Cents Chat

Manifesting A Multilayered Security Mindset, The Transition From Traditional Terminals, Oblivious Oversight

Jason & Hayden Season 2020 Episode 14

With online retail doubling in volume from last year you need to know the new ways to keep your data secure.

Apple makes it easier to say goodbye to your traditional terminal. Change is here.

How has Wirecard gotten away with fraud for so many years? And what do we need to do to make sure there isn’t another debacle like Wirecard?

SPEAKER_00

Welcome to this episode of Cents Chat with Jason and Hayden. Let's jump right in to make payments make sense. Happy Wednesday, Jason. It is great to be back in the office, and it feels like we haven't recorded in forever due to my vacation days, but I'm stoked to be back and I'm ready to dive into today's episode.

SPEAKER_01

Hayden, fired up to have you back. I can't remember the last time I took a 10-day vacation. I think I was probably a kid.

SPEAKER_00

Jason, I don't remember the last time you took more than one day out of the office. Anyways, let's jump into today's topics. First, manifesting a multi-layered security mindset. Then, the transition from traditional terminals. Will Apple pave the way? And last, oblivious oversight. Why Wirecard lasted so long. Jason, online purchases have more than doubled from last year in the general retail vertical. And much of that is due to older consumers who have been pushing off the digital shift until COVID-19 when they really didn't have a choice. We are projected to see more than 8 million new digital shoppers over the age of 45 by the end of 2020. And although it is a huge opportunity for merchants who are moving toward a digital front, these new online shoppers will also bring new online hackers and protecting all of that data is going to be a key element in the success of these merchants.

SPEAKER_01

Absolutely, Hayden. One of the biggest challenges anytime there's this rapid of a shift in buying habits is a lack of security concerns. And for the vast majority of merchants, they don't know what they don't know. I still run into merchants all the time that have no idea they can't store cardholder data or CVV data in plain text. And I'm not just talking about small merchants. I recently had my car serviced at a huge dealership and my card number was in plain text on the invoice. When I confronted the dealership about it, it was like looking at a deer in headlights. The supply chain really needs to get better at disseminating this information to the merchants. I know way too many processors who look at monitoring their merchants for PCI compliance as a nuisance. They have no concern for the integrity of the supply chain, let alone spending time to educate their merchants. Until this philosophy shifts through the entire supply chain from the acquiring banks to the processors to the service providers, it's going to continue to be a problem. And I'm not just talking about cardholder data. I think this philosophy needs to be expanded to all PII as well.

SPEAKER_00

I agree with you, Jason. Merchants need to do more than just protect credit card numbers. Personal information is currently selling for five times the price of credit card numbers on the black market, as there are more things hackers can do with personal information than with a credit card number. Merchants need technology partners who understand how new threats are forming and a partner who is also able to take a multi-layered approach to stop cyber attacks and bad actors. Jason, I know you have an astronomical amount of knowledge for this topic in particular, so as an expert, can you explain the multi-layered approach and the technology to go along with it?

SPEAKER_01

Absolutely, Hayden. And I think it really boils down to the fintechs. The solutions they're developing need to evolve beyond just protecting cardholder data, and they need to start offering solutions that will protect consumer data as well. Unfortunately, there are really no enforced standards in the US around PII, and there are no strict penalties for not protecting consumer data. There's the reputational risk factor, but that doesn't seem to be a big enough deterrent. Applying the same methodologies to PII that we apply to cardholder data will drastically improve this problem. And I think it's important to make sure that we start educating merchants. But at the end of the day, most of them are not sophisticated enough to develop and deploy these solutions themselves. And it really brings me to the point of this topic. The more services that the fintech community can offer to their merchants to enable them to protect them from themselves, the better. FinTech firms are inherently extremely data security-centric. Well, at least they better be if they want to stay out of the headlines. The more data security services a fintech can offer their merchants as value-added services, the more access to data they will have, which will aid them in stopping fraud for their merchants. When fintechs have access to consumer data such as email addresses, phone numbers, shipping addresses, tracking numbers, they can do significantly more fraud and risk detection and help better protect their merchants.

SPEAKER_00

Well, Jason, another player that is trying to offer more merchant-centric solutions is Apple, who has just purchased Canadian payments company Mobeewave, which will allow it to make mobile pay hubs out of an iPhone. Mobeewave lets consumers utilize their smartphones to access a credit card as well as to process payments. Now, you may be thinking, what about Square? Well, Apple just positioned itself to be in direct competition with Square, which has been a leader in payments tech for smartphones and tablets.

SPEAKER_01

Hey, I'm really excited about this acquisition and Apple entering the payment acceptance space. They were a pioneer in the issuance space with their Apple Pay product, which leapfrogged traditional contactless cards, and frankly, in my opinion, is the reason that contactless payments is as prevalent as it is today. The exciting part of them being on the acceptance side of the equation is the innovation that will come from it. The days of merchants using standalone terminals are quickly coming to an end. And this acquisition is going to make that transition happen even faster. As we continue to move towards mobile devices being used for payment acceptance, we have new opportunities to build better solutions that provide increased fraud detection and eliminate existing threat scenarios. Think about the amount of assurance Apple can provide to a merchant that a transaction is legitimate when they are able to introduce their own standards for what data is transmitted as part of the payment. Today, in order to maintain interoperability between all issuers and acquirers, various payment instrument form factors, and a myriad of legacy acceptance devices, we have a set of authorization standards that is so limited, it provides such little data for the risk systems about the transaction itself. This will all change as we start to deploy devices that accept transactions that exchange more data with the cardholder. Between phones, wearables, tablets, and PCs, Apple has an enormous footprint, and this will allow them to leapfrog existing EMV and contactless standards from a data point and data security perspective.

