Mastercard Flags Out Contactless Technology
Hot on the heels of Mastercard’s Payment Safety and Security Workshop came the sombre announcement by Yahoo that hackers have stolen data from at least 500 million users. Information obtained in the hack may have included names, email addresses, telephone numbers, dates of birth, encrypted passwords and possibly even security questions and answers.
That Malaysia is considered very advanced, globally speaking, in migrating to electronic payments reflects the government and industry’s seriousness in progressing the country’s ICT eco-system. But are the consumers ready? This Yahoo scare has serious implications as a wake-up call to all those fancying online purchases and delivery, where one divulges email addresses, physical addresses, credit card details, age, purchasing history …. these are all a hacker needs to inflict colossal damage.
Well, while one cannot close the gate, one can secure the front door (and back door!) lock. Mastercard’s country manager (Malaysia and Brunei), Perry Ong, together with credit card industry veteran, Peter Gordon, recently conducted the Mastercard workshop specifically to educate the press on its initiatives and advancement in security protection features.
Industry moving towards CHIP and PIN
As we already know, in an effort to boost payment security, Malaysia is moving away from the signature-based system for credit and debit cards to a personal identification number (PIN) verification by 1 January 2017. Malaysian-issued cards would use a six-digit PIN for all transactions except for contactless ones. More about contactless later.
It is reassuring to note that Malaysia was already one of the countries leading the adoption of Europay-MasterCard-Visa (EMV) chip technology about a decade before. Under the EMV system, cardholder account data is encrypted on the card chip in Secure Sockets Layer (SSL) format. The merchant terminal software securely packages the cardholder data off the chip.
“We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”
– Yahoo, 23rd Sept 2016 –
EMV has certainly been instrumental in cutting down credit card fraud over the years. That was a needed “push factor”: recall that in the 1990s, credit card fraud and card cloning were rampant. Still, current statistics from The Nilson Report show there is “US$0.06 lost to fraud in every US$100 spend”.
Now Malaysia is blazing the trail for ASEAN countries to further boost payment security, with CHIP and PIN technology mandated by Bank Negara Malaysia, in both credit and debit cards.
The two-pronged system combines a physical card with a PIN that is known only to the user. A unique security code is generated for each purchase, and each code must be validated to authorise payment.
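The per-purchase code described above, as an added example that is not from Mastercard or the original article: a simplified Python model showing why a copied transaction cannot be replayed or altered. HMAC-SHA256 stands in for the chip's real cryptogram algorithm, and the `Card` and `Issuer` classes, the counter and the message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in; a real chip uses its own cryptogram scheme.
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    """Hypothetical chip: the key stays on the card, only codes leave it."""
    def __init__(self, key: bytes):
        self._key, self.atc = key, 0

    def pay(self, pin_ok: bool, amount_cents: int, nonce: bytes):
        if not pin_ok:
            raise PermissionError("PIN not verified")
        self.atc += 1  # counter moves on every purchase, so codes never repeat
        return self.atc, _mac(self._key, self.atc, amount_cents, nonce)

class Issuer:
    """Hypothetical issuer host sharing the card's key."""
    def __init__(self, key: bytes):
        self._key, self._last_atc = key, 0

    def validate(self, atc: int, amount_cents: int, nonce: bytes, code: bytes) -> bool:
        expected = _mac(self._key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return False  # wrong key, or amount/nonce altered in transit
        if atc <= self._last_atc:
            return False  # code already used: a copied transaction is replayed
        self._last_atc = atc
        return True

def demo():
    key = secrets.token_bytes(16)  # constructed key for the demo
    card, issuer = Card(key), Issuer(key)
    nonce = secrets.token_bytes(4)  # terminal's unpredictable number
    atc1, code1 = card.pay(True, 12_500, nonce)
    first = issuer.validate(atc1, 12_500, nonce, code1)
    replay = issuer.validate(atc1, 12_500, nonce, code1)
    altered = issuer.validate(atc1, 99_900, nonce, code1)
    atc2, code2 = card.pay(True, 12_500, nonce)
    return first, replay, altered, code1 != code2

if __name__ == "__main__":
    print(demo())
```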
About 39 million cards in Malaysia (an estimated 8 million credit cards by end 2016 and 31 million co-badged debit cards by end 2017) will have been replaced with new PIN-enabled cards in the months to come. We are ahead of the United States in implementing this! This is not as surprising as it sounds. The massive cost of changing plastics to smarter plastics, plus getting PIN-enabled credit/debit card terminals with in-built contactless antennae ready at all merchants, can weigh heavily on a bigger nation.
Locally, Mastercard shared that Malaysia is looking to increase card terminals from 220,000 to 800,000 by 2020, our targeted “fully developed nation” status. Contactless will feature in about 30% of all terminals.
Currently, no PIN or signature is required for contactless transactions of up to RM250 in Malaysia. The simplest security feature of a contactless card is the fact that it never leaves your hand. Because you’re in control of the payment, there’s no chance that someone will double swipe or make a copy of your card when you’re not looking. At the point of usage, the user’s name is not recorded, nor does the terminal read the card’s CVV number.
Contactless payments have already landed across multiple geographies. In countries such as Australia, Canada, Japan, UK, Sweden, Turkey, Poland, Taiwan, South Korea and of course, our neighbour Singapore, “wave and pay” has become quite commonplace.
The convenience of contactless in reducing payment queues certainly makes shopping less stressful, but its value in facilitating fast-moving “traffic” situations (e.g. paying and alighting from a taxi) is just, well… slick.
What about online?
The criteria to approve a merchant to accept credit-card payment via an online medium naturally hinges on the security of that merchant’s customer storage systems. Online merchants must adhere to “The Payment Card Industry Data Security Standard” (PCI DSS).
Further to this, the industry has introduced “tokenisation” as another layer of security. Your credit card’s primary account number is swapped for a “token” of arbitrary characters after transmittal to the merchant’s payments processor. Whether the transaction is approved or declined, that token is then transmitted back to the merchant and used to represent the customer (within the merchant’s customer database).
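The token flow described above, as an added example that is not from Mastercard or the original article: a small Python model in which the processor alone can map a token back to the card number, while the merchant's customer database holds only the token. The `Processor` class, the `tok_` format, the approval limit and the customer record are assumptions made for illustration.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Check-digit test applied to a card number before it is accepted."""
    if not pan.isdigit():
        return False
    digits = [int(d) for d in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

class Processor:
    """Hypothetical payments processor: the only holder of the token vault."""
    LIMIT_CENTS = 500_000  # constructed approval rule for the demo

    def __init__(self):
        self._vault = {}   # token -> card number, never sent to the merchant
        self._tokens = {}  # card number -> token, so a returning card keeps it

    def charge_pan(self, pan: str, amount_cents: int):
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        token = self._tokens.get(pan)
        if token is None:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the PAN
            self._vault[token] = pan
            self._tokens[pan] = token
        # The token goes back to the merchant whether approved or declined.
        return token, amount_cents <= self.LIMIT_CENTS

    def charge_token(self, token: str, amount_cents: int) -> bool:
        if token not in self._vault:
            return False  # unknown or forged token maps to no card
        return amount_cents <= self.LIMIT_CENTS

def demo():
    pan = "5555555555554444"  # published test number, not a real account
    processor, merchant_db = Processor(), {}
    token, approved = processor.charge_pan(pan, 900_000)  # over limit: declined
    merchant_db["customer-42"] = {"card_ref": token, "last_ok": approved}
    repeat_ok = processor.charge_token(merchant_db["customer-42"]["card_ref"], 2_500)
    forged_ok = processor.charge_token("tok_" + "0" * 16, 2_500)
    leaked = pan in repr(merchant_db)  # would a merchant DB dump expose the PAN?
    return approved, repeat_ok, forged_ok, leaked, token

if __name__ == "__main__":
    print(demo())
```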
A hint of trends to come
Mastercard’s new Masterpass digital wallet payment system is an example where tokenisation is used, where users can bypass checkout forms during online payments. Greater details will be announced when that roll-out happens in Malaysia in due course.
Another anticipated trend bandied about at the Mastercard workshop was that perhaps the world will see a widespread change from plastics … to embedded chips in e-enabled mobile devices, over and above mobile phones, such as in your watches, etc. And user authentication could change to facial recognition or retina scans.
Cashless is inevitable for the ecosystem, despite the hazards of fraud. The industry is encouraging it. Why? Ultimately, cash can be “non-transparent” … whereas digital data is transparent. Banks have access to greater traceability of monetary flows inside and outside our borders. It is that much easier to track “black money”. For the merchants, handling cash is actually expensive. Don’t underestimate the cost of touching, storing, transporting and protecting cash.
Consumers better be ready to go, literally, cashless.