Payments on the march

In this Issue

February 2017

BAI Banking Strategies

Executive Report

The quest to secure payments security

Alternative music for millennials: New payment options to win them over

How banks grab consumers with remote deposit capture


BankingStrategies.com


Table of Contents

The quest to secure payments security
The explosion in digital payments is attracting an unsavory lot. But new technologies may give banks an edge against fraudsters.

Alternative music for millennials: New payment options to win them over
Millennials aren’t yet sold on mobile payments. But singing their tune begins with loyalty perks and speedier transactions.

How banks grab consumers with remote deposit capture
The first mobile check deposit services appealed to techies. Now banks promote the user friendliness of revamped services as they tackle frustrations such as low deposit limits.

Making the most of data security: How to mitigate data breaches that can occur through mobile applications
No one can say ‘there’s an app for that’ when it comes to data security. But encryption and tokenization are key technologies banks need to protect sensitive data.

Letter from the Editor

“The march of time.” That clichéd phrase is as old as the Ides of March itself. Yet considering the theme of this BAI executive report, “Payments on the march,” it takes on reinvigorated meaning. For viewed through the payments prism, the march of time emerges as something akin to a conquering army’s blitz into uncharted territory.

By the time you finish this sentence, it’s entirely possible that some startup tech team or visionary will have advanced the march yet another step. Keeping up with all the change represents a challenging prospect, to say the least. But in these pages, the issue of payments gets the forward-looking attention it deserves, with four pieces addressing different dimensions of the landscape in 2017.

In “The quest to secure payments security,” contributor Howard Altman examines the vulnerabilities that dog financial institutions and consumers alike. The percentage of Americans turning to mobile banking has experienced double-digit gains between 2013 and 2015. And while that means more opportunities for banks, it also means more hackers and thieves circling the spoils with vulture-like tenacity.

Yet if the bad guys in cyberspace are impossible to spot by face or don’t leave behind so much as a fingerprint, a new irony has come into play. Altman writes: “In the quest for safer payments, some banks are turning to those very features—faces and fingerprints—to add a layer of hack-proof security for their customers.”

Millennials make for a discriminating demographic, and Karen Epper Hoffman tackles the question of landing their loyalty in “Alternative music for millennials: New payment options to win them over.” Hoffman quotes Brian Pearce, senior vice president of innovation for Wells Fargo & Co. Virtual Channels: “There was an assumption that mobile payments behavior [among millennials] is very different, but that’s not what we’re seeing. We’re seeing customers interested in using mobile wallets … but they also don’t want to hold up the line.”

Bank customers are still getting used to the idea that they can take pictures of their checks anywhere, anytime and put them in the bank faster than they can get through a teller line (even if they are at the front of the line). But as with any new wrinkle, time’s needed for the banking public to negotiate the change, even as the technology continues to improve.

In “How banks grab consumers with remote deposit capture,” Lauri Giesen highlights some of the strategies that lead financial institutions to success. After BBVA Compass overhauled its four-year old mobile check deposit service, “mobile check deposit volume grew to an amount 70 percent more than the three previous years combined.”

How did BBVA do it? A mix of marketing, new features and higher check limits led the way. To that last variable: banks with an outdated, lower per-check maximum will want to reconsider their policies in light of BBVA’s concurrent gains in customer loyalty.

In a digital world, it’s payments at the speed of cloud.

Finally, the actionable advice in “Making the most of data security: How to mitigate data breaches that can occur through mobile applications” centers around data breaches that come via mobile apps. Authors Smrithi Konanur and Trish Reilly point out that because mobile devices are so close by and convenient, security might barely enter the consciousness of users.

“The apps that users access to buy items, post information or make appointments may unintentionally enable identity thieves to access credit card data, Personally Identifiable Information (PII) and Protected Health Information (PHI),” they note.

Incredible as it seems, every one of these issues simply didn’t exist just a decade ago. The payments milieu has changed at such warp speed that banks in fact emerge as something else in the present light. They often do their best while new security threats, just-hatched technologies and shifting customer preferences swirl around them.

Indeed, payments are on the march. But it’s only a matter of time before the march turns into a gallop, the gallop into a sprint and the sprint into an airborne force on the cusp of breaking one speed and altitude barrier after another.

A veteran journalist who has served with the Chicago Tribune, Reuters Money and U.S. News & World Report, Lou Carlozo is the managing editor of BAI. Connect with him on LinkedIn.

Louis R. Carlozo, Managing Editor, BAI, lcarlozo@bai.org


The quest to secure payments security

By Howard Altman

The explosion in digital payments is attracting an unsavory lot. But new technologies may give banks an edge against fraudsters.

When Darouny Bounsengsa bought her mobile phone at 17, she wasted little time diving into the digital payments world. “I use it primarily for checking my balance at a moment’s notice, but I have used it to deposit checks, locate branches and ATMs and transfer funds between my accounts,” says the 21-year-old theater manager from Clearwater, Fla.

You might think there is safety in numbers, as Bounsengsa is part of a growing demographic. The number of Americans who use mobile banking has jumped from 33 percent of those with bank accounts in 2013 to 43 percent in 2015, according to a study by the Federal Reserve.

Yet where consumers with money congregate, so do hackers and thieves. And like virtual pickpockets, they can work a crowd with ease … except that they’re impossible to spot by face. They don’t even leave so much as a fingerprint behind.

But in the quest for safer payments, some banks are turning to those very features—faces and fingerprints—to add a layer of hack-proof security for their customers. And while it’s too soon to report any stockpile of statistics, experts believe the new measures in play hold promise for consumers who send and access money digitally.

Citi, for instance, has just introduced a mobile app that protects transactions by requiring the user to establish biometric data; this includes not just fingerprints and facial recognition but also voice authentication—something a fraudster could only conceivably defeat by recording you the moment you log on.

That’s because no generic voice prompt such as “Hey Siri” will pick the lock. To gain access to your Citi accounts, you must speak the phrase, “My identity is secure because my voice is my passport, verify me.” (It doubles as a subtle plug, too.)

The Citi app is just one example of the tremendous investment banks are making into mobile security, says Rick Borden, who specializes in cybersecurity law for Robinson & Cole. And ultimately, banks may be trying to protect consumers from themselves.

“I don’t believe I’ve actually heard of a mobile banking app being compromised,” says Borden, who formerly served as senior vice president and assistant general counsel at Bank of America, where he was responsible for cybersecurity and technology. The biggest risks, he notes, come from mobile devices themselves, along with people “who give their credentials through phishing campaigns or something else.”

So while some may unwittingly share passwords or other data that allow passage into their payments stream, a recognized face is impossible to share, barring a makeup trick straight out of a James Bond flick. That said, logging in to mobile payments requires WiFi, which means problems can still arise, says Chris Vickery, a white hat cybersecurity researcher. “There’s a certain level of risk anytime you are broadcasting information to a wireless network. This is especially true for people who are willing to connect to any available WiFi access point.”

Researchers at the University of Erlangen-Nuremberg in Germany also contend that hackers no longer have to work on multiple fronts because apps do not utilize an internet security measure known as two-factor identification. “It is sufficient to compromise the mobile device, which automatically compromises all authentication factors running on the smartphone,” writes Vincent Haupert, a research associate at the university’s Security Research Group.

Thus what is user friendly may be hacker friendly as well. “The current trend that massively favors usability over security is the wrong way to go,” Haupert writes. “Therefore, legislative regulation is required that precisely frames the limits of authentication schemes used in digital banking. Particularly mobile banking currently lacks clear standards that have to be addressed.”

For now, mobile malware does not yet target mobile banking, due in large part to limited customer acceptance. But as payments via wallets and apps become more widespread, criminals are looking for new ways in.

Consumers could also take a lesson from the likes of Bounsengsa, who practices what’s known as good cyber hygiene. “My main security concern is someone being able to take my information as I use the app and hack it as I am using it or shortly after,” she says. “I don’t open the app if I’m using public WiFi and switch to using data if I am not at home.”

How else can banks protect customers?

Encourage and promote cyber hygiene. This also includes the frequent changing of mobile passwords, as well as keeping separate passwords for different accounts (including non-bank portals such as Venmo or PayPal). Without variation, one hacked password can lead to a flood of trouble.

Thoroughly test new consumer-facing payments technology. This consists of a security architecture review, threat modeling, secure coding training, secure code reviews, app integrity protection design, static analysis and dynamic testing.

Look outside headquarters. As players in the FinTech sphere develop breakthroughs in payments security, consider partnering with them or undertaking a joint venture to create something new.

Bounsengsa, the Clearwater theater manager, still feels safe using mobile banking apps to send and receive payments. “I haven’t been hacked or anything of the sort,” she says. “So far the app has kept my information secure, and I feel comfortable using it.”

But there’s no telling how long that will last. For even as payments move faster and smartphones get speedier, so too will the cyber criminals rush to keep pace.

Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards, and his work has appeared in The New York Times, Daily Beast, Philadelphia magazine, Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.


Alternative music for millennials: New payment options to win them over

By Karen Epper Hoffman

Millennials aren’t yet sold on mobile payments. But singing their tune begins with loyalty perks and speedier transactions.

Millennials have fashioned the smartphone into a ubiquitous tool to socialize via Twitter or Instagram or Snapchat, collaborate on projects with Slack or find and review restaurants on Yelp. So it seems natural that this group would aggressively opt in when it comes to mobile payments, right?

Not so much—or if you prefer, that call is on hold.

While this large, powerful demographic depends on their smartphones to the point of earning the moniker “digital natives,” recent research indicates they aren’t quite as committed to using mobile payment methods just yet as many prognosticators predicted. According to a 2016 survey by Accenture Consulting, 52 percent of North Americans are “extremely aware” of existing mobile payment options. But only a meager 18 percent use them regularly. Indeed, the number of Americans who use mobile phones at the point of sale—just 19 percent—hasn’t bumped up at all in a year, the report finds.

But the interest is there, according to Brian Pearce, senior vice president of innovation for Wells Fargo & Co. Virtual Channels. “There was an assumption that mobile payments behavior [among millennials] is very different, but that’s not what we’re seeing,” he says. “We’re seeing customers interested in using mobile wallets … but they also don’t want to hold up the line.”

Not that the phone line is clear. London-based payments firm VocaLink Ltd. also explored the issue of what’s delaying acceptance of mobile payment with its own survey of 5,000 U.S. millennials. They found that 52 percent had used mobile payments; that’s the impressive part. Not so much impressive: 86 percent had encountered problems.

P2P and pointing beyond point-of-sale

A third of millennials (32 percent) use their phones for peer-to-peer (P2P) payments through applications such as Venmo, compared to about 18 percent on average across other demographic segments. But industry insiders agree the response is not as strong as it could be.

“Mobile payments at the [point of sale] especially are not really resonating with millennials [because] they’re not really attached to much greater value,” says Daniel Van Dyke, mobile practice analyst at Javelin Strategy & Research. “They don’t have a compelling reason to embrace wallet, especially when compared to cards.” Van Dyke claims the lack of merchant acceptance is perhaps the biggest drawback to POS-mobile payments, though he says wallet providers, especially Samsung, are making major inroads.

P2P services continue to gain momentum as the likes of PayPal, Facebook and Chase get into the peer-to-peer game. According to a recent Accenture study, 46 percent of consumers have used P2P services—15 percent with regular frequency. According to the same study, P2P is widely considered the front running use case for enabling real-time payments in the U.S.

With significant growth in bill pay technology and usage, opportunities for wider adoption still exist.

According to the June 2016 BAI Consumer Market Outlook Survey, consumers have an average of 45 bill pay interactions per month. Interestingly, this does not vary widely by generation.

Payments priorities: Loyalty, velocity, friction-free

Millennials already represent more than 75 million U.S. citizens (24 percent of the population) and will have the greatest spending power of any generation by next year ($339 trillion). Thus, banks and payments providers refuse to give up on making m-payments work for this up-and-coming group and engage them as customers. Charlie Youakim, CEO of payments upstart Sezzle, points to the basic concept that, as with most consumers, “Millennials are just looking for something that makes their lives easier.”

Youakim suggests that making mobile payments more “friction-free” (that is, not having transactions denied or slow down the line at a store) marks an important first step—one that needs to be followed by offering these valued customers rewards.

“Consumers are fickle,” he says. “They need something to get them on board with [a new] payment method,” recommending clear-cut loyalty options such as cashback on purchases.

Bank-centric applications are not the only option, as business wallets are on the upswing. Starbucks—one of the first businesses to introduce an in-house mobile payments system—has led the way with business-specific wallets. Recently, Target, Walmart and CVS have launched their business-specific payments applications. “We will see more business apps that blend payments with experiences such as ‘order ahead’ and in-store pickup over the next year,” notes Malauzai chief product officer Robb Gaynor.

“In the end, it has to come to the banks to deliver the immediacy and the experience [of payment],” notes Alex Carriles, executive vice president and director of mobile and online channels for BBVA Compass Bank. “It doesn’t matter how good the application is. The last mile is delivered by your bank.”

Wells Fargo also sees the value in combining what they can offer as a bank—specifically, the connection to a customer’s real-time banking account information—with mobile payment, according to Pearce.

“For us, it begins with the mobile banking application, that ability to check balances before or after a transaction,” he says. The San Francisco-based bank is also looking into other ancillary benefits, such as receipt download to smartphone.

Despite their convenience-based reticence and early disappointments, millennials have shown a propensity to give mobile payments a chance. Indeed, according to at least one account, the total value of mobile payment point-of-sale transactions is forecasted to hit nearly $10 billion by 2018.

One thing is for certain: Millennials aren’t about to put down their smartphones or give up their digital native status. If anything, the natives are restless for payments speed and ease. Banks say that day is coming, and the first ones to make good on their word—whether by wallet, P2P, frictionless app or some appealing combination—stand to win loyal customers and billions in business: a billennial payoff, if you will.

Karen Epper Hoffman has been writing about banking and technology issues for nearly a quarter of a century for publications including American Banker, Bloomberg Businessweek and Financial Times’ The Banker. She has also spoken and moderated panels at industry conferences. She lives in Olympia, Wash.


How banks grab consumers with remote deposit capture

By Lauri Giesen

The first mobile check deposit services appealed to techies. Now banks promote the user friendliness of revamped services as they tackle frustrations such as low deposit limits.

When BBVA Compass rolled out its mobile check deposit service four years ago, it got a number of mostly tech-savvy customers to take photos of their checks and deposit them over their smartphones. But as is often the case, the technology did not get the wide reach the bank wanted right off the bat.

So to get customers to come in droves, BBVA Compass had to make improvements to its service. Lots of them. Last year, the bank increased its check amount limits, added new features and began an aggressive branch-based marketing campaign.

What came next, you might say, was a deposit to top them all.

Mobile check deposit volume grew to an amount 70 percent more than the three previous years combined. This time, everyday customers got into the act as they learned the joys of spooning their cereal with one hand and stashing a check in the bank with the other.

“This is a great convenience tool for all customers; they don’t have to go to the bank or to an ATM to deposit their checks,” says Alex Carriles, executive vice president and director of mobile and online channels for BBVA Compass Bank. “They can do it from their kitchen table.”

What’s more, improving this integral part of the payments chain opens new avenues to customer loyalty—while maintaining the status quo, even briefly, poses high risks.

“This is not just about checks,” says James Van Dyke, CEO of Futurion, a digital consulting firm. “It’s about banks being perceived as technology leaders. If customers can’t get their checks to go through their mobile phone right, they’re going to look for another bank when they want to use a credit or debit card for mobile pay or when they want to make a P2P payment.”

One important change BBVA Compass made addresses a pet peeve of bank customers everywhere: raising limits on check deposits via smartphone.

The bank uses a complex algorithm to set limits for each customer, based on factors such as account balances and length of time with the bank. The final amounts are “multiple times higher than what they previously had been,” Carriles says. Today, a new customer with a low balance might be allowed to deposit a check up to $1,500, while a customer with the highest score may deposit up to $30,000.

Clearly, experience quality matters just as much as deposit quantity.

“To move adoption to the next level, banks need to deal with design challenges that have hampered customer experiences,” Van Dyke says. Along with a team of experts, he ranked the mobile deposit customer service experience at 15 large banks. What he found wasn’t always good.

Those banks with the lowest customer satisfaction—and lowest use of the services—often had rigid and low deposit limits and did not address ease of use. Customers often didn’t know whether a check was accepted, how long to hold on to their checks and when funds would be available.

BBVA Compass now tells customers exactly when funds are available (as opposed to in general) and speeds funds availability for a fee. Other new features include “My Snap,” which lets customers decide whether to allow the bank app to automatically take the check picture or let customers do it. (Some RDC-enabled apps literally take over the phone, snapping pictures before customers have their checks lined up for the smartphone camera.)

Compass is among the mobile payments services that utilize auto-capture technology, which ensures framing, lighting and other factors are correct before the app snaps the picture. That reduces the number of checks rejected because of poor image quality.

Elsewhere, Bank of America has added the ability to print, save or e-mail images of the check deposited. “We found when we added the ability to print images of check deposits on ATMs, ATM deposits really took off,” says Michelle Moore, Bank of America’s head of digital banking. “So we added the same feature to mobile deposits to give customers the confidence that their check image is secure.”

But fancy features alone won’t get customers to use mobile check deposit. Strong marketing messages are needed, too. Which is where the llamas come in.

BofA’s “talking llama” ad series shows a beast depositing a check in a diner while declaring mobile deposit is “as easy as eggs over easy.”

The bank gives step-by-step instructions on how to deposit a check via a mobile phone on its web site. It has also assigned 3,800 “digital ambassadors”—employees specially trained to promote mobile payments features—in 4,500 branches.

As a result, the bank processed about 306,000 mobile-deposited checks in the fourth quarter of 2016, up 23 percent year-over-year. Mobile checks now make up 19 percent of all check deposits at the bank, compared to 15 percent a year earlier. And 52 million out of 216 million BofA mobile customers now use the check feature, a number that’s sure to grow.

Whether more credit belongs to the llama or the ambassadors is another matter entirely.

Lauri Giesen has spent more than 25 years writing about banking technology and payments for numerous business and financial publications. In the 1990s, she founded and edited Financial Service Online, a magazine covering Internet-based forays into banking and investment services.


Making the most of data security: How to mitigate data breaches that can occur through mobile applications

By Smrithi Konanur and Trish Schaefer Reilly

No one can say ‘there’s an app for that’ when it comes to data security. But encryption and tokenization are key technologies banks need to protect sensitive data.

With the increase in mobile applications—along with the recent surge in data breaches—securing sensitive data in the mobile environment has become more important than ever. Based on a new report from Research and Markets, the global mCommerce market is projected to grow at a compound annual growth rate of 331 percent by 2022. For 2016, an estimated 40 percent of Black Friday sales were completed via mobile.

But for all that volume, there are dangers to consider.

Sensitive cardholder information in mobile payment applications, as well as Personally Identifiable Information (PII) and Protected Health Information (PHI) in other mobile-based applications, must be protected end-to-end. As such technologies grow, access to data is becoming easy; hence the need to safeguard sensitive data-in-motion captured on mobile endpoints, which becomes critical to ensure end-to-end data protection.

In today’s economy, mobile provides a wealth of advantages: convenience, ease of use, multiple features with various different mobile apps such as social and ecommerce, connectivity and broad acceptance. The trouble is, this often gives users a perceived sense of security: they feel “comfortable” as long as the device is in reach. Yet the risks often don’t come into their minds, especially those associated with the data typed into the application. The apps that users access to buy items, post information or make appointments may unintentionally enable identity thieves to access credit card data, PII and PHI.

Mobile devices communicate via a secure tunnel (SSL/TLS), but data traveling between the mobile device and the hosting application server is not secure. And once unprotected data hits the app servers, a huge risk emerges: at this point the tunnel ends, and the data is no longer protected.

Wouldn’t it be great if you could construct a protected channel in which the data could flow from the mobile device through the infrastructure to the back end—and be fully protected?

Safety in the numbers: Data-centric security

Data marks the key risk factor. It lies at the heart and soul of organizations and customers. How do we keep sensitive data used in and transmitted from mobile devices safe? Organizations need to think beyond their basic security concerns—including network security. That is, they must look into data-centric security for both data-in-motion and data-at-rest. Stolen data can be monetized by thieves and thus inspires most security hacks. Thus, we need to think about security from a data perspective.

This concept is to implement layers of security controls by focusing on protecting the data, its movement and access to it. Each layer of security protects and restricts access in various ways. Data-centric security provides security for sensitive data submitted through a mobile endpoint. It enables end-to-end sensitive data protection within native mobile applications through the entire enterprise data lifecycle and payment transaction flow. Data is secured from the point of capture to the trusted host. Additionally, data-centric security is agnostic of the device or end-point.


Smrithi Konanur serves as Global Product Manager of Payments, Web & Mobile at HPE Security – Data Security. Smrithi has more than 14 years of computer software industry experience, including more than seven years of experience in the payment industry.

Trish Schaefer Reilly serves as Global Product Marketing Manager at HPE. Trish has more than 15 years of product marketing and product management experience. She has a broad range of expertise in marketing, defining and managing varied technology platforms, including security, data storage, encryption, key management, big data analytics, virtualization and cloud services.


Popular BAI Banking Strategies Articles

1. Top 10 retail banking trends for 2017
New research points the way forward in categories from customer experience to artificial intelligence.

2. Create experiences, not messages
Branded experiences show that banks are dedicated to connecting with customers and community.

3. From branches to big data: Five predictions for 2017
So begins a new year, a new administration and new possibilities in the ways banks will approach business and operations.

4. Video: How do you bridge the divide in culture between FinTech and banks?
In this FinTech Forward Interview, innovators and change makers answer the question: How do you bridge the divide in culture between FinTech and banks?

5. Betting on the bot: How chatbots will change the face of banking in 2017
Following consumer affection for chatbots, some banks will use them to help customers monitor finances, but how—and are they secure?

6. Funny money: In new ads, Citi spokesgirl puts secretive adults on the spot
She’s 12. She looks innocent, but when she asks grownups to share their financial details, she gains the upper hand in a game of truth-or-dare.

7. Drowning in data, starving for insight: Starting the customer analytics journey
Analytics is one thing; analyzing how to apply it is another. For all the data complexity, it begins with keeping things simple.

8. The road not token: How fraudsters beating EMV could hit a dead end in 2017
EMV chips in credit and debit cards slow fraud but don’t stop it. Tokenization promises to bolster consumer protections.

9. Cross-selling in the crosshairs of regulators and consumers
As the cross-sell debate continues, banks have a chance to reshape the practice in a way that’s digitally savvy and consumer friendly.

10. InfoSec superstars: How three women broke barriers in banking and security
Seeing and seizing prime opportunities, these female banking executives have carved out leadership positions in information security.

What is the right approach to data-centric security, especially with mobile applications?

Encrypting and tokenizing sensitive data are well-known approaches to securing data, used in conjunction with authentication.

What is FPE?

Format-preserving encryption (FPE) protects sensitive data while preserving the data format. It transforms data formatted as a sequence of symbols in such a way that the encrypted form of the data has the same format and length as the original data. Since no changes are needed in the data format, retrofitting to legacy applications is simple, whereas conventional encryption changes the data format and so makes the integration complex. FPE is a NIST-approved encryption standard (NIST is the National Institute of Standards and Technology, a unit of the U.S. Commerce Department). FPE is derived from an AES 128-bit block algorithm. In addition to the formatted data, each mode takes a “tweak,” an additional input that lets the same data produce different encrypted values.
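An added illustration of the format-preserving property and the tweak described above. It is not code from the article or from HPE, and it is not NIST FF1: to stay dependency-free it uses a Feistel network with HMAC-SHA256 as the round function instead of AES. The demo key, the function names, and the choice to leave the first six and last four card digits in the clear and use them as the tweak are assumptions of this example.

```python
import hashlib
import hmac

ROUNDS = 10      # round count borrowed from FF1; an assumption of this sketch
MIN_DIGITS = 6   # reject tiny domains, which an attacker could simply enumerate
DEMO_KEY = bytes(range(32))  # constructed demo key; real keys come from a KMS/HSM


def _check_digits(digits: str) -> None:
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("input must consist of ASCII decimal digits only")
    if len(digits) < MIN_DIGITS:
        raise ValueError(f"need at least {MIN_DIGITS} digits")


def _round_value(key: bytes, tweak: bytes, rnd: int, total_len: int, half: str) -> int:
    """Keyed round function: HMAC-SHA256 over tweak, round number and one half."""
    msg = (len(tweak).to_bytes(2, "big") + tweak + bytes([rnd])
           + total_len.to_bytes(2, "big") + half.encode("ascii"))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a digit string into a digit string of the same length."""
    _check_digits(digits)
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2:]
    for rnd in range(ROUNDS):
        m = len(a)
        c = (int(a) + _round_value(key, tweak, rnd, n, b)) % 10 ** m
        a, b = b, str(c).zfill(m)   # zfill keeps leading zeros, hence the length
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    _check_digits(digits)
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2:]
    for rnd in reversed(range(ROUNDS)):
        m = len(b)
        c = (int(b) - _round_value(key, tweak, rnd, n, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def _split_pan(pan: str):
    if not (pan.isascii() and pan.isdigit()) or not 16 <= len(pan) <= 19:
        raise ValueError("expected a 16 to 19 digit card number")
    return pan[:6], pan[6:-4], pan[-4:]


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt only the middle digits; the clear digits act as the tweak, so
    equal middle digits on two different cards encrypt differently."""
    head, middle, tail = _split_pan(pan)
    return head + fpe_encrypt(key, (head + tail).encode("ascii"), middle) + tail


def recover_pan(key: bytes, protected: str) -> str:
    head, middle, tail = _split_pan(protected)
    return head + fpe_decrypt(key, (head + tail).encode("ascii"), middle) + tail


if __name__ == "__main__":
    pan = "4111111111111111"  # widely used test card number, not a real account
    protected = protect_pan(DEMO_KEY, pan)
    print("clear     :", pan)
    print("protected :", protected)            # still 16 digits, same first 6 / last 4
    print("recovered :", recover_pan(DEMO_KEY, protected))
    # Same data, same key, different tweak: different ciphertext.
    print(fpe_encrypt(DEMO_KEY, b"merchant-A", pan))
    print(fpe_encrypt(DEMO_KEY, b"merchant-B", pan))
```

The protected value is not guaranteed to pass a Luhn check, so any card-number validation has to happen before protection or after recovery.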

From broken security to tokenization

Tokenization replaces sensitive data such as credit card numbers with tokens, and is one of the data protection and audit scope reduction methods recommended by the Payment Card Industry Data Security Standard (PCI DSS). Capabilities such as secure stateless tokenization remove the storage of cardholder data, and do so without requiring token databases mapped to the underlying card data, which are costly to maintain. This dramatically reduces the number of applications and systems that are considered in-scope for compliance assessments, in addition to eliminating token databases from the solution.

Putting it all together: Turning back the hack attack

With the rapid increase in mobile phone usage and applications, a huge opportunity exists for hackers to grab sensitive data. Organizations have invested in a lot of research and implementations to protect data on desktop and laptop devices.

Here’s a look at the explosion in progress: According to Statista, in 2009 worldwide mobile app downloads amounted to approximately 252 billion and are expected to reach 26869 billion in 2017. Coupling this with the fact that mobile devices have their own device-specific platforms, a huge challenge awaits before mobile security can be normalized or standardized. Moreover, organizations are inclined to invest in revenue-generating applications rather than in building security for these numerous applications.

But starting immediately, they need to look at securing these applications against threats and vulnerabilities early on rather than as an afterthought. This means implementing the right technology with data-centric, end-to-end security—one that includes strong authentication policies and access control. During design of applications, organizations need to consider the entire flow of the data, including storage, and implement data-centric security to secure their data. Until the day comes when an app itself might address some of the issues, smart businesses need to make the call now.

© 2017 BAI. All Rights Reserved. 0217

Past Issues

Find all BAI Banking Strategies Executive Reports and ongoing retail banking editorial coverage at BankingStrategies.com.

January 2017: The changing face of fraud in a digital age

May 2016: Marketing’s new horizon

July 2016: Wealth management for retirement

August 2016: Banking’s digital transformation

October 2016: Evolution of the branch

December 2016: A look ahead to U.S. retail banking in 2017

Upcoming Issues

April 2017: Navigating the compliance curve

May 2017: Marketing that rises above the noise

June 2017: Banking’s digital transformation


Letter from the Editor

“The march of time.” That clichéd phrase is as old as the Ides of March itself. Yet considering the theme of this BAI executive report, “Payments on the march,” it takes on reinvigorated meaning. For viewed through the payments prism, the march of time emerges as something akin to a conquering army’s blitz into uncharted territory.

By the time you finish this sentence, it’s entirely possible that some startup tech team or visionary will have advanced the march yet another step. Keeping up with all the change represents a challenging prospect, to say the least. But in these pages, the issue of payments gets the forward-looking attention it deserves, with four pieces addressing different dimensions of the landscape in 2017.

In “The quest to secure payments security,” contributor Howard Altman examines the vulnerabilities that dog financial institutions and consumers alike. The percentage of Americans turning to mobile banking has experienced double-digit gains between 2013 and 2015. And while that means more opportunities for banks, it also means more hackers and thieves circling the spoils with vulture-like tenacity.

Yet if the bad guys in cyberspace are impossible to spot by face, or don’t leave behind so much as a fingerprint, a new irony has come into play. Altman writes: “In the quest for safer payments, some banks are turning to those very features—faces and fingerprints—to add a layer of hack-proof security for their customers.”

Millennials make for a discriminating demographic, and Karen Epper Hoffman tackles the question of landing their loyalty in “Alternative music for millennials: New payment options to win them over.” Hoffman quotes Brian Pearce, senior vice president of innovation for Wells Fargo & Co. Virtual Channels: “There was an assumption that mobile payments behavior [among millennials] is very different, but that’s not what we’re seeing. We’re seeing customers interested in using mobile wallets … but they also don’t want to hold up the line.”

Bank customers are still getting used to the idea that they can take pictures of their checks anywhere, anytime, and put them in the bank faster than they can get through a teller line (even if they are at the front of the line). But as with any new wrinkle, time’s needed for the banking public to negotiate the change, even as the technology continues to improve.

In “How banks grab consumers with remote deposit capture,” Lauri Giesen highlights some of the strategies that lead financial institutions to success. After BBVA Compass overhauled its four-year old mobile check deposit service, “mobile check deposit volume grew to an amount 70 percent more than the three previous years combined.”

How did BBVA do it? A mix of marketing, new features and higher check limits led the way. To that last variable: banks with an outdated, lower per-check maximum will want to reconsider their policies in light of BBVA’s concurrent gains in customer loyalty.

In a digital world, it’s payments at the speed of cloud

Finally, the actionable advice in “Making the most of data security: How to mitigate data breaches that can occur through mobile applications” centers around data breaches that come via mobile apps. Authors Smrithi Konanur and Trish Reilly point out that because mobile devices are so close by and convenient, security might barely enter the consciousness of users.

“The apps that users access to buy items, post information or make appointments may unintentionally enable identity thieves to access credit card data, Personally Identifiable Information (PII) and Protected Health Information (PHI),” they note.

Incredible as it seems, every one of these issues simply didn’t exist just a decade ago. The payments milieu has changed at such warp speed that banks, in fact, emerge as something else in the present light. They often do their best while new security threats, just-hatched technologies and shifting customer preferences swirl around them.

Indeed, payments are on the march. But it’s only a matter of time before the march turns into a gallop, the gallop into a sprint, and the sprint into an airborne force on the cusp of breaking one speed and altitude barrier after another.

A veteran journalist who has served with the Chicago Tribune, Reuters Money and U.S. News & World Report, Lou Carlozo is the managing editor of BAI. Connect with him on LinkedIn.

Louis R. Carlozo, Managing Editor, BAI, lcarlozobaiorg


The explosion in digital payments is attracting an unsavory lot. But new technologies may give banks an edge against fraudsters.

When Darouny Bounsengsa bought her mobile phone at 17, she wasted little time diving into the digital payments world. “I use it primarily for checking my balance at a moment’s notice, but I have used it to deposit checks, locate branches and ATMs, and transfer funds between my accounts,” says the 21-year-old theater manager from Clearwater, Fla.

You might think there is safety in numbers, as Bounsengsa is part of a growing demographic. The number of Americans who use mobile banking has jumped from 33 percent of those with bank accounts in 2013 to 43 percent in 2015, according to a study by the Federal Reserve.

Yet where consumers with money congregate, so do hackers and thieves. And like virtual pickpockets, they can work a crowd with ease … except that they’re impossible to spot by face. They don’t even leave so much as a fingerprint behind.

But in the quest for safer payments, some banks are turning to those very features—faces and fingerprints—to add a layer of hack-proof security for their customers. And while it’s too soon to report any stockpile of statistics, experts believe the new measures in play hold promise for consumers who send and access money digitally.

Citi, for instance, has just introduced a mobile app that protects transactions by requiring the user to establish biometric data; this includes not just fingerprints and facial recognition but also voice authentication—something a fraudster could only conceivably defeat by recording you the moment you log on.

That’s because no generic voice prompt such as “Hey Siri” will pick the lock. To gain access to your Citi accounts, you must speak the phrase, “My identity is secure because my voice is my passport. Verify me.” (It doubles as a subtle plug, too.)

The Citi app is just one example of the tremendous investment banks are making into mobile security, says Rick Borden, who specializes in cybersecurity law for Robinson & Cole. And ultimately, banks may be trying to protect consumers from themselves.

“I don’t believe I’ve actually heard of a mobile banking app being compromised,” says Borden, who formerly served as senior vice president and assistant general counsel at Bank of America, where he was responsible for cybersecurity and technology. The biggest risks, he notes, come from mobile devices themselves, along with people “who give their credentials through phishing campaigns or something else.”

So while some may unwittingly share passwords or other data that allow passage into their payments stream, a recognized face is impossible to share, barring a makeup trick straight out of a James Bond flick. That said, logging in to mobile payments requires WiFi, which means problems can still arise, says Chris Vickery, a white hat cybersecurity researcher. “There’s a certain level of risk anytime you are broadcasting information to a wireless network. This is especially true for people who are willing to connect to any available WiFi access point.”

The quest to secure payments security

“I don’t believe I’ve actually heard of a mobile banking app being compromised. The biggest risks come from mobile devices themselves, along with people who give their credentials through phishing campaigns or something else.” Rick Borden, cybersecurity law specialist for Robinson & Cole

By Howard Altman

Researchers at the University of Erlangen-Nuremberg in Germany also contend that hackers no longer have to work on multiple fronts, because apps do not utilize an internet security measure known as two-factor identification. “It is sufficient to compromise the mobile device, which automatically compromises all authentication factors running on the smartphone,” writes Vincent Haupert, a research associate at the university’s Security Research Group.

Thus, what is user friendly may be hacker friendly as well. “The current trend that massively favors usability over security is the wrong way to go,” Haupert writes. “Therefore, legislative regulation is required that precisely frames the limits of authentication schemes used in digital banking. Particularly mobile banking currently lacks clear standards that have to be addressed.”

For now, mobile malware does not yet target mobile banking, due in large part to limited customer acceptance. But as payments via wallets and apps become more widespread, criminals are looking for new ways in.

Consumers could also take a lesson from the likes of Bounsengsa, who practices what’s known as good cyber hygiene. “My main security concern is someone being able to take my information as I use the app and hack it as I am using it or shortly after,” she says. “I don’t open the app if I’m using public WiFi and switch to using data if I am not at home.”

How else can banks protect customers?

Encourage and promote cyber hygiene. This also includes the frequent changing of mobile passwords, as well as keeping separate passwords for different accounts (including non-bank portals such as Venmo or PayPal). Without variation, one hacked password can lead to a flood of trouble.

Thoroughly test new consumer-facing payments technology. This consists of a security architecture review, threat modeling, secure coding training, secure code reviews, app integrity protection design, static analysis and dynamic testing.

Look outside headquarters. As players in the FinTech sphere develop breakthroughs in payments security, consider partnering with them or undertaking a joint venture to create something new.

Bounsengsa, the Clearwater theater manager, still feels safe using mobile banking apps to send and receive payments. “I haven’t been hacked or anything of the sort,” she says. “So far, the app has kept my information secure and I feel comfortable using it.”

But there’s no telling how long that will last. For even as payments move faster and smartphones get speedier, so too will the cyber criminals rush to keep pace.

Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards and his work has appeared in The New York Times, Daily Beast, Philadelphia magazine, Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.


Millennials have fashioned the smartphone into a ubiquitous tool to socialize via Twitter or Instagram or Snapchat, collaborate on projects with Slack, or find and review restaurants on Yelp. So it seems natural that this group would aggressively opt in when it comes to mobile payments, right?

Not so much—or, if you prefer, that call is on hold.

While this large, powerful demographic depends on their smartphones to the point of earning the moniker “digital natives,” recent research indicates they aren’t quite as committed to using mobile payment methods just yet as many prognosticators predicted. According to a 2016 survey by Accenture Consulting, 52 percent of North Americans are “extremely aware” of existing mobile payment options. But only a meager 18 percent use them regularly. Indeed, the number of Americans who use mobile phones at the point of sale—just 19 percent—hasn’t bumped up at all in a year, the report finds.

But the interest is there, according to Brian Pearce, senior vice president of innovation for Wells Fargo & Co. Virtual Channels. “There was an assumption that mobile payments behavior [among millennials] is very different, but that’s not what we’re seeing,” he says. “We’re seeing customers interested in using mobile wallets … but they also don’t want to hold up the line.”

Not that the phone line is clear. London-based payments firm VocaLink Ltd. also explored the issue of what’s delaying acceptance of mobile payment with its own survey of 5000 U.S. millennials. They found that 52 percent had used mobile payments; that’s the impressive part. Not so impressive: 86 percent had encountered problems.

Alternative music for millennials: New payment options to win them over

Millennials aren’t yet sold on mobile payments. But singing their tune begins with loyalty perks and speedier transactions.

By Karen Epper Hoffman

P2P and pointing beyond point-of-sale

A third of millennials (32 percent) use their phones for peer-to-peer (P2P) payments through applications such as Venmo, compared to about 18 percent on average across other demographic segments. But industry insiders agree the response is not as strong as it could be.

“Mobile payments at the [point of sale] especially are not really resonating with millennials [because] they’re not really attached to much greater value,” says Daniel Van Dyke, mobile practice analyst at Javelin Strategy & Research. “They don’t have a compelling reason to embrace wallet, especially when compared to cards.” Van Dyke claims the lack of merchant acceptance is perhaps the biggest drawback to POS-mobile payments, though he says wallet providers, especially Samsung, are making major inroads.

P2P services continue to gain momentum as the likes of PayPal, Facebook and Chase get into the peer-to-peer game. According to a recent Accenture study, 46 percent of consumers have used P2P services—15 percent with regular frequency. According to the same study, P2P is widely considered the front-running use case for enabling real-time payments in the U.S.

With significant growth in bill pay technology and usage, opportunities for wider adoption still exist.


Karen Epper Hoffman has been writing about banking and technology issues for nearly a quarter of a century for publications including American Banker, Bloomberg Businessweek and Financial Times’ The Banker. She has also spoken and moderated panels at industry conferences. She lives in Olympia, Wash.


According to the June 2016 BAI Consumer Market Outlook Survey, consumers have an average of 45 bill pay interactions per month. Interestingly, this does not vary widely by generation.

Payments priorities: Loyalty, velocity, friction-free

Millennials already represent more than 75 million U.S. citizens (24 percent of the population) and will have the greatest spending power of any generation by next year ($339 trillion). Thus, banks and payments providers refuse to give up on making m-payments work for this up-and-coming group and engage them as customers. Charlie Youakim, CEO of payments upstart Sezzle, points to the basic concept that, as with most consumers, “Millennials are just looking for something that makes their lives easier.”

Youakim suggests that making mobile payments more “friction-free” (that is, not having transactions denied or slow down the line at a store) marks an important first step—one that needs to be followed by offering these valued customers rewards.

“Consumers are fickle,” he says. “They need something to get them on board with [a new] payment method,” recommending clear-cut loyalty options such as cashback on purchases.

Bank-centric applications are not the only option, as business wallets are on the upswing. Starbucks—one of the first businesses to introduce an in-house mobile payments system—has led the way with business-specific wallets. Recently Target, Walmart and CVS have launched their business-specific payments applications. “We will see more business apps that blend payments with experiences such as ‘order ahead’ and in-store pickup over the next year,” notes Malauzai chief product officer Robb Gaynor.

“In the end, it has to come to the banks to deliver the immediacy and the experience [of payment],” notes Alex Carriles, executive vice president and director of mobile and online channels for BBVA Compass Bank. “It doesn’t matter how good the application is. The last mile is delivered by your bank.”

Wells Fargo also sees the value in combining what they can offer as a bank—specifically, the connection to a customer’s real-time banking account information—with mobile payment, according to Pearce.

“For us, it begins with the mobile banking application: that ability to check balances before or after a transaction,” he says. The San Francisco-based bank is also looking into other ancillary benefits, such as receipt download to smartphone.

Despite their convenience-based reticence and early disappointments, millennials have shown a propensity to give mobile payments a chance. Indeed, according to at least one account, the total value of mobile payment point-of-sale transactions is forecasted to hit nearly $10 billion by 2018.

“In the end, it has to come to the banks to deliver the immediacy and the experience [of payment]. It doesn’t matter how good the application is. The last mile is delivered by your bank.” Alex Carriles, executive vice president and director of mobile and online channels for BBVA Compass Bank

One thing is for certain: Millennials aren’t about to put down their smartphones or give up their digital native status. If anything, the natives are restless for payments speed and ease. Banks say that day is coming, and the first ones to make good on their word—whether by wallet, P2P, frictionless app or some appealing combination—stand to win loyal customers and billions in business: a billennial payoff, if you will.


When BBVA Compass rolled out its mobile check deposit service four years ago, it got a number of mostly tech-savvy customers to take photos of their checks and deposit them over their smartphones. But as is often the case, the technology did not get the wide reach the bank wanted right off the bat.

So to get customers to come in droves, BBVA Compass had to make improvements to its service. Lots of them. Last year the bank increased its check amount limits, added new features and began an aggressive, branch-based marketing campaign.

What came next, you might say, was a deposit to top them all.

Mobile check deposit volume grew to an amount 70 percent more than the three previous years combined. This time, everyday customers got into the act as they learned the joys of spooning their cereal with one hand and stashing a check in the bank with the other.

“This is a great convenience tool for all customers; they don’t have to go to the bank or to an ATM to deposit their checks,” says Alex Carriles, executive vice president and director of mobile and online channels for BBVA Compass Bank. “They can do it from their kitchen table.”

What’s more, improving this integral part of the payments chain opens new avenues to customer loyalty—while maintaining the status quo, even briefly, poses high risks.

“This is not just about checks,” says James Van Dyke, CEO of Futurion, a digital consulting firm. “It’s about banks being perceived as technology leaders. If customers can’t get their checks to go through their mobile phone right, they’re going to look for another bank when they want to use a credit or debit card for mobile pay or when they want to make a P2P payment.”

One important change BBVA Compass made addresses a pet peeve of bank customers everywhere: raising limits on check deposits via smartphone.

The first mobile check deposit services appealed to techies. Now banks promote the user friendliness of revamped services as they tackle frustrations such as low deposit limits.

By Lauri Giesen

How banks grab consumers with remote deposit capture


The bank uses a complex algorithm to set limits for each customer based on factors such as account balances and length of time with the bank. The final amounts are “multiple times higher than what they previously had been,” Carriles says. Today, a new customer with a low balance might be allowed to deposit a check up to $1500, while a customer with the highest score may deposit up to $30000.

Clearly, experience quality matters just as much as deposit quantity.

“To move adoption to the next level, banks need to deal with design challenges that have hampered customer experiences,” Van Dyke says. Along with a team of experts, he ranked the mobile deposit customer service experience at 15 large banks. What he found wasn’t always good.

Those banks with the lowest customer satisfaction—and lowest use of the services—often had rigid and low deposit limits and did not address ease of use. Customers often didn’t know whether a check was accepted, how long to hold on to their checks, and when funds would be available.

BBVA Compass now tells customers exactly when funds are available (as opposed to in general) and speeds funds availability for a fee. Other new features include “My Snap,” which lets customers decide whether to allow the bank app to automatically take the check picture or let customers do it. (Some RDC-enabled apps literally take over the phone, snapping pictures before customers have their checks lined up for the smartphone camera.)

Compass is among the mobile payments services that utilize auto-capture technology, which ensures framing, lighting and other factors are correct before the app snaps the picture. That reduces the number of checks rejected because of poor image quality.

Elsewhere, Bank of America has added the ability to print, save or e-mail images of the check deposited. “We found when we added the ability to print images of check deposits on ATMs, ATM deposits really took off,” says Michelle Moore, Bank of America’s head of digital banking. “So we added the same feature to mobile deposits to give customers the confidence that their check image is secure.”

But fancy features alone won’t get customers to use mobile check deposit. Strong marketing messages are needed, too. Which is where the llamas come in.

Lauri Giesen has spent more than 25 years writing about banking, technology and payments for numerous business and financial publications. In the 1990s she founded and edited Financial Service Online, a magazine covering Internet-based forays into banking and investment services.


BofA’s “talking llama” ad series shows a beast depositing a check in a diner while declaring mobile deposit is “as easy as eggs over easy.”

The bank gives step-by-step instructions on how to deposit a check via a mobile phone on its web site. It has also assigned 3800 “digital ambassadors”—employees specially trained to promote mobile payments features—in 4500 branches.

As a result, the bank processed about 306000 mobile-deposited checks in the fourth quarter of 2016, up 23 percent year-over-year. Mobile checks now make up 19 percent of all check deposits at the bank, compared to 15 percent a year earlier. And 52 million out of 216 million BofA mobile customers now use the check feature, a number that’s sure to grow.

Whether more credit belongs to the llama or the ambassadors is another matter entirely.

“We found when we added the ability to print images of check deposits on ATMs, ATM deposits really took off. So we added the same feature to mobile deposits to give customers the confidence that their check image is secure.” Michelle Moore, head of digital banking at Bank of America

“This is not just about checks. It’s about banks being perceived as technology leaders.” James Van Dyke, CEO of Futurion


With the increase in mobile applications—along with the recent surge in data breaches—securing sensitive data in the mobile environment has become more important than ever. Based on a new report from Research and Markets, the global mCommerce market is projected to grow at a compound annual growth rate of 331 percent by 2022. For 2016, an estimated 40 percent of Black Friday sales were completed via mobile.

But for all that volume, there are dangers to consider.

Sensitive cardholder information in mobile payment applications, as well as Personally Identifiable Information (PII) and Protected Health Information (PHI) in other mobile-based applications, must be protected end-to-end. As such technologies grow, access to data is becoming easy; hence the need to safeguard sensitive data-in-motion captured on mobile endpoints, which becomes critical to ensuring end-to-end data protection.

In today’s economy, mobile provides a wealth of advantages: convenience, ease of use, multiple features with various different mobile apps such as social and ecommerce connectivity, and broad acceptance. The trouble is, this often gives users a perceived sense of security: they feel “comfortable” as long as the device is in reach. Yet the risks often don’t come into their minds, especially those associated with the data typed into the application. The apps that users access to buy items, post information or make appointments may unintentionally enable identity thieves to access credit card data, PII and PHI.

Mobile devices communicate via a secure tunnel (SSL/TLS), but data traveling between the mobile device and the hosting application server is not secure. And once unprotected data hits the app servers, a huge risk emerges: at this point the tunnel ends and the data is no longer protected.

Wouldn’t it be great if you could construct a protected channel in which the data could flow from the mobile device, through the infrastructure, to the back end—and be fully protected?

Safety in the numbers: Data-centric security

Data marks the key risk factor. It lies at the heart and soul of organizations and customers. How do we keep sensitive data used in and transmitted from mobile devices safe? Organizations need to think beyond their basic security concerns—including network security. That is, they must look into data-centric security for both data-in-motion and data-at-rest. Stolen data can be monetized by thieves, and thus inspires most security hacks. Thus, we need to think about security from a data perspective.

This concept is to implement layers of security controls by focusing on protecting the data, its movement and access to it. Each layer of security protects and restricts access in various ways. Data-centric security provides security for sensitive data submitted through a mobile endpoint. It enables end-to-end sensitive data protection within native mobile applications, through the entire enterprise data lifecycle and payment transaction flow. Data is secured from the point of capture to the trusted host. Additionally, data-centric security is agnostic of the device or end-point.

Making the most of data security

How to mitigate data breaches that can occur through mobile applications

By Smrithi Konanur and Trish Schaefer Reilly

No one can say lsquotherersquos an app for thatrsquo when it comes to data security But encryption and tokenization are key technologies banks need to protect sensitive data

BAI Banking Strategies

Executive Report

BankingStrategiescom

Making the most of data security How to mitigate data breaches that can occur through mobile applications

Smrithi Konanur serves as Global Product Manager of Payments, Web & Mobile at HPE Security – Data Security. Smrithi has more than 14 years of computer software industry experience, including more than seven years of experience in the payment industry.

Trish Schaefer Reilly serves as Global Product Marketing Manager at HPE. Trish has more than 15 years of product marketing and product management experience. She has a broad range of expertise in marketing, defining and managing varied technology platforms, including security, data storage, encryption, key management, big data analytics, virtualization and cloud services.


What is the right approach to data-centric security, especially with mobile applications?

Encrypting and tokenizing sensitive data are well-known approaches to securing data, used in conjunction with authentication.

What is FPE?

Format-preserving encryption (FPE) protects sensitive data while preserving the data format. It transforms data formatted as a sequence of symbols in such a way that the encrypted form of the data has the same format and length as the original data. Since no changes are needed in the data format, retrofitting to legacy applications is simple, as opposed to conventional encryption, which would change the data format and hence make the integration complex. FPE is a NIST-approved encryption standard (NIST is the National Institute of Standards and Technology, a unit of the U.S. Commerce Department). FPE is derived from an AES 128-bit block algorithm. In addition to the formatted data, each mode of the algorithm takes a "tweak," an additional input that essentially increases the number of different instances of encrypted data.

From broken security to tokenization

Tokenization replaces sensitive data, such as credit card numbers, with tokens and is one of the data protection and audit scope reduction methods recommended by the Payment Card Industry Data Security Standard (PCI DSS). Capabilities such as secure stateless tokenization remove the storage of cardholder data and do so without requiring token databases mapped to the underlying card data—databases that are costly to maintain. This dramatically reduces the number of applications and systems that are considered in-scope for compliance assessments, in addition to eliminating token databases from the solution.
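The FPE and tokenization passages above, as an added example that is not from the article or from any vendor's product: a toy format-preserving cipher over digit strings with a tweak, reused to derive a reversible token without a token database. It assumes HMAC-SHA256 as the Feistel round function in place of the AES-based NIST modes, and the function names, key, tweaks and test card number are all constructed for illustration.

```python
"""Toy format-preserving encryption (FPE) over decimal strings.

Added illustration, not NIST FF1 and not any vendor's algorithm: it keeps
FF1's alternating Feistel structure but uses HMAC-SHA256 as the round
function instead of AES. Key, tweaks and card number are constructed.
"""
import hashlib
import hmac

ROUNDS = 10        # FF1 also runs 10 Feistel rounds
MIN_DIGITS = 6     # keeps the domain at 1,000,000 values or more


def _check(digits: str) -> None:
    if not (digits.isascii() and digits.isdigit()) or len(digits) < MIN_DIGITS:
        raise ValueError(f"need at least {MIN_DIGITS} ASCII digits")


def _round_value(key, tweak, rnd, total_len, half, modulus):
    """Keyed pseudo-random integer in [0, modulus) for one Feistel round."""
    msg = (len(tweak).to_bytes(2, "big") + tweak       # length-prefixed tweak
           + bytes([rnd]) + total_len.to_bytes(2, "big")
           + half.encode("ascii"))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a digit string into a digit string of the same length."""
    _check(digits)
    n = len(digits)
    u = n // 2
    a, b = digits[:u], digits[u:]
    for rnd in range(ROUNDS):
        m = u if rnd % 2 == 0 else n - u               # width of the half being replaced
        y = _round_value(key, tweak, rnd, n, b, 10 ** m)
        c = (int(a) + y) % 10 ** m
        a, b = b, str(c).zfill(m)                      # zfill keeps leading zeros
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    _check(digits)
    n = len(digits)
    u = n // 2
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(ROUNDS)):
        m = u if rnd % 2 == 0 else n - u
        y = _round_value(key, tweak, rnd, n, a, 10 ** m)
        c = (int(b) - y) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def tokenize_pan(key: bytes, pan: str, context: bytes) -> str:
    """Vault-less token: transform all but the last four digits.

    The clear last four digits are folded into the tweak, so the token is
    a function of key and input only and no token-to-PAN table is stored.
    """
    _check(pan)
    head, last4 = pan[:-4], pan[-4:]
    return fpe_encrypt(key, context + b"|" + last4.encode(), head) + last4


def detokenize_pan(key: bytes, token: str, context: bytes) -> str:
    """Recover the card number on the trusted host that holds the key."""
    _check(token)
    head, last4 = token[:-4], token[-4:]
    return fpe_decrypt(key, context + b"|" + last4.encode(), head) + last4


def demo() -> dict:
    key = bytes(range(32))              # constructed demo key, never reuse
    pan = "4111111111111111"            # widely used test card number
    token = tokenize_pan(key, pan, b"merchant-A")
    return {
        "same plaintext, tweak A": fpe_encrypt(key, b"merchant-A", pan),
        "same plaintext, tweak B": fpe_encrypt(key, b"merchant-B", pan),
        "token (last four kept)": token,
        "detokenized": detokenize_pan(key, token, b"merchant-A"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Because every output is still a 16-digit string, a legacy column or message field sized for a card number accepts it unchanged, which is the retrofit property the FPE passage describes.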

Putting it all together: Turning back the hack attack

With the rapid increase in mobile phone usage and applications, a huge opportunity exists for hackers to grab the sensitive data. Organizations have invested in a lot of research and implementations to protect data on desktop and laptop devices.

Here's a look at the explosion in progress: According to Statista, in 2009 worldwide mobile app downloads amounted to approximately 252 billion and are expected to reach 26869 billion in 2017. Coupling this with the fact that mobile devices have their own device-specific platforms, a huge challenge awaits for mobile security to be normalized or standardized. Moreover, organizations are inclined to invest in revenue-generating applications rather than in building security for these numerous applications.

But starting immediately, they need to look at securing these applications against threats and vulnerabilities early on, rather than as an afterthought. This means implementing the right technology with data-centric, end-to-end security—one that includes strong authentication policies and access control. During design of applications, organizations need to consider the entire flow of the data, including the storage, and implement data-centric security to secure their data. Until the day comes when an app itself might address some of the issues, smart businesses need to make the call now.

©2017 BAI. All Rights Reserved. 0217

Past Issues

Find all BAI Banking Strategies Executive Reports and ongoing retail banking editorial coverage at BankingStrategies.com.

January 2017: The changing face of fraud in a digital age

May 2016: Marketing's new horizon

July 2016: Wealth management for retirement

August 2016: Banking's digital transformation

October 2016: Evolution of the branch

December 2016: A look ahead to U.S. retail banking in 2017

Upcoming Issues

April 2017: Navigating the compliance curve

May 2017: Marketing that rises above the noise

June 2017: Banking's digital transformation

The quest to secure payments security

By Howard Altman

The explosion in digital payments is attracting an unsavory lot. But new technologies may give banks an edge against fraudsters.

When Darouny Bounsengsa bought her mobile phone at 17, she wasted little time diving into the digital payments world. "I use it primarily for checking my balance at a moment's notice, but I have used it to deposit checks, locate branches and ATMs, and transfer funds between my accounts," says the 21-year-old theater manager from Clearwater, Fla.

You might think there is safety in numbers, as Bounsengsa is part of a growing demographic. The number of Americans who use mobile banking has jumped from 33 percent of those with bank accounts in 2013 to 43 percent in 2015, according to a study by the Federal Reserve.

Yet where consumers with money congregate, so do hackers and thieves. And like virtual pickpockets, they can work a crowd with ease ... except that they're impossible to spot by face. They don't even leave so much as a fingerprint behind.

But in the quest for safer payments, some banks are turning to those very features—faces and fingerprints—to add a layer of hack-proof security for their customers. And while it's too soon to report any stockpile of statistics, experts believe the new measures in play hold promise for consumers who send and access money digitally.

Citi, for instance, has just introduced a mobile app that protects transactions by requiring the user to establish biometric data: this includes not just fingerprints and facial recognition but also voice authentication—something a fraudster could only conceivably defeat by recording you the moment you log on.

That's because no generic voice prompt such as "Hey Siri" will pick the lock. To gain access to your Citi accounts, you must speak the phrase, "My identity is secure because my voice is my passport, verify me." (It doubles as a subtle plug, too.)

The Citi app is just one example of the tremendous investment banks are making into mobile security, says Rick Borden, who specializes in cybersecurity law for Robinson & Cole. And ultimately, banks may be trying to protect consumers from themselves.

"I don't believe I've actually heard of a mobile banking app being compromised," says Borden, who formerly served as senior vice president and assistant general counsel at Bank of America, where he was responsible for cybersecurity and technology. The biggest risks, he notes, come from mobile devices themselves, along with people "who give their credentials through phishing campaigns or something else."

So while some may unwittingly share passwords or other data that allow passage into their payments stream, a recognized face is impossible to share, barring a makeup trick straight out of a James Bond flick. That said, logging in to mobile payments requires WiFi, which means problems can still arise, says Chris Vickery, a white hat cybersecurity researcher. "There's a certain level of risk anytime you are broadcasting information to a wireless network. This is especially true for people who are willing to connect to any available WiFi access point."

Researchers at the University of Erlangen-Nuremberg in Germany also contend that hackers no longer have to work on multiple fronts because apps do not utilize an internet security measure known as two-factor identification. "It is sufficient to compromise the mobile device, which automatically compromises all authentication factors running on the smartphone," writes Vincent Haupert, a research associate at the university's Security Research Group.

Thus, what is user friendly may be hacker friendly as well. "The current trend that massively favors usability over security is the wrong way to go," Haupert writes. "Therefore, legislative regulation is required that precisely frames the limits of authentication schemes used in digital banking. Particularly mobile banking currently lacks clear standards that have to be addressed."

For now, mobile malware does not yet target mobile banking, due in large part to limited customer acceptance. But as payments via wallets and apps become more widespread, criminals are looking for new ways in.

Consumers could also take a lesson from the likes of Bounsengsa, who practices what's known as good cyber hygiene. "My main security concern is someone being able to take my information as I use the app and hack it as I am using it or shortly after," she says. "I don't open the app if I'm using public WiFi, and switch to using data if I am not at home."

How else can banks protect customers?

Encourage and promote cyber hygiene. This also includes the frequent changing of mobile passwords, as well as keeping separate passwords for different accounts (including non-bank portals such as Venmo or PayPal). Without variation, one hacked password can lead to a flood of trouble.

Thoroughly test new consumer-facing payments technology. This consists of a security architecture review, threat modeling, secure coding training, secure code reviews, app integrity protection design, static analysis and dynamic testing.

Look outside headquarters. As players in the FinTech sphere develop breakthroughs in payments security, consider partnering with them or undertaking a joint venture to create something new.

Bounsengsa, the Clearwater theater manager, still feels safe using mobile banking apps to send and receive payments. "I haven't been hacked or anything of the sort," she says. "So far the app has kept my information secure and I feel comfortable using it."

But there's no telling how long that will last. For even as payments move faster and smartphones get speedier, so too will the cyber criminals rush to keep pace.

Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards, and his work has appeared in The New York Times, Daily Beast, Philadelphia magazine, Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.

Alternative music for millennials: New payment options to win them over

By Karen Epper Hoffman

Millennials aren't yet sold on mobile payments. But singing their tune begins with loyalty perks and speedier transactions.

Millennials have fashioned the smartphone into a ubiquitous tool to socialize via Twitter or Instagram or Snapchat, collaborate on projects with Slack, or find and review restaurants on Yelp. So it seems natural that this group would aggressively opt in when it comes to mobile payments, right?

Not so much—or if you prefer, that call is on hold.

While this large, powerful demographic depends on their smartphones to the point of earning the moniker "digital natives," recent research indicates they aren't quite as committed to using mobile payment methods just yet as many prognosticators predicted. According to a 2016 survey by Accenture Consulting, 52 percent of North Americans are "extremely aware" of existing mobile payment options. But only a meager 18 percent use them regularly. Indeed, the number of Americans who use mobile phones at the point of sale—just 19 percent—hasn't bumped up at all in a year, the report finds.

But the interest is there, according to Brian Pearce, senior vice president of innovation for Wells Fargo & Co. Virtual Channels. "There was an assumption that mobile payments behavior [among millennials] is very different, but that's not what we're seeing," he says. "We're seeing customers interested in using mobile wallets ... but they also don't want to hold up the line."

Not that the phone line is clear. London-based payments firm VocaLink Ltd. also explored the issue of what's delaying acceptance of mobile payment with its own survey of 5000 U.S. millennials. They found that 52 percent had used mobile payments; that's the impressive part. Not so much impressive: 86 percent had encountered problems.

P2P and pointing beyond point-of-sale

A third of millennials (32 percent) use their phones for peer-to-peer (P2P) payments through applications such as Venmo, compared to about 18 percent on average across other demographic segments. But industry insiders agree the response is not as strong as it could be.

"Mobile payments at the [point of sale] especially are not really resonating with millennials [because] they're not really attached to much greater value," says Daniel Van Dyke, mobile practice analyst at Javelin Strategy & Research. "They don't have a compelling reason to embrace wallet, especially when compared to cards." Van Dyke claims the lack of merchant acceptance is perhaps the biggest drawback to POS-mobile payments, though he says wallet providers, especially Samsung, are making major inroads.

P2P services continue to gain momentum as the likes of PayPal, Facebook and Chase get into the peer-to-peer game. According to a recent Accenture study, 46 percent of consumers have used P2P services—15 percent with regular frequency. According to the same study, P2P is widely considered the front-running use case for enabling real-time payments in the U.S.

With significant growth in bill pay technology and usage, opportunities for wider adoption still exist. According to the June 2016 BAI Consumer Market Outlook Survey, consumers have an average of 45 bill pay interactions per month. Interestingly, this does not vary widely by generation.

Payments priorities: Loyalty, velocity, friction-free

Millennials already represent more than 75 million U.S. citizens (24 percent of the population) and will have the greatest spending power of any generation by next year ($339 trillion). Thus, banks and payments providers refuse to give up on making m-payments work for this up-and-coming group and engaging them as customers. Charlie Youakim, CEO of payments upstart Sezzle, points to the basic concept that, as with most consumers, "Millennials are just looking for something that makes their lives easier."

Youakim suggests that making mobile payments more "friction-free" (that is, not having transactions denied or slowing down the line at a store) marks an important first step—one that needs to be followed by offering these valued customers rewards.

"Consumers are fickle," he says. "They need something to get them on board with [a new] payment method," recommending clear-cut loyalty options such as cashback on purchases.

Bank-centric applications are not the only option, as business wallets are on the upswing. Starbucks—one of the first businesses to introduce an in-house mobile payments system—has led the way with business-specific wallets. Recently, Target, Walmart and CVS have launched their business-specific payments applications. "We will see more business apps that blend payments with experiences such as 'order ahead' and in-store pickup over the next year," notes Malauzai chief product officer Robb Gaynor.

"In the end, it has to come to the banks to deliver the immediacy and the experience [of payment]," notes Alex Carriles, executive vice president and director of mobile and online channels for BBVA Compass Bank. "It doesn't matter how good the application is. The last mile is delivered by your bank."

Wells Fargo also sees the value in combining what they can offer as a bank—specifically, the connection to a customer's real-time banking account information—with mobile payment, according to Pearce.

"For us, it begins with the mobile banking application, that ability to check balances before or after a transaction," he says. The San Francisco-based bank is also looking into other ancillary benefits, such as receipt download to smartphone.

Despite their convenience-based reticence and early disappointments, millennials have shown a propensity to give mobile payments a chance. Indeed, according to at least one account, the total value of mobile payment point-of-sale transactions is forecasted to hit nearly $10 billion by 2018.

One thing is for certain: Millennials aren't about to put down their smartphones or give up their digital native status. If anything, the natives are restless for payments speed and ease. Banks say that day is coming, and the first ones to make good on their word—whether by wallet, P2P, frictionless app or some appealing combination—stand to win loyal customers and billions in business: a billennial payoff, if you will.

Karen Epper Hoffman has been writing about banking and technology issues for nearly a quarter of a century for publications including American Banker, Bloomberg Businessweek and Financial Times' The Banker. She has also spoken and moderated panels at industry conferences. She lives in Olympia, Wash.

How banks grab consumers with remote deposit capture

By Lauri Giesen

The first mobile check deposit services appealed to techies. Now banks promote the user friendliness of revamped services as they tackle frustrations such as low deposit limits.

When BBVA Compass rolled out its mobile check deposit service four years ago, it got a number of mostly tech-savvy customers to take photos of their checks and deposit them over their smartphones. But as is often the case, the technology did not get the wide reach the bank wanted right off the bat.

So to get customers to come in droves, BBVA Compass had to make improvements to its service. Lots of them. Last year, the bank increased its check amount limits, added new features and began an aggressive branch-based marketing campaign.

What came next, you might say, was a deposit to top them all.

Mobile check deposit volume grew to an amount 70 percent more than the three previous years combined. This time, everyday customers got into the act as they learned the joys of spooning their cereal with one hand and stashing a check in the bank with the other.

"This is a great convenience tool for all customers; they don't have to go to the bank or to an ATM to deposit their checks," says Alex Carriles, executive vice president and director of mobile and online channels for BBVA Compass Bank. "They can do it from their kitchen table."

What's more, improving this integral part of the payments chain opens new avenues to customer loyalty—while maintaining the status quo, even briefly, poses high risks.

"This is not just about checks," says James Van Dyke, CEO of Futurion, a digital consulting firm. "It's about banks being perceived as technology leaders. If customers can't get their checks to go through their mobile phone right, they're going to look for another bank when they want to use a credit or debit card for mobile pay or when they want to make a P2P payment."

One important change BBVA Compass made addresses a pet peeve of bank customers everywhere: raising limits on check deposits via smartphone.

The bank uses a complex algorithm to set limits for each customer based on factors such as account balances and length of time with the bank. The final amounts are "multiple times higher than what they previously had been," Carriles says. Today, a new customer with a low balance might be allowed to deposit a check up to $1500, while a customer with the highest score may deposit up to $30000.

Clearly, experience quality matters just as much as deposit quantity.

"To move adoption to the next level, banks need to deal with design challenges that have hampered customer experiences," Van Dyke says. Along with a team of experts, he ranked the mobile deposit customer service experience at 15 large banks. What he found wasn't always good.

Those banks with the lowest customer satisfaction—and lowest use of the services—often had rigid and low deposit limits and did not address ease of use. Customers often didn't know whether a check was accepted, how long to hold on to their checks and when funds would be available.

BBVA Compass now tells customers exactly when funds are available (as opposed to in general) and speeds funds availability for a fee. Other new features include "My Snap," which lets customers decide whether to allow the bank app to automatically take the check picture or let customers do it. (Some RDC-enabled apps literally take over the phone, snapping pictures before customers have their checks lined up for the smartphone camera.)

Compass is among the mobile payments services that utilize auto-capture technology, which ensures framing, lighting and other factors are correct before the app snaps the picture. That reduces the number of checks rejected because of poor image quality.

Elsewhere, Bank of America has added the ability to print, save or e-mail images of the check deposited. "We found when we added the ability to print images of check deposits on ATMs, ATM deposits really took off," says Michelle Moore, Bank of America's head of digital banking. "So we added the same feature to mobile deposits to give customers the confidence that their check image is secure."

But fancy features alone won't get customers to use mobile check deposit. Strong marketing messages are needed, too. Which is where the llamas come in.

BofA's "talking llama" ad series shows a beast depositing a check in a diner while declaring mobile deposit is "as easy as eggs over easy."

The bank gives step-by-step instructions on how to deposit a check via a mobile phone on its web site. It has also assigned 3800 "digital ambassadors"—employees specially trained to promote mobile payments features—in 4500 branches.

As a result, the bank processed about 306000 mobile-deposited checks in the fourth quarter of 2016, up 23 percent year-over-year. Mobile checks now make up 19 percent of all check deposits at the bank, compared to 15 percent a year earlier. And 52 million out of 216 million BofA mobile customers now use the check feature, a number that's sure to grow.

Whether more credit belongs to the llama or the ambassadors is another matter entirely.

Lauri Giesen has spent more than 25 years writing about banking, technology and payments for numerous business and financial publications. In the 1990s, she founded and edited Financial Service Online, a magazine covering Internet-based forays into banking and investment services.

BAI Banking Strategies

Executive Report

BankingStrategiescom

16 17

With the increase in mobile applicationsmdashalong with the recent surge in data breachesmdashsecuring sensitive data in the mobile environment has become more important than ever Based on a new report from Research and Markets the global mCommerce market is projected to grow at a compound annual growth rate of 331 percent by 2022 For 2016 an estimated 40 percent of Black Friday sales were completed via mobile

But for all that volume there are dangers to consider

Sensitive cardholder information in mobile payment applications as well as Personally Identifiable Information (PII) and Protected Health Information (PHI) in other mobile-based applications must be protected end-to-end As such technologies grow access to data is becoming easy hence the need to safeguard sensitive data-in-motion captured on mobile endpoints which becomes critical to ensure end-to-end data protection

In todayrsquos economy mobile provides a wealth of advantages convenience ease of use multiple features with various different mobile apps such as social and ecommerce connectivity and broad acceptance The trouble is this often gives users a perceived sense of security they feel ldquocomfortablerdquo as long as the device is in reach Yet the risks often donrsquot come into their minds especially those associated with the data typed into the application The apps that users access to buy items post information or make appointments may unintentionally enable identity thieves to access credit card data PII and PHI

Mobile devices communicate via a secure tunnel (SLLTLS) but data traveling between the mobile device

and the hosting application server is not secure And once unprotected data hits the app servers a huge risk emerges at this point the tunnel ends and the data is no longer protected

Wouldnrsquot it be great if you could construct a protected channel in which the data could flow from the mobile device through the infrastructure to the back endmdashand be fully protected

Safety in the numbers Data-centric security

Data marks the key risk factor It lies at the heart and soul of organizations and customers How do we keep sensitive data used in and transmitted from mobile devices safe Organizations need to think beyond their basic security concernsmdashincluding network security That is they must look into data-centric security for both data-in-motion and data-at-rest Stolen data can be monetized by thieves and thus inspires most security hacks Thus we need to think about security from a data perspective

This concept is to implement layers of security controls by focusing on protecting the data its movement and access to it Each layer of security protects and restricts access in various ways Data-centric security provides security for sensitive data submitted through a mobile endpoint It enables end-to-end sensitive data protection within native mobile applications through the entire enterprise data lifecycle and payment transaction flow Data is secured from the point of capture to the trusted host Additionally data-centric security is agnostic of the device or end-point

Making the most of data security

How to mitigate data breaches that can occur through mobile applications

By Smrithi Konanur and Trish Schaefer Reilly

No one can say lsquotherersquos an app for thatrsquo when it comes to data security But encryption and tokenization are key technologies banks need to protect sensitive data

BAI Banking Strategies

Executive Report

BankingStrategiescom

Making the most of data security How to mitigate data breaches that can occur through mobile applications

Smrithi Konanur serves as Global Product Manager of Payments, Web & Mobile at HPE Security – Data Security. Smrithi has more than 14 years of computer software industry experience, including more than seven years of experience in the payment industry.

Trish Schaefer Reilly serves as Global Product Marketing Manager at HPE. Trish has more than 15 years of product marketing and product management experience. She has a broad range of expertise in marketing, defining and managing varied technology platforms, including security, data storage, encryption, key management, big data analytics, virtualization and cloud services.


Popular BAI Banking Strategies Articles

1. Top 10 retail banking trends for 2017. New research points the way forward in categories from customer experience to artificial intelligence.

2. Create experiences, not messages. Branded experiences show that banks are dedicated to connecting with customers and community.

3. From branches to big data: Five predictions for 2017. So begins a new year, a new administration and new possibilities in the ways banks will approach business and operations.

4. Video: How do you bridge the divide in culture between FinTech and banks? In this FinTech Forward Interview, innovators and change makers answer the question: How do you bridge the divide in culture between FinTech and banks?

5. Betting on the bot: How chatbots will change the face of banking in 2017. Following consumer affection for chatbots, some banks will use them to help customers monitor finances, but how—and are they secure?

6. Funny money: In new ads, Citi spokesgirl puts secretive adults on the spot. She’s 12. She looks innocent, but when she asks grownups to share their financial details, she gains the upper hand in a game of truth-or-dare.

7. Drowning in data, starving for insight: Starting the customer analytics journey. Analytics is one thing; analyzing how to apply it is another. For all the data complexity, it begins with keeping things simple.

8. The road not token: How fraudsters beating EMV could hit a dead end in 2017. EMV chips in credit and debit cards slow fraud but don’t stop it. Tokenization promises to bolster consumer protections.

9. Cross-selling in the crosshairs of regulators and consumers. As the cross-sell debate continues, banks have a chance to reshape the practice in a way that’s digitally savvy and consumer friendly.

10. InfoSec superstars: How three women broke barriers in banking and security. Seeing and seizing prime opportunities, these female banking executives have carved out leadership positions in information security.

What is the right approach to data-centric security, especially with mobile applications?

Encrypting and tokenizing sensitive data are well-known approaches to securing data, used in conjunction with authentication.

What is FPE?

Format-preserving encryption (FPE) protects sensitive data while preserving the data format. It transforms data formatted as a sequence of symbols in such a way that the encrypted form of the data has the same format and length as the original data. Since no changes are needed in the data format, retrofitting to legacy applications is very simple, as opposed to conventional encryption, which would change the data format and hence make the integration complex. FPE is a NIST-approved encryption standard (NIST is the National Institute of Standards and Technology, a unit of the US Commerce Department). FPE is derived from an AES 128-bit block algorithm. In addition to the formatted data, each mode of the algorithm takes a “tweak,” an additional input that essentially increases the number of different instances of encrypted data.
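The format-preserving and tweak behaviour described above, shown as an added example that is not code from the article or from any vendor product. It is a simplified Feistel construction in the spirit of NIST's FF1 mode that swaps in HMAC-SHA-256 for the AES-based round function, so it illustrates the idea and is not a standards-compliant FPE implementation; the key, tweaks, card number and the 16-digit legacy field check are constructed test values.

```python
import hashlib
import hmac
import re

ROUNDS = 10  # FF1 also uses 10 Feistel rounds; the round function below is simplified
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit demo key
TEST_PAN = "4111111111111111"                                 # constructed test card number
LEGACY_PAN_FIELD = re.compile(r"\d{16}")  # hypothetical legacy check: exactly 16 digits


def _round_value(key: bytes, tweak: bytes, round_no: int, total_len: int, half: str) -> int:
    """Keyed pseudo-random integer for one round (HMAC-SHA-256 stands in for AES).

    The tweak is length-prefixed so that distinct (tweak, half) pairs never
    serialise to the same message.
    """
    msg = (len(tweak).to_bytes(4, "big") + tweak
           + bytes([round_no, total_len]) + half.encode("ascii"))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _split(digits: str):
    """Validate the input and split it into left/right halves of u and v digits."""
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("input must consist of ASCII decimal digits only")
    if not 6 <= len(digits) <= 32:
        # Very short strings have a domain small enough to enumerate.
        raise ValueError("length must be between 6 and 32 digits")
    u = len(digits) // 2
    return digits[:u], digits[u:], u, len(digits) - u


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a digit string into a digit string of the same length."""
    a, b, u, v = _split(digits)
    n = u + v
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + _round_value(key, tweak, i, n, b)) % 10 ** m
        a, b = b, str(c).zfill(m)           # swap halves, keep leading zeros
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt; requires the same key and the same tweak."""
    a, b, u, v = _split(digits)
    n = u + v
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        prev_b = a                           # the half that was carried over unchanged
        prev_a = (int(b) - _round_value(key, tweak, i, n, prev_b)) % 10 ** m
        a, b = str(prev_a).zfill(m), prev_b
    return a + b


def fits_legacy_field(value: str) -> bool:
    """True if the value would pass the hypothetical legacy 16-digit field check."""
    return LEGACY_PAN_FIELD.fullmatch(value) is not None


if __name__ == "__main__":
    ct_a = fpe_encrypt(DEMO_KEY, b"merchant-A", TEST_PAN)
    ct_b = fpe_encrypt(DEMO_KEY, b"merchant-B", TEST_PAN)
    print("plaintext          :", TEST_PAN)
    print("tweak merchant-A   :", ct_a, "fits legacy field:", fits_legacy_field(ct_a))
    print("tweak merchant-B   :", ct_b, "fits legacy field:", fits_legacy_field(ct_b))
    print("decrypt (tweak A)  :", fpe_decrypt(DEMO_KEY, b"merchant-A", ct_a))
    print("decrypt (wrong twk):", fpe_decrypt(DEMO_KEY, b"merchant-B", ct_a))
```

The same card number encrypts to a different 16-digit value under each tweak, and decrypting with the wrong tweak does not recover the original.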

From broken security to tokenization

Tokenization replaces sensitive data, such as credit card numbers, with tokens and is one of the data protection and audit scope reduction methods recommended by the Payment Card Industry Data Security Standard (PCI DSS). Capabilities such as secure stateless tokenization remove the storage of cardholder data and do so without requiring token databases mapped to the underlying card data, which are costly to maintain. This dramatically reduces the number of applications and systems that are considered in-scope for compliance assessments, in addition to eliminating token databases from the solution.

Putting it all together: Turning back the hack attack

With the rapid increase in mobile phone usage and applications, a huge opportunity exists for hackers to grab the sensitive data. Organizations have invested in a lot of research and implementations to protect data on desktop and laptop devices.

Here’s a look at the explosion in progress: According to Statista, in 2009 worldwide mobile app downloads amounted to approximately 2.52 billion and are expected to reach 268.69 billion in 2017. Coupling this with the fact that mobile devices have their own device-specific platforms, a huge challenge awaits for mobile security to be normalized or standardized. Moreover, organizations are inclined to invest in revenue-generating applications rather than in building security for these numerous applications.

But starting immediately, they need to look at addressing threats and vulnerabilities for these applications early on, rather than as an afterthought. This means implementing the right technology with data-centric, end-to-end security—one that includes strong authentication policies and access control. During design of applications, organizations need to consider the entire flow of the data, including the storage, and implement data-centric security to secure their data. Until the day comes when an app itself might address some of the issues, smart businesses need to make the call now.

©2017 BAI. All Rights Reserved. 0217

Past Issues

Find all BAI Banking Strategies Executive Reports and ongoing retail banking editorial coverage at BankingStrategies.com.

Upcoming Issues

January 2017: The changing face of fraud in a digital age

May 2016: Marketing’s new horizon

July 2016: Wealth management for retirement

August 2016: Banking’s digital transformation

October 2016: Evolution of the branch

December 2016: A look ahead to US retail banking in 2017

April 2017: Navigating the compliance curve

May 2017: Marketing that rises above the noise

June 2017: Banking’s digital transformation


The quest to secure payments security

white hat cybersecurity researcher. “There’s a certain level of risk anytime you are broadcasting information to a wireless network. This is especially true for people who are willing to connect to any available WiFi access point.”

Researchers at the University of Erlangen-Nuremberg in Germany also contend that hackers no longer have to work on multiple fronts, because apps do not utilize an internet security measure known as two-factor identification. “It is sufficient to compromise the mobile device, which automatically compromises all authentication factors running on the smartphone,” writes Vincent Haupert, a research associate at the university’s Security Research Group.

Thus, what is user friendly may be hacker friendly as well. “The current trend that massively favors usability over security is the wrong way to go,” Haupert writes. “Therefore, legislative regulation is required that precisely frames the limits of authentication schemes used in digital banking. Particularly mobile banking currently lacks clear standards that have to be addressed.”

For now, mobile malware does not yet target mobile banking, due in large part to limited customer acceptance. But as payments via wallets and apps become more widespread, criminals are looking for new ways in.

Consumers could also take a lesson from the likes of Bounsengsa, who practices what’s known as good cyber hygiene. “My main security concern is someone being able to take my information as I use the app and hack it as I am using it or shortly after,” she says. “I don’t open the app if I’m using public WiFi and switch to using data if I am not at home.”

How else can banks protect customers?

Encourage and promote cyber hygiene. This also includes the frequent changing of mobile passwords, as well as keeping separate passwords for different accounts (including non-bank portals such as Venmo or PayPal). Without variation, one hacked password can lead to a flood of trouble.

Thoroughly test new consumer-facing payments technology. This consists of a security architecture review, threat modeling, secure coding training, secure code reviews, app integrity protection design, static analysis and dynamic testing.

Look outside headquarters. As players in the FinTech sphere develop breakthroughs in payments security, consider partnering with them or undertaking a joint venture to create something new.

Bounsengsa, the Clearwater theater manager, still feels safe using mobile banking apps to send and receive payments. “I haven’t been hacked or anything of the sort,” she says. “So far, the app has kept my information secure and I feel comfortable using it.”

But there’s no telling how long that will last. For even as payments move faster and smartphones get speedier, so too will the cyber criminals rush to keep pace.

Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards, and his work has appeared in The New York Times, Daily Beast, Philadelphia magazine, Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.


Alternative music for millennials: New payment options to win them over

Millennials aren’t yet sold on mobile payments. But singing their tune begins with loyalty perks and speedier transactions.

By Karen Epper Hoffman

Millennials have fashioned the smartphone into a ubiquitous tool to socialize via Twitter or Instagram or Snapchat, collaborate on projects with Slack, or find and review restaurants on Yelp. So it seems natural that this group would aggressively opt in when it comes to mobile payments, right?

Not so much—or if you prefer, that call is on hold.

While this large, powerful demographic depends on their smartphones to the point of earning the moniker “digital natives,” recent research indicates they aren’t quite as committed to using mobile payment methods just yet as many prognosticators predicted. According to a 2016 survey by Accenture Consulting, 52 percent of North Americans are “extremely aware” of existing mobile payment options. But only a meager 18 percent use them regularly. Indeed, the number of Americans who use mobile phones at the point of sale—just 19 percent—hasn’t bumped up at all in a year, the report finds.

But the interest is there, according to Brian Pearce, senior vice president of innovation for Wells Fargo & Co. Virtual Channels. “There was an assumption that mobile payments behavior [among millennials] is very different, but that’s not what we’re seeing,” he says. “We’re seeing customers interested in using mobile wallets … but they also don’t want to hold up the line.”

Not that the phone line is clear. London-based payments firm VocaLink Ltd. also explored the issue of what’s delaying acceptance of mobile payment with its own survey of 5,000 US millennials. They found that 52 percent had used mobile payments; that’s the impressive part. Not so much impressive: 86 percent had encountered problems.

P2P and pointing beyond point-of-sale

A third of millennials (32 percent) use their phones for peer-to-peer (P2P) payments through applications such as Venmo, compared to about 18 percent on average across other demographic segments. But industry insiders agree the response is not as strong as it could be.

“Mobile payments at the [point of sale] especially are not really resonating with millennials [because] they’re not really attached to much greater value,” says Daniel Van Dyke, mobile practice analyst at Javelin Strategy & Research. “They don’t have a compelling reason to embrace wallet, especially when compared to cards.” Van Dyke claims the lack of merchant acceptance is perhaps the biggest drawback to POS-mobile payments, though he says wallet providers, especially Samsung, are making major inroads.

P2P services continue to gain momentum as the likes of PayPal, Facebook and Chase get into the peer-to-peer game. According to a recent Accenture study, 46 percent of consumers have used P2P services—15 percent with regular frequency. According to the same study, P2P is widely considered the front-running use case for enabling real-time payments in the US.

With significant growth in bill pay technology and usage, opportunities for wider adoption still exist.


Karen Epper Hoffman has been writing about banking and technology issues for nearly a quarter of a century for publications including American Banker, Bloomberg Businessweek and Financial Times’ The Banker. She has also spoken and moderated panels at industry conferences. She lives in Olympia, Wash.


According to the June 2016 BAI Consumer Market Outlook Survey, consumers have an average of 45 bill pay interactions per month. Interestingly, this does not vary widely by generation.

Payments priorities: Loyalty, velocity, friction-free

Millennials already represent more than 75 million US citizens (24 percent of the population) and will have the greatest spending power of any generation by next year ($3.39 trillion). Thus, banks and payments providers refuse to give up on making m-payments work for this up-and-coming group and engage them as customers. Charlie Youakim, CEO of payments upstart Sezzle, points to the basic concept that, as with most consumers, “Millennials are just looking for something that makes their lives easier.”

Youakim suggests that making mobile payments more “friction-free” (that is, not having transactions denied or slow down the line at a store) marks an important first step—one that needs to be followed by offering these valued customers rewards.

“Consumers are fickle,” he says. “They need something to get them on board with [a new] payment method,” recommending clear-cut loyalty options such as cashback on purchases.

Bank-centric applications are not the only option, as business wallets are on the upswing. Starbucks—one of the first businesses to introduce an in-house mobile payments system—has led the way with business-specific wallets. Recently Target, Walmart and CVS have launched their business-specific payments applications. “We will see more business apps that blend payments with experiences such as ‘order ahead’ and in-store pickup over the next year,” notes Malauzai chief product officer Robb Gaynor.

“In the end, it has to come to the banks to deliver the immediacy and the experience [of payment],” notes Alex Carriles, executive vice president and director of mobile and online channels for BBVA Compass Bank. “It doesn’t matter how good the application is. The last mile is delivered by your bank.”

Wells Fargo also sees the value in combining what they can offer as a bank—specifically the connection to a customer’s real-time banking account information—with mobile payment, according to Pearce.

“For us, it begins with the mobile banking application: that ability to check balances before or after a transaction,” he says. The San Francisco-based bank is also looking into other ancillary benefits, such as receipt download to smartphone.

Despite their convenience-based reticence and early disappointments, millennials have shown a propensity to give mobile payments a chance. Indeed, according to at least one account, the total value of mobile payment point-of-sale transactions is forecasted to hit nearly $10 billion by 2018.


One thing is for certain: Millennials aren’t about to put down their smartphones or give up their digital native status. If anything, the natives are restless for payments speed and ease. Banks say that day is coming, and the first ones to make good on their word—whether by wallet, P2P, frictionless app or some appealing combination—stand to win loyal customers and billions in business: a billennial payoff, if you will.


How banks grab consumers with remote deposit capture

The first mobile check deposit services appealed to techies. Now banks promote the user friendliness of revamped services as they tackle frustrations such as low deposit limits.

By Lauri Giesen

When BBVA Compass rolled out its mobile check deposit service four years ago, it got a number of mostly tech-savvy customers to take photos of their checks and deposit them over their smartphones. But as is often the case, the technology did not get the wide reach the bank wanted right off the bat.

So to get customers to come in droves, BBVA Compass had to make improvements to its service. Lots of them. Last year, the bank increased its check amount limits, added new features and began an aggressive branch-based marketing campaign.

What came next, you might say, was a deposit to top them all.

Mobile check deposit volume grew to an amount 70 percent more than the three previous years combined. This time, everyday customers got into the act as they learned the joys of spooning their cereal with one hand and stashing a check in the bank with the other.

“This is a great convenience tool for all customers; they don’t have to go to the bank or to an ATM to deposit their checks,” says Alex Carriles, executive vice president and director of mobile and online channels for BBVA Compass Bank. “They can do it from their kitchen table.”

What’s more, improving this integral part of the payments chain opens new avenues to customer loyalty—while maintaining the status quo, even briefly, poses high risks.

“This is not just about checks,” says James Van Dyke, CEO of Futurion, a digital consulting firm. “It’s about banks being perceived as technology leaders. If customers can’t get their checks to go through their mobile phone right, they’re going to look for another bank when they want to use a credit or debit card for mobile pay or when they want to make a P2P payment.”

One important change BBVA Compass made addresses a pet peeve of bank customers everywhere: raising limits on check deposits via smartphone.


The bank uses a complex algorithm to set limits for each customer based on factors such as account balances and length of time with the bank. The final amounts are “multiple times higher than what they previously had been,” Carriles says. Today, a new customer with a low balance might be allowed to deposit a check up to $1,500, while a customer with the highest score may deposit up to $30,000.

Clearly, experience quality matters just as much as deposit quantity.

“To move adoption to the next level, banks need to deal with design challenges that have hampered customer experiences,” Van Dyke says. Along with a team of experts, he ranked the mobile deposit customer service experience at 15 large banks. What he found wasn’t always good.

Those banks with the lowest customer satisfaction—and lowest use of the services—often had rigid and low deposit limits and did not address ease of use. Customers often didn’t know whether a check was accepted, how long to hold on to their checks and when funds would be available.

BBVA Compass now tells customers exactly when funds are available (as opposed to in general) and speeds funds availability for a fee. Other new features include “My Snap,” which lets customers decide whether to allow the bank app to automatically take the check picture or let customers do it. (Some RDC-enabled apps literally take over the phone, snapping pictures before customers have their checks lined up for the smartphone camera.)

Compass is among the mobile payments services that utilize auto-capture technology, which ensures framing, lighting and other factors are correct before the app snaps the picture. That reduces the number of checks rejected because of poor image quality.

Elsewhere, Bank of America has added the ability to print, save or e-mail images of the check deposited. “We found when we added the ability to print images of check deposits on ATMs, ATM deposits really took off,” says Michelle Moore, Bank of America’s head of digital banking. “So we added the same feature to mobile deposits to give customers the confidence that their check image is secure.”

But fancy features alone won’t get customers to use mobile check deposit. Strong marketing messages are needed, too. Which is where the llamas come in.

Lauri Giesen has spent more than 25 years writing about banking technology and payments for numerous business and financial publications. In the 1990s, she founded and edited Financial Service Online, a magazine covering Internet-based forays into banking and investment services.


BofA’s “talking llama” ad series shows a beast depositing a check in a diner while declaring mobile deposit is “as easy as eggs over easy.”

The bank gives step-by-step instructions on how to deposit a check via a mobile phone on its web site. It has also assigned 3,800 “digital ambassadors”—employees specially trained to promote mobile payments features—in 4,500 branches.

As a result, the bank processed about 306,000 mobile-deposited checks in the fourth quarter of 2016, up 23 percent year-over-year. Mobile checks now make up 19 percent of all check deposits at the bank, compared to 15 percent a year earlier. And 5.2 million out of 21.6 million BofA mobile customers now use the check feature, a number that’s sure to grow.

Whether more credit belongs to the llama or the ambassadors is another matter entirely.


With the increase in mobile applications—along with the recent surge in data breaches—securing sensitive data in the mobile environment has become more important than ever. Based on a new report from Research and Markets, the global mCommerce market is projected to grow at a compound annual growth rate of 331 percent by 2022. For 2016, an estimated 40 percent of Black Friday sales were completed via mobile.

But for all that volume, there are dangers to consider.

Sensitive cardholder information in mobile payment applications, as well as Personally Identifiable Information (PII) and Protected Health Information (PHI) in other mobile-based applications, must be protected end-to-end. As such technologies grow, access to data is becoming easy; hence the need to safeguard sensitive data-in-motion captured on mobile endpoints, which becomes critical to ensure end-to-end data protection.

In today’s economy, mobile provides a wealth of advantages: convenience, ease of use, multiple features with various different mobile apps such as social and ecommerce connectivity, and broad acceptance. The trouble is, this often gives users a perceived sense of security: they feel “comfortable” as long as the device is in reach. Yet the risks often don’t come into their minds, especially those associated with the data typed into the application. The apps that users access to buy items, post information or make appointments may unintentionally enable identity thieves to access credit card data, PII and PHI.

Mobile devices communicate via a secure tunnel (SSL/TLS), but data traveling between the mobile device and the hosting application server is not secure. And once unprotected data hits the app servers, a huge risk emerges: at this point, the tunnel ends and the data is no longer protected.



Alternative music for millennials: New payment options to win them over

Millennials aren’t yet sold on mobile payments. But singing their tune begins with loyalty perks and speedier transactions.

By Karen Epper Hoffman

Millennials have fashioned the smartphone into a ubiquitous tool to socialize via Twitter or Instagram or Snapchat, collaborate on projects with Slack, or find and review restaurants on Yelp. So it seems natural that this group would aggressively opt in when it comes to mobile payments, right?

Not so much—or, if you prefer, that call is on hold.

While this large, powerful demographic depends on their smartphones to the point of earning the moniker “digital natives,” recent research indicates they aren’t quite as committed to using mobile payment methods just yet as many prognosticators predicted. According to a 2016 survey by Accenture Consulting, 52 percent of North Americans are “extremely aware” of existing mobile payment options. But only a meager 18 percent use them regularly. Indeed, the number of Americans who use mobile phones at the point of sale—just 19 percent—hasn’t bumped up at all in a year, the report finds.

But the interest is there, according to Brian Pearce, senior vice president of innovation for Wells Fargo & Co. Virtual Channels. “There was an assumption that mobile payments behavior [among millennials] is very different, but that’s not what we’re seeing,” he says. “We’re seeing customers interested in using mobile wallets … but they also don’t want to hold up the line.”

Not that the phone line is clear. London-based payments firm VocaLink Ltd. also explored the issue of what’s delaying acceptance of mobile payment with its own survey of 5000 US millennials. They found that 52 percent had used mobile payments; that’s the impressive part. Not so much impressive: 86 percent had encountered problems.

P2P and pointing beyond point-of-sale

A third of millennials (32 percent) use their phones for peer-to-peer (P2P) payments through applications such as Venmo, compared to about 18 percent on average across other demographic segments. But industry insiders agree the response is not as strong as it could be.

“Mobile payments at the [point of sale] especially are not really resonating with millennials [because] they’re not really attached to much greater value,” says Daniel Van Dyke, mobile practice analyst at Javelin Strategy & Research. “They don’t have a compelling reason to embrace wallet, especially when compared to cards.” Van Dyke claims the lack of merchant acceptance is perhaps the biggest drawback to POS-mobile payments, though he says wallet providers, especially Samsung, are making major inroads.

P2P services continue to gain momentum as the likes of PayPal, Facebook and Chase get into the peer-to-peer game. According to a recent Accenture study, 46 percent of consumers have used P2P services—15 percent with regular frequency. According to the same study, P2P is widely considered the front-running use case for enabling real-time payments in the US.

With significant growth in bill pay technology and usage, opportunities for wider adoption still exist.

According to the June 2016 BAI Consumer Market Outlook Survey, consumers have an average of 45 bill pay interactions per month. Interestingly, this does not vary widely by generation.

Payments priorities: Loyalty, velocity, friction-free

Millennials already represent more than 75 million US citizens (24 percent of the population) and will have the greatest spending power of any generation by next year ($339 trillion). Thus, banks and payments providers refuse to give up on making m-payments work for this up-and-coming group and engage them as customers. Charlie Youakim, CEO of payments upstart Sezzle, points to the basic concept that, as with most consumers, “Millennials are just looking for something that makes their lives easier.”

Youakim suggests that making mobile payments more “friction-free” (that is, not having transactions denied or slow down the line at a store) marks an important first step—one that needs to be followed by offering these valued customers rewards.

“Consumers are fickle,” he says. “They need something to get them on board with [a new] payment method,” recommending clear-cut loyalty options such as cashback on purchases.

Bank-centric applications are not the only option, as business wallets are on the upswing. Starbucks—one of the first businesses to introduce an in-house mobile payments system—has led the way with business-specific wallets. Recently Target, Walmart and CVS have launched their business-specific payments applications. “We will see more business apps that blend payments with experiences such as ‘order ahead’ and in-store pickup over the next year,” notes Malauzai chief product officer Robb Gaynor.

“In the end, it has to come to the banks to deliver the immediacy and the experience [of payment],” notes Alex Carriles, executive vice president and director of mobile and online channels for BBVA Compass Bank. “It doesn’t matter how good the application is. The last mile is delivered by your bank.”

Wells Fargo also sees the value in combining what they can offer as a bank—specifically, the connection to a customer’s real-time banking account information—with mobile payment, according to Pearce.

“For us, it begins with the mobile banking application, that ability to check balances before or after a transaction,” he says. The San Francisco-based bank is also looking into other ancillary benefits such as receipt download to smartphone.

Despite their convenience-based reticence and early disappointments, millennials have shown a propensity to give mobile payments a chance. Indeed, according to at least one account, the total value of mobile payment point-of-sale transactions is forecasted to hit nearly $10 billion by 2018.

One thing is for certain: Millennials aren’t about to put down their smartphones or give up their digital native status. If anything, the natives are restless for payments speed and ease. Banks say that day is coming, and the first ones to make good on their word—whether by wallet, P2P, frictionless app or some appealing combination—stand to win loyal customers and billions in business: a billennial payoff, if you will.

Karen Epper Hoffman has been writing about banking and technology issues for nearly a quarter of a century for publications including American Banker, Bloomberg Businessweek and Financial Times’ The Banker. She has also spoken and moderated panels at industry conferences. She lives in Olympia, Wash.


How banks grab consumers with remote deposit capture

The first mobile check deposit services appealed to techies. Now banks promote the user friendliness of revamped services as they tackle frustrations such as low deposit limits.

By Lauri Giesen

When BBVA Compass rolled out its mobile check deposit service four years ago, it got a number of mostly tech-savvy customers to take photos of their checks and deposit them over their smartphones. But as is often the case, the technology did not get the wide reach the bank wanted right off the bat.

So to get customers to come in droves, BBVA Compass had to make improvements to its service. Lots of them. Last year, the bank increased its check amount limits, added new features and began an aggressive branch-based marketing campaign.

What came next, you might say, was a deposit to top them all.

Mobile check deposit volume grew to an amount 70 percent more than the three previous years combined. This time, everyday customers got into the act as they learned the joys of spooning their cereal with one hand and stashing a check in the bank with the other.

“This is a great convenience tool for all customers; they don’t have to go to the bank or to an ATM to deposit their checks,” says Alex Carriles, executive vice president and director of mobile and online channels for BBVA Compass Bank. “They can do it from their kitchen table.”

What’s more, improving this integral part of the payments chain opens new avenues to customer loyalty—while maintaining the status quo, even briefly, poses high risks.

“This is not just about checks,” says James Van Dyke, CEO of Futurion, a digital consulting firm. “It’s about banks being perceived as technology leaders. If customers can’t get their checks to go through their mobile phone right, they’re going to look for another bank when they want to use a credit or debit card for mobile pay or when they want to make a P2P payment.”

One important change BBVA Compass made addresses a pet peeve of bank customers everywhere: raising limits on check deposits via smartphone.


The bank uses a complex algorithm to set limits for each customer based on factors such as account balances and length of time with the bank. The final amounts are “multiple times higher than what they previously had been,” Carriles says. Today, a new customer with a low balance might be allowed to deposit a check up to $1500, while a customer with the highest score may deposit up to $30000.

Clearly, experience quality matters just as much as deposit quantity.

“To move adoption to the next level, banks need to deal with design challenges that have hampered customer experiences,” Van Dyke says. Along with a team of experts, he ranked the mobile deposit customer service experience at 15 large banks. What he found wasn’t always good.

Those banks with the lowest customer satisfaction—and lowest use of the services—often had rigid and low deposit limits and did not address ease of use. Customers often didn’t know whether a check was accepted, how long to hold on to their checks and when funds would be available.

BBVA Compass now tells customers exactly when funds are available (as opposed to in general) and speeds funds availability for a fee. Other new features include “My Snap,” which lets customers decide whether to allow the bank app to automatically take the check picture or let customers do it. (Some RDC-enabled apps literally take over the phone, snapping pictures before customers have their checks lined up for the smartphone camera.)

Compass is among the mobile payments services that utilize auto-capture technology, which ensures framing, lighting and other factors are correct before the app snaps the picture. That reduces the number of checks rejected because of poor image quality.

Elsewhere, Bank of America has added the ability to print, save or e-mail images of the check deposited. “We found when we added the ability to print images of check deposits on ATMs, ATM deposits really took off,” says Michelle Moore, Bank of America’s head of digital banking. “So we added the same feature to mobile deposits to give customers the confidence that their check image is secure.”

But fancy features alone won’t get customers to use mobile check deposit. Strong marketing messages are needed too. Which is where the llamas come in.

BofA’s “talking llama” ad series shows a beast depositing a check in a diner while declaring mobile deposit is “as easy as eggs over easy.”

The bank gives step-by-step instructions on how to deposit a check via a mobile phone on its web site. It has also assigned 3800 “digital ambassadors”—employees specially trained to promote mobile payments features—in 4500 branches.

As a result, the bank processed about 306000 mobile-deposited checks in the fourth quarter of 2016, up 23 percent year-over-year. Mobile checks now make up 19 percent of all check deposits at the bank, compared to 15 percent a year earlier. And 52 million out of 216 million BofA mobile customers now use the check feature, a number that’s sure to grow.

Whether more credit belongs to the llama or the ambassadors is another matter entirely.

Lauri Giesen has spent more than 25 years writing about banking technology and payments for numerous business and financial publications. In the 1990s, she founded and edited Financial Service Online, a magazine covering Internet-based forays into banking and investment services.


Making the most of data security: How to mitigate data breaches that can occur through mobile applications

No one can say ‘there’s an app for that’ when it comes to data security. But encryption and tokenization are key technologies banks need to protect sensitive data.

By Smrithi Konanur and Trish Schaefer Reilly

With the increase in mobile applications—along with the recent surge in data breaches—securing sensitive data in the mobile environment has become more important than ever. Based on a new report from Research and Markets, the global mCommerce market is projected to grow at a compound annual growth rate of 331 percent by 2022. For 2016, an estimated 40 percent of Black Friday sales were completed via mobile.

But for all that volume, there are dangers to consider.

Sensitive cardholder information in mobile payment applications, as well as Personally Identifiable Information (PII) and Protected Health Information (PHI) in other mobile-based applications, must be protected end-to-end. As such technologies grow, access to data is becoming easy; hence the need to safeguard sensitive data-in-motion captured on mobile endpoints, which becomes critical to ensure end-to-end data protection.

In today’s economy, mobile provides a wealth of advantages: convenience, ease of use, multiple features with various different mobile apps such as social and ecommerce connectivity, and broad acceptance. The trouble is, this often gives users a perceived sense of security: they feel “comfortable” as long as the device is in reach. Yet the risks often don’t come into their minds, especially those associated with the data typed into the application. The apps that users access to buy items, post information or make appointments may unintentionally enable identity thieves to access credit card data, PII and PHI.

Mobile devices communicate via a secure tunnel (SSL/TLS), but data traveling between the mobile device and the hosting application server is not secure. And once unprotected data hits the app servers, a huge risk emerges: at this point the tunnel ends and the data is no longer protected.

Wouldn’t it be great if you could construct a protected channel in which the data could flow from the mobile device, through the infrastructure, to the back end—and be fully protected?

Safety in the numbers: Data-centric security

Data marks the key risk factor. It lies at the heart and soul of organizations and customers. How do we keep sensitive data used in and transmitted from mobile devices safe? Organizations need to think beyond their basic security concerns—including network security. That is, they must look into data-centric security for both data-in-motion and data-at-rest. Stolen data can be monetized by thieves and thus inspires most security hacks. Thus, we need to think about security from a data perspective.

This concept is to implement layers of security controls by focusing on protecting the data, its movement and access to it. Each layer of security protects and restricts access in various ways. Data-centric security provides security for sensitive data submitted through a mobile endpoint. It enables end-to-end sensitive data protection within native mobile applications through the entire enterprise data lifecycle and payment transaction flow. Data is secured from the point of capture to the trusted host. Additionally, data-centric security is agnostic of the device or end-point.


Smrithi Konanur serves as Global Product Manager of Payments, Web & Mobile at HPE Security – Data Security. Smrithi has more than 14 years of computer software industry experience, including more than seven years of experience in the payment industry.

Trish Schaefer Reilly serves as Global Product Marketing Manager at HPE. Trish has more than 15 years of product marketing and product management experience. She has a broad range of expertise in marketing, defining and managing varied technology platforms, including security, data storage, encryption, key management, big data analytics, virtualization and cloud services.


What is the right approach to data-centric security, especially with mobile applications?

Encrypting and tokenizing sensitive data are well-known approaches to securing data, used in conjunction with authentication.

What is FPE?

Format-preserving encryption (FPE) protects sensitive data by preserving the data format. It transforms data formatted as a sequence of symbols in such a way that the encrypted form of the data has the same format and length as the original data. Since no changes are needed in the data format, retrofitting to legacy applications is very simple and easy, as opposed to conventional encryption, which would change the data format and hence make the integration complex. FPE is a NIST-approved encryption standard (NIST is the National Institute of Standards and Technology, a unit of the US Commerce Department). FPE is derived from an AES 128-bit block algorithm. In addition to the formatted data, each mode of the algorithm takes a “tweak,” an additional input that essentially increases the number of different instances of encrypted data.
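The two properties described above (ciphertext with the same format and length, and a tweak that changes the result) can be seen in the following added example, which is not the authors' or any vendor's code. It is a teaching sketch of a Feistel construction over decimal digits that uses HMAC-SHA256 as the round function in place of the AES-based NIST modes; the function names, the key and the card number (a constructed test value) are assumptions.

```python
"""Teaching sketch of format-preserving encryption over decimal digits.

Assumption: a Feistel network with HMAC-SHA256 as the round function stands in
for the AES-based NIST modes. It shows the behaviour, not a vetted cipher.
"""
import hashlib
import hmac

ROUNDS = 10       # even, so both halves return to their original positions
MIN_DIGITS = 6    # smaller domains can simply be enumerated
MAX_DIGITS = 64   # keeps each half width well inside one byte


def _check(digits: str) -> None:
    ok = digits.isascii() and digits.isdigit()
    if not ok or not MIN_DIGITS <= len(digits) <= MAX_DIGITS:
        raise ValueError(f"need {MIN_DIGITS} to {MAX_DIGITS} ASCII digits")


def _round_value(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """Keyed pseudo-random number below 10**width, bound to tweak and round."""
    msg = len(tweak).to_bytes(2, "big") + tweak + bytes([rnd, width]) + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % 10 ** width


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Map a digit string to another digit string of the same length."""
    _check(digits)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for rnd in range(ROUNDS):
        width = u if rnd % 2 == 0 else v
        c = (int(a) + _round_value(key, tweak, rnd, b, width)) % 10 ** width
        a, b = b, str(c).zfill(width)   # zfill keeps leading zeros
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Undo fpe_encrypt by running the rounds backwards with subtraction."""
    _check(digits)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(ROUNDS)):
        width = u if rnd % 2 == 0 else v
        c = (int(b) - _round_value(key, tweak, rnd, a, width)) % 10 ** width
        a, b = str(c).zfill(width), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt only the middle digits; the first six and last four stay readable.

    The readable digits are used as the tweak, so identical middle digits on
    two different cards are encrypted under different permutations.
    """
    _check(pan)
    head, middle, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + fpe_encrypt(key, middle, (head + tail).encode()) + tail


def reveal_pan(key: bytes, protected: str) -> str:
    """Inverse of protect_pan."""
    _check(protected)
    head, middle, tail = protected[:6], protected[6:-4], protected[-4:]
    return head + fpe_decrypt(key, middle, (head + tail).encode()) + tail


if __name__ == "__main__":
    demo_key = bytes(range(32))      # constructed key, for illustration only
    test_pan = "4111111111111111"    # constructed test number, not a real card
    protected = protect_pan(demo_key, test_pan)
    print(test_pan, "->", protected, "->", reveal_pan(demo_key, protected))
    # Same key and input, different tweak: a different 16-digit result.
    print(fpe_encrypt(demo_key, test_pan, b"merchant-A"))
    print(fpe_encrypt(demo_key, test_pan, b"merchant-B"))
```

A 15-digit number leaves only five middle digits, which `protect_pan` refuses because a domain that small can be enumerated; a legacy field that validates the card checksum would also reject the output unless the check digit is recomputed.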

From broken security to tokenization

Tokenization replaces sensitive data such as credit card numbers with tokens and is one of the data protection and audit scope reduction methods recommended by the Payment Card Industry Data Security Standard (PCI DSS). Capabilities such as secure stateless tokenization remove the storage of cardholder data and do so without requiring token databases mapped to the underlying card data, which are costly to maintain. This dramatically reduces the number of applications and systems that are considered in-scope for compliance assessments, in addition to eliminating token databases from the solution.

Putting it all together: Turning back the hack attack

With the rapid increase in mobile phone usage and applications, a huge opportunity exists for hackers to grab the sensitive data. Organizations have invested in a lot of research and implementations to protect data on desktop and laptop devices.

Here’s a look at the explosion in progress. According to Statista, in 2009 worldwide mobile app downloads amounted to approximately 252 billion and are expected to reach 26869 billion in 2017. Coupling this with the fact that mobile devices have their own device-specific platforms, a huge challenge awaits for mobile security to be normalized or standardized. Moreover, organizations are inclined to invest in revenue-generating applications rather than in building security for these numerous applications.

But starting immediately, they need to look at securing these applications against threats and vulnerabilities early on, rather than as an afterthought. This means implementing the right technology with data-centric, end-to-end security—one that includes strong authentication policies and access control. During design of applications, organizations need to consider the entire flow of the data, including the storage, and implement data-centric security to secure their data. Until the day comes when an app itself might address some of the issues, smart businesses need to make the call now.

© 2017 BAI. All Rights Reserved. 0217

Past Issues

Find all BAI Banking Strategies Executive Reports and ongoing retail banking editorial coverage at BankingStrategies.com.

January 2017: The changing face of fraud in a digital age

May 2016: Marketing’s new horizon

July 2016: Wealth management for retirement

August 2016: Banking’s digital transformation

October 2016: Evolution of the branch

December 2016: A look ahead to US retail banking in 2017

Upcoming Issues

April 2017: Navigating the compliance curve

May 2017: Marketing that rises above the noise

June 2017: Banking’s digital transformation

Page 6: Payments on the march - BAI · Millennials aren’t yet sold on mobile payments. But singing their tune begins with loyalty perks and speedier transactions. How banks grab consumers

BAI Banking Strategies

Executive Report

BankingStrategiescom

10 11

Karen Epper Hoffman has been writing about banking and technology issues for nearly a quarter of a century for publications including American Banker Bloomberg Businessweek and Financial Timesrsquo The Banker She has also spoken and moderated panels at industry conferences She lives in Olympia Wash

Alternative music for millennials New payment options to win them over

According to the June 2016 BAI Consumer Market Outlook Survey consumers have an average of 45 bill pay interactions per month Interestingly this does not vary widely by generation

Payments priorities Loyalty velocity friction-free

Millennials already represent more than 75 million US citizens (24 percent of the population) and will have the greatest spending power of any generation by next year ($339 trillion) Thus banks and payments providers refuse to give up on making m-payments work for this up-and-coming group and engage them as customers Charlie Youakim CEO of payments upstart Sezzle points to the basic concept that as with most consumers ldquoMillennials are just looking for something that makes their lives easierrdquo

Youakim suggests that making mobile payments more ldquofriction-freerdquo (that is not having transactions denied or slow down the line at a store) marks an important first stepmdashone that needs to be followed by offering these valued customers rewards

ldquoConsumers are ficklerdquo he says ldquoThey need something to get them on board with [a new] payment methodrdquo recommending clear-cut loyalty options such as cashback on purchases

Bank-centric applications are not the only option as business wallets are on the upswing Starbucksmdashone of the first businesses to introduce an in-house mobile payments systemmdashhas led the way with business-specific wallets Recently Target Walmart and CVS have launched their business-specific payments applications ldquoWe will see more business apps that blend payments with experiences such as lsquoorder aheadrsquo and in-store pickup over the next yearrdquo notes Malauzai chief product officer Robb Gaynor

ldquoIn the end it has to come to the banks to deliver the immediacy and the experience [of payment]rdquo notes Alex Carriles executive vice president and director of mobile and online channels for BBVA Compass Bank ldquoIt doesnrsquot matter how good the application is The last mile is delivered by your bankrdquo

Wells Fargo also sees the value in combining what they can offer as a bankmdashspecifically the connection to a customerrsquos real-time banking account informationmdashwith mobile payment according to Pearce

ldquoFor us it begins with the mobile banking application that ability to check balances before or after a transactionrdquo he says The San Francisco-based bank is also looking into other ancillary benefits such as receipt download to smartphone

Despite their convenience-based reticence and early disappointments millennials have shown a propensity to give mobile payments a chance Indeed according to at least one account the total value of mobile payment point-of-sale transactions is forecasted to hit nearly $10 billion by 2018

ldquoIn the end it has to come to the banks to deliver the immediacy and the experience [of payment] It doesnrsquot matter how good the application is The last mile is delivered by your bankrdquoAlex Carriles executive vice president and director of mobile and online channels for BBVA Compass Bank

One thing is for certain Millennials arenrsquot about to put down their smartphones or give up their digital native status If anything the natives are restless for payments speed and ease Banks say that day is coming and the first ones to make good on their wordmdashwhether by wallet P2P frictionless app or some appealing combinationmdashstand to win loyal customers and billions in business a billennial payoff if you will

BAI Banking Strategies

Executive Report

BankingStrategiescom

12 13

When BBVA Compass rolled out its mobile check deposit service four years ago it got a number of mostly tech-savvy customers to take photos of their checks and deposit them over their smartphones But as is often the case the technology did not get the wide reach the bank wanted right off the bat

So to get customers to come in droves BBVA Compass had to make improvements to its service Lots of them Last year the bank increased its check amount limits added new features and began an aggressive branch-based marketing campaign

What came next you might say was a deposit to top them all

Mobile check deposit volume grew to an amount 70 percent more than the three previous years combined This time everyday customers got into the act as they learned the joys of spooning their cereal with one hand and stashing a check in the bank with the other

ldquoThis is a great convenience tool for all customers they donrsquot have to go to the bank or to an ATM to deposit their checksrdquo says Alex Carriles executive vice president and director of mobile and online channels for BBVA Compass Bank ldquoThey can do it from their kitchen tablerdquo

Whatrsquos more improving this integral part of the payments chain opens new avenues to customer loyaltymdashwhile maintaining the status quo even briefly poses high risks

ldquoThis is not just about checksrdquo says James Van Dyke CEO of Futurion a digital consulting firm ldquoItrsquos about banks being perceived as technology leaders If customers canrsquot get their checks to go through their mobile phone right theyrsquore going to look for another bank when they want to use a credit or debit card for mobile pay or when they want to make a P2P paymentrdquo

One important change BBVA Compass made addresses a pet peeve of bank customers everywhere raising limits on check deposits via smartphone

The first mobile check deposit services appealed to techies Now banks promote the user friendliness of revamped services as they tackle frustrations such as low deposit limits

By Lauri Giesen

How banks grab consumers with remote deposit capture

BAI Banking Strategies

Executive Report

BankingStrategiescom

14

The bank uses a complex algorithm to set limits for each customer based on factors such as account balances and length of time with the bank. The final amounts are “multiple times higher than what they previously had been,” Carriles says. Today, a new customer with a low balance might be allowed to deposit a check up to $1500, while a customer with the highest score may deposit up to $30000.

Clearly, experience quality matters just as much as deposit quantity.

“To move adoption to the next level, banks need to deal with design challenges that have hampered customer experiences,” Van Dyke says. Along with a team of experts, he ranked the mobile deposit customer service experience at 15 large banks. What he found wasn’t always good.

Those banks with the lowest customer satisfaction—and lowest use of the services—often had rigid and low deposit limits and did not address ease of use. Customers often didn’t know whether a check was accepted, how long to hold on to their checks and when funds would be available.

BBVA Compass now tells customers exactly when funds are available (as opposed to in general) and speeds funds availability for a fee. Other new features include “My Snap,” which lets customers decide whether to allow the bank app to automatically take the check picture or let customers do it. (Some RDC-enabled apps literally take over the phone, snapping pictures before customers have their checks lined up for the smartphone camera.)

Compass is among the mobile payments services that utilize auto-capture technology, which ensures framing, lighting and other factors are correct before the app snaps the picture. That reduces the number of checks rejected because of poor image quality.

Elsewhere, Bank of America has added the ability to print, save or e-mail images of the check deposited. “We found when we added the ability to print images of check deposits on ATMs, ATM deposits really took off,” says Michelle Moore, Bank of America’s head of digital banking. “So we added the same feature to mobile deposits to give customers the confidence that their check image is secure.”

But fancy features alone won’t get customers to use mobile check deposit. Strong marketing messages are needed, too. Which is where the llamas come in.

Lauri Giesen has spent more than 25 years writing about banking technology and payments for numerous business and financial publications. In the 1990s, she founded and edited Financial Service Online, a magazine covering Internet-based forays into banking and investment services.


BofA’s “talking llama” ad series shows a beast depositing a check in a diner while declaring mobile deposit is “as easy as eggs over easy.”

The bank gives step-by-step instructions on how to deposit a check via a mobile phone on its web site. It has also assigned 3800 “digital ambassadors”—employees specially trained to promote mobile payments features—in 4500 branches.

As a result, the bank processed about 306000 mobile-deposited checks in the fourth quarter of 2016, up 23 percent year-over-year. Mobile checks now make up 19 percent of all check deposits at the bank, compared to 15 percent a year earlier. And 52 million out of 216 million BofA mobile customers now use the check feature, a number that’s sure to grow.

Whether more credit belongs to the llama or the ambassadors is another matter entirely.


With the increase in mobile applications—along with the recent surge in data breaches—securing sensitive data in the mobile environment has become more important than ever. Based on a new report from Research and Markets, the global mCommerce market is projected to grow at a compound annual growth rate of 331 percent by 2022. For 2016, an estimated 40 percent of Black Friday sales were completed via mobile.

But for all that volume, there are dangers to consider.

Sensitive cardholder information in mobile payment applications, as well as Personally Identifiable Information (PII) and Protected Health Information (PHI) in other mobile-based applications, must be protected end-to-end. As such technologies grow, access to data is becoming easy; hence the need to safeguard sensitive data-in-motion captured on mobile endpoints, which becomes critical to ensure end-to-end data protection.

In today’s economy, mobile provides a wealth of advantages: convenience, ease of use, multiple features with various different mobile apps such as social and ecommerce connectivity, and broad acceptance. The trouble is, this often gives users a perceived sense of security: they feel “comfortable” as long as the device is in reach. Yet the risks often don’t come into their minds, especially those associated with the data typed into the application. The apps that users access to buy items, post information or make appointments may unintentionally enable identity thieves to access credit card data, PII and PHI.

Mobile devices communicate via a secure tunnel (SSL/TLS), but data traveling between the mobile device and the hosting application server is not secure. And once unprotected data hits the app servers, a huge risk emerges: at this point the tunnel ends and the data is no longer protected.

Wouldn’t it be great if you could construct a protected channel in which the data could flow from the mobile device, through the infrastructure, to the back end—and be fully protected?

Safety in the numbers: Data-centric security

Data marks the key risk factor. It lies at the heart and soul of organizations and customers. How do we keep sensitive data used in and transmitted from mobile devices safe? Organizations need to think beyond their basic security concerns—including network security. That is, they must look into data-centric security for both data-in-motion and data-at-rest. Stolen data can be monetized by thieves and thus inspires most security hacks. Thus, we need to think about security from a data perspective.

This concept is to implement layers of security controls by focusing on protecting the data, its movement and access to it. Each layer of security protects and restricts access in various ways. Data-centric security provides security for sensitive data submitted through a mobile endpoint. It enables end-to-end sensitive data protection within native mobile applications through the entire enterprise data lifecycle and payment transaction flow. Data is secured from the point of capture to the trusted host. Additionally, data-centric security is agnostic of the device or end-point.

Making the most of data security

How to mitigate data breaches that can occur through mobile applications

By Smrithi Konanur and Trish Schaefer Reilly

No one can say ‘there’s an app for that’ when it comes to data security. But encryption and tokenization are key technologies banks need to protect sensitive data.


Smrithi Konanur serves as Global Product Manager of Payments, Web & Mobile at HPE Security – Data Security. Smrithi has more than 14 years of computer software industry experience, including more than seven years of experience in the payment industry.

Trish Schaefer Reilly serves as Global Product Marketing Manager at HPE. Trish has more than 15 years of product marketing and product management experience. She has a broad range of expertise in marketing, defining and managing varied technology platforms including security, data storage, encryption, key management, big data analytics, virtualization and cloud services.


Popular BAI Banking Strategies Articles

1. Top 10 retail banking trends for 2017. New research points the way forward in categories from customer experience to artificial intelligence.

2. Create experiences, not messages. Branded experiences show that banks are dedicated to connecting with customers and community.

3. From branches to big data: Five predictions for 2017. So begins a new year, a new administration and new possibilities in the ways banks will approach business and operations.

4. Video: How do you bridge the divide in culture between FinTech and banks? In this FinTech Forward Interview, innovators and change makers answer the question: How do you bridge the divide in culture between FinTech and banks?

5. Betting on the bot: How chatbots will change the face of banking in 2017. Following consumer affection for chatbots, some banks will use them to help customers monitor finances, but how—and are they secure?

6. Funny money: In new ads, Citi spokesgirl puts secretive adults on the spot. She’s 12. She looks innocent, but when she asks grownups to share their financial details, she gains the upper hand in a game of truth-or-dare.

7. Drowning in data, starving for insight: Starting the customer analytics journey. Analytics is one thing; analyzing how to apply it is another. For all the data complexity, it begins with keeping things simple.

8. The road not token: How fraudsters beating EMV could hit a dead end in 2017. EMV chips in credit and debit cards slow fraud but don’t stop it. Tokenization promises to bolster consumer protections.

9. Cross-selling in the crosshairs of regulators and consumers. As the cross-sell debate continues, banks have a chance to reshape the practice in a way that’s digitally savvy and consumer friendly.

10. InfoSec superstars: How three women broke barriers in banking and security. Seeing and seizing prime opportunities, these female banking executives have carved out leadership positions in information security.

What is the right approach to data-centric security, especially with mobile applications?

Encrypting and tokenizing sensitive data are well-known approaches to securing data, used in conjunction with authentication.

What is FPE?

Format-preserving encryption (FPE) protects sensitive data by preserving the data format. It transforms data formatted as a sequence of symbols in such a way that the encrypted form of the data has the same format and length as the original data. Since no changes are needed in the data format, retrofitting to legacy applications is very simple and easy, as opposed to conventional encryption, which would change the data format and hence make the integration complex. FPE is a NIST-approved encryption standard (NIST is the National Institute of Standards and Technology, a unit of the US Commerce Department). FPE is derived from an AES 128-bit block algorithm. In addition to the formatted data, each mode of the algorithm takes a “tweak,” which is an additional input that essentially increases the number of different encrypted instances of the same data.
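To make the format and tweak properties concrete, the following Python sketch is an added example, not code from the report and not one of the NIST-specified AES-based FPE modes: it is a simplified Feistel network over decimal digits that uses HMAC-SHA256 as its round function. The key, tweak values and card number are constructed test data, and the function names are this example's own; real deployments should rely on a vetted FPE implementation.

```python
"""Toy format-preserving encryption over decimal digits (illustration only)."""
import hashlib
import hmac

ROUNDS = 10       # even, so the two halves finish in their original positions
MIN_DIGITS = 6    # choice made for this sketch: refuse domains small enough to enumerate
MAX_DIGITS = 64
DIGITS = "0123456789"


def round_value(key, tweak, rnd, total_len, half, modulus):
    """Keyed pseudo-random integer in [0, modulus), bound to tweak, round and length."""
    msg = (len(tweak).to_bytes(2, "big") + tweak + bytes([rnd])
           + total_len.to_bytes(2, "big") + half.encode("ascii"))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def check_digits(digits):
    """Reject anything that is not a digit string of an acceptable length."""
    if not digits or any(ch not in DIGITS for ch in digits):
        raise ValueError("input must contain only the digits 0-9")
    if not MIN_DIGITS <= len(digits) <= MAX_DIGITS:
        raise ValueError("need between %d and %d digits" % (MIN_DIGITS, MAX_DIGITS))


def encrypt_digits(key, tweak, digits):
    """Encrypt a digit string into another digit string of the same length."""
    check_digits(digits)
    n = len(digits)
    u = n // 2
    a, b = digits[:u], digits[u:]
    for rnd in range(ROUNDS):
        m = u if rnd % 2 == 0 else n - u          # width of the half being replaced
        c = (int(a) + round_value(key, tweak, rnd, n, b, 10 ** m)) % 10 ** m
        a, b = b, str(c).zfill(m)                 # swap halves, keep leading zeros
    return a + b


def decrypt_digits(key, tweak, digits):
    """Invert encrypt_digits by running the rounds backwards."""
    check_digits(digits)
    n = len(digits)
    u = n // 2
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(ROUNDS)):
        m = u if rnd % 2 == 0 else n - u
        c, b = b, a                               # undo the swap
        a = str((int(c) - round_value(key, tweak, rnd, n, b, 10 ** m)) % 10 ** m).zfill(m)
    return a + b


def transform_field(key, tweak, text, decrypt=False):
    """Transform only the digits of a field; separators stay where they were."""
    digits = "".join(ch for ch in text if ch in DIGITS)
    fn = decrypt_digits if decrypt else encrypt_digits
    out = iter(fn(key, tweak, digits))
    return "".join(next(out) if ch in DIGITS else ch for ch in text)


if __name__ == "__main__":
    demo_key = bytes(range(32))                   # constructed key, demo only
    pan = "4111-1111-1111-1111"                   # constructed test card number
    for tweak in (b"merchant-0001", b"merchant-0002"):
        protected = transform_field(demo_key, tweak, pan)
        restored = transform_field(demo_key, tweak, protected, decrypt=True)
        print(tweak.decode(), protected, restored == pan)
```

The output keeps the 16-digit, dash-separated layout a legacy field validator expects, while the two tweak values yield different protected values for the same card number under the same key.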

From broken security to tokenization

Tokenization replaces sensitive data, such as credit card numbers, with tokens and is one of the data protection and audit scope reduction methods recommended by the Payment Card Industry Data Security Standard (PCI DSS). Capabilities such as secure stateless tokenization remove the storage of cardholder data and do so without requiring token databases mapped to the underlying card data, which are costly to maintain. This dramatically reduces the number of applications and systems that are considered in-scope for compliance assessments, in addition to eliminating token databases from the solution.

Putting it all together: Turning back the hack attack

With the rapid increase in mobile phone usage and applications, a huge opportunity exists for hackers to grab the sensitive data. Organizations have invested in a lot of research and implementations to protect data on desktop and laptop devices.

Here’s a look at the explosion in progress. According to Statista, in 2009 worldwide mobile app downloads amounted to approximately 252 billion and are expected to reach 26869 billion in 2017. Coupling this with the fact that mobile devices have their own device-specific platforms, a huge challenge awaits for mobile security to be normalized or standardized. Moreover, organizations are inclined to invest in revenue-generating applications rather than in building security for these numerous applications.

But starting immediately, they need to look at addressing threats and vulnerabilities for these applications early on rather than as an afterthought. This means implementing the right technology with data-centric, end-to-end security—one that includes strong authentication policies and access control. During design of applications, organizations need to consider the entire flow of the data, including the storage, and implement data-centric security to secure their data. Until the day comes when an app itself might address some of the issues, smart businesses need to make the call now.

© 2017 BAI. All Rights Reserved. 0217

Past Issues

Find all BAI Banking Strategies Executive Reports and ongoing retail banking editorial coverage at BankingStrategies.com

Upcoming Issues

January 2017: The changing face of fraud in a digital age

May 2016: Marketing’s new horizon

July 2016: Wealth management for retirement

August 2016: Banking’s digital transformation

October 2016: Evolution of the branch

December 2016: A look ahead to US retail banking in 2017

April 2017: Navigating the compliance curve

May 2017: Marketing that rises above the noise

June 2017: Banking’s digital transformation


When BBVA Compass rolled out its mobile check deposit service four years ago, it got a number of mostly tech-savvy customers to take photos of their checks and deposit them over their smartphones. But as is often the case, the technology did not get the wide reach the bank wanted right off the bat.

So to get customers to come in droves, BBVA Compass had to make improvements to its service. Lots of them. Last year, the bank increased its check amount limits, added new features and began an aggressive branch-based marketing campaign.

What came next, you might say, was a deposit to top them all.

Mobile check deposit volume grew to an amount 70 percent more than the three previous years combined. This time, everyday customers got into the act as they learned the joys of spooning their cereal with one hand and stashing a check in the bank with the other.

“This is a great convenience tool for all customers; they don’t have to go to the bank or to an ATM to deposit their checks,” says Alex Carriles, executive vice president and director of mobile and online channels for BBVA Compass Bank. “They can do it from their kitchen table.”

What’s more, improving this integral part of the payments chain opens new avenues to customer loyalty—while maintaining the status quo, even briefly, poses high risks.


Page 8: Payments on the march - BAI · Millennials aren’t yet sold on mobile payments. But singing their tune begins with loyalty perks and speedier transactions. How banks grab consumers

BAI Banking Strategies

Executive Report

BankingStrategiescom

14

The bank uses a complex algorithm to set limits for each customer based on factors such as account balances and length of time with the bank The final amounts are ldquomultiple times higher than what they previously had beenrdquo Carriles says Today a new customer with a low balance might be allowed to deposit a check up to $1500 while a customer with the highest score may deposit up to $30000

Clearly experience quality matters just as much as deposit quantity

ldquoTo move adoption to the next level banks need to deal with design challenges that have hampered customer experiencesrdquo Van Dyke says Along with a team of experts he ranked the mobile deposit customer service experience at 15 large banks What he found wasnrsquot always good

Those banks with the lowest customer satisfactionmdashand lowest use of the servicesmdashoften had rigid and low deposit limits and did not address ease of use Customers often didnrsquot know whether a check was accepted how long to hold on to their checks and when funds would be available

BBVA Compass now tells customers exactly when funds are available (as opposed to in general) and speeds funds availability for a fee Other new features include ldquoMy Snaprdquo which lets customers decide whether to allow the bank app to automatically take the check picture or let customers do it (Some RDC-

enabled apps literally take over the phone snapping pictures before customers have their checks lined up for the smartphone camera)

Compass is among the mobile payments services that utilizes auto-capture technology ensures framing lighting and other factors are correct before the app snaps the picture That reduces the number of checks rejected because of poor image quality

Elsewhere Bank of America has added the ability to print save or e-mail images of the check deposited ldquoWe found when we added the ability to print images of check deposits on ATMs ATM deposits really took offrdquo says Michelle Moore Bank of Americarsquos head of digital banking ldquoSo we added the same feature to mobile deposits to give customers the confidence that their check image is securerdquo

But fancy features alone wonrsquot get customers to use mobile check deposit Strong marketing messages are needed too Which is where the llamas come in

Lauri Giesen has spent more than 25 years writing about banking technology and payments for numerous business and financial publications In the 1990s she founded and edited Financial Service Online a magazine covering Internet-based forays into banking and investment services

How banks grab consumers with remote deposit capture

15

BofA's "talking llama" ad series shows a beast depositing a check in a diner while declaring mobile deposit is "as easy as eggs over easy."

The bank gives step-by-step instructions on how to deposit a check via a mobile phone on its web site. It has also assigned 3,800 "digital ambassadors" (employees specially trained to promote mobile payments features) in 4,500 branches.

As a result, the bank processed about 306,000 mobile-deposited checks in the fourth quarter of 2016, up 23 percent year-over-year. Mobile checks now make up 19 percent of all check deposits at the bank, compared to 15 percent a year earlier. And 52 million out of 216 million BofA mobile customers now use the check feature, a number that's sure to grow.

Whether more credit belongs to the llama or the ambassadors is another matter entirely.

"This is not just about checks. It's about banks being perceived as technology leaders." James Van Dyke, CEO of Futurion

With the increase in mobile applications, along with the recent surge in data breaches, securing sensitive data in the mobile environment has become more important than ever. Based on a new report from Research and Markets, the global mCommerce market is projected to grow at a compound annual growth rate of 331 percent by 2022. For 2016, an estimated 40 percent of Black Friday sales were completed via mobile.

But for all that volume, there are dangers to consider.

Sensitive cardholder information in mobile payment applications, as well as Personally Identifiable Information (PII) and Protected Health Information (PHI) in other mobile-based applications, must be protected end-to-end. As such technologies grow, access to data is becoming easy; hence the need to safeguard sensitive data-in-motion captured on mobile endpoints, which becomes critical to ensure end-to-end data protection.

In today's economy, mobile provides a wealth of advantages: convenience, ease of use, multiple features with various different mobile apps such as social and ecommerce connectivity, and broad acceptance. The trouble is, this often gives users a perceived sense of security: they feel "comfortable" as long as the device is in reach. Yet the risks often don't come into their minds, especially those associated with the data typed into the application. The apps that users access to buy items, post information or make appointments may unintentionally enable identity thieves to access credit card data, PII and PHI.

Mobile devices communicate via a secure tunnel (SSL/TLS), but data traveling between the mobile device and the hosting application server is not secure. And once unprotected data hits the app servers, a huge risk emerges: at this point the tunnel ends and the data is no longer protected.

Wouldn't it be great if you could construct a protected channel in which the data could flow from the mobile device through the infrastructure to the back end, and be fully protected?

Safety in the numbers: Data-centric security

Data marks the key risk factor. It lies at the heart and soul of organizations and customers. How do we keep sensitive data used in and transmitted from mobile devices safe? Organizations need to think beyond their basic security concerns, including network security. That is, they must look into data-centric security for both data-in-motion and data-at-rest. Stolen data can be monetized by thieves and thus inspires most security hacks. Thus, we need to think about security from a data perspective.

This concept is to implement layers of security controls by focusing on protecting the data, its movement and access to it. Each layer of security protects and restricts access in various ways. Data-centric security provides security for sensitive data submitted through a mobile endpoint. It enables end-to-end sensitive data protection within native mobile applications, through the entire enterprise data lifecycle and payment transaction flow. Data is secured from the point of capture to the trusted host. Additionally, data-centric security is agnostic of the device or end-point.

Making the most of data security

How to mitigate data breaches that can occur through mobile applications

By Smrithi Konanur and Trish Schaefer Reilly

No one can say 'there's an app for that' when it comes to data security. But encryption and tokenization are key technologies banks need to protect sensitive data.

Smrithi Konanur serves as Global Product Manager of Payments, Web & Mobile at HPE Security – Data Security. Smrithi has more than 14 years of computer software industry experience, including more than seven years of experience in the payment industry.

Trish Schaefer Reilly serves as Global Product Marketing Manager at HPE. Trish has more than 15 years of product marketing and product management experience. She has a broad range of expertise in marketing, defining and managing varied technology platforms, including security, data storage, encryption, key management, big data analytics, virtualization and cloud services.

Popular BAI Banking Strategies Articles

1. Top 10 retail banking trends for 2017
   New research points the way forward in categories from customer experience to artificial intelligence.

2. Create experiences, not messages
   Branded experiences show that banks are dedicated to connecting with customers and community.

3. From branches to big data: Five predictions for 2017
   So begins a new year, a new administration and new possibilities in the ways banks will approach business and operations.

4. Video: How do you bridge the divide in culture between FinTech and banks?
   In this FinTech Forward Interview, innovators and change makers answer the question: How do you bridge the divide in culture between FinTech and banks?

5. Betting on the bot: How chatbots will change the face of banking in 2017
   Following consumer affection for chatbots, some banks will use them to help customers monitor finances, but how, and are they secure?

6. Funny money: In new ads, Citi spokesgirl puts secretive adults on the spot
   She's 12. She looks innocent, but when she asks grownups to share their financial details, she gains the upper hand in a game of truth-or-dare.

7. Drowning in data, starving for insight: Starting the customer analytics journey
   Analytics is one thing; analyzing how to apply it is another. For all the data complexity, it begins with keeping things simple.

8. The road not token: How fraudsters beating EMV could hit a dead end in 2017
   EMV chips in credit and debit cards slow fraud but don't stop it. Tokenization promises to bolster consumer protections.

9. Cross-selling in the crosshairs of regulators and consumers
   As the cross-sell debate continues, banks have a chance to reshape the practice in a way that's digitally savvy and consumer friendly.

10. InfoSec superstars: How three women broke barriers in banking and security
    Seeing and seizing prime opportunities, these female banking executives have carved out leadership positions in information security.

What is the right approach to data-centric security, especially with mobile applications?

Encrypting and tokenizing sensitive data are well-known approaches to securing data, used in conjunction with authentication.

What is FPE?

Format-preserving encryption (FPE) protects sensitive data by preserving the data format. It transforms data formatted as a sequence of symbols in such a way that the encrypted form of the data has the same format and length as the original data. Since no changes are needed in the data format, retrofitting to legacy applications is very simple and easy, as opposed to conventional encryption, which would change the data format and hence make the integration complex. FPE is a NIST-approved encryption standard (NIST is the National Institute of Standards and Technology, a unit of the US Commerce Department). FPE is derived from an AES 128-bit block algorithm. In addition to the formatted data, each mode of the algorithm takes a "tweak," which is an additional input that essentially increases the number of different instances of encrypted data.
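Added illustration (not from the article, and not the NIST or HPE algorithm): a toy Feistel construction in Python that shows the two properties the FPE paragraph describes, namely ciphertext with the same length and character set as the input, and a tweak that makes the same card number encrypt differently per context. The HMAC-SHA256 round function, all names, the key and the card number are assumptions made for this example.

```python
"""Toy format-preserving encryption over decimal digits (illustration only).

NOT the NIST FF1/FF3-1 algorithms and not for production use: the round
function is HMAC-SHA256 instead of AES, and every name here is made up.
"""
import hashlib
import hmac
import re

ROUNDS = 10       # example's choice; an even count puts the halves back in place
MIN_DIGITS = 6    # example's choice: tiny domains can simply be enumerated
MAX_DIGITS = 255  # the total length is encoded in one byte below
LEGACY_PAN_RE = re.compile(r"[0-9]{16}")  # hypothetical check in an older application


def _round_value(key: bytes, tweak: bytes, rnd: int, total_len: int, half: str) -> int:
    """Keyed pseudo-random integer for one Feistel round."""
    msg = len(tweak).to_bytes(2, "big") + tweak + bytes([rnd, total_len]) + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _check(digits: str) -> None:
    """Accept only ASCII decimal strings of a supported length."""
    ok = digits.isascii() and digits.isdigit() and MIN_DIGITS <= len(digits) <= MAX_DIGITS
    if not ok:
        raise ValueError(f"need {MIN_DIGITS}..{MAX_DIGITS} ASCII decimal digits")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Return a digit string of the same length as `digits`."""
    _check(digits)
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2:]
    for rnd in range(ROUNDS):
        m = len(a)
        # Add a keyed value derived from the other half, modulo 10^m,
        # so the result is again exactly m decimal digits.
        c = (int(a) + _round_value(key, tweak, rnd, n, b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt; needs the same key and the same tweak."""
    _check(digits)
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2:]
    for rnd in reversed(range(ROUNDS)):
        m = len(b)
        c = (int(b) - _round_value(key, tweak, rnd, n, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def demo() -> dict:
    key = bytes(range(16))     # constructed demo key; real keys come from a key manager
    pan = "4111111111111111"   # constructed test card number
    at_app_a = fpe_encrypt(key, b"app-A", pan)   # tweak = context label (assumption)
    at_app_b = fpe_encrypt(key, b"app-B", pan)
    return {
        "ciphertext_a": at_app_a,
        "ciphertext_b": at_app_b,
        # The protected value still satisfies the old "16 digits" validation.
        "passes_legacy_check": bool(LEGACY_PAN_RE.fullmatch(at_app_a)),
        "round_trip": fpe_decrypt(key, b"app-A", at_app_a) == pan,
        # Decrypting under a different tweak does not give back the card number.
        "wrong_tweak_recovers": fpe_decrypt(key, b"app-B", at_app_a) == pan,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A format check such as the regular expression above is preserved, but a Luhn checksum generally is not, so systems that validate the check digit need to be accounted for before a protected value is passed to them.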

From broken security to tokenization

Tokenization replaces sensitive data such as credit card numbers with tokens, and is one of the data protection and audit scope reduction methods recommended by the Payment Card Industry Data Security Standard (PCI DSS). Capabilities such as secure stateless tokenization remove the storage of cardholder data, and do so without requiring token databases mapped to the underlying card data, which are costly to maintain. This dramatically reduces the number of applications and systems that are considered in-scope for compliance assessments, in addition to eliminating token databases from the solution.

Putting it all together: Turning back the hack attack

With the rapid increase in mobile phone usage and applications, a huge opportunity exists for hackers to grab the sensitive data. Organizations have invested in a lot of research and implementations to protect data on desktop and laptop devices.

Here's a look at the explosion in progress: According to Statista, in 2009 worldwide mobile app downloads amounted to approximately 252 billion and are expected to reach 26869 billion in 2017. Coupling this with the fact that mobile devices have their own device-specific platforms, a huge challenge awaits for mobile security to be normalized or standardized. Moreover, organizations are inclined to invest in revenue-generating applications rather than in building security for these numerous applications.

But starting immediately, they need to look at addressing threats and vulnerabilities for these applications early on, rather than as an afterthought. This means implementing the right technology with data-centric, end-to-end security, one that includes strong authentication policies and access control. During design of applications, organizations need to consider the entire flow of the data, including the storage, and implement data-centric security to secure their data. Until the day comes when an app itself might address some of the issues, smart businesses need to make the call now.

© 2017 BAI. All Rights Reserved. 0217

Past Issues
Find all BAI Banking Strategies Executive Reports and ongoing retail banking editorial coverage at BankingStrategies.com

Upcoming Issues

January 2017: The changing face of fraud in a digital age

May 2016: Marketing's new horizon

July 2016: Wealth management for retirement

August 2016: Banking's digital transformation

October 2016: Evolution of the branch

December 2016: A look ahead to US retail banking in 2017

April 2017: Navigating the compliance curve

May 2017: Marketing that rises above the noise

June 2017: Banking's digital transformation
