WHITE PAPER
MULTI-LAYERED SECURITY STRENGTHENS PAYMENT STRUCTURES
How to Prepare a Comprehensive Strategy

The lines have been drawn in retail data security. While security threats will continue to exist – thieves and hackers will constantly seek new ways to target the retail industry – merchants can fight back by employing the most effective strategies to deal with today’s challenges. Forward-thinking retailers are prepping for a more secure future that includes a combination of EMV (Europay/MasterCard/Visa) standards, encryption and tokenization.

No payments infrastructure, no matter how well-designed and well-protected, can keep out every hacker, criminal and mischief-maker. But does this mean retailers should simply throw in the towel on data security? Quite the contrary. Acknowledging the inevitability of attacks also includes understanding where and how those attacks are most likely to occur, and taking the most effective actions to mitigate risks. The fact that fraudulent activity gravitates to the easiest targets is a compelling reason for retailers to beef up their own data defenses. The most secure payment transaction possible today is one that combines three technologies: EMV, track data encryption and tokenization. Retailers using a comprehensive, multi-layered approach to transaction security can make themselves less appealing for criminal activity.

MOUNTING DATA SECURITY CONCERNS

The time is ripe for immediate action. Recent high-profile data breaches at Target, Neiman Marcus and Michael’s Stores have raised public (and industry) consciousness about data security.
In the wake of these breaches, National Retail Federation (NRF) President and CEO Matthew Shay issued a challenge to Congress to focus more on supporting the “chip and PIN” technology associated with EMV standards, as well as enforcing federal cybersecurity laws and developing a uniform federal data breach notification statute. The Retail Industry Leaders Association (RILA) has stressed the importance of eliminating the magnetic stripe cards that are currently in wide use in the U.S., which are considered more vulnerable to fraud and theft than chip cards.

In addition, a number of current and pending deadlines are pushing U.S. retailers to formulate action plans for their payment infrastructures. As of April 2013, payment processors were required to support merchant acceptance of transactions conducted with chip cards, which are now being distributed to consumers by many payment card issuers. On October 1, 2015, Visa, MasterCard and other card brand networks will institute a liability shift, potentially making retailers financially responsible for counterfeit card-present POS transactions. Currently, POS fraud is largely absorbed by card issuers. A similar shift will occur for fuel dispenser terminals in October 2017.

“In the last few months, we have seen a dramatic shift in the interest and understanding of the benefits that EMV chip cards provide, particularly in helping to lessen the impacts of payment data breaches and to prevent counterfeit card fraud,” said Randy Vanderhoof, Director of the EMV Migration Forum, in April 2014. “As a result, U.S. migration is accelerating and there is a refreshed urgency in resolving issues and moving forward as quickly as possible.” The Forum predicts that U.S. EMV chip adoption is poised for “exponential growth in the next year from today’s estimated 17 to 20 million EMV chip cards and millions of EMV-capable terminals and ATMs, some of which already accept EMV chip cards.”

When discussing the security challenges facing merchants, it is important to note that there are two distinct kinds of criminal activity: fraud and data theft. Fraud is the use of another person’s card information to make a purchase. Data theft is the act of stealing credit card numbers, usually in large quantities, for later use in fraudulent transactions. Fraud and theft are two different problems, each requiring a specific approach in how we address them.

This white paper will discuss the benefits of a multi-layered approach to data security, and will provide guidelines for retailers on how best to move forward in today’s rapidly changing payments environment.

TOP FIVE REASONS FOR IMPLEMENTING A COMPREHENSIVE DATA SECURITY STRATEGY

I. Minimizing Risk Reduces Retailers’ Vulnerability

Since it’s impossible to eliminate risk, the retailer’s goal is to minimize or manage risk. There are a number of steps involved in a multi-layered security strategy that can effectively accomplish this goal. Retailers should start from the basis of having all relevant systems in compliance with the Payment Card Industry Data Security Standard (PCI DSS), which provides a common baseline for security in a wide range of retail and payment environments. However, as many retailers have discovered, being PCI compliant reduces the likelihood that a breach might occur, but it offers no assurances. Some of the most spectacular incursions of recent years have happened at retail organizations that had passed their PCI assessment.

For U.S. retailers, another important step will be the move toward full adoption of EMV standards and upgrading to technology capable of accepting chip-based cards. EMV is the primary method for combatting fraud in card-present payments, and the U.S. is the last major global market to adopt these standards, which makes domestic companies more tempting targets for organized crime and cyber thieves. “EMV has been tremendously successful in preventing fraud,” according to The Migration to EMV Chip Technology, a 2012 white paper from Gemalto Security. “Wherever EMV has been implemented comprehensively, including the objective PIN verification by the chip, significant fraud reduction ratios have been achieved and sustained.”

However, EMV adoption alone isn’t a comprehensive security strategy. In fact, while the standard’s authentication procedures help reduce card-present fraud rates, an indirect impact is that fraud shifts to offline card-not-present (CNP) transactions. Fraudsters’ persistent movement toward the weakest link is another strong argument for a multi-layered approach to payment and data security.

Another basic element of a strong security strategy is encryption. Industry experts agree that comprehensive encryption is a necessity in today’s payment environment. The mag stripe cards that are still used by most U.S. consumers introduce valuable information, including the card account number, into retailers’ payment systems at the POS. If this information is stolen en route, the mag stripe contains all of the data necessary for a criminal to “clone” a credit card. The stolen numbers can also be used to make purchases online.

Tokenization can put up another barrier to cyber thieves. Tokenization is a form of data substitution, where valuable data are replaced with a valueless substitute. For the merchant, a token seamlessly works in their environment, but to a criminal tokenized data are useless.

Tokenization provides an additional layer of security and eliminates the need for merchants, digital wallet operators and others to store account numbers.
These tokens can maintain a persistent one-to-one relationship with each card, meaning the tokens have the same numeric format as the card number and the same card always returns the same token at a particular merchant. Such a relationship allows retailers to enable internal data gathering and analytics that rely on an unchanging card number. This is helpful for retailers that use transaction data both to build up individual customer profiles and to improve customer segmentation and targeting efforts. Processor-based tokenization (where the processor issues the actual token) allows the retailer to perform these functions without exposing actual cardholder data.

Finally, any multi-layered approach to data security also includes building awareness into security structures that provides timely, specific alerts when systems have been breached or tampered with. Whether it’s a full-scale data theft, the first introduction of malware into a system, or simply an offline POS card reader that can’t be accounted for, the retailer’s security team needs to know about it. Even if the problem turns out to be benign, timely reporting is essential given the complex and multi-player nature of today’s payment systems.

II. The Impending EMV Liability Shift

The October 2015 liability shift towards the EMV standard should be a strong motivator for U.S. merchants to step up their EMV transition plans, but it is just one among many advantages of moving toward compliance with these worldwide standards. “The payments community should consider how the migration impacts new technology adoption and plan implementation to ensure that new infrastructure investment can support both EMV and other technologies that deliver value,” notes a November 2013 Smart Card Alliance white paper, The Changing U.S. Payments Landscape: Impact on Payment Transactions at Physical Stores. “Doing so minimizes fraud exposure after the liability shift, ensures that all U.S. and foreign customers are able to perform transactions using their cards and mobile devices, and reaps the benefits of various incentives offered by the payment brands.”

While EMV would not have prevented the recent data breach at Target, which occurred as the result of malware installed inside the retailer’s payment network, EMV and chip cards would make it much more difficult to use the stolen data to perpetrate fraud. “A fundamental EMV principle is to digitally sign payment data to ensure transaction integrity,” according to the Gemalto report, The Migration to EMV Chip Technology. EMV standards, in combination with chip technology, give each transaction a unique “stamp” that prevents CVVs from being fraudulently reproduced to create a counterfeit card, even if other data are stolen from a merchant’s or processor’s database. EMV (which prevents fraud), when used in combination with an encryption and tokenization solution (which eliminates card data in the merchant environment), provides comprehensive protections for merchants.

EMV and chip cards do offer stronger protections compared to existing payment methods by using dynamic data to make stolen card account numbers less valuable.

WHAT DOES A DATA BREACH COST A RETAILER?

Assessing the actual dollar value of a data breach is difficult, particularly when thousands or even millions of consumer records are involved. Some of the costs will be borne not by the retailer, but by other payment stakeholders, such as banks or payment processors. Even after the October 2015 liability shift, those retailers that have not adequately prepared themselves for EMV and chip card adoption may find themselves financially responsible for losses.
As many retailers have discovered, costs can easily mount up. “Hard” data breach costs include, but are not limited to:

• Cost to replace credit/debit cards (Bank/Issuer)
• Notification to cardholders via direct mail, phone, e-mail or text (Merchant)
• Public relations management expenses (Merchant)
• Upgraded technology and security measures (Merchant)
• Remediation of customer goodwill, e.g. providing credit monitoring services to affected customers (Merchant)
• Loss of loyal customers, current and future (Merchant)

The “soft” costs of a security incident, such as a diminished reputation with customers and a loss of trust, can’t be accurately quantified, but the impacts can be severe and long-lasting.

III. Data Breaches Hurt Retailers’ Brands and Reputations

Minimizing risk is more than just good security policy; it’s good corporate policy. Beyond any hard costs involved in remediating a data breach, these events can have both obvious and subtle effects on a retailer’s relationship with its most valuable asset – its customers.

“If a credit card account is misused, the cardholder has to spend time straightening out unauthorized transactions and dealing with the issuance of new cards,” wrote Wayne State University Law School Professor Peter J. Henning in a January 28, 2014 New York Times article headlined “Adding Up the Costs of Data Breaches.” “Even more dangerous is the potential for identity theft, which could result in substantial disruptions to an individual’s financial life that can take months to fully rectify.”

Retailers that fall victim to a data breach are also faced with a dilemma: when exactly should they inform the public that a breach has occurred?
Companies may feel pressure to keep quiet about breaches until the extent of the breach can be determined, and also to cooperate with law enforcement agencies trying to determine more about the eventual destination of the stolen data. When the breach is discovered in real time, authorities often prefer to let the breach unfold while forensics teams watch and track the activity. Often, the activity can be tracked back to its source and the information used to press charges against the attackers.

However, delays in releasing information can compound a retailer’s image problems with its customers – and its shareholders – who aren’t concerned with the forensics process and only want to protect their private information. “For publicly traded companies…there is an additional obligation to disclose material information to shareholders in a timely manner,” Henning added. “For any retailer, a cyber-attack may drive customers away and affect income through increased expenses for stronger computer security, providing identity theft protection to affected customers and refunding of any fraudulent charges.”

At Target, where data from 40 million cards were hacked in November and December 2013, the impact was a direct hit to the bottom line. “During the quarter, the number of transactions fell 5.5%, in part because of shoppers leery of buying at Target following the breach,” according to a Feb. 26, 2014 AP article headlined Data-Breach Costs Take Toll on Target Profit. While the retailer has not yet been able to assess the total costs of the breach, the company reported that it resulted in $17 million in net expenses during the affected quarter.

IV. Don’t Be ‘Low-Hanging Fruit’ for Cyber Thieves

The United States has been slow to change its payment infrastructure for a number of reasons, most stemming simply from the foundations built early on.
The task of de-coupling decades-old infrastructure, practices and policies is daunting, but the growing risk of fraud is a powerful motivator. “As more countries have adopted EMV, much of the card fraud in those countries has migrated to places that are still reliant on the less secure magnetic-stripe card technology,” wrote Erik Vlugt, Vice President of Product Marketing at VeriFone, in the March 2012 report U.S. Payment Systems to Sync with Rest of World. “As reported in a recent Federal Reserve paper, markets that have migrated or are in the process of migrating to EMV chip-and-PIN have seen a significant decrease in fraud, while ‘overall fraud levels in the United States are trending upward.’”

When the focus is narrowed to individual companies within a still-unsecure market, the imperative to improve security becomes even more pressing. Particularly as large companies institute comprehensive, multi-layered security solutions, criminals will gravitate to smaller but more easily attacked targets, such as smaller Tier II, III and IV retailers.

Another area to pay close attention to is e-commerce and other CNP transactions. Here, EMV does little to make these transactions more secure, and the approaching move to the EMV standard may increase fraud levels outside brick-and-mortar stores.

Movement toward EMV adoption is part of a general trend toward a more comprehensive, multi-layered approach to data and payment security. For example, in March 2014, NRF Senior Vice President and General Counsel Mallory Duncan urged Congress to examine the latest data breaches in a “holistic fashion.”

“We need PIN-authentication of cardholders regardless of the chip technology used on newly issued cards,” Duncan added as part of the NRF’s recommendations.
“We also need chip cards that use open standards and allow for competition among payment networks as we move into a world of growing mobile commerce. Finally, we need companies throughout the payment system to work together on achieving end-to-end encryption so that there are no weak links in the system where sensitive card payment information may be acquired more easily than in other parts of the system.”

V. Encryption and Tokenization Work Better Together

The combination of end-to-end encryption and tokenization shores up many of the vulnerabilities in the payments processing chain, according to the 2012 First Data report, What Thieves Don’t Want You to Know: The Facts About Encryption and Tokenization. Encryption helps protect live cardholder data when it is in the clear, that is, in plain text format and therefore readable by a person or computer. Use of the two main types of encryption – session-level encryption of transmission paths and data-level encryption – can significantly reduce this vulnerability, according to the First Data report.

Session-level encryption addresses the short-lived temporary connection (or session) between two systems, for example from a POS terminal to a store’s central host or from a consumer’s PC to an e-commerce page. However, such encryption won’t protect data as it moves from one encrypted “tunnel” to another, such as when it moves from the store server to the card acquirer/processor. It also does little to protect against thieves with internal access to a retailer’s systems.

This is one reason why data-level encryption, applied as close to the point of entry or capture as possible, is preferred, since it almost completely eliminates access points where unencrypted data could be intercepted. This is also called end-to-end or point-to-point encryption because data are encrypted at the point of capture, and remain encrypted until reaching the party that holds the decryption key, typically the merchant’s processor.
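The following Python simulation is an added illustration of the flow this section describes (data-level encryption at the point of capture, decryption only at the processor, and a processor-issued format-preserving token returned to the merchant, as introduced earlier in the paper). It is example code written for this discussion, not VeriFone's or First Data's code, and it makes a few assumptions: the stream cipher is an HMAC-SHA256 counter-mode stand-in so the script runs on the standard library alone (a real P2PE solution uses a validated cipher with hardware-managed keys); the terminal key is assumed to be pre-shared with the processor; and the token keeps the PAN's last four digits, a common convention the paper itself does not specify. The sample card numbers are constructed test values.

```python
# Added example (not from the white paper or VeriFone): P2PE + tokenization flow.
import hashlib
import hmac
import secrets

# Constructed sample PANs (test numbers, not real accounts); the first card is swiped twice.
SAMPLE_PANS = ["4111111111111111", "5500000000000004", "4111111111111111"]


def keystream_xor(key, nonce, data):
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.

    Assumption: a real P2PE deployment uses a validated cipher (e.g. AES) and
    hardware key management; this keeps the script dependency-free. XOR is its
    own inverse, so the same call both encrypts and decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Processor:
    """The only party holding the decryption key and the token vault."""

    def __init__(self):
        self.p2pe_key = secrets.token_bytes(32)        # shared with terminals (assumption: key injection)
        self._lookup_secret = secrets.token_bytes(32)  # keys the PAN index so the index stores no raw PANs
        self._token_by_pan_index = {}                  # HMAC(PAN) -> token
        self._pan_by_token = {}                        # token -> PAN (the correlation database)

    def _tokenize(self, pan):
        idx = hmac.new(self._lookup_secret, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._token_by_pan_index:
            return self._token_by_pan_index[idx]       # same card -> same token, persistently
        while True:
            # Format-preserving: same length, digits only. Last four digits kept for
            # receipts (assumption); the rest are random, so nothing computes the PAN
            # from the token.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._token_by_pan_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def authorize(self, nonce, ciphertext):
        """Decrypt, validate, (pretend to) authorize, and hand back a token instead of the PAN."""
        pan = keystream_xor(self.p2pe_key, nonce, ciphertext).decode("ascii", errors="replace")
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            raise ValueError("ciphertext did not decrypt to a valid PAN")
        return {"approved": True, "token": self._tokenize(pan)}

    def detokenize(self, token):
        """Processor-only lookup; the merchant has no equivalent."""
        return self._pan_by_token[token]


def pos_capture(terminal_key, pan):
    """Data-level encryption at the point of capture: the terminal emits only ciphertext."""
    nonce = secrets.token_bytes(12)
    return nonce, keystream_xor(terminal_key, nonce, pan.encode())


def run_store_day(processor, pans=SAMPLE_PANS):
    """Push each swipe through POS -> store host -> processor and record what each layer held."""
    store_host_saw = []   # everything the merchant's central host handled
    ledger = {}           # merchant back office keyed by token: analytics without PANs
    for pan in pans:
        nonce, ciphertext = pos_capture(processor.p2pe_key, pan)
        store_host_saw.append(ciphertext)               # forwarded as-is; the host cannot decrypt
        response = processor.authorize(nonce, ciphertext)
        ledger[response["token"]] = ledger.get(response["token"], 0) + 1
    return {"store_host_saw": store_host_saw, "ledger": ledger}


if __name__ == "__main__":
    proc = Processor()
    print(run_store_day(proc)["ledger"])
```

The store host only ever handles ciphertext, the back-office ledger only ever holds tokens, and `detokenize` exists solely on the processor side. A compromise of the store host or the ledger therefore yields neither PANs nor any way to compute them, which is the scope reduction the section goes on to describe.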
If at any point along the way the encrypted data are stolen, the data will be useless to criminals in their encrypted form.

Tokenization reduces retailer security risks in the event of data breaches because it eliminates sensitive cardholder data from the merchant’s environment after transactions have been authorized. If the token numbers are stolen, they are meaningless to thieves because outside of the correlation database, they are simply collections of random numbers. In addition, the use of tokens rather than real card data in back-end business applications can shrink the cardholder data environment that is subject to PCI compliance requirements and audits. This reduction in scope can save retailers significant time and money.

“Encryption and tokenization solve mutually-exclusive security weaknesses in the payments process,” notes the First Data report. “Encryption protects data that has been captured by the merchant but has not yet been used for the transaction authorization process. Tokenization solves the problem of storing and using real card data in business processes that are downstream from authorization.”

7 QUALITIES TO LOOK FOR IN A PAYMENT SECURITY PARTNER

Retailers will need to rely on strong partners as they navigate the changing payment and data security landscape. In addition to technical expertise and retail industry experience, a good payment security partner should offer:

1. Global insights into security issues and standards.
2. Participation with national and international standards authorities.
3. A large installed base that can be internally tracked, as a means to discover trends and uncover potential weak points.
4. Transparent access to real-time alerts regarding security issues, potential and real data breaches and equipment failures.
5. Comprehensive solutions providing end-to-end encryption.
6. Extensive understanding and knowledge of legal and governmental issues around payments and security, including connections to national and international law enforcement agencies.
7. Long history in the payments and security industries.

ASSESSING SECURITY UPGRADE CHALLENGES

It bears reiterating that there is no single solution that provides absolute data security. In addition, bringing a payments infrastructure into compliance with new standards can be a major undertaking, particularly at large retailers with tens of thousands of POS terminals. Even for smaller retailers, costs and complexity can be significant barriers to adoption.

Another complication is that new technologies are keeping the entire payments infrastructure in a state of flux. Contactless payment methods such as NFC have the potential to bring an increasing number of smart consumer mobile devices into the mix. These systems “blur the line between the current definitions of card-present and card-not-present transactions,” according to the Smart Card Alliance. Retailers will be seeking payment terminals that will not only work with EMV standards, but will also be capable of handling various forms of contactless payments.

With this new wave of payment acceptance technology comes a host of potential security access points of vulnerability. Loyalty and mobile wallet applications may have unsecure code vulnerabilities, and as standards continue to evolve and the EMV kernel requires updating, payment terminals will have to be serviced to ensure compliance, continued operability and security.
These updates can either be done manually with an army of field technicians, or remotely using secure access mechanisms.

BEFORE ADOPTING ANY INNOVATIVE PAYMENT SOLUTION, THE SMART CARD ALLIANCE RECOMMENDS MERCHANTS ASK THE FOLLOWING QUESTIONS:

• How willing will consumers be to use the technology?
• Will the solution need strong data connection services for consumers?
• Will there be disruptions in the service?
• Can the solution be integrated with the current POS device/software?
• What are the costs associated with using the solution?
• How will the payment solution receive software updates?
• What physical and logical security protections does the solution incorporate?
• How well do you trust the manufacturer of the solution, which will ultimately be responsible for ensuring the security and stability of the payment system?

CONCLUSION

With millions of legacy systems still in use in merchant locations around the country, it makes sense to protect critical infrastructure systems in smart, cost-effective ways. For medium- to large-sized retailers where a complete enterprise IT upgrade to more secure systems is an impossibility, or for small retailers considering an upgrade to more secure payment acceptance technology, the simplest security solution to implement is one that ensures that whatever data ultimately traverse store systems are secure. This can easily be accomplished through a multi-layered combination of EMV cards and terminals that can accept them, format-preserving encryption that protects sensitive information while preserving the original data format, and tokenization that replaces card data with useless numbers. Using a multi-layered strategy that preserves data integrity at multiple locations and in multiple ways needs to be a priority for retailers both large and small.

Retailers of all sizes should make data security a priority.
Should a breach occur, even with the aforementioned precautions, preserving customer trust and brand reputation will be a challenge. But when the smoke clears and the forensics are complete, being able to assure customers that every precaution was taken to preserve the integrity and privacy of their data, and that those precautions were successful, will go a long way towards a long and prosperous business endeavor.

GLOSSARY OF KEY PAYMENT INDUSTRY TERMS

Chip and PIN: Common term for the use of a smart card in combination with a 4-digit Personal Identification Number (PIN).

CNP (Card-Not-Present): CNP transactions are conducted using just the card number and other identifying data (i.e. a PIN or security code), as in phone, online or mobile commerce purchases.

CP (Card-Present): Transactions using a payment card taking place in person, i.e. at a POS terminal in a brick-and-mortar store.

CVM, CVR and CVV: Card Verification Methods, Results and Value.

DAC: Data authentication code.

EMV (Europay/MasterCard/Visa): EMV provides an unimpeachable method for “offline” authentication, which relies on the local payment acceptance terminal and the chip card to authenticate the card without having to access online databases that store current cardholder data. A fundamental EMV principle is to digitally sign payment data to ensure a transaction’s integrity.

Encryption: The process of translating information into a code that can only be read if the reader has access to the key that was used to encrypt it. There are two main types of encryption – asymmetric (or public key) and symmetric (or secret key).

Hybrid card: A card that contains both an EMV chip and a magnetic stripe.

Multi-factor authentication: Authentication combining two or three factors that can include: 1) An ownership factor, which is something the person has (i.e. a card); 2) A knowledge factor, which is something the person knows (i.e. a PIN); 3) An inherence factor, which is something the person is or does (a fingerprint or other biometrics).

NFC (Near Field Communication): A form of contactless payment in which a mobile phone or other smart device communicates with the payment acceptance device at the POS for making payments, using electronic coupons, and activating promotions from retailers, merchandisers and others.

PAN: Primary Account Number.

PCI DSS: Payment Card Industry Data Security Standard.

PII (Personally Identifiable Information): Any piece of information which can potentially be used to uniquely identify, locate, or contact a person or steal the identity of a person, i.e. name, birth date, Social Security Number, etc.

P2PE (Point-to-Point Encryption): A solution combining secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider’s secure decryption environment.

Smart card: A device that includes an embedded secure integrated circuit, either a secure microcontroller or equivalent intelligence with internal memory or a secure memory chip alone, that connects to a reader with direct physical contact or with a remote contactless radio frequency interface.

Tokenization: The process by which a primary account number (PAN) is replaced with a surrogate value called a token. The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value.
Sources: EMVCo, www.emvco.com; PCI Security Council, www.pcisecuritystandards.org; Smart Card Alliance, www.smartcardalliance.org; WhatIs, www.whatis.techtarget.com

ABOUT VERIFONE

VeriFone Systems, Inc. (www.verifone.com) (“VeriFone”) (NYSE: PAY) is a global leader in secure electronic payment solutions. VeriFone provides expertise, solutions and services that add value to the point of sale with merchant-operated, consumer-facing and self-service payment systems for the financial, retail, hospitality, petroleum, government and healthcare vertical markets. VeriFone solutions are designed to meet the needs of merchants, processors and acquirers in developed and emerging economies worldwide.

© 2014 VeriFone. All rights reserved. VeriFone and the VeriFone logo are registered trademarks of VeriFone in the United States and/or other countries. No portion of this document may be reproduced or distributed in any form or by any means without the prior written permission of said company. All other trademarks are the property of their respective holders. 07/14 Rev A