Collective security was first formally introduced by the Peace of Westphalia in 1648, a series of treaties that put an end to a number of wars that had been plaguing Europe.    Very simply put, collective security is an arrangement in which all stakeholders agree that their security depends upon the security of each of the other stakeholders.  As a result, the collective agrees to act in concert to address any threat to any member of the community.  In addition, each member agrees that it is equally committed to the collective peace and will act to protect any member of the collective against the aggressive acts of another party.  The collective also agrees to present a united force that would be sufficient to deter antagonists from attacking any member of the community, lest they provoke the entire community. Lastly, and perhaps most importantly, each member of the collective agrees that it will subordinate its own interests to that of the greater good.  The United Nations and NATO provide examples of collective security in practice.  With this definition in mind, though, can one describe the current state of affairs in the payments industry as one of collective security?  Let’s break it down point by point.

Agreement that the security of any one member of the community impacts the security of all other members.

It seems that we’ve agreed that there are weak links in the chain.  For example, it is commonly agreed that a processor or merchant that does not adequately protect data might put that particular transaction chain at risk, but it seems debatable as to whether the industry at large believes that the insecure systems of Merchant A pose a risk to the security of Merchant B.  Again, a principle component of collective security is the impact of one on the security of all.  What is not debatable is the financial chain – a breach means a showering of fines from the card brands to the acquirer to the merchant or service provider.  In that respect, a breach of one entity can have an impact on many.  In fact, this phenomena is so well recognized that the industry has developed tokenization as a means to mitigate risk to the merchant, and subsequently to the acquirers. If the merchant cannot be compromised, the acquirer cannot be fined.  So while we can’t agree that lack of security may be contagious – one insecure merchant leads to another – we can agree that the butterfly effect of a breach can be far-reaching.  It is in everyone’s interest, then, to secure data.

Agreement that the collective will act to protect any member of the community against the aggression of another party.

This is a controversial point, but I will play devil’s advocate here.  It can be said that the card brands, in recognizing the growing epidemic of card data breach and its repercussions, recognized the need to protect the industry at large by adopting a minimum standard of data protection for those that come into contact with payment data.  I know that some will say it is more of a self-serving move, a risk management program for the brands, but consider for a moment the action in terms of collective security.  Very few companies initiate security measures out of altruism.  Most need to be incented, to put it nicely, into adopting something that has very little tangible ROI.  In this instance, could it be said that the implementation of the PCI DSS was to protect community stakeholders from the aggression of data thieves?  And how about tokenization and P2PE?  Recognizing, perhaps, that merchants (and in particular small merchants) may have difficulty in protecting large volumes of data, many companies began offering technologies that would protect merchants, back office providers, application providers and others, from data thieves.  In this respect, could the adoption of standards and new technologies be said to taken in the interest of protecting the industry against aggression?

The collective will present a united front to deter aggression.

Even assuming agreement on the first two points, it is here that the notion of collective security begins to break down.  While the industry has adopted new technologies and standards to protect against data thieves, very few operate under the illusion that this adoption is a sign of absolute accord on the best way to address data security.  The industry has fragmented into a very “us against them” mentality, with fault lines cropping up on a seemingly regular basis.  There is little agreement as to whether the standards or the technology are sufficient protection and many feel that there is uneven adoption and enforcement.  Such fragmentation hardly presents a united front, and frankly there is little evidence that a united front actually would deter the aggressors in this instance.

Each member will subordinate its own interests in the name of the greater good.

I’m not sure that we need much discussion on this point.  In a capitalist market it is unreasonable to expect any organization to subordinate its interests (profit, revenue, shareholder value) in the interest of the greater good.

So in the final analysis, while it is good for all stakeholders in the industry to secure cardholder data, it can hardly be called an exercise in collective security, in the true sense of the word.  That being said, the notion of collective security is something for which we should strive.  More dialogue, information exchange and education can only help in that effort.

While we celebrate the beginning of summer with barbeques, trips to the beach, and gatherings with friends and families, I hope that we can all take a moment to think about the sacrifices that have been made so that we can enjoy our freedoms.  In honor of Memorial Day, I’d like to just offer up some quotes that I think are appropriate on this day.

We cherish too, the Poppy red
That grows on fields where valor led,
It seems to signal to the skies
That blood of heroes never dies.

