Portals and Rails

About


Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.

October 20, 2014


Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?

Portals and Rails recently embarked on a series of posts on tokenization. In the first installment, we defined tokenization and distinguished between a merchant-centric enterprise tokenization solution and payment tokens generated as an issuer-centric end-to-end solution. In the second installment, we examined several different attributes of the issuer-centric end-to-end token initiatives currently under way and considered their impact on mitigating risk. In this post, we examine the shortcomings of end-to-end token initiatives and question if they are really a coup in mitigating risks in today's environment.

The goal of payment tokenization is to substitute sensitive data—such as account numbers, expiration dates, and security codes—that criminals can use to extract monetary value with surrogate values that lack monetary value. In light of the number and depth of recent data breaches, tokenization seems like a grand idea—let's get data that fraudsters can use out of the payment transaction flow and the merchants' systems.

But current uses for these end-to-end initiatives are limited to card-on-file transactions for in-app or e-commerce payments and mobile proximity payments. I know you have to start somewhere but, in the near future, only a small percentage of transactions will use tokenization. These end-to-end initiatives are solid solutions, but are currently extremely limited. Thus, there will be a continued need for the industry to use a variety of methods to fight fraud, including the merchant-centric enterprise tokenization solutions the first installment discussed.

And isn't the point of the significant EMV investment currently under way to mitigate risks associated with counterfeit cards using compromised card data? In other words, it should render compromised card data useless. But I am hearing the EMV naysayers claiming that, in an EMV world, data compromises will still take place and, while fraudsters may not be able to counterfeit cards, they can still use that data to shop on the Internet.

Those naysayers are correct.

But let's circle back to the use cases for the current issuer-centric end-to-end token initiatives. Is tokenizing payment data for card-on-file and mobile proximity payments really going to have a material impact on preventing card-not-present fraud? Are these tokenization efforts really the best solution for this challenge? It could be many years before we regularly use our mobile phones for proximity payments. I am confident that we will be using chip-enabled cards for a significant number of transactions within two to three years. Would it be wiser to rely on solutions that leverage the chip or other security features of cards? Or maybe it's time we realize that cards weren't designed for card-not-present uses and place a higher priority on the broader adoption of existing and emerging non-card-based payment solutions in a multi-layered security approach.

Unfortunately, I do not have the answers. But these questions and topics will certainly be discussed during the upcoming Securing Remote Payments conference that the Retail Payments Risk Forum and the Secure Remote Payment Council is hosting. If you are interested in attending, please reach out to us. We will be in touch with more details.

In the next installment in this series, we'll look at new security and operational risks introduced with these token initiatives.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


October 20, 2014 in cards, data security, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d080b04d970c

Listed below are links to blogs that reference Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 15, 2014


Let’s Talk Token: Authenticating Payments

It's challenging to have a conversation about EMV cards—cards with chip technology—given their well-documented fraud-mitigating shortcomings, without diving into a conversation on tokenization. And these conversations just intensified with Apple announcing the use of tokenization with its soon-to-be launched mobile payment application. Tokenization of payment card data can provide an additional layer of security to EMV cards for in-person payments and mitigates fraud risks that these cards don't address in the non-face-to-face environment.

I recently spoke at a forum on EMV cards, where it became evident to me that there is a high degree of confusion in the payments industry, especially within the merchant community, about tokenization. Currently, multiple standards initiatives around a new tokenization framework are under way, so Portals and Rails is embarking on a series of posts on tokenization. In this first installment, we define tokenization and distinguish between tokens generated within the merchant's environment (an enterprise solution) and payment tokens generated as an end-to-end-solution. A future post will compare the various payment end-to-end tokenization initiatives that have been announced to date.

In the data security and payments environment, tokenization is the substitution of sensitive data with a surrogate value representing the original data but having no monetary value. For payment cards, tokenization refers to the substitution of part or all of a card’s PAN, or primary account number, with a totally randomized value, or token. A true token cannot be mathematically reversed to determine the original PAN, but a token service provider in a highly secure environment can subsequently link it to its associated PAN.

Tokenization of payment credentials has been around since the mid-2000s, driven primarily by the issuance in 2004 of the Payment Card Industry Data Security Standard (PCI-DSS), which defines merchant requirements for protecting cardholder data. Merchants historically stored PANs for a variety of reasons, including to use in settlement reconciliation, perform incremental authorizations, handle chargebacks, and identify cardholder transactions for loyalty programs. With tokenization, merchants can remove PANs from their data environment and replace them with tokens—and thereby reduce their PCI-DSS compliance requirements. However, this enterprise solution still requires that the PAN enter the merchant environment before the tokenization process taking place.

