payments - Retail Systems

Recommendations

Info

RS 34 RS June - July 2012 roundtable JK: It is for the small merchants – it’s just easier for them. AY: My question to you Jeremy is; where do they go? Some of them don’t even know what PCI is and they wouldn’t know who to outsource to if you asked them. There are great solutions out there, some with one vendor, others across several vendors. JK: They have a relationship with their acquiring bank and so that has to be the gateway for them. How good it is, I don’t know. Some of the acquirers will have hundreds of thousands of small merchants. Do they talk to them all individually or do they just blitz them? However, those acquirers will have access to suppliers who are PCI approved service providers so they can give the smaller merchants this information. Essentially I’ve got to work with the UK cards and the UK acquirer groups. Firstly we need to be able to get some information to the merchants and then once they’ve read that give them a list of people they should be talking to, let them know how much it’s going to cost and tell them what they’re going to get. And we need to let them know what could happen to them if they don’t go this route. The brands don’t differentiate between big and small merchants when there’s a data breach, they just come in and hit you. For small merchants it’s end of game. AY: When chip and PIN came out there was a whole load of education. Not just to the consumers but to the retailers as well and that was pushed down by the acquirers. We don’t have that same infrastructure for PCI and I think it’s that whole education process that’s lacking, that’s what the retailers need. JK: In some regard we’ve done a sort of top down approach. We’ve started off at the big retailers and we’ve gone down to the next level and now we’re getting down to the smaller merchants. Whether that’s right or wrong, I don’t know. “Outsourcing PCI is key for tier 3 and 4 retailers.” AH: I think there’s a vast difference between the council interpretation of the standard and the acquirer interpretation of the standard. And sometimes you almost get the feeling that they don’t want you to worry. They want you to be seen to be trying so therefore there’s a small, tiny penalty per merchant should you not register with the PCI DSS there’s a small monthly fee, but that is all. So if you don’t meet the requirements you tick a box for an implementation plan and this is never reviewed and that almost gives you the ability to perpetually say: ‘We’re working on implementation.’ At the moment acquirers don’t appear to be serious. CP: UK card acquirers, who come together on a monthly basis and meet in a non-competitive environment, they’ve been really trying and worrying about how they’re going to get at the small business merchants. So, encouraged by Jeremy, they have started to put together an education package particularly focused at level 4 merchants around the e-commerce environment. That was sustained and upheld by the PCI council in the autumn. When the council asked for suggestions of what they should focus on in a 12 month period they got 31 suggestions, that was whittled down to 13. These were voted on by the participating organisations, of which there are over 600 across the world. The vote came out in favour of e-commerce solutions and education for smaller merchants but they broadened that and said e-commerce education. Here in the UK we’re focused on smaller merchants, looking at risk and looking at cloud. And in the UK the card acquirers have come together and they’ve written some guidance which has been fed into the special interest group, which will hopefully be published before September/October. AH: Say a retailer already knows what they’re meant to be doing. I meant in the process of monitoring someone’s compliance maintenance, there is the ability to just indicate that you have an implementation plan in place. Even if that plan is that you’re waiting for your payment supplier to provide a solution – that is also accepted. But this could roll over into a number of years and in my opinion it’s not a realistic review of that retailer’s compliance. CP: Waiting for your supplier is another area that is being addressed. The challenges for merchants has been that some of the suppliers are saying: ‘Well there’s nobody chasing me to do it. You’re going to pay for it Mr merchant.’ The merchant says: ‘No I’m not.’ So that’s also been addressed now. Visa particularly have launched a program to get the service providers to register online to indicate they are compliant or that their solution means card data is not in the merchant’s
environment. Anyone who is a service provider can register the elements of their company that says the merchant data will not be in scope. So it completely defines how the suppliers are addressing PCI. CN: it’s probably worth stressing that the delineation is between the certified and self certified as well. We’re certified so we’ve been independently audited as a level one service provider and that’s the other important thing. The intent is that if, as a merchant, you use the services or solutions provided by a certified provider there’s an element of safe harbour. Choose someone who’s self certified then the risk still sits with the merchant. The compliance portals need to have an element of intelligence behind them. AH: They do, they’re very automated and email every five minutes. They do actually appear to maintain the compliance. CN: Well they might appear to be, but are they actually monitoring in real-time the environment they’re supposed to be protecting? Providing a dashboard which is really an interface that just provides some ticks and boxes online rather than a piece of