Payments Industry Taking the Lead on Security – Let’s Keep It That Way

February 23, 2014 14:00 pm

by Charlie · 6 comments

Because I want a brief break to talk about anything other than Sam Moore for a few hours, here’s an issue that affects a lot of Georgia-based companies that process credit cards. It deserves a bit more attention than it is getting. This is a guest post from Jason Oxman.

As Congress considers legislation following the recent large-scale data breaches, it’s important to consider the technological innovations that will best protect consumers and sort out any well-intended, yet unintended consequences of new regulations or legislation that may lead to the suppression of marketplace innovations best positioned to address the ever-changing threat of cybercrime.

Headline-grabbing events inevitably lead to calls for additional government regulations. But our payments systems are built to detect and prevent fraud and to insulate consumers from any liability. Even where a retailer is breached, our payments systems are designed to protect consumers with zero liability and fraud prevention and detection tools.

Fraud accounts for less than six cents of every one hundred dollars spent on the payments systems – a fraction of a tenth of a percent.

The members of the Electronic Transactions Association (ETA) are the front lines of defense in the fight against financial crimes against consumers. ETA members detect and deter crime every day through innovative marketplace solutions while also complying with regulations from 50 states and more than 20 federal agencies.

Georgia’s concerns on this matter go well beyond consumer data protection. Georgia is arguably America’s leading state when it comes to the development, manufacture and sale of payment technologies. Over 60 percent of payment card transactions travel over the networks of companies headquartered in Georgia. Companies like TSYS, Global Payments, Priority Payment Systems, First Data, Elavon, just to name a few, are worldwide industry leaders.

These Georgia-based financial technology companies employ over 25,000 Georgians and their annual revenues exceed $20 billion, according to the Technology Association of Georgia. They are doing amazing work in the financial security space, and their solutions will be key in leading to more efficient, more secure payment systems.

Advanced technologies like chips embedded in credit and debit cards (so-called “EMV” cards) are already present in the U.S. market, and will be well established by 2015, which will help deter criminals from producing counterfeit cards.

New technologies like tokenization and other forms of encryption, as well as mobile payments and digital wallet cloud solutions, also hold great promise to deter and prevent fraudulent activities on our payments systems. All of these new innovations are being deployed today in the marketplace without government mandates that would pick technology winners and losers at the expense of innovation and competition in the market.

The U.S. Congress has an important role to play in protecting consumers in the United States from the criminals who prey upon the financial system. One area ripe for reform: regulations regarding consumer notification of breach events.

Currently, there is a patchwork of 46 separate state data breach notification laws with which retailers and the payments industry must comply, making uniform notifications virtually impossible. A uniform national standard would protect consumers by providing reasonable and effective notification requirements. Consumers and businesses would have a common and consistent expectation of breach procedure, and company time and resources could be devoted to innovative security solutions to protect against new threats.

As Congress continues to hold committee hearings and sorts out various bills, payments companies will continue to compete for customers by providing consumer protections beyond requirements of current law. These protections and flexibility are why U.S. consumers are going cashless and carry more than one billion debit and credit cards in their wallets. More than 70% of retail purchases are made with electronic payments, and ETA member companies, many headquartered in Georgia, process more than four trillion dollars in electronic payments on behalf of U.S. merchants each year.

The best and fastest way to protect the safety and security of consumers’ financial data is to allow payments companies and the merchants they serve to collaborate on industry standards and innovative solutions, in addition to Congress passing a preemptive uniform notification system for reporting financial data security breaches.

Jason Oxman is the CEO of the Electronic Transactions Association, which represents more than 500 payments and technology companies.


greencracker February 23, 2014 at 11:19 pm

Any idea why we don’t have cards with chips yet like in other countries?

Harry February 24, 2014 at 1:03 am

Bank of America has them now, but you have to ask.

bgsmallz February 24, 2014 at 10:25 am

Chicken and the Egg. Retailers want them, but don’t want to pay to put the systems in if the banks (aka the card companies) don’t supply them to consumers. Banks want them, but they are useless unless retailers have the equipment.

Visa has been the first to add some teeth. MasterCard followed. They changed their merchant agreements to shift some liability to merchants for fraud if they don’t have EMV capabilities by 10/2015.
http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/

Of course, they stopped short of requiring pin signatures rather than regular signature.

Target has embraced EMV in the wake of the data breach…
http://www.securityweek.com/target-making-100-million-push-toward-chip-enabled-smart-cards
Whether it would have prevented the breach is debatable, but it’s a good PR move with real benefits for consumers regardless.

I think the author overreaches by saying EMV will be well established by 2015…there just isn’t enough teeth in the merchant agreement changes to force retailers to spend on upgrading their equipment. However, I’ll be using my free market ability to shop retailers that accept EMV when possible.

Also, completely agree on the need for a uniform notification standard/system. The story of how Target and Neiman Marcus notified their customers is one of confusion and unnecessary delays.

Notification is in the news today actually…

http://www.cbsnews.com/news/eric-holder-consumers-must-be-notified-about-data-breaches/

John Konop February 24, 2014 at 10:44 am

One factor you are missing is interchange fees (base cost merchant pays per transaction) are based on risk of transaction…Mail order transactions cost more than card present swipe transactions for instance….

I started in the business when 99% of merchants were paper, i.e. higher risk….the reason merchants went electronic was based on saving money via interchange…..

John Konop February 24, 2014 at 7:46 am

As I have said for years…..the government should embrace concepts used in the payment industry to help fix Medicare/Medicaid fraud.

George Chidi February 24, 2014 at 11:03 am

I’ve been watching this industry space for years here. Payments processing is one of the few real technology clusters operating in Georgia, along with network security, some esoteric medical software, satellite telecom and server hosting. The payments industry is important in Georgia.

And Jason’s got a good point. There should be a national standard for notification worthy of the word. My concern is that the rate of growth in cybercrime isn’t being matched by increasing capabilities to track and arrest criminals.

I fear that we’re one or two serious breaches away from an electronic payments system that is nigh unusable, given the speed with which a home-brew rack of reconfigured graphics processing chips can crack what passes for strong encryption right now.

I’d like to see a federal notification standard coupled with a higher degree of consumer protection for debit card theft. But I’ll take what I can get.