Laurie Gablehouse is Principal Consultant, Travel Payment Strategies at Ingenico ePayments.
Could you tell me a little bit about your background?
My background is in airlines. I spent the first 12 years of my career working in the call center and then moved into ticketing. Eventually, I switched to e-commerce in the marketing and distribution planning part of the airline. Then I moved into a role that was a step between technology and marketing, where I built some payment-related processes and systems to support electronic ticketing and better manage how payments were handled by airlines. Once I retired from the airline, I had the opportunity to take on a payments role for GlobalCollect, which is where I’ve been for the last six years.
GlobalCollect is now owned by Ingenico. We started as a Dutch company and were purchased by Ingenico in 2014. Ingenico is a French company, probably better known for its terminals, the point-of-sale devices that you use at retail shops. They purchased GlobalCollect to get a foot in the door of card-not-present sales. The point-of-sale terminals are card-present sales, whereas card-not-present is what we do on the GlobalCollect side of things.
What would you say are the key challenges that organizations face when trying to ensure payment security?
Authentication is the key challenge — trying to connect the card to the cardholder. How do you validate that who you’re dealing with is the person who actually owns the card? That’s where everybody tends to end up.
Early on, card providers like Visa, American Express and so on began providing the CVV — a three- or four-digit code that should only be available to the cardholder who’s looking at the card — as one means of trying to connect the two pieces. In the US, the UK and Canada, you can also do address verification, so you try and validate the address as another piece of information that only the cardholder should know.
However, fraudsters have found a way around all of these methods. You have to try to manage or minimise how much data the fraudster might have versus the cardholder.
Is it important to minimise the amount of data that the merchant holds?
PCI has evolved over the last 10 years or so. The data that all the card schemes put out there to help merchants figure out if the person giving them information in a card-not-present environment is actually the holder of the card — that has evolved to the point where now that data has to be in a place where it’s secure.
This presents an additional challenge because not everyone’s system started out that way. There’s a process of evolution to minimise that footprint if you’re a merchant because there is certainly a cost to security. There’s a cost to managing that risk and ensuring that it is not breached in some way.
Do you think that call center managers or merchants are seeing PCI as a cost rather than a benefit?
In a call center, time is money. They literally measure the number of seconds on every call. If you’re having to take a lot of information over the phone in terms of an address, the CVV, or some additional questions that you’re asking — all of that takes time. They’re interested in doing anything they can to reduce the call time without adding to the risk of fraud. If they can see the value in taking less information while not creating more fraudulent transactions, I think they would want that.
Is there an issue of awareness of PCI DSS in your market? How seriously do organizations take it?
I think they have taken it a lot more seriously in the last three to five years than they did before. Card security is a serious problem. You see examples of breaches in the headlines every day. Social media gives consumers the ability to make brands look bad fairly quickly and fairly easily, and I think that has gotten more attention than anything else. Nobody wants to be in the headlines.
Has GDPR made it more of a headline issue for people?
I think GDPR has been confusing, especially if you’re not in Europe. It’s just not clear what goes into effect when, and what I need to do as a merchant to comply. There are a lot of links in that chain between merchant and personal data. As a merchant, I know what personal data I have and what I should do, but that data will get processed many more times between me and the cardholder’s bank. So the question then becomes who is liable for everything in between? Are you working with systems and processes that are also secure? How can you ensure that the data is also accessible by the person who actually owns it? I don’t know if it’s clear yet how that’s going to be managed.
Are organizations in the US building GDPR into their thinking now?
Absolutely. I think they are very clear that it’s something they need to take seriously — at least the large organizations. Maybe the smaller ones not so much because they think, “I’m in the US so it doesn’t matter.” They don’t realise that because the consumer they’re working with is a European citizen, it touches them.
Because it’s never existed before, you don’t know how others are interpreting it or what your competition is doing. There’s no footpath — you’re blazing your own trail. Taking in the data is one thing — maybe you don’t store it at all, but that seems very hard to do in an electronic age where you’re trying to make things simple by having profiles and having some knowledge of the consumer to minimise the friction of a transaction. You’ve got to also now figure out: “Well, maybe I shouldn’t have any of this data or I have to give somebody access to help me remove that data.” Those systems were never built with that in mind.
Why is it that reading your card details over the phone is still by far the most common way of taking payment when there are other options now?
I would agree that the majority of the time, that’s how it works. I think it’s because of the perception of the cost of doing it differently. Maybe they haven’t looked into that, and they just don’t know there are other options.
It sounds like it’s an education piece, really. That’s where the challenge lies.
Yes. I think on the one level, it’s a simple explanation. Educationally, it doesn’t take long to get that message across, but everything gets hung up on cost and technical implementation. In today’s world, call centers are not as centralised as they used to be. They’re spread across the world in different countries. I think that’s where they get hung up, to be honest with you.
You’re also balancing a certain cost, which is whatever it costs to install this solution against the potential cost of a breach. But the breach is more hypothetical and harder to quantify, whereas the definite cost is what we’re going to have to pay right now to put this in place. It’s like insurance: You’ve got to figure out, “Gee, am I really going to pay for something that may never happen? How much am I willing to pay for that?”