Thursday, December 24, 2009

Interview with VeriFone's Tony Saunders, Marketing Director for NEMEA

The Grocery Trader conducted an interview with VeriFone's Marketing Director for Northern Europe, Middle East and Africa (NEMEA). Here is what he had to say:

Operating in over 100 countries worldwide, VeriFone is the global leader in secure electronic payment systems and for the past 30 years has excelled in providing solutions, services and expertise that enable electronic payment transactions and value-added services at the point of purchase. VeriFone’s solutions incorporate existing and emerging technologies, comply with global security standards, and take advantage of the latest connectivity options. Tony Saunders, VeriFone’s Marketing Director for Northern Europe, Middle East and Africa (NEMEA), spoke to The Grocery Trader.

The Grocery Trader - First of all, Tony, to set the scene, what do your different electronic payment technologies do, in non-technical terms?

Our solutions provide a secure method of taking electronic payments at the point of sale. At a grocery retailer, that can be at the checkout lane, self-service kiosk or pay-at-pump. We provide the hardware - such as PIN pads and contactless readers - together with payment software, and sometimes the back-end software and infrastructure. Individual retailers use our products differently: many take our PIN pads combined with our enterprise software solution, PAYware Merchant, for card authorisation and settlement.

GT - What card processing devices and applications do you supply ‘in the box’, and how do they interface with retailers’ existing EPOS systems?

We offer many kinds of payment solutions. Our most popular PIN pad is the Vx 810, which is available with an optional contactless module. With the Vx 810 we provide an API that talks to a retailer’s POS device. We also have an extensive software solutions portfolio for card acceptance, card management and adding value. These products include PAYware Merchant, PAYware GiftCard, PAYware Prepay and PAYware Link, our payment integration middleware solution.

GT – How do you service the needs of the different kinds of retailer?

We work closely with all of our retail clients to provide customised advice, service and support. When first meeting with a prospect we take a consultative approach, learning from the retailer their key pain points with regard to the payments process and how VeriFone can help. And the relationship doesn’t end with the sale – we meet with our retailers regularly to help them optimise their systems and streamline operations. On staff we have technical experts in petro, security, software, retail, unattended and more! There is someone available to help with any kind of problem.

GT - What proportion of UK payment card transactions involve your technologies?

The total UK POS footprint is 800-850,000 devices, and VeriFone has a majority share of that install base, making us number 1 in UK retail.

GT - What different card payment types do your solutions cover?

We cover debit and credit EMV cards, loyalty cards, pre-paid gift cards, e-top up, contactless cards and fuel cards.

GT - What industry standards are your products and solutions made to?

VeriFone has more PCI (Payment Card Industry) approved products than any other payment technology vendor. Every card accepting system in the UK must also meet Common Criteria, mandated by the UK Cards Association. Again, we have more UKCC approved products than any other vendor. We take security very seriously at VeriFone.

With the deadline for PCI compliance fast approaching, many retailers are struggling to keep up. Being non-PCI compliant can open up a retailer to expensive fines or legal woes if a data breach occurs. To help with this, we recently launched VeriShield Protect in the UK. VeriShield Protect is an end-to-end encryption solution, where cardholder data is encrypted at the exact instant of card acceptance and kept encrypted throughout the entire enterprise. The burden on the retailer is significant; if they don’t have an encrypted solution, they will need additional processes and checks and balances in place to maintain the security of their retail environment. VeriShield Protect mitigates many of these costs and avoids much of the expense of maintaining PCI compliance.

GT - How has VeriShield Protect been received?

We’ve had a lot of interest. VeriShield Protect is the only true end-to-end encryption product available - because we encrypt data at the hardware level, not the application level. Encrypting at the application level is too late: a fraudster could intercept cardholder data as it travels to the POS. VeriShield Protect is also the only commercially deployed solution that meets all of Visa’s best practices for data field encryption. Another valuable USP for us.

GT - Do your technologies stop hackers accessing people’s accounts?

If the merchant allows their database to be accessed, card data can still be stolen, but with VeriShield Protect the card data is encrypted, so it’s completely useless to fraudsters.

