10 | Retail Fraud Special Report
personal details have been leaked to criminals have more significant long-term consequences. The security of shoppers and their credit card details has been repeatedly shown to be a top concern. Consider that:

- A global survey found that 50 percent of consumers worry about credit card fraud (ACI Worldwide: Card Fraud Survey, March 2011)
- More than a third of consumers in the UK have experienced some form of card fraud (ACI Worldwide: Card Fraud Survey, March 2011)
- A survey of consumers in the UK found that 42 percent had been discouraged from making a purchase because they were worried about card fraud (Connected World: Card Fraud Survey, January 2011)

Banks, the credit card companies and retailers have all responded by taking steps to improve security. In the UK, for example, EMV (chip-and-PIN) cards were introduced to help reduce the risk of card fraud, but chip and PIN alone does not secure merchants. Even though the payment cards are more difficult to clone and copy, the card data is still susceptible to breaches while it's on a merchant's payment system. In an attempt to secure the whole environment in which the transaction takes place, the Payment Card Industry Data Security Standards (PCI DSS) were introduced in 2006 by the major credit card companies. These standards help ensure that a basic level of security is in place at merchant businesses to reduce the risk of card fraud.

By now, all merchants should be aware of PCI DSS, and many merchants that process, transmit or store credit card data are required to be PCI DSS-compliant.

In theory, with these new security standards the retail industry should be a safe haven for consumer data, with criminals forced to turn their attention elsewhere. Instead, a serious data breach happens every week on average and the number of hacking incidents seems only to be increasing. So what's going wrong?

For many merchants, PCI DSS compliance has become a bit like setting a house alarm, but using "1234" as an access code. The intention to protect against theft is there, but the execution is poor. Retailers just aren't giving enough attention to compliance. It's one thing just to fill out a self-assessment compliance form and tick the correct boxes, which on the surface indicates compliance, but it's another to keep up to date and be absolutely certain that a business is protected.

Small- and medium-sized businesses seldom consider themselves to be targets for card fraud criminals. But these businesses in particular must be warned: criminals do not only target big organizations. Larger companies are naturally richer targets; however, most have accompanying budgets and an IT department dedicated to protecting their vital customer information. Therefore, as PCI DSS regulations take hold, fraudsters are shifting their attention to softer, less well-defended targets like small businesses. In fact, nearly 96 percent of PCI DSS breaches take place with Level 3 and 4 merchants, typically smaller businesses that accept less than one million card transactions annually. Along with satellite branches of larger organizations, these are proven to be the most vulnerable organizations for attacks. According to research from Javelin (source), cybercrime in the U.S. targeted at SMEs totaled more than $8 billion in 2010.

It can be very difficult as a smaller organization to dedicate the time to ensuring proper and thorough PCI DSS compliance, but that doesn't mean there aren't options. Network management systems can be used to make PCI DSS compliance a simple, cost-effective and continual process with minimal fuss.

Nobody said compliance was easy, but compliance is not an option; it's essential. Retailers must begin to explore the opportunities, do what's best for the business, and avoid being next on the hackers' hit list.

Mobile, Mobile Everywhere, But What Does It All Mean?

Mobile payments, mobile commerce, and mobile POS are three commonly used terms today. Here, the various mobile methods are defined based on descriptions provided by MerchantWarehouse.com.

Mobile Payment. In its simplest definition, mobile payment is the payment for an item or service from or via a mobile device. While many today associate mobile payments primarily with contactless payments like near-field communication (NFC) or bar and QR codes, SMS, mobile web payments, and direct mobile billing are also included in its broader definition.

Mobile Payment Acceptance. Unlike the broader term of mobile payment, mobile payment acceptance signifies the ability to accept payments on a mobile device, whether it is a smartphone or tablet. The typical setup includes a free or low-cost attachment that allows for the swiping of traditional credit and debit cards. The device is connected, through the smartphone or tablet, to a credit- and debit-card processing application.

Mobile Commerce. While some interchange the terms mobile payment and mobile commerce, the latter has its own, distinctive definition. Mobile commerce encompasses mobile payment, but also includes a variety of mobile-based activities, including content purchase and delivery, money
transfer, auctions, browsing, marketing and advertising, and location-based services.

Mobile POS. Mobile point-of-sale (POS) is predicted to be the future standard, even among tier-one retailers. Many leaders are investing in mobile POS: hand-held checkout devices that serve as a payment extension to the company's larger POS system. While these new mobile POS devices have some of the same characteristics as mobile payment acceptance devices, they are much more robust in terms of features and reliability. These new devices will include the ability to accept mobile gift, NFC, QR/bar code, and include integrated loyalty and reward.

Tablet POS. In today's marketplace, more and more point-of-sale developers are focused on iPad and tablet development versus traditional systems. These new platforms afford developers more options, more capabilities, and a lower-cost alternative, while retailers receive parallel benefits in terms of features and functionality, portability, and reduced cost. In fact, tablet-based POS systems open up a new opportunity for smaller retailers that, due to high cost, were not able to leverage POS in the past for their business.

As mobile payments continue to gain favor with consumers, the market is almost guaranteed to get more crowded with service provider options. Apple Pay, along with future Apple Watch applications, is purportedly the fastest-growing app for mobile payments. Samsung's recent acquisition of LoopPay is another reach into the mobile market through Android phones. And as recently reported by The Wall Street Journal, Google has shown renewed interest in Softcard, formerly called ISIS, the mobile payments company that was formed out of a consortium of AT&T, Verizon, and T-Mobile. There are also ConnectC, PayPal, and the Starbucks approach with QR codes, to name a few additional options or potential options.

With the growing number of mobile payment applications available to the consumer, associated challenges will also grow for retailers to accommodate the various forms of payments while remaining transparent to the customer experience. There is a real possibility that a consumer might tap their device on a terminal in one store, use a QR code in another, and complete a transaction via a mobile application in another. There will be plenty of room for confusion from both the consumer and front-line employees at retail locations.
"Many retailers have not yet figured out how to handle this new way of thinking about fraud and its impact on their stores once the changes to credit and debit cards take effect, especially for those who cannot afford to immediately comply," said Joseph LaRocca, vice president and senior advisor on loss prevention for RetaiLPartners and formerly with the National Retail Federation. "The way we handle fraud incidents will change dramatically, not only from a liability standpoint, but also from the way those incidents will be processed through the legal system. Today card issuers can upload their cases in bulk, a process that is not yet in play for the retail community."

The Good News

Because widespread adoption of these new forms of payments is still in the early stages, there is the opportunity to plan accordingly.

Walgreens. The nation's largest drug retailing chain with over 8,000 locations, Walgreens has been accepting various types of mobile payments for several years. Walgreens' acceptance of NFC payments across the chain enabled its first adoption of Google Wallet and the expansion of Apple Pay. Since rolling out the new payment form, Walgreens has seen little to no impact on fraud levels.

The retailer credits its proactive approach to adopting new technology for a successful implementation. For mobile payments, that included a comprehensive communication strategy and partnering with key stakeholders within the organization as well as third-party providers, including its credit- and debit-card processor. Setting clear expectations and finding alignment and agreement at the start also helps the transition process to proceed more smoothly.

Walgreens' asset protection solutions team actively participates in weekly meetings with its IT partners so that any changes being considered or made to the POS systems take into consideration the need for proactive protection against fraud. These proactive measures are then designed into the back-end processes and are systematically included. The company also educates its front-end cashiers on how to handle mobile payments. The same basic principles apply to mobile payments as to traditional credit- and debit-card transactions: the card or the mobile phone must be present.

One of the challenges Walgreens faced in rolling out mobile payments was the misperception on the part of the field organization that fraud would be more prevalent. The company put together a comprehensive communication strategy to educate the field to help them overcome this misperception.

"The biggest challenge we faced was the misperception that the risk of fraud would be greater with mobile payments than with the traditional credit- and debit-card swipe," said Bill Inzeo, who is director of insights and intelligence and asset protection solutions for Walgreens. "We went to great lengths to educate our field organization that, if accepted according to policy, the risk factor does not go up with mobile payments."

When asked about the coming changes as they relate to EMV chip technology, Inzeo feels that the benefits far outweigh the challenges. Walgreens upgraded its POS systems a couple of years ago with an eye to future requirements. It made sure that all of its hardware was capable of accepting the new cards. They are now working with their programmers to develop code that will make accepting the new smart cards seamless to the customer and the associate.

