Need an early warning system for what payment system hackers are about to do? Then knowing what’s happening on the dark net is imperative.

In this episode of Payments on Fire®, George speaks with Aamna Zia, VP of Finance and Growth at Flare Systems, and David Hetu, its Chief Science Officer. Based in Montreal, Flare Systems operates a dark net monitoring system that brings intelligence to the InfoSec and fraud management teams at banks.

The dark net is a mysterious place for most of us. It exists on something called Tor, an internet overlay that is designed for anonymity. Using a purpose-built browser, users can access websites, chat rooms, and the like, similar services to those we use on the open internet. The anonymity feature makes performance slow but it also works.

And that’s why it is the hub that marketers of stolen card numbers, user IDs and passwords, personally identifiable information, and hacking tools use to buy and sell. It’s this activity and the discussions around it that Flare Systems monitors and reports on.

Among the findings of Flare’s analytics is the fact that the vast majority of card data sellers probably have to live with their parents to get by. There’s not a lot of money in that particularly tired approach.

Obviously, there’s plenty of money to be made in payment fraud, though. Account takeover (ATO) fraud is growing quickly as recent losses on the UK’s Faster Payments system demonstrate. Synthetic identity fraud is fueled by the kind of data sold on the dark web.

Take a listen as Aamna Zia and David Hetu as they describe how Flare Systems works and what the hackers are up too. Then, if you’re on a bank’s infosec or security team, try to get some sleep.

Listen to George and Jacques Soussana, General Secretary, of nexo Standards, an organization based in Europe with global goals to establish interoperability of hardware, software, and data across the point of sale and e-commerce domains.

Interoperability in a Complex Ecosystem

The payments industry is in a period of especially swift change. New methods of payment, new payment systems, new ways to initiate a purchase.

Innovation can be wonderful, improving convenience, speed, and reliability. But there is a downsides to all of this creativity: Interoperability. Connecting disparate systems is technically challenging and faces business questions such as “what’s the ROI on connecting to yet another system?”

Today interoperability may be difficult or impossible by design. Payment methods stood up by individual companies often remain closed or must rely on other payment systems to actually move transactions.

In what is an increasingly integrated world with payments as an embedded experience, interoperability challenges show up both at the physical point of sale and online. Acquirers often use proprietary adaptations of standard protocols to “enhance” their capabilities and, to a degree, erect competitive barriers. The software used to connect point of sale terminals processed by one vendor must be changed when those same POS devices are connected to another provider.

Further complicating the merchant challenge is the merchant-facing software that connects to those terminals. That software connects to each brand of payment terminal in a proprietary fashion. While gateway providers simplify the payment interface for these independent software vendors (ISVs), each gateway provider has its own approach.

For merchants, then, there’s no such thing as “plug and play” software to connect to terminals or to connect those terminals to payment networks.

This complexity was bad enough when card rails were the only payment method of consequence. Today, however, domestic and regional payment methods are changing, adding account-to-account push payment systems like the U.S Real Time Payment Network from The Clearing House or the European SEPA Instant Credit system.

In other words, there are new payment rails, the systems that actually move money, that matter.

So, this complexity problem must overcome and that is the goal of nexo Standards, the organization Jacques represents and the topic of today’s Payments on Fire® discussion.

Getting stakeholders to work on the common goal of interoperability is no easy task. Most often, participants come from competitive companies. Most of these organizations are large because, first, they have to be large to afford the investment in participation, and, second, they have to be large to realize the financial benefits of actual implementation.

This is known as the “Herding Cats Problem” and they aren’t kitty cats.

nexo Standards, and its prior incarnations, has been working on point of sale standards for over a decade. The nexo FAST standard that addresses the physical point of sale, EMV, and how to connect within the SEPA framework is nearly 1,000 pages long. And there are multiple nexo specifications including the Retailer protocol that describes the interfaces between a card payment application and a retail point of sale system

Other nexo standards address security, terminal management, the acquirer connection, and implementation.

