Please enable JavaScript to view the comments powered by Disqus.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

December 9, 2019

Payments in Review: A Webinar

Whether you are out dipping your payment card at a store, waiting in line behind a check writer, trying to look like you're working while you shop online for last-minute gifts using your digital wallet, or just always looking for more information about payments, grab your headphones for the last Talk About Payments webinar of 2019. On December 19, the Retail Payments Risk Forum team continues its tradition of discussing what we consider to be the significant payments events and issues of the year. We invite financial institutions, retailers, payments processors, law enforcement officials, academics, and other payments system stakeholders to participate.

The webinar 2019: Payments in Review features a live roundtable discussion with payments risk experts Doug King, Dave Lott, and Jessica Washington. You will be able to see how your reflections on 2019 payment events compare to the Risk Forum's perspectives and reflections on the year. To liven up the party, polling questions and real-time questions and comments will let you engage with the speakers.

Last year ended with increasing momentum in technology research and development—distributed ledger technology, contactless, machine learning—which continued into 2019, mixed with the some of the largest fintech mergers and acquisitions the industry has seen. Faster payments started taking new forms with added interest from industry stakeholders. The fight against payments fraud also changed shape during 2019, with some new collaborations and methods worth mentioning. Fintech is surely to be discussed along with other topics such as the proliferation of digital payment methods versus the state of cash.

Find out what you might need to consider as you promote safer payments innovation in the coming year.

The webinar will happen on Thursday, December 19, from 1 to 2 p.m. (ET). Participation is free, but you must register in advanceOff-site link. Once you register, you will receive a confirmation email with the log-in and toll-free call-in information. A recording of the webinar will be available to all registered participants in various formats within a couple of weeks after the event.

We look forward to you joining us on December 19 and sharing your perspectives on the payment events that took place in 2019.

October 15, 2019

The Range of Un-Friendly Fraud

My colleague Doug King recently penned a call to action in a Take On Payments post on friendly fraud. That post was the first we'd written about this issue in more than four years. But the feedback we received about the post echoed our concern that these disputes are becoming more frequent and expanding into new scenarios that clearly indicate that, at least to the merchant community, this type of fraud is anything but friendly.

Further research into this problem indicates a range of reasons for a cardholder to dispute a transaction. The spectrum runs from a well-intentioned misunderstanding to a premeditated effort to avoid paying for the goods or services. Below are some common friendly fraud scenarios.

Merchant description or error: A cardholder may be confused when a company descriptor in the transaction detail does not match the company name they are familiar with, so disputes a legitimate transaction. Sometimes this happens, as Doug described in his post, if a parent company name is used rather than the d/b/a name, which frequently occurs with online international transactions. Or sometimes the final transaction amount differs from the amount the cardholder thought he or she was supposed to pay because, for example, there was a miscalculation of sales tax or delivery charges. In most cases, the cardholder, upon seeing all the transaction details, remembers the transaction and withdraws the dispute.

Family usage: Family members sometimes use another family member's payment card without permission. For example, a child might use a parent's card to purchase online gaming credits or features, or a sibling might purchase gasoline, clothing, or something else. With ecommerce transactions, many merchants resort to "electronic fingerprinting" of the device used in the transaction to capture the device ID, IP address, and other details for further documentation. Hopefully, with this additional information provided to the cardholder, the cardholder will do some detective work to determine if the transaction should be honored.

Refunds or buyer's remorse: A cardholder with second thoughts about a nonrefundable purchase might deny that they made the transaction—perhaps a store's return policy deadline has passed or the cardholder just doesn't want the trouble of going through the refund process. To help combat this type of chargeback, the card brands all have "compelling evidence" chargeback documentation rules. These rules allow the merchant to provide additional documentation for certain disputes proving that the cardholder either participated in the transaction, actually received the goods or services, or benefited from the transaction. Merchants must be selective about which of these disputes to contest, depending on the transaction amount, the availability of supplemental evidence, and resource costs to collect and provide such evidence.

Criminal theft: A cardholder who understands the chargeback regulations may use them against a merchant, having purchased an item or service with no intention of making payment. The cardholder may falsely claim that goods were never delivered. Some colleagues and I recently spoke with a business owner who operates several casual dining restaurants. Because of a technology interoperability issue with the restaurant management software, the restaurant has not been able to implement EMV chip readers. The owner said that some patrons became aware of the absence of these readers and spread the word to others, to the point that the losses have become significant. Because of the EMV chip liability shift rules, the owner is considered noncompliant and has no defense against the chargebacks.

