Payments Business Magazine SeptOct 2014 by Lloydmedia Inc

Sept/oct 2014

The Merchant’s Guide to Transactions, Cards & eCommerce

REPORT ON SECURITY, FRAUD & PRIVACY From combatting payment card fraud to minimizing data breaches, the experts say it’s time to get serious about security

also in this issue:

❱ Celebrating Women in Payments

❱ Canada’s payment standards: ISO 20022

❱ Currency Risk and

International Payments PM 4 0 0 5 0 8 0 3

Table of Contents

September/October 2014 Volume 5 Number 5 Editor Karen Treml karen@paymentsbusiness.ca Publisher Mark Henry mark@paymentsbusiness.ca Contributors Gary Conroy, Christian Damour, Roy Farah, Kevin Gonyea, Richard Heilman, Catherine Johnston, David Ripley, Ellen Joyner-Roberson, Douglas Kinloch, Mark Sullivan, Ray Wizbowski

COLUMNS & DEPARTMENTS 4 News 43 ACT Update

42 POV 44 Events

FEATURES

Creative Direction Jennifer O’Neill jennifer@paymentsbusiness.ca

Emergency card replacement and mass issuance strategies

Fraudsters focus on the weakest point in the chain

Photographer Gary Tannyan

Senior Account Managers Brent White brent@paymentsbusiness.ca Chantal Goudreau chantal@paymentsbusiness.ca President Steve Lloyd steve@paymentsbusiness.ca For subscription, circulation and change of address information, contact subscriptions@ paymentsbusiness.ca Publications Mail Agreement No. 40050803 Return undeliverable Canadian addresses to: Circulation Department 302-137 Main Street North Markham ON L3P 1Y2 t: 905.201.6600 f: 905.201.6601 info@paymentsbusiness.ca www.paymentsbusiness.ca Subscriptions available for $40.00 year or $60.00 two years. ©2014 Lloydmedia Inc. All rights reserved. The contents of this publication may not be reproduced by any means, in whole or in part, without the prior written consent of the publisher. Printed in Canada. Reprint permission requests to use materials published in Payments Business should be directed to the publisher. Made possible with the support of the Ontario Media Development Corporation

Preparing for the Unexpected

Successfully Combatting Payment Card Fraud Card safety combines policies technology, fraud detection, and collaboration

New Payment Methods Fuel Cyber-Attacks Best practices for balancing risk and consumer experience

Five Best Practices for Minimizing Data Breach Risk It’s time to focus on what your company can do to prevent a breach

mPOS: Getting Serious On Security

HCE-Based Mobile Payments Enabling mass adoption with software security

Managing Currency Risk and International Payments Regardless of a company’s size, unexpected currency swings can take a huge toll

CELEBRATING WOMEN IN PAYMENTS The life journeys of three influential women in payments

REGULAR COLUMNS

SEGMENT UPDATE Canadian merchants say benefits of credit card acceptance outweigh costs

PAY CHANNEL Bitcoin – An alternative payment method

INSIDER REPORT ISO 20022 aims to improve efficiency of domestic and international transactions

VERTICAL MARKET Getting payments right is essential for gaming companies to succeed

Next issue…

November/December — B2B Evolution: Beyond Retail – Finding Revenue Streams in Other Markets september/october 2014

PAYMENTSBUSINESS

News

Canadian Tire unveils next evolution of its iconic loyalty program

Apple Pay to transform mobile payments

Canadian Tire and its iconic Canadian Tire ‘Money’ have long been synonymous with customer rewards and value. Canadian Tire announced the evolution of its loyalty platform, introducing My Canadian Tire ‘Money’, an easier way to collect and redeem Canadian Tire ‘Money’. The program will launch in Nova Scotia on October 10 and nationally on October 28, 2014. The digital rewards program will complement paper Canadian Tire ‘Money’, which will remain in circulation. My Canadian Tire ‘Money’ combines the best attributes of Canadian Tire’s paper ‘Money’ with the benefits of a digital rewards program, making it easier and faster for customers to collect and redeem. Members can collect e-Canadian Tire ‘Money’ on qualifying purchases at Canadian Tire stores, at canadiantire.ca, and at participating Canadian Tire gas bar locations. e-Canadian Tire ‘Money’ can also be redeemed for merchandise and gift cards or donated to Canadian Tire’s Jumpstart charity. Customers can also collect and redeem e-Canadian Tire ‘Money’ on automotive services, a benefit to the updated program. “As Canada’s oldest loyalty program, we know Canadian Tire ‘Money’ holds an extraordinary place in the hearts of Canadians,” says Allan MacDonald, chief operating officer, Canadian Tire. “We’re building on it by introducing another way to reward loyal customers who prefer the ease and convenience of digital currency and rewards, further improving the Canadian Tire shopping experience and ultimately helping our customers tackle the jobs and joys of everyday life in Canada.” As part of the program, members can collect e-Canadian Tire ‘Money’ when making payment by cash, debit, and credit cards, providing enhanced value and convenience. Importantly, e-Canadian Tire ‘Money’ has no expiry date and can be shared with other members by request. To fully take advantage of the program’s benefits and features, customers are being encouraged to download Canadian Tire’s enhanced Mobile App. The updated version, available for download at launch, allows users to collect, redeem and manage their e-Canadian Tire ‘Money’, view bonus offers, review transactions, and return products instore without presenting a receipt.

Apple Pay, according to many firms, could be a game changer. It supports credit and debit cards from the three major payment networks, American Express, MasterCard, and Visa, issued by the most popular banks. “Security and privacy is at the core of Apple Pay. When you’re using Apple Pay in a store, restaurant, or other merchant, cashiers will no longer see your name, credit card number, or security code, helping to reduce the potential for fraud,” says Eddy Cue, Apple’s senior vicepresident of internet software and services. “Apple doesn’t collect your purchase history, so we don’t know what you bought, where you bought it, or how much you paid for it. And if your iPhone is lost or stolen, you can use Find My iPhone to quickly suspend payments from that device.” Apple Pay will change the way you pay. When you add a credit or debit card with Apple Pay, the actual card numbers are not stored on the device or on Apple servers. Instead, a unique Device Account Number is assigned, encrypted, and securely stored in the secure element on your iPhone or Apple Watch. Each transaction is authorized with a one-time unique number using your Device Account Number and instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction. Online shopping in apps with iPhone is also as simple as the touch of a finger. Users can pay for physical goods and services including apparel, electronics, health and beauty products, tickets, and more with Touch ID. Checkout can happen with a single touch, so there’s no need to manually fill out lengthy account forms or repeatedly type in shipping and billing information, and card details are kept private and are not shared with the online merchant.

coming in the

nov/dec issue of

EXECUTIVE ROUNDTABLE The Winning Combination Technology & Payments: Beyond the Hype

There is a great amount of activity in the payments sector, driven by advances in communications and associated technology. Financial services companies and payment companies are making major investments, launching innovative initiatives, and jostling for leadership in a rapidly changing market. However, it is far from clear that anyone has identified a winning proposition that will be able to dominate the market. Providing real benefit to the consumer will be key to widespread adoption of new platforms. But what is that winning combination?

PAYMENTSBUSINESS

September/october 2014

MERCHANT-FRIENDLY PAYMENT SOLUTIONS Monetico, a result of the partnership between Desjardins Group and Crédit Mutuel-CIC Group.

Security, Fraud & Privacy

Preparing for the Unexpected Emergency card replacement & mass issuance strategies

By Ray Wizbowski

PAYMENTSBUSINESS

he well-documented financial card breaches of late 2013 and early 2014 shine a bright light on two key concerns for banks, bureaus, and other large card issuers. The first concern, of course, is prevention. After dissecting recent high-profile breaches, security experts generally conclude that more than 90 per cent of the breaches that have occurred in recent years were preventable given the right strategies (which, interestingly, are focused more on policy and process than technology). Clearly, the deployment of EMV cards and other multifactor solutions will provide extra lines of defense against financial cybercrime. However, few if any security experts are claiming that breaches can be stopped all together. The vulnerabilities surrounding personal data and financial credentials are simply too numerous and too varied to get to 100 per cent prevention. Also, cyber criminals tend to be smart and adaptive, which means issuers will need to do their best to remain one step ahead. The second concern centers on the replacement of both cards and trust across a national — or global — cardholder base. Getting high-quality cards

into the hands of consumers enhances spending power and minimizes the disruption in revenues for financial institutions. It also helps strengthen the issuers’ brands and positions them as responsive and customer-centric.

for banks and credit unions to work with millions of affected consumers. Many brands were at stake. When consumer perception is hindered, it can be detrimental to an organization’s brand and overall customer confidence. Given the timing

Addressing consumer demand with responsive card operations

of the breach – just before Christmas – customers wanted their cards replaced very quickly. But such a large data breach and the need for large-scale card reissuance can cause a

In the days following a significant breach in late 2013, it was extremely important September/october 2014

SecuRity, Fraud & Privacy

significant backlog for card issuers, prolonging emergency card replacement and creating an even greater challenge for consumer confidence. For financial institutions, there was further cause for concern as they saw their daily card issuance volumes more than double. Not only did financial issuers need to complete their regular run-rate of reissues, they now had to deal with mass issuance of many replacement cards for those at risk. For example, many operations were optimized for approximately 20,000 cards per day, but after the breach, there was a jump to 40,000-50,000 new cards per day for some issuers – presenting a difficult challenge for many operations. There is a way to address this, however, by ensuring card operations are prepared and have the necessary strategy in place to increase service levels and optimize operations. There is a growing trend for financial institutions to provide instantly issued, fully personalized cards at the bank branch. During this last crisis, financial institutions that had already deployed this solution were able to reach out to their customers and offer to provide a replacement card right in the branch location. As a result, cardholders were able to receive permanent magnetic stripe credit and debit cards within minutes and start using their card right away at point-of-sale terminals. As it turned out, instant issuance was an optimal complement to these financial institutions’ central card operations – providing a much-needed outlet for the unexpected card

volumes. While systems and staff in central locations had to scramble to make quick adjustments, tens of thousands

is instant, the banking industry needs to respond with relevant technology to ensure customers have

of cards were issued ondemand in branch locations. In addition to alleviating volume issues, many of the banks and credit unions offering instant issuance leveraged the breach to promote this benefit to their customers who were otherwise unaware of the offering. The message delivered to consumers was that these financial institutions were prepared, cared about their customers, took measures to protect cardholders, and offered a means to resolve the issue quickly. Utilizing both central and instant issuance models for mass issuance of replacement cards ultimately helped financial organizations provide unprecedented customer service, increased security, and tremendous cost savings. In a world where almost everything

the best possible banking experience. When there is a need for a replacement card, the financial institution’s that are best prepared to meet their customers’ needs have consistently reported higher customer retention rates and incremental revenue gain from the instantly issued cards.

september/october 2014

Constructing an effective issuance ecosystem Financial organizations’ vision continues to evolve to enable “the ultimate consumer experience.” Implementing instant issuance as a complement to central card operations ecosystem clearly does this – not only from an emergency card replacement

standpoint, but also as a means to pave the way for various future technology advancements in the payments industry. For example, in addition to on-demand issuance of traditional magnetic stripe credit and debit cards, instant issuance infrastructures can be configured to issue mobile wallets, mobile commerce applications and EMV smart cards. The question then becomes ‘how do we get started to better prepare for the next breach?’ We’ve outlined some key considerations to help you establish a timeline.

Evaluate current card operations An optimized central and instant issuance ecosystem requires cross-functional cooperation from marketing (consumer experience), operations, IT, and security teams within the issuance institution. Ideally, the ecosystem enables the vision the marketing team has for the emerging customer experience. This means consumer-driven criteria must serve as the foundation for the expanded ecosystem. Since a majority of the day-to-day responsibility of managing, optimizing, and advancing

PAYMENTSBUSINESS

Security, Fraud & Privacy

the issuance ecosystem rests with the operations team, their insights are required to ensure the ecosystem that is designed can actually be built — and sustained. Data security and compliance responsibilities reside with IT and security teams. While they make decisions about technologies, deployment, and technical support, they also must address the policies and processes required for operating instant issuance systems in branch locations.

Consider technologies needed for instant issuance There are various technologies that can easily complement centralized card operations. Think about the holistic instant issuance solution – including the software and hardware needed to implement in branch locations. Software can be implemented directly at the branch level or through a hosted model, and can help

with reporting capabilities. In addition, there are various desktop printers that can be implemented at branch location that offer several personalization and printing capabilities. For example, there are unembossed or embossed personalization capabilities; various printing resolutions and capabilities for background images; magnetic stripe or smart card encoding capabilities; among others. By understanding what type of instant issuance technologies are on the market, it will better equip issuers to implement an instant issuance solution that can fit and grow with their needs, and be an extension of their central issuance operations. This ultimately protects their investments and sets them up to future-proof their solutions so that they can easily add in capabilities such as mobile or EMV.

Factor in data security While adding instant

capabilities to an issuance ecosystem adds new “endpoints,” the data security requirements are mostly policy- and process-oriented. The same technologies and processes used for protecting cardholder data and financial credentials in a central issuance environment are simply extended to the broader instant issuance network. Ideally, all data — in use, in transit, and at rest — is always encrypted and never stored on a server, issuance device, or anywhere else on a network. Protecting the new instant issuance endpoints requires multi-factor credentials for employees accessing the system and compliant procedures for managing passwords and other credentials. It is also importance to consider the underlying security architecture that must be in place in general to protect every transaction, every connection and to ultimately protect every end

Process flow for turning blank or near-blank cards into branded and differentiated financial cards 8

PAYMENTSBUSINESS

September/october 2014

user and device’s identity when consumers or bank employees are accessing the network. It is critical that this security be completely hidden to the end user. Just as we see today, there is limited tolerance for excessive security requirements such as entering security codes from hard tokens, completing detailed Q&As or even navigating username password schemes. Making the security architecture as seamless as possible while never compromising the integrity of cardholder data – from all users’ perspectives – is the ultimate goal. There are real time fraud detection technologies on the market today that transparently monitor cardholder behavior over time, identify anomalies, and automatically calculate risk associated with particular transactions and/or cardholder behavior. If risks are identified, the software should be able to increase authentication

SecuRity, Fraud & Privacy

requirements and only complete transactions if identification criteria are met.

The role of increased card vault efficiencies Card stock is another area to think about when preparing for mass issuance of emergency card replacements. While personalizing and delivering replacement cards after a breach can be a challenge, that process cannot take place if the right cardstock is not available in the right place and at the right time. Often times this can be overlooked, but it is a key consideration for card issuers when thinking about how to be prepared for a breach in the future. If a breach happens, not having the proper card stock readily available in the card vault can be a potential bottleneck when issuers need to move fast. It’s known that vault management costs have plagued issuers since financial cards were introduced. Millions of dollars are wasted every year on producing and storing cardstock that is not needed because of overruns or due to card designs being retired. The data breach threat accentuates this problem. If card volumes double overnight, the vault cost problem escalates at approximately the same rate. Think about how you can alleviate this potential bottleneck by having ondemand printing technology that allows issuers to keep more generic cardstock in their vaults, then use on-demand printing technology to create specific card types. Essentially – blank card stock in, a customized card out. Today, this is highly important as

consumers are demanding more personalized offerings and more customization — which means more small jobs and more “on-the-fly” personalization for operations teams. Adding the urgency of mass emergency card replacement to the docket creates complex management issues. Having the capability to personalize blank card stock – both centrally or instantly – helps with costs, efficiency, and flexibility and continues to provide personalized services to consumers, which adds to the overall “consumer experience” element of differentiation.

Card delivery and the consumer experience Data breaches clearly create a need to communicate with customers. Issuers want to explain how they are protecting customer data, what they are doing to ensure september/october 2014

product continuity, and how customers can get answers to their questions. From a central issuance perspective, much of this highly targeted, one-to-one communication can be accomplished with new card delivery systems. Customized card carriers — in various sizes and in full color — can be printed as part of the inline issuance process. The same data that drives card personalization drives the custom form printing process. Advance card delivery systems, which can be configured inline or standalone, can also be used to deliver promotional messages or required information, such as terms and conditions.

Crisis resolution and the consumer experience The next several years in the financial market could broadly be called the ‘age of the consumer experience’. Banks

that leverage technology to anticipate and align with consumer demands will have a great advantage in the battle for customer loyalty. How banks and other issuers react to crises, such as a data breach, will directly contribute to the composite picture of the consumer experience. The technologies and strategies deployed to gain market share and loyalty advantages are the same as the ones required to deal with data breaches and other crises. Exploring concepts such as central and instant issuance infrastructures gives banks and other consumer marketers the agility and flexibility to quickly address crises – or capitalize instantly on new marketing opportunities. Ray Wizbowski is Vice-president of Marketing, Financial Vertical, Datacard Group

PAYMENTSBUSINESS

Security, Fraud & Privacy

Successfully Combatting Payment Card Fraud Payment card safety is championed by a combination of sound policies, investments in technology, world-class fraud detection, and solid collaboration with industry partners and law enforcement

By Mark Sullivan

n a constantly evolving global payments landscape, consumers and merchants are presented with seemingly limitless options of how to pay and be paid. As new technologies emerge, consumers must ask themselves whether the security features of the product are clear and factual; if their money is being protected; and whether their personal information is safe. The Interac Association and Acxsys Corporation has expertise in ensuring the safety of its products – with prevention as the cornerstone of all initiatives. Through leveraging strong partnerships with financial institutions, acquirers, merchants, and law enforcement – alongside fraud prevention programs and detection and response tools – it has been tremendously successful in efforts to combat fraud. In 2013, for example, Interac debit card fraud skimming losses declined to a record low, decreasing to

PAYMENTSBUSINESS

$29.5 million from a high of $142 million in 2009. Additionally, fraud exploitation within Canada dropped 62 per cent year-over-year. Criminals are increasingly migrating their payment card fraud activity to international exploitation in non-chip environments and card-notpresent (i.e., ecommerce and telephone) exploitation, often on credit cards and other networks’ debit products. Interac policies do not allow card-not-present, offline, and signature transactions. For example, for Interac transactions, the number on the front of the bank card is an identifier only, not an account number, and cannot be used to conduct card-not-present transactions. Merchants benefit because they receive secure and non-refutable transactions. Interac e-commerce transactions are conducted through Interac Online, which leverages the security of web banking. No personal financial information is provided to merchants. These policies also protect cardholders from fraud resulting from payment card data security breaches, such as those recently reported in the media. Chip technology is another key part of the Interac fraud

prevention strategy. It gives the card the ability to store and process data securely. This technology also enables advancements like Interac Flash – the contactless enhancement of Interac Debit. The solution is secure because it has all the benefits of Interac Debit, including leveraging secure chip processing, not magnetic stripe data type processing. This, along with the policies noted previously, e.g., not allowing card-not-present transactions, protects against counterfeiting and transaction replay types of fraud, including electronic pick-pocketing. There are also added security features to protect cardholders, such as single transaction and cumulative spend limits. No single transaction can exceed $100 and the total of consecutive contactless transactions (cumulative spend) without a PIN cannot exceed a specific amount set by a cardholder’s financial institution – typically set at $200. When the single transaction limit or cumulative spend limit is reached, the cardholder is prompted to insert his/her card and enter his/her PIN to complete the transaction. This will validate that person as the legitimate September/october 2014

cardholder and reset the limits. Finally, the information on an Interac debit card is basic payment-related codes needed to process individual ‘one time’ transactions. These are things like services codes, bank card number (not account number), card capabilities, version numbers, currency codes, language preference, and information about how the card and terminal talk to each other. The information cannot be unwrapped or duplicated to produce a counterfeit card or transaction or build a personal profile of a cardholder. In basic terms, the information on the card is useless to a criminal. Being successful in the fight against criminals necessitates involvement from many stakeholders, each playing their respective role. From consumers and businesses to payment networks and law enforcement, these networks serve as the launch pad for information sharing, which is an integral piece of the puzzle in the fight against payment card fraud. Mark Sullivan is the Director of Fraud Programs at Interac Association and Acxsys Corporation. He is responsible for fraud risk mitigation programs as well as being the contact point for global risk professionals and international law enforcement.

#retaildelivery

Reimagine Retail Banking A FRESH PERSPECTIVE TO FORGE NEW PATHS TO PROFITABILITY The industry’s most innovative leaders from across the globe will converge at BAI Retail Delivery 2014 to Reimagine Retail Banking. As one of the world’s top-ranked global financial centers, Chicago is the perfect host city for this one-of-a-kind opportunity to gain inspiration and fresh perspectives on what it takes to increase profitability and thrive in the face of today’s most critical industry challenges and consumer behavior trends.

RETHINK THE NORM WITH VISIONARY LEADERS BAI Retail Delivery 2014 features best-in-class experts, speakers and solutions providers – all focused on helping you resolve key challenges and identify new growth opportunities. Visionary leaders featured in our general sessions all dared to challenge the status quo and carve out their own unique path to success. They will share their perspectives as non-traditional industry disrupters and discuss how to navigate our hyper-competitive, ultraconnected, dynamic and digital world.

REIMAGINE WHAT’S POSSIBLE WITH THE NEWEST TECHNOLOGY Experience first-hand the technologies that are reshaping retail banking with 200-plus leading solutions providers in the world’s largest retail banking Expo, where the FinTech Forward Pavilion will shine a spotlight on the new forces and influences that are impacting the industry from the ground up. The BAI Innovation Showcase will feature rapid-fire demos and, be inspired by the year’s most trailblazing banks, recognized as recipients of the BAI-Finacle Global Banking Innovation Awards.

ENGAGING, COMPELLING, PROVOCATIVE Mark King President of adidas Group North America and Chairman of TaylorMade Golf Company Danae Ringlemann Co-Founder and Chief Development Officer of Indiegogo

John Mackey Co-Founder and Co-CEO of Whole Foods Market

Gary Vaynerchuk Entrepreneur, Social Media Expert, New York Times and Wall Street Journal Best-selling Author

November 12-14 | Chicago

BAIRetailDelivery.com

Register at BAIRetailDelivery.com | Save $250 off the Summit Only Pass | Code D20 | Expires October 15 The Summit Pass includes all sessions within the chosen summit and it also includes access to the Expo, General Sessions, BAI Innovation Showcase and BAI-Finacle Global Innovation Awards. Discount offers are not retroactive to registered attendees and cannot be combined with other offers. Onsite registration will incur an additional $100 to the full conference registration price. Offer valid through October 15, 2014 when you use code D20.

Security, Fraud & Privacy

PAYMENTSBUSINESS

September/october 2014

SecuRity, Fraud & Privacy

New Payment Methods Fuel Cyber-Attacks Law enforcement and financial institutions discuss balancing risk and consumer experience By Ellen Joyner-Roberson

september/october 2014

ith new payment methods fueling cyber-attacks around the world, collaboration between law enforcement and financial institutions is critical for protecting consumersâ&#x20AC;&#x2122; money. Discussions about collaboration between the private and public sector are not new, but theyâ&#x20AC;&#x2122;ve recently come to include Internet service providers, communication companies, and regulators. M-payments, the umbrella term for payments performed on mobile devices, change the way traditional banks and money service businesses operate. Mobile banking is on the rise for conveniences such as accessing bank accounts; receiving debit and credit alerts and statements via SMS; checking

balances and recent transactions by browsing a mobile-enabled website; conducting basis operations via a menu; and transferring funds and paying bills using a smartphone. Even though mobile banking poses many challenges for increased fraud attacks, it can also fundamentally change the banking experience and strengthen customer-bank relationships.

Growth projections Juniper Research projects mobile payments to reach $1.3 trillion globally in five years. With this projected growth in m-payments, cybercrime, identity theft, and intrusion detection are the top three targets for fraud attacks. Javelin Strategy & Research consumer data shows that more than 10 per cent of identity fraud victims â&#x20AC;&#x201C; PAYMENTSBUSINESS

Security, Fraud & Privacy

who were aware of the breach – knew their information was stolen while making online purchases. Another nine per cent reported that leaked information was due to stolen password or keystroke capture. The report shows that mobile devices are more prone to severe threats than personal computers, due to lack of security measures such as antimalware, personal firewalls, and built-in browser security tools, which are common to personal computers. Account takeover is one of the first steps in a cybercrime and identity theft process. With the current lack of security for the new mobile channel, this becomes one of the biggest vulnerabilities for financial institutions. Phishing or smishing (using a mobile device), a type of attack that is often used with account takeover, has evolved. It not only looks to steal customers’ credentials, but also infects their machines with malware. This scenario is a growing threat for mobile and e-channel fraud. As financial institutions introduce broader capabilities for money movement to the mobile channel, criminals will intensify attacks, invent new techniques, and continually challenge fraud-prevention professionals who try to keep this channel safe. Today’s criminals can easily collect data on company, vendor, and employee practices from half a world away. Victims often aren’t even aware when an attack is in progress. An innocentlooking email that appears to have come from a friend or colleague may invite an 14

PAYMENTSBUSINESS

employee to a corporate event or encourage recipients to click on a link. As soon as someone does, the hacker gains access to the system and can roam at will. In Target’s case, the attacker managed to get around the company’s defenses by stealing the network credentials of a third party. “Criminals gained access to [Target’s] networks through a contractor that was servicing heating and air-conditioning systems at several stores.” – KrebsonSecurity.com According to the ‘2014 Verizon Data Breach Investigations Report’: • 85 per cent of point-of-sale intrusions took weeks to discover, and 43 per cent of web application attacks took months to discover. • 24 per cent of those studied have already suffered a data breach where personally identifiable information was stolen or accessed by intruders. • 36 per cent of respondents do not have confidence in their incident response plan. • 51 per cent of respondents are only somewhat confident that their security controls can detect malicious applications.