So, a complex technical and business environment with nexo Standards bringing a comprehensive set of specifications to address it.

nexo Standards Annual Conference (attendance is free, in London)

Talking Faster Payments

In this Payments on Fire® episode, Faster Payments Council Executive Director Kim Ford discusses the Council’s work, the U.S. Faster Payments Barometer survey, and where we are today with Glenbrook’s Beth Horowitz Steel and Elizabeth McQuerry. Take a listen and take the survey. You’ll contribute to the Council’s education, planning, and prioritization work.

Take the survey

A Better Way, Please

Last week I tried to connect my accounts at two different banks. Between account type mismatches (my bad), long account numbers, ACH micro-deposits, and balky websites, well, I’ll confess I put a check in the mail as a “quicker” way of overcoming the electronic barriers. Snail mail. Really?

That situation, and many more where speed matters, is exactly why the world is turning to faster payment systems that allow the accountholder to push money from an account she controls to a recipient in near real-time. To eliminate entry, and sharing, of bank routing and recipient account numbers, today’s faster payments systems are often enhanced by a directory that maps the recipient’s name to a mobile number or email address. The director connects those to the underlying bank account.

This is great stuff, especially for the United States where so many push payment methods exist based on closed loop or incumbent payment rails. The U.S. now has providers like Venmo using balance transfers and card rails (Visa Direct, Mastercard Send) to make realtime P2P transfers workable. NACHA has sped up the automated clearinghouse (ACH) system to run batches a few times a day to accomplish its Same Day ACH service.

We have Zelle, the P2P service stood up by Early Warning Services,  that combines a directory with immediate funds transfer availability for the recipient and interbank settlement running over, yet again, an incumbent payment system, in this case the ACH.

Every one of these approaches has merit and traction.

New Rails, New Rules

That said, the new real-time systems are growing here too. Built with modern software and messaging protocols, they promise to change how both end-user settlement and interbank settlement is accomplished.

The first on the scene was the Real Time Payment (RTP) network from The Clearing House (TCH). Launched in 2017, the largest financial institutions and bank processors are integrating their core systems—the software that manages accountholder balances and transaction activity—to the RTP Network.

And this summer, the Federal Reserve announced it will build and operate its own faster payments system called FedNow. Like TCH, the Fed has operated multiple payment systems and been the preferred operator for the nation’s smaller financial institutions.

New Complexities

Competitive pressures, market guidance, and regulation are what move the U.S. economy. The Federal Reserve provided plenty of guidance to encourage development and deployment of faster payments systems. THC’s RTP Network was among the first to respond.

These new rails are a result of a multi-year effort by the Federal Reserve to shepherd the highly competitive U.S. payments industry toward the development of these faster payment systems. The RTP Network and FedNow are proof of its success and that of the Faster Payments Task Force, the group convened by the Fed to define the characteristics of the new approaches.

But there’s still a lot of work to do. Questions of governance, implementation, and more abound. Interoperability concerns are especially high. These are, after all, competitive systems.

The New Organizing Principle – The U.S. Faster Payments Council

To keep the evolution of the U.S. faster payments moving forward, the U.S. Faster Payments Council was formed. Many Task Force members have joined as members of the Council.

The Council serves as an industry-led organization that supports collaboration across multiple areas including security, end user education, and interoperability.

In other words, the Council will be herding some very big cats.

The U.S. Faster Payments Barometer

To support its education and collaboration efforts, the U.S. Faster Payments Council is conducting a survey of industry views on faster payments advancements. A multi-year survey, to monitor the momentum and evolution of Faster Payments here in the U.S. market.

The survey is designed to identify key criteria for market adoption, broadly gauge momentum for various use case applications, and seek to address challenges to be solved in order to have a well-established Faster Payments ecosystem.

Take the survey

Talking Faster Payments

In this Payments on Fire® episode, Faster Payments Council Executive Director Kim Ford discusses the Council’s work, the U.S. Faster Payments Barometer survey, and where we are today with Glenbrook’s Beth Horowitz Steel and Elizabeth McQuerry. Take a listen and take the survey. You’ll contribute to the Council’s education, planning, and prioritization work.

For a nanosecond, about seven years ago, I thought the payments industry was entering a steady state where change, while sure to be accelerated by technology, was going to settle down to the familiar sedate pace the payments industry had taken for decades.

