Transaction trends The Official Publication of the Electronic Transactions Association
| August 2010
State-of-the-art technologies make convenience and security priorities
Innovation LIVES HERE ALSO INSIDE: Experts Debate Compliance Best Practices What’s Fueling the Prepaid Explosion? Startups Set Priorities
Transaction trends The Official Publication of the Electronic Transactions Association
Vol. 15 | No. 8
cov er s tory
10 Innovation Lives Here By Chris Morris
While new POS devices are making a splash with convenience and portability features, a lot of the latest security innovations come from the software side.
10
F EATUR ES
14 Prepaid Tidal Wave By Richard H. Gamble
The economy is playing a part in prepaid’s boom among consumers, as are an uncertain regulatory environment and niche market potential.
17
SP EC IAL SE RIES
Startup Stories: The Short List
By Julie Ritzer Ross Prioritizing becomes job number one for our newly formed ISOs.
19 Security Guards
Participants in the 2010 ETA Best Practices Committee’s roundtable discussion contemplate compliance, regulation, and the future of payments security.
6
19
d epartm e n tS
5 6 7
President’s Message Insights from ETA’s elected leader
Industry News
Trends, strategies, and news in the payments business
ISO Corner
Training ISOs to sell the latest and greatest
28
Risk in Review
30 32
Ad Index
Industry bands together against child pornography
Industry Insider
PacNet Services finds niche in overseas processing
Transaction trends | August 2010 3
Trust. Innovation. Collaboration. – TransFirst.
From zero To Transfirst
®
do you have a need for speed?
• Proprietary leading-edge tools: TransLead, which delivers pre-qualified leads, and TransGuard®, alerting agents when their merchants might be at risk of leaving • Available investment capital • Aggressive revenue share program • Timely and accurate monthly residuals • 96%+ merchant application approval rate • State-of-the-art training
With 15 years of experience in secure transaction processing technologies and services, TransFirst ® is now transforming the ISO/ISA arena. We’re more than a processor, we’re a valuable business partner, blending uncommon support to help streamline the merchant boarding process, as well as a menu of proprietary cutting-edge products. Whether it’s working capital, commission enhancements, or residual advance programs, TransFirst is here to keep your business on the fast track. Take TransFirst for a test drive today! Contact us at 866.969.3350, salesrecruiting@TransFirst.com, or visit www.TransFirstSales.com.
Electronic Transactions Association 1101 16th Street NW, Suite 402 Washington, DC 20036 202/828-2635 www.electran.org ETA Chief Executive Officer Carla Balakgie
President’s Message
ETA Director, Communications & PR Thomas Goldsmith
How Do You Measure Up?
Transaction Trends Publishing office: Stratton Publishing & Marketing Inc. 5285 Shawnee Road, Suite 510 Alexandria, VA 22312 703/914-9200
he industry has struggled to pin down the most basic statistical information around which the ISO and payments processing businesses revolve. This poses practical difficulties: How can your company know what developmental metrics it should be tracking, what benchmarks it should be hitting, and how you stack up? The ETA is launching a research initiative to provide the answers. Over a year of planning and research will result in ETA’s ISO Benchmarking Study, to be launched over the next few months. You may soon be invited to participate in the study, and if you are, I hope you will accept the invitation. This sets the ETA off in a new direction: that of producing and providing to member companies primary research information critical to the success of their businesses.The study will be the first scientifically rigorous and statistically valid research to measure and track key metrics that reflect the health of independent sales organizations. It also will gather data about important business practices and trends within the ISO community. ETA recognizes that the information from member companies necessary to conduct the study is highly sensitive and proprietary. So we’ve taken extraordinary steps to ensure that the identities of the participants and the raw data are kept strictly confidential.The need for this confidentiality, in fact, is why we elected to engage a highly respected business school to conduct the research, which will put it through its paces via the university’s review process. Researchers from American University Kogod School of Business in Washington, DC, will head up the study in collaboration with ETA staff and members of the Research and Information Resources and ISO Advisory Committees. The study will ask for numerical data such as new boardings, attrition, processing volume, and revenue. These will be tracked quarterly. It also will request business practice metrics such as employees versus 1099s, hiring, purchasing plans, and the existence of training programs.These will be tracked year over year. Key metrics will be published quarterly. T hat publication will include additional survey results that will vary from quarter to quarter, along with an analysis that examines trends and puts them into a payments industry context. Study participants and ETA members will have complimentary access to the results. By taking part in this study, you will not only give our industry a unique new tool for measuring performance, but also will contribute to a better understanding of an important part of the business world and our economy. The Benchmarking Study has another role: It will be important in bolstering ETA’s advocacy efforts. By gathering information about the health of the ISO community, employment levels, its economic impact and other key measures, the research will help ETA emphasize the heft and importance of the payments industry as we talk to the government on your behalf. So if you are invited to take part in the ISO Benchmarking Study, please do so. It’s a great opportunity to contribute to the industry—and create value for your own organization in the bargain.
Publisher Debra Stratton Features Editor Angela Hickman Brady Managing Editor Josephine Rossi Art Director Janelle Welch Contributing Writers John J. Brady, Richard H. Gamble, Chris Morris, Bryan Ochalla, Julie Ritzer Ross Advertising Sales Steve Schwanz or Fox Associates (800/440-0232; adinfo.eta@foxrep.com) Fox Associates Offices Chicago 312/644-3888 Atlanta 800/699-5475 Los Angeles 213/228-1250
New York 212/725-2106 Detroit 248/626-0511 Phoenix 480/538-5021
Ad Production/Billing Carrie Wood Editorial Policy: The Electronic Transactions Association, founded in 1990, is a not-for-profit organization representing entities who provide transaction services between merchants and settlement banks and others involved in the electronic transactions industry. Our purpose is to provide leadership in the industry through education, advocacy, and the exchange of information. The magazine acts as a moderator without approving, disapproving, or guaranteeing the validity or accuracy of any data, claim, or opinion appearing under a byline or obtained or quoted from an acknowledged source. The opinions expressed do not necessarily reflect the official view of the Electronic Transactions Association. Also, appearance of advertisements and new product or service information does not constitute an endorsement of products or services featured by the Association. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided and disseminated with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice and other expert assistance are required, the services of a competent professional should be sought. Transaction Trends (ISSN 1939-1595) is the official publication, published monthly, of the Electronic Transactions Association, 1101 16th St. N.W., Suite 402, Washington, DC 20036; 800/695-5509 or 202/828-2635; 202/828-2639 fax. Postage paid at New Richmond, Wisconsin and additional mailing offices. POSTMASTER: Send address changes to the address noted above. Copyright © 2010 The Electronic Transactions Association. All Rights Reserved, including World Rights and Electronic Rights. No part of this publication may be reproduced without permission from the publisher, nor may any part of this publication be reproduced, stored in a retrieval system, or copied by mechanical photocopying, recording, or other means, now or hereafter invented, without permission of the publisher. Nonmembers, government agencies, $150 per year; single copy, $20. Subscriptions are available for 12-month periods only, at the quoted rates.
T
Warm regards, Holli Targan Holli Targan is president of ETA and a partner at Jaffe, Raitt, Heuer & Weiss, P.C. Transaction trends | August 2010 5
INDuSTRYnews Dodd-Frank Act Becomes Law Passed by a 60-39 margin days before by the U.S. Senate, the DoddFrank Act was signed into law by President Obama on July 21. Besides overseeing derivatives trading market, establishing a council of regulators to monitor the financial system as well as a new consumer watchdog group, the new law contains language from the Durbin amendment, which directs the Federal Reserve to now set prices in what was previously a pri“ETA is working to vate, business-to-business market. ensure that “ETA opposed the Durbin amendment and will continue to payments system oppose amendments like it that businesses are not institute federal price controls in needlessly harmed by private business-to-business agreethe implementation ments,” says Mary Bennett, ETA’s diof the Durbin rector of government and industry amendment.” relations. —Mary Bennett Although it is hard to predict what will come of interchange fees, the law now authorizes the Fed to set rates paid to debit or prepaid card issuers with $10 billion or more in assets. Rates for issuers with less than $10 billion in assets or general-use prepaid and debit cards, including those not marketed or labeled as gift cards as well as those used for
government-administered benefits, will stay the same. During the next nine months, the Fed is required to set standards for determining if the amount of any interchange transaction fee is “reasonable and proportional” to the cost incurred by an issuer in connection with a particular electronic debit transaction. New rates will then go into effect in July 2011. “Looking ahead, ETA is working to ensure that payments system businesses are not needlessly harmed by the implementation of the Durbin amendment,” Bennett notes. Other provisions of the new law include that are now in effect: • Merchants can set a $10 minimum for credit card payments. • The Fed and higher learning institutions can set credit card payment maximums; merchants cannot. • Issuers and networks cannot restrict the number of networks on which an debit transaction may be processed.They also cannot prevent a merchant from routing debit transactions over a nonproprietary network. • Merchants can continue to offer cash discounts and other consumer incentives based on payment method. For more information about the law and its effect on the industry, visit www.voiceofpayments.org.
MOBILE PAYMENT USERS TO REACH 108.6 MILLION IN 2010 The number of mobile payment users worldwide will reach nearly 109 million in 2010, a 55 percent increase from 2009, according to research firm Gartner Inc. Mobile payment users will represent 2 percent of all mobile users this year. In the Asia/Pacific area, mobile payment users will surpass 63 million in 2010, representing 3 percent of all mobile users. In Europe, the Middle East, and Africa, mobile payment users will total 27 million, and in North America, mobile payment users will number 4 million. Latin America will have approximately 8 million users, up from 5 million in 2009. The unbanked and underbanked populations that lack ready access to the banking infrastructure or PCs are driving strong demand for mobile payments in de-
Fast Fact World Cup Action Spurs Spending
veloping markets, according to Gartner.At the same time, the firm says regulators in early-adopter markets are tightening up policies to provide better user protection and fight against unlawful financial activities relating to money transfer.
During the first 20 days of June, spending by international visitors in South Africa on Visa-branded payment cards exceeded $128 million, up 54 percent from $83 million during the same period in 2009.
