Home Depot won't get fooled again. Two years removed from a massive data breach that compromised more than 50 million customer credit and debit cards, the home improvement retailer is going on the offensive to bolster security both in stores and on the web, filing a federal lawsuit alleging that credit card giants Visa and MasterCard are putting U.S. merchants at risk of cyberattack by employing security measures vulnerable to fraud.
The Home Depot suit contends that Visa and MasterCard payment cards issued to U.S. consumers integrating EMV chip technology remain less secure than cards used in Europe and other regions because American payment processors still rely on customers' handwritten signatures for verification, rather than more secure Personal Identification Numbers, or PINs. The absence of PIN requirements could lead to even greater fraud as shopper activity shifts online, where no physical card is presented, Home Depot says.
The threat posed to online retailers operating in the post-EMV world is very real, agrees Ned Canning, e-commerce product manager at payment processing and technology provider Vantiv, which in 2015 processed 23 billion transactions totaling $842 billion in volume across more than 800,000 merchant locations. Vantiv offers a range of fraud prevention and customer payment information security solutions for offline and online retailers alike.
I met with Canning at the recent Internet Retailer Conference + Exposition to discuss the evolving digital payments segment, the security challenges it faces and possible solutions to the problem, including Apple Pay, whose subsequent expansion from mobile applications to the desktop and mobile web necessitated a follow-up phone interview. Our conversation has been edited for clarity and length.
RETAIL DIVE: We’re about nine months into the EMV transition. What trends are you seeing?
CANNING: It’s very easy for an online retailer to say, “Chips and cards don’t apply to online.” But if you peel away all the different changes it makes to the payments landscape, just by pure touchpoints, it’s a humongous change for the U.S. payments industry to undergo. Every payment terminal and every card transaction is slightly changing. It’s a necessary change, and there are a lot of effects—not necessarily direct, but also indirect effects—that are going to start to shake out.
If you peel it all away, [EMV is] an integrated circuit chip in a plastic card. It allows a terminal to say, “This did come from an issuing bank. It wasn’t created by someone else.” A [magnetic]-stripe card is basically a static piece of data put onto the mag-stripe on the back of that card. Once the issuer creates it and puts it out there, that’s what’s being used as authentication. Anyone who can extract that data or can even get that data from another source—like a data breach like you’ll see at some big retailers—can encode that data onto a new piece of plastic. Provided the issuing bank doesn’t know that a new card has been created, that card can then be used, because the terminal is reading that static identification criteria and saying, “This is a valid card.” The chip adds a dynamic signature. There’s an additional code that’s generated every time a transaction is run, so the issuing bank can say definitively, “This is something we created, and no, it hasn’t been copied to a new piece of plastic.”
It’s a very effective tool to fight fraud, but you’re focusing on one very specific type of fraud, which is counterfeit cards, and only within a card-present reading. An online retailer doesn’t get to authenticate that chip—there’s no kind of handshake that goes on there. So from that perspective, [EMV] doesn’t do anything to help counterfeit fraud online.
If fraudsters see one avenue of revenue is closed down—that they can’t create a counterfeit card and use that—they’re gonna go somewhere else. There are “dark web” areas where you can buy files of credit cards. Once you have that file, you can still put it on a new mag-stripe card and use it in a retail environment, but as EMV clamps down on that, you have to find somewhere else to use those. It pushes fraudsters into the card-not-present space. These changes have a direct effect on e-commerce retailers, and push a problem they didn’t necessarily have before onto their doorstep.
We shield [merchants] as fraud moves over to the card-not-present space. We’re making sure you’re not letting a lot of bad transactions come in your front door, and also making sure you’re not turning away good transactions because you don’t have the insight and the data points. At the same time, we’re helping you protect the back door of your company so no one can come in, take your customers’ data and throw it out there for use in fraudulent transactions. Because if you’re a customer-focused merchant, that’s one of the worst things that could possibly happen. When [consumers are] transacting, security is one of the biggest things they think about. Every time you get a marquee breach of a trusted legacy retailer, it’s really damaging to the brand.
RETAIL DIVE: I’ve seen research indicating that something like 60% of small businesses—whether they’re retailers or in another vertical—who suffer a data breach go out of business in six months, not only because of the resulting customer churn but also because of the costs associated with a breach.
CANNING: Exactly. That’s a good point. When you have these breaches at large retailers, you could argue they’ve got runway to weather the storm. They’ve got an established brand, an established user base and solid cash flows that allow them to sustain, repair customer trust and maybe recover. But if you’re a smaller e-com merchant bootstrapping yourself in the earlier stages of growth, something like that could shut the lights off very quickly.
