NZ lets its guard down

01 Apr 11

Bill Farmer is a huge Apple fan. He is constantly wowed by the brand’s ability to keep churning boundary-pushing technology, so much so that he runs network management services provider Mako Networks pretty much entirely from his iPad.
Proactive innovation is a strong trait Kiwis boast in equal measure to the Americans, says Farmer, but even though the “we can fix it ourselves” mentality runs through the veins, New Zealanders are “appallingly bad” at finishing things they’ve started.
This toxic trend for doing things half-measure is one Farmer is concerned is spilling over into credit card security, with an alarming 180,000 merchants in New Zealand reportedly still non-compliant with the technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.
The Rugby World Cup (RWC) is knocking at New Zealand’s door, with just 24 weeks to go until kick-off, yet we seem in a weak state to protect the country’s influx of tourists, who are used to superior security, Farmer explains. Credit card fraud is a huge drag on commerce profitability, be it through web-based retail transactions, card ‘skimming’ – where the data stored on the magnetic strip of your credit or debit card is copied through ATM or merchant terminal card insertion – outright card theft, or unsecured merchant networks.
New Zealand Retailers Association Chief Executive John Albertson last year released figures that showed Visa credit card fraud in New Zealand has increased from about $0.04 in every $100 spent, to nearly $0.05 in every $100. Globally, the fraud rate averaged $0.065 in every $100.
Swipe cards are steadily being eradicated in favour of those with an embedded microchip that facilitates chip and PIN transactions. In 12 months’ time it will be illegal for a merchant to accept transactions verified and authorised by signature. April 2012 spells the deadline for all merchants to have fully-installed and activated chip-capable terminals.
Chip technology offers banks and merchants the ability to provide their customers with benefits such as higher transactions, innovations such as contactless payments, plus the opportunity to store information like reward programmes on their cards. The move to chip and PIN was part of a comprehensive seven-point security agenda that includes initiatives to enhance the security of online transactions. Online retailers will be required to capture the three-digit cardholder verification number when processing transactions.
New Zealand is lagging five years behind countries like the UK and Malaysia, which ranks it high on the risk scale as a soft target for international fraudsters. This threat is particularly pertinent given the huge influx of foreign visitors and the subsequent increase in foreign credit cards expected to come ashore in the weeks before, during and after the 2011 RWC.
Chip cards verified by unique PINs have dramatically slashed counterfeit card fraud overseas. The UK introduced compulsory chip and PIN in 2006, resulting in fraud losses at UK retailers falling by 35% between 2005 and 2008. In Malaysia, chip technology was mandated in 2005 and resulted in domestic counterfeit fraud on Malaysian-issued Visa cards being virtually eliminated within 12 months.
Unfortunately, “the majority of merchants in NZ haven’t even got a clue what’s coming,” says Farmer. “At the moment there’s been a big focus for the credit card schemes to become chip and PIN, but that’s only a tiny part of it.”
First comes the complete rebuild of all the banks’ internal systems, requiring every single merchant to have a terminal that accepts chip and PIN. The next wave is total compliance, requiring “all the merchants to understand what their security issues are and to ensure that their networks are fully compliant. The areas where there’s been the greatest amount of fraud – the northern hemisphere – have been targeted first.”
Momentum is gathering in New Zealand, says Farmer, but non-disclosure policies between banks and their service providers could be blamed for fuelling complacency in merchants oblivious to the proliferation of credit card fraud, a mentality Mako Networks is trying hard to flip on its head.
“We’re working with the NZICT group here, which is a government group that is trying to increase the amount of security around the Rugby World Cup. If you look at each of the other major sporting events, there is a much higher degree of fraudulent activity surrounding them, as you’d expect – much like that at the FIFA World Cup in South Africa last year – but you never hear about it because there’s not a lot of disclosure.
“There were four major, publicly notified areas of credit card fraud last year; one from each of the major banks. Nobody even knows who they are. It might have got p3 in the NZ Herald for one day,” says Farmer, frustrated with the hush-hush approach to communicating the real risks.
Mako Networks is channelling energy into its combination of a Customer Premise Equipment (CPE) and a Hosted Central Management System (CMS), which work together to provide a complete network connectivity and management solution for businesses. One of the company’s biggest customers is Telecom, which is providing the IT services at the RWC.
Mako Networks’ international experience stems from its partnerships with a trio of system integration partners in the UK and operations in Australia, Ireland, United Arab Emirates, Saudi Arabia, Canada and South Africa. “All the emphasis that we’ve put on the payment card industry is all starting to come to fruition now, so what we see as the next natural part of the cycle is significantly increasing our presence in the UK, starting a presence in the US and significantly increasing our development capability here.
“We’re the world’s first and only Level One PCI-certified network management service provider in the world. In the last 18 months we’ve employed 20 people. We had a team of 20 people in December 2009/10. That’s grown to a team of 40 odd now. We hope to have 70 people by this Christmas and 300 people in five years’ time,” says Farmer, who recently brought SnapperNet on as Mako’s New Zealand distributor.
“Having a turnkey solution, where you can go out to a merchant and say hey, plug this in and it’s done and it’ll cost you $100-200 a month, is a gift for them.” Software updates, password changes, security keys and network diagrams are taken care of automatically by Mako, so merchants can focus on business.
All retail verticals are at risk of data security breach, says Farmer, giving hospitality as an example. “If you’ve got a bar that’s got 100 people lined up at it, you’re feeding credit cards through as quickly as possible. You need confidence that your network software is taking care of the intricacies of security management. We’re talking merchants in every single vertical in the market, everyone who accepts a credit card; it doesn’t matter if they’re a florist, tiler, reseller, hotel, down-town or high street retailer.”
Research the information freely available through Mastercard and Visa, Farmer advises, and then articulate policies and procedures to staff. “There’s no way that 180,000 merchants in this country can be PCI compliant by the RWC, it just can’t happen. The best that we can hope for at the moment is that at least staff are aware of the type of activity that does go on.
“All retailers have to consider all of the systems that they use, like their POS systems, and locking them down. They don’t have to go updating all their software now (even though to be PCI compliant they do) but if they just get them into an environment that is not on the internet, then that is the next major area.
“Then after that comes degrees of prop compliance across the whole country. Retailers are responsible for it all. At the moment the banks may not charge them, but if they do have a breach they will be responsible for the costs of the forensic examination, the cost of any mitigation, they could even be responsible for the fraud itself, but the main thing is they’ve got major reputational risk. It’s a big deal. The banks are entitled to kick the costs right back out at the merchant.
“If you’re a small business, you’ll normally have some sort of an overdraft, and that is an all-obligations facility. If it was really bad, that flows all the way through to you personally guaranteeing that you’ll lose your house as a result of what happens out there. That’s what could happen. We’re not trying to scaremonger about it, but that’s the reality,” warns Farmer.