Best practices for arming your organization Cross-sector communication and education. Companies are finding it more difficult to contain news of cyber-attacks. Details of such attacks are emerging with regularity, and governments are increasingly moving to mandate disclosures

through legislation, particularly when personal privacy is involved. By understanding new technologies and sharing topologies, companies can understand the latest threats and update fraud monitoring systems to detect attacks. It also helps to build relationships with mobile network providers and law enforcement. New legislation is emerging to help support greater communication of attacks. For example, the Canadian government offers valuable cyber-security information and services to Canadian industry through the Canadian Cyber Incident Response Centre (CCIRC). CCIRC is Canada’s national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from electronic attacks. As the single point of contact for the government, CCIRC helps to coordinate the national response to significant incidents with key government agencies, such as the Canadian Security Intelligence Service, Communications Security Establishment Canada, and the Royal Canadian Mounted Police. When CCIRC becomes aware of malicious activities, it notifies owners of compromised systems. CCIRC offers: • Technical products: timesensitive information related to specific electronic threats, including detection indicators, mitigation information, and best practices. • Operational products: information about incidents to help support September/october 2014

organizations’ operational and security decision making. • Services: the provision of incident response coordination, mitigation advice, technical analysis, and reporting on malware samples and tailored malware notifications. Link information across channels, products and businesses. Investigators need to more easily link information so they can see a holistic picture of how fraud or cyber-attacks might be occurring. Is it starting in the call center and then moving to the online channel and possibly the mobile payment channel? With the use of highperformance big data analytics for network transactions, security events, and data fusion for contextual enrichment, organizations can rapidly prioritize and mitigate security incidents so they can be prioritized and mitigated. • More accurate alerts: Advanced analytics identifies normal behaviors and patterns of entities – servers, workstations, and users – to spot when an entity steps outside of its normal range of behavior. By categorizing assets combined with event time series analysis and other techniques, organizations can derive contextual awareness to provide a pattern of life behavior. For example, a user connecting with IP addresses overseas or sending packets of information during off hours might be a sign the user’s account has been hacked.

SecuRity, Fraud & Privacy

• Speed of prioritization to corrective action: By automating the cumbersome manual process through event stream processing with real-time, in-memory analytics, firms can derive contextual awareness in a fraction of the time taken by manual search. When used in combination with correlation (i.e., several suspicious events happening at once), analytics can also classify, or score, alerts based on priority. This way, when a breach occurs, it can be identified early in the kill chain before sensitive information is stolen.

balance risk with client appeal. These new mobile payment channels are very appealing to fraudsters, so they will continue to lure consumers for quick and convenient transactions. Banks can seize mobile payments as a new

revenue opportunity, provided they define a clear strategy, weigh the risks, and invest accordingly. Ellen Joyner-Roberson serves as the Security Intelligence Principal Marketing Manager for Worldwide Alliances and Solutions for SAS. She is a veteran

of 26 years with the institute and provides expertise with technology and marketing strategies based on industry objectives and market trends. Ellen leverages her knowledge and extensive experience in order to develop highly effective and targeted marketing strategies to promote SAS as the leader in security intelligence analytics.

Fraud waiting to happen...

• Operationalizing analytics: Frequently alerts aren’t addressed until too late in the attack progression, leaving an organization’s assets exposed. Numerous varying alerts are addressing a single event, which ends up going unnoticed. That leaves organizations with a handful of alerts in a sea of information that’s coming in at high speed. By using analytics early in the attack phase of a compromise, an organization can get in front of the attack and stop it in its tracks. Increased security measures. New payment companies and apps are constantly entering the market. Understand the security threats they pose. For example, some of these new payment systems do not encrypt the data. Keep in mind that, ultimately, consumers want their money to be safe and protected, so banks need to

Learn how to prevent criminals from tampering with your PIN Pad terminals.

halometrics.com/pinpad september/october 2014

PAYMENTSBUSINESS

Security, Fraud & Privacy

Five Best Practices for Minimizing Data Breach Risk It’s inevitable – prepare now! By Richard Heilman

PAYMENTSBUSINESS

hen it comes to data theft, store-front retail merchant breaches generate the biggest news headlines. Target Corporation: at least 40 million debit and credit card numbers stolen. TJX Cos.: 90 million records stolen. Harbor Freight Tools: several million card numbers stolen. And security expert Brian Krebs believes the recent Home Depot breach might turn out to be “much, much bigger than Target.”1 The breach problem is so acute that the Department of Homeland Security and the U.S. Secret Service have issued a warning to organizations about the point-of-sale (POS) malware dubbed ‘Backoff’. Officials say this malware is suspected to have infected P)S systems at more than 1,000 small, medium, and large businesses.2 If this is true, we’ve barely begun to see the effects. With the attention focused on breaches in bricks and mortar stores, you might think your business isn’t at risk if you don’t operate a physical POS. Not only is it untrue – it is a dangerous assumption.

In a second quarter 2014 report published by TrendMicro, security researchers in the TrendLabs group wrote: “Data breaches in particular are moving from being exceptional events to nearly commonplace. According to an Identity Theft Resource Center (ITRC) study, more than 10 million personal records have already been exposed across over 400 separate data breach events as of July 15, 2014. EBay, P.F.Chang’s, Evernote, Code Spaces, and Feedly account for the highest profile data breach events this quarter, but not all of them. This quarter is showing that data breach events can affect anyone that stores data. There is no such thing as a ‘safe’ industry or website now.3” Given that every business that stores data is at risk of a breach, it’s time to focus on what your company can do to prevent a breach – or in a worst case scenario, to survive a breach. This article provides advice for businesses that store (or want to store) their customers’ credit card information for recurring payments or to make September/october 2014

future transactions easier. This includes business-to-business (B2B) (e.g., business suppliers, manufacturing, utilities, etc.) or consumer-to-business (C2B) (e.g., subscription services, installment plans, e-commerce, etc.) types of payments. To protect customers’ credit card account information and to minimize the risk of experiencing your own data breach, here are tried-and-true best practices for your business to adopt.

1. Understand where your systems are vulnerable. Though you might not have POS terminals to swipe credit cards, you do have other systems that collect, store, and transmit your customers’ account numbers. Cybercriminals know how to exploit vulnerabilities and steal data at virtually every point in these systems. For example, hackers utilize sophisticated malware that runs in the memory of computer systems to collect primary account numbers (PANs) in the clear (i.e., unencrypted) while they are being processed for transactions. Some of the areas where

SecuRity, Fraud & Privacy

your systems could be highly vulnerable to attack include web pages that host card data input forms; databases, especially those that allow structured query language (SQL) code to interface with the data; virtual private networks (VPN), and other remote access systems; and mobile applications that customers use on their smartphones and tablet computers. This list is just the tip of the technology iceberg. It’s important to do regular vulnerability scans and penetration testing of your own systems. You’ve got to think like a hacker and come after your own systems as a criminal on a mission would. If you lack the in-house expertise to do this, there are penetration testing companies that specialize in fleshing out the weaknesses of your computer systems. Once those vulnerabilities are uncovered, it’s imperative to remediate them, and then start the testing process all over again. If you maintain your own systems, there are a few common-sense rules to observe: • Change all the default passwords of the system components such as routers and VPNs. • Strictly limit the number of people with access to your payment processes. • Keep all software patched and up to date. • Use two factor authentication for login to all systems.

2. Follow the PCI DSS and PA-DSS guidelines for hardening your systems

The Payment Card Industry Security Standards Council (PCI SSC) has issued detailed guidelines on how to harden your applications, systems, and processes for handling sensitive cardholder data. Follow them! These standards are always evolving in order to keep pace with changes in technology and emerging threats. The Data Security Standard (DSS) provides specific steps for protecting the data in your care, and the Payment Application – Data Security Standard (PA-DSS) outlines the best practices for building security into the applications you develop to accept and process card data. Even complete adherence to these guidelines won’t guarantee that you won’t experience a data breach, but it will greatly reduce the likelihood of a serious event.

3. Tokenize your sensitive data If you need to keep your customers’ account data on file to facilitate future transactions, tokenization is a highly effective and convenient way to protect this data. This process safely replaces a customer’s PAN or bank account information with a randomly generated string of characters called a token. You can engage a third party service provider that specializes in tokenizing payment data to securely store the sensitive data on your behalf and return a token that is completely safe to store in your systems. The provider might also process payments, if you so choose, to further minimize the presence of live account data in your september/october 2014

environment. If your systems are breached and the tokens are stolen, they cannot be monetized in any way by the criminals. Tokens offer strong protection for your customers’ data.

4. Utilize a secure web gateway to collect payment data Websites and web pages where you collect cardholder data are among the most vulnerable technologies you can use. Hackers can easily plant malware or exploit a vulnerability (e.g., SQL injection, cross site scripting) to steal data as its being entered by a client or a customer service representative. If you are going to collect cardholder data via a web page, consider deploying a third party gateway that is purpose-built for securely collecting and storing this data. Invoking the secure gateway is usually transparent to the customer, and it gets your company out of the risky business of collecting cardholder data via the web. The gateway provider can return a token to you to utilize for repeat payments by that customer.

5. Prepare ahead to survive a breach Preparation for a data breach should be a regular part of your disaster recovery/ business continuity planning. Understand what steps must be taken after a breach and assign roles and responsibilities to your team members. Establish contracts with expert providers whose services you might need to stabilize and remediate your

systems, conduct a forensic investigation, properly notify customers and state attorneys general, conduct crisis communications, perform customer credit monitoring, and so on. Good planning on how to react to a breach can minimize the trauma of having it happen to you. Payment card fraud and account number theft has been part of the payments industry since the inception of the payment card. Industry security experts strive to be one step ahead of the criminals. In this digital age – fixes, counter measures, and security schema must be deployed proactively. Waiting for an event to occur at your business is the wrong time to begin securing sensitive data. Be ahead of the criminals and review your security measures today. Otherwise you may find yourself in the position that no business owner, CEO, or CIO wants to be in – the lead story for the national media. Richard (Rich) Heilman has more than 20 years of experience in senior leadership positions at premier banking and financial institutions. As vicepresident of business development for 3Delta Systems, he is responsible for maintaining current and developing new relationships with industry payment processors, card brands, and major acquiring organizations. richard.heilman@3dsi.com 1. Brian Krebs, KrebsonSecurity blog post, http://krebsonsecurity.com/2014/09/ data-nearly-all-u-s-home-depot-stores-hit/, September 2014 2. Department of Homeland Security and United States Secret Service Advisory, “Backoff Malware: Infection Assessment,” August 22, 2014 3. TrendMicro report, 2Q 2014 Security Roundup Report: Turning the Tables on Cyber Attacks, July 2014

PAYMENTSBUSINESS

Security, Fraud & Privacy

PAYMENTSBUSINESS

September/october 2014

SecuRity, Fraud & Privacy

mPOS: Getting Serious On Security Fraudsters will always focus their efforts on the weakest point in the security chain

By Christian Damour

here is increasing market interest in enabling mobile devices as merchant acceptance terminals. Yet, everything that makes the mobile device unique and innovative represents challenges for the payment landscape. It is vital that the consistency of user experience, interoperability across solutions and, very importantly, security are not compromised. As the mobile point of sale (mPOS) community evolves, we are seeing many new market entrants â&#x20AC;&#x201C; players that are new to the payments industry. They face two key challenges: 1. Identifying potential threats. The payment industry is mature and offers users a barrier of protection against malware, software, and hardware attacks. Fraudsters within the mobile industry, however, are now september/october 2014

focusing on identification and exploitation of specific mobile weaknesses. In order to create a security chain, the mobile community must identify and implement techniques to successfully defend the increasingly secure services that are residing on the device while also addressing the mobile point of sale. 2. Understanding payment security. As mainly new actors in the payment industry, mPOS manufacturers are used to focusing on the functionality of the device. Yet, to enable the solution to be considered for payment, the role of security and achieving industry standards becomes paramount. Without this level of knowledge, product time to market can be significantly delayed resulting in additional and

unforeseen costs. So, what do mPOS solution providers have to do to get serious about security? Firstly, they must understand their role in the security chain. The payments ecosystem involves several components, of which the card reader is one. To ensure safe and secure payments, each player within the ecosystem must understand their liabilities, undertake a risk assessment, seek clarity on areas of responsibilities, and investigate ways to confidently optimize security. A security chain needs to be created. The weakest point in the security chain will always be where fraudsters focus their efforts. A weak security chain will be vulnerable to attack, which could ultimately lead to payment card fraud. This is why payment brands require all PAYMENTSBUSINESS

Security, Fraud & Privacy

payment terminals, including new mPOS models, to undergo security evaluation – essentially protecting the established global payments landscape. As well, mPOS solution providers must know the security requirements for payment terminals. The Payment Card Industry – Security Standards Council (PCI SSC) is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.

The Council’s five founding global payment brands – American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. – incorporate the technical requirements in their individual security compliance programs. The PCI PIN transaction security (PCI PTS) is a mandatory requirement from all major payment brands and is applicable to both chip and magnetic stripe card readers, including mPOS terminals. The role of the specification is to raise standards of card data and payment transaction handling by ensuring point of sale (POS) terminals are highly secure and resistant to hacking.