paper isn’t good enough. As a level 4, unless you happen to be selling IT products, there’s no knowledge of IT infrastructure let alone the day-to-day challenges of PCI. What it should be is an intelligent system. A portal should be an intelligent system that looks outwards at information coming in real time that reports a system as compliant, not just when it was signed off but at any point during the 12 months. AH: Does your system do all of that? In the sense that they will generate an alert every time a repeated action is not done, for example a wireless scan. So in that sense it will remind you of everything that you’re meant to be doing and enforce that? CN: We protect all the core networking elements. I think enforcement is key because the scan is very much ingrained. But it’s a good thing to go out and check your systems. If you think about it in a very traditional security context, the reason that group four and others pay for people to walk round perimeter fences and fill in the gaps between CCTV, is that when you don’t have someone walking round and you don’t have the coverage in security you don’t know what’s happening at that time. In my view we have to move to something with continual monitoring enforcement and this extends to payments and non-payments connections to public networks. AH: The very interesting development has been that the hosted page redirection is actually potentially weakening the retailer because you’re completely taken out from having to implement roundtable all other measures and the council already has a take on that in that the weakest website in the world can redirect the customer. Thankfully that doesn’t work very well with business processes because you can’t redirect them every time if you want to save their card and all other bits and pieces that come into play. It will be interesting to see what the next level will be after all of those insecure sites start using the redirection. MG: What we’re seeing from the survey that we’re carrying out with Visa and Barclaycard, from a small merchant perspective, is that they don’t even understand the payments ecosystem, never mind PCI. If you ask them to tell you how they accept payments by card, most of them don’t even know what it means. So we ask them for what’s known as an ecosystem diagram. It’s really just ways to data flow in terms of payments, and maybe not just credit card payments, but payments via wire and other ways. What we’re seeing is that those merchants who are trying to map their payments ecosystems, when they receive the letter from the bank saying: ‘You have to become compliant’ they kind of get it – they still don’t do it – but they get it. And that’s the first step. One of the things that the council and the whole industry needs to do is define the payments security issue. The second point I wanted to raise was something that’s coming out of the survey – security for small merchants is actually being driven by data protection. The ICO in the UK has actually said that merchants need to be compliant with PCI in order to be compliant with government regulations that apply to your jurisdiction. DB: Actually for most online merchants there’s a percentage of transactions that are lost or stolen and these will by default be handled by a person. Whether it’s from a call centre environment or however they then handle that transaction, that also needs to be taken care of, not just the one handled online. CP: In my experience where there’s an e-commerce environment there’s also a call centre, the two can’t be separated. But I’d still agree that both should be outsourced. JK: I think it’s also worth mentioning that the point-to-point solution that the council envisages, certainly at this stage, is a face-to-face solution, it doesn’t cover e-commerce. CN: One of the confusing messages coming out of this, and you can understand why, is that merchants think it’s this magic thing that’s going to take their card present fraud away and they don’t need to care about it because the bank’s looking after that. RS June - July 2012 RS 35
Page 1 and 2: Sponsored by awards Celebrating Inn
Page 3 and 4: FIRST CHOICE FOR TECHNOLOGY PURCHAS
Page 5 and 6: RS Editor Karen Moss karen.moss@ret
Page 7 and 8: Standing the test of time A Traditi
Page 9 and 10: Click & Collect elsewhere John Lewi
Page 11 and 12: FOCUS Retail systems multi-channel
Page 13 and 14: challenge against LoveFilm although
Page 15 and 16: Maximise your online revenues by bl
Page 17 and 18: A breathe of fresh air Casio’s ne
Page 19 and 20: Continental style Retail Systems fi
Page 21 and 22: at a glance MAY PayPal’s 15 milli
Page 23 and 24: thoughts from the frontline With th
Page 25 and 26: SBU, Wipro Technologies, says: “W
Page 27 and 28: contents 26..... Underlying risk Mo
Page 29 and 30: “A more convenient token based on
Page 31 and 32: strategies, says Richard Paterson,
Page 33 and 34: Aqil Nasser, Debenhams’ technical
Page 35: you’re looking for. So, this is i
Page 39 and 40: GT: So you’ve got the token, you
Page 41 and 42: soapbox During a time of economic s
Page 43 and 44: While facial recognition technology
Page 45 and 46: type solution within its armoury th
Page 47 and 48: Unpredictable weather patterns are
Page 49 and 50: A subscription to Retail Systems gu
Page 51 and 52: Imagine the scenario - a young fema
Page 53 and 54: Don’t miss out To be kept up-to-d
Page 55 and 56: direct commerce software D I R E C
Page 57 and 58: D I R E C T O R Y O F K E Y P L A Y
Page 59 and 60: D I R E C T O R Y O F K E Y P L A Y
Page 61 and 62: Keith Bird is CEO of e-commerce pla
Page 63 and 64: The Fifth Annual Retail Systems Mul

payments - Retail Systems

Create successful ePaper yourself

Delete template?

Save as template?