Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Federal Reserve Web Sites
Other Bank Regulatory Sites
May 11, 2015
The Hill Tackles Cybersecurity
In a post last month, Take on Payments highlighted recent cybersecurity-related executive orders. Cybersecurity has been a hot item inside the Beltway in 2015, and the activity hasn't been limited to the executive office. Beginning on April 22, the House passed two separate cybersecurity bills. And now all eyes are on the Senate, as it looks like a vote on its own cybersecurity bill is set to take place later in May. Today's Take On Payments post will highlight the two House bills recently passed by the House and the Senate's bill under consideration.
Protecting Cyber Networks Act (H.R. 1560)
This bill encourages the timely sharing of cyber threat information among private entities, nonfederal government agencies, and local governments. It provides businesses liability protection for sharing cyber threat indicators when taking reasonable efforts to remove personally identifiable information (PII). The bill also allows the federal government (excluding the National Security Agency and Department of Defense) to share cyber threat information with private entities, nonfederal government agencies, and local governments. To further promote and protect individual privacy, it requires that the Department of Justice (DOJ) periodically review the information shared to ensure that PII is not being received, used, or disseminated by a federal entity. Finally, this bill directs the Cyber Threat Intelligence Integration Center (CTIIC), under the direction of the Office of the Director of National Intelligence, to serve as the primary organization to analyze and integrate all intelligence shared.
National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731)
The purpose of this bill is to also encourage information sharing of cyber related risks among the private sector and government. Unlike its companion bill, which directs the CTIIC as the overseer of the information-sharing program, this bill authorizes the Department of Homeland Security (DHS) to do so. In order for the DHS to serve in this capacity, the bill expands the composition and scope of the DHS national cybersecurity and communications integration center to include additional parties, namely private entities and information-sharing and analysis centers, among its non-federal representatives. As with H.R. 1560, the bill has provisions to protect individual privacy and requires that the DHS performs an annual privacy policies and procedures review. As with its companion House bill, liability protection is afforded to parties sharing information.
Cybersecurity Information Sharing Act (CISA) of 2015 (S. 754)
The Senate's version of cybersecurity legislation is a companion bill to the two recently passed House bills and combines tenets of both of them. It's viewed as an information-sharing bill, with the DHS serving as the federal entity responsible for overseeing the sharing of data between the government and private sector. The DOJ is responsible for ensuring that privacy and civil liberties are upheld within the information-sharing program. As with the House bills, liability protection is provided to all entities sharing information.
The goal of information sharing featured in these bills is the hope both government and private sector would benefit. As evidenced by the participation of a significant number of financial institutions (FIs) with the Financial Services Information Sharing and Analysis Center, many FIs are seeing value to sharing cybersecurity information within their own sectors. Additionally, the Retail Industry Leaders Association established the Retail Cyber Intelligence Sharing Center earlier this year to share cyber threat information between retailers and law enforcement. Whether or not these bills accomplish the goals of creating a private environment to safely share cybersecurity information and risks, I think the payments industry and other private industries would benefit from sharing information among themselves and with government and law enforcement agencies.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 27, 2014
The Importance of Partnerships between the Private Sector and Law Enforcement
Helen Keller once said, "Alone we can do so little; together we can do so much." As the "forum" part of our name implies, we tend to agree with Helen Keller's comment on collaboration. The mission of the Retail Payments Risk Forum (RPRF) is to identify, detect, educate, and encourage mitigation of risk in retail payment systems. We firmly believe that one of the ways to achieve our mission is to collaborate with industry participants, regulators, and law enforcement. And while we convene our own forums to encourage collaboration, ample opportunities for collaboration between law enforcement and the private sector exist beyond the boundaries of the RPRF.
Below are descriptions of organizations that are built on such collaborations.
- Financial Services Information Sharing and Analysis Center (FS-ISAC): An organization dedicated to gathering and disseminating reliable and timely information from financial services providers, security firms, local, state, and federal law enforcement agencies, and other trusted resources related to physical and cyber threats against the financial services community.
- National Cyber-Forensics &l Training Alliance (NCFTA): A nonprofit corporation with formal partnerships/agreements with more than 40 U.S. private-sector organizations and more than 15 U.S. and international law enforcement or regulatory agencies. The NCFTA enlists subject matter experts from stakeholder organizations to share real-time intelligence regarding cyber threats and supports the development of joint proactive strategies to better identity, mitigate, and ultimately neutralize threats.
