© 2016 Epicor Software Corporation
Covering Your Assets: Payment Landscape and Technology Keith Lam Sr. Product Manager
© 2015 Epicor Software Corporation © 2015 Epicor Software Corporation
2 © 2016 Epicor Software Corporation │ Eagle Online Academy #EpicorEOA
Keith Lam― Senior Product Manager
► 9+ years at Epicor, focusing on building great products and services that help the independent retailer succeed and grow
► Product focus is on Cloud, SaaS, Payment, Financial, Security, Hardware and Pharmacies
► Passionate about consumer engagement and loyalty― how technology can help small retailers reach new customers and keep existing customers through multi-channel marketing and personalized communication, as well as data security
The contents of this document are for informational purposes only and are subject to change without notice. Epicor Software Corporation makes no guarantee, representations or warranties with regard to the enclosed information and specifically disclaims, to the full extent of the law, any applicable implied warranties, such as fitness for a particular purpose, merchantability, satisfactory quality or reasonable skill and care. This document and its contents, including the viewpoints, dates and functional content expressed herein are believed to be accurate as of its date of publication, April 2016. The usage of any Epicor products or services is subject to Epicor’s standard terms and conditions then in effect. Usage of the solution(s) described in this document with other Epicor software or third party products may require the purchase of licenses for such other products. Epicor, the EPICOR logo, Eagle, Grow Business, Not Software, are trademarks or registered trademarks of Epicor Software Corporation in the United States, and in certain other countries and/or the EU. Copyright © 2016 Epicor Software Corporation. All rights reserved.
Agenda
1. Different Ways to Pay
2. How the Bankcard Payment Chain Works
3. New Payment Options
4. Payment Security
In 2015, what was the most used payment method?
A. Cash
B. Check
C. Debit Card
D. Credit Card
Different Ways to Pay
Cash is still King!
https://blackhawknetwork.com/2015consumer_payments
Different Ways to Pay
However… Cash and check use is declining fast. 18% of consumers using alternative payment methods
https://blackhawknetwork.com/2015consumer_payments
How the Bankcard Payment Chain Works
Card Payment Value Chain
Cardholder presents card to pay for purchases
Merchant swipes card, enters amount and transmits authorization request to processor
Processor electronically sends the auth request to credit card company
Credit card company routes request to cardholder's issuing bank
Issuer approves or declines the transaction
Issuer transmits approval or decline to credit card company
Card company forwards response to processor
Processor forwards response to merchant
Merchant completes the transaction
Cardholder account is debited
CARDHOLDER → MERCHANT → PROCESSOR → CARD COMPANY → ISSUER
The Merchant pays between 2%-$% of the total transaction amount to accept card payments. Example: Trans = $ 40.00, MD = 3%
• Processor (First Data, Elavon, EPX): ~ 10 - 20%, $ 0.20
• Card company (Visa, MC, Amex, Disc): ~ 5%, $ 0.06
• Issuer (Citibank, Chase, BofA): ~ 70 - 90%, $ 0.94
New Payment Options
► Apple Pay
► Android Pay/Google Wallet
► PayPal
► Samsung Pay/Loop
► Bitcoin
Apple Pay and Google Wallet
► Apple Pay and Google Wallet are both mobile payment options that allow you to use your smartphone to pay for purchases using your bankcards or a prepaid card.
► Apple Pay and Google Wallet do not store the actual bankcard number on your phone for better security and fraud protection.
http://arstechnica.com/gadgets/2014/10/how-mobile-payments-really-work/
Apple Pay
► How does Apple Pay work?
Specific to your iPhone
Token is sent to the processor, who matches it to a bankcard for payment
• Verification – TouchID
• Token – A random number that represents your bankcard, generated specific to your iPhone.
• Security – Token cannot be stolen and used to create a physical bankcard, cannot be used for internet ordering nor used on a different device
Google Wallet/Android Pay
► How does Google Wallet work?
Creates virtual card
Pay with the virtual card that pulls from your bankcard
• Verification – 4 digit pin
• Virtual Card – Represents your bankcard. Real card is stored on Google servers
• Security – Virtual card cannot be stolen and used to create a physical bankcard, cannot be used for internet ordering nor used on a different device.
• Android Pay is similar to Apple Pay: a one-use token is presented and transmitted. Google still stores your credit cards.
PayPal
http://www.casio.co.uk/paypal/
Samsung Pay/Loop
http://www.idownloadblog.com/2015/02/18/samsung-buys-apple-pay-competitor-looppay/
http://www.businesswire.com/news/home/20141103005185/en/LoopPay-Launches-Mobile-Payment-Product-Line-Accepted
Bitcoin
http://visual.ly/bitcoin-infographic
https://vulcanpost.com/235071/tiasg2015-day-2-startups-bitcoin-trend/
Do you accept mobile payments in your business?
A. Yes, we do, but our customers don’t use them very much.
B. Yes, we do, and our customers use them frequently.
C. No, but we’re interested in doing so.
D. No. It’s cash, check or cards for us.
Payment Security
Low Risk-High Reward Low Reward-High Risk
Chris Swecker, Former FBI Asst Director
Types of Hacked Fraud
http://techcrunch.com/2015/09/07/the-business-of-fraud/
What would you like to order from the black market?
Have you had a data breach in your business?
A. Yes.
B. No.
C. I’m not sure!
Payment Security - Cash
Options File -> Configure -> Application Options -> Option Group “Cash Draw Balancing” Online help “Setting Up the Cash Drawer Balancing Feature”
Payment Security - Checks
ECC http://help.eaglesoa.com/25/en-n-eagle/POS/ECC/ECC_Ovr.htm
Payment Security - Bankcards
► EMV
► Transactional Security
• Point to Point Encryption
• Tokenization
Payment Security – EMV Security
► EMV – Chip cards, chip and pin, chip and signature
Two protections:
1. Verification • Chip card is real
2. Authentication • Cardholder is real
Protects against fraudulently created bankcards only.
Does not encrypt or tokenize the card number.
Payment Security – Transactional Security
► Point to point encryption and tokenization are two different payment security features, normally used together
• Designed to keep actual bankcard numbers from being stored, processed or transmitted by your POS system through to the Payment Gateway or Processor.
► This combined solution reduces your PCI scope because your system and networks are designed never to see any real bankcard numbers.
Payment Security – Transactional Security
► Point to Point Encryption
• Encrypts a consumer’s bankcard data at point of swipe or insertion
• Only the encrypted bankcard number is sent from the pin pad to the POS system and internet
1234 56 ABD 5432 %25DUCK=$3&
Encrypted swipe data Preserves 1st 6 and last 4 digits
Payment Security – Transactional Security
► Tokenization
• A random number token is created for the actual bankcard number
• This token is POS system and bankcard specific; i.e. the token cannot be used at another retailer
1234 56BD 3GH5 5432
Tokenized card Preserves 1st 6 and last 4 digits
Epicor Gateway
Payment Security – Transactional Security
► No actual bankcard numbers are in your POS system so nothing of value can be stolen
► If tokens are stolen, they cannot be made into usable bankcards or used on internet sites
► If you have a data breach, none of your customers’ actual bankcard information will be stolen
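The tokenization behaviour described on the slides above, as an added Python sketch (not Epicor's code or the gateway's actual algorithm): a hypothetical gateway-side `TokenVault` issues a random, merchant-specific token that keeps the first 6 and last 4 digits, and `pos_holds_card_numbers` is a check a defender could run over POS-side records. All names and the sample card number are constructed for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real account

def looks_like_pan(s: str) -> bool:
    """True if `s` is 13-19 digits and passes the Luhn check card numbers use."""
    if not (s.isdigit() and 13 <= len(s) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical gateway-side vault; the POS only ever stores the tokens."""
    def __init__(self):
        self._pan_by_token = {}             # (merchant_id, token) -> card number
        self._token_by_pan = {}             # (merchant_id, card number) -> token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not looks_like_pan(pan):
            raise ValueError("not a valid card number")
        key = (merchant_id, pan)
        while key not in self._token_by_pan:
            middle = "".join(secrets.choice(ALPHABET) for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]     # keep first 6 and last 4
            # Require a letter so a token can never pass as a card number.
            if any(c.isalpha() for c in middle) and (merchant_id, token) not in self._pan_by_token:
                self._token_by_pan[key] = token
                self._pan_by_token[(merchant_id, token)] = pan
        return self._token_by_pan[key]

    def detokenize(self, merchant_id: str, token: str) -> str:
        pan = self._pan_by_token.get((merchant_id, token))
        if pan is None:                     # token from another retailer, or made up
            raise LookupError("token not issued to this merchant")
        return pan

def pos_holds_card_numbers(records) -> bool:
    """Defender check: does anything stored on the POS side look like a real card number?"""
    return any(looks_like_pan(r.replace(" ", "")) for r in records)

if __name__ == "__main__":
    print(TokenVault().tokenize("store-A", SAMPLE_PAN))
```

Because every token contains at least one letter, a scan of POS storage for Luhn-valid digit strings flags only records where a real card number leaked past tokenization.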
Payment Security
Features EMV Transactional Security
Apple Pay Android Pay
Helps prevent fraudulent bankcards from being used at your store
Helps prevent bankcard numbers from being stolen from your store
Payment Security – Account Takeovers
► What is it?
• Someone steals your business credentials and uses them to steal money from your accounts – ID theft
► Fraud method
• Phishing, social engineering, phony calls, malware, and viruses
► Result
• Stolen user names, passwords, account numbers, vendor information, bank information, or social security numbers
Payment Security – Account Takeovers
► How does it work?
“Fraud Advisory for Businesses: Corporate Account Take Over.” United States Secret Service, FBI, IC3, and FS-ISAC.
Payment Security – Account Takeovers
► Who helps you?
• No one, the bank sees this as a valid transfer.
• The receiving bank cannot give you info on the account holder; the account is closed and the funds are gone
Only you and your employees can protect your business
“The best way to avoid becoming a victim of a cyberheist is not to let computer crooks into the computers you use to access your organization’s bank accounts online.”
- Brian Krebs
Payment Security – Account Takeovers
► Recommendations
• Educate your employees
• Protect your online environment
• Partner with the banks (call backs, device authentication, multi person approvals, 2 factor authentication)
• Pay attention to suspicious activity and react quickly
• Understand your responsibilities and liabilities
http://www.aba.com/Tools/Function/fraud/pages/corporateaccounttakeoversmallbusiness.aspx
Payment Security – Account Takeovers
► Great resource - KrebsOnSecurity.com
► Blog from Brian Krebs who broke the Target breach and provides great recommendations for personal and business protections.
Summary
► Cash is King, alternatives moving up
► Bankcard payment chain and who makes money
► New payment options from Apple Pay to Bitcoin
► Payment Security
• Cash, check, bankcards and accounts
• Ways to protect these assets
Summary
Payment types will continually change and so will thieves and hackers, but remember this:
1. You make the decision on the risk for your business.
2. Use the latest security protections.
3. Limit access of personnel and computers that can access sensitive information.
For more information on products featured in today’s presentation, or to find out how Epicor Professional Services can help you grow your business, please contact your Account Manager at 800.538.8597.