Accourt Payments Specialists » Compliance
https://www.accourt.com
Feed last built: Thu, 18 Apr 2024 20:09:55 +0000

EU agrees to adopt revised Payments Services Directive (PSD2)
https://www.accourt.com/eu-agrees-to-adopt-revised-payments-services-directive-psd2/
Published: Thu, 08 Oct 2015 11:50:59 +0000

The European Parliament has agreed to the European Commission’s revised Directive on Payment Services, the so-called Payments Services Directive (PSD2).

This new law, proposed by the European Commission in July 2013, enhances consumer protection, promotes innovation and improves the security of payment services. PSD2 is the latest in a series of laws recently adopted by the EU in order to provide for modern, efficient and cheap payment services and to enhance protection for European consumers and businesses.

Commissioner Jonathan Hill, responsible for Financial Stability, Financial Services and Capital Markets Union, said: “European consumers want to know that their payments are safe when they shop or make a payment online. The new Payment Services Directive will ensure that electronic payments in Europe become more secure and more convenient for European shoppers.

This legislation is a step towards a digital single market; it will benefit consumers and businesses, and help the economy grow. I want to thank the European Parliament for the work it has put into reaching this agreement, and pay tribute to the work of rapporteur Antonio Tajani, Vice-President of the European Parliament.”

Commissioner Margrethe Vestager, responsible for competition policy, said: “We have already used EU competition rules to ensure that new and innovative players can compete for digital payment services alongside banks and other traditional providers.

Today’s vote by the Parliament builds on this by providing a legislative framework to facilitate the entry of such new players and ensure they provide secure and efficient payment services. The new Directive will greatly benefit European consumers by making it easier to shop online and enabling new services to enter the market to manage their bank accounts, for example to keep track of their spending on different accounts”.

Following the Parliament’s vote, the Directive will be formally adopted by the EU Council of Ministers in the near future. The Directive will then be published in the Official Journal of the EU. From that date, Member States will have two years to introduce the necessary changes in their national laws in order to comply with the new rules.

Some of the changes that the new rules introduce are:

  • Introduction of strict security requirements for the initiation and processing of electronic payments and the protection of consumers’ financial data;
  • Opening the EU payment market for companies offering consumer or business-oriented payment services based on the access to information about the payment account – the so called “payment initiation services providers” and “account information services providers”;
  • Enhancing consumers’ rights in numerous areas, including reducing the liability for non-authorised payments, introducing an unconditional (“no questions asked”) refund right for direct debits in euro; and
  • Prohibition of surcharging (additional charges for the right to pay e.g. with a card) whether the payment instrument is used in shops or online.

For more information:

http://ec.europa.eu/finance/payments/framework/index_en.htm#151008

FAQ

http://ec.europa.eu/finance/payments/framework/index_en.htm

Real-time cross-border payments – ISO 20022
https://www.accourt.com/real-time-cross-border-payments-iso-20022/
Published: Thu, 03 Sep 2015 15:49:59 +0000

Real-time cross-border payments might soon be a reality, thanks to the efforts of a new payments industry group. But is there a business case for adopting the ISO 20022 standard?

With multiple countries implementing real-time payments initiatives around the globe, interoperability between systems is key. Therefore, the ISO Real Time Payments Group (RTPG), a collection of payments experts brought together by Payments UK, has published a first draft of ISO 20022 usage guidelines for cross-border real-time payments – according to an article in AFP.

Barry Kislingbury, senior principal solution consultant at ACI Worldwide, one of the companies that contributed to the first draft, identified some of the gaps in ISO 20022 and explained why this new “rule book” was needed. “Most countries, especially in the Western world, are looking at how they would implement real-time payments,” he said.

“ISO 20022 has become the standard for sending financial transactions—not just the value but the transactional data as well. But it wasn’t designed for real-time. It was designed to be sent and cleared tomorrow or the day after.”

Kislingbury explained that ISO 20022 currently lacks certain items that would allow for a real-time payments environment, such as confirmation messages that assure that payments have been made. “That’s something we’re going to have to design from scratch basically in this working group,” he said.

