
About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


February 3, 2020

Fuel Pump EMV Chip Liability Shift Looms Large

It has been quite some time since the Retail Payments Risk Forum has blogged about the state of the EMV chip in the United States. Perhaps the lack of coverage is a nod to the success and growth of EMV chip issuance and acceptance since the point-of-sale (POS) and ATM liability shifts that began in 2015 and 2016, respectively. The Federal Reserve's newly released payments study found that 57 percent of in-person card payments in 2018 used chip authentication compared to 2 percent in 2015. Talk about phenomenal progress over a three-year period! Yet there is more to do, and 2020 will be a big year for closing a big gap—EMV chip acceptance at the fuel pump, or what the industry generally calls automated fuel dispensers (AFDs).

In October, all of the global card networks' liability shifts will be implemented for AFDs. As a brief reminder, this liability shift means that petrol retailers will now be responsible for incurring the fraud losses on all non-EMV-chip-authenticated transactions initiated by EMV cards at their pumps. According to several industry associations that represent the convenience and petroleum store industry, this liability shift date will be a challenge for many station operators to meet given a limited availability of EMV-compatible AFDs as well as the technicians to install and certify the machines as EMV ready.

Through the years, the Risk Forum has stressed that criminals tend to gravitate to the easy targets when it comes to committing card fraud, or really any fraud in general. Card skimmers at AFDs pulling data off a card's magnetic stripe have been a major problem for decades. I have no doubt that the fraudsters are fully aware of the impending liability shift and will be stepping up their AFD attacks in 2020 before the window of counterfeit card opportunity closes. Those retailers who are delaying their EMV migration or are unable to migrate by the liability shift date will become giant bull's-eyes. Expected card fraud losses in 2020 for the industry are not inconsequential—one industry association has estimated losses of $451 million. I should also note that the costs faced by the industry to migrate to EMV are also significant, at an estimated $3.9 billion.

After witnessing the successful rush by the industry to implement EMV chip at the POS and ATM, I am confident that the AFD EMV chip implementation ahead of the October liability shift will be a success, but all involved will definitely experience challenges. My confidence stems from the positive momentum I have seen from everyone involved in the payments industry working together for the common good to mitigate card fraud. With counterfeit card fraud losses through June 2019 down by over 60 percent since September 2015, I look forward to seeing even more decreases in counterfeit card fraud following this year's AFD liability shift.

October 15, 2019

The Range of Un-Friendly Fraud

My colleague Doug King recently penned a call to action in a Take On Payments post on friendly fraud. That post was the first we'd written about this issue in more than four years. But the feedback we received about the post echoed our concern that these disputes are becoming more frequent and expanding into new scenarios that clearly indicate that, at least to the merchant community, this type of fraud is anything but friendly.

Further research into this problem indicates a range of reasons for a cardholder to dispute a transaction. The spectrum runs from a well-intentioned misunderstanding to a premeditated effort to avoid paying for the goods or services. Below are some common friendly fraud scenarios.

Merchant description or error: A cardholder may be confused when a company descriptor in the transaction detail does not match the company name they are familiar with, and so disputes a legitimate transaction. Sometimes this happens, as Doug described in his post, if a parent company name is used rather than the d/b/a name, which frequently occurs with online international transactions. Or sometimes the final transaction amount differs from the amount the cardholder thought he or she was supposed to pay because, for example, there was a miscalculation of sales tax or delivery charges. In most cases, the cardholder, upon seeing all the transaction details, remembers the transaction and withdraws the dispute.

Family usage: Family members sometimes use another family member's payment card without permission. For example, a child might use a parent's card to purchase online gaming credits or features, or a sibling might purchase gasoline, clothing, or something else. With ecommerce transactions, many merchants resort to "electronic fingerprinting" of the device used in the transaction to capture the device ID, IP address, and other details for further documentation. Hopefully, with this additional information provided to the cardholder, the cardholder will do some detective work to determine if the transaction should be honored.

Refunds or buyer's remorse: A cardholder with second thoughts about a nonrefundable purchase might deny that they made the transaction—perhaps a store's return policy deadline has passed or the cardholder just doesn't want the trouble of going through the refund process. To help combat this type of chargeback, the card brands all have "compelling evidence" chargeback documentation rules. These rules allow the merchant to provide additional documentation for certain disputes proving that the cardholder either participated in the transaction, actually received the goods or services, or benefited from the transaction. Merchants must be selective about which of these disputes to contest, depending on the transaction amount, the availability of supplemental evidence, and resource costs to collect and provide such evidence.