Hah! Payments industry evolution has leapt forward since then based on, yes, technology, but also new rules, regulations, business models, and changes in attitude toward how money moves, security, and privacy.

One major trend I didn’t anticipate then was the global phenomenon of faster payments, now in active implementation or operation in some 40 countries around the world. Another, of course, is cryptocurrencies but I’ll leave that one alone for now.

The emergence of faster payments is a function of new technology with new transaction switching infrastructure and (mostly) a common messaging standard in the form of ISO 20022. But it’s also a function of rules and market response.

Even in the United States, a nation whose payments strategy is largely set by competitive forces, the central bank has had significant influence in launching new settlement capability. (And now, the Fed is planning to build its own version).

Europe and India are standouts when it comes to government guidance and strategy setting for banking and payments systems.

The European Union’s active role in evolving payments policy is recently expressed in the second Payment Services Directive (PSD2).

PSD2 has chosen to address one of the most vexing digital security challenges: strong customer authentication or SCA. Article 4(30) of the directive defines SCA as:

“an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”

For anyone familiar with authentication requirements, this is hardly a novel approach. That said, as far as the payments ecosystem goes, however, this is a sea change.

This is also a necessary change. Faster payment systems, where the sender pushes the payment to the recipient, make the sender’s bank responsible for authenticating its accountholders. The accountholder has to prove to her bank that she has the right to access her own account and to initiate a payment.

Unfortunately, phishing and malware are attacks that make account takeover easier than ever. There’s been an uptick in authorized push payment fraud in the U.K. due to ATO.

Therefore, enforcement of multi-factor authentication is seen as a necessary response.

Point of sale transactions already meet the SCA requirement. The card is something you have; The PIN is something you know. That’s enough to meet the SCA requirement. Oh, right, in the U.S., we don’t put PINs on credit cards. They do in Europe. We’re going to need biometrics in the U.S. (something you are).

PDS2’s SCA mandate requires that multi-factor authentication be used whenever a user logs into her bank account or makes an eCommerce payment. Whenever payment risk is a possibility, SCA has to be used (there are plenty of exemptions but that doesn’t change the point).

Every stakeholder—every bank, every eCommerce site—must comply by doing something they have not done before.

That means a lot of work.

In this Payments on Fire® episode (Episode 100!), I speak with Russ Jones, Glenbrook’s partner in charge of our Payments Education Program and a preeminently insightful payments consultant. Russ takes us through SCA, its relationship to other standards, and the impact of its now somewhat delayed implementation.

Russ concludes the conversation with the rather chilling observation that history is about to repeat itself. The U.S. will experience in the digital arena what the U.S. experienced at the physical point of sale.

When EMV chip cards were mandated in Europe, card fraud at the POS and the ATM migrated to the U.S. Reliant on the static data of the mag stripe, the U.S. became a global magnet for magstripe card fraud.

Once SCA becomes broadly implemented in the EU, in 2021 and beyond, online fraudsters will redouble their already considerable attacks on U.S. financial institutions, tech providers, and merchants. While security tools are more common than ever—FIDO capable smartphones are one example—the U.S. lacks a single entity to mandate and enforce multi-factor authentication in payments.

Scared yet?

One of the privileges of using a card to make a payment is the ability to dispute that charge should something go wrong. Maybe you ordered one garden rake but got charged for two. Perhaps you ordered a sweater and, as my colleague Allen Weinberg puts it, “got shipped a box of rocks.” Or you discover a charge that you didn’t make on your card account and believe it’s fraudulent.

In all those cases, the dispute process involves a chargeback.

The cardholder disputes the charge, the issuer credits the customer for the amount of that charge if it’s an obvious mistake or fraud, and, depending upon the chain of liability rules and the type of transaction, one party—the issuer, the acquirer, or the merchant—will have to bear the cost of the chargeback.

For merchants, just getting a chargeback message is a cost in the form of a fee paid to its acquirer. How does $5 and (way) up sound? Chargebacks, as a payments cost, are no financial joke.

