Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
June 8, 2015
Is the Conventional Wisdom about EMV Migration Right?
We're within five months now of the initial EMV (chip) card liability shift for POS transactions. Most people in the industry have held the belief that as the ability to create counterfeit cards is shut down, the criminals will shift their focus primarily to the card-not-present (CNP) environment, where they can continue to use payment card data they take from the magnetic stripe or other data breaches. In fact, my colleagues and I have been broadcasting this message in our presentations and posts for quite some time. Our assessment, along with most other industry experts, was based on the statistics released by banking groups in major countries that had already gone through the EMV migration. The chart illustrates one view of their experiences. It seems to leave no doubt about what we can expect.
But does it mean what we think it means? While the chart clearly shows an increase in the CNP channel in fraud losses, did the ratio of CNP fraud to overall sales increase? Unfortunately, definitive data is not readily available to provide that answer. Using some confidential sources and partial—but significant volumes of—payment data, we were able to determine that during the period from 2010 to 2013, as a percentage of overall sales, CNP fraud in Canada actually held relatively steady. But was that stability created due to the large increases in the recurring billing segment in the CNP environment, which has a relatively low rate of fraud? At this point, we just don't have data granular enough to tell us.
I don't think this means that there isn't a reason to be concerned about CNP fraud as the EMV migration in the United States continues. For one thing, the experience of others is no guarantee that we will experience the same. But perhaps the biggest reason for us not to relax about the issue is that, even if the levels hold flat through our migration, CNP fraud is still quite significant and has a major negative financial impact on merchants and issuers. The 2013 Federal Reserve Payments Study found that CNP fraud by volume is three times that of card-present fraud.
This situation also demonstrates the need to be able to collect detailed and accurate data on fraudulent payments activity. Fraud has been a real challenge in this country because of the large number of payments stakeholders that end up saddled with the loss. The Federal Reserve is interested in working with the industry to develop a process for collecting such information for the benefit of all.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 22, 2014
Top 10 Payments Events in 2014
As the year draws to a close, the Portals and Rails team would like to share its own "Top 10" list of major payments-related events and issues that took place in the United States this year.
#10: Proposed prepaid rule. After a long wait, the Consumer Financial Protection Bureau issued its proposed rules on general reloadable prepaid cards in November. While the major players in the prepaid card industry had already adopted most of the practices included in the proposed rule, the proposal allowing overdrafts and credit extensions is likely to generate differing perspectives during the comment period before a final rule is adopted in 2015.
#9: Regulation II. The U.S. Circuit Court of Appeals for the District of Columbia upheld the Federal Reserve Bank's rules regarding interchange fees and network routing rules, reversing a 2013 decision. Notice of appeal on the interchange fee portion of the ruling has been given, but resolution of the network routing rules has cleared the way for the development of applications supporting routing on chip cards.
#8: Payment trends. The detailed Federal Reserve Bank's triennial payments study results were released in July 2014, continuing the Fed's 15-year history of conducting this comprehensive payments research. Cash usage continued to decline but remained the most-used form of payment in terms of transaction volume.
#7: Card-not-present (CNP) fraud. With the growing issuance of chip cards and the experience of other countries post-EMV migration—with substantial amounts of fraud moving to the online commerce environment—the payments industry continues to search for improved security solutions for CNP fraud that minimize customer friction and abandonment.
#6: Faster payments. Continuing a process it began in the fall of 2013 at the release of a consultative white paper, the Federal Reserve Bank held town halls and stakeholder meetings throughout the year in preparation of the release of its proposed roadmap towards improving the payment system.
#5: Virtual currencies. Every conference we attended had sessions or tracks focused on virtual currencies like Bitcoin. While there was some advancement in the acceptance of Bitcoin by major retailers, the number of consumers using the currency did not rise significantly.
#4: Mobile payments. The entry of Apple with its powerful brand identity into the mobile payments arena with Apple Pay has energized the mobile payments industry and brought improved payment security through tokenization and biometrics closer to the mainstream. (Apple Pay's impact on mobile payment transaction volume will likely be negligible for a couple of years.) Additionally, the use of host card emulation, or HCE, as an alternative contactless communications technology provides another option for mobile wallet development.
#3: EMV migration. The frequency and magnitude of the data breaches this year have spurred financial institutions and merchants alike into speeding up their support of EMV chip cards in advance of the October 2015 liability shift.
#2: Third-party processors. Regulators and law enforcement escalated the attention they were giving to the relationships of financial institutions with third-party processors because of increased concerns about deceitful business practices as well as money laundering.
And…drum roll, please!
