Complying with New Medicare Reporting Requirements: Insurance CEO Art Meadows Shares Tips for Success
By Laurel Sanders, Optical Image Technology
Insurance companies offering liability coverage, workers’ compensation, and those that are self-insured have struggled to prepare for the new Medicare reporting requirements since the federal mandates were announced. The legislation is expected to reduce Medicare costs by protecting its secondary payer status when eligible claimants can be covered by alternative sources. Unfortunately for insurers, the new laws will increase paperwork, but failing to act on them will carry stiff penalties.
In contrast with previous legislation, the burden of proof now rests on insurers to determine whether tort plaintiffs are eligible for Medicare coverage, and to report this information to the government. The additional tracking can be considerable for those with eligible claimants. Insurers with minimal or no electronic files face the greatest challenges.
The drive toward compliance recently picked up speed: registration opened in May, 2009 for Responsible Reporting Entities (RREs) to express their intent to comply with the electronic reporting requirements. Those who haven’t adjusted their plans, policies, and systems to enable timely reporting must take action soon. Federal delays in enacting the legislation have ended. Fines for non-compliance or late reporting will be severe.
I asked Art Meadows, President and CEO of Panhandle Farmers Mutual Insurance Company and a recognized leader in the insurance field, if he would share some tips to help other insurers make sure they’re able and ready to comply. He shared his expertise and advice during a recent interview:
Q: What are the issues associated with the new legislation?
A: There are a number of requirements for insurers. First, they must identify claimants who are eligible for Medicare benefits. Ideally, they periodically download a list of Medicare-eligible claimants from their digital file repository and operating system that shows all pending claims and upload it to the Medicare site, or they can create and post the lists manually. As it currently stands, quarterly reports will be due starting in 2010. All pending claims must be tracked and reported as long as each claim remains open. If settlements, awards, or judgments are made, these also must be reported.
For insurers, the new legislation is all about facilitating compliance, mitigating risk, and minimizing the corporate expense of managing pertinent information.
Q: What kind of penalties are there for late or omitted reports?
A: Penalties are stiff, amounting to $1,000 per claimant per day. Since reporting will be quarterly, it could take a long time for companies to discover if they’ve made a mistake or omission. Fines could easily amass into hundreds of thousands of dollars with a small number of omissions or late reports. My advice to insurers: don’t just count on employees remembering to file, even if your company is small and files seem manageable. You will need to have a system in place that ensures reporting is done on time and no claimant is missed.
Q: Which companies will be most affected by the new requirements?
A: Companies that will struggle most are those without technology and electronic records. Many successful companies fall into this category. Some don’t even have Internet access in their offices. Without electronic records, a system that ensures reporting dates are met, and some form of automated tracking of eligible claims, compliance will be difficult, time consuming, and potentially prone to error. This could prove to be very costly due to fines.
Companies that have automated operating systems with electronic files and handle many liability claims may encounter fewer problems than those that have a small number and handle them manually. It’s difficult to remember to provide reports if your company only processes a few each year, and even fewer involving Medicare-eligible recipients. Administrative and litigation delays mean cases can remain open for years. Required reporting on claimants can last a long time.
Q: There are numerous companies offering to take on the burden of Medicare reporting for a fee. What are your thoughts about this?
A: This may be a good—or even necessary—situation for some companies, particularly if they are resorting to manual posting of reports. However, entrusting reporting to any outside organization puts your company at risk. Remember: you are delegating the task, but the responsibility to comply is still ultimately yours. I’m not sure I would want to relinquish the responsibility to someone else and risk penalties that might be avoidable by doing my own reporting. If you are considering using an outside agency, consider the risks and proceed carefully.
Q: What is your company doing to ensure it’s prepared when the new rules take effect?
A: Fortunately, we purchased a robust electronic document management system in 2003 and have created electronic reports for several years. Additionally, we are involved with a vendor and five other regional companies in developing a new operating system that will track and report these claims automatically. With direct integration to the Medicare site, we will be able to upload our reports easily, avoiding the time-consuming battle of manual entry.
As a part of our monthly close-out process we already create a variety of reports, such as agent commission checks and A+ ISO reports. We plan to add the Medicare reports as part of that process.
Q: What steps should companies take to register, and what should they expect?
A: Eligible insurers—those that underwrite liability insurance—must register with the Centers for Medicare and Medicaid Services. They must indicate that they are a Responsible Reporting Entity (RRE) and provide notice of their intent to comply with the electronic reporting requirements. They will then receive a company identification number and login information for the CMS program. Companies that still handle processes manually will need to input their information manually on the CMS website.
Q: Is there any additional advice you would like to share with insurers that are struggling with the new rules?
A: If you haven’t begun planning yet, start now. Register well ahead of the September deadline. The information you need to get started can be found on the CMS website, and the major insurance associations also have helpful resources.
Consider ways to make compliance easier. If you’re still managing everything on paper, this is a good time to convert to electronic document management.
Put plans in place to ensure prompt filing. Otherwise, late fines could accumulate for months before you are aware of them. Mistakes are costly. If you already have a digital repository with your policies, claims, and supporting documentation, you can simplify compliance with electronic workflow, establishing rules to remind you of impending deadlines and enforce timely reporting. Lastly, work with your operating system vendor to put programming in place that will track and monitor claims that need to be reported to CMS.
Q: Clearly digital documents make reporting easier. How else do document management and enterprise content management software fit into the compliance picture?
A: Digital trails don’t lie, and they don’t err. They show every document that’s captured and every transaction that occurs. If information is stored electronically and indexed for search, it will be found every time. In an audit, digital tracking of claims, related correspondence, and supporting materials ensures transparency and accuracy. With proper digital storage, files can’t be overlooked.
Finally, if you’re ready to convert to electronic records, or want to replace your imaging system with a better solution, talk with insurers like me who have successfully converted to digital records and electronic reporting. It’s an investment of time and money, but the payback is relatively quick. The increase in productivity and the savings long-term are significant. With recent increases in legislation, and more laws to follow, there’s no better time to invest in your future.
Art Meadows is the President and CEO of Panhandle Farmers Mutual Insurance Company in West Virginia. A National Association of Mutual Insurance Companies (NAMIC) Professional Farm Mutual Manager of the Year (2007) and recipient of the Service Award (2006), he has been a member of the NAMIC Merit Society since 1999. Formerly an insurance agent, property inspector, claims adjuster, and commercial/personal lines underwriter, Art served on the Governor’s Task Force to support West Virginia Tort Reform in 2005 and was president of the West Virginia Association of Mutual Insurance Companies from 1996 to 2005. Art can be reached at art@phfm1898.com.
For information about Optical Image Technology and the DocFinity suite of integrated imaging, document management, and business process management/workflow software, visit www.docfinity.com.
Tuesday, June 23, 2009
Thursday, June 18, 2009
The Economy and Medical Banking
By Mark Brousseau
With the current economic slowdown affecting virtually every individual and business today, the need to keep costs as low as possible has magnified some of the key trends that were already brewing in the medical banking services field prior to the downturn, says Maureen Turo (maureen.turo@bnymellon.com), vice president, Healthcare Market Specialist, The Bank of New York Mellon. These trends include revenue cycle improvements that provide a clear business case for saving time and money, and a partner with proven success in finding the right solutions.
There are numerous medical banking services available to help both payers (commercial insurers) and healthcare providers (institutional and professional). The most widely accepted services focus on improving the efficiency and amount of payments collected and posted by providers, Turo notes. Such services include automated EOB data lift, point of service systems, electronic processing and payment-to-contract analysis services.
"Healthcare providers are paying particular attention to those solutions that automate their payment processes for faster outstanding accounts receivables resolution," Turo says. "Automating payment processing frees resources (both staff and technology) to focus on other important payment collection tasks, such as resolving denied and under-paid claims."
Turo says an increasing number of healthcare providers are also looking for vendors to help them build and analyze the business case supporting these new services. "Although many medical banking services do not have any capital expenditure outlay, the services nonetheless require multiple levels of approval due to their impact on numerous back-office functions and financial systems," she explains. "Projects with the strongest business cases are the ones most likely to capture the provider’s attention."
In addition to needing a strong business case to implement these high-impact services, providers increasingly require strong references of potential vendors. They want to talk to other healthcare organizations that have implemented similar services to learn about the process and results, Turo says. Dealing with multiple (and sometimes antiquated) systems, as well as limited IT and project management resources, providers need assurance that a new service will address their most critical issues.
"Until more is known about the anticipated federal healthcare reform, I believe these trends will persist, with automation continuing to drive efficiencies in the healthcare industry," Turo says. "As providers experience success implementing various medical banking services, more will do so. Healthcare providers may not want to be on the leading edge of using these medical banking services, but they will not want to be left behind."
What do you think? Post your comments below.
Monday, June 15, 2009
The Minnesota Mandate: What Does It Mean?
By Mark Brousseau
When HIPAA was passed in 1996 it looked like an electronic future for healthcare was upon us. As it turned out, the lack of enforcement for the new law combined with the ability to “opt-out” of electronic claim and remittance processes altogether allowed payers to delay their adoption of electronic file capabilities.
This was extremely counter-productive to the healthcare industry as a whole, notes Jim Ribelin, CEO, HERAE, LLC (www.herae.com). How could payers take the laws seriously when Medicare has only recently made the move to all electronic remittance data, and there are still US Military hospitals that as of today require paper-based processing as ‘standard procedure?’
