March 16, 2017
By Kevin Woodward
Rattle off a selection of payment trends—EMV, tokenization, fraud—and many e-retailers may be beset by apprehension. That’s especially true if the retailer looks to support emerging payment types, according to Matt Herren, director of payments analytics at Computer Services Inc., a Paducah, Ky.-based financial-technology provider.
Herren, speaking at the Merchant Risk Council’s annual conference Wednesday in Las Vegas, outlined the various payment trends, their risks to e-commerce merchants, and how merchants could counter those risks.
Chief among the risks is the proliferation and variety of stolen data available to criminals. Instead of siphoning off data piece-by-piece by targeting a specific source, criminals now look for ways to capture massive amounts of data, even if it is not payments related, according to Herren.
“Several years ago, we started seeing [criminals] going after watering holes,” Herren said, gaining access to data not at just one location, but potentially dozens or hundreds.
Couple that change with the increasing sophistication of criminals—after capturing data some of the malware programs they use can automatically delete themselves to hide their tracks—and the task before merchants grows exponentially.
With more data for sale on the dark Web, where much of the criminal sale of stolen data takes place, and tools designed to thwart or identify criminal activity widely available for sale there, too, law-enforcement aid to merchants could be imperfect, he said. “We ultimately know the software used by the [National Security Agency] showed up on the dark [Web] for sale,” Herren said.
There’s more. Criminals are now offering guarantees that their data is valid. As recently as seven to eight years ago, criminals were content to sell primary account numbers and other card-specific data, Herren said. Now, they’ve instituted “quality-control” programs.
“What we started seeing from sellers of this stolen information is they started warranting their services,” Herren said. “They were confident enough the data was new and fresh.” They also began doing test transactions to indicate the validity of the data, moves that eventually drove prices up and created demand for ancillary data.
“To avoid detection, they started selling things like geolocation information,” Herren said. Geolocation enables merchants to know the location of a device.
Other data, related to card-not-present transactions, could reveal a legitimate customer’s purchase history. With that in hand, criminal activity drawing on such data becomes harder for merchants to detect, he said.
What can merchants do? One response is to incorporate payment technologies that use dynamic data, Herren said. EMV chip card acceptance, which is well-suited to combatting counterfeit fraud at the point of sale, is of little benefit to e-commerce merchants, but its use of dynamic data is instructive, he added.
Dynamic data changes for each transaction and is unique to that transaction. The answer for EMV in the card-not-present arena is tokenization, according to Herren.
“The core credentials are dynamic and tokenized,” he said. While a breach is never optimal, tokenized payment information is of no value to criminals, he added.
And as mobile commerce garners a larger portion of all online commerce, the need to use tokens will increase. Many mobile-payments services, such as Apple Pay, Samsung Pay, and Android Pay, use tokens for in-store and online transactions.
The end result should be about improving the shopping experience, Herren said. “We have to solve a problem,” he said. “And that’s the experience.”