Target Corp’s decision to fast track a $100 million program to adopt the use of chip-enabled smart cards is just a drop in the bucket when it comes to what retailers need to do to defend themselves against future cyber attacks, according to security experts and IT service providers.
The pressure to boost security spending comes at a time when merchants are already spending millions to fend off online retailer Amazon.com and facing an October 2015 deadline set by payment networks Visa Inc and MasterCard Inc to accept new payment cards that store information on computer chips rather than on traditional magnetic stripes.
Target, the No. 3 U.S. retailer, said this week it hoped to finish upgrading its payment card network to the more secure “chip and PIN” standard by early 2015, some six months ahead of its previous plan.
The system, already widely used in Europe and Asia, can accommodate cards carrying tiny microprocessors, which makes it harder for cyber crooks to use stolen data.
U.S. retailers have been so focused on cutting costs and expanding their online presence in the past decade that they have not spent enough of their technology budgets on protecting customer data, security experts and IT service providers said.
While retail spending on overall technology was expected to rise 4 percent annually between 2012 and 2017, U.S. stores spend only roughly 2 percent of their tech budgets on security, with the bulk going to improving their e-commerce, technology advisory firm IDC Retail Insights said.
Unlike their peers in other industries, most retailers still focus on just meeting the basic standards set by the payment card industry rather than substantially beefing up safeguards against increasingly sophisticated attacks, security experts said.
“Retailers have to assume that they are constantly being targeted and actually constantly being penetrated,” said Eddie Schwartz, a vice president at Verizon Enterprise Solutions, who urged retailers to take a more proactive approach.
Pressure from Congress, consumer groups and the banking industry following recent theft of customer data at Target, Neiman Marcus and others may be the turning point to get the retail industry to spend more on security, experts said.
For example, Dinesh Bajaj, the vice president of retail and logistics practice in Americas for Infosys Ltd, expects retailers to spend more in coming months on encrypting credit card data while storing it in multiple systems.
IDC Retail Insights expects spending by retailers in 2014 specifically for security in the United States to be $720.3 million, an increase of 5.7 percent from last year in part because of the recent breaches. Total tech spending by retailers this year is expected to hit $36.34 billion.
“It’s clear that companies need to do a lot more, that they continue to make basic mistakes,” Federal Trade Commission Chairwoman Edith Ramirez said at a hearing on Tuesday looking into massive data breaches at Target and Neiman that affected millions of shoppers.
Launched in July 2012, FIDO, which stands for Fast IDentity Online, is hoping its specifications for security devices and browser plugins will be widely adopted across the technology industry.
Such efforts depend on voluntary adoption by many companies and organizations. So far, those participating in FIDO include heavyweights Google, MasterCard, Lenovo, Infineon, LG Electronics and a variety of smaller companies.
Authentication hardware and software varies widely, with many proprietary clients and protocols. FIDO hopes that standardizing authentication technologies will lead to better interoperability and innovations in biometrics, PINs (personal identification numbers) and secondary authentication technologies, according to its website.
Usernames and passwords underpin most online services but are easy to intercept. Computer security experts have long warned of password weaknesses, such as easy-to-guess passwords and the reuse of passwords across multiple services.
Password replacement technology has a high bar: it needs to be both effective and simple for users.
FIDO envisions a software client, installed on computers, that employs public key cryptography to authenticate users. All major Web browsers will be supported. The initial focus will be on securing access through Web browsers to Web applications. The group also plans authentication options for Android phones soon and eventually for Windows tablets and Apple products.
When FIDO authentication is used, a user will not need to submit their biometric or personal information to an online service.
The FIDO Alliance will eventually submit its protocol to groups dedicated to Web standards, such as the Internet Engineering Task Force or the World Wide Web Consortium.
MasterCard Inc, one of the largest payment networks, said earlier this year that it plans a new fee for digital wallet operators like PayPal starting in June.
The actual dollar amount PayPal ends up paying may not be that large, analysts say. However, they are worried that this is part of a broader move by payment networks to target PayPal, which has become more of a direct competitor recently.
“Payment networks are taking the gloves off,” Bill Carcache and Brian Nowak, analysts at Nomura Equity Research, wrote in a note to investors on Monday. “The incumbents will do everything in their power to prevent PayPal from riding on their rails without extracting a toll.”
EBay shares slid 0.5 percent to $50.18 on Monday afternoon, leaving them down about 4 percent so far this year.
Since eBay mentioned the MasterCard fee in a regulatory filing on February 1, the company has lost about 12 percent of its market value – while Amazon is down about 1 percent and the Nasdaq Composite is up 2 percent.
Analysts put that under-performance down to this new fee and concern about rising tension between PayPal and the payment networks.
“The fact that PayPal, as the largest digital wallet player, could be singled out by a network like this is clearly a negative,” said Ken Sena, an analyst at Evercore Partners.
PayPal is moving from its online roots into the physical retailer world, where the vast majority of payments still take place. It is a big opportunity for the business and that has driven eBay shares higher in the past year.
However, as a payment option in lots of physical stores, PayPal will be a much bigger threat to network operators like MasterCard, Visa Inc and American Express, analysts say.
Historically, Visa and MasterCard viewed PayPal’s success in the online world cautiously, but they were also happy because the service generated extra e-commerce transactions that ultimately got processed through their networks.
“Now that PayPal has started moving to the physical point of sale, however, competitive intensity levels are rising as PayPal encroaches deeper into what has traditionally been the incumbents’ turf,” Nomura’s Carcache and Nowak said.
At a conference last month, Chris McWilton, president of MasterCard’s U.S. Markets, complained that PayPal “rides for free” on other companies’ business models.
Groupon Inc, the world’s largest online daily deals provider, launched a payment business on Wednesday and jumped into an already crowded field where it will compete aggressively on price with eBay Inc’s PayPal and start-up Square Inc.
The service, called Groupon Payments, lets U.S. restaurants, salons and spas, retailers and other businesses that run Groupon daily deals accept credit card payments at a lower rate than other providers. In a typical local deal, a customer could pay $20 for a voucher worth $40 of goods and services.
Groupon will charge 1.8 percent for MasterCard, Visa and Discover cards, on top of a 15 cent fee per swipe. For American Express cards, it charges 3 percent plus the 15 cent fee.
Groupon’s daily deals competitors include LivingSocial, Google and Amazon.com Inc, which owns part of LivingSocial.
Groupon aims to reach a size where it will become the “operating system” for local commerce, as Chief Executive Andrew Mason put it earlier this year.
Despite skepticism on Wall Street, Groupon has rolled out a slew of new services for local merchants, including a scheduling system, a customer-loyalty program and now payments.
“They are making the right moves, but it’s a highly competitive market,” said Rick Oglesby, a payments industry expert at consulting firm Aite Group.
Groupon shares jumped 13.9 percent to close at $5.34 after the announcement. The stock has shed about three-quarters of its value since the company went public last year.
Isis is an effort by Verizon Wireless, AT&T Inc and T-Mobile USA to provide mobile wallet services that would allow consumers to get rid of plastic cards and instead make payments by simply waving their phone at a check-out terminal.
While Japan has had mobile payment services for years, U.S. development of such services has been much slower. U.S. mobile providers have long said that they are keen to support payments to help improve their customer loyalty but it has taken a long time to forge agreements with card and merchant partners.
The latest delay follows Apple Inc’s announcement of a new iPhone model on Wednesday without support for the near field communications (NFC) short range wireless technology that the Isis service will be based on.
Other phone makers including Samsung Electronics have embraced NFC but some analysts had hoped Apple would give the industry a shot in the arm by putting the technology in its hugely popular iPhone.
Verizon Wireless is owned by Verizon Communications and Vodafone Group Plc. T-Mobile USA is owned by Deutsche Telekom AG.
Google announced this week that it would no longer support its branded pre-paid card in Google Wallet on Oct. 17, and asked customers to take steps to ensure they recover all their remaining funds in a timely manner.
The Google Prepaid Card is a virtual MasterCard account created for use with the company’s near-field communication Google Wallet payment app. Users that activated the “card” when it was released in 2011 received a free $10 credit for use with the system.
To prompt users to spend all the remaining money on their pre-paid accounts, Google announced that it would charge a $2 fee for 30 days of inactivity, though the company also noted that no fees would be levied on accounts that had zeroed out their balances by Oct. 17.
This is likely a move by Google to minimize the number of manual refunds it will have to issue for anyone who still has a balance after the deadlines, as is the company’s announcement that such direct refunds could take eight weeks to process.
All other types of cards will continue to work normally with Google Wallet after the change. Google added support for Visa and Discover last month, though initial reports that American Express had also joined the program turned out to be premature.
NFC technology, once thought to be the next big thing in payment methods, has yet to break into the U.S. mainstream. Although NFC payment is accepted at some major retailers, including McDonald’s, few consumers use it on a regular basis.
EBay Inc’s PayPal online payments service has gained access to millions of stores across the United States through an agreement with Discover Financial Services, expanding its reach beyond the Web and into the brick and mortar world.
Under the deal revealed on Wednesday, PayPal will issue payment cards to its more than 50 million active users in the United States next year, which they can use to buy from merchants that already use Discover Network, which links more than 7 million U.S. retail locations.
Their tie-up is the latest alliance among technology and financial corporations intended to stake out a spot in new forms of retail payment – such as “digital wallets” proposed by the likes of Google Inc that employ smartphones.
PayPal – which accounts for almost half of eBay’s annual revenue – is expanding beyond its popular Internet payments service in search of new opportunities. In the past year, it has persuaded more than 15 retailers, including Home Depot Inc and Office Depot Inc, to accept PayPal payments in their stores.
For Discover – the fourth-largest U.S. credit card issuer after Visa Inc, MasterCard Inc and American Express Co – PayPal’s large user base could generate significant transaction volume for its payments network.
PayPal users will be able to pay at merchants on the Discover Network by swiping their new cards through existing check-out machines and entering a four-digit PIN.
Merchants will not need to buy new hardware or software to accept PayPal, according to Don Kingsborough, the PayPal executive leading the company’s offline push.
“It’s a big step for both companies,” said Ken Paterson, a director at Mercator Advisory Group, a research firm that focuses on the consumer payments industry. “This would provide a ready-made route for PayPal to get into most card-accepting retail establishments in the U.S.”
More than a dozen retailers including Best Buy, Walmart, Target and 7-Eleven have joined forces to create the Merchant Customer Exchange (MCX), a mobile-payments network that will go head-to-head with Google and Isis.
The retailers claim that they are better suited than mobile operators and OS developers to develop a successful mobile-payment system.
No launch date was given for the exchange, which was announced Wednesday, but development of MCX’s mobile application is underway. It will be available through virtually any smartphone, according to a statement from the merchants. MCX is not yet saying which payment technologies it will use, but that information will be provided in the near future, according to a spokesman.
Like their competitors, the retailers plan to combine their mobile wallet with targeted offers and promotions that will be available through smartphones.
MCX will enter an increasingly crowded U.S. market for mobile payments using Near-Field Communications (NFC) and other methods. The two main competitors for MCX are Google Wallet and Isis, which is backed by AT&T Mobility, T-Mobile USA and Verizon Wireless.
Even more contenders are expected to enter the space, including Apple, according to Windsor Holden, research director with Juniper Research.
“There is no question that Apple will come out with some form of contactless payment technology,” Holden said.
It remains to be seen whether the company will opt for NFC or something else, he said.
PayPal, the online payments division of eBay Inc, has sparked a furor in the publishing world by requesting some e-book distributors to ban books that contain “obscene” themes including rape, bestiality or incest.
PayPal sent an email on Feb 18 to Mark Coker, founder of e-book publisher and distributor Smashwords, saying it would “limit” the company’s PayPal account unless Smashwords removed from its website e-books “containing themes of rape, incest, bestiality and underage subjects.”
PayPal sent similar warnings to online publishers and booksellers including BookStrand.com and eXcessica, according to the Electronic Frontier Foundation, a non-profit that supports free speech, privacy and other individual rights in the digital world.
A PayPal spokesman confirmed that the company sent such notifications to companies but declined to identify specific recipients.
EFF and other groups including the Authors Guild, the American Booksellers Foundation for Free Expression and the Association of American Publishers are planning to send a letter to PayPal on Wednesday asking the company to reverse its policy.
PayPal “is now holding free speech hostage by clamping down on sales of certain types of erotica,” the groups said, according to a draft of the letter sent to Reuters. “We strongly object to PayPal functioning as an enforcer of public morality and inhibiting the right to buy and sell constitutionally protected material.”
PayPal said it was acting in part because banks and credit card companies it works with restrict such content, according to an email PayPal sent to Smashwords on February 24. Reuters obtained copies of the emails.
“Our banking partners and credit card associations have taken a very strict stance on this subject matter,” PayPal said in the February 24 email. “Our relationships with the banking partners are absolutely critical in order to provide the online and mobile services we (offer) … to our customers. Therefore, we have to remain in compliance with their rules, which prohibit content involving rape, bestiality or incest.”
The move has caused an uproar in the publishing world, which is concerned that banks and credit card companies may be exerting too much control over what books can be written, published and read.
A PayPal spokesman said the company allows its service to be used for the sale of “erotic” books but added that the company has to draw the line “on certain adult content that is extreme or potentially illegal.”
Boku Inc, a big online mobile payments company supported by venture capital firms including Andreessen Horowitz and Benchmark Capital, debuted a new service on Thursday that allows consumers to pay with any mobile phone anywhere credit cards are accepted.
Boku already provides carrier billing through about 230 wireless carriers, including AT&T Inc, Vodafone Group Plc and Verizon Communications Inc in more than 60 countries. This service lets people pay with their mobile number and get the transactions charged to their monthly phone bill.
Carrier billing is typically limited to smaller online purchases, either through personal computers or within mobile phone apps.
Boku’s new platform, called Boku Accounts, allows purchases in physical stores, a much bigger market. The service will be branded and offered by wireless carriers to customers, with Boku running the system in the background.
The move puts Boku in closer competition with PayPal, which is pushing its popular online payments service into physical stores. Google Inc is also trying to get its Google Wallet service into stores through a partnership with giants such as MasterCard Inc and Citigroup Inc.
PayPal’s in-store offering works with merchants’ existing point-of-sale terminals, but usually requires a software upgrade. Google Wallet works with phones that have Near-Field Communication, or NFC, chips in them and merchants need a terminal that supports this technology.
Boku’s service comes with a sticker that users can slap on the back of their mobile phones, turning any handset into an NFC-enabled device. It also comes with a payment card that can be swiped using existing retailer terminals, without a software upgrade, according to the company.
“We wanted this to be available in any store,” Ron Hirson, co-founder of Boku, said. “You don’t need a new phone or a new terminal.”
Visa comes onboard a “Google Wallet” project already supported by Citigroup, MasterCard, Sprint Nextel Corp and First Data. In May, the group announced a trial of a system that allows shoppers to store funds on their phones and pay at checkout.
Rival Isis, a venture between Verizon Wireless, AT&T Inc and T-Mobile USA, has already signed partnerships with all the major card networks, including MasterCard and Visa.
But while Sprint announced the launch of the Google Wallet service on Monday, Isis has said its service will not be ready until early next year.
Google’s system competes with plans by other top U.S. banks and mobile phone companies and employs near-field communication (NFC) technology, used widely in Asia.
On Monday, Google and Visa said the Internet search leader had received a worldwide license to Visa’s “payWave” — similar to MasterCard’s PayPass — enabling its installation on Android smartphones. Customers link their credit or debit bank accounts to Android phones with the Google Wallet app installed.
They can then tap their phones — which come with an NFC chip — at specially installed terminals at checkout to effect a purchase.
“This agreement extends Google Wallet to Visa account holders worldwide,” said Stephanie Tilenius, Google’s vice president of Commerce and Payments.
“This is a crucial step toward realizing our shared vision for the future of mobile commerce.”
The two executives, Osama Bedier and Stephanie Tilenius, were formerly employed by PayPal and led the launch on Thursday of Google’s own mobile payment system in partnership with MasterCard, Citigroup and phone company Sprint.
The suit highlights the growing competition by a wide range of firms from traditional finance to Silicon Valley trying to take a major stake in what has been described as a $1 trillion opportunity in mobile payments. The mobile phone is seen as the digital personal wallet of the future.
The eBay suit said Bedier worked for nine years at PayPal, most recently serving as vice president of platform, mobile and new ventures. He joined Google on January 24 this year.
Tilenius was at eBay from 2001 to October 2009 and served as a consultant to the company until March 2010. The suit says Tilenius joined Google in February 2010 as vice president of e-commerce.
Bedier is accused in the suit of having “misappropriated PayPal trade secrets by disclosing them within Google and to major retailers.”
The suit accused Tilenius of recruiting Bedier, thereby breaking a contractual agreement with eBay. It also claims Bedier attempted to recruit former colleagues still at PayPal.
EBay said PayPal and Google worked closely together for three years until this year on developing a commercial deal where PayPal would serve as a payment option for mobile application purchases on Google’s Android phones.
It said Bedier was the senior PayPal executive leading and finalizing negotiations with Google on Android during this period.
It also claimed Bedier transferred up-to-date versions of documents outlining PayPal’s mobile payment strategies to his non-PayPal computer just days before leaving PayPal for Google.
Google and PayPal have had similar run-ins in the recent past regarding online payments via computers with the launch of Google Checkout in 2006, but Checkout has had a minimal impact on PayPal’s market dominance.
The suit was filed at Superior Court of the State of California, county of Santa Clara.
Google Inc will unveil a mobile payment system this Thursday that will allow consumers to pay at checkout counters with phones instead of cards, a source said, hoping to beat Visa and others to the punch.
The Internet search engine giant and advertising leader will work with MasterCard Inc, the world’s second-largest credit and debit card processing network, to launch the system, the source familiar with the matter told Reuters on Tuesday.
Google joined forces with MasterCard and Citigroup Inc to develop the system, the Wall Street Journal originally reported back in March.
It has now signed up big retail partners Macy’s Inc, American Eagle Outfitters Inc and Subway, though it is unclear if the project will be launched nationwide or just in New York initially, the Journal cited sources as saying Tuesday.
Google invited media representatives to attend a “partner event” on Thursday in New York to demonstrate what it called its “latest innovations.” It plans to debut a mobile payments system that will run on the Android operating system and be available on phones from Sprint Nextel Corp, Bloomberg reported on Tuesday.
A source familiar with the matter confirmed Google would launch the program. Citigroup did not respond to requests for comment. Google, Sprint and MasterCard declined comment.
GfK found that PayPal was the brand most likely to be trusted with personal financial data by consumers in nine major markets around the world, in a survey whose results are due to be published some time this week.
Major credit card brands Visa and MasterCard were the next most likely global brands to be trusted, followed by technology juggernaut Apple, which already handles account data through the iTunes store, Nokia and Samsung.
Mobile carriers, who have been hoping to diversify their increasingly marginalized revenues through NFC, came far down the list.
“When we think of trust or security, we probably default to a brand that’s been around for a long time. In this case, people have put their trust in a very new company,” GfK analyst and report author Ryan Garner told Reuters.
“Whilst financial brands have built up high levels of trust, mobile-based brands such as Nokia and Apple, and relatively new financial brands like PayPal, have the potential to disrupt this seemingly comfortable position,” GfK said.
GfK carried out its online survey of 8,603 consumers in Britain, the United States, Germany, France, Spain, Brazil, China, Italy and South Korea — which it used as a benchmark because mobile payments have been used there for many years.
Visa Inc, the world’s largest credit and debit card processing network, is designing a digital wallet that people can use to pay for things on the Internet or with their phones instead of with traditional plastic cards.
The network said on Wednesday it is collaborating with several large U.S. and international banks to create the wallet. Its partners include US Bancorp, PNC Financial Services, Regions Financial, BB&T Corp, Toronto Dominion’s TD Bank and the U.S. arm of Barclays PLC.
The “digital wallet” will store the banks’ customers’ credit and debit card account information, both for Visa cards as well as other cards. People can use the wallet to pay for things online or in stores, Visa said.
The network will also have to convince merchants to put a new “one-click” button on their websites, so that potential customers can use their Visa digital wallets to buy things by clicking the button instead of by manually entering all of their account information every time they want to make an online purchase.
Banks, mobile phone operators and networks like Visa are all trying to gain territory in the small, but high-potential market for U.S. mobile payments. Last week Isis, a separate mobile payments venture run by three of the top four U.S. carriers, said it had modified its initial goals and was now open to working with Visa and MasterCard as it introduces its own mobile wallet.
Jim McCarthy, Visa’s head of global products, told Reuters in an interview on Wednesday that mobile payments in the United States “will more easily take off” from people using their smartphones’ browsers to buy things online.
But Visa and its rivals, including MasterCard Inc, American Express Co and Discover Financial Services, are also trying to figure out ways for people to buy things with their phones in physical stores. McCarthy said that a previous, separate Visa pilot to test smartphone payments with Bank of America Corp and other large U.S. banks will be commercially available this summer.
Visa plans to introduce the digital wallet in the United States and Canada in autumn of 2011.