Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

February 18, 2014

The Mythical End State of Security

As a proponent of secure payments, I am happy to see the EMV (chip card technology) discussion take center stage with national media outlets and on the Hill after the recent revelation of data breaches involving payment card data at merchants. Having written and spoken extensively on the benefits (as well as the shortcomings) of migrating to the EMV standard here in the United States, I am a strong believer in EMV's ability to reduce counterfeit card-present fraud. But I do feel that a bigger story is getting lost in these EMV discussions—that of payment card data security.

Security approaches are not static, but must be constantly improving and evolving, thanks in large part to a rapidly changing technology environment and evolving tactics of criminals. A solution that is implemented today will more than likely become obsolete or in need of additional investment to remain viable in the future. There is no "end state" when it comes to security. A wait-and-see approach for this hypothetical end state is flawed.

Consider my home security system to which I recently added video monitoring capabilities. This addition to my system made my upgrade to glass-breaking sensors several years ago seem like a bad investment. But had I waited for the camera technology, perhaps I would have suffered the same fate of several of my neighbors who ended up with bad guys breaking windows to gain entrance into an empty house. And though I feel better protected now than I was several years ago, I realize that it is inevitable that another upgrade with additional costs will be necessary in due time to best protect my property and family.

EMV is a solution ready to have a positive and immediate impact on reducing the value of stolen card data. And because of that, I am an advocate for its adoption in the United States according to the adoption plans set by the card networks. However, EMV alone does not provide complete protection of card data, and stolen card data retains value to fraudsters even in an EMV world. Magnetic stripes will not disappear overnight with a migration to EMV. (The UK began their migration in earnest seven years ago and mag stripes are still commonly found on their cards.) And stolen card data can easily be used in the card-not-present environment.

The payment industry must strive to secure payments data so that data stolen from breaches cannot be exploited for monetary value by criminals. Until the industry does that, it is reasonable to believe that data breaches and the subsequent effort to monetize the information will continue. EMV is a step in the right direction, but it is not the final and only step. EMV will be costly to implement. It will not and cannot be the final investment spent on securing card payments.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 18, 2014 in chip-and-pin, EMV, innovation | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73d7ac64d970d

Listed below are links to blogs that reference The Mythical End State of Security:

Comments

The largest drawback to EMV is the cost; I recently read that it would cost over eight billion dollars to change the current U.S. payment infrastructure to an EMV system. In your example, the camera system was a home security option that wasn’t feasible several years ago because of price and technology issues. Could it be possible that something like PayPal’s new payment method is a more logical step to address card security for the time being? PayPal’s payment code system is able to work with retailers existing barcode scanners and pin pads and provides more security to POS transactions than a mag-strip. This would allow for increased card security, at a reasonable cost, while the industry decides what the next best option is.

Posted by: Karen Gordon | March 17, 2014 at 12:42 PM

Douglas,

Like you, I'm glad to see that the key participants and contributors to the US payment system are recognizing the need for improvement in card data security and considering how EMV might help. I also support your contention that EMV is neither a comprehensive nor final solution. Why isn't the Fed taking a proactive role to research solutions that would eliminate the capture and transfer of card data and thus remove the risks from the points of sale altogether? There are already some interesting products in the marketplace that enable this approach and it seems a better investment for the short and long term.

Posted by: Gary Yamamura | February 18, 2014 at 10:10 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 10, 2014

Chip-and-PIN, or Chip-and-Choice?

If the comments that legislators and industry representatives made at the recent congressional hearings on data breaches were any indication, any card issuer advocating or adopting a chip-and-signature approach to EMV smartcard implementation would appear to be incautious. Unquestionably, chip-and-PIN is more secure than chip-and-signature because it represents two forms of authentication—something you have (the card) and something you know (the PIN). However, chip-and-signature could be a reasonable first step in that it would generate less friction for the consumer, merchant, and card issuer. Let me explain why.

Most consumers don't know their credit card PINs
Although most people know their debit card PINs—you need one to use an ATM—few U.S. consumers know their credit card PINs. Various studies place consumers' knowledge of their credit card PINs in the 5 to 10 percent range. It would therefore be an educational as well as logistical effort to get consumers to begin using their credit card PINs if the industry moved to a chip-and-PIN-only environment.

Merchants would incur a big expense for the equipment
Only about 25 percent of the 8 million POS terminals operating in the United States are equipped with a PIN pad, according to data provided to the Federal Reserve. Before Regulation II, merchants had a financial incentive to encourage PIN-based debit transactions because the interchange rate was lower than for credit card transactions. However, Reg II eliminated this differential. (This despite the fact that PIN debit transactions have less than one-third of the fraud loss rate of signature debit transactions, according to the 2013 Fed Payments Study Summary.) Although a representative of the National Retail Federation endorsed a chip-and-PIN-only strategy at a congressional hearing, it's difficult to know if merchants will want to make the additional investment required to equip, program, and maintain their POS systems to support PIN transactions. Most merchants have not yet taken this step, so what has changed?