Source: Visa
6 August 2010 | Transaction trends
ISO Corner
Keeping Up With the Times
POS technology training emerges as an essential tool for selling the latest and greatest By Julie Ritzer Ross
A
s POS hardware and software solutions continue to grow ever more sophisticated, industry players must step up their technical/product knowledge to effectively sell them to merchant clients. While some ISOs and vendors have yet to address this issue, others are stepping up with formal educational programs and tools to help ISOs position themselves to profit from the next-generation payment tools—and to keep them on par with value-added resellers (VARs). Several factors render POS technology training for ISOs essential. Notably, training opens doors not only to increasing revenues through deals with existing customers, but also to servicing merchant accounts ISOs might otherwise be unable to board. “There are a lot of merchants that are open to switching ISOs, but just offering POS technology isn’t going to induce them to make the change,” observes Henry Helgeson, co-CEO of ISO Merchant Warehouse in Boston. “Merchants want to work with ISOs that understand the nuances of individual systems, what fits where, what a final system may look like, and a lot more. This cannot be accomplished without training.” Merchant Warehouse conducts its own in-house training via Webinars.Topics range from the various features of POS technology and how to explain them to merchants to the limits of technology and different equipment configurations. These issues also will be covered at a Merchant Warehouse agent conference slated for September 2010. The ISO also looks for training reinforcement from one of its major POS technology vendors, which Helgeson declined to name. Merchants have learned to differentiate between a salesperson attempting to “sell” them on products without a true understanding of what he or she is touting, and when they are speaking with a seasoned professional, Helgeson notes. The confidence that exudes from the latter—built up via training—goes far toward sealing
the deal, while a lack thereof has the opposite effect. Moreover, training is instrumental in leveling the POS technology playing field on which many ISOs are battling VARs.“Selling POS equipment is VARs’ full-time job, and they have become experts at it,” Helgeson asserts. “For ISOs, training is the only way to get on equal ground.”
Answering the Training Call Among vendors in the ISO training arena is Scottsdale, Arizona-based Apriva, which recently launched the AprivaPay Partnership Program for ISOs that sell its AprivaPay and AprivaPay Professional solutions. Under the AprivaPay Partnership Program umbrella, ISOs are afforded a detailed view of the technology that composes AprivaPay and AprivaPay Professional. The functionality displayed by the two applications, as well as information about how they differ from similar solutions on the market and the benefits they afford to end users, also are covered. Training and tools are delivered in the form of partnerbranded Webinars, mobile-enabled product videos, presentations, and end-user promotional collateral, such as data sheets, advertising, and mailers. The training is intended primarily to give ISOs a foundation for focusing their sales endeavors on how wireless smart-
phone-based POS products can help merchants solve various business problems, rather than merely on how the technology works, according to Bill Ramsey, Apriva’s vice president of business development. He notes that AprivaPay and AprivaPay Professional, like other applications that let merchants employ mobile devices to accept card payments, are “new and intimidating” to merchants but also to some ISOs. “We want our partners to sell confidently, and the educational program is a ‘cheat sheet’ for that,” Ramsey asserts. WAY Systems of Woburn, Massachusetts, also has put together an ISO reseller training program built around its Mobile Transaction Terminal (MTT) wireless credit card acceptance application. Touted as a “value-added” bonus for the company’s reseller partners and their sales agents, the free training program comprises group sessions available on a first-come, firstserve basis with advance pre-registration required. Sessions take about 20 to 30 minutes and cover a wide range of topics, including product and service highlights, instructions for using the MTT (and how to impart that information to merchants), free sales support materials, and miscellaneous hints and tips. Similarly, UP Solution of Hackensack, New Jersey, has ventured into ISO training territory, albeit for a different subcategory Transaction trends | August 2010 7
ISO Corner
of POS technology.The company provides hardware and software for restaurants, salons, and retail locations nationwide and offers a proprietary product line—the UP 7000 and UP 5200—of touchscreen-based POS devices. Ongoing training and support for UP Solution’s product encompasses initial training for the hardware and software, including the development of more complex specialty applications such as digital signage. ISOs also can hone more in-depth knowledge at one of the company’s showrooms in Atlanta, Los Angeles, Chicago, New York, and Philadelphia, or at one of the additional 60 showrooms slated to open throughout the United States over the next 18 months. ISOs also have access to a technical support staff to help them answer merchants’ questions about various applications, and a series of training Webinars exploring related issues is on the drawing board. ISOs with their own proprietary POS systems are getting in on the act, too. Hampton, New Jersey-based United Bank Card, whose Harbortouch POS system is available to its own ISOs as well as to
those outside the fold, has developed an offering known as the Interactive ISO System (IIS). Launched to facilitate real-time portfolio management, IIS yields access to training materials and manuals, along with daily announcements, sales and marketing materials, and product/quick-service reference guides. “One of the biggest concerns from the beginning of our endeavors with POS was to make the process as simple as possible on our ISO and MLS partners,” says Jared Isaacman, CEO. “By taking all the training in-house, we believe we have created a revolutionary way to sell and service POS systems.”
A Deciding Factor For those ISOs that do not offer their own POS systems, the question of whether or not an outside vendor offers training—particularly for more sophisticated applications—as well as the comprehensiveness of its training package, weighs heavily in deciding on a vendor partner. Several months ago, Brooklyn, New York-based ISO Paymint Associates began charting POS system waters. Company
principals consider training for its in-house staff an essential element of any alliance Paymint Associates would forge with a solutions provider. “There were several (candidates) with which we did not feel comfortable, for a variety of reasons,” notes Steven Feldshuh, vice president of business development. “However, training was even more of a deal-breaker than some of the other factors. POS isn’t something our (staff) understands that well yet and is accustomed to; education was and is imperative.” At press time, the ISO had just decided to ink a partnership with UP Solution.“Getting started is just a matter of scheduling now,” Feldshuh reports. “Training in POS cannot be underestimated—nor should it be overlooked.” Helgeson concurs.“The competition out there is fierce,” he concludes. Vendors that do not assist ISOs with training are remiss, and ISOs that do not seek it out have nothing to gain and perhaps a lot to lose. TT Julie Ritzer Ross is a contributing writer for Transaction Trends. Reach her at jritzerross@gmail.com.
Processing
Everything
Everywhere
Credit • PIN Debit • ACH • Gift Card • Loyalty Cash • Inventory Management Point-of-Sale • Internet • Mobile • Recurring Accounting Software PlugIns
(800) 296-4810
eProcessingNetwork.com
Processing Network
The
8 August 2010 | Transaction trends
everywhereProcessingNetworkSM
The Future of Payments, Today.
SAVE THE DATE
October 26-28, 2010 THE BREAKERS • PALM BEACH, FL
KEY NOTES 8 MagTek’s new solution tokenizes and encrypts data whenever a card is swiped. Data is dynamic and can only be used once, so even if there’s a security breach, the thieves can’t use the card data.
8 VeriFone is giving online merchants another solution with its PAYware Mobile for iPhone. Merchants get an instant multi-use system rather than a dedicated device.
8 The FD30 near-frequency terminal from FROM LEFT TO RIGHT: Hypercom’s Wymix PIN pad device; SoundPOS’ vECR software; Ingenico’s iPP350 PIN pad device; USA ePay’s PaySaber; MagTek’s iDynamo card reader and QuickPAY software; and First Data’s GO-Tag contactless solution.
First Data lets customers tap the device with either a go tag or chip in their phone. It’s becoming popular with businesses that cater to the in-and-out consumer.
8 With the ROAMpay Swipe solution, merchants can process card swipe transactions on a wide variety of phone models, including the Blackberry and Android.
10 August 2010 | Transaction trends
[ COVER STORY ]
Innovation LIVES HERE HOT NEW TECHNOLOGY SOLUTIONS FOCUS ON SECURITY AND MOBILITY By Chris Morris
A
review of the hot new technology products available today indicates that tech companies are leading the charge to develop new systems that better protect merchants and their customers from data breaches. “From our standpoint, there’s nothing more sacred for a merchant than protecting its customers’ information,” says Souheil Badran, senior vice president and division manager for First Data eCommerce Solutions. Card fraud now accounts for up to $100 million in merchant losses per year. And while new hardware often takes a bigger share of the spotlight, a lot of the work occurring today is on the software side.“The foward movement regarding protecting merchants and cardholderdata is quite good at this point,” says Ted Svoronos, vice president, business development and strategic partnerships with Group ISO in Newport Beach, California.“But, I also believe that the proper methodology has the proactive and not reactive, and we need to make it seamless, easy, and non-intrusive to business.” California-based MagTek has been building and refining its MagnaSafe transaction security architec-
ture and is now using that as the centerpiece of its latest product offerings. Mag- naSafe tokenizes and encrypts data whenever a card is swiped.The data transferred to merchants is dynamic and can only be used once—meaning that even if there’s a security breach, the thieves will be unable to use the card data. MagnaSafe uses the magstripe to verify the card is an authentic one and not a counterfeit. “If you really want to stop losses and fraud, let’s authenticate the card at the point of swipe,” says Andy Deignan, MagTek’s vice president of global marketing and strategy.“It’s not just a question of ‘Am I compliant with PCI,’ but ‘Am I really going to stop the fraud?’” At First Data, the company’s Trans-armor security solution encrypts and tokenizes card numbers for 5.4 million merchant locations. It also allows merchants to track user behavior across multiple channels for loyalty purposes, but because of the encryption, hackers are unable to access the data. And VeriFone’s VeriShield Protect security program has been embraced by both Chase Paymentech and RBS WorldPay. (Other processors will be announced later this year.) The service Transaction trends | August 2010 11
[ COVER STORY ] offers end-to-end encryption—eliminating usable cardholder data from a retailer’s POS applications, networks, and servers. This protects against a data breach even if the retailer’s system is compromised. “As long as white collar crime/fraud continues, we will always be working at a solution, morphing it, and adjusting for threats,” says Svoronos. This is a daunting task that not only requires out-of-the-box thinking and integrated turn-key solutions, but an adoption methodology with stickiness.
