Online Retail Fraud to Increase 106% – Are you ready?

As the portion of shopping done online rises, so does the importance of e-commerce to retailers’ overall strategies. Unfortunately, the increased focus on e-commerce also extends to fraudsters looking to make illegitimate purchases – a trend accelerated by the EMV liability shift earlier this month. As more retailers have provided greater payment security in the store with the addition of EMV, fraudsters will be shifting their efforts to target e-commerce sites.

As a result of EMV, according to Trustev and as referenced in our 2015 E-Commerce survey, online fraud is predicted to increase 106% over the next three years. Fraudsters also are looking to exploit e-commerce transactions to capture credit card numbers and other personal data. These changes in the retail landscape make it more important than ever to protect customer data and effectively monitor online transactions.

Online transactions create a unique set of security challenges. Since the transactions are “card not present,” there is no way to verify the card’s legitimacy by verifying the signature, checking the customer’s ID or matching the last four digits of the card. To protect themselves from fraudulent online transactions, retailers must implement a rules-based fraud detection tool, auditing suspect transactions and authorizing legitimate ones.

Protecting Online Customer and Payment Information

Today’s customer expects a certain level of convenience when shopping online including the ability to save their personal and payment information on sites they frequent.

Customer Information – Retailers should be encrypting all customer information as soon as it enters their environment.

Payment Card Information – Further, the amount of credit card data retailers must save to offer this convenience makes it a target for hackers. Fortunately for retailers, tokenization technology works for both brick-and-mortar and e-commerce transactions. In fact, all of our clients currently implementing tokenization are implementing multi-channel tokens. This not only secures their customers’ credit card data, but also provides the retailer with an omni-channel payment solution central to creating a consistent brand experience across channels.

PCI is not Enough

With the shifting retail paradigm, simply passing PCI is no longer enough to truly protect customer information. Retailers must build security into their technology roadmaps to ensure that the level of protection is commensurate with their omni-channel strategies. We suggest an annual security audit outside of PCI and other standards to ensure that security measures are not in place merely to pass audits but to truly protect the customers’ information retailers work so hard to gain and retain.

As always, I appreciate your opinions on this topic. Please share your comments below.


Mobile ordering, payments responsible for 20pc of Starbucks’ October transactions

Mobile Commerce Daily – Starbucks experienced a considerable rise in revenue this third quarter, with sales toppling 18 percent higher, with stores that were early adopters of the chain’s mobile ordering and payments options the biggest winners.

The beverage marketer has also seen mobile ordering and payment account for 20 percent of its revenue this month, underscoring growing consumer demand for streamlined ways of purchasing on-the-go food and drink. Other quick service restaurants and retailers would be well-poised to follow Starbucks’ model of mobile innovation, which bestowed the brand with a $4.9 billion total revenue in Q3.

“Starbucks is a leader in the mobile apps space and has been extremely successful in getting its customers to download and use its app,” said David Naumann, director of marketing at Boston Retail Partners, Boston. “Consumers are reaching app fatigue and retailers are competing for precious space on consumers’ smartphone screens.

“The key to mobile app success is to provide real value so that customers are compelled to download and use the app,” he said. “Starbucks has cracked the code by combining loyalty rewards, ordering and payment benefits on its mobile app.

“Retailers can learn from Starbucks’ mobile app success by adopting similar principles.”

Read full article: Mobile ordering, payments responsible for 20pc of Starbucks’ October transactions

Will Chase dethrone Apple with bank-branded mobile payment adoption?

Mobile Commerce Daily – Chase’s dedication to competing with current mobile payments developers, such as Apple and Samsung, could potentially offer it front-runner status as its substantial customer base strays away from the pigeonhole caused by software developers.

The bank is the first to develop a mobile payment platform, named Chase Pay, and is likely to hold its own against big names in the field as its customers use a varied range of devices, opening it up for a wider audience. Chase is one of the larger banks, and all its customers with a smartphone are automatically eligible.

“The greatest advantage for a bank, like Chase, to introduce mobile payments is that they are not tied to a given smartphone manufacturer like Apple, Android and Google,” said Ryan Grogman, vice president at Boston Retail Partners. “Another benefit for large banks entering the mobile payment space is the large volume of customers that will automatically be signed-up for the service.

“It is estimated that one of every two households in the U.S. is a Chase customer,” he said. “Chase Pay is also backed by the Merchant Customer Exchange Consortium so they are going to have the support of over 100,000 retail locations at launch.

Read full article: Will Chase dethrone Apple with bank-branded mobile payment adoption?

EMV for Automated Fuel Dispensers is Coming Soon – 6 Steps to be Prepared

If the current day status of retailers’ EMV compliance (or lack of compliance) is an indicator of what to expect in 2017, there is no time to wait in preparing your organization and systems to support EMV for automated fuel dispensers. Traditional brick and mortar retailers continue scrambling to meet the already past October 2015 liability shift deadline for EMV.  Delays across software partners, payment terminal providers, and bank certifications have all contributed to the current backlog of non-compliant retailers.

Even if you’re not ready to kick-off a project in the next couple of months, it would be wise to at least begin identifying some of the critical components of your solution:

  1. Know your exposure – talk to your bank or payment processor and have them outline, in detail, your potential liability after October 2017. Understanding the magnitude of your risk early on will help drive your decision making process.
  2. Know your potential sales impact – what could the impact be to your sales if your competition deploys well ahead of your own timeline? Will consumer security concerns drive them to do business with EMV compliant fuel dispensers?
  3. Know your software implications – identify all the potentially impacted software components of EMV for your forecourt business: CRIND (card reader in dispenser) firmware or software, POS integration, payment gateway changes, reporting, consumer receipts, etc. Talk to some of your partners now to get a head start on laying out an overall implementation plan that includes the certification of your solution.
  4. Know your hardware/infrastructure implications – take time now to determine if you will need to purchase new card readers, CRINDs, network infrastructure, cabling, POS terminals, etc. If you wait too long, you may have a bigger challenge of “who’s available to assist in these installs.” Don’t get caught in the position of having to scramble to get the right resources to assist in your implementation efforts.
  5. Know your associate/consumer training impacts – The general perception may be that by 2017 EMV will be generally accepted and US consumers will be trained. However, the reality is that without adequate business process changes at the forecourt and readily available associates to quickly provide instructions and answer customer questions, there could be significant disruptions on the island.
  6. Think about future payments – contactless payments such as Apple Pay, Samsung Pay and Android Pay should factor into your planning process as well. As some of these newer payment methods continue to gain adoption with consumers, it is important to understand how the acceptance of these will impact your EMV preparation plans.

The key takeaway is that the majority of your planning and design needs to be completed before 2017. By heading down the path to compliance in 2016, you can help reduce the risk of getting caught in a last minute scramble which may result in taking unnecessary shortcuts that may add risk to your business. The time to act is now!

I welcome your opinions on this topic. Please share your comments below.


The Big Problem With Those New Credit Cards That No One’s Talking About – Here’s a prediction you need to heed: a large number of you will soon leave your credit cards behind at a retail store after making a purchase. Why? Because the biggest change in the way Americans spend money in decades is about to occur, and there will be hiccups. And because that’s what happened when other parts of the world transitioned to chip-enabled credit cards, according to consultancy Boston Retail Partners.

Boston Retail Partners, a retail consultancy, also wrote about this issue earlier this month.

“Compared to a traditional magnetic strip swipe of a credit card which may result in a sub second response, an EMV authorization and response will take considerably longer – approximately 5-10 seconds. This is due to behind the scenes authentication and validation of the new chip on the credit card,” the firm said in a blog post. “Another impact of this longer duration of leaving the card inserted in the EMV terminal, there is a high risk of the consumer leaving their card behind. This issue was a documented problem in Europe and other early EMV adopters during their EMV cutovers. Solutions exist to configure the payment terminal or POS to alert the associate and customer audibly, or to restrict the printing of the final receipt until the card is removed. To help minimize this issue, retailers should work with their technology partners to understand which solutions work best.”

Read Full Article: The Big Problem With Those New Credit Cards That No One’s Talking About

Mobile Payments: Are they Secure?

According to comScore, 76.8%[1] of American adults own a smartphone. The majority of smartphone owners are at least aware of the ability to make mobile payments. However, mobile wallets currently account for a small percentage of both in-store and online retail transactions. Security is often cited as the number one reason consumers aren’t using their phones to carry out more transactions, but is this concern justified?

In recent months, Apple has received some bad press for the high fraud rates associated with their successful mobile payment product Apple Pay.  Industry expert Cherian Abraham suggested the fraud rate could be as high as 6%.  This is typically the result of fraudsters using stolen credit card data, obtained through breaches or phishing, to set up digital wallets.  So, from the retailer’s point of view, there is certainly reason to be apprehensive about accepting mobile payments.

However, it is important to note that a consumer’s credit card information is actually very secure when making mobile payments – typically more so than with a traditional credit card swipe on a payment terminal.  Mobile payments utilize tokenization, meaning a transaction token is passed to the payment terminal in lieu of the card number. This allows customers to pay with their credit or debit accounts without passing their actual card numbers to the retailer. If a data breach occurs, their bank accounts will therefore not be compromised.

Apple attributed Apple Pay’s fraud issues to the banks:  “During setup, Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay.”  In an effort to combat fraud, banks have begun to more thoroughly review customer sign-ups on Apple Pay, and Apple is now providing additional information to the banks as part of the initial process.

Samsung and MCX Mobile Payment will soon be joining Apple Pay, Android Pay, and PayPal in the expanding mobile wallet market. As a result, mobile payments are going to continue to be in the spotlight as providers compete for market share. With banks closing known fraud loopholes, tech-savvy consumers and forward-thinking retailers should be more eager to become mobile payment adopters.

I welcome your opinions on this topic. Please share your comments below.


[1] comScore Reports May 2015 U.S. Smartphone Subscriber Market Share, comScore (July 2, 2015)


Accepting Apple Pay: Are You Ready?

In recent years, retailers have been actively conceding to rapidly evolving consumers and popular technology trends. Those same consumers have been equipping themselves with leading edge technology, which is driving retailers to deliver a seamless experience across all channels – in the store, on the Web, and via their mobile device. That experience includes the ability to process payments by utilizing mobile payments and digital wallets such as Apple Pay, one of the most discussed solutions in this space.

What is Apple Pay?

Apple Pay is one of the newest trends in retail. It has given consumers the ability to transact securely with retailers without ever pulling out a credit card or debit card or cash from their wallet. Instead, the consumer pays by using their compatible Apple iOS device regardless of channel – in the store, on the Web, and within mobile apps.

How is using Apple Pay secure?

When consumers add a credit or debit card to the Wallet (formerly Passbook) app on their Apple iOS device[1], a unique Device Account Number is assigned, encrypted, and securely stored on a dedicated chip (Secure Element) in the device. At the time of purchase, the Device Account Number, along with a transaction-specific dynamic security code generated by the Secure Element, is used to process the payment. This process is called tokenization, which retailers are becoming extremely familiar with as they work towards levels of security beyond PCI compliance, including EMV compliance in the United States. Retailers never see the consumer’s card information, which satisfies the direction many of them are going with payment and customer data.

Along with the tokenization process, the consumer must authenticate with Touch ID or the device passcode to complete the transaction, which prevents unauthorized use of the Apple iOS device. In lieu of Touch ID, the Apple Watch requires a passcode and continual skin contact to ensure payments are secure.

Are you ready to accept Apple Pay payments?

To accept in-store payments via Apple Pay, retailers need to ensure their existing hardware will support it. Apple Pay utilizes Near Field Communication (NFC) to initiate the secure payment between a contactless payment terminal and the compatible Apple iOS device. With the transition to EMV compliance, many retailers are finding their hardware already supports NFC. However, once the hardware is confirmed compatible or in place to accept Apple Pay, requirements specific to the retailer will need to be defined to be sure the proper development work happens (user interface changes and integration with a payment processor or switch).

Retailers will need to make sure their payment processor is certified for Apple Pay. Without certification, the retailer will not be able to accept Apple Pay.

How does Apple Pay work?

When a consumer makes a purchase in-store with an Apple Pay compatible device, the device requests the consumer to use their finger via Touch ID to select a payment method and authorize a transaction at time of payment. The consumer then places the Apple iOS device near the NFC supported payment terminal. Next, the Apple iOS device builds an encrypted payment token (includes the DAN and cryptogram) and communicates it to the payment terminal. The payment terminal then sends the payment token to the retailer’s payment gateway, which sends the private key generated during merchant setup to decrypt the payment token and access the DAN and cryptogram. From there, the payment gateway sends the DAN and cryptogram on for processing. The DAN and cryptogram are both received by the retailer’s processor to then map back to the real card number and send to the consumer’s issuing Bank for approval.
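
The token flow described above, as a simplified model added here (not Apple's or the author's code): HMAC-SHA256 stands in for the real cryptogram, the gateway's decryption of the encrypted payment token is left out, and the class names, token format and card number are constructed for illustration. It shows that the retailer's records never contain the card number and that a copied or altered token is declined by the processor.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def cryptogram(key: bytes, dan: str, amount_cents: int, counter: int) -> str:
    """Stand-in for the transaction-specific dynamic security code (HMAC-SHA256 here)."""
    msg = f"{dan}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class SecureElement:
    """Device side: stores the DAN and a key, never the real card number."""
    dan: str
    key: bytes
    counter: int = 0

    def build_token(self, amount_cents: int) -> dict:
        self.counter += 1  # every payment gets a fresh cryptogram
        return {
            "dan": self.dan,
            "amount_cents": amount_cents,
            "counter": self.counter,
            "cryptogram": cryptogram(self.key, self.dan, amount_cents, self.counter),
        }


class Processor:
    """Processor side: the only party that can map a DAN back to the card number."""

    def __init__(self):
        self.vault = {}  # DAN -> {"pan", "key", "last_counter"}

    def provision(self, pan: str) -> SecureElement:
        dan = "DAN-" + secrets.token_hex(8)  # constructed token format
        key = secrets.token_bytes(32)
        self.vault[dan] = {"pan": pan, "key": key, "last_counter": 0}
        return SecureElement(dan, key)

    def authorize(self, token: dict) -> str:
        entry = self.vault.get(token["dan"])
        if entry is None:
            return "DECLINE: unknown token"
        expected = cryptogram(entry["key"], token["dan"], token["amount_cents"], token["counter"])
        if not hmac.compare_digest(expected, token["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if token["counter"] <= entry["last_counter"]:
            return "DECLINE: replayed cryptogram"
        entry["last_counter"] = token["counter"]
        # entry["pan"] would go to the issuing bank for approval at this point.
        return "APPROVE"


def run_demo() -> dict:
    pan = "4111111111111111"  # constructed test card number
    processor = Processor()
    phone = processor.provision(pan)
    merchant_records = []  # everything the retailer's systems ever see

    first = phone.build_token(1250)
    merchant_records.append(first)
    results = {"first": processor.authorize(first)}

    # A copy of the same token, e.g. taken from breached merchant data.
    results["replay"] = processor.authorize(dict(first))

    # A fresh token whose amount was altered after the device signed it.
    second = phone.build_token(500)
    merchant_records.append(dict(second))
    second["amount_cents"] = 50000
    results["tampered"] = processor.authorize(second)

    results["pan_in_merchant_records"] = any(
        pan in map(str, r.values()) for r in merchant_records
    )
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```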

Why Apple Pay?

One of the initial benefits of Apple Pay for retailers and consumers is the overall security of the payment data. When a consumer sets up Apple Pay, the device receives a unique Device Account Number (DAN) that is securely stored on the Apple iOS device in place of a credit or debit card number. This method is more secure than a traditional credit or debit card and the retailer never sees or handles the card number at any point in the transaction.

Aside from the security aspect of Apple Pay, the process allows an easier and quicker payment process. Consumers are picking up on this technology quickly and they’ll want to utilize Apple Pay as many begin their transition to “wallet-less” shopping.


With Apple Pay in the limelight, retailers are in the midst of determining what mobile payments and digital wallets they are going to accept – along with where (in-store and/or online) they’re going to accept them. Consumers are only going to get savvier and expect to utilize this technology.

Accepting these methods of payment provides another avenue for a retailer to deliver an exceptional and personalized experience to their loyal and future customers.

We will discuss other mobile payment and digital wallet solutions in the future. Until then, I welcome your opinions on this topic. Please share your comments below.


[1] iPhone 6 or iPhone 6 Plus (Apple Pay in stores and within apps); Apple Watch paired with iPhone 5 or later; iPad Air 2 or iPad mini (Apple Pay within apps); iOS 8.1 or later in the US or iOS 8.3 or later in the UK; United States or United Kingdom as your selected region; Touch ID or passcode on your device; an Apple ID signed in to iCloud; supported card from a participating bank; a passcode on your Apple Watch and Wrist Detection turned on

EMV Liability Shift: Less than a Month Away

With the October 1st EMV Liability Shift deadline just a few weeks away, it is a good time for retailers to take a realistic view of where they are in their compliance efforts and plan for the months ahead. Backlogs at both the acquiring banks and software vendors have created challenges for retailers looking to implement and certify their EMV solutions along their originally planned timelines.

Early Adopters

For those retailers that are compliant today, or will become compliant ahead of the deadline, congratulations – you are one of the few who will have successfully navigated the required testing, certification and implementation steps in advance of October.

Early Majority

For those retailers that will narrowly miss the deadline, it is important to stay the course in order to minimize the potential liability shift resulting from chip-enabled fraudulent transactions during the high traffic holiday season.

Late Adopters

If, however, you are a retailer without imminent plans to implement an EMV compliant solution, then you must take the necessary steps to ensure you are prepared for the impending shift in financial liability. Reaching out to your acquiring bank can help you obtain projected financial implications of non-compliance. It will be critical to work with your internal finance partners to account for the potential liability for each month you are not in compliance.

One potential benefit to late adopters of EMV will be the learnings of the issuing banks and software vendors related to the lengthy project implementations currently in flight, as well as core certifications already undertaken by their credit switch vendor.

At this point, there are no official positions regarding card issuers granting a waiver for the potential liability shift stemming from EMV non-compliance. However, several acquiring banks and card issuers have been holding those discussions, so we would encourage your organization to reach out to your own banks and processors to understand their view on the EMV waiver process, especially for those retailers whose implementation has been held up due to factors outside of their control.

Fuel and Convenience Deadline – Two years away

Finally, for those retailers in the fuel and convenience industry, EMV compliance remains a couple of years away as the liability shift for Fuel and Convenience Stores is scheduled for October 2017. However, given the length and complexity that many traditional merchants have experienced for their EMV projects, it is not too early to start working with their software vendors and issuing banks now in an attempt to stay ahead of the curve. We anticipate that these retailers will glean some benefit from the experiences of retailers in other verticals.

I welcome your opinions on this topic. Please share your comments below.


EMV: Training and Educating Associates and Customers

For retailers, EMV has been in the news with increasing frequency over the past year. However, recent studies indicated that only a small percentage of customers are familiar with what EMV entails and how the process will work.

With minimal understanding of EMV by consumers and store associates, retailers are going to face two key challenges when implementing EMV in their stores.

Challenge #1: Training and educating store associates on EMV (what is it, how does it work, and why is it being implemented?).

Challenge #2: How do retailers educate and communicate the changes to their customers?

The primary change for customers occurs during the credit card tender process. Customers and store associates will no longer be swiping a credit card on a payment terminal or POS MSR. Instead, customers will be responsible for now inserting (or “dipping”) their cards into an EMV-capable payment terminal. This seemingly minor change cannot be overlooked or minimized as swiping has been the norm for so long and has become a subconscious behavior during checkout.

Insert vs. Swipe

Not only does the physical process change (insert versus swipe), but the timing of an EMV transaction is impacted. Compared to a traditional magnetic strip swipe of a credit card which may result in a sub second response, an EMV authorization and response will take considerably longer – approximately 5–10 seconds. This is due to behind the scenes authentication and validation of the new chip on the credit card.

Patience is Required

Additionally, if a person removes the card before the reading, transmission and authorization is complete, then the transaction will likely be declined. Retailers must be sure to communicate the impact of this new process and that “patience” is required. Even though this new technology takes longer (which is counterintuitive to most customers’ understanding of anything new), the added benefit of improved transaction security should be part of the associate and customer training.

Leaving Card in EMV Terminal

Another impact of the longer time the card stays inserted in the EMV terminal is a high risk of the consumer leaving their card behind. This issue was a documented problem in Europe and other early EMV adopters during their EMV cutovers. Solutions exist to configure the payment terminal or POS to alert the associate and customer audibly, or to restrict the printing of the final receipt until the card is removed. To help minimize this issue, retailers should work with their technology partners to understand which solutions work best.

PIN vs. Signature

And if all of the insert and timing changes weren’t enough, there is the open question of Chip or PIN entry for a given EMV card. Many customers may not even be aware of their PIN for non-Debit cards, which will further slow down and complicate the checkout process. However, since many payment processors are not equipped with the technology to handle EMV chip-and-PIN credit transactions, it is not likely that customers will have to memorize PINs anytime soon. Therefore, most EMV cards will be initially configured for signature verification vs. the real-time PIN verification.

These changes all come with added security for both retailers and customers; however, as with all changes, special attention must be spent towards developing robust change management plans which include both associate training and end consumer education.

As always, I welcome your opinions on this topic.  Please share your comments below.


11% of US retailers integrate loyalty with payment app

NFC World – Some 11% of US retailers have already integrated a loyalty program into a mobile payment app, while 40% plan to do so within the next two years and 20% in three to five years, research from Boston Retail Partners reveals.

Read full article: 11% of US retailers integrate loyalty with payment app