As retailers and other enterprises explore accepting cryptocurrencies as a form of payment, security teams at these organizations need to be involved in the process of selecting the payment platform and securing the wallets, experts say.
For youth clothing brand PacSun, accepting cryptocurrencies for payments felt like a good way to reach Gen Z shoppers. Through a partnership with cryptocurrency payment service provider Bitpay, PacSun supports 11 cryptocurrencies, including Bitcoin, Bitcoin Cash, Ethereum, Dogecoin, and Litecoin, as well as Coinbase, Gemini, Binance, and other cryptocurrency wallets. The fashion retailer joins a growing list of companies that now accept cryptocurrencies, such as PayPal, AT&T, and Overstock.com.
Instead of trying to hold on to the cryptocurrency, most of these companies are relying on cryptocurrency payment platforms to manage the payments. This is why companies need to work with their information security teams to carefully evaluate the reputation and cybersecurity practices of these platforms before selecting a provider.
When considering which platforms to use for managing cryptocurrency payments, ease of use is particularly important for the overall cryptocurrency experience, says Luke Stokes, managing director at the Foundation for Interwallet Operability (FIO). Beyond that, merchants must consider other factors, such as whether the platform can serve their volume of customers, what kind of cybersecurity protocol the platform has, whether the provider has been hacked in the past, and how the payment platform addresses vulnerabilities, Stokes says.
“Just like you would with a PCI-compliant environment where you're accepting payments, you have to follow very similar security best practices to ensure that the website itself where you're collecting payments wasn't hackable,” Stokes says. “It's very similar to any kind of payment infrastructure decision: 'Do you have very secure systems?' But then it goes a little bit further to be like, 'Do you want to be your own bank or not?'”
Custodial vs. Non-custodial
One of the most important questions companies must ask themselves before accepting cryptocurrencies is whether they want a non-custodial wallet, meaning they will control the key to their cryptocurrencies, or a custodial wallet, where a third-party service provider will oversee their keys, says Stokes. The original premise of cryptocurrencies was to allow people to manage their funds without an intermediary, but many companies or vendors might be reluctant to become their own bank and prefer to work through a third party instead, Stokes says.
For companies that choose to accept cryptocurrencies directly and retain control over their private keys, doing so poses a substantial security risk for that company’s cryptocurrency assets. But selecting a third party to manage the key to their cryptocurrencies creates a different risk profile, Stokes explains.
Companies with non-custodial wallets risk being hacked or losing their keys, which could result in losing their cryptocurrency forever if they don’t have adequate backup procedures in place. For companies using custodial wallets, companies could lose access to their cryptocurrency if that third party runs into problems, such as government actions or hacks, Stokes explains.
One necessary measure companies must take is to adop multisignature wallets, which can be accessed by multiple users, Stokes says. They should also have cold wallets where cryptocurrencies aren’t accessible online and use air-gapped computers and hardware wallets, which require multiple people to access the funds. It’s also critical to conduct complete audit trails, meaning a record of all interactions with the funds and wallets, he adds.
Consider the Risks
PacSun chose BitPay to facilitate its cryptocurrency payments because the platform works with other major organizations, such as the Dallas Mavericks and Microsoft, says Mike Relich, PacSun’s co-CEO. Given that the retail sector has to worry about ransomware, bots, and other cybersecurity issues surrounding e-commerce transactions, the company went into discussions as to whether to accept cryptocurrencies with that in mind, Relich says.
Plus, cryptocurrencies do not come with the risks of chargebacks that credit cards do, Relich says.
“Somebody can use a fraudulent card, and then the person disputes, and then the chargeback, and then we're liable for the risk. Crypto is immediate. The minute that transaction happens — that's the one of the beauties of crypto — it's finalized,” Relish says. “So, actually, from a financial point of view, the risk is lower than accepting a credit card.”
For companies that don’t have an e-commerce component, accepting cryptocurrency payments comes with different considerations. Allure Security, a firm that detects and removes fraudulent websites that impersonate legitimate companies, doesn’t have to worry about potential fraudulent transactions from strangers because the company knows the customers it's working with, says CEO Josh Shaul. When Allure Security sends its invoices via Coinbase Commerce and accepts cryptocurrencies, the company knows exactly who paid for the service, Shaul says.
Allure Security decided against holding onto cryptocurrency. The company accepts payment using a Coinbase Commerce account and immediately converts the cryptocurrencies into US dollars, a process that Coinbase Commerce made fairly easy, Shaul says.
Allure Security chose Coinbase based on a client recommendation and its positive reputation. It also helped that Shaul was familiar with some people on Coinbase’s security team. Shaul didn’t have a preference for which coins to accept, reasoning that accepting whichever new coins would be a good marketing tool to reach new customers.
“There's some risk, I suppose, that in the short period of time from when a customer pays their bill before we realize they've paid it and moved the money to actual money that we could lose some value, but I would roll the dice for the fun market awareness that we could generate around we'll take any crazy coin there is,” Shaul says. “Coinbase is, I think, more pragmatic. They don't want to be dealing with the bigger risk of fluctuations on those in their commerce plan.”
Regulatory Landscape Is Murky
While companies are trying to decide whether to accept cryptocurrencies, lawmakers and regulators are still developing guidance for cryptocurrency companies. In the US, Congress and the Securities Exchange Commission have yet to provide clear guidance as to how to manage this new asset class, in part, because it does not have the characteristics of existing currencies and asset classes, and our existing laws for regulating traditional currencies and asset classes are almost a century old, says David Gold, one of the co-founders of the FIO protocol. The FIO Protocol is an open source usability-layer solution trying to make sending, receiving, and requesting cryptocurrency across all blockchain easier.
SEC Chair Gary Gensler told lawmakers during a September Senate hearing that the agency is crafting rules for the emerging cryptocurrency sector.
Before the company decided to accept cryptocurrency payments, one of the questions that Allure Security's finance team had was how to account for cryptocurrencies in its taxes. But the company ultimately decided to do so by calculating the US dollars that are converted from cryptocurrencies into US dollars and transferred into its bank account, Shaul says. For now, he says, he's not concerned about the regulatory impact on cryptocurrencies in 2021 or 2022.
“There might be some exposure down the road that cost us a little more than we thought it would. But for me, just the simple value of being able to transact with these companies the way that they want to transact and not introduce friction... that's what I care about,” Shaul says. “We'll deal with the regulatory and whatever that comes when and if it comes.”