Customer experience would change
A PIN-based transaction, with its single-message authorization and settlement process, creates problems for certain merchants—like car rental and lodging companies—that must run preauthorization transactions before the final amount of the transaction is determined. The separate authorization and settlement process provided by the dual-message format of a signature-based transaction is more conducive to the business needs of these merchant segments. Are fine dining restaurants going to install the even more expensive mobile payment terminals so customers can pay at the table as they currently do? Or will they require the customer to go to a checkout and pay there? These merchants especially will have to consider the impact on their customer experience.

Backup method needed
With debit cards now, a signature authentication can be a backup method of acceptance. But in a chip-and-PIN environment, how high will the rate of incomplete transactions be when cardholders can't remember their PINs and they have no other method of payment?

As with any change, there are a number of positives and negatives to be considered. To avoid unintended consequences, we at Portals and Rails believe that issuers, merchants, and consumer groups should carefully evaluate all the issues to determine the best way to migrate to EMV payment cards. What do you think—chip-and-PIN only or chip-and-choice?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 10, 2014 in chip-and-pin, data security, debit cards, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73d743754970d

Listed below are links to blogs that reference Chip-and-PIN, or Chip-and-Choice?:

Comments

All issuers should support a well communicated and simple PIN change process (IVR, ATM or inbranch for example) for EMV cards. If cards are activated through an IVR; PIN selection could be added to the process. Cards can also be issued with unassigned PINs (the PIN is not sent to the cardholder) where the cardholder is forced to select a PIN; this process may encourage cardholders to proactively select a PIN they can remember. Re-issued cards can support PIN continuity (same PIN as previous card).

Support for PIN as the only permitted CVM will be more successful if ALL the card associations follow this practice. If one or more of them allow for signature CVM then cardholders may select the signature card and not bother to learn/select a PIN for the PINned card. This in turn leads to an uneven playing field and all chip cards may eventually revert to signature cards which would certainly be a step backwards.

As long as fallback to magstripe is supported, any cardholder that forgets their PIN can usually have the terminal revert to mag stripe (at least in Canada) by inserting the card backwards (you may have to do this three times). The terminal will attempt to read the chip (but can't because there is plastic where a chip should be) then ask for a mag stripe read while ignoring the service code (chip on board) info.

Posted by: M Ryan | February 11, 2014 at 12:49 PM

Your points are all valid, but I'd like to comment.

You are correct that most consumers don't know their credit card PINs and this would be a learning experience. Some POS application developers are putting in "PIN Bypass" functionality for this reason, although I believe that defeats the purpose of allowing the issuer to prefer PIN.

Merchants will incure some expense for migrating to EMV, but most EMV Card Readers are built into PIN pads, so with or without PIN, the expense is the same.

PIN based Credit transactions will continue to be dual message. PIN Debit transaction sre single message because they are "full financial" transactions that don't require a separate message.

EMV works perfectly fine with Hotels in the rest of the world, with incremental transactions after the original with PIN.

Yes, in Canada and Europe it is common for the customer to pay at the table with a wireless terminal. This supports the philosophy of "not handing your card to a stranger" that was promoted in those countries to support the implementation of EMV.

Yes, there will be a period of adjustment, perhaps painful - but not really much different than when PIN Debit at the POS was first introduced, just a larger scale.

Unfortunately, the more secure a process is, the less convenient it is. The U.S. has chosen convenience in the past, and we are seeing the repercussions of that approach.

Posted by: Allen Friedman | February 10, 2014 at 02:13 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 07, 2013

Fraud Happens. So What Do You Do?

As both a data junkie and someone interested in payments fraud, I must admit that I am envious of my colleagues across the pond in the United Kingdom. The Financial Fraud Action UK recently released Fraud the Facts 2013, its annual report providing insight and data on payments fraud in the U.K. financial services industry. Unfortunately, no such report exists in the United States.

This year's report drives home two key points that were discussed at our July 31 Improving Customer Authentication forum. First, the enrollment process is a critical initial step in securing transactions. Enrolling a fraudster can only result in fraudulent transactions. Second, consumer education remains an important aspect of mitigating fraud—a topic we at the Risk Forum have written and spoken on extensively. Despite the fact that the United Kingdom uses the EMV standard—which is based on chip card technology—overall payment card fraud increased by 14 percent from 2011 to 2012. Among its many insights, the report reinforces the idea that EMV adoption alone will not keep fraud from occurring.

Aside from the usual suspects of card-not-present (CNP) fraud and cross-border fraud in non-EMV countries, the report mentions two other contributors to payment card fraud growth that captured my attention. One, card ID theft fraud, which includes application fraud (using stolen or fake documents to open an account) and account takeover fraud (using another person’s credit or debit card account by posing as the genuine cardholder), increased by 42 percent from 2011 to 2012. Two, criminals have resorted to using "low-tech deception crimes" to convince consumers to part with their cards, PINs, and passwords.

The important takeaway I got from this report is that no matter the technology or standard used on payment cards, it remains critical to keep personally identifiable information protected and to continue to educate consumers about sound payment practices. The industry could use the most sophisticated and secure solutions to authorize and authenticate transactions, but those sophisticated, secure solutions can do very little to prevent the use of accounts established fraudulently.

Criminals are exploiting weaknesses in both the enrollment process and consumer behavior. These weaknesses are not something a chip-embedded card can solve.

So what tools can and should the industry use to prevent a criminal from using a stolen or synthetic identity to open an account? Do you think information available through social media could play a role in this process? We would value your thoughts.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 7, 2013 in authentication, cards, chip-and-pin, EMV, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019affd3f992970b

Listed below are links to blogs that reference Fraud Happens. So What Do You Do?:

Comments

While everyone is focused on the water main, there are millions of slow, steady fraud drips that aren't getting any attention: call center transactions.

Just started a subscription yesterday and read my CC# to some faceless agent in some unknown call center. Did she write it down? The call was recorded. Are the quality monitoring people writing it down and selling it?

There are solutions readily available. They are simple. They are cheap. They work. But there is no hue and cry to use them...from consumers, from banks, from regulators, or from businesses.

Until known solutions to known and supposedly big problems are implemented, the hand wringing about fraud is beginning to look like a Potemkin Village...a veneer of concern with nothing behind it.

Posted by: Dennis Adsit | October 21, 2013 at 12:12 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 11, 2013

Is Growing Fraud Really a Catalyst for EMV?

My payments news feed has been filled with a heavy dose of EMV-related news these last few days. Take the January 2013 article from the American Banker that looks at the incidence of increasing fraud losses as the United States continues to lag on the implementation of EMV chip cards. This one especially caught my attention given that I had written a paper on this topic early in 2012.

In recent SEC filings, both Discover Financial Services and Capital One reported significant increases in fraud losses. Based on calculations using figures from Discover's latest annual report, its fraud rate on sales volume increased from 4.8 basis points in 2010 to 7.2 basis points in 2011, and reached 8.8 basis points in 2012. Because of our nation's continued reliance on magnetic-stripe cards, "we are the weakest link around the world," according to one analyst. According to another, "the fraud comes here." Given this trend of rising fraud losses, is fraud finally becoming a bigger part of the business case for EMV with card networks' liability shifts for counterfeit fraudulent transactions a little more than two years out?

I don't think that it is. While the American Banker article, and even my paper, paints a somewhat discouraging picture of the fraud situation, the fact remains that fraud is but a small, albeit growing, expense on an issuers' income statement. For example, Discover reported $93 million in fraud losses for 2012, or roughly $8 million more than it spent on postage. By comparison, net charge-offs from credit card debt cost them over $1.2 billion in 2012 and as much as $3.7 billion in 2010. Fraud risk as measured by fraud losses is just "another expense" to issuers while credit risk, measured by credit losses, has one of the largest, if not the largest, negative impact on an issuers' bottom line. Is it possible that fraud losses will have a larger negative impact further down the road? Absolutely, and I think they will. I also recognize there are other "soft costs" associated with card fraud in terms of cardholder inconvenience and overall payment safety perception.

Further, EMV does not address the entire fraud loss problem. It's no secret by now that while EMV has been excellent at reducing face-to-face fraud, card-not-present (CNP) fraud continues to rise because EMV does not effectively prevent it in today's online environment. For example, since the rollout of chip-and-PIN in 2008 in Canada, CNP fraud increased from C$128 million to C$259.5 million in 2011. This is another example of fraud moving to the weakest link in the payments chain. Ultimately, EMV as it exists today only solves part of the fraud equation. Until a cost-effective and consumer-friendly CNP fraud reduction solution gains traction, I believe a business case for EMV built around fraud losses will remain difficult to build. For some, the costs to implement EMV may be viewed as an insurance policy against a widespread compromise of the mag-stripe technology.

It has been more than 17 months since Visa announced its EMV U.S. migration plan and a year since MasterCard announced its EMV "Roadmap." Still, issuance and acceptance of EMV cards remains tepid, if that, here in the United States. With a little over two years until the first liability shifts for the U.S. are scheduled to take place in April 2015, issuers will need to make EMV migration decisions soon if they intend to take advantage. But is the business case there currently?

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 11, 2013 in card networks, cards, chip-and-pin, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d40f3aa2f970c

Listed below are links to blogs that reference Is Growing Fraud Really a Catalyst for EMV?:

Comments

My view on EMV is that it is a fundamentally more secure payment vehicle than typical magnetic stripe cards - plain and simple.

There are many benefits outside of just fraud savings. Consider missed transactions that international travelers might incur with a traditional card. Aite analysis reveals that card issuers missed out on $4 billion in charge volume in 2008 because of problems cardholders had with their cards while traveling abroad.

Then there is consumer perception. Ask a consumer today if he/she would like to own a car without air bags? The answer is likely no. The same is likely to hold true for EMV cards. If I have two options, traditional or EMV, I'm likely to choose EMV because it's safer. We all need to protect and enhance the consumer experience.

One cannot accurately predict future fraud costs with any degree of certainty. The pie for fraudsters is getting smaller, and if I'm a bank or credit union I don't want to be in the cross-hairs, especially if those vulnerable are getting smaller. CNP fraud is escalating. The payments industry will need to solve for that.

Chris Slane, VP, Business Development, Quatrro Processing Services

Posted by: Chris Slane | February 28, 2013 at 07:41 AM

Excellent article. One that takes the credit card fraud issue head-on and establishes that issuers and merchants have more serious issues to worry about than controlling fraud. I also found @MikeB's comment - especially the part about "issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most" - very sensible.

Posted by: Ketharaman Swaminathan | February 17, 2013 at 12:41 PM

I think you need to add other costs in (eg, PCI-DSS compliance and fraudulent portion of charge-offs) to obtain the correct cost/benefit calculation.

Posted by: Dave Birch | February 15, 2013 at 02:26 AM

Douglas,
Very interesting article and I agree that it appears that the EMV benefit is perhaps not worth the industry expense particularly if you're also shifting fraud from CP to CNP. In addition, it seems that here in the US, we're poised to move to new payment technologies such as Digital Wallets, NFC and/or Bar-codes that are more inline with the American customer, who I'm sure won't want to slow down at the point of sale to put in a PIN number on a Credit card transaction.

We conducted trials in the UK last year that I believe get to the issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most. By using Location-Based Analytic, we saw a 55% reduction of false positives while at the same time seeing a 30% increase in fraud detection . All of this in a non-intrusive manner, allowing the consumer the convenience of just swiping their card and moving on.
Mike

Posted by: Mike Buhrmann, CEO Finsphere | February 12, 2013 at 02:11 PM

Fraud may continue to be manageable from a cost perspective, but it is ultimately damaging to the user experience and the network brand experience. Consumers are increasingly frustrated by dealing with fraudulent charges (even with zero liability), receiving notices that their accounts are being breached, receiving re-issued cards, and having to re-configure their automatic payments. The networks are the ones pushing EMV because ultimately it's confidence in their systems that is taking the hit.

Posted by: Aaron Press | February 11, 2013 at 04:26 PM

Your comments raise an interesting question, namely, how much of what banks allocate as net charge-offs are actually fraud losses - especially in cases of account takeover fraud. The bad guy gains access to an account, changes the address, runs up a huge balance and bolts. As these balances get stale, the bank can either categorize them as fraud or simply charge them off.

Posted by: Chip Wickenden | February 11, 2013 at 10:23 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 10, 2012

The Interchange Fee Cap: One Year Later

Make no mistake about it, I'm a debit card person, and a PIN debit one at that. So I write this under full disclosure of that bias. I haven't written a check at a retail merchant in more than 10 years and no longer even carry a checkbook. Rarely do I have more than $10 in my pocket—just enough for the purchase of some miscellaneous small-value items. I have always found PIN debit to be a highly convenient form of payment due to its reliability, accuracy, speed, and general acceptance at merchants that I frequent. If I forget or lose a receipt, a quick check of my account online will always show the transaction so I can record it in the balance register.

I know I am in the minority preferring PIN debit, as signature debit has dominated the debit card market both in terms of transaction and sales volume. Consumers like signature debit because of its acceptance at significantly more merchants, and they don't have to worry about remembering a PIN. Pre-Durbin, issuers preferred that their cardholders use signature debit because it generated substantially more point-of-sale (POS) interchange revenue than PIN debit. Some issuers encouraged their cardholders to select “credit” when using their debit card so the transaction would be processed on the signature debit rails and qualify for the higher interchange rate. That was the rub with merchants, especially the larger, high-volume ones. Signature debit was more expensive for them to process. In response, merchants with PIN pads programmed their terminals to encourage PIN usage by designating it as the default debit payment method.

Then came the Durbin Amendment (part of the Dodd-Frank Wall Street Reform and Consumer Protection Act) and the resulting implementation through Regulation II in October 2011 that changed the debit card world forever. The rule set a maximum interchange fee for signature and PIN debit and made no differentiation between the two, despite the overwhelming evidence that fraud losses on signature debit transactions were significantly higher than on PIN debit transactions. Although the final rule raised the interchange cap and reduced the fee-income hit to the issuers, forecasts of a diminished role in the market, especially for signature debit and other core bank products, came quickly from the bankers. A number of issuers that had established rewards programs linked to signature debit transactions (no or lower points for PIN debit transactions) announced plans to discontinue or reduce their debit rewards programs. Some major banks announced they would be imposing a monthly or annual fee for debit cards as a way to partially recover some of the revenue lost by the lower interchange fees. Another expected casualty was the free checking account. The banks said they could not afford to subsidize other account services without the fee income from debit card usage and the revenue loss suffered earlier in the year by the opt-in requirement for overdraft coverage for ATM and POS transactions.

