NewStatesman Fintech Spotlight – Elavon – Security will make the fintech boom sustainable
Butler’s view is that over the next few years we will see many new ﬁnancial apps and services as a result of the second Payment Services Directive, or PSD2. “The combinations of ideas are bound to be interesting. But this will also inevitably lead to data breaches from unproven technologies.”
As PSD2 gives companies more access to data, Butler says this also creates more “attack surface”. “More customer data will be shared, away from the source, because that’s the essence of the directive – the banks have to give up the data if the customer has authorised it.”
Butler explains that there are strong incentives to keep data secure. “The GDPR cyber security regulation includes ﬁnes of up to €20m or four per cent of global turnover for failure to protect consumer data. A €20m ﬁne would wipe out most new ﬁntechs. But there’s a lot of pressure to be ﬁrst to market with a great new idea. While there’s probably a lot more consideration of security in ﬁntech than in your average web or app start-up, they share the same sense that they need to build fast and get the product out.
“All these new businesses will take payments from customers somewhere along the line. That’s when they turn to companies like Elavon, to take payments by card or with new alternative payment methods. We offer them the services to integrate these payment tools, and we’re mature enough to offer them the security backing, so the products themselves are secure by design. Our new Poynt smart POS terminal, for example, encrypts card numbers at source, and our e-commerce platform has built-in fraud management tools. If you accept credit cards, you also have to follow a set of rules called PCI DSS. Our bigger customers have to do an annual audit, and our smaller customers have a questionnaire – but that can be far from straightforward. So we offer a service where we call them and we walk through all the questions in plain English, and we submit the assessment on their behalf. If they do have a breach and lose cardholder data, being compliant can reduce the penalites. Again, PCI fines can be very large, so we offer a fee waiver scheme. If a company is compliant, we can waive some of the charges if there is a breach.”
Looking forward, Butler believes ﬁntechs will come and go in the near future, and in some cases their demise will be a result of data breaches. “One new type of attack will be the PSD2 equivalent of phishing. A ‘bad actor’ would set up as a third party that’s going to offer a ﬁntech service, and customers would give them access to their banking details. A growing worry we have in this industry is that criminals are getting very sophisticated. In modern cybercrime, middlemen collect data from multiple sources, combine them with other data and use them to create complete consumer proﬁles – playing a similar role to big data analysts in legitimate businesses. Identity theft, rather than plain old ﬁnancial theft, is becoming more interesting to criminals. They can do more with it.”
According to Butler, some groups of consumers, especially millennials, may be at greater risk. “These people in particular need practical advice, because many new ﬁntech products will be marketed at them. A kitemark equivalent might be a really good step. Because only trusted businesses will succeed in the end.
“Payment security is evolving rapidly, but businesses need to manage risk. The old phrase ‘buyer beware’ has a companion. If you are a vendor, it’s a case of ‘seller beware’. Make sure you protect your customers and your business by making the right technology choice.”
Elavon Inc., is a processor of credit card transactions and a subsidiary of U.S. Bancorp. Elavon offers merchant processing in more than 30 countries and supports the payment needs of more than 1,000,000 merchant locations across the globe. Elavon is the 4th largest U.S. credit card processor and is a top six acquirer in the European marketplace.
For press enquiries please contact:
Agata Mlynarczyk on 07825 819304