Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
June 15, 2015
“Customer, You Have the Conn”
Sometimes when you're watching nautical-themed movies, you'll hear the phrase, "I have the conn." The person who speaks this phrase is alerting all those on the vessel that he or she is in control with regard to the vessel's direction and speed. Customers could utter that phrase with regard to their payment vessels—they pretty much have full control in that they make the final choices about their method of payment. They may be restricted by the payment options a merchant offers, but in most cases, if they don't like the options they can shop, or secure services elsewhere.
One of the challenges with payment security that we frequently mention in our posts and speaking engagements is the disincentive that various consumer protection regulations give for consumers to adopt strong security practices. We have all seen or heard of the consumers who write their PINs on their debit cards or set up the PIN 1-2-3-4. In addition, research consistently tells us that consumers often select easily guessed user IDs and passwords—and then often use those same ID/password combinations on multiple sites.
Financial institutions and other payment stakeholders have long worked to develop tools that will encourage customers to be more aware of their financial account activity and contribute to minimizing fraud losses. Account alerts are among the most useful and popular of the tools. When consumers set up account alerts, they can usually specify conditions that will trigger a text message or e-mail. Common alerts are sent when the account balance drops below a set threshold, a debit transaction posts in excess of a specified amount, or an address or phone number change was made on the account. These alerts are beneficial, but they are merely reactive; they report only when a condition has already occurred.
I believe we will soon see a major breakthrough in card security. There are new applications now in testing or in early roll-out phases. These applications will allow customers to be proactive because they will be able to set up a number of filters or controls on their payment cards that will dictate whether a transaction even gets to the point for an authorization decision. For example, if I have a payment card that I use only for gasoline purchases, I can designate my settings to reject transactions coming from other merchant categories. Or I can specify that no international transactions should be allowed. At the extreme end of the control options, I can "turn off" my card, thereby blocking all transactions, and then I can turn it back on when I am ready to use it again. The possible options and filters are almost limitless for this self-service function. Yes, there will be the need for strong customer education, and the choices will require a reasonable limit or the customer will never remember what they set.
If these options are enabled and cardholders are then willing to "take the conn," this new tool could help significantly reduce the number of unauthorized transactions. Critical to the success is whether cardholders will set a reasonable range of parameters based on their normal card usage patterns so they don't get transactions rejected they actually make themselves but still be able to weed out the truly unauthorized transactions. I say "full speed ahead" with such tools. What do you say?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 06, 2015
What Can Parenting Teach Us about Data Security?
My older child often asks if he can play at his friend's Mac's house. If his homework is completed, my wife and I will give him the green light, as we are comfortable with where he is heading. This level of comfort comes from our due diligence of getting to know Mac's parents and even the different sitters who watch the children when Mac's parents might be working late. Things often get more challenging when he calls to tell us that he and Mac want to go to another friend's house. And this might not be the last request as our son might end up at yet another friend's house before finding his way home for dinner. We might not be familiar with these other environments beyond Mac's house so we often have to rely on other parents' or sitters' judgment and due diligence when deciding whether or not it is okay for our son to go. Regardless of under whose supervision he falls, we, as his parents, are ultimately responsible for his well-being and want to know where he is and who he is with.
As I think about my responsibility in protecting my children in their many different environments, I realize that parenting is an excellent metaphor for vendor risk management and data security. For financial institutions (FI), it is highly likely that they are intimately familiar with their core banking service providers. For merchants, the same can probably be said for their merchant acquiring relationship.
However, what about the relationships these direct vendors have with other third parties that could access your customers' valuable data? While it probably isn't feasible for FIs and merchants to be intimately familiar with the potentially hundreds of parties that have access to their information, they should be familiar with the policies and procedures and due diligence processes of their direct vendors as it relates to their vendor management programs.
In today's ever-connected world, with literally thousands of third-party solution providers, it is necessary for FIs and merchants to be familiar with who all has access to their customers' data and with the different places this data resides. Knowing this information, it is then important to assess whether or not you are comfortable with the entity you are entrusting with your customers' data. Just as I am responsible for ensuring my children's safety no matter where or who they are with, financial institutions and merchants are ultimately responsible for protecting their customers' data. This difficult endeavor should not be taken lightly. Beyond the financial risks of fraud losses associated with stolen or lost data, businesses might also be subject to compliance-related fines. And you are highly likely to take a negative hit to your reputation. What are you doing to ensure various third-parties are protecting your sensitive data?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference What Can Parenting Teach Us about Data Security?:
January 05, 2015
Can Insecurity Keep Us from Faster Payments?
