2013: The Year of Making the Payments Industry Not Live Dangerously

The Integrated Retailer had the genuine pleasure of catching up with the chairman and CEO of Phoenix Managed Networks, Jack McDonnell Jr., and UK managing director Alan Stephenson-Brown in London recently.

We were keen to talk to these veterans of the transaction industry to find out how their business has been going since the launch of PaySecure Connect™ (now PhoeniXSentry) at the Retail Business Technology Expo (RBTE) 2012 and what they see ahead for 2013. We were not disappointed.

Phoenix Managed Networks is a secure transaction transport business that gives acquirers, payment processors, banks and retailers worldwide advanced data communications services for transaction-based applications. Phoenix is a privately held payments company established in February 2010 and is backed by the McDonnell Group. Phoenix is headquartered in Reston, VA, in the USA and operates out of a UK subsidiary's offices in Sheffield.

While Jack McDonnell Jr. will admit the global economic environment has been less than favourable in recent years, he has seen many significant developments for the business over the past year: “I’d like to be further down the road than we are at the moment but then every CEO will be saying that in the present difficult economic climate. There is no doubt that the economy is a factor – one of the other things which has been a significant element in taking slightly longer than we thought to gain momentum is the surprising lack of knowledge about security within the retail industry, especially with the smaller establishments.

We are finding ourselves having to do an educational job everywhere we go. We talk to a potential customer and they say: ‘We don’t have any problems with security’, and then you look at their Wi-Fi system, which is not just open to the public but their router is set to the default password and all their PoS terminals are unprotected on the Internet to be hacked into. We and the payments industry at large have an educational job to do.”

McDonnell Jr. also pointed out that getting the correct channel partners up and running in Europe has taken longer than expected, although they are now signed up with Dublin-based Sysnet Global Solutions, a company that provides payment card industry compliance services. However, he is upbeat about the prospects for 2013: “The early adopters for our technology are restaurants and hotels because they all run public Wi-Fi which needs to be protected. In the UK, unlike in the US so far, all of the chip and PIN terminals are Wi-Fi capable running over Ethernet systems so there is a lot of potential for us.

The educational job which we have had to do has surprised us. We have been astonished at how open to attack most Wi-Fi networks are. Businesses running these networks do not seem to understand that as soon as a Wi-Fi hotspot goes up it is a mass point of attack for hackers and when we point out to them how many hacking attacks are actually attempted on the networks they are astonished. They do not seem to understand that the threat is real – no matter how small you are – it’s a matter of simply whether you are a brand or not! Not how big you are – if you are a brand you are going to be under attack and you have to defend yourself.”

He continued: “It is also astonishing how many people think that by purchasing a PCI-compliant bank terminal they are PCI compliant – no they’re not. If the system you plug it into is not compliant then you are not complying and you will get fined a lot of money from now on!”

According to McDonnell Jr., Phoenix’s systems can put retailers in control of their payments environment. He points out that after the Barnes and Noble data breach in 2012, IT security experts said that all retailers would have to track all PoS devices and monitor their environments 24×7: “The fact is that they made lots more recommendations but small retailers do not have IT departments and IT is not their speciality so they feel a bit lost. It’s not their specialism and why should it be – it’s ours.”

The company is making progress in Europe. Last summer Underbelly, the live entertainment company, integrated PhoeniXSentry, Phoenix’s payments security solution. As part of a multi-year agreement the company is using PhoeniXSentry at its site on London’s South Bank and at the Edinburgh Fringe festival as well.

Underbelly has replaced its previous payment systems, supplied by multiple vendors and managed in-house. The Payment Card Industry Data Security Standard (PCI DSS)-compliant data security system is internet protocol (IP) based and manages payments and ticketing data from the payment terminal to bank authorisation.

Alan Stephenson-Brown, Managing Director UK said: “The 2011 report by Trustwave showed 90% of incidents where card data is compromised occur in level 4 merchant environments, typically small to medium sized businesses. Large organisations are better educated, better funded and resourced so are increasingly harder for criminals to target, although not immune as demonstrated by high profile data breaches. It is smaller merchants that are being targeted and the payments industry needs to be helping these vulnerable merchants now.

Regularly speaking to retailers has enabled us to get a better understanding of the traumas that PCI compliance causes them. At a recent Association of Convenience Stores (ACS) conference one retailer told me that the prospect of not being compliant, suffering a breach, and the potential reputational damage that would follow causes him sleepless nights. The possibility of word-of-mouth between customers that their data wasn’t secure with him would be crippling to his reputation – even now without a legal obligation to report it.

“Others are overwhelmed by the complexities of achieving compliance. Another retailer recently asked me about a letter he had received from his bank informing him that he wasn’t PCI compliant and should he not rectify this he would be penalised – they had no idea of the full implications of PCI compliance, how important it is and the severe financial impact to their business, should they suffer a data breach. The reality is they are not alone, far too many businesses take far too few steps towards adequately securing their payment and non-payment systems.

The new European Data Protection Regulation due in 2014 will give the card schemes additional back up to enforce the fines which are presently seen as hollow threats; this is a step in the right direction but there needs to be another message alongside it.

It needs to be clear that best practice security measures for the payments environment are good business and will go a long way to protecting a business holistically. It shouldn’t be treated as a task where a merchant does as much as they are obliged and no more. Too many merchants are unaware of their obligations to PCI DSS or demonstrate apathy towards the risk they are susceptible to by not adhering to these measures.

Merchants found in breach of PCI can be fined £1000s per card breached – it takes minutes to steal thousands of card details electronically; the ramifications for a small business can be crippling. This is not necessarily the fault of the small merchants who were not the initial focus for the PCI council following the inception in 2004 of the Payment Card Industry Data Security Standard (PCI DSS).

This is something which Phoenix as a security vendor is tackling head on by investing heavily and embarking upon extensive research and development to get the right product to help protect smaller merchants. Phoenix is reaching out to smaller merchants via trade bodies such as the Retail Motor Industry (RMI) and the Association of Convenience Stores (ACS), educating them on payment security and correcting some of the misconceptions surrounding internet security and PCI compliance.

Phoenix is doing this not just because it helps the business, but because after a collective 200+ years’ experience of its management team in payments it can see that something needs to be done. More people are transferring to IP for their payments needs, and with this cyber criminals have ever more opportunity to strike, and are targeting smaller retailers now. We believe the industry should be doing the right thing by the smaller retailer so they are better protected.

Security can’t be achieved through regulation and enforcement alone; it needs to be adopted as a culture in business with all parties including banks, acquirers or merchants adopting a collaborative approach to help themselves and their customers. Only once this is achieved, McDonnell Jr. says, will payments be truly secure and the payments industry not be living dangerously.

Phoenix Managed Networks will be exhibiting at RBTE at stand 752.