Criminal theft: A cardholder who understands the chargeback regulations may use them against a merchant, having purchased an item or service with no intention of making payment. The cardholder may falsely claim that goods were never delivered. Some colleagues and I recently spoke with a business owner who operates several casual dining restaurants. Because of a technology interoperability issue with the restaurant management software, the restaurant has not been able to implement EMV chip readers. The owner said that some patrons became aware of the absence of these readers and spread the word to others, to the point that the losses have become significant. Because of the EMV chip liability shift rules, the owner is considered noncompliant and has no defense against the chargebacks.

All these types of friendly fraud are almost impossible to detect upfront, especially those toward the more benign end of the range. For a merchant, having reasonable return policies, fully disclosing them, and hiring exceptional customer service representatives will go a long way with some of the disputes. But to defend themselves from the determined criminal, merchants' or card issuers' only recourse may be keeping a file listing cardholder accounts suspected of repeated friendly fraud claims.

What techniques do you think are most effective in combatting friendly fraud?

August 5, 2019

A Call to Action on Friendly Card Fraud and Loss?

I have recently had two conversations about the topics of friendly fraud and loss, one from a merchant's perspective and another from a financial institution's issuer perspective. Friendly fraud is often used interchangeably with first-party fraud, as was the case in the conversations, but they are quite different. First-party, sometimes called "bust-out," fraud occurs when an individual applies for and receives a loan or credit line with no intention of ever making a payment. (The term "bust-out" comes from when the individual maxes out the credit, getting as much "free" stuff as possible and making no plans to pay.) First-party fraud is generally considered credit fraud and not payment fraud.

Friendly fraud occurs when a cardholder disputes a transaction that the cardholder never intended to pay even though products or services were properly rendered. Sometimes cardholders dispute legitimate transactions that they honestly do not recognize or remember—think of an annual recurring charge that might slip a cardholder's mind, or the merchant name on the statement is the parent company and not the more easily recognized d/b/a store name. If the resolution of such a dispute is such that either the merchant or issuer takes a loss, this is not true payment card fraud but should be classified as a loss rather than fraud.

The two conversations were clearly around friendly fraud and loss situations that are transaction fraud rather than credit account fraud. Both the merchant and financial institution claimed that friendly fraud and loss transactions are growing rapidly yet are not necessarily being properly captured or categorized. One of the organizations even went so far as to suggest that third-party card fraud is being greatly overstated because a significant portion of that fraud is actually friendly fraud and loss, and this mismeasurement is directing fraud discussions and mitigation decisions away from creating ways to better identify and mitigate friendly card fraud and loss.

So I issue a call to action for Take on Payments readers with multiple questions:

  • What is your experience with friendly fraud and loss?
  • Are you able to track these independently of third-party fraud?
  • If so, are you seeing growth in friendly fraud and loss, as the merchant and financial institution stated was happening?
  • What's the driving force in the friendly fraud and loss that you are experiencing?
  • Does this particular fraud warrant more discussion by the industry, and in particular the Risk Forum, as it has not been an area of focus of ours relative to third-party card fraud?

Feel free to email me at douglas.a.king@atl.frb.org or use the comment button below. I would greatly value your thoughts on this topic.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


April 29, 2019

Next-Gen Security

In early April in Boston, I happened by the annual conference and competition of the Massachusetts School Bank Association (MSBA). Two hundred eighty-four students from 30 high schools competed in three segments: product design, marketing, and a quiz show that covered financial literacy topics. The MSBA is an association of schools with financial literacy programs and financial institutions that operate educational branch offices in schools.

I learned that next-gen security is firmly within the sights of the next gen of Massachusetts bankers. The conference theme of “personal financial security” played out in each segment. It was clear that the organizers—high school teachers and executives at financial institutions—had the financial safety of the next gen firmly in view:

  • The trivia contest consisted of general banking and personal finance questions including questions related to identity theft awareness, financial fraud, and financial cybersecurity.
  • The marketing challenge tackled the need to educate customers about security and, according to the prompt, "the need to use good security practices and tools to protect [customers] from identity theft and/or fraudulent use of their accounts."
  • In product design, the winning team from Taunton High School designed an app to help students determine if they were more or less likely to be victims of identity theft.

I chatted with students from Chelsea High School about their app: "Are you smarter than a fraudster?" Teaching others is a good way to learn yourself, and these young people were on top of best practices for protecting their payment cards (don't give out info in email or on the phone), preventing identity theft (shred documents), and keeping email safe (don't click on links from unknown parties).

When they aren't designing apps, the Chelsea students work as interns at the Chelsea High School branch of Metro Credit Union.

What is your bank doing to educate the next gen of security ninjas?