Helen Keller once said, “Security is mostly a superstition. It does not exist in nature.… Avoiding danger is no safer in the long run than outright exposure.” It is unlikely that Ms. Keller was considering real-time payments when she offered this perspective, but this post will.
As part of its broad effort to chart a future for payments, the Federal Reserve conducted a Payment Security Landscape Study. It was no surprise that the study highlights “persistent and ever-changing threats” as a given within payment systems. The study suggested several improvement or focus areas:
- Improve industry coordination to increase the timely adoption and implementation of technology, standards and protocols.
- Improve the protection of sensitive data that can be used to perpetrate fraud, including devaluing or eliminating such data from the payments process.
- Strengthen authorization and authentication of parties and devices across all payment methods and channels and adapt approaches as the payment system evolves.
- Improve the collection and reporting of aggregate data on fraud losses and avoidance.
- Broaden access to actionable security and fraud threat information to payments system participants, including less technologically sophisticated participants and end users.
Applying Ms. Keller’s risk perspective to payments systems would suggest that work to prevent security breaches, fraud, or theft is futile. Fortunately, using the foregoing list as evidence, it’s clear that those considering the future of payments haven’t adopted this perspective. The most critical elements for optimizing the security of payments are all there, though some could surmise that detection or prevention measures have a disproportionate emphasis, with response measures perhaps rating as secondary. It is important to make sure that risk management is optimized across all three broad areas—prevention and detection, yes, but also response. In particular, in the context of response, the enforcement landscape will need to be ordered such that consequences for perpetrators are both timely and proportionate to the harm a given incident may cause. User protections will need to evolve as well.
If one agrees that advancing faster payments offers rewards and that holding back doesn’t promise freedom from harm, it’s encouraging to observe industry direction. Indeed, it seems reasonable to conclude that faster payments scheme architects will heed the notion that real-time payments will require real-time security. Particularly encouraging is that the discussion on payment security is at the center of industry dialogue and likely to remain so as the work to advance faster payments continues.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Can Insecurity Keep Us from Faster Payments?:
December 22, 2014
Top 10 Payments Events in 2014
As the year draws to a close, the Portals and Rails team would like to share its own "Top 10" list of major payments-related events and issues that took place in the United States this year.
#10: Proposed prepaid rule. After a long wait, the Consumer Financial Protection Bureau issued its proposed rules on general reloadable prepaid cards in November. While the major players in the prepaid card industry had already adopted most of the practices included in the proposed rule, the proposal allowing overdrafts and credit extensions is likely to generate differing perspectives during the comment period before a final rule is adopted in 2015.
#9: Regulation II. The U.S. Circuit Court of Appeals for the District of Columbia upheld the Federal Reserve Bank's rules regarding interchange fees and network routing rules, reversing a 2013 decision. Notice of appeal on the interchange fee portion of the ruling has been given, but resolution of the network routing rules has cleared the way for the development of applications supporting routing on chip cards.
#8: Payment trends. The detailed Federal Reserve Bank's triennial payments study results were released in July 2014, continuing the Fed's 15-year history of conducting this comprehensive payments research. Cash usage continued to decline but remained the most-used form of payment in terms of transaction volume.
#7: Card-not-present (CNP) fraud. With the growing issuance of chip cards and the experience of other countries post-EMV migration—with substantial amounts of fraud moving to the online commerce environment—the payments industry continues to search for improved security solutions for CNP fraud that minimize customer friction and abandonment.
#6: Faster payments. Continuing a process it began in the fall of 2013 at the release of a consultative white paper, the Federal Reserve Bank held town halls and stakeholder meetings throughout the year in preparation of the release of its proposed roadmap towards improving the payment system.
#5: Virtual currencies. Every conference we attended had sessions or tracks focused on virtual currencies like Bitcoin. While there was some advancement in the acceptance of Bitcoin by major retailers, the number of consumers using the currency did not rise significantly.
#4: Mobile payments. The entry of Apple with its powerful brand identity into the mobile payments arena with Apple Pay has energized the mobile payments industry and brought improved payment security through tokenization and biometrics closer to the mainstream. (Apple Pay's impact on mobile payment transaction volume will likely be negligible for a couple of years.) Additionally, the use of host card emulation, or HCE, as an alternative contactless communications technology provides another option for mobile wallet development.
#3: EMV migration. The frequency and magnitude of the data breaches this year have spurred financial institutions and merchants alike into speeding up their support of EMV chip cards in advance of the October 2015 liability shift.
#2: Third-party processors. Regulators and law enforcement escalated the attention they were giving to the relationships of financial institutions with third-party processors because of increased concerns about deceitful business practices as well as money laundering.
And…drum roll, please!
#1: Data breaches. The waves of data breaches that started in late 2013 continued to grow throughout 2014 as more and more retailers revealed that their transaction and customer data had been compromised. The size and frequency of the data breaches provided renewed impetus to improve the security of our payments system through chip card migration and the implementation of tokenization.
How does this list compare to your Top 10?
All of us at the Retail Payments Risk Forum wish our Portals and Rails readers Happy Holidays and a prosperous and fraud-free 2015!
Mary Kepler, vice president; Doug King, payments risk specialist; Dave Lott, payments risk expert; and Julius Weyman, vice president—all of the Atlanta Fed's Retail Payments Risk Forum.
TrackBack URL for this entry:
Listed below are links to blogs that reference Top 10 Payments Events in 2014:
October 20, 2014
Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?
Portals and Rails recently embarked on a series of posts on tokenization. In the first installment, we defined tokenization and distinguished between a merchant-centric enterprise tokenization solution and payment tokens generated as an issuer-centric end-to-end solution. In the second installment, we examined several different attributes of the issuer-centric end-to-end token initiatives currently under way and considered their impact on mitigating risk. In this post, we examine the shortcomings of end-to-end token initiatives and question if they are really a coup in mitigating risks in today's environment.
The goal of payment tokenization is to substitute sensitive data—such as account numbers, expiration dates, and security codes—that criminals can use to extract monetary value with surrogate values that lack monetary value. In light of the number and depth of recent data breaches, tokenization seems like a grand idea—let's get data that fraudsters can use out of the payment transaction flow and the merchants' systems.
But current uses for these end-to-end initiatives are limited to card-on-file transactions for in-app or e-commerce payments and mobile proximity payments. I know you have to start somewhere but, in the near future, only a small percentage of transactions will use tokenization. These end-to-end initiatives are solid solutions, but are currently extremely limited. Thus, there will be a continued need for the industry to use a variety of methods to fight fraud, including the merchant-centric enterprise tokenization solutions the first installment discussed.
And isn't the point of the significant EMV investment currently under way to mitigate risks associated with counterfeit cards using compromised card data? In other words, it should render compromised card data useless. But I am hearing the EMV naysayers claiming that, in an EMV world, data compromises will still take place and, while fraudsters may not be able to counterfeit cards, they can still use that data to shop on the Internet.
Those naysayers are correct.
But let's circle back to the use cases for the current issuer-centric end-to-end token initiatives. Is tokenizing payment data for card-on-file and mobile proximity payments really going to have a material impact on preventing card-not-present fraud? Are these tokenization efforts really the best solution for this challenge? It could be many years before we regularly use our mobile phones for proximity payments. I am confident that we will be using chip-enabled cards for a significant number of transactions within two to three years. Would it be wiser to rely on solutions that leverage the chip or other security features of cards? Or maybe it's time we realize that cards weren't designed for card-not-present uses and place a higher priority on the broader adoption of existing and emerging non-card-based payment solutions in a multi-layered security approach.
Unfortunately, I do not have the answers. But these questions and topics will certainly be discussed during the upcoming Securing Remote Payments conference that the Retail Payments Risk Forum and the Secure Remote Payment Council is hosting. If you are interested in attending, please reach out to us. We will be in touch with more details.
In the next installment in this series, we'll look at new security and operational risks introduced with these token initiatives.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?:
August 18, 2014
Crooks Target Business Clients
Fraudsters are always looking for ways to take advantage of trusted relationships, such as between a business and their established vendors. The fraudster's goal is to trick the business into thinking they are paying their vendor when the dollars are actually being diverted to the crook. A common scheme is for a business to receive instructions on a spoofed but legitimate-seeming e-mailed invoice to send a wire transfer to the vendor or business partner immediately. The business may pay, not realizing until it's too late that the funds are actually going to a fraudster or money mule. The Internet Crime Complaint Center (IC3) recently issued a scam alert on this scheme noting reported losses averaging $55,000, with some losses exceeding $800,000.
Criminals can perpetrate this type of fraud in many ways. Devon Marsh, an operational risk manager at Wells Fargo and chairman of the Risk Management Advisory Group for NACHA–the Electronic Payments Association, addressed some of the ways at a Payments 2014 conference session "Supply Chain Fraud Necessitates Authentication for Everyone," including these:
- Calling or e-mailing the business, pretending to be the vendor, to change payment instructions
- Sending counterfeit invoices that appear genuine because they are patterned after actual invoices obtained through a breach of the business's e-mail system or a vendor's accounts receivable system
Marsh also discussed important ways to reduce the risk of falling victim to these schemes. As with any e-mail that seems questionable, the business should verify the legitimacy of the vendor's request by reaching out to the vendor with a phone call—and not using the number on the questionable e-mail or invoice. The business should also educate its accounts payable department to review any vendor's payment requests carefully, verifying that the goods or services were received or performed and questioning and checking on anything at all that does not look right, such as an incorrect or different vendor name or e-mail address.
