
Update on developments in online payments, Vol. 7 Issue 3, 13 May 2014
www.thepaypers.com, Copyright © The Paypers

In this issue:
The Paypers Special: Data breaches keep on rising, collaboration is key in fighting fraud (page 1)
Exclusive Interviews: Exclusive interview with Aaron Kline, ID Analytics (page 7)
Experts’ Corner: Cybersource: What can organisations do to protect their customer’s payment data? (page 2)

DATA BREACHES KEEP ON RISING, COLLABORATION IS KEY IN FIGHTING FRAUD

We live in a constantly changing world. Things that were just a thought a while ago are now becoming a reality. Nowadays technology, as well as the disruptive innovation that drives it, is present in almost every single aspect of our lives. The internet, for instance, which in its early years was both praised and damned, is currently the leading channel for most of our daily activities. Evolution is an ongoing process and the best is yet to come.

However, things are never that simple: progress also has its downsides. We have more freedom and more choices, and we have access to advanced technologies which enable us to perform complex activities, but at the same time we are exposed to numerous threats. The payments industry is no exception. Each time we make a transaction, check our banking details, or authenticate on a new device, we run a major risk. Fraudsters are just around the corner, waiting to find that weak spot so they can gain access to sensitive financial data such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property.

Lately, data breaches seem to be the new wave when it comes to fraud. In 2013, US retailer Target revealed that it had experienced unauthorized access to payment card data. The breach, which extended to almost all Target stores in the US, captured data stored on the magnetic stripes of the cards that customers swipe at the cash register. During the same year, another major US retailer was confronted with a similar situation: Neiman Marcus revealed that hackers had invaded its systems for several months in a breach that involved 1.1 million credit and debit cards.

According to data from the Ponemon Institute, the average cost of a corporate data breach grew 15% in 2013, reaching USD 3.5 million. Furthermore, the same source reports that the cost incurred for each lost or stolen record containing sensitive and confidential information increased more than 9%, to a consolidated average of USD 145.

The report also mentions that the root causes of data breaches vary per country. Countries in the Arabian region and Germany had more data breaches caused by malicious or criminal attacks. On the other hand, India had the most data breaches caused by a system glitch or business process failure. Human error was most often the cause in the UK and Brazil.

Another study, this time conducted by Verizon, points out nine threat patterns, namely: miscellaneous errors such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; denial of service attacks; cyberespionage; point-of-sale intrusions; and payment card skimmers.

The same research shows that in the financial services sector, 75% of the incidents come from web application attacks, distributed denial of service (DDoS) and card skimming. In the retail sector, the majority of attacks are tied to DDoS (33%), followed by point-of-sale intrusions (31%).

Findings reveal that the use of stolen and/or misused credentials (user names/passwords) continues to be the main way to gain access to information. Two out of three breaches exploit weak or stolen passwords. In addition, retail point-of-sale (POS) attacks continue to trend downward, as they have since 2011. Industries commonly hit by POS intrusions are restaurants, hotels, grocery stores and other brick-and-mortar retailers, where intruders attempt to capture payment card data.

Taking into account these statistics as well as the latest major security incidents, it is obvious that both companies and consumers need better and more sophisticated measures to fight fraud. In order to keep up with cybercriminals, companies should acknowledge that they have to implement different solutions aimed at combating more types of attacks. A one-size-fits-all solution does not work. The best approach implies constant collaboration between the parties involved, permanent industry knowledge acquisition and keeping an eye on fraudsters: trying to understand the way they think and act may help in identifying the appropriate steps to counteract these problems effectively.

EXPERTS’ CORNER

“What can organisations do to protect their customer’s payment data?”

By Pritesh Patel, CyberSource

Pritesh Patel is responsible for establishing and leading a team of diverse Value Added Services Consultants across CEMEA to provide dedicated implementation, technical and presales support for driving ecommerce/CNP acceptance. He works closely with management to influence and drive sales and Value Added Services pipelines to ensure revenue targets are met or exceeded.

With more data being collected, from more consumers and across more channels, payment security has become top of mind. Today, payment data is gold – with sophisticated criminals using an array of methods to reach this sensitive information.

The whole area of data security is highlighted in Verizon’s latest Data Breach Investigations Report, based on interviews with 50 large organisations around the globe, which cites more than 60,000 security incidents and 1,367 confirmed data breaches as having taken place in 2013.

While Verizon tags 2013 as the “year of the retailer breach,” it acknowledges that retailers understand the need to protect customers’ personal identifying information, and that there are associated risks with it being compromised. As an organisation, you can certainly try to lock down and contain this data; however, your efforts will need to scale with your expanding operations. Costs can increase, and you’ll strive to keep ahead of criminal minds.

A ‘data-out’ strategy can help to mitigate concerns and contains two essential components:

1. Eliminate contact with sensitive payment data during acceptance

The use of cloud-based technologies allows you to transmit payment information directly to the cloud to be processed and stored in a PCI DSS-compliant network, so that the data doesn’t enter your environment.

Customers making a purchase online or via their mobile can then be directed to a payment page in the cloud where they can enter their payment information. In doing so, payment data never actually enters your environment; instead it can be transmitted to a fully compliant Level 1 PCI network, removing liability at the point of interaction.

2. Avoid storing payment data in your systems

Remove payment data from your environment by tokenising it. A payment token is a ‘non-financial identifier’ that can be used in place of an original payment credential to initiate a payment transaction. After a payment has been processed, your payment provider should store the card data in a PCI DSS-compliant secure data centre and return just the payment token.

Payment security risk arises from the fact that payment data is present in your environment in the first place. By not touching, storing or handling sensitive data, you can help reduce the complexity of PCI compliance management, and help protect sensitive customer information.
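The two-part ‘data-out’ strategy above, as an added example that is not code from The Paypers or CyberSource: a toy provider-side vault that returns a letters-only token, a merchant order store that keeps only the token and the last four digits, and a Luhn-based scan the merchant can run over its own records to confirm that no card number ever landed in its environment. The vault, the token format, the scan and the sample card data (a standard test number) are assumptions constructed for this demo.

```python
"""Data-out strategy in miniature: the provider keeps the card, the merchant keeps a token.

Added example, not code from The Paypers or CyberSource. ProviderVault stands in
for the payment provider's PCI DSS-scoped data centre, MerchantOrders for the
merchant's own database, and find_pans() is a defender-side check that the
merchant store holds no card number. All names, the token format and the sample
card data (a standard test PAN) are assumptions constructed for this demo.
"""
from __future__ import annotations

import re
import secrets

# Letters only: a token can then never be mistaken for a card number by the scan
# below, and nothing about the PAN can be derived from it.
_TOKEN_ALPHABET = "abcdefghijklmnopqrstuvwxyz"


class ProviderVault:
    """Provider side (inside the PCI DSS-compliant network): holds real card data."""

    def __init__(self) -> None:
        self._cards: dict[str, dict[str, str]] = {}  # token -> card record

    def tokenize(self, pan: str, expiry: str) -> str:
        """Store the card and hand back a random, non-financial identifier."""
        token = "tok_" + "".join(secrets.choice(_TOKEN_ALPHABET) for _ in range(20))
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Only the provider ever sees the PAN again, and only to process payment."""
        card = self._cards.get(token)
        return card is not None and amount_cents > 0


class MerchantOrders:
    """Merchant side: stores the token and non-sensitive order details only."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    def record_order(self, order_id: str, token: str, last4: str, amount_cents: int) -> None:
        self.records.append({"order_id": order_id, "payment_token": token,
                             "card_last4": last4, "amount_cents": amount_cents})


def hosted_page_checkout(vault: ProviderVault, orders: MerchantOrders,
                         order_id: str, pan: str, expiry: str, amount_cents: int) -> str:
    """Mimic the cloud payment page: the PAN goes straight to the provider,
    the merchant's systems receive and store nothing but the token."""
    token = vault.tokenize(pan, expiry)            # entered on the provider's page
    orders.record_order(order_id, token, pan[-4:], amount_cents)
    vault.charge(token, amount_cents)              # later charges reuse the token
    return token


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid, card-number-shaped digit runs found in arbitrary text.

    This is the check a merchant can run over logs, database dumps or backups
    to confirm that the data-out design held and no PAN crept into scope.
    """
    hits = []
    for match in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def merchant_store_is_clean(orders: MerchantOrders) -> bool:
    """True when nothing in the merchant's records looks like a card number."""
    return not find_pans(repr(orders.records))


if __name__ == "__main__":
    vault, orders = ProviderVault(), MerchantOrders()
    # 4111 1111 1111 1111 is a well-known test number, not a real card
    tok = hosted_page_checkout(vault, orders, "order-1001", "4111111111111111", "12/26", 4999)
    print("merchant holds:", orders.records[0])
    print("merchant store clean:", merchant_store_is_clean(orders))
    print("charge via token:", vault.charge(tok, 1500))
```

The same find_pans() scan applied to a store that did keep a card number reports the leak, which is the practical test of whether the merchant environment is really out of scope.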

EXCLUSIVE INTERVIEW WITH JASON TAN, SIFT SCIENCE

“Sift takes a 'no rules, just data' approach to ecommerce fraud”

Jason Tan (@jasontan) is the Co-Founder and CEO of Sift Science, a US technology company that fights online fraud with large-scale machine learning. He previously served as CTO of BuzzLabs, a machine learning startup acquired by InterActiveCorp. Prior to that, he was an early engineer at two Seattle startups, http://Zillow.com and Optify. Jason graduated magna cum laude from the University of Washington in 2006 with a Computer Engineering degree.

Sift Science is a US-based technology company dedicated to making world-class fraud detection accessible to everyone. Sift designed its automated, real-time, large-scale machine learning solution to make finding and stopping online fraud as quick, easy, and accurate as possible. Comprised of a multidisciplinary team of innovators, Sift Science has the backing of investors like Spark Capital, Union Square Ventures, First Round Capital, PayPal co-founder Max Levchin, Salesforce CEO Marc Benioff, Zillow co-founder Rich Barton, angel investor Chris Dixon and Y Combinator.

What is Sift Science’s approach when it comes to ecommerce fraud?

Jason Tan: Sift takes a “no rules, just data” approach to ecommerce fraud. We’ve built our product to be:

• Accurate: Accurate scores mean great results. Our goal is to have Sift customers catch all of their fraud with very low false positive rates.

• Fast: Sift’s learning and analysis work in real time. Fraud scores are available immediately and updated continuously to incorporate customer feedback as soon as it’s given. With Sift, our customers never need to set rules.

• Comprehensive & customized: With large-scale machine learning, Sift leaves no stone unturned in looking for fraud patterns. Sift users get their very own Sift models that adapt to each unique business; by combining our existing fraud library with each store or website’s data, every customer’s Sift model is specially tailored to his or her needs. For example, if a customer sells shoes, we might learn that size 10 shoes are more suspicious than size 15 shoes.

• Transparent: Scores and signals are available to customers via our real-time console, APIs and email notifications, so the information is available whenever and wherever you need it. Our console is a one-stop shop; there, users can find all of the information that a fraud team requires to streamline decisions as well as view data visualizations to better understand customer patterns and actions.

• Easy: With Sift, it’s easy to get started and there’s no risk to try our fraud-fighting product. Integration is simple and we require no contract lock-in or setup fees. Every customer gets a 30-day free trial. Our pricing structure is transparent and designed to support every customer’s growth.

The online environment as well as the payments industry are changing at a faster pace. What is the impact this constant development has on online security?

Jason Tan: Online security companies are subject to intense pressure because online payments and ecommerce opportunities continue to rapidly evolve. This environment requires a two-fold response:

1) Solutions must be flexible & adaptive (whether to new business models, or to the ways that consumers can spend money): Models must be customized to the unique and constantly changing methods that fraudsters use when attacking a customer’s site. Strength comes in the ability to learn from and predict the unique patterns seen in a vertical, business model or geography. Online security companies must leave no stone unturned and adapt to even the most sophisticated fraudster’s tactics.

2) Solutions must be comprehensive and work in real time: The payments industry must be able to analyze all available data and discover all available patterns in real time. Best-in-class technology is essential in order to stay ahead of fraudsters.

Cybercrime attempts have increased lately, with more and more companies being targeted. What could they do to stay ahead of security risks?

Jason Tan: We all need to take a proactive approach to fraud prevention and leverage the fraud patterns seen globally across the internet. For example, fraud patterns displayed in the gaming industry often show up in other industries years later. Companies can stay ahead of these risks by getting access to pooled learnings. For example, Sift Science has a library of 5M fraud patterns that our customers can leverage and apply to their fraud-finding models.

What are the biggest challenges when it comes to payment security for retailers and customers nowadays?

Jason Tan: Although fraudsters are growing more sophisticated, the data that retailers need to protect themselves from fraudsters is available and always increasing. However, taking advantage of it (collecting, processing, and deriving insights from this data) is incredibly difficult. The technology exists, but the skills required to execute on the intricacies of the technology are scarce and, usually, are only found at places like Amazon, PayPal, and Google. At Sift, we’re making this state-of-the-art technology accessible and offering our customers lessons learned on a global scale.

“We are thrilled to be the 2014 METAwards winner. To be honored by our peers, customers and industry leaders at MRC is incredibly humbling. We will rise to the expectations and esteem that come with the METAwards, and will continue to innovate and deliver more value for our current and future customers. We believe that our unique large-scale, real-time machine learning technology is the way to solve fraud in the next decade, and want to help online merchants of all shapes and sizes.”

Jason Tan, Sift Science

EXPERTS’ CORNER

“Match the payment authentication process with the consumer’s risk profile”

By Stanley Harmsen van der Vliet, INFORM

Stan is currently product marketing manager for INFORM's fraud prevention solution for both the financial and insurance market and an online marketing advisor for several smaller companies in The Netherlands. Stan recently served as a freelance consultant at EastNets and as a Business Developer for Fiserv Inc. EastNets is a global provider of compliance and payment solutions with main offices in Dubai, Amman and Brussels. He was responsible for the overall training development program for employees and partners.

INFORM develops and markets software systems to optimize business processes on the basis of operations research and fuzzy logic. INFORM’s Risk & Fraud division is specialized in fraud prevention and provides a high-performance multi-channel fraud detection and risk assessment solution that helps banks, acquirers, issuers and PSPs mitigate payment risk and avoid chargebacks. RiskShield prevents fraud losses and increases customer confidence with the most adaptive and fastest deployable anti-fraud software in the market today.

More than 1000 companies worldwide benefit from advanced optimization software systems by INFORM in industries such as transport logistics, airport resource management, production planning, financial crime risk management and insurance claims handling optimization. INFORM employs over 500 staff from more than 30 countries.

It must be an odd feeling: always being one, or a few, steps behind. Fighting fraud can be achieved by implementing additional safety measures, but the cost of these measures is high for the payment providers and they don’t always deliver consumers the perfect online experience. So, it might be better to adapt to this and implement security measures that keep costs down and truly help consumers make safer payments. The overload of payment verification tools and processes feels like an extra layer of inconvenience to consumers, and they can hardly be seen as a help in executing a payment for ecommerce platforms such as Amazon, John Lewis, Ikea or Zalando.

Risk-based authentication opportunities

Banks and credit card companies do, of course, have good reasons for implementing these security authentication measures, as they do help to reduce Internet fraud. But they should not close their eyes to alternative eCommerce security and authentication solutions that also meet the ever-changing needs of the consumer. There are better ways of providing consumers with a far more satisfying online and mobile shopping experience: card issuing banks and card service providers should adopt tools that offer differentiating possibilities, such that a consumer with a high risk will still be taken through the strict security steps and those with a lower risk profile will be able to progress with a much ‘lighter’ security process. This approach maintains the stringent security at the high end of the risk scale, but at the same time fast-tracks the lower risk consumers, giving a far better experience for the majority.

Lower cost, higher revenue and enhanced consumer satisfaction

By differentiating the payment method and security steps to individual customers, based on a shopper’s buying behaviour and transaction history, issuers, acquirers and online merchants can all benefit from better results. The majority of customers (and their computers) can be trusted; they simply want to purchase an e-book, a flight or shoes. About 90-95% of all transactions fit within the low risk profile. There is really no point in demanding that all consumers fulfil all the high security steps required in a complete authentication process. By implementing the right solution, payment service providers will save costs, online shops will benefit from higher revenues, and the majority of consumers will be far happier and more likely to complete their transaction.
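The risk-based routing described in this column, as an added illustration that is not INFORM’s or RiskShield’s logic: a shopper’s transaction history is turned into a handful of deviation signals (unseen device, new shipping country, spend far above the shopper’s own norm, prior chargeback, no history at all) and the checkout is routed to a ‘light’ or a ‘strict’ authentication path. The signals, the thresholds and the two-tier policy are assumptions chosen for this demo, and the sample histories are constructed.

```python
"""Risk-based authentication routing: which path a given checkout gets.

Added example, not INFORM's or RiskShield's logic. Features, thresholds and the
'light' / 'strict' policy are assumptions chosen for this demo; a production
engine would learn them from data. All sample transactions are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Transaction:
    amount: float
    device_id: str
    ship_country: str
    chargeback: bool = False   # outcome, only known for past transactions


@dataclass
class ShopperProfile:
    """What the issuer, acquirer or merchant already knows about one shopper."""
    history: list[Transaction] = field(default_factory=list)

    def known_devices(self) -> set[str]:
        return {t.device_id for t in self.history}

    def known_countries(self) -> set[str]:
        return {t.ship_country for t in self.history}

    def amount_is_unusual(self, amount: float, sigmas: float = 3.0) -> bool:
        """Assumed rule: unusual means more than `sigmas` deviations above the
        shopper's own mean spend; with fewer than 3 past orders we don't judge."""
        if len(self.history) < 3:
            return False
        amounts = [t.amount for t in self.history]
        mu, sd = mean(amounts), pstdev(amounts)
        band = max(sd, 0.1 * mu)          # floor so a very flat history still has a band
        return amount > mu + sigmas * band


def risk_signals(profile: ShopperProfile, txn: Transaction) -> list[str]:
    """Reasons the new transaction deviates from this shopper's established pattern."""
    signals: list[str] = []
    if not profile.history:
        return ["no_transaction_history"]
    if txn.device_id not in profile.known_devices():
        signals.append("unseen_device")
    if txn.ship_country not in profile.known_countries():
        signals.append("new_shipping_country")
    if profile.amount_is_unusual(txn.amount):
        signals.append("amount_far_above_normal")
    if any(t.chargeback for t in profile.history):
        signals.append("prior_chargeback")
    return signals


SOFT_SIGNALS = {"unseen_device", "new_shipping_country"}


def authentication_path(profile: ShopperProfile, txn: Transaction) -> str:
    """'light' when the checkout fits the shopper's history, 'strict' otherwise.

    Assumed policy: a single soft signal (new phone, or shipping to a new
    country) stays light, because trusted customers travel and replace
    devices; anything beyond that steps the shopper up to the full process.
    """
    signals = risk_signals(profile, txn)
    if not signals:
        return "light"
    if len(signals) == 1 and signals[0] in SOFT_SIGNALS:
        return "light"
    return "strict"


def light_share(decisions: list[str]) -> float:
    """Fraction of checkouts that got the light path: the number to watch
    against the 90-95% low-risk share the column cites."""
    return sum(d == "light" for d in decisions) / len(decisions) if decisions else 0.0


if __name__ == "__main__":
    regular = ShopperProfile([Transaction(a, "phone-1", "NL") for a in (40, 45, 50, 55, 60)])
    print(authentication_path(regular, Transaction(55, "phone-1", "NL")))          # light
    print(authentication_path(regular, Transaction(900, "laptop-9", "NL")))        # strict
    print(authentication_path(ShopperProfile(), Transaction(20, "phone-2", "NL")))  # strict
```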

EXCLUSIVE INTERVIEW WITH MARC BARACH, JUMIO

“The challenges of payment security have always been a balancing act”

Marc leads Jumio’s worldwide marketing efforts and brings over 20 years of marketing innovation and operational experience in emerging technologies and the financial sector to Jumio. Previously, he served as CEO of mobile applications company Emotive, CMO of enterprise search SaaS pioneer Marin Software and CMO of Ingenio, where he sparked creation of pay-per-call technology, a multi-billion USD adtech product which led to Ingenio’s acquisition by AT&T in 2007. As CMO of online insurance first mover InsWeb, Marc drove revenue which enabled the company to raise USD 100 million in its IPO. Additionally, Marc has held executive-level marketing posts at a number of financial institutions including Charles Schwab and First Nationwide Bank. A frequent speaker at prestigious conferences worldwide, Marc has been widely quoted in national and business press.

Step by step, the world seems to be going mobile as well. How does Jumio address the need for a more secure and improved mobile customer experience?

Marc Barach: As mobile consumers, we seem to have a voracious appetite to get the full range of life’s tasks accomplished on our connected devices. Conducting shopping, travel, banking, investing and more are now commonplace, but each one of these activities at some point requires the consumer to fill out long forms on their device. And that’s the problem. Numerous studies show that the more data a consumer must key enter in order to complete a process, the greater is their drop off. That’s something businesses cannot afford. Jumio’s mobile offerings use computer vision technology to scan and validate credentials, obviating the need for time-consuming key entry. This allows consumers using our clients’ apps to speed through sign-up and checkout processes, which translates into higher completion rates and satisfaction. This service is offered through three of our products: Netverify, Netswipe and Fastfill.

Netswipe turns a customer’s phone into a secure credit card reader, eliminating the need for customers to manually enter credit card payment information. Consumers hold their credit card up to their mobile device and their card is automatically scanned, extracting cardholder name, 16-digit card number and expiration date. This takes seconds as opposed to typically a minute for key entry. By removing that friction from the process, Netswipe addresses the critical issue of shopping cart abandonment, which plagues almost every online and mobile merchant. Businesses using Netswipe in their mobile apps see conversion rates increase as much as 20 to 30% and sometimes higher.

Netverify allows businesses to authenticate their customers’ identities in real time by validating their source credential of a passport, driver license or ID card. Consumers simply hold their ID up to their smartphone or desktop camera and Netverify validates the ID, extracts the personal info it contains and fills it into the sign-up or the checkout form. Identification documents issued by more than 100 countries are processed this way. In order to confirm that the person presenting the ID is the person shown in the ID, Jumio uses its proprietary Face Match technology to help businesses assess the extent to which a photo on an ID presented during a mobile or online transaction matches the customer’s actual face. This is a key differentiator in the industry, as no other solution provides the same breadth of real-time identity verification. Jumio’s Netverify also helps organizations meet KYC requirements and industry regulations, while reducing fraud and chargeback costs in purchase transactions.

Fastfill automates key entry of personal customer information in mobile apps, providing a faster and more convenient way for consumers to open accounts, complete web registration forms, and remove friction from the checkout process. With Fastfill, customers tap the “Scan ID” button on a business’ mobile app, hold their ID up to the device’s camera, and their personal data is extracted from the ID and populated into the new account form in an instant. Customers are no longer subjected to minutes of data entry on a small keypad and merchants don’t have to worry about losing customers in the sign-up process.

What are the biggest challenges when it comes to payment security for retailers and customers nowadays?

Marc Barach: The challenges of payment security have always been a balancing act. The industry is often toggling between making the payment process as convenient as possible for the consumer yet safe for the merchant. If that’s out of balance, which is often the case, the merchant is always on the failing end from either losing customers or having high chargeback and fraud costs. The two objectives, ease-of-use and fraud control, have historically been at opposite ends of the continuum – typically when security goes up, the consumer suffers and, if security is lax, the merchant suffers. Jumio has developed a service that breaks open that paradigm – so that both security and consumer experience are improved.

Companies such as Amazon pioneered the ‘one click’ purchase which is incredibly popular with consumers but, in our view, isn’t the end of the line. We’re working toward the goal of ‘no key entry’ transactions, which represents the next step on the ease-of-use trajectory. This means that real-time authentication activities need to take place behind the scenes while the consumer sails through the transaction. Online merchants spend so much time, money and energy getting people to their websites and apps and often forget that getting them successfully through the sign-up and checkout processes is just as important to meeting their revenue goals.

In your opinion, what is the best approach to ensure secure payments and online fraud prevention?

Marc Barach: Most security processes today use indirect ways such as knowledge-based authentication to authenticate the ID of the transacting customer. These can be effective, but none of them are as good as using the source document (passport, driver license, government ID) or as consumer friendly. Fast, easy and intuitive processes are what create great consumer experiences, which contribute to higher completion rates and revenue. As consumers become more sophisticated, especially on mobile, the tolerance for slow and complex processes is diminishing. At the end of the day, merchants have to figure out how to manage fraud without turning away legitimate consumers. Our whole business is built around making sure we do exactly that.

Jumio has recently launched the Bitcoin Identity Security Open Network. With cybercriminals often using digital currencies like Bitcoin to commit illegal transactions, how does the network plan to boost trust and confidence in the Bitcoin ecosystem?

Marc Barach: BISON was created to instill greater confidence in the Bitcoin system by providing the industry with a standardized way to validate buyer identities when in the process of establishing a relationship or conducting a transaction. It’s a reaction to some of the confidence-shaking events that have plagued the Bitcoin industry. The industry recognizes that smart self-regulation is much better than external regulation and now is the time to put that infrastructure in place.

The Bitcoin exchanges, wallets, ATMs and mining companies in the BISON network have come together as a first step in this self-regulatory process. Using Netverify, these providers can meet KYC practices while weeding out fake or manipulated IDs, which is usually a precursor for fraud or other illegal activities. BISON members also receive aggregated fraud trend information across the network. Lastly, and perhaps the most exciting feature of BISON, is that customers’ validation status and PII travel with them wherever they transact within the network.

That means that a customer presents and scans their ID the first time with one Bitcoin company, and when they go to transact with another member, their validated status and data is automatically imported into that transaction, and vice-versa. The friction removal manifests itself in higher completion rates and consumer satisfaction. This feature of the Network launches later in 2014.

“MRC’s 2014 eCommerce Payments & Risk Council in Las Vegas is the place to gain insight into important industry trends, network with industry colleagues and review the latest technology offerings from a wide range of innovative companies. We were gratified to be selected by the MRC membership to win the METAward for the Best Innovative Emerging Technology in the established company category. In his presentation, CSO Mike Orlando demonstrated Jumio’s Fastfill and Netswipe mobile technologies which enabled him to make in-app purchases without having to key enter PII or payment data. We wish to thank the Membership for this acknowledgement and recognize the great offerings of all the other nominated companies. Together, we are moving the ball forward to create a safer and more efficient transactional environment for merchants and consumers.”

Marc Barach, Jumio

EXCLUSIVE INTERVIEW WITH AARON KLINE, ID ANALYTICS

“Understanding the consumer's identity makes us stand apart”

Aaron Kline is director of eCommerce Solutions at ID Analytics, where he leads the company’s efforts to reduce online and card-not-present fraud. He has extensive ecommerce experience that enables him to balance the need for optimal user experiences with the requirements of fraud management. Prior to joining ID Analytics, Kline led the New Business Initiatives Team within the Consumer Group at Intuit. In addition, he held leadership roles at Provide Commerce, including leading ProFlowers International, organic growth initiatives, and various M&A activities. Kline has also held various operating roles at Cox Communications, HD Supply, and The Home Depot.

ID Analytics is a leader in consumer risk management with patented analytics, proven expertise, and real-time insight into consumer behavior. By combining proprietary data from the ID Network—one of the nation’s largest networks of cross-industry consumer behavioral data—with advanced science, ID Analytics provides in-depth visibility into identity risk and creditworthiness.

How does ID Analytics address identity fraud in the US?

Aaron Kline: ID Analytics takes a risk-based approach to tracking identity fraud. We work specifically with enterprises to detect and eliminate fraud from their daily activities. When it comes to a new account setup, be it at a bank or a wireless carrier, consumers are asked to provide different data inputs, for personally identifiable information. Thus, we help enterprises assess the riskiness of those applications, which is one use case.

Another use case that we help enterprises with revolves around transaction-related fraud. When an online merchant, or an ecommerce company, takes a certain type of information for the purpose of an online transaction, we assist those organizations in assessing the riskiness of that order.

Customer needs, which are related to new account applications or online transactions, are a priority, so we also help enterprises with authentication or compliance-related matters. As such, when it comes to authenticating the user or any compliance-related checks, like KYC (know your customer) checks, we provide organizations with tools like KBA (knowledge-based authentication) quizzes. Our solution fits different use cases and runs across all of those different needs. Therefore, our approach is based on understanding the identity of the consumer, which makes us really stand apart.

Moreover, we have pervasive insight into how U.S. consumers behave both online and offline. We work with 6 of the top 10 issuing banks, with 4 of the top 5 wireless carriers, and we have good relationships with certain credit bureaus and the government in the ecommerce arena. This vantage point has allowed us to see the U.S. adult population taking action at some point in their lives. And, as such, we have the ability to have insights into the consumer’s profile.

We also offer a data consortium model so that enterprises which work with us get the value of our products. Finally, our clients submit to us performance-related information. They let us know if a new account has gone bad or if a transaction results in a chargeback. That standpoint allows us to understand whether someone really is a good or bad actor, whether s/he has actually committed a fraud or not. It really helps us to have insight into whether it’s a first-party fraud, synthetic fraud or third-party fraud. However, the identity network that we operate is the core asset in terms of predicting those kinds of fraud cases and we’re really helping the market understand identity fraud.

You just launched a new product with new features for the Transaction Protector and Transaction Advanced Intelligence solutions. What does this new feature provide to merchants?

Aaron Kline: Transaction Protector and Transaction Advanced Intelligence are both geared at helping online merchants assess the riskiness of online transactions in a card-not-present world. The new features are designed for device-related reputation and recognition. We have partnered with both iovation and ThreatMetrix, companies which are well-known in the device space, in order to gain that insight. By understanding the individual behind the online transaction and the mechanism through which they place that transaction, we have great insight into consumer behavior. It helps us understand whether risk or fraud is occurring in an online transaction. We have seen great lift to our predictive models incorporating that data.

Merchants and future clients have the ability to benefit not only from data, the identity network that we offer, but also from the wealth of device recognition and reputation data that both iovation and ThreatMetrix offer.

We think that biometric authentication could be one of the most promising new technologies in ecommerce. What is your view on these developments? Is it on the roadmap for ID Analytics?

Aaron Kline: Simply put, yes. It is on the roadmap for ID Analytics. By taking an identity-based approach to understanding consumer behavior, we are always looking for unique elements to define a consumer. There could be multiple email addresses or phone numbers associated with an individual. In order to have laser-like focus on understanding the consumer behavior, one must make sure that uniquely identifying each individual is feasible.

We love biometrics because it is the thing that could potentially help us understand that one-to-one relationship, unlike device, which poses the case for a one-to-few relationship. We like it, but biometrics really can help us confirm a one-to-one relationship. There are companies working on things like voice recognition. It would be really interesting for the call centre environment.

We also think of the advancements happening in mobile technology, like Samsung’s new Galaxy 5 smartphone which includes fingerprint authentication technology that will open up to third-party developers. This fact makes us consider that fingerprint biometrics are going to be cool. As such, we are engaged in discussions with potential partners in that space, and we’re really looking to incorporate biometrics in future product releases. I also expect that, within the next year, we’ll either have probably one or more confirmed partnerships in biometrics. We will also have developed our own technology, because it is essential in tying an individual to an individual trait.

What do you see in terms of face recognition?

Aaron Kline: We are also interested in this type of biometric authentication technology because our aim is to come up with an answer to which of these biometric technologies is most impenetrable to fraud. To support my opinion, the Chaos Club in Germany, for example, demonstrated that they could quickly penetrate Apple’s finger recognition capability. That is why we are open to all biometric technologies. It is just a question of “Has the technology got to a place where we see it as relatively invulnerable to an additional attack?” Otherwise it’s really not worth it. So, that is an area we are currently exploring; I’m not sure that anybody has got a solid answer to it yet.

How long do you think that will take?

Aaron Kline: ID Analytics will look to cement partnerships in this arena within the next year. We value partnerships in terms of learning that new technology and how it works. I think that it’s more likely that the partnerships will be on either the voice or the fingerprint side of things, rather than the face, the iris, or even DNA, just because those capabilities are more established in the market. Then we’ll continue to look aggressively at developing that technology ourselves once we prove the efficacy of biometrics. I think that’s something we need to prove to ourselves.

EXPERTS’ CORNER

“Going Beyond PCI”

By Phillip Smith, Senior Vice President of Government Solutions, Trustwave

Phil J. Smith is Senior Vice President of Government Solutions at Trustwave. He has more than 14 years of federal criminal investigative and prosecutorial experience, having served as both a Special Agent with the U.S. Secret Service and as a Senior Trial Attorney with the U.S. Department of Justice Terrorism and Violent Crime Section. He was involved in the Secret Service's early efforts to combat computer and electronic crime including the gathering of electronic evidence. Phil has significant crisis management experience including extraterritorial matters involving bombing of U.S. facilities, air piracy and the killing of US nationals.

Security is no longer ‘just an IT problem.’ As revealed in our recently released 2014 Security Pressures Report, 50% of more than 800 full-time IT professionals surveyed said their owners, boards of directors and C-level executives are applying the most pressure when it comes to security, and it doesn’t stop there. Security has now become a Congressional issue.

On February 5, 2014, Trustwave was asked to present expert testimony before Congress about data breaches and malware attacks. In light of the recent string of high profile data breaches, the House Committee on Energy and Commerce held the hearing to get a better understanding of how data breaches occur and how they can be prevented. I presented the testimony and focused on one major theme: the importance of businesses going ‘beyond PCI compliance,’ using the Standard as a starting point, not an ending point, when building their security strategies.

In today’s internet-connected world, threats are more complex than ever. Hackers are going after businesses of all sizes and across all industries. According to the 2013 Trustwave Global Security Report, cardholder data was the primary data type targeted by attackers in 2012. There is a well-established underground marketplace for stolen payment card data where criminals may get up to USD 50 per card; multiply that by millions and you can see how selling payment card data can be a lucrative business.

The PCI DSS continues to play a critical role when it comes to data security. The Standard has increased awareness and given businesses guidelines for basic security controls to protect cardholder and personal data. However, in today’s environment, where the threat landscape is more complex than ever and new business-improvement technologies are introduced every day, keeping up with and complying with the Standard simply isn’t enough. While the Standard helps businesses deploy some essential security controls, it doesn’t cover every attack vector; targeted malware, mobile devices and cloud technology are examples of areas it leaves largely unaddressed.

In addition to complying with the PCI DSS, businesses must also use a defense-in-depth approach to security consisting of multiple layers of defense, detection, response and ongoing testing. The strategy should include incident response preparedness, security awareness training, risk assessments and ongoing penetration testing, as well as security controls that protect databases, web applications and mobile payment systems. It should also include anti-malware technologies such as security gateways that help protect businesses in real time from threats like malware, zero-day vulnerabilities and data loss, and that can help organizations use web and cloud applications securely.

According to the 2014 Security Pressures Report, 85% of IT pros said a bigger IT security team would reduce security pressures and bolster job effectiveness. If businesses find that they do not have the skills or manpower needed to make sure all of their technologies are installed and working properly, they should look to augment their in-house staff by partnering with an outside team of security experts whose sole responsibility is to manage their security.

If businesses embrace this kind of approach to security, they can better protect themselves against attacks and inherently maintain compliance with the PCI DSS.

EXPERTS’ CORNER

“Data Breach Legislation: Global Trends 2014”

By Wendy Kennedy, International Business Practice Leader, Interstice Consulting

Wendy Kennedy has over twenty years of experience assisting businesses with global expansion strategies, including profit maximization, creation of new revenue models and minimization of risk, with an emphasis on data privacy and protection. She is the author of the eBook "Data Privacy: A Practical Guide" (April, 2014) and editor of the International Business, Trade and Taxation Blog, and a partner at Interstice Consulting.

There can be no question that the number of data breaches is increasing with the passage of each month. Yet data privacy and protection laws remain fragmented. The urgency to implement data protection and privacy laws can be seen in the vast number of proposals being adopted or introduced worldwide. The EU, for example, the undisputed forerunner in enacting data protection and privacy laws, is set to proceed with adoption and implementation of the Data Privacy Regulation unifying data protection and privacy law among its member states, which will likely become effective in 2015. The emphasis is on greater harmonization, increased regulatory enforcement and transparency.

Global companies should also take note of the rise in international data privacy laws. Data protection and privacy laws have been enacted recently in Singapore, China, Malaysia, South Korea, Serbia, Brazil and Argentina. Ensuring compliance with new laws is increasingly difficult and time consuming.

In the US, Senator Tom Carper (D-Del) introduced a bill, the Data Security Act of 2014, attempting to align fragmented data protection laws at the federal and state levels. The bill is intended to address security, ensure privacy, create a notification requirement and enhance enforcement and penalties. The proposed bill would require entities, both public and private, to take better preventative measures safeguarding sensitive information, investigate security breaches, and place strict notification requirements for breaches. The proposed Data Security Act would supersede the confusing and inconsistent federal and state laws governing data protection now in place.

One problem identified by consumer advocates is that the bill only allows consumers to sue under federal law, while eliminating consumer recourse for violations of state law. Another group of lawmakers, led by Senator Patrick Leahy (D-VT), have been working throughout the past decade to garner support for their Personal Data Privacy and Security Act of 2014, which was reintroduced earlier this year on the heels of the massive data security breaches experienced by Target, Inc. and Neiman Marcus. This proposal would require businesses to notify law enforcement of data breaches within 10 days after discovery of a breach involving more than 5,000 persons or a breach of a database containing personal information of 500,000 or more individuals. The proposal would also give the Federal Trade Commission, the US Attorney General, and state attorneys general enforcement power, with fines and penalties up to USD 1 million per breach.

States, too, are jumping on the bandwagon. There is significant state-level legislative activity to address data breaches: some measures amend existing laws to include private liability for data breaches, while others propose new legislation with a primary focus on notification in the event of a data breach. Of course, businesses would welcome standardization of data protection laws; it would lower the cost of compliance and provide greater predictability and stability. Currently, the myriad of divergent laws, not just across the US but across the world, makes compliance costly and inefficient. Several measures can be put in place to reduce risks and minimize losses in the event of a data breach. First, data protection and privacy insurance is becoming widely available, although it can be quite costly. Second, a business can engage a data privacy officer to develop a breach plan of action and serve as an expert resource in the event of a breach.

About: Online Paypers is a bi-weekly update on developments in online payments by The Paypers, the portal for payment professionals.

Editors: Adriana Screpnic, Ionela Barbuta, Mihaela Mihaila, Sebastian Lupu, Andreea Nita and Melisande Mual.

Website: For more information, please visit our websites: www.thepaypers.com

Contact: For more information, you can contact us at: [email protected]

Subscription info: Online Paypers is a product of The Paypers and is published 24 times per year. Year subscription price: €295

Copyright: 2014 © The Paypers. All rights reserved. Reproduction or redistribution in any form without explicit prior written permission of The Paypers is prohibited.

Disclaimer: The Paypers sees to the utmost reliability of all its news products. Nevertheless we do not accept any responsibility for any possible inaccuracies.

Check out The Paypers’ "Cross-border Ecommerce Research" section for more information on specific cross-border ecommerce facts & figures, preferred payment methods, risk and fraud, as well as ecommerce legislation & regulation in developed and emerging countries.