MasterCard Inc, the world’s second-largest credit card association, sees business booming from selling data to retailers, banks and governments on spending patterns found in the payments it processes, a top executive told Reuters.
MasterCard, which handles payments for 2 billion cardholders and tens of millions of merchants, uses that information to generate real-time data on consumer trends, available more quickly than regular government statistics.
“It is an incredibly fast growing area for us,” Ann Cairns, who heads MasterCard’s business outside North America, said in an interview, stressing that the company respects cardholder privacy, using anonymous data rather than personal information.
MasterCard does not give figures for its information services products but “other revenues”, which include the sale of data, grew 22 percent in the first quarter of 2014 to $341 million, outpacing the growth of total revenue dominated by payments processing, which rose 14 percent to $2.177 billion.
Cairns said clients for the data include retailers, banks and governments, with MasterCard tailoring it to their needs.
“Retailers are fantastic at using the data they have available about how people shop in their store, how their inventory turns over, but what they don’t know is what happens outside their store,” she said. “The data we’ve got is ubiquitous across the whole market. We can help retailers see what they need to do to capture more sales.”
Cairns, 57, a statistician by training who joined MasterCard in 2011 after helping manage the disposal of Lehman Brothers assets in Europe, revels in the insights real-time card data can provide, such as London’s popularity as the world’s top travel destination and a rise in spending on experiences such as eating out or going on holiday rather than shopping in stores.
MasterCard has recorded a spike in spending in Brazil on groceries and a drop in spending on luxury goods as the price of food has risen ahead of the World Cup, she said, the kind of insight valued by companies such as Nike and Adidas that are hoping to sell $300 soccer boots during the competition.
While MasterCard expands in “big data”, Cairns sees no slowdown in its traditional business of processing payments, with plenty of potential for growth as 85 percent of consumer transactions are still made by cash or check.
“Moving money and doing it safely and securely is so deeply cared about by so many people around the world that it will be a business that has fantastic value now and for years to come,” said Cairns, who previously worked at Citigroup and ABN Amro.
Even though POS systems remained a significant target for attackers, as suggested by several high-profile data breaches disclosed by large retailers over the past six months, the largest number of data theft incidents last year actually involved e-commerce sites, Trustwave said Wednesday in a report that compiled data from 691 data breach investigations conducted by the company around the world.
E-commerce intrusions accounted for 54 percent of investigated data breaches and POS system intrusions accounted for 33 percent, Trustwave said. A separate report published by Verizon in April also pointed to Web application and POS attacks as leading causes of security incidents with confirmed data disclosure last year.
According to Trustwave, over half of intrusions targeted payment-card data, with such data being stolen from e-commerce transactions in 36 percent of incidents and from POS transactions in 19 percent of attacks.
In Western Europe in particular, where countries have rolled out EMV — chip-and-PIN payment card transactions — cybercriminals shifted their focus from POS devices to e-commerce platforms, said John Yeo, EMEA Director at Trustwave. “EMV has changed the pattern of compromises when it comes to payment-card-specific data.”
However, a significant increase in the theft of sensitive, non-payment-card data was also observed last year. This data includes financial credentials, personally identifiable information, merchant ID numbers and internal company communications, and was stolen in 45 percent of incidents, Trustwave said in the report.
Customer records containing personally identifiable information can possibly be used to perpetrate identity fraud and are sought after on the black market, so that’s why there’s been an uptick in attacks focusing on such data, Yeo said.
Only about a third of victim companies were able to self-detect data breaches, Trustwave found. In 58 percent of cases, breaches were identified by regulatory bodies, the credit card companies or merchant banks.
Target is upgrading the security of its private label payment cards and implementing other network improvements as it seeks to restore confidence after one of the largest-ever data breaches last year.
The retailer will upgrade three types of payment card it uses to support chip-and-pin technology, where a microchip on the card holds customer data to improve security. It will also update its payment terminals to accept chip and pin, at a total cost of $100 million.
Visa and Mastercard have set a deadline for U.S. retailers to be able to accept chip-and-pin cards by October 2015. If the deadline isn’t met, the liability for fraudulent purchases made with chip cards resides with retailers.
Target spokeswoman Molly Snyder said Tuesday the company already had plans to accommodate chip-and-pin cards, widely used in Europe and elsewhere, but has accelerated its technology upgrade by about six months.
Avivah Litan, a vice president at Gartner with expertise in payments, said chip-and-pin cards would in theory have prevented Target’s data breach in which it lost 40 million payment card records via malicious software on its network.
She said Target’s move is more than symbolic even though the retailer was already moving to chip-and-pin. It gives customers a more secure way to pay using Target’s branded cards, she said.
“It’s good for consumers, and in the end, probably going to be good for Target,” Litan said.
Target has been under intense pressure to shore up its network following the breach. It is facing 80 civil lawsuits and inquiries from regulators including state attorneys general, the Federal Trade Commission and the U.S. Securities and Exchange Commission, according to its March 14 annual report.
Starting next year, Target will upgrade its debit cards, called REDcards, which account for around 20% of Target’s sales, to chip and pin.
The cards include a credit card and a debit card that Target issues and can only be used at its stores. The upgrade also applies to a credit card co-branded with MasterCard that can be used anywhere, Snyder said.
Target is also rolling out new software and payment terminals compatible with chip and pin to its 1,797 U.S. stores by next September.
So far, cybercriminals haven’t been able to steal sensitive data from the microchip of chip-and-pin cards, although some computer security researchers have found ways to attack the system.
Visa and MasterCard have long championed chip and pin as a replacement for magnetic stripe cards. Data can be easily copied from the magnetic stripe with off-the-shelf equipment.
Chip-and-pin cards still have a security hole, however: most still have the magnetic stripe, since they wouldn’t work at most U.S. stores today without it. That could change as the U.S. moves toward full chip-and-pin compliance, but the transition could take years.
A surge in cybercrime is forcing security vendors to release security updates every 40 minutes, according to security firm Symantec.
Senior manager for Symantec Security Response, Orla Cox, reported the development during a briefing attended by The INQUIRER.
“We’re seeing more sophisticated attacks than ever before and people want security,” she said. “Nowadays we are rolling out virus signature upgrades around every 40-50 minutes. They are rapid response upgrades that go through partial vetting. We then follow them up with three upgrades per day that are fully certified.”
Cox said Symantec began rolling out the rapid updates to help mitigate the growing number of malware variants and active cyber campaigns targeting its customers.
“It’s been about shaving off minutes for the last couple of years. If you came to us a few years ago it was one [update] and before that it would have taken hours. The rapid updates are for people that need a rapid response, like those suffering an infection.”
She said Symantec blocked 568,700 web attacks on its customers and detected a massive 1.6 million malware variants per day in 2013. But despite helping customers, Cox said the company’s rapid update cycle has increased the risk of pushing out an update with a false positive signature.
“The biggest quality issue we face is the danger of false positive definitions. There’s a risk of detecting something clean as malicious, that’s the big no no in our industry, so it’s as much about building definitions libraries about legit files as malicious,” she said.
False positives are updates from security providers that list legitimate files as malware and block them from running. In the past the faulty updates have caused damage to many companies. In 2013, Malwarebytes crippled thousands of its customers’ machines when it issued a false positive update.
Cox said the influx of new threats has also forced Symantec to expand its analysis procedures in recent years. “We’ve had to evolve how we work, it’s not just about providing protection and moving on any more. Threats and the landscape have changed and to address this we’ve begun doing intelligence work,” she said.
“We do bespoke research on occasion, with both customers and law enforcement. These situations are ones where we have the skills they don’t – that’s the benefit of us being here every day, reverse-engineering malware.
“Doing this over the years we’ve had to develop a number of systems and now we’re trying to understand the individual attacks in the context of who did them and why.”
Symantec is one of many technology firms to begin adopting an intelligence-based approach to cyber defence. Earlier in March, Facebook unveiled a new automated ThreatData security service designed to detect and catalogue new malware families.
Trustmark National Bank and Green Bank N.A. have filed a lawsuit against security firm Trustwave for damages suffered from the holiday season data breach at Target Corp, accusing the company of failing to identify security gaps, the American Banker reported.
The two banks are seeking damages of more than $5 million and named Trustwave Holdings and Target as defendants, the American Banker said.
The banks allege that the vulnerabilities in the Target system were either undetected or ignored by Trustwave, giving hackers access to millions of card accounts and personal records, the report said.
Some 40 million payment card records were stolen from the discount retailer, along with 70 million other records with customer information such as addresses and telephone numbers, during the 2013 holiday shopping season.
Target missed multiple opportunities to thwart the hackers responsible for the unprecedented holiday shopping season data breach, U.S. Senate staffers charged in a committee report released on Tuesday.
The report also said Target gave access to its network to a third-party vendor that did not follow accepted information security practices.
Target faces dozens of potential class-action lawsuits and action from banks that could seek reimbursement for millions of dollars in losses due to fraud and the cost of card replacements.
Target spokeswoman Molly Snyder declined to comment on the American Banker report. Trustwave was not available for comment.
Troubled UK supermarket chain Morrisons has been attacked and the personal details of thousands of Morrisons staff including salaries, bank account details and addresses have been stolen and published online.
The hack is believed to have been the result of an internal leak, with data copied onto a portable storage device and taken out of Morrisons’ Bradford headquarters. The data, which had details of staff from director level to the shop floor, was also sent anonymously to a local paper in Yorkshire, the Telegraph & Argus, by a “concerned Morrisons shopper.”
Morrisons announced a massive profits warning on Thursday, which sent shares diving 12 per cent, and the attack came hours after the chief executive, Dalton Philips, boasted that new IT systems would help to turn around Morrisons’ performance. It said it was now “urgently reviewing our internal data security measures,” and was working with UK banks and credit check service Experian to help colleagues secure their bank accounts.
ATMs running XP Embedded are not affected because Microsoft is not cutting off its support until 2016.
The process of upgrading to an alternative such as Windows 7 is both complicated and expensive for ATM operators – with many older machines needing to be altered one by one. Most are not expected to have made the switch within the next month.
JPMorgan has bought a custom one-year tech support agreement from Microsoft and will not begin migrating its 19,000 machines to Windows 7 until July, the bank has told Bloomberg. Wells Fargo and Citi say that they are working on upgrading their networks.
It’s not just ATMs that are at risk – Microsoft recently warned that the Indian banking industry’s reliance on XP could put more than 34,000 branches at risk.
In a notice on its site, the PCI SSC is urging firms to take the plunge: “Don’t make yourself an easy target, talk to your technology provider today and make sure your PC and systems are not putting your customers’ confidential payment card data and your business at risk.”
Target Corp’s decision to fast track a $100 million program to adopt the use of chip-enabled smart cards is just a drop in the bucket when it comes to what retailers need to do to defend themselves against future cyber attacks, according to security experts and IT service providers.
The pressure to boost security spending comes at a time when merchants are already spending millions to fend off online retailer Amazon.com and facing an October 2015 deadline set by payment networks Visa Inc and MasterCard Inc to accept new payment cards that store information on computer chips rather than on traditional magnetic stripes.
Target, the No. 3 U.S. retailer, said this week it hoped to finish upgrading its payment card network to the more secure “chip and PIN” standard by early 2015, some six months ahead of its previous plan.
The system, already widely used in Europe and Asia, can accommodate cards carrying tiny microprocessors, which makes it harder for cyber crooks to use stolen data.
U.S. retailers have been so focused on cutting costs and expanding their online presence in the past decade that they have not spent enough of their technology budgets on protecting customer data, security experts and IT service providers said.
While retail spending on overall technology was expected to rise 4 percent annually between 2012 and 2017, U.S. stores spend only roughly 2 percent of their tech budgets on security, with the bulk going to improving their e-commerce, technology advisory firm IDC Retail Insights said.
Unlike their peers in other industries, most retailers still focus on just meeting the basic standards set by the payment card industry rather than substantially beefing up safeguards against increasingly sophisticated attacks, security experts said.
“Retailers have to assume that they are constantly being targeted and actually constantly being penetrated,” said Eddie Schwartz, a vice president at Verizon Enterprise Solutions, who urged retailers to take a more proactive approach.
Pressure from Congress, consumer groups and the banking industry following recent theft of customer data at Target, Neiman Marcus and others may be the turning point to get the retail industry to spend more on security, experts said.
For example, Dinesh Bajaj, the vice president of retail and logistics practice in Americas for Infosys Ltd, expects retailers to spend more in coming months on encrypting credit card data while storing it in multiple systems.
IDC Retail Insights expects spending by retailers in 2014 specifically for security in the United States to be $720.3 million, an increase of 5.7 percent from last year in part because of the recent breaches. Total tech spending by retailers this year is expected to hit $36.34 billion.
“It’s clear that companies need to do a lot more, that they continue to make basic mistakes,” Federal Trade Commission Chairwoman Edith Ramirez said at a hearing on Tuesday looking into massive data breaches at Target and Neiman that affected millions of shoppers.
Launched in July 2012, FIDO, which stands for Fast IDentity Online, is hoping its specifications for security devices and browser plugins will be widely adopted across the technology industry.
Such efforts depend on voluntary adoption by many companies and organizations. So far, those participating in FIDO include heavyweights Google, MasterCard, Lenovo, Infineon, LG Electronics and a variety of smaller companies.
Authentication hardware and software widely varies, with many proprietary clients and protocols. FIDO hopes that standardizing authentication technologies will lead to better interoperability and innovations in biometrics, PINs (personal identification numbers) and secondary authentication technologies, according to its website.
Usernames and passwords underpin most online services but are easy to intercept. Computer security experts have long warned of password weaknesses, such as easy-to-guess ones and people who reuse them across multiple services.
Password replacement technology has a high bar: it needs to be both effective and simple for users.
FIDO envisions a software client that’s installed on computers that employ public key cryptography to authenticate users. All major Web browsers will be supported. The initial focus will be on securing access through Web browsers to Web applications. The group also plans authentication options for Android phones soon and eventually for Windows tablets and Apple products.
When FIDO authentication is used, a user will not need to submit their biometric or personal information to an online service.
The FIDO Alliance will eventually submit its protocol to groups dedicated to Web standards, such as the Internet Engineering Task Force or the World Wide Web Consortium.
MasterCard Inc, one of the largest payment networks, said earlier this year that it plans a new fee for digital wallet operators like PayPal starting in June.
The actual dollar amount PayPal ends up paying may not be that large, analysts say. However, they are worried that this is part of a broader move by payment networks to target PayPal, which has become more of a direct competitor recently.
“Payment networks are taking the gloves off,” Bill Carcache and Brian Nowak, analysts at Nomura Equity Research, wrote in a note to investors on Monday. “The incumbents will do everything in their power to prevent PayPal from riding on their rails without extracting a toll.”
EBay shares slid 0.5 percent to $50.18 on Monday afternoon, leaving them down about 4 percent so far this year.
Since eBay mentioned the MasterCard fee in a regulatory filing on February 1, the company has lost about 12 percent of its market value – while Amazon is down about 1 percent and the Nasdaq Composite is up 2 percent.
Analysts put that under-performance down to this new fee and concern about rising tension between PayPal and the payment networks.
“The fact that PayPal, as the largest digital wallet player, could be singled out by a network like this is clearly a negative,” said Ken Sena, an analyst at Evercore Partners.
PayPal is moving from its online roots into the physical retailer world, where the vast majority of payments still take place. It is a big opportunity for the business and that has driven eBay shares higher in the past year.
However, as a payment option in lots of physical stores, PayPal will be a much bigger threat to network operators like MasterCard, Visa Inc and American Express, analysts say.
Historically, Visa and MasterCard viewed PayPal’s success in the online world cautiously, but they were also happy because the service generated extra e-commerce transactions that ultimately got processed through their networks.
“Now that PayPal has started moving to the physical point of sale, however, competitive intensity levels are rising as PayPal encroaches deeper into what has traditionally been the incumbents’ turf,” Nomura’s Carcache and Nowak said.
At a conference last month, Chris McWilton, president of MasterCard’s U.S. Markets, complained that PayPal “rides for free” on other companies’ business models.
Groupon Inc, the world’s largest online daily deals provider, launched a payment business on Wednesday and jumped into an already crowded field where it will compete aggressively on price with eBay Inc’s PayPal and start-up Square Inc.
The service, called Groupon Payments, lets U.S. restaurants, salons and spas, retailers and other businesses that run Groupon daily deals accept credit card payments at a lower rate than other providers. In a typical local deal, a customer could pay $20 for a voucher worth $40 of goods and services.
Groupon will charge 1.8 percent for MasterCard, Visa and Discover cards, on top of a 15 cent fee per swipe. For American Express cards, it charges 3 percent plus the 15 cent fee.
Groupon’s daily deals competitors include LivingSocial, Google and Amazon.com Inc, which owns part of LivingSocial.
Groupon aims to reach a size where it will become the “operating system” for local commerce, as Chief Executive Andrew Mason put it earlier this year.
Despite skepticism on Wall Street, Groupon has rolled out a slew of new services for local merchants, including a scheduling system, a customer-loyalty program and now payments.
“They are making the right moves, but it’s a highly competitive market,” said Rick Oglesby, a payments industry expert at consulting firm Aite Group.
Groupon shares jumped 13.9 percent to close at $5.34 after the announcement. The stock has shed about three-quarters of its value since the company went public last year.
Isis is an effort by Verizon Wireless, AT&T Inc and T-Mobile USA to provide mobile wallet services that would allow consumers to get rid of plastic cards and instead make payments by simply waving their phone at a check-out terminal.
While Japan has had mobile payment services for years, U.S. development of such services has been much slower. U.S. mobile providers have long said that they are keen to support payments to help improve their customer loyalty but it has taken a long time to forge agreements with card and merchant partners.
The latest delay follows Apple Inc’s announcement of a new iPhone model on Wednesday without support for the near field communications (NFC) short range wireless technology that the Isis service will be based on.
Other phone makers including Samsung Electronics have embraced NFC but some analysts had hoped Apple would give the industry a shot in the arm by putting the technology in its hugely popular iPhone.
Verizon Wireless is owned by Verizon Communications and Vodafone Group Plc. T-Mobile USA is owned by Deutsche Telekom AG.
Google announced this week that it would no longer support its branded pre-paid card in Google Wallet on Oct. 17, and asked customers to take steps to ensure they recover all their remaining funds in a timely manner.
The Google Prepaid Card is a virtual MasterCard account created for use with the company’s near-field communication Google Wallet payment app. Users that activated the “card” when it was released in 2011 received a free $10 credit for use with the system.
To prompt users to spend all the remaining money on their pre-paid accounts, Google announced that it would charge a $2 fee for 30 days of inactivity, though the company also noted that no fees would be levied on accounts that had zeroed out their balances by Oct. 17.
This is likely a move by Google to minimize the amount of manual refunds they will have to issue for anyone who still has a balance after the deadlines, as is the company’s announcement that such direct refunds could take eight weeks to process.
All other types of cards will continue to work normally with Google Wallet after the change. Google added support for Visa and Discover last month, though initial reports that American Express had also joined the program turned out to be premature.
NFC technology, once thought to be the next big thing in payment methods, has yet to break into the U.S. mainstream. Although NFC payment is accepted at some major retailers, including McDonald’s, few consumers use it on a regular basis.
EBay Inc’s PayPal online payments service has gained access to millions of stores across the United States through an agreement with Discover Financial Services, expanding its reach beyond the Web and into the brick and mortar world.
Under the deal revealed on Wednesday, PayPal will issue payment cards to its more than 50 million active users in the United States next year, which they can use to buy from merchants that already use Discover Network, which links more than 7 million U.S. retail locations.
Their tie-up is the latest alliance among technology and financial corporations intended to stake out a spot in new forms of retail payment – such as “digital wallets” proposed by the likes of Google Inc that employ smartphones.
PayPal – which accounts for almost half of eBay’s annual revenue – is expanding beyond its popular Internet payments service in search of new opportunities. In the past year, it has persuaded more than 15 retailers, including Home Depot Inc and Office Depot Inc, to accept PayPal payments in their stores.
For Discover – the fourth-largest U.S. credit card issuer after Visa Inc, MasterCard Inc and American Express Co – PayPal’s large user base could generate significant transaction volume for its payments network.
PayPal users will be able to pay at merchants on the Discover Network by swiping their new cards through existing check-out machines and entering a four-digit PIN.
Merchants will not need to buy new hardware or software to accept PayPal, according to Don Kingsborough, the PayPal executive leading the company’s offline push.
“It’s a big step for both companies,” said Ken Paterson, a director at Mercator Advisory Group, a research firm that focuses on the consumer payments industry. “This would provide a ready-made route for PayPal to get into most card-accepting retail establishments in the U.S.”
More than a dozen retailers including Best Buy, Walmart, Target and 7-Eleven have joined forces to create the Merchant Customer Exchange (MCX), a mobile-payments network that will go head-to-head with Google and Isis.
The retailers claim that they are better suited than mobile operators and OS developers to develop a successful mobile-payment system.
No launch date was given for the exchange, which was announced Wednesday, but development of MCX’s mobile application is underway. It will be available through virtually any smartphone, according to a statement from the merchants. MCX is not yet saying which payment technologies it will use, but that information will be provided in the near future, according to a spokesman.
Like their competitors, the retailers plan to combine their mobile wallet with targeted offers and promotions that will be available through smartphones.
MCX will enter an increasingly crowded U.S. market for mobile payments using Near-Field Communications (NFC) and other methods. The two main competitors for MCX are Google Wallet and Isis, which is backed by AT&T Mobility, T-Mobile USA and Verizon Wireless.
Even more contenders are expected to enter the space, including Apple, according to Windsor Holden, research director with Juniper Research.
“There is no question that Apple will come out with some form of contactless payment technology,” Holden said.
It remains to be seen whether the company will opt for NFC or something else, he said.