Data breaches open doors for new payments infrastructures
One California-based company says regional networks that rely on 'push' versus 'pull' payments will be the platforms of the future.
March 22, 2009 by Tracy Kitten — Editor, AMC
Card-skimming, database compromises, cyber hacks and attacks — all are impacting the electronic-payments space. Most notable among the ranks of recent database breaches are the card compromises that occurred after databases at Heartland Payment Systems Inc. and RBS WorldPay Inc. were hacked.
Last week, Visa Inc. removed both merchant acquirers from its list of PCI-compliant processors. And Heartland Payment Systems stated last week in its annual report that its data breach is now under investigation by the U.S. Department of Justice, the Securities and Exchange Commission, the Federal Trade Commission and the Office of the Comptroller of the Currency. Heartland also has been named in several class action suits filed by consumers and card-issuing financial institutions.
So far, hundreds of cards have been re-issued because of the Heartland breach. And the RBS breach, which came to light in December, ultimately led to a $9 million ATM scam that spanned the globe.
Both compromises occurred despite Payment Card Industry Data Security Standard certification, and both have come in the wake of the 2005 CardSystems data breach, which spurred the card networks to enforce stricter PCI mandates.
But the security gaps, some industry experts say, are likely to push consumers to alternative payments methods.
Bruce Cundiff, director of payments research and consulting for Javelin Strategy & Research, says consumers are more aware of card compromises and security concerns than ever before. That knowledge is shifting the payments mentality.
Consumers take the payments reins
"In the last five to seven years, we've seen more involvement from the consumer to proactively protect themselves, and more are involving themselves as soon as possible in fraud-prevention efforts," he said. "And I really see more retailers looking at how they can really protect cardholder data."
Cundiff says the Heartland and RBS breaches reflect growing knowledge on the part of fraudsters, who now realize how easy it is to go directly to a database rather than work through the time-consuming process of compromising cards individually.
"Look at the TJX breach as an example," he said. "They stole those numbers from retailers and now they are going upstream and stealing from the processor. That's where the money is and the fraudsters are moving up to where they can access the most information."
Some inherent flaws in the payments infrastructure are likely to blame, Cundiff says, but as fraud remains relatively low in the United States, the impetus to change has not yet reached a tipping point.
A push for new payments infrastructures
Wences Casares is a founder of Palo Alto, Calif.-based Bling Nation, a local payments network that enables FIs to convert debit transactions to on-us transactions. The Bling Nation platform allows consumers to secure contactless payments at the point of sale, relying on Bling Nation's proprietary technology for "push," rather than the traditional "pull," payments.
"At the core is how those breaches (Heartland Payments and RBS WorldPay) are possible," Casares said. "They are using pull payments, which means you have a lot of players involved in the transaction. A lot of critical information about the consumer and the consumer account is pulled that is not really necessary. And anyone who is involved in the transaction has access to that information — meaning it has more places to be exposed and more chances to be tapped into."
A push payment uses the Automated Clearing House to proactively authorize a debit from an account. So the consumer actually "pushes" the payment out to a biller.
"The key difference is in who is grabbing or handling the money," Casares said. "In a pull payment, like any kind of credit card payment, the consumer must give all of his account information to the merchant. The merchant then goes and pulls those funds from the consumer's bank account. The problem is that the consumer is trusting all of that information with the merchant. And if the merchant is hacked, then the consumer's information could be compromised. It's really an architecture problem."
So Bling Nation is proposing more regional networks that directly connect banks and credit unions with retailers, bypassing the networks altogether.
"In both breaches, you had hackers or thieves monitoring different parts of the transaction," Casares said. "Encrypting helps, but you still need to remove all of the relevant information. And doing that would be hard for the networks, because it would require an entire redesign. In order to make a push network work, you really need to start from scratch."
Taking a regional approach, Bling Nation is focusing on community FIs, where about 80 percent of their customers' and members' transactions occur within close proximity of the FIs' branches. And because a majority of those close-proximity purchases are low-dollar transactions, retailers are anxious to bypass the interchange fees they have to pay the networks.
And rather than having the local FIs issue separate cards for the regional/community network, Bling Nation is relying on mobile payments.
"Any technology could be used, but we are only providing the push payment through the mobile phone," Casares said. "We think it's very safe, and with the phone we can text the consumer a confirmation and then have the consumer enter a PIN right on their phone, bypassing the keypad all together."
Cundiff says Bling Nation's proposition shows promise on the community level, but it will be a long time before push payments become mainstream.
"NACHA itself, with secure vault payments, is working on a push-payment platform," Cundiff said. "But while most of this is happening in the online world, it's not necessarily taking root in the physical world, because we have such a large infrastructure. The rails that the transaction goes over are based on the EFT networks, such as STAR, PULSE, Visa, MasterCard. Currently, a lot is dictated by the network."
Consumer behavior is another concern, Cundiff says, since consumers are so accustomed to using and carrying cards. Movement in the mobile-payments space may help the evolution, but it will take time.