Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

April 20, 2015


Fed Survey Shows Mobile Banking on Rise in Southeast

In August 2014, the Retail Payments Risk Forum conducted a mobile banking and payments survey of financial institutions in the Sixth Federal Reserve District. (The Sixth District comprises Alabama, Florida, Georgia, and portions of Louisiana, Mississippi, and Tennessee.) The Federal Reserve's Board of Governors has annually conducted a national survey of mobile financial services for the last four years from the consumer perspective. We conducted this inaugural survey to determine the level and type of mobile financial services offered by financial institutions (FIs) in our region. (At the same time, the Federal Reserve Banks of Boston, Dallas, and Richmond conducted an identical survey of the financial institutions in their districts. (So far, only the results of the Dallas District's survey are available.)

Of the 189 validated responses, 75 percent were from banks and 25 percent from credit unions (CUs). Six of the respondents (five banks and one CU) indicated that they did not currently offer nor had any plans to provide mobile banking services. The two most important reasons given by the FIs for not offering the service were security and regulatory concerns.

The full survey report is available on the Retail Payments Risk Forum website, but some of the key findings from the survey include:

  • While mobile banking was first launched in the United States in 2007, it is a relatively new service for many FIs in the Sixth District. Almost 23 percent launched it within the last year, and an additional 15 percent are planning to offer mobile banking within the next two years.
  • The primary reason FIs selected for offering mobile banking was to retain customers. Some saw it as an opportunity to gain new customers.
  • There is very little difference in the basic mobile banking functions that banks and credit unions offer.
  • Sixth District FIs use more than 30 mobile banking application vendors, although there is a large concentration with three of these providers.
  • Despite the current headlines, the respondents expressed little to no interest in using biometrics and tokenization. (But note that the survey was conducted before the Apple Pay rolled out.)
  • Security concerns related to identity theft, data breaches, malware, and poor customer security practices remain primary concerns of FIs.
  • With the possible exception of the remote deposit capability, FIs do not expect to charge customers for mobile banking or payment services.
  • The mobile payments environment is nascent and highly fragmented in both the number of vendors and the wide range of technologies. This fragmentation has created some inertia while the FIs wait for the environment to sort itself out.

The Retail Payments Risk Forum plans to conduct this survey every two years in order to measure changing penetration and attitudes. If you have any questions concerning the survey results, please contact me via e-mail.


April 20, 2015 in mobile payments | Permalink | Comments (0) | TrackBack (0)

April 13, 2015


Leaving a Cybersecurity Legacy

On April 1, the current administration's fourth executive order related to cybersecurity was signed into action. This executive order shows an ongoing commitment to securing cyberspace. In 2009, the executive office released its Cyberspace Policy Review, which triggered a flurry of cybersecurity policy. (Relatedly, the government's "Buy Secure" initiative to increase payment security mandated the issuance of chip-and-PIN cards for all federal employees and benefits programs beginning in January 2015.) This week, Take On Payments summarizes the four cybersecurity-related executive orders that have ben signed over the last six months and what these orders could mean for the banking and payments industries.

Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (4/1/15)
Authorizes swift and severe sanctions by the Treasury Department to those engaged in malicious cyber activities that pose a significant threat to national security, foreign policy, economic health, or the financial stability of the United States. This action occurs regardless of where the offenders are domiciled, and can include the freezing of assets and denial of entry into the United States for individuals and entities. These malicious activities include, but are not limited to, distributed denial-of-service (DDOS) attacks and misappropriation of financial information for financial gain. According to an insider, attacks on banks and the financial sector, including the unauthorized access of payment credentials, would likely qualify as significant enough to warrant these new sanctions. While critics debate the enforceability of these sanctions, the banking and payments industry should find this development promising. Law enforcement is often challenged to bring these individuals to swift justice.

