Cents Chat

Automated Approval Assimilation, Vicious Vulnerabilities, Digital Due Diligence

Jason & Hayden Season 2020 Episode 3


Automated underwriting not only makes ISVs happy, it's safer for the acquiring supply chain.

How did PAAY, an E-Commerce fraud protection tool, leave 2.5 million transactions exposed on their server?

Why is a swift digital onboarding experience a necessity for competing banks, and can having access to more data be the answer?


SPEAKER_01

Welcome to this episode of Defense Stack with Jason and Hayden. Let's jump right in to make payments make sense.

SPEAKER_00

Well, Hayden, welcome back to another Wednesday recording session. And by the looks of it, that pretty face definitely got some sun over the weekend.

SPEAKER_01

Yeah, I'm still feeling this weekend's sun, which is a bummer, but you know, now I know for the next heat wave I am definitely gonna be wearing sunscreen. Well, it's nice that they still have the beaches open here for now.

SPEAKER_00

We'll see how that pans out.

SPEAKER_01

Yeah, I hope they do stay open. It's been a little getaway for me out of the house, be able to get some sun, a little bit too much sun, I suppose. Alrighty, Jason, let's jump into today's topics. First, we have automated approval assimilation. And unfortunately, we are not talking about your PPP loan.

SPEAKER_00

Next, we'll cover vicious vulnerabilities, and it's worse than just the virus.

SPEAKER_01

And finally, digital due diligence, how contact tracing can be applied to identity validation. Well, Jason, when we discussed automated approval for a topic this week, I would have been certain that we'd be discussing the PPP loan application process if I hadn't heard you talking to so many ISVs about it.

SPEAKER_00

Yeah, Hayden, it's actually something that's been impacting the entire supply chain. In addition to ISVs, we've talked to lots of banks about adjusting their underwriting policies to allow ISVs and TPPPs to automatically underwrite merchants. It's always been a big topic in the industry, but now that we have so many retail businesses shut down and trying to scramble for online solutions, it's become even more of a hot topic. People don't want to fill out paper applications, and the normal underwriting process that a lot of merchant processing companies have their ISVs go through is just too slow. One of the big components of it has been working with the entire supply chain on putting together automated solutions that meet all of the underwriting requirements from a KYC, AML, BSA, OFAC perspective, and do it in a real-time manner as opposed to a manual review. It's a problem that a lot of ISVs have suffered through for quite some time if they haven't worked with the Stripes of the world. Stripe is infamous for their underwriting and auto-approval process for onboarding new merchant accounts. And ISVs that have gone the more traditional route of working with a TPPP are usually faced with a scenario where they don't have as robust technology as what Stripe does. So they're forced to work with paper applications.

SPEAKER_01

Yeah, I've heard you discuss that there are other solutions for ISVs than the PayFacs like Stripe that provide this.

SPEAKER_00

I think first and foremost, it's important to remember that automated underwriting is not a function of being a PayFac. It's a function of having the technology in place to do it. There are actually quite a few of them. One of the things I always talk about is finding the right payments partners, and that really does affect the whole supply chain. The acquiring banks have to be comfortable with an automated underwriting solution. The TPPP or PayFac has to build the technology to do it. So it's a very involved process. We've actually consulted for quite a few different organizations, helping them rewrite their underwriting policies and find third-party vendors to do data validation. And I think it's obviously the direction that the industry is moving. It's a matter of sourcing the right relationships and the right vendors so that rather than reviewing a voided check by hand, you're able to do a real-time bank account validation API call. And those are the types of solutions that are needed in order to transition from the paper process to the automated real-time digital process.

SPEAKER_01

But doesn't this open the banks to more risk with fraudulent activity than the traditional paper applications?

SPEAKER_00

Actually, I think it does the opposite, right? When you look at a lot of fraudulent merchant processing applications, identity theft, those types of scenarios, people are normally utilizing the paper application process. And the reason is it's very easy to take a check in Photoshop and change the name on it, or scan a driver's license and change the address on it. It's much easier to forge those documents and send them in as part of an underwriting packet than it is to manipulate third-party data sources. I think one of the big keys of this is the merchant demographic that you're applying the automated approval processes to. Restaurants that are doing smaller volume, brick-and-mortar retail locations, e-commerce applications that are focused in specific verticals, they have very predictable patterns. So those are the types of merchants that these solutions really work well for. I'm certainly not proposing that you start underwriting high-risk merchants in this fashion. I think for vertically specialized ISVs who have banking partners that understand the value of third-party data validation, it's actually a win. Additionally, one of the things that it puts in place, which most systems are lacking today, is the ability to re-underwrite those merchants, to look at them again six months down the road and assess: has their financial stability changed? Have there been any negative reviews online? Things that usually slip through the cracks when a paper application process is in place. So I think a properly implemented automated underwriting and approval system actually reduces how vulnerable an ISV, TPPP or acquiring bank is to merchant fraud.

SPEAKER_01

Jason, let's talk about somebody's decision that made them vulnerable. PAAY, an e-commerce fraud protection tool storing millions of transactions, has been unsecured for weeks and just recently closed again. The database works with other payment processors, verifying payments to make sure there is no fraud going on for outside vendors. PAAY's mistake was not having a password installed on its server, which allowed anybody to see the data inside. The error occurred while the company was updating a service and somebody had accidentally left the database without a password.

SPEAKER_00

Hayden, headlines like this drive me absolutely nuts because they're so preventable. And it just demonstrates a complete neglect for information security. I don't care what standard somebody's following, whether it's PCI or NIST 800, they all have requirements for vulnerability management and penetration testing after significant changes are made to an environment. And this sounds like a company that clearly does not follow that guidance. I know that PCI only requires quarterly ASV scans, but to not be scanning your environment on a nightly basis and not be doing penetration testing after significant changes to your environment is absolutely ludicrous. This is the type of thing that slips through the cracks. A simple vulnerability scan would have detected this and saved PAAY a ton of negative press in the headlines.

SPEAKER_01

Yeah, apparently the breach exposed around 2.5 million transactions residing on the server, and these transactions showed the full plain-text credit card number, expiration dates, and the amount of money spent.

SPEAKER_00

And that's just adding insult to injury. On top of not doing vulnerability management and penetration testing, they're storing card numbers in plain text, which is just a recipe for disaster. You're asking to be compromised. The purpose of all of these security controls is that you have a multi-layered security approach where if one system fails, another system's there to back it up. Had they encrypted the card numbers, sure, they still would have been missing a critical piece by not having a password on a database server, but at least the cardholder data wouldn't have been exposed. You can't play in the payment supply chain and be this negligent and expect to stay in business.

SPEAKER_01

I agree with you, Jason, but PAAY is not the only company that has neglected security this year. Two US-based sites, Court and Utility Payments, exposed data in early April, and a Christian donation platform left millions of credit card numbers exposed in January.

SPEAKER_00

It's becoming more and more of a common theme as SaaS companies and ISVs want more and more responsibility in the payments supply chain. More data breaches continue to occur. The vast majority of these companies don't have a very detailed security mindset. And the supply chain does a horrible job with due diligence when it comes to vetting their downstream partners that they're allowing to hold on to cardholder data. It's a topic we could spend an entire session on.

SPEAKER_01

We'll have to dive deeper into that in a future episode, but while on the subject of due diligence, let's talk about consumer authentication and contact tracing methodologies. Digital onboarding experiences that allow customers to easily access their accounts are essential for competing banks, but in order to do that, customers' identities must be able to be verified as quickly as possible. And having access to more data means that banks can authenticate customers by requesting a couple of pieces of information rather than having them provide personal identification documents and visit branches to complete the onboarding process.

SPEAKER_00

Yeah, Hayden, this is very similar to our first topic, except now we're talking about the other side of the equation, consumer validation as opposed to business validation. And I think this is a trend that actually started with the peer-to-peer payment solutions, your Venmos, your Square Cashes, your Zells of the world, and is making its way to mainstream banking and merchant processing. It's very exciting, and I think it's going to have a big impact ultimately on banks' willingness to embrace automated underwriting types of solutions.

SPEAKER_01

Yeah, I agree. The Royal Bank of Canada is one financial institution that is trying out biometric tools as a way to speed authentication during its onboarding process. These customers do not have to submit any physical documentation or further authenticate themselves physically in branches. RBC also announced that it's allowing customers to scan their passports using their smart device cameras for identification.

SPEAKER_00

Yeah, this is a super interesting topic, and there's a lot of innovation going on around it. As more and more consumers have biometric-enabled devices, watches, computers, and with new trends like the FIDO Alliance, which is a new authentication and validation solution that's becoming a standard, I think we're only gonna see more and more innovation in this consumer authentication realm. One of the interesting topics that I've always discussed, and I think has a big future in this, is social media as a part of validation. We live in a society today where it's almost awkward if you don't have a LinkedIn page or a Facebook page or some other form of social media, and I'm really curious to see how that's gonna tie into consumer authentication, right? It's very hard to fake 10 years of somebody's identity, and I think a Facebook profile or a LinkedIn profile is almost more valuable than a picture of somebody's driver's license at this point.

SPEAKER_01

Yeah, my ex-girlfriend's lack of social media presence did raise some eyebrows, so I see where you're coming from with that statement. Well, I think our listeners know what time it is. It is time to make payments make sense. Jason, give me those takeaways.

SPEAKER_00

Banks, automated underwriting is the future and it's a function of good technology. ISVs, if you're not scanning your environment daily for vulnerabilities, you probably have more holes than Swiss cheese. Payment service providers, consumer authentication is going digital. Be prepared for real-time responses or to become part of history.

SPEAKER_01

Thanks for joining us today. And if you've got a topic you would like us to discuss, follow and message us on social media at CentsChat. And as always, we would love your feedback. Aid now.