GT - Does this extra security slow down the processing of transactions?

The encryption takes just milliseconds, so it doesn’t slow things down. The consumer and the merchant won’t notice any difference.

GT – How long does it take for a retailer to see a return on investment?

Retailers need to weigh up the cost of achieving and maintaining compliance with PCI DSS and addressing breaches, plus the cost to their brand reputation. Security should not be treated lightly. Our fees for VeriShield Protect depend on the size of the retailer, number of transactions and whether they want to retain ownership of their decryption - but for what the retailer gets in return, the costs aren’t onerous.

In the security section of there is a calculator based on the US card schemes, showing the cost of a card breach as $150 per card. With some US organisations processing 100 million transactions a month, the costs can be astronomical.

GT - Are you members of the various industry bodies developing card security standards?

Yes we are. We’re the only technology vendor member of the PCI Security Standards Council, alongside the likes of Tesco and RBS. We also work with EMV Co, the major CHIP and PIN industry body, comprising MasterCard, Visa, JCB and Amex, which creates the global CHIP and PIN protocols.

GT - What other market sectors besides retail do you supply electronic payment systems for?

Our systems can be used wherever electronic payments take place. In the hospitality sector we have pay at table solutions that are GPRS, Wi-Fi and Bluetooth enabled. In Africa and the Middle East we have successful prepay installations. In the UK we have gift card installations with our PAYware GiftCard solution. In transportation, our Secura devices are at every London Transport station: you pay for Oyster card top-ups using a VeriFone device. In the US we also offer wireless payment devices for use in taxis, which we plan to bring here. We have unmanned kiosks and payment systems for use in retailers, vending and parking. You can read some of our case studies at:

GT - How long have you been with VeriFone? What does your role involve?

I’ve been here two and a half years, and became Marketing Director in September 2008. I was previously with a competitor, and before that in computer network systems. My role involves communicating the VeriFone brand across Northern Europe, Middle East and Africa. I work with our colleagues in California to bring in new payment platforms. I speak at exhibitions, conferences and seminars in various sectors and demographics, and am personally involved in developing customer solutions.

GT - Which countries are you responsible for?

NEMEA consists of the UK, Ireland, France, the Nordics, Middle East and Africa. In most of these countries we work through our international partner network, or VIPs.


GT - We’re talking in your UK offices in Uxbridge. What operations happen here?

Uxbridge is our NEMEA headquarters. Sales and marketing for the region happens here. We also have development teams on PAYware and payment applications, and front line help desks for Tier 1 and Tier 2 retailers.

GT - Where does VeriFone rank in the league table of payment technology vendors? What sets you apart from other vendors?

We turn over just short of $1bn globally, and are either ranked 1 or 2 in each country we operate in. We’re at the forefront of security development, and lead the way with VeriShield Protect. We offer payment solutions for every sector and market space; whether that’s retail, government, transportation, healthcare, hospitality, financial, petroleum - even e-commerce or telephone order!

GT - When was VeriFone set up? Who owns it now? Are you formally linked to any other IT or financial services companies?

VeriFone was founded in 1981, and is listed on the NYSE under ‘PAY.’ We’re totally independent.

GT - How big is VeriFone in NEMEA? What differentiates the UK from other markets?

The UK stands out as a leader in CHIP and PIN adoption, and the POS environment has seen major changes since we came in. Denmark, Finland and Sweden also follow the PCI standards, but Britain is a more mature market, though people here still use dial-up for a lot of transactions. There are a large number of players here in POS and retail infrastructure.

The UK is the lynchpin to the whole area, and offers the region’s largest revenues. 2008 was a relatively flat year for us, but considering conditions across the world, that’s pretty good! In the UK we’ve grown market share even with many retailers closing and taken share from our competitors.

GT - Where is your global HQ?

Our HQ and our hardware platform development are in San Jose, California. We develop applications regionally for different markets, either ourselves or through partners or resellers.

GT - What are your best selling products and applications for Tier 1 retailers?