Promoting Private Sector Cybersecurity Information Sharing (2/13/15)
Encourages the Secretary of Homeland Security to establish information sharing and analysis organizations (ISAOs) as well as standards and guidelines to establish a robust information-sharing network related to cybersecurity incidents and risks. ISAOs can be organized on the basis of multiple attributes, including industry sector or region. Information sharing would take place both within and across ISAOs. Although the financial services industry has had some success with information sharing within their sector through organizations such as Financial Sector-Information and Security Center, the private sector generally remains challenged to share information across sectors. We hope this order will lead to the development of standards and better coordination to allow for information sharing of cybersecurity incidents and risks between the financial services sector and other industries.

Improving the Security of Consumer Financial Transactions (10/17/14)
Although cybersecurity wasn't the main focus of this executive order, two cybersecurity components are included in it. The first relates to the remediation of identity theft. It specifies that the Attorney General will issue guidance to promote regular submissions by federal law enforcement agencies of compromised credentials to the National Cyber-Forensics and Training Alliance (NCFTA) Internet Fraud Alert System. Secondly, the order requires that all federal agencies that make personal data accessible develop a plan to implement multifactor authentication. While directed towards federal agencies, it is possible that this order will pressure financial institutions and other private industry entities within the payments industry to adopt similar compromised credential submission and multifactor authentication practices, if they have not already.

The current cybersecurity activity isn't just limited to executive orders. Several cyber-related bills have circulated the congressional floor the past several years. A future Take On Payments post will highlight several bills that have been introduced in 2015 on Capitol Hill and what they could mean for banking and payments.

Photo of Douglas KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 13, 2015 in cybercrime | Permalink | Comments (0) | TrackBack (0)

April 06, 2015


What Can Parenting Teach Us about Data Security?

My older child often asks if he can play at his friend's Mac's house. If his homework is completed, my wife and I will give him the green light, as we are comfortable with where he is heading. This level of comfort comes from our due diligence of getting to know Mac's parents and even the different sitters who watch the children when Mac's parents might be working late. Things often get more challenging when he calls to tell us that he and Mac want to go to another friend's house. And this might not be the last request as our son might end up at yet another friend's house before finding his way home for dinner. We might not be familiar with these other environments beyond Mac's house so we often have to rely on other parents' or sitters' judgment and due diligence when deciding whether or not it is okay for our son to go. Regardless of under whose supervision he falls, we, as his parents, are ultimately responsible for his well-being and want to know where he is and who he is with.

As I think about my responsibility in protecting my children in their many different environments, I realize that parenting is an excellent metaphor for vendor risk management and data security. For financial institutions (FI), it is highly likely that they are intimately familiar with their core banking service providers. For merchants, the same can probably be said for their merchant acquiring relationship.

However, what about the relationships these direct vendors have with other third parties that could access your customers' valuable data? While it probably isn't feasible for FIs and merchants to be intimately familiar with the potentially hundreds of parties that have access to their information, they should be familiar with the policies and procedures and due diligence processes of their direct vendors as it relates to their vendor management programs.

In today's ever-connected world, with literally thousands of third-party solution providers, it is necessary for FIs and merchants to be familiar with who all has access to their customers' data and with the different places this data resides. Knowing this information, it is then important to assess whether or not you are comfortable with the entity you are entrusting with your customers' data. Just as I am responsible for ensuring my children's safety no matter where or who they are with, financial institutions and merchants are ultimately responsible for protecting their customers' data. This difficult endeavor should not be taken lightly. Beyond the financial risks of fraud losses associated with stolen or lost data, businesses might also be subject to compliance-related fines. And you are highly likely to take a negative hit to your reputation. What are you doing to ensure various third-parties are protecting your sensitive data?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


April 6, 2015 in consumer protection, data security, KYC, risk management, third-party service provider | Permalink | Comments (0) | TrackBack (0)

March 30, 2015


Safely Motoring the Payments Highway

I've ridden a motorcycle for 30-plus years and, except for a slight bump from behind by a car when I was stopped at a four-way stop sign, I have a perfect safety record. Some say I'm lucky. While there is probably some element of truth to that—I've made it through a number of dangerous situations over the years—I believe my good safety record is largely because early on in my riding days, I invested in proper safety clothing and took classes in motorcycle riding skills and safety. In addition, when I've been out on the road, risk management has played an integral role in my safety: I follow the Motorcycle Safety Foundation's recommended practice of S-I-P-D-E: scan, identify, predict, decide, and execute.

I recently took advantage of an early spring day and rode the North Georgia back roads. Later that evening, when I thought back over my day, I couldn't help but think of the parallel between motorcycling risk management and payments risk management. To maintain a good safety record in both, you should practice SIPDE. Here's how SIPDE can work with payments.

Scan: Constantly examine the environment you are in. Don't focus on a particular payment method or channel or you will get target fixation and be likely to miss threats to other payment types. How often have we heard that while resources were focused on responding to a distributed denial of service attack, the criminals took advantage of the distraction and executed some unauthorized transactions? When riding, I try to always be alert and I constantly move my sight lines to spot any dangers.

Identify: As you conduct your examination, identify all potential risks. Some may be immediately apparent, and some may be hidden. Some may be major threats, and others less serious. While most of the criminal threats will come from external elements, don't forget about insider fraud.

Predict: After you have identified the risks, run through scenarios as to potential outcomes given a variety of circumstances. I sometimes change my lane position to increase my visibility and always cover the brake lever to prepare for that emergency stop. You must certainly consider the worst-case scenario, but don't forget that an accumulation of less-severe situations may result in a loss that is just as big.

Decide: After weighing all the options and the likelihood of their panning out, determine your course of action so that you're ready if one of the scenarios becomes a reality. Reaction time is critical with motorcycle riding and dealing with criminal attacks.

Execute: Put into motion that course of action to deal with the risk. This is where your training, skills, and tools come into play, helping you to properly and completely execute your plan.

Just as when I ride and the environmental factors and potential threats around me are constantly changing, such is the case in our payments environment. We must constantly use our S-I-P-D-E skills to assess and react to the environment, whether that's the road you're riding on or the payments environment you're operating in.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


March 30, 2015 in consumer protection, risk management | Permalink | Comments (0) | TrackBack (0)

March 23, 2015


Balancing Security and Friction

Several weeks ago, my colleague, Dave Lott, wrote a post addressing the question "Does More Security Mean More Friction in Payments?" Having had several weeks to ponder this concept while attending multiple payments conferences and participating in similar discussions, I can say that I believe that securing payments does mean more friction. Friction may not be seen as good for commerce, but it can be good for security. An enormous challenge that those in the payments industry face is determining the right balance of friction and security. This challenge is heightened since consumers have a range of choices in payment types, yet do not often bear financial liability for fraudulent transactions.

It is absolutely critical to secure the enrollment or provisioning of the payment instrument on the front end. However, this introduces friction before a payment transaction is even attempted. And if consumers deem the process too onerous, they can reject that payment instrument or seek alternative providers. The recent media coverage of fraud occurring through Apple Pay highlights the challenge in the onboarding process. Consumers and pundits have raved about the ease of provisioning a card to their Apple Pay wallet through what they already have on file with iTunes. But fraudsters have taken advantage of this easy onboarding process. I should stress that this isn't just a mobile payments or Apple Pay problem—fraudsters are well-versed in opening bank accounts, credit cards, and other payment instruments using synthetic or stolen identities.

Let's assume that a person's payment credentials are in fact legitimate. Verifying that legitimacy introduces more friction into the payment process. A transaction that requires no verification obviously comes with the least friction, but it is the riskiest. Signatures and PINs bring a small amount of friction to the process, with very different results in terms of fraud losses. We don't know yet what kind of friction, if any, different biometric solutions create during both provisioning and the transaction. Issuers must enable the various forms of verification, and it is up to the merchants to implement solutions that will use various verification methods. Yet consumers, who bear less of the risk of financial loss from fraudulent transactions than the merchants, can choose which payment method, and sometimes which verification method, to use—and they often do so according to the amount of friction involved, with little to no regard for the security.