Now, just over a year after the interchange cap took effect, what has been the result? There clearly has been a decrease in the number of rewards programs tied to debit cards as issuers sought to reduce program costs. Bankrate's 2011 Debit Card Rewards Study reported a 30 percent decline in debit rewards programs, even though the survey was taken before the interchange cap became effective. Not surprisingly, this study found that of the programs still operating, many were still offering reward points only for signature debit transactions.

Efforts by a number of the larger banks to impose a new debit card fee never gained traction. Many of the fee plans were dropped or modified to provide waivers if minimum balances were maintained. Free checking has certainly been a casualty as Bankrate's September 2012 Checking Survey showed that the number of banks offering free checking with no minimum balance requirement dropped from a high of 76 percent in 2009 to 45 percent in 2010, and then declined further, to 39 percent, in 2011.

Clearly, banks have suffered from the impact of Regulation II, with significant reductions in fee-income revenue through the lower interchange rate, especially for signature debit transactions. And consumers have a harder time finding debit rewards programs, and their account maintenance fees may have increased. The big winners have been the large to mid-sized retailers who have been able to renegotiate discount rates with their card processors. The merchant community says that consumers ultimately benefitted from the lower debit card processing expenses because the merchants have lowered or held steady their prices. However, the merchant claims are virtually impossible to validate since the pricing of goods and services is impacted by a large number of different elements, and interchange rates represent only a small one.

On a related note: the $7 billion class-action credit card interchange fee settlement recently received preliminary court approval amid opposition from some of the country's largest retailers and retailer industry groups. The litigation that originated in 2005 has used many of the same arguments that led to the passage of the Durbin Amendment legislation—primarily, that the interchange rates set by two major card issuers were arbitrary and excessive. Another major issue was that the payment card networks' rules prevented a merchant from implementing a surcharge to offset the increased costs claimed by merchants in accepting a credit card.

Clearly, the subject of interchange fees is not going to disappear anytime soon. What will be the longer term impact, if any, of the debit—and possibly credit—card interchange constraints? Will they impact the conversion of debit cards from magnetic-stripe technology to chip? We would like to hear your thoughts on who you believe are the winners and losers from Regulation II as well as its impact on debit and credit cards going forward.

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 10, 2012 in cards, chip-and-pin, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017c347ac8b4970b

Listed below are links to blogs that reference The Interchange Fee Cap: One Year Later:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 26, 2012

Highlights from a Conference on Technology and Payments

The retail payments landscape is rapidly evolving as technological advances promote new electronic payment methods. On October 15–16, the Risk Forum convened at the Atlanta Fed a diverse gathering of stakeholders in the payments industry. Industry representatives were from telecommunication firms, airlines, standards bodies, payments processors, and coffee house retailers, as well as the more traditional players.

Federal Reserve Bank of Atlanta President and CEO Dennis Lockhart kicked off the event. His opening remarks focused on the Federal Reserve System's role as a central bank in the country's retail payment system, both as a payments operator and as the country's guardian of financial stability. In the latter role, the Fed aims to preserve the integrity of both the retail and wholesale payments systems. Lockhart stressed that although this role has national strategy overtones, it is not intended to stifle innovation and competition but rather to support a market-oriented approach to payment developments. By noting the vulnerabilities that the fast pace of change and innovation in the industry create, Lockhart set the stage for the day's session, the highlights of which we are sharing here. You can find the complete presentation materials on the Atlanta Fed website.

Technology developments in card-based payments
Legacy plastic cards are likely to remain important for some time. Nevertheless, significant changes are under way. These technological changes were the focus of this panel. The U.S. payments industry is struggling to collectively shift from magnetic stripe-enabled card payments to a more secure and interoperable environment. Panelists discussed the challenges posed by the planned U.S. migration to chip-enabled cards and to the EMV standards already adopted in most of the globe's major developed countries. They discussed the potential shift in fraud to card-not-present payments in the shift from mag-stripe cards. Panelists said that fraud mitigation in the future U.S. EMV environment will require additional data analysis tools, including the use of better encryption methods and tokenization. They also touched on the benefits of PIN versus signature authentication.

The evolution of technology standards in retail payments
Technology standards provide the cohesion to ensure the critical mass needed for successful payment network adoption. At the same time, the myriad of new market solutions, patent issues, and even standards bodies themselves challenges industry cooperation and consensus building, slowing the standards development process. Panelists discussed the activities of various standards bodies that touch retail payments today. They also talked about how they are working to galvanize industry stakeholders to agree and employ standards that foster security and interoperability.

Mobile payment developments at the point of sale
This panel of experts reviewed technological developments in the mobile channel for payments at the merchant's point of sale (POS), including the rollout of several mobile wallet initiatives. Panelists discussed the challenges associated with the highly dynamic nature of the technologies. They noted that new complex business models are resulting in many different types of payment solutions, creating a confusing ecosystem for mobile proximity payments.

Panelists noted that the many new, thought-provoking products out in the market place today create many unknowns, not only with respect to security, but also future viability. They agreed that it is hard to predict which solutions have true scalability. An interesting discussion took place on the success of new payments such as Square, which changed the proverbial game by expanding the population of merchants that can accept card payments and by repurposing the mobile handset into a payment acceptance device. The panel also discussed how Starbucks unwittingly assumed the role of a payments pioneer when they moved to the mobile channel. Their original aim was not to adopt a new payments method but rather to increase customer loyalty and convenience.

The merits and challenges with the upcoming EMV migration were also top of mind for the panel.

Technology trends in mobile payment transfers
U.S. mobile payment developments have generally centered on payments at the POS. However, remote mobile payments, or person-to-person mobile transfers, are also taking form as a business model. Panelists discussed how nonbank players are entering the money transmission space hoping to leverage new mobile technologies. They explored the current environment for domestic and cross-border mobile transfer payment activity, analyzing the changing roles of payment service providers and the subsequent regulatory and policymaking considerations.

Panelists noted that we are seeing a huge paradigm shift in mobile money, with prepaid airtime credits looking more and more like currency in developing countries. Some countries permit payment service providers to provide airtime cash-out; Kenya's M Pesa is one of these providers. The lack of system interoperability across borders and liquidity management considerations are barriers to a global, scalable airtime transfer system. Panelists also noted, however, that airtime transfers are increasingly becoming a natural complement to traditional remittances.

In addition, traditional remittance providers are partnering with telecom firms to deliver services in emerging markets. These providers also work with banks in more developed countries, like the United States, to use the mobile channel in more efficient ways.

Technology threats and mitigants in electronic payment systems
Whether through scams such as “Obama Will Pay Your Bills” or corporate account takeovers, criminals are increasingly using electronic payments networks to perpetrate fraud. Panelists stressed that industry stakeholders must themselves become more sophisticated in order to develop solutions to better detect and mitigate these risks. Future fraud detection will require more sophisticated approaches to address growing vulnerabilities in web applications. Panelists also stressed that financial institutions must validate transactions to enforce rules and limits and to manage fraud.

Conclusion
The Risk Forum uses events such as this to encourage dialogue and share critical business intelligence among participants. We can then use information that comes out of such discussions to inform our work with the payments industry as we collectively work on better solutions to detect and mitigate risk. Expect to see more discussion in future posts. As always, we value your responses.

Cynthia MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

November 26, 2012 in chip-and-pin, collaboration, cybercrime, emerging payments, innovation | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017c33fde72b970b

Listed below are links to blogs that reference Highlights from a Conference on Technology and Payments:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 05, 2012

While Stalemate Continues, Another Retailer Data Breach Announced

We haven't heard about significant data breaches at any retailer's brick-and-mortar lately. In fact, the prevalence of cybercrimes and malware-related incidences has momentarily redirected our attention to payments made through online and wireless channels along with related payment crimes such as social engineering and malware-enabled account takeovers and card data theft. However, according to Verizon's 2012 Data Breach Investigations Report, while most attacks are not related to physical tampering, "there was no shortage of payment card skimming in 2011, and there were notable arrests." In fact, a recent press release from a major book retailer is cause to sharpen our focus on in-store card payments and the use of mag-stripe technology at payment terminals.

Tampering with PIN pad devices in stores
On October 24, 2012, the retailer announced that it had "detected tampering with PIN pad devices used in 63 of its stores" and that it had notified federal law enforcement to support an investigation into the criminal activity. Furthermore, it is working with the banks and payment card network brands to identify potential compromised accounts. Much to the retailer's credit, the press release also outlines precautionary steps consumers should take if they have shopped in any of the impacted stores—namely, changing PINs, reviewing account activity for unauthorized transactions, and notifying banks about unusual or unauthorized activity.

PCI compliance is not enough
How can retailers protect themselves from PIN pad tampering fraud? We explored the growing prevalence of card data breach incidents in a May 2011 post describing how a crafts retailer had experienced card terminal tampering that may have led to customer card data compromise. The post noted that while the Payment Card Industry (PCI) Data Security Council guidelines attempt to address advanced security measures, the vulnerabilities inherent in mag-stripe card technology present serious management challenges. The threats to terminals can come in the form of crime rings, company insiders, or the terminal manufacturers themselves.

Will merchants follow the EMV migration roadmap?
Card network brands separately issued announcements in 2011 and 2012 with their own EMV deployment milestones, which can be viewed as a collective roadmap. A summary of these milestones, grouped by payment network, is included in the October 2012 edition of Smart Card Talk and reproduced below. This publication explains the incentives in the form of audit relief from PCI compliance as well as liability shifts for counterfeit card losses for noncompliant banks and merchants.

