Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
November 26, 2012
Highlights from a Conference on Technology and Payments
The retail payments landscape is rapidly evolving as technological advances promote new electronic payment methods. On October 15–16, the Risk Forum convened at the Atlanta Fed a diverse gathering of stakeholders in the payments industry. Industry representatives were from telecommunication firms, airlines, standards bodies, payments processors, and coffee house retailers, as well as the more traditional players.
Federal Reserve Bank of Atlanta President and CEO Dennis Lockhart kicked off the event. His opening remarks focused on the Federal Reserve System's role as a central bank in the country's retail payment system, both as a payments operator and as the country's guardian of financial stability. In the latter role, the Fed aims to preserve the integrity of both the retail and wholesale payments systems. Lockhart stressed that although this role has national strategy overtones, it is not intended to stifle innovation and competition but rather to support a market-oriented approach to payment developments. By noting the vulnerabilities that the fast pace of change and innovation in the industry create, Lockhart set the stage for the day's session, the highlights of which we are sharing here. You can find the complete presentation materials on the Atlanta Fed website.
Technology developments in card-based payments
Legacy plastic cards are likely to remain important for some time. Nevertheless, significant changes are under way. These technological changes were the focus of this panel. The U.S. payments industry is struggling to collectively shift from magnetic stripe-enabled card payments to a more secure and interoperable environment. Panelists discussed the challenges posed by the planned U.S. migration to chip-enabled cards and to the EMV standards already adopted in most of the globe's major developed countries. They discussed the potential shift in fraud to card-not-present payments in the shift from mag-stripe cards. Panelists said that fraud mitigation in the future U.S. EMV environment will require additional data analysis tools, including the use of better encryption methods and tokenization. They also touched on the benefits of PIN versus signature authentication.
The evolution of technology standards in retail payments
Technology standards provide the cohesion to ensure the critical mass needed for successful payment network adoption. At the same time, the myriad of new market solutions, patent issues, and even standards bodies themselves challenges industry cooperation and consensus building, slowing the standards development process. Panelists discussed the activities of various standards bodies that touch retail payments today. They also talked about how they are working to galvanize industry stakeholders to agree and employ standards that foster security and interoperability.
Mobile payment developments at the point of sale
This panel of experts reviewed technological developments in the mobile channel for payments at the merchant's point of sale (POS), including the rollout of several mobile wallet initiatives. Panelists discussed the challenges associated with the highly dynamic nature of the technologies. They noted that new complex business models are resulting in many different types of payment solutions, creating a confusing ecosystem for mobile proximity payments.
Panelists noted that the many new, thought-provoking products out in the market place today create many unknowns, not only with respect to security, but also future viability. They agreed that it is hard to predict which solutions have true scalability. An interesting discussion took place on the success of new payments such as Square, which changed the proverbial game by expanding the population of merchants that can accept card payments and by repurposing the mobile handset into a payment acceptance device. The panel also discussed how Starbucks unwittingly assumed the role of a payments pioneer when they moved to the mobile channel. Their original aim was not to adopt a new payments method but rather to increase customer loyalty and convenience.
The merits and challenges with the upcoming EMV migration were also top of mind for the panel.
Technology trends in mobile payment transfers
U.S. mobile payment developments have generally centered on payments at the POS. However, remote mobile payments, or person-to-person mobile transfers, are also taking form as a business model. Panelists discussed how nonbank players are entering the money transmission space hoping to leverage new mobile technologies. They explored the current environment for domestic and cross-border mobile transfer payment activity, analyzing the changing roles of payment service providers and the subsequent regulatory and policymaking considerations.
Panelists noted that we are seeing a huge paradigm shift in mobile money, with prepaid airtime credits looking more and more like currency in developing countries. Some countries permit payment service providers to provide airtime cash-out; Kenya's M Pesa is one of these providers. The lack of system interoperability across borders and liquidity management considerations are barriers to a global, scalable airtime transfer system. Panelists also noted, however, that airtime transfers are increasingly becoming a natural complement to traditional remittances.
In addition, traditional remittance providers are partnering with telecom firms to deliver services in emerging markets. These providers also work with banks in more developed countries, like the United States, to use the mobile channel in more efficient ways.
Technology threats and mitigants in electronic payment systems
Whether through scams such as “Obama Will Pay Your Bills” or corporate account takeovers, criminals are increasingly using electronic payments networks to perpetrate fraud. Panelists stressed that industry stakeholders must themselves become more sophisticated in order to develop solutions to better detect and mitigate these risks. Future fraud detection will require more sophisticated approaches to address growing vulnerabilities in web applications. Panelists also stressed that financial institutions must validate transactions to enforce rules and limits and to manage fraud.
