Friday, April 19, 2024

Why POS Merchants Don’t Buy in to Payment Security

Data Insecurity
Part 4
Securing transactions at the point of sale seems like child's play compared to the Internet, and since the payments volume is 20 to 25 times the size of online transacting, a natural venue for improved data security. But the rash of data breaches (covered in Part 1 of this series) and a curious tolerance for “friendly” fraud by retailers in this channel reveal a laissez-faire attitude that makes POS yet another elusive target for security providers.

As with other subjects in this series, the tale of POS resistance to better data security has a history. A decade ago, MasterCard and Visa were trumpeting the inevitability of smart-cards: credit/debit cards with computer chips in them containing protected data that authenticated the cardholder, verified the card, and passed protected financial-account information to a secure reader in the checkout lane. At one point, not so many years ago, the bank card associations decreed that all signature-based cards would have chip-based security in them by 2005.

The hole that sunk this ship is largely attributed to a Tower Group projection that deploying the so-called smart-cards, readers, and authentication systems would cost retailers and banks a whopping $13.4 billion in infrastructure costs, with more than half of that amount to be paid by retailers. It was a non-starter. DOA.

Meanwhile, the rest of the world (especially Europe and Canada) has gone the route of the chip card, combating fraud mainly by driving it across the borders to countries which haven't deployed it at POS. A growing number of security experts are expecting POS fraud attacks to shift to the U.S. as more and more countries tool up, and we do not. To be sure, the circumstances are different in those countries, primarily the lack of the effective communications systems that offer cheap and ubiquitous real-time authorization in the U.S.
Yet, even though they've been armed with recent technology to fortify the use of cards at the counter, much remains unchanged with POS merchants. For example, Pay by Touch's fingerprint-authentication system is working fine for check-cashing, but apparently is getting a lukewarm takeup so far for everyday payment use. PIN debit remains the most secure payment form ever deployed in this country, but the vast majority of small merchants can't see investing $50 to $100 a month for a secure PIN-pad capability, despite the substantial savings in interchange they could enjoy. Even the sexy new contactless cards and devices, which (initial misgivings by some consumers aside) offer superior security to a standard mag-stripe card and an opportunity to replace sometimes difficult and expensive cash transactions, go largely underpromoted by merchants.

So what gives? The answer, as usual, seems to lie in an elusive business case. Improved data security at the POS is not only not a priority, but might actually get in the way of doing good business! Here's why.

A recent Edgar, Dunn study projected that total fraud at retail was about $12 billion all-in, an amount on a par with banking, but far less than that experienced by health care and insurance. Since the bank card portion of that fraud is only a couple of billion dollars (too small to justify the business case for most POS security solutions aimed at that payment type), that means the remaining $10 billion comes from bad checks and cash.

Check fraud, it turns out, is a hard number to calculate. Banks lose about $700 million a year due to check fraud (a very respectable number), based on numbers from the Federal Reserve. So the rest must be borne by merchants, whose losses are around nine times that of the banks, according to Fed estimates. One would think that's a number capable of generating a business case for fraud reduction. But retailers have had plenty of tools to reduce check fraud exposure.
For years, Certegy and Telecheck and others have offered check-verification services (validating that the DDA is currently in good standing) for less than a dollar, and check-guarantee services at roughly the same 2% to 3% of the ticket amount that credit cards cost merchants. Yet demand for check-verification service is flat, and use of check guarantee is falling. Real-time debit and verification services like Star Chek Direct (an off-shoot of Primary Payment Systems, which can verify account status for more than 90% of the nation's DDAs) can “ping” the electronic-funds transfer systems for much less. Yet relatively few retailers and banks participate in these services. Again, what gives?

“Most checks are written at retailers that consumers do business regularly with, such as groceries and pharmacies and dry cleaners,” says the VP-Treasurer of one of the nation's largest general merchandise chains. “The retailers know that for the most part, these are good customers who want or need to shop with them locally, so they won't burn their bridges by truly defrauding them. So, we set our NSF fees and check-return policies to accommodate these customers as best we can. It's just another cost of doing business.”

As a consequence, there is a growing number of store loyalty cards and payment systems using the automated clearing house, which takes two to three days to clear and settle many transactions. Knowing their customer (the proverbial little old grandmother who shops with them three days a week) enables grocers and other retailers to trust that bad checks will be made good.

Finally, when compared to the estimated $35 billion annual price tag for shoplifting and employee theft (according to an annual Florida State survey), many retailers believe they have bigger fish to fry than reducing payment fraud and improving data security. Now that's a number a business case can be built on.

—Steve Mott


Digital Transactions