The security specification includes the following features: • Core requirements. Logical and physical requirements of PIN acceptance devices. • POS terminal integration. Ensures that the integration of previously approved components does not impair the overall security, supports the cost-effective maintenance of components, and includes security management requirements applicable to the integrated device. • Open protocols. Confirms that the interface of point of interaction (POI) terminals to open networks using open protocols will

not have public domain vulnerabilities. • Secure reading and exchange of data. A set of requirements that ensures cardholder data is protected. • Device management security requirements. Lifecycle requirements for POIs and their components up until the point of initial key loading. mPOS solution providers also must identify the approach to security. They understand and are familiar with the functional testing that is required, which is often their key focus when advancing new products. Security evaluation,

Guarantee your liquidity within 8 business hours

905.670.4838 1.888.503.4528 1

By depositing your current invoices at IPS, you gain total control of your cash flow, reduce administrative costs, minimize the credit risk posed to your business and increase your productivity.

PAYMENTSBUSINESS

September/october 2014

SecuRity, Fraud & Privacy

however, is more intricate and time intensive. To consider security at the end of product development can prove costly as security mechanisms are required in both the hardware and software of the device. To try to back-integrate security at this stage can result in significant delays in product time to market. There are three stages to security evaluation: • Scoping. This identifies the applicable security requirements for the mPOS terminal. For efficient product development, it is important to understand this as soon as product development commences so that the security features can incorporated.

• Exploration. Vulnerability analysis, security function evaluation, and resistance against attacks should be undertaken throughout the product development lifecycle. This will ensure any security issues can be resolved during the development and offers penetration test plans. • Penetration. A security evaluation will be undertaken at an independent laboratory to finalize the analysis and produce the required certification prior to product launch. Each of these stages must be completed before an approved mPOS terminal can

september/october 2014

be launched to market.

Learning from the industry Product evaluation takes time; usually eight to 12 weeks. Too often, mPOS manufacturers haven’t calculated this requirement into the product launch timeline and assuming it aligns with functional testing timeframes. It can be surprising how little focus (if any) has been placed on the fundamental security requirements. There are many payment security experts in the marketplace. To ensure the effective use of resources, it is vital to tap into this knowledge and understand ‘what’ needs to be done and ‘when’. To

start scoping the security requirements once a product is ready for launch can be detrimental to the project and can cause costly and timeconsuming delays. Get serious about security by speaking to the payments industry to get an understanding of what needs to be done and to ensure that your mPOS product is a robust part of the security chain. Christian Damour is Security Business Line Manager at FIME. Christian joined FIME in 2011 to develop and manage FIME’s security offering, after spending 12 years as a certification leader within a licensed security evaluation lab. On behalf of FIME, he attends and actively contributes to GlobalPlatform Card Security and TEE Security Working Groups.

PAYMENTSBUSINESS

Security, Fraud & Privacy

HCE-Based Mobile Payments:

Enabling Mass Adoption with Software Security

Software-based solutions secure transactions on consumer devices and provide a solid foundation of trust

F By Douglas Kinloch

PAYMENTSBUSINESS

or the last decade the payments industry has anxiously awaited the arrival of the mobile payments boom. The mobile payments’ potential offers convenience and ease of use and would seem to offer real growth potential, but the challenges of mobile payment deployments due to the necessity of dealing with multiple gatekeepers has proved an insurmountable obstacle. Until the recent introduction of Host Card Emulation (HCE) architecture by Google, payment solution providers and issuers were only able to store card credentials on mobile devices in a Secure Element (SE). This is a type of specialized hardware security chip that mimics the functionality of the chip on an EMV card and makes the phone a highly secure mobile payment device. However, access to this hardware-based solution has been controlled by network operators and handset manufacturers, whose up-front costs and level of complexity have acted as a brake on innovation and has limited the applications available to consumers. HCE is now backed by major payment brands such as MasterCard and VISA, heralding

a potential explosion of consumer adoption as developers rush to release innovative payment applications. However, one barrier remains – securing the transaction on the consumer device to provide a solid foundation of trust in mobile payments. Recently, software-based security solutions have emerged to close this critical gap. Token protection using software secure element techniques such as tamper proofing, white box cryptography, obfuscation, and entropy-based identity has allowed developers to close the gap and provide high performance, practical solutions to HCE security.

A primer on HCE In October 2013, Google introduced a new mobile operating system which included the HCE Near Field Communication (NFC) feature. Since then, HCE has garnered much attention in the NFC and payment industry as the long anticipated solution that finally lowers the adoption barriers sufficiently to enable mass consumer adoption. Confidence in HCE has been further bolstered with Google’s introduction of its September/october 2014

first HCE-based NFC payment system for Google Wallet which completely eliminates the use of the hardware-based SE. HCE allows for the presentation of a virtual payment card using only software. HCE enables NFC-enabled mobile devices to perform contactless transactions in a virtual mode where the payment mechanisms and associated credentials are hosted in the operating system (OS) rather than the SE. Google’s implementation of HCE leaves the security of this data to the developer. Google and the new HCEbased payment schemes have opened the potential use cases for proximity payments and other transactions – including loyalty programs, building access, and transit passes. Increasing availability of NFC capable phones in conjunction with new HCE technologies now make widespread adoption of contactless mobile payments a much more realistic pursuit for the mobile payment industry and consumers alike. HCE holds the potential for merchants to offer payment card solutions more easily through mobile, closed-loop contactless

SecuRity, Fraud & Privacy

payment solutions with tokenized payment cards, and easy deployment scenarios that do not require software changes inside the point-ofsale terminal. And yet for all the touted benefits of HCE, obstacles still exist. The use of applications running in non-secure mobile devices creates significant security challenges for mobile payment solution providers. These challenges must be solved in order to realize the full potential of HCE.

Overview of HCE security challenges and solutions To provide a secure implementation of HCE, payment credentials are generated in the cloud and sent to the mobile device to be used when payment is performed. These credentials can either be stored on the device as a static image or by a secure server in the cloud. However the Smart Card Alliance warns that serious security issues are associated with storing static data on the device, while the cloud presents security risks because the payment credentials can be exposed by malware residing on the device. To mitigate this risk and protect sensitive payment card data, payment schemes such as (EMVCo, VISA, MasterCard) and the Smart Card Alliance recommend the use of payment tokens generated in the cloud and transmitted over the Internet for transactions. Therefore, mobile payment use by consumers requires a secure process for enrollment, application installment, and payment token provisioning to the device. At time of

payment, the consumer’s mobile payment app provides the tokenized payment credentials to the merchant’s POS using NFC. The merchant then routes the transaction to the acquirer and the issuer receives the transaction over the payment network for authorization. Even using tokenization, substantial risks still exist if the device is exploited, jailbroken, or rooted. To enhance security, solution providers can use software secure element techniques such as white box cryptography, obfuscation, and tamper proofing to mitigate security risks. Additional techniques such as risk-scoring of mobile payment transactions prior to authorization are also desirable.

Balancing security versus market requirements With a host of commercial HCE security solutions coming on to the market, it is now easier than ever for mobile payment solution providers and issuers to find the right fit security solution for HCE applications without delaying time to market. However, as with any technology, issuers and merchants must be able to sort through the hype in order to find the right solution for their customers. So, if you are considering an HCE-based mobile payment application, you may want to keep these tips in mind: 1. Avoid all HCE payment solutions written only in Java. When used on an endpoint Java exposes all data and functionality simply by operating, and because it is an interpreted september/october 2014

language it is impossible to prevent a hacker accessing sensitive data. While Java applets are traditionally used for hardware-based NFC payments, Java cannot provide the level of security needed for a softwarebased HCE solution; 2. Make sure the mobile payment application you choose includes both device and server-side security measures. Hackers will easily breach server-side security alone; 3. Ask your HCE payment application provider how they secure the cryptographic functions and credential storage that were previously handled in the SE. Solution providers serious about HCE should provide a white boxed cryptography implementation, in a securely tamper proofed and obfuscated nativedeveloped app; 4. Ask how solution providers protect tokens on exploited, jail-broken, or rooted devices. Almost all cryptographic operations rely on secrets, typically in the form of symmetric keys or private keys. If a hacker can gain access to these secrets, then the cryptographic operations that depend upon them immediately become insecure. Techniques such as white box cryptography can protect keys and other secrets that are critical to security even if the device is exploited, jail broken, or rooted;

5. Know which mobile operating systems your customers use and whether the mobile payment application will support the most popular devices. At a minimum, Apple iOS and Android should be supported.

Conclusion HCE introduces far-reaching implications for the payments industry in general by enabling new opportunities and solutions for service providers and issuers. HCEenabled apps also hold promise for merchants who want to control the shopping experience of customers from beginning to end – integrating merchant loyalty, promotions, and offers with HCE payment on a smartphone can offer seamless transactions at the point of sale. Of course, HCE based applications must come with a mobile application implementing the right level of security to see all of these rewards. Security challenges must be taken into account to prevent mass consumer adoption failure. When we choose to understand convenience versus the security risks of HCE and mitigate these with robust software based security, we can make significant progress towards the long expected boom of mobile payments. Douglas Kinloch is a principle with Metaforic – an INSIDE Secure company – where he is in charge of the company’s line of protection technology; Metaforic Core, Concealer and Authenticator and now Metaforic WhiteBox. Doug is a commercially focused senior business development & marketing manager, experienced in developing international markets across a range of sectors.

PAYMENTSBUSINESS

Securing Mobile Life.

Creating Confidence. Giesecke & Devrient offers a comprehensive range of payment products and solutions based on the latest EMV, contactless and dual interface technologies. Our smart debit, credit and prepaid products are available on a wide range of platforms based on secure and highly flexible operating systems. Alongside the comprehensive portfolio of easily configurable card products and card solutions, we offer all services related to electronic payments including m-commerce and transit. Our services include personalization, system integration, project management and technical consulting from a single source. For more information, please visit: www.gi-de.com/ca

Risk

Managing Currency Risk and International Payments Seven international payment issues commonly faced by Canadian corporations

By Roy Farah

PAYMENTSBUSINESS

egardless of a companyâ&#x20AC;&#x2122;s size or whether itâ&#x20AC;&#x2122;s publicly traded or privately held, unexpected currency swings can take a huge toll on business results. These swings can impact quarterly earnings and dampen the outlook for the year. Compared to many American companies, Canadian corporations are often savvier when dealing with the effects of foreign exchange rates. The dominant use of the U.S. dollar for global trade means Canadian businesses have become well-versed in foreign exchange markets and the benefits of using local

currencies. What they are less aware of, however, are some of the newer options they have to manage currency risk and international payments more effectively. Oftentimes, they investigate alternatives to current processes only after an unexpected issue arises, such as a large loss due to unforeseen FX exposure, or delayed payments leading to a loss of foreign business. While corporations in different industries will have different needs, we have found that there are common pain points amongst our corporate clients, all of whom have some September/october 2014

international aspect to their business and therefore must manage international payments. Here are tips on how to handle seven of the most common international payment issues that Canadian corporations may encounter:

Automate international payments and reconciliation processes Mid- to-large-sized corporations are beginning to recognize that their current, largely manual, payment processes are fairly inefficient and costly. This is especially true for any rapidly growing company or for

Risk

companies that are expanding internationally. We often find that companies continue to use the processes they had when they were smaller and this can drive inefficiencies that, once identified, can easily be remedied. The first thing to note is that there are tools available that can effortlessly automate the payment process. These allow corporations to process a very large number of international payments automatically without the need for manual input, which can be costly, inefficient, and prone to human error. We find that customers who use our automated payments tool find particular value in its reconciliation file, which can be uploaded in the company’s general ledger or ERP systems. By implementing this tool, our clients have observed significant enhancement in productivity and efficiency, while reducing manual errors and improving controls.

payment to a supplier in France can be as easy (and almost as inexpensive) as paying for your utility or phone bills online from inside Canada. As an added benefit, the international payee will rarely incur incoming wire charges.

Work with a specialist that can simplify international payment processes Keeping up with different formatting, regulatory, and various other international payment requirements can

be daunting, and may prove to be highly distracting and inefficient for a corporation. Collecting and verifying payees’ international banking information requires time, but consulting with an international payments expert

Each Click is a Residual Payment.

Reduce the costs of international wire charges As a company grows, often so too does its number of international payments – and costs can add up quickly. For larger companies, these costs may include high international wire charges, intermediary bank charges, and incoming wire fees charged to the beneficiary. Luckily this is an area where corporations can use a number of solutions to achieve relatively quick and easy wins. An example of this is to find a financial services partner that has its own international bank-to-bank transfer functionality. Making a

Authorize.Net has paid out more residual payments than any other payment gateway. Contact us to learn why. Call 1.866.437.0491 or visit www.authorize.net

september/october 2014

PAYMENTSBUSINESS

Risk

may assist in navigating some of these complex requirements. An expert in this field may also be able to provide a number of strategies to assist corporations, from simple tools that provide lists of all global bank codes to sophisticated payee management tools that are designed to simplify and streamline the collection and verification of the payee’s bank information.

Ensure on-time international payroll and pension payments The above is particularly relevant to companies with international or expatriate staff, or corporations with pension payment obligations

outside Canada. A good international payment solution assists large corporations by embedding directly into their own systems and ensuring that regularly recurring payments, such as international salaries, are delivered in the right amount and on time every month without the need for constant manual oversight.

Receive foreign currency payments

Companies with significant sales in international markets can find that taking the simple step of invoicing clients in their domestic currency can make it easier for their customers abroad to buy from them. Canadian exporters, however, can be impacted by significant

Payments Business invites you to a

FREE breakfast briefing in November on Remote Deposit Capture Take your RDC “pilot” to a “high flying” revenue generator For banks exploring the mystery that is corporate remote deposit capture, moving from a testing phase to a full fledge offering solution is complicated and a bit scary. There is a lot to consider while weighing the pros and cons of moving forward. A must attend! • Gain insights into what customers expect from their RDC solutions. • Discover how to mitigate pain points on the front end of this immerging business opportunity.

EVENT DETAILS: Nov 6, 2014 • 7:30-10am

SPEAKER: Jim Harris,

Vice-President of Sales, Panini Presented by

The National Club 303 Bay St, Toronto M5H 2R1

BRING YOUR TEAM.

Register now to reserve your seat at www.paymentsbusiness.ca For more information call Chantal Goudreau (905) 201-6600 x224 or email chantal@paymentsbusiness.ca • Seating is limited.

PAYMENTSBUSINESS

limitations associated with receiving funds from outside Canada from their target markets. Currently, the only main-stream options are wire transfers from outside Canada or payment by credit card. Both these options can be expensive and inefficient. Setting up a foreign currency holding account and working with a specialist payments provider that can facilitate direct local currency payments are two methods that can make the process more effective. Exporters can also look to grow their international sales by reducing the cost and complexity of the buying process for their global customers.

Gain visibility over foreign currency exposures As corporations expand their international presence, their foreign currency exposure starts becoming increasingly complex and difficult to manage. Fluctuating markets mean the costs of international payments can change drastically, leading to potential gaps in cash flow. The reduced visibility leads to uncertain budgets and challenges when it comes to forecasting. Many of our corporate clients use our visibility and control tools, which range from the most sophisticated software which can be fully integrated with the companies’ GL to simple, yet very powerful, reporting tools. A foreign exchange services partner can also help firms reduce the risk of currency fluctuation while allowing corporations to potentially participate in favourable market movements. September/october 2014

Expand control functions over international subsidiaries

Another growing trend we are seeing is a desire for increased control and visibility over payments that are flowing to and from subsidiaries outside Canada, including the ability to audit them. There are tools available that allow a Canadian parent corporation to view, approve, and control the payments of any number of international subsidiaries. Moving funds around the globe can be a complex and lengthy process. Taking the time at the start to set the right strategy, however, can lead to long term efficiency and time savings. The above are seven tactics that can enable corporations to maximize their cash flow, increase efficiencies, and improve their overall competitiveness. The very first step, however, is to find a strong financial services partner that will bring to the table the right solutions for your business, from embedded automated payment systems to foreign exchange hedging capacities and beyond. The right partner will be able to help build an overall international payment strategy so a company can focus on growing its overall business. Roy Farah is the head of Corporate Business for Western Union Business Solutions in Canada, a financial services partner for companies engaged in international business. He has more than 15 years’ experience working with Canadian companies and organizations on their international payment and cash flow strategies. Roy holds an MBA from McGill University and is a CFA charterholder.

AWARDS 2014

Women in Payments™

Awards 2014

Dear Reader, This is the third year we’ve held the Women in Payments™ Symposium in Canada, an event where women earn, network, and celebrate their achievements in the payments industry. Participation has grown from 160 women in the first year, to over 300 this year, and I’m delighted that we are able to meet a real need in the market. As an important part of celebrating our achievements, it is with great pleasure that I’d like to introduce this year’s award winners. The Awards Committee was impressed by the quality of the nominations submitted this year, a tribute to the overall excellence and professionalism of women working in our field. We were also delighted that the nominations came from across the payments ecosystem, including women working with consumer payments, business payments, as well as emerging payments. The Women in Payments™ Award for Leadership honours a woman in the industry who demonstrates professional excellence and a commitment to advancing and supporting women working in the payments field. This leader is co-chair of the Canadian Banking Women’s Forum, and is dedicated to mentoring, sponsoring, and coaching women and visible minorities. Her positive influence in the financial community is a result of her strong support and encouragement for diversity, learning, and professional excellence. Linda Mantia is this year’s winner of the Award for Leadership. The Women in Payments™ Award for Innovation honours a woman who has been instrumental in fostering and promoting innovation of products or services in the payments industry. This year’s winner is recognized in the international payments world as one of the leading innovators of specialized, multi-currency payment card solutions including credit, debit, and prepaid card products. We are pleased to present this year’s Award for Innovation to Andrea Wilson. The Women in Payments™ Distinguished Payments Professional Award is a lifetime achievement award that recognizes a woman who has served as a role model and contributed to the overall positive image of the payments industry. The winner of this award has had a dynamic 30 year career, including Director of the Visa Canada Association Board, Director of the Visa International Board, Chair of the Chip Executive Council, and most currently Executive Vice President and Head of Global Transaction Banking at Scotiabank. She was also named to The 25 Most Powerful Women in Banking five years in a row by American Banker and US Banker. This year’s winner is Alberta G. Cefis. In closing, I’d like to thank our Awards Committee, themselves leaders in the payments industry here in Canada. The Awards Committee members include Linda Hartley from CIBC; Pat Daley from Deloitte; Fay Freiman from Scotialbank; Lorna Johnson of Interac; and Cathy Pin of CGI. These women put great thought into reviewing the nominations and selecting the winners. I’d like to extend my sincerest congratulations to the winners of this year’s awards, and I look forward to your ongoing interest and support for Women in Payments™ in 2015.

Kirsty Duncan, P. Eng. Founder & Chair, Women in Payments 30

PAYMENTSBUSINESS

September/october 2014

Women in Payments™

Award for Innovation internationally with First Data – a very big accomplishment. Subsequently, Wilson worked with the Bermuda government on private and public ecommerce legislation and putting a legal infrastructure in place, complete with standards, codes of conduct, and an ecommerce advisory board.

With vision comes challenge “Getting people to understand that what I was saying or planning could actually work was a challenge. I could see a vision that other people couldn’t and the biggest struggle was getting people to sufficiently understand to want to support the projects.” The other challenge was compliance, says Wilson. “You can have a great idea and a great invention and then someone comes along and asks, how are we going to manage anti-money laundering and how we going to manage KYB and KYC? That takes a long time and time in itself can be a challenge particularly in the payments industry, which moves so quickly. By Karen Treml

“I think my career was destiny. There was a path. That was the way I was headed and that’s how it was going to be. And that’s the way it has happened.” With experience working on a project implementation team for a nationwide customer information facility system and a background in conversions and system infrastructure, Andrea Wilson knew how to set up new systems. So in 1993 when she landed in Bermuda, an island that had basic credit card products, no ATMs, and a very limited card infrastructure, she became the ‘card expertise’ the Bank of Butterfield relied upon to implement its credit card processing platform and credit card product portfolio. Wilson and her team(s) were instrumental in getting the island certified initially with First Data for credit and debit card issuing and then for ecommerce merchant services. And that was how she landed in the payments business. “The Bermuda government’s vision for ecommerce was very early in the grand scheme of things. The U.S. market was just emerging with internet payments, the European market really wasn’t quite there yet. Without that vision and their support, I don’t think I would be where I am today. The government had the vision, the understanding, and the adaptability to allow the work to be done. They took a big chance on it so early in the ecommerce industry.” In 1998, Wilson founded First Atlantic Commerce and American merchants began contacting her about wanting to process Internet transactions with Bermuda banks “I honestly had no idea what to do. First Data steered me to the CyberCash website, the first certified payment gateway in North America, and when I contacted First Data about their online processing platform and how it worked, I thought if they can do it in the U.S., we can do it in Bermuda.” And they did. In June 1998, First Atlantic Commerce was certified for processing Internet commerce transactions to First Data. It was the first online payment gateway to certify september/october 2014

An award amidst peers The ‘Woman in Payments™ Award for Innovation’ is huge because it is an acknowledgement, in my group of peers and in my own country, of the work I have completed and the strengths I bring to the industry, says Wilson. “When you win an award on your own turf amidst women who have more experience and have been in the industry for more years, that is a huge accomplishment. I’m over the moon.” Wilson loves the payments industry, its advancements, and its innovation. She wants to be remembered for changing the way people pay and over the years, certainly internationally, she’s been successful at driving some of those changes directly. “That’s the core of my substance. I love innovation, I love being able to figure out how to fit the square peg into that round hole, how to take that transaction and make it something that nobody has done before or has even thought about trying. You can do that in the payments industry – particularly now with digital and mobile payments.”

Advice to others As a mentor, Wilson’s advice to other women is to absolutely dive in, adding that it is the best industry in the world to be in. It is highly rewarding, you meet some awesome people, and it is always changing, always evolving. Everyone must be paid in this world, whether by paycheque, invoice, card payment, wire transfer etc., so those working in payments will always have a career. It’s like fashion, she says, there may be some good ideas, some bad designs, and sometimes it’s a fad, but for the most part the payments industry is highly evolved and well received by consumers. “My education is in microbiology. I wanted to be an architect but my dad wanted me to be in sciences, in the medical field. In the end, I’m an architect – in the payments industry. And I am certainly privileged to be a part of it all. PAYMENTSBUSINESS

Women in Payments™ Distinguished Payments Professional Award type of mentors, when you have them, and where you have them that is important, she says. “It’s also important to have sponsors. They are different than mentors. Sponsors are there at the table when you are being discussed for a job – it’s about people that can help you with that next opportunity.”

Award win shared with many women

By Karen Treml

“Like everything in life, a part of our path is based on what we set out to do and the course we chart. The rest is what happens along the way.” A strong desire to work in a multi-national or corporate position gave early direction to Alberta Cefis’ career, which started in technology but soon turned to the financial services sector. With several choices available to her, and because she’d always had a great interest in globality and international matters, Cefis joined Scotiabank in 1991. As Canada’s only truly international bank, she says Scotiabank gave her the opportunity to manage a global business line, and take her career to the next level. Here, Alberta reflects on some of the keys to her successful career. “When I first started in banking, it was a very different world. I was in my 20s and an educated woman. I started working in the corporate strategy and acquisition area, which was all male. I was very different in demographic and psychographic, and I didn’t look the part of a banker – and I was Italian and had a name everyone wanted to pronounce like a Canadian landmass. Over the years, holding one’s own as a woman in banking required, and still does require, having a performance metric, says Cefis. “You have to have leadership capabilities, be able to show progress and success, and you have to have EQ and IQ. And it’s not only about technical knowledge; it’s how you can play, or are interested in playing, the different roles required to be successful and in developing the skillsets within them.” Your team is always a part of your success, so you need people that share and are committed to your goals and vision. You are a conductor of an orchestra and your job is to ensure everyone plays to the best of their abilities, she explains, adding that there’s a lot of collective factors that all come into play. “It’s not just about me, it’s about the environment and the people who believe in you – teams that have that can be very successful.” Alberta also identifies the need to have good mentors, supporters, and sponsors. Mentors are always needed and it’s the 32

PAYMENTSBUSINESS

Receiving the ‘Women in Payments™ Distinguished Payments Professional Award’ is very humbling for Cefis. “Because there are so many deserving people, it is always humbling to be given an award in the first place. I’m very grateful and I share it with everyone who was nominated for it, as well the many other competent women that exist in the payments industry.” Cefis finds the ‘Women in Payments™ Awards’ special because they encourage, promote, and reward the aspirations of women who are coming up in the industry so that they can see the opportunities and receive the encouragement. “Many of these awards did not exist when I started in business. I am, and always have been, very dedicated to supporting the progress and advancement of women in the sense of creating a level playing field. It is very gratifying to see awards such as these, recognize women for their dedication and progress in their field.

The journey forward “You never can tell,” says Cefis, when asked what stones are yet unturned. She has many other interests, such as the arts and sitting on four not-for-profit boards. She very much believes in giving back to the community, in the advancement of women, and in supporting LGBT diversity – and all are very important to Cefis. She is also very connected with the education side of life and to giving back. “I’ve done a lot of guest lecturing and guest teaching. Giving back can be in terms of mentoring and sponsoring, as well as giving advice and sharing real life lessons I’ve learned, with the up and coming classes of graduates. “Work has been a very important part of my life, but so are the other things. I have personal interests, such as sports and travel and there’s still a lot of world for me to see. I have always said, you can have a destination, but the journey is just as important. Things will happen along the way. You have a roadmap, yes, but you also have to know how to adapt. Life throws you opportunities that alter the journey.” For Cefis, the journey continues, as she has recently announced her retirement from Scotiabank.

An exciting industry ahead “The payments industry will continue to be a very exciting industry for women and men. There is a lot of change as a result of technology, regulation, and new entrants,” says Cefis. “It’s a very satisfying career and there are lots of very interesting things going on in the field, whether you are with a technology, financial, or new entrant company”, she adds. The payments field by definition is an exciting and very evolving one from a business industry perspective and it touches people and enterprises at every level – worldwide. September/october 2014

Celebrating a world of potential As a leader in the Advancement of Women, Scotiabank is committed to supporting women in reaching their full potential. Through our Bright Future philanthropic program, we continue to support local communities and womenâ&#x20AC;&#x2122;s initiatives around the world. Today, Scotiabank congratulates all of the Women in Payments Award winners and celebrates the innovators and leaders in the payments industry.

scotiabank.com

Local strength. Global reach. C o r p o r a t e & I n v e s t m e n t B a n k i n g | C o m m e r c i a l B a n k i n g | C a p i t a l M a r k e t s | C a s h M a n a g e m e n t | Tr a d e F i n a n c e

Trademark of The Bank of Nova Scotia. Used under license, where applicable.

Women in Payments™

Award for Leadership intellectual property we were creating around RBC Secure Cloud became an extensive part of that mandate,” she says. And that led to Mantia receiving the ‘Women in Payments™ Award for Leadership.

Proud of the team “Honestly, I am so proud to be representing this team. I am constantly amazed at the capabilities and the conviction our people have to do what is right for our clients and for the business. I have a team that is incredibly curious, wants to learn, and likes talking to our clients just to make sure we are doing the best we can every day.” “When you are in a business as mature as credit cards you have to be paying a lot of attention to the big strategies but also the daily blocking and tackling and everyone on this team is willing to be the CEO of the business when needed, but also to be the janitor. That is how you win these days.” By Karen Treml

“For me, payments has always been very exciting. It’s one of the most dynamic businesses – it’s very client facing, moves with the market, and is heavily intertwined with the commerce space.” Linda Mantia has a pretty diverse background which she feels is actually a good thing in a rapidly changing business. While she has been with RBC for 11 years, she started her career as a corporate securities lawyer at Davies and subsequently moved into management consulting, working with McKinsey & Company as a co-leader for its ecommerce practice in Canada. “A lot of the things we are seeing in payments now is quite similar to what we saw in our practice in the late 90s only everything is real now – everything that people envisioned that the internet would do back then, it does now.” When she first joined RBC, Mantia worked in the innovations side. For a period of time she was COO for the bank’s international wealth business based in England. Upon returning, she worked for the CFO in enterprise services and worked very closely with the cards team to build the supply chain management capability. Two years ago, she took over the cards side of the business. “At that time, we had our core business with our Avion product and all the hyperactivity was about to occur within that premium space. One of the challenges was ensuring our flagship product continued to succeed, as well as our cobrand partnerships. Also, within the mobile payments industry, despite an existing solution in the market, adoption was stalled due to the complexities of enabling payments on mobile. This resulted in an end solution that was complex for issuers and more importantly, for consumers.” Mantia worked towards ensuring that RBC’s broader value proposition was instrumental to achieving the goals of the cobrand partners. With the massive digital transformation underway, the focus was on digitizing the business and learning how to acquire customers digitally. Engaging them became a very big part of the mandate. “We suddenly stumbled into being inventors – the 34

PAYMENTSBUSINESS

Mentoring – what resonates With mentoring, Mantia recommends getting a lot of advice and seeing what resonates. “The value of getting lots of advice is you get a sense of what excites you. I don’t think anyone can be successful doing what they are supposed to do unless they find a true passion in it.” But some advice Mantia can readily give is that some of the biggest successes in a career have nothing to do with the career itself. Prior to joining RBC, while working as a management consultant, Mantia underwent a serious health situation that required massive open heart surgery for a birth defect. “That actually made me stop and pause from my usual ‘oh this is interesting, let’s go do this and do that’. It made me realize that I could actually die and it made me question whether I was doing the things I wanted to be doing. That became my pivotal moment. I truly believe the most successful people are the most resilient people and it’s about moving forward and finding what’s new and what’s next. We each should try to force ourselves to really think about what we want to do.”

What comes next “I have had a diverse amount of roles in my career. Simply put, I am curious. As long as things are changing and I can be a part of a team that has the capability and the room to adapt and as long as it’s something exciting where I can have impact, I will remain engaged. It doesn’t sound very predestined but I like solving tough problems and moving on from there to see where it leads me.” Mantia says, half-jokingly, that she really doesn’t know what she wants to be when she grows up. But she does want to tell people to not put so much pressure on themselves. “Don’t lock yourself in to a predetermined path because then you become political and you start to time things and wait for people to retire or move on. And that takes all your energy away from just doing a fabulous job on the task that you were lucky enough to be given to do.” September/october 2014

Leader. Innovator. Champion. Congratulations to Linda Mantia, Executive Vice President, Cards & Payment Solutions, RBC, on receiving the 2014 Women in Payments‡ Leadership Award. Your vision, passion and accomplished record for leading change and delivering strong, lasting results, inspires us all.

® / ™ Trademark(s) of Royal Bank of Canada. ‡ All other trademarks are the property of their respective owner(s).

Want to know more about your card programs? Do you issue fleet cards? Manage transactions? Is it vital to keep on top of technology which affects your mobile solutions?

Sign up NOW for a free subscription to Payments Business magazine. Visit our website at www.paymentsbusiness.ca and learn more about the magazine Payments Business is a Lloydmedia, Inc publication. Lloydmedia also publishes Financial Operations magazine, Canadian Treasurer magazine, Canadian Equipment Finance magazine, Direct Marketing magazine and Contact Management magazine.

Segment update

Acceptance Makes Good Small Business Sense Large majority of Canadian merchants accepting credit cards say benefits outweigh costs

By Kevin Gonyea

he Canadian economy is built on a foundation of small businesses and contrary to some suggestions, small business owners and operators who accept credit cards do so because they understand the benefits and costs of digital payment, says a recent Harris/Decima survey. In fact, despite some reports that small businesses prefer cash over credit cards, the poll conducted for MasterCard found that more than two-thirds of small businesses that accept credit cards (69 per cent) said the benefits of accepting credit card payment outweigh the costs. It’s a matter of customer service, and it’s also a matter of good business management. Most respondents said they accept credit cards because that’s the way their customers want to pay. But while it may start with customer service, the merchants surveyed found a lot of other benefits to digital payment. They say card acceptance makes it easier to manage their business, with 59 per cent citing ease of processing as a benefit, and 57 per cent citing certainty of getting paid. Major credit cards guarantee the merchant gets paid, and they protect the consumer from fraud, which means the institution providing the credit card bears any risk in a transaction. Merchants see september/october 2014

the benefit of that, and also the benefits of precise record keeping and effective cash management – both tools that help them run their businesses better. The small business leaders also pointed to greater sales opportunities. More than half (52 per cent) said their customers are more likely to make a purchase if they can pay with a credit card. Research has shown that when merchants accept credit cards, they attract more customers and the average purchase per customer goes up. Credit card acceptance also enables small businesses to punch above their weight, significantly expanding their geographic reach beyond their local neighbourhood. Two-thirds of small business respondents reported making remote sales (telephone, internet) to consumers who paid with a credit card. And they said those remote sales had a big effect on their business. For those merchants who sold online, 20 per cent said remote sales accounted for between 11 and 50 per cent of their total sales. For 14 per cent, remote sales accounted for more than 50 per cent of their sales, none of which would have been possible without credit cards. Accepting credit cards also enables retailers to make it easier for foreign visitors to

purchase, without the need and expense of currency exchange. Among survey respondents, 43 per cent said they have made credit card sales to visitors from outside Canada. And for those small businesses that benefit from sales to foreign visitors by credit card, the increase in business is not inconsequential. Ten per cent of small businesses surveyed said credit card sales to visitors from outside Canada comprised more than 10 per cent of their business. The merchants surveyed by Harris/Decima were savvy about their payment options, including their option to offer consumers a discount for paying with cash or debit cards. But it appears most respect the customers’ desire to pay with a credit card. Besides the convenience and security of credit card payment, Canadian consumers also seem to be motivated by love of loyalty programs that help them stretch their dollars. Consumer research has shown nine in 10 Canadian adults use loyalty programs to collect points or miles, with each active on average with three different loyalty programs. When those loyalty programs are part of a premium credit card, 40 per cent of merchants surveyed by Harris Decima said those premium card holders are PAYMENTSBUSINESS

Segment Update

their best customers. The Harris/Decima survey is important because despite overwhelming consumer preference for digital (credit, debit) payment, there are still a few penny-wise and poundfoolish merchants who think they are helping their business by accepting only cash. They operate under the mistaken belief cash is free to them. It is not. Far from it. Cash exposes merchants to the risk of theft (including inside job), robbery, and counterfeit currency, as well as the risk of human error during the exchange. Managing cash to avoid human error or ‘shrinkage’ often means the time-consuming process of counting, recounting, and

counting again, which makes cash the slowest payment medium. Even then, there are inevitable errors. With cash on hand, merchants must also pay for security (e.g., surveillance cameras and security guards), secure storage (vaults and cash registers), and for counterfeitdetection equipment and training. Larger merchants often need armoured car services to carry cash, and ﬁnancial institutions charge them fees for cash deposits, cash withdrawals, and coin ordering. Smaller merchants have to carry cash themselves, or rely on employees to carry it to deposit boxes. Merchants also pay

insurance premiums in an effort to protect themselves from losses due to theft. Smaller merchants spend less on security, which means they are in effect self-insuring. They must absorb any losses. Cash transactions also tend to be slower at the register, especially compared to new tap-and-go payment methods. The result is that retailers are able to process fewer customer payments in cash, and consumers using cash average smaller total purchases. Cash customers spend less than credit card customers. Small business operators need all the help they can get. They need to maximize sales opportunities, find the best customer service options,

and manage their time, manpower, budgets, accounts, administration, HR, and financial strains. It’s hard work, but don’t underestimate Canada’s small business people. The ones who accept credit cards have done the cost-benefit analysis and understand the full value they get from that, whether it’s attracting the big spenders, providing the customer service and payment options their customers want, cutting the cost of handling cash, or managing risks and adopting more effective businesses processes. Kevin Gonyea is Vice-President, Head of Acquirer Merchant Relationship Management at MasterCard Canada.

Banks and Financial Institutions can benefit in numerous ways from deploying a Remote Deposit Capture (RDC) solution. It offers substantial cost-savings opportunities, while opening the doors to a whole new set of revenue streams. Businesses of all sizes have recognized the tremendous efficiencies associated with transitioning to an RDC solution: with remote deposit capture, Financial Institutions offer their business clients the opportunity to scan and transmit images directly from their business location(s) to the bank, providing them with convenience, improved funds availability, and faster return item notification, while the FIs in return can improve their market share and achieve lower operational costs. With over 20 years of experience in distributed cheque capture, Panini offers reliable, affordable, and scalable cheque scanners that meet the specific requirements of a wide range of RDC users.

Visit us at www.panini.com or call (937) 510-6617 Interested in learning how to take your RDC “pilot” to a “high flying” revenue generator?

Join us for a Free Breakfast Briefing on Remote Deposit Capture on November 6 in Toronto. Visit www.paymentsbusiness.ca for more details.

PAYMENTSBUSINESS

September/october 2014

Pay Channel

Bitcoin – An Alternative Payment Method

By David Ripley

s many readers know, bitcoin has received a lot of attention in recent months with proponents keen to highlight the numerous benefits of bitcoin relative to the existing financial system. From a payments perspective, bitcoin offers a more secure, seamless, fast, and cost effective method of value transfer. As if this wasn’t enough, it also offers a globally available and open platform, ripe for building new innovative applications. The relative benefits of bitcoin vary when compared to the existing payment methods (e.g. credit card, cheque, bank transfer, cash, etc.). Today, consumers and merchants (or buyers and sellers) typically choose different preferred payment methods for small, medium, or large value transactions. These decisions are generally driven by buyers and sellers assessment of the ‘cost vs. ease of use’ tradeoff. Similarly, we can expect bitcoin, as a new payment mechanism, to have different adoption rates across the various transaction sizes due to these same drivers.

Large-value transactions For large value transactions (i.e. several thousand dollars or more), cheques and other

types of bank transfers turn out to be the most common methods used today. The reason is that it comes back to the ‘cost vs. ease of use’ trade-off. Credit card fees typically become untenable when transaction values reach this size. The fees vary greatly, ranging from one to four per cent plus a fixed fee that can reach ~$0.30. For example, the fee associated with a $5,000 transaction could exceed $100. Thus, consumers and merchants frequently choose to endure the friction of other payment methods (e.g. bank cheques) to avoid these credit card fees. Bitcoin can offer a lower cost and easier option, but the friction associated with cheques and bank transfers is seen by some as manageable given the limited frequency of these transactions.

Medium-value transactions Credit cards typically own the mid-level commerce transactions that range from ten to several thousands of dollars. In this range, they happen to be the method that optimizes the ‘cost vs. ease of use’ trade-off for both online and physical transactions. Specifically, for point of sale transactions at bricks and mortar stores, they are fairly convenient and although costly, the per-transaction fees are more manageable than for very large transactions. In the online world, the story becomes more challenging for credit cards. The ease of use deteriorates substantially as users are required to type in a september/october 2014

credit card number, expiration date, name, and address. Further, security challenges arise as merchants have difficulty managing fraud. Bitcoin offers the ability to solve these challenges for merchants and greatly improve both cost and ease of use in the online world. For the bricks and mortar settings, bitcoin still offers a compelling cost improvement and similar ease of use in the near term. In the longer term, bitcoin can potentially offer greater ease of use through delivering new user experiences, such as paying for products in the aisle and avoiding the checkout lane.