Under the tokenization initiatives currently under way from the Clearing House and EMVCo, a financial institution would issue a token replacing a cardholder's PAN to the person's mobile handset, tablet, or computer device before initiating a digital payment transaction. So the merchant, rather than receiving the cardholder's PAN for initiating a transaction, would receive a token value associated with that PAN, which would then be de-tokenized outside the merchant's environment to obtain the necessary authorization and complete the transaction. The merchant never has knowledge of the cardholder's PAN—and that is a significant difference between these tokenization initiatives and the enterprise solution related to handling payment credentials.

The Clearing House's and EMVCo's concepts for payment tokenization are similar in many ways, but they also have differences. A future post will delve into the end-to-end tokenization initiatives and consider the impact on mitigating risk in payment transactions.

Photo of Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 15, 2014 in cards, chip-and-pin, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d068d564970c

Listed below are links to blogs that reference Let’s Talk Token: Authenticating Payments:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 09, 2014


Magic 8 Ball, Will We Ever Be Cashless?

Predictions of a cashless society have been broadcast sporadically throughout the decades. It became a popular concept in the United States in 1965 when Thomas J. Watson Jr., CEO of IBM, said, "In our lifetime, we may see electronic transactions virtually eliminate the need for cash." Watson believed, or hoped, that the newly released IBM mainframe computers would revolutionize financial transaction processing and make carrying cash unnecessary. Later that decade, the concept was expanded to a checkless/cashless society, with some predicting that both payment forms would be extinct by the 1980s.

Despite consumers' growing use of cards and the emergence of the ACH system, the cashless society concept took a bit of a detour during the 1980s and 1990s—ATMs and shared EFT networks proliferated, both offering tremendous convenience and making it very easy to distribute currency. When card-based point-of-sale (POS) programs also emerged, they offered an alternative to currency and checks, while also increasing the convenience of currency by allowing cash-back transactions. This expansion of currency convenience took place even as consumers were being warned of the dangers of coin and currency—the germs, the cocaine residue, the increased chance of robbery, and so on. Certainly this was a more intense negative campaign than the spontaneous combustion danger my mother warned me about when I was young. I'd received some birthday money that I was anxious to spend, and she declared that the money was "burning a hole in your pocket."

While the central banking authorities of some countries such as Sweden and Nigeria have announced a goal of moving to a less-cash society, consumers in the United States are seemingly moving in the opposite direction, as evidenced by some recent San Francisco Fed research. Researchers examined the data from the 2012 Diary of Consumer Payment Choice (DCPC) study by the Boston, Richmond, and San Francisco Federal Reserve Banks. The San Francisco Fed research included these key findings

  • Cash remains the most-used form of payment, accounting for 40 percent of payment transactions.
  • Cash is generally used for lower-value transactions. The average value of a cash transaction was only $21, compared with $168 for checks and $44 for debit cards.
  • Cash is used most often in gift and P2P (or "person-to-person") transfers, with food and personal care supply purchases second (see the chart).
    Figure 4: Payment Instrument Shares, by Spending Category
  • Contrary to the conventional wisdom of millennials' love for all things electronic, 40 percent of 18–24 year olds prefer cash over all other payment methods—the highest percentage of any age group.

Yes, card, ACH, and other electronic transactions are continuing to increase and gain larger shares of the overall consumer transaction mix while check usage remains in a steady decline. Despite the dire outlook for checks, my colleague Doug King pointed out in a recent post that check usage among P2P users actually increased, according to the latest Fed payments study. My Magic 8 ball is predicting that coin and currency are going to be around for quite some time. What does yours say?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 9, 2014 in cards, checks, currency | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a3fd1ade46970b

Listed below are links to blogs that reference Magic 8 Ball, Will We Ever Be Cashless?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 14, 2014


Danger Ahead! ATM Cash-Outs

The Federal Financial Institutions Examination Council (FFIEC) issued a warning in April to financial institutions about criminals continuing to launch attacks against ATM and web-based card management systems, especially those of small- to medium-size financial institutions (FI). Dubbed "unlimited operation" by the U. S. Secret Service, this type of attack can saddle a financial institution with fraud losses in the millions of dollars. As we highlighted in a post from last May, a bank in Oman experienced this type of attack in late 2012, which resulted in a loss to the bank of almost $40 million. Imagine the impact of a loss of that magnitude to a small to midsized FI.

These attacks are especially concerning for a number of reasons. First, the criminal organizations that carry them out are highly sophisticated and well-organized, and they have an international reach. The Oman attack included a money mule network across 26 countries—including the United States—performing more than 36,000 withdrawals in a 12-hour period.

Second, unlike typical counterfeit card fraud attacks that involve a large number of accounts, the criminals behind the card management system frauds need to compromise only a small number of card accounts. The attack that resulted in the $40 million loss involved only 12 accounts. Early in this type of operation, the criminals generally obtain the PINs of the cards for these accounts by conducting some sort of covert surveillance (pinhole camera or shoulder surfing). They then counterfeit the cards using those PINs.

Third, the attacks are generally timed to take place around holidays, when bank, IT, and fraud monitoring staff levels are low.

Fourth, the criminals get remote access to the financial institutions' card management systems to reset account balances and card withdrawal parameters. They can then use the counterfeit cards over their pre-established transaction limits or balances and drain the ATMs of all cash. The criminals usually obtain access to FIs' networks using e-mail phishing schemes that target processor or network employees. Through gullible employees, malware is loaded onto the network that later gives the criminals access to the FIs’ card management systems.

Major online networks now have transaction velocity monitoring capability, which detects a high number of transactions on an individual account. This approach is necessarily only a secondary and reactive measure, not a preventive measure.

FIs should immediately address the risk mitigation steps that the new FFIEC warning outlines. Because the vast majority of small to midsized FIs depend on third-party processors to run their card management systems, it is imperative all FIs verify that their processors have the controls and safeguards in place to prevent such attacks, and they should insist on seeing validation of those controls.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 14, 2014 in ATM fraud, cards, cybercrime, fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a5119e4e38970c

Listed below are links to blogs that reference Danger Ahead! ATM Cash-Outs:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 07, 2013


Fraud Happens. So What Do You Do?

As both a data junkie and someone interested in payments fraud, I must admit that I am envious of my colleagues across the pond in the United Kingdom. The Financial Fraud Action UK recently released Fraud the Facts 2013, its annual report providing insight and data on payments fraud in the U.K. financial services industry. Unfortunately, no such report exists in the United States.

This year's report drives home two key points that were discussed at our July 31 Improving Customer Authentication forum. First, the enrollment process is a critical initial step in securing transactions. Enrolling a fraudster can only result in fraudulent transactions. Second, consumer education remains an important aspect of mitigating fraud—a topic we at the Risk Forum have written and spoken on extensively. Despite the fact that the United Kingdom uses the EMV standard—which is based on chip card technology—overall payment card fraud increased by 14 percent from 2011 to 2012. Among its many insights, the report reinforces the idea that EMV adoption alone will not keep fraud from occurring.

Aside from the usual suspects of card-not-present (CNP) fraud and cross-border fraud in non-EMV countries, the report mentions two other contributors to payment card fraud growth that captured my attention. One, card ID theft fraud, which includes application fraud (using stolen or fake documents to open an account) and account takeover fraud (using another person’s credit or debit card account by posing as the genuine cardholder), increased by 42 percent from 2011 to 2012. Two, criminals have resorted to using "low-tech deception crimes" to convince consumers to part with their cards, PINs, and passwords.

The important takeaway I got from this report is that no matter the technology or standard used on payment cards, it remains critical to keep personally identifiable information protected and to continue to educate consumers about sound payment practices. The industry could use the most sophisticated and secure solutions to authorize and authenticate transactions, but those sophisticated, secure solutions can do very little to prevent the use of accounts established fraudulently.

Criminals are exploiting weaknesses in both the enrollment process and consumer behavior. These weaknesses are not something a chip-embedded card can solve.

So what tools can and should the industry use to prevent a criminal from using a stolen or synthetic identity to open an account? Do you think information available through social media could play a role in this process? We would value your thoughts.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 7, 2013 in authentication, cards, chip-and-pin, EMV, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019affd3f992970b

Listed below are links to blogs that reference Fraud Happens. So What Do You Do?:

Comments

While everyone is focused on the water main, there are millions of slow, steady fraud drips that aren't getting any attention: call center transactions.

Just started a subscription yesterday and read my CC# to some faceless agent in some unknown call center. Did she write it down? The call was recorded. Are the quality monitoring people writing it down and selling it?

There are solutions readily available. They are simple. They are cheap. They work. But there is no hue and cry to use them...from consumers, from banks, from regulators, or from businesses.

Until known solutions to known and supposedly big problems are implemented, the hand wringing about fraud is beginning to look like a Potemkin Village...a veneer of concern with nothing behind it.

Posted by: Dennis Adsit | October 21, 2013 at 12:12 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 24, 2013


Using Analytics to Improve Credit Quality

With consumer credit products such as mortgages and payday loans occupying headlines, credit card portfolios have been quietly and steadily marching towards improvement in quality over the last three years, according to data released by the Fed’s Board of Governors. As the chart shows, seasonally adjusted charge-off rates are down to 3.9 percent, and delinquency rates are at 2.6 percent for the largest 100 commercial banks in the United States, the lowest rate since the Federal Reserve began tracking this statistic at the start of 1991.

Credit Card Charge-Offs and Delinquency Rates: Top 100 US Commercial Banks

But how have credit card issuers been able to improve the quality and profitability of their card portfolio since the severe economic impact felt by all during the recession? One of the many tools the Board identified—and one cited by portfolio managers—is the increasing use of analytics. Issuers collect and comb vast amounts of data from a variety of sources to ensure that cardholders are equipped to manage their balances.

Credit issuers use analytics for a variety of purposes, including establishing credit limits, monitoring ongoing credit quality, targeting marketing efforts, and detecting fraud. They perform analytics at the individual cardholder level—looking at credit history and purchasing patterns, for example—as well as at the customer segmentation level to identify correlations between certain data elements and indicators of potential changes in credit quality. The increased power of these analytical tools over the last decade is due primarily to the incredible advancements in data collection and analysis technology. These advances have provided issuers with the ability to run sophisticated "what if" models to determine how changes in various key attributes of cardholders or in the overall economic environment will affect the quality of their portfolio.

Clearly, many of the issuers have taken other proven steps to improve the credit quality of their portfolios: they’ve reduced credit lines and increased payment monitoring management for existing accounts during and after the recession. And they applied more stringent credit policies, making it more difficult for new applicants to be approved (or likelier to be approved at lower credit limits than they would have been before). These are all sound risk management techniques. But data analytics has been a very powerful additional tool, allowing issuers to make huge strides in ensuring ongoing credit quality.

How are you using increased technology capabilities to improve your risk management capabilities?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 24, 2013 in cards, debt, innovation, payments study | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019aff958780970c

Listed below are links to blogs that reference Using Analytics to Improve Credit Quality:

Comments

Data and analytics can provide a competitive advantage for financial institutions (FIs) of all sizes. Sophisticated models can lead to better decisions and improve your institution's risk management, marketing, price optimization, offer optimization, and more. Arguably, the most important area is risk management. FIs need to find their happy median for risk. Effective decisioning won’t be profitable if high-risk customers are approved for too many cards or approved for credit limits that will overreach their ability to pay, but FIs also don’t want to necessarily turn a consumer away due to an address discrepancy. The FIs that can most effectively leverage their data and analytics will gain the competitive edge. It appears many credit card issuers have already figured this out.

Posted by: Christina Lysacek | October 21, 2013 at 02:53 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 11, 2013


Is Growing Fraud Really a Catalyst for EMV?

My payments news feed has been filled with a heavy dose of EMV-related news these last few days. Take the January 2013 article from the American Banker that looks at the incidence of increasing fraud losses as the United States continues to lag on the implementation of EMV chip cards. This one especially caught my attention given that I had written a paper on this topic early in 2012.

In recent SEC filings, both Discover Financial Services and Capital One reported significant increases in fraud losses. Based on calculations using figures from Discover's latest annual report, its fraud rate on sales volume increased from 4.8 basis points in 2010 to 7.2 basis points in 2011, and reached 8.8 basis points in 2012. Because of our nation's continued reliance on magnetic-stripe cards, "we are the weakest link around the world," according to one analyst. According to another, "the fraud comes here." Given this trend of rising fraud losses, is fraud finally becoming a bigger part of the business case for EMV with card networks' liability shifts for counterfeit fraudulent transactions a little more than two years out?

I don't think that it is. While the American Banker article, and even my paper, paints a somewhat discouraging picture of the fraud situation, the fact remains that fraud is but a small, albeit growing, expense on an issuers' income statement. For example, Discover reported $93 million in fraud losses for 2012, or roughly $8 million more than it spent on postage. By comparison, net charge-offs from credit card debt cost them over $1.2 billion in 2012 and as much as $3.7 billion in 2010. Fraud risk as measured by fraud losses is just "another expense" to issuers while credit risk, measured by credit losses, has one of the largest, if not the largest, negative impact on an issuers' bottom line. Is it possible that fraud losses will have a larger negative impact further down the road? Absolutely, and I think they will. I also recognize there are other "soft costs" associated with card fraud in terms of cardholder inconvenience and overall payment safety perception.

Further, EMV does not address the entire fraud loss problem. It's no secret by now that while EMV has been excellent at reducing face-to-face fraud, card-not-present (CNP) fraud continues to rise because EMV does not effectively prevent it in today's online environment. For example, since the rollout of chip-and-PIN in 2008 in Canada, CNP fraud increased from C$128 million to C$259.5 million in 2011. This is another example of fraud moving to the weakest link in the payments chain. Ultimately, EMV as it exists today only solves part of the fraud equation. Until a cost-effective and consumer-friendly CNP fraud reduction solution gains traction, I believe a business case for EMV built around fraud losses will remain difficult to build. For some, the costs to implement EMV may be viewed as an insurance policy against a widespread compromise of the mag-stripe technology.

It has been more than 17 months since Visa announced its EMV U.S. migration plan and a year since MasterCard announced its EMV "Roadmap." Still, issuance and acceptance of EMV cards remains tepid, if that, here in the United States. With a little over two years until the first liability shifts for the U.S. are scheduled to take place in April 2015, issuers will need to make EMV migration decisions soon if they intend to take advantage. But is the business case there currently?

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 11, 2013 in card networks, cards, chip-and-pin, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d40f3aa2f970c

Listed below are links to blogs that reference Is Growing Fraud Really a Catalyst for EMV?:

Comments

My view on EMV is that it is a fundamentally more secure payment vehicle than typical magnetic stripe cards - plain and simple.

There are many benefits outside of just fraud savings. Consider missed transactions that international travelers might incur with a traditional card. Aite analysis reveals that card issuers missed out on $4 billion in charge volume in 2008 because of problems cardholders had with their cards while traveling abroad.

Then there is consumer perception. Ask a consumer today if he/she would like to own a car without air bags? The answer is likely no. The same is likely to hold true for EMV cards. If I have two options, traditional or EMV, I'm likely to choose EMV because it's safer. We all need to protect and enhance the consumer experience.

One cannot accurately predict future fraud costs with any degree of certainty. The pie for fraudsters is getting smaller, and if I'm a bank or credit union I don't want to be in the cross-hairs, especially if those vulnerable are getting smaller. CNP fraud is escalating. The payments industry will need to solve for that.

Chris Slane, VP, Business Development, Quatrro Processing Services

Posted by: Chris Slane | February 28, 2013 at 07:41 AM

Excellent article. One that takes the credit card fraud issue head-on and establishes that issuers and merchants have more serious issues to worry about than controlling fraud. I also found @MikeB's comment - especially the part about "issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most" - very sensible.

Posted by: Ketharaman Swaminathan | February 17, 2013 at 12:41 PM

I think you need to add other costs in (eg, PCI-DSS compliance and fraudulent portion of charge-offs) to obtain the correct cost/benefit calculation.

Posted by: Dave Birch | February 15, 2013 at 02:26 AM

Douglas,
Very interesting article and I agree that it appears that the EMV benefit is perhaps not worth the industry expense particularly if you're also shifting fraud from CP to CNP. In addition, it seems that here in the US, we're poised to move to new payment technologies such as Digital Wallets, NFC and/or Bar-codes that are more inline with the American customer, who I'm sure won't want to slow down at the point of sale to put in a PIN number on a Credit card transaction.