#1: Data breaches. The waves of data breaches that started in late 2013 continued to grow throughout 2014 as more and more retailers revealed that their transaction and customer data had been compromised. The size and frequency of the data breaches provided renewed impetus to improve the security of our payments system through chip card migration and the implementation of tokenization.
How does this list compare to your Top 10?
All of us at the Retail Payments Risk Forum wish our Portals and Rails readers Happy Holidays and a prosperous and fraud-free 2015!
Mary Kepler, vice president; Doug King, payments risk specialist; Dave Lott, payments risk expert; and Julius Weyman, vice president—all of the Atlanta Fed's Retail Payments Risk Forum.
August 18, 2014
Crooks Target Business Clients
Fraudsters are always looking for ways to take advantage of trusted relationships, such as between a business and their established vendors. The fraudster's goal is to trick the business into thinking they are paying their vendor when the dollars are actually being diverted to the crook. A common scheme is for a business to receive instructions on a spoofed but legitimate-seeming e-mailed invoice to send a wire transfer to the vendor or business partner immediately. The business may pay, not realizing until it's too late that the funds are actually going to a fraudster or money mule. The Internet Crime Complaint Center (IC3) recently issued a scam alert on this scheme noting reported losses averaging $55,000, with some losses exceeding $800,000.
Criminals can perpetrate this type of fraud in many ways. Devon Marsh, an operational risk manager at Wells Fargo and chairman of the Risk Management Advisory Group for NACHA–the Electronic Payments Association, addressed some of the ways at a Payments 2014 conference session "Supply Chain Fraud Necessitates Authentication for Everyone," including these:
- Calling or e-mailing the business, pretending to be the vendor, to change payment instructions
- Sending counterfeit invoices that appear genuine because they are patterned after actual invoices obtained through a breach of the business's e-mail system or a vendor's accounts receivable system
Marsh also discussed important ways to reduce the risk of falling victim to these schemes. As with any e-mail that seems questionable, the business should verify the legitimacy of the vendor's request by reaching out to the vendor with a phone call—and not using the number on the questionable e-mail or invoice. The business should also educate its accounts payable department to review any vendor's payment requests carefully, verifying that the goods or services were received or performed and questioning and checking on anything at all that does not look right, such as an incorrect or different vendor name or e-mail address.
The Federal Financial Institutions Examination Council's 2011 supplement to its guidance stresses the need in an internet environment for financial institutions to authenticate their customers. The concepts this guidance addresses are also sound practices for businesses to use in authenticating their vendors.
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 30, 2014
A Call to Action on Data Breaches?
I recently moved, so I had to go online to change my address with retailers, banks, and everyone else with whom I do business. It also seemed like an ideal opportunity to follow up on the recommendations that came out after the Heartbleed bug and diligently change all my passwords. Like many people, I had a habit of using similar passwords that I could recall relatively easily. Now, I am creating complex and different passwords for each site that would be more difficult for a fraudster to crack (and at the same time more difficult for me to remember) in an attack against my devices.
I have found myself worrying about a breach of my personal information more frequently since news of the Heartbleed bug. Before, if I heard about a breach of a certain retailer, I felt secure if I did not frequent that store or have their card. Occasionally, I would receive notification that my data "may" have been breached, and the threat seemed amorphous. But the frequency and breadth of data breaches are increasing, further evidenced by the recent breach of a major online retailer's customer records. This breach affects about 145 million people.
As a consumer, I find the balance between protecting my own data and my personal bandwidth daunting to maintain. I need to monitor any place that has my personal data, change passwords and security questions, and be constantly aware of the latest threat. Because I work in payments risk, this awareness comes more naturally for me than for most people. But what about consumers who have little time to focus on cybersecurity and need to rely on being notified and told specifically what to do when there's been a breach of their data? And are the action steps usually being suggested comprehensive enough to provide the maximum protection to the affected consumers?
Almost all states have data breach notification laws, and with recent breaches, a number of them are considering strengthening those laws. Congress has held hearings, federal bills have been proposed, and there has been much debate about whether there should be a consistent national data breach notification standard, but no direct action to create such a standard has taken place. Is it time now to do so, or does there need to be more major breaches before the momentum to create such a standard makes it happen?
Take On Payments Search
- account takeovers
- bank supervision
- banking regulations
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- crossborder wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator MNO
- money services business MSB
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments studies/research
- payments systems
- Payment Services Directive
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- supervision and regulation
- thirdparty service provider
- Unfair and Deceptive Acts and Practices UDAP
- wire transfer fraud
- workforce development
- workplace fraud