Credit Union Geek

Marketing, Strategy, and The Force by Joe Winn

New Tech Alert! “Hey Siri, Pay My Electric Bill”

This is a CUbit.  In case you haven’t seen one before, these are my out-of-schedule short posts highlighting breaking news.

Today, Apple released a beta update for iOS (software powering iPhone and iPad).  There were the expected improvements and feature additions (hooray, an easy way to find my AirPods!), but something else snuck in.  Something which can change the entire credit union industry overnight.

Apple added bill pay capabilities to Siri.

Yes, with only your voice, you can pay a bill or check on the status of a payment.  Instead of opening an app, finding Bill Pay, trying to set a new one, finding out you can’t do it on your phone, going to your computer, entering the information…etc., now, just say, “Hey Siri, pay my cell phone bill.”  Or, “Hey Siri, did Dave ever pay me for that dinner?”

This functionality is now in beta as part of SiriKit (the API which powers integrations into Siri services).  If your banking platform service is not diving into the documentation headfirst, tell them to get on it!  And if you manage your own bill payment system, ask your IT to begin looking at what it will take to have your members paying by voice upon its release.

What are you waiting for?  Get to it!

Give Your Card A Security Update

Originally published on CUInsight.com

Update 7/12/16: An earlier version of this article claimed Samsung Pay did not use tokenization. They do, my mistake! Corrected. (CUInsight version not updated)

A family friend was in town this past week. She is part of the Boomer generation, so, a user of new tech, but semi-begrudgingly. At one point, we discussed how her Android phone supported mobile payment. “It’s easier and more secure for you!” I explained to her. “You’ll never need to go through the hassle of getting a new card number again!” Her response? “Yeah, still wouldn’t bother. I’d prefer to just swipe.”

This is the type of apathy you’re facing. She didn’t grow up in a world of data security breaches, and considers a reissued credit card “par for the course”. It’s not that she doesn’t believe me when I tell her that mobile payment is vastly better. She just doesn’t care.

Maybe I framed it wrong. As we all have, using terms like tokenization instead of just calling it what it is: A security update for your credit card. So what is tokenization (To-Ken-I-Zeh-Shun)? Besides a big, scary word, of course. It’s always thrown around when mobile payments are discussed, but a recent survey shows understanding is lacking. Nearly a third of people admit to not knowing what it means and almost half say that it wouldn’t encourage them to use mobile payments. My interpretation: That latter group doesn’t grasp what it is either, but are afraid to admit it. So, what is it and why should you care? Tokenization represents how your card number is handled during the transaction. Still fuzzy? That’s ok.

Here’s how a normal purchase works (greatly simplified and leaving out payment processor):

1. Swipe at terminal (or type number on computer).
2. The number on the front of your card goes to the merchant.
3. Merchant asks credit card issuer (your credit union or bank) if the number is good.
4. Bank or credit union looks at number and gives a “yay or nay”.
5. Merchant keeps your name and card number so they know who you are when you buy again.

As you can see, the number on your card passes through multiple hands, and even stays with some. While your financial institution guards the number, others along the line may not. This is how major breaches occur. Bad actors break into these non-bank systems and steal the list of names and numbers, then sell them on the black market. Sometimes they lie in wait, gathering new numbers for months before anyone even notices. Then, the numbers are sold or posted online, and that’s when your frustrations begin.

Here’s how a tokenized mobile payment works:

1. When you add a card to your phone’s “wallet”, it asks your bank or credit union to verify your identity.
2. Your issuer then creates a new number just for mobile payments (which you never see).
3. Upon paying with your phone, a fingerprint is required to show it’s really you.
4. The phone then uses your “mobile payment” number to make another one-time-use number and sends that to the merchant.
5. The merchant asks your bank or credit union if this number is good, but learns nothing from it, since it will never be used again.

The number on your card never leaves your possession. Best part of this? If every one of those systems was hacked, your card number would still be safe. The issuer just makes a new “mobile payment” number for you, and that’s it. No canceling accounts, changing numbers, or mailing cards. In fact, it might happen without you ever knowing. Think of it like a security update for your credit card.
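The five steps above as a small Python model, added here as an illustration; it is not code from this post and not how Apple Pay or any real wallet is implemented. The HMAC derivation, the purchase counter, and sending the device number alongside the one-time number are assumptions of this sketch, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets

def one_time_number(key, token, counter):
    # Single-use value derived from the device-only number and a purchase counter.
    return hmac.new(key, f"{token}:{counter}".encode(), hashlib.sha256).hexdigest()[:16]

class Issuer:
    def __init__(self):
        self.vault = {}  # device number -> real card number, key, highest counter seen

    def provision(self, pan):  # step 2: new "mobile payment" number and key
        token, key = "T" + secrets.token_hex(8), secrets.token_bytes(32)
        self.vault[token] = {"pan": pan, "key": key, "seen": 0}
        return token, key

    def authorize(self, token, counter, otn):  # step 5: the issuer's yes or no
        entry = self.vault.get(token)
        if entry is None or counter <= entry["seen"]:
            return False  # retired device number, or a replayed payment
        if not hmac.compare_digest(one_time_number(entry["key"], token, counter), otn):
            return False
        entry["seen"] = counter
        return True

    def reissue(self, old_token):  # after a breach: the card number stays the same
        return self.provision(self.vault.pop(old_token)["pan"])

class Phone:
    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0

    def pay(self, fingerprint_ok):  # steps 3-4: verify user, then a fresh one-time number
        if not fingerprint_ok:
            raise PermissionError("user verification failed")
        self.counter += 1
        return self.token, self.counter, one_time_number(self.key, self.token, self.counter)

def demo():
    pan = "4111111111111111"  # constructed test card number
    issuer = Issuer()
    phone = Phone(*issuer.provision(pan))
    payment = phone.pay(fingerprint_ok=True)
    merchant_db = [payment]  # everything a breached merchant could leak
    first, replay = issuer.authorize(*payment), issuer.authorize(*payment)
    phone = Phone(*issuer.reissue(payment[0]))  # issuer retires the leaked device number
    stale = issuer.authorize(payment[0], 99, payment[2])
    fresh = issuer.authorize(*phone.pay(fingerprint_ok=True))
    return first, replay, stale, fresh, pan in str(merchant_db)
```

`demo()` returns the outcome of the first payment, a replay of it, a payment on the retired device number, a payment on the reissued one, and whether the card number ever appeared in the merchant's records.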

Tokenization isn’t scary. Swiping your card the old way is. Your credit union put a lot of work into supporting the mobile payment systems…growth will remain stagnant if only 1/4 see the value. Help your members live a safer financial life and spread the knowledge!

A Merchant Breach Rant For You To Empathize

This CUbit is an extension of a comment I shared on a CUInsight article today. You can view the full story (and my comment) here. Background: Wendy’s appears to have experienced a POS (Point of Sale) breach sometime in the past, oh, few years. The malware (bad software) has crept around their systems and locations under the radar, only mentioned briefly in a corporate report and supported by credit unions seeing increased debit card fraud from members who frequented the chain.

I don’t eat at Wendy’s, so my cards are not compromised (by this breach, at least). But why should that make a difference? Just because you enjoy an occasional Frosty doesn’t mean you should have to watch your account for fraud. And, in all honesty, when faced with limited options, I’ll have their baked potato. Will I pay with plastic? Of course. Will millions of others? Sure.

If you read my posts regularly, you’ll know this isn’t the first one on merchant breaches. Nor will it be the last. At least with how they’re treated today. The onus on security is akin to me paying someone to watch my car, having it stolen, then the watcher just looking at me while shrugging their shoulders. When was the last time you heard about a card breach affecting the issuer? That’s right, almost never. Because they care about security. In fact, they have regulations mandating their adherence to stringent policies. Whether you’re Bank of America, our regional community bank, or one of thousands of credit unions, you protect card information. And given how rare an issue arises, I’d say you are all doing a great job.

(From this point, my original story comment is expanded upon, so if it looks familiar, that’s on purpose, and thank you for reading!)

My frustration isn’t with the credit unions. Not at all. It’s with the retailers. Wendy’s just happens to be the case in point today. Let me repeat what I’ve said before many times: We. Have. The. Technology. To. End. Breaches.

Between adopting EMV and contactless payment (Apple Pay, Android Pay, CU Wallet, etc.), we can have tokenized transactions at all purchases. This means your card number, unless physically lost/stolen, cannot be compromised. Even if the merchant’s system is crawling with malware. All the criminals get is a one-time use number (which is immediately identified as fraud when attempted again). The number you see on the piece of plastic never appears on their end.

Would new systems solve the problem? Mostly. But there is also an enormous number of dangerous practices still being performed. Know anything about PCI compliance? No way these actions would pass. Now you want examples, so here are two I’ve experienced in just the past few weeks. The first came while I was with a friend getting his car serviced. This wasn’t at a mom-and-pop shop, rather, he went to one of the largest dealerships in the southeast United States. What did they do upon payment? They photocopied his credit card, front and back, to store with his service paperwork.

Let me repeat: They took a picture of his credit card. Then they put it in a glass office with hundreds of others, in full view of staff and customers. “We lock that office”, they said. Color me comforted.

Another crazy action occurred just two days ago at a hotel in Los Angeles. Upon check-in, hotels like to keep your card on file for incidentals (or if you decide to rock-star-style destroy the room). That’s fine, and there’s a proper way to do it. This Comfort Inn (again, big company which knows better) took an imprint and put it with the regular paperwork, under no lock and key.

And we wonder why breaches are so common (imagine their security on digital if that’s how they treat in-person).

Since merchants (especially multi-nationals) have little responsibility in the breaches (it’s not like we’ve heard credit unions talk about this before…), they are slow to make any changes. If they had to burden 100% of the breach costs, do you think we’d still have major merchants doing such dumb things with your information?

As a technologist, it’s incredibly frustrating to see event after event of preventable breaches occur, while those completely not in the wrong have to bear the costs (the Big 3, community banks, and credit unions all included).

Plus, who likes having to reset all of your automatic payments and online shopping accounts?

Image credit: https://www.flickr.com/photos/111692634@N04/11406986014/

© 2017 Credit Union Geek