-Moina Michael

Today is the day we put aside to remember fallen heroes and to pray that no heroes will ever have to die for us again. It’s a day of thanks for the valor of others, a day to remember the splendor of America and those of her children who rest in this cemetery and others. It’s a day to be with the family and remember. – Ronald Reagan

The greatest glory of a free-born people is to transmit that freedom to their children. -William Havard

I went to bed that night convinced that I had shared an informative and helpful link to my colleagues.  The next morning, my sister-in-law informed me that this is what I had shared instead:

Now, I’m certainly not shy about my penchant for the Muppets, or my Queen fangirl status.  However, I remember thinking, “That’s how easily I could compromise my own privacy and that’s how easily a mistake could compromise a company’s data security.”  I didn’t check the link that I was copying to my Twitter feed.  What if I had been browsing my medical insurance coverage or my stock trading site and accidentally shared that instead?  What if I had been at work and clicked on an email attachment that resulted in a trojan that infected the corporate network.  We can be one-click away from disaster and diligence is a must on both a personal front (at some point we have to take some responsibility for our own privacy) and on behalf of our companies.

It’s no secret that people are often the weakest link in security and in privacy (think hospital employees checking on celebrities or employees transferring customer databases to a laptop to work from home).  But we often forget that we can be the weakest link in our own privacy.  Just some food for thought today…

I don’t say this to make light of the PCI DSS.  I truly believe that the implementation of a consistent standard has been good for the overall security posture of the industry.  However, it does seem that in some cases the media and the analysts use the PCI DSS as a whip with which to beat companies that have been victimized by a breach.  Case in point – commentary from a Gartner analyst regarding the breach in question: “The bit that caught my attention in this letter is that credit card information was exposed.  There are really only two scenarios that would allow the actual card numbers to be stolen: either from a database on the back end, which means the retailer was in violation of PCI-DSS, or the hacker could have launched something on the site to get the numbers after they were transmitted.”  A statement like this is needlessly inflammatory and accusatory.  Anyone that has been working in PCI DSS knows that there are endless methods that can be used by hackers and data thieves to expose cardholder data.  To say there are just two ways for this to happen is presumptive to say the least.  We may yet find that the merchant was non-compliant, but it is not the place of anyone – journalist, analyst or infosec consultant – to speculate on the cause in such a public manner before the facts are out.  The only impact that can have is to inflame opinion against the merchant.

The tendency to blame the victim in information security in general is troubling.  Why aren’t we blaming the criminals?  Yes – all  companies have a duty to take a due standard of care with consumer data, and that includes compliance with industry standards like PCI DSS.  Until we know that the company failed to do so, however, the guilty verdict is premature.

Aggregation – Just a few years ago, this was a dirty word in the payments industry.   Aggregator status was exceedingly difficult to attain and at least two of the major card brands discouraged the notion entirely.  Now, however, those card brands have reversed their position and have opened the possibility of the aggregator payment model to the industry at large.  This allows processors to cut their costs, but brings with it challenges of its own – sub-accounting, liability and portfolio management to name a few.

Specialty Bank Charter – Georgia recently passed a law that would allow an ISO to own its own sponsor bank.   According to this article in Digital Transactions, the law could have far-reaching implications, allowing ISOs to significantly lower their costs.  This gives rise to the possibility of an exceedingly competitive acquirer to emerge.  The Digital Transactions article provides a great analysis of the law and its potential impact.  Is it likely that other states will follow?

Revolutionary Approach to Marketing – On this point, I imagine that I will get some push-back, but I believe that Square’s technology is the least revolutionary aspect of the company.  What the company did that really transformed the payments industry was not introducing the audio-jack card swipe, but introducing B2C marketing to a traditionally B2B industry.  Square has challenged everyone to step up their game with respect to brand recognition.  Consumers know the name Square – how many other payment processors can say the same?

These are just a few of the changes that I’ve noticed over the last 12-18 months.  It would be interesting to hear from others about these changes, and others that are currently impacting our industry, or that are likely to do so in the near future.

]]> http://www.drheathermark.com/2012/05/02/changes-in-attitude/feed/ 0 http://www.drheathermark.com/2012/05/02/changes-in-attitude/ http://feedproxy.google.com/~r/drheathermark/SCOB/~3/ubLC1bmp-qs/ http://www.drheathermark.com/2012/04/16/mobile-commerce-minority-report/#comments Mon, 16 Apr 2012 00:39:22 +0000 hlmark http://www.drheathermark.com/?p=200 “You contain information. I need to know how to get at it.” – John Anderton, Pre-Crime Officer; Minority Report

Therein lies the essential question of mobile commerce.  In 2002, a movie called Minority Report hit the box office.  The premise of the movie was that the Pre-Crime unit was able to “see crime” before it happened, thereby preventing the act before it even occurs.  “There hasn’t been a murder in six years. The system, it is perfect.”  The key to mobile commerce is just that concept, but applied in reverse.  We want to know what the consumer is likely to do and encourage them to do it.  We analyze mobile behaviors, locational data, shopping activity, status updates, friendship requests and any other bit of data that can help predict consumer behavior and then develop applications that can help to enable that behavior.  I recall watching that movie in the theater and watching John Anderton (the main character) walk through the mall while personalized advertisements vied for his attention.

It was an interesting scene, one that hearkened to the idea of “big brother,” though in a not entirely threatening way.  It seemed to introduce the idea of personalized advertisement in way that could enhance the consumer experience. Seen in this futuristic example, the idea seemed far off.  But look at what we’re doing now with mobile commerce.  We can now link our social networks to our payment methods to get personalized, extremely targeted advertising and messaging.

What’s interesting to note is that consumers have a sort of sliding scale of “acceptable privacy.”  The “Consumers and Convergence” report by KPMG demonstrate that consumers are willing to share their online and behavioral data, provided they get something of value in return – discounts or services.  If they don’t see a quid pro quo, consumers are more likely to see behavioral tracking as an infringment on their privacy.  Fortunately, this seems to be a place in which the need of retailer and service providers to encourage adoption merges nicely with the self-interest of consumers seeking greater value.

Mobile payments today pose a number of interesting conundrums for acquirers and ISOs, not the least of which center around risk and fraud.  Last week, I had the good fortune to attend and participate in the Merchant Acquirers’ Committee meeting in Las Vegas.  Not surprisingly, many of the conversations in which I was involved centered around managing and monitoring fraud among mobile merchants.  The topic of using geo-location as chargeback protection certainly came up.  Imagine if a payment company was able to leverage a tool like Girls Around Me, demonstrating that Facebook or foursquare users were in the immediate vicinity of the merchant at the time of the purchase.  Would we be up in arms about the invasion of privacy, or would we be commending ourselves for the innovative solution to a difficult problem.

This topic is interesting on a number of levels.  As a privacy professional, one should be aware of the impact of technology not only on our behavior but on our very definition of privacy.  Technology has rendered privacy something of a  moving target.  What is considered an invasion of privacy in one setting (aggregating data of individuals nearby and broadcasting it to other smartphone users for purposes of introduction), might just as easily be considered an innovative way to solve a difficult problem if applied differently.  Similarly, consumers shift their own privacy definitions according to the context.  If the technology behind Girls Around Me were used to notify people of nearby registered sex offenders, would the level of outrage be the same?

As a payments professional, the interest lies in finding the right balance.  Mobile payments are changing the way merchants do business and the way consumers pay.  The payments industry has to devise a way to ensure that both of those constituencies are protected from fraud.  Perhaps leveraging the technology of social networks and marrying that to mobile payments is the answer.  However, it is a fine line to walk for everyone involved.  Where does protection and better service cross the line into invasion of privacy?

It is interesting to watch the mobile payment space evolve.  Over the last two years tremendous progress has been made in offering merchants new levels of mobility.  The most prevalent at this point are the mobile card readers.  It’s also been interesting to watch the Wallet Wars unfold.  It is generally accepted that in order to spur customer adoption, the application must provide significant value add to the consumer.  Loyalty programs, discounts, reward points, up-to-date messages and information as well as a payment vehicle must all be provided in this one-stop shop.  What is not so readily accepted is the definition of a mobile payment.  Since the definition of “payment” is fairly cut and dry, it seems obvious that the controversy (though admittedly, I may be the only one that perceives any controversy) surrounds the use of the term mobile.

 As defined by Merriam-Webster, mobile means “capable of moving or being moved.”  In the world of payments, this can be taken to mean an extension of the POS – that one does not need to approach the retail counter in order to make a payment, nor does a merchant need a retail counter in order to receive a payment.  In applying this definition to NFC payments, there seems to be a disconnect.  The POS and the retail environment seem to be necessary components to this flavor of “mobile” payment.  NFC may truly be a contactless payment – no card needs to be swiped- but it is not a mobile payment. In my estimation, mobile payments and offline to online commerce are intricately entwined.  The goal is to find customers in the virtual world and bring in to real-life stores, converting the online browser to the real-world shopper and building customer loyalty in the process.  Another key component of mobile should be the concept of remote ordering.  A customer should be able to order and make payment on the go in order for a payment method to be considered mobile.  NFC requires the customer be present in the store.  There is no O-to-O commerce or remote ordering involved in the process.

This should not be taken as an attack on NFC by any means.  The payment infrastructure will surely see major changes as a result of the adoption of NFC.  Visa, VeriFone, Google, and ISIS are among just a few of the major companies that are banking on mobile (no pun intended). NFC will become, and already is, a force to be reckoned with in the payments world, if for no other reason than the attention it has garnered. However, the semantic confusion over the terms “mobile” and “contactless” can cause significant confusion for merchants as they devise and deploy mobile strategies.  The involvement of a mobile phone itself does not make it a mobile payment?  Or does it? How would you define a “mobile payment?”

I had a conversation today that drove home one of the essential challenges of many businesses.  That challenge is in encouraging technological innovation while protecting consumer privacy.  As Earl Warren aptly pointed out in 1963, the advent and rapid evolution of technology has fundamentally changed the role of privacy in the modern world.  One can argue, and several have, that there is no privacy in the digital age.  In the late 1990s the then-CEO of Sun MicroSystems , Scott McNealy famously declared “privacy is dead, deal with it.”  But the notion that privacy is dead oversimplifies the matter.  The fact of the matter is that the definition of privacy, and the individual expectation of privacy, has evolved significantly.  That is not to suggest, of course, that individuals are at ease with the notion of large companies, or any company for that matter, sharing the information, but individuals have a far more nuanced definition of privacy than they did twenty, ten, even five years ago.

Privacy can no longer be defined as simply “the right to be let alone.”    Privacy today has not only to do with issues of being able to live one’s life as one sees fit without intrusion from authorities or overzealous paparazzi.  Today, issues of privacy revolve around the practices of collecting data, sharing data, using data, securing data, and finally disposing of data.  Additionally, privacy encompasses the ideas of notice and consent.  In addition to the transformation in the way that privacy is defined, the awareness of privacy issues today has grown significantly.  Everyone from consumers to technologists are aware of practices that might compromise the privacy of the individual.  Organizations dedicated entirely to the protection of consumer privacy have become forces to be reckoned with on a regulatory level.  Witness EPIC’s involvement in Google’s recent FTC enforcement action.  EPIC, the Electronic Privacy Information Center, is active in protecting consumer privacy and in lobbying government to ensure “fair” practices on the part of business.

In this environment, it is easy to assume that technology advocates and privacy advocates are inherently and irretrievably at odds.  On the contrary, however, not only can the two work together, but it is not uncommon to find both technology and privacy being advocated by the same person.  I often find myself in this position.  One does not have choose sides in this debate.  There is room for common ground.  Working toward a common goal, which is to create technology that is trusted, privacy advocates and technology advocates can create a paradigm in which both technology and privacy can evolve.  Far from being dead, privacy is alive and well and it can be married with technology in a manner that allows consumers significant functionality while protecting their privacy.  As Michelle Dennedy, Chief Privacy Officer for McAfee, elegantly stated:

“I do not think it is hopeless.  Just as you shouldn’t ‘just get over it’ and eat Big Macs for the rest of your life, you shouldn’t just get over it, and not have good identity management, and not have good policies, and not consistently train, and try to comprehend data flows for new technologies. It is a never-ending struggle, and like life, it is going to continue until the end of interaction. So privacy is alive, and we are going to keep it alive. Whether we decide to have a healthy, robust, respectful discussion on data, or whether we decide to just let the hackers of the world have at it, and let the politicians and powerbrokers of the world steal it, that’s ours to choose or lose.”

The moral of the story here, at least to me, is that one doesn’t have to choose between technology and privacy.   Intelligent innovation can allow companies to create technologically innovative products that work to protect consumer privacy, or at the very least, products that don’t erode consumer privacy.  Privacy is not dead, but it is evolving and technologists will need to make a conscious choice to include privacy considerations in the development lifecycle.  This allows companies to continue their innovative process while earning the trust of their consumers.