) their ... payment systems with apps that enhance the functionality of the terminal, like Clover from First Data.” Poynt in action: The next OS for smart POS? But by creating an OS that works across a spectrum of smart devices, Calif.-based company also argued it up efficiency by allowing apps to run Poynt just might lock in the relevance should be the one to provide that OS. on any device. of its app store for outside develop- Investors in Poynt’s Series C raise “Smart phones changed the ers. “Developers need to focus on the include Elavon, a major payments way we search, buy, and commu- operating systems that can provide the processor and a unit of U.S. Bancorp, nicate—not only because the hard- most downloads,” says Rick Oglesby, and National Bank of Australia. Poynt ware was beautiful, but because iOS principal at AZPayments Group in will use the funds to expand its talent and Android transformed a ubiqui- Mesa, Ariz. “That normally means base, invest in its product, and pursue tous utility into a platform for inno- the ones that attract the most eyeballs. “its vision to become the operating vation where developers could build If Poynt’s OS is tied only to its hard- system (OS) on smart payment ter- once and distribute everywhere,” said ware, the eyeball exposures are more minals worldwide,” according to a Osama Bedier, Poynt’s founder and limited, so this is a very smart move.” release from the company. chief executive, in a statement. “Our Even so, while he agrees that “an Four-year-old Poynt, whose vision is to transform retail by becom- open system in POS would make a L-shaped device relies on a collec- ing that innovation platform for pay- great deal of sense” and “may well be tion of apps that can support a vari- ment terminals everywhere.” the future of POS,” Peterson argues that ety of merchants’ business needs, Don’t look for this vision to mate- “it’s going to take a long time before says it has shipped 150,000 units in rialize any time soon, some observers critical mass is sufficient to drive adop- the past 16 months, and it projects caution. They point to a payments world tion of an open OS by competitors.” its installed base will process more that now includes competing devices —John Stewart than $25 billion in transactions in the course of the next 12 months. Some 8,000 developers have now written Shades of Amazon: 7-Eleven Brings Mobile Checkout to the C-Store applications for the Poynt device. And besides Elavon, which came Starting last month, consumers shop- all 7-Eleven merchandise except items on board last year, several more banks ping at 14 7-Eleven Inc. stores in requiring cashier help, such as hot food, and processors have signed on to sup- the Dallas area began trying out the alcohol and tobacco, and lottery tickets. port Poynt over the years, including convenience-store chain’s new Scan & 7-Eleven says consumers can use Evertec, Worldpay, JPMorgan Chase, Pay feature to make purchases without Apple Pay, Google Pay, or a credit or Itau Unibanco, Alipay, Nexi, EVO, stopping at the checkout counter. debit card to pay for items. Purchased and Mashreq Bank. The service, part of the 7-Eleven items are placed in clear shopping But the company leaves no doubt app that also houses the 7Rewards bags. Users also must be in or around its major thrust will be to create a uni- loyalty feature, enables consumers to one of the 14 test stores for the shop- fied operating system for the burgeon- avoid long checkout lines, 7-Eleven ping feature to appear in the app. ing market for smart POS devices. says. Scan & Pay is available for iOS Upon completing their shopping, The common OS, it says, will drive and Android devices and can pay for users scan a quick-response code

8 • digitaltransactions • December 2018 displayed on the final confirmation Retailers miss out on a lot of payment experience is positioned as screen at a Scan & Pay station. sales—$37.7 billion in the past an attractive way to help retailers in “Customers can now take con- year according to 451 Research— certain verticals reclaim these missed trol of their shopping experience and because of shoppers abandoning long revenue opportunities.” earn loyalty points at the same time,” lines, McKee says. “A ‘grab-and-go’ —Kevin Woodward Gurmeet Singh, 7-Eleven chief digital officer and chief information officer, said in a press release. “We are taking If Only Mobile Wallets Functioned More Like Leather Wallets... the in-store retail experience to the next level with a series of innovations. Ever since mobile payments first cap- These moves could pay off hand- Scan & Pay is one of them.” tured the public imagination four years somely for Apple and Alipay, according 7-Eleven says it plans to expand the ago with the launch of Apple Inc.’s to research results released last month availability of the proprietary payment Apple Pay, experts have debated why by Auriemma Consulting Group. In technology to more cities in 2019. usage of the iOS and Android wallets the latest edition of the firm’s quarterly Scan & Pay, because it’s coupled has fallen short of the original, lofty Mobile Pay Tracker, more than one-third to the c-store chain’s loyalty program expectations. of mobile-payment users Auriemma within one app, is another example Some speculate that usage would surveyed said they’d be interested in of how retailers “increasingly view rise markedly if the mobile wallets using a mobile wallet to store ID cards their app as a platform where they functioned more like their leather or government documents. can intertwine payment, rewards, loy- counterparts, only with the twist of The New York City-based con- alty, and engagement into a tightly digital convenience. sulting firm canvassed 1,518 people integrated and controlled experience,” And now evidence is emerging to who had both a major credit card and says Jordan McKee, research director support that claim. an Apple or Android phone capable at New York City-based 451 Research. In October, Apple said students of mobile payments. Overall, 31% of Still, that tight integration likely at three universities could load their these consumers had ever used mobile will be most valuable to a minor- student IDs into Apple Pay, allowing payments, the firm found (the break- ity of shoppers. “It’s unrealistic to them to use the credential for such down among brands is 35% for Apple think that every shopper will use a routine tasks as going to the gym, Pay, 28% for Google Pay, and 23% retailer’s app,” McKee says. “Retail- opening dorm rooms, or checking out for Samsung Pay). branded apps will only see adoption library materials. Auriemma’s analysts say the con- by frequent shoppers that have a pre- Also in October, Ant Financial Ser- venience of storing digital versions of existing affinity for shopping with vices Group’s Alipay wallet started sup- documents people might otherwise stuff that specific retailer.” porting marriage certificates in Jiangsu into a leather wallet or store in a safe Nonetheless, the effort to produce province in China, easing the way for could pump up mobile-wallet usage. an app with multiple features could be users to apply for a mortgage, transfer “We’ve been doing this survey worthwhile. property, or open a startup company. since Apple Pay launched, and usage “Convenience is a top vertical for implementing a ‘grab and go’ payment experience thanks to the They Like P2P frequency of purchase, small basket Apple Pay users who have Google Pay users who have sizes, and limited inventory,” McKee used Apple Pay Cash used Google Pay Send says. “7-Eleven’s move toward this type of shopping experience is a clear indicator that it sees Amazon Go as a long-term competitive threat.” 42% 36% 25% Amazon.com Inc. this year opened 16% the first of its Amazon Go convenience stores outside of Seattle with Q1 2018 Q3 2018 Q1 2018 Q3 2018 plans to add more. Source: Auriemma Conulting Group

December 2018 • digitaltransactions • 9 Trends & Tactics among those eligible to use hasn’t seen the major wallets appear to be gaining average in the past week. By contrast, any spikes,” says Jaclyn Holmes, direc- popularity. Apple Pay Cash, in partic- the average spend in store was $145; tor of the firm’s payment insights prac- ular, has been catching on fast since on a Web site, $142; and in-app, $133. tice. “Without additional functionality its launch a year ago (chart, page 9). Ironically, Alphabet Inc. said in July it built in, the sentiment we’re seeing is, The P2P apps also engender plans to phase out Google Pay Send in ‘we see no use for [mobile payments].’” higher spending. For the two services favor of a new P2P service. Still, peer-to-peer payments on combined, users had sent $162 on —John Stewart

