Securing Consumer Transactions
Major data breaches among big box retailers, large banks and other consumer outlets continue to make news. As a result, more secure consumer payment methods are popping up.
Yet, the critical question remains: Will emerging technologies — from “chip-and-PIN” credit cards to Apple Pay, Google Wallet and other products — stem the data risk tide? And, will there be a front runner among the group?
Will there be a single payment system that can give both retailers and their customers a sense of security that is currently nonexistent?
It’s much too early to tell, experts said. The main challenge now may be sorting through the various technological options — in addition to the potential cost and difficulty of implementing a new standard system.
For example, some large retailers such as Wal-Mart, Rite Aid and CVS announced they would not accept Apple Pay, which uses the iPhone and major credit cards as its “touchless” payment delivery system. Instead, those large retailers and others are planning to use an alternative e-payment technology, called CurrentC, which bypasses major credit cards completely.
The retailers favor that system because it eliminates the transaction fees charged by credit card companies to retailers.
According to Aaron Press, director of e-commerce and risk solutions at LexisNexis Risk Solutions in Dallas, each of the various mobile wallet systems has its own advantages.
VIDEO: A report on CBS This Morning notes that the U.S. lags far behind the rest of the world in adoption of chip-and-PIN cards. The main reason? The $8 billion cost to replace the point-of-sale hardware.
One key benefit of systems such as Apple Pay and CurrentC, he said, is that they do not pass actual card data to the merchant, so there is no account information either in storage or in transit that can be compromised.
“If the wallet systems are secure, then consumers benefit from not sharing their payment credentials with merchants,” he said.
“This means that even in the event of a breach, the consumer will not have to worry about their information being stolen and dealing with the hassle of disputing fraudulent charges or receiving new account numbers.”
Press noted that it is not yet clear whether Apple Pay or CurrentC will be vulnerable to fraudulent use.
E-wallet providers must ensure that the credentials being provisioned and used actually belong to the consumer attempting to use them, and that the applications, processes and infrastructure are secure, he said.
The biometrics used with the Apple Pay process are helpful, but not a panacea.
David Katz, leader of the privacy and information security practice group in the Atlanta office of law firm Nelson Mullins, said Apple Pay’s biometric Touch ID technology makes it “difficult for a thief or imposter to use an iPhone to complete transactions fraudulently.”
“Consumers whose phones are stolen or misplaced can easily use the ‘Find my iPhone’ feature to suspend all payments,” he said.
However, he added, with 800 million credit cards on file — not to mention the new wearable fitness trackers that contain large amounts of health data — Apple may have succeeded in making itself a prime target.
“Apple Pay does represent a security improvement over today’s magnetic stripe credit card architecture since the former requires stealing a victim’s phone and successfully duplicating a fingerprint to commit fraudulent transactions,” said Paco Hope, principal consultant at security consulting firm Cigital, in Dulles, Va.
Apple Pay also includes architecture (such as proxy numbers instead of account numbers) that contributes additional security, he said.
Russ Spitler, vice president of product management at Alien Vault, a security provider in San Mateo, Calif., called Apple Pay a “major move” for the payment industry.
While the underlying technology is not new, Apple has the market share and consumer buy-in to make it popular, he said. Shifts in payment technology are driven by consumer demand, not retailer preference.
“In the past, Apple has proven it can manage private data very responsibly — they take encryption seriously and implement it well,” Spitler said.
“They are still prone to attacks against their users such as the recent iCloud issues — but they are working to add more features to help safeguard even in that situation.
“With Apple Pay, I am hopeful we will turn the corner on the horrible status quo of credit cards,” he said.
Because the U.S. adopted credit cards faster than they spread across Europe, Spitler said, the infrastructure in the U.S. is mostly antiquated but deeply entrenched, such as the point-of-sale (POS) systems reliant on magnetic stripe technology.
Moving past that to new Europay, MasterCard and Visa (EMV)-based credit cards (also referred to as chip-and-PIN, chip-and-signature, chip-and-choice, or generally as chip technology) will require a major retrofit of a very distributed payment system that’s been in use for a long period of time, he said.
EMV is a global standard for interoperation of integrated circuit cards (IC cards or “chip cards”) and IC card-capable POS terminals and ATMs, for authenticating credit and debit card transactions.
EMV also supports dynamic authentication (numbers change with each transaction), which means a cardholder’s data is more secure on a chip-enabled payment card than on a magnetic stripe card, and is much more difficult to copy or counterfeit.