RETAIL DIVE: Shifting gears away from security, so many retailers here at the IRCE show say they’re struggling to address the shift to mobile—conversions aren’t happening, and a lot of that seems to be that the purchase experience on mobile is incredibly difficult from a user standpoint. What can be done to simplify checkouts and payment processing away from the desktop, and what role is Vantiv playing here?
CANNING: It’s an exciting area. You have Apple Pay and Android Pay jumping out with really innovative solutions. I’m an avid user of Apple Pay. It’s essentially eliminated the traditional credit card payment process from a card-not-present transaction. It’s a thumbprint now. I turn on the phone, I provision my card to the phone—I scan it into my Apple Pay wallet—and from then on, when I’m shopping with a merchant that uses Apple Pay, I don’t have to think about taking my card out or punching in 16 digits on a tiny screen.
One of the big realities of mobile is the real estate. You don’t have a full keyboard. You have a tiny screen to display products and reviews. There’s very little real estate for a traditional entry of credit card data. Now I press my thumbprint, and all of that stuff is auto-populated into the merchant’s checkout flow in a tokenized manner. It’s layering in security with convenience. Now I’m not even thinking about friction. When you see the Apple Pay logo, you just go for it. It’s one of the biggest innovations I’ve seen in the retail space in a long time.
But beyond security and convenience, there was always the prospect of ubiquity—the third side of the triangle—that was missing from Apple Pay. Because not a lot of retailers have a fully-developed mobile strategy that a native application can fit into—it’s a huge amount of development, it’s a huge amount of strategic investment into customer acquisition. So I could only use Apple Pay in a very specific method of interaction with my favorite merchants.
Now that you have [Apple Pay] open to the browser, you’ve given somewhat ubiquitous access to a lot of different merchants that don’t necessarily need to jump over those high barriers to entry. You now have the ability to incorporate that security and convenience into your website, and you can start looking at Apple Pay as a ubiquitous solution that you can use anywhere, if you’re in a native app or you’re surfing via your browser on your phone or your browser on your MacBook. You can also configure Safari on a non-Mac device. You’re bringing into reality the security, the convenience and the ubiquity of Apple Pay that makes it a really interesting trendsetter in the payments space.
RETAIL DIVE: When I hear something to the effect that, say, Kohl’s is the first major retailer to incorporate their loyalty program into Apple Pay, I’m somewhat shocked that no one’s done that before. It seems like something that should have been introduced long ago. Shouldn’t the evolutionary process be further along than it is?
CANNING: I feel like we’re still pretty early in the growth stage. It’s only been a year and change since Apple Pay was introduced. Granted, that’s centuries in the technology world. It’s going to take some time for the retail strategy to settle around one particular way of interacting with customers, like an iOS app, for instance. There’s a lot of different touchpoints to consider. Mobile is going to Kohl’s.com in your Safari browser, but it could also be downloading a Kohl’s app, and going in through there. There’s a lot of different options, and as retailers start to feel out which options work best for them, it’s gonna resonate, because other retailers can say, “I have a similar strategy that might fit with that, too.”
As any retailer will tell you, checkout is only one part of the conversion process. You’ve got a lot of steps. Fully-integrated retail mobile apps are still trying to find their way in some cases. As [retailers] figure out how to make things work and how to optimize their customer touchpoints, we can step in on that payment step and say, “We’ll make it as easy as possible.”
I don’t work too much in the loyalty space, but there’s a lot of different players there, so figuring out how to integrate those systems you may have had in place for a long time with your new mobile strategy and making sure you can normalize a lot of these exchanges and present them to the consumer in a way that keeps their experience in focus is definitely difficult. From a technology standpoint, you’ve got all these different systems that need to seamlessly and very quickly and scalably interact with each other, but also make the customer experience seem the same across all the different places. It’s very difficult.
RETAIL DIVE: I’m just impatient.
CANNING: Aren’t we all, though? In almost every [IRCE] session so far, we’ve heard something along the lines of, “The consumer’s deal is getting even better every day.” The consumer is getting more and more assumptive of you being able to give them what they want. The consumer wants to buy on-demand. It’s getting tougher and tougher to satisfy an ever-needy customer. But I want it, too, and as a customer, I’m hoping it gets even easier as soon as possible.
From an omnichannel standpoint, you’ve got point-of-sale systems that have been around for a long time—e-commerce systems less, mobile even less. So you’ve got these different systems from a merchant technology standpoint that are all at very different stages of their lives or upgrade cycles or re-platforming cycles, and figuring out how to realign those is very difficult. Figuring out how to align those in a way that keeps the customer in focus the whole time, and makes their experience the same as much as possible across all those channels, is exceedingly difficult. Especially when the customer wants it tomorrow. But everybody’s working on it, and we’re gonna get there.