We conducted trials in the UK last year that I believe get to the issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most. By using Location-Based Analytic, we saw a 55% reduction of false positives while at the same time seeing a 30% increase in fraud detection . All of this in a non-intrusive manner, allowing the consumer the convenience of just swiping their card and moving on.
Mike

Posted by: Mike Buhrmann, CEO Finsphere | February 12, 2013 at 02:11 PM

Fraud may continue to be manageable from a cost perspective, but it is ultimately damaging to the user experience and the network brand experience. Consumers are increasingly frustrated by dealing with fraudulent charges (even with zero liability), receiving notices that their accounts are being breached, receiving re-issued cards, and having to re-configure their automatic payments. The networks are the ones pushing EMV because ultimately it's confidence in their systems that is taking the hit.

Posted by: Aaron Press | February 11, 2013 at 04:26 PM

Your comments raise an interesting question, namely, how much of what banks allocate as net charge-offs are actually fraud losses - especially in cases of account takeover fraud. The bad guy gains access to an account, changes the address, runs up a huge balance and bolts. As these balances get stale, the bank can either categorize them as fraud or simply charge them off.

Posted by: Chip Wickenden | February 11, 2013 at 10:23 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 04, 2013


The Promises and Pitfalls of Big Data

In reviewing one of my recent credit card statements, I noticed a marketing message offering $5 off for an online purchase using their credit card at one of the online retailers I frequently visit. At first I thought this was a bit strange as I had not used that particular credit card at that merchant. Then I realized this was likely "Big Data" in action. Evidently, this credit card issuer had gotten information from some database, perhaps from the retailer, that I was a frequent customer of that retailer. The card issuer then checked its records and found that its card wasn't the one I used for the purchases, so it tried to entice me with $5 savings to switch my card usage habits.

A recent Harris Interactive poll of 1,000 U.S. Internet users showed that the typical consumer has an extremely high level of concern about the amount of personally identifiable data (PID) that is collected about them from public databases, e-mails, web access, and private data aggregators and how that information is being used. Big Data has opened a new world of marketing opportunities for companies with the capability to analyze and use such a wide array of information. In addition to marketing opportunities, Big Data technology can also provide enhanced risk assessment capabilities.

Card issuers have used data analysis at both the macro and individual cardholder level for several decades for fraud management purposes. With sufficient transaction history, the issuer creates a cardholder's purchase profile and evaluates future transactions against that profile. In the early stages of such efforts, if a transaction fell outside the normal profile parameters, the issuer was likely to authorize the purchase and then attempt to contact the cardholder later to verify its legitimacy. Before the wide usage of cell phones or text alerts, contacting the customer was often delayed by days until he or she could be reached on a landline. With advances in software and processing technology, some issuers risk rate transactions as they are received for authorization and may deny a transaction with a high risk score or one that exceeds parameters the customer has personally established. Of course, the downside to such a process is a false denial resulting in a less-than-satisfied cardholder.

While few may find fault with using data for financial risk management purposes, the line is blurry between privacy and data analysis for behavioral activity. Let's say you normally use a particular prescription medication for treatment of a chronic medical condition. Data analysis can tell how frequently you should be getting refills of that medication from your pharmacy. On the positive side, the pharmacy can use this information to send you reminders that it is time to order a refill. But what if the data shows that your refills are spaced further apart than the quantity and dosage level dictate? Is it ethical for the online pharmacy to notify your insurance provider that you appear to have significant lapses in taking your medicine when doing so could affect future coverage? At what point does "Big Data" become "Big Brother"?

In 2013, data security and privacy—the issues associated with Big Data—will be a major area of focus for the Retail Payments Risk Forum. In addition to looking at these issues in our Portals and Rails posts, we will be publishing white papers and convening forums with designated stakeholders to further discuss these issues. We welcome your input on what topics you would like to see us cover.

Oh, and as to that $5 offer, I think I'm going to hold out for a few months and see if they are willing to raise the ante. If this blog is being data scrubbed, I think $10 will do it!

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


On a different note, the Retail Payments Risk Forum would like your feedback on our blog. We would be grateful if you would take a moment to complete our survey. It really is very short.

February 4, 2013 in cards, consumer protection, privacy | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017ee8360ee4970d

Listed below are links to blogs that reference The Promises and Pitfalls of Big Data:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 10, 2012


The Interchange Fee Cap: One Year Later

Make no mistake about it, I'm a debit card person, and a PIN debit one at that. So I write this under full disclosure of that bias. I haven't written a check at a retail merchant in more than 10 years and no longer even carry a checkbook. Rarely do I have more than $10 in my pocket—just enough for the purchase of some miscellaneous small-value items. I have always found PIN debit to be a highly convenient form of payment due to its reliability, accuracy, speed, and general acceptance at merchants that I frequent. If I forget or lose a receipt, a quick check of my account online will always show the transaction so I can record it in the balance register.