Additionally, there may be missing data that would be needed for real-time, such as e-invoicing. “You may well want to attach a document to a message that says, ‘Here is your invoice.’ Well, attaching a JPEG to a financial message isn’t necessarily the right thing to do because it makes the message massive. With instant payments, time and speed are very important. You want to be making these payments in seconds and not hours.”

Furthermore, with entities all over the world like the Clearing House and the European Payments Council wanting to use ISO 20022 as the messaging standard behind their real-time payments initiatives, the standard has to be uniform. “The problem is, if you’ve got another 40 countries implementing payments schemes and there are gaps in the standards, they’re all going to implement them slightly differently,” Kislingbury said.

This is one concern that Magnus Carlsson, AFP’s manager of treasury and payments, has had since ISO 20022 was first implemented. “We are already seeing some variances in the standard where it is implemented,” he said. “If these differences become more substantial, some of the information in the messages may be lost if the recipient doesn’t have the same version of the standard.”

Therefore, RTPG is seeking to ensure that ISO 20022 is cohesive for all parties involved. “In five to 10 years’ time, we will have interoperable real-time payments globally,” Kislingbury said. “But if everybody is still trying to make it their own way without talking to each other, that would make interoperability much harder. So that was what the working group got together to achieve—to take the current ISO 20022 standard and agree on what messages get used in which scenarios. That wasn’t always clear with ISO 20022, because some of the messages are very similar. We don’t want people using different types of messages for the same thing. So we agreed what the basic flows are for real-time payments, and what messages would be used in those flows.”

The draft is currently being reviewed across the payments industry, ahead of RTPG’s meeting at Sibos 2015 in Singapore this October.

Barriers to ISO 20022 adoption

Carlsson has some concerns about ISO 20022 adoption, primarily that in the U.S. at least, there is a lack of understanding around it. “Obviously, in the U.S., we have the issue of getting to even using ISO 20022, especially on a corporate level,” he said. “Quite frankly, most organizations are not even aware of it.”

Carlsson noted that the U.S. stakeholder group has been very active in reaching out to the corporate world and spreading the benefits of the standard. “The problem is, they haven’t found a pure financial business case for a corporate to adopt it,” he said. “It’s more of a strategic case for the U.S. as a nation to move to ISO 20022. The problem with that is, you’re never going to see a mandate to adopt it like you saw with [the Single Euro Payments Area (SEPA)] in Europe.”

As a former corporate project manager for SEPA implementation, Carlsson knows that it will be difficult to convince businesses to adopt ISO 20022 without a similar mandate. “Just seeing, from a corporate level, the resistance to make any kind of changes, the business case you have to present will have to be so substantial that corporates will see some real benefits to it, or it’s not going to happen,” he said. “We’re talking about a country where 50 percent of the B2B transactions are still done by paper checks.”

Carlsson applauded RTPG’s efforts and noted that U.S. corporates do show interest in using ISO 20022. “We hear corporates say, ‘This is very interesting.’ But then it stops there,” he said. “We need to find a way to show there are real efficiency benefits and cost saving opportunities with ISO 20022. Without a mandate, that’s how you can reach broader implementation.”

Update on changes to the new Payment Services Directive (PSD2)
https://www.accourt.com/update-on-changes-to-the-new-payment-services-directive-psd2/
Published: Thu, 30 Jul 2015 10:46:44 +0000

The arrival of the new Payment Services Directive (PSD2) in the internal market repealing the current Payment Services Directive 2007/64/EC (PSD1) has been a closely monitored development since the publication of the European Commission’s (the Commission) Green Paper on Card, Internet and Mobile Payments (COM (2011) 941) in January 2012.

On 2 June 2015 the final compromise text of PSD2 was released. The updated PSD2 broadens the scope of PSD1, captures a wider range of payment transactions, and also addresses some of the concerns raised during the legislative process regarding questions of liability.