Issuers and merchants will offer the right balance of friction and security based on the risks they are willing to take and the investments they make in security processes and solutions. But it is the consumer who will ultimately decide just by accepting or rejecting the options. With limited or no financial liability, consumers are often willing to trade off security in favor of less friction—and the financial institutions and merchants have to bear the losses. So I'll ask our Take On Payments readers, how do you balance friction and security in this environment?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


March 23, 2015 in biometrics, consumer fraud, identity theft | Permalink | Comments (0) | TrackBack (0)

March 16, 2015


Squeezing the Fraud Balloon

A number of our posts over the last year have discussed the U.S. migration to EMV (chip) cards. As we've mentioned, one of the primary motivations for the migration has been the ease with which fraudsters in our magnetic-stripe environment can create counterfeit payment cards. Other posts have mentioned that ubiquitous tenant of the criminal world—the person always on the lookout for the weakest link or the easiest target. And that criminal does not close up shop and go away in the chip-card world. There is clear evidence from other countries that criminals, after an EMV migration, look for, and find, other targets of opportunity—just as when you squeeze a balloon, you're constricting the middle, but both ends simultaneously expand.

One major area that criminals target post-EMV is online commerce, an activity referred to as card-not-present (CNP) fraud. However, criminals also target two other areas, according to speakers at the recent 2015 BAI Payments Connect conference: checks and account applications. Well before the EMV card liability shift occurs in the United States (October 1, 2015), a number of financial institutions have reported a marked increase in counterfeit checks and duplicate-item fraud, usually by way of the mobile deposit capture service. In many cases, the fraud takes place on accounts that have been open for more than six months, long enough to allow the criminal to have established an apparent pattern of "normalcy," although there are reports of newly opened accounts being used as well.

Canadian financial institutions report that fraudulent applications for credit and checking accounts have increased as much as 300 percent since that country's EMV liability shift. Criminals are opening checking accounts to perpetrate overall identity theft fraud as well as to create conduits for future counterfeit check or kiting fraud. And they're submitting fraudulent credit applications to purchase automobiles or other merchandise that they can then sell easily.

The time to examine and improve your fraud detection capabilities across all the channels customers use is now. Financial institutions should already be evaluating their check acceptance processes and account activity parameters to spot problem accounts early. Likewise, financial institutions should make sure their KYC, or know-your-customer, processes and tools are adequate to handle the additional threat that the credit and account application channel may experience. Be proactive to prevent the fraud in the first place while ensuring you have the proper detection capabilities to react quickly to potential fraudulent attempts. If we want to constrict the balloon of fraud, we're going to have to constrict the whole thing with consistent, equal pressure.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


March 16, 2015 in chip-and-pin, EMV, KYC | Permalink | Comments (0) | TrackBack (0)

March 09, 2015


Who's to Stand in for Mom?

You have likely heard about the fraud that's clouding one of the newest mobile payment solutions. Credit where it is due, the security underpinning the mobile payments themselves represents an amalgamation of strong advances including such things as tokenization, biometric authentication (at the time of the transaction), encryption, and on-device secure storage. The problem that's generating the latest buzz pivots around a gap in authentication—specifically, verification of the legitimacy of those registering the cards that will be used to effect subsequent transactions. Truth is, this isn't a misstep by a singular entity. We've seen this trouble pop up in any number of payment channels.

Some institutions have put a lot of thought into enrollment authentication while others may have felt a need to rush to market at the expense of developing a fully effective authentication process. In November 2014, First Annapolis Consulting/M & A Advisory Services documented various approaches in use by issuers and followed up this past February with emerging best practices and recommendations.

To tack in the way I want for this topic, I will quote a thought provided in one of our recent forums that was given by Peter Tapling, president and CEO of Authentify Inc.: authentication is proving "you are who your mother says you are." This could be key to the best practice of all. But if moms everywhere prove disinclined to authenticate all of us rascals at the provisioning stage (and let's be frank, they're a little busy) can another stand for Mom in this place?