Terminal Upgrades While strong security protocols are essential, a lot’s happening on the terminal side as well.The FD30 near-frequency terminal from First Data is a device that’s meant for merchants with consumers on the go. Rather than swiping their credit or debit card, customers can tap the device with either a go tag or chip in their phone. Payment is automatically deducted from an affiliated card. The FD30 has proven popular with a variety of businesses that cater to the inand-out consumer, including fast food restaurants, airport shops, and taxis. As user adoption increases, Badran says the company is getting inquiries from larger retailers. VeriFone’s VX Evolution line of terminals (which span across countertop, mobile, and PIN pad) incorporate the VeriShield encryption technology and are backward compatible with older VX Solutions products. They’re ARM 11 (500 MIPS) based and come with 160MB of memory standard, and they are expandable to 512MB. But not all terminals are brick-and-mortar retail-oriented. The QwicKey card readers are designed to attach to consumers’ computers, letting them swipe their cards— generating dynamic card data via MagnaSafe, and never having to leave their card data on file with an online retailer. Convincing consumers to add the device itself is an uphill battle, so QwicKey also features a forward-facing password management service that allows people to enter different, random passwords at every site they log into (which, despite warnings from security experts, few do). They can easily keep track of them via a dual-layer security system. (Users enter a username and password for the QwicKey and swipe their card for verification.) 12 August 2010 | Transaction trends
Online Movement As e-tailing continues to gain strength, many merchants are looking to expand their reach.The global marketplace has been challenging to some, though, since currency exchange rate fluctuations can result in items that are inadvertently over- or underpriced. Global e-pricing from First Data aims to fix that, allowing merchants to show the price in whatever the local currency happens to be. Reading the customer’s IP address, the system determines his or her location and calculates that country’s rate. The system currently supports more than 150 currencies in 200-plus countries. “We have an ongoing dynamic system that draws from different published [exchange] rate numbers, so the merchants themselves do not have to play around with the rates,” says Badran. For online merchants who don’t have any sort of physical storefront, investing in a payment terminal has been something that was rarely done in the past. The expense and hassle haven’t generally been worth it.VeriFone is hoping to change this with PAYware Mobile for iPhone. “Because they can slip the card encryption sleeve over the iPhone, they’ve got an instant multi-use system rather than a dedicated device, so the investment decision is a lot easier,” says Pete Bartolik of VeriFone. “We’re opening up a whole new market to acquirers and ISOs who’ve never been able to reach this audience in the past.” Merchants who do a lot of business on the road are quickly learning that their iPhone can be their best friend. By downloading the recently launched QuickPAY app from Apple’s App store and purchasing a $130 peripheral for their phone from MagTek, they can swipe a customer’s card from anywhere and know that the data is as secure as it would be if they were swiping it from a fixed terminal. That peripheral, dubbed the iDynamo reader, effectively turns the iPhone into a terminal. It does not, however, store any customer data on the phone, meaning the only worry if a consumer loses the device is re-entering his or her contact list. “It gives merchants the ability to have a very low-cost, flexible solution for accepting payments,” says Deignan.“After he or she gets the customer’s information, it goes to the merchant for authorization.
We’re taking advantage of what the iPhone can do and making it very easy to use, but above all else it remains a highly secure POS system.” ROAM Data, winner of ETA’s 2010 Technology Innovation Award, offers a similar service, dubbed the ROAMpay Swipe solution.What makes this program unique is its ability to allow merchants to process card swipe transactions on a wide variety of phone models besides the iPhone. Included in the list are devices from Blackberry and those that use the Android operating system.Tablet computers can also be used. “Mobile commerce is very complex, and we have built a system that makes it much easier,” says Will Graylin, CEO and founder of ROAM Data. “Our goal is to deliver the most secure, cost-effective, and scalable mobile commerce solutions for merchants to transact with their customers.” ViVoTech, meanwhile, recently won the 2010 Mobile Commerce Mobility Award from MobileTrax for its ViVOwallet mobile wallet software for NFC mobile phones. The product is an application for NFCenabled phones that manages credit, debit, prepaid, gift, loyalty, and other cards that are stored on the mobile device. Consumers, meanwhile, receive personalized offers and coupons as well as rewards from merchants and/or card companies. One advantage: The ViVOwallet makes it easy for consumers to load their card information onto the phone without visiting Web sites or bank branches. Looking to the future, companies like Dejavoo are hoping to bring forth new electronic transactions revolutions. The company is currently working on the ZPOS retail system, which integrates the company’s embedded PC-based touch screen with its Smart PIN pad terminals. The end result will provide merchants with a multi-station advanced POS system that is light, modular, and easily upgraded. Other companies are working on terminals that accept PayPal payments during in-person transactions, given consumers’ high comfort levels with the payment system and the fact that it adds another layer of security. TT Chris Morris is a contributing writer to Transaction Trends. Reach him at chris.r.morris@gmail.com.
Advertising
Technology Solution Section How has technology enhanced your products/services, or how has technology advanced the electronic transactions industry? Double Diamond Group
eProcessing Network
The payments industry as we know it was launched as a result of developments in telecommunications technology, which paved the way for electronic authorizations, electronic draft capture, and POS technology. Ironically, telecommunications technology is still driving industry innovation today. With developments in NFC, the proliferation of smart phones, and expansion of 3G networks, the industry is poised to see explosive growth in mobile payments, as we are already seeing in 2010. Double Diamond Group helps companies predict emerging technology trends to develop strategies, products, and relationships that are on the leading edge of industry innovation.
Payment gateways were initially created to meet the needs of a growing Internet merchant community. Fifteen years later, with Internet access available in every home, office, and retail environment, the need to provide secure financial transactions is greater than ever. But many ISOs only look to a gateway for eCommerce merchants and miss out on a large number of sales opportunities. eProcessing Network has payment solutions for many merchant types, including retail, MOTO, wireless, recurring, and eCommerce, which provide merchants with faster, more cost-effective POS applications.
4Access Communications
Network Merchants Inc.
Two big technology changes have transformed the payments industry. The first is the continuing advance of microprocessor power. Power means a richer set of payment services with greater security than ever before. The second change is the electronification of the check, making checks more convenient for customers, secure for merchants, and efficient for banks. The 4Access Orion terminal embodies these changes, supporting a full spectrum of card services, and accepting all types of checks at point-of-sale or the back office. Now all forms of non-cash payments work with one device.
Advancements in technology have allowed NMI to differentiate themselves as the leading e-commerce gateway by providing a unique feature set. With Transparent Branding, ISOs and agents gain ownership and instant credibility with their customers. Technology advancements allow our partners to remain one step ahead. NMI’s Patent Pending Three Step Redirect API ensures secure data transmission by keeping the merchant from handling any sensitive payment information. NMI offers a non-compete guarantee by not boarding or offering merchant accounts directly. Contact NMI at 800-617-4850 or e-mail sales@nmi.com.
Learn without leaving your desk
Do you want an affordable and flexible way to learn more about the electronic payments industry? ETA is proud to announce a new series of online, cutting-edge, educational seminars to help enhance your knowledge in a wide variety of payment topics.
You will learn: Commonly used industry terminology The roles of various industry participants The principles of effective sales and marketing The basics of establishing your sales office and much more.
Choose the online course that’s right for you: Introduction to Electronic Processing Introduction to Sales and Marketing Introduction to Operations Sales Channel Development
Member $195/each • Non-Member $295/each Register online:
www.electran.org Or call ETA:
1-800-695-5509 Transaction trends | July 2010 13
[ FEATURE]
Prepaid
Tidal Wave ALL SECTORS TAKE OFF, BUOYED BY SEGMENTED MARKETING AND DISCRETE USES By Richard H. Gamble
KEY NOTES 8
repaid cards have graduated from a P modest supplemental product to part of the mainstream. Banks want to have credit, debit, and prepaid all in their starting lineup.
8
ayroll cards are taking off. Walmart, P for instance, has launched payroll cards across its entire employee base.
8 Reloadable branded prepaid cards are blurring the line between debit and prepaid. In fact, MasterCard considers prepaid a segment of its debit product.
8 The next wave is filtering that limits where the card can be used, but it still settles through the brand infrastructure. HSAs are the best example right now.
14 August 2010 | Transaction trends
I
n a market where not much is booming, prepaid cards stand out. They are hot and growing exponentially, reports Neil Dugan, vice president for prepaid products at MasterCard International. The three core sectors—government, corporate, and consumer—all are showing rapid growth. “In the public sector, prepaid card payments have become part of the everyday payment fabric, just like checks used to be,” he says. “In many areas, prepaid cards have become the default payment type of choice.And that will only increase.” Prepaid products have seen double-digit growth each year since 2004 (see the chart on page 15). Part of their success may be due to the economy. Prepaid cards are a natural preference in an environment where consumers are trying to cut back on debt and only spend what they budget, notes Ben Jackson, senior analyst at Mercator Advisory Group. But it’s bigger than that. Prepaid cards have recently graduated from a modest supplemental product to part of the mainstream, observes payments consultant Ali Raza, executive vice president of Speer & Associates Inc. in Atlanta. “Banks are looking at prepaid as a key part of their payments continuum,” he says.“They want to have credit, debit, and prepaid all in their
starting lineup so they can serve different segments effectively.” If you can see the customer’s spending with all three card types—credit, debit, and prepaid—you get a richer understanding of consumer behavior, Raza says. And processors love it because it means more transactions, he points out. “It’s one more product to move people away from cash and checks.” Recognizing the importance of prepaid to merchants, Atlanta-based Global Payments, while it does not issue or provide the technology platform for prepaid, does process the transactions for its merchants, reports Sid Singh, vice president of worldwide products.“We keep prepaid cards on our radar as we develop products. We follow the markets and look for opportunities to partner” with companies more directly involved in selling prepaid services. “It’s part of our strategy of pushing alternatives to cash and checks,” he says.
Regulatory Ripples Prepaid programs may also benefit from the uncertain legal and regulatory environment. As new government-imposed rules cut into the profitability of issuers, prepaid will benefit and become the primary option left available to certain segments, says Greg Cohen, president of Moneris USA. It’s not necessarily a safe bet, however.
One popular type of prepaid card, the payroll card, is in some peril until Congress acts on the Sen. Richard Durbin (D-Illinois) amendment, which would place limits on debit card interchange, including prepaid cards.“That amendment could make these cards less profitable or not even self-sustaining,” Jackson notes. Whatever the fate of the Durbin amendment, the 2009 CARD Act does create more scrutiny around how prepaid cards, especially gift cards, are marketed and managed, Jackson says. “We’ll see continued growth in prepaid cards, but instead of lumping the offerings together as gift cards or mall cards, they will be defined for a variety of more specific uses. This will be partly in response to the new rules and partly to suit consumer preferences.” Payroll cards are vulnerable because many states have laws that block employers from requiring employees to accept payment in ways that cost the employees money. Employers like to pay employees with cards because it’s cheaper than checks. If payroll cards cost more than checks, employers are unlikely to use them, Jackson says. But for now, payroll cards have real momentum. Payroll cards are taking off, Dugan notes.“Corporations see payroll cards as a great channel,” he says. “They have been available for several years, but they have really picked up steam in the past couple of years.” Companies like Walmart have launched payroll cards across their entire employee base, he says. Payroll cards still largely supplement direct deposit, but that market is not limited to lower-paid, unbanked employees, notes consultant Lori Breitzke, an associate at the Strawhecker Group.A host of mobile workers—doctors and nurses providing emergency services, engineers and construction crews, and consultants—find it useful to get paid on time on the spot and may not find bank accounts convenient to use, she explains.“The cards can come with surcharge-free ATM usage. The person being paid often has a choice of using the card to draw down cash from ATMs, to use it to pay for purchases at the point of sale, or to transfer the money to their bank account.” Exactly where the funds reside between when a card is funded and when the funds
Total Dollars Loaded on All Prepaid Products (in billions of dollars loaded) $250.00 12.4% 10.7%
$200.00 19.7% 13.0%
$150.00
$187.24
Closed Open
$179.59 $171.17
$100.00 $137.40
$150.79
$50.00
$-
$9.81
2004
$15.49
$27.89
2005
2006
$40.67
2007
$60.42
2008
U.S. Open Branded Prepaid Market Growth (in billions of dollars loaded)
$70.00 $60.00 $50.00 48.5%
$40.00 45.8%
$30.00
$40.67
$20.00 $10.00 $-
$60.42
57.8% $9.81
2004
80.1%
$27.89
$15.49
2005
2006
2007
2008
Source: Mercator Advisory Group
are spent depends on contractual relationships, but generally they are held by a bank that issues the cards, Dugan explains. That means that prepaid, unlike credit or debit cards, carries a float benefit for the issuer and no credit risk, but the cash put on prepaid cards “turns over pretty fast,” he reports. “It’s generally money people live on and use to buy what they need and pay bills. Very little of it is left sitting in an account for very long.” The money is a consumer-owned asset protected by FDIC insurance, he adds.
Debit in Disguise Whether prepaid cards should be considered a unique species or a variety of debit card is a matter of some debate. One of the beauties of branded prepaid is that it rides on the debit card infrastructure and doesn’t require much capital investment, Raza notes.
In fact, reloadable branded prepaid cards are blurring the line between debit and prepaid, he says. Debit taps the funds that the cardholder keeps in his or her own bank account. Prepaid, in many cases, can tap funds in a prepaid shadow account. Payroll cards are also authorizations to debit the cardholder’s funds from an account held by the employer or card issuer. MasterCard considers prepaid “a segment of our debit product,” Dugan says. “The cardholders get all of the benefits of a debit card.They can use it at ATMs.They can use the card and a PIN to pay for purchases at retail locations.” Fees and interchange also mimic debit cards, he adds. The prepaid gift card, one of the first prepaid applications to become popular, is becoming a much bigger, more flexible product. Starting with closed-loop cards that could be used at a single merchant, Transaction trends | August 2010 15
[ FEATURE] U.S. Closed-Loop Prepaid Market Growth (in billions of dollars loaded)
$200.00
4.9%
$180.00 9.7%
$140.00 $120.00 $100.00
4.3%
13.5%
$160.00
$137.40
$150.79
$80.00
$171.17
$179.59
$187.24
2007
2008
$60.00 $40.00 $20.00 $-
2004
2005
2006
Source: Mercator Advisory Group
growth has spread to open-loop cards that carry a card brand and can generally be used at any accepting merchant. Gift cards, originally meant for one-time use, are morphing into reloadable cards that are offered at a growing number of merchant locations, Dugan reports. “Gift cards started it, but consumers liked the cards and welcomed the idea that they could be reloaded and used again and again.” Media companies like Univision have offered reloadable prepaid cards in the Hispanic community, and Green Dot has a thriving program, he notes. While the general-purpose reloadable prepaid card, like the Walmart MoneyCard, is flexible and becoming popular, it takes a robust, secure POS infrastructure to support, which makes it challenging for smaller merchants working with ISOs to implement, says Breitzke, who hosted a day of prepaid card sessions at the recent ETA annual meeting in May.
Branded, But Restricted One major trend is the coming of branded cards that can be used at a restricted group of merchants. Until now, closed-loop cards could only be used in one enterprise, and open-loop cards might be marketed as a mall or neighborhood card, but the brand logo meant they could be used at any accepting merchant. What’s coming is filtering that would effectively limit where the card could be used, but it still could settle through the brand infrastructure, Jackson explains. It could be restricted by geography, by transaction size, by type of goods or services purchased, even by time of day or 16 August 2010 | Transaction trends
day of the week, he notes. Most cards so far use “cosmetic filtering,” Jackson says: They are imprinted with the name of a mall or group of stores, but the brand logo is a signal that the card can actually be used at any accepting merchant, and consumers generally recognize that, he points out. The precedent for restricted open-loop cards is already there in the branded health savings account (HSA) card. By law, the pre-tax money in those accounts can only be used for eligible health care expenditures. Filters mean that at the point of sale eligible purchases can be settled with the card but ineligible expenses would have to be settled with cash or another card. The filters work at the SKU level, so they are very specific, Jackson says. Outside the HSA world, such filtering is not yet widely used, he adds. Success with prepaid cards will come to those that target specific segments rather than push into mass markets, Cohen suggests. Some of those segments are the underbanked, youth, education, health care, and government, he says. “Parents are giving their children prepaid cards as an alternative to high-limit credit cards,” he notes. One example of a targeted prepaid card could be a layaway card, Jackson illustrates. Now a person saving to buy a lawnmower or TV might buy a gift card every time he or she accumulates some cash and eventually present a stack of gift cards and use them to buy the TV or lawnmower. In the future, he or she might simply reload more cash on one layaway card until accumulating enough to buy the item, he explains.
Corporations have embraced prepaid as far more than a supplement to direct deposit of routine payroll. Prepaid cards can be used to pay bonuses or commissions, pay out budgeted money for a trip, or carry termination pay, Breitzke notes. “Once an ISO has a merchant client, there are a lot of ways they might use prepaid cards in their role as employer,” she says. Singh sees strong growth in businesses paying customer rebates with prepaid cards. Walmart is doing it, he notes.“There is tremendous branding and marketing value if a consumer carries a card with your name on it.” Global Payments is using prepaid cards for employees who travel as an alternative to cash advances or after-the-trip reimbursements, Singh reports. “It’s being embraced as a safer, more convenient alternative to petty cash,” he notes. Theft and fraud are a small problem for prepaid cards because the amounts put on the card are small compared to the exposure created by credit and debit cards, Singh reports.“Fraud exists in the prepaid world, but it’s a small fraction of the fraud we see with credit cards,” he notes. One supposed benefit of prepaid cards may be overrated, Jackson suggests.“Spoilage”—money that is prepaid but never spent—is at best a mixed windfall for the issuer, he points out.A growing number of states require that unspent funds be considered unclaimed property and turned over to the state. That’s a real pain in the neck, he says, especially if a card is later used and the issuer has to try to get the funds back from the state. Even where states don’t claim the money, it’s better to have customers coming into the store, spending more than the amount on their card, and reloading it when that is possible. “Many consumers see a gift card as a license to spend,” Jackson notes. “They feel like the amount on the card is free and whatever more they spend is still a bargain,” he explains.“Velocity is what you want, and you can use gift cards to build velocity.” TT Richard H. Gamble is a contributing writer to Transaction Trends. Reach him at gamble10@earthlink.net.
»
Startup Stories:
A special series following three newly launched ISOs (10th installment)
The Short List Practicing the fine art of prioritizing your objectives By Julie Ritzer Ross
» Express Transact, Orem, UT » Leap Payments, Agoura Hills, CA » Paymint Associates, Brooklyn, NY ISOs We’re Following:
Let us profile your company! If you launched a new ISO in the last 12 months and would like to be considered for the second Startup Stories series, contact abrady@strattonpublishing.com.
S
etting priorities and tackling a few objectives at a time is far favorable to simultaneously tackling every item on a long list of goals. Of the many lessons our startup ISOs have learned since we began following them last November, this ranks among the most important. “Prioritizing is always a challenge,” says Will Detterman, CEO of Leap Payments Inc. While Detterman would like to expand his stable of employees, he’s instead focusing on boarding merchants and building new partnerships. Moreover, the ISO plans to take the necessary time to handle these issues and then shift attention to hiring, rather than outsource the hiring process to a third-party company. “Hiring the right people is the most important thing that I do, and it absolutely cannot be outsourced,” Detterman asserts. “It only takes one bad seed to spoil your reputation.” Although Leap Payments initially concentrated primarily on smaller accounts, adding larger merchants to the fold is its new major area of concentration. Leap Payments’ portfolio now includes several large clients who use multiple payment processing methods that feed into a single account, so Leap Payments is spending considerable time determining how to streamline payment acceptance methodologies. “Our theme is to simplify,” Detterman says. Detterman and his team have experimented with different tactics for attracting merchants that appear to be a good fit for the ISO. “We’ve found a really interesting method to reach our prospects, and while I cannot share any details for competitive reasons, we continue to improve our response and conversion rates.”
Decreasing merchant acquisition costs has been a related focus and a topic of discussion. “There are many different strategies for reducing acquisition” expenditures, Detterman says. “Some ISOs will sign up hundreds of sales reps and then pay them a ridiculously high residual, which in essence brings their merchant acquisition costs to close to zero. But this comes at a significant price to reduce the lifetime value of the merchant, as ISOs’ long-term liability to sales reps is tremendous in that case. “We believe in the power of long-term residuals and expect to maintain every one of our merchants for life. That changes how we look at acquisition costs and residual sharing. Specifically, I will pay more up front to acquire a merchant because my long-term residual is what’s important to me, and we’re not interested in paying a huge percentage to a sales rep who is here today and gone tomorrow. ISOs can’t accomplish their merchant acquiring goals with transient sales reps and call centers in foreign lands.” In other developments, Leap Payments is keeping a sharper eye on “disruptive technologies” that have the potential to significantly alter the ISO playing field. The ISO cites technology that allows point-of-sale transactions to be executed on cell phones as one example. “It’s a niche product with tiny transaction volumes, but could have the potential to lock merchants into solutions they will never abandon,” Detterman says. He predicts that the power of these solutions to change their “turf” will necessitate that ISOs decide to either partner with cell service providers or compete for their business.
Transaction trends | August 2010 17
»
Startup Stories:
A special series following three newly launched ISOs (10th installment)
Assuming Risk Meanwhile, Paymint Associates has crossed a high priority off its list: finding a point-of-sale (POS) system its principals felt comfortable offering to merchants, in turn bolstering its potential to build its portfolio.The ISO recently signed an agreement with UP Solution, a hardware, software, and payment processing services provider in Hackensack, New Jersey. Under terms of the agreement, Paymint Associates will initially market the vendor’s POS system in tandem with a value-added reseller (VAR). The ISO anticipates transitioning into UP Solution’s reseller program, wherein Paymint Associates itself would become an UP Solution VAR. With the POS situation now sorted out, Paymint Associates can investigate the high-risk merchant category and has already been in contact with one global processor that plays in the market. “We are trying to figure out how to reach these merchants, who themselves are trying to identify the best processor” with which to work, says Steven Feldshuh, vice president, business development. Feldshuh and his partner, George Sarantopoulos, have discovered that traditional methods used to attract the attention of retailers and restaurateurs are not effective in targeting high-risk merchants. ISOs can’t just walk in on or telephone prospects in this merchant class. Paymint Associates is investigating social networks to convey its message. “I do understand that these merchants still want to speak with a knowledgeable person, but getting to them seems to be a challenge in itself,” Feldshuh says. In addition to trying social
networking, the ISO plans to identify a viable vertical niche within the high-risk sector and attend industry events at which high-risk merchants in the subcategory gather. Paymint Associates’ other priority is augmenting its cash advance and loan program, previously available only to its agents, to include merchant customers. Unsolicited requests for loans from its merchant base spurred the ISO into action, and it’s taking a methodical approach to the project.“Our goal is to find the best organizations that offer the best interest rates for our merchants,” Feldshuh notes. “Additionally, we won’t permit any upselling of the rate or fees. The idea is simple—to get merchants money at the lowest possible cost to them, to keep them in business, and to form a long-lasting business relationship with them.”
Slow, Steady Adjustment This past spring, Richard Davis left Express Transact, the ISO he had founded, to join CAM Commerce. The latter has since sold its POS software division to Robertson Piper Software Group (RPSG), enabling its integrated payments division to become an independent, integrated ISO/payment processing organization under the moniker ACCELERATED Payment Technologies. In the integrated model, ACCELERATED’s proprietary payment technology is interfaced with other software. For example, in a physician’s office, the technology integrates with a practice management solution for patient scheduling, invoice tracking, etc. “Integrating our payment piece with the software creates a bundled solution for that office, and turns its PCs into a POS system,” Davis explains.“But beyond that aspect, we offer to take the burden of meeting security requirements to safeguard customers’ credit card numbers and other financial data and to isolate our partners from that liability. And, in the spirit of partnership, we handle all the marketing to the software companies’ clients, ongoing support, and the actual software integration.” Davis’ top priority is a personal adjustment to this integrated model; he had no previous experience with it at any point during his 12-year tenure in the electronic payments industry. “The scheduling of the integration piece with the software companies can be time-consuming and challenging, but whether it takes one day or one year, it’s worthwhile,” he says. As for ACCELERATED itself, the ISO is focusing on forming and maintaining strong personal relationships with its customers. CEO Roy Banks and other principals attend client meetings. Davis recently accompanied Banks to such a meeting.“The partner knew who our CEO was and was anxious to meet him and share with him its goals,” Davis says. “We were told that the partner was impressed and thankful to be working with us because, while most CEOs might come in and push their weight around, so to speak, our CEO listened intently to the company’s plans and goals and, more importantly, solicited feedback about needs and committed that he would ensure we make whatever investment necessary. Our CEO then walked away with a list of items to which he would personally attend. I think this is a model that will serve us well.” TT Julie Ritzer Ross is a contributing writer to Transaction Trends. Reach her at jritzerross@gmail.com.
18 August 2010 | Transaction trends
[ ROUNDTABLE]
Security Guards ETA’S BEST PRACTICES COMMITTEE GOES DEEP WITH SECURITY AND COMPLIANCE DISCUSSION Edited by Angela Hickman Brady and Josephine Rossi
A
t ETA’s annual conference last spring, the organization’s Best Practices Committee sat down for its second annual roundtable on a topically focused best practices issue. This year, data security and compliance were on the agenda. In an in-depth discussion, participants talked about how to ensure merchants are doing what they say they’re doing in terms of compliance, tokenization and end-to-end encryption, the potential impact of regulation, and other issues. Participants included Wenlock Free, VP, business development, Security Metrics; James Oberman, senior exec VP/COO/director, NPC; Michael Petitti, chief marketing officer, Trustwave; and Jason Way, director, product services, Geobridge. The roundtable was moderated by Scott Mabry, chief operations officer, Total Merchant Services.
Scott Mabry, MODERATOR: What aspects of fraud and risk mitigation are not getting the attention they deserve today?
Transaction trends | August 2010 19
[ ROUNDTABLE] Jason Way:
“Compliance best practices are one of the things that we wrestle with every day—which direction to go, how far to go, how much investment to make, what’s going to change next.” —Scott Mabry, Total Merchant Services
One of the most prevalent is the lag in adoption of enforcement for triple DES from single DES, and the migration to triple DES. The lack of enforcement has been going on so long, it’s almost like a broken record. It seems to be a situation where we don’t want to address compliance until we actually are fined for a lack of compliance. The migration to triple DES can’t be overlooked, either. When you do use triple DES, you’re supposed to be applying key bundling to triple DES encryption algorithm keys that you have, and that’s been in force since 2005. Here we are in 2010, and still, I’m not really aware of anybody that’s at least contending with key bundling from an interchange perspective. I’m aware of certain institutions that have adopted an aspect of key bundling for their own storage and internal usage, but we’re still a long way away from being able to have an interoperable method for the appropriate usage of the triple DES algorithm.
James Oberman: At NPC, we’re looking primarily to keep our losses as low as possible. One of the major things we’re seeing that is ignored is some basic verification that the merchant is doing what they told us they were going to do—particularly in the card-not-present sector. It’s not just a matter of applying the Web crawling tools against your portfolio to make sure the brand is being complied with. It goes beyond that to make sure that that customer who is accepting cards in a card-not-present environment is doing what they said they’d do. Another big thing is merchants forcing transactions and why. Sometimes, it’s as simple as they don’t understand how to use their systems. Or
20 August 2010 | Transaction trends
it’s an innocent customer that lacks an understanding of how the technology works or what they’re supposed to do. Or you may have somebody trying to commit a fraud against you. It’s the same with credits and returns. Often overlooked is matching of credits and returns to sales—not just from a fraud perspective but, with the economy the way it’s been, a lot of merchants are going to other processors to save money or because some credit departments are asking for reserves. So you have this lag of transaction volume, to where they legitimately need to enter their returns on you that were on a previous processor. Likewise, there are the nonfraudulent activities that relate to merchants simply running returns and whether they have the capacity to cover them. In this case, the merchant has already received its funds, so the question is, does the merchant either have monies in a current batch to offset against, or the capacity to cover the overall net returns? Sometimes there seems to be too much of a focus on reviewing sales transaction activity. Although important, you need to go beyond just your regular activity. I see more abuses in these other areas, and more risk there.
Michael Petitti: I think there are rules in place that are at least trying to raise awareness of and generate activity toward most—if not all—businesses in the payment industry being PCI DSS compliant. But there are other issues pertinent to fraud and risk mitigation that aren’t being addressed. For example, in the card-notpresent world—more specifically, e-commerce sites—any entity can obtain a certification for an e-commerce site without demonstrating any ownership of the domain or legitimate business standing. That is one area where there has been an effort from the Certificate Authority Browser Forum to establish the extended validation SSL certificate standard. This type of practice—validating the organization’s identity—is considered somewhat of a tangential practice, even when you look at it in relation to the rules around securing credit card information. PCI DSS is about protecting the cardholder information as it’s stored, processed, or transmitted, whereas validating the identity of an organization that is accepting that information—that is one area that doesn’t get enough attention. There is some press about phishing scams and other schemes of that nature, but time and time again, consumers are duped by fake Web sites.
PCI COMPLIANCE? NO PROBLEM.
Simplify PCI Wondering how to help your merchants become PCI compliant and keep them happy? SecurityMetrics can help. As a leader in PCI-DSS we handle more than 100,000 merchant PCI calls every month. Our Simple approach works. Call today to receive a free PCI consultation for your business. 801-724-9600 www.securitymetrics.com
[ ROUNDTABLE] Way:
“The lack of enforcement has been going on so long, it’s almost like a broken record. It seems to be a situation where we don’t want to address compliance until we actually are fined for a lack of compliance. “ —Jason Way, Geobridge
We’ve come so far so quickly in terms of adopting different payment vehicles. We’re so far past just checking a card. Everybody’s got an app on a different smartphone and doing some browser-based transactions. We’ve allowed the acceptance of money by those means without really producing a due diligence form of enforcing the security controls around it. MODERATOR: There is a lot of conversation going on about tokenization. Will it deliver on the promise? What about end-to-end encryption, or remote key loading? Which is better?
Petitti: I think end-to-end encryption is something the industry should be moving toward. I would define end-to-end encryption as from the time the card is swiped all the way through settlement or authorization. During this process, the card information is unreadable to any nonrelevant parties of the transaction supply chain. The status quo of encryption efforts thus far in the payment industry is mostly point-to-point. For example, there might be encryption at the point of sale, or to shield the merchant from what they perceive as liability from handling credit card information.And there may be encryption between other parties in the transaction supply chain. But by no means is there what I would classify as an end-to-end encryption solution. I think that there are issues with tokenization. There might be a lot of configuration—from a database perspective, for example—that has to be implemented to accommodate tokenization. A lot of smaller businesses—which account for the majority of businesses that accept payment cards and accept a significant portion of the payment card transactions—are probably not in a position to make those types of configuration changes. A larger company might be in a position to make those changes, but it would be costly as well. Tokenization is a sound concept, but there are certainly issues of the implementation that could prevent it from completely delivering on the promise. Way:
I agree that tokenization is a sound concept for what it does. But the way I’ve seen tokenization implemented and strived for is really to be a scope reducer of your compliance and security fundamentals, and your overall environment in looking at the limits of your compliance assessment. Tokenization is nothing more than substituting a sensitive value with another value. We could apply the same definition to encryp-
22 August 2010 | Transaction trends
tion, and we’re not doing that because we actually have encryption standards. We’re getting away with it by saying,“This isn’t encryption, I’m just going to do something different.” Most of the encryption standards that we do have are based on publicly available algorithms to protect secret data. Now we have some of these tokenization solutions that rely on secret algorithms augmenting a public algorithm to protect the same secret data. There are a handful of well-known token solutions, but none of them are interoperable with one another. We haven’t really achieved what, in my mind, was the goal of tokenization: to eliminate sensitive data in the environment. Tokenization is really a redistribution of efforts we can otherwise apply toward a true end-to-end encryption solution. In the world of PIN, we do have end-to-end encryption. The PIN is only in the clear at the time it’s entered on an encrypting PIN pad. The issuer who has to authorize the transaction is the only one that ever ultimately gets to decrypt it and make any use of it. If we were to leverage some of the practices that we’ve already spent decades protecting the PIN and apply them toward sensitive data that we’d otherwise want to protect in an end-to-end fashion, I think we could achieve it. Remote key loading isn’t necessarily related specifically to tokenization or end-to-end encryption, but it’s becoming more sought after because it’s a more efficient, secure method of delivering an initial PIN encryption key to a POS terminal on a merchant link. If we can deliver a key to a POS terminal anywhere in the world that’s got Internet access, we could just as easily deliver a data encryption key under remote loading technology that ultimately produces the same end result. Remote key loading can augment the intended efforts of end-to-end encryption, but end-to-end encryption shouldn’t wait for remote key loading to be prevalent—although it actually already is. There are a couple of solutions in the marketplace today that do offer it for POS terminals as they sit in the marketplace today. The real force holding us back in achieving end-to-end encryption is an interoperability issue. There are standards out there that say, “This is how we should all do it”: X917, old and withdrawn as it is, is still used today, because it’s interoperable. X9 produced a different standard, TR-31 for interoperable standing for key bundling. If everybody employed that, everybody would have a mechanism in each individual
manufacturer’s implementation of a particular product that would allow for interoperability to transfer encrypted data without letting it appear in the clear where it didn’t need to be.
Wenlock Free: Have any of you been to visit the Battleship Arizona in Hawaii? You watch a film before you go out to the memorial that is built over the Arizona. The film does a brilliant job of explaining how Japan successfully blew up Pearl Harbor. The fear of the American forces at the time was an attack from the land. The enemy would come ashore and destroy the airplanes. So the U.S. forces decided to push all the airplanes in the center of the runways, wing to wing, and keep them as far away from the shores as they could. Well, when the Japanese flew over, it made the airplanes an easy target to nail and made it difficult to launch the planes to defend the attack. Using that analogy in an end-to-end encryption tokenization discussion, if you look at it from a business perspective, if transactions are pushed together into a place that would otherwise have been in small areas, small locations, we now shove them all into a nice, big central location. Now we’ve got a situation where we’ve shoved all the data together into big pockets, instead of small, little pockets. More big amounts of card data are then compromised, rather than smaller pockets of card data. The second thing is a business philosophy. If I’m doing recurring billing, and I’m hooked in with a company that is doing my end-to-end encryption on a particular tokenization, and now I want to change my tokenization provider, I have no data. My business is my data. Suddenly, there’s no transparency. And, if there is legislation that requires tokenization to be fully transparent, then we make a new requirement to transfer data between these tokenization entities, opening up another way that data could be compromised. I haven’t laid out any solutions in what I’ve just said here. But these two pieces, this bringing all of the card data together in bigger pockets, and the idea that business cases of changing tokenization providers is going to be very difficult to implement without hurting the security aspects, these are two big concerns that I have, and I would love to see some resolution to those two problems.
Petitti:
We published a report based on our forensic work in which credit card information is stolen after an intrusion has taken place. Some
of the conclusions: In, say, the market in North America and the markets in Europe where they have gone to chip and PIN, you do see a difference in the pattern of cases and the type of information they’re seeking. In North America, we see far more cases in which information is taken from locations or merchants or businesses that are handling information from card-present transactions. In Europe, particularly in the United Kingdom, you see far more cases of card-not-present businesses having information taken from them. That’s largely due to the move to chip and PIN in those specific markets, which has pushed the type of information that the thieves can make use of to the card-not-present world. Ultimately, you’ve seen what I would classify as predictable movement of the activity. As those types of acceptance-based security technologies become more widely adopted, you’re going to see the thieves moving toward what they perceive as the softer targets.
Free: The education of merchants doing business in chip-and-PIN-regulated locations is more advanced. We have some acquirer partners in the United Kingdom who, in converting merchants to chip and PIN, sent reps out with machines to the merchants to say, “Look, tomorrow, that machine is not going to work.Today, you need to take this machine and swap it out, or the game is over for you.” When we follow up with a level-four PCI campaign, particularly in the U.K. and other locations where the chip and PIN have been instituted with a PCI program, the merchants get it. But, when we talk to merchants who haven’t had that experience—and I’m not only talking about mom and pop businesses—they say,“Huh, what?” Transaction trends | August 2010 23
[ ROUNDTABLE]
“The entire community has to nurture businesses to understand and achieve compliance, and really protect consumers’ information. You have to talk to these entities as if they are consumers.” —Michael Petitti, Trustwave
It’s a completely unknown thing. I love a chip and PIN movement simply because it educates merchants about what they’re doing with card data. I asked a card brand representative, “When is the United States going to chip and PIN?” He said, “The U.S. will never go chip and PIN.” He said that U.S. citizens will trade security for convenience every day of the week.
Petitti:
But the markets that have gone to chip and PIN are more regulated markets. One of the wonderful aspects of the U.S. market is that anyone can start a new business. You can sell whatever you want within reason. But in other markets, where the conditions are more regulated, it is more difficult to have that type of economic freedom. But, as a result, there’s probably more discipline because business owners do want to keep up with the latest technology. And, they want to make sure they’re adhering to the latest standards. For them, compliance is more a part of the business process because it’s very much a part of the culture.
manner. The industry has done a pretty good job self-regulating. There’s no question you’ll see additional tweaks to the standard. At some point, you’ll see a data breach protection for consumers at a federal level because a lot of the state statutes are starting to contradict themselves.You’re going to see a need for uniformity for that. Consumers probably don’t understand PCI, but they’re becoming more adept at spotting security indicators. For example, if they see the padlock in the corner, or they see a little emblem on an e-commerce site, consumers recognize those as indicators of security. But I don’t believe consumers understand the specific steps actually taken to protect their information. The effort to educate the hundreds of millions of consumers, just in our country alone, on the proper steps businesses are required to perform to protect their information, that is a daunting challenge. Regulation plays a part in that, but I also think we can somewhat mitigate some of the regulation by having enhanced technologies to take some of guesswork out of it.
MODERATOR:
Is more regulation going to help at this point, or is it more about improving technology processes and industry awareness or something else? Maybe it’s none of those things.
MODERATOR: In the event of an actual or suspected security breach, what are the appropriate procedures for involving law enforcement? Should the processor or sponsor bank be notified first?
Free: It’s not about more regulation. It is about enforcement. We have a PCI standard and many, many other standards that are near bulletproof. But we don’t have enforcement in place to cause what we know to be practiced.
Petitti: There are probably two answers to this
Petitti: I also think there has to be at least acknowledgement of the differences in regulation. Right now, a lot of laws are being passed at the state level. Those are a form of regulation, but they largely denote the process for handling communication to customers in the event that their information may have been exposed. But there’s no law that says, “You must do these things to protect personally identifiable information.” I think you’re starting to see a little bit of a movement toward that. One of the effective aspects of the PCI standard is that it has organized what we believe, as an industry, are the best practices for protecting credit card information, which we all know is the information most prized by those who are looking to commit fraud, either by the reselling of that information, or actually using that information in a fraudulent 24 August 2010 | Transaction trends
question. One is, if the data breach potentially involves payment card information, absolutely the sponsoring member, the acquiring member, the processor should be notified. My experience is that, for most of the businesses that do experience a compromise, they’re usually told by the acquirer or sponsoring member because that’s where the common point of purchase analysis has been done. But, from there, if we’re talking about a payment card situation, the card brands need to be involved as well. Once those parties have been notified, the appropriate law enforcement authorities are called in. There’s not exactly an apples-to-apples situation here. In the case of a very small merchant, a lot of actions occur without their knowledge because they’re the ones who probably find out after the fact. Then, the card brands end up working with the appropriate law enforcement authority, usually at the federal level, because, if some mom-and-pop store in the quad cities is a victim of a data breach, the local authorities don’t really have the experience to
deal with that type of situation. Chances are, it’s part of a larger effort to begin with. On the other side, if you’re looking at nonpayment card information that’s been stolen, it is absolutely appropriate to involve law enforcement authorities at that level, because there is no intermediary from a sponsoring bank or a card brand. Chances are, if a larger organization has had personally identifiable information stolen or some sort of proprietary corporate information stolen, you have to make sure your internal security team is aware of that. They would know the proper response and escalation procedures. That likely would involve appropriate law enforcement personnel.
Free:
There is an expectation by merchants who are compromised that the dirty rat is going to get caught and be brought to pay restitution. And, unfortunately, that doesn’t happen as quickly or as often as merchants perceive that it should. When we listen to representatives from the Secret Service, from the FBI, I am convinced they’re doing the very best that they can with the resources they have. But I am constantly reminded by merchants of how disappointed they are that restitution is not so quickly forthcoming. So in the course of what we talk about, maybe we shouldn’t set a giant expectation in the minds of the merchants that these dirty rats are going to get caught every time.
Oberman:
Again, it comes down to the cost of having justice served. Is it worth it? The first thing you do is your damage control to make sure that it’s not going to happen anymore. And, then, do I have any other holes in the organization or any other kind of customers that you should watch out for?
MODERATOR: Are interchange rates properly reflecting the risks being assumed by each party in the acquiring value chain? Oberman:
Let’s set the parameters on what we define. First of all, the acquiring part of the industry doesn’t benefit directly from interchange, as we know. We exist because of issuers. And we provide an important role for the payment exchange. I’ll use as an example what Discover did recently. Discover, particularly for the SME segment, said—regarding the small merchant, medium-sized merchant—it’s a value proposition to allow the acquiring industry into this playing
field with us. And we’re going to set interchange and we’re going to let you mark that up and participate in that transaction. As far as this specific question, let’s look at it from the perspective of the issuer. Approximately 40 percent of the issuer’s net revenue comes from interchange. The other 60 percent comes from interest and fees that they charge. We only exist because some bank, financial, or non-bank institution, like American Express or Discover, has chosen to extend credit to a consumer. So the question is, is the interchange they’re setting reasonable? Remember, they’re taking bad debt risks, and then you have the explosion of rewards cards.There’s tremendous competition to put a card in one of your pockets that you can convert to some kind of flight or trip or gift you’re going to buy for your kids. I think interchange is more driven by that. I think for the bad debt risk, the fraud risk, just the overall risk that the issuer carries the burden on that the acquiring industry doesn’t absorb, the interchange levels are reasonable. I expect interchange, actually, to possibly come down. I think with Discover entering the field and the fact that it’s a very competitive market, we’re going to start seeing a trend develop where interchange may come down slightly. Again, that’s because of the free market system. So we’ve got to respect the issuer’s role in the payments system because the majority of the revenue is on that side of it. The acquiring side of an industry, it’s not immaterial, but it’s small in relation to the revenue being driven by the issuing side. Let’s face it, in the last decade, credit was extended to individuals who maybe didn’t have the ability to pay. How has the issuing side of the industry subsidized that? With interchange, by increasing interchange rates, by putting restrictions on their rewards programs, by juggling all that around. I think that’s going to sort itself out. In terms of the risk that acquirers have taken— the risk of improper card acceptance by merchants that they bear—we don’t get to subsidize that merchant risk with interchange. I wish there was a way we could join into that party, but right now, we’re not allowed there.
“I can’t recall any businesses we’ve had in our company that sustained themselves when they either had deceptive practices or ignored adopting best practices or fair practices for handling information. Eventually, it catches up to them.“ —James Oberman, NPC
MODERATOR: Are there particular merchant profiles that ISOs should be particularly wary of?
Petitti: This is one of those questions that really spans the gamut of issues we see in the acquiring industry. For all the cases we investigated Transaction trends | August 2010 25
[ ROUNDTABLE]
“I asked a card brand representative, ‘When is the United States going to chip and PIN?’ He said, ‘The U.S. will never go chip and PIN.’ He said that U.S. citizens will trade security for convenience every day of the week.” —Wenlock Free, Security Metrics
last year in which credit card information was stolen, we saw it was stolen most often at hospitality vendors. Does that mean ISOs and acquirers should stay away from those types of businesses? No. But I think what you started to see, particularly as the merchants and ISOs have become more sophisticated with their PCI efforts, is that they tell those types of industries, “Here are the things I want you to do as you continue to accept credit cards. Or, if you want to become a merchant in my portfolio, these are some of the things I want you to do before you do that.” Know the risks associated with a given industry.
MODERATOR: Do you see merchants’ risk often increases with their lack of ability to adopt and endorse improvement in technology? Oberman:
There’s a parallel between businesses that ignore best practices and enter into what are truly deceptive practices, when you study them. They tend to ignore best practices for implementing secure technology. It comes down to making sure you know your customer. Make sure you’re doing business with somebody that’s committed to building their business for the long term. At the end of the day, I can’t recall any businesses we’ve had in our company that sustained themselves when they either had deceptive practices or ignored adopting best practices or fair practices for handling information. Eventually, it catches up to them. Those are the kind of businesses we tend to either stay away from completely or, if we take them on, we require other risk mitigation techniques. With all this being said, it’s not like the ISO should flee those businesses or the acquirer should flee them. But remember, we’re in an economy where the member sponsor bank is under capital constraints right now, and so there’s going to be a trend toward making sure portfolios are as clean as possible. Maybe the product is working, maybe it’s not, but they’re running a good business. They’re well capitalized, they’re profitable, and they answer their phone and provide good customer service— all those basics.
are stolen, and that sort of grassroots support makes the people they elect act. They act with the consumer in mind. The resulting regulation tends to look similar to other state regulations with a focus on notification more than data protection. Almost every state now has passed some sort of notification law in the event of a data breach. We discussed that it’s likely that will give way to regulation at the federal level that provides some uniformity. Whether or not that happens in the next 12 months, I can’t really say.
Oberman: In the next 12 months, we may not
MODERATOR:
see much from the federal level, but I think we’ll see a lot of pockets of state activity.The proposed state regulations and grassroots activity will be a burden on our organization and our members, because most of the members are either national in scope or regional. Keeping up with different regulations in different states can make your head spin. As far as interchange, I don’t think we’ll see anything on the credit card side. Congress didn’t understand all the dynamics between the issuer of a credit card and the acquirer’s role, and I think they’re retrenching there.
Petitti: There’s no question consumers are inconvenienced and upset when their identities
Free: I don’t think it’s too far out of anybody’s mind that a city government might ask for a PCI certificate in conjunction with issuing a business license. It’s not unreasonable when you consider that your city requires you to have a phone num-
Do you see additional regulation coming in the next 12 months, or will industry have wider latitude now to find solutions without government direction?
26 August 2010 | Transaction trends
an ISO with a completely different portfolio could say,“My portfolio doesn’t get anything but the stick.” Each ISO’s risk guru and sales VP could sit down together and say, “This is going to work for my portfolio, and I think this is going to work well.” And then roll it out and make it happen.
Petitti:
ber or fax number or place of business to obtain a business license. It would make sense to me, especially when states pass PCI-related laws, that the merchants would be asked to validate their compliance or prove it.
MODERATOR:
How can the MLS assist the level-four merchant with understanding PCI compliance and becoming compliant?
Petitti:
In the United States alone, there are about 6 million level-four merchants. They tend to be very small businesses that have no understanding of security and probably less understanding of PCI and the rules they must adhere to when it comes to protecting their cardholder information. One of the keys is the MLS, the ISO, the acquirer—the entire community has to nurture those businesses to understand and achieve compliance, and really protect consumers’ information. You have to talk to these entities as if they are consumers. The message has to be consumable and understandable at that level. And I also think the messaging has to be delivered in multiple ways, multiple times.
Free:
You can lead a horse to water, but you can’t make it drink. We’ve found that there are some ways to help the horses drink. ISOs know their merchants. And I think an ISO can say, “My portfolio will understand that carrot.” And then
There are a variety of approaches from an incentive standpoint. But, at the same time, whether you’re putting a fee in a statement, or you’re somehow notifying them that “Here is the stick and here is the carrot,” they have to be addressed in a way that helps them consume that information and understand it. The method and the message with which you reach out to small businesses has to be radically different from the compliance effort that has been put forth over the last four or five years, which is focused on much larger organizations. Free: The state of Nevada has passed legislation for merchants related to PCI compliance. I see the day when, if you want to do business in the state of Nevada, you’re going to have to generate proof that you’re PCI compliant. The state of Nevada’s going to pull up some kind of reporting tool. Keep your eyes open and watch.They make money on business licenses right now. So can a state make money on merchants who are not compliant right now? I think it’s in the wings. The states seem to need the cash. MODERATOR: Will consumers feel any more secure, confident, when making payments, or are most consumers oblivious to the measures being taken to protect their data?
Oberman: I think the technology employed has helped consumers understand. I know that the rate at which I get phone calls from my credit card company saying I have some irregular activity has gone up. They’re getting much better at identifying spending patterns and helping the consumer. Way: I think consumers are getting better at recognizing traditional payment methods. But consumers will choose convenience over security. And, over the course of the last year, I’ve lost count of the number of businesses and manufacturers that want some assistance in receiving a payment over iPhone now.That technology is escaping us. And we don’t have standards or good solutions in place.That will be the next really big fraud boom. TT Transaction trends | August 2010 27
ISO Corner RISK IN REVIEW
Banding Together
Industry coalition combats child pornography with a global, strategic focus By John J. Brady
F
ormed in 2006, the Financial Coalition Against Child Pornography (FCACP) is a ground-breaking alliance between private industry and the public sector. Managed by the International Centre for Missing & Exploited Children (ICMEC) and its sister organization, the National Center for Missing & Exploited Children (NCMEC), the FCACP consists of leading banks, credit card companies, electronic payment networks, third-party payments companies, and major Internet services companies. The coalition represents nearly 90 percent of the U.S. payments industry and relies on the involvement of U.S. federal and state law enforcement partners. The FCACP mission is to follow the flow of funds and shut down payments accounts used to support merchants peddling child pornography. To accomplish this, the coalition focuses on removing barriers to information sharing across partner organizations; expanding its global membership; and supporting ICMEC’s efforts to promote robust child pornography legislation around the world.
Silo Smashing Following the global adoption of the Internet, service providers, the payment card industry, law enforcement organizations, and ICMEC/NCMEC quickly built a solid approach to address the growing threat of commercial child pornography online. However, as sophisticated child pornographers exploited the reach and capabilities of the Internet, the FCACP
ask
the Expert
was launched as a critical new resource to remove silos and develop strategies for members to collaborate to address this serious problem. The coalition’s strategic focus includes the development of various work groups that leverage the collective expertise of its members. These work groups concentrate on increasing information sharing, handling technology challenges and opportunities, and strengthening analytical capabilities. Since the FCACP was established, these work groups have realized positive results. For example, the number of unique commercial child pornography Web sites reported to the U.S. CyberTipline dropped 50 percent following the expansion of this line to accommodate information from financial companies and electronic payment networks. In addition, illegal child pornography Web sites are increasingly directing buyers away from using traditional payment tools for transactions by encouraging the use of complicated, multi-layered alternative payment schemes, making access more difficult. For example, a Web site may claim to accept traditional credit card payments, but after attempting to use a credit card, a purchaser is instructed to e-mail the seller who then replies with instructions on how to send money through alternative payment (non-credit card) mechanisms. In other situations, sites simply are refusing to process credit cards from the United States.
As part of ETA’s continuing efforts to expand information resources, author John J. Brady has agreed to answer readers’ questions on this topic through August 31, 2010. E-mail your questions to experts@electran.org. Questions and answers will be posted to ETA’s Web site as they arrive and are answered. Please note that questions and answers become the property of Transaction Trends and may be edited prior to posting online.
28 August 2010 | Transaction trends
The trends and success of the coalition are encouraging, and so the FCACP is attempting to enhance its efforts and reach out to additional industry sectors to keep the pressure on and the momentum going. Specifically, the FCACP is developing relationships with registrars, hosting companies, and similar entities to increase the coalition’s resources to block the efforts of the child pornography business.
International Expansion Although child pornography consumers are global, the major commercial criminal enterprises tend to be based in Europe and Asia. Thanks to the support of major payment brand partners, the FCACP is able to extend its reach globally, despite being headquartered in the United States. The coalition continues to disrupt the global child pornography business by building alliances with companies, law enforcement agencies, and non-government organizations (NGOs), and by crafting solutions that are aligned with local laws and customs. Significant milestones include: • The European Financial Coalition (EFC) was launched on March 3, 2009, and is supported by the European Commission. The ICMEC serves as an advisory member of its steering group. • The Swedish Presidency of the European Union issued an announcement on Oct. 23, 2009, calling for EU member states to politically support further development of the financial coalitions and to join the EFC. • The NGO, ECPAT Sweden, started collaborations with SkandiaBanken and law enforcement in the summer of 2008. In 2009, the Swedish Bankers Association and ECPAT Sweden announced that all Swedish banks would be supporting the effort.
• The Asia Pacific FCACP was formed in 2009. Currently it is mapping out priorities and work streams, as well as recruiting new participants. • In Brazil, banks, law enforcement, government entities, and the NGO, SaferNet, signed a cooperation agreement to address commercial child pornography. Banco Bradesco, a member of the FCACP, recently hosted a meeting in Sao Paulo for private sector companies and NGOs to build awareness about the problem and outline potential solutions. ICMEC will provide counsel and guidance as these entities move forward.
Legislative Challenges While the United States and a small number of other countries have robust child pornography laws, the majority of the world does not. As part of its “Child Pornography: Model Legislation and Global Review” program, ICMEC continues its research into current child pornography laws around the world to gain a better understanding of existing laws and to gauge where the issue stands on national political agendas. In particular, the organization is trying to determine if national legislation:
• exists with specific regard to child pornography • defines child pornography • c riminalizes computer-facilitated offenses • criminalizes possession of child pornography, regardless of the intent to distribute • requires Internet service providers (ISPs) to report suspected child pornography to law enforcement or to some other mandated agency. Since ICMEC’s initial findings in 2006, the quantity and quality of international child pornography legislation has increased. However, results continue to show a need for additional global attention to this issue. Therefore, in the summer of 2009, ICMEC research on the existing child pornography laws expanded from the 187 Interpol member countries to include all 196 nations around the world. The organization will continue its work with various governments as well as regional leaders and NGOs that can champion and influence the promotion of effective anti-child pornography legislation.
Join the Fight The FCACP has published two thoughtleadership pieces, “Best Practices for Verifying and Monitoring Merchants Who Want to Join the Payments System,” and a white paper on trends related to web hosting and alternative payment tools in the child pornography business. These papers can be found at www. cybertipline.com/fcacp. Sadly, despite the ongoing efforts of FCACP and international expansion of similar coalitions, the demand for child pornography still exists. However, coalition members remain steadfast and vigilant in the goal of eradicating commercial child pornography and the fight continues. To join in the fight and learn what your organization can do to help prevent child pornography, please contact financialcoalition@ncmec.org. TT John J. Brady is the U.S. regional head of customer security and risk services for the payment system integrity group of MasterCard Worldwide, and a member of the ETA Risk & Fraud Committee.
Transaction trends | August 2010 29
ETA 2009-2010 BOARD OF DIRECTORS OFFICERS PRESIDENT Holli Targan Partner Jaffe, Raitt, Heuer & Weiss, P.C. PRESIDENT-ELECT Rick Pylant President & Chairman COCARD Marketing Group, LLC
Kim Fitzsimmons Senior Vice President–First Data Services First Data Corporation
Advisory Council Robert Baldwin President & CFO Heartland Payment Systems, Inc.
Heidi Goff President & Managing Director, The Americas Hypercom, Inc.
Joe Cohane CEO Veracity Payment Solutions
Robert McCullen CEO Trustwave
TREASURER Eddie Myers President & COO Payment Processing, Inc. SECRETARY Roy Banks CEO ACCELERATED Payment Technologies™ IMMEDIATE PAST PRESIDENT Nick Baxter Senior Vice President First National Bank of Omaha DIRECTORS Todd Ablowitz President Double Diamond Group
Jeff Rosenblatt President EVO Merchant Services Debra Rossi Executive Vice President Merchant Payment Solutions Wells Fargo Bank Dave Siembieda President & CEO CrossCheck, Inc. Tom Wimsett President & CEO National Processing Company
Dean Leavitt Chairman & CEO Unicorn Partners, LLC Ed Myers U.S. President Global Payments, Inc.
ex-officio Carla Balakgie CEO Electronic Transactions Association Jan Estep President & CEO NACHA Sameer Govil Head of Acceptance Solutions Global Acceptance Visa Matt Johanson Vice President Acquirer Relations Discover Network
Deana Rich President Rich Consulting
Steve Carnevale Senior Vice President/ Group Head Commerce Development MasterCard Worldwide
Kurt Strawhecker Executive Partner The Strawhecker Group Buzz Stryker President & CEO POS Portal, Inc.
Bryan O’Malley Vice President American Express LEGAL COUNSEL Dave Goch Attorney at Law Webster, Chamberlain & Bean
Greg Cohen President Moneris Solutions
Advertisers index Phone
Web
4Access Communications
Company
13
888-306-4222
www.4access.com
Authorize.Net
C2
866-437-0491
www.authorize.net
Cynergy Data
1
800-933-0064 x5147
www.cynergydata.net
13
303-916- 9997
www.doublediamondgroup.net
8, 13
713-880-0326
ssotis@eprocessingnetwork.com
C3
800-735-3362
www.firstdata.com
Hypercom Corporation
2
480-642-5000
mmitjans@hypercom.com
Network Merchants Inc
13
800-617-4850
sales@nmi.com
PacNet Services Ltd.
29
604-689-0399
www.pacnetservices.com
Security Metrics
21
801-724-9600
www.securitymetrics.com
Total Merchant Services Inc
C4
888-84-TOTAL x9727
www.totalmerchantservices.com
Double Diamond Group eProcessing Network First Data Corporation/Partner Sales ISO
Page
TransFirst
4
214-453-7711
www.transfirst.com
USA ePay
18
866-872-3729
www.usaepay.com
30 August 2010 | Transaction trends
Save The Dates ETA Annual Meeting & Expo May 10 – 12, 2011 San Diego, CA
Where the Payments Industry Connects!
Industry Insider
A Foreign Affair PacNet Services fills the need for overseas payment processing By Bryan Ochalla
O
ne of the best ways a company can differentiate itself from its competitors in the often-cramped payments industry: Find a niche and fill it. Rosanne Day learned that lesson more than 16 years ago when she started PacNet Services Ltd., and the international payments processor has focused mainly on the direct-response industry ever since. Previously, Day worked at a bank where her colleagues were approached by businessmen in the mailorder industry who were having a hard time banking their foreign checks. “They were sending their mailorder promotions to various countries all over the world, and they “Our wide range were accepting as a form of payment low-value foreign checks,” of local elecshe recalls. “When they took tronic payment them to their local bank, the bank products will charged them $25 per check, and it took about six weeks for them pick up the slack as checks to obtain funds. But they were decline in future years.” selling a product for about $20, so clearly this was untenable.” —Rosanne Day Day, however, saw an opportunity to establish a company specializing in helping those in the direct-response industry:“I knew these businessmen weren’t the only ones selling their products overseas and taking in foreign checks.”
Product Portfolio When PacNet opened, the company’s one-and-only product centered on processing paper checks from four markets: England, France, Germany, and the United States.The company’s second product—multi-currency credit card processing—followed shortly after, says Day, “because anyone who is going to be selling is going to be taking both checks and credit cards.” Today, PacNet’s suite of card services includes merchant accounts in the national currencies of more than 130 countries, a secure hosted payment page, virtual terminal, risk scoring, and multiple integration options for Internet, mail-order, and call-center sales. Other products also have been added to the company’s portfolio, including direct debit in multiple countries and local electronic payment capabilities. 32 August 2010 | Transaction trends
Along with an expanded product offering, PacNet also has broadened its client base from direct-response companies to multi-channel marketers, those with a pure-play e-commerce focus, and more. “We don’t work in a consumer-facing environment,” Day explains. “Our average transaction value is less than $100.”
International Differentiation Checks are still very popular among PacNet’s highvolume, low-value clients—particularly in France, the United Kingdom, and the United States, where they are still a popular form of payment. “The complexion of our business is bound to change as popular sentiment regarding check usage changes,” Day adds. “Our wide range of local electronic payment products will pick up the slack as checks decline in future years.” In other markets, where check writing has been actively discouraged by the banking system—such as Scandinavia—“we’re exclusively into electronic, direct payments,” Day says. That international experience has helped the company differentiate itself from its competitors. “We have many competitors in the domestic processing space, but very few of them can efficiently process payments from the other major world markets.” The company’s international expertise serves as the backbone of another of its industry differentiators, too. “We’ve tried over the years to position ourselves as an educator to the industry on foreign and international payment types,” Day explains. “So we encourage our clients—and, honestly, people who aren’t our clients, too—to ask us about any country they’re considering marketing their products to and the forms of payment that are popular in those countries, because it can vary quite widely. “We want our clients to succeed if they decide to go into a new market—because if they succeed, we succeed,” Day shares. “So we do whatever we can to help make that happen.” TT Bryan Ochalla is a contributing writer for Transaction Trends. Reach him at bochalla@yahoo. com.
Standing behind our ISO partners keeps us in front. First Data’s financial stability and industry-leading products and services give you the support you need to meet your goals.
As a First Data ISO partner, you’ll share the same platform as many ISOs. So when you’re looking to acquire or be acquired, your shared platform maximizes the portfolio value and makes the process of integrating your merchants much easier.
Stay in Front. Call 800-298-3025 or visit www.firstdatapartners.com/partners
© 2010 First Data Corporation. All Rights Reserved.
GivinG it to you straiGht. real reps. real success.
i first joined total Merchant services because I felt like I could believe them. I stayed because they keep their promises – my overall monthly and residual revenues keep increasing, month after month. the underwriters are superb. I always feel like my customers are safe. I feel like I have total control over my portfolio. Even in uncertain times, I feel secure because I am with a good, ethical company. Without a doubt, aMplify is the pulse of my business. The amount and quality of the information available via the Account Management Portal has made me efficient, effective, and most importantly, profitable. i always know with certainty what is going on with my clients. I can depend on daily emails to notify me of any updates and changes. This lets me focus on growing my business because I know my merchants are safe, secure and satisfied.
Jeff Schafer I’m helping my clients, making great money, and having fun in the process.
see the difference for yourself. Join the team with a proven track record. Check out Total Merchant Services program details at www.upfrontandresiduals.com or call us toll-free at 1-888-84-total ext. 9411 Total Merchant Services (TMS) is a Member Service Provider for: HSBC Bank USA, National Association, Buffalo, NY.