It took Tim Pawlenty, Governor of Minnesota, to enact a state law requiring all insurance payers that do business in the state of Minnesota to conduct all claim and payment transactions electronically by December 19, 2009. This time there is no ability to “opt-out” of the electronic mandate. Furthermore, there are stiff penalties waiting for any payer that does not comply, Ribelin points out.
“This presents a very different situation than we’ve seen with HIPAA enforcement,” Ribelin says. “There is the law, but now there is enforcement and penalties, and a relatively tight deadline, at a state level.”
Ribelin adds that Minnesota is home to some of the top, internationally-recognized healthcare facilities. “This new law will require quick and decisive action on the part of large and small payers to provide electronic files across the board,” he says. “It will also create a level of ‘fear and uncertainty’ in the provider market, as every one of them is finally confronted with the inescapable requirement to accept and process electronic remittance information.”
The good news is that the healthcare remittance market has matured since HIPAA and there are solutions available that provide flexible online workflow, payer connections and electronic funds transfer (EFT) data re-association with electronic remittance advice (ERA) data, Ribelin says. The bad news is that there are also very limited solutions out there that do the bare minimum, and often create more work and headaches for the healthcare provider in their quest to adopt electronic payment solutions.
“The challenge is to educate the market on what they should look for in a remittance partner,” Ribelin says. “Sending a scanned image of an explanation of benefit (EOB) can be considered an electronic solution – but it’s a far cry from obtaining a fully HIPAA-compliant 835 data file complete with claim, patient and procedure information that can be searched and reported upon.”
The optimum solution deals with the data right at the source, by direct-connecting to payers, Ribelin claims. This provides many advantages, including standardized online presentation of claim information regardless of the payer and the ability to receive the most robust remittance data before it is modified/tainted by clearinghouses or accidentally by the providers themselves, he says. There are also longer-term benefits, Ribelin adds, including significant advantages in terms of reporting to improve back-office processes and collections, contract management to monitor and improve accuracy of insurance payer payments and much more.
What do you think? Post your comments below.
Credit Card Security Problems
Posted by Mark Brousseau
An interesting article from the Associated Press on how lax requirements leave consumer data at risk of attack by hackers:
Weak security enables credit card hacks
By JORDAN ROBERTSON
AP Technology Writer
Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.
And while you may take steps to protect yourself against identity theft, an Associated Press investigation has found the banks and other companies that handle your information are not being nearly as cautious as they could.
The government leaves it to card companies to design security rules that protect the nation's 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst, according to the AP's analysis of data breaches dating to 2005.
It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you'll spend weeks straightening your mangled credit, though you can't be held liable for unauthorized charges. Even if your transaction isn't hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud.
More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse. Meanwhile, many others likely have been breached and didn't detect it. Even the companies that had the payment industry's top rating for computer security, a seal of approval known as PCI compliance, have fallen victim to huge heists.
Companies that are not compliant with the PCI standards - including one in 10 of the medium-sized and large retailers in the United States - face fines but are left free to process credit and debit card payments. Most retailers don't have to endure security audits, but can evaluate themselves.
Credit card providers don't appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost.
That is of little consolation to consumers who bet on the industry's payment security and lost.
It took four months for Pamela LaMotte, 46, of Colchester, Vt., to fix the damage after two of her credit card accounts were tapped by hackers in a breach traced to a Hannaford Bros. grocery store.
LaMotte, who was unemployed at the time, says she had to borrow money from her mother and boyfriend to pay $500 in overdraft and late fees - which were eventually refunded - while the banks investigated.
"Maybe somebody who doesn't live paycheck to paycheck, it wouldn't matter to them too much, but for me it screwed me up in a major way," she said. LaMotte says she pays more by cash and check now.
It all happened at a supermarket chain that met the PCI standards. Someone installed malicious software on Hannaford's servers that snatched customer data while it was being sent to the banks for approval.
Since then, hackers plundered two companies that process payments and had PCI certification. Heartland Payment Systems lost card numbers, expiration dates and other data for potentially hundreds of millions of shoppers. RBS WorldPay Inc. got taken for more than 1 million Social Security numbers - a golden ticket to hackers that enables all kinds of fraud.
In the past, each credit card company had its own security rules, a system that was chaotic for stores.
In 2006, the big card brands - Visa, MasterCard, American Express, Discover and JCB International - formed the Payment Card Industry Security Standards Council and created uniform security rules for merchants.
Avivah Litan, a Gartner Inc. analyst, says retailers and payment processors have spent more than $2 billion on security upgrades to comply with PCI. And the payment industry touts the fact that 93 percent of big retailers in the U.S., and 88 percent of medium-sized ones, are compliant with the PCI rules.
That leaves plenty of merchants out, of course, but the main threat against them is a fine: $25,000 for big retailers for each month they are not compliant, $5,000 for medium-sized ones.
Computer security experts say the PCI guidelines are superficial, including requirements that stores run antivirus software and install computer firewalls. Those steps are designed to keep hackers out and customer data in. Yet tests that simulate hacker attacks are required just once a year, and businesses can run the tests themselves.
"It's like going to a doctor and getting your blood pressure read, and if your blood pressure's good you get a clean bill of health," said Tom Kellermann, a former senior member of the World Bank's Treasury security team and now vice president of security awareness for Core Security Technologies, which audited Google's Internet payment processing system.
Merchants that decide to hire an outside auditor to check for compliance with the PCI rules need not spend much. Though some firms generally charge about $60,000 and take months to complete their inspections, others are far cheaper and faster.
"PCI compliance can cost just a couple hundred bucks," said Jeremiah Grossman, founder of WhiteHat Security Inc., a Web security firm. "If that's the case, all the incentives are in the wrong direction. The merchants are inclined to go with the cheapest certification they need."
For some inspectors, the certification course takes just one weekend and ends in an open-book exam. Applicants must have five years of computer security experience, but once they are let loose, there's little oversight of their work. Larger stores take it on themselves to provide evidence to auditors that they comply with the rules, leaving the door open for mistakes or fraud.
And retailers with fewer than 6 million annual card transactions - a group comprising more than 99 percent of all retailers - do not even need auditors. They can test and evaluate themselves.
At the same time, the card companies themselves are increasingly hands-off.
Two years ago, Visa scaled back its review of inspection records for the payment processors it works with. It now examines records only for payment processors with computer networks directly connected to Visa's.
In the U.S., that means fewer than 100 payment processors out of the 700 that Visa works with are PCI-compliant.
Visa's head of global data security, Eduardo Perez, said the company scaled back its records review because it took too much work and because the PCI standards have improved the industry's security "considerably."
"I think we've made a lot of progress," he said. "While there have been a few large compromises, there are many more compromises we feel we've helped prevent by driving these minimum requirements."
Representatives for MasterCard, American Express, Discover and JCB - which, along with Visa, steer PCI policy - either didn't return messages from the AP or directed questions to the PCI security council.
PCI's general manager, Bob Russo, said inspector certification is "rigorous." Yet he also acknowledged that inconsistent audits are a problem - and that merchants and payment processors who suffered data breaches possibly shouldn't have been PCI-certified. Those companies also might have easily fallen out of compliance after their inspection, by not installing the proper security updates, and nobody noticed.
The council is trying to crack down on shoddy work by requiring annual audits for the dozen companies that do the bulk of the PCI inspections. Smaller firms will be examined once every three years.
Those reviews merely scratch the surface, though. Only three full-time staffers are assigned to the task, and they can't visit retailers themselves. They are left to review the paperwork from the examinations.
The AP contacted eight of the biggest "acquiring banks" - the banks that retailers use as middlemen between the stores and consumers' banks. Those banks are responsible for ensuring that retailers are PCI compliant. Most didn't return calls or wouldn't comment for this story.
Mike Herman, compliance managing director for Chase Paymentech, a division of JPMorgan Chase, said his bank has five workers reviewing compliance reports from retailers. Most of the work is done by phone or e-mail.
"We have faith in the certification process, and we really haven't doubted the assessors' work," Herman said. "It's really the merchants that don't engage assessors; those get a little more scrutiny."
He defended the system: "Can you imagine how many breaches we'd have and how severe they'd be if we didn't have PCI?"
Supporters of PCI point out nearly all big and medium-sized retailers governed by the standard now say they no longer store sensitive cardholder data. Just a few years ago they did - leaving credit card numbers in databases that were vulnerable to hackers.
So why are breaches still happening? Because criminals have sharpened their attacks and are now capturing more data as it makes its way from store to bank, when breaches are harder to stop.
Security experts say there are several steps the payment industry could take to make sure customer information doesn't leak out of networks.
Banks could scramble the data that travels over payment networks, so it would be meaningless to anyone not authorized to see it.
For example, TJX Cos., the chain that owns T.J. Maxx and Marshalls and was victimized by a breach that exposed as many as 100 million accounts, the most on record, has tightened its security but says many banks won't accept data in encrypted form.
PCI requires data transmitted across "open, public networks" to be encrypted, but that means hackers with access to a company's internal network still can get at it. Requiring encryption all the time would be expensive and slow transactions.
Another possibility: Some security professionals think the banks and credit card companies should start their own PCI inspection arms to make sure the audits are done properly. Banks say they have stepped up oversight of the inspections, doing their own checks of questionable PCI assessment jobs. But taking control of the whole process is far-fetched: nobody wants the liability.
PCI could also be optional. In its place, some experts suggest setting fines for each piece of sensitive data a retailer loses.
The U.S. might also try a system like Europe's, where shoppers need a secret PIN code and card with a chip inside to complete purchases. The system, called Chip and PIN, has cut down on fraud there (because it's harder to use counterfeit cards), but transferred it elsewhere - to places like the U.S. that don't have as many safeguards.
A key reason PCI exists is that the banks and card brands don't want the government regulating credit card security. These companies also want to be sure transactions keep humming through the system - which is why banks and card companies are willing to put up with some fraud.
"If they did mind, they have immense resources and could really change things," said Ed Skoudis, co-founder of security consultancy InGuardians Inc. and an instructor with the SANS Institute, a computer-security training organization. Skoudis investigates retail breaches in support of government investigations. "But they don't want to strangle the goose that laid the golden egg by making it too hard to accept credit cards, because that's bad for everybody."
Wednesday, June 10, 2009
More Businesses Turn to Psychics
Posted by Mark Brousseau
More and more business owners are turning to psychics, says Russell Grant Astrology, which has been dispensing Astrological advice for over 30 years.
Historically, 1 in 3 calls to Russell Grant was regarding a love related matter. Over the past few months, more business owners have been calling up to get advice during this tough climate.
Using psychics and mediums for business use is not unusual, Russell Grant says. In fact, psychics are regularly employed to suss out prospective employees, solve mysteries within the workplace or indeed work hand in hand with astrologers and Financial Directors to plot the business moving forward.
“Many worried self-employed men and women have been calling me during the past few weeks,” one psychic commented. “I was very pleased to be able to guide a number of people into opening their minds to other avenues within their businesses to limit the losses they have been facing over the past few months.”
What do you think?
Sunday, June 7, 2009
Risk and Image Payments
Posted by Mark Brousseau
Vijay Balakrishnan, president of StratEx, LLC (www.stratexllc.blogspot.com) passes along the following article:
It occurs to me that payment security, like beauty, may rest in the eye of the beholder. Societal norms on beauty have ranged over the years from Raphaelesque abundance to Twiggy-like minimalism. With payments transformed in ever larger numbers from pieces of paper to electronic images, the debate du jour centers on the risk of image payments. Does the transformation of checks to images and data for onward transmission through an evolving electronic infrastructure introduce additional risk? The answer perhaps depends on one's perspective.
The proponents on either side have aligned themselves into sharply defined camps. There are those who attest that technology provides the ability to check for fraud at a scale never before possible, and that business processes need to step up to avail of new avenues. There are others who turn the argument on its head and assert that technology allows the propagation of fraud at the speed of light; the paper check, after all, was bound by the limitations of planes, trains, and automobiles.
Lending more uncertainty to the dialog is a regulatory black hole that allows many degrees of interpretive freedom. Check 21, which is widely touted as the legislative parent of the image revolution in U.S. check processing, is noticeably silent on image exchange. All Check 21 says is that a paper "substitute check" meeting certain requirements can be created from an image of a paper check, and that this new piece of paper has the same legal standing as the original item. It says nothing about the image itself, or its transmission within or between financial institutions. While this delights and provides opportunity to those in the legal profession, it does little to shore up the basic argument: is the new image infrastructure riskier than the paper-based one it is replacing?
The central issue is not whether image payments are risky (all payments arguably are risky at some level), but whether they pose additional risk. Those in the no-additional-risk camp question whether every paper item is checked for signature and check stock viability, and whether every deposit is reviewed based on business rules. They assert that technology can automatically examine every item and deposit (or a subset thereof) using rule-based filters, and identify those that need manual intervention. They further point out that this can be done on "Day Zero" at initial capture, instead of on "Day Two and Beyond" in the paper world. If anything, they claim, the automated image world is less risky than its paper predecessor.
"Not so fast," say the others. The lack of robust duplicate detection systems across payment channels (branches, ATMs, other remote capture locations) and between institutions makes the electronic equivalent of check kiting a real threat. With access to the right software, images can be altered with greater ease than paper items. They also point out that this risk can emanate from within financial institutions, as opposed to "the other side of the firewall". While it is theoretically possible for technology to check all items, few institutions have this capability in place. The regulatory framework is playing catch-up to the reality of billions of image payments zapping their way across the nation (and indeed the world with the international remote capture of U.S. dollar deposits), making for a Jello-like foundation.
During the now distant past when the credit card world confronted similar issues, the card associations came up with rules of governance. They were also able to establish the interchange system, which shared revenue and risk between acquirers, processors, and issuers. Thus, their approach focused less on the presence or absence of risk, and more on a system that compensated entities in the chain for risk exposure. Interchange was established at a time when the power equation between banks and merchants was tilted heavily in favor of financial institutions. It is highly unlikely that an interchange system for image exchange will see light of day. This brings up another intriguing question: regardless of the outcome of the less versus more risk debate, will future years see risk-adjusted transaction fees for image processing?
The challenge with questions of this nature early in the life cycle of disruptive technology adoption is that answers cannot be based on empirical information. Like changing perspectives on beauty, there are myriad opinions. If you have a take on this, let me know. Speculating on a brave new world in itself is relatively risk free. It will be a while before your opinion is borne out one way or the other!
Saturday, June 6, 2009
Key Criteria for Mobile Solutions
By Mark Brousseau
A new white paper from Fiserv, Inc. says there are 10 key criteria for selecting a mobile financial services solution:
- Flexible enrollment
- Ability to deliver banking services via SMS, WAP and downloadable applications from one provider
- Consolidated enterprise platform
- Adaptable and scalable solution
- Extended functionality
- Mobilizing and streamlining business processes
- Proven premium services
- An integrated platform that lowers the total cost of ownership and interfaces with core banking, online banking and electronic billing and payment systems
- Bank-centric
- Multiple deployment options
What do you think? Post your comments below.
Smartphones and Mobile Banking
By Mark Brousseau
Smartphones will have a tremendous impact on mobile banking, Alain DeSouza, senior manager, Market Development, Solutions Marketing, at Blackberry, told attendees at the Third Annual Mobile Commerce Summit at The M Resort in Las Vegas yesterday.
DeSouza noted that, depending on the analyst numbers you believe, smartphones represent 20 to 26 percent of the mobile phones in the United States, and 12 to 14 percent of the mobile phones globally. When you consider that 4 billion people worldwide have mobile phones (with 1.3 billion mobile phones purchased annually) there is a lot of opportunity for smartphone mobile banking applications.
“Mobile banking will be one of the top seven applications people will have,” DeSouza said. He predicts the mass market adoption of mobile banking applications and that more companies will leverage mobile applications in general as a means of entering and exploiting new demographic segments.
And while iPhone has been getting a lot of the smartphone buzz, “the gorilla in the smartphone industry globally is Nokia, even though Blackberry leads the U.S. market,” DeSouza said.
What do you think? Post your comments below.
Friday, June 5, 2009
Cardholders Going Mobile
By Mark Brousseau
Below are some insights on mobile banking from the Third Annual Mobile Commerce Summit this week at The M Resort in Las Vegas.
… Cardholders have become increasingly more comfortable moving account information via the mobile channel, Kevin Morrisson, assistant vice president, Card Products, H&R Block, told attendees.
… Within six months of launch, financial institutions average 1.5 to 2 percent of their Internet users accessing mobile banking, Scott Moeller, chief executive officer, MShift, Inc. said during a breakfast briefing.
… Huntington Bank surveyed its mobile banking customers and found that 65 percent of them were likely to use mobile banking in the future, Ellen Johnson of Huntington Bank told attendees. Most importantly, 48 percent of respondents were very likely to recommend Huntington to another person because of the bank’s mobile banking offering.
… Huntington Bank’s mobile banking customers are 38 percent more profitable than the rest of the bank’s customer base, Johnson told attendees.
… Mobile phones are the preferred channel for global remittance because of their prevalence, speed and accessibility, T. Jack Williams, CEO, eCommlink, told attendees. “As an industry we need to focus on the ‘last mile’ of global remittance to truly open up the opportunity,” Williams said.
… When you look for a processor for your mobile payments initiative, select a partner committed to mobile for the long run, Williams told attendees. The processor needs to be able to support mobile traffic (short code support), must be compliant with SAS 70 and PCI, and must have an API library for a variety of mobile functions.
… Merchant agenda will need to be addressed by mobile payments or they will never adopt it, Williams said.
… More than 40 percent of mobile banking users are not online banking users, finds Aspen Marketing Services. This means that a mobile marketing initiative that largely focuses on online banking users (a common approach) will potentially ignore more than half of a bank’s customer base.
What do you think? Post your comments below.
Security Stymies Mobile Banking
By Mark Brousseau
Security fears are the single biggest factor inhibiting mass consumer uptake of mobile banking, Tom Wills, senior analyst, Security, Fraud and Compliance at Javelin Strategy & Research, said yesterday at the Third Annual Mobile Commerce Summit at The M Resort in Las Vegas.
When it comes to mobile banking, 47 percent of consumers surveyed by Javelin Strategy & Research cited security as the thing they are most concerned about, Wills said. “No other category comes close.” Additionally, 73 percent of consumers are concerned that hackers will get access to their mobile phone.
But many consumer fears about mobile banking security are misplaced, Wills said. “There is lots of misinformation and misperception,” he told the audience of 98. “For instance, there is a perception that there is a lot of malware in the mobile banking channel. That’s not true. But it doesn’t matter that a consumer is wrong; if they are concerned, it’s lost revenue for banks.”
Wills added that, “The mobile channel is one of the safest around, if good security is implemented. It has some innate security safeguards.”
Those comments notwithstanding, banks need to be prepared to deal with fraud in mobile banking, Clint Heyworth, attorney, Consumer Finance Group, Chambliss, Bahner & Stophel told attendees.
“Mobile payments are going to happen. That is a given,” Heyworth said. “Fraud is also going to happen. That also is a given. Stealing is not a new concept. Mobile banking is just a new forum for theft and fraud. Companies need to decide how to stop it.”
So, why haven’t we heard more about instances of mobile banking fraud? “Not enough people are using it, and there isn’t enough money going through it,” Eric Kraar, senior architect, Firethorn, told attendees.
Kraar noted that the myriad operating systems in mobile banking strengthen security for the channel because the variety “makes it harder to get at a lot of people with one attack.” Conversely, it also means that vendors can’t focus their security efforts in any one area. “We can’t come up with one solution that fits everything,” Kraar said.
What do you think? Post your comments below.
Wednesday, June 3, 2009
Mobile Commerce Trends
By Mark Brousseau
Some interesting facts from the pre-conference workshop at the Third Annual Mobile Commerce Summit at the M Resort Casino & Spa in Las Vegas on Wednesday:
… Banks that think they are going to fund their mobile initiatives through advertising had better think again, according to Bob Gilbreath, chief marketing strategist, Bridge Worldwide, an interactive and relationship marketing agency. “Mobile ad interruption will not be tolerated,” Gilbreath said, noting that 72 percent of Americans have registered on the Federal Do Not Call list. What’s more, service providers fear losing $50 per month customers in exchange for pennies per ad unit, he said.
… Smartphone users spend less than 5 minutes online per session, Gilbreath said.
… People who write down how they will use a new product are 50 percent more likely to use it, according to a study by Procter and Gamble.
… Young consumers are spending less time in traditional “online” environments, Gilbreath said.
… The Berg Institute says there were 3.1 million mobile banking households in the United States last year – up from 400,000 households in 2007. The Berg Institute estimates there will be 7 million mobile banking households by the end of 2009.
… 50 percent of all calls to bank customer service centers are from mobile phones, and will rise to 70 percent in 2010, according to Celent. Many calls are simple balance requests, Celent notes.
… As of January, 2009, Bank of America had 1.9 million mobile banking users – up from 1 million users in June, 2008. On peak days, Bank of America has 100,000 mobile banking users.
… Only 40 percent of a retail bank’s customers are profitable, finds the Council on Financial Competition.
What do you think? Post your comments below.
Check Out A Small Sample of Attendees for TAWPI 2009 in Washington DC
ACE Hardware Finance Project Manager
Alabama Power Company: Supervisor of Remittance Processing
Alliance Bank: VP/ Director of Information Technology
Allstate Insurance Company: Associate Consultant
Amica Mutual Insurance Company: EVP of Operations
American Heart Association Vice President Customer Strategies and Field Operations Projects
American National Property & Casualty Co.: Sr Premium Payment Specialist
AmeriGas Propane: Director of Revenue Management
AmeriPharm Inc. IT Director
Ameriprise Financial INC: Director Document & Payment Operations
Bank of America LSS - Lockbox Specialty Services
Blue Cross Blue Shield of Alabama Manager-Cash Management & Investments
Blue Cross Blue Shield of Alabama Operations Manager-Payment Processing
Capital One Auto Finance Payment Processing Sr. Unit Manager
CenterPoint Energy Director of Remittance
Christian Broadcasting Network, Inc. Manager-Remittance Processing
CNH Capital America LLC: Mgr, Cash Processing and Processing Svs
County of Orange: Cash Manager
Customs & Border Protection Office of Training and Development
Department of Defense Senior Technical Advisor
Department of Homeland Security Chief Knowledge Officer
Duke Power Company Collect Process Design Specialist
Eastern Bank AVP
Father Flanagan's Boys Home Lockbox Manager
Fifth Third Processing Solutions Vice President - Relationship Management
FBI Management & Program Analyst
First American Real Estate Tax Svs Director of Operations
Florida Power & Light Company Customer Billing Supervisor
FMCS - Federal Mediation and Conciliation Service IT Specialist
FOOTSTAR AP MANAGER
Illinois National Bank Vice President
Indiana Department of Revenue Administrator of the Returns Processing
JPMorgan Chase & Company Executive Director, Receivables Product Mgt.
Library of Congress Acting Chief
LifeWay Christian Resources Manager of Accounts Payable
M & I Bank Vice President
Maryland Health Care Commission Division Chief - Center for Health IT
Media General, Inc. Remittance Processing Manager
Morgan Stanley Executive Director
Navy Federal Credit Union Manager, Remittance Processing
New Jersey Department of Banking and Insurance State Coordinator
New York City Department of Education Technology Instructor
North American Membership Group, Inc. Operations Manager
Northwestern Mutual Director, Shared Services
Nuclear Regulatory Commission
Office of Tax & Revenue Branch Chief Receipt & Archive Branch
Office of the General Counsel Director of Litigation
Orange County Treasurer-Tax Collector Chief Assistant Treasurer-Tax Collector
Pacific Blue Cross Manager, Office Services
Palmetto GBA Director
Pediatric Associates of Richmond Information Technology Specialist
Pepco Holdings, Inc. Business Systems Project Manager
PNC Bank Vice President, Sr.Product Manager
Portland General Electric Company Manager - Revenue Collection
Proctor Financial Chief Administrative Officer
PSE&G District Manager - Customer Operations
Resurgent Capital Services Senior Manager
Richland County Information Technology Business Systems Division Manager
Skechers USA ACCOUNTS PAYABLE MANAGER
SOURCECORP BPS Inc Director of Operations
State Farm Insurance Company Systems Analyst
St. Paul Travelers Insurance Vice President of Operations
Sunlife Financial Sr Manager, Imaging Center
T.Rowe Price Services, Inc Assistant Vice President
The Huntington National Bank Product Manager-Senior
TIAA-CREF Mgr, Business and Administrative Support
Time Warner Cable Regional AP Manager
U.S. Army IT Specialist
U.S. Cellular, Inc. Mgr, Accounts Payable/Business Support Services
U.S. Department of State Compliance
UMUC Program Director, Telecommunications Management
Union Bank of California Vice President/Manager
United States Treasury Assistant Commissioner Federal Finance
United Water VP of Customer Service
Unity Health Insurance Systems Analyst
US Attorney's Office Information Technology Specialist
Verizon Communications Manager
Wells Fargo Bank Product Manager
ZC Sterling Capture Automated Technologies Manager
Tuesday, June 2, 2009
Remote Deposit Capture Still Has Legs
By Mark Brousseau
With the stratospheric growth of remote deposit capture (RemoteDepositCapture.com says it has reached over 50 percent penetration among financial institutions in less than half the time it took online banking), you might assume that interest in the technology is dying down. You’d be wrong.
At last week’s Windy City Summit in Chicago, a session on remote deposit capture drew a standing room-only crowd (some attendees even sat on the floor), and many corporate practitioners admitted that they still haven’t implemented the technology, reports Leilani Doyle, product manager at US Dataworks, Inc. (ldoyle@usdataworks.com).
“While remote deposit capture is no longer new, and the market is saturated with product offerings, the technology is still growing steadily among corporations,” Doyle explains. “Corporate practitioners recognize that truncating paper as soon as possible in the process is always better.”
Doyle believes that there is more growth ahead for remote deposit capture, particularly with ISOs now selling the solution to billers who previously were an untapped audience, and with the introduction of new check scanners designed especially for billers with low transaction volumes (think: small businesses). US Dataworks plans to make product announcements in this area.
Remote deposit capture holdouts (and early adopters of the technology) also are looking for remote deposit capture solutions that allow for the centralized processing and repair of checks captured at the point of presentment. Anticipating this trend, US Dataworks designed its remote deposit capture offering to allow billers to capture items anywhere, correct them anywhere, and clear them anywhere.
Doyle said there also was a lot of talk among treasurers at the Windy City Summit about the need to reduce any excess balances in their demand deposit accounts (DDA). “Using balances to pay for services is too expensive,” Doyle explains, adding that many treasury managers were looking for a place to park their excess funds. “Not only are corporations receiving an ECR of 1 percent or less, but they also are incurring FDIC fees based on the risk category of their financial institution.”
“The macro-economic pressures of banks not willing to lend, and the Federal Reserve fund rates being at an all-time low, have put a unique spin on the treasury management professional’s job,” Doyle says. “Treasurers are spooked by high FDIC rates, the unknown risk of FDIC rate hikes to cover losses, and the fact that they can no longer use DDA balances to pay for non-credit services.”
The challenge for most treasurers is that they can’t move their banking relationship if they have a credit facility with their bank – regardless of the fees the bank is charging for its cash management services: “Companies need to have access to that line or another longer term credit facility.”
In addition, some banks are changing their availability schedules, Doyle says. This is another area where Doyle thinks US Dataworks’ technology can help. With a centralized payments hub, like the one offered by US Dataworks, corporations are better prepared to choose the bank with the best availability schedule, or to dynamically change the way payments are collected based on the paying bank. “Better management of the collections side of the treasury function will provide more accurate collected balance forecasting and reduces the amount of collected balances subject to the FDIC assessment,” Doyle says. “Corporations can augment this strategy with a sweep to pay off loans if they are a net borrower, or a sweep to an investment product, if they are a net depositor.”
What do you think? Post your comments below.