The card system also views the chargeback rate—the percentage of transactions that result in a chargeback—as a leading indicator of poor merchant behavior. Once a merchant’s chargeback rate approaches one percent of its transactions, the merchant’s acquirer or PSP is going to put it on notice. If the merchant doesn’t lower that rate pronto the merchant could lose the ability to accept card payments.

The chargeback process is also a cost to issuers who are generally the party first called by the unhappy customer (issuers will often ask the customer if she or he has called the merchant, too).

In other words, chargebacks are a result of something going wrong and they can be a costly hassle for everyone because, for many stakeholders, chargeback handling is still dealt with manually.

In this Episode 99 of Payments on Fire® we talk with Rick Lynch, VP of Business Development from Verifi, about the impact of chargebacks on merchants and issuers. He updates us on rule changes by Visa and Mastercard. And he addresses the process and techniques needed to handle these post-authorization events.

While only mentioned in passing during the episode, Verifi is being acquired by Visa, in another example of expansion by card network operators into adjacent payment ecosystem roles.

The global spread of digital payments gets a huge boost from giants like Google. Google’s Google Pay is far more than just a wallet, and the subject of this Payments on Fire® episode with Steve Klebe.

Steve heads Google’s Processor and Partnerships business and has terrific experience in our industry, working with payment gateway CyberSource, payment security firm RSA, and carrier billing firm BilltoMobile. He’s also served multiple times on the board of the Electronic Transaction Association.

In other words, a true payments geek.

Here’s what we talked about:

• The evolution of Google Pay from its 2011 launch as Google Wallet and the various incarnations since then
• Google’s business model for GPay and the degree to which the data generated by GPay transactions influence (or not) the advertisements we see on sites using Google’s advertising services
• Transit payments, Google’s role in the W3C’s Payment Request API, and how Google pulls it into its own tools
• The Google Pay value proposition and how it combines the value of hundreds of millions of cards on file, their organic growth through Chrome’s auto-fill, Google’s own sales, and making those credentials available to third parties via Google Pay
• The new Google Pay APIs that focus more on convenience than payments: event ticketing, airline boarding passes, and more
• Google Pay India, renamed from Tez, and its role in the UPI framework that enables secure bank-to-bank transactions.

We conclude with thoughts on the Open Banking phenomenon and Google’s intentions in that area.

Here on Payments on Fire® we’ve spoken a lot with risk and fraud management firms that generally offer some combination of services and technologies that promises to lower customer exposure to payments fraud, data theft, and operational risk.

There’s another dimension to cyber security that’s based on expertise – before and after a data breach. That’s the subject of this episode.

First, a company needs to understand its overall exposure. What do we have and what can we afford to lose? That takes a technical assessment of the firm’s internal and external defenses. It also takes an understanding of what the company has to lose, from reputation-based good will to loss of R&D investment through the theft of intellectual property. Such concerns are now top of mind for corporate directors tasked with shepherding their companies in the complex cyber domain.

Yes, there’s a role for insurance.

Post breach, there is the work of uncovering what happened, the maintenance of evidence so that proper forensic procedures can be taken, and the painful resolution process that may include fines (PCI) and litigation.

All of this is well understood territory for Chris Uriarte, Chief Information Officer at Aon Cyber Solutions who joins George in this episode.

Topics discussed include:

• The kind of activities and efforts needed to address today’s cyber risk
• How IoT threats are no longer confined to cheap surveillance cameras
• The sophistication of the cyber criminal industry
• The interlocking roles of threat analysis, risks assessment, and insurance
• The rise of ransomware and the particular exposure larger organizations face from this threat

The task of risk management in the payments business keeps getting bigger. Where once the concern was confined to payments alone – starting with counterfeit checks and currency – payment electronification has created a universe of potential risks. Risk now includes fraudulent cards, system and network hacks, data breaches, and account takeover with all the havoc that can produce.

And we’re seeing how these impact the reputation and value of businesses even when the hack has nothing to do with payments. (By the way, bogus checks and counterfeit twenties are *still* a problem.)

We’ve touched on this topic in multiple ways on Payments on Fire®. We’ve spoken with Ethoca about its data sharing capabilities. We’ve spoken with Feedzai about its AI and machine learning technology. We’ve spoken with White Pages Pro and its data correlation capabilities. And we’ve spoken to companies deeply involved in the problem of online identity.