Payment service providers (PSPs) will have to ensure that they comply with its provisions by the transposition date around end-2017. In this article, which first appeared on the EPC website, Maria Troullinou of Clifford Chance LLP looks at the key changes that PSD2 will introduce and at how the text has evolved since the initial Commission proposal was published in the summer of 2013.

A similar structure, a much broader scope

The new Payment Services Directive (PSD2) retains the same basic structure as the original Payment Services Directive (PSD1). PSD2 is divided into six titles, each of which focuses on a different subject-matter. Accordingly, title I covers scope and definitions, title II deals with the authorisation and regulation of payment service providers (PSPs), title III focuses on transparency, title IV establishes the respective rights and obligations of payment service users (PSUs) and PSPs and titles V and VI set out provisions on delegated acts and implementation. In addition, the different categories of payment service are set out in the Annex.

Despite retaining the same basic structure, the reach of PSD2 is broader than its predecessor. This is because of the expansion of the territorial scope provisions and the simultaneous narrowing down of the exemptions (commonly known as the ‘negative scope provisions’).

Territorial scope

Most provisions of title III and title IV of PSD2 will now apply to a broader range of payment transactions. Specifically, transactions in non-European currencies where both the payer’s and the payee’s PSP (or the sole PSP in the transaction) are located in the European Union (EU) will be caught, as will ‘one leg out’ payment transactions in all currencies (i.e. where only one PSP is located in the EU).

‘One leg out’ transactions were outside the scope of PSD1, but PSD2 now brings them in scope “in respect of those parts of the payment transaction which are carried out in the Union”. This wording operates as a limit to the reach of PSD2 and seeks to offer some comfort to PSPs who would not be able to fulfil their obligations in respect of transactions (or components thereof) taking place outside of the EU over which they have no control (e.g. because these are subject to foreign systems and rules). PSPs will need to carry out an impact analysis and assess which parts of each transaction qualify as having been “carried out in the Union”; in the absence of guidance as to the precise meaning of this wording, this may not be a straightforward exercise.

Negative scope

PSD2 amends some of the exemptions established under PSD1. Changes to the “commercial agent” exemption attempt to address the divergent interpretations taken by some EU Member States, making clear that the exemption applies when agents act only on behalf of the payer or payee (not both).

Where agents act on behalf of both parties (e.g. in respect of e-commerce platforms) the exemption will only apply in cases where the agent does not come into possession, or have control of, clients’ funds.

Moreover, it will no longer be possible to use the same payment instrument within more than one limited network, or to acquire an unlimited range of goods and services and therefore the “limited network” exemption will now only be available to genuinely small networks. PSD2 also limits the scope of the mobile device content exemption to individual payments that do not exceed 50 euros and, on a monthly basis, transactions not exceeding 300 euros in aggregate per subscriber.

The Automated Teller Machine (ATM) exemption set out in Article 3(o) of PSD1 which was removed from the European Commission’s (the Commission) original PSD2 proposal, has now been reinstated. ATM operators will be subject to obligations to provide customers with information on withdrawal charges — both prior to the transaction and on the customer’s receipt — aiming to enhance transparency.

PSD2 seeks to minimise divergent interpretations around the application of certain exemptions. In certain cases, PSPs pursuant to PSD2 will have to notify competent authorities, so that an assessment can be made as to whether the requirements of an exemption have been met.

Expanding the market

PSD2 creates two new types of PSP, commonly referred to as ‘third party payment service providers’ (TPPs), and attempts to strike a balance between opening up the payments market and maintaining appropriate security standards for online payments.

PSD2 contains provisions requiring EU Member States to ensure that all payment institutions have access to payment account services provided by banks. This is designed to prevent banks from refusing to open and maintain bank accounts for payment institutions. Although the right of a bank to reject account applications on valid grounds (such as anti-money laundering concerns) would not be affected, banks that decline to provide a bank account to another payment institution will have to explain the rejection to the regulator.

Under PSD2, payment initiation service providers (PISPs) are required to be authorised but are subject to a reduced minimum own funds requirement of 50,000 euros. Account information service providers (AISPs) are expressly exempt from authorisation, but are subject to a registration requirement. Both types of entity have to hold professional indemnity insurance or a comparable guarantee in order to ensure that they are able to meet liabilities arising in relation to their activities, as PSD2 aims to achieve a level of supervision commensurate with the risk such new entrants introduce into the system. PISPs that want to provide different payment services involving holding users’ funds will need to obtain full regulatory authorisation.

European cross-border and card-not-present fraud on the rise
https://www.accourt.com/european-cross-border-and-card-not-present-fraud-on-the-rise/
Published: Thu, 23 Jul 2015 09:01:21 +0000

Card fraud losses across 19 countries in Europe rose an average of 6% in 2014, according to a new report based on data from Euromonitor International. But the low overall rise masks large shifts in so-called “cross-border” fraud, where criminals use data on cards from one country to commit fraudulent transactions in another country.

UK card fraud losses rose by £29 million in 2014, a 6% rise on the previous year. Most of this increase was due to cross-border fraud, with domestic losses remaining flat.

Figure: Cross border vulnerabilities of UK fraud

In the UK, FICO previously reported a 25% increase in cross-border fraud on debit cards in 2014, compared to 2013. 47% of the fraudulent transactions were taking place in the US – a pattern that seems related to the delay in US adoption of EMV technology. The first wave of the EMV liability shift takes place in October 2015 in the US.

“Banks in the UK and most of Europe adopted EMV technology years ago, so it may appear that they have little to worry about from mag-stripe fraud,” said Martin Warwick, FICO’s fraud chief for Europe. “However, the trends suggest that any European plastic card can be targeted, as criminals try to ‘fill their boots’ before the US finally shuts the door on skimming fraud.”

As reported in the FICO European Fraud Map for the last three years, the leading type of fraudulent card transaction is so-called card-not-present (CNP) fraud. The percentage of fraud losses from CNP fraud averaged 41% for Western European countries, and 23% for Eastern European countries.

In the UK, ecommerce spending more than doubled between 2008 and 2014, but CNP fraud losses have grown just 1% in that time. However, CNP fraud has become a greater share of UK card losses, rising from 54% of card losses in 2008 to 70% in 2014.

Figure: European Fraud Changes 2013-2014

“We are winning the war on CNP fraud, but we still have a long way to go to get CNP fraud fully under control,” Warwick said. “Authentication of customers and their devices will play an ever-increasing role. This is why FICO has been focused on advances in analytics that assess consumer behavior, and profile not just cardholders but also devices and merchants.”

France had the highest card fraud losses relative to card sales, followed by Greece and the UK, which is the same ranking as last year. Russia saw the fastest growth in card fraud losses – 24% — but card sales in the same period grew 36%.

Figure: Fraud severity levels 2013 Vs 2014

“Any market that is growing will attract criminals’ attention and that’s exactly what is happening in Russia,” Warwick said. “EMV has a long way to go to reach maturity in Russia. However, overall Russia has low fraud relative to sales. The key aim for banks will be to ensure that when growth in sales slows they are also in a position to slow the growth in fraud losses”.

Top 8 future cyber security threats to the financial services sector
https://www.accourt.com/top-8-future-cyber-security-threats-to-the-financial-services-sector/
Published: Thu, 18 Jun 2015 10:00:16 +0000

Financial services providers must better prepare for the threat that new technologies pose to their cyber security strategies or risk damaging customer and investor confidence.

Cyber-crime within the financial services industry has reached unprecedented levels and currently costs the global economy £266 billion each year. As companies increasingly adapt to emerging technologies, such as digital wallet service Apple Pay and Near Field Communication (NFC), the likelihood of hacks and data security breaches is rising.

Neil Cross, Managing Director of Advanced 365, explains, “The financial services industry must find a balance between embracing innovation to establish a competitive advantage whilst meeting needs for greater compliance and cyber security in order to survive. At present, too many firms are preparing for yesterday’s threat instead of updating their strategies to defend against tomorrow’s.”

Cross outlines below the top eight technology threats that financial services firms will face in the future.

  1. Botnet attacks – The Botnet (robots and networks) of Things is a group of computers or internet-connected devices that have been hacked to commit fraud or attack servers. Industry experts estimate that botnet attacks have contributed to the loss of millions of pounds from financial institutions. Mass adoption of the Internet of Things will only exacerbate security challenges as it introduces billions of potential new bots.
  2. Self-mutating computer virus – ‘Pandoras’ are regarded as the next generation of self-mutating computer virus attacks. They are designed to destabilise, confuse and destroy critical electronic infrastructures essential to the financial services industry. From a strategic perspective, they can be used as both an offensive and a defensive security mechanism.
  3. Near Field Communication (NFC) – NFC allows two devices within a short distance of each other to exchange data. It is increasingly being adopted by banks to introduce new products and facilitate mobile payments. Customers are susceptible to aggressive avatar-based attacks which rely on advanced digital creation assembled from stolen aspects of an individual’s identity.
  4. Payments technology – Mass market adoption of new mobile payments technologies, such as Apple Pay and Google Wallet, is expected to occur by the end of 2016. Hackers are intensifying their efforts as companies and consumers increasingly adopt these new systems and related fraud cases in the United States are already totalling millions of dollars.
  5. Biohacking – Biohacking applies to advanced techniques that use science and technology to affect human performance and could be a target for radical security breaches. Smart implants will be used for identification and authentication of individuals which include the ability to access buildings and activate mobile phones, in addition to making bank transactions to replace smartphone PIN codes.
  6. Big data and the cloud – In ten years’ time, most of the world’s data will move through or be stored in the cloud at some stage. This is expected to result in more sophisticated data security attacks targeting cloud infrastructures, shifting from device-based to cloud-based botnets, hijacking distributed processing power.
  7. Mobile – 80% of internet connections could originate from a mobile platform by 2025. Industry experts predict that mobile devices will no longer be used to crack a phone code or steal data from a device itself. Instead they will be targeted by cyber criminals as a catalyst for obtaining additional data resources that can be accessed via the cloud.
  8. Bring Your Own Device (BYOD) – Heavily regulated industries are struggling with the risks introduced by allowing employees to bring their own devices. A 2014 survey of financial services respondents by PwC revealed that 44% said employees represented the highest and most likely source of security incidents. This figure is 9% higher than the all-industries average.

Cross adds, “Financial services providers must adapt to the new world and the demands it places on their organisation. Businesses that fail to demonstrate a greater awareness of emerging technological challenges and transform their notion of security could fall prey to damaging breaches.”

Criminals receive 1,425% ROI from Cybercrime
https://www.accourt.com/criminals-receive-1425-roi-from-cybercrime/
Published: Tue, 16 Jun 2015 13:59:25 +0000

Trustwave has released the 2015 Trustwave Global Security Report which reveals the top cybercrime, data breach and security threat trends from 2014.

The report discloses how much criminals can profit from malware attacks, which data they target, how they get inside, how long it takes for businesses to detect and contain data breaches, what types of businesses criminals are targeting and where the majority of victims are located. It also reveals the most commonly used exploits, most prevalent malware families and more.

Figure: Cybercrime compromises by Industry

Trustwave experts gathered the data from 574 breach investigations the company’s SpiderLabs team conducted in 2014 across 15 countries in addition to proprietary threat intelligence gleaned from the company’s five global Security Operations Centers, security scanning and penetration testing results, telemetry from security technologies distributed across the globe and industry-leading security research.

2015 Trustwave Global Security Report: Key Highlights

  • Return on investment: Attackers receive an estimated 1,425% return on investment for exploit kit and ransomware schemes ($84,100 net revenue for each $5,900 investment)
  • Weak application security: 98% of applications tested by Trustwave in 2014 had at least one vulnerability. The maximum number of vulnerabilities Trustwave experts found in a single application was 747. The median number of vulnerabilities per application increased 43% in 2014 from the previous year.
  • The password problem: “Password1” was still the most commonly used password. 39% of passwords were eight characters long. The estimated time it took Trustwave security testers to crack an eight-character password was one day. The estimated time it takes to crack a ten-character password is 591 days.
  • Where victims reside: Half of the compromises Trustwave investigated occurred in the United States (a nine percentage point decrease from 2013).
  • Who criminals target: Retail was the most compromised industry making up 43% of Trustwave’s investigations followed by food and beverage (13%) and hospitality (12%).
  • Top assets compromised: 42% of investigations were of e-commerce breaches. Forty percent were of point-of-sale (POS) breaches. POS compromises increased seven percentage points from 2013 to 2014, making up 33% of Trustwave’s investigations in 2013 and 40% in 2014. E-commerce compromises decreased 13 percentage points from 2013 to 2014.
  • Data most targeted: In 31% of cases Trustwave investigators found attackers targeted payment card track data (up 12 percentage points over 2013). Track data is the information on the back of a payment card that’s needed for an in-person transaction. Twenty percent of the time attackers sought either financial credentials or proprietary information (compared to 45% in 2013) meaning attackers shifted their focus back to payment card data.
  • Lack of self-detection: The majority of victims, 81%, did not detect breaches themselves. The report reveals that self-detection leads to quicker containment of a breach. In 2014, for self-detected breaches, a median of 14.5 days elapsed from intrusion to containment. For breaches detected by an external party, a median of 154 days elapsed from intrusion to containment.
  • How criminals break in: Weak remote access security and weak passwords tied as the vulnerability most exploited by criminals in 2014. Weak remote access security or weak passwords contributed to 94% of POS breaches.
  • Spam on the decline: Spam volume continues to decrease making up 60% of total inbound mail (compared to 69% in 2013 and more than 90% at its peak in 2008), but six percent of it included a malicious attachment or link, a slight increase from 2013.
Industry breakdown of IT environments compromised by Cybercrime

“To defend against today’s sophisticated criminals, businesses must see attacks from their front windshield instead of their rear view mirror,” said Trustwave Chairman, Chief Executive Officer and President Robert J. McCullen. “By providing a wealth of current, actionable data breach trends and threat intelligence, our 2015 Trustwave Global Security Report helps businesses identify what’s coming so that they can engage the people, processes and technologies needed to thwart cybercrime attacks that can generate close to a 1,500 percent return on investment.”

Download a complimentary copy of the full 2015 Trustwave Global Security Report.

Payments bodies to standardise ISO 20022 real-time payments https://www.accourt.com/payments-bodies-to-standardise-iso-20022-real-time-payments/ Thu, 21 May 2015 13:23:43 +0000

Global interoperability of real-time payments systems will require harmonisation of market practices and standards. A group of international clearing houses, banks, vendors, payments associations and other parties have proposed setting up an activity to look at how to deliver this under the aegis of the International Standards Organisation – and set an ambitious target of collating an initial variant of ISO 20022 usage guidelines for real-time payments before the summer.

At a meeting organised by the UK Payments Council a very mixed and wide group of 40-plus representatives of global organisations discussed the issues as they see them, agreeing to work together to identify areas where decisions made at this stage of design and implementation could make interoperability easier to achieve – according to an article first published in Banking Technology.

Real time retail payments system market landscape (Source SWIFT)

The conclusion of the initial meeting was that no new set of ISO messages needs to be developed; any collaborative activity would be a refinement of the existing messages.

“Interoperability between jurisdictions will ultimately be the key to getting value,” said one North American participant, a point that was echoed by another: “Our focus may be domestic but we have an eye on international interoperability.”

Maurice Cleaves, interim chief executive of the Payments Council, said that the intention of the meeting was simply to explore collaboration options: “Collaboration is often the key to success in the development of payment systems, so we are delighted to be facilitating this international dialogue to coordinate around real-time payments. Many countries in the world are still at the early stage of development of a domestic real-time payment system but whilst this is in development it is critical that we have an eye to the future and develop a common standard to enable interoperability. Building this thinking into the requirements at an early stage will ease the adoption by users of systems in multiple countries immediately and smooth the process of interoperability as this becomes a reality.”

All agreed that the timing is pertinent: many jurisdictions are implementing, or actively thinking about, real-time systems. There is a slim window of opportunity to work together “and that time is now”.

Many of those actively implementing are at different stages of development, but are keeping interoperability at the front of their considerations. International compatibility is particularly valuable to multinational banks that have to connect to multiple market infrastructures. The ISO 20022 messaging standard was identified by all as the most appropriate technical standard for real-time payments, and it is unlikely that another would supersede it, but there remain issues with implementation, some of which may be due to genuine local requirements.

“Standardisation should seek to standardise what is common and be a platform for innovation and competition,” said James Whittle, director of industry dynamics at the Payments Council. “ISO 20022 is not about getting everyone to do the same thing: where there is a need for a difference, we have to understand it and when there isn’t we need to work to harmonise. ISO is not a police force. No-one is going to knock on the door and say you are not implementing it properly. It’s more a question of is what you think is unique to your market really unique? If it is, what’s the fastest way for you to implement it?”

This leads to a follow-up question, as phrased by one delegate: “what is the threshold for uniqueness? Absent an understanding of that we might reach an endpoint that is no better than the status quo.”

One participant said that an 80/20 rule applied and implementers should embrace regional difference and accept that these need to continue for legitimate business reasons. There is a desire to develop a system that is flexible and consistent but will cater for regional differences.

Different jurisdictions have taken different approaches to the way they intend to implement RTP systems. In Australia, and other early movers such as Finland, the approach is based on an overlay concept that means creating a backbone on which different banks can build different products – separating the common parts from what is competitive.

Across jurisdictions the connection method for institutions also varies: in the UK there are 12 direct connections to the Faster Payments Service and smaller institutions have to connect through agency or sponsor arrangements with those organisations – a situation that the incoming Payment Systems Regulator is currently investigating, and operators are seeking to work with vendors to improve. Canada has a similar tiered approach, but the 10,000 US financial institutions are not tiered, making connectivity a considerable issue there.

In settlement there are a number of different approaches: the UK has three daily settlement windows; Finland is proposing two different settlement mechanisms – a real-time one for high-value payments and one for low-value payments, which would be batched overnight. The US is completely overhauling its National Settlement System, which will become a 24/7 platform by the end of this year. Australia has opted for line-by-line real-time settlement.

Not all of the issues are technical: how failed payments or payments made in error are recovered differs across jurisdictions. Agreement will have to be struck on overcoming this: “a request for repayment message is the easy bit – how you use it will require a lot of legal work,” said one.

One area where there is likely to be a large degree of divergence is in the type and amount of data that is carried in a message: for most institutions and corporates the addition of remittance data along with payments data may be desirable, but it opens a number of issues. One bank participant pointed out that adding both remittance and payment data in one message could add an unacceptable payload to the message, significantly affecting system performance. “We are very reluctant how much payload we can add to the message – we have a limited amount of time in which to process the messages,” he said.

Adding additional information can place unnecessary strains on the backbone. There is also the question of the type of data: “When Tim Berners-Lee was developing the Internet, he probably wasn’t thinking about cat videos …” observed one participant.

More seriously for institutions, there will likely be anti-money laundering implications in carrying messages without knowing the contents of those messages.

One participant said that real-time payments are largely retail so it is important to look at what data, such as geo-tagging, is being used in that space. “Otherwise we are potentially missing a range of data that will have to be built back in five years’ time.”

All agreed that there was a need for wider involvement in the discussions, including credit card schemes and corporates. “In ISO 20022 we don’t know what kind of data is required or the use cases, we need to work with the card schemes, and we need to understand the needs of the user community. We need to find out what the superset of data actually is,” said one.

The consensus was that this would be best achieved by focusing on harmonisation of the payment messages. It is proposed to “take an inventory of what is being done domestically and then look at the commonality of that”, as one participant phrased it.

Can you turn regulatory and payment scheme compliance into a competitive advantage? https://www.accourt.com/can-you-turn-regulatory-and-payment-scheme-compliance-into-a-competitive-advantage/ Wed, 22 Apr 2015 07:51:52 +0000

Regulatory compliance has long been viewed as a mandatory component and a ‘cost’ of doing business as a financial services provider, whether you are an issuer, programme manager or payment services provider.