The Risk Forum uses events such as this to encourage dialogue and share critical business intelligence among participants. We can then use information that comes out of such discussions to inform our work with the payments industry as we collectively work on better solutions to detect and mitigate risk. Expect to see more discussion in future posts. As always, we value your responses.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Highlights from a Conference on Technology and Payments:
November 19, 2012
The Art of Capturing Customers with Mobile Remote Deposit Capture
Last November, Portals and Rails took a look at remote deposit capture (RDC) and wondered if deposit fraud would rise as more financial intuitions roll out the service to more customers. We've seen no evidence in the past year to support an uptick in fraud. However, we have ample evidence demonstrating that the product is becoming mainstream through the mobile channel. With four large financial institutions incorporating RDC with their mobile applications over the summer, eight out of the ten largest depository institutions currently offer the product.
As with any new offering, financial institutions need to understand the risks behind new products and develop strategies to mitigate these risks. At a recent conference, I sat in on a wonderful discussion led by Terri Ferrise and Hunter Wolfe with Cachet Financial Solutions that highlighted the growing demand for mobile RDC and best practices for risk management of the product. Given banks' rapid adoption of the product, Portals and Rails would like to pass along some of the best practices for mobile RDC shared by Terri and Hunter as well as other financial institutions that were engaged in the discussion.
"Know your customer" (KYC) is essential with mobile RDC. Financial institutions should prioritize their customers and offer mobile RDC only to their best customers, closely aligning the product offering with customer characteristics. When considering which customers to offer the product to, they should take into consideration these issues:
- The length of the customer's relationship. Some financial institutions require that an account be open for at least 90 or 180 days before offering the service to their customers.
- The depth of the customer's relationship. The more products the customer has with a financial institution, the better the financial institution should know that customer.
- The experience with the customer. For example, has the customer previously used check deposit at the ATM? Has the customer previously attempted to deposit bad checks?
Deposit and velocity limits
Even with strong customer controls in place, financial institutions must also consider and employ deposit and velocity limits, which would include taking these steps:
- Set realistic deposit limits (daily, weekly, and monthly) and availability rules based on the customer profile.
- Consider velocity limits and other tools to analyze individual transactions and customer trends. Have a system in place to flag certain deposited items that are out of the ordinary for closer (or even manual) examination.
- Continually monitor these limits and adjust them depending on the customer's behavior.
Front and back end processes
Financial institutions must also have adequate risk management at both the front end and the back end of the deposit process, which would include some of these strategies:
- Procedures for dealing with RDC items post deposit. Destruction and franking protect against double presentment.
- Strong user and hardware authentication routines.
- Strong image validation and quality guidelines.
- Customer education to ensure that images are not being stored on their mobile devices.
Just like any other successful product launch, mobile RDC creates new risk considerations. To date, it appears that those financial institutions offering the product are successfully controlling their risks. As this product begins to become commoditized, perhaps the biggest risk to financial institutions may be losing customers if they don't offer the product. For additional information on risk management of RDC, I encourage everyone to read the Federal Financial Institutions Examination Council's guidance on the topic.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference The Art of Capturing Customers with Mobile Remote Deposit Capture:
November 13, 2012
The Rule of 3, or Desperately Seeking Payment Products
Generally speaking, I have always believed in the "Rule of 3." When you're looking for something new—with your home, for example, or with your clothing style—try out three, and the obvious will likely emerge as a winner. When I had my design business and helped people pick products out for their homes, I never presented them with more than three options for any one product. If I did, sure enough they would get frustrated and become unlikely to make a confident decision.
When I changed career paths here at the Fed and entered the world of retail payments, I decided to look into some new payment products and services for my children. I am the mother of teenagers who are always asking for money, so my first goal was to provide them with a safe, easy, and secure way to have and spend money.
I began to research some products, and narrowed my choices down to three options to explore: gift cards, prepaid debit cards, and bank-issued debit cards. Immediately, I eliminated gift cards, which once depleted are usually not reloadable. I wanted this to be a lifestyle change, something that could be extended; therefore, I focused my research on option number 2, reloadable cards. I started at a local grocery store, where I stood looking in awe at the tower of choices I had before me. Most cards here cost $4.95 before you load money on them. A store clerk told me that a big-box retailer had the same products for $3, so off I went.
The first purchase was for my son. At the checkout, I asked the clerk to load $40 on the card. The clerk informed me that I could not use my credit card to fund a prepaid card—I needed cash, or a preprinted payroll or government check, or direct deposit from my paycheck, or a standard transfer from my bank that could take up to 13 days—and then I would be charged a fee.
This did not seem very user-friendly, especially since I do not carry an ATM card, nor do I frequent this big-box retailer often. But I was determined to try this new payment method, so I returned the next day and paid $3 to buy a $40 card. (I now know that this $3 fee is waived if you get your card online and that there is a reload fee of $3 and a monthly maintenance fee of $3.) This still seemed like a better option than a bank debit card. I registered the card online for my son (required for activation) and entered personal information like name, address, and social security number. I was not thrilled with that level of privacy loss—however, as the small print explained, "Federal law requires us to obtain, verify, and record information that identifies you when you open up this account." In addition, this is the only way I could get a refund if the card were lost or stolen, and that was one of my three preliminary requirements.