- Electronic Crimes Task Forces: Led by the United States Secret Service, these groups bring together federal, state, and local law enforcement with prosecutors, private industry, and academia for the purpose of preventing, detecting, investigating, and mitigating attacks on the nation’s financial infrastructures. Groups are structured through local field offices and organized in most major metropolitan areas.
- InfraGard: Led by the Federal Bureau of Investigation, this association with representatives from the private sector, academia, and state, local, and federal law enforcement agencies is dedicated to sharing information and intelligence to prevent hostile acts against the United States. Like the Electronic Crimes Task Force, InfraGard is comprised of groups organized by FBI field offices in major metropolitan areas.
- Anti-Phishing Working Group (APWG): An organization that seeks to unify the global response to cybercrime across industry, government, and law enforcement through data sharing, education, and standards development.
Each of these groups is different, but the common thread is information sharing between the private sector and law enforcement. This collaboration increases knowledge and awareness of threats and is often required to effectively capture and prosecute the masterminds behind attacks on financial institutions and their customers. I encourage our readers to learn more about and take advantage of these opportunities and others for collaboration between law enforcement and the private sector.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 26, 2012
Highlights from a Conference on Technology and Payments
The retail payments landscape is rapidly evolving as technological advances promote new electronic payment methods. On October 15–16, the Risk Forum convened at the Atlanta Fed a diverse gathering of stakeholders in the payments industry. Industry representatives were from telecommunication firms, airlines, standards bodies, payments processors, and coffee house retailers, as well as the more traditional players.
Federal Reserve Bank of Atlanta President and CEO Dennis Lockhart kicked off the event. His opening remarks focused on the Federal Reserve System's role as a central bank in the country's retail payment system, both as a payments operator and as the country's guardian of financial stability. In the latter role, the Fed aims to preserve the integrity of both the retail and wholesale payments systems. Lockhart stressed that although this role has national strategy overtones, it is not intended to stifle innovation and competition but rather to support a market-oriented approach to payment developments. By noting the vulnerabilities that the fast pace of change and innovation in the industry create, Lockhart set the stage for the day's session, the highlights of which we are sharing here. You can find the complete presentation materials on the Atlanta Fed website.
Technology developments in card-based payments
Legacy plastic cards are likely to remain important for some time. Nevertheless, significant changes are under way. These technological changes were the focus of this panel. The U.S. payments industry is struggling to collectively shift from magnetic stripe-enabled card payments to a more secure and interoperable environment. Panelists discussed the challenges posed by the planned U.S. migration to chip-enabled cards and to the EMV standards already adopted in most of the globe's major developed countries. They discussed the potential shift in fraud to card-not-present payments in the shift from mag-stripe cards. Panelists said that fraud mitigation in the future U.S. EMV environment will require additional data analysis tools, including the use of better encryption methods and tokenization. They also touched on the benefits of PIN versus signature authentication.
The evolution of technology standards in retail payments
Technology standards provide the cohesion to ensure the critical mass needed for successful payment network adoption. At the same time, the myriad of new market solutions, patent issues, and even standards bodies themselves challenges industry cooperation and consensus building, slowing the standards development process. Panelists discussed the activities of various standards bodies that touch retail payments today. They also talked about how they are working to galvanize industry stakeholders to agree and employ standards that foster security and interoperability.
Mobile payment developments at the point of sale
This panel of experts reviewed technological developments in the mobile channel for payments at the merchant's point of sale (POS), including the rollout of several mobile wallet initiatives. Panelists discussed the challenges associated with the highly dynamic nature of the technologies. They noted that new complex business models are resulting in many different types of payment solutions, creating a confusing ecosystem for mobile proximity payments.
Panelists noted that the many new, thought-provoking products out in the market place today create many unknowns, not only with respect to security, but also future viability. They agreed that it is hard to predict which solutions have true scalability. An interesting discussion took place on the success of new payments such as Square, which changed the proverbial game by expanding the population of merchants that can accept card payments and by repurposing the mobile handset into a payment acceptance device. The panel also discussed how Starbucks unwittingly assumed the role of a payments pioneer when they moved to the mobile channel. Their original aim was not to adopt a new payments method but rather to increase customer loyalty and convenience.
The merits and challenges with the upcoming EMV migration were also top of mind for the panel.
Technology trends in mobile payment transfers
U.S. mobile payment developments have generally centered on payments at the POS. However, remote mobile payments, or person-to-person mobile transfers, are also taking form as a business model. Panelists discussed how nonbank players are entering the money transmission space hoping to leverage new mobile technologies. They explored the current environment for domestic and cross-border mobile transfer payment activity, analyzing the changing roles of payment service providers and the subsequent regulatory and policymaking considerations.
Panelists noted that we are seeing a huge paradigm shift in mobile money, with prepaid airtime credits looking more and more like currency in developing countries. Some countries permit payment service providers to provide airtime cash-out; Kenya's M Pesa is one of these providers. The lack of system interoperability across borders and liquidity management considerations are barriers to a global, scalable airtime transfer system. Panelists also noted, however, that airtime transfers are increasingly becoming a natural complement to traditional remittances.
In addition, traditional remittance providers are partnering with telecom firms to deliver services in emerging markets. These providers also work with banks in more developed countries, like the United States, to use the mobile channel in more efficient ways.
Technology threats and mitigants in electronic payment systems
Whether through scams such as “Obama Will Pay Your Bills” or corporate account takeovers, criminals are increasingly using electronic payments networks to perpetrate fraud. Panelists stressed that industry stakeholders must themselves become more sophisticated in order to develop solutions to better detect and mitigate these risks. Future fraud detection will require more sophisticated approaches to address growing vulnerabilities in web applications. Panelists also stressed that financial institutions must validate transactions to enforce rules and limits and to manage fraud.
The Risk Forum uses events such as this to encourage dialogue and share critical business intelligence among participants. We can then use information that comes out of such discussions to inform our work with the payments industry as we collectively work on better solutions to detect and mitigate risk. Expect to see more discussion in future posts. As always, we value your responses.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
May 14, 2012
Cooperating competitors? Yes, when it comes to payment standards
Standard sizes allow us to efficiently pick out clothing to try on at any store we go to, and even to shop online. Standard file formats enable the exchange of documents between computers with different operating systems and software programs. Similarly, standard payment formats ensure that our payment cards work at a wide range of merchants regardless of where we bank. Although we often take standards for granted, they are absolutely critical to the efficient functioning of the payment system.
Standard formats are a classic public good: they can be used by multiple people at no marginal cost per user and it is difficult to exclude people from using them. Typically, public goods have to be provided by the government, because no individual firm has sufficient incentive to provide them privately. However, in the payments industry, standard payment formats have frequently been adopted without government intervention. Instead, private firms generally cooperate to develop payment standards through membership organizations like NACHA, the Accredited Standards Committee X9, and EMVCo. These organizations are direct competitors who choose to cooperate in developing shared industry utilities. Atlanta Fed payments risk expert Doug King has written extensively on industry efforts to implement the EMV payment card standard in the United States.
The payments industry might be able to supply its own public goods due to the relatively low transaction costs of doing so. While a small number of companies manage the majority of card payments across the globe, the U.S. industry includes several well-established companies and numerous smaller competitors as well as start-ups. Most of the companies are already members of established industry organizations that facilitate collaboration. This is much simpler than the market providing a public good like low pollution in a river, for example. Somehow the many consumers and firms who access that river must assemble and agree on the pollution level, develop an enforcement mechanism, and implement the agreement—and many of these stakeholders will likely never have worked together before.
The effect of payment standards on competition is unclear. It’s possible that standards increase competition in the payments industry by leveling the playing field between established firms and start-ups. However, some payments standards are proprietary and may inherently favor the companies that most influenced their development. For example, to the extent that the largest card networks dictate the specifications for the EMV standard, this may disadvantage smaller networks. Those smaller networks are left in the unenviable position of having to comply with standards in which they had little voice in developing. Thus, although the payments industry seems to have been effective in developing standards cooperatively, it’s possible that this market activity has favored the dominant players. How will the move to the EMV payment card standard affect competition in the U.S. market?
By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
Take On Payments Search
- account takeovers
- bank supervision
- banking regulations
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- crossborder wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator MNO
- money services business MSB
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments studies/research
- payments systems
- Payment Services Directive
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- supervision and regulation
- thirdparty service provider
- Unfair and Deceptive Acts and Practices UDAP
- wire transfer fraud
- workforce development
- workplace fraud