Retail Payments Risk Forum

Portals and Rails

September 15, 2014

Let’s Talk Token: Authenticating Payments

It's challenging to have a conversation about EMV cards—cards with chip technology—given their well-documented fraud-mitigating shortcomings, without diving into a conversation on tokenization. And these conversations just intensified with Apple announcing the use of tokenization with its soon-to-be launched mobile payment application. Tokenization of payment card data can provide an additional layer of security to EMV cards for in-person payments and mitigates fraud risks that these cards don't address in the non-face-to-face environment.

I recently spoke at a forum on EMV cards, where it became evident to me that there is a high degree of confusion in the payments industry, especially within the merchant community, about tokenization. Currently, multiple standards initiatives around a new tokenization framework are under way, so Portals and Rails is embarking on a series of posts on tokenization. In this first installment, we define tokenization and distinguish between tokens generated within the merchant's environment (an enterprise solution) and payment tokens generated as an end-to-end-solution. A future post will compare the various payment end-to-end tokenization initiatives that have been announced to date.

In the data security and payments environment, tokenization is the substitution of sensitive data with a surrogate value representing the original data but having no monetary value. For payment cards, tokenization refers to the substitution of part or all of a card’s PAN, or primary account number, with a totally randomized value, or token. A true token cannot be mathematically reversed to determine the original PAN, but a token service provider in a highly secure environment can subsequently link it to its associated PAN.

Tokenization of payment credentials has been around since the mid-2000s, driven primarily by the issuance in 2004 of the Payment Card Industry Data Security Standard (PCI-DSS), which defines merchant requirements for protecting cardholder data. Merchants historically stored PANs for a variety of reasons, including to use in settlement reconciliation, perform incremental authorizations, handle chargebacks, and identify cardholder transactions for loyalty programs. With tokenization, merchants can remove PANs from their data environment and replace them with tokens—and thereby reduce their PCI-DSS compliance requirements. However, this enterprise solution still requires that the PAN enter the merchant environment before the tokenization process takes place.

Under the tokenization initiatives currently under way from the Clearing House and EMVCo, a financial institution would issue a token replacing a cardholder's PAN to the person's mobile handset, tablet, or computer device before initiating a digital payment transaction. So the merchant, rather than receiving the cardholder's PAN for initiating a transaction, would receive a token value associated with that PAN, which would then be de-tokenized outside the merchant's environment to obtain the necessary authorization and complete the transaction. The merchant never has knowledge of the cardholder's PAN—and that is a significant difference between these tokenization initiatives and the enterprise solution related to handling payment credentials.
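The two properties described above (a token that is random rather than derived from the PAN, and a vault held by the token service provider that alone can link token and PAN) can be illustrated with a small simulation. This is an added example, not code from the Portals and Rails post or from any real token service; the vault, the rule that a PAN maps to one stable token, the preservation of the last four digits, and the sample PAN are all assumptions made for illustration.

```python
import secrets


class TokenVault:
    """Toy token service provider (hypothetical, for illustration only).

    Tokens are drawn from a CSPRNG, so no arithmetic on the token recovers
    the PAN; only this vault's lookup table links the two values.
    """

    def __init__(self, keep_last=4):
        self.keep_last = keep_last      # PAN digits carried over into the token
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            raise ValueError("PAN must be 12-19 digits")
        if pan in self._pan_to_token:   # assumption: one stable token per PAN
            return self._pan_to_token[pan]
        while True:
            random_part = "".join(
                str(secrets.randbelow(10))
                for _ in range(len(pan) - self.keep_last)
            )
            token = random_part + pan[-self.keep_last:]
            # avoid collisions with existing tokens and with the PAN itself
            if token not in self._token_to_pan and token != pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the token service provider can do this; unknown tokens raise KeyError."""
        return self._token_to_pan[token]


def merchant_record(token: str, amount_cents: int) -> dict:
    """The merchant's side of the end-to-end flow: it stores the token and the
    amount and never handles the PAN; de-tokenization happens elsewhere."""
    return {"token": token, "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111111111111111"        # constructed test PAN, not a real card
    tok = vault.tokenize(sample_pan)
    print("merchant stores:", merchant_record(tok, 1999))
    print("TSP resolves token back to PAN:", vault.detokenize(tok) == sample_pan)
```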

The Clearing House's and EMVCo's concepts for payment tokenization are similar in many ways, but they also have differences. A future post will delve into the end-to-end tokenization initiatives and consider the impact on mitigating risk in payment transactions.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 15, 2014 in cards, chip-and-pin, EMV

September 08, 2014

Seeking a Successful Biometric Solution

As an earlier post noted, advances in technology have spurred the implementation of various biometric authentication methodologies in the consumer market. But as people are discovering, not all methodologies are equally suited for all applications. Those who are implementing such applications have to consider risk level, cost, operating environment, and targeted population. They also have to evaluate a number of other factors to determine if a particular biometric is better suited than another for an intended application. These factors include but are not limited to:

  • Uniqueness. While the biometric doesn't always have to be unique to every individual on the planet, the probability that two people share a particular characteristic should be low enough to prevent an unacceptable number of false acceptances (when one person is wrongly authenticated as another). For example, fingerprints are considered to be unique to every individual, but current smartphone fingerprint readers have such low-resolution scanners that the possibility of a false acceptance is one in 44,000. This rate is most likely sufficient for many applications, but a high-dollar transaction may require supplemental authentication.
  • Universality. The targeted characteristic must be present in the overall population, with only a few exceptions. Only a couple of biometric elements, such as DNA and facial recognition, can provide complete population coverage. Hand geometry and vein recognition, for example, won't work on people who are missing fingers or other body parts.
  • Permanence. The characteristic should not change over time. Even though people can alter almost any physical characteristic through medical procedures, the possibility of such alteration to the characteristic being considered for biometric authentication should be infrequent among the population—and the alteration procedure should be relatively expensive.
  • Collection ease. The more invasive the collection of the biometric sample, the more resistance people will have to it. People tend to view facial and voice recognition and fingerprinting as noninvasive but retinal scans as highly invasive—a light beam scans the back of the person's eye, which can be very uncomfortable.
  • Performance. The biometric element must support the creation of a template that is accurate, quickly obtained, and compact enough to keep database storage requirements small. A system that takes a long time to authenticate someone during peak usage periods will encounter user dissatisfaction and possibly decreased productivity.
  • Accuracy. Individuals should not be able to fool the system. Fingerprint readers should verify that the right fingerprints belong to the right person, that a spoken phrase is live and not recorded, and so on.
  • User-embraced. Even when people have to use certain biometric authentication systems as a condition of their employment, the technology should be one that has a high level of acceptance, with minimal cultural, religious, collective bargaining, or regulatory implications.
  • Cost-effectiveness. As with all risk management practices, the cost of implementing and operating the system must be commensurate with the risk exposure for using a less secure authentication system.

As you consider the possibility of implementing a biometric authentication methodology for your customers, I hope you will find these evaluation elements helpful.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 8, 2014 in authentication, biometrics, innovation

September 02, 2014

Not All Digital Currencies Are Virtual

Besides a few classic novels, my summer reading list has largely consisted of various papers and reports on virtual and digital currencies. Not all digital currencies are virtual currencies, though these two terms are often incorrectly used interchangeably. For example, the Consumer Financial Protection Bureau recently issued a warning about the risks associated with Bitcoin and other virtual currencies, yet some media outlets reported that the agency issued a warning about digital currencies. And while the media statements are technically correct since virtual currency is one form of digital currency, they fail to recognize that digital currencies are broader than just virtual currencies. In an effort to clear up confusion and create a better understanding of digital currencies, Portals and Rails offers the following simple framework and definitions.

[Figure: digital currency framework]

Digital currency is a digital representation of value and consists of both electronic and virtual currency. Digital currency can be used to purchase physical, digital, and virtual goods. Some, but not all, digital currencies use cryptography as their primary method of security.

Electronic currency, also referred to as e-money, is pegged to a fiat currency. It is a digital representation of value that is government-issued legal tender. The link between electronic currency and fiat currency is preserved and has a legal foundation. The funds of an electronic currency are expressed in the same unit of account as the fiat currency. Examples of electronic currency transactions include payments via credit, debit, and prepaid cards; ACH; and PayPal.

Virtual currency is not pegged to a fiat currency. It is a digital representation of value that is not government-issued legal tender. The funds of a virtual currency are not expressed in a fiat currency. There are currently more than 300 tracked virtual currencies, and as we noted in a Portals and Rails post last year, these currencies can take on multiple characteristics. Examples of virtual currencies include Bitcoin, Ripple, Ven, and Dogecoin.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 2, 2014 in currency

August 25, 2014

Forty Years and Still Scamming

I suspect that a lot of us have received a letter or an e-mail supposedly from another country's government official or banker informing us that there were some unexpected riches coming our way. We could become millionaires, these strangers tell us, by claiming a prize from a lottery that we don't remember entering. Or they say we just might become millionaires by helping them transfer money out of their country, since they can't because of some sort of bureaucracy or regulation. Before tossing these letters or e-mails into the trash, did you ever linger for just a moment wondering if these riches could actually be coming to you?

A large number of people, particularly in the United States, think the scam is legitimate and are willing to invest up to tens of thousands of dollars to claim their share of the pot of gold. Sadly, they find not only that there is no gold, but also that there isn't even a pot. This type of fraud is classified as an advance fee fraud because the scam involves the victim having to send money in advance, to cover fees or taxes, before they can receive their share of the bounty. The advance fee fraud is one type of 419 Nigerian fraud, so called because early versions originated in Nigeria, where criminal code 419 describes the fraud. 419 fraud began in the 1970s with letters—often with counterfeit postage marks—that targeted small business owners, requesting their help in handling new oil wealth.

Over the next three decades, the solicitations grew at such a tremendous pace that in 2002, the Department of Justice got a court order to allow postal employees to open every letter from Nigeria that was handled through the United States Postal Service's mail facility at John F. Kennedy Airport. They found that more than 70 percent of these letters contained some sort of fraudulent scheme solicitation.

As law enforcement's focus on Nigeria intensified, the 419 groups moved to other countries. These groups reportedly have major operations in at least 150 countries and the involvement of more than 800,000 people. Ultrascan Advanced Global Investigations (UAGI), an Amsterdam-based association focused on disrupting the operations of criminal networks, stated in a preliminary 2013 report that U.S. victims lost $2.3 billion in 2013—more than in any other country.

As with other types of criminal activity, the techniques that advance fee criminals use have become more sophisticated, evolving alongside technological advances. They've moved their method of solicitation from mail to faxes and then to e-mails. And now, instead of just sending mass mailings or e-mails, many of the criminals are tailoring e-mail messages, lacing them with personalized information obtained from social networks and professional and dating websites. For lottery-themed advance fee schemes, the UAGI estimates that 3 percent of the targets respond and make at least one advance payment.

Even more interesting, the report refutes the common misconception that victims are usually lower-income, less educated, and desperate for some sort of financial windfall. In fact, a number of high-income professionals are taken in by some of the more sophisticated schemes involving high-dollar ventures including real estate development and medical equipment. The report also notes that, of victims losing more than $200,000, 85 percent had recently experienced some sort of life-changing family trauma such as a death, divorce, or major illness.

Education by financial institutions remains the most valuable tool to defend against these schemes. These institutions should use in-house media and other methods, such as public service announcements, to alert consumers to these scams, particularly those that appear in the FIs' service areas. I know of some institutions that train their frontline staff to watch for such unusual transactions, particularly by the elderly, as a supplement to their anti-money-laundering education. Financial institutions and consumers should report advance fee fraud attempts immediately to the local Secret Service or FBI office for investigation.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 25, 2014 in consumer fraud, consumer protection