Everything old is new again.
If there were prevailing undertones that struck me during this year’s visit to CARTES, they would be reinvention and reinvigoration. Companies showed off brand new corporate designs, presented mergers and acquisitions and newly created divisions to address anticipated emerging markets, and generally thanked Apple for creating a ‘tipping point’ for the payment industry.
The phrase came courtesy of Verifone Europe’s President June Yee Felix. During her address at the opening Summit of Cartes she said, “Apple Pay is something wonderful for our industry. They have engaged the consumer. The technology has been there for some time. Others, such as Google, have gone down the same road, but what’s different is that Apple has captured the imagination of the consumer. Having over 200,000 merchants as places to pay in the US alone is a tipping point, I believe, in creating momentum. It will get consumer excitement going and that is very, very important.” This sentiment was also echoed by Eurosmart’s Chairman Oyvind Rastad. When asked to comment on the arrival of Apple Pay he said, “It’s great news for the industry,” and predicted, “Next year will be the year of NFC. I know this is the third time I’ve said this, but NFC is becoming a commercial reality.” As I said before, everything old is new again.
Verifone, in my opinion, was one of the winners of Cartes. With a brand new corporate design, relevant demonstrations and an overall buzz all over their first row booth, the company left quite an impression. Along with a number of other US-based companies, the company also touched upon other elements that have a critical impact on the payments industry, namely the structure of secure commerce, reducing merchant exposure to large-scale data breaches, and accelerating the acceptance of EMV in the U.S. market. Amongst Verifone’s announcements was the one concerning the global availability of its secure commerce architecture, which the company said is designed to “reduce merchant exposure to large-scale data breaches, and reduce the certification burden on U.S. merchants, acquirers and other payment providers looking to enable EMV acceptance.” The company showcased this quite heavily at the Money 20/20 event that was taking place at the same time as Cartes in Las Vegas. Verifone’s secure commerce architecture decouples payment data from the merchant’s POS system and enables encrypted delivery of this data from the payment terminal directly to the merchant’s processor. This benefits merchants by removing the POS system from the scope of EMV certification, which Verifone said greatly reduces the burden for clients. It also prevents consumer payment data from entering the POS by transmitting it directly to the merchant’s payment processor, which takes away the risk of the data being stolen from it. This secure commerce architecture is now available to all of Verifone’s direct merchant customers and all merchant acquirers in the U.S.; global availability will begin in 2015.
Also last week, American Express announced their new online payment security services — American Express Token Services, a suite of solutions designed to enable its card-issuing partners, processors, acquirers and merchants to create a safer online and mobile payments environment for consumers. With American Express Token Service, traditional card account numbers are replaced with unique “tokens,” which can then be used to complete payment transactions online, in a mobile app or in-store with a mobile Near Field Communication (NFC)-enabled device. By using tokens, merchants and digital wallet operators will no longer need to store consumers’ sensitive payment account information in their systems. In addition, tokens can be assigned for use with a specific merchant, transaction type or payment device to provide further protection against fraud. “We believe our payments network is a tremendous asset to American Express – one that will allow us to offer our customers new features and technologies to meet their evolving spending needs,” said Paul Fabara, President, Global Banking and Global Network Business, American Express. “As we move ahead, we are excited to bring these new capabilities to our customers and look forward to continuing to serve them.”
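The token mechanism described above, as an added sketch that is not American Express code: a token service keeps the only copy of the account number and refuses a token presented outside the merchant, channel or device it was issued for. The class, field and channel names and the sample number are assumptions made for illustration.

```python
import secrets

CHANNELS = ("online", "in_app", "nfc")  # the three uses the article lists


class TokenVault:
    """Runs at the token service: the only place the real number is kept."""

    def __init__(self):
        self._records = {}

    def issue(self, pan, merchant=None, channel=None, device=None):
        """Return a random token for pan, optionally bound to a domain."""
        if channel is not None and channel not in CHANNELS:
            raise ValueError("unknown channel")
        while True:
            # Random digits of the same length, so existing card fields fit.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._records:
                break
        self._records[token] = {"pan": pan, "merchant": merchant,
                                "channel": channel, "device": device}
        return token

    def resolve(self, token, merchant, channel, device):
        """Map a presented token back to the account, or None if refused."""
        record = self._records.get(token)
        if record is None:
            return None
        presented = {"merchant": merchant, "channel": channel, "device": device}
        for field, value in presented.items():
            bound = record[field]
            if bound is not None and bound != value:
                return None  # used outside the domain it was issued for
        return record["pan"]


def demo():
    """Issue one merchant-bound token and present it in and out of domain."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real account
    token = vault.issue(pan, merchant="shop-a", channel="in_app", device="phone-1")
    in_domain = vault.resolve(token, "shop-a", "in_app", "phone-1") == pan
    out_of_domain = vault.resolve(token, "shop-b", "in_app", "phone-1") is None
    return in_domain, out_of_domain
```

The merchant only ever stores the token, so a copy taken from its systems is refused when presented anywhere else.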
Other news was the laboratory hacking of a flaw in the contactless Visa card. I am cautious in emphasising it was ‘laboratory hacking’ because after covering security related news through The Silicon Trust for so long I am left with a healthy disregard for those researchers who make such claims under ideal circumstances. Usually just before they are about to present a paper at some conference somewhere. In this instance Scottsdale, Arizona. Researchers from the University of Newcastle said the flaw is simple: when the amount is requested in a foreign currency, the system will approve unlimited cash transactions without a PIN, while the card is still in the victim’s pocket or bag. The transactions can be valued up to 999,999.99 in any foreign currency – while the system limits transactions in the U.K. to a maximum of £20 before a PIN is required, making the purchase in a foreign currency sidesteps the £20 limit. Newcastle University’s lead researcher Martin Emms said, “With just a mobile phone we created a point-of-sale terminal that could read a card through a wallet. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. It took less than a second for the transaction to be approved.” After reviewing Newcastle University’s findings, Visa Europe responded with the following statement, “The research does not take into account the multiple safeguards put into place throughout the Visa system, each of which must be met in order to make a transaction possible in the real world. For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment. We are updating the safeguards in the payment system to require more transactions to come online for authentication, making it even more difficult to make this kind of fraudulent attack. This process was already underway before we were made aware of the Newcastle research.”
The UK Cards Association told the Daily Mail, "While this complex fraud may be theoretically feasible in a laboratory, it hasn’t been attempted in the real world and absolutely no money has ever been lost as a result. There are robust security checks in place at every single stage of a payment – by the retailer’s bank, the card scheme and the customer’s bank – which monitor, and stop, suspicious transactions. Consumers can be assured they are legally protected from any fraud losses and will never be out of pocket."
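A simplified model of the limit check as the researchers describe it, next to a fail-closed version in the spirit of Visa’s statement about sending more transactions online. This is an added illustration, not card or scheme code; the function names, decision labels and sample requests are assumptions.

```python
from decimal import Decimal

HOME_CURRENCY = "GBP"             # the card's domestic currency in this model
NO_PIN_LIMIT = Decimal("20.00")   # the £20 limit quoted in the article

APPROVE_NO_PIN = "approve_without_pin"
REQUIRE_PIN = "require_pin"
GO_ONLINE = "send_online_for_authorisation"


def flawed_decision(amount, currency):
    """The limit is enforced only when the request is in the home currency."""
    if currency == HOME_CURRENCY and amount > NO_PIN_LIMIT:
        return REQUIRE_PIN
    return APPROVE_NO_PIN  # every other currency falls through unchecked


def hardened_decision(amount, currency):
    """Fail closed: a request the limit cannot be compared with goes online."""
    if amount <= 0:
        return GO_ONLINE
    if currency != HOME_CURRENCY:
        return GO_ONLINE  # issuer and scheme checks decide, not the card alone
    if amount > NO_PIN_LIMIT:
        return REQUIRE_PIN
    return APPROVE_NO_PIN


# Constructed requests: under the limit, over it, and the article's
# foreign-currency maximum.
SAMPLE_REQUESTS = [
    (Decimal("15.00"), "GBP"),
    (Decimal("25.00"), "GBP"),
    (Decimal("999999.99"), "USD"),
]


def compare(requests):
    """Return (amount, currency, flawed, hardened) for each request."""
    return [(amount, currency,
             flawed_decision(amount, currency),
             hardened_decision(amount, currency))
            for amount, currency in requests]
```

Only the foreign-currency row differs between the two columns, which is the case the online checks in the Visa and UK Cards Association statements are meant to catch.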
It’s only when things are moving again that the researchers even bother to have a go at this sort of thing. I take it as a good sign for a reinvigorated industry.
So should Visa.
Steve Atkins
Contactless Intelligence