An Industry Group Takes on Faster Payments

Following through on plans disclosed The group’s first major tasks So-called founding sponsors pay earlier this year, the Federal Reserve include a membership drive and anywhere from $25,000 to $162,000, in November formally unveiled the recruitment of an executive to lead it. which includes up to five years of U.S. Faster Payments Council, an Duties for the next two years include prepaid dues if they pay by Feb. 28, industry group charged with col- support for adoption of practices that 2019. The annual fee for non-voting laborating to spur the adoption of enhance payment safety; development associate members is $250. faster payments and identify market of an education and awareness program “We want to have an inclusive opportunities. about faster payments, and “identify- approach that brings everybody The 22 inaugural members range ing, developing and supporting prin- that has an interest in this space from retailing giant Walmart Inc. to ciples, guidelines, and market prac- together,” Reed Luhtanen, Walmart’s Visa Inc. and Mastercard Inc. to some tices that will address opportunities and senior director of payments strat- big banks, tech companies, proces- emerging issues in an open and collab- egy, said in October while preview- sors, and automated clearing house orative way,” the Fed said. ing the council at a Fed conference governing body NACHA. Council decisions will not be bind- in Chicago. The council, an outgrowth of the ing on members, according to the Fed. The council’s board of directors Fed’s multiyear Payment System The group is open to any payments- will have up to 21 voting members, Improvement project and the successor industry company or organization with three seats each for financial to that project’s Governance Frame- that pays a revenue-based annual fee. institutions, payment networks, tech work Formation Team, will focus on Nine fee tiers for voting members providers, business end users, and private-sector approaches “to solving range from $500 for firms with less consumer groups. Three seats will be problems and addressing issues that than $5 million in annual revenue reserved for other organizations, and inhibit adoption of faster payments,” to $90,000 for those with revenues there will be three at-large seats. DT the Fed said in a news release. above $20 billion. —Jim Daly

MONTHLY MERCHANT METRIC Growth in Same-Store Sales Year Over Year Annual volume change/growth of retained (non-attrited) accounts for given period divided by total portfolio volume from same period of the prior year.

7.08% 7.00% 7.01% Note: This is sourced from The Strawhecker Group’s 5.77% merchant datawarehouse of over 3 million merchants in the U.S. market. The ability to understand this data is important as SMB merchants and the payments providers that serve them are key drivers of the economy. 5.03% All data is for SMB merchants defined as merchants Q2 2017 Q3 2017 Q4 2017 Q1 2018 Q2 2018 with less than $5 million in annual card volume.

10 • digitaltransactions • December 2018

Trends & Tactics

Security Notes Payments in the Cloud

Gideon Samid • [email protected] have found out that many but you are not privy to the particulars of the data handling. payments professionals, That means you are not responsible for that configuration. It I who claim to use and com- is what the cloud does professionally. prehend the cloud, view it sim- You are also relieved of worries about a breakdown. A ply as a remote repository of professional cloud is built with massive redundancy. If some accounts. So this month I have hardware burns out, or some miswiring takes place, there is decided to dedicate this column enough backup machinery to keep your services running. It to one purpose: elucidating this is all built into the fee, which is usage-determined. remarkable technology as a service to my readers. Payment innovators who understand the fundamental Early in my life in Israel, I lived in a “kibbutz.” There were advantage of cloud configurations are signing up in droves. no private cars, but there was a fleet of vehicles ranging from Then, when I tell them that their customers’ data is exposed small sedans to large pickup trucks. Members checked out what to any credentialed employee at the cloud company, they are they needed at the moment. In this way, we achieved effective shocked. Alas, that is the price of convenience. mobility at a fraction of the “car parked in every garage” cost. Also, while clouds are highly resistant to hacking and Maintenance was centralized and professional. Also, a personal malfunctions, they are not foolproof. The cloud is not the Fed- vehicle is often too small or too big for the current purpose. eral Deposit Insurance Corp. Its responsibility is linked to the These savings and efficiencies can be likened to what data per se, not the money that is reflected in your database. cloud technology offers its users. The big commercial clouds accumulate so much expe- Suppose you have a grand idea for loyalty payments, so rience and improve so fast that no private alternative can you set up a database to manage it. Your idea catches on, and compete. Much as the Internet, as it grew, killed most private more and more customers log in. Now you have maxed out networks, so it is with cloud technology. your server. Response is getting slow, customers drop off. Even highly secretive government agencies use com- Not good. If instead you contract a cloud provider to host mercial clouds, but with “before-and-after” encryption. This your data, then expansion is seamless and painless. You pay means the data is encrypted before it is passed to the cloud, more, but in proportion to your usage requirements. You can and decrypted after it is returned from the cloud. A power- start small, but if you become an overnight success, your ful new technology called homomorphic encryption enables database resources expand accordingly. this protection, which denies the cloud access to private data The idea is that you are excused from the need to pre- while enabling the cloud’s sorting and selecting capabilities. estimate your capacity requirements. The cloud provider Payments are so essential to civil order that it is impor- stays ready to accommodate your overnight growth. This tant to understand how the growing dependency on wireless is a big help for any payments startup counting its pennies. connectivity makes the cloud a juicy target for hostile agents The cloud operates with its client via an interface. The and places it at risk during natural catastrophes. Serious pay- client requests database services and receives them. It is ments planners ensure continuity by keeping money hosted important to understand that this communication between in phones and other personal devices. Such personally-hosted the cloud and its client takes place through a veil. This means funds can transact between two battery-operated devices that you, as the client, are clueless as to the mode, configu- when the Internet is down. ration, and location of your data. This remains the domain For example, BitMint developed a dedicated money of the cloud. It takes your data and organizes it as it sees fit. language to accommodate a seamless shift from network- When you query your database, or change some entries enabled payment to network-disabled payment. For the there, you pass the request to the cloud and the cloud takes country that is most advanced in that regard, look at the care of it—again through a veil. You get proper responses, Peoples Republic of China.

12 • digitaltransactions • December 2018

ACQUIRING December 2018 digitaltransactions

POS Terminal? What’s That?

Kevin Woodward

Cloud connectivity, apps, and features beyond payments are shaping be integrated with new or existing sys- the next evolution of the point-of-sale terminal. tems. It allows the developer to integrate other software into that system without having to create software to ith all the discussion sur- likely has a tablet-based POS system bridge the two together.” rounding merchant adop- in place. Since 2010, when Apple Inc. Such developments mean that the W tion of point-of-sale sys- debuted its iPad and POS software outlook for conventional POS termi- tems and integrated payments, one developers flocked to the form factor, nals is quickly changing. “Conven- might think the days of the conven- tablet-based POS systems have steadily tional countertop devices are going tional POS terminal are numbered. gained favor among merchants. to be around for a very long time, but Their days as an isolated piece of the growth of that category is very, equipment with a sole function as the ‘Very Limited’ Growth very limited,” says Thad Peterson, entry point for payment transactions At first, the tablet form factor, like the senior analyst at Boston-based Aite may be dwindling. But, that does not smart phone before it, was innova- Group LLC. mean the venerable POS terminal is tive and attracted businesses. Then, That’s because a dedicated POS about to become an historical artifact, as cloud connectivity improved, the and payment device isn’t as useful or as long as it’s not in isolation. opportunity developed to bundle other cost-effective as an integrated plat- “Any system today, whether it’s services, such as employee schedul- form like, for example, Square, he a point-of-sale or hardware device, ing, inventory management, pricing, says. Square Inc. introduced a mag- that is not cloud-based is dying,” and detailed sales reports, making netic-stripe-only card reader in 2009, proclaims Jared Drieling, senior cloud-based POS systems the pref- but followed up with POS software for director of business intelligence at erence for many businesses, espe- the iPad, and now, interestingly, offers The Strawhecker Group, an Omaha, cially small businesses that now could its own Square Terminal for $399. Neb.-based payments advisory firm. afford them and had a need for them. Today, a conventional POS terminal That has had a dramatic effect on ‘Reactionary Mode’ may still sit on the countertop, but with the market. For sure, Square is one of many to increasing likelihood it’s connected to Even traditional POS systems, launch so-called smart terminals, which POS software. It still captures payment which typically had updates performed use apps and enable easy integration data, but now it may act as the cita- when the maker sent a technician to POS software. Square chief execu- del, protecting the integrity of the data to install new software or hardware, tive Jack Dorsey even heralded the and sharing only the minimum infor- are losing ground against cloud-based new Square Terminal during a Novem- mation necessary with the software. systems, Drieling says. Some mer- ber earnings call as the replacement The POS terminal may have a PIN chants avoided these updates because for “dinosaur” POS devices. The same pad or signature-capture capability. It they might cost thousands of dollars. month, payments provider North Amer- may enable consumers to enter loyalty- “In legacy systems [POS system ican Bancard Holdings LLC launched program information or redeem offers. makers] developed the code and would its own smart terminal, joining competi- In instances where there is no con- try to customize it for you,” Drieling tor Poynt Co., which debuted its device ventional POS terminal, a merchant says. “Cloud-based POS systems can in 2014. (For more on Poynt, see p. 7.)

14 • digitaltransactions • December 2018 Co-Branded E-Mail Marketing Get the Results You Need Here’s how it works: You select the part of Digital Transactions’ subscribers you want to reach, sorted how you need it, by function, location, or title. Just ISOs? No problem. Just executives on the East Coast? No sweat. Just CEOs? No worries. Or choose our entire circulation base. It’s up to you! You give us your HTML creative. We create both a text version and a Web version of the e-mail deployment. After the deployment, we track deliveries, opens and clicks, and give you all the stats.

It’s really that easy! To get started, contact Publisher Bob Jenisch today: 877-658-0418 [email protected] Verifone’s Carbon line of smart terminals targets small and medium-size businesses.

(Photo: Verifone Systems Inc.) The common denominator in all This all points to a very cloudy which went private this fall, has been these devices is the connectivity. That future. For the likes of Verifone Sys- emphasizing services revenue for is a boon to small businesses, which tems Inc., Ingenico Group, and Equinox years and launched its Carbon line of had to forgo POS systems of the past Payments, which sprang from the for- smart terminals to better compete. because of the costs. “The most criti- mer Hypercom Corp.’s U.S. unit, their Paris-based Ingenico, too, has cal point to why these cloud-based roles as providers of traditional POS grown its services revenue and made systems are growing, primarily in the terminals will change, Peterson says. changes. In April, it launched the small and mid-size space, is they allow “The challenge with the Ingeni- Moby/C150 ECR that features an a lot of integration,” Drieling says. cos and Verifones of the world is they Android-based tablet with a 15.6-inch This ability to integrate payments are in reactionary mode,” he says. display. with software that can run other busi- “But they’re easily disrupted by play- As it adapts to changes among ness functions is much sought-after ers coming in with more flexible and merchants and consumers, Ingenico in retail. In August, for example, pay- lower-cost offerings.” finds itself examining the point of ments provider Global Payments Inc. interaction between consumers and paid $700 million for AdvancedMD, Going Up Market merchants. While Mark Bunney, developer of medical-office manage- It’s not for lack of effort on their Ingenico North America director of ment software. part. San Jose, Calif.-based Verifone, go-to-market strategy, says there will still be customers for standalone POS terminals, the market is changing. “Lots of the tablet or mobile POS providers are definitely changing some of the dynamics in the market- Square Terminal: place,” says Bunney. “We have to Square’s latest change not only from a hardware POS device. perspective, but [in] how it’s going to impact our software and services.” Bunney points to Apple’s own retail stores and Amazon.com Inc.’s Amazon Go locations as examples of this change. There is no POS station in an Apple store. It’s all mobile, Bun- ney says. And in Amazon Go stores, the consumer’s own smart phone with the Amazon app is the payment (Photo: Square) mechanism.

16 • digitaltransactions • December 2018 Of the three primary categories of POS-terminal technology—the standalone device, the integrated POS, and mobile POS—demand for standalone devices is declining, Bun- ney says. “That’s part of the market migrat- ing to an integrated solution or going to a more tablet solution,” he says. “The other thing we’re seeing in the integrated market is merchants as well as the consumer want to have additional interaction beyond just the pay- The Ingenico Moby/C150 ment with the merchant.” POS system is a wholly That mirrors what Peterson sees in different look for an Ingenico the market. “The customer experience payment-acceptance device. used to be managed by the merchant,” Peterson says. “Now, the consumer (Photo: Ingenico) controls their own experience.” “The standalone device where it’s devices that are not POS devices, he That control has been enabled by not talking to the POS is in decline,” says. More use of mobile devices, the versatile tablet. “Now, the POS Bunney says. Yet he doubts it will dis- especially for in-aisle checkout, and could look like a tablet,” Bunney appear completely, despite Square’s increasing awareness and availability says. It depends on the type of interac- claim the older tech is a “dinosaur.” of alternative payment methods are tion consumers want, he says. “People “In some areas, it may not be grow- two other trends. want sleeker-looking solutions,” he ing at as fast a rate,” he says. “There says. “They don’t always necessar- is still that interest level.” The Ultimate Payment ily want to have a separate payment The hardware side may not The so-called traditional POS makers device from the tablet.” change too much in the near future, will have to evolve, says Drieling. That’s not to say that a tablet, or Bunney says, with the exception “They need to come out with some cloud-based POS system, is for every of some devices, like tablets, gain- competitive products,” he says. “They type of merchant. Bunney doesn’t ing contactless-payment acceptance. know the POS industry very well. think large merchants would be as Most POS terminals shipped since at They probably have the capability to satisfied with a tablet-centered POS least 2015 by the likes of Verifone, bring out some competitive cloud- as they would be with something Ingenico, and Equinox have contact- based POS products. I don’t see them designed for their complex needs. less tech built in, if not yet activated. doing very much in the independent Still, some cloud-based POS Better contactless identification software vendor space.” system providers have made moves marks may be part of future devices, ISVs increasingly look for a part- to go up market. Square Terminal, Bunney suggests. “How do you make ner to handle the payments element, with its integration capability, is one it easier for the consumer to interact alleviating much of the issue sur- example, and First Data Corp. is pro- from a hardware perspective?” he asks. rounding payment-device certifica- moting its Clover POS system for POS software, in all forms, will tion with their software. fine dining. evolve much faster, he says. Not only The future POS may not even will industry standards from EMVCo, resemble a POS device or tablet. Postponing Extinction which sets the specifications for Even Amazon’s Alexa voice assis- How the POS experience will adapt is EMV chip-card acceptance, influence tant almost qualifies as a POS device, uncertain, with its dependence on how this, so will PCI Security Standards Drieling says. Echo and other in- consumers shop and the technology Council standards on PIN-on-mobile, home devices enable consumers to they use and how merchants react to which enables commercially available use their voice to authorize orders. these changes. devices to securely accept PINs. “The next step is unified commerce,” However it evolves, there will PIN-on-mobile is one of the he says, allowing a consumer to start be integration of the payment-accep- trends Peterson sees influencing the a transaction in one channel and go tance device into the overall checkout evolution of the POS experience. through others until making the ulti- experience. It’s devolving the POS into smart mate payment. DT

December 2018 • digitaltransactions • 17 THETHETHE

BATTLINGBATTLINGThereBATTLING are plenty of good bots out there, but the badBOTSBOTSBOTS ones are making life difficult for financial institutions and merchants. And it’s only getting worse. What’s to be done? BY JIM DALY To paraphrase Glinda, the good witch in L. Frank Baum’s Oz novels and the 1939 film The Wizard of Oz: Are you a good bot or a bad bot? There are plenty of good bots out there that perform useful tasks in the Internet age. They’re bits of software code, artificial intelligence really, that are programmed to react to human inputs—typed messages or voice commands—and react fast with information or advice (“The Age of Bots,” January, 2017). An example is an automated assistant that facilitates e-commerce purchases. The trouble for merchants, banks, and the payments industry is there are too many bad bots—malicious software applications designed to run repeated code on their own. They can unleash massive attacks on the login pages of retailers, banks, and credit unions, or any organization with personal or financial data accessible through the Internet. “With bots, they get all of these credentials from data breaches, and they just hammer until they find one that matches,” says Shirley Inscoe, senior analyst at Boston- based research and consulting firm Aite Group LLC. Account takeovers, a type of fraud in which a criminal gains control of a legitimate credit card, bank, or other type of financial account, are a frequent result of successful bot attacks. Bad bots can pull data from a database, for example, a retailer’s customer list with valid passwords and usernames, and, in a type of attack dubbed credential stuffing, attempt to get into a consumer’s online account without much operator action. A SWELLING STREAM Bots typically run from servers, while some attacks rely on connected computers or Internet of Things devices surrep- titiously recruited into the attacking swarm, or botnet. These botnet attacks are generating a swelling stream of new business for a small army of specialist vendors with anti-bot technology. And most informed observers agree the scale of bot attacks is huge.

December 2018 • digitaltransactions • 19 Ninety percent of login attempts may now be using bots, estimates Colin Sims, chief financial officer at New York City-based fraud-prevention firm Forter Inc. “One of Bombarded by Bots the ways you try to brute-force your way into an account is using a bot,” he says. The attacks are only growing more numerous. In both May and June there were 8.3 billion malicious login attempts by bots, according to Akamai Technologies, a There were 8.3 billion Account takeovers, Cambridge, Mass.-based Web-services company. malicious login often linked to bots, In the eight months from November 2017 through attempts in May and an tripled in 2017. June, Akamai tracked more than 30 billion malicious equal number in June. login attempts, says the company’s 2018 State of the Internet report released in September. Only a relative few of the bot attacks actually breach the defenders’ electronic walls, tech executives say, but more are succeeding. Based on a late-2017 survey of more than 5,000 U.S. Account-takeover 89% of nancial- adults about their experiences with identity fraud, Javelin losses hit $5.1 billion. institution executives Strategy & Research estimates that account takeovers say account takeovers tripled over the preceding year to hit a four-year high. are a top-three cause of fraud losses. The Pleasanton, Calif.-based firm estimates losses reached $5.1 billion. Sources: Akamai Technologies, Javelin Strategy & Research, Aite Group

authentication strategist at NuData Security, a Vancouver, LIKE GOING TO THE BANK British Columbia-based antifraud specialist owned by Bot-deploying criminals are devoting plenty of atten- Mastercard Inc. that uses behavioral biometrics to spot tion nowadays to retailer Web sites, which tend to have suspicious activity. “We see a lot around retail, we see a lot weaker defenses and are subject to fewer data-protection around payment services. We’re seeing this drumbeat pretty regulations than banks and credit unions, security much around anyone who has value behind that login.” experts say. Plus, fraudsters try to take advantage of the In an October report about data protection, Aite said proclivity of consumers to use the same passwords across 89% of financial-institution executives it surveyed stated multiple sites. that account takeover is a top-three cause of fraud losses “It’s something [retailers] haven’t dealt with before,” in digital channels, and 42% said application fraud also is says Al Pascual, senior vice president of research and a top-three source of losses (see the Endpoint column on head of fraud and security at Javelin. “For criminals, this page 30 for more about account-takeover fraud). is almost as good as going to the bank.” While retailers are popular targets nowadays, there are many other ones, including health-insurance providers, and the more skilled fraudsters continue to ‘UNSATISFIED CUSTOMERS’ probe banks for weaknesses. Even if they’re not causing actual fraud, bot attacks can “We are seeing a massive number of account-takeover wreak mayhem because of the sheer volume of traffic attempts,” says Robert Capps, vice president and directed at target Web sites.

‘We are seeing a massive number of account-takeover attempts.’ ROBERT CAPPS, VICE PRESIDENT AND AUTHENTICATION STRATEGIST, NUDATA SECURITY

20 • digitaltransactions • December 2018 ONLY ONE OF THESE BIRDS CAN GIVE YOU THE LATEST NEWS IMPACTING THE PAYMENTS MARKET

Today and every day follow DIGITAL TRANSACTIONS @DTPAYMENTNEWS on Twitter The traffic can resemble a digital denial of service developers work with a particular program, but they’re (DDoS) attack, in which the goal is not so much to steal often vulnerable from a security standpoint, he says. as to disrupt by causing a site to slow down or crash, leading to “unsatisfied customers,” says Rich Bolstridge, chief strategist at Akamai Technologies. “The botnets keep trying and trying,” he says. ‘THAT’S A PROBLEM’ One retailer client of Cequence Security was hit with Thwarting malicious bots could soon become harder a 10-fold increase in Web traffic, 90% of it malicious, because of the rise of so-called open banking in parts when it ran a sale over the Memorial Day weekend, of the world, including the European Union, according notes Larry Link, president and chief executive of the to Bolstridge. Open banking refers to regulations that Sunnyvale, Calif.-based fraud-control technology firm. allow financial-technology firms to access some of the “I was surprised at the level of sophistication customer payment data held by banks. that hit them,” Link says. “It’s anybody that’s got a The intent is to enable fintechs to offer a broader big retail presence.” array of services to consumers. But these intermediaries Link adds that another weak spot bots try to exploit now represent a new group of targets for criminals. involves application programming interfaces (APIs), “It’s going to make [fraud control] even more chal- the communication protocols and tools developers use lenging,” Bolstridge says. in creating their programs. APIs help outside software What to do?

Fallback Fraud Falls While merchants and financial institutions are fighting Control Roundtables with representatives of 34 financial a pitched battle against bots, they are winning in institutions, including 14 of the 15 largest U.S. credit another arena of fraud. Fallback fraud, an offshoot of card issuers, says Ira Goldman, senior director of the the counterfeit fraud that EMV chip cards are meant to Roundtables operation. The firm also collects fraud data reduce, declined over the past year, according to new from issuers through monthly and quarterly surveys. findings from Auriemma Consulting Group. Fallback fraud is an activity that typically comes Fallback fraud refers to dollar losses resulting from and goes fairly quickly after a nation converts to EMV would-be EMV payments resorting to the credit or debit chip card payments, though it has stuck around longer card’s back-up magnetic stripe because of a problem than usual in the United States, ACG said. But issuers with the chip. Such transactions typically occur when are getting smarter about identifying and thwarting it, the fraudster damages the chip, covers it with clear according to Goldman. film, or otherwise renders it inoperable. “They’re looking at dollar amounts, they’re looking That forces the point-of-sale terminal to read the at velocity thresholds [the number of transactions in a card’s mag stripe, which likely has been counterfeited. given time period], any sort of prior fallback activity on Incorrect insertion of an EMV card into a POS terminal the same account,” Goldman says. occasionally initiates a fallback transaction, too. Fraudsters often try to get the most bang for their In 2017, fallback fraud made up more than 20% of buck by trying to buy TVs and other pricey consumer counterfeit fraud and 4.5% of total credit card fraud, electronics goods, thus issuers’ increased emphasis on according New York City-based ACG’s Card Fraud dollar limits on fallback transactions. “The fraudster is Control Benchmark Study released in November. Fraud looking to purchase an expensive item,” says Goldman. was rising even as fallback transactions, including Issuers also are looking more closely at fallback legitimate transactions, made up less than 2% of overall history as they try to sort the good from the bad. “There purchase authorizations, ACG reports. are legitimate fallback transactions,” he notes. But in 2018’s second quarter, fallback fraud made up Banks that have implemented new fallback-fraud just 11.5% of counterfeit fraud and 3.2% of total credit policies are reporting minimal disruption to customers, card fraud, respective declines of 45% and 30% year- according to Auriemma. Fallback transactions and over-year, according to ACG. declines fell 12.6% and 20% year-over-year, respectively, Auriemma gets its data from its quarterly Fraud the firm reported.

22 • digitaltransactions • December 2018 Merchants, banks, credit card issuers, insurance compa- billion transactions per month, including banking and nies, and others increasingly are looking to tech firms to credit card applications. Bot-supplied data “is going to help sort out bad bots from legitimate traffic, all the while look like a machine, but a human will have many, many trying to minimize the risk of rejecting honest transactions. different nuances.” One of the anti-bot technologies being brought to Zelazny describes one trick BioCatch has used to the front lines is behavioral biometrics, which involves thwart bot-driven credit card applications. Banks, card software programs that can measure hundreds of issuers, and others that need a customer’s birth date variables, everything from the strength of the person’s often display “wheels” containing days, months, and keyboard tap to the width of fingertips on a touch screen years from which the applicant is supposed to select to typing patterns. his or her birthday. BioCatch’s technology can make the “People, when they enter [data into] a machine, they wheels spin faster or slower, a move that humans adjust don’t have even typing patterns,” says Frances Zelazny, to much easier than bots, Zelazny says. chief strategy and marketing officer of BioCatch, a “They weren’t able to react, they expect the wheel at 5-year-old firm based in New York City that monitors six a certain speed,” he says.

‘The botnets keep trying and trying.’ RICH BOLSTRIDGE, CHIEF STRATEGIST, AKAMAI TECHNOLOGIES

ATMs and Apps: the New World of Customer Experience Join us for the 20th US event that will focus on the industry’s Next-Gen ATMs initiative and a world of exciting new capabilities in the self-service channel. Making Connections: This is the largest ATM‐focused that will explore Next-Gen ATMs, current security event in the world and an opportunity to network concerns, the future of cash! with over 1,200 colleagues and professionals from all sectors of the industry. Product Showcase: Over 100 exhibit booths. Showcase your products and services in the largest Educational Sessions: Take advantage of workshops, ATM industry exhibit hall, or come to see the latest breakouts, and general sessions from over 70 speakers technologies and network with your vendors. Register now and save $100! To register go to www.atmiaconferences.com

Platinum Sponsors: Diamond Sponsors: Gold Sponsors:

Silver Sponsors: Bronze Sponsors: Conference Sponsors:

December 2018 • digitaltransactions • 23 Bots have improved over the years, data-security account, according to Forter’s Sims. As an example, why executives admit, but they still often betray themselves use credentials good for a relatively low-ticket food- with robotic behavior, however subtle. delivery service if, with a little time and effort, you find “If all those touches are uniform, they’re all the same out those credentials also work at a high-end retailer? size, that might be automation,” says NuData’s Capps. “If “A popular one today: take over the account and not something’s too perfect, that’s a problem. If something’s transact because they’re trying to get other data points too random, that’s a problem.” because they want to take the information to commit a Adds Zelazny: “There are certainly bots that are bigger type of theft,” Sims says. trying to behave like humans, but they can’t react because they’re scripts.” ‘SINKHOLING’ It’s attacks like these that are prompting data-security ‘LOW AND SLOW’ vendors to roll out new anti-bot products. One of the most Despite their scripted behavior, some bots have their own recent comes from Cequence, which in November unveiled tricks, and these can help them evade attention. One is to its Cequence ASP, for application security platform. slow down their normally very high rates of login attempts. The platform uses artificial intelligence, machine In a recent report about credential stuffing, Akamai learning, and other technology to first identify the Web describes the unpleasant situation a large credit union found assets that a client needs to protect. It then monitors the itself in: Under attack by three separate botnets at once. client’s Web and mobile applications, as well as its APIs, The first sign of trouble was a more than tenfold for signs of attack, Cequence CEO Link says. increase in malicious log-in attempts per hour, from A point of differentiation for Cequence ASP from about 800 under normal conditions to a spike of 8,723. older anti-bot technology is its ability to work with But Akamai calls the botnet responsible for this attack clients’ existing Web applications, says Link. JavaScript, a “dumb” because all of its traffic came from two Internet popular Web-coding technology, requires code injections Protocol (IP) addresses based on a cloud platform, and for and software development kit changes for each Web or other characteristics. mobile application, according to Cequence. The second “bot herder,” as Akamai’s report calls “We do this with absolutely no change to the applica- it, “was impatient and attacked at such a high rate it tion environment,” Link says. couldn’t escape notice.” Over the course of three days, Another differentiator, Link says, is an open architec- this botnet generated more 190,000 malicious login ture. That means the service can be deployed on-premise attempts from thousands of IP addresses. This one or in the cloud, and easily exchange data among other needed more work to defuse than the first. systems and devices. But the third bot proved to be the most dangerous The service is tailored for very high volumes—it and difficult to detect. “This bot used a ‘low-and-slow’ comes with a tiered, subscription-based pricing model approach to attacking the site, averaging one malicious starting at $150,000 a year based on analyzing 10 million login attempt every other minute,” the report says. It transactions per day. used 1,500 IP addresses, but the average of login attempts Once a botnet is identified, defenders have various per address over the time of the attack was very low. options to neutralize the attack. A common one has This third, more subtle attack “does highlight the been “sinkholing” the traffic, where it’s re-routed to a increased sophistication of the botnets,” says Bolstridge. so-called negative address where the bot’s credentials Another technique gaining favor among account- can’t be tested. Such an address is one “where’s there’s takeover fraudsters is to lie low after capturing an basically nothing,” says Javelin’s Pascual.

‘I was surprised at the level of sophistication’ of a botnet attack on a retailer. LARRY LINK, PRESIDENT AND CHIEF EXECUTIVE, CEQUENCE SECURITY

24 • digitaltransactions • December 2018 When the new Cequence ASP confirms a bot attack, the “You really need to monitor every stage of the system attempts to squelch it through blocking, limiting customer lifecycle,” he says. “If you just look at the point traffic, deception, and other techniques. Cequence says of the transaction, you’re setting yourself up to fail. Avoid it has tested the new service in several deployments, the traditional rules-based analyses, try to monitor as including a Fortune 100 multinational financial-services many different touch points in the customer lifecycle as provider and a Fortune 500 cosmetics retailer. possible, not just the checkout.” Good bot defense also goes beyond technology and defense strategy to factor in consumers’ perceptions of how well companies guard their data, according to ‘RAISING THE BAR’ Pascual. That’s especially true for retailers, who are Apart from using this or that anti-fraud product, merchants, newer to the data-protection game than banks. financial institutions and others with data to defend need to “If my competitors offer better security ... that could be take a broader approach to fighting botnets that focuses on a competitive advantage,” he says. DT more than just transactions, according to Sims at Forter. —With additional reporting by Kevin Woodward

‘You really need to monitor every stage COLIN SIMS, CHIEF FINANCIAL of the customer lifecycle.’ OFFICER, FORTER INC.

Digital Transactions News We deliver the payments industry news to your email inbox daily!

Digital Transactions News is packed with news and information from the $123.4 billion transaction industry:  Two original stories every issue  Trending stories, so you know what our subscribers are reading  Links to Digital Transactions magazine  Calendar of events  PLUS! “In Other News” The most complete listing of announcements from the payments community

Subscribe today at Bolandhill.omeda.com/dtr/ or email publisher Bob Jenisch at [email protected]

December 2018 • digitaltransactions • 25 NETWORKS December 2018 digitaltransactions

The Promise—And Threat— of Real-Time Payments

John Stewart

Three years ago, Mastercard shelled out big money for a U.K. technol- which card payments may not figure ogy firm. As faster payments take hold in the States, the rationale for so prominently as they do now. “In the past, whatever the problem was, the that deal will soon be put to the test. answer was always a card,” says James Anderson, the company’s executive ack in July 2017, the Federal payloads as it transmits requests for vice president of commercial products. Reserve issued a challenge to payment and requests for information With faster—especially real- Bthe U.S. payments industry: between parties. time—payments, that outlook had to create a nationwide real-time pay- That extra transmission channel change, Anderson says. “One threat ments regime by 2020. While that may sound mundane. To TCH, it’s [Mastercard analysts] identified was challenge set many hands wringing, anything but. “We’re catching up, real-time payments,” he says. That’s at least one company figured it was but in a lot of ways we’re leading because what VocaLink and others already set up to meet the goal. the rest of the world,” says Irfan offered was faster payments without In May last year, Mastercard Inc. Ahmad, a former health-care expert a card on rails that could conceivably had closed on its $920 million acqui- who is senior vice president for prod- do what card networks do. sition of VocaLink Holdings Ltd., uct development at TCH. At the stroke of a pen, the Voca- a London-based software house Largely because of VocaLink’s Link deal “moved [Mastercard] from renowned for its expertise in real- work with TCH, real-time business- a card network to a payment-solution time transactions. The firm, after all, to-business and business-to-consumer provider. That’s quite subtle but very had built the network for the United volume in the United States will hit powerful,” says Dean Wallace, practice Kingdom’s Faster Payments Service, $849 billion by that crucial year, lead for real-time and digital payments which is already a decade old. 2020, nine times the volume in 2017, at ACI Worldwide, itself a developer of By the time it joined Mastercard, according to projections by Mercator real-time payment technology. VocaLink had already gone to work Advisory Group (chart, page 29). Both Mastercard and Visa offer on a real-time switch for The Clearing real-time products, but Mastercard House, the New York City-based bank Real-Time Chops Send and Visa Direct depend on card processor owned by 25 U.S. finan- For Mastercard, however, VocaLink’s pipes and card rules. Both are deriva- cial institutions, including the nation’s real-time payment chops are impor- tives of a protocol called the orig- money-center banks. That technology tant for reasons that go beyond inal credit transaction, which was went live in November 2017, process- meeting a Fed deadline. Indeed, the developed in the first place to get ing transactions in mere seconds. rationale may well go beyond its refunds instantly to customers when But the TCH system involves more acquisition of a key position in faster- they returned merchandise they had than just fast clearing and settlement. payments development not just in the bought on a card. It also includes some extra twists that U.S. but in other parts of the world “It was a threat if someone devel- could prove crucial for a wide range where VocaLink is active, including oped real-time [capability] that was not of applications now served by card Singapore and Thailand. on card rails,” Anderson says. Hence, and automated clearing house rails. With this deal, Mastercard has it wasn’t hard to develop a strong ratio- By design, the system can handle data bought insurance against a future in nale to buy VocaLink, he says.

26 • digitaltransactions • December 2018 The payments market is large and fragmented. DigitalTransactions.net gathers the most important news in one place, and shows you how it all ﬁ ts together to impact your business.

Concise, Breaking Calendar Complete Detailed 13 years of clean news of industry current and listings of payments interface from the events past issues payments news and is easy to payments of Digital market analysis navigate market, Transactions suppliers posted daily magazine Also figuring into the deal was the progress Mastercard had already made in bill payments, another prime ‘The U.S. is quite unusual in that lots of channel for faster payments. “We had a bill-pay directory. Faster payments the billers do it directly themselves. What comes along and that becomes a stra- tegic asset,” he says. this is trying to do is be a single interface.’ In October, Mastercard announced a service it plans to roll out next year that will rely on TCH’s real-time engine Lodge, a U.K.-based senior analyst for Observers suggest one way this to attack a U.S. bill-pay market the card payments at the research firm Celent. could unfold is through VocaLink company estimates at 15 billion annual Now the question is what else Mas- technology called the Pay By Bank payments totaling $4 trillion in value. tercard can do with its newfound real- app, which enables fast transfers via Experts see the new service taking time expertise. If the card company a mobile-banking app. Designed for share away from billers and the so- really wants to get beyond cards, some online checkouts, the app could be called biller-direct payment channel. observers say there might be an ave- adapted to some physical-world sce- “The U.S. is quite unusual in that lots nue toward merchant acceptance with narios, these observers say. of the billers do it directly themselves. existing VocaLink technology, though “Real-time payments at point of What this is trying to do is be a single such a move could upset a lucrative, sale are in fact an important part of interface for all these bills,” says Gareth decades-old interchange system. our VocaLink strategy,” says Anderson.

