With the EMV-chip card deadline just two months away, Mercury Payment Systems is emphasizing security by providing a reason for its partners to engage in more education and become certified as compliant with the Payment Card Industry data security standard.
Mercury's new Security Pays program certifies participants as qualified integrators and resellers with a three-year renewable credential that puts providers in good standing in the payments industry.
The goal of this initiative is to take the momentum from the EMV migration and extend it to other security techniques that protect a wider variety of payment scenarios (EMV-chip cards primarily protect against the counterfeiting of physical cards).
"Many people are talking about the product of the EMV chip, but we think it is more holistic than that," said Matt Downs, senior vice president, channel-integrated payments for Mercury. The payment processor
In talking to Visa Inc., the PCI council and more than 700 developers, Mercury concluded that current hacking trends called for an accelerated education effort with partners, Downs said. These trends include attacks coming via merchants' links to third parties.
Security Pays raises awareness for those working with smaller merchants by stressing point-to-point encryption, tokenization, Near Field Communication, the inner workings of Apple Pay, and chip-on-chip transactions.
"We open up the hood to go in and enable this technology in a secure fashion," Downs said. "At the second level, it teaches the resellers how to educate and work with their merchants."
Mercury picked up the tab for Security Pays for developers who signed up for the program and took tests during this week's RetailNow tradeshow in Orlando.
Partners can earn up to $10,000 from Mercury by practicing secure behaviors, adhering to standards for remote access to networks, and working with Mercury to deliver various security technologies. The subsidy is designed to fund the security upgrades needed to avoid the shift in fraud liability the card networks plan to impose after the Oct. 1 deadline.
At that time, most merchants unable to accept EMV chip cards would be liable for any fraud occurring at the point of sale (gas stations have a 2017 deadline). But the other security technology highlighted through Security Pays are vital complements to chip-based cards.
Mercury is delivering a security program at a time when smaller merchants are going to become fraud targets because they are generally slower to move to EMV, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"This is a great initiative because awareness of the threat environment and the willingness to address them are still a big challenge in the small and midsize merchant market," Conroy said.
Even though smaller merchants are targets for cybercriminals, better security can often come with simple steps like
"The more players that we have evangelizing the need for stronger security, the better chance we have of better protecting the small and midsize merchants and their data," Conroy said.
Mercury finds that 80% of all breaches affect small business owners, with 60% of those victims losing their business within six months.
"Common attack elements are malware, or remote access, or just poor administration of the actual security product," Downs said. "It is also a case of not leveraging known payment technology, such as point-to-point encryption being readily available in the market."
Mercury will offer the Security Pays program through the end of the year and then evaluate its effectiveness as it plans for its next step, Downs said.
That should be good news for small businesses, which are expected to suffer even more fraud losses over the next few years, said Al Pascual, senior analyst for Javelin Strategy & Research.
With larger merchants already having a significant head start on re-terminalization, the underprepared smaller merchants "will have a giant target on their back," Pascual said.