Since we're talking about payments, banks seem a logical option. Consider these highlights of their responsibilities related to "customer due diligence" (CDD) as detailed by the Federal Financial Institutions Examination Council:

  • The concept of CDD begins with verifying the customer's identity….
  • The cornerstone of a strong… compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all (emphasis added) customers…
  • CDD policies, procedures, and processes are critical to the bank because they can aid in:
    • Avoiding criminal exposure from persons who use or attempt to use the bank's products and services for illicit purposes.
    • Adher(ing) to safe and sound banking practices….
    • Provid(ing) guidance for resolving issues when insufficient or inaccurate information is obtained.

The context of the excerpt above is BSA/AML—or Bank Secrecy Act/anti-money laundering—compliance and is generally applied to customers in the business space. However, it seems reasonable to think the skill set might be brought to bear wherever there is need. Banks are clearly best positioned to determine who is setting up a payment and whether or not that person should be. Yet the responsibility is a broad one. Those party to any payment solution, including innovators, provisioning banks, and consumers, should demand that new and extant solutions include enrollment authentication that is well considered and properly coordinated using the best techniques for thwarting fraud. To get the best authentication, it's about who you know—and also, who knows you, besides your mother.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed


March 9, 2015 in authentication, mobile payments | Permalink | Comments (0) | TrackBack (0)

March 02, 2015


Security at the ATM: We Have Some Educating to Do

ATM Marketplace recently published its 2015 triennial research report, which includes results of a poll of U.S. consumers on various issues related to ATMs. The online poll was conducted with a panel of 550+ individuals creating a representative sample of the adult (aged 18–65 years) population. Certain findings from the report stand out, in particular those related to consumers' expectations of various aspects of ATM transaction risk.

One question probed how concerned the respondent was about a skimming or camera device capturing their card information and PIN when they use the ATM. Thirty-eight percent indicated they were very concerned, but the remaining 61 percent indicated they were not that concerned or weren't even aware of what a skimming device is. The pie chart below breaks down each response.

01

Does the lack of concern come from a lack of education, or is it because the respondent knows the financial institution will have to bear the financial liability?

One of the final questions in the poll was whether the respondent felt an EMV card would make an ATM transaction more secure. As the chart below shows, more than half of the respondents believed there would be at least some level of improved security.

02

Of great concern to me is the 15 percent who indicated they don't know what an EMV card is. Of the two groups who mostly reported this lack of knowledge, one was the youngest (18–24) group, which surprised me. These younger people are supposed to be more tech-savvy than the rest of us. But of even greater surprise was that almost one-third (31 percent) of the most affluent group (those with a household income more than $150,000) responded they don't know what an EMV card is.

Clearly, the financial industry has a lot of educating to do as credit and debit card issuers ramp up their EMV card issuance in advance of the point-of-sale liability shift on October 1, 2015. While the ATM liability shift for domestic MasterCards won't be until October 2016 and Visa cards, a year later, it's never too early to begin or continue educational initiatives.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 2, 2015 in ATM fraud, chip-and-pin, EMV | Permalink | Comments (0) | TrackBack (0)

February 23, 2015


Payments Stakeholders: Can't We All Just Work Together?

Coming together is a beginning; keeping together is progress; working together is success.
 – Henry Ford

In my physics classes at Georgia Tech, I found the principles around forces, momentum, and energy sometimes difficult to comprehend and distinguish. But I readily grasped a simplified version. I understood that if people apply their combined energy in the same direction, they can move the object of their attention to a designated spot faster and easier than if any of them tried it alone. And if they directly oppose one another or exert their efforts in different directions, the movement of the object is slow, its route is haphazard, and it may never reach its intended destination.

This last situation sometimes occurs with different groups of payments stakeholders—most notably, but not exclusively—the national card brands, along with their financial institution clients, and the merchant communities. Amidst all the charges and countercharges between the groups, it sometimes appears that these stakeholders are pushing in different directions—so the industry seems to be making little progress toward adopting payments standards and practices or fraud prevention solutions, for example.

An important payments risk issue affecting multiple stakeholders is card-not-present (CNP) fraud, which is expected to increase significantly after the United States migrates to EMV chip cards. We learned this from the experiences of other countries that have completed their migration. What happens is that EMV cards essentially close the door on the criminals' ability to create counterfeit EMV cards, so they shift focus to CNP opportunities.

Merchants contend that EMV card migration primarily benefits the card issuers since, for counterfeit-card-present (CCP) fraud, the issuer normally takes the loss—and EMV makes CCP fraud much less likely. Another way merchants may view EMV as being more issuer-friendly is that they must bear card-present fraud loss if they don't upgrade their terminals—at their expense—once the October 2015 liability shift goes into effect. So not only do they face increasing liability for card-present transactions, they will continue to be held responsible for the expected increase in CNP fraud losses.

The card brands and financial institutions counter the merchants' position on a number of fronts. For example, they point to the massive payment card data breaches that took place in 2014 at national merchants, saying these events eroded consumers' confidence in payment cards. Migrating to EMV cards and eventually replacing the magnetic stripe will provide clear improvements to payment card security, which will in turn increase consumer confidence in the safety of using cards. And that will benefit all stakeholders in this payment system. In addition, card brands and financial institutions are taking steps to help mitigate CNP fraud: they have invested heavily in several products and are collaborating with third-party providers to develop better customer authentication solutions to ultimately reduce the risk of CNP transactions for all stakeholders.

Disagreements among stakeholders will always exist, especially on elements that have a major financial impact on their businesses. However, there must be a diligent and ongoing effort by all parties, working together and with the same goal, to find areas of common ground that will result in a more secure payments environment.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


February 23, 2015 in cards, chip-and-pin, EMV, payments | Permalink | Comments (0) | TrackBack (0)

February 17, 2015


Introducing Take On Payments

Maybe you've already noticed it—it's at the top of this web page—but we've got a new name: Take On Payments, or TOP, for short. It's a change we made after a great deal of thought, internal discussion, and input from others. In our many presentations over the last year to payments-related groups consisting of financial institutions, merchants, processors, technology vendors, consumers, and regulators, we always promoted our blog. We put a great deal of effort into every post, and view the blog as an important channel to communicate to the payments industry on timely, risk-related payment topics in what we hope is an educational and thought-provoking way.

However, we were frequently asked about the significance of the name Portals and Rails. The majority of people get the "rails" part since that term is often used to refer to the payments infrastructure—such as in the phrase "riding the check rails." The "portals" part is more of a mystery. People aren't sure if we intend to use it with its generally accepted meaning—that is, an entranceway—or as a reference to a website, which provides information and links to other sites.

So we undertook an evaluation of alternative names that would more clearly identify the purpose for our posts, and we eventually chose Take On Payments. Yes, it's a bit of a play on the words as you can use "take" in a couple of different ways. First, you can think of it as a noun, as in the word "viewpoint." That was our primary thrust since we work hard to provide our perspective on the various payments issues and their risk-related factors. Second, you can also think of "take" as a verb, as in "assume possession of," since we are charged with the responsibility of engaging the entire payments community about payments risk issues. Finally, we like the acronym TOP—we hope Take On Payments will be at the top of your reading list.

In the end, a name is just a name, and we understand that the content of the blog is what is really important to our readers. While the Portals and Rails name has left the station for a final time, our commitment to providing the payments industry with timely and informative content to encourage thought-provoking dialogue about payments risk remains unchanged. As always, we encourage your feedback and hope you will encourage your colleagues to subscribe as well.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 17, 2015 in payments risk | Permalink | Comments (0) | TrackBack (0)

Google Search



Recent Posts


May 2015


Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31            

Archives


Categories


Powered by TypePad