How Faster Payments Are Triggering Opportunity for Merchant Acquirers

When it comes to faster payments, merchants don’t want we get paid,” says Linden. “So we charge more.” Hel- to be left out, and that’s creating a big opportunity for geson points out that “there’s very little recourse” once payments processors and other acquirers. the funds are disbursed. At the same time, there’s only Indeed, as the payments industry shifts toward real- a matter of hours to vet transactions for fraud. “So there time and near-real-time money movement, payment has to be a premium,” he adds. processors can cash in on the value of getting good An example of what the market will bear for faster funds into merchants’ accounts instantly, processor funding is Square Inc.’s 3-year-old Instant Deposit fea- executives say. ture, which delivers funds to merchants within seconds “Especially in the small- and medium-size business for a fee of 1% of the funding amount on top of ordinary world, they’re willing to pay a premium for it,” says transaction fees. Henry Helgeson, head of integrated solutions at Colum- The plan at TSYS is to use its ProPay unit to manage bus, Ga.-based Total System Services Inc. (TSYS). faster funding, Helgeson says. TSYS acquired ProPay, Paysafe North America, the Shenandoah, Texas- an early entrant in what is now a crowded market for based unit of London-based Paysafe Holdings U.K. payment facilitators, in 2012. Ltd., has come to the same conclusion. In September, The pipes will come from Visa Inc. in the form of it launched a program called “Accelerated Funding” Visa Direct, a service that transfers money in real time that includes options from next-day to same-day to via an original credit transaction, or OCT. The OCT was “Express” funding. The last choice delivers funds within designed to deliver quick refunds to customers when hours to a linked debit card. “There are certain verticals they return merchandise to stores, but lately it has been where merchants really need the funding,” says Todd harnessed for fast transfers to businesses, as well. Linden, chief executive. For its real-time funding service, Paysafe is relying He agrees with Helgeson that demand is coming on Alpharetta, Ga.-based Ingo Money Inc., whose tech- largely from small and medium-size merchants. Restau- nology enables push payments between accounts. Lin- rants and bars, in particular, respond well to the idea of den sees delivering faster funding as a way to get in step getting their funds for Saturday and Sunday sales with- with a global trend toward real-time payments. out having to wait until Monday, he says. “It’s something we need to do, and we’re catching up Faster funds can command a premium because they with the rest of the world,” he says. “It seems only fair incur higher risk. “We’re funding the merchant before to give the merchant his money.”

28 • digitaltransactions • December 2018 How U.S. Faster Payments Will Take off $1,588 (Volume in billions for business-to-business and business-to-consumer payments)  B2B  B2C  Total $1,186 $956

$849 $659

$561 $439

$301 $282 $632 $527 $138 $410 $95 $260 $49 $46 $144 2017 20181 20191 20201 20211 20221

1. Forecast Source: Mercator Advisory Group “Following our acquisition of VocaLink, liquidity tool. The banking regula- price and other terms. Most small insti- we have increased our focus on tor is taking comments on the idea tutions are connecting to TCH via core innovation around real-time payments through Dec. 14, but just the sugges- processors rather than directly. globally. In the U.K., Pay by Bank app tion of its direct entry as a player in a “They feel the Fed represents a has been gaining momentum.” game over which it had been presid- choice in real-time payments,” says Indeed, progress for the app seems ing as a sort of umpire has set some Sarah Grotta, director of the debit strongest at the moment in Britain. observers’ teeth on edge. advisory service at Mercator Advisory Barclays Pingit, a mobile-transfer ser- In the view of some, indeed, the Group, a financial-services consul- vice, and HSBC are supporting the app idea of a Fed service may have come tancy in Maynard, Mass. or soon will, “and a significant number at the suggestion of smaller finan- A real-time gambit from the Fed of the U.K.’s retailers will be offered cial institutions that are wary of what could also prove to be a golden ticket Pay by Bank app as a new way to pay they see as big-bank dominance of for Mastercard. “If the Fed decides for their customers,” Anderson adds. TCH. “There’s an element of truth to to proceed, Mastercard will have an [that],” says Eric Grover, a Minden, opportunity to bid. They’d almost be in ‘Pole Position’ Nev.-based payments consultant. The pole position to win this,” notes Grover. A wild card for all real-time players Fed, he says, wants “to stay relevant surfaced in October when the Fed- with small banks.” ‘In the Dark’ eral Reserve indicated it is looking Indeed, small banks may see in a For now, Anderson is content with into starting up a service for real- Fed service the sort of competition that what he sees as an unfolding trend time gross settlements, including a could keep TCH from overreaching on Mastercard anticipated back when it made its move to buy VocaLink. That trend, he says, is even bigger than real-time payments. “What we see that others didn’t see is there’s a pent-up demand to upgrade the [payments] infrastruc- ture,” Anderson says. An opportunity that big, he adds, comes along once in a generation.

(Photo: Mastercard) Yet, so far, he isn’t seeing much reaction out of his rivals at Ameri- can Express Co., Discover Financial Services Inc., and Visa Inc. “I would be very happy,” he says, “for them to VocaLink’s Pay By Bank app: A route to the point of sale? wander along in the dark.” DT

December 2018 • digitaltransactions • 29 ENDPOINT While companies are hesitant to disrupt consumer convenience, ATO can severely damage brand reputation. When debating between the two, consider Balancing Consumer the lifetime value of a lost customer. Expectations And Fraud Prevention

There are no perfect solutions for account-takeover fraud, but tactics such as consumer education and prevention at log-in can make a big difference, says Rich Huffman.

ccording to Javelin Strategy & and processors, must address the issue with Research’s report entitled, “2018 knowledge and newer, relevant technologies. A Identity Fraud: Fraud Enters a New Era of Complexity,” account takeovers (ATOs) An Enterprise Issue tripled in 2017, resulting in $5.1 billion in Gone are the days when fraud was finite. Accord- Rich Huffman is senior director, associated losses. And the losses are more than ing to the National Institute for Technology Stan- product manage- just monetary. The same report estimates this dards (NIST), using SMS or email for out-of- ment, at Equifax crime takes, on average, 15 dedicated hours and band or multifactor authentication is no longer Inc., Atlanta. $290 in out-of-pocket expenses for a victim to secure. Reliance on passwords and “what-you- resolve. This doesn’t even factor in the costs of know” authentication methods actually increases churn by estimating the average lifetime value fraud due to tactics such as MITM attacks. of lost customers. Criminals are using automated attacks ATO is a criminal’s gold mine in more ways through online and mobile channels to expo- than one. This type of fraud offers a lot of infor- nentially expand the account-takeover fraud mation for criminals to use because of the asso- damage. Both financial and secondary accounts, ciated account credentials accessed with tactics such as email accounts, are targeted because such as man-in-the-middle (MITM) attacks. An they provide criminals with validity and help MITM attack occurs when a fraudster either them conceal the crime, as email accounts are taps into a call between a user and service pro- often the destination for password-change alerts. vider, or impersonates a service provider, to Moreover, there’s a false sense of security obtain personal information. as Touch ID and other native phone biometrics Whether it’s through MITM or hacking, don’t eliminate password vulnerability. They once criminals have their entry points, they simply make it easier for consumers to unlock can do more damage through password testing their phones. on popular Web sites by trying to find relevant Consumers’ expectations of convenience, matches. Automation, specifically the use of combined with a general lack of knowledge bots, makes this process even easier. about security, compound the issue. Consumers But with the uptick in ATO comes more expect ease of use in their payments and retail options for addressing this challenge. To face the and bank accounts, but at the same time, they rising incidents of ATOs in today’s digital envi- blame the merchant or bank when an account ronment, businesses, including retail bankers takeover happens.

30 • digitaltransactions • December 2018 SPONSORED CONTENT HOW ECOMMERCE SMBs ARE FUTUREPROOFING THEIR BUSINESSES IN THE WAKE OF PAYMENTS EVOLUTION Oscar Nieboer – CMO, Paysafe Group Security has overtaken reliability and cost as the top priority for businesses when selecting a PSP. Here’s why. There is a genuine belief globally that online goliaths methods we expect to feature more regularly at such as Amazon, with the nancial and human the checkout after this time include online cash resources at their disposal to be at the cutting edge replacement systems, payments by instalment, and of all and any industry it chooses, have their eyes subscription payments. xed on running every small competitor out of business; the online businesses that cannot keep pace IN THE ERA OF SEAMLESS PAYMENTS, with the latest innovations in customer experience SECURITY TRUMPS EVERYTHING ELSE will fall away as their market consolidates. Online businesses are aware of the pressure to To discover how businesses are reacting to this create a seamless payments experience, but over threat, we asked over 600 SMBs from across half (52%) of them also believe that reducing Europe and North America accepting payments friction in the payments process exposes them online to tell us how they are planning to future- to a greater risk of facilitating fraud. 74% believe proof their businesses in the face of a rapidly fraudsters are targeting online businesses more changing ecosystem and with eCommerce power- than they were this time last year in any case, houses looming over their shoulders. and 55% acknowledge that online card fraud is an increasing problem for them. CHOICE IS FUNDAMENTAL AT THE CHECKOUT OF TOMORROW So it’s not surprising that security is now the One major takeaway from our Lost in Transaction: primary factor online SMBs take into consider The future of payments for SMBs research is when selecting which payment service providers that online businesses are committed to giving (PSPs) to partner with. 59% of businesses list consumers more exibility when it comes to the security as a key consideration, ahead of reliability method for making a payment. (49%) and cost (47%).

According to our survey, 75% of online businesses This is a direct response to the need to implement agree that increasing the number of payment friction free payments in a secure way to remain methods they o er at the checkout is essential to competitive; 81% of businesses place the responsi- success. This is a recognition that the payments bility for protecting against fraud at the door of their ecosystem is fragmenting, with consumer payment PSP and 70% acknowledge they are nding it hard preferences dissipating beyond traditional card to determine the balance between improving security payments to numerous alternative payment solutions. processes whilst making the customer journey as seamless as possible. Overcoming this hurdle is the Online businesses currently o er four payment critical step to futureproo ng for an online merchant, methods on average, but this is predicted to rise which is why it is such a critical consideration factor to six within two years. The alternative payment when selecting a payments partner.

To discover more about the top SMB opportunities and concerns with payments, download Lost in Transaction: The future of payments for SMBs now. paysafe.com/lostintransaction2018 In today’s consumer-driven envi- Consumers know that passwords, device change, password-entry ronment, convenience is considered by themselves, are not the best secu- behavior, time-of-day differences, and table stakes for a good customer rity method. Yet, there are many mis- browsing time before logins can be experience. Nearly 40% of consumers conceptions about which security impactful in thwarting ATO, without would change their banks for a better solutions work. Customer knowledge harming the consumer experience. mobile app. This new lack of sticki- and participation is key to driving Account takeover numbers are ness underscores the importance of stronger, practical security options at increasing exponentially, with some driving convenience at every stage of account opening and beyond. reports indicating year-over-year the customer’s journey. growth as high as 160%. This high While companies are hesitant to No Silver Bullet number, combined with the higher disrupt consumer convenience, ATO When it comes to eliminating digital number of solutions to tackle this can severely damage brand reputa- fraud, there’s no one-size-fits- issue, can be overwhelming to mer- tion among customers. When debat- all approach. However, accuracy chants and financial institutions. ing between the two, consider the life- and response times are critical in While there is not one solution time value of a lost customer. reducing it. that reduces this number to zero, the The key to thwarting ATO attacks Financial institutions need to goal is to see numbers trending down. is detection at login. And while many explore the online-account and fraud- Financial institutions and card issu- merchants worry about increasing detection solutions that work best for ers can take certain steps to improve consumer friction through added secu- them, including ones that offer more security in their digital channels with- rity, there are many fraud-prevention insights into consumers’ identities and out adding friction to the customer tools designed to be transparent and provide the ability to stop fraud at experience. consumer-friendly. the login process. This is a key way With the proper technology and to prevent enterprisewide and multi- monitoring solutions, you can help sig- Everyone’s Business channel ATO. nificantly reduce ATO at login and pro- Only about half of consumers are There are also many protection tect your customers’ most important familiar with online/mobile authenti- services that combat ATO at login. data, without causing them to com- cation, and this number is likely lower Monitoring geographic IP change, pletely disengage from your brand. DT for certain segments of the population, like Baby Boomers. Because Millennials are more ADVERTISER INDEX likely to be acceptors and early adopt- ATMIA US Conference Page 23 ers of security measures, it is impor- www.atmiaconferences.com tant to focus on giving them the edu- Digital Transactions Pages 15, 21, 25, 27 cation and tools to continue fostering 877-658-0418 www.digitaltransactions.net their openness towards fraud preven- Electronic Merchant Systems Inside Back Cover tion and security. 866-887-8907 www.emsagent.com But while a lot of businesses are eProcessing Network Page 7 focusing on Millennial engagement, 800-296-4810 www.eprocessingnetwork.com it’s also imperative to focus on edu- Harbortouch Page 1 800-201-0461 www.isoprogram.com cating the generations that are not as accepting of this new technology. Humboldt Merchant Services Back Cover 855-767-0685 www.hbms.com Take a good look at the ways you Magtek Page 3 educate your entire customer base 562-546-6467 www.magtek.com about security solutions, especially Northeast Acquirers Association Conference Page 13 older generations who lack awareness www.northeastacquirers.com or understanding of identity theft and PAX Page 5 other security threats. 877-859-0099 www.pax.us It’s important to communicate the PAYA Page 11 damage account takeovers can do. 855-603-1090 www.paya.com By doing this, you can educate your PaySafe Page 31 800-309-0524 www.paysafe.com entire customer base on the more TSYS Inside Front Cover secure encryption offerings available 866-969-3350 www.tsys.com/solutions/products-services/acquiring/ to prevent identity theft.

32 • digitaltransactions • December 2018 No Good Merchant Left Behind.

d 1988 she Establi

O n e e m Me Ti rchant At A

CUTTING EDGE PRODUCT SUITE

CUSTOMIZED AGREEMENTS TO BUILD YOUR PORTFOLIO

SAME DAY APPROVALS

DEDICATED AGENT SUPPORT Learn More Call 866.887.8907 Visit emsagent.com

700+ Enjoying the view? Wait until you see your portfolio. Partner with

At Humboldt Merchant Services, helping you grow your portfolio comes naturally to us. After all, we’ve been providing customized payment acceptance solutions to retail, ecommerce, and specialty merchants since 1992. So partner with Humboldt today and take your profitability sky-high with solutions for every merchant,all supported by:

Specialized Multi-Currency A Full Suite of A Boutique Client Chargeback Reporting. Conversion. Anti-Fraud Services. Experience.

Whole new revenue streams for you, plus the unparalleled personal service you and your merchants deserve … How’s that for a breath of fresh air?

SinceJOIN THE 25-YEAR INDUSTRY 1992LEADER TODAY. 855.767.0685 | HBMS.COM

INDUSTRIES WE SPECIALIZE IN: Adult Content • Bail Bond Insurers • Business Opportunity • Buying Clubs • CNP Tobacco • Dating Direct Marketing • E-Cigarettes • Extended Warranty • Firearms & Ammunition • And Many More