February 9th, 2022 by Admin

John Stewart
January 17, 2022
https://www.digitaltransactions.net/trends-like-open-banking-and-bnpl-will-sustain-e-commerces-hot-streak-a-report-says/

Open banking, single-click checkout wallets, and the hot buy now, pay later trend will all help drive e-commerce volume worldwide in the coming five years, predicts Juniper Research in a report released Monday. This momentum is likely to push online sales long after the short-term impetus from the pandemic subsides, Juniper says.

E-commerce volume totaled $4.9 trillion globally in 2021, a figure the United Kingdom-based research firm forecasts will reach $7.5 trillion in 2026, when China will control a 37% share. Wider availability of multiple e-commerce channels, including mobile devices, will propel the overall growth worldwide, Juniper says. But along with the boom in e-commerce will come a corresponding growth in fraud via identity theft, account takeovers, and fraudulent chargebacks, the report warns. China, for example, will account for more than 40% of fraud losses worldwide in 2025, at more than $12 billion, Juniper forecasts.

Open banking is a trend by which fintechs can verify balances in consumers’ accounts and transfer funds to pay for online purchases. As standards bodies work to promulgate standards for this business, e-commerce payment providers “should … partner with specialists in … specific emerging payment areas to keep pace with changing merchant expectations around acceptance types,” the research firm says in its release, referring to digital wallets and crypto as well as open banking.

Open banking has taken on a higher profile in the global payments market with efforts by both of the global card networks to acquire firms that specialize in this area. Visa Inc. has acquired Tink AB, while Mastercard Inc. bought Aiia and Finicity Corp.

Physical goods will continue to dominate e-commerce spending, the report says, accounting for 82% of payment value by 2026. To tap into the trend, Juniper advises, payments providers should support buy now, pay later plans, which allow consumers to split purchases into four equal installments paid over a six-week period at no interest. BNPL is becoming more controversial, however, as the Consumer Financial Protection Bureau has launched an investigation of the option and as reports emerge that consumers with multiple accounts are more likely to miss a payment.

E-commerce remains a big trend, but U.S. online sales cooled significantly last year as the pandemic effect lost some of its force. Third-quarter sales in 2021 reached $214.6 billion, up 6.6% year-over-year, according to the Census Bureau, which tracks retail sales. That follows an 8.9% rise in the second quarter and three straight quarters with increases of 32% or more. Fourth-quarter 2021 results are not yet available.


October 8th, 2014 by Elma Jane

When the PCI Security Standards Council (PCI SSC) brought PCI DSS v3.0 into effect in January 2014, businesses were given one year in which they could still validate against v2.0 before the updated global standard became mandatory. Now that the deadline is fast approaching, interest is picking up in what v3.0 entails. On Jan. 1, 2015, version 3.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) becomes the only version in force and reaches year one of its three-year lifecycle.

Trustwave, a global data security firm, is on the frontlines of helping secure the networks of merchants and other businesses on the electronic payments value chain against data breaches. As an approved scanning vendor, Trustwave is used by businesses to achieve and validate PCI DSS compliance.

PCI DSS v3.0 is business as usual for the most part, except for a few changes from v2.0 that Trustwave considers impactful for large swaths of merchants. The top three changes involve e-commerce businesses that redirect consumers to third-party payment providers, the expansion of penetration testing requirements, and the data security responsibilities of third-party service providers.

Penetration testing

Penetration testing is the way in which merchants assess the security of their networks by acting as an attacker would and probing networks for weaknesses. V3.0 of the PCI DSS (Requirement 11.3) mandates that merchants follow a formal, industry-accepted methodology in conducting penetration tests, and that methodology goes well beyond what merchants can accomplish by running off-the-shelf penetration testing or vulnerability scanning software and filing the report.

Merchants that are self assessing and using such software are going to be surprised by the rigorous new methodology they are now expected to follow.

Additionally, the penetration testing requirements in v3.0 raise the compliance bar for small merchants who self assess. Under v2.0, those merchants could lower the scope of their compliance responsibilities by segmenting their networks, which essentially walls off the cardholder data environment from the larger network. In this way merchants could reduce their compliance burdens and not have to undergo penetration testing.

Not so in v3.0. If you do something to try to reduce the scope of the PCI DSS to your systems, you now need to perform a penetration test that proves those boundaries are in fact rigid: that nothing in the out-of-scope segments can reach the systems that store, process or transmit cardholder data.
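A segmentation test of the kind v3.0 asks for comes down to a simple question: from a host that is supposed to be out of scope, does anything in the cardholder data environment answer? The following is an added example written for this article, not Trustwave's tooling or anything from the PCI SSC. It probes a list of CDE addresses and ports over TCP from wherever it is run and treats any answer at all, including a connection refusal, as evidence that the boundary is not rigid, since a refusal still proves the packets got through. The CDE addresses in the usage section are placeholders, and a real 11.3.4 test would also cover UDP and ICMP, which this example does not.

```python
"""Segmentation probe: run from an out-of-scope segment against documented
CDE targets. Added example for the article above; not official PCI SSC or
Trustwave code. Target addresses below are assumptions."""
from __future__ import annotations

import socket
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    state: str    # "open", "closed" or "filtered"
    detail: str


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> ProbeResult:
    """Attempt a TCP handshake with one CDE (host, port)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(host, port, "open", "TCP handshake completed")
    except ConnectionRefusedError:
        # An RST means the CDE host is reachable at layer 3 even though
        # nothing listens on this port: the boundary let our packets in.
        return ProbeResult(host, port, "closed", "RST received: host reachable, no listener")
    except (socket.timeout, TimeoutError):
        return ProbeResult(host, port, "filtered", "no response before timeout")
    except OSError as exc:
        # e.g. "Network is unreachable": no path from here into the CDE.
        return ProbeResult(host, port, "filtered", f"no route: {exc.strerror or exc}")


def probe_targets(targets: Iterable[tuple[str, int]], timeout: float = 2.0) -> list[ProbeResult]:
    return [tcp_probe(host, port, timeout) for host, port in targets]


def summarize(results: Iterable[ProbeResult]) -> dict[str, list[ProbeResult]]:
    """Group results by state so the report shows what answered and how."""
    by_state: dict[str, list[ProbeResult]] = defaultdict(list)
    for r in results:
        by_state[r.state].append(r)
    return dict(by_state)


def segmentation_holds(results: Iterable[ProbeResult]) -> bool:
    """The boundary is rigid only if every probe was filtered. 'closed' is a
    failure too: packets from the out-of-scope segment reached a CDE host."""
    return all(r.state == "filtered" for r in results)


def local_demo() -> tuple[ProbeResult, ProbeResult]:
    """Constructed demonstration on loopback: probe a port that is listening
    (reads 'open'), then the same port after the listener is gone ('closed')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        open_result = tcp_probe("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()
    closed_result = tcp_probe("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    # Assumed CDE inventory; replace with the addresses from the scoping document.
    CDE_TARGETS = [("10.10.20.11", 443), ("10.10.20.12", 1433), ("10.10.20.13", 22)]
    results = probe_targets(CDE_TARGETS)
    for r in results:
        print(f"{r.host}:{r.port:<5} {r.state:<8} {r.detail}")
    print("segmentation holds" if segmentation_holds(results) else "SEGMENTATION FAILURE")
```

Run it from each segment you claim is out of scope, not just one, and keep the output with the scoping documentation: the point of the v3.0 change is that the claim "this network is walled off" now has to be backed by evidence.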

Redirecting merchants

The new redirect mandate affects some, but not all, e-commerce merchants that redirect customers to a third party to collect payment details, typically when the customer is ready to pay for online purchases. If you are a customer on a website and you add something to your shopping cart, then when it comes time to enter your credit card the redirect says, in effect, "I'm going to send you off to this third party."

The redirect can come in several forms. It can be a direct link from the e-commerce merchant’s website to another website, such as in a PayPal Inc. scenario, or it can be done more silently.

An example of the silent method is the use of an iframe, HTML code used to display one website within another website. Real estate on the merchant's website is used by the third party in such a way that consumers don't even know that the payment details they input are being collected and processed not by the e-commerce site but by the third party.

Another redirect strategy is accomplished via pop-up windows for the collection of payments in such environments as online or mobile games. In-game pop-up windows are typically used to get gamers to pay a little money to purchase an enhancement to their gaming avatars or advance to the next level of game activity.

For merchants that employ these types of redirect strategies, PCI DSS v3.0 makes compliance much more complicated. In v2.0, such merchants that opted to take Self Assessment Questionnaires (SAQs), in lieu of undergoing on-site data security assessments, had to fill out the shortest of the eight SAQs, SAQ A. In v3.0, redirect merchants whose own web pages deliver any of the elements of the payment page, for example a form that posts directly to the processor or JavaScript that builds the card form, have to take the second-longest SAQ, the new SAQ A-EP, which entails over 100 security controls. Merchants whose entire payment page is a full redirect or an iframe served wholly by a PCI DSS compliant third party can still use SAQ A, so the first step for any redirect merchant is to establish exactly who delivers the code that collects the card data.

The PCI SSC made this change because of the steady uptick in the number and severity of e-commerce breaches, with hackers zeroing in on weaknesses in redirect strategies to steal cardholder data: if an attacker can change the merchant's page, he can change where the redirect goes or what the payment frame contains, without ever touching the third party. Redirecting merchants may therefore be putting themselves into greater data breach jeopardy when they believe that third-party payment providers on the receiving end of redirects are reducing merchants' compliance responsibilities, when that may not, in fact, be the case.
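Whether a redirect keeps cardholder data out of the merchant's systems can be checked from the checkout page itself: who serves the payment frame, where any form with card fields posts, and which third-party scripts are in a position to rewrite either. The following is an added example written for this article, not code from Trustwave or from any PCI SSC guidance. It parses a constructed checkout page and reports an iframe not served by an approved provider, a form whose card fields post back to the merchant's own origin (which means cardholder data enters merchant systems and this is not a redirect at all), and scripts from origins that are neither the merchant nor an approved provider. The domains, the approved-provider list and the card-field name hints are all assumptions.

```python
"""Checkout page redirect audit. Added example for the article above, not
PCI SSC or Trustwave code. Sample page, domains and field hints are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic substrings that suggest an input collects card data (assumption).
CARD_FIELD_HINTS = ("cc-", "card", "pan", "cvv", "cvc", "expir")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    element: str    # "iframe", "form" or "script"
    target: str
    reason: str


def _origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class _CheckoutParser(HTMLParser):
    """Collects payment frames, forms with card fields, and external scripts."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.iframes: list[str] = []
        self.scripts: list[str] = []
        self.forms: list[dict] = []
        self._form: dict | None = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(urljoin(self.page_url, a["src"]))
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.page_url, a["src"]))
        elif tag == "form":
            # No action attribute means the form posts to the page's own URL.
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""), "card_fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            label = " ".join(filter(None, (a.get("name"), a.get("id"), a.get("autocomplete")))).lower()
            if any(hint in label for hint in CARD_FIELD_HINTS):
                self._form["card_fields"].append(a.get("name") or a.get("id") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_checkout_page(html: str, page_url: str, allowed_payment_origins: set[str]) -> list[Finding]:
    merchant_origin = _origin(page_url)
    allowed = {o.lower() for o in allowed_payment_origins}
    parser = _CheckoutParser(page_url)
    parser.feed(html)
    findings: list[Finding] = []
    for src in parser.iframes:
        if urlsplit(src).scheme != "https":
            findings.append(Finding("high", "iframe", src, "payment frame not served over TLS"))
        elif _origin(src) not in allowed:
            findings.append(Finding("high", "iframe", src, "payment frame sourced from an unapproved origin"))
    for form in parser.forms:
        if not form["card_fields"]:
            continue
        origin = _origin(form["action"])
        if origin == merchant_origin:
            findings.append(Finding("high", "form", form["action"],
                f"card fields {form['card_fields']} post to the merchant's own origin: not a redirect, full scope"))
        elif origin not in allowed:
            findings.append(Finding("high", "form", form["action"],
                f"card fields {form['card_fields']} post to an unapproved third party"))
    for src in parser.scripts:
        origin = _origin(src)
        if origin != merchant_origin and origin not in allowed:
            findings.append(Finding("medium", "script", src,
                "third-party script on the checkout page can rewrite the redirect or read card fields"))
    return findings


# Constructed sample: one approved hosted-form iframe, one injected foreign
# script, and a leftover fallback form that posts card data to the merchant.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
APPROVED_PSP_ORIGINS = {"https://pay.psp.example"}
SAMPLE_CHECKOUT_HTML = """
<html><body>
  <script src="/static/cart.js"></script>
  <iframe src="https://pay.psp.example/hosted-form?session=abc123"></iframe>
  <script src="https://static.unknown-cdn.example/analytics.js"></script>
  <form action="/legacy-pay" method="post">
    <input name="card_number" autocomplete="cc-number">
    <input name="cvv">
    <input name="email">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_checkout_page(SAMPLE_CHECKOUT_HTML, SAMPLE_PAGE_URL, APPROVED_PSP_ORIGINS):
        print(f"[{f.severity}] {f.element}: {f.target} -> {f.reason}")
```

The script finding is the one that matters for the v3.0 change: a page that only embeds an approved iframe still depends on every script that runs alongside it, which is why the merchant's page, and not just the provider's, remains part of the assessment.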

Service providers

A service provider is any entity that stores, processes or transmits payment card data on a merchant's behalf. Examples include gateways, web hosting companies, back-up facilities and call centers. The update to the standard directs service providers to state clearly in writing which PCI DSS requirements they are addressing and which areas of the PCI DSS remain the responsibility of the merchant.

A web hosting company may tell a merchant that the hosting company is PCI compliant, and the merchant concludes that there is nothing left to do. The reality is that there is always something a merchant still needs to do; merchants just didn't always recognize what that was.

In v3.0, service providers, specifically value-added resellers (VARs), also need to use a unique authentication credential for each of their merchants, as well as two-factor authentication, in order to remotely access the networks of those merchants. VARs often employ weak passwords or use one password to access multiple networks, which makes it easier for fraudsters to breach multiple systems once a single credential is compromised.

The PCI SSC is trying to at least make it more difficult for the bad guys to break into one site and then move to the hub, so to speak, and then go to all the other different spokes with the same attack.

Overall, v3.0 is more granular by more accurately matching appropriate security controls to specific types of merchants, even though the approach may add complexity to merchants’ compliance obligations. On the whole a lot of these changes are very positive.

