
About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


April 6, 2020

Will COVID-19 Exacerbate Ecommerce Fraud?

Ecommerce sales in the United States continue to gain a greater share of overall retail sales each year. The Department of Commerce reports that in 2019, total ecommerce sales increased almost 15 percent over 2018 and represented 11 percent of total retail sales. There is no question that with the current COVID-19 environment, our daily habits have undergone tremendous change. As part of that change, I expect that ecommerce sales will increase at a greater rate in 2020 than in 2019.

Following social isolation guidelines, consumers and businesses are turning more and more to conducting their commerce transactions online. Prepaid carry-out, drive-through, and delivery orders now dominate the dining industry as inside dining options have been largely shuttered. Large retailers have been promoting online ordering and ship-to-home delivery options as their stores are closed. TransUnion reports that in the week from March 11 to 17, when the World Health Organization classified COVID-19 as a global pandemic, ecommerce transaction volume increased 23 percent over the previous week.

This spike in ecommerce traffic will likely bring with it a parallel spike in criminal activity, possibly adding to the increasing fraud levels in ecommerce. This shouldn't come as any surprise. It will be important for the good guys not only to be expecting this but also to be prepared for it by making swift adjustments that match the challenge.

One of the key adjustments to consider and apply quickly is properly tuning algorithms for detecting ecommerce fraud. In normal times, anomalous-pattern detection schemes are relied on to expose fraudsters. Elements such as the type of stores commonly used, frequency of usage, average or range of transaction values, and more go into making up an overall usage pattern for a given customer. While these transaction risk models have become very sophisticated over the years, they are challenged by abrupt changes in usage patterns, especially at an individual account level. They need to be smartly and quickly adjusted. Issuers and merchants need to balance the decision of denying transactions—which brings with it the risk of disgruntled legitimate customers and lost revenues—against approving fraudulent transactions and taking financial losses. No easy task, but doable and necessary to undertake, with constant attention.
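The tuning problem described above, as an added example that is not from the original post and is not any issuer's model: a toy per-account score built from merchant type and transaction amount, replayed once with a frozen baseline and once with a baseline that keeps learning from approved purchases. The threshold, weights, merchant-type names and all transactions are constructed assumptions.

```python
from dataclasses import dataclass, field

THRESHOLD = 3.0   # assumed decline cut-off for this toy score
NOVELTY = 2.0     # assumed penalty for a merchant type never seen on the account

@dataclass
class Baseline:
    """Per-account usage pattern: merchant types seen and a running mean amount."""
    mean: float
    types: set = field(default_factory=set)
    alpha: float = 0.2  # weight given to each newly learned transaction

    def score(self, mtype, amount):
        deviation = abs(amount - self.mean) / self.mean
        return (0.0 if mtype in self.types else NOVELTY) + 2.0 * deviation

    def learn(self, mtype, amount):
        self.mean += self.alpha * (amount - self.mean)
        self.types.add(mtype)

def train(history):
    b = Baseline(mean=history[0][1])
    for mtype, amount in history:
        b.learn(mtype, amount)
    return b

def replay(baseline, txns, adapt):
    """Return declined transactions; with adapt=True, approved ones update the baseline."""
    declined = []
    for mtype, amount in txns:
        if baseline.score(mtype, amount) >= THRESHOLD:
            declined.append((mtype, amount))
        elif adapt:
            baseline.learn(mtype, amount)
    return declined

# Constructed sample data: in-person history, then a sudden move online.
HISTORY = [("grocery_store", 42), ("fuel", 38), ("grocery_store", 45), ("fuel", 40),
           ("grocery_store", 36), ("restaurant", 44), ("grocery_store", 41), ("fuel", 39)]
SHIFTED = [("online_grocery", 55), ("online_grocery", 72), ("food_delivery", 48),
           ("online_grocery", 80), ("food_delivery", 65),
           ("electronics_online", 900),   # the one constructed fraudulent purchase
           ("online_pharmacy", 66)]

def compare():
    frozen = replay(train(HISTORY), SHIFTED, adapt=False)
    adaptive = replay(train(HISTORY), SHIFTED, adapt=True)
    return frozen, adaptive

if __name__ == "__main__":
    frozen, adaptive = compare()
    print("frozen baseline declined:  ", frozen)
    print("adaptive baseline declined:", adaptive)
```

A baseline that learns from approved transactions also absorbs any fraud that scores under the threshold, so transactions later confirmed as fraud need to be kept out of the learning step.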

Working collaboratively with merchants, consumers can help to surprise the criminals as fraud fighting evolves. The good guys win if we exercise patience with one another and remain mindful of the balance between purchase friction and fraud avoidance as fraud-fighting tools and methods adjust. If both sides of the transaction are considerate of each other's needs and work together with patience and a willingness to engage, perhaps differently than we've been willing to in the past, the results could leave everyone (except the crooks) happier in both the short run and the long run.

We know fraud management teams will be busy managing their fraud-detection tools and processes and expect they will rise to the challenge. We also expect consumers are ready and willing to assist in ways that are helpful as well. The constant chess match with the criminal element will continue, and we look forward to seeing a chess piece on the good guys' side of the board with some new moves to help aid in the fight against the bad guys.

March 30, 2020

Do We Use a Payments Risk Thermostat?

I read a blog post last week that is eerily evocative of the individual actions we take—or don't take—to protect our personal and payments information. You can read it here: Handwashing Can Stop a Virus—So Why Don't We Do it?

The blogger identifies some reasons we don't wash our hands as much—or as thoroughly—as we should, including lack of awareness and inconvenience.

  • We are not aware that hand washing is so effective.
  • We balk at the least inconvenience or practical barriers—for example, having to take a few extra steps to get to the soap and water.

Sounds a lot like the reasons people may cut corners on payments security. For example, people may not be aware of the efficacy of credit freezes, or they might find imposing them to be inconvenient. People may not be aware that it is not optimal to use the same password for multiple accounts, or they may consider it to be inconvenient to set up different passwords.

I think this paper positing a "risk thermostat" applies not only to handwashing but also to payments security. We use our risk thermostats to make tradeoffs, so taking one kind of preventive measure could increase our willingness to accept more risk in another way. The author writes: "individual risk taking decisions represent a balancing act in which perceptions of risk are weighed against propensity to take risk."

So, for example, maybe you start wearing gloves and stop washing your hands so carefully. (Don't do that, please.) Or maybe you put a credit freeze on your accounts at the major credit bureaus and stop watching your bank and card statements so carefully. (Don't do that, either.)

As these writers on behavioral science note, awareness is the first step. So be aware of payments and other financial risks facing your business and your customers during the coronavirus outbreak. Here are some resources you can use to educate your colleagues and customers:

  • U.S. Secret Service: Watch out for phishing scams posing as medical or health providers, charity scams on social media.
  • Federal Trade Commission (FTC): Ignore emails claiming to be from the CDC; ignore online offers for vaccinations.
  • U.S. Securities and Exchange Commission: Beware internet and social media promotions claiming that products or services "prevent, detect, or cure coronavirus" and that the stock of providing companies will increase in value.

As of March 16, the FTC and the Food and Drug Administration already have issued warning letters to seven sellers of unapproved and misbranded products.

Best wishes and good health to you and your families. Now, go wash your hands. And check your bank account when you're done.

February 3, 2020

Fuel Pump EMV Chip Liability Shift Looms Large

It has been quite some time since the Retail Payments Risk Forum has blogged about the state of the EMV chip in the United States. Perhaps the lack of coverage is a nod to the success and growth of EMV chip issuance and acceptance since the point-of-sale (POS) and ATM liability shifts that began in 2015 and 2016, respectively. The Federal Reserve's newly released payments study found that 57 percent of in-person card payments in 2018 used chip authentication compared to 2 percent in 2015. Talk about phenomenal progress over a three-year period! Yet there is more to do, and 2020 will be a big year for closing a big gap—EMV chip acceptance at the fuel pump, or what the industry generally calls automated fuel dispensers (AFDs).

In October, all of the global card networks' liability shifts will be implemented for AFDs. As a brief reminder, this liability shift means that petrol retailers will now be responsible for incurring the fraud losses on all non-EMV-chip-authenticated transactions initiated by EMV cards at their pumps. According to several industry associations that represent the convenience and petroleum store industry, this liability shift date will be a challenge for many station operators to meet given a limited availability of EMV-compatible AFDs as well as the technicians to install and certify the machines as EMV ready.

Through the years, the Risk Forum has stressed that criminals tend to gravitate to the easy targets when it comes to committing card fraud, or really any fraud in general. Card skimmers at AFDs pulling data off a card's magnetic stripe have been a major problem for decades. I have no doubt that the fraudsters are fully aware of the impending liability shift and will be stepping up their AFD attacks in 2020 before the window of counterfeit card opportunity closes. Those retailers who are delaying their EMV migration or are unable to migrate by the liability shift date will become giant bull's-eyes. Expected card fraud losses in 2020 for the industry are not inconsequential—one industry association has estimated losses of $451 million. I should also note that the costs faced by the industry to migrate to EMV are also significant, at an estimated $3.9 billion.

After witnessing the successful rush by the industry to implement EMV chip at the POS and ATM, I am confident that the AFD EMV chip implementation ahead of the October liability shift will be a success, but all involved will definitely experience challenges. My confidence stems from the positive momentum I have seen from everyone involved in the payments industry working together for the common good to mitigate card fraud. With counterfeit card fraud losses through June 2019 down by over 60 percent since September 2015, I look forward to seeing even more decreases in counterfeit card fraud following this year's AFD liability shift.

October 28, 2019

Should We Throw in the Towel When It Comes to Data Breach Prevention?

We've all heard it said—we've probably, cynically, said it ourselves: "It's not a matter of if but when your company will be hit by a data breach." Reports about cyberattacks and network breaches fill my daily newsfeed with headlines on ransomware attacks, attacks on multifactor authentication, and 5G network vulnerabilities. For each new, better, stronger, faster solution the industry comes up with, criminals find a way to circumvent it in seemingly short order. Is there anyone whose personal information hasn't been stolen once, twice, five times? I've lost count of how many times I've received six months of free credit monitoring.

In today's world, is there any way for an organization to fully protect itself against the broad spectrum of ever-evolving threats and still have time, resources, and capital left over to conduct its everyday business? Or should we assume that breaches are a foregone conclusion, throw in the towel when it comes to prevention, and turn our focus instead to incident response?

According to Verizon's 2019 Data Breach Investigations Report, small businesses were frequent targets of breaches. (The report looked at incidents occurring from November 1, 2017, to October 31, 2018.) Other findings it reported: outside actors perpetrated 69 percent of breaches, 52 percent were the result of hacking, and it took months or longer to discover 56 percent of the incidents.

Last year, I wrote about committing to muscle memory your organization's plan for the right of boom. A Google search on "data breach response" returns pages of results with guides, resources, and services, but the midst of a cyber-event is probably not the best time to come up with a plan. Turns out, there's an app for that! At a recent fintech conference, I saw a demo of a dynamic breach response solution that turns response into a routine business process. The company likens its app to "an airbag for network breaches" and claims the tool helps organizations prepare for, detect, and respond to data breaches. Another company demonstrated a white-labeled application for financial institutions that aims to reduce post-breach fraud and identity theft of consumers through algorithmic risk assessments that produce recommendations for actions to take to mitigate these risks.

October is National Cybersecurity Awareness Month. It's a good time to review your own right of boom plan or take steps to implement one. One resource: the Department of Homeland Security's Cybersecurity Resources Road Map for small and midsize businesses.

While it is not hyperbole to assert that criminals will breach your organization's network, you should not throw in the towel or lower your defenses against such threats. Rather, you should avail yourself of technological innovations to support breach prevention and response preparedness so your organization can restore normal business operations as quickly as possible. What approach has your organization taken to adopting threat prevention and response preparedness?