In this holiday month the PCI Data Security Council has taken the opportunity to update guidelines for merchants using Wireless technology to collect payments and also to issue guidelines for the growing number of merchants employing Tokenization.

The Payment Card Industry – Data Security Standards (PCI-DSS) lay down minimum security requirements for all merchants and aim to reduce the level of data breaches where customer card details are stolen. Failure to comply with these standards or incidents leading to data loss can lead to substantial fines and brand damage.
The guidelines are designed to help merchants to interpret the PCI-DSS standards, so are not prescriptive and do not change the Standards. Each merchant must ensure that their individual operation complies with the PCI-DSS standards.

Please click for links to the Wireless and Tokenization guidelines or the PCI Security Standards Council website, where you will find guidance, Self-Assessment Questionnaires, lists of qualified Assessors and other valuable information.

The downward trend is attributed to fraud fighting initiatives, Chip & Pin cards, and – crucially – increased awareness among retailers and consumers of secure identity measures like CV2 (the 3 digit signature strip number) and 3D Secure (the password process known as “Verified by Visa” or “MasterCard SecureCode” and which is increasingly common during web transactions).

Online banking fraud losses totalled £46.7 million in 2010 – a 22% fall on the 2009 figure – as banks installed sophisticated fraud detection software and more consumers equipped their PCs with up-to-date anti-virus protection. The dip in online fraud has occurred despite a continuing rise in phishing attacks, up 21% from 2009.

Phone banking fraud losses totalled £12.7 million during 2010, an increase of five per cent from 2009. Most losses involve customers simply being tricked into disclosing their personal security details – through cold calling or fake e-mails, says Financial Fraud Action UK.

Stephen Whitlam, a banking specialist with Expense Reduction Analysts says “Over the last couple of years we have stressed to retail clients the importance of basic protections like CV2 when accepting mail/telephone card transactions  and 3D Secure for internet sales. We expect them to see the benefit overtly in reduced processing costs, but it is clear that reduced fraud losses are also a major incentive. I certainly anticipate that the Card Industry will mandate these processes uniformly shortly”.

There is widespread evidence that most of the major merchant acquirers are imposing – or trying to impose – price increases across great swathes of their customer bases. The reasons given to justify the hikes are real enough, with the acquirers facing external cost increases that I will discuss below, but Expense Reduction Analysts banking Team commonly find:-

i.            That the new tariffs often represent more than cost increases being passed on, with acquirers – and I am being diplomatic here – putting a “spin” on their explanation that disguises increases in their margin.

ii.            Increases apparently imposed without any specific notice at all, with claims that “a standard letter was issued” or the increase was detailed in a statement message. (Who, in a position of authority in any business of any scale reads statement messages from acquirers?)

iii.            Justifications alluding to cost increases that occurred before a particular tariff was agreed.

I mentioned that the reasons for the increases are real enough. In a bit more detail these include:-

1. The two major card branding schemes (Visa and MasterCard) are both increasing the underlying cost to acquirers of secure mail-order/telephony transactions. The scale of these increases is staggering and varies between 44% and 69%. This level of imposed increase represents a step change in the acquirer’s costs of these transactions and in many cases mean that they would be facing losses on them. The increases kick in next Spring but – in the scheme of things – one can understand pricing impacts for businesses being negotiated or advised right now.
2. Many credit card issuers are upgrading standard accounts to premium accounts (such as MasterCard World) at renewal. Acquirers face a significantly higher interchange cost from the schemes for processing these types of card. Tariffs often incorporate a single fixed price for “credit cards” and – given the increasing proportion of premium account holders within the transaction mix – acquirers will at best be facing diminishing margins unless they adjust.
3. Some acquirers have very sophisticated back office systems which allow them to differentiate between secure and none-secure cardholder not present transactions (where “secure” means correct application of either 3-digit signature strip protection for mail-order/telephony or the password-based 3D Secure system for e-commerce transactions). Some cannot differentiate. The penalty costs faced by the acquirers (for non-compliant transactions processed by their merchants) are hefty and increasing.

So, in our projects what do we do about these increases if they are “justified”? After all I do concede that underlying pressure on acquirers is being caused by external elements and they could even be facing potentially unsustainable losses on some transactions.

-          The first part of the answer – at its simplest – is to ensure that the reasons given are actually justified. Negotiated tariffs/margins are negotiated tariffs/margins in my book and cost features in existence at the time of (or prior to) negotiations cannot be used to justify subsequent unit price increases. And because, whether we like it or not, card acquiring is a numbers game, mistakes like that do creep in. I ought to add here, in the interests of fairness to the professionals I deal with in the acquirers, instances like this are swiftly apologised for and corrected.

-          Secondly it’s about making sure that the impact of the increases is limited to no more than passing on the cost changes that the acquirers themselves face. I cannot add an “in fairness” comment here because my experience is that a rise in external costs is often used to mask margin increases. That is the case now in many of the standard tariff increase letters that I have seen and that I am robustly challenging.

-          Thirdly, if an increase is unjustified and – really critically – results in a client facing tariffs that become uncompetitive, we will recommend the activity is tendered. Card acquiring remains a very competitive industry and whilst that should be a last resort, it is actually often straightforward.

The above actions really do rely upon detailed analysis, modelling and current market knowledge both to assess their potential value, but also crucially, to negotiate the optimum outcome. For example I mentioned a rise of 44% to 69% in acquirers’ own major external costs for transactions processed via mail order or telephone. This does not mean a 44% to 69% increase in retailer’s tariffs is justified as that is precisely the way that margins are unfairly increased at times like these. Our aim is to ensure that the actual cost….and no more….is passed on.

Virtually every business that accepts cards will already have received – or will receive over the next few months – an increase in their card processing costs….whether advised or unadvised. And if they don’t, I would suggest that they are already paying too much as otherwise it is hard to see how the acquirer can absorb their “hit” without comment!

This author has long-blogged and written articles stressing the importance that the card industry places on security measures. Their success now seems apparent as according to the UK Cards Association, total fraud losses on UK cards in the first half of 2010 were £187 million, some 20% better than the same period last year. I find it staggering that against the backdrop of the explosive increase in the use of cards – and in the throes of recovery from a recession, this is the  the lowest figure for 10 years!
The association, which represents all the country’s major card issuers and acquiring banks, claims the fall is down to several industry initiatives, including the increasing roll-out of updated chip cards and ongoing work with retailers to improve the security of their equipment and procedures.

Other factors include greater sign-up to MasterCard SecureCode and Verified by Visa, increased use of fraud detection tools by banks and retailers and the growing roll-out of chip and PIN abroad.

Card-not-present fraud fell 12% to £118 million and – as this fall bears out the effectiveness of security measures – expect greater emphasis on this aspect as it is still the biggest element.

In Expense Reduction Analysts’ Banking Team we are hearing whispers from various sources that both Visa and MasterCard are likely to increase the underlying cost of Mail Order and Telephone based card transactions next Spring – and also maintain or even increase the extra cost for non-secure transactions. So – because the medicine is working we anticipate more of it!

We expect that tariffs will continue to put a significant premium on riskier transactions; a classic “stick” approach. And because we monitor the underlying supply-side costs the acquirers face from the major issuing brands (Visa and MasterCard primarily), we can negotiate fair price points for our client’s transactions. Moreover, we can advise on or project manage clients through to compliance and help drive out the penalties.

I was impressed with many of the pointers in Visa Europe’s, first whitepaper aimed squarely at helping the hospitality industry safeguard customer data http://www2.visaeurope.com/documents/ais/hotelbreach_europe_2.pdf . Under the title ‘Hospitality Breaches on the Rise’ it also offers insight on how cyber-criminals target hotels, as well as the  guidance I already alluded to on how data can be protected to help businesses comply with the Payment Card Industry Data Security Standard (PCI DSS).

Hotels often have more complex payment systems than other retail businesses, making it harder for them to achieve PCI DSS compliance. Compared with some retailers who might have only one point-of-sale, customer card data is often captured, stored and retrieved at multiple pay terminals within hotels – such as the reservation desk, restaurant, bar, or for room service, internet access and online bookings.

Cutting to the chase, the tips that impressed me are:-

• Change vendor-supplied defaults for passwords or other security information for Hotel Management Systems (HMS) and Point of Sale (POS) payment systems. The HMS is the central and core component in which cardholder data is stored, processed and transmitted to perform authorisation and settlement across other payment terminals in the network

• NULL sessions (unauthenticated connections to a Windows computer) should be disabled. This is the number one method for hackers to gain information on passwords, groups, services and users

• Install and maintain a firewall to protect data. HMS and POS payment systems should not be directly accessible via the Internet; inbound traffic should be blocked and outbound services should be filtered

• Assign a unique ID to each person with computer access and implement a dual-factor authentication method for remote system access via the Internet. This will mitigate unauthorised access into HMS and POS payment systems

• Track and monitor all access to network resources and cardholder data to track and monitor anomalies and suspicious attack activity

Cardholder data held by hotels is a potentially lucrative source of information for fraudsters who obviously view the hospitality sector as an easy target. By understanding the nature of security threats and the preventive measures that can be taken, managers in the industry can reduce the risk of compromise. The losses from fraud can be significant both in terms of bottom line cost and negative reputation.

Actually implementing the above measures may require specific expertise in some instances, but many are simple management practices. In Expense Reduction Analysts we certainly encourage all our clients to introduce (or maybe just re-invigorate) such practices as easy ways to protect profit, reduce losses and preserve reputations.

Whilst much of the current growth is down to Barclays’ decision to issue contactless cards as standard for all UK customers, the other UK banks are likely to be more aggressive shortly.  We in Expense Reduction Analysts’ Banking Team expect to see most of the major High St Bank’s card acquiring arms working with retailers to encourage wider adoption.

Visa believes the recent rise in the contactless transaction limit from £10 to £15 is helping to make the cards a more attractive proposition for users and retailers.

Currently around 26,000 outlets are enabled for contactless and average transaction values are around the £4.30 mark, with evidence emerging of a surge in use among cardholders. Mark Austin, head of contactless at Visa Europe, said that in the last six months they had seen an increase of 100% in transaction volumes. So a groundswell of acceptance of the technology is growing. I will blog around that issue when I have more information.

For many of our clients its not around being an early adapter but more around recognising how customers, and potential customers, wish to carry out low value/high volume purchases. Moreover, maintaining the profitability of transactions is absolutely crucial. For my part that means ensuring that the actual real transaction costs are understood, rationalised and – where uncompetitive, challenged.

Once in issue, Visa cards will feature an alpha-numeric display and a 12-button keypad built into the back of a conventional credit, debit or prepaid card. The cards will have a three-year battery life, overcoming a potential stumbling block to such schemes in the past.

To validate a transaction when shopping on the Web or logging in to an online banking service, the cardholder activates the authentication process by pressing the “Verified by Visa” option button on the card’s keypad.

When prompted, holders then enter their PIN into the keypad embedded in the card which prompts a unique one-time-passcode to appears on the display, this is then used to authenticate the transaction.

Since 2009 eight banks in countries throughout Europe, including the UK, Italy, and Germany, have piloted the system, with 86% of participants reassured about security. Most cardholders – 70% – also say they would use their cards for card-not-present transactions more often.

This system is currently exclusive to Visa and they see it as a way to bring a similar level of security to payments online as we now see on the high street with chip and pin.
Expense Reduction Analysts have long reviewed the use of 3D Secure (the generic name for both Visa and MasterCards’ e-commerce password security function) as a driver of cost-savings. We argue that as issuers are less prone to fraud, our clients should share the benefit. Whilst it is only compulsory for the diminishing Maestro Card currently, the day may now not be far off when Visa mandate it for all e-commerce transactions across their brands.

In its ‘The Way We Pay 2010′ report, the UK Payments Council notes that cash, on the face of it, still appears incredibly popular, accounting for 60% of transactions, but this is down from 75% just 10 years ago. What’s more, of the 21 billion consumer cash payments made in 2009, 80% were for less than £10.

In just five years, cash transactions are expected to represent less than half the total for the very first time. The value of cash used is dwindling even faster compared to wealth and spending, rising only 7% in the last 10 years, while overall consumer spending has doubled.

The trend will accelerate over the next 10 years and by 2018 the amount of cash used in the UK will fall by 20% after adjusting for inflation, even though total spending will rise by around 15% in real terms, according to the report.

Technology and cultural changes are driving the move, with debit cards and contactless technology taking over from cash, particularly among younger generations.

Debit card usage has risen fourfold in ten years – to £264 billion in 2009 – four times as fast as overall spending, and will double again by 2018. Each adult now uses a debit card 158 times per year, almost every other day, up from a little more than once a week in 1999 and by 2018, one in four of all transactions will be on a debit card, up from just one in twenty ten years ago.

Whilst debit cards have have begun to replace larger credit card and cheque transactions they are also taking over from cash for lower value payments and this will continue with the rise of contactless payments.

Mike Bowman, head, policy and markets, Payments Council, says: “Contactless payment for small purchases has the potential to drive debit card usage even higher. With 18 billion cash transactions less than £15, there’s a huge opportunity for us to replace billions of these with a quick swipe past a card reader.”

The Council cites the way Brits pay in pubs and clubs as an example of this shift in technology and culture. In 1999, nine out of ten pints were bought with cash. Now only 40% of pub spending involves notes and coins and pub goers are much more likely to be eating out as well as drinking. By 2018, the report predicts cash spending in pubs will fall to just 25%.

Bowman says: “Although cash won’t disappear in our lifetime, the continuing payments revolution will make it an ever smaller part of our spending. Even the traditional sight of people waving tenners at the bar is fast vanishing. They’re more likely to brandish their debit cards now as they compete to get served.”

Not only are Brits less likely to pay in cash now, they are also no longer being paid in cash. In 1999 one in eight received their wages in cash. This was down to one in 20 by 2009 and is predicted to fall to one in 50 by 2018.

“More and more people have opened bank accounts in the last ten years, and fewer and fewer have jobs in manufacturing where a weekly wage packet is more common. As a result far fewer of us get wages cash-in-hand,” says Bowman.

Brits have therefore turned to ATMs to access their cash. There are 63,000 holes in the wall in the UK today, two-and-a-half times more than ten years ago. In 1999 62% of cash withdrawn from accounts came from an ATM – by 2009 it was 85%.

Meanwhile, cheques are continuing their slow death says the council, accounting for just two per cent of personal transactions in 2009 as increasing numbers of retailers stop accepting them. The group says that even if it does not embark on its controversial policy to officially phase them out, volumes will more than halve to just 248 million in 2018, making up just 0.8% of all the personal payments.

The council concedes they remain popular for person-to-person payments – accounting for a third in value – but claims the advent of online banking, and especially faster payments is accelerating the decline.

Around 22 million UK adults now operate their accounts online, while the report predicts that Faster Payments will see rapid growth, accounting for £836 million by 2018, up from £294 million in 2009.

Looking further ahead, the Council speculates that cash could be all but dead within 40 years ………..

“By 2050, using cash could well be a minority activity, much more the preserve of informal transactions. With around a billion bank notes created, distributed, collected and destroyed every year, the production and secure transportation of notes is an expensive and environmentally costly business paid for by the tax payer. A progressive move away from cash could hold many benefits,” says the report.

Stephen Whitlam of Expense Reduction Analysts says “negotiating reduced transaction costs for those clients accepting cards is something we are long-experienced in. It is a competitive market and so often we find that businesses use the services of their main bank, either through inertia or a lack of awareness of who the alternatives are. Moreover, published tariffs do not really reflect the alternatives properly as negotiation is a given. And its at tyh enegotiation point where we can make a difference, because we know the market, we understand the acquirer’s cost base and can cut a straightforward path thgrough any technical issues”.

Some retail clients have been wary of 3D-Secure (MasterCard SecureCode and Verified by Visa) believing that business has been lost as card users continue to be nervous of the system. In the last 2 years we have witnessed a marked increased take up, driven both by the opportunity to reduce costs, as most acquirers charge a premium for non-secure transactions, and the desire to reduce the costs and reputational damage resulting from fraud.

So what cost reduction opportunities are there for your organisation? Take a few minutes to look in to the following simple questions and you may just be able to boost your profit margin by cutting your transaction costs:
1. When payments are accepted over the phone or by mail order, do you require the provision and keying of the 3-digit security code (it’s surprising how often we find that staff choose not to key the code).
2. Has the decision on whether to operate 3D-Secure systems on your website been reviewed in the last 12 months?
3. What is the level on ‘non-secure transactions’ on your merchant card statements, and how has this changed in the past 6 months? As with all processes, good practice can slip if not monitored, so a quick check can make sure that you keep this cost on line.

Quite apart from the business expense of sorting out fraud claims and chargebacks, using the systems provided by the acquirers will reduce non-secure transaction fees which we have seen ranging from 10p per transaction to 0.85% of the transaction value. At a time when profit margins are under pressure, these cost saving ideas can be easy to manage and give benefit straight to your profit and loss.

Stephen Whitlam of Expense Reduction Analysts says that the survey “reveals there is still a big education issue out there. The broader card industry has not helped by extending deadlines and by a piecemeal approach to communication. However – at the core – is protection of customer data which if misused can result in broader identity fraud. We are talking here of data captured by the retailer, and how that data is handled and stored by the retailer. The card industry is trying to impose responsible common-sense standards and I do not think we are too long off seeing a high profile retailer being denied access to accepting cards completely. And in our experience – in the interim – the penalty charges we see so many new clients paying are completely avoidable and cover the costs of compliance many times over.”

Stephen went on to say “there have already been some high profile cases like TK Maxx and whilst I understand the responders who feel data security is a card industry responsibility, the answer to them is: yes it is, and the industry response is to ensure that all players take responsibility for their part or exclude them from access”.

*PCI DSS stands for Payment Card Industry Data Security Standards. It is the card industry’s response to the need to make sure that all data that can identify a cardholder, or simply an account, is subject to minimum standards of care by all those who hold or access it.