"When it comes to adopting new technology like mobile payments or chip-and-PIN cards, you need to approach it from a business and financial perspective without the emotional ties to fraud and loss," said Inzeo. "We bring an objective point of view, evaluate the risk, and provide recommendations that protect our customers and the company, while delivering the shopping experience our customers and patients deserve and expect."

eBay. Online retail giant eBay has perhaps the most experience with mobile payments through its PayPal application. PayPal processed $46 billion in mobile payment volume in 2014, up 68 percent over 2013.

"Surprisingly, we have seen very little in the form of fraud attributed to mobile payments," stated Paul Jones, senior director of global asset protection for eBay and PayPal. "We attribute much of that to a well-thought-out and well-executed plan."

When asked what retailers should consider when entering the realm of mobile payments in their stores, Jones emphasized the need for structured agreements. Like his counterparts at Walgreens, he stresses the need for expectations to be set up front along with alignment and agreement on implementation. eBay offers its retail partners protection against fraud by assuming the risk and liability should a fraudulent transaction occur with its service. He urges others to address this point with their mobile payment service provider, whoever they may be.

Along with designing the interface for maximum ease-of-use for the consumer, retailers need to put network security at the forefront of the process. Echoing Walgreens' advice, Jones recommended that loss prevention teams need to be involved from the beginning of any new project that has the potential to disrupt business through loss or fraud. "You need to be present from the start to be effective in the end," stated Jones.

Heinen's Grocery Stores. Regional supermarket chain Heinen's, based out of Cleveland, Ohio, currently accepts mobile payments in the form of Apple Pay and Google Wallet at its twenty-two retail locations. The company is also in the planning and implementation stages of converting its payment terminals to accommodate the new EMV chip technology.

According to John Guenther, director of risk management and information security for the merchant, the security challenges that exist between near-field communications (NFC) technologies like those found in mobile payment devices and EMV chip-and-PIN technologies are quite different.

"NFC devices concentrate on masking the consumer credit- and debit-card information from the retailer point-of-sale terminals through tokenization, while chip-and-PIN focuses on a more secure payment transaction by requiring a higher level of authenticating when using the card," explained Guenther. "Both forms of payment still have the potential to be breached: mobile payments through loading fraudulent cards into the device and chip-and-PIN for online transactions."

Not unlike other retailers who have transitioned to the new payment technologies, Guenther's advice is to develop a comprehensive plan and to be able to clearly articulate the goals and objectives behind making the proposed changes to the company's payment systems.

He recommends formalizing the project with a dedicated team, appointing a project manager to oversee all aspects of the conversion, engaging key stakeholders and third-party vendors, and asking the right questions from the start, such as:

- What middleware applications will be affected?
- What reporting functions will change and how?
- Will this be a standalone, integrated, or semi-integrated process?

These are just a few of the questions that will need to be asked, answered, and understood for successful implementation.

"In the end, this journey into alternative payment forms is consumer driven and really not an option for most merchants if they want to continue to achieve a high level of customer service and satisfaction," said Guenther. "But along the way, it helped us create a heightened sense of awareness for PCI compliance and payment best practices for our organization."

Prepare for the Future

While the type of mobile payments that consumers will ultimately adopt and the number of options available to them will continue to grow, one thing is certain: mobile payments are here to stay and will only become more prevalent in the years to come. In order to remain competitive, retailers will need to find ways to accommodate mobile payments and provide a seamless shopping environment for their customers while accepting a whole host of mobile payments from a variety of devices.

"Retailers will need to follow the emerging mobile market closely so that they can deliver on consumer demands," concluded LaRocca. "At the end of the day, if a customer cannot conduct business in the manner that suits their individual needs, they will take their dollars elsewhere."

Preventing mobile payment fraud will take on a bigger role in the lives of many loss prevention executives with the upcoming shift in liability. But the good news in all of this is the fact that with proper planning, open dialogue with all key stakeholders, advancements in technology, and a comprehensive communication strategy, retailers are in a good position to meet the challenges head on.

Those who have already ventured into the world of mobile payments have so far seen little to no disruption to their businesses and feel that the goodwill generated among their customer base is well worth the time and efforts invested. "Technology in the retail environment is always changing," said Inzeo. "By being proactive, you can adjust to anything. If you are involved from the beginning of the process, you can find success."

Contributors to this free report include Chris Trlica, Bill Farmer, Scott Richard, JD Sherry, Lee A. Pernice, and the Association of Certified Fraud Examiners.