Swipeout

Patricia Moore looks into the impending Eftpos Version 6 upgrade, and some of the security issues surrounding card-based electronic transactions.
It can be something of a surprise to be told ‘we don’t do Eftpos’. Since its introduction back in 1985 consumers have taken for granted the availability of electronic funds transfer at point of sale; it’s how we shop.
“People expect it, a bit like electricity and water,” says Paul Whiston, head of sales and marketing at Paymark, which, with EFTPOS New Zealand, make up New Zealand’s two processor networks. And we like the ease of those card transactions; Kiwis have the highest Eftpos usage, per capita, in the world. (In early January, Paymark, which processes 75 percent of all transactions, celebrated its nine billionth transaction in a little over 20 years of operation.) As consumers, we also enjoy the luxury of paying no fees on transactions – elsewhere in the world that’s not the case, but the banks are committed to maintaining a low-cost model, says Whiston.
But come June 1, there could be a whole lot of businesses apologising for the non-availability of electronic payment facilities – and maybe a whole lot of customers looking elsewhere to use their cards.
In line with new global security requirements, all terminals in New Zealand must be upgraded (to Version 6) by that date. This will enable EMV (chip-and-PIN) migration where magnetic stripes on credit cards are phased out in favour of small computer chips – a standard pioneered by Eurocard, MasterCard and Visa. Hence, EMV. No-one can avoid the upgrading and banks will begin disconnecting merchants with non-compliant terminals as of June 1.
While this may be news to consumers, it hasn’t exactly happened overnight. The process has been underway for some time now with the Rugby World Cup as the milestone event used to highlight the necessity for change.
“The driver is actually the international mandates around security with which we have to comply as a country,” says Whiston. “The date coincided with the RWC and, as an industry, it was decided to tie the two together.”
And they are absolutely related, says Whitson; visitors to New Zealand for the event will be using the new chip cards the banks are issuing and previous technology simply won’t work. “How good is that for New Zealand? How good is that for a retailer?”
Merchants also need to be aware that the Rugby World Cup is expected to bring with it a massive increase in card fraud. “Every large sporting event sees the host nation’s credit card fraud rate soar – the World Cup in South Africa was a perfect example,” says Simon Gamble business development director at Mako Networks.
“Since there are a large number of foreign cards in the country the banks’ fraud detection systems struggle to do their job as the baseline of ‘normal’ activity has changed so much.” For similar reasons criminals find it easier to get into the country, he warns.
“Banks, merchants and cardholders will need to be extra vigilant and employ the latest security measures to ensure New Zealand’s safe image is upheld.”
The industry has put considerable efforts into co-ordinated communications to ensure that merchants who need to upgrade their terminals are aware of the need, understand it is compulsory and know what the deadline is, says Alan Sharpe, product and marketing manager at EFTPOS New Zealand. “Merchants have also been advised that non-compliant terminals will be disconnected from the network if they don’t meet the deadline and any lenience received in the past will not be extended this time.”
(www.areyouready.co.nz has been set up to enable merchants to check whether a terminal is compliant with the latest standards.)

Slow to react

Merchants have been slow to accept the clock is ticking. By November last year Paymark figures indicated 45,000 terminals throughout the country still required upgrading. By mid-January that was down only a fraction to 40,800. Time’s running out and the danger is that there may be neither the terminals nor the manpower to actually handle the installations and upgrades.
Brendan Eager, at resellers Eftpos2Go, talks about being in a store and asking the business owner if he realised his 5.1 terminal needed replacing. “He said, ‘Yeah, I’ll get to it’. There’s a guy who will wait ‘til May. The scary thing is that back in 2008 at the last upgrade path, nothing actually happened to those who didn’t upgrade.”
So why the reluctance?
“Cost can be a factor for merchants that choose to own their own terminal, rather than lease,” says Sharpe. “These merchants may be leaving the upgrade to the last minute. This is a risky strategy with the volume of terminals still to be upgraded.” (Sharpe reports that, in fact, all EFTPOS NZ terminal customers connected to the ENZ network have been upgraded and that the majority of their customers who connect to Paymark are also compliant.)
Sharpe’s advice to merchants is to lease the technology. “Gone are the days of purchasing a terminal and expecting it to last five to ten years. In an uncertain and changeable market, characterised by rapid technological development and payment security standards, leasing protects against future changes and the associated costs.”
But, he says, merchants need to be wary of locking themselves into a 48-month contract. “While the price might be more attractive, you need to ask does it include free 24/7 after sales service and support? And will the terminal be upgraded at no cost if new standards are introduced or the current technology becomes obsolete?”
Eager says they also advise leasing and notes that while initially the trend was towards purchasing the equipment, today leasing is by far the more popular option.
“Although the South Island still tends to buy, while the North Island leases.”
Merchants are price driven and the opportunity to buy a cheap device can be tempting, says Eager. “But eighty percent of their business goes through Eftpos and until it breaks down they don’t realise how important it is.”
He says that’s when the crunch comes. “Service and support off the back of Eftpos is crucial. Our clients know we’ve got kit on the ground and a man in a van who is going to fix stuff when it breaks. Not next week, but now.” (Eager is a prime mover in the establishment of an accredited reseller programme.)

Taking security seriously

But how seriously do we take the business of card security?
“There’s an assumption among business owners that the technology will take care of it,” says Whiston. “Which makes it even more important that they get on with the upgrade.”
A recent study from the Ministry of Justice found more Kiwis are fearful of credit card fraud than burglary, says Gamble. “However, until they experience a card breach, most business owners are more focused on making their business successful than on payment card security. Most merchants and consumers are unaware of how card fraud works and how they play a key part in securing card payments and preventing fraud.
“For most people the concept of card security begins and ends with the signature or PIN. It doesn’t take into account the computer network environment or the storage of card data. What’s more, there’s little awareness of the penalties businesses face.”

Consumers are usually protected from paying for card fraud but Gamble says a business can be held responsible by the acquiring banks and card companies, potentially footing the bill for an investigation into the card fraud (in addition to any fees and penalties) if it is found they could have done more to protect against such a situation. “It’s a little known but important clause in the agreements they sign with banks, that can place the blame, and expenses, right at their feet.”
Businesses should follow the guidelines of the Payment Card Industry Data Security Standard (PCI DSS), a set of rules designed to significantly reduce card fraud globally, says Gamble. “Ultimately merchants will have no choice but to adhere to these if they wish to continue toaccept credit cards. It’s also essential businesses ensure their PIN Entry Devices (PEDs) are PCI DSS compliant and that all other connected devices are on a separate network.”
Mako, which is currently the world’s only PCI DSS certified management system, offers an automated and affordable solution which means smaller merchants can easily become, and stay, PCI DSS compliant, he says.
Not all goods and services are sold over the shop counter; more and more businesses are out and about – and customers still expect Eftpos access. Providing merchants know where terminals are at all times – don’t leave them lying around where anyone can have access, says Paymark’s Whiston – card security risks are no higher on mobile terminals.
“In addition to the security measures for dial transactions, those processed via GPRS (General Packet Radio Service) or broadband connections, which are open networks, go through Full Data Encryption (FDE), which means the data is fully encrypted when it is sent for approval,” says Alan Sharpe. “All EFTPOS New Zealand mobile and broadband terminals come standard with FDE.”
The Internet has turned the world into one vast shopping mall and Sharpe says two new online products from EFTPOS New Zealand – Customer Preferred Currency Online (CPCO) and Multi-Currency Conversion – are making it easier for both consumers and merchants to enjoy the experience. “With CPCO customers advantages include paying in a currency they know and trust, plus certainty of transaction value. Multi-Currency Conversion allows merchants to set prices in a familiar currency to their overseas customers but receive payment in New Zealand dollars.”
However, security when a card isn’t present is a growing problem and improving it a slow process, says Mako’s Gamble. Dual factor authentication is one method being considered as card schemes and banks address ways to increase online security. “But it’s certain that online fraud in 2011 will be greater than in 2010.”
The current upgrade enabling migration to chip-and-PIN is a significant development, but it’s just one of the changes happening in the payment card industry. Traditionally card terminals have connected to banks over the telephone network but Simon Gamble says more businesses are shifting to high-speed IP computer networks.
“These process transactions faster and are cheaper to run. With IP connectivity merchants can have more than one card terminal without needing multiple phone lines. This results in shorter queues for consumers and more business for merchants.”

Tap and pay

Contactless payment solutions are also becoming more widespread. Just tap a card on a pad and the payment goes through without swiping or PIN entry. These are ideally suited to businesses operating in the hospitality and events sectors where speed of payment is essential, says Alan Sharpe.
“EFTPOS New Zealand is rolling out contactless payments to bars and restaurants in and around three major stadiums this year.”
Paul Whiston says opportunities around mobile devices will also be developed; “Smart phones, tablets and the like. But there are a lot of players out there – phone networks and manufacturers, the banks, card processors. We all need to be in synch.”
Patricia Moore is an Auckland-based freelance writer. Email [email protected]