The Federal Financial Institutions Examination Council's 2011 supplement to its guidance stresses the need in an internet environment for financial institutions to authenticate their customers. The concepts this guidance addresses are also sound practices for businesses to use in authenticating their vendors.
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Crooks Target Business Clients:
August 04, 2014
Fishing for Your Private Data
Recently, I received a text from my daughter about an e-mail that appeared to be from her financial institution. The e-mail stated that online access to her bank account would be terminated because she had tried to access her account from several computers. However, she could retain access by clicking on a link. While my daughter's natural reaction was concern that she would lose online access to her bank account, I told her that this was probably a phishing incident.
Unlike the hobby of fishing, phishing is the work of fraudsters. With phishing, fraudsters attempt to dupe a consumer or employee into believing that they must immediately provide personal or private data in response to an e-mail that appears to be (but is not actually) from a legitimate entity. Much like fishing, phishing relies on numerous casts, with the phisher hoping that many of those who receive the e-mail will be fooled and swallow the bait. If they get hooked, malware may be loaded on their computer to monitor their keystrokes and pull out financial service website log-on credentials. Or, in my daughter's case, if she had clicked on the link, it would have most likely taken her to a legitimate-looking web page of the bank and requested her online banking credentials. The volume and velocity by which anyone can send e-mails has created a wide window of opportunity for fraudsters.
In their e-mail, the fraudsters create a sense of urgency by indicating some sort of drastic action will be taken unless the customer acts immediately. Although organizations have repeatedly posted statements that they would never send an e-mail asking for private data, this threatened action often causes the recipient to act without considering the consequences or taking the time to call the company or organization to verify the e-mail's authenticity. If it is not authentic, the individual should immediately delete the e-mail without replying, without clicking on any links embedded in the email, and without opening any attachments.
In addition to the need for consumers and employees to be wary of e-mails that are not legitimate, financial institutions must continually stay abreast of the latest technologies to help combat these schemes and educate customers. In a past post, we discussed steps financial institutions should take to help customers protect themselves from fraudsters. These schemes remain in the news even though banks, businesses, and government entities continue to post educational information and best practices for consumers and employees. As my daughter's example demonstrates, consumers opening bank accounts for the first time are not likely to know these schemes. This example suggests that—in addition to educating both business and consumer customers generally—it would be beneficial for financial institutions to place more emphasis on education concerning these schemes at the time customers open their accounts.
TrackBack URL for this entry:
Listed below are links to blogs that reference Fishing for Your Private Data:
June 30, 2014
A Call to Action on Data Breaches?
I recently moved, so I had to go online to change my address with retailers, banks, and everyone else with whom I do business. It also seemed like an ideal opportunity to follow up on the recommendations that came out after the Heartbleed bug and diligently change all my passwords. Like many people, I had a habit of using similar passwords that I could recall relatively easily. Now, I am creating complex and different passwords for each site that would be more difficult for a fraudster to crack (and at the same time more difficult for me to remember) in an attack against my devices.
I have found myself worrying about a breach of my personal information more frequently since news of the Heartbleed bug. Before, if I heard about a breach of a certain retailer, I felt secure if I did not frequent that store or have their card. Occasionally, I would receive notification that my data "may" have been breached, and the threat seemed amorphous. But the frequency and breadth of data breaches are increasing, further evidenced by the recent breach of a major online retailer's customer records. This breach affects about 145 million people.
As a consumer, I find the balance between protecting my own data and my personal bandwidth daunting to maintain. I need to monitor any place that has my personal data, change passwords and security questions, and be constantly aware of the latest threat. Because I work in payments risk, this awareness comes more naturally for me than for most people. But what about consumers who have little time to focus on cybersecurity and need to rely on being notified and told specifically what to do when there's been a breach of their data? And are the action steps usually being suggested comprehensive enough to provide the maximum protection to the affected consumers?
Almost all states have data breach notification laws, and with recent breaches, a number of them are considering strengthening those laws. Congress has held hearings, federal bills have been proposed, and there has been much debate about whether there should be a consistent national data breach notification standard, but no direct action to create such a standard has taken place. Is it time now to do so, or does there need to be more major breaches before the momentum to create such a standard makes it happen?