However, the regulatory landscape has evolved and while compliance remains a primary focus, there is now an opportunity to gain a larger foothold in the payments value chain and seize a competitive advantage – writes Jamie Merritt, Partner, Accourt – Payments Specialists.

Historically, the ability to become principal members of the payment schemes has primarily been the domain of the traditional bank players. However, as a result of the Payment Services Directive (PSD) and its driving desire to create a broader competitive landscape, opportunities now exist for smaller, more agile organisations and those with bespoke niche propositions to operate in a space usually occupied by the traditional banks. For example, prepaid issuers and PSPs have been able to apply to the FCA for Payment Institution Licences (PIs) or E-money Licences and principal membership of the Schemes, dispensing with the need for a traditional banking partner.

The rationale and potential barriers to enter into this space have been both commercial and regulatory, as access requires both principal membership of the payment schemes and a licence from the FCA. Whilst these remain unchanged, the opportunity to gain a stronger foothold in the payments value chain – and ultimately a greater share of the revenue pool – is worth consideration.

Traditional issuing and acquiring models have focused on a number of key players taking clearly defined roles.  Both prepaid issuers and acquirer PSPs have changed the landscape here, with additional organisations fulfilling both key operational/regulatory roles whilst providing additional value to the end customer. Consequently, there are a number of points to consider, namely:

  1. The regulators and the European Commission are striving towards both greater competition and transparency on the various fee structures
  2. With greater transparency, the quest for value provision to the consumer is paramount
  3. An increase in the number of constituent parts of the payments value chain, whether from an issuing or acquiring perspective, will ultimately result in increased pricing for the end customer.

Therefore, organisations participating in this space – or those that have an appetite to do so – must have the ability to positively address these points. The key question is: how?

Fundamentally, they need a clear and full understanding of the implications associated with both the Regulator and scheme membership and/or accreditation. These implications fall into three broad categories:

  1. Commercial – How can you build a business case that factors in both incremental revenues and the costs associated with regulator and payment scheme approval and on-going management of the business?
  2. Operational – What infrastructure changes do you need to make to your business to demonstrate an understanding of, and compliance with, both the application and day-to-day management of the regulatory and scheme requirements?
  3. Compliance – How can you demonstrate that the written policy and procedural documents are a living, breathing part of the company’s DNA?

It is also imperative to evaluate how responses to these questions will be viewed by a regulator. The FCA has summarised its role as four key functions:

  • Regulation – A supervisory role of the overall conduct of regulated companies
  • Best Practice – Upholding the highest operational and ethical standards
  • Protection – Ensuring customer protection
  • Enforcement – Taking the required punitive action against organisations who fail to meet these standards

The FCA’s overall objective is to drive better consumer protection, greater integrity of the payments system and enhanced customer experience by increasing competition. Consequently, you will need to demonstrate regulatory compliance in line with all the JMLSG guidelines and all legal requirements through both the application phase and on-going management of the day-to-day business.

A similar level of due diligence is also required to support principal membership applications with the individual payment schemes, either as an acquirer or an issuer. The development of the supporting business case is key, both from the perspective of potential collateral requirements and in demonstrating a comprehensive understanding of the compliance obligations and fee structures.

Once you understand the rationale to embark on this journey you will need to work through how to best achieve the desired result.  The reality here is that this is extremely difficult to do well.  A critical factor is the selection of the right partner to assist you with the development of this road map and to help navigate through this extremely complex commercial and regulatory maze.

How Accourt can help:

  • Assist in the development of the requisite supporting business case
  • Develop a risk assessment and gap analysis on the supporting operational infrastructure
  • Review and/or create supporting operational procedural documentation, including all the required regulatory and compliance documents
  • Support and manage the application process to the regulator and provide all subject matter expertise
  • Create supporting documentation for principal scheme membership
  • Manage the application process
  • Provide subject matter expertise and provide support for the scheme risk review
  • Provide subject matter expertise and provide support for the go-live project