Low-value transactions Lastly, low value transactions (under ten dollars) offer the most interesting dynamic. The cost of credits cards can be prohibitive at this level. When selling a soda and a candy bar for $2.50 via credit card, a convenience store owner might pay $0.25 (two per cent variable + $0.20 fixed), which is a prohibitive 10 per cent of the price. For this reason, merchants often prefer cash as a payment method. In the online world, the fees and usage friction make credit cards unusable. Requiring users to type in credit card information does not work for low-value transactions (e.g. viewing a single article, purchasing a single song, etc.). In these cases, merchants typically ‘charge’ consumers in one of three ways – pre-paid accounts; post-paid accounts; or advertising. Apple iTunes

is an example of a post-pay account whereby purchases are aggregated over time and the customer is then charged at a later date. Other merchants choose to make users pre-pay up-front to fund an account for future purchases. Finally, showing online advertisements ends up being the most common method of value exchange between consumers and online businesses for content. For these small-value transactions, bitcoin offers the most compelling benefits. It allows users to purchase content and digital goods with the push of a button at near zero cost. This leads to the much talked about ‘micropayment’ category that many believe will emerge in the online world given that a payment solution exists. Some examples include – paying $0.05 for an article, $0.04 / minute for streaming video, $0.25 to charge a battery, or $0.50 for five minutes of Wi-Fi access purchased from the person sitting next to you in the park. As bitcoin adoption continues, we should expect to see payments usage grow for all transactions sizes and in all areas, but likely more so in some than others. David Ripley is the founder and CEO of Glidera. He brings more than 15 years of diverse business experience to the company. He has worked across multiple industries including technology and financial services. Most recently, as principal for The Boston Consulting Group (BCG), he advised executive teams to Fortune 500 corporations on their strategic priorities. Previous to that he held roles in software engineering and product management. PAYMENTSBUSINESS

Insider Report

Raising Canada’s payment standards: ISO 20022 CPA initiative aims to improve efficiency of domestic and international transactions and create a better payment experience

usinesses, payment service providers, software developers, and financial institutions exchange a tremendous amount of information to support the financial activity of Canadians. To manage this process, they follow financial messaging standards to create financial messages, which are exchanged electronically. In the modern age, you’d think that payment instructions and the related remittance information would all travel together in one payment message, but unfortunately that’s often not the case, particularly when many payment standards in use today are older than the World Wide Web. As part of a comprehensive strategy to modernize Canada’s payment system, the Canadian Payments Association (CPA) is adopting an internationally recognized methodology for the development of financial messages. ISO 20022 will support domestic commerce, strengthen Canada’s competitiveness as a trading nation, and create new opportunities for Canadian financial institutions, payment service providers, and businesses. “There is more to this initiative than simply introducing a new standard. 40

PAYMENTSBUSINESS

It is about making Canada’s payment system more efficient – and making the payment experience better for everyone. Through the ISO 20022 initiative, the CPA is helping to bring straight through processing and electronic invoicing to Canada. We are also promoting international interoperability through this initiative as it will make it easier for Canadian businesses to transact globally in a competitive world economy,” says Gerry Gaetz, president and CEO, CPA1 The CPA is one of Canada’s key financial market infrastructures. It operates the core national clearing and settlement systems, which support the clearing (exchange and reconciliation) of the vast majority of inter-bank payments, and settlement at the Bank of Canada. CPA systems cleared and settled $43.7 trillion worth of payments in 2013, an average of $173.4 billion each business day. As the center of excellence for payments in Canada, the CPA leads its member financial institutions, businesses, government, and the public in developing the rules of the road for the Canadian payments highway. Over the years, the CPA has implemented multiple standards for electronic

payments that move across its systems: one standard for automated funds transfers or AFTs (pre-authorized debits and direct deposits), a second for electronic data interchange or EDI (business-to-business transactions and bill payments), and a third for wire payments. But the legacy standards lack the flexibility to adapt to the changing payment needs of businesses and other users of the Canadian payment system in today’s digital environment. Additionally, each of these standards, which were developed to meet particular payment needs at specific points in time, uses specific terminology that requires unique interpretation. As a result, Canadian businesses, payment processors, and financial institutions need to maintain multiple suppliers, software, processes, and business systems to support their payment operations. Valuable time can be lost when manual intervention is required to translate a message across multiple platforms. Bill Piggot, VP of international money movement for ADP and member of the CPA’s Stakeholder Advisory Council, believes that “a lack of consistency of payment format across financial institutions and countries as the world payment area evolves is one of September/october 2014

the biggest challenges facing Canadian businesses today.” There is a global convergence2 toward the adoption of ISO 20022. Since it was developed to meet the needs of the entire financial industry, as opposed to a single sector, it contains message definitions and other content required by the methodology to explain the underlying concepts and processes in the business environment in which the messages will be used. This provides the flexibility to translate existing messages to an ISO 20022-compliant format or build entirely new types of financial messages. It also ensures that the messages can be interpreted correctly by people and machines. According to Brent Mizzen, director of policy development for the Canadian Life and Health Insurance Association and chair of the CPA’s Stakeholder Advisory Council, “using one set of message definitions instead of several will save businesses time and money. We fully support this move, and we look forward to ongoing collaboration with the CPA, financial institutions, and other stakeholders in going down this road to greater payment efficiencies.” ISO 20022 also provides an increased capacity for remittance data to travel with

Insider Report

a payment – a key benefit for only afforded within the EDI straight through processing businesses looking to automate payment stream, and that and increased automation; Accounts Payable/Accounts facilitates the reconciliation to facilitate cross-border Receivable functionality in their process, has tremendous payments; and to reduce costs enterprise resource planning value,” he adds. The increased associated with operating (ERP). “The potential for capacity for remittance data under multiple standards today. enhanced remittance data”, also increases the transparency Consultation is central to states Mizzen, “is one of the of payment transactions the operations of the CPA, biggest potential benefits of and creates the potential and the association is taking the move to ISO 20022 for for financial institutions to a unique and collaborative Canadian businesses, as this is enhance the services they approach. The association will required to move from paperprovide to their clients. seek the views of payment based payments (e.g., cheques) The CPA plans to replace system users (from financial to electronic payments. To its current standards with institutions to their clients as this end, ISO 20022 will new standards based on the well as service providers) in a help facilitate more efficient ISO 20022 methodology, consultation on its proposed SET account SUPPORT SUSTAIN • ENHANCE BUSINESS SUCCESS reconciliation and BUSINESS with STRATEGIES a current focus on AFTs. standard for AFT payments, treasury operations, allowing To respond to the unique and its approach to increasing to better compete demands of Canadian the amount of remittance RISKbusinesses & REGULATORY TRANSFORMATION • COST payment MANAGEMENT • REDUCE RISK and serve their customers.” system users, it is proposing data accommodated in an AFT Piggot agrees. “Adopting a to significantly increase the payment message. Consistent OPERATIONS EFFECTIVENESS &amount EFFICIENCY • REDUCE RISKwith • CHANGE worldwide SWIFT-supported of remittance data public policy mandate, standard that offers enhanced that can be included in the consultation will be public, INCREASE CHANNEL OPTIMIZATION remittanceEFFICIENCY detail previously• CUSTOMER payment & messages to facilitate with the consultation paper

GAIN MARKET SHARE • INCREASE EFFICIENCY

TRANSFORMATION • PRESSURE • BALANCE • CHANGE • PRESSURE • INSURANCE

and associated documentation available on the CPA website. Interested parties can visit the website and subscribe to CPA updates to be notified when the consultation is released. The CPA is currently holding cross-country meetings with interested stakeholders to discuss ISO 20022 and the opportunities it offers. If you would like to explore this opportunity, please email your request to info@cdnpay.ca. 1. Canadian Payments Association, 2013 Annual Report. http://www.cdnpay.ca/imis15/ eng/Publications/Annual_Review/eng/res/ Annual_Report.aspx 2. Canadian Payments Association, 2014 Environmental Scan: Global Trends, Challenges, and Impacts on Canada. http:// www.cdnpay.ca/imis15/eng/Publications/ News/eng/res/ns/2014_Environmental_Scan. aspx

COST MANAGEMENT • BANKING BANKING • FINANCE • ASSET MANAGEMENT • FINANCIAL SERVICES

CUSTOMER & CHANNEL OPTIMIZATION • FINANCE FINANCIAL SERVICES • ENHANCE BUSINESS SUCCESS • CHANGE

REDUCE RISK • BANKING •

RISK & REGULATORY TRANSFORMATION • OPERATIONS EFFECTIVENESS & Being successful in taking an enterprise view during

transformative times can be difficult. Financial institutions FINANCE •ASSET MANAGEMENT • BALANCEare operating in a period of compounding, and often

REDUCE RISK • INCREASE EFFICIENCY • GAIN MARKET SHARE

conflicting, expectations. Regulatory requirements are

growing exponentially and customer expectations are FINANCIAL SERVICES • FINANCE increasing – all while shareholders expect healthy returns

Success

OPERATIONS EFFECTIVENESS & EFFICIENCY • CUSTOMER & CHANNEL OPTIMIZATION and capital levels that provide new levels of safety and soundness. You can rely on our expertise to help you: TRANSFORMATION • COST MANAGEMENT

FINANCIAL SERVICES • INSURANCE • BANKING • FINANCE

• Set new strategies and bring proactive thinking.

INCREASE EFFICIENCY

OPERATIONS EFFECTIVENESS & EFFICIENCY • CHANGE

• Identify issues and priorities. • Sustain the appropriate risk, governance and control

TRANSFORMATION • COST MANAGEMENT environment. SET SUPPORT SUSTAIN BUSINESS STRATEGIES • BANKING

BANKING • FINANCE • PRESSURE

We can help you create Success.

ASSET MANAGEMENT

Let’s start the conversation.

REDUCE RISK • INCREASE EFFICIENCY • GAIN MARKET SHARE ENHANCE BUSINESS SUCCESS • INCREASE EFFICIENCY

kpmg.ca/banking kpmg.ca/financialservices

GAIN MARKET SHARE • INSURANCE CUSTOMER & CHANNEL OPTIMIZATION • FINANCE

BANKING • FINANCE

© 2014 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

TRANSFORMATION • COST MANAGEMENT

RISK & REGULATORY TRANSFORMATION september/october 2014

BANKING • FINANCE • ASSET MANAGEMENT

PAYMENTSBUSINESS

Point of View

Is it Risky Business? Until recently, payment card issuers knew where I shopped and when, but not what I bought By Catherine Johnston

PAYMENTSBUSINESS

s a consumer, I want my favourite merchants to always have what I want in stock – a desire that is likely shared by the merchant and my credit and debit card issuers. So, what am I willing to do in order to make that happen? That is where risk enters everyone’s plans. Up until now, when issuers and merchants wanted to know where to invest, they bought market research and for the most part, this was a satisfactory process. But everyone knows that what people say is not always what they do. For example, on a survey, I might say that I buy pizza every Monday night, but in reality it might be seven out of 10 Mondays. Wouldn’t it be better, then, if there was a more reliable source for information than my memory, coupled with my desire to get off the phone when the survey taker calls? Payment networks and issuers know that actual data is more reliable than market research, so it makes sense for them to want to leverage that value. They can ask their cardholders for permission to gather and use the data they collect when a payment is made by card or app. And, as long as the consumer provides that consent, the issuer and consumer are both compliant with privacy legislation in Canada. Until recently, payment card

issuers knew where I shopped and when, but not what I bought. That information – the transaction data – was known only to the merchant and the consumer. But this is changing and moving forward, payment innovations may make transaction data available to more parties. Whether that is a good or bad thing depends on how each stakeholder is engaged and how privacy is handled. It is complex; but consumers, card issuers, and merchants can all benefit – if they can find the middle ground. Merchants are concerned that digital wallets will allow third party access to transaction data that could be sold to competitors. Assuming that all data would be anonymized, it would not violate the consumer’s privacy. It could, however, bring new competition into the market, which might be good – unless it drove the original merchant out of business. So, you see, this is not at all straight forward.

Do consumers really care about privacy? It is an easy enough question, but don’t count on a simple answer. It is influenced by our age, whether we or someone we know has been negatively impacted by a data breach, and what we think we will get in exchange for our information. Then there is the privacy line September/october 2014

that we don’t want people to cross. That is something hard to predict, because it is so personal. Let’s look at the factors. Everyone talks about how many people are willing to put a remarkable amount of personal information on social media sites, including where they are at all times of the day. The question is whether that will change over time. When it comes to personal experience or knowledge, we also have to consider the media. We have been inundated with stories of breaches. Whether it is payment card information, health or other personal information held by governments, or pictures of celebrities, consumers are becoming more aware of the risks related to privacy. Merchants offering loyalty programs and even card issuers need to consider the growing sensitivity to these factors before they make investments.

What are the risks to corporations and governments? In 2009, a number of Canadian provinces were talking about the introduction of enhanced driver’s licences; privacy was an issue. After much controversy, most citizens decided they didn’t trust the privacy protection offered by the new licences and chose not to use them, in spite of assurances that there was

Association Update

nothing to worry about. The result was that taxpayers paid to develop a product that few people chose to use. Privacy is one of those things we don’t talk about very much, but we have strong feelings about it nonetheless. Many people have expressed shock and anger over the recent revelations regarding the issue of government surveillance across North America. Why should that concern payment stakeholders? Today, mobile and in-store marketing and loyalty uses personally identifiable information, as does payment and transaction data. Will concerns about government practices be the slippery slope that leads consumers to push back on these and future payment innovations?

