Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
February 4, 2019
So, How Often Do You Dip?
Remember how s-l-o-w dipping your payment card seemed when you were shopping back in 2015? Molasses? Honey? The dregs of the ketchup bottle? These days, I'm dipping more—that is, inserting my card into a chip reader—and complaining about it less. (I don't have a contactless card, so tapping isn't yet an option for me.) I still think swiping is faster, but familiarity means that dipping bugs me less. And it's become rare for me to encounter a jerry-rigged chip reader with the insert slot blocked by cardboard or duct tape, forcing me to swipe instead.
Turns out my shopping experiences—dipping more—line up with new data released by the Federal Reserve Payments Study in December 2018. The study reports some information on how in-person general-purpose card payments were authenticated in the United States in 2017.
For the first time, more than half of these payments by value were chip-authenticated in 2017. In contrast, just three percent of general-purpose card payments used chips in 2015—hence, my lack of familiarity with dipping back in the day. Because contactless chip cards were in use before the EMV-based dipping method began to take off in 2015, these data are an approximation of the increasing use of dipping, not an exact measure.
The chart below is based on figure 8 in the Federal Reserve Payments Study: 2018 Annual Supplement; it shows the substantial uptake in chip authentication at the point of sale from 2016 to 2017. (Check out the supplement for more detail.)
By number, more than 40 percent of general-purpose card payments were chip-authenticated. By card type, credit card payments are most likely to be chip-authenticated and prepaid card payments are least likely to be chip-authenticated (see the chart below). Prepaid cards are less likely to be chip-enabled, certainly a factor in the low shares of chip authentication, in part because of a business decision not to go to the expense of adding chips to low-value cards.
By this time next year, my view of dipping could have changed again. A large card issuer has announced that all its credit cards will be tap-to-pay (that is, contactless) by mid-2019, so it's possible that my dipping will go the way of swiping.
For me, it feels more natural and faster to insert a chip card than it did a year ago. How about you?
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 12, 2018
If the Password Is Dying, Is the PIN Far Behind?
Back in January, I wrote a post that highlighted the rising incidence of lost-and-stolen card fraud in the United Kingdom. I concluded that the decades-old PIN solution for the card-present environment is now showing signs of weakness. Results of a recent Minneapolis Fed survey of 283 financial institutions offer some validity to my conclusion: the survey found that losses on PIN-based debit increased by 50 percent from 2015 to 2016. In fact, 81 percent of the respondents reported fraud losses from PIN-based debit, compared to only 77 percent for credit cards.
The news wasn't all bad for PIN-based debit. Signature-based debit and credit cards still had more fraud attempts than any other payment instrument. At 63 percent, signature debit fraud actually had a higher increase in fraud losses from 2015 to 2016 than did PIN debit. The PIN is a far superior verification method for card payments, but I'm willing to bet that the PIN, much like the password, has become less effective.
Is this coming at a time when the PIN is about to become more prominent? In late January, the PCI Security Standards Council announced a new security standard for software-based PIN entry, also known as "PIN on glass." This standard specifies the security requirements for accepting a PIN on a mobile point-of-sale device such as a Square card reader.
As an aside, I am a bit surprised by this announcement. Apparently, mobile phones are safe enough for entering PINs, but when someone uses a pay wallet such as Apple Pay or Samsung Pay, the card's PAN, or primary account number, is tokenized for security purposes. I'll save a discussion of this inconsistency for another post.
People have been talking for years now about how the password has passed its prime as a standalone authentication solution. Yet it continues to live, and it's as difficult as ever to mitigate its vulnerabilities. In my opinion, attempts to do so have increased customer friction and had minimal impact. I think the PIN is following a similar path. It creates customer friction (especially for me as I now have different PINs for multiple cards that I struggle to keep straight) and is losing its effectiveness, according to the data I mentioned in the first paragraph. But it appears that, with the PCI's recent announcement, the PIN could become even more prevalent for cardholders. Is it time, in the name of security and customer friction, for us to replace PINs and passwords with more modern authentication technologies such as biometrics?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 16, 2018
Not Just a Card-Not-Present Problem
In 2012, I published a paper that looked at trends in card fraud in several countries that had adopted or were in the later stages of adopting EMV chip cards. The United States is now in the process of adopting EMV, so I am refreshing that paper with an eye towards fraud trends in what are now mature EMV markets. Payments experts know that card-not-present (CNP) fraud will continue to pose challenges that EMV chip cards do not solve, but are there other challenges lurking in these markets that the U.S. payments industry should note?
Although I'm still gathering data, one particular data point from the United Kingdom—lost and stolen fraud—already has me intrigued. In 2016, losses from this type of fraud stood at more than £96 million (about $130 million), up from more than £44 million (about $60 million) in 2010, a 117 percent increase. In 2010, lost and stolen fraud accounted for 12 percent of overall card fraud in that country. By the end of 2016, it had become 16 percent of card fraud. It is now the second leading type of fraud in the United Kingdom, though it still falls far behind CNP fraud, which accounts for 70 percent.
Remember that in the United Kingdom, PIN usage was adopted to mitigate lost and stolen card fraud at the same time that EMV chip cards were implemented. Yet lost and stolen card fraud is up significantly. According to Financial Fraud Action UK, fraudsters are getting their hands on the PINs—a static data element—through distraction tactics and scams. Other factors, such as the proliferation of contactless transactions and those that have no cardholder verification method, could also be drivers of this fraud, as could an increase of reports of lost or stolen fraud that is actually first-party, or "friendly," fraud. EMV has proven to be an effective tool to authenticate cards, but authenticating an individual using a card, even in a card-present environment, remains a challenge.
The lost and stolen fraud figures out of the United Kingdom lead me to believe that cardholder authentication isn't just a CNP problem. Furthermore, the decades-old PIN solution for the card-present environment is now showing signs of weakness. At the same time, to reduce customer friction, many card networks are eliminating signature verification and relying on data analytics to authenticate transactions. Is this a perfect storm for lost and stolen card fraud? Is it the foreshadowing of the emergence of biometrics, or some lesser known technology? Or will I find that this problem is isolated and should not worry us in the United States?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 2, 2018
2017 Year-End Review
In December 2013, the Retail Payments Risk Forum began an annual tradition of authoring an end-of-year post highlighting what we consider to be the most significant payment topics or events of the year. We continued that tradition this year, but we changed our platform, instead covering our top events in our Talk About Payments webinar series. Watch a recording of the webinar's presentation.
We encourage you to listen to the webinar, during which we discussed in more detail the following key payment stories of 2017:
- Fraud schemes
- Data breaches
- Chip migration
- Payments security
- Same-day ACH–phase II
- Person-to-person payments
- Mobile payments
- Virtual currency/Distributed ledger
As we begin 2018, we in the Risk Forum look forward to continuing our efforts to mitigate payments risks through industry collaboration and convening. We will also continue to offer our insights using multiple platforms, including this weekly blog and our quarterly webinar series, Talk About Payments. As always, we value your feedback and comments, so do not hesitate to reach out to any of the Risk Forum team members.
Best wishes for a happy, and fraud-free, new year from all of us at the Retail Payments Risk Forum!