Secure Attitudes
Pros from around the payments profession weigh in on their customers’ thoughts on security
Edited by Josephine Rossi
Not so long ago, conventional wisdom in the payments community said that merchants did not view data security as a high-level priority. Aside from the largest and most well-funded of retailers, merchants were more focused on revenue generation and other business fundamentals than they were on self-assessments, log monitoring, penetration testing, and the like. But times have changed, and as the digital economy has exploded, so, too, has society’s attention on cybersecurity and data breaches.
Transaction Trends’ contributing writers set out to learn if payments professionals are seeing a change in perspective from their merchant customers regarding security. We spoke to professionals from niche functions in the payments ecosystem, including acquiring, processing, security consulting, and software, for their input. Although their insights varied, most agree that while merchants are more aware of the importance of payments security, they are not necessarily doing much about it or are heavily reliant on third parties to facilitate a more secure sales environment. “It still speaks to the value of having a trusted advisor, which I know is cliché,” explains one source. Several payments experts also pointed out the need for independent software vendors (ISVs), which have exploded onto the scene, to become better educated on security, too. ISVs should be prioritizing security rather than narrowly focusing on developing “an elegant solution” for merchants, according to multiple people we contacted.
Additional excerpts of our discussions follow.
What are merchants’ general mindsets and attitudes toward security?
They are more aware, but they still lack resources. “Smaller merchants are exponentially more cognizant of security pitfalls and requirements than they used to be, due to a number of factors including landmark retail data breaches, customers’ increasing expectations, the constant discussion around securing personal data, and their own consumer experiences,” says Scott Baker, vice president of IT, security, and technical operations, BigCommerce, an ISV/full-service SaaS e-commerce platform.
“That said, greater awareness and a sense of urgency don’t necessarily translate to merchants having the time, resources, or expertise to address cybersecurity and payments security on their own,” he continues. “Many small businesses are already stretched thin, so they need technology providers to step in, manage the risks, and allow them to focus on growing their business, not warding off constantly evolving security threats.”
Some think breaches won’t happen to them. A prevailing mindset among small and mid-sized merchants is that the breaches are only happening to the large, Fortune 500-type companies, says Jeff Zimmerman, chief operating officer at Clearent, a payment solutions and processing provider. “A lot of smaller merchants still believe that they’re too small to be a target—despite all of the industry’s attempts to tell them otherwise. … There are plenty of stats that show that small merchants are getting hit. Our education attempts definitely highlight that, [but] it’s a perception that is hard to break.”
Many are not thinking holistically. The targeted nature of PCI mandates has helped merchants become more comfortable talking about compliance over the past few years, but it also has encouraged merchants to view security as piecemeal, says Sam Pfanstiel, ETA CPP, solution principal of PCI at Coalfire, a cyber risk advisory and security compliance assessment firm that works with merchants of all sizes. “There are too many threats for today’s organizations to consider security a back-office concern,” he says. “Security must be ingrained in the culture of an organization if they want to succeed in the future.”
Besides awareness, how have the breaches covered by the media actually affected your customers’ thinking or sense of urgency?
They are concerned about the customer experience and trust. Consumer concerns are driving more business decisions, says Baker. “The more vigilant consumers become with regard to their identities, payment credentials, and PII [personally identifiable information], the more hurdles are introduced to the purchase process that can lead to friction in the customer experience and even cart abandonment. Merchants understand the gravity of ensuring that their customers have secure, streamlined avenues to shop, pay, and become repeat buyers, and realize that they’re fighting an uphill battle to maintain consumer trust in the wake of major industry breaches.”
More executives are getting involved. “It’s impossible to be desensitized to some of these breaches [in the news] because each one seems a little bit bigger and more egregious than the last one,” says Steve Robb, president of the managed compliance services division at ControlScan. The firm, which merged with EchoSat earlier this year, has since broadened its focus on merchant PCI compliance to include security programs for ISVs. Executives at smaller merchants and retailers, in particular, have taken notice of the headlines, according to the firm’s research. Forty-two percent of ControlScan customers’ executive teams are “100 percent aware” of their company’s security-related activities and objectives.
“This really began with the Target and Home Depot breaches, which showed just how deep the impacts of a breach can go, not only with regard to the company’s bottom line, but also the ability for the company’s topmost executives to continue leading,” Robb says.
What is the most troubling merchant mindset regarding security?
Many are overly reliant on technology. “A good ‘human firewall’ is the most important—yet often overlooked—security approach for merchants,” Pfanstiel explains. “Security technologies are rapidly evolving, but [they] are not a magic bullet and cannot replace training and building a culture of security.”
Many perceive PCI compliance as a hassle. “[Merchants] are required to complete PCI self-assessment questionnaires that can be tedious and technical, and some are required to conduct network vulnerability scans,” Zimmerman explains. Consequently, merchants become focused on completing those “detailed tasks and can lose sight of how they help them avoid costly data breaches.”
What are merchants’ attitudes toward EMV implementation?
Not all value the standard. Some merchants truly understand the importance, says Zimmerman, but others—especially restaurants, which are not as concerned with chargebacks—do not “appreciate what EMV’s trying to do.” In addition, some merchants are more concerned with accepting the latest technology rather than having updated security features. “The terminal that supports EMV [also] supports Apple Pay, and they get a two-for-one,” he says.
Cost is a deterrent for many. “Smaller card-present merchants in the United States have largely looked to their acquirers, gateways, and POS providers to provide them with EMV solutions,” says Pfanstiel. “For many merchants, however, card-present counterfeit fraud liability isn’t cost-justified, and they are still focusing on improved security or reducing fraud in card-not-present channels.”
What are some specific concerns that keep your e-commerce customers up at night?
“Tuning” and multichannel commerce. “Tuning” is an anti-fraud service and a “major concern and pain point for merchants. It can be a nightmare to understand, and it is almost guaranteed that revenue will suffer until they’ve got the anti-fraud knobs tuned properly for the specifics of their business,” Baker explains. Merchants fear losing customers if legitimate transactions are declined and “need to be reassured that the payments and fraud detection services … can be customized to fit their business.”
The other chief concern, says Baker, is security when selling via social media, marketplaces, mobile channels, and voice command. “They’re wondering what payments and data security measures are in place, and are concerned about how they are—or aren’t—covered when commerce becomes more decentralized,” he says.
E-commerce sites being used to validate card numbers. Fraudsters “will go out and buy a batch of 20,000 card numbers on the dark web, and they will just start running them through,” Robb explains. As a result, the merchant incurs a fee every time an authentication is performed. In addition to the costs, operations can be significantly affected, too, according to Robb. “Card fraud through checking for valid numbers can [prevent] legitimate purchases from being able to even get passed through the system.”
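The card-testing pattern Robb describes (a batch of stolen numbers pushed through a checkout to see which ones are live) leaves a recognizable trace in authorization logs: one source producing many attempts, across many distinct cards, at small amounts, with a low approval rate. The following is an added example written for this page, not code from Transaction Trends, ControlScan, or any vendor quoted above. The log format, field names, and the thresholds (`window`, `min_attempts`, `min_distinct_cards`, `max_approval_ratio`) are assumptions; the thresholds are exactly the kind of anti-fraud “knobs” Baker says merchants must tune to their own traffic, so they should be calibrated against a merchant’s normal checkout behaviour rather than taken as given.

```python
"""
Flagging card-testing traffic in e-commerce authorization logs.

Added illustration only: not the article's, ControlScan's or BigCommerce's
code. Log format, field names and thresholds are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one authorization attempt per line.
# Assumed format: ISO-8601 UTC timestamp | source IP | card token | amount | result
# The first source sends ten $1.00 attempts on ten different cards in ten
# seconds with two approvals: the signature of a validation run. The other two
# sources look like ordinary shoppers (one retrying a single card, one purchase).
SAMPLE_LOG = """\
2023-04-01T10:00:01Z|203.0.113.7|tok_a1|1.00|DECLINED
2023-04-01T10:00:02Z|203.0.113.7|tok_a2|1.00|DECLINED
2023-04-01T10:00:03Z|203.0.113.7|tok_a3|1.00|APPROVED
2023-04-01T10:00:04Z|203.0.113.7|tok_a4|1.00|DECLINED
2023-04-01T10:00:05Z|203.0.113.7|tok_a5|1.00|DECLINED
2023-04-01T10:00:06Z|203.0.113.7|tok_a6|1.00|DECLINED
2023-04-01T10:00:07Z|203.0.113.7|tok_a7|1.00|DECLINED
2023-04-01T10:00:08Z|203.0.113.7|tok_a8|1.00|APPROVED
2023-04-01T10:00:09Z|203.0.113.7|tok_a9|1.00|DECLINED
2023-04-01T10:00:10Z|203.0.113.7|tok_a10|1.00|DECLINED
2023-04-01T10:05:00Z|198.51.100.4|tok_b1|49.99|APPROVED
2023-04-01T10:06:00Z|198.51.100.4|tok_b1|49.99|DECLINED
2023-04-01T10:07:00Z|198.51.100.4|tok_b1|49.99|APPROVED
2023-04-01T11:30:00Z|192.0.2.9|tok_c1|120.00|APPROVED
"""


def parse_log(text):
    """Parse the pipe-delimited log into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, card, amount, result = line.split("|")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "card": card,          # tokenized card reference, never the PAN
            "amount": float(amount),
            "result": result,
        })
    return records


def find_card_testing(records, window=timedelta(minutes=5), min_attempts=8,
                      min_distinct_cards=6, max_approval_ratio=0.4):
    """
    Sliding-window velocity check per source IP. A source is flagged when,
    within `window`, it made at least `min_attempts` authorizations across at
    least `min_distinct_cards` different cards with an approval ratio at or
    below `max_approval_ratio`. Returns {ip: stats} for the largest such window.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rows)):
            # Advance the window start until it spans at most `window`.
            while rows[end]["ts"] - rows[start]["ts"] > window:
                start += 1
            win = rows[start:end + 1]
            if len(win) < min_attempts:
                continue
            cards = {r["card"] for r in win}
            approved = sum(1 for r in win if r["result"] == "APPROVED")
            ratio = approved / len(win)
            if len(cards) >= min_distinct_cards and ratio <= max_approval_ratio:
                stats = {
                    "attempts": len(win),
                    "distinct_cards": len(cards),
                    "approval_ratio": round(ratio, 2),
                    "avg_amount": round(sum(r["amount"] for r in win) / len(win), 2),
                }
                if ip not in flagged or stats["attempts"] > flagged[ip]["attempts"]:
                    flagged[ip] = stats
    return flagged


if __name__ == "__main__":
    for ip, stats in find_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"possible card testing from {ip}: {stats}")
```

Keying on source IP is the simplest choice and the easiest for an attacker to vary; in practice the same check is run on session, device fingerprint, or BIN as well, and a flagged source is throttled or routed to step-up verification rather than blocked outright, so that a legitimate customer retrying one card (as 198.51.100.4 does above) is not caught. Each attempt the check prevents is also one fewer authorization fee of the kind Robb describes.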
Any advice for the payments community?
Be transparent about resource commitment and liability. Payment providers need to be “proactive and transparent” in their discussions with merchants regarding how much time merchants “will spend manually validating purchases as opposed to the payment or anti-fraud provider automating that process,” says Baker. “Merchants are serious about security,” but they need to know how to balance resources for other business priorities.
Similar candor is needed when payment providers discuss “liability for fraud once a payment or fraud detection partner greenlights” a card-not-present transaction, adds Baker, who describes merchant confusion and surprise over chargebacks in such a situation, coupled with increased pressure from merchant banks to secure their e-commerce solutions. “As an example, certified PCI DSS compliance of an e-commerce platform by a qualified auditor used to be sufficient to prove a secure e-commerce platform and, according to the standard, it still should be,” he explains. “However, many merchant banks are now requiring their merchants to have their own security testing of the e-commerce provider beyond that compliance. The potential for conflicts between security testers adds a new layer of stress on the merchant.”
Educate on “bad behavior.” The genesis of many POS compromises is “people doing things on the system that they probably shouldn’t, like surfing the internet or reading their email and opening a document,” says Phil Agcaoili, senior vice president and chief information security officer at Elavon, a payment processor and acquirer. “Some of the more general-purpose POS systems have been run off of Linux or Windows environments, and so those are just as susceptible as an end-user’s laptop in a compromise.”
Keep an eye on merchants with multiple locations and franchises. These types of merchants have inherent weakness because “they’re smaller entities and have a lot more satellite stores,” Agcaoili continues. “The franchising side of the house is where a lot of the challenges are,” because they lack standardization. “My message is the more standardization happens, the better likelihood of [the merchant] staying secure and avoiding a breach. A lot of companies that standardize … follow enterprise-wide standards and policy. Those traditions tend to [create] a uniform security posture.”
Help them take ownership. “Acquirer security programs should include an element of risk analysis, not simply strict compliance-based objectives,” says Pfanstiel. By interweaving discussions of risk with concepts such as interchange and fraud, for example, merchants are reminded that they are “ultimately responsible for securing their environment, which helps them to take ownership of this important role.”
Josephine Rossi is editor of Transaction Trends. Reach her at [email protected]. Ed McKinley contributed reporting to this article.