Each of those has a particular approach, a particular technology, or a combination of approaches, to apply to the problem of eCommerce or CNP fraud.

In this podcast, we talk to Tricia Phillips, SVP of Product and Strategy, at the fraud and risk management firm Kount. Protecting some 6,500 eCommerce merchants, banks, and payment platforms, Kount takes a deeply layered approach to the risk and fraud management.

This deep dive discussion takes us into not only Kount’s approach but into what fraudsters are doing today and the damage they can do, even to non-payments companies like Yelp. It’s a scary scene. Tricia takes us through it with insight and experience.

If Risk in Payments is a topic of interest, check out our upcoming Insight Workshop by the same name. Led by Russ Jones and Yvette Bohanan, you won’t find a more knowledgeable team to guide you through what is, as I hope we’ve demonstrated, one very complex topic.

One of the biggest payments challenges for merchants is how to handle payment data – whether it’s at the POS or in the remote domain where eCommerce and mobile payments take place. A lot of this concern is driven directly by PCI DSS compliance and broadly by the reputational risk data breach represents.

One of the major techniques merchants employ, in order to remove the need to store payment data, is tokenization – the replacement of the high value card data with a low value representation managed by another party. Merchants just store the token for lookup purposes while the third party maintains the database that links these low value tokens to the true primary account number or PAN.

At Glenbrook, we refer to these as merchant tokens because they are specific to and paid for by the merchant. We’ve also heard them referred to as acquirer tokens because the tokenization function is often performed by the merchant’s acquirer, processor, gateway, or payment service provider.

Makes sense, right? Put the radioactive payment card data into another party’s hands.

But for large and mid-size merchants, the provision of tokenization services to an acquirer has a few downsides:

1. The token database maintained by the provider is specific to the merchant. If the merchant wants to shift to another provider, tokenization portability can be an issue and a costly one.
2. In our merchant work, we are seeing the largest ones looking at a multi-acquirer topology for cost, redundancy, and channel flexibility purposes. But each acquirer will use its own tokenization scheme, adding complexity and limiting functionality.
3. Omnichannel merchants may employ one provider for POS transactions and another for eCommerce. That doesn’t work when you want to provide a consistent experience to your returning customer. You want a token that works across channels, i.e. an omnichannel token.

In this Payments on Fire® episode we talk with Alex Pezold, CEO of TokenEx, an acquirer neutral, independent tokenization provider. We talk a lot about protecting payment and bank account data. But we also address the growing need for protecting other data assets and how tokenization can help accomplish that.

Digital identity is one of the most solution-resistant challenges to online commerce and, indeed, our online lives. It is basic to online trust, an elusive condition undermined by data breaches, abuse of our data by service providers, and fraudsters.

That’s not to say we aren’t trying. Providers of all stripes are applying their value add to the problem. Smartphone makers have a role. Fraud management providers see themselves as having a role because they see so many users visiting their merchant customers’ websites or using their apps.

Networks do, too, as evidenced by Mastercard’s recent interest in identity services.

Then there are specialists in identity who play a role between the end user and the party granting access to a service, i.e. a bank. Today’s podcast is with SecureKey, a Canadian firm that has built a system to generate online trust while not sharing too much data between the parties.

Blockchain technology has increasingly gotten the attention of those in the identity space because the idea of having an immutable database as a single source of truth for identity credentials just seems so obvious.

Well, it’s not exactly as simple as putting your drivers license on a blockchain. SecureKey has partnered with IBM to use blockchain technology in support of its function as a provider of identity services.

SecureKey’s Verified.Me service gives the user the ability to quickly identity themselves and to share only the personally identifiable information they consent to share. Customers include Canadian banks CIBC, Desjardins, RBC, Scotiabank and TD. BMO and National Bank of Canada will be available later this year.

Take a listen to this conversation with Andre Boysen, SecureKey’s Chief Identity Officer, and Glenbrook’s George Peabody and imagine the power of coupling a service like this to strong authentication services that use biometrics.