Market trends related to COVID-19 have shifted the dynamics of retail payment security, both online and in-store. At NRF PROTECT ALL ACCESS, Mohamed Abdelsadek spoke about the growth of contactless payments, emerging security risks and how companies are addressing them and improving the security of payments and transactions.
Abdelsadek is executive vice president of North America services for Mastercard, one of NRF’s Cybersecurity Partners. After the event, NRF spoke with Abdelsadek to get a little more insight into retail payments security.
There has been a significant decline in cyber incidents attributable to point-of-sale malware over the past five years. What is Mastercard seeing in terms of POS cyber threat trends?
The rollout of EMV technology at the physical point of sale has dramatically reduced fraud in what is considered the card-present environment. The cryptograms validated on chip-enabled transactions are difficult to replicate, which not only has reduced fraud in the ecosystem but also has increased the approval rate of physical transactions.
What this means for consumers is lower false declines and a better experience. Having said that, we still experience friendly fraud as well as fraud schemes that expose the least secure terminals or terminals that haven’t yet migrated to EMV technology.
Where we see most of the fraud and vulnerabilities today is in the digital space. Not only are fraudsters able to exploit vulnerabilities on insecure sites, they are able to scale in unprecedented ways. Still, most of the risks are coming from human lack of cyber hygiene, poor passwords, old software, clicking on unsafe links, or emails that open the door to individual or corporate information that leads to breaches and eventually to fraud on payments.
What do you see as the most significant digital threats to the retail industry today? What should companies be doing to prevent these types of attacks?
The most significant threat is coming from fraudsters stealing data. As retailers move more of their operations online, they use third-party vendors that provide different commerce solutions. Each one of those connections, if not secured, could be a potential vulnerability and entry point for fraudsters.
Moreover, the hosting of credentials and personal information — if not treated correctly, and ideally tokenized — would be an asset fraudsters will try to get and exploit. There are also other threats like synthetic IDs, credential stuffing and account takeover.
Another big threat for the retail industry is experiences like buy online, pick up in store that might be opening the door to new fraud schemes that will grow as a consequence of the current environment.
We believe any digital environment should be secured through a layered approach that protects the environment and the customers before, during and after the payment transaction.
We call this connected intelligence, and it is based on the premise of securing the environment without creating unnecessary friction for consumers and enabling a data collaboration approach between merchants and issuers that would allow for higher payment approval rates and lower fraud.
In the recent discussion at NRF PROTECT ALL ACCESS, you highlighted how the shift to contactless commerce has shifted the volume and nature of retail transactions. What are the implications of these consumer shifts in terms of changes to overall cyber risks?
Over the past few months, we’ve seen an increase in contactless payments. Certainly, this reflects the COVID-19 environment. The pandemic triggered a series of significant behavioral changes for consumers, merchants and businesses, which has rapidly expanded contactless preferences.
Between February and March 2020, Mastercard transaction data shows contactless transactions grew twice as fast globally and three times as fast in the United States as non-contactless transactions in the grocery and drug store categories. Contactless is largely being used on everyday purchases — including runs to the supermarket or the pharmacy. In that environment, 80 percent of contactless transactions in Q1 were under $25, a range that is typically dominated by cash purchases.
Contactless transaction technology reinforces the progress made on security with the introduction of the EMV chip. Cards and devices contain an embedded chip and RFID antenna that wirelessly link the card/device and the reader. When the customer taps, account information and a one-time-only code are transmitted from the card or device to the reader to identify that transaction in just a fraction of a second, across that highly secure link.
Many countries have been using contactless payment capabilities much more actively than the U.S. over the past decade. What lessons can we take away from retailers in those countries, both in terms of store operations and the management of cyber risks?
The U.S. market is now dramatically accelerating in contactless adoption. We’ve been seeing consistent and solid increases in contactless spend and transactions over the last few years, which has been accelerating even more rapidly since March 2020.
One of the most important takeaways from other market experiences is the fact that contactless is not only a different way to use a physical card but it’s an overall different payment experience for the cardholder. Contactless promises a tap-and-go experience that provides a secure and faster way to complete a payment. Retailers adopting contactless help reduce friction at checkout.
Contactless uses dynamic security provided by the chip technology in the back end. Tokenization also adds an additional level of security when mobile contactless payments are considered. Increased usage of contactless transactions, due to the replacement of other forms of payments (cash, check, swipe), increases the overall security of the payments ecosystem. As another impact of this replacement, retailers experience improvement in their operational efficiency. This is one big reason why, globally, transit systems and large retailers focus on enabling contactless payments.
Implementation at scale has been a key learning to facilitate meaningful adoption. Ubiquity is a key element of making contactless the trusted default way of payment for a cardholder. Inconsistent payment options across the industry can cause an overall lag.
For example, some retailers are still not offering contactless as an option at checkout, which can be disincentivizing to a consumer. For scale to happen, merchants need to enable contactless and issuers should issue contactless cards. Industry standardization not only helps drive adoption, but also makes for a more secure ecosystem and minimizes cyber risks.
Looking ahead three to five years, what cyber risks should retailers be most concerned about?
The next few years will be critical for retailers to establish a secure digital environment for consumers to interact and shop. While the threats might not be very different to what we are exposed to today, the amount of traffic online and the human factor will be critical to establish a secure digital ecosystem. What that means is being aware of potential cyber threats internal as well as those of third-party vendors and internal stakeholders, creating cyber hygiene programs for employees, protecting credentials and data collected from customers, enabling frictionless secure experiences and collaborating with key stakeholders to enhance decisioning at the point of sale.
Mastercard has been active over the past few years in working with cybersecurity nonprofits such as the Global Cyber Alliance and the Cyber Readiness Institute to promote cyber best practices for small businesses. Can you discuss those partnerships, and what small retailers should know about them?
Small businesses have been one of the hardest hit groups since the start of the pandemic. To support small businesses during this time, Mastercard is helping our partners access cybersecurity resources to safeguard their systems now and for the future.
In April, we announced a commitment of $250 million over five years to support small businesses in the United States and other markets where we operate — this includes giving small business owners access to necessary resources to help protect their businesses and their employees through cyber vulnerability assessments and identity theft protection. Particularly as small businesses are moving online, in turn increasing exposure to cyber threats, these resources will help small business owners understand the vulnerabilities of their systems.
The Global Cyber Alliance is a cybersecurity toolkit specifically designed for small and medium businesses. It’s a free online resource available worldwide and offers actionable guidance and tools with clear directions to combat the increasing volume of cyberattacks. Resourcing small businesses with tools to protect themselves from ever-evolving cyber risks not only strengthens their individual businesses but also supports the health of the entire commercial ecosystem, including governments and larger companies.
Additionally, Mastercard is a member of the Cyber Readiness Institute, which brings together business leaders from around the world and across industries to develop practical and free resources to help small and medium businesses build resilient and robust cybersecurity programs. Not only is the Institute supporting small businesses on a granular level, but the Institute’s investment in cyber programs is improving the security of global value chains on a macro level.