TrackBack URL for this entry:
Listed below are links to blogs that reference A Call to Action on Data Breaches?:
June 23, 2014
Do Consumers REALLY Care about Payments Privacy and Security?
Consumer research studies have consistently shown that a top obstacle to adopting new payment technologies such as mobile payments is consumers' concern over the privacy and security protections of the technology. Could it be that consumers are indeed concerned but believe that the responsibility for ensuring their privacy and security falls to others? A May 2014 research study by idRADAR revealed the conundrum that risk managers often face: they know that consumers are concerned with security, but they also know they are not active in protecting themselves by adopting strong practices to safeguard their online privacy and security.
The survey asked respondents if they had taken any actions after hearing of the Target breach to protect their privacy or to prevent credit/debit card fraudulent activity. A surprising 79 percent admitted they had done nothing. Despite the scope of the Target data breach, only 4 percent of the respondents indicated that they had signed up for the credit and identity monitoring service that retailers who had been affected offered at no charge (see the chart).
In response to another question, this one asking about the frequency at which they changed their passwords, more than half (58 percent) admitted that they changed their personal e-mail or online passwords only when forced or prompted to do so. Fewer than 10 percent changed it monthly.
When we compare the results of this study with other consumer attitudinal studies, it becomes clear that the ability to get consumers to actually adopt strong security practices remains a major challenge. At "Portals and Rails, we will continue to stress the importance of efforts to educate consumers, and we ask that you join us in this effort.
TrackBack URL for this entry:
Listed below are links to blogs that reference Do Consumers REALLY Care about Payments Privacy and Security?:
May 05, 2014
There's No Such Thing as a Good Data Breach
While data breaches have been a persistent problem for many years (see the chart), until recently, their stories would quickly fade from the headlines due to their limited reach. In the three or four months that have passed since the huge data breach at some major retailers, there have been many congressional committee hearings, several new federal legislative bills on data security issues, and countless panels and speakers at industry conferences and workshops discussing this growing problem. Unfortunately, the interactions have occasionally included a little finger-pointing, which doesn’t always lead to effective solutions. Recent efforts to bring banks and merchants together to address the problem hold some promise.
It is important to understand the number of breaches from a trends perspective, but it is more important to understand the magnitude of the breaches in terms of the number of records obtained and the type of data in those records. Because state and territorial laws with differing requirements generally control data breach notifications, the notification reporting information is often incomplete. Additionally, many data security industry experts suspect that data breaches are underreported or even not reported at all. After all, what company wants to confess to having incurred a data breach when the result will be fines and reputational damage?
In the health care industry, the 2013 implementation of the HIPAA Breach Notification Rule (45 CFR §§164.400–414) addressed this reporting concern by involving a monetary cost to the breached company. The rule requires a HIPAA-covered business and its associates to notify its customers and the U.S. Department of Health and Human Services of any breach or it could face significant financial penalties. Because of the stronger notification requirement, it was not surprising to see that the health care industry reported a 63 percent increase in data breaches in 2013 over 2012, according to the Identity Theft Resource Center (ITRC). Health care accounted for the largest share of breaches on an industry segment basis, surpassing the general business segment for the first time since the ITRC began tracking this data in 2005.
But notification requirements are post-event, not preventive. While no data security architecture can provide 100 percent protection, there clearly is the need for improved security in the handling and storage of sensitive data to prevent such breaches from occurring. As with any risk management program, the level of security depends on the sensitive nature of the information that could be monetized in some way by the criminal. Because of the large losses from the production of counterfeit cards, the public has made much of—and justifiably so—the retailer payment data breaches involving more than 40 million accounts.
We must also remember that there was an even larger data breach at the same time as the retailer's payment card data breach, this one involving 70 million accounts. But the criminals obtained such sensitive information as customer's name, address, phone number, and e-mail address—no payment information. Because the data was not related to payment transactions, the incident has not received as much attention. Still, criminals can use such data to foster identity theft operations that generally result in much higher losses and greater customer impact.
These incidents serve as a reminder that not all data breaches are alike and will require different prevention and response methods.
Portals and Rails is interested in what you think is the best way to address the prevention and notification aspects of data breaches.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference There's No Such Thing as a Good Data Breach:
- The More Things Change, the More They Stay the Same
- The Current Tokenization Landscape in the United States
- “Customer, You Have the Conn”
- Is the Conventional Wisdom about EMV Migration Right?
- Follow the Money
- A Presumption of Innocence
- The Hill Tackles Cybersecurity
- Keeping Up with the Criminals: Improving Customer Authentication
- Not Seeing a Tree for the Forest
- Fed Survey Shows Mobile Banking on Rise in Southeast
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud