Apple Pay may be coming to Canada, according to reports – but will it help retailers to break free of their security woes?
Some suggest that Canadian banks may be open to working with Apple Pay, which was introduced in the United States late last year. For consumers, the biggest appeal of this mechanism is the ability to pay using your phone or smart watch, but there is also an important angle for both consumers and retailers: the mitigation of credit card risk.
Today, when a customer hands over their credit card at the store, the retailer has to scan it and send the card details to a payment card processor. Those details then become the retailer’s responsibility.
Instead of a credit card, Apple Pay uses a token to represent the card, along with a one-time dynamic number, designed to authenticate users along the way. This prevents the retailer from having to see the credit card number at all.
Retailers are coming under increasing pressure to improve their security following a number of notable security breaches at places like Home Depot and Target, in which credit card numbers were stolen.
One potential issue that could make data breaches of this kind even more worrying for retailers is the emergence of data breach notification law. Alberta and Manitoba already have provincial acts requiring companies to notify customers of breaches. Bill S-4, the Digital Privacy Act, would escalate these requirements to a federal level, making the notification of data breaches mandatory for retailers (and other companies) that lose customer data to thieves.
Technology like Apple Pay may help mitigate that risk, but another way for retailers to protect themselves against the business risk from data breaches is cyber-risk insurance. These policies, now common in the US, are emerging in Canada. They enable companies to take out insurance against the costs incurred by data breaches. These costs include the detection and mitigation of the attack, the notification and compensation of customers, any regulatory costs that arise, and any lawsuits that the company may face.
Underwriters have begun raising the bar for retailers seeking cyber-insurance contracts, said Michelle Lopilato, the director of the cyber risk solutions practice at large US-based broker Hub International.
Insurers are looking for best-in-class controls, said Lopilato, adding that she is starting to see changes in the requirements and levels of coverage offered.
These controls include encryption of data at the POS terminal, full PCI-DSS compliance, up-to-date security patches, and continuous real-time monitoring of the payment network, she said. These are becoming table stakes for retailers that want to be insured against cyber-risk.
Tokenization of credit card payments using mechanisms like Apple Pay isn’t yet affecting cyber-insurance risk, said Lopilato.
“Eventually it will, but there are so few of the clients that I work with who are at that point. The largest banks are there, but it’s the merchants that aren’t there yet,” she said.
Apple Pay may enable retailers to offer convenience and security to their customers, then, but it’s unlikely to affect cyber-insurance premiums for now. And in the meantime, it may require a hefty POS upgrade if a retailer doesn’t already have near-field communication (NFC) installed on its network.