The Mess that is Credit Cards

Blake Laufer
Chief Technology Officer
T2 Systems, Inc.
Today’s Roadmap

- Defining the Mess
- Alphabet Soup
- Operational Options and Risk
- Alternative Payments

Motivation

- Credit Card associations are concerned!
  - Fraud
  - Identity Theft
  - Business Model
- In 2005…
  - Fees collected from merchants: $48.6 billion
  - Average fee 2.2% per sale for Visa and MasterCard

An Unprecedented Event

- December 2006: Visa holds a Payment Application Vendor Conference
- 83 companies attended
- 11 companies from the parking biz (listed on the slide):
  Complus Data Innovations, Digital Payment Technologies, Federal APD,
  Hamilton Manufacturing, IntegraPark, Parkeon, Scheidt & Bachmann,
  SKIDATA, T2 Systems, VenTek, Zeag USA
- John Van Horn arranged meetings before and after the VISA conference
  for the parking industry attendees

Who’s Who in the Zoo?

[Diagram: Card Association at the top; Issuer and Acquirer below it;
Cardholder and Merchant at the bottom]

Transaction Authentication

[Same diagram: Card Association; Issuer and Acquirer; Cardholder and Merchant]

How the Benjamins Move

[Same diagram: Card Association; Issuer and Acquirer; Cardholder and Merchant]

Today’s Roadmap (section: Alphabet Soup)

Most Common Acronyms

- CISP, SDP, DSOP, DISC
  - Individual security programs from Visa, MasterCard, American Express,
    and Discover. These have mostly been replaced by PCI DSS, however the
    terms are still floating around.
- PCI DSS
  - Payment Card Industry – The association created by Visa, MasterCard,
    American Express, JCB, and Discover to set industry standards.
  - Data Security Standard – The “digital dozen” items associated with
    providing data security.

YAA (Yet Another Acronym)

- CVV2
  - Card Verification Value – This is a 3 or 4 digit number used for fraud
    prevention. It’s printed on the card, but not found in the mag-stripe.

More Acronyms (Payment)

- ACH
  - Automated Clearinghouse – An inter-branch banking standard for handling
    large batches of small transactions.
- HTTPS
  - Hypertext Transfer Protocol (Secure) – The technology used to ensure
    web page data can’t be snooped.
- Gateway
  - Not an acronym, but a common term. It is the software or application
    that talks to a processor.

Even More Acronyms (Security)

- AVS
  - Address Verification System – A system to ensure that the cardholder’s
    provided address matches the one on file.
- PABP
  - Payment Application Best Practices – Guidelines to assist software
    developers and vendors to create secure payment applications.
- QSA
  - Qualified Security Assessor – Any company approved to provide
    certification of PCI DSS compliance.

Today’s Roadmap (section: Operational Options and Risk)

PCI DSS Compliance

- PCI DSS (Payment Card Industry Data Security Standard) is a combination
  of two things:
  - the software used for transaction processing, and
  - the merchant’s supporting network and environment.

PCI Compliance Elements

1. Build and maintain a secure network
2. Protect card holder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

Your Payment Gateway

- What is a Gateway?
  - Merchant chooses gateway software to connect one (or more) Acquirers
- Authentication Options:
  - Dial-up (phone)
  - Dedicated line (phone)
  - Cellular data (wireless)
  - Internet (agnostic)

[Diagram: Merchant – Gateway – Acquirer]

Payments

- Card Present versus Card Not Present
  - Card-not-present is considered at higher risk of fraud, so it carries
    higher fees
- Signature Requirement
  - New rules allow transactions under $25 (and card present) to be
    processed without a signature.

Three Elements of Authentication

[Diagram: Something you HAVE, Something you KNOW, Something you ARE]

- Any one of these alone is thought of as “weak” security.
- Two (or more) are considered “strong” security.

CVV2: the Good, the Bad, and the Ugly

- Good
  - A CVV2 code is a way of trying to ensure “something you know” in
    addition to “something you have”.
- Bad
  - You only have the “something you know” when you have the “something
    you have”. So is it really a second security element?
- Ugly
  - Fraudulent web sites collect and save this data anyway, and sell it on
    the open market.
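
Keeping CVV2 out of storage (the “Ugly” point above) and the PCI element “Protect card holder data”, as an added example that is not part of the original slides; the rules it encodes (no sensitive authentication data persisted after authorization, PAN shown as first six and last four digits at most), the field names and the sample record are my assumptions:

```python
"""Added example (not from the original slides): enforcing "Protect
card holder data" before a transaction record reaches storage.

Assumptions (mine, not stated on the slides): PCI DSS forbids storing
sensitive authentication data (full track contents, CVV2, PIN) after
authorization and allows at most the first six and last four PAN
digits to be shown. Field names and the sample record are constructed.
"""
import re

# Sensitive authentication data: must never be persisted after authorization.
SENSITIVE_AUTH_DATA = ("cvv2", "track1", "track2", "pin")

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def sanitize_for_storage(record: dict) -> dict:
    """Return a copy that is safe to persist: SAD dropped, PAN masked."""
    clean = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_DATA}
    if "pan" in clean:
        clean["pan"] = mask_pan(clean["pan"])
    return clean

def find_violations(record: dict) -> list:
    """Audit a stored record: report any SAD field and any unmasked PAN."""
    problems = [f"stored {k}" for k in SENSITIVE_AUTH_DATA if k in record]
    pan_digits = re.sub(r"\D", "", record.get("pan", ""))
    if re.fullmatch(r"\d{13,19}", pan_digits):
        problems.append("unmasked pan")
    return problems

# Constructed sample: what a gateway holds while authorizing (test PAN).
AUTH_REQUEST = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/09",
    "cvv2": "123",
    "amount": "2.50",
}

if __name__ == "__main__":
    print(find_violations(AUTH_REQUEST))          # ['stored cvv2', 'unmasked pan']
    stored = sanitize_for_storage(AUTH_REQUEST)
    print(stored["pan"], find_violations(stored))  # 411111******1111 []
```

Running find_violations over records already in a database is the detection side: any hit means sensitive authentication data or a full PAN was written where the slides say it must be protected.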
Biometrics? No thank you!

- Biometrics
  - Using finger and palm prints, retina and voice scanning, facial and
    gait recognition…
- Problems:
  - Not all biometrics are unique (example: twins have the same
    fingerprints)
  - If compromised your biometric is invalid forever – and you can’t
    change it!

Today’s Roadmap (section: Alternative Payments)

Credit Card Competition

- The weaknesses of credit cards are creating opportunities for
  competitors:
  - Micropayment Aggregators
  - Pay-by-cell
  - PayPal
  - Smart Cards, RFID, and “e-Wallet”

Micro-payment Aggregators

- Aggregators attempt to group payments together to reduce transaction fees.
- Advantages
  - Reduced transaction fees
  - Parker access to payment history
  - Loyalty program
- Disadvantages
  - Only provides value when there are multiple transactions on the same
    card within a given time
  - Slight delay in settlement

Pay-by-Cell (PbC)

- Advantages:
  - Augments usage of existing single-space meters (and other metering
    devices)
  - No additional cost to the parking office to implement this offering
    (PbC company usually provides the signage and advertising).
  - Works with multiple zones, rates and tariffs.
- Disadvantages
  - Completely dependent on real-time wireless handheld enforcement.

PayPal

- PayPal is the standard for “Internet” money.
- End of 2006 there were 133 million accounts (most active)
- PayPal processes more transactions annually than American Express!
- How PayPal works:
  - Online customer creates an account, puts money in the account using a
    credit card.
  - Money is drawn from the account as the customer makes purchases online
    (or can draw off a credit card).
- Recent expanded offerings:
  - Send money online
  - Text to Buy
  - Online debit card

Smart Cards, RFID, and e-Wallet

- Smart Cards
  - Though capable of so much more, these are primarily being used as
    electronic wallets.
  - Money is “loaded” onto the card electronically and debited with each
    use.
- RFID tags are unique identifiers associated to a user’s account…
  - PayPass
  - SpeedPass
  - E-Z Pass

Questions

Thank You!