A biometrics solution for Commercial Cards.

Fingerprints and selfies are coming to the Commercial Card world! I view this as big news. Last year, the headlines were all about EMV/chip cards. Now the tide is turning toward improving the security of online purchases, which often comprise a large portion of Purchasing Card transactions in particular. BMO Financial Group (BMO) and Mastercard have an answer. Following is content from their related press release.

These two organizations have begun a phased launch of the first biometric corporate credit card program in Canada and the U.S. that will enable cardholders to verify transactions using facial recognition and fingerprint biometrics when making online purchases. The introduction of this technology will increase security when making payments that do not include a face-to-face interaction, and will be integrated seamlessly for easy use in reducing the likelihood of a card being used by anyone who is not the cardholder.   

Beginning with corporate cards issued to BMO employees in Canada and the U.S., the Mastercard Identity Check mobile app will prompt participants to:

  • scan fingerprints or snap selfies to validate their identities via biometrics; and

  • when verified, return to the merchant site to complete the online purchase

“The use of biometric technology has become more common for consumers looking for convenient and secure ways to make purchases using their smartphones, so this was the natural next step for us as innovators in the payment security space,” said Steve Pedersen, Vice President, Head, North American Corporate Card Products, BMO Financial Group. “Mitigating the risk of fraud is always our top priority, and the inclusion of this technology is going to make payment authentication easier, and strengthen the security of the entire payments ecosystem.”

Mr. Pedersen added that the first phase will test the potential of delivering greater security and convenience using BMO employee corporate cardholders in the U.S. and Canada, including establishing and improving best practices in corporate environments, developing better protection against potential fraud and continually minimizing the need for customer service inquiries. Once complete, the next phase will be to make the technology available to customers more broadly beginning in the summer of 2016.

“With BMO, Mastercard is hosting our first Canadian and U.S. corporate card biometric user engagement. It’s always exciting to introduce biometrics to new cardholders. They quickly realize that they don’t have to sacrifice convenience for security. By snapping a selfie or scanning a fingerprint, the person becomes the password,” said Catherine Murchie, Senior Vice President of North America Processing, Enterprise Security & Network Solutions for Mastercard.

Biometrics offer another layer of security for online payments.

Biometrics offer another layer of security for online payments.

About BMO Financial Group

Established in 1817 as Bank of Montreal, BMO Financial Group is a highly diversified financial services organization and a leading provider of commercial card and treasury solutions based in North America.  With total assets of approximately $642 billion as of October 31, 2015, and close to 47,000 employees, the bank also offers a broad range of retail banking, wealth management and investment banking products and services to more than 12 million customers.

About Mastercard

Mastercard, www.Mastercard.com, is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. Mastercard’s products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone. Follow us on Twitter @MastercardNews, join the discussion on the Beyond the Transaction Blog and subscribe for the latest news on the Engagement Bureau.

What I Like About This

Besides this being good news overall, when I learned more about their solution, I was excited by a specific element. Any device, including a laptop or even desktop computer, can be used for the online purchasing process. (I was thinking about administrative assistants and others who work at their desks all day.) The authentication, however, will occur via the purchaser’s mobile device.

This is just one more evolving piece of card and payment security—a growing and important part of the industry.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Subscribe to the Blog

Receive notice of new blog posts.

Subscribe

Evolving security for online payments.

Worldwide, card not present (CNP) fraud continues to be a challenge in the payments industry. We have seen the warnings. Such fraud typically rises as countries migrate to EMV/chip cards in an effort to reduce other types of fraud like point-of-sale fraud and card cloning. This is indeed happening now in the United States. However, do not think industry players (e.g., issuers, networks, acquirers, merchants) are sitting idly. Following are a couple evolving tools to combat CNP fraud and/or the theft of personal data.

One-time Passwords 

Perhaps you have experienced one-time passwords or passcodes (OTP) already. My payment card processor utilizes this functionality. After I provide my ID and password for their site, I also have to enter a one-time, six-digit number that they send to my mobile device as part of the login process. It expires in five minutes. 

Every fraud prevention strategy should include a multi-faceted approach to increase effectiveness.

Every fraud prevention strategy should include a multi-faceted approach to increase effectiveness.

Julie Conroy, Research Director, Aite Group Retail Banking Practice, is someone who has studied security over the years. She stresses, “A big security weakness is our reliance on static passwords and the fact that most people use the same password for multiple sites. The industry must transition from static passwords to dynamic ways of confirming the identity of a user.”

There have been countless reports of fraudsters obtaining access to one account of an individual and using the stolen credentials to access other accounts belonging to that person. They are often able to gather enough personal data to commit more crimes like applying for a loan.

As individuals, we can do our part by not using the same password for multiple applications and sites. Also consider the strength of the passwords you use. One of the most common passwords continues to be password. Many organizations train their employees on strong passwords and other aspects of security. Further, it is a best practice to address security within your card program policies, procedures and training.

3-D Secure 

Despite being an international security standard for online card payments, 3-D Secure (3DS) has not received a lot of press, nor extensive use, in the United States. This is starting to change as CNP fraud makes more headlines and 3DS continues to improve. It provides another method for verifying someone’s identify during the online checkout process, but it requires participation from the merchant and their acquirer/processor, and the cardholder and their card issuer/bank. You might be familiar with the different names, depending on card brand; for example, Verified by Visa, Mastercard SecureCode and American Express SafeKey. 

The first iteration of 3DS relied on static passwords. During checkout, the purchaser (cardholder) would click a link to access a designated webpage by their card issuer, in which they must enter an additional password (previously established) to authenticate the transaction. Opponents of this arrangement argue it can result in the abandonment of legitimate purchases because of the extra step. However, as Julie Conroy shares, “The evolution of 3DS now gives merchants greater control—through a metrics-based approach—over which transactions are pushed down the 3DS path.” She also notes that many of the large issuers have moved to either risk-based authentication, which requires no interaction from the purchaser, or dynamic authenticators, such as a one-time passcode (OTP). Some countries are even mandating 3DS to some extent or are considering a mandate. Within the Commercial Card realm, 3DS is primarily used outside the United States.

Naturally, every fraud prevention strategy should include a multi-faceted approach to increase effectiveness. This post only references two of many.  

What's Next

Stay tuned to this blog for a related, upcoming post on a new security solution for Commercial Cards.   

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Subscribe to the Blog

Receive notice of new blog posts.

Subscribe

One supplier's card acceptance journey.

In the life of a card program manager, it is common to approach suppliers about accepting card payments. You initiate a call and are prepared to address the “why accept” question. What if a supplier surprises you by already being convinced? Instead of asking why, they want to know how. Smaller suppliers in particular might not know how to get started. Your ability to offer advice beyond “talk to your bank” could prove to be the pivotal action. For insider experience, I spoke with Rick Swartwood, CPCP, who went from card professional to restaurant entrepreneur (and card acceptor). Read on for his insights that could help you assist your suppliers.

Following his 16 years of Commercial Card experience—most of which were with the Lockheed Martin Corporation—and prominent industry participation, Rick pursued a lifelong ambition of opening his own restaurant in 2014. He is now seeking a return to the corporate world, whether working within a payments arena, procure-to-pay operation or shared services. His restaurant experience has given him a whole new perspective of what it means to be a card-accepting supplier. Email Rick or get in touch through LinkedIn.

Finding Merchant Services

While a supplier’s current bank is certainly one route to explore for merchant services, there are many other options. Finding them is probably the easiest part. Rick shared how, as a restaurant owner, approximately 20 different merchant services organizations “came out of the woodwork” to sell him on their card acceptance solution. If a supplier has not received any such communications, they could find options though a simple Internet search. Two popular search phrases are credit card processing and merchant services. However, in the business-to-business (B2B) payments world, it is critical to find an acquirer who specializes in this space.

Evaluating the Options

Like any vendor search, when selecting a merchant services partner, a supplier should be wary of any verbal promises by salespeople such as “no extra fees.” The written proposals always include various types of fees, such as: monthly service fees, add-on or pass-through fees, PCI compliance fees and contract opt-out charges.

Because each merchant services company had a unique proposal format, Rick’s biggest challenge was finding the fees within each proposal to make apples-to-apples comparisons. To make his process easier, Rick developed a standard list of questions and required each company to answer in the same order. Questions included:

  • Is your service based on a monthly statement processing fee or are the processing charges deducted on a batch by batch basis? 
  • Is your service based on a fixed rate per transaction? If so, does the rate vary by card type? 
  • Is your service based on a cost plus pass through charge? If so, what is the charge? Does it vary by card type?
  • When are the receipt funds available in my bank account? Does it vary by card type? 
  • Is there a single receipt for all card types or multiple individual receipts based on card type? 
  • Is there a cost to opt out of the contract? 

This approach could help other suppliers who are new to card acceptance. When a supplier specifically needs B2B credit card processing, I recommend they also ask merchant services companies about their B2B capabilities and experience.

Having Buyer’s Remorse

Rick’s original merchant services choice was not his last for a couple reasons. For example, the availability of funds for one type of card became problematic. While the funds were supposed to be available within 48 hours, the reality was that it sometimes took 72–96 hours. In addition, another merchant services company proposed some financing of restaurant equipment if they could become the processor, so it made sense for Rick to change. See also my previous blog post about why some card acceptance relationships fail.

Suppliers should not be afraid to make a switch, but they also need to consider the financial repercussions of doing so.

Suppliers who are new to card acceptance and seeking a merchant services partner need to be wary of any offers that sound too good to be true.

Suppliers who are new to card acceptance and seeking a merchant services partner need to be wary of any offers that sound too good to be true.

Final Thoughts

Every supplier has different needs when it comes to card acceptance. For Rick’s restaurant business, 85% of payments, including server tips, were via cards. For these reasons, his priorities were low fees and quick availability of funds. Because he was paying servers’ tips in cash on a daily basis, a two-day lag for card payments was not ideal. For a non-retail/non-restaurant business like mine, I sought simplicity above all else.  

The next time one of your suppliers seeks guidance concerning card acceptance, encourage them to:

  • identify their needs
  • understand the fees they could encounter and payment timing/availability of funds 
  • shop around for a merchant services provider, especially one with experience in business-to-business (B2B) credit card processing 

Access additional resources related to card acceptance.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Subscribe to the Blog

Receive notice of new blog posts.

Subscribe