Payments Compliance Resources

Upcoming regulations and compliance: a primer from PAYMENTSfn 2019

At PAYMENTSfn, 3DS2 was a big focus of our security, fraud, and compliance panel discussion. In this video, we recap the talk and take a look at some upcoming regulations.

Written by
Jordan Chavis
Publication Date
May 27, 2019

At PAYMENTSfn 2019, there was an impactful panel discussion centered around merchant compliance with upcoming regulations, fraud prevention, and security. Covering topics like 3DS2, fraud, and GDPR, this particular panel was packed full of insight for people in the payments industry.

Update: See all the posts in this series with our regulations and compliance guide here.

Security, Fraud, and Compliance Panel at PAYMENTSfn

Some key moments from the panel are highlighted below, with a full transcript at the bottom. PAYMENTSfn is an annual conference centered around topics that impact the payments industry. It's also likely coming to a city near you in the next few months - you can sign up here for updates on where it's heading next.

Panelists on stage in this video are (L to R):

  • Bart de Water
  • Kevin
  • Lee Gilley
  • Sonny Werghis
  • Kim Booth
  • Brian Hendrix (Moderator)

PSD2, SCA, and 3DS2 At A High Level

As we've explored in previous posts, PSD2 is coming this year - and along with it comes 3DS2 under SCA. Kevin Crockett, from Cardinal Commerce, does a great job of breaking down what all of these different regulations mean, and gives a nice brief explainer of 3DS2.

Brian Hendrix:   Yeah, and right next to you we have Kevin from Cardinal Commerce. You know, I read an interesting stat this morning that Mastercard's talking about that even within the EU it's only around 30% of the merchants, as they take a look through the entire stack, the larger merchants obviously being a lot more ready, but a lot of the smaller merchants across the EU not being prepared and not actually being very aware of the differences in the acronym soup that's there.

Kevin Crockett:     Sure. Yeah, so there's really two key things that are happening kind of simultaneously in the market right now. So obviously everyone's getting ready for PSD2 and the need to adhere to SCA regulations and authenticating your customers during online CNP transactions, so that's kind of one element. 3D Secure is going to be the primary mechanism driving those authentications, and there's also this shift going on currently from a protocol standpoint on what 3D Secure really is.

Kevin Crockett:     So for those of you who aren't familiar with 3DS, it's Three Domain Secure. Basically it's a set of processes that occur prior to authorization where a merchant and a cardholder can exchange information about... I'm sorry, a merchant and a card issuer can exchange information prior to authorization to essentially validate the identity of that cardholder and that consumer during an online payment transaction. So with the impending regulations coming in Europe, 3D Secure is going to be the mechanism to really be running those authentication processes.

Kevin Crockett:     So from a protocol standpoint we've long been on what we call the 1.0 version of the 3D Secure protocol which has been around since 1999, and we are currently migrating over to the 3D Secure 2.0 or EMV version of the 3D Secure protocol, which really focuses on expanding the amount of data that's shared between the merchant and the card issuer during the transaction, but also being able to more seamlessly authenticate users across multiple devices, so not just focused on browser transactions, but native mobile applications, IoT devices, TVs, phones, Rokus, things of that nature, so both of those things kind of happening in tandem have kept us pretty busy over the past couple months.

Brian Hendrix:      Yeah absolutely, it sounds like it has, it's kept I think a lot of us busy here. So that's very much, and very much has been with GDPR, with PSD2 and the ensuing regulations that have come from that, there's been a huge Europe focus. Really whether it's Lee or anybody that wants to pick it up particularly, taking a look at that and looking at... Obviously we're in the US and we have US-based merchants here, how are these changing standards affecting us, affecting payment teams, and what kind of things should be on everybody's mind that's here, or should they be taking home for their businesses to have in mind as these standards pervade the globe?

Kevin Crockett:     Sure. I was just going to comment that 3D Secure, yes, it's going to be a mechanism to meet the needs for SCA compliance in Europe, but it's a global protocol that's currently being used across our merchant base, across all the various countries and geographic locations in the world, so if you're a US-based merchant or you have presence in other countries, 3D Secure is still very much a tool that you can have in your overall fraud strategy. We recommend a layered approach to fraud and 3D Secure is one element that you can incorporate into your overall fraud strategy, and really a lot of the improvements and enhancements that are coming in the EMV or 2.0 version of the protocol really benefits both merchants and card issuers alike. There's more data, there is better decision.

Using teamwork in your company to deal with Fraud

Bart de Water and Kimberly Booth explain how to use other groups at your company to combat fraud, as well as ways to educate others in your company on how well you're doing at fraud prevention.

Brian Hendrix: Yeah, that's a fantastic set of points. One of the comments yesterday on the innovation panel that really struck me was, I believe it was Adam mentioning that he had implemented a couple different tools, and the tool that was pleasing was the one that met expectations. In your experience when we're talking about these tools and different options for mitigating fraud, does a business really go about setting reasonable expectations that can be met?

Kimberly Booth: So, I think it goes back to always tuning your program. So with a machine learning model, depending on your transaction volume you might want to tune it monthly or quarterly, and always reassess your expectations from there. I think getting in the room with a lot of other players in your organization, like product, supply chain, finance, and just deciding what are we willing to accept, how much are we willing to lose, how much are we willing to potentially turn away in a false positive, is important. As long as everybody's on the same page and there's no surprises, I think that is really the biggest thing that you should try to do.

Bart de Water: And of course fraud keeps evolving, so you've got to stay on your toes and make sure that the whack-a-mole game, you keep playing it.

Kimberly Booth: Yeah, and you could get to a point where you've done so well that your fraud is so low, you want to also continue the education of what you're doing. Once your fraud numbers get low, people might wonder why you're... What you're doing. "We don't have any fraud anymore." So doing Lunch and Learns, just trying to explain to people what you do, maybe even giving like a monthly dashboard. "Hey, we blocked all this fraud from this certain fraud ring, it's confirmed fraud." All that goes a long way.

Getting ahead of storing sensitive data

Kevin talks about best practices to select providers for storing sensitive data, especially as it concerns PSD2. Sonny Werghis discusses data governance, and taking inventory of your data and how your company is managing it.

Bart de Water also gives a great example of how they handle data governance at Shopify, and Lee Gilley gives a good example of how many different types of data governance laws there are in the US.

Brian Hendrix:  So coming back to that sensitive data topic, as we look at this, whether it's starting out or... Maybe not starting out, earlier than that, but certainly with PCI, we moved from PCI into now privacy information with GDPR, we're moving into PSD2, PSD1, PSD2, and we're talking a lot about different types of sensitive information. In any of your experiences, how can we really start thinking about this holistically? Is there any way at this point for anyone in our area and payments area to get out ahead of this in any functional way and start thinking about sensitive data holistically, the storage, the concept of how I can have this, how I can redact it? You know, anything from a systems to a business process perspective?

Kevin Crockett: Yeah, I think one key thing would just be understanding how all the various providers that you're working with are handling these types of situations. We talked about 3D secure and the EMV rails and all of this enhanced data that can be exchanged. It's important to understand when you're selecting a provider for those services, what are their data retention policies? If they're running JavaScript, what are they collecting that's maybe outside of the protocols, or they may be using for their own analyses and whatnot, so it's important to understand kind of how the various providers are handling your data on your behalf, and that you're in tune with how it's benefiting you.

Sonny Werghis: I also want to add that I think about 10 years ago data governance was a hot topic across multiple industries, and it kind of slowly started to die off, you don't hear as much conversation about it, discussion about it, but I think some of the best practices that came out of that whole mindset of data governance, data lineage, data provenance, things along those lines, data profiling, regardless of your size I think you need to start thinking about how am I going to tackle this, right?

Sonny Werghis:  Some degree of data, regardless how big you are, is going to be managed internally in addition to what you mentioned about data that your providers hold on your behalf, but I think starting to take a survey of what is it that I have and own and how am I managing it, even if it's not a formal governance mechanism with a lot of investment and resources committed to it, I think just getting... Starting to get a better inventory of what you have I think is going to be absolutely critical.

Bart de Water:  And then from there on if I look at how it happened internally at Shopify, we have a whole bunch of tooling around that to make sure that whatever we build, that deletion and protection and data scrubbing is built at the core. If I open a pull request on the main Shopify application adding a new table in a migration, a bot will detect that, automatically open an issue in our privacy repo for somebody from the Data Privacy Team to review, being like, "Okay, what kind of data is going in here, and what if when that data is extracted to the data warehouse that it, like, these sensitive columns get scrubbed?" All that stuff, so it just, you know, it makes it very easy that no matter where during the development lifecycle, it is not like an optional box that might be forgotten or swept under the rug if it's slightly inconvenient, it is like core to our engineering process that we get this right every time we build something new.
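Bart's description of a bot that notices a new table in a migration and opens a review issue for the privacy team is a concrete pattern worth seeing in code. The following is an added example written for this post, not Shopify's tooling: it scans the added lines of a pull-request diff for `create_table` and `add_column` calls, flags column names that look like personal data, and builds the issue a privacy reviewer would receive, including the retention and warehouse-scrubbing questions Bart mentions. The sample diff, the sensitive-name patterns, the `parse_migration_diff`/`build_privacy_issue` helpers and the issue format are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a Rails-style migration as it might appear in a pull-request diff.
# This is made-up input for the example, not a real project migration.
SAMPLE_DIFF = """\
+++ b/db/migrate/20190527120000_create_gift_recipients.rb
+class CreateGiftRecipients < ActiveRecord::Migration[5.2]
+  def change
+    create_table :gift_recipients do |t|
+      t.string :full_name
+      t.string :email_address
+      t.string :phone
+      t.date :date_of_birth
+      t.integer :order_id
+      t.timestamps
+    end
+    add_column :orders, :shipping_address, :text
+  end
+end
"""

# Column-name patterns that suggest personal data. This list is an assumption for the
# example; in practice the privacy team would own and maintain it.
SENSITIVE_PATTERNS = {
    "contact": re.compile(r"email|phone|address", re.I),
    "identity": re.compile(r"name|birth|dob|ssn|passport", re.I),
}


@dataclass
class TableChange:
    table: str
    columns: list = field(default_factory=list)  # (column, type) pairs
    new_table: bool = False


def parse_migration_diff(diff: str) -> list:
    """Walk the added ('+') lines of a diff and collect create_table / add_column changes."""
    changes = {}
    current = None  # table whose create_table block we are inside, if any
    for raw in diff.splitlines():
        if not raw.startswith("+") or raw.startswith("+++"):
            continue  # only added lines can introduce new data
        line = raw[1:].strip()
        m = re.match(r"create_table :(\w+)", line)
        if m:
            current = changes.setdefault(m.group(1), TableChange(m.group(1), new_table=True))
            continue
        m = re.match(r"t\.(\w+) :(\w+)", line)
        if m and current is not None:
            current.columns.append((m.group(2), m.group(1)))
            continue
        m = re.match(r"add_column :(\w+), :(\w+), :(\w+)", line)
        if m:
            tc = changes.setdefault(m.group(1), TableChange(m.group(1)))
            tc.columns.append((m.group(2), m.group(3)))
        if line == "end":
            current = None  # left the create_table block
    return list(changes.values())


def flag_sensitive(change: TableChange) -> dict:
    """Map each column whose name looks like personal data to the categories it matched."""
    flagged = {}
    for column, _ctype in change.columns:
        cats = [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(column)]
        if cats:
            flagged[column] = cats
    return flagged


def build_privacy_issue(diff: str) -> Optional[dict]:
    """Return the review issue the bot would open, or None when the diff adds no tables or columns."""
    changes = parse_migration_diff(diff)
    if not changes:
        return None
    body = []
    for tc in changes:
        flagged = flag_sensitive(tc)
        kind = "New table" if tc.new_table else "New columns on"
        body.append(f"## {kind} `{tc.table}`")
        for column, ctype in tc.columns:
            note = f"  <- review: {', '.join(flagged[column])}" if column in flagged else ""
            body.append(f"- {column} ({ctype}){note}")
        # Questions the reviewer must answer before the migration ships.
        body.append("- [ ] Retention period and deletion path defined")
        body.append("- [ ] Warehouse export scrubs or excludes flagged columns")
    return {
        "title": "Privacy review: " + ", ".join(tc.table for tc in changes),
        "labels": ["privacy-review"],
        "flagged_columns": {tc.table: flag_sensitive(tc) for tc in changes},
        "body": "\n".join(body),
    }


if __name__ == "__main__":
    issue = build_privacy_issue(SAMPLE_DIFF)
    print(issue["title"])
    print(issue["body"])
```

In a real pipeline the returned dict would be posted to the issue tracker by the CI job that runs on every pull request; the point of the pattern is that the review is triggered by the schema change itself, so it cannot be skipped when it is inconvenient.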

Overall, audience members walked away with a ton of new information on what's on the horizon for compliance and new regulatory changes. Below you can find a full transcript of the panel.

Transcript of regulations and compliance panel at PAYMENTSfn

Below is a rough transcript of the panel conversation.

Brian Hendrix:      You know, I think I actually may call an audible on the bios, I've got all the bios here, but we do have three pretty large topics, I think we were talking just beforehand that each of those really could be its own panel, so in order to have enough time and to make it through it I think I might skate past the bios, if anybody's interested I have them all here, but maybe we can just start right down there on the end, Bart, and just kick it off with just sort of really a broad question. You know, looking at it from whether it's security, compliance, or fraud risk, what do you see right now as one of the major trends that's out there in the industry today?

Bart de Water:      I think everybody is scrambling to get ready for 3D Secure in Europe, and that sounds a little surprising to me, but it's kind of like GDPR all over again, I feel. Everybody knew it was coming, everybody figured it'll blow over, and then now like, say six months out everybody's, "Oh help, what do I do now? How am I going to get ready and make sure that I don't lose all my customers?" So yeah-

Brian Hendrix:      Yeah, absolutely.

Bart de Water:      That's the thing that I see a lot, like, in my day-to-day right now.

Brian Hendrix:      Yeah, and right next to you we have Kevin [inaudible 00:01:17] from CardinalCommerce. Maybe we could take just a quick chance and tease apart the acronyms just briefly. You know, I read an interesting stat this morning that Mastercard's talking about that even within the EU it's only around 30% of the merchants, as they take a look through the entire stack, the larger merchants obviously being a lot more ready, but a lot of the smaller merchants across the EU not being prepared and not actually being very aware of the differences in the acronym soup that's there.

Kevin Crockett:     Sure. Yeah, so there's really two key things that are happening kind of simultaneously in the market right now. So obviously everyone's getting ready for PSD2 and the need to adhere to SCA regulations and authenticating your customers during online CNP transactions, so that's kind of one element. 3D Secure is going to be the primary mechanism driving those authentications, and there's also this shift going on currently from a protocol standpoint on what 3D Secure really is.

Kevin Crockett:     So for those of you who aren't familiar with 3DS, it's Three Domain Secure. Basically it's a set of processes that occur prior to authorization where a merchant and a cardholder can exchange information about... I'm sorry, a merchant and a card issuer can exchange information prior to authorization to essentially validate the identity of that cardholder and that consumer during an online payment transaction. So with the impending regulations coming in Europe, 3D Secure is going to be the mechanism to really be running those authentication processes.

Kevin Crockett:     So from a protocol standpoint we've long been on what we call the 1.0 version of the 3D Secure protocol which has been around since 1999, and we are currently migrating over to the 3D Secure 2.0 or EMV version of the 3D Secure protocol, which really focuses on expanding the amount of data that's shared between the merchant and the card issuer during the transaction, but also being able to more seamlessly authenticate users across multiple devices, so not just focused on browser transactions, but native mobile applications, IoT devices, TVs, phones, Rokus, things of that nature, so both of those things kind of happening in tandem have kept us pretty busy over the past couple months.

Brian Hendrix:      Yeah absolutely, it sounds like it has, it's kept I think a lot of us busy here. So that's very much, and very much has been with GDPR, with PSD2 and the ensuing regulations that have come from that, there's been a huge Europe focus. Really whether it's Lee or anybody that wants to pick it up particularly, taking a look at that and looking at... Obviously we're in the US and we have US-based merchants here, how are these changing standards affecting us, affecting payment teams, and what kind of things should be on everybody's mind that's here, or should they be taking home for their businesses to have in mind as these standards pervade the globe?

Lee Gilley:         Go ahead, no, you go ahead.

Kevin Crockett:     Sure. I was just going to comment that 3D Secure, yes, it's going to be a mechanism to meet the needs for SCA compliance in Europe, but it's a global protocol that's currently being used across our merchant base, across all the various countries and geographic locations in the world, so if you're a US-based merchant or you have presence in other countries, 3D Secure is still very much a tool that you can have in your overall fraud strategy. We recommend a layered approach to fraud and 3D Secure is one element that you can incorporate into your overall fraud strategy, and really a lot of the improvements and enhancements that are coming in the EMV or 2.0 version of the protocol really benefits both merchants and card issuers alike. There's more data, there is better decision.

Kevin Crockett:     Outside of Europe, 95% of the transactions are going to be seamlessly authenticated behind the scenes without the need for any sort of consumer interaction or friction during the point of purchase, and really we're looking to solve for two main problems. One, we want to get fraud out of the ecosystem, and two, we really want to target and attack those false declines that are currently happening. So false declines are a big issue that we're looking to solve for where a lot of legitimate-looking customers are getting declined due to suspected fraud, but if you have this mechanism in place prior to authorization where I as a card issuer am authenticating my cardholder, and I see that in the authorization message there's more contextual data about what happened during the authentication, was it stepped up on, what type of device was Kevin on, did I send him an OTP, was it a frictionless authentication? All of those attributes can now be incorporated into the authorization stream so that the issuers can make better decisions and limit the amount of customer insults.

Brian Hendrix:      Absolutely. So you know, Lee, as we're taking a look at this going forward there's obviously the positive sides and the benefits you were talking about to complying with this fraud solution that's 3DS 2.0 regardless of being mandated to, forced to, encouraged to. What are we seeing US-based these days that's impacting that as well that might be of interest?

Lee Gilley:         Yeah, sure. So knowing that I'm a stone's throw away from Duke and North Carolina, I'm going to start this out with a Wahoowa, hopefully there's some other Virginia fans in here. But yeah, US-based we're seeing some interesting things. The California Consumer Privacy Act is one of the kind of hot topics in the US right now, it's basically... It's not quite fair to think of it this way, but I would think of it for those of you who aren't familiar with it as GDPR for the US. It has kind of an interesting history, because unlike the GDPR it was not very well thought out.

Lee Gilley:         So, California has sort of a unique method for creating laws, which is the people of the state can... Jump through some hoops and place a law on the ballot and then vote on it, and then it's a law without the legislature really being involved. Laws that are passed that way are really hard to change. So there was a wealthy person in California who was funding a ballot initiative to basically pass a GDPR ballot initiative in California, and the legislature worked with him and reached a compromise and passed a law in seven days. So while the GDPR was under development with different legislatures and different bodies and trade groups, and interested parties putting in their input for years, California did the same thing in seven days.

Lee Gilley:         That law goes into effect on January 1, 2020 with a delayed enforcement date of, I believe it's now July 1, and it has a lot of GDPR-ish features. The legislature is still... One of the reasons the legislature kind of jumped in and wrote a law is because once... If they write it, it is easier to amend, so they have been and probably will continue to amend it. One of the amendments on the bill right now is currently the CCPA contains a private right of action for data breaches, with a statutory penalty of $100 to $750, which from a lawyer's perspective means that if you have a data breach and you have California customers you are likely to get sued, and if you have a significant volume of California customers a class action is now a much more appealing thing, and the damages of a class action when you have a group of people suing you collectively can be much greater, and a much more appealing case for a lawyer to take up.

Lee Gilley:         Recently, just a couple months ago, the Senate in California introduced a bill that would expand that private right of action beyond just data breaches to violation of the entire law essentially. That means that if you fail to properly notify a customer what data you have of theirs, you fail to properly delete their data when requested, those people will actually have the right to sue your company. So this is a really big thing in the US that is coming fast, and frankly was not very well thought out on the front end, so it's kind of a constantly evolving thing, but it's coming quickly.

Lee Gilley:         And for those of you who are thinking why am I talking about California, my company's not a California company, the law applies pretty broadly. If you do business in California, which is not very well defined right now, but you should assume if you interact with Californians you do do business in California, and have $25 million in revenue total across your company, collect data on more than 50,000 California users or more than 50% of your revenue is generated by the sale of data, you are subject to this with respect to your Californians. So California is to a large degree functionally making a nationwide GDPR for the US right now.

Brian Hendrix:      Thank you.

Sonny Werghis:      Brian, if I can add to that, I think in terms of the actual impact of some of these things on merchants here in the US, I think 3DS to a large degree, you get an API from Cardinal or Shopify or someone and you take care of it that way, so the impact that you experience from an implementation perspective is probably less, but as soon as you start talking about GDPR you need to worry about, you know, what does data portability mean to me, right? What is data transparency?

Sonny Werghis:      How am I going to be able to determine based on my e-commerce platform, whether you're using Hybris or [inaudible 00:10:19], you know, [inaudible 00:10:20] e-commerce, whatever it is that... Or you build something of your own, how am I going to ensure that data transparency in the sense I can quickly find that, you know, Brian, all the data that I've collected about Brian, and how am I going to be able to delete all of that data, right? There's all kinds of issues surrounding the right to forget, the right to be forgotten or whatever, that data erasure policy, because now you have to deal with not just in your own database, what about all the archives you've kept of the data, right?

Sonny Werghis:      So some of those I think are still emerging in terms of the details need to be worked out and clarified, but I personally think that GDPR is going to have a bigger impact in terms of the extent to which you have to understand your system to be able to comply with it, and to a certain degree the California law as well [inaudible 00:11:06].

Brian Hendrix:      Absolutely.

Lee Gilley:         Yeah, I absolutely agree, the California law is the same way. If you think you may be affected by it, you really need a multi-disciplinary approach on it. You need to understand how your institution stores and manages data. You've got to understand, "What do I do if there's a breach?" You've got to have lawyers involved to understand what your legal obligation is. It's really a full company operation that everyone has to be involved in.

Brian Hendrix:      Yeah, and just for a moment I want to put a pin in sensitive data, it's one of the topics I want to come back to, sort of how business looks and handles it, but we talked a lot about we have this emerging standard in the EU... Well, or less emerging maybe, emerging in the opinion of a lot of folks that are handling it now, but taking a look at the fact that we're using ultimately what's a fraud prevention tool that's been around since... You know, for quite a while, since the late '90s, Kim, from your perspective as a Fraud Manager, do I get to look at 3DS 2.0, I've complied, that's my number one tool in my toolbox, that's where I should go to, am I safe? You know, what kind of expectations should a business have around fraud prevention in a broader sense?

Kimberly Booth:     Yeah, so good question. With respect to 3DS, obviously it's a great data point to have in your arsenal to look at a transaction holistically when it comes in, and then even from a reactive perspective if something does get through that's fraudulent and you get a chargeback, something from 3DS would be considered compelling evidence that you can utilize to dispute the transaction as well, so having it from both perspectives was great, but definitely not the only thing that you would use. You could have way too many false negatives or false positives that way.

Kimberly Booth:     I think the way that fraud is going now is companies are looking to use kind of a grouping of a machine learning tool and a rules-based tool, or just moving completely into machine learning. So with machine learning you can get a good pattern analysis of all the transactions that are coming through your organization, and you can get a big data historical bank and you can start to see where trends and patterns are spiking, and then if you see anything that comes in quick, that you're seeing a quick bleed from a part of your business, you can put in a rule to kind of stop it, and then while the rule's in place the machine can also learn. So I think having a holistic approach with the machine learning, the rules, and then 3D Secure, anything that you can check from the payment processing side is really important.

Brian Hendrix:      Yeah, that's a fantastic set of points. One of the comments yesterday on the innovation panel that really struck me was, I believe it was Adam mentioning that he had implemented a couple different tools, and the tool that was pleasing was the one that met expectations. In your experience when we're talking about these tools and different options for mitigating fraud, does a business really go about setting reasonable expectations that can be met?

Kimberly Booth:     So, I think it goes back to always tuning your program. So with a machine learning model, depending on your transaction volume you might want to tune it monthly or quarterly, and always reassess your expectations from there. I think getting in the room with a lot of other players in your organization, like product, supply chain, finance, and just deciding what are we willing to accept, how much are we willing to lose, how much are we willing to potentially turn away in a false positive, is important. As long as everybody's on the same page and there's no surprises, I think that is really the biggest thing that you should try to do.

Bart de Water:      And of course fraud keeps evolving, so you've got to stay on your toes and make sure that the whack-a-mole game, you keep playing it.

Kimberly Booth:     Yeah, and you could get to a point where you've done so well that your fraud is so low, you want to also continue the education of what you're doing. Once your fraud numbers get low, people might wonder why you're... What you're doing. "We don't have any fraud anymore." So doing Lunch and Learns, just trying to explain to people what you do, maybe even giving like a monthly dashboard. "Hey, we blocked all this fraud from this certain fraud ring, it's confirmed fraud." All that goes a long way.

Brian Hendrix:      Absolutely. I think that goes to something else that came up yesterday with Fareed, you know, you get to the point where you're blocking fraud so well, people begin to wonder why we're investing this much in fraud, and that's definitely not something we want to have, and I know you had mentioned just going out and proactively sharing, "This is exactly how much fraud we've blocked," it's a really powerful tool in that... You know, to keep that going and to keep the game of whack-a-mole going, and the race, as it were.

Brian Hendrix:      So coming back to that sensitive data topic, as we look at this, whether it's starting out or... Maybe not starting out, earlier than that, but certainly with PCI, we moved from PCI into now privacy information with GDPR, we're moving into PSD2, PSD1, PSD2, and we're talking a lot about different types of sensitive information. In any of your experiences, how can we really start thinking about this holistically? Is there any way at this point for anyone in our area and payments area to get out ahead of this in any functional way and start thinking about sensitive data holistically, the storage, the concept of how I can have this, how I can redact it? You know, anything from a systems to a business process perspective?

Kevin Crockett:     Yeah, I think one key thing would just be understanding how all the various providers that you're working with are handling these types of situations. We talked about 3D secure and the EMV rails and all of this enhanced data that can be exchanged. It's important to understand when you're selecting a provider for those services, what are their data retention policies? If they're running JavaScript, what are they collecting that's maybe outside of the protocols, or they may be using for their own analyses and whatnot, so it's important to understand kind of how the various providers are handling your data on your behalf, and that you're in tune with how it's benefiting you.

Sonny Werghis:      I also want to add that I think about 10 years ago data governance was a hot topic across multiple industries, and it kind of slowly started to die off, you don't hear as much conversation about it, discussion about it, but I think some of the best practices that came out of that whole mindset of data governance, data lineage, data provenance, things along those lines, data profiling, regardless of your size I think you need to start thinking about how am I going to tackle this, right?

Sonny Werghis:      Some degree of data, regardless how big you are, is going to be managed internally in addition to what you mentioned about data that your providers hold on your behalf, but I think starting to take a survey of what is it that I have and own and how am I managing it, even if it's not a formal governance mechanism with a lot of investment and resources committed to it, I think just getting... Starting to get a better inventory of what you have I think is going to be absolutely critical.

Brian Hendrix:      Fantastic.

Bart de Water:      And then from there on if I look at how it happened internally at Shopify, we have a whole bunch of tooling around that to make sure that whatever we build, that deletion and protection and data scrubbing is built at the core. If I open a pull request on the main Shopify application adding a new table in a migration, a bot will detect that, automatically open an issue in our privacy repo for somebody from the Data Privacy Team to review, being like, "Okay, what kind of data is going in here, and what if when that data is extracted to the data warehouse that it, like, these sensitive columns get scrubbed?" All that stuff, so it just, you know, it makes it very easy that no matter where during the development lifecycle, it is not like an optional box that might be forgotten or swept under the rug if it's slightly inconvenient, it is like core to our engineering process that we get this right every time we build something new.

Brian Hendrix:      Absolutely. Did you have something?

Lee Gilley:         I was just going to add, I think all of that makes sense, and I would say unfortunately from a... Again from a more US perspective, because of the fragmented nature of the way we do things, right, our federalism system where you have state governments, we have the Federal Government, we have a whole host of varying regulators who are interested in different pieces of data security and data requirements.

Lee Gilley:         I mean, the financial services space has had the Gramm-Leach-Bliley Act, which is not particularly robust, but it's had that for a while, healthcare has had HIPAA, there are different... There's a whole layer of existing laws that are out there, and unfortunately right now in the US there's not a good unifying law, and with California taking this initiative one thing you are likely to see is other states will probably follow with similar Acts, and the Federal Government, excuse me, has started to get into the game.

Lee Gilley:         They're discussing right now a data protection bill for biometric facial recognition data. So I think all of those pieces of advice are good, and I think another piece if you're in the US is you do really have to keep your ear to the ground and your eyes open for new things that are coming your way that you may not see until it's too late.

Brian Hendrix:      Absolutely. You know, you're speaking of that, their ear to the ground, and again broadly across the many topics that we have for ourselves here, and with security compliance and fraud and risk, are there any particular tools that any of you do use to keep that ear to the ground that you find particularly beneficial for yourselves?

Bart de Water:      Product managers.

Sonny Werghis:      Like, I should add spreadsheets.

Brian Hendrix:      Yeah.

Sonny Werghis:      [inaudible 00:20:32]. There was a... The book Checklist Manifesto comes to mind. Checklist, you need to have a checklist at some point somewhere that's keeping track of all those things. Even if it just means checking off a box, it's important to check off that box.

Lee Gilley:         And I would say from a legal perspective, and again, I know that I'm talking to a room that I think is devoid of lawyers, but presumably some of you have in-house lawyers you work with sometimes, you know, it's really important that your in-house lawyers are active in the areas that they need to be. They need to... You know, they should know based on what your company does what they should be looking for, and they should be coming to conferences like this, or really more legal-focused conferences, and paying attention. There's tons of sources of information out there, it's just a matter of kind of knowing which ones to tune into.

Kimberly Booth:     Yeah, if you can keep everything more centralized so if anything happens in the future and someone needs to look at it they can find it easily, and even keeping a PDF or a scanned copy in like Google Drive or something is really helpful.

Brian Hendrix:      Absolutely. And just to take a moment, a quick break for the audience, if there's any specific questions that anyone has on any of our wide-ranging set of topics, we're happy to take one or two. Anyone? Have we put you... Okay, good, there we go.

Speaker 7:          Kind of wait for them to turn me on and then I'll... Is there... Regarding the CCPA legislation that's come out, is there any concern among businesses that other states are going to follow suit, but not with the same exact legislation, but something that's nuanced, requiring them to go back and redo things they've already done to get ready for CCPA?

Lee Gilley:         You can virtually guarantee that's going to happen. There are a number of states that are discussing that. There are a number of states that have privacy bills that exist that focus on specific things, biometrics has been one that I think three or four states already have, Illinois has a kind of infamous one, and there's six or seven more that are looking at biometric data specifically, but I think you can virtually guarantee if California does that that some of your other more kind of consumer-friendly, more privacy-focused states are going to follow suit, and they almost certainly will not adopt it word-for-word.

Lee Gilley:         The natural, or a natural, there's really some debate at the federal level of where privacy would live, because like I said our history is that it's fragmented, there are privacy laws for banks, there's privacy laws for healthcare companies, but there hasn't really been overarching meaningful privacy protections. One of the natural places for it to live is the Federal Trade Commission, and their Commissioners are attempting right now to wrangle that authority for themselves, and they are interested if they do get that authority in preempting a lot of the state laws, so you would then be operating under a federal law that would sort of erase, for lack of a better term, the state laws that come along in the meantime, but we're not there yet and it's highly unlikely we'll get there, you know, any time in the next few years.

Brian Hendrix:      Any other? Yep, absolutely.

Speaker 8:          So with 3DS 2.0 we've started to hear a lot about the liability shift. I'm curious if you can talk about what some of the nuance and limitations of that will be for merchants?

Kevin Crockett:     Sure, so we can really take a look at this from both a US and I guess European standpoint, but ultimately the end result of a successfully authenticated transaction is a cryptogram that a merchant would receive back from the card issuer after authentication completes. So as long as that cryptogram called a CAVV, which is just a verification value, makes it into the authorization message that's then ultimately sent into the card issuer, that transaction then would have liability protection, meaning if I went then to dispute a transaction that I made that went through 3DS successfully, that would be blocked at the issuer and then they would not be able to issue that chargeback to the merchant, so that's liability protection on successfully authenticated transactions.

Kevin Crockett:     When you look at it across Europe, it's... That concept still applies. If it's a fully-authenticated transaction, the merchant would still qualify for liability protection, but there are other use cases where you're claiming an exemption, and so if you're claiming an exemption and the consumer doesn't go through a strong form of two-factor authentication, you may still get a cryptogram back but since you're the party claiming the exemption you retain liability. But ultimately if it's fully authenticated, you're covered from a liability standpoint.

Brian Hendrix:      Fantastic. You know, a small shift to some of the emerging trends that are out there, Bart, you and I before the session had talked a little bit about some of your involvement with W3C, and Sonny, you and I as well talked about that, taking a look at the new web auth APIs, secure remote commerce, that's coming along, that's out in the future, maybe if you could share a little bit [inaudible 00:25:49] either of your or anybody else's experience with that as it's forming?

Bart de Water:      Yeah, so Shopify is part of the Web Payments Working Group at the W3C, and we ran an experiment last year around summer if I have it correctly, where we basically ran a test across some selected merchants on our platform to see if it was ready for prime time. We did see a noticeable drop in conversion rate on the checkout, so after about a week we decided that we... You know, we have the data, the picture is clear, like, we turned it off because after all it's our merchants' livelihood that we're kind of like beta testing with, even though they signed up for it of course, but still.

Bart de Water:      It did provide some valuable data points and real-life feedback that was needed because mostly at the time it was the browser vendors putting together the spec, and one of the points where we differed in opinion was that like, we really need discount codes. Like, merchants use discount codes for promotions, that's how they attract customers, and the spec had no place to communicate that through the API to the backend. Now that we actually like ran the experiment, had the results, we could actually be like, "See, we're not making this up, this is actually needed."

Bart de Water:      So I believe that version 2.0 of the spec, that it's on the roadmap to figure out how a discount code or something along those lines... Like, also like loyalty, like how do you incorporate this while on the other hand offering a seamless checkout experience that is easy to implement and standardized across browsers to make the checkout process easier and faster for everybody involved?

Sonny Werghis:      My perspective on that whole topic is more from a processor and network perspective. In talking to some processors there are concerns with, especially the ones... There are concerns with how that impacts the flow of traffic across the local networks, right, the global networks. I mean, that's a topic that spans... Goes beyond secure remote commerce into just network tokenization in general. The local EFT networks are starting to be able to process card-not-present transactions. When you implement something that requires a network token it limits their ability to process that transaction, and generally they are less expensive than the global networks, and so for large merchants there is a real dollar impact to doing some of those things, so I think some of those details have to be worked out, right, before it gains wide adoption.

Sonny Werghis:      I think it's a very interesting concept, but I think there's some degree of... Not necessarily pushback, but starting to question, "How is this going to affect me? Is it going to cause a reduction in total fee that I'm paying for the transaction, or is it going to limit my ability to go the... Pick and choose the network that I route my transaction across?" Right? So those are some of the aspects that make it interesting.

Brian Hendrix:      Absolutely, thank you so much. So sticking on the concept of emerging standards, taking a look from a fraud perspective, what do you see changing right now from a fraud perspective? You know, taking a quick look maybe in the last year or two of fraud, and then what is nascently changing it you're seeing from your position?

Kimberly Booth:     So, we're seeing a lot of trending towards mobile fraud now, which I think payments is as well. You know, a lot of transactions are happening on your mobile device, so we're seeing an uptick in fraud being perpetuated on the mobile device, so a good way to kind of get ahead of that in your fraud tool if you have device fingerprinting is to pay close mind to transactions that may be coming into the mobile more than you were before, and kind of looking for trends within browser layers, cookies on the phone, what type of browser they're using, and all things like that are really important right now.

Brian Hendrix:      Absolutely.

Bart de Water:      I think... And this is a problem that is larger than just the payments space, but username and passwords just in general, terrible. And you know, we've... Like, two-factor authentication is becoming more normal. Even non-technical people like my mom is always my favorite example of being like, "Hey, I should really like, you know, I should really start using a password manager," because she got a notification on her Gmail that somebody tried to log in from China, and she's... And I explained to her database breaches, how they work, and she's like, "Oh yeah," and like now... Like you know, it hit, it became really close to home all of a sudden instead of just this theoretical problem.

Bart de Water:      And you've seen that too with other data breaches from, like, big credit rating agencies, it's... Yeah, that's worrisome, but fortunately... And that is something of a bit of a pet project that I work on in my spare time, is the web authentication standard from the W3C, which will basically... Has the potential of making usernames and passwords obsolete by using public-key cryptography, which we all learned from yesterday during Adam's talk.

Brian Hendrix:      That's right.

Bart de Water:      But yeah, basically you can log in with a USB fob or with your phone. The same chips that securely store your credit card data can also generate a key pair that then can be used with a website to securely log in. I'm very excited to hopefully, in like the next 10 to 20 years, hopefully see an end to the problem of password reuse and then getting your whole digital life breached.

Brian Hendrix:      Absolutely.

Kevin Crockett:     Yep, and just to kind of touch on both of those topics from a 3D Secure standpoint, those are definitely trends that we've been noticing as well, and really some of the key things that the updated protocols are looking to solve for. So on the mobile aspect when you look at 3D Secure 1.0 it's a very browser-based solution, that's what the specs were designed to support, there wasn't any concept of mobile commerce in '99 when these things were first created, so 2.0 really takes that into account, and there are mobile SDKs that can be embedded into the native applications to allow the facilitation and exchange of that necessary data to perform authentication on those devices.

Kevin Crockett:     Now, that poses a different type of issue around the type of authentication methodology that's being used by the card issuers, where previously in the old days you would have to log into your account to basically establish a pin or passcode, and then if the merchant used 3D Secure you would have to actually enter that into the site. It's a terrible user experience and very easy to do takeovers, so there's been a mass shift and actually some mandates from the networks to get off of static authentication, so authentication must be dynamic in nature.

Kevin Crockett:     What we're seeing predominantly now are OTPs or one-time passwords being sent to mobile devices or emails, but there's also a big shift into biometric authentication, especially when you're looking at authenticating on mobile devices or on IoT devices, where the real estate and the type of interface isn't consistent, being able to do a push notification if you have your Chase app installed on your phone, use your thumbprint to authenticate yourself, that feeds back into the flow and then that's a different mechanism to authenticate a cardholder or a consumer over a standard pin, passcode. It's more dynamic and leveraging all of the different devices.

Brian Hendrix:      Yeah. A quick pivot, because no talk on this would ever be complete without having a little bit of time for PCI, it's something that's here, it's going to stay, it's not going away on any level. You know, maybe Sonny I could start off with you. You know, taking a look maybe all the way down from the level of system design, system architecture, and looking at apps that are absolutely and have been for the past few years native to the cloud, with options like containerization and firewalls that can be spun up, spun down, and scaling, in your experience what should be in the modern toolkit, the modern toolkit today for someone who's PCI-concerned, certainly looking at a hosted solution, a clouded solution?

Sonny Werghis:      Well, so I think some of the topics that we've talked about are certainly... Play into PCI as well, so we talked about SCA, and primarily driven by multi-factor authentication I think PCI spec four is going to require that for your CD... Your cardholder data. I can't remember acronyms anymore, I don't know-

Bart de Water:      CDCV?

Sonny Werghis:      If anyone knows what PCI stands for or DSS stands for anymore, right? But your CDE has to be... Administrative access has to be protected through MFA. Wow, that's a lot of acronyms in one [inaudible 00:34:23] sentence, right? But PCI is kind of in a settled state, right? It's fairly stable, people get it. I think the challenge that I encounter is people who are looking to... Especially the more traditional shops, the legacy technology stacks, when they are looking to upgrade their technology, move into a newer stack, there's always a InfoSec or a Governance Team that wants to put a kibosh to everything, right? I always say it [inaudible 00:34:52] when a governance person walks into a room, just the level of innovation and level of life within the room just drops, so... Which is an unfortunate-

Lee Gilley:         Same with lawyers.

Sonny Werghis:      No offense meant, but it's just the reality of what it is. But I think in terms of the... PCI as it applies to your workloads within your data center is essentially the same mechanism that applies to what lives in the cloud as well, so there shouldn't be any concern, there shouldn't be any fear. Embrace the new technology, because a lot of those technologies are in fact more secure than your traditional technologies, and so I think you should be embracing the cloud, looking to move your workloads to the cloud, embracing containerization because it adds additional layers of security around it that make it easier for you to manage and govern it from a PCI perspective.

Brian Hendrix:      Absolutely. Okay, I think we're down to about our last five minutes, if there... I want to check back in with the audience, if there's another round of questions that anyone has that they'd like to get at for our thrilling conclusion?

Sonny Werghis:      I just wanted to state this one thing, it's interesting that this is the last topic we're going to talk about today.

Brian Hendrix:      Near to it.

Sonny Werghis:      Who wants... Almost the last. Who wants to talk about security and governance and risk, and all that, right? Except the few of us here, except the lawyer here.

Brian Hendrix:      Anyone else?

Bart de Water:      Well, I think to kind of like latch on there, is... Well, I've been reading up lately on Google's Zero Trust concept, which is also very interesting. Basically Google got like hacked by supposedly Chinese state hackers in 2009, and they realized that they were very much built around perimeter security but once inside the firewall they kind of like had a free pass, and they've been re-architecting their systems so that basically no system trusts another just because they are on the inside network. Like, design your systems as if they are directly connected to the big, scary internet, and treat everything that comes in with suspicion.

Bart de Water:      And they've been writing some interesting papers on that, like how to make that work, and especially at Google's scale. But yeah, that definitely goes along with the defense in depth kind of thinking, that there's not just one layer of defense which is your firewall.

Kimberly Booth:     Right, and that almost brings back to the big Target breach many years ago. They couldn't get into Target's systems, but they could get into their air conditioning system because there was literally no security there, so with the internet of things you really need to make sure your weakest point is really tough to get into, because the weakest point is what they're going to exploit.

Brian Hendrix:      Absolutely.

Bart de Water:      For the people who want to Google this, they call it BeyondCorp.

Brian Hendrix:      Yep. And certainly in PCI compliance one of the things that comes to mind for me as well that I always like to bring up, at least as far as I know, and maybe Lee will double-check me on this, but for all the years of all the breaches that I've seen occur that happen constantly and consistently, every single... I used to have a giant slide back when I did presentations with all the logos just stacked up on each other of everyone who's seen a breach, they had one thing in common, and that's they were all PCI compliant, or so they thought at the time, every single one of them.

Brian Hendrix:      So there is very much a concept as well that this isn't a point in time, I know you hear it all the time, but recognize these are businesses from small to extremely large, and this type of compliance, it will come in from a vector you don't expect. Fraud comes in from vectors you don't expect, so it's very much a consistent defense, right? It's a... As much as it feels like a sprint and a race, it's very much a marathon I think too.

Brian Hendrix:      I think with a closing idea as well, we heard some of this yesterday I think in one of the panels that we had, are there any tools or strategies that any of you use right now to build the cross-team feel? You know, talking about this having to be something that's not localized to just one team that we need in the entire business concerned with fraud, we need the entire business concerned with security, compliance. What ways are you using right now to build that consistency, and consistency of message across the business, and maybe even ideally making a virtue of that necessity, you know, showing that off and making it a good thing for the business?

Kimberly Booth:     Yeah, so from a fraud perspective I like to do big meetings where I invite people from all different stakeholders and just show a deck of what's going on. Also I like to try to get involved in other projects within the company with an open mind. You don't want to be the risk person that goes into every project and immediately says "This is so risky," because you won't be invited to any more meetings, but if you can go into projects with an open mind, and you'll be invited to get in the ground working of other things in the future and ultimately everybody has the same goal, and if we all remember that then we can really solve a lot of problems in the short term.

Kevin Crockett:     Yeah, definitely. Me personally, I manage multiple teams from implementation, solution engineering, ongoing support, customer success, so it's very important with all of these changes that are happening right now in the ecosystem, from not just a 3DS standpoint but also from a PSD2 perspective, that everyone's out there and they're talking about the right things and we're all aligned in our general messaging, so we do kind of a similar thing where we have these large all-hands meetings where basically it's a day, we're offsite, various stakeholders from our other departments like Product and Development come in and give updates on what's relevant so that everyone's at least aligned on what's our core message, what are our core objectives, and how are we in the market talking about these things so that we can help all of our customers help themselves?

Lee Gilley:         And I think I would echo what both of my co-panelists up here have said, and that I have a little bit of a unique perspective in that I'm never internal of a company, I'm always coming in from the outside, but the companies that struggle with this stuff, it really is about communication. So often a product gets so far down the line, or a process gets so far down the line and then someone brings in a risk person or a lawyer who says, "Well, did you think about these 700 things?" It's way better to have them do that at the beginning so that you can incorporate it as you go than have them come in at the end and either squash it or make you go back and redo a bunch of stuff. So I would definitely echo that from an outsider's perspective the successful companies really do a good job having those things in mind at the front end of a process.

Sonny Werghis:      And I think you want to make sure that you're communicating a couple of things. One is that this is real, it's got to be taken care of, right? But we're here to help you. We don't want to be the ones that are bringing these 700 topics, "Now you take care of it" kind of a mindset, and we don't want to be killing innovation, but we want to be coming on board and helping you with your innovation, we just want to make sure that this is incorporated into that brilliant idea that you just came up with, or brilliant product that you just came up with. We want to make that successful, but we also want to make sure it is safe and secure and compliant.

Brian Hendrix:      Absolutely. Thank you so much, and we are... We've run out of time in this awesome topic, so thank you very, very much to our panelists, we very much appreciate it, and please join and tackle any of us during the next break to discuss any of the burning questions you have. Thank you.