“Each corner store will have to invest in new technology at great cost to themselves and without any demand from the consumer; that’s a really difficult request to make of a small business,” Spitler said.
“Magnetic stripe technology makes it dirt simple to clone a card once you have the electronic data associated with it,” he added.
However, he said, the use of chip/PIN technology does not guarantee the long-term elimination of risk.
“Even if the world magically adopted chip-and-PIN technology overnight, hackers would simply try to find a new way to turn card data into money,” Spitler said.
Mike VanDenBerg, a managing director in KPMG’s cyber services and information protection practice, said it’s well documented that fraud and loss levels are lower in Europe than in the U.S.
“It’s not perfect there, but it’s better. There were many more barriers to the adoption in the U.S., mainly the high cost and disruption of replacing the aging POS equipment necessary to adopt chip-and-PIN-type solutions,” he said.
VanDenBerg said the ripple effect of the latest round of data breaches started in earnest around 2013, and served as a major wake-up call, not just for retailers but for any business that allowed payment with a magnetic swipe credit card.
Unfortunately, when you factor in budget cycles for new equipment, priorities had already been set in 2013 for the following year. As a result, planning and positioning for 2015 have just begun.
“The first big adjustments on these fundamental problems from a security standpoint are starting to take place right now,” he said. “Plus, they also must be able to connect to Apple Pay and other wireless payment platforms.”
VanDenBerg noted that merchants have to install replacement platforms at all levels, including both hardware and software — a very expensive undertaking. And while there is no mandate to move to EMV-based solutions (no laws or regulations demanding it), merchants and retailers understand that they need to move to the next level when it comes to data security at point of sale. After all, how many more data scandals do we need to see to trigger a broader consumer backlash?
“It’s not an end game, nor a silver bullet, but the new credit card platforms are definitely more secure than the current magnetic stripe cards,” he said.
From a risk management perspective, he said, retailers will need to turn the “old stuff off” as they roll out the new POS platforms. So while they are sun-setting systems that are no longer needed, the risk still remains as long as they are in operation. In fact, businesses should be very careful prior to the transfer.
“If it takes two or three years to move from one technology to another, the old platforms may even get less secure because they will receive less scrutiny in terms of updates, patches, etc.,” he said. “That can’t be ignored.”
Anyone putting consumer data at risk by accepting credit cards must engage in the risk management and security conversation and bring it to the forefront of the business.
“Ten years ago, security was in the background, outside the building. Five years ago, it was in the lobby and three years ago, it was moving up even more. Today, it finally has a seat at the table,” he said. “I think we will see significant momentum a year or two from now when it comes to credit cards equipped with chip-and-PIN-type solutions.”
Cigital’s Hope said that payment networks are introducing risk management beyond today’s process of simply accepting or denying charges. Contactless payment systems deployed in the UK, for example, usually are dependent upon a variety of limits on total amount, number of transactions and transactions per time period.
“This is what it looks like when modern risk management meets the retail experience: the strength of the security measures in place,” he said. “Retail customer data in the future will be much more carefully protected using similar designs.”
Regardless of what type of payment system is used, all businesses should have cyber insurance, even though many companies still don’t believe they are likely targets, said Collin Hite, who leads the insurance recovery group at Hirschler Fleischer in Richmond, Va.
The first party aspects of such coverage can be critical to a business since the insurance pays for forensic investigation and re-securing the network, in the event of a data breach, he said.
“This is typically the largest cost — not the actual loss of information of the consumers,” he said.
“While we know the Fortune 500 to 1,000 are considering specific cyber coverage, middle-market businesses need to understand that they are as vulnerable as the ‘big boys,’ ” he said.
Craig Young, a mobile security researcher for Tripwire, in Portland, Ore., said the best risk management strategy is to move to the next technology as quickly as possible.
“The ancient swipe and sign technology that dominates American retail is long overdue for a funeral,” he said. “For years, credit cards have been low-hanging fruit for thieves with a variety of techniques to steal card data, reproduce cards and start spending.”
LexisNexis’ Press added that it’s way too early to declare a front runner in mobile payments, and that magnetic stripe cards will be around for several more years.
“There is no security salvation or fraud magic bullet, but many of the new technologies offer a lot of promise,” Press said. “EMV will drastically improve POS security and reduce counterfeit fraud. Biometrics is a promising option for identity verification.”
But, he warned, new technologies open the window to new problems.
“Companies need to evaluate the risks and benefits of adding any new commerce technology or channel to their environment,” Press said.
Workplace Regulations Increase
The National Labor Relations Board surprised virtually no one when it issued a trio of pro-employee decisions as 2014 drew to a close, according to employment-law experts.
But a coalition representing an array of industry sectors and businesses filed suit in the U.S. District Court for the District of Columbia to stop the NLRB from moving forward with its “ambush-elections” rule, which it issued on Dec. 12. It’s anyone’s guess what the outcome will be.
In each of the board’s decisions — regarding employee use of company email for union organizing; the NLRB’s so-called “quickie-election” rule; and the changing standard for deferral to arbitration awards — the board basically told affected employers they will have to adjust to the enhanced union organizing efforts within their workforces.
Steve Bernstein, a partner in the Tampa, Fla., office of Fisher & Phillips, said the email decision was “seven years in the making,” with labor unions working to get a Bush administration NLRB rule overturned since the day President Barack Obama took office.
“This decision is the culmination of those efforts,” Bernstein said.
Patrick Muldowney, a partner at Baker Hostetler in Orlando, Fla., said the main takeaway on that decision is that employers are losing even more control over what occurs in their workplaces, including the ability to enforce their email policies.
Muldowney said employers must tread carefully when reviewing or even becoming aware of employees’ emails, especially regarding employee discipline. They need to know if an email is an exercise of Section 7 rights.
As for the NLRB’s “quickie election” rule that goes into effect on April 14, some legal experts said that reducing the time between the filing of a petition and a union election denies employers an adequate chance to stage an anti-union campaign prior to employee voting.
The average time for the election process is now somewhere between 38 and 42 days, experts said. The new rule can drop that number to as few as 10 or 20 days, which, critics contend, creates an “ambush-election” scenario — and is a serious setback for employers trying to respond to worker demands and union promises.
The third key decision gives the NLRB more discretion in deferring to arbitration procedures and awards for employees alleging they suffered retaliation or reprisal for engaging in union and/or protected concerted activity, in violation of the National Labor Relations Act.
“The standard used to be deferring to an arbitration award when it wasn’t clearly repugnant to the NLRA,” Muldowney said. “You might say this gives an employee another bite at the apple if they are not happy with an arbitration outcome. The board has said it no longer needs to automatically defer to arbitration decisions.”
Youth Will Be Served
The writer Oscar Wilde once said, “Youth is wasted upon the young.”
While Wilde was making an interesting philosophical point, his words do not apply to the crop of the Risk & Insurance® Under 40 Power Broker® finalists and winners for 2015.
To a person, our Power Broker® Under 40 designees demonstrated that when it comes to succeeding in the commercial insurance business, age is a minor hurdle. Some went to law school; others came from undergraduate internship programs. One even took a temp job that morphed into a permanent position as a successful broker.
Across the board, the group didn’t let age limit their success. The women among the group encountered the dual challenge of age and gender … in a business not historically known for its youth or its openness to women, though those issues are fading with each passing year.
Allison Barrett, 34, a Power Broker® winner in Financial Services, graduated from law school and became a legislative aide in Washington, D.C., before landing in the insurance business. Today, Barrett, a senior vice president in Willis’ New York City office, specializes in financial services.
“Insurance chose me, you might say. I wanted to come back to New York so I reached out to a friend working on the operations side at Marsh,” she said. “I went in not knowing much or having high expectations.”
She hasn’t looked back, saying she now “loves” the business to the point of being a “fanatic about what I do.”
Falling into a Career
Kimberly Mann, 26, a Power Broker® winner in the Environmental category, from Marsh’s Philadelphia office, said like many others, she fell into her insurance career.
Specifically, Mann started as a temp employee in Marsh’s filing department, working for six months before moving to the more high-potential broker side. Within a month, she interviewed in the environmental practice and found her niche.
“I was absolutely drawn to the breadth of clients at Marsh, the different industries and the practices within Marsh,” she said. “Some of the people I work with have been here for 20-plus years and started out doing what I am doing, and that is a good sign.”
Even with the industry-wide understanding of the need to bring more young people into commercial insurance, she said, she still senses the immediate perception of her age when entering a room to meet a client.
“Some might look at me as if to say, ‘OK, where is my adviser, my senior adviser?’ It can be a challenge, but once they see you doing your job well, it becomes a non-issue.”
Tiffany Davis, 36, a Power Broker® winner in the At Large category and a vice president and consultant of client services at Lockton Cos., in Los Angeles, also never planned on working in insurance. In fact, her background was in distressed turnarounds and private equity – at first blush, a far cry from explaining P&C coverages to clients.
Diversifying the Ranks
“Not having an insurance background, I sort of laughed when someone asked me to look into the business,” said Davis.
“I first talked to the person I work for right now, and he said I would be working in a niche within insurance.”
Being both female and African-American has created some trying situations, Davis said, because at its foundation the business remains stocked predominantly with older men.
“As I sit in front of a CFO or CEO, when they perceive insurance, they perceive an older, white male, or any white male for that matter,” she said. “Being female and an African-American, I have experienced a little pushback now and then, but things really are changing.”
Unlike folks who fell into insurance, Lee Newmark, 27, area vice president in the Chicago office of Arthur J. Gallagher & Co., completed the AJG summer internship program while still in college and segued into a full-time job upon graduation.
Newmark, a Power Broker® winner in the Health Care category, actually had the offer prior to his senior year, a rare luxury for today’s millennials (outside the tech industry, anyway).
“I dropped off my resume and nine weeks later, I was done with the internship and had an offer from Gallagher,” said Newmark, who started in 2009 and specializes in health care. “I had known some great people who worked there, so I figured why not give it a shot?”
Adding Youth and Talent
Newmark laughed about his prior insurance misconceptions — that it was only about life insurance, benefits, auto and other personal lines. He’s certain that early perceptions like his are the main reason commercial insurance is challenged to attract as many young people as it needs.
“Insurance isn’t considered very sexy,” he said. “But it’s a great business-to-business industry where you often are calling on C-suite and high-level executives. For me, it’s easy to tell younger people how much different the insurance reality is compared to the perception.
“That’s our biggest struggle as an industry.”
Tandis Nili, 34, a vice president at Aon in New York City, much like Newmark, started working as a broker shortly after college graduation, nine days to be exact.
“Even though my only contact with insurance was my car insurance, I had a contact at Aon,” said Nili, who majored in finance and minored in chemistry in college and is a 2015 Power Broker® in the Energy/Downstream category.
“Aon was looking for someone in the financial industry because of the need to understand operations and earnings.”
Since joining Aon, Nili also earned a law degree while going to night school (she is both a part-time coverage counsel and broker).
She reasoned that a law degree would help her be even more effective to her finance clients, mainly Fortune 500 companies. For example, if they are going to sign a lease or contract, she can give it the legal once-over.
In 2006, Nili launched a network of insurance professionals, many of them under 40, to try and help others navigate an industry that had been mostly populated by older male brokers.
“I still sometimes find gender is a challenge, but on the flip side, some of the older men I have met have proven to be great mentors,” she said. “I would say it’s not so much the youth aspect as gender bias. I still see it with clients sometimes.”
Mary Pontillo, 38, a vice president at DeWitt Stern in New York City, came to the industry with a M.A. in art history and a paucity of job offers within the art world.
Despite her advanced degree and an internship at the world-famous Hirshhorn Museum in Washington, D.C., Pontillo faced the harsh reality of few open museum positions.
As luck would have it, Pontillo, now a perennial Power Broker® in the Fine Arts category, came across a fine arts claims adjuster who needed administrative help and within a few months she started considering a career mixing insurance with fine arts.
“I had no idea this industry segment even existed in undergrad or graduate school,” she said. “What I love about it the most is that my career started off with me knowing more about art and less about insurance. But today, my art background allows me to speak the language with clients.”
Pontillo said being a broker specializing in fine arts requires a very hands-on, personal relationship with underwriters and clients because every day poses a different challenge.
Looking ahead, she’s secure knowing that her age is a benefit.
“Many of my broker competitors are close to retirement age and there are few people in my age bracket in the industry,” she said. “It’s great to be in a really strong position at a relatively young age.”
Tammy Mission, 27, an assistant vice president at EPIC, in Concord, Calif., also was recruited out of college, St. Mary’s College of California. The school has strong local ties in the insurance business, so Mission figured she would get “into sales” for a year and then move back to the finance track career-wise.
As it turned out, her initial two-hour interview at Heffernan, in San Francisco, was so positive she was hooked.
“They sold me on insurance,” she said. “They knew I was a millennial and they knew how to pitch me.”
Mission’s business acumen kicked in and her client pipeline began to grow. This marks her second year running as a Power Broker® in the Nonprofit category.
“Early in my career, I had challenges. I was so young and naïve,” she said. “But I believe it comes down to personality. My parents are entrepreneurs, so at an early age I received tasks without instructions other than do it fast, keep it moving.”
Listing of Power Broker Winners and Finalists Under 40: