Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
January 20, 2020
We're Number 1! But Why?
A new paper from the Kansas City Fed asks the question, why are U.S. card fraud rates higher than those of other developed countries? Economist Fumiko Hayashi found that even after EMV migration in 2015, the U.S. had a significantly higher in-person card fraud rate than did Australia, France, and the United Kingdom. In all three years studied—2012, 2015, and 2016—the U.S. in-person fraud rate was more than three times higher than that of the other countries (see the chart).
She attributes these differences to three factors:
- The United States had a smaller share of chip transactions. EMV migration in the United States didn't really begin until 2015, compared to years (even decades) earlier for the other countries. According to the Federal Reserve Payments Study, 2 percent of in-person general-purpose card payments used chip authentication in 2015; that share increased to 57 percent in 2018.
- The other three countries use chip-and-PIN verification, a multi-factor method that is stronger than what is typical on U.S. networks, where most chip transactions are chip only (no PIN). For in-person general-purpose card payments in the United States in 2018, the Federal Reserve Payments Study found that 21 percent (17.8 billion payments) used chip-and-PIN.
- U.S. cardholders are more likely to use credit cards, which typically have higher fraud rates than debit cards.
Hayashi's paper gives a snapshot of the four countries at three points in time. Another approach to doing a country-to-country comparison would be to make a moving picture depicting the aftermath of the adoption of EMV chips for in-person payments. My Retail Payments Risk Forum colleague Doug King, in a paper published in June 2019, looked at the change in in-person fraud for Australia, France, and the United Kingdom and found that fraud rates for in-person transactions dropped after chip-and-PIN implementation. You can see in the figure above that U.S. in-person card fraud rates declined from 2015 to 2016, over the time of EMV implementation here.
Keep in mind that this post is a simplification of two complex papers. For example, Hayashi also analyzed remote card fraud rates. And Doug included some data from other nations. If you want more information, the Federal Reserve Payments Study has reported details on fraud for noncash payments in the United States, cards included, and also authorization methods for in-person general-purpose card payments (see figure 6 in the 2019 Federal Reserve Payments Study). I invite you to read these reports.
November 25, 2019
We Are Thankful For...
Several years ago, I began the practice of making a list around Thanksgiving of things I am thankful for. I was pondering what I might include on my list this year while I was stuck in traffic behind an awful wreck I was thankful I wasn’t involved in. And then the idea hit me that maybe we at the Risk Forum should create our own list focused on what we are thankful for in payments.
To keep the list at proper blog length, I asked each Risk Forum member to name just one item. Without further ado, the Risk Forum presents to you our 2019 Thanksgiving week "What we are thankful for in payments" list.
- Nancy Donahue, project manager: I’m thankful that my debit card has only been breached once this year and although the criminal lived it up at several fast food restaurants and c-stores, it was less than $100 total and I got my money back!
- Claire Greene, payments risk expert: I am thankful that direct deposit lets me put my finances on autopilot. I’ve split my paycheck into different accounts: one for retirement, one for the mortgage, one for saving, and one for everyday expenses.
- Douglas King, payments risk expert: I am thankful for the ability to pay via self-checkout at my local grocery store and receive cash back when using my debit card.
- Dave Lott, payments risk expert: I am thankful for law enforcement and other security professionals who work diligently to protect the integrity of our payments system.
- Catherine Thaliath, project management expert: I am thankful for credit card rewards programs. It is nice to get rewarded with cash back or even a free plane ticket just by using your credit card for everyday purchases!
- Jessica Washington, payments risk expert: I am thankful for payments industry collaboration. This year I have seen improvements in fraud information sharing across stakeholders; partnerships between fintechs, financial institutions, and payment networks to promote financial inclusion; and working groups embracing emerging payment innovations.
- Julius Weyman, vice president and forum director: I am thankful that I can write a check where it makes sense; pay online where it makes sense; get paid via ACH (no choice in that, but wouldn’t choose otherwise); pull bills from a real wallet (not the fake kind) and pay that way, where it makes sense; and use a card (and get rewards), which almost always makes sense and is the one I use the most.
Pictured from left: Jessica Washington, Douglas King, Nancy Donahue, Dave Lott, Catherine Thaliath, Julius Weyman; Not pictured: Claire Greene
And we are thankful for YOU: our readers of Take On Payments and supporters of the Risk Forum. We sincerely appreciate your comments, kudos, and criticism, and hope that you all find value in the information we provide and share. As we enter into these crazy last weeks of 2019, we wish you and yours a wonderful holiday season.
August 19, 2019
Why Should You Care about PSD2?
The revised Payment Services Directive (PSD2) is major payments legislation in the European Union (EU) that is intended to provide consumers increased competition, innovation, and security in banking and payment services. The PSD2 specifications were released by the European Banking Authority in November 2017 and require all companies in the EU to be in compliance by September 14, 2019. Earlier this year, the European Banking Authority refused a request by numerous stakeholders in the payments industry for a blanket delay of the regulation, citing a lack of legal authority to do so, although it announced it would permit local regulatory authorities to extend compliance deadlines for a "limited additional time." In the United Kingdom, however, the Financial Conduct Authority (FCA) announced on August 7 that it was deferring general enforcement of the PSD2 authentication provisions until March 2021 and allowing the industry an additional six months beyond that to develop more advanced forms of authentication. The Central Bank of Ireland is also expected to grant an extension similar to the FCA's, but none had been announced as of this writing.
The PSD2 has two major requirements: open banking and strong customer authentication (SCA). With open banking, consumers can authorize financial services providers to access and use financial data that another financial institution is holding on their behalf. (Application programming interfaces, or APIs, provide that access.) The FCA had mandated that open banking for U.K. banks be in place by early 2018, while the rest of the EU kept the open banking compliance deadline the same as that for SCA compliance. While open banking represents a major change in the EU's financial services landscape, the rest of this post focuses on the PSD2's strong customer authentication requirements.
Generally, PSD2 requires financial service providers to implement multi-factor authentication for in-person and remote financial transactions performed through any payment channel. As we have discussed before in this blog, there are three main authentication factor categories:
- Something you know (for example, PIN or password)
- Something you have (for example, chip card, mobile phone, or hardware token)
- Something you are (for example, biometric modality such as fingerprints or facial or voice recognition)
PSD2 compliance requires the user to be authenticated using elements from at least two of these categories. For payments that are transacted remotely, there is an additional requirement: the authentication token must be linked to the specific transaction amount and the payee's account number, so that a token generated for one payment cannot be used to authorize a different one.
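The two SCA rules just described can be made concrete in code. The following is an added example, not code from the original post or from any payment network or regulator: it checks that the verified authentication elements span at least two factor categories, and it builds an authentication code that is bound to the transaction amount and payee, so the issuer rejects a code presented against a different payment. The mapping of concrete elements to categories, the use of HMAC-SHA256 with a shared per-session key, and all account identifiers and amounts are assumptions constructed for the example.

```python
"""
Added example: a toy model of two PSD2 strong customer authentication rules.

  1. Elements from at least two of the three factor categories
     (knowledge, possession, inherence) must be verified.
  2. For remote payments the authentication code must be linked to the
     transaction amount and the payee, so a code captured for one payment
     cannot authorize a different one.

Factor mapping, the HMAC construction and all sample values are
assumptions for this example, not taken from the directive itself.
"""
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal

# Concrete authentication elements -> factor category (assumed mapping).
FACTOR_CATEGORY = {
    "pin": "knowledge",
    "password": "knowledge",
    "chip_card": "possession",
    "registered_phone": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def covers_two_categories(verified_elements):
    """True if the verified elements span at least two categories.

    Two elements from one category (PIN + password) are not multi-factor;
    a PIN plus the chip card or phone that holds it is.
    """
    categories = {FACTOR_CATEGORY[e] for e in verified_elements}
    return len(categories) >= 2


@dataclass(frozen=True)
class Payment:
    amount: Decimal        # transaction amount in euro
    payee_account: str     # payee account identifier (constructed values below)


def make_payment(amount_str, payee_account):
    """Build a Payment from a decimal string such as "120.00"."""
    return Payment(Decimal(amount_str), payee_account)


def _canonical(payment):
    # Fixed-format encoding so payer device and issuer hash identical bytes;
    # two decimals avoid a "30" vs "30.00" mismatch for the same amount.
    return f"{payment.amount:.2f}|{payment.payee_account}".encode()


def dynamic_linking_code(session_key, payment):
    """Authentication code bound to amount and payee (assumed HMAC-SHA256).

    session_key is a per-authentication secret shared by the payer's
    device and the issuer; how it is established is out of scope here.
    """
    return hmac.new(session_key, _canonical(payment), hashlib.sha256).hexdigest()


def verify_remote_payment(session_key, presented_code, payment, verified_elements):
    """Issuer-side check of a remote payment under the two rules above.

    Returns (accepted, reason). The code is recomputed over the payment the
    issuer is actually asked to authorize, so a code produced for another
    amount or payee fails even though it was genuinely generated.
    """
    if not covers_two_categories(verified_elements):
        return False, "fewer than two factor categories verified"
    expected = dynamic_linking_code(session_key, payment)
    # compare_digest: constant-time comparison of the two codes
    if not hmac.compare_digest(expected, presented_code):
        return False, "authentication code not linked to this amount/payee"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-session-key-for-demo-only"
    original = make_payment("120.00", "DE00 EXAMPLE 0001")   # constructed
    code = dynamic_linking_code(key, original)

    # Legitimate payment: PIN (knowledge) + registered phone (possession)
    print(verify_remote_payment(key, code, original, ["pin", "registered_phone"]))

    # Same code presented for a different payee: rejected
    changed = make_payment("120.00", "DE00 EXAMPLE 0002")    # constructed
    print(verify_remote_payment(key, code, changed, ["pin", "registered_phone"]))

    # Two knowledge elements only: not SCA
    print(verify_remote_payment(key, code, original, ["pin", "password"]))
```

The design point is that the code is recomputed by the issuer over the transaction it is being asked to approve, not simply compared against a value stored when the user authenticated; that is what makes the linkage to amount and payee enforceable rather than declarative.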
The regulation provides for a number of exemptions to the SCA requirement. Key exemptions include:
- Low-value transactions (under €30, approximately $33)
- Transactions with businesses that the consumer identifies as trusted
- Recurring transactions for consistent amounts after SCA is used for the first transaction. If the amount changes, SCA is required.
- "Low-risk" transactions based on the acquirer's overall fraud rate calculated on a 90-day basis. Transaction values can be as high as €500 (about $555).
- Mail-order and telephone-order payments, since they are not considered electronic payments covered by the regulation
- Business-to-business (B2B) payments
Since PSD2 does not apply to payments where the acquirer or the issuer is not based in the EU, why would understanding this regulation be important to non-EU consumers and payment system stakeholders? From 2015 through 2018, the Federal Reserve established and provided leadership for the Secure Payments Task Force as it identified ways to enhance payments security, especially for remote payments. One critical need the task force identified is stronger identity authentication. So far, the United States has avoided any legislation concerning authentication, but will actions like the PSD2 create pressures to mandate such protections here? Or will the industry continue to work together through efforts like the FedPayments Improvement Community to develop improved authentication approaches? Please let us know what you think.
July 22, 2019
Ransomware Attacks Continue
Ransomware attacks have only continued since I addressed the problem in a recent post, and they've continued to target municipal and state agencies. Riviera Beach (May) and Lake City (June), both in Florida, were successfully attacked. Lake City paid a bitcoin ransom of approximately $470,000 while Riviera Beach paid about $600,000, also in bitcoin. These attacks took place soon after the one in Jackson County, Georgia, whose government paid $400,000 for decryption keys. While law enforcement officials recommend that victims not pay ransom for fear that doing so encourages the criminals to continue their attacks, the affected agencies often view paying the ransom as a cost-effective way to restore operations as soon as possible. Moreover, Lake City and Riviera Beach were both insured against such attacks, with a $10,000 and a $25,000 deductible, respectively. It appears that in all three of these instances, when they got their ransom, the criminals supplied the necessary data that allowed officials to regain control of the systems.
So how can governments, schools, hospitals and doctors' offices, financial services, and consumers best protect their systems from these nefarious attacks? It's not easy—criminals are constantly developing new malware to get into systems. However, here are some critical guidelines from IT security professionals that can help us all avoid or minimize the impact of a ransomware attack.
- Perform data backups at least daily, and keep at least one backup copy offsite or on portable storage devices not connected to the network.
- Avoid using end-of-life operating systems and software that cannot be updated to address known vulnerabilities.
- Install software updates and security patches as soon as possible, and follow established change control guidelines.
- Evaluate segmenting your network into separate zones to minimize the spread of a ransomware infection.
- Train and test employees regularly about how criminals use phishing attacks to load malware onto computers that can then compromise system access credentials.
- Require employees to use strong passwords.
- Although the IT security community is divided on how frequently passwords should be changed, require a change at least every six months.
- Maintain comprehensive access controls so that only the employees who require access to an individual system have such rights, especially for remote access.
- Use reliable security software and, as recommended above for all software, keep it updated. Evaluate adding special trusted anti-ransomware tools, some of which are free.
- Evaluate your cybersecurity insurance policy in terms of its ransomware coverage.
In addition, every agency and organization should develop a ransomware response plan that can be implemented as soon as an attack has been detected. While the immediate focus should be on minimizing the impact of the attack, the plan must also cover business continuity, law enforcement notification, and media communications.
We hope you won't be a victim, but simply keeping your fingers crossed isn't an effective plan.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed