Posted January 22, 2020 by FreedomPay

Top 5 Challenges Facing Retail CTOs in 2020

Retailers are embracing a range of disruptive technologies that are set to fundamentally change the way they interact with and service their customers.

But what does this mean for the executives running the operations behind the scenes? How are they coping with the pace of change, and which challenges will shape their IT strategies in the months ahead?

As we continue working closely with CTOs in leading retail and hospitality brands, we’ve put together some of the topline issues they’ll be wrestling with in 2020:

Legacy management and smashing silos

Mobile, cloud services, big data, analytics, and social media rank highest among the technologies that CTOs see as transforming retail from the way we know it. Yet for many, leveraging these trends is a tricky proposition. How best to maintain availability while adding functionality to existing legacy systems (which may already be creaking at the seams) impacts many of their waking decisions. (Read our Welcome to Hospitality 2020+ white paper here).

In 2020, they’ll continue to seek solutions that help them surround and expand their existing assets using Open APIs and toolkits to integrate wherever they can. They’ll also be looking to free up data flows, connecting business functions in order to break down data silos (e.g. CRM, ERP, Web analytics) and deliver a 360 view of the customer to decision-makers and planners.

Optimizing resources and changing cultures

In too many cases, retail and hospitality IT agendas are hampered by a lack of key resources and business alignment – skills, people, budget, infrastructure.

The focus is often on fueling functional cost savings rather than driving business growth and sourcing innovation. Retail CTOs will need to get out of the back office and lead the innovation agenda if they want to secure the resources they need in the dynamic new world of retail.

CTOs must focus their teams on innovating and differentiating the customer experience. Cloud solutions and integrated commerce platforms will be a major enabler of retail transformation, allowing CTOs to more effectively leverage commodity technology and processes while dedicating valuable internal resources to driving deeper business and customer engagement.

Building better customer UX (without blowing the budget)

As everyone involved in innovation knows, it’s often the invisible assets that are hardest to deliver. There’s now more pressure than ever on CTOs to enable marketing and acquisition teams to attract and engage consumers – either through faster, responsive and more personalized online interactions, or by helping to create more exciting and inspiring experiences in store at the point of sale (POS). CTOs are being positioned to deliver bigger, better, faster, cheaper platforms – and with less liability too.

Protecting data and reputation

Fraud is the challenge that never goes away. The more channels, payment types, and services a retailer offers, the harder CTOs must work to ensure that payment and data chains are locked down. Retail fraud is running at 30%, with merchants now paying $3 for every dollar lost. Faced with chargebacks, fines, and loss of reputation, the heat is on for CTOs to keep their business, management teams and customers better protected.

It’s not just about implementing more fraud prevention solutions: CTOs must select the right combination and layering of core, identity and fraud transaction solutions to defend against increasingly sophisticated threats. To ease the burden, ever more CTOs will choose to outsource risk, investing in payments as a service (SaaS) platforms to shift liability onto their provider and remove their own infrastructure from scope.

Dealing with compliance and ‘the domino effect’

Managing data comes with a minefield of rules, including those that are state-based (e.g. California’s AB375 consumer privacy act), international (e.g. GDPR data protection regulations), payment-related (e.g. PCI DSS), or anti-fraud (PSD2’s Secure Customer Authentication (SCA)). On top of this legislation come the POS certifications and card issuer mandates that are required to avoid fees and chargebacks.

So much regulatory change creates a domino effect: keeping legacy systems and processes up to date, continuous auditing, reporting, and training all demand time and effort, and have become a major burden for tech-heavy retailers. Finding new ways to reduce risk and ease the burden, through cloud outsourcing, payment gateways, encryption, and tokenization, is becoming a strategic imperative for CTOs. Even the smallest businesses are now investing in security and compliance specialists to help support them.

Of course, these challenges are just the tip of the iceberg for retail CTOs. According to Gartner, retailers’ investment in technology was expected to grow 3.6% in 2019, hitting $203.6 billion over the course of the year. In 2020, much of the focus for CTOs will be on bedding in new assets and systems and ensuring they deliver a positive return on investment (which will mean even more scrutiny by their boards).

With as much change in front as behind them, there’s a long road ahead, but with the right technology and payments partners, they can spread the effort and lighten the load.

Posted January 20, 2020 by FreedomPay

Top 5 Payment Security Trends in 2020

Fraud is on the rise. With deep pockets and creative minds, fraudsters and cybercriminals are becoming increasingly organized, sophisticated, and focused on the low hanging fruit that exists within the retail space.

The security playbook has widened, and now includes EMV, PCI DSS, and point-to-point encryption (P2PE), with new regulations such as PSD2’s SCA closing off vulnerabilities. In addition, robust anti-fraud solutions are now part of most card-accepting POS systems and payment gateways.

As the data protection battle continues, there are some strong security patterns emerging:

• CNP payment fraud will continue to rise and fraudsters will get increasingly sophisticated

Squeezed out of the traditional payment chain, criminals are increasingly targeting remote Customer Not Present (CNP) transactions where shoppers’ data is especially vulnerable.
According to Juniper Research, online payment fraud will top $22 billion this year—and could reach $48 billion by 2023. Fraudulent attacks are becoming more sophisticated using tactics such as phishing, ID theft, pagejacking, wire scams, and merchant ID fraud. In 2020, watch out for ‘imposter bots’ that exploit the growth of AI-driven chatbots for online customer support to draw out payment details and other sensitive information from established retail websites.

• Tokenization will become more widespread as merchants seek to secure the payment chain while delivering more personalized and connected services (including IoT)

Tokenization replaces sensitive payment data with a randomly generated token that still lets the customer’s transactions be tracked and their ‘footprint’ remembered, making it ideal for CRM, loyalty and personalized promotions. The merchant never touches or stores payment data, and fraudsters can’t reverse the token to recover account details. By 2020 it’s expected that there will be 20 billion IoT devices; a proportion of these will no doubt facilitate transactions too, creating a whole new window of opportunity for fraudsters. Tokens can be used across all channels and can even facilitate transactions between devices in IoT environments.

• New forms of authentication will emerge fueled by PSD2’s SCA requirement which comes into effect in 2019 (EU) and 2020 (UK)

Strong Customer Authentication (SCA) will soon become essential for retailers in order to ensure compliance with PSD2. Each transaction will require two different types of authentication taken from three criteria (something you own, something you know and something unique to you). With a physical card and a PIN, EMV already meets the criteria. However, for CNP and online transactions, it’s not so easy, with extra passwords and registrations increasing friction and possibly dropped sales at the checkout. To prevent this, merchants may turn to ‘customer-familiar’ smartphones and biometrics to ease the process. They will be supported by the likes of MasterCard, who are already championing biometric authentication.

• Anti-fraud solutions will deliver better security decisions with less friction for legitimate buyers

Advanced, risk-based decision-making for e-commerce will help to reduce CNP fraud using the updated EMV 3D-Secure standard, which examines 10 times more risk factors than before to decide whether step-up authentication is required. In addition, companies that facilitate digital payments will likely layer 3D-Secure with other advanced analytics technologies, such as artificial intelligence, to help detect fraud. Across retail, self-learning neural models will be used to spot patterns automatically and much more swiftly. They will also enable closer rule setting and customization – essential for peak periods such as Black Friday – to minimize false declines and reduce the incidence of chargebacks.

• Merchants will have to tighten up their processes – whether mandated or not

It’s not possible for technology alone to fully eliminate retail fraud, especially for online stores. As in all hi-tech environments, people and processes are often the source of inadvertent breaches. Retailers will have to continually update network security systems, including firewalls and antivirus software, train staff and maintain audits to keep their defences high and information safe. Expect to see more security specialists employed full-time, even within smaller merchant organizations.

• Security will become a core differentiator for selecting a payment service provider

Businesses will be more proactive in their cybersecurity strategies when it comes to protecting the consumer. As senior execs and boards are increasingly held accountable, security is moving beyond a simple compliance tick-box towards a real corporate imperative supported by organisation-wide procedural frameworks. Reflecting this, security will become a critical differentiator, ahead of reliability and cost, for merchants seeking payment partners and providers.

While there is a plethora of security add-ons and anti-fraud software available, merchants shouldn’t forget the basics. This includes maintaining awareness of the latest fraud regulation, ensuring their systems (and those of their providers) are verified and compliant with all the latest standards, and specifying PCI point-to-point encryption (P2PE) and tokenization for all payment platforms.

With GDPR necessitating clear policies for storing and handling ‘all’ customer data and the reporting of data breaches, retailers must make sure the right processes and training are in place to support these too.

If in doubt, payment partners such as FreedomPay are often first to spot new security trends and can provide practical support and guidance to help keep businesses and their customers safe.

Posted August 23, 2019 by Bernard Clary

Stop Hackers Finding Gold in Your Data: A Quick Guide to P2PE

With so many touchpoints in the customer sales journey, it’s getting harder to lock down retail payment chains against fraudsters (losses on UK-issued cards totalled £671.4 million in 2018). For many physical retailers, PCI compliance alone is no longer enough to ensure data security, protect customers and safeguard their business and reputation. That’s where point-to-point encryption (P2PE) comes in.

Why is P2PE important?

P2PE provides merchants with one of the most significant ways to minimize the risk of criminals stealing their cardholders’ data during in-store, face-to-face, card-present transactions.

What does it do?

P2PE protects credit card data from the point of sale (POS) as it travels through a merchant’s local network and across the internet before it reaches the payment processing system at the acquirer’s end.

How does it work?

It does this by encrypting data immediately upon entry at the payment terminal connected to the POS device, and keeping it encrypted until it reaches the third-party secure environment where it is decrypted before authorization – from the starting point to the end point, hence the name. The encryption keys are controlled by the P2PE solution provider, so neither the merchant nor any other third party has any means of accessing the data traversing the network.

Why does this help?

Encrypting card data in this manner means that even if a fraudster manages to capture it, they cannot access the user’s ID or card data without the relevant encryption/decryption keys. So sensitive payment data can be sent through the entire payment chain without risk of compromise.

What about PCI Compliance?

P2PE is like a booster for PCI DSS – it goes further, is more exacting and safer than PCI DSS alone. And it makes achieving PCI compliance much simpler and less expensive too! That’s because it effectively takes the POS system and payment platform out of PCI scope, reducing time, effort and cost of compliance (but only if you use a PCI approved P2PE solution and provider, and follow the correct operational procedures).

Will it stop retail fraud?

No, it doesn’t prevent fraud using lost or stolen cards, but it does prevent criminals from accessing card data at the point of sale or while the cardholder data is in transmission from the POS device to the payment processor.

Does it stop merchants using transaction data?

Not if you use it in tandem with a tokenization solution such as FreedomPay CardStor™. This replaces the cardholder’s primary account number (PAN) with a ‘token’. Retailers can use tokens to identify the customer – for loyalty programs or automated form filling – and to supply transaction-based information to CRM systems and for business intelligence.
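The chain this guide describes, in which the card number is encrypted inside the terminal, carried opaquely through the merchant’s systems, decrypted only inside the provider’s environment and then replaced by a random token that the merchant keeps, can be sketched end to end in a short program. The Go code below is an added illustration written for this page; it is not FreedomPay’s code, and the type and function names (Terminal, Provider, NewPair, RunSale, LeaksPAN) are assumptions. It also simplifies key management: one static AES-256-GCM key stands in for the per-device key injection a real P2PE solution uses, and the token vault is an in-memory map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Terminal models the PIN pad. The provider injects the key; the merchant's
// POS and network never hold it. Assumption: one static AES-256-GCM key
// stands in for real per-device key injection.
type Terminal struct{ key []byte }

// Provider models the P2PE provider's decryption environment, which here also
// runs the token vault (token -> PAN). The vault never leaves the provider.
type Provider struct {
	key   []byte
	vault map[string]string
}

// MerchantRecord is everything the merchant's POS, CRM or loyalty system keeps.
type MerchantRecord struct{ Token, Last4, Amount string }

// aad is bound into the GCM tag, so a blob only verifies in this context.
const aad = "p2pe-example-v1"

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewPair creates a terminal and a provider that share one fresh random key.
func NewPair() (*Terminal, *Provider, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	return &Terminal{key: key}, &Provider{key: key, vault: map[string]string{}}, nil
}

// Capture encrypts the PAN the instant it is read. Hex(nonce||ciphertext||tag)
// is the only form in which card data ever crosses the merchant's network.
func (t *Terminal) Capture(pan string) (string, error) {
	gcm, err := gcmFor(t.key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(aad))
	return hex.EncodeToString(append(nonce, ct...)), nil
}

// luhnValid is the standard mod-10 check applied before authorization.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d > 9 {
			return false // not a digit
		}
		if double && d*2 > 9 {
			d = d*2 - 9
		} else if double {
			d *= 2
		}
		sum += d
		double = !double
	}
	return len(pan) >= 12 && sum%10 == 0
}

// Authorize decrypts inside the provider, validates the PAN, vaults it and
// returns a random token plus the last four digits for the merchant to keep.
func (p *Provider) Authorize(blob string) (token, last4 string, err error) {
	raw, err := hex.DecodeString(blob)
	if err != nil {
		return "", "", err
	}
	gcm, err := gcmFor(p.key)
	if err != nil {
		return "", "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", "", errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(aad))
	if err != nil {
		return "", "", errors.New("decryption failed: blob altered or wrong key")
	}
	pan := string(pt)
	if !luhnValid(pan) {
		return "", "", errors.New("invalid PAN")
	}
	tb := make([]byte, 16)
	if _, err := rand.Read(tb); err != nil {
		return "", "", err
	}
	token = "tok_" + hex.EncodeToString(tb) // random: nothing to reverse
	p.vault[token] = pan
	return token, pan[len(pan)-4:], nil
}

// Detokenize maps a token back to its PAN; only the provider can do this.
func (p *Provider) Detokenize(token string) (string, bool) {
	pan, ok := p.vault[token]
	return pan, ok
}

// LeaksPAN reports whether a merchant-side artefact carries the full PAN in clear.
func LeaksPAN(artefact, pan string) bool { return strings.Contains(artefact, pan) }

// RunSale wires terminal -> merchant -> provider and returns what the merchant keeps.
func RunSale(pan, amount string) (MerchantRecord, *Provider, error) {
	term, prov, err := NewPair()
	if err != nil {
		return MerchantRecord{}, nil, err
	}
	blob, err := term.Capture(pan)
	if err != nil {
		return MerchantRecord{}, nil, err
	}
	// The merchant only ever sees blob and forwards it unchanged.
	token, last4, err := prov.Authorize(blob)
	if err != nil {
		return MerchantRecord{}, nil, err
	}
	return MerchantRecord{Token: token, Last4: last4, Amount: amount}, prov, nil
}

func main() {
	pan := "4111111111111111" // constructed test PAN, not a real card
	rec, prov, err := RunSale(pan, "42.00")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("merchant keeps %+v; full PAN present: %v\n", rec, LeaksPAN(fmt.Sprint(rec), pan))
	full, _ := prov.Detokenize(rec.Token)
	fmt.Println("provider can still detokenize:", full == pan)
}
```

Running main prints the merchant-side record and confirms the PAN is absent from it. Two failure modes matter for the “why does this help?” question above: a blob altered in transit (or captured and replayed to a provider holding a different key) fails the GCM authentication check and is never decrypted, and a token that the vault never issued resolves to nothing, so a breach of the merchant’s systems yields neither card numbers nor a way to recover them.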

Is it hard or expensive to implement?

It can normally be integrated easily as part of your payment solution or platform using a PCI P2PE toolkit to provide the relevant encryption keys/pathways. If in doubt speak to your authorized payment provider. Any additional costs can often be quickly offset against time, effort and cost savings from PCI scope and audit reduction.

Still need to be convinced?

Here’s a quick summary of the benefits:

1. Simplifies PCI DSS compliance, reduces scope and cost
2. Extra data security without compromising customer experience
3. Minimizes risk of fraud, data breaches and subsequent fines, loss of custom and reputation
4. Data protection that keeps payment services simple
5. Used with tokenization, won’t affect loyalty programs or other commerce platforms
6. Software-based, easy to integrate – especially with FreedomPay.

Read more about payment security here.

Posted February 07, 2017 by FreedomPay

Listed vs. Non-Listed P2PE Solutions: What You Need to Know

The PCI Security Standards Council (PCI-SSC) recently released an assessment methodology for merchants using Point-to-Point Encryption (P2PE) solutions that have not yet been listed on the council’s website. The addition of the Non-Listed Encryption Solution Assessment (NESA) and the accompanying audit process gives merchants an expanded pool of encryption solutions beyond the current list of validated providers, allowing for a wider range of security offerings. Before deciding between a listed and a non-listed solution, however, it is important to understand the assessment requirements of each, both for the solution provider and for the merchant.

The process for becoming a listed solution with the PCI-SSC begins with an audit performed by an independent, third party, Qualified Security Assessor (QSA) who has been certified for P2PE assessments. During this assessment, the P2PE QSA will evaluate the solution against the relevant controls outlined in the following six P2PE Domains:

  • Domain 1: Encryption Device and Application Management
  • Domain 2: Application Security
  • Domain 3: P2PE Solution Management
  • Domain 4: Merchant Managed Solutions (not applicable to 3rd party solution providers)
  • Domain 5: Decryption Environment
  • Domain 6: P2PE Cryptographic Key Operations and Device Management

For each applicable control, the P2PE QSA will collect evidence from the solution environment, and observe all required procedures to ensure compliance with the standard. The results of the assessment are then documented using the P2PE Report on Validation (P-ROV) template which is submitted directly to the PCI-SSC for final review. Once a representative of the PCI-SSC has approved and signed the submitted P-ROV, the solution will receive an official listing on the PCI website.

Since the PCI-P2PE standard is still relatively new, and the process of implementing and validating a new or existing solution can be quite lengthy, the NESA process gives solution providers the ability to provide a degree of security assurance to customers, along with limited scope reduction, while they work towards a validated listing. Much like the process for becoming a listed solution, non-listed solution providers need to engage a P2PE QSA to perform an assessment of their solution. The requirements for this type of assessment, however, have been relaxed in that a non-listed solution assessment can be completed without meeting the requirements for P2PE Domains 1, 2, or 3, but must meet all applicable requirements of Domains 5 and 6. Though the QSA will still complete a P-ROV for informational purposes, the end result of this assessment will also include a set of documents (referred to as the NESA documentation) which will include:

  • A description of the solution
  • A summary of the application’s full compliance, partial compliance, or non-compliance with Domains 1, 2, and 3
  • A statement of compliance confirming the applicable requirements of Domains 5 and 6 are met
  • The assessing P2PE QSA’s recommendation as to how the solution impacts the merchant’s PCI scope

This set of documents serves the same purpose as a listed solution’s P-ROV or Attestation of Validation (AOV), without being submitted to the PCI Council or the payment brands, and will be used by PCI QSAs when assessing the PCI compliance of a merchant utilizing the non-listed solution. As with standard PCI certification documentation, this NESA documentation should be distributed to clients on an annual basis, and whenever there are significant changes to the system.

At the merchant level, the difference between implementing a listed versus a non-listed solution becomes apparent during the annual PCI-DSS re-certification. A merchant using a listed solution in accordance with the solution provider’s P2PE Instruction Manual (PIM) and the prerequisites of the SAQ P2PE automatically qualifies for a drastic reduction in PCI scope when assessing their environment, because the security and isolation of credit card data has been verified by a representative of the PCI-SSC. This same level of scope reduction is not guaranteed with a non-listed solution, and will depend on what is permitted by the merchant’s acquirer as well as the payment brands. In some cases, the acquirer or payment brands may require the aid of a PCI QSA to review the solution provider’s NESA documentation and the merchant’s implementation of the solution to determine which PCI-DSS requirements are covered, and to what degree. The results of this secondary solution assessment will determine which areas of the merchant environment are in scope for PCI, but will not qualify the merchant to utilize the SAQ P2PE.

Now that the door has been opened for the use of non-listed solutions that can still provide a measure of client scope reduction, it’s up to the merchants to determine what they are comfortable with in terms of controls evaluated by the solution provider, and the effort required on their end to properly implement the solution and maintain compliance. Listed or Non-Listed, the choice is yours, but merchants using a non-listed solution need to know they may be subject to additional assessments which could result in additional long-term costs.

FreedomPay’s PCI-validated P2PE solution is a listed solution, and delivers merchants all the PCI-scope reducing benefits listed above. To learn more about FreedomPay’s payment security solutions visit here.

Posted December 01, 2016 by FreedomPay

Make Holiday Shopping Safer with FreedomPay P2PE

As 2016 draws to a close, the next big national trend is a robust holiday shopping season, a sign that consumers are ready to spend again.

The National Retail Federation predicts a massive Thanksgiving shopping weekend, kicked off by Black Friday specials. More than 137.4 million Americans are expected to shop online or in stores over the four-day holiday weekend, up from 135.8 million last year, according to an NRF survey. If the forecast holds true, this could be an early sign of a strong holiday quarter.

While retailers certainly welcome increased traffic and sales, a rush on shopping, travel and dining out also leads to an increased risk of compromised credit card information. Fortunately, merchants can mitigate that risk for their customers with a point-of-sale solution that not only meets industry requirements but also takes additional security steps.

Merchants can reduce their scope for PCI compliance and ensure that no cardholder data actually flows through their systems. FreedomPay’s Point to Point Encryption (P2PE) solution is fully audited and validated according to PCI standards, and supports traditional as well as emerging payment technologies such as EMV. It integrates with POS systems and payment processors. Merchants deploying the FreedomPay P2PE solution are covered under its PCI validation, and can raise their level of security compliance while delivering a safer experience for their customers.

For 2016, online sales are expected to increase seven to 10 percent over the previous year, reaching up to $117 billion, according to the NRF. FreedomPay’s Hosted Payment Page provides cardholder encryption for online purchases with a seamless integration into a retailer’s existing ecommerce site. Customers providing card information during the online checkout process will experience the same security as when they use their credit card in the store.

While EMV chip cards are gaining widespread adoption, most consumers and many merchants don’t understand that the EMV technology only prevents card duplication fraud. It does not secure payment data throughout the entire transaction chain.

With the FreedomPay solution, merchants can fill the security gaps left by the transition to EMV payments, because the system integrates P2PE and tokenization. Credit card information is encrypted at the point of sale, and the actual credit card data is replaced by a random code (token) in the merchant’s system. So if the system is breached, there is no actual card data that can be compromised.

FreedomPay’s solutions are approved by the PCI Security Council to reduce the scope for PCI compliance. Using a non-validated P2PE solution that does not support the EMV chip cards leaves merchants exposed to liability for data breaches and fraudulent purchases.

As the use of mobile wallets increases, FreedomPay’s solution supports NFC payments through platforms such as Apple Pay, Samsung Pay and Android Pay. Furthermore, as the payments ecosystem continues to branch out, FreedomPay adapts and evolves to support new opportunities as well as integrate with legacy technologies.

While holiday shoppers will be budget conscious as always, card data security is high on everyone’s wish list this year. That’s why FreedomPay’s goal is to stay on the leading edge of payments innovation and change the face of global commerce. There’s no better time to do that than the biggest shopping season of the year.

Interested in learning more about how we can help your retail operations deliver a great level of security to your customers? Visit us online at FreedomPay.com.

Posted November 15, 2016 by FreedomPay

Don’t Skip the Chip, Get A PCI Validated Solution Today

The payment terminal beeps at a customer after she inserts her chip card into the slot on the bottom of the reader. The cashier has to tell her to swipe the card instead, in the latest case of what seems like the zillionth person to get it wrong.

You can’t blame the customer or the cashier for the confusion. A year after the liability shift of October 2015, there’s still a high level of inconsistency in the deployment of EMV acceptance among merchants. To accept the new chip cards, merchants must use terminals that are EMV certified by the major card processors and card issuers, like Visa and MasterCard, and replace their outdated payment devices.

But the reluctance to pay for updated payment devices and longer-than-expected certification processes have slowed the transition to what was supposed to be a more secure way to accept payments. And, it’s ironic that some merchants haven’t begun accepting EMV-enabled cards for fear of slowing down checkout lanes.

As promised, those merchants who didn’t make the transition to the EMV standard are seeing higher fraud chargebacks from the card brands showing up in their statements.

More than a year later, many merchants are behind the curve to secure cardholder data. What should they be concentrating on to catch up?

The key is to understand the three layers of the card data security environment. EMV is only one of those layers. The PCI Security Standards Council recommends that merchants also integrate Point-to-Point Encryption (P2PE) and Tokenization. FreedomPay’s Commerce Platform offers a turnkey solution that incorporates all three layers and is integrated into most major point-of-sale and property management systems, making implementation simple and seamless.

The FreedomPay Commerce Platform is a PCI validated, all-in-one solution for EMV, P2PE and Tokenization. It’s fully certified with the major card processors, so deploying the solution with Ingenico’s certified payment devices eliminates the need for merchants to undergo their own EMV certification. It’s a turnkey solution that saves time, money, and eliminates the swipe or dip dilemma at the checkout.

One of the key benefits of FreedomPay’s platform is the fact that it’s already validated. If a merchant uses another non-validated solution, the merchant is still liable to meet stricter PCI DSS requirements.

To address customer desire for faster checkouts, the solution also enables NFC mobile wallet payments such as Apple Pay, Samsung Pay and Android Pay.

So far, more than half of the payment cards in the U.S. have been upgraded to chip cards, with the card brands predicting that number will be much closer to 100% by the end of 2017. With chip cards in hand, consumers will expect merchants to be able to accept them to provide higher levels of security.

Merchants, particularly smaller merchants, shouldn’t undertake the EMV certification process on their own. It can take a lot longer and cost a lot more than expected, and without P2PE and tokenization the data is not as secure as consumers and merchants assume it to be.

Merchants of all sizes can use the FreedomPay Commerce Platform for an omni-channel card security solution for both card-present and card-not-present transactions, by using our Hosted Payment Page for e-commerce and a Virtual Terminal solution for call center transactions.

To learn more about complete card payments security solutions, click here.

Posted October 26, 2016 by FreedomPay

FreedomPay’s Pay-at-Table Solution Offers Enhanced Service and Security with Point-to-Point (P2PE) Encryption Technology

Tableside payment solutions are increasingly in demand in today’s competitive hospitality industry. The improved check-out times these systems provide benefit both consumers and proprietors. But these payment options come with challenges as well. What about security? Can restaurants assure consumers that their payment data is safe? What about new chip card and mobile wallet transactions? Can restaurants offer customers the convenience of these options tableside?

Firebirds Wood Fired Grill knows the answers to these questions as they prepare to roll out FreedomPay’s Pay-at-Table Solution at their 38 locations in the U.S. Recently recognized by Nation’s Restaurant News as a “Breakout Brand,” the company is as serious about security as it is about its signature dishes and drinks. FreedomPay’s Point-to-Point Encryption (P2PE) will provide PCI certified security for their transactions as well as the flexibility to process chip card (EMV) and mobile (NFC) payments.

FreedomPay was the first company in the U.S. to be certified in P2PE encryption by the Payment Card Industry (PCI). PCI certification in data security standards reduces regulatory compliance burdens on vendors who choose FreedomPay’s payment solutions. Visit us online to learn how your business can benefit from improved service and unrivaled data security in your payment processing system.

Watch the video below to see just how simple Pay-at-Table is to use!

Posted May 15, 2015 by FreedomPay

EMV, Point-to-Point Encryption and Tokenization On Capitol Hill

The House Financial Services Committee held a full committee hearing on data and cyber security, where the Members of Congress challenged payment industry experts on protecting consumer data in the era of computer hacking.

Brian Dodge of the Industry Leaders Association, Laura Moy of the New America Foundation, Stephen Orfei of the PCI Security Standards Council, Jason Oxman of the Electronic Transactions Association and Tim Pawlenty of the Financial Services Roundtable were called to speak before the Committee.

The panel covered a range of issues, from foreign cyber security threats, to malware at the point of sale, to card fraud and online fraud, to the costs of fraud for financial institutions, merchants and consumers. Several Members debated ongoing legislation and the role that Federal and State regulators and law enforcement agencies should play in consumer breach protection.

In their opening statements, Mr. Oxman and also Mr. Orfei advocated for a layered approach to data security, with EMV at the point of sale, point-to-point encryption, and tokenization.

Mr. Orfei continued, “EMV chip is not a silver bullet. Additional controls are needed to protect the integrity of payments online and in other channels. This includes encryption, tamper resistant devices, malware protection, network monitoring and more. All are vital parts of the PCI standards.”

As a solution provider, FreedomPay has committed to delivering the highest standards in the industry to help merchants protect their customers’ credit card data. FreedomPay offers merchants the technologies and supporting programs to be on the leading edge of payment data security, adhering to the rigorous PCI Validated P2PE standard, and extending functionality across the broad ecosystem of Card Present and Card Not Present payments.

EMV, PCI Validated P2PE and tokenization are what we do. And really, that is only the beginning. Just wait until you see what secure transaction data can do.
