ETA Expert Insights: Payment Security: What to Expect in 2021
It is January 2021, and we are now going into 11 months of the pandemic here in the United States and entering a steady state with COVID. When the pandemic first hit, many merchants had to scramble to go online, pivot their business from its original model, and offer new forms of payment to their customers. Payments companies also had to pivot and react quickly to help implement new tech solutions and introduce new processing methods, mostly online, which has led to a large increase in ecommerce in the last year. But with this growth, concerns have come up around identifying and mitigating risks, as well as who has responsibility for them.
As things start to even out from the initial shock of the pandemic, it’s important to start looking back at internal processes and making sure they are secure and proactive, rather than reactive.
In this interview, members of ETA’s Payment Facilitator Committee discuss security concerns, trends, and predictions for the payments industry.
1. Based on where we are now, what are some ongoing concerns? What are frequently seen threats?
Jim Bibles, Aperia Solutions
We have made a lot of progress over the years, with regard to secure application development and information security education, but the payments community still has an issue with patching systems and migrating from unsupported/obsolete applications. This behavior is directly responsible for the Magento attacks we saw in 2020 and will contribute to more attacks in 2021. All Magento users need to migrate to the secure version of the application and entities that use SolarWinds and VMware need to ensure that they have migrated to the secure versions and applied the appropriate patches. A robust vulnerability management program is a critical part of any information security program and it really needs to have more attention paid to it.
Chris Bucolo, Sysnet Global Solutions
As we have migrated to Chip card (EMV) in the U.S. we have seen the predicted rise in ecommerce breach activity. Merchants are adding processing methods, but are not necessarily aware of the risks they represent. This is understandable given the need to survive in this climate. We have an obligation to go back and help them identify and address risks. Web application attacks have exploded and many merchants do not know who has responsibility for protecting those applications and the servers they are housed on. We need to help them avoid an “outsource and forget it” mindset. We need to arm them with questions and tips to go to their third party providers with. COVID has brought increased threats. This is not in doubt. Remote access security is an even bigger issue now when you look at how people work.
Tatila Downing, JPMorgan Chase
Merchants repeatedly receive threats, and new ones are coming up all the time. Breaches have become sophisticated and will continue to rise. We have come a long way to establish secure measurements such as the chip technology on credit cards, or pin and pay. However, with COVID, merchants had to quickly adapt to a new norm, adding ecommerce, which brought them other threats. Chargebacks as a result have increased and are expected to normalize with time. Meanwhile, card testing and fraudulent transactions are still high. The good news is that many acquirers and third parties in the US are establishing measures to recognize customers by authenticating transactions utilizing their mobile phones or emails. They are geolocating clients and keeping their buying history on record with the help of artificial intelligence and machine learning. There is a lot a merchant can do to mitigate risk; however, because the risks keep evolving, it will continue to be an ongoing process.
2. What has come out as a result of COVID that is here to stay?
Jim Bibles, Aperia Solutions
More merchants have migrated to omni-channel solutions that leverage internet and wireless connections and collect more consumer information than ever before (IP addresses, emails, geolocation data, etc.). This trend holds across all verticals. Merchants are going to have to go back and examine the impact on them both from a security and privacy perspective and ensure that they adjusted their systems to meet the regulatory impact associated with this migration.
Chris Bucolo, Sysnet Global Solutions
The additional methods of processing and channels will be unlikely to lose ground. Once consumers get used to buying in a new way, over such a long time frame, it is here to stay. Many people will consider “low” or “no touch” buying as a preferred way of doing business for the future.
Tatila Downing, JPMorgan Chase
The convenience of payments is here to stay. Curb pick-up, one touch pay, card on file and delivery of goods will continue to flourish. COVID has brought contactless to a new level. Retailers and service providers will have to make the process of buying as convenient as possible in order to excel in this environment of today. Today the focus is on safety, fast and efficient.
3. How do we help acquirers, processors, PFs, and ISOs play catch up for those that allowed everything to slide in early stages?
Jim Bibles, Aperia Solutions
As an industry we need to continue to educate our customers on the risks associated with these behaviors and when possible provide them with solutions that help them meet their obligations to their customers to secure the data, provide transparency about the data collected, and only use it in a compliant manner. If we want to be seen as a trusted business advisor rather than a payments vendor, we need to start reimagining how we engage with our customers.
Chris Bucolo, Sysnet Global Solutions
It makes sense to go back to basics in some ways and make sure, especially in an increasingly software driven world, everyone in the chain understands the roles and responsibilities breakdown and the potential vulnerabilities that go along with it. Does adding that bell or whistle enhance the buying experience? If so, what is the impact on risk of a data breach? What increases my scope and risk footprint, and what decreases it?
Tatila Downing, JPMorgan Chase
We help them by giving them access to data analysis. How are they performing? What behaviors are helping or hurting? Today, information is more valuable than ever. Access to how and what their consumers are buying will help merchants determine their next action and save them time and money in the long run. Being proactive rather than reactive will become quite important in the industry. Education on trends and predictions will also play a great part in determining how to invest in consumer experience and expectations.
4. What are considerations for the acceptance channel?
Jim Bibles, Aperia Solutions
The pandemic pushed the migration to omni-channel acceptance into hyperdrive and if an entity does not have such a solution in their product set, they are behind the curve. That being said, moving into the omni-channel world does introduce more complexity and risk into the merchant environment and we need to ensure that that is addressed both as part of our internal risk assessment for our merchants and with the merchant as part of the sales / deployment cycle.
Tatila Downing, JPMorgan Chase
Besides the omni-channel becoming an acceptance channel, the introduction of many alternative payment methods will be essential. Strategies of buy now and pay later have skyrocketed as consumers struggle to make ends meet with the pandemic. Wallets such as Apple Pay, Google Pay, etc. have become more popular than ever. These considerations should be taken into account when looking at channels to invest.
5. What are predictions of the future?
Jim Bibles, Aperia Solutions
It is odd that a pandemic that forces everyone to stay home has all accelerated our interconnectivity. My prediction is the technologies and behaviors that have been adopted during the pandemic, such as working remote, virtual wine tastings, curbside pick-up, and the home delivery of almost everything, are here to stay and that we will have to work very hard to ensure the technology supporting these activities is secure and the data collected is done so in a compliant manner. So my second prediction is lots of new security and privacy regulations and enhanced oversight in 2021.
Chris Bucolo, Sysnet Global Solutions
I think we are entering a new era where COVID has simply accelerated innovations in payments and security that were inevitable, for the most part. I believe it will not be long until many countries and even large venues for gatherings will require a “vaccination passport”, with biometric authentication. This underscores the issues that will come out of the confluence of a need to protect the public with privacy concerns. Our industry will have to navigate these issues, maybe sooner than we think.
Tatila Downing, JPMorgan Chase
Some of my predictions . . . the world will continue to shrink as brands expand to different markets, accepting various payment methods. Marketplaces will contribute in bringing sellers and buyers together globally. Consumer experience will be key for repeat purchases.
Subscription businesses will continue to rise, and finally, convenience of payments will determine who stays in business in the future.