We offer Tier 1 retailers PIN pads and PAYware software solutions for their retail environment. Our largest volume product is currently the Secura PIN pad, which is in Tesco, Sainsbury’s and other majors but we are migrating customers to the Vx 810 because of our VX platform. All our core investment is in VX, which also offers a migration platform for contactless cards. The benefit of our extensive partner network is that the Vx 810 has been accepted and certified by all POS integrators, making it basically “plug-and-play” for retailers. Vx 810 will ultimately replace Secura as the main platform in the retail space. Retailers are also very interested in contactless.

In the banking channel our biggest selling products are the Vx 810 DUET countertop solution and the portable Vx 670, our pay at table product.

GT - What are your latest security products for retail environments?

We’re in the process of bringing VeriShield Protect to the EMV environment. One major retail customer is rolling it out in the next four months and we have installations in the US as well. Several major Tier 1 UK retailers are very interested, but it needs to fit in with their timetables: that said, they know they need to be PCI DSS compliant soon, and this offers significant savings in achieving that.

GT - Which UK retailers have adopted your solutions so far? Can you talk about what you do for them?

So far we have thoroughly rolled out Vx 810 with Thorntons and Clinton Cards (see case study on next page), who are early adopters. Other major high street retailers are also interested. The contactless transaction value threshold is £10, which will hopefully change to £15 very soon, making contactless a more desirable proposition for retailer and consumer alike.

GT – How long does it take to put a Vx 810 solution in place?

Switching over all the PIN pads in a retailer’s estate can take 3-6 months: if a particular retailer has no relationship with the POS vendor, you have to start from scratch, and it could take up to a year to develop a spec. We have relationships with so many retailers and POS vendors, the chances are we have a solution already available.

GT – What happens about training?

The integrators or retailers’ own organisations do the training, but we provide user guides and have a help desk and technical support analysts to carry through the implementation process and sort out problems.

GT - What effect has the worldwide recession had on your business?

We addressed our organisational needs within NEMEA before the recession hit. We readjusted our structure and budgets, so we haven’t been impacted: instead, we’ve taken market share. We’ve had to work harder but we’ve been very successful, growing numbers and hitting expectations. We’re in excellent shape.

GT - Does the rise of contactless cards pose a major risk to the security of consumers’ accounts?

Contactless cards don’t pose any additional security risk compared to other types of cards. And VeriShield Protect is available for ironclad cardholder data protection. People were talking about contactless cards a decade ago, and it’s taken far too long to come in. In the UK it is great that Barclaycard has now issued five million contactless credit and debit cards, which helps consumers become more comfortable with the technology.

GT - Where do you see VeriFone going from here?

2010 will be a major year for VeriFone. The UK payment acceptance market won’t grow to any extent, but we will by taking more market share in both the retail and banking space. We will be rolling out contactless technology with a major high street retailer from January. Our PAYware suite of software solutions is gaining traction, and we recently launched a PAYware Partner Program to recruit resellers who will further the reach of our card acceptance, card management and value-added software solutions. Finally, a lot of opportunities we’re working on at the moment will also come to light in 2010, along with some exciting new hardware developments, which will roll out in the second half of the year.

VeriFone   tel: +44 (0)1895 275275


First Data Releases SpendTrend™ Mid-December 2009 Consumer Spending Data


Value-Conscious Consumers Continue to Drive Holiday Spending

ATLANTA, DEC. 23, 2009 – First Data Corporation, a global leader in electronic commerce and payment processing, today released First Data SpendTrend™ transaction data that compares Dec. 1 through Dec. 14, 2009 to the same period last year. SpendTrend tracks same-store consumer spending using credit, signature debit, PIN debit and EBT cards at U.S. merchant locations.

Overall transaction growth remained healthy at 7.9 percent, while the Midwest experienced the highest growth rate of 10.8 percent. Transaction growth for all regions was up from November. Data indicates that consumers continued to focus on value, leading to large transaction increases in petroleum (13.4 percent) and value retailers (14.9 percent).

Same-store sales volume growth increased 6.9 percent year-over-year. This was an improvement over November’s growth rate of 6.2%. Overall transactions for the month showed a growth of 7.9 percent over 2008. Transactions in the month of November 2009 were 8.9 percent higher than the previous year.

December Transactions      | Change
Credit & Signature Debit   | +5.1%
PIN Debit                  | +11.7%
Total Transactions         | +7.9%

Note: Growth reflects same store transactions only.

Value merchants continued to outperform, both in terms of transaction growth, which increased to 14.9 percent, and sales volume growth of 13.5 percent. The average ticket held steady as consumers remained value-oriented through December. Additional data from the SpendTrend mid-December 2009 report can be accessed at from the home page dashboard.


Media Relations

Cara Crifasi



Top 5 Hacks of 2009 (Cisco Security Expert)

Jamey Heary, a "Cisco Security Expert", writes for Network World on his Top 5 Breaches of 2009.

About Cisco Security Expert

Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.

The number of personal records exposed skyrocketed to 285 million records this year, compared with 35 million in 2008.

1) Conficker - Conficker is the most widespread botnet ever recorded. Sure, it isn't a specific breach per se, but I just had to make it my number one. It still infects millions of PCs. In fact, according to a report recently released by, China Telecom's Chinanet still has over a million infected PCs or about 1% of its total IP address space. Conficker exploited a Microsoft vulnerability described in the Microsoft Security Bulletin MS08-067.

2) Phishing attacks on banking sites - A recent report by Trusteer shows that phishers are making huge bank by phishing banks. The report shows that only a very, very few bank customers actually click on a phishing email; in fact, it is only 0.000564%. Of these people that do click through, 45% of them divulge their personal credentials to the fake phishing site. The report calculates that even though the click rate is super low, the scale of users involved makes this a significant loss for our banks. They estimate that banks lose between 2.4 and 9.4 million dollars (per million online bank users) to phishing fraud annually!

3) Heartland Payment Systems - I'm sure you all know about this one already. It occurred in January 2009 when attackers were able to steal more than 130,000,000 credit card records. Many of the attacks used were basic SQL injection exploits. Just a few days ago Heartland agreed to pay AMEX $3.6 million to settle claims related to the breach. Heartland has set aside $12.6 million more to settle other claims it is anticipating from Visa, Mastercard, etc.


How Dangerous is the Cyber Threat - PBS Video


The White House named a new chief for the nation's cyber security efforts Tuesday, part of a new emphasis on digital threats.

A digital security expert weighs in on the realities of cyber crime in the U.S.


MasterCard Softens Controversial PCI Rule

Six Months Later, MasterCard Softens a Controversial PCI Rule

(December 23, 2009) MasterCard Inc. is changing a controversial policy, and pushing back a deadline, that it announced only six months ago regarding enforcement of the Payment Card Industry data-security standard. With the changes, which involve assessing computer systems for PCI compliance, MasterCard could be viewed as responding to valid complaints after first disclosing the planned changes, or it could be viewed as having done a flip-flop. Or both at the same time.

In June, MasterCard adopted a new policy governing whether big merchants can do so-called self-assessments of their PCI compliance. The new policy applied to so-called Level 2 merchants, those submitting 1 million to 6 million total MasterCard and Maestro (PIN-debit) transactions annually, and Level 1 merchants, those submitting more than 6 million transactions. MasterCard previously had let Level 2 merchants do annual self-assessments for PCI compliance unless they brought in a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council for an on-site assessment. But come Dec. 31, 2010, MasterCard planned to require that all Level 1 and, for the first time, Level 2 merchants, use a QSA for the annual on-site PCI assessment.

That policy generated many complaints from Level 2 merchants, who security experts say would have to pay anywhere from $100,000 to $1 million for a QSA’s services. MasterCard’s policy also diverged from Visa Inc.’s, which lets Level 2 merchants do self-assessments. Many observers also wondered whether there were enough QSAs to go around to handle all the new work from Level 2s.

This month, however, MasterCard pushed back the deadline by six months, to June 30, 2011. And instead of requiring use of a QSA, MasterCard will let Level 2 merchants do the assessments themselves provided they have staff attend merchant-training courses offered by the PCI Council, and each year pass a PCI Council accreditation program. Level 2 merchants are free to use QSAs if they wish. Come June 30, 2011, Level 1 merchants can use an internal auditor provided the audit staff has PCI Council training and annual accreditation. MasterCard also said its definitions of merchant levels now match Visa’s, so, for example, if a merchant is a Level 2 merchant in Visa’s eyes, it’s also one in MasterCard’s eyes.
Continue Reading at Digital Transactions News


Head of Global Public Policy for MasterCard Goes "On the Record"

Shawn Miles, head of global public policy for MasterCard, responded to a Boston Globe reader's question about interchange.

SOME MERCHANTS claim they can’t do business without credit cards, and can’t discount for cash. That’s why we were interested in your recent article about a Boston merchant who cuts the price of sushi by 55 percent on Sundays for customers who pay cash to avoid the fee of about 2 percent she pays to accept credit cards (“Taking a swipe at card processing fees," Dec. 12, Metro, B1).

Is this really about cash discounts or about a practice followed by some sushi vendors who cut prices by half on Sunday to make room for fresh fish on Monday?

Says Shawn:

"Merchants’ lobbyists want consumers to believe they will benefit if Congress regulates the fee of about 2 cents on a dollar merchants pay for the benefits they get by accepting credit cards: they outsource their credit risk to the banks that issue the cards and are responsible if customers default; they get protection from fraud and theft; guaranteed payment, and efficient record keeping. Plus higher sales, as consumers aren’t constrained by the amount of cash they have in their wallet.

If merchants don’t pay their fair share, consumers get hurt. Like any other valuable service, electronic payments have a cost. Today, those costs are split between the two key beneficiaries - merchants and cardholders. If merchants get their way and persuade Congress to regulate their share, consumers will pay more. That happened in Australia, where the government regulated these fees. Consumers there now pay more for their cards through higher annual fees, fewer benefits, and sometimes, surcharges when they choose to use their cards. Merchants pocketed the savings, as there is no evidence that they have cut the prices they charge."


Purchase, N.Y.

The writer is head of global public policy for MasterCard.

Online Banking Fraud Secretly Running at Epidemic Levels

The Wall Street Journal ran a front page story that Citigroup, Inc. had been hacked.  Citi responded that there was no breach, then PC World reported that it was an "old breach confused as a new breach."  Then the WSJ story was attacked as being inaccurate...

In any event, there is a very good reason that U.S. banks have generally been loath to disclose computer attacks.  Fear of scaring off customers.  It's all about deposits.  You get hacked, it's harder to get deposits.  Therefore, we will never know the magnitude of losses suffered by financial institutions due to cyber-siphoning.  Many say take whatever figure they report and times it by 5.  I say times it by 10 and you'd be closer to the real numbers.  Either way, we're talking losses of $1B+.

According to the Financial Times' Paul Murphy,

"Official statistics in the US suggesting $260m was lost last year in all forms of online crime are a complete joke." It’s a scandal. Why the authorities and the banks allow this cover-up to continue is a mystery.

This, from Seeking Alpha:

How Big of a Problem Is Cybertheft from Banks?

The WSJ’s front-page story was clear and unhedged:

The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.

The fallout, however, is incredibly muddy and opaque.

  • Citigroup (C) is strenuously denying that there was any breach at all, let alone any losses; it also said in the original story that the WSJ’s smoking gun — the disappearance of $1 million from a Citibank bank account in Mt Vernon, NY — was “an isolated incident of fraud”.

  • PCWorld says that the story is wrong:

  • ABC has weighed in too, deciding that Citigroup and the WSJ are both wrong, and that “the truth here is somewhere in the middle”, whatever that’s supposed to mean.

  • The Financial Times Paul Murphy has an interesting theory: Citigroup, like every major bank in the Western world, is covering up the fact that online fraud — both sophisticated and unsophisticated — is running at epidemic levels. But it can’t be seen to be singled out as an institution with weak controls, where the public at large might be fearful of depositing their money. So it goes on the denial warpath.
