In March 2015, addressing a crowd at Innovation Project 2015, retired four-star General Keith Alexander, the former director of the National Security Agency, quieted the crowd with his rather sober reality of the future of cybercrime and cybersecurity.
Over the next two years, cyber attacks will get worse before they get better.
Fast forward seven months, and throw the EMV liability shift into the mix, and the conversations surrounding cybersecurity, authentication, tokenization, fraud and security have only intensified. Whether one takes the perspective of the payments network, the issuer, the merchant or the consumer, security is top of mind when it comes to card and card-not-present payments.
To catch up on the latest chatter in the industry — specifically around cybersecurity and EMV — PYMNTS spoke with twoBank of America Merchant Services executives to get their inside perspective into the merchant side of the matter. Our objective? To get their sense of the concerns that are surfacing and what’s being done — and not being done – to stay a step ahead.
To start, let’s step back to two years ago, right around the time of the massive Target data breach. That news hit the industry like a hot iron, igniting what was later to become a contentious issue about what’s needed to better protect consumer card data.
Larry Brennan, Bank of America Merchant Services VP of Merchant Data Security, explained that in about 2013 the chatter in the industry really began to pick up about cybersecurity. And what started it all?
The Target headlines. And merchants who wanted to make sure they weren’t the next big breach headline.
“Data compromises have been around since credit cards have been accepted. But it wasn’t really until you started seeing all the major breaches that were identified in the papers. Now, all of the merchants — regardless of their size — are now concerned about if ‘I am going to be the next breach,'” Brennan explained. “That’s brought a big interest from the clients as to ‘how can I protect my card data?’ From the time customers [present a] credit card, all the way through my transaction. That’s what we start seeing. It started in about 2013 and it’s got progressively more front of mind for the clients.”
Fast forward two years. And now we have the EMV liability shift.
Now, from the merchant’s perspective it’s the financial liability — perhaps more than ever — motivating the push to adopt new methods of protecting cardholder data, but it’s also about reputational damage, Brennan said, which goes back to avoiding being the next headline in those papers.
On the EMV side, at least for BoA Merchant Services, the shift continues to be a process — as it is for all issuers. Derrick Carpenter, SVP of Industry Solutions and Platforms for Bank of America Merchant Services, explained it’s about a two-year process.
“What we’ve seen in other markets is that it takes a considerable amount to get to critical mass. We envision the same thing. We’re making consistent progress everyday on our small businesses,” he said.
What EMV boils down to for many of its customers, particularly for SMBs, is the educational aspect, and of course, the costs.Carpenter said that BoA Merchant Services has reached out over 1.5 million times to educate its merchant clients over the last year about the need to make the shift.
“We’re still working with our small businesses and that’s where most of the education has to happen and it’s because of small business. A small business is worried about running the business on a day-to-day basis. They kind of look to us from a payments perspective. We focus on continuing education,” Carpenter said.
The next two years mean not only educating its merchant base, but also ensuring consumers are educated, trained and have EMV cards on hand to make the transactions. But EMV, of course, is not the only element of fraud protection that’s being addressed.
Then there’s other buzzwords that are also driving the conversations: encryption and tokenization.
“EMV definitely does solve one piece of fraud. But it’s really a three-pronged approach from a breach perspective. EMV solves for counterfeit cards showing up in the marketplace, but encryption and tokenization is what is really going to protect the data inside the customer system. So when it’s breached, that’s what will solve that is that tokenization and encryption. That’s something we offer and push with every single one of our solutions into the marketplace,” Carpenter said.
For the U.S., the fears of card-not-present fraud is already a bustling conversation. Just looking across the pond, Brennan noted, can give a example of how CNP fraud ballooned after EMV was implemented.
“When you squeeze out card present, the crooks are going over to the other side,” Brennan said. “With a solution such as tokenization and all the other products, we can still be ahead, trying to help our clients try to minimize card present with card not present.”
Other tactics BoA Merchant Services uses to keep merchants up to date, besides the educational angle, is spending time upfront segmenting its market to determine which merchant category codes were most likely to get hit by fraud. That way, merchants can understand “the likelihood of them being impacted by counterfeit fraud,” Carpenter said.
This helps SMBs make the business decision as to when the right time to jump on the EMV bandwagon might be. And in the next two years, BoA Merchant Services will continue to increase its authentication tools in order to give those businesses an extra push toward implementing fraud-prevention solutions.
But still, there’s barriers holding merchants, especially many SMBs, from accepting the EMV status quo. For one, Carpenter said, it’s a hard sell to push EMV on businesses that may not have had a chargeback yet.
“When [merchants] think about the idea that maybe someday there will be a chargeback, [they] need to invest now for this thing that may happen in the future, I think that’s tough. They are focused on running their business day-to-day. As they start to experience a liability shift chargeback I think it will come to reality,” Carpenter said.
It’s also about consumer perception. As more consumers use their chip cards, and realize the security benefits behind the card standard, that could spark more SMBs to ensure they are keeping up with what consumers expect, he said. That means, if the business next door is EMV-compatible and consumers value such a measure, it may have a ripple effect across Main Street businesses to align their terminals to ensure customers that their card data is secure.
So looking five years out, what does Carpenter project for the EMV market? Besides that two-year time projection, EMV will begin to open up more dynamic conversations about technology — including mobile and everything mobile encompasses for payments.
“We think 24 months from now, we’ll see most of our small businesses (80-85 percent) will have adopted EMV and new technology will be out there. Really, when you think about small business, it’s not just EMV that makes the decision,” Carpenter said.
“It’s the opportunity in an environment where mobile is coming on the scene, security is really important, communication methods from dial-up to cloud. All of these new types of technology are giving a lot of reasons for when a client makes an investment to get a new solution that is not only EMV compliant but also does mobile, does NFC, does all sorts of new ways to help them manage their business,” he added.
Still, those businesses must be managed in the modern-day age where breaches are becoming the reality instead of the exceptions. That’s the cybersecurity-minded future Gen. Alexander warned of seven months ago, and very much the reality merchants — both big and small — are living with today.