Update on developments in online payments, Vol. 7 Issue 3, 13 May 2014
TRANSCRIPT
www.thepaypers.com Copyright © The Paypers

The Paypers Special: Data breaches keep on rising, collaboration is key in fighting fraud (p. 1)
Exclusive Interviews: Exclusive interview with Aaron Kline, ID Analytics (p. 7)
Experts’ Corner: Cybersource: What can organisations do to protect their customers’ payment data? (p. 2)
DATA BREACHES KEEP ON RISING, COLLABORATION IS KEY IN FIGHTING FRAUD

We live in a constantly changing world. Things that were just a thought a while ago are now becoming a reality. Nowadays technology, as well as the disruptive innovation that drives it, is present in almost every single aspect of our lives. The internet, for instance, which in its early years was both praised and damned, is currently the leading channel for most of our daily activities. Evolution is an ongoing process and the best is yet to come.

However, things are never that simple: progress also has its downsides. We have more freedom and more choices, and we have access to advanced technologies which enable us to perform complex activities, but at the same time we are exposed to numerous threats.

The payments industry is no exception. Each time we make a transaction, check our banking details, or authenticate on a new device, we run a major risk. Fraudsters are just around the corner, waiting to find that weak spot so they can gain access to sensitive financial data such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property.

Lately, data breaches seem to be the new wave when it comes to fraud. In 2013, US retailer Target disclosed that it had experienced unauthorized access to payment card data. The breach, which extended to almost all Target stores in the US, captured data stored on the magnetic stripes of the cards that customers swipe at the cash register. During the same year, another major US retailer was confronted with a similar situation: Neiman Marcus revealed that hackers had been inside its systems for several months in a breach that involved 1.1 million credit and debit cards.

According to data from the Ponemon Institute, the average cost of a corporate data breach grew 15% in 2013, reaching USD 3.5 million. Furthermore, the same source reports that the cost incurred for each lost or stolen record containing sensitive and confidential information increased more than 9% to a consolidated average of USD 145.

The report also mentions that the root causes of data breaches vary per country. Countries in the Arabian region and Germany had more data breaches caused by malicious or criminal attacks. On the other hand, India had the most data breaches caused by a system glitch or business process failure. Human error was most often the cause in the UK and Brazil.

Another study, this time conducted by Verizon, points out nine threat patterns, namely miscellaneous errors such as sending an email to the wrong person, crimeware (various malware aimed at gaining control of systems), insider/privilege misuse, physical theft/loss, web app attacks, denial of service attacks, cyberespionage, point-of-sale intrusions and payment card skimmers.
The same research shows that in the financial services sector, 75% of the incidents come
from web application attacks, distributed denial of service (DDoS) and card skimming. In
the retail sector, the majority of attacks are tied to DDoS (33%) followed by point-of-sale
intrusions (31%).
Findings reveal that the use of stolen and/or misused credentials (user names and passwords) continues to be the main way to gain access to information: two out of three breaches exploit weak or stolen passwords. In addition, retail point-of-sale (POS) attacks continue to trend downward, as they have since 2011. Industries commonly hit by POS intrusions are restaurants, hotels, grocery stores and other brick-and-mortar retailers, where intruders attempt to capture payment card data.

Taking into account these statistics as well as the latest major security incidents, it is obvious that both companies and consumers need better and more sophisticated measures to fight fraud. To keep up with cybercriminals, companies should acknowledge that they have to implement different solutions aimed at combating more types of attacks; a one-size-fits-all solution does not work. The best approach implies constant collaboration between the parties involved, permanent acquisition of industry knowledge and keeping an eye on fraudsters: trying to understand the way they think and act may help in identifying the appropriate steps to counteract these problems effectively.
EXPERTS’ CORNER
“What can organisations do to protect their customer’s payment data?”
By Pritesh Patel, CyberSource

Pritesh is responsible for establishing and leading a team of diverse Value Added Services Consultants across CEMEA to provide dedicated implementation, technical and presales support for driving ecommerce/CNP acceptance. He works closely with management to influence and drive sales and Value Added Services pipelines to ensure revenue targets are met or exceeded.

With more data being collected, from more consumers and across more channels, payment security has become top of mind. Today, payment data is gold, with sophisticated criminals using an array of methods to reach this sensitive information.

The whole area of data security is highlighted in Verizon’s latest Data Breach Investigations Report, based on interviews with 50 large organisations around the globe, which cites more than 60,000 security incidents and 1,367 confirmed data breaches as having taken place in 2013.

While Verizon tags 2013 as the “year of the retailer breach,” it acknowledges that retailers understand the need to protect customers’ personal identifying information, and that there are associated risks with it being compromised. As an organisation, you can certainly try to lock down and contain this data; however, your efforts will need to scale with your expanding operations. Costs can increase, and you’ll strive to keep ahead of criminal minds.

A ‘data-out’ strategy can help to mitigate concerns and contains two essential components:

1. Eliminate contact with sensitive payment data during acceptance
The use of cloud-based technologies allows you to transmit payment information directly to the cloud to be processed and stored in a PCI DSS-compliant network, so that the data doesn’t enter your environment.
Customers making a purchase online or via their mobile can then be directed to a payment page in the cloud where they can enter their payment information. In doing so, payment data never actually enters your environment; instead it is transmitted to a Level 1 PCI DSS-compliant network, removing liability at the point of interaction.
2. Avoid storing payment data in your systems
Remove payment data from your environment by tokenising it. A payment token is a
‘non-financial identifier’ that can be used in place of an original payment credential to
initiate a payment transaction. After a payment has been processed, your payment
provider should store the card data in a PCI DSS-compliant secure data centre and return
just the payment token.
Payment security risk arises from the fact that payment data is present in your
environment in the first place. By not touching, storing or handling sensitive data, you
can help reduce the complexity of PCI compliance management, and help protect
sensitive customer information.
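As an added illustration of the two data-out components above (this is not CyberSource’s code or API; the vault, the hosted-page function and the merchant class are assumed names), the following Python script simulates a PCI-scoped provider vault that receives the card from the hosted payment page and hands the merchant only a random token, plus the scan a merchant can run over its own records or logs to confirm that no card number (PAN) has leaked into its environment.

```python
import re
import secrets

# Added example, not CyberSource's API. ProviderVault stands in for the
# PCI DSS-scoped provider; hosted_payment_page is the browser-to-provider step;
# MerchantOrders is the merchant's own system. All names are assumptions.


def luhn_valid(pan: str) -> bool:
    """Mod-10 check used by card numbers; filters random digit runs out of scans."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ProviderVault:
    """Runs inside the provider's compliant environment: the only place a PAN is stored."""

    def __init__(self):
        self._cards = {}  # token -> (pan, expiry); never leaves this class

    def tokenize(self, pan: str, expiry: str):
        """Store the card data and return a token plus the last four digits."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(12)  # random: carries no information about the PAN
        self._cards[token] = (pan, expiry)
        return token, pan[-4:]

    def charge(self, token: str, amount_cents: int) -> dict:
        """Initiate a payment with the token; the merchant never sees the PAN."""
        if token not in self._cards:
            raise KeyError("unknown token")
        pan, expiry = self._cards[token]
        # Authorisation against the card network would happen here (simulated).
        return {"approved": True, "amount_cents": amount_cents,
                "auth_code": secrets.token_hex(3), "last4": pan[-4:]}


def hosted_payment_page(vault: ProviderVault, pan: str, expiry: str):
    """Component 1: the shopper types the card into the provider's page, not the merchant's."""
    return vault.tokenize(pan, expiry)


class MerchantOrders:
    """Component 2: the merchant persists the token and last four only."""

    def __init__(self, vault: ProviderVault):
        self.vault = vault
        self.records = []

    def checkout(self, customer: str, token: str, last4: str, amount_cents: int) -> dict:
        auth = self.vault.charge(token, amount_cents)
        self.records.append({"customer": customer, "token": token, "last4": last4,
                             "amount_cents": amount_cents, "auth_code": auth["auth_code"]})
        return auth

    def recurring_charge(self, token: str, amount_cents: int) -> dict:
        """Later payments (subscriptions, refunds) reference the token, not the card."""
        return self.vault.charge(token, amount_cents)


PAN_PATTERN = re.compile(r"(?<!\w)\d{13,19}(?!\w)")


def find_pans(text: str) -> list:
    """Scan text (logs, database dumps) for Luhn-valid, card-number-shaped digit runs."""
    return [m for m in PAN_PATTERN.findall(text) if luhn_valid(m)]


if __name__ == "__main__":
    vault = ProviderVault()
    shop = MerchantOrders(vault)
    # Constructed input: the widely used Visa test number, not a real card.
    token, last4 = hosted_payment_page(vault, "4111111111111111", "12/26")
    shop.checkout("alice", token, last4, 4999)
    shop.recurring_charge(token, 1999)
    print("merchant records:", shop.records)
    print("PANs found in merchant storage:", find_pans(repr(shop.records)))
```

The scan in `find_pans` is the kind of check worth running against a merchant’s databases and application logs after adopting tokenisation: the Luhn filter keeps order numbers and timestamps from producing false hits, while a genuine PAN that was logged by mistake is flagged, which is exactly the data the strategy is meant to keep out of scope.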
EXCLUSIVE INTERVIEW WITH JASON TAN, SIFT SCIENCE
“Sift takes a 'no rules, just data' approach to ecommerce fraud”

Jason Tan (@jasontan) is the Co-Founder and CEO of Sift Science, a US technology company that fights online fraud with large-scale machine learning. He previously served as CTO of BuzzLabs, a machine learning startup acquired by InterActiveCorp. Prior to that, he was an early engineer at two Seattle startups, http://Zillow.com and Optify. Jason graduated magna cum laude from the University of Washington in 2006 with a Computer Engineering degree.

Sift Science is a US-based technology company dedicated to making world-class fraud detection accessible to everyone. Sift designed its automated, real-time, large-scale machine learning solution to make finding and stopping online fraud as quick, easy and accurate as possible. Comprised of a multidisciplinary team of innovators, Sift Science has the backing of investors such as Spark Capital, Union Square Ventures, First Round Capital, PayPal co-founder Max Levchin, Salesforce CEO Marc Benioff, Zillow co-founder Rich Barton, angel investor Chris Dixon and Y Combinator.

What is Sift Science’s approach when it comes to ecommerce fraud?
Jason Tan: Sift takes a “no rules, just data” approach to ecommerce fraud. We’ve built our product to be:
• Accurate: Accurate scores mean great results. Our goal is to have Sift customers catch all of their fraud with very low false positive rates.
• Fast: Sift’s learning and analysis work in real time. Fraud scores are available immediately and updated continuously to incorporate customer feedback as soon as it’s given. With Sift, our customers never need to set rules.
• Comprehensive & customized: With large-scale machine learning, Sift leaves no stone unturned in looking for fraud patterns. Sift users get their very own Sift models that adapt to each unique business; by combining our existing fraud library with each store or website’s data, every customer’s Sift model is specially tailored to his or her needs. For example, if a customer sells shoes, we might learn that size 10 shoes are more suspicious than size 15 shoes.
• Transparent: Scores and signals are available to customers via our real-time console, APIs and email notifications, so the information is available whenever and wherever you need it. Our console is a one-stop shop; there, users can find all of the information that a fraud team requires to streamline decisions as well as view data visualizations to better understand customer patterns and actions.
• Easy: With Sift, it’s easy to get started and there’s no risk to try our fraud-fighting product. Integration is simple and we require no contract lock-in or setup fees. Every customer gets a 30-day free trial. Our pricing structure is transparent and designed to support every customer’s growth.

The online environment as well as the payments industry are changing at a faster pace. What is the impact this constant development has on online security?
Jason Tan: Online security companies are subject to intense pressure because online payments and ecommerce opportunities continue to rapidly evolve. This environment requires a two-fold response:
1) Solutions must be flexible & adaptive (whether to new business models, or to the ways
that consumers can spend money): Models must be customized to the unique and
constantly changing methods that fraudsters use when attacking a customer’s site.
Strength comes in the ability to learn from and predict the unique patterns seen in a
vertical, business model or geography. Online security companies must leave no stone
unturned and adapt to even the most sophisticated fraudster’s tactics.
2) Solutions must be comprehensive and work in real time: The payments industry must be
able to analyze all available data and discover all available patterns in real time. Best-in-
class technology is essential in order to stay ahead of fraudsters.
Cybercrime attempts have increased lately, with more and more companies being
targeted. What could they do to stay ahead of security risks?
Jason Tan: We all need to take a proactive approach to fraud prevention and leverage the
fraud patterns seen globally across the internet. For example, fraud patterns displayed in
the gaming industry often show up in other industries years later. Companies can stay
ahead of these risks by getting access to pooled learnings. For example, Sift Science has a
library of 5M fraud patterns that our customers can leverage and apply to their fraud-finding
models.
What are the biggest challenges when it comes to payment security for retailers and
customers nowadays?
Jason Tan: Although fraudsters are growing more sophisticated, the data that retailers
need to protect themselves from fraudsters is available and always increasing. However,
taking advantage of it (e.g. collecting, processing, and deriving insights from this data) is
incredibly difficult. The technology exists, but the skills required to execute on the
intricacies of the technology are scarce and, usually, are only found at places like Amazon,
PayPal, and Google. At Sift, we’re making this state-of-the-art technology accessible and
offering our customer lessons learned on a global scale.
We are thrilled to be the 2014 METAwards winner. To be honored by our peers, customers and industry leaders at MRC is incredibly humbling. We will rise to the expectations and esteem that come with the METAwards, and will continue to innovate and deliver more value for our current and future customers. We believe that our unique large-scale, real-time machine learning technology is the way to solve fraud in the next decade, and want to help online merchants of all shapes and sizes.
Jason Tan, Sift Science

EXPERTS’ CORNER
“Match the payment authentication process with the consumer’s risk profile”
By Stanley Harmsen van der Vliet, INFORM

Stan is currently product marketing manager for INFORM's fraud prevention solution for both the financial and insurance market and an online marketing advisor for several smaller companies in The Netherlands. Stan recently served as a freelance consultant at EastNets and as a Business Developer for Fiserv Inc. EastNets is a global provider of compliance and payment solutions with main offices in Dubai, Amman and Brussels. He was responsible for the overall training development program for employees and partners.

INFORM develops and markets software systems to optimize business processes on the basis of operations research and fuzzy logic. INFORM's Risk & Fraud division is specialized in fraud prevention and provides a high-performance multi-channel fraud detection and risk assessment solution that helps banks, acquirers, issuers and PSPs mitigate payment risk and avoid chargebacks. RiskShield prevents fraud losses and increases customer confidence with the most adaptive and fastest deployable anti-fraud software in the market today. More than 1000 companies worldwide benefit from advanced optimization software systems by INFORM in industries such as transport logistics, airport resource management, production planning, financial crime risk management and insurance claims handling optimization. INFORM employs over 500 staff from more than 30 countries.
It must be an odd feeling: always being one, or a few, steps behind. Fighting fraud can be achieved by implementing additional safety measures, but the cost of these measures is high for the payment providers and they don't always deliver consumers the perfect online experience. So it might be better to adapt to this and implement security measures that keep costs down and truly help consumers make safer payments. The overload of payment verification tools and processes feels like an extra layer of inconvenience to consumers, and they can hardly be seen as a help in executing a payment on ecommerce platforms such as Amazon, John Lewis, Ikea or Zalando.
Risk-based authentication opportunities
Banks and credit card companies do, of course, have good reasons for implementing these security authentication measures, as they do help to reduce Internet fraud. But they should not close their eyes to alternative eCommerce security and authentication solutions that also meet the ever-changing needs of the consumer. There are better ways of providing consumers with a far more satisfying online and mobile shopping experience: card-issuing banks and card service providers should adopt tools that offer differentiating possibilities, such that a consumer with a high risk profile will still be taken through the strict security steps and those with a lower risk profile will be able to progress with a much ‘lighter’ security process. This approach maintains the stringent security at the high end of the risk scale, but at the same time fast-tracks the lower-risk consumers, giving a far better experience for the majority.
Lower cost, higher revenue and enhanced consumer satisfaction
By differentiating the payment method and security steps for individual customers, based on a shopper’s buying behaviour and transaction history, issuers, acquirers and online merchants can all benefit from better results. The majority of customers (and their computers) can be trusted; they simply want to purchase an e-book, a flight or shoes. About 90-95% of all transactions fit within the low risk profile. There is really no point in demanding that all consumers fulfil all the high security steps required in a complete authentication process. By implementing the right solution, payment service providers will save costs, online shops will benefit from higher revenues, and the majority of consumers will be far happier and more likely to complete their transaction.
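The following Python policy, added here as an illustration and not INFORM’s RiskShield logic, shows the differentiation described above in code: a handful of assumed signals (unrecognised device, country mismatch, a basket far above the shopper’s norm, order velocity) are weighted into a score, and the score decides whether the shopper is fast-tracked, asked for one light step, or taken through the full strict flow. Signal names, weights and thresholds are assumptions chosen for the example; a real deployment would derive them from the institution’s own fraud and chargeback data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added example of a risk-based authentication policy. The signals, weights and
# thresholds below are assumptions for illustration, not INFORM's RiskShield logic.


@dataclass
class CustomerProfile:
    """What the issuer or PSP already knows about the shopper from transaction history."""
    home_country: str
    known_devices: set
    avg_amount: float                      # average historical basket size
    recent_tx_times: list = field(default_factory=list)


@dataclass
class Transaction:
    amount: float
    device_id: str
    country: str
    time: datetime


def risk_score(tx: Transaction, profile: CustomerProfile) -> int:
    """Sum weighted signals into 0..100; each signal is a departure from the shopper's history."""
    score = 0
    if tx.device_id not in profile.known_devices:
        score += 30                        # unrecognised computer or phone
    if tx.country != profile.home_country:
        score += 25                        # geography mismatch
    if profile.avg_amount > 0 and tx.amount > 3 * profile.avg_amount:
        score += 25                        # basket far above the norm
    last_hour = [t for t in profile.recent_tx_times
                 if timedelta(0) <= tx.time - t <= timedelta(hours=1)]
    if len(last_hour) >= 3:
        score += 20                        # velocity: a burst of orders
    return min(score, 100)


def authentication_path(score: int) -> str:
    """Map the score to the security steps the shopper is taken through."""
    if score < 30:
        return "frictionless"              # no extra step: the low-risk majority
    if score < 60:
        return "otp"                       # one lightweight step, e.g. a one-time code
    return "full_challenge"                # the complete strict authentication process


def route(tx: Transaction, profile: CustomerProfile):
    """Decision for one transaction: (score, path)."""
    s = risk_score(tx, profile)
    return s, authentication_path(s)


def path_distribution(pairs) -> dict:
    """Share of transactions per path; the check that the policy fast-tracks the majority."""
    counts = {}
    for tx, profile in pairs:
        p = route(tx, profile)[1]
        counts[p] = counts.get(p, 0) + 1
    return {k: v / len(pairs) for k, v in counts.items()}


if __name__ == "__main__":
    # Constructed sample data, not real customer records.
    now = datetime(2014, 5, 13, 12, 0)
    regular = CustomerProfile("NL", {"dev-1"}, 40.0, [now - timedelta(days=3)])
    print(route(Transaction(35.0, "dev-1", "NL", now), regular))     # (0, 'frictionless')
    print(route(Transaction(35.0, "dev-9", "NL", now), regular))     # (30, 'otp')
    print(route(Transaction(400.0, "dev-9", "BR", now), regular))    # (80, 'full_challenge')
```

The high-risk branch keeps every strict step; only the routing of the low-risk majority changes. Tracking `path_distribution` over live traffic is the practical check that the thresholds match the 90-95% low-risk share the text describes, and a sudden drift in that distribution is itself a signal worth investigating.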
EXCLUSIVE INTERVIEW WITH MARC BARACH, JUMIO
“The challenges of payment security have always been a balancing act”

Marc leads Jumio’s worldwide marketing efforts and brings over 20 years of marketing innovation and operational experience in emerging technologies and the financial sector to Jumio. Previously, he served as CEO of mobile applications company Emotive, CMO of enterprise search SaaS pioneer Marin Software and CMO of Ingenio, where he sparked creation of pay-per-call technology, a multi-billion USD adtech product which led to Ingenio’s acquisition by AT&T in 2007. As CMO of online insurance first mover InsWeb, Marc drove revenue which enabled the company to raise USD 100 million in its IPO. Additionally, Marc has held executive-level marketing posts at a number of financial institutions including Charles Schwab and First Nationwide Bank. A frequent speaker at prestigious conferences worldwide, Marc has been widely quoted in national and business press.

Step by step, the world seems to be going mobile as well. How does Jumio address the need for a more secure and improved mobile customer experience?
Marc Barach: As mobile consumers, we seem to have a voracious appetite to get the full range of life’s tasks accomplished on our connected devices. Conducting shopping, travel, banking, investing and more are now commonplace, but each one of these activities at some point requires the consumer to fill out long forms on their device. And that’s the problem. Numerous studies show that the more data a consumer must key enter in order to complete a process, the greater is their drop off. That’s something businesses cannot afford. Jumio’s mobile offerings use computer vision technology to scan and validate credentials, obviating the need for time-consuming key entry. This allows consumers using our clients’ apps to speed through sign-up and checkout processes, which translates into higher completion rates and satisfaction. This service is offered through three of our products: Netverify, Netswipe and Fastfill.
Netswipe turns a customer’s phone into a secure credit card reader, eliminating the need
for customers to manually enter credit card payment information. Consumers hold their
credit card up to their mobile device and their card is automatically scanned, extracting
cardholder name, 16-digit card number and expiration date. This takes seconds as
opposed to typically a minute for key entry. By removing that friction from the process,
Netswipe addresses the critical issue of shopping cart abandonment, which plagues almost
every online and mobile merchant. Businesses using Netswipe in their mobile apps see
conversion rates increase as much as 20 to 30% and sometimes higher.
Netverify allows businesses to authenticate their customers’ identities in real-time by
validating their source credential of a passport, driver license or ID card. Consumers simply
hold their ID up to their smartphone or desktop camera and Netverify validates the ID,
extracts the personal info it contains and fills it into the sign-up on the checkout form.
Identification documents issued by more than 100 countries are processed this way. In
order to confirm that the person presenting the ID is the person shown in the ID, Jumio
uses its proprietary Face Match technology to help businesses assess the extent to which a
photo on an ID presented during a mobile or online transaction matches the customer’s
actual face. This is a key differentiator in the industry, as no other solution provides the
same breadth of real-time identity verification. Jumio’s Netverify also helps organizations
meet KYC requirements and industry regulations, while reducing fraud and chargeback
costs in purchase transactions.
Fastfill automates key entry of personal customer information in mobile apps, providing a
faster and more convenient way for consumers to open accounts, complete web
registration forms, and remove friction from the checkout process. With Fastfill, customers
tap the “Scan ID” button on a business’ mobile app, hold their ID up to the device’s
camera, and their personal data is extracted from the ID and populated into the new
account form in an instant. Customers are no longer subjected to minutes of data entry on
a small keypad entry and merchants don’t have to worry about losing customers in the
sign-up process.
What are the biggest challenges when it comes to payment security for retailers and
customers nowadays?
Marc Barach: The challenges of payment security have always been a balancing act. The
industry is often toggling between making the payment process as convenient as possible
for the consumer yet safe for the merchant. If that’s out of balance, which is often the
case, the merchant is always on the failing end from either losing customers or having high
chargeback and fraud costs. The two objectives, ease-of-use and fraud control, have
historically been at opposite ends of the continuum – typically when security goes up, the
consumer suffers and, if security is lax, the merchant suffers. Jumio has developed a
service that breaks open that paradigm – so that both security and consumer experience
are improved.
Companies such as Amazon pioneered the ‘one click’ purchase which is incredibly popular
with consumers but, in our view, isn’t the end of the line. We’re working toward the goal
of ‘no key entry’ transactions, which represents the next step on the ease-of-use
trajectory. This means that real-time authentication activities need to take place behind
the scenes while the consumer sails through the transaction. Online merchants spend so
much time, money and energy getting people to their websites and apps and often forget
that getting them successfully through the sign-up and checkout processes are just as
important to meeting their revenue goals.
In your opinion, what is the best approach to ensure secure payments and online fraud
prevention?
Marc Barach: Most security processes today use indirect ways such as knowledge-based
authentication to authenticate the ID of the transacting customer. These can be effective,
but none of them are as good as using the source document (passport, driver license,
government ID) or as consumer friendly. Fast, easy and intuitive processes are what
create great consumer experiences, which contribute to higher completion rates and
revenue. As consumers become more sophisticated, especially on mobile, the tolerance
for slow and complex processes is diminishing. At the end of the day, merchants have to
figure out how to manage fraud without turning away legitimate consumers. Our whole
business is built around making sure we do exactly that.
Jumio has recently launched the Bitcoin Identity Security Open Network. With cyber-
criminals often using digital currencies like Bitcoin to commit illegal transactions, how
does the network plan to boost trust and confidence in the Bitcoin ecosystem?
Marc Barach: BISON was created to instill greater confidence in the Bitcoin system by
providing the industry with a standardized way to validate buyer identities when in the
process of establishing a relationship or conducting a transaction. It’s a reaction to some of
the confidence-shaking events that have plagued the Bitcoin industry. The industry
recognizes that smart self-regulation is much better than external regulation and now is
the time to put that infrastructure in place.
The Bitcoin exchanges, wallets, ATMs and mining companies in the BISON network have
come together as a first step in this self-regulatory process. Using Netverify, these
providers can meet KYC practices while weeding out fake or manipulated IDs, which is
usually a precursor for fraud or other illegal activities. BISON members also receive
aggregated fraud trend information across the network. Lastly, and perhaps the most
exciting feature of BISON, is that customers’ validation status and PII travel with them
wherever they transact within the network.
That means that a customer presents and scans their ID the first time with one Bitcoin
company, and when they go to transact with another member, their validated status and
data is automatically imported into that transaction, and vice-versa. The friction removal
manifests itself in higher completion rates and consumer satisfaction. This feature of the
Network launches later in 2014.
MRC’s 2014 eCommerce Payments & Risk Council in Las Vegas is the place to gain insight into important industry trends, network with industry colleagues and review the latest technology offerings from a wide range of innovative companies. We were gratified to be selected by the MRC membership to win the METAward for the Best Innovative Emerging Technology in the established company category. In his presentation, CSO Mike Orlando demonstrated Jumio’s Fastfill and Netswipe mobile technologies which enabled him to make in-app purchases without having to key enter PII or payment data. We wish to thank the Membership for this acknowledgement and recognize the great offerings of all the other nominated companies. Together, we are moving the ball forward to create a safer and more efficient transactional environment for merchants and consumers.
Marc Barach, Jumio

EXCLUSIVE INTERVIEW WITH AARON KLINE, ID ANALYTICS
“Understanding the consumer's identity makes us stand apart”

Aaron Kline is director of eCommerce Solutions at ID Analytics, where he leads the company’s efforts to reduce online and card-not-present fraud. He has extensive ecommerce experience that enables him to balance the need for optimal user experiences with the requirements of fraud management. Prior to joining ID Analytics, Kline led the New Business Initiatives Team within the Consumer Group at Intuit. In addition, he held leadership roles at Provide Commerce, including leading ProFlowers International, organic growth initiatives, and various M&A activities. Kline has also held various operating roles at Cox Communications, HD Supply, and The Home Depot.

ID Analytics is a leader in consumer risk management with patented analytics, proven expertise, and real-time insight into consumer behavior. By combining proprietary data from the ID Network, one of the nation’s largest networks of cross-industry consumer behavioral data, with advanced science, ID Analytics provides in-depth visibility into identity risk and creditworthiness.
How does ID Analytics address identity fraud in the US?
Aaron Kline: ID Analytics takes a risk-based approach to tracking identity fraud. We work
specifically with enterprises to detect and eliminate fraud from their daily activities. When
it comes to a new account setup, be it at a bank or a wireless carrier, consumers are asked
to provide different data inputs, for personally identifiable information. Thus, we help
enterprises assess the riskiness of those applications, which is one use case.
Another use case that we help enterprises with revolves around transaction-related fraud.
When an online merchant, or an ecommerce company, takes a certain type of information
for the purpose of an online transaction, we assist those organizations in assessing the
riskiness of that order.
Customer needs, which are related to new account applications or online transactions, are
a priority, so we also help enterprises with authentication or compliance-related matters.
As such, when it comes to authenticating the user or any compliance-related checks, like
KYC (know your customer) checks, we provide organizations with tools like KBA
(knowledge-based authentication) quizzes. Our solution fits different use cases and runs
across all of those different needs. Therefore, our approach is based on understanding the
identity of the consumer which makes us really stand apart.
Moreover, we have pervasive insight into how U.S. consumers behave both online and
offline. We work with 6 of the top 10 issuing banks, with 4 of the top 5 wireless carriers and
we have good relationships with certain credit bureaus and the government in the
ecommerce arena. This vantage point has allowed us to see the U.S. adult population
taking action at some point in their lives. And, as such, we have the ability to have insights
into the consumer’s profile.
We also offer a data consortium model so that enterprises which work with us get the
value of our products. Finally, our clients submit to us performance-related information.
They let us know if a new account has gone bad or if a transaction results in a chargeback.
That standpoint allows us to understand whether someone really is a good or bad actor,
whether s/he has actually committed a fraud or not. It really helps us to have insight into
whether it’s a first-party fraud, synthetic fraud or third-party fraud. However, the identity
network that we operate is the core asset in terms of predicting those kinds of fraud cases
and we’re really helping the market understand identity fraud.
You just launched a new product with new features for the Transaction Protector and
Transaction Advanced Intelligence solutions. What does this new feature provide to
merchants?
Aaron Kline: Transaction Protector and Transaction Advanced Intelligence are both geared
at helping online merchants assess the riskiness of online transactions in a card-not-
present world. The new features are designed for device-related reputation and
recognition. We have partnered with both iovation and ThreatMetrix, companies which
are well-known in the device space, in order to gain that insight. By understanding the
individual behind the online transaction and the mechanism through which they place that
transaction, we have great insight into consumer behavior. It helps us understand whether
risk or fraud is occurring in an online transaction. We have seen great lift to our predictive
models incorporating that data.
Merchants and future clients have the ability to benefit not only from data, the identity
network that we offer, but also from the wealth of device recognition and reputation data in
the repositories that both iovation and ThreatMetrix offer.
We think that biometric authentication could be one of the most promising new
technologies in ecommerce. What is your view on these developments? Is it on the
roadmap for ID Analytics?
Aaron Kline: Simply put, yes. It is on the roadmap for ID Analytics. By taking an identity-
based approach to understanding consumer behavior, we are always looking for unique
elements to define a consumer. There could be multiple email or phone addresses and
numbers, respectively, associated with an individual. In order to have laser-like focus on
understanding the consumer behavior, one must ensure that uniquely identifying each
individual is feasible.
We love biometrics because it is the thing that could potentially help us understand that
one-to-one relationship, unlike device which poses the case for a one-to-few relationship.
We like it but biometrics really can help us confirm a one-to-one relationship. There are
companies working on things like voice recognition. It would be really interesting for the
call centre environment.
We also think of the advancements happening in mobile technology, like Samsung’s new
Galaxy 5 smartphone which includes fingerprint authentication technology that will open
up to third-party developers. This fact makes us consider that fingerprint biometrics are
going to be cool. As such, we are engaged in discussions with potential partners in that
space, and we’re really looking to incorporate biometrics in future product releases. I also
expect that, within the next year, we’ll probably have one or more confirmed
partnerships in biometrics. We will also have developed our own technology, because it is
essential in tying an individual to an individual trait.
What do you see in terms of face recognition?
Aaron Kline: We are also interested in this type of biometric authentication technology
because our aim is to come up with an answer to which of these biometrical technologies
is most impenetrable to fraud. To support my opinion, the Chaos Club in Germany, for
example, demonstrated that they could quickly penetrate Apple’s finger recognition
capability. That is why we are open to all biometric technologies. It is just a question of
“Has the technology got to a place where we see it as relatively invulnerable to an
additional attack?” Otherwise it’s really not worth it. So, that is an area we are currently
exploring. I’m not sure that anybody has got a solid answer to it yet.
How long do you think that will take?
Aaron Kline: ID Analytics will look to cement partnerships in this arena within the next
year. We value partnerships in terms of learning that new technology and how it works. I
think that it’s more likely that the partnerships will be on either the voice or the fingerprint
side of things, rather than the face, the iris, or even DNA, just because those capabilities
are more established in the market. Then we’ll continue to look aggressively at developing
that technology ourselves once we prove the efficacy of biometrics. I think that’s
something we need to prove to ourselves.
EXPERTS’ CORNER
“Going Beyond PCI”
By Phillip Smith, Senior Vice President of Government Solutions, Trustwave
Phil J. Smith is Senior Vice President of Government Solutions at
Trustwave. He has more than 14 years of federal criminal investigative and
prosecutorial experience, having served as both a Special Agent with the
U.S. Secret Service and as a Senior Trial Attorney with the U.S. Department
of Justice Terrorism and Violent Crime Section. He was involved in the
Secret Service's early efforts to combat computer and electronic crime, including the
gathering of electronic evidence. Phil has significant crisis management experience,
including extraterritorial matters involving the bombing of U.S. facilities, air piracy and the
killing of US nationals.
Security is no longer ‘just an IT problem.’ As revealed in our recently released 2014
Security Pressures Report, 50% of the more than 800 full-time IT professionals surveyed said
their owners, boards of directors and C-level executives are applying the most pressure
when it comes to security, and it doesn’t stop there. Security has now become a
Congressional issue.
On February 5, 2014, Trustwave was asked to present expert testimony before Congress
about data breaches and malware attacks. In light of the recent string of high profile data
breaches, the House Committee on Energy and Commerce held the hearing to get a better
understanding of how data breaches occur and how they can be prevented. I presented
the testimony and focused on one major theme – the importance of businesses going
‘beyond PCI compliance,’ using the Standard as a starting point, not an ending point when
building their security strategies.
In today’s internet-connected world, threats are more complex than ever. Hackers are
going after businesses of all sizes and across all industries. According to the 2013
Trustwave Global Security Report, cardholder data was the primary data type targeted by
attackers in 2012. There is a well-established underground marketplace for stolen
payment card data where criminals may get up to USD 50 per card; multiply that by
millions and you can see how selling payment card data can be a lucrative business.
The PCI DSS continues to play a critical role when it comes to data security. The Standard
has increased awareness and given businesses guidelines for basic security controls to
protect cardholder and personal data. However, in today’s environment, where the threat
landscape is more complex than ever and new business-improvement technologies are
introduced every day, keeping up with and complying with the Standard simply isn’t
enough. While the Standard helps businesses deploy some essential security controls, it
doesn’t cover security around every attack vector, such as security surrounding targeted
malware, mobile devices and cloud technology.
In addition to complying with the PCI DSS, businesses must also use a defense-in-depth
approach to security consisting of multiple layers of defense, detection, response and
ongoing testing. The strategy should include incident response preparedness, security
awareness training, risk assessments and ongoing penetration testing as well as security
controls that protect their databases, web applications and mobile payment systems. It
should also include anti-malware technologies such as security gateways that help protect
businesses in real-time from threats like malware, zero-day vulnerabilities and data loss,
and can help organizations use things like web and cloud applications securely.
According to the 2014 Security Pressures Report, 85% of IT pros said a bigger IT security
team would reduce security pressures and bolster job effectiveness. If businesses find that
they do not have the skills or manpower needed to make sure all of their technologies are
installed and working properly, they should look to augment their in-house staff by
partnering with an outside team of security experts whose sole responsibility is to manage
their security.
If businesses embrace this kind of approach to security, they can better protect
themselves against attacks and inherently maintain compliance with the PCI DSS.
EXPERTS’ CORNER
“Data Breach Legislation: Global Trends 2014”
By Wendy Kennedy, International Business Practice Leader, Interstice Consulting
Wendy Kennedy has over twenty years of experience assisting businesses with global
expansion strategies, including profit maximization, creation of new revenue models and
minimization of risk, with an emphasis on data privacy and protection. She is the author of
the eBook "Data Privacy: A Practical Guide" (April 2014) and editor of the International
Business, Trade and Taxation Blog, and a partner at Interstice Consulting.
There can be no question that the number of data breaches is increasing with the passage
of each month. Yet data privacy and protection laws remain fragmented. The urgency to
implement data protection and privacy laws can be seen in the vast number of proposals
being adopted or introduced worldwide. The EU, for example, the undisputed forerunner
in enacting data protection and privacy laws, is set to proceed with adoption and
implementation of the Data Privacy Regulation unifying data protection and privacy law
among its member states, which will likely become effective in 2015. The emphasis is on
greater harmonization, increased regulatory enforcement and transparency.
Global companies should also take note of the rise in international data privacy laws. Data
protection and privacy laws have been enacted recently in Singapore, China, Malaysia,
South Korea, Serbia, Brazil and Argentina. Ensuring compliance with new laws is
increasingly difficult and time consuming.
In the US, Senator Tom Carper (D-Del) introduced a bill, the Data Security Act of 2014,
attempting to align fragmented data protection laws at the federal and state levels. The
bill is intended to address security, ensure privacy, create a notification requirement and
enhance enforcement and penalties. The proposed bill would require entities, both public
and private, to take better preventative measures safeguarding sensitive information,
investigate security breaches, and place strict notification requirements for breaches. The
proposed Data Security Act would supersede the confusing and inconsistent federal and
state laws governing data protection now in place.
One problem identified by consumer advocates is that the bill only allows consumers to
sue under federal law, while eliminating consumer recourse for violations of state
law. Another group of lawmakers, led by Senator Patrick Leahy (D-VT), has been working
throughout the past decade to garner support for their Personal Data Privacy and Security
Act of 2014, which was reintroduced earlier this year on the heels of the massive data
security breaches experienced by Target, Inc. and Neiman Marcus. This proposal would
require businesses to notify law enforcement of data breaches within 10 days after discovery
of a breach involving more than 5,000 persons or a breach of a database containing
personal information of 500,000 or more individuals. The proposal would also give the
Federal Trade Commission, the US Attorney General, and state attorneys general
enforcement power, with fines and penalties of up to USD 1 million per breach.
States, too, are jumping on the bandwagon. There is significant state-level legislative activity
to address data breaches: some measures amend existing laws to include private
liability for data breaches, while others propose new legislation with a primary focus on
notification in the event of a data breach. Of course, businesses would welcome
standardization of data protection laws; it would lower the cost of compliance and provide
greater predictability and stability. Currently, the myriad of divergent laws, not just across
the US but across the world, makes compliance costly and inefficient. Several measures can
be put in place to reduce risks and minimize losses in the event of a data breach. First,
data protection and privacy insurance is becoming widely available, although it can be quite
costly; second, a data privacy officer can be engaged to develop a breach plan of action and
to serve as an expert resource in the event of a breach.
About: Online Paypers is a bi-weekly update on developments in online payments by The Paypers, the portal for
payment professionals.
Editors: Adriana Screpnic, Ionela Barbuta, Mihaela Mihaila, Sebastian Lupu, Andreea Nita and Melisande Mual.
Website: For more information, please visit our websites: www.thepaypers.com
Contact: For more information, you can contact us at: [email protected]
Subscription info: Online Paypers is a product of The Paypers and is published 24 times per year. Year
subscription price: €295
Copyright: 2014 © The Paypers. All rights reserved. Reproduction or redistribution in any form without explicit
prior written permission of The Paypers is prohibited.
Disclaimer: The Paypers sees to the utmost reliability of all its news products. Nevertheless we do not accept
any responsibility for any possible inaccuracies.