The Federal Reserve Bank of Atlanta Retail Payments Risk Forum
Conference on Technology in Payments Innovation
October 15–16, 2012
Welcome and opening remarks
Federal Reserve Bank of Atlanta President and CEO Dennis Lockhart opened the day's events and welcomed conference attendees by noting the diversity in the stakeholders represented by speakers on the agenda. It is noteworthy that the theme of the conference, technology in retail payment innovations, should include representatives of telecommunication firms, airlines, encryption research, and even coffee house retailing, in addition to the more traditional payments players.
Lockhart described the Federal Reserve System's role as a central bank in the country's retail payments system. One very important role filled by the Fed is a payments operator role, one of two of the country's providers of ACH transfer services. But more importantly, the Fed is the country's guardian of financial stability, preserving the integrity of both the retail and wholesale payments systems. This responsibility is multidimensional as it requires attention to important issues such as readiness for natural disasters and defense against cyberattacks. Lockhart stressed that the Fed recognizes that the financial security of the U.S. payments system is an element of vital national infrastructure, analogous to the electrical grid or our communications systems.
While the Fed's financial stability role has national strategy overtones, he said, it is not intended to stifle innovation and competition. Instead, the Fed supports a market-oriented approach to payment developments. Lockhart feels this approach is working well, as evidenced by the numerous small innovators in payments today. Payments technology using telephony is advancing rapidly, perhaps more rapidly than regulatory oversight and risk management. New portals to the payments system create a new risk environment, Lockhart noted. Payments technology is increasingly outsourced by larger stakeholders allowing small innovators to participate. The fast pace of change creates challenges for standard development bodies concerned with ensuring technical interoperability and security. It is also arguable that financial institutions, as traditional payment service providers, have a lower risk tolerance in the current environment, as well as more rigorous compliance regime.
In conclusion, the Federal Reserve recognizes it plays an important role as a neutral convener of industry participants, bringing together diverse stakeholders to discuss the implications of technological developments and their impacts on the emerging payments landscape.
Panel 1: Technology developments in card-based payments
Speakers:
Jeff Bohlin; Director, Product Strategy; WorldPay
Drago Dzerve; Director, Business Development; Verifone Inc.
Bonnie Holland; Manager, Payment Processing, Accounting, and Reporting; Delta Airlines
Whitney Stewart; Mass Market Segment and Value-Added Services Executive; SunTrust Bank (Moderator)
Despite the emergence of new and innovative form factors, legacy plastic cards will remain important tools for credit, debit, and prepaid payments. This panel discussion focused on more secure technologies for card payments in the United States. Duplicate card fraud, resulting from data breaches, is a big problem today for both merchants and financial institutions. Counterfeit fraud reportedly represents about 60 percent of an estimated $8.6 billion of annual card fraud.
The card industry is contemplating a move from less secure magnetic-stripe technology. The panel explored the benefits and disadvantages of EMV standards for contact and contactless chip technology. Panelists agreed that EMV adoption will be an effective measure to combat counterfeit card fraud. However, EMV is still ineffective against card-not-present fraud, a scheme that generally involves unauthorized access to card data and subsequent fraudulent transactions online.
Other countries experienced a shift in fraud to card-not-present environments after they migrated to EMV chip payments from mag-stripe cards. As the United States looks ahead to an EMV migration, the industry must consider potential solutions to address a similar shift.
In addition, a holistic approach to fraud mitigation in an EMV environment will require additional data analytical systems and tools, including the use of end-to-end encryption and tokenization. If EMV technology is implemented with PIN, as opposed to signature, cardholder verification, the incidence of unauthorized transactions associated with lost or stolen cards—many of which occur in a card-not-present environment—may decline as well.
The U.S. EMV migration plans announced by the payment card brands do not require PIN authentication, which allows for the less secure signature-based verification methods. Many in the industry support PIN over other