Criminals will follow the easiest path to get sensitive payment data.
E-retailers considering one of the newer alternate payment methods, such as online check and PIN-debit acceptance, need to consider what security measures they need to take to protect those transactions, observers say.
Within the past year, several payment organizations have launched services meant to entice merchants to accept online checks and PIN-debt transactions. Online check acceptance, brokered by NACHA, The Electronic Payment Association, which manages and governs the Automated Clearing House electronic payments system, with its Secure Vault Payment service, and online PIN-debit acceptance, such as PaySecure from Acculynk, have attracted merchants because they enable credit-averse consumers to pay from funds in their bank accounts and may cost retailers less than accepting credit cards, say experts.
PaySecure, for example, may save a merchant 60 basis points per transaction costs compared with an online signature-debit transaction in which the consumer does not enter a personal identification number, says Trent Voigt, CEO of JetPay LLC, a payment processing company that offers PaySecure. A basis point is 1/100th of a percentage point. That means that on a $100 transaction a retailer using PaySecure to process the transaction would save 60 cents.
E-retailers may also be attracted to an online check service by the promise of reduced risk, suggests Patricia Hewett, an analyst at consulting firm Mercator Advisory Group Inc. With Secure Vault Payments financial institutions authenticate consumers and provide businesses with immediate authorization and confirmation of payment via the ACH system, which connects financial institutions outside of payment card networks.
“It’s a good funds model,” Hewitt says, meaning that the system ensures the consumer has the money in the bank. The e-retailer knows the transaction is valid and it will be paid within a day or two, she says.
But cost should not be the only consideration, says Patrick McGregor, senior vice president of product management at Trustwave, a payments security firm. E-retailers should consider the security aspects of these alternate payments as they would for credit card transactions, he says. “It’s a complex world when it comes to any payment security,” he says.
Specifically, McGregor says e-retailers should ask about how effective a payment method’s security protocols are against the actual methods that criminals use. Secondly, the merchant should evaluate if the security practices conform to standard industry antifraud measures. That can help validate the security practice, he says. E-retailers should also ask the payment provider which companies or banks it works with. A lack of reputable partners could be a reason to take a closer look at the vendor’s proposal, McGregor says. The idea is to make a merchant’s payment system as strong as possible, he says.
Criminals want to do the least amount of to accomplish their goals, he says. Currently, that means they most often target traditional credit and debit card systems. But as alternate payment methods gain traction, criminal attention easily could swing to them, McGregor says.
“Nothing about the transactions themselves make them bulletproof,” he says. “It’s just a matter of focus.”