I know I am in the minority preferring PIN debit, as signature debit has dominated the debit card market both in terms of transaction and sales volume. Consumers like signature debit because of its acceptance at significantly more merchants, and they don't have to worry about remembering a PIN. Pre-Durbin, issuers preferred that their cardholders use signature debit because it generated substantially more point-of-sale (POS) interchange revenue than PIN debit. Some issuers encouraged their cardholders to select “credit” when using their debit card so the transaction would be processed on the signature debit rails and qualify for the higher interchange rate. That was the rub with merchants, especially the larger, high-volume ones. Signature debit was more expensive for them to process. In response, merchants with PIN pads programmed their terminals to encourage PIN usage by designating it as the default debit payment method.

Then came the Durbin Amendment (part of the Dodd-Frank Wall Street Reform and Consumer Protection Act) and the resulting implementation through Regulation II in October 2011 that changed the debit card world forever. The rule set a maximum interchange fee for signature and PIN debit and made no differentiation between the two, despite the overwhelming evidence that fraud losses on signature debit transactions were significantly higher than on PIN debit transactions. Although the final rule raised the interchange cap and reduced the fee-income hit to the issuers, forecasts of a diminished role in the market, especially for signature debit and other core bank products, came quickly from the bankers. A number of issuers that had established rewards programs linked to signature debit transactions (no or lower points for PIN debit transactions) announced plans to discontinue or reduce their debit rewards programs. Some major banks announced they would be imposing a monthly or annual fee for debit cards as a way to partially recover some of the revenue lost by the lower interchange fees. Another expected casualty was the free checking account. The banks said they could not afford to subsidize other account services without the fee income from debit card usage and the revenue loss suffered earlier in the year by the opt-in requirement for overdraft coverage for ATM and POS transactions.

Now, just over a year after the interchange cap took effect, what has been the result? There clearly has been a decrease in the number of rewards programs tied to debit cards as issuers sought to reduce program costs. Bankrate's 2011 Debit Card Rewards Study reported a 30 percent decline in debit rewards programs, even though the survey was taken before the interchange cap became effective. Not surprisingly, this study found that of the programs still operating, many were still offering reward points only for signature debit transactions.

Efforts by a number of the larger banks to impose a new debit card fee never gained traction. Many of the fee plans were dropped or modified to provide waivers if minimum balances were maintained. Free checking has certainly been a casualty as Bankrate's September 2012 Checking Survey showed that the number of banks offering free checking with no minimum balance requirement dropped from a high of 76 percent in 2009 to 45 percent in 2010, and then declined further, to 39 percent, in 2011.

Clearly, banks have suffered from the impact of Regulation II, with significant reductions in fee-income revenue through the lower interchange rate, especially for signature debit transactions. And consumers have a harder time finding debit rewards programs, and their account maintenance fees may have increased. The big winners have been the large to mid-sized retailers who have been able to renegotiate discount rates with their card processors. The merchant community says that consumers ultimately benefitted from the lower debit card processing expenses because the merchants have lowered or held steady their prices. However, the merchant claims are virtually impossible to validate since the pricing of goods and services is impacted by a large number of different elements, and interchange rates represent only a small one.

On a related note: the $7 billion class-action credit card interchange fee settlement recently received preliminary court approval amid opposition from some of the country's largest retailers and retailer industry groups. The litigation that originated in 2005 has used many of the same arguments that led to the passage of the Durbin Amendment legislation—primarily, that the interchange rates set by two major card issuers were arbitrary and excessive. Another major issue was that the payment card networks' rules prevented a merchant from implementing a surcharge to offset the increased costs claimed by merchants in accepting a credit card.

Clearly, the subject of interchange fees is not going to disappear anytime soon. What will be the longer term impact, if any, of the debit—and possibly credit—card interchange constraints? Will they impact the conversion of debit cards from magnetic-stripe technology to chip? We would like to hear your thoughts on who you believe are the winners and losers from Regulation II as well as its impact on debit and credit cards going forward.

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 10, 2012 in cards, chip-and-pin, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017c347ac8b4970b

Listed below are links to blogs that reference The Interchange Fee Cap: One Year Later:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 13, 2012


The Rule of 3, or Desperately Seeking Payment Products

Generally speaking, I have always believed in the "Rule of 3." When you're looking for something new—with your home, for example, or with your clothing style—try out three, and the obvious will likely emerge as a winner. When I had my design business and helped people pick products out for their homes, I never presented them with more than three options for any one product. If I did, sure enough they would get frustrated and become unlikely to make a confident decision.

When I changed career paths here at the Fed and entered the world of retail payments, I decided to look into some new payment products and services for my children. I am the mother of teenagers who are always asking for money, so my first goal was to provide them with a safe, easy, and secure way to have and spend money.

I began to research some products, and narrowed my choices down to three options to explore: gift cards, prepaid debit cards, and bank-issued debit cards. Immediately, I eliminated gift cards, which once depleted are usually not reloadable. I wanted this to be a lifestyle change, something that could be extended; therefore, I focused my research on option number 2, reloadable cards. I started at a local grocery store, where I stood looking in awe at the tower of choices I had before me. Most cards here cost $4.95 before you load money on them. A store clerk told me that a big-box retailer had the same products for $3, so off I went.

prepaid card display The first purchase was for my son. At the checkout, I asked the clerk to load $40 on the card. The clerk informed me that I could not use my credit card to fund a prepaid card—I needed cash, or a preprinted payroll or government check, or direct deposit from my paycheck, or a standard transfer from my bank that could take up to 13 days—and then I would be charged a fee.

This did not seem very user-friendly, especially since I do not carry an ATM card, nor do I frequent this big-box retailer often. But I was determined to try this new payment method, so I returned the next day and paid $3 to buy a $40 card. (I now know that this $3 fee is waived if you get your card online and that there is a reload fee of $3 and a monthly maintenance fee of $3.) This still seemed like a better option than a bank debit card. I registered the card online for my son (required for activation) and entered personal information like name, address, and social security number. I was not thrilled with that level of privacy loss—however, as the small print explained, "Federal law requires us to obtain, verify, and record information that identifies you when you open up this account." In addition, this is the only way I could get a refund if the card were lost or stolen, and that was one of my three preliminary requirements.

So I started looking for the actual custom card in the mail with my son's name on it. I waited two weeks—and no card. I reviewed the fine print included inside the package to discover that you must be over the age of 16 to buy and use this kind of card. This information was printed nowhere on the outside of the packaging. My son is 15, not even 16 yet. So, there will not be a custom card coming in the mail, and this temporary card I have will become useless once the balance falls to zero. Have I mentioned that there is a $3 monthly maintenance fee that applies after the tenth day you have the card? So far, I have paid $6 to lend him $40 on a card that is not reloadable.

This led me to option number 3, my bank, where I learned about student accounts that don't charge for bank-issued debit cards. And, for convenience, I can transfer funds from my checking account into the student account, which funds the debit card. Honestly, this was not my first choice, but it emerged as the safest, cheapest, and most convenient. I decided to use this opportunity to teach my kids about online banking, overdraft fees (because I am not linking the student account to my account), the importance of passwords, and balancing their (virtual) checkbooks.

This account has proven to be a wonderful tool, and my kids now look forward to logging in and checking their balances and confirming that their "payday" has been deposited upon completion of their agreed-upon chores. I can't wait to discover more opportunities of my new job here in the Forum!

Michelle CastellBy Michelle Castell, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

November 13, 2012 in cards, prepaid | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d3d9951c0970c

Listed below are links to blogs that reference The Rule of 3, or Desperately Seeking Payment Products:

Comments

I am surprised that you did not come across the prepaid "teen" card offerings such as Visa Buxx, which is a prepaid card specifically designed for parents with teenagers who would like to provide their child with a bank account type of relationship. The beauty of the teen card is that there are 2 account holders and one card holder. The parent has total visibility on the account and can load funds (without a fee from a checking account) from any source, even limit where the card is used and look at the account activity. The teen, can use the card anytime any place and also monitor statements on line. This product has become very popular with high school and college students and it has all the safety and security of a DDA account without having to keep a minimum balance or having the risk of over drafting the account. It is definitely worth looking into.

Posted by: Madeline K. Aufseeser | November 14, 2012 at 09:40 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


December 2014


Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31      

Archives


Categories


Powered by TypePad