SPEAKER_00

Mobile devices primarily use an NFC chip built in that transmits the card's information wirelessly. Without that chip, wireless and contactless payments would not be possible. The downside to this chip is that criminals can take advantage of this technology by using a scanner that wirelessly scans the victim's payment methods in the same way a cash register would. Scariest part about this is that anyone can legally buy one of these scanners at an electronic store, making the technology even more dangerous. With the new wirelessly obtained card information, these bad actors can then use it to make fraudulent purchases online.

SPEAKER_01

Hayden, you're exactly right. And the big issue here is that to make these changes to the existing standards with the existing terminals in place would take years. As we transition to new acceptance devices, be it Apple or Android-based, we have the ability to start developing new standards in how data is exchanged between the devices that solves for these attack vectors. These new standards will be much easier to get out there to both cardholders and merchants, as the rollout will simply be part of an iOS or Android update. When this happens, all of a sudden the data exchange between somebody's watch and the iPad accepting the payment will be encrypted instead of being passed in plain text like it is today. Even though these solutions will be backwards compatible with legacy terminals, it's going to create even a more powerful push to get merchants to utilize newer technology because not only will they get the bells and whistles from POS solutions developed by the fintech community, they will now also have a data security perspective to talk to merchants about. Thanks to COVID and the massive contactless adoption that we've seen, we're getting closer and closer to a world where we may not just be talking about a cashless society, but a cardless society. And when you couple this with new security layers that acquisitions like this will make possible, we're going to start massively moving towards a world where a cardholder present, fraudless society might be possible.

SPEAKER_00

Jason, one thing that's certainly not fraudless is Wirecard. Visa and MasterCard fined Wirecard for dodgy transactions dating pretty far back. Wirecard acted as a feeder of card transaction data into Visa and MasterCard's vast networks, which connected to banks that handle hundreds of millions of transactions a day. Visa has been concerned about Wirecard since at least 2015, but prosecutors are investigating whether Wirecard executives used the financial system to launder money dating as far back as 2010. As we learn more about the Wirecard debacle, one major focus is on its practice of processing transactions for merchants other companies would avoid, usually due to the high risk of the merchant, like gambling, porn, and nutraceuticals. Visa even asked Wirecard to leave certain merchants and stated that too much of its business came from these same high-risk verticals.

SPEAKER_01

Hayden, we've talked about this before, and I'm gonna bring it up until there's some sort of oversight to this. The best analogy I can give you is how people that were very close to the mortgage industry saw its imminent collapse before it happened. Well, we're working with so many players in the supply chain from acquiring banks to third-party payment providers. I have to tell you, it's scary. What happened to Wirecard happens almost daily around the globe, just not at the same scale. We've consulted for a myriad of acquiring banks who have little to no idea how to run an acquiring program. They have little to no oversight on how their third-party payment processors are underwriting their merchants, controlling the flow of funds, and monitoring the risk. There are banks that have acquiring programs that we've worked with that when a problem comes up and I start talking to them about their oversight policies, things that are actually required by the standards from the card networks, such as the Visa GARS, Global Acquirer Risk Standards, they sit there like a deer in headlights, and I can't help to think to myself, how are they even in this industry? And for a good majority of the acquiring banks that do understand the responsibilities, they don't have the technology or the tools they need to oversee the programs. But instead, they rely on reports generated by the groups they're overseeing to satisfy the card brand requirements. And I think that's even more detrimental because it creates a false sense of security for the bank.

SPEAKER_00

Wirecard is no stranger to taking losses due to imperfections in their structure. MasterCard fined Wirecard $11 million for processing gambling transactions under the wrong codes. In 2010, MasterCard wrote to Wirecard's banking unit about the concerns that it was rerouting through miscoded merchants' gambling transactions that the bank had already declined. Banks would then approve these payments, thinking they weren't gambling related. And it's not just MasterCard. In 2009, Visa fined Wirecard's banking unit $12 million for high chargebacks that occurred in October and November of 2009, reaching over 100%. That means for two months in 2019, Wirecard had more chargebacks than transactions, which is an astronomical statistic.

SPEAKER_01

Man, the skeletons in the closet for this group just continue to come marching out. It's like somebody opened the gates to Satan's lair. One of the big problems with this industry is that the people that are assessing the fines, the card brands, are for-profit companies. In other words, there's a conflict of interest between maximizing profit and protecting consumers, and that's hard to reconcile. If you look at a group like Wirecard, the card brands made massive amounts of money off them, both in traditional processing fees, but also chargeback fees and fines for rules violations. To compound the problem, when the card brands fine the banks, the banks turn around and pass those fines on to third-party payment processors who ultimately pay those fines by passing the cost on to merchants. Fraud and chargebacks are a profitable business for the card brands, the acquiring bank, and the third-party payment providers because they're all making fees. The ones who really lose in this equation are the issuing banks and the merchants that are getting hit with the fraud. I feel like this is a problem that isn't going to get fixed until the regulators that are auditing the banks understand how all of this works. And they clearly don't today. In the meantime, all we can do is continue to do our part by working with the banks to develop risk and compliance programs, building cutting-edge technology that allows the banks to automate the review of data directly from the source and continue to help weed out the bad actors from the supply chain.

SPEAKER_00

Alright, Jason, it is time to make payments make sense. Give me those takeaways.

SPEAKER_01

Apple, welcome to the space. We're watching closely and excited to see what solutions are to come. Banks, if you're losing sleep at night over your acquiring program's oversight, we're here to help.

SPEAKER_00

Thanks for joining us today. And if you've got a topic you would like us to discuss, follow and message us on social media at SenseChat. And as always, we would love your feedback.