Internet & Mobile Payments: Are They Secure?
Paul Tomasofsky
President, Secure Remote Payment Council
Andrew Schmidt
Research Director, Global Payments TowerGroup
Carl Tsukahara
Chief Marketing Officer, ClairMail Inc.
Janet L. Kapostasy
Vice President, Cardinal Commerce
Secure Remote Payment Council
Working Together to Secure an Industry
Paul Tomasofsky
President, Secure Remote Payment Council
(201) 775-4960
Fall 2010
The Secure Remote Payment Council
• Cross-industry trade association dedicated to the growth, development and market adoption of debit-based internet eCommerce and mobile channel payment methods that meet or exceed the security standards for PIN-based card-present payments. It will accomplish this by encouraging and supporting those activities that accelerate the implementation, adoption and promotion of these payments.
The Secure Remote Payment Council
• Debit means any device that accesses a checking account (or prepaid debit account)
– Card (Signature or PIN)
– ACH Debit
– E-Check
– Push-Credit
– Chip Device
– USB Device
– Alternative Payments
Key Activities to Accomplish Goals
• Facilitation of the identification and implementation of data and tools that reduce fraud, and improve identification and location of those perpetrating it
• Providing a venue for the introduction of new eCommerce payment initiation solutions and a standardized process for their validation
• Providing tools and resources necessary for increasing knowledge
• Promoting best practices for service providers
• Providing networking opportunities for industry participants
• Educating Policymakers, Regulators and Law Enforcement on the benefits of these payments.
Current Member Companies
SRPc Officers
• Paul Tomasofsky, President and Executive Director
• Dennis F. Lynch, Chairman of the Board
• Terry Dooley, Vice Chairman
• Paul Turgeon, Secretary/Treasurer
How To Join?
• Visit www.SecureRemotePaymentCouncil.org
• Email [email protected]
• Call: (201) 775-4960
Internet & Mobile Payments: Are They Secure?
Andrew Schmidt
Research Director, Global Payments TowerGroup
© 2011 The Tower Group, Inc. 10
Volumes are up – but – volume isn’t everything…
US Payment Trends
The shift towards electronic payments is accelerating…
Source: Federal Reserve, TowerGroup
US Payment Volumes from 2000-2009 (In Billions)
[Chart] Years: 2000, 2003, 2006, 2009
Total Payments: 69.2, 80.1, 94.0, 109.0
Electronic Payments: 27.3, 42.8, 64.6, 84.6
Paper Payments: 41.9, 37.3, 30.5, 24.4
… and Debit is the dominant payment type by volume…
Source: Federal Reserve, TowerGroup
US Payment Volumes from 2000-2009 (In Billions)
[Chart: volume by payment type for 2000, 2003, 2006 and 2009. Series: Check, ACH, Credit card, Debit card, Prepaid card]
… yet 95% of value still originates from the transaction account as Check and ACH
Source: Federal Reserve, TowerGroup
Distribution of US Payment Volume by Payment Type
[Chart: stacked bars for 2006 and 2009. Categories: Check, ACH, Prepaid card, Debit card, Credit card]
Physical Disintermediation Abounds in the World of Alternative Payment Providers
[Table: providers PayPal, ZashPay, SeerGate, Bling Nation, Checkout by Amazon, Google Checkout, OboPay, Zong; columns Send money, Request money, Mobile, Internet, Proximity/contactless, Mobile RDC]
Source: Company websites, TowerGroup
Competitors include mix of existing providers, new entrants, payment processors
The Good News: PayPal Isn’t That Big, Yet
Source: JPMorgan Chase, TowerGroup
Volume of Payments ($B) Processed for 12 months ended Q3, 2010
[Chart: bars for Visa (Credit), Visa (Debit), MasterCard (Credit), MasterCard (Debit), PayPal]
Wireless Providers also Entering the Fray
• Telcos want to provide payment services
- Isis (US)
- ZoomPass (Canada)
- M-PESA (Kenya)
- Bharti Airtel (India)
• Usual goal is to add purchases to monthly bill
- Turns banks and credit unions into mere funding sources
• Isis taking different approach
- To be run over card network
Contactless, Apps, SMS, and “Bump”
What is a Mobile Payment?
Mobile Payments Represent Four Payment Types
Source: TowerGroup
Mobile Point-of-Sale Payment
• Based on contactless and near-field communication (NFC) technology
• Eliminates cash and plastic for transit fares or tolls and other payments
• Technologies exist, but solutions pending
Mobile Remote Payments
• Mobile Internet service
• Used for mobile top-up, content, tickets, account funding
Mobile Remittances
• Builds off traditional international remittance market
• Cross-border, multicurrency
• New solution for a big market
Mobile Person-to-Person
• Adds transactions to social networking
• Convenience of immediate value exchange
Contactless vs. NFC Primer
Contactless
• Uses RFID
• Is powered by the reader
• Can be deployed in sticker form
• Can already be used at point of sale – trials ongoing
• “Dumb”
NFC
• Uses RFID
• Is powered by the handset
• Is chip-based, requiring a specific handset
• Requires special terminals – few trials
• Feature rich, flexible
Source: TowerGroup
While NFC is the future, it may be a “flying cars” kind of future
A Contactless Sticker Does Not a Mobile Payment Make
Blurring the Lines Between Online and Mobile
Source: Fiserv, TowerGroup
Got an App for That?
• There are hundreds of mobile banking and payment applications on the market
- iPhone, Android, BlackBerry, Windows
• And, many of these applications are even tested by the people selling them
- Apple has stringent testing methods and will often prevent an app from reaching the market if they have concerns about it
- Google has looser requirements: $7 and a Gmail account
• Yet even testing may not be enough…
The mobile market may be evolving faster than regulators can protect its users – and their bank accounts
Got an App for That?
Source: BBC, TowerGroup
Zeus Trojan
Other Developments in Mobile
Zeus Trojan Trumps SMS Authentication
Source: Finextra, S21sec, TowerGroup
[Diagram: Infected User PC, Bogus web site, Customer’s mobile, SMS Authentication, Customer account, Fraudster, Bank web site]
1. Infected PC directs to bogus website – asks for mobile info
2. SMS sent to mobile with link to malicious app
3. App monitors inbound SMS
4. Fraudster logs into bank web site with stolen credentials
5. Site sends SMS to customer’s mobile
6. App redirects SMS to Fraudster
7. Looting begins
Fraud & AML
Sizing One Element of Risk
Source: International Monetary Fund, TowerGroup
Estimated 2011 Global Domestic Product (USD in Trillions)
US: $15.2
China: $6.4
Japan: $5.7
Germany: $3.4
Money Laundering: $3.3
If laundered funds equaled GDP, money laundering would be the 5th largest economy on the planet…
… and would be 27% larger than France
US Deposit Account Fraud (2008)
* : Debit Card fraud for POS signature, POS PIN, and ATM
Source: American Bankers Association, Federal Bureau of Investigation, TowerGroup
$ Millions (USD)
Check: 1,024
Debit Card*: 788
ACH: 100
• Reported check fraud accounts for > 50%
• TowerGroup believes actual check fraud is closer to $1.5 billion
Internet & Mobile Payments: Are They Secure?
Carl Tsukahara
Chief Marketing Officer, ClairMail Inc.
The Evolving Mobile Payments Vendor Landscape
Source: Mooreland Partners
[Chart columns: Financial Institution-Focused, Merchant-Focused, Mobile Operator-Focused]
[Chart rows: Customer Services, B2B Services, Software/Technology]
Internet & Mobile Payments: Are They Secure?
Janet L. Kapostasy
Vice President,
Cardinal Commerce.
April 4, 2011
Agenda
• Thank you
• Brief overview of Cardinal
• Remote transactions
– eCommerce
– Mobile commerce
– tCommerce
– Xbox commerce?
– Other…it is really about new channels
• Mobile commerce in action
• Thank you
What We Do At Cardinal
• Enable payment brands that use authentication
– Internet commerce
– Mobile commerce
– Remote commerce
• Connect to the existing payment infrastructure
• Mobile commerce
– Anything that can be done on the internet
– We can extend that to the mobile channel
– …and then some
• Connect payment brands / consumers to payments
• Infrastructure for authenticated payments
• World leader in mobile / remote commerce
Platforms to Access
ENABLES PAYMENT BRANDS, METHODS and NETWORKS
Leading provider of authenticated traditional payments brands, including American Express SafeKey, and many alternative online and mobile payment options.
ONLINE and MOBILE AUTHENTICATION for BANKS
Multi-factor authentication: Verified by Visa, MasterCard® SecureCode™, JCB J/Secure™, out-of-band authentication and other authentication services
MOBILE BANKING, PAYMENTS, MARKETING and SALES
Enables secure mobile banking, mobile payments and collections, and mobile merchandising and sales
Adapting to Existing Infrastructure
[Diagram: CONSUMER, MERCHANT, ACQUIRER, PAYMENT NETWORK, ISSUER. Labels: Username, Password, HTTPS, VbV, SecureCode, Thin Client, JCB Directory, MasterCard Directory, Visa Directory]
Enables Merchants
Enables Merchants / processors / payment brands
Enables banks / issuers
CardinalCommerce | Market Footprint
• Major Gateways:
– CyberSource®, Clear Commerce®, Retail Decisions, Digital River™, GSI, Travelocity®, UPS®, and others
• Processors and Acquirers:
– First Data™, Chase Paymentech™, Fifth Third, First National®, RBS WorldPay™, Merchant eSolutions, and others
• Middleware Providers:
– CommercialWare, Ecometry, Paymetric, SAP VAR’s, Shopping Cart Cartridges + 50
• Mobile Commerce:
– Prepaid processors, Short code, US Carrier, others
CardinalCommerce Market Footprint Merchants
Airlines:
Delta
British Airways
Continental
Air Canada
Northwest
Fly Thomas Cook
Spice Jet
Aljazeera
Others
Electronics:
Newegg
Tiger Direct
Dell
Smart Bargains
Tech for Less
Toshiba
CompSource
Adorama
Others
Apparel:
Hot Topic
American Eagle
Torrid
KarmaLoop
Shoebuy
Boscov’s
Liz Claiborne
Foot Locker
Others
Other:
Theme parks
Ticketing
Virgin Mobile
T-Mobile
Zales
MLB
Dick’s
Auction Sites
Others
Merchants: +70,000 active / ≈ 450,000 connected
Enabling Payment Brands and Methods
Single Integration: One for all and all for one
Moving transaction from any place… to the right place… in the right way
UPDS
Authentication is Key
Existing Credentials
Authentication is Key
Available Authentication Technology
• 2IDmyPC™
• 2IDmobile™
• 2ID CAD
Sample: mCommerce Participants
• Connect payments to the mobile channel
• Enable payment brands
• Connect banks to the mobile channel
• Connect cards – debit, credit, stored value
• Enable merchants in the mobile channel
• Short code coverage: 160 countries
Strategy:
• Integrate into the card processors
• Integrate into bank platforms
• Integrate into merchant infrastructure
• Enable strategic payment brands, e.g.: PayPal, Amazon, Google, Visa, MasterCard
• Secure strategic mobile providers: Sprint, VeriSign, Open Market, etc.
• WAP, App and Text capability
• Develop multi-channel “proxy” authentication capability
Live Mobile Commerce Businesses
• Largest Platform / processor: First Data
- Prepaid / stored value platform – full functionality
- Payroll Cards
- Wal-Mart
- Health and employee benefits (SHPS)
• Green Dot®:
- Full service banking for prepaid cardholders
- Wal-Mart Visa®
• Second Largest Platform / processor: SVS Ceridian
- Prepaid / stored value platform – full functionality
- Store locator, balances, transfers, purchases, etc.
• Mobile Banking: First Data, International banks, merchants
• Sprint Mobile Wallet Service
• Direct Retail:
- Footlocker®, Football Fanatics, SkyMall
- Merchandising, marketing, sales
- Loyalty programs – Marriott®
- ShopSavvy®
Enabling mBanking & mPayments
• Features for Mobile Banking
– Leverage existing infrastructure – extend traditional banking/BPP functionality
• SMS
• WAP
• Mobile applications
• Alerts and Acknowledgements:
– Balance alerts
– Mini statements
– Locator functionality
– Reload funds
– Fraud alerts
– Bill-due reminder
– Deposit notice – benefit or payroll card
– Mobile notice – card sent, application approved, etc.
HSBC Mobile Banking – Hosted Registration
Rules Based Alerting | One Way Text Messaging to the Consumer
Customizable alerts/ real time through our web UI
1. Merchant country is not card issuing country and authorized amount > 15 dinars and XYZ field = 8210 or 8211 and country currency is not dinars
2. POS mode = 55 and authorized amount > 15 dinars
3. POS condition code = 95 and authorized amount > 15 dinars
4. Merchant country is not Kuwait and authorized amount > 15 dinars
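The four rules above, evaluated over authorization records and collapsed to one text per transaction, as an added example that is not from the presentation or from Cardinal's platform. The record layout, the codes `KW`/`KWD` for Kuwait and dinars, and amounts already converted to dinars are assumptions; the sample records are constructed.

```python
from dataclasses import dataclass

LIMIT = 15       # dinars, the threshold shown in every rule on the slide
HOME = "KW"      # Kuwait (rule 4); ISO country code is an assumed encoding
DINAR = "KWD"    # assumed ISO 4217 code for the slide's "dinars"

@dataclass
class Auth:                    # hypothetical authorization record
    txn_id: str
    merchant_country: str
    issuing_country: str
    currency: str
    amount_dinars: float       # assumed already converted to dinars
    xyz_field: str             # the slide's unnamed "XYZ field"
    pos_mode: str
    pos_condition: str

# Rule number -> predicate, in the order listed on the slide.
RULES = {
    1: lambda a: (a.merchant_country != a.issuing_country
                  and a.xyz_field in ("8210", "8211")
                  and a.currency != DINAR),
    2: lambda a: a.pos_mode == "55",
    3: lambda a: a.pos_condition == "95",
    4: lambda a: a.merchant_country != HOME,
}

def matched_rules(auth):
    """Rule numbers that fire; every rule also requires amount > LIMIT."""
    if auth.amount_dinars <= LIMIT:    # strict '>': exactly 15 dinars is silent
        return []
    return [n for n, pred in RULES.items() if pred(auth)]

def alert_message(auth):
    """One text per transaction even when rules overlap; None if no alert."""
    hits = matched_rules(auth)
    if not hits:
        return None
    return (f"Alert: {auth.amount_dinars:.3f} dinars authorized at a merchant "
            f"in {auth.merchant_country} (rules {', '.join(map(str, hits))})")

# Constructed sample authorizations, not real data.
SAMPLES = [
    Auth("t1", "GB", "KW", "GBP", 40.0, "8210", "01", "00"),  # rules 1 and 4
    Auth("t2", "KW", "KW", "KWD", 15.0, "0000", "55", "95"),  # at limit: silent
    Auth("t3", "KW", "KW", "KWD", 15.5, "0000", "55", "95"),  # rules 2 and 3
    Auth("t4", "AE", "KW", "AED", 9.0, "8211", "55", "00"),   # under limit
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.txn_id, alert_message(s))
```

Rules 1 and 4 overlap for any Kuwaiti-issued card used abroad, which is why the message is built per transaction rather than per rule.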
Live: Green Dot Mobile Banking
Over 8 million transactions.
Hundreds of thousands of unique users
Other Features: Daily low balance alerts, ATM Locator, Mobile Marketing, Bill Pay, Top-up
Skinny It Down – Optimize for Each Mobile Platform
iPhone, Android, Palm
Blackberry
Commerce Enabled Applications
Integration: Loyalty Programs to Mobile
• Posters and Magnets placed in stores
• Goal to increase:
– User base
– Usage per member
– Perceived value
• Reduce cost of sign-up by 70%+
• Facilitates members’ ability to update profile, preferences
• Enables more accurate targeted marketing
Sprint™ Mobile Payment Services (SMW Overview)
Mobile Payment Services (SMPS): aggregates payment instruments (e.g. credit cards, debit cards, Google™ Checkout, Checkout by Amazon, PayPal™, etc.) into a mobile wallet
• Available as one-click payment options on the mobile phone
• User set up / registration:
– Account (username, password, PIN)
– Shipping address(es)
– Any/all desired payment methods
• User shops on their mobile phone and pays for goods or services
• SMPS: registered payment methods as payment options at checkout.
Intellectual Property
PCI / DSS compliant – Level 1
• Software platforms
• 100% Cardinal
• No third party suppliers
Issued USA patents
• US 7,051,002 B2 - Universal Merchant Platform
• US 7,140,036 B2 - Centralized identity management
• US 7,606,771 B2 - Cardinal Authentication Device (CAD)
• US 7,624,039 B2 - Affinity shopping portal
• US 7,693,783 B2 - Universal Merchant Platform – gateway / MSP
• US 7,742,967 B2 - Secure and Efficient Payment System
• US 7,797,731 B2 - Centralized identity authentication
• US 7,877,296 B2 - Text to Buy
• 60+ pending
Issued International Patents
• EP 1 221 146 B1 (UK and Switzerland)
• 600 15 587.0-08 (Germany)
• 2005/0269 (South Africa)
• 2007/07072 (South Africa)
• 2008/1212 (South Africa)
• Others pending
Proprietary Integrations
Mobile Gift Card Application
Internet & Mobile Payments: Are They Secure?
Panel Discussion
Paul Tomasofsky
President, Secure Remote Payment Council
Andrew Schmidt
Research Director, Global Payments TowerGroup
Carl Tsukahara
Chief Marketing Officer, ClairMail Inc.
Janet L. Kapostasy
Vice President, Cardinal Commerce