Retail Payments Risk Forum

Portals and Rails

July 21, 2014

How Much Will Chip-Card Technology Affect ATM Owners?

Last week, my colleague Doug King wrote a post about the impact of the migration to chip-card technology on financial institutions that issue cards, with a focus on the smaller issuers. What happens with ATMs is an aspect of the chip-card migration that hasn't received much media attention. This may be because the liability shift timetable for ATMs—for MasterCard, it's October 2016; for Visa, October 2017—comes after the merchants' October 2015 deadline.

Of the roughly 430,000 ATMs in the country, nonfinancial institutions own just over half. The size of these independent ATM deployers (called IADs) ranges from two large companies with installed ATM bases of 60,000+ machines to thousands of small independent owners with a handful of ATMs. The conversion to support chip cards can cost these businesses up to $500–800 per machine. This impending ATM upgrade has echoes of the Triple DES (or Triple Data Encryption Standard) upgrade that Visa and MasterCard mandated in 2003, with a 2007 deadline. That upgrade involved strengthening ATM transaction security to better protect cardholders' personal identification numbers. As with today's chip-card upgrade, some of the older ATMs did not have the computing power necessary to support the upgrade, which meant the owners had the additional expense of replacing or decommissioning these machines. The independent-ATM installed base declined by more than 12 percent from 2007 to 2009 because many of the owners could not afford the Triple DES upgrade.

The costs of the current upgrade come at a time when the operators are seeing a constriction of their revenues. ATM usage has not kept up with the increased number of machines, which has resulted in lower average volumes per ATM and lower transaction revenues. The increased use of debit cards at retailers along with the cash-back option that many retailers offer are primary reasons for the lower usage.

The ATM owner has two main sources of revenue: interchange fees and surcharge fees. The card issuer pays the interchange fee; the cardholder pays the surcharge, which the ATM owner adds to the transaction amount. (The cardholder may also incur a "foreign transaction" fee from their financial institution for using an ATM outside their financial institution's network, but the ATM owner receives no portion of that fee.)

For 10 years, net interchange revenue to the IADs has steadily decreased. An industry survey showed that average interchange revenue per cash withdrawal dropped from $0.555 in 2006 to $0.3625 in 2012. ATM owners have some ability to raise their surcharge amount, but they have to remain competitive. (The average ATM surcharge is about $2.50, according to Bankrate.com’s 2012 Checking Survey.) To offset these profitability constrictions, ATM owners are continuing to look for additional revenue sources, such as video advertising or branding their ATM with the name of a financial institution.

As the chip-card deadline for ATMs gets closer, Portals and Rails will continue to monitor and report on its impact.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed.


July 14, 2014

EMV Train is Gathering Steam: Procrastinators Take Warning

With each passing day it becomes more apparent that the United States’ EMV train—the one carrying the chip-embedded credit and debit cards—has left the station and is gaining steam for the ride towards the October 2015 POS liability shift timetable. In a June 12 press release, the EMV Migration Forum estimates that 100 million EMV cards (approximately 9 percent of the card base) will be issued by the end of 2014 and that an estimated 4.5 million chip-capable terminals (approximately 40 percent of terminals) will be installed by year’s end. Demonstrating different perspectives on the speed of the EMV train, two research groups, Aite Group and Javelin Strategy & Research, released their card conversion estimates:

[Image: EMV Card Conversion]

Javelin also projects that 53 percent of POS terminals will be chip-enabled by the end of 2015.

The newly released PULSE 2014 Debit Issuer Study perhaps best captures EMV’s gathering speed. Of the issuers surveyed for this study, 86 percent plan to issue EMV cards in the next two years, compared to only 50 percent in the previous year’s study. However, the study reveals there is a bit of discrepancy between the EMV plans of large and small financial institutions. About 22 percent of community banks and 17 percent of credit unions have no EMV issuance plans compared to only 4 percent of large banks.

We know from experience that fraud generally migrates to the weakest link. So the EMV issuance findings are a bit troublesome, especially when we consider that the study found credit unions and community banks had already experienced significant increases to their signature debit fraud rates in 2013 from 2012 compared to large banks. Further, in 2013, credit unions and community banks had fraud rates approximately 25 percent and 15 percent, respectively, greater than those of large banks.

Despite the EMV naysayers, the U.S. payments industry is moving ahead with this initiative. For those smaller financial institutions waiting to see how EMV will unfold, the future has become clearer. By not acting, those financial institutions could become the "weakest link" and an easier target for the fraudsters compared to peers and competitors that do migrate. The train is rumbling down the EMV tracks, but there still is time to get an issuance plan in place.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


July 07, 2014

Fighting the High-Tech Criminals

The days of small gangs or the lone criminal committing "grab-and-go" robberies or counterfeiting checks and currency are certainly not over. However, crime stories involving millions of dollars and criminal networks that span the globe tend to grab the headlines these days. Just about everyone has heard about the recent data breaches at major retailers and ATM cash-outs that have netted criminals millions of dollars. A presentation at a recent payments security conference addressed the role of high-tech criminal groups in such crimes and the major threat they present to the security and reputation of our payment system. The speaker described how law enforcement agencies are working vigilantly to shut down these large global criminal enterprises and their cybercriminal activities.

The speaker detailed the composition of a criminal network, which closely resembles the organizational structure of a multinational corporation with numerous subsidiaries. This image shows the major components of the criminal enterprise.

[Image: major components of the criminal enterprise]

  • Executives—These people serve as the originating group and ultimate beneficiaries of the spoils of their successful attacks. They identify the types of criminal cyberactivity to pursue, including identifying the target companies or computer systems.
  • Financiers—If the executives don't have the financial resources to carry out their scheme, they often link to a funding source. The financiers may receive a share of the executives' profits as compensation, or they may simply treat the transaction as a loan, charging interest until the loan proceeds are repaid.
  • Exploiters—The hackers and software personnel identify vulnerabilities in software or systems and write malware code to compromise a target's account credentials. They normally receive compensation based on the type of attack and the level of sophistication.
  • Botnet operators—A botnet is a network of compromised computers. The botnet operators, sometimes called "bot herders," control these systems. They run automated programs in the background, so they are often undetected by the legitimate computer owners, to send massive amounts of spam, conduct spear phishing attacks, or in some other way launch attacks against their targets. Botnet operators receive payment based on the number of compromised computers they use and the time required for the attack.
  • Money mules—These players are in the most vulnerable group; they are the people on the street, retrieving the stolen funds and sending them, minus their cut, to the executives. Some law enforcement authorities have said that mules' share of the ill-gotten proceeds can be as high as 60 percent, depending on an operation's level of risk.

While these players are closely linked, they are generally separate criminal groups that have developed niche roles. The separation provides some safety to the executive group in that if members of one of the linked groups are arrested, executives can find another group to take their place so they can continue their illegal activities.

The major global criminal networks have proven to be formidable because of their resilience, but they are not invulnerable. Law enforcement agencies in the United States and other countries are working together to attack these networks through a variety of strategies. Unfortunately, in many cases, the core criminal leaders are physically located in safe havens, so called because local policies may prevent extradition or because governmental officials may be complicit or corrupt so they ignore the criminal activity as long as the targets of the crime are outside their borders.

Portals and Rails salutes the law enforcement personnel for their tireless efforts in this constant battle.

Photo of Deborah Shaw


June 30, 2014

A Call to Action on Data Breaches?

I recently moved, so I had to go online to change my address with retailers, banks, and everyone else with whom I do business. It also seemed like an ideal opportunity to follow up on the recommendations that came out after the Heartbleed bug and diligently change all my passwords. Like many people, I had a habit of using similar passwords that I could recall relatively easily. Now, I am creating complex and different passwords for each site that would be more difficult for a fraudster to crack (and at the same time more difficult for me to remember) in an attack against my devices.

I have found myself worrying about a breach of my personal information more frequently since news of the Heartbleed bug. Before, if I heard about a breach of a certain retailer, I felt secure if I did not frequent that store or have their card. Occasionally, I would receive notification that my data "may" have been breached, and the threat seemed amorphous. But the frequency and breadth of data breaches are increasing, further evidenced by the recent breach of a major online retailer's customer records. This breach affects about 145 million people.

As a consumer, I find the balance between protecting my own data and my personal bandwidth daunting to maintain. I need to monitor any place that has my personal data, change passwords and security questions, and be constantly aware of the latest threat. Because I work in payments risk, this awareness comes more naturally for me than for most people. But what about consumers who have little time to focus on cybersecurity and need to rely on being notified and told specifically what to do when there's been a breach of their data? And are the action steps usually being suggested comprehensive enough to provide the maximum protection to the affected consumers?

Almost all states have data breach notification laws, and with recent breaches, a number of them are considering strengthening those laws. Congress has held hearings, federal bills have been proposed, and there has been much debate about whether there should be a consistent national data breach notification standard, but no direct action to create such a standard has taken place. Is it time now to do so, or do there need to be more major breaches before the momentum to create such a standard makes it happen?

Photo of Deborah Shaw

June 30, 2014 in consumer protection, cybercrime, data security, privacy