TRANSACTION ACCEPTED: MITIGATING E-PAYMENT RISKS
Some people still feel discomforted at the thought of money as data, able to be exchanged between payer and payee as just a bunch of bits and bytes. This discomfort is heightened for those raised in an era where cash and cheques were the standard methods of payment and websites and EFTPOS merely unknown technologies on a distant horizon. However, electronic transactions are now the preference of large businesses, banks, merchants and retailers, as well as a large chunk of the younger generation and gradually, the country’s small businesses. (According to Statistics NZ, the value of the total Electronic Card Transaction (ECT) series increased 0.8 percent in September 2008 compared with August 2008. There were 84 million electronic transactions in total for September at a value of $4.5 billion.) The reason for the popularity of e-payments is simple: electronic transactions are guaranteed (if payment processing between the payee and the payer’s bank is online and in ‘real time’) and funds paid by electronic payment are instantly available; there’s no need to wait for the cheque clearance process. Other benefits include less cash on premises and a reduced risk of robbery, less administration time including fewer trips to the bank, and improved cashflow. However, what drives even the most reticent business to adopt electronic payments systems and technologies is customer demand. “Most businesses will sell more if they provide what customers want and our feedback is that customers want to pay electronically. If you look at the decline of cheques, [it shows] the consumer is ready to get rid of cheques and from a small business perspective it’s easier to receive money electronically,” says Peter Muggleston, group manager ASB online for the ASB Bank. Banks are certainly champions of electronic payments, whether through EFTPOS, websites, online banking, direct debits or ‘fast cheques’. 
Other options include international payments to overseas suppliers, same-day cleared payments, automatic or recurring payments, and batch payments including those connected to payroll. As anyone experienced with online banking knows, many of these options are open to consumers as well as business account holders, and the associated fees are often lower than cheque processing fees. Unfortunately, Muggleston says small businesses often miss electronic payment opportunities, by forgetting to enter bank account details on an invoice or by not providing incentives such as a small discount for customers who pay electronically rather than by cheque. “The business often doesn’t make it that easy for the customer. You need information on invoices about bank account details and what reference fields to fill in so the business can identify where the payment came from,” he says. Accountants are also keen on small businesses increasing the proportion of electronic payments they receive – few accountants like the ‘cheque-stubs and shoe-box’ approach to small business accounting, preferring to spend their time developing smarter accounting practices and better financial strategies for the business. According to several accountants, electronic payment information held by the business and its bank is easily imported into a software accounting system. It is also relatively easy for a bank to provide any historical electronic payment details at the request of the account owner.
Risks and errors
Of course, online payments between bank accounts sometimes go wrong. The most troublesome problem is a payment made to the wrong bank account through the incorrect entry of an account number. This requires the bank that received the payment to ask for its return from the owner of the account it was wrongly paid into. This is generally possible, although a refund can take several days.
More common is accidental payment into a non-existent account number, an error that bank computer systems are getting better at catching. Most online banking sites will advise the customer that the payment cannot be processed because the numbers don’t match. If it is processed, the payment is held in a ‘suspense account’ by the bank so that it can be sorted out within a shorter time frame. “We have standards that tell us if the bank number matches the branch number. We assume all banks can do that,” says Derek Redman, chief manager of payments for the ASB Bank. Redman says there is a “great deal of co-operation” between the banks when it comes to sorting out electronic payment errors, and the number of errors in proportion to the number of electronic payments is very low – for the ASB, it is less than one percent of all payment transactions between accounts. “It’s a handful of errors a day, a very tiny number. You have to weigh this up against the disadvantages of cheques. Electronic payments are so much more convenient and faster, and direct credits going into a bank account tend to be free, as opposed to the costs associated with cheques,” says Redman. He says small businesses can reduce electronic payment errors by ensuring bank account details are printed correctly and in a large font on an invoice, and that the required reference fields or codes for payment identification are included.
Web payment woes and wows
So what about payments processed through a website? Although there are online debit services available for website payments (PayPal is one example), most e-commerce payments occur as credit card payments, and this is arguably the area of the electronic payment world that carries the most risk.
Bryan Stibbard, vice president of sales for security specialists Astaro Asia Pacific, says the largest threat facing the payment card industry is credit card fraud, particularly for Internet-based transactions and those made via telephone and mail where the card does not have to be physically present. “It is the responsibility of card handlers to deal with these risks by implementing appropriate safeguards [which include] hardware, software and administrative components,” says Stibbard. He says technology components tend to be either ‘point products’ like separate firewalls, anti-virus software and denial of service devices, or multi-purpose “Unified Threat Management” (UTM) products that deliver a range of safeguards in a single system. Stibbard says deploying UTM solutions at the Internet ‘gateway’ minimises the risk of site hacking and intrusion and encrypts payment traffic. User activity can also be tracked and monitored, and alerts triggered if security policies are breached. “A [company] should consider the best way to keep the system simple, use as few key components as possible, while making key components as robust and effective as possible,” says Stibbard. The good news for small businesses is that the application of hardware and software components for the security of live credit card processing is usually sorted out by the business’s bank and a website host. While few small businesses host their own websites, those that do are responsible for the security of the credit card payments processed through them. Mark Pullen, RSA country manager for Australia and New Zealand, says most small businesses use an ISP or web host able to run secure e-payments. “These providers deliver an e-commerce system that taps into a known secure gateway. However, it’s important to always check the reputation of the provider,” says Pullen.
He says websites taking credit card payments need to offer the customer an SSL certificate and comply with the Payment Card Industry Data Security Standard (PCI DSS); a web host provider is normally the one to set this up in conjunction with the business’s bank. Pullen says one of the few places a small business can come unstuck is processing credit card payments offline, sometimes via an EFTPOS terminal, and then not storing transaction details securely. “If you store this information offline either physically or in a database somewhere then you open yourself up to quite a bit of risk. The answer is to not store it, or to encrypt it. Merchants who have credit card details stolen from them need to be aware the fines are heavy,” says Pullen. Ian McKindley, country risk director for Visa, agrees that Visa merchants must take care to protect cardholder data from internal or external ‘compromises’ and not store data that is not required. “Visa’s Account Information Security (AIS) is a mandated programme that helps merchants to comply with the PCI DSS, a set of global requirements for the safe storage of cardholder information. Visa encourages merchants to contact their merchant services provider for more details on these programmes,” says McKindley. He says that overall, card fraud remains low. Data collected by the Australian Payments Clearing Association (APCA) shows that the rate of fraud on Australian-issued debit, credit and charge cards in 2007 was around three cents in every $100. However, Card-Not-Present fraud has increased. “Consumers in Australia are protected from fraud by Visa’s Zero Liability policy – however, e-commerce merchants of all types and sizes can be vulnerable. Fraudulent transactions can lead to lost revenue and may mean extra processing time and costs,” says McKindley.
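Pullen’s and McKindley’s advice (keep nothing you do not need, and never the full card number or security code in the clear) can be expressed as a small intake routine. The following Python is an added example, not code from the article or from any bank or provider it names; the record layout is an assumption, and the card number used in testing is the well-known Visa test number 4111111111111111.

```python
import re
from typing import List
from dataclasses import dataclass

# Constructed record layout (an assumption): only the truncated card number and expiry
# are kept. PCI DSS allows at most the first six and last four digits of the PAN to be
# shown, and forbids storing the card security code (CVV2) at all once the sale is
# authorised, so this record deliberately has no field for it.
@dataclass(frozen=True)
class StoredCard:
    masked_pan: str   # e.g. "411111******1111"
    expiry: str       # "MM/YY"

def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: catches mistyped card numbers before they are submitted."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def prepare_for_storage(pan: str, expiry: str, cvv2: str) -> StoredCard:
    """Validate what the gateway needs, then return only what may be kept on file."""
    pan = re.sub(r"[ -]", "", pan)
    if not luhn_valid(pan):
        raise ValueError("card number fails Luhn check")
    if not re.fullmatch(r"\d{3,4}", cvv2):
        raise ValueError("security code must be three or four digits")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", expiry):
        raise ValueError("expiry must be MM/YY")
    # cvv2 is needed for the authorisation request only and is never copied into the record.
    return StoredCard(masked_pan=mask_pan(pan), expiry=expiry)

# Runs of 13-19 digits, optionally separated by spaces or hyphens, not embedded in longer runs.
_PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text: str) -> List[str]:
    """Scan a file, log or database export for full card numbers that should not be there."""
    runs = (re.sub(r"[ -]", "", m.group()) for m in _PAN_RUN.finditer(text))
    return [digits for digits in runs if luhn_valid(digits)]
```

The scanner is the check a merchant would run over old order exports or EFTPOS logs to confirm that nothing full-length is still sitting on disk; a masked number never matches because the digit runs are too short.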
He says important precautions include ensuring online card payments require the input of the last three digits printed on the card’s signature panel or in the white box to the right of the panel. This unique code, known as CVV2, helps merchants verify that the customer has a legitimate Visa card in hand at the time of the order. McKindley says CVV2 is easy to set up and potentially reduces fraud-related chargeback volume. He says cardholders can also choose to add a ‘Verified by Visa’ password to their card when shopping online. Cardholders sign up for Verified by Visa through their bank and choose their own password. Software installed on the merchant server then recognises the Visa card during the e-payment process and prompts for the password. Electronic payment specialists spoken to for this feature were unanimous in saying website payments should be handled by a security-certified web host in conjunction with the relevant bank. (As an example, credit card transactions for the Companies Office are processed by payment solution provider Direct Payment Solutions.) As to cost, banks charge a small monthly fee for the support of a credit card processing facility, and credit card companies take between 1.7 and 2.4 percent of each transaction. Each bank has its own requirements for businesses that want to process credit card transactions.
Age of EFTPOS
The risks associated with EFTPOS payments are so small they are considered negligible, and this also applies to mobile (wireless) EFTPOS transactions. This is because encryption occurs at many levels through the EFTPOS process, including within the terminal itself (see the diagram on page 56).
However, Rob Fisher, manager of EFTPOS Specialists, says this peace of mind depends on using a terminal that runs the latest security software – terminals with a Paymark logo (a symbol of a padlock surrounded by a white circle) are usually fine, but if in doubt, check with the terminal supplier that the terminal is running ETSL version 5.1, 5.2 or 6.0 software (EMV 5.1 3DES is its official name). EFTPOS terminals also need to be compliant with Visa and Mastercard PCI data security standards. If not, a merchant can end up wearing the bill for a fraudulent credit card transaction. Simon Bowstead, operations manager for EFTPOS network company ETSL (Paymark is an ETSL tradename), says ETSL has international compliance with PCI credit card processing standards. With 100,000 terminals on its network in New Zealand, ETSL is owned by the four Australian banks (BNZ, ANZ, ASB and Westpac) and recently processed this country’s seven-billionth EFTPOS transaction. Bowstead says ETSL is presently in the midst of a network technology change which will not affect the security of EFTPOS payments, but may slightly increase the number of times a payment stops being processed. “There might be a few teething problems, which is the same with any new technology. But all transactions will be running across the new network by March next year. We also have a ‘black out’ period where we don’t make changes to the system over the heavy Christmas and New Year retail season,” says Bowstead. He says the mantra at Paymark is ‘Safe, Secure, Reliable’ and this is taken seriously. “If our customers, the general public and shop owners of New Zealand, thought the EFTPOS system wasn’t safe then we wouldn’t be in business.” ETSL charges a small fee per transaction and an administration fee of $11.50 per month per merchant, regardless of the number of terminals used. This fee includes access to the ETSL helpdesk. Fisher says those leasing or buying terminals should also nail down a good service rate.
“Every supplier has a help line but you can only phone-diagnose terminal problems to a certain level,” says Fisher. He says businesses can run a phone, fax and EFTPOS terminal across the same analogue line, but EFTPOS runs just as well – and often better – across a broadband Internet connection. Stefan Lecchi, general manager of marketing for terminal supplier Provenco/Cadmus, says it’s important to check whether or not a terminal on a broadband connection can be transferred back to an analogue phone line in the event the broadband connection is lost. “The terminal may first need to be reprogrammed and require a service call,” says Lecchi. He says the immediate focus for Provenco/Cadmus is to provide a range of broadband-capable payment system solutions. “We also offer value-add applications – examples are tip options for restaurants, or two merchant numbers for one terminal for different businesses that want to use the same terminal.” He says the future of EFTPOS includes contactless solutions in which customers pass a credit card over a merchant reader and the purchase is deducted from the credit card without the need for PIN entry or a signature. (This is somewhat similar to the one-swipe solution already in place in car park payment machines.)
Payment on the run
Mobile EFTPOS terminals are beneficial for mobile businesses that have experienced problems in the past with cheques, or that are facing customer demand for electronic payments. However, mobile EFTPOS transactions, while secure, can be slow to process and are notorious for terminating unexpectedly. This is sometimes due to fluctuations in the network service and sometimes due to the sensitivity of the terminal.
Fisher says there are pros and cons to the use of mobile EFTPOS transactions via either Telecom’s or Vodafone’s service (he says Telecom’s network is more reliable, but Vodafone has superior customer service), but the hassles of using either are outweighed by the fact that customers want to pay electronically. Mobile EFTPOS costs are fairly stable – up to $15 per month is the standard fee through a mobile provider, which may or may not include all transactions made within that period. If not, transactions cost around 10 cents each. In a testimonial on EFTPOS Specialists’ website, the Tauranga branch of Weight Watchers says its sales grew to twice the national average following the introduction of a mobile EFTPOS terminal at meetings. National manager Colleen Stairmand says that before mobile EFTPOS, customers would bring $20 to cover meeting fees, and then find they didn’t have enough cash to pay for other products. “They would have to walk down the road to an ATM machine to get cash out which was often too much hassle. Now they can simply use their EFTPOS card. Mobile EFTPOS suits businesses like ours or those who regularly attend events and need to provide a familiar form of payment. “You can also hire the equipment for short periods of time.”
Vikki Bland is an Auckland-based freelance writer.