
PYMNTS Data Dive | Why Can’t We Be Friends Edition: Walmart, Central Banks And Google

Most weeks at PYMNTS, we feel like financial news reporters — mostly, because that’s what we are. But, every so often, we get to feel like stormchasers, à la The Weather Channel, and last week was one of those extra-special weeks.

We feel we owe the team at Lending Club special thanks for getting the week started off with a bang.

Like the true innovators they are, they decided to start celebrating Friday the 13th on Monday the 9th with the dual announcements that the CEO was stepping down at the behest of the board and that the reasons for the rapid farewell were highly troubling issues that emerged from an internal investigation of the firm. The hits just kept on coming from there, and Lending Club’s stock price has taken a rather expected beating in subsequent days (as did most other marketplace lenders, who were apparently ruled guilty by association).

And while that was undeniably the most exciting news of last week, it wasn’t the only news. In fact, between Walmart and Visa spinning up for another 10 rounds, central banks under persistent attack from hackers and Google just saying no to payday lenders, it was actually pretty wild out there.

And who said payments was boring?


Visa And Walmart: Why Can’t They Be Friends?

While no one would likely ever characterize the relationship between Visa and Walmart as a love-fest, it might have seemed, over the last 12 months or so, that the two massive firms had sort of a detente thing going. Visa is part of Walmart Pay after all.

But things heated up last week when Walmart sued Visa over EMV and chips without PINs.

About a year ago, Walmart SVP and Assistant Treasurer Mike Cook referred to then-forthcoming EMV rules as “a joke,” noting that the signatures required at the end of the transaction essentially invalidated any potential security advance offered by the chip card.

“[Signature is] worthless as a form of authentication,” said Cook.

So worthless in fact, Walmart believes, that it is ready to go to court over it. At issue is the fact that Visa currently prohibits Walmart from insisting its customers use a PIN when paying with a chip-embedded card. Walmart customers can use their PIN at checkout, but they can also waive the PIN in favor of using a signature instead, according to a lawsuit filed by Walmart last week.

“This suit is about protecting our customers’ bank accounts when they use their debit cards at Walmart,” a Walmart spokesman said in an emailed statement to media outlets. “We believe Visa’s position creates unacceptable risk to customers, and its actions and rules are inconsistent with federal law.”

It’s also alleged that Walmart’s move away from signature-based authentication could save the retailer some serious change. Signature transactions, on average, cost $0.05 more than PIN transactions — although it has not been publicly revealed what the spread is for Walmart. Seventy percent of Walmart’s chip-based transactions are on debit cards.

“[Visa] has demanded that we allow fraud-prone signature verification for debit transactions in our U.S. stores because Visa stands to make more money processing,” Walmart said in its lawsuit.

Those who stand against “chip-and-choice” noted that the PIN is more secure and not really likely to create much in the way of friction, given that consumers already use PINs at ATMs.

The other side of that argument is that PINs are a holdover from a previous era when they were more essential for authenticating consumers, and that signature-based solutions were faster and easier for merchants and processors in the U.S. to adopt in advance of the EMV liability shift.

Visa has not provided public comment on the matter.

However, last April, Stephanie Ericksen, VP of risk products at Visa, was quoted as saying (in response to Mike Cook’s quote):

“We don’t see a need for it, [as chip-and-PIN] will have a shorter shelf life,” she said, suggesting that newer technologies would deliver new opportunities to innovate the current EMV experience.


Banks Under Siege

It has been a less-than-wholly-inspiring week for the cybersecurity of central banks, with multiple central banks reporting attempts by hackers to steal funds.

Internet hacker collaborative Anonymous may have managed to officially disrupt the websites of the central banks of both Greece and Cyprus.

The group’s attack on the central bank (in Greece) also came at the same time as an ominous message was posted on YouTube: “Olympus will fall.”

“A few days ago, we declared the revival of Operation Icarus. Today, we have continuously taken down the website of the Bank of Greece,” the video message continued. “This marks the start of a 30-day campaign against central bank sites across the world.”

The Central Bank of Cyprus was the next target.

“[The hack] resulted in some delays in user connections, but generally, the website could handle the anticipated number of users for the day,” the spokeswoman told media outlets.

Based on the type of attack, at least, the connection between the two incidents is evident.

But, on the upside, at least the central banks are having their public-facing websites — not their actual funds — pursued by said hackers.

Unlike the Bangladesh hack that made a little over $80 million disappear into the ether.

This is considered the upside, given last week’s other chipper piece of news, care of SWIFT, that hackers made another run on the SWIFT messaging system in an attempt to purloin funds from a second commercial bank.

According to SWIFT officials, the latest attack targeted a commercial bank and managed to send SWIFT messages using the bank’s valid codes.

No funds were stolen, but hackers did gain access to the transfer system using genuine credentials and malware to cover themselves.

“Forensic experts believe this new discovery evidences that the malware used in the earlier reported customer incident was not a single occurrence but part of a wider and highly adaptive campaign targeting banks,” SWIFT said in a notice to banks reviewed by The Wall Street Journal.

The latest malware attack, or attempted attack, was discovered by third-party experts who brought the issue to SWIFT’s attention. The attack actually predates the Bangladesh hack.

The malware used in the Bangladesh attempt and the current attempted attack have two things in common, according to SWIFT.

The first is that it sends messages over the SWIFT platform; the second is that the program exists to digitally cover tracks and make it harder to identify the culprits.


Google Says Goodbye To Payday Lenders' Advertising Funds

Google, it seems, does not want advertising revenue from everyone.

As of July 13, payday loans will no longer be able to be advertised on Google. Its decision reflects the AdWords policy not to promote things that can harm consumers and its feeling that payday lenders fall into that category.

“When reviewing our policies, research has shown that these loans can result in unaffordable payment and high default rates for users, so we will be updating our policies globally to reflect that,” David Graff, director of global product policy at Google, wrote in a blog post. “This change is designed to protect our users from deceptive or harmful financial products and will not affect companies offering loans such as mortgages, car loans, student loans, commercial loans, revolving lines of credit (e.g. credit cards).”

This ban by Google includes loans that have repayment dates that hit within 60 days of being issued. It also includes loans with an APR of 36 percent or higher in order to avoid promoting loans considered predatory.

The post goes on to note that while the ads could connect consumers to “interesting, useful brands, businesses and products,” there is enough risk that consumers could be guided to harmful products that Google has decided they no longer fit the description of things it wants to help connect customers to.

Google disabled more than 780 million ads for various reasons in 2015, which included everything from counterfeiting to phishing.

“Ads for financial services are a particular area of vigilance given how core they are to people’s livelihood and wellbeing,” Graff wrote.

“This new policy addresses many of the longstanding concerns shared by the entire civil rights community about predatory payday lending. These companies have long used slick advertising and aggressive marketing to trap consumers into outrageously high interest loans — often those least able to afford it,” Wade Henderson, president and CEO of The Leadership Conference on Civil and Human Rights, was quoted as saying in the post.

That decision doesn’t reflect the reality of payday loans, which is that most borrowers do repay them and within a few days of taking them, or the reality that one can watch their fill of XXX movies on Google-owned YouTube, but we digress.


So, what did we learn this week? Apparently, we can’t all be friends, and sometimes, it’s pointless to even try.