However, many industry experts surmise that merchants are willing to take their chances on the potential card fraud losses for such a liability shift, judging them to be lower than the costs involved in terminal replacement for chip card acceptance.

Technology adoption stalemate
Industry participants continue to argue about the inequities in the economics for moving forward to a new security environment enabled with more secure chip-based technology. It is highly likely that there will never be a collective path forward considered fair to all, with the large number of industry players and dichotomies in revenue and cost-sharing expectations. So as the U.S. payments industry keeps moving along the same path, with participants arguing the merits and inadequacies of various deployment options for chip-based payments, we can expect to see more crimes at retailer terminals. These crimes will cause merchants to experience technology costs and even customer loss in unexpected and unpredictable ways. And bank issuers will continue to pay for cleanup in the aftermath, by issuing new cards. Perhaps an analysis of the economics of moving to chip-and-PIN should reflect a higher emphasis on the cost of data breach events and their cleanup efforts in the aftermath.

Cynthia MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

November 5, 2012 in chip-and-pin, fraud, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017ee4c5bf78970d

Listed below are links to blogs that reference While Stalemate Continues, Another Retailer Data Breach Announced:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 27, 2012

Mind the Gap: PIN versus Signature Authentication

In a January post, Portals and Rails considered the difference in fraud rates for payments using signature versus those using PIN authentication. Based on the data at hand, we concluded that "financial institutions have significantly more exposure to fraud losses from card payments with signature authentication than those from PIN authentication." The just-released PULSE Debit Issuer Study reveals that in 2011 the gap in loss rates between signature and PIN debit transactions has widened further. Issuers lost an average of three cents per signature debit transaction compared to less than one-half of one cent on PIN transactions.

Debit Card Issuer Loss Rates

Fraud is a concern for issuers
According to the study, which was conducted by the consulting firm Oliver Wyman on 57 banks and credit unions, 74 percent of large financial institutions (asset size greater than $10 billion) and 90 percent of small institutions (asset size under $10 billion) view fraud as a major challenge for 2012. Looking deeper into 2012 fraud concerns, 54 percent of issuers, regardless of their size, expect signature debit fraud to increase, while only 37 percent of issuers expect an increase in PIN debit fraud levels.

With fraud being of such high concern to issuers, I expected EMV card issuance to be high on their priority list, but that is not the case. In fact, 71 percent of the financial institutions have no immediate plans to issue EMV cards. In the past, we've highlighted some of the many possible ways to do an EMV implementation—according to the study, these unknowns of a U.S. EMV implementation have many financial institutions taking a "wait-and-see" approach.

Of particular note, issuers are interested in knowing if PIN authentication will become mandatory or if it will continue to coexist with signature authentication. Hopefully, this issue and others surrounding EMV implementation will soon be addressed by the industry through the recently announced collaborative EMV Migration Forum created by the Smart Card Alliance. The sooner these issues get sorted out, obviously, the better, as signature debit card fraud is showing no signs of slowing down.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 27, 2012 in chip-and-pin, crime, EMV, fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0177445db2c5970d

Listed below are links to blogs that reference Mind the Gap: PIN versus Signature Authentication:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 30, 2012

Why are my credit and debit cards still embossed?

Having spent a number of years in the payments business focused on cards, I commonly receive questions from family and friends related to cards. I would be a wealthy individual if I received a dollar for every time someone asked me, "When am I going to get a card with a chip in it?" Although I am not able to offer any specifics on timing, I do feel confident in telling them that they are coming within a given time frame.

This past weekend, a neighbor out for a leisurely weekend stroll stopped me and asked, "Why do I still have an embossed credit card?" I must admit that I was a bit stumped by the question and couldn't offer him a reasonable explanation. I could not recall the last time that I had seen a "knuckle buster" machine used to make an imprint of a card. And who hasn't struggled trying to read your embossed card numbers and expiration date to make an Internet or phone transaction? Still pondering the question a few hours later, I did recall the food delivery driver who brought the old carbon paper slip, along with our food, to the door and used a writing pen to make an imprint of my card. I am quite certain that over the past five years, this was the only time an imprint of my card has been made—and this includes using my cards for purchases in taxis, from food truck vendors, and in developing countries such as Honduras, and remote Caribbean islands.

One answer to the need for embossed cards lies with network chargeback rules. Both MasterCard and Visa subject merchants to chargebacks on key-entered card-present transactions with no manual imprint. A key-entered transaction takes place when the terminal cannot read a card's magnetic stripe, so the vendor has to input the card number and expiration date. Even when this occurs, I am not so sure merchants follow the network's chargeback procedures. Do you remember a merchant making an imprint of your card in the rare instance your card information had to be manually keyed? Maybe it's time for the card networks to re-visit their chargeback procedures.

Another reason for maintaining embossed cards is that apparently some merchants, both domestically and internationally, still rely on imprints for transactions. I do not think that I am alone when it comes to my extremely limited experience with manual card imprints over the past five to even 10 years. With highly reliable telecommunication systems and the ever-growing number of mobile card readers, perhaps the networks should require all transactions to be swiped (for mag stripe cards), dipped (for EMV chip cards), or tapped (for contactless cards).

So while I have several answers to my neighbor's question, I am not convinced any of them are reasonable explanations in this day and age. Cards are embossed primarily for legacy reasons, and this embossing is irrelevant for most transactions. Maybe as issuers transition to chip-embedded cards (hopefully), they could subsequently transition away from embossed cards. In a recent American Banker article, Andrew Kahr discussed one good reason to change to nonembossed cards, and that would be to allow banks to instantly issue cards. I am quite certain my eyes would appreciate that change!

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 30, 2012 in cards, chip-and-pin | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c016304f8a05b970d

Listed below are links to blogs that reference Why are my credit and debit cards still embossed?:

Comments

I live in Dublin, Ireland and even though all cards issued here since 2006 are chip embedded or contactless the cards are still embossed and I cannot understand why. Does anyone know why this might be? Surely it makes it easier for someone to commit card fraud if cards are embossed and not chipped etc? Am I to understand that all cards being chipped or contactless is not the case in other countries?

Posted by: John Quinn | June 11, 2013 at 08:03 AM

One thing to consider as a positive for embossing is someone who has difficulty seeing; they can feel the embossing if they are using the card over the phone, or even if they are swiping at POS to make sure they're getting their card back.

Of course, what I've found when designing card plastic is that embossing can also step on the text on the back of the card, obscuring fun things like Customer Service phone numbers.

Your article makes a good point tho; do we really need embossing in the 21st century, especially with the push to EMV that will happen in the next few years?

Posted by: C. David | May 01, 2012 at 08:50 AM

One of the reason that our company still issues embossed cards (in Europe) is that non embossed cards aren't taken seriously. This is obviously a public perception issue but when you have a piece of plastic with a printed PAN, expiry, etc, it just looks like a bit of a cheap imitation of a "real" card. I think this is most likely the biggest hurdle to get people using non-embossed cards.

For what it's worth, I haven't seen a knuckle duster in over 10 years, maybe even longer, but it's slightly different being in the UK as we migrated to EMV a while ago.

Posted by: chunk | May 01, 2012 at 07:04 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 30, 2012

Is the United States payments industry following in the footsteps of the Netherlands?

The Forum recently took a dive into card fraud data from the many countries (not the United States, of course) that have tossed out their old magnetic-stripe cards and adopted the EMV standard. You can read the paper—it's available on our website—but here's a quick recap.

What we found in the data is a recurring pattern of fraud losses. For instance, the data show that chip-and-PIN has been highly successful in the domestic card-present environment in reducing counterfeit and lost or stolen card fraud. This chart depicts the United Kingdom's positive domestic card-present experience.

Fraud Losses on UK-Issued Cards at UK Retailers

On the other hand, fraud on non-chip-and-PIN transactions—most notably in the card-not-present and cross-border environments—has actually increased. Ultimately, the net results to date on EMV chip-and-PIN's impact on total card fraud losses in these countries have been marginal. As an example, this next table shows Canada's growing card-not-present fraud loss trend.

Card-Not-Present Fraud Losses on Canadian-Issued Credit Cards

The working paper uses the Netherlands experience as a case study because of the country's similarities to the United States. Much like the United States, the Netherlands was experiencing low rates of payment card fraud, so this country did not migrate to the EMV standard when all the rest of Europe was adopting it. Eventually, fraud loss rates in the Netherlands climbed, ultimately propelling the Netherlands banking industry into implementing chip-and-PIN.

Like the Netherlands, the United States is now seeing a growth of card fraud loss rates on both credit and debit cards. As we've blogged several times, the costs for an EMV implementation here in the United States have so far outweighed the fraud loss reduction benefits of chip-embedded cards, according to some industry stakeholders. But given the parallels between the United States and the Netherlands, it is reasonable to expect card fraud losses to continue to grow here as long as the industry relies on mag-stripe technology.

Clearly, there is a need for industry coordination for an EMV implementation to effectively reduce payment card fraud. Based on the fraud trends experienced by countries adopting EMV chip-and-PIN, implementing the EMV standard in the United States for only certain types of card products or without solutions for mitigating card-not-present fraud could lead to only a marginal reduction in total fraud losses as fraudsters seek to exploit the lowest hanging fruit.

It should be noted that while the card industry in each of the countries investigated in the working paper adopted PIN authentication, this method is only one of several options. The working paper focused on PIN authentication because of the abundance of card fraud and transaction data reported by these countries' payments industries.

For more details on the successes and failures that a number of countries have experienced in moving to EMV technology, read the paper on our website.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 30, 2012 in chip-and-pin, EMV, fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0167615c8cea970b

Listed below are links to blogs that reference Is the United States payments industry following in the footsteps of the Netherlands?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in