All these types of friendly fraud are almost impossible to detect upfront, especially those toward the more benign end of the range. For a merchant, having reasonable return policies and fully disclosing them and hiring exceptional customer service representatives will take them a long way with some of the disputes. But to defend themselves from the determined criminal, merchants' or card issuers' only recourse may be keeping a file listing cardholder accounts suspected of repeated friendly fraud claims.

What techniques do you think are most effective in combatting friendly fraud?

April 29, 2019

Next-Gen Security

In early April in Boston, I happened by the annual conference and competition of the Massachusetts School Bank Association (MSBA). Two hundred eighty-four students from 30 high schools competed in three segments: product design, marketing, and a quiz show that covered financial literacy topics. The MSBA is an association of schools with financial literacy programs and financial institutions that operate educational branch offices in schools.

I learned that next-gen security is firmly within the sights of the next gen of Massachusetts bankers. The conference theme of “personal financial security” played out in each segment. It was clear that the organizers—high school teachers and executives at financial institutions—had the financial safety of the next gen firmly in view:

  • The trivia contest consisted of general banking and personal finance questions including questions related to identity theft awareness, financial fraud, and financial cybersecurity.
  • The marketing challenge tackled the need to educate customers about security and, according to the prompt, "the need to use good security practices and tools to protect [customers] from identity theft and/or fraudulent use of their accounts."
  • In product design, the winning team from Taunton High School designed an app to help students determine if they were more or less likely to be victims of identity theft.

I chatted with students from Chelsea High School about their app: "Are you smarter than a fraudster?" Teaching others is a good way to learn yourself, and these young people were on top of best practices for protecting their payments cards (don't give out info in email or on the phone), preventing identity theft (shred documents), and keeping email safe (don't click on links from unknown parties).

When they aren't designing apps, the Chelsea students work as interns at the Chelsea High School branch of Metro Credit Union.

What is your bank doing to educate the next gen of security ninjas?

January 7, 2019

A New You: Synthetic Identity Fraud

With the start of the new year, you may have resolved to make a change in your life. Maybe you've even gone so far as to pledge to become a "new you." But someone may have already claimed that "new you," stealing your credentials and using them to create a new identity. Identity theft is a growing problem, resulting in millions of dollars in damage around the world. And now there is a modern twist to this old and costly problem: synthetic identity fraud. Panelists at a forum convened by the Government Accountability Office (GAO) define this problem as a "crime in which perpetrators combine real and/or fictitious information, such as Social Security numbers and names, to create identities with which they may defraud financial institutions, government agencies, or individuals." (Read forum highlights on the GAO website.) According to the U.S. Federal Trade Commission, synthetic identity fraud is the "fastest growing and hardest to detect" form of identity theft.

This graphic from the GAO illustrates how this type of identity fraud differs from what we have traditionally defined as identity theft.

GAPSIF

As this image shows, in traditional identity fraud, the criminal pretends to be another (real) person and uses his or her accounts. In synthetic identity fraud, the criminal establishes a new identity using a person's real details (such as social security number), combining this information with fictitious information to create a new credit record.

The challenge for the payments industry is determining whether an identity is planted or legitimate. For example, parents with excellent credit histories sometimes add their children to their existing credit accounts to give their children the benefit of their positive financial behavior. This action allows the children to kick-start their own credit records. Similarly, a criminal could plant a synthetic identity in an existing credit account and from there build a credit history for this identity. (In many cases, the criminal works for years on building a strong credit history for that false identity before "cashing out" and inflicting financial damages on a large scale.)

So what can consumers do to protect themselves? Here are some simple ways to make it harder for a thief to steal your personal information:

  • Shred documents containing personal information.
  • Do not provide your social security number to businesses unless you absolutely have to.
  • Use tools that monitor credit and identity usage.
  • Freeze your credit account as well as that of any of your minor children.
  • Check your accounts regularly to ensure that all transactions are legitimate and report any suspicious activity immediately.

Staying informed about synthetic identity fraud tactics and taking these steps to protect yourself can help you get one step closer to (preventing) "a new you."

Photo of Catherine Thaliath By Catherine Thaliath, project management expert in the Retail Payments Risk Forum at the Atlanta Fed