October 13th, 2014 by Elma Jane

Non-cash payment volumes are expected to increase by nearly 10 percent to reach 366 billion transactions in 2013, fueled by strong growth in developing markets and mobile payments.

Overall, more than half of global non-cash payment growth comes from developing countries, even though they make up only one quarter of the market at 93 billion transactions. China remains a relatively underdeveloped market for non-cash transactions, but its population and growth rate suggest that, under certain conditions, it could outstrip the US and the Euro-zone within the next five years.

China is one to watch over the coming years, with the report showing that if growth rates remain at the current high level, it could become the largest market for non-cash transactions within just five years. These soaring growth rates in key markets put pressure on the global payments arena to innovate to meet rapidly increasing consumer demand.

Increased use of tablets and smartphones is creating a convergence of e- and m-payments, posing new challenges for Payments Services Providers (PSPs). In 2015, m-payments are projected to grow at 60.8% while e-payments growth is forecast to decelerate to 15.9% annually over the next year, as more people use mobile devices to make payments.

This trend is adding to the pressure on PSPs to modernize their payments processing infrastructures, ideally based around a single integrated payments platform for corporate and retail payments and a central hub.

The growth of the industry, coupled with the fast pace of new regulation, requires PSPs to be flexible enough to adapt. Initiatives such as real-time payments, pressure on card interchange fees and improved payments governance are examples of cascading regulation.

Posted in Best Practices for Merchants

May 5th, 2014 by Elma Jane

The Payment Card Industry (PCI) Data Security Standard (DSS) has come under criticism as high-profile data breaches continue to expose flaws in retailers’ data security systems. But telecommunications firm Verizon Wireless concluded that the PCI DSS is working.

Some Responses to Criticisms

Nilson Report research from August 2013 said card fraud cost the global payments market over $11 billion in 2012. Verizon added that the frequency of fraud schemes that the PCI DSS was designed to avoid is in fact growing. And yet most businesses are not fully compliant at the time of assessment. Only 51.1 percent of the companies it had audited had passed seven of the 12 requirements of the PCI DSS and only 11.1 percent of said companies had passed all 12.

Verizon addressed some of the criticisms leveled at the PCI DSS. One concern is that the standard promotes compliance as a test to be passed and forgotten, which distracts companies from focusing on improving security. Verizon responded by stating that breached businesses were less likely to be PCI DSS compliant than unaffected companies. It also said businesses improve their chances of not being breached by having the standard in place, and of minimizing the damage of a breach should one occur.

Another common complaint leveled at the standard is that it is too cumbersome and slow moving in relation to the quickly evolving threat landscape and nimble fraudsters ready to try new tactics. Verizon countered that the PCI DSS is meant to be a set of baseline security protocols. Achieving compliance with any standard is simply not enough; organizations must take responsibility for protecting both their reputation and their customers. Most attacks on networks are of the simple variety, with 78 percent of hacking techniques considered low or very low in sophistication. Data Breach Investigations Report (DBIR) research shows that while perpetrators are upping the ante, trying new techniques and leveraging far greater resources, less than 1 percent of the breaches use tactics rated as high on the VERIS (Verizon’s Data breach Analysis Database) difficulty scale for initial compromise.

Recommendations

There’s an initial dip in compliance whenever a major update to the standard is released, so organizations will have to put in additional effort to prepare for achieving compliance with DSS 3.0.

The newest version of the standard, PCI DSS 3.0, went into effect Jan. 1, 2014. Businesses have until Jan. 1, 2015, to implement it. The updated standard has new requirements and clarifications to version 2.0 that will take time for businesses to understand and implement, and this will result in more organizations being out of compliance.

To help businesses deal with their PCI DSS compliance obligations, the firm offered five approaches:

Don’t leave compliance to information technology security teams alone; enlist application developers, system administrators, executives and other staff to help move the process along.

Embed compliance in everyday business practices so that it is sustainable.

Integrate compliance programs into enterprise-wide governance, risk and compliance strategies.

Learn how to reduce the scope of organizations’ compliance responsibilities, chiefly by figuring out how to store less data on fewer systems.

Think of compliance as an opportunity to improve overall business processes, rather than as a burden.

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, Electronic Payments, Payment Card Industry PCI Security, Visa MasterCard American Express