Cyber stalking has new meaning Consumers are beginning to learn that some stores track where their customers walk and how long they look at a given item. I can understand why they do it and can see some advantage for me as a shopper, but I don’t like it. I don’t like it when an internet ad for something I looked at days ago reappears in the middle of a totally unrelated site days later. The term cyber stalking is taking on new meaning for me. I’m uncomfortable when a web site uses where I live to provide information if they haven’t asked me to identify my city. Obviously they held onto information I provided for another purpose at another time. I used to think that this was a great service, but now I don’t. Something has changed.

I think it is the cumulative effect and it is making me more aware and protective of my privacy. My line has been crossed and as a consumer, that will affect my decisions.

Investing in privacy So what does all of this mean for our stakeholders; the payment networks, issuers, merchants, and consumers? It means that decisions to invest in new payment apps, services, or products are hard to make because they depend on individuals’ perceptions and tolerances related to privacy. For consumers it means that they need to take steps to be more informed about how their privacy will be protected. The way we view privacy changes with time, so there is no hard and fast measurement that we can rely on when we are planning to introduce new products or services. Nor is the consumer the only party that we should be concerned about.

Meeting goals In order to meet the goals of all payment stakeholders and continue innovation, the safest approach is to involve everyone in an open and frank discussion in the early stages. When each group understands the impact of change on the others’ goals and processes, the middle ground can be found. That is the safety net for investments. Not easy – but achievable. Catherine Johnston President & CEO, ACT Canada Stakeholders driving the evolution of Payment and Digital ID www.actcda.com september/october 2014

ACT Canada

– An Amazing Fall Lineup

e are geared up for a very busy fall. Our third annual ‘Women in Payments’ meet, greet, and charity event is being held on October 2. Join us for our purse exchange and raffle and sale of jewelry, hats, scarves, and gloves – all to raise money for the ‘Dress for Success’ charity that helps women re-enter the work force. We’ll share some wine, do some networking, and have a great time. For more information, contact Michelle Weir (michelle@actcda.com). There is no fee to attend but space is limited. Moving forward, October 16 is a day packed with events. Our annual general meeting is followed by our very popular ‘Cardware Connections’ networking event. Following that is our 25th anniversary celebration and then the awards ceremony. Who will win the innovation awards this year? Who will be the champions? Join us to find out. For more information, visit http://www.actcda. com/calendar/. Our members continue to be very busy with Strategic Leadership Team meetings each month. We have four teams – Mobile; MultiApp Issuance; Customer Authentication; and Payment Acceptance. To learn more about what they are doing, who is on each team, and their meeting schedules, visit http://www.actcda. com/teams/slts/. If you are interested in joining one of the teams, please contact Britteny Blackman (britteny@actcda.com). Members are also attending conferences where we have arranged member discounts. • Biometrics UnPlugged, September, Tampa, 30 per cent • Fraud Summit, September, Toronto, 20 per cent • Mobile Payment Conference, October, Chicago, $100 off $895 registration • Money2020, November, Las Vegas, 20 per cent • Cartes Secure Connexions, November, Paris, 20 per cent And we, too, are on the road. We are speaking at the ‘ATM – Mobile Innovation Summit’ in Washington DC; facilitating a special interest group at the ‘MAG’ (Merchant Advisory Group) conference in Fort Lauderdale, FL; providing EMV training and chairing the EMV panel at the ‘Mobile Payment Conference’ in Chicago, IL; and speaking at the ‘Revolutionary Payment Solutions 2014 & Beyond, Legal & Regulatory Compliance Primer’ in Toronto, ON. Rounding that off is the publication of our ‘Secure ID’ paper and the development of the ‘Impact of Contactless MultiCertifications’ paper. There has never been a more interesting time to be in payments or ID. For that matter, there has never been a more interesting time to be a member of ACT Canada. Join us in this journey. Catherine Johnston, President & CEO

PAYMENTSBUSINESS

2014 Industry Events January 2014 January 12-15 National Retail Federation The Big Show New York, NY www.nrf.com

February February 5-7 Smart Card Alliance 7th Annual Payments Summit Salt Lake City ,UT www.smartcardalliance.org February 11-13 ATMIA ATMIA Annual Conference Orlando, FL www.atmiaconferences.com February 20-21 InfoTech Canadian Financing Forum 2014 Vancouver, BC www.financingforum.com

March March 10-12 BAI BAI Payments Connect Conference Las Vegas, NV www.BAI.org

April April 6-9 NACHA, The Electronic Payments Association, Payments 2014 Orlando, CA www.nacha.org April 6-9 ICMA Annual Card Manufacturing & Personalization Expo Ft. Lauderdale, FL www.icma.com April 7-10 NAPCP 15th Annual Commercial Purchasing Card and Payments Conference Palm Springs, CA www.napcp.org April 8-10 Electronic Transactions Association 2014 ETA Annual Meeting & Expo Las Vegas, NV www.electran.org April 22-25 PaymentsSource 26th Annual Card Forum & Expo Orlando, FL www.paymentssource.com

April 28-30 Finovate Finovate Spring Conference San Jose, CA www.finovate.com

MAY May 5-7 WB Research eTail Canada 2014 Toronto, ON www.wbresearch.com May 5-8 IFO Fusion 2014 Forum & Expo Dallas, TC www.financialops.org May 13-15 Cartes North America 2014 Las Vegas, NV www.cartes-america.com/ paymentsbusinessevent May 2014 (TBA) Commercial Payments International Global Commercial Cards & Payments Summit 2014 New York, NY www.commercialpayments.com

June June 1-8 Credit Scoring & Risk Strategy Association 21st Annual Conference Niagara Falls, ON www.csrsa.org June 3-4 Smartcard Alliance NFC Solutions Summit 2014 Austin, TX www.smartcardalliance.org June 4-5 ATMIA Canada Annual Canadian Conference 2014 Niagara Falls, ON www.atmiaconferences.com June 4-7 Internet Retailer IRC & Exhibition Chicago, IL www.internetretailer.com June 5-7 FEI Canada Annual Conference Lake Louise, AB www.feicanada.org June 11-13 NBPCA - Annual Congress-The Power of Prepaid 2014 National Harbor, MD www.nbpca.com

June 13-14 Payments Source International & Cross Border Payments San Francisco, CA www.paymentssource.com June 17-18 ACT Canada Cardware 2014: Payment Insights Niagara Falls, ON www.actcda.com June 25-27 Canadian Payments Association Payments Panorama Charlottetown, PE www.cdnpay.ca June TBA 7th Annual Prepaid & Payments Retreat Toronto, ON www.paymentseXchange.ca June TBA Payments Awards 2014 Toronto, ON www.paymentseXchange.ca June TBA EMV User Meeting EMVCo Location, TBA www.emvco.com

August August 3-6 Retail Solutions Providers Association RetailNOW 2014 Orlando, FL www.gorspa.org August 18-20 tppEXPO 2014 The Pre Paid Press Expo Las Vegas, NV www.prepaidpressexpo.com

September September 14-16 IFO Canada 4th Annual Canadian Financial Operations Symposium Vancouver, BC www.financialops.org/canada2014 September 23 Women in Payments™ Symposium & Women in Payments™ Awards Toronto, ON www.womeninpayments.org September 29-Oct 2 Sibos Annual Conference 2014 Boston, MA www.sibos.com

Visit us online

www.paymentsbusiness.ca 44

PAYMENTSBUSINESS

September/october 2014

September TBA CUMA CUMA Ontario Annual Conference Montreal, QC www.cuma.ca

October October 2-4 Canadian Automatic Merchandising Association CAMA Expo 2014 Quebec City, QC www.vending-cama.com October 19-22 Sourcemedia ATM, Debit & Prepaid Forum 2014 Phoenix, AZ www.sourcemedia.com October TBA Everlink Client Conference CONNECTIONS 2014 Toronto, ON www.everlink.ca

November November 2-5 Association of Financial Professionals AFP Annual Conference 2014 Washington, DC www.afponline.org November 2nd-6th, 2014 Money20/20 Las Vegas, NV www.money2020.com November 12-14 BAI BAI Retail Delivery Conference 2014 Chicago, IL www.BAI.org November TBA Comexposium CARTES & Identification Exhibition 2014 Paris, FR www.cartes.com

December December TBA Members Meeting Smart Card Alliance Coral Gables, FL www.smartcardalliance.org

January 2015 January 14-15 2015 NAPCP Canadian Commercial Card and Payment Conference Toronto, ON www.napcp.org/2015Canada

Service Directory

Card Manufactures

EMV & NFC Consulting Secure Solutions for Payment & Identification

Since 1852, G&D has been an integral partner that is solutions orientated and trusted by banks, governments and carriers. Our solutions are founded on trust, integrity and the creation of value through Confidence. • Contact, Contactless and Dual-Interface Smart Cards • Mobile Payment • On-line Secure Authentication • Enhanced Card Identification

www.gi-de.com

Toll Free: 1-800-387-9794

secure payment solutions

Integrated Payments Solutions

Integrated Payment Solutions and Services One of the most advanced and reliable payment delivery solutions in financial services technology.

www.everlink.ca

Toll Free: 1.866.388.0076

Apriva is North America’s Leading Wireless Gateway. SECURE DEVICES | RELIABLE SERVICE | EXCEPTIONAL SUPPORT

Guarantee your liquidity

905.670.4838 1.888.503.4528

To learn more call Paul DeRosse, Senior Vice President, Sales at 905.530.2351 or visit www.apriva.com.

see youR company name here Contact Mark Henry mark@paymentsbusiness.ca 1800-668-1838 x 223

september/october 2014

PAYMENTSBUSINESS

Vertical market

Don’t Gamble On Your Payment Solution Getting payments right is essential for gaming companies to succeed

By Gary Conroy

t is estimated that the worldwide gaming industry will be worth $513 billion by 2015, says reportlinker. com. This presents a staggering business opportunity and for online gaming operators wanting a slice of this growing consumer spend, an effective payments strategy is key. This means working with a payments provider that can support an aggressive acquisition strategy, provide a seamless deposit process for players, maximize conversions, reduce fraud, and keep the business safe. Maximizing conversions is imperative for any online sales business but for new and expanding companies, securing revenue can mean the difference between success and failure. Gamers need a reliable way to deposit credit and realize winnings and providing a quick and seamless payments experience is crucial to gaining and keeping customers.

Managing currency, fighting fraud Casumo.com is an online casino that quickly established 46

PAYMENTSBUSINESS

a position as one of the leading online casino brands in the Scandinavian market, bringing positive disruption to a relatively young and constantly evolving industry through continuous innovation in content and technology. To continue its rapid expansion, it needed to bring in a scalable payments solution that could deal with some extensive and specific requirements – secure and reliable and able to cope with peaks in traffic. Under its old system, sales conversions were not being maximized and better fraud tools and fraud management techniques were required. Expanding its business also meant it had to cater to the English, Swedish, and Finnish markets, therefore needing the ability to manage multiple international currencies. The previous payments solution resulted in higher merchant account rates affecting its bottom line. Integration between the payment provider and its existing platform was also essential to maintain compliance policies. Primarily though, the company needed to work with a payments company that understood the gaming industry, the company’s business goals, and the environment in which they are

to be achieved. Success in the gaming industry also goes hand in hand with fighting fraud. RealScore, a fraud solution by Realex Payment, provides the company with a comprehensive, flexible, real-time fraud-scoring tool. An extensive set of rules that covers a range of fraud prevention measures including transaction data blacklisting, data sanity checking, and pattern checking. Fraud-scoring incorporates pre-authorization and post-authorization checks and is used in conjunction with 3DSecure and Card Verification Number (CVN) checking.

The Positive Impact Partnering with a solution provider that has sector specific knowledge and expertise of fraud management will positively impact success for all merchants including gaming companies. With a variety of fraud prevention techniques in the market, it is important to select partner solutions that can operate alongside each other; software, platforms, and systems. In conjunction with RealScore, Casumo also implemented 3DSecure. The decline analysis and comprehensive reporting gives access to detailed information behind customer rejections September/october 2014

and allows senior management to make the best decisions to get the balance of fraud prevention and maximizing legitimate deposits to increase bottom line, which is crucial to continued expansion. “The implementation of 3D Secure and the decline analysis is not only making our transactions safer but is also allowing us to get preferential rates with our merchant account provider. It is literally maximizing sales and improving the bottom line simultaneously. Without such expert technology partners, we would not be in a position to grow as quickly as we have done,” says Matthew Borg Manche, CFO of Casumo. With a reliable payments solution in place, the company has realized its potential in the market very quickly, multiplying its deposit volumes month-over-month. Matthew adds that the system has helped the company with all the challenges it was facing and has helped in setting up the account structures needed. “We will keep on growing our business by strengthening our position in the markets we are in and also exploring new markets.” Gary Conroy is chief operating officer at Realex Payments which provides secure and reliable payment processing in all major credit and debit cards, and alternative payment methods.