So I started looking for the actual custom card in the mail with my son's name on it. I waited two weeks—and no card. I reviewed the fine print included inside the package to discover that you must be over the age of 16 to buy and use this kind of card. This information was printed nowhere on the outside of the packaging. My son is 15, not even 16 yet. So, there will not be a custom card coming in the mail, and this temporary card I have will become useless once the balance falls to zero. Have I mentioned that there is a $3 monthly maintenance fee that applies after the tenth day you have the card? So far, I have paid $6 to lend him $40 on a card that is not reloadable.
This led me to option number 3, my bank, where I learned about student accounts that don't charge for bank-issued debit cards. And, for convenience, I can transfer funds from my checking account into the student account, which funds the debit card. Honestly, this was not my first choice, but it emerged as the safest, cheapest, and most convenient. I decided to use this opportunity to teach my kids about online banking, overdraft fees (because I am not linking the student account to my account), the importance of passwords, and balancing their (virtual) checkbooks.
This account has proven to be a wonderful tool, and my kids now look forward to logging in and checking their balances and confirming that their "payday" has been deposited upon completion of their agreed-upon chores. I can't wait to discover more opportunities of my new job here in the Forum!
By Michelle Castell, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference The Rule of 3, or Desperately Seeking Payment Products:
November 05, 2012
While Stalemate Continues, Another Retailer Data Breach Announced
We haven't heard about significant data breaches at any retailer's brick-and-mortar lately. In fact, the prevalence of cybercrimes and malware-related incidences has momentarily redirected our attention to payments made through online and wireless channels along with related payment crimes such as social engineering and malware-enabled account takeovers and card data theft. However, according to Verizon's 2012 Data Breach Investigations Report, while most attacks are not related to physical tampering, "there was no shortage of payment card skimming in 2011, and there were notable arrests." In fact, a recent press release from a major book retailer is cause to sharpen our focus on in-store card payments and the use of mag-stripe technology at payment terminals.
Tampering with PIN pad devices in stores
On October 24, 2012, the retailer announced that it had "detected tampering with PIN pad devices used in 63 of its stores" and that it had notified federal law enforcement to support an investigation into the criminal activity. Furthermore, it is working with the banks and payment card network brands to identify potential compromised accounts. Much to the retailer's credit, the press release also outlines precautionary steps consumers should take if they have shopped in any of the impacted stores—namely, changing PINs, reviewing account activity for unauthorized transactions, and notifying banks about unusual or unauthorized activity.
PCI compliance is not enough
How can retailers protect themselves from PIN pad tampering fraud? We explored the growing prevalence of card data breach incidents in a May 2011 post describing how a crafts retailer had experienced card terminal tampering that may have led to customer card data compromise. The post noted that while the Payment Card Industry (PCI) Data Security Council guidelines attempt to address advanced security measures, the vulnerabilities inherent in mag-stripe card technology present serious management challenges. The threats to terminals can come in the form of crime rings, company insiders, or the terminal manufacturers themselves.
Will merchants follow the EMV migration roadmap?
Card network brands separately issued announcements in 2011 and 2012 with their own EMV deployment milestones, which can be viewed as a collective roadmap. A summary of these milestones, grouped by payment network, is included in the October 2012 edition of Smart Card Talk and reproduced below. This publication explains the incentives in the form of audit relief from PCI compliance as well as liability shifts for counterfeit card losses for noncompliant banks and merchants.
However, many industry experts surmise that merchants are willing to take their chances on the potential card fraud losses for such a liability shift, judging them to be lower than the costs involved in terminal replacement for chip card acceptance.
Technology adoption stalemate
Industry participants continue to argue about the inequities in the economics for moving forward to a new security environment enabled with more secure chip-based technology. It is highly likely that there will never be a collective path forward considered fair to all, with the large number of industry players and dichotomies in revenue and cost-sharing expectations. So as the U.S. payments industry keeps moving along the same path, with participants arguing the merits and inadequacies of various deployment options for chip-based payments, we can expect to see more crimes at retailer terminals. These crimes will cause merchants to experience technology costs and even customer loss in unexpected and unpredictable ways. And bank issuers will continue to pay for cleanup in the aftermath, by issuing new cards. Perhaps an analysis of the economics of moving to chip-and-PIN should reflect a higher emphasis on the cost of data breach events and their cleanup efforts in the aftermath.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference While Stalemate Continues, Another Retailer Data Breach Announced:
- Tackling Fraud with Data
- Phone Scams: Still Calling Around
- Forming a More Perfect Union (for Faster Payments)
- Can Insecurity Keep Us from Faster Payments?
- Top 10 Payments Events in 2014
- Under Pressure: The Fate of the Independent ATM Operators
- What’s Unsettled in Faster Payments?
- Consumer Prepaid Protections May Be Catching Up with Prepaid Use
- Virtual Currency Environment Still Fluid after Latest Rulings
- ISO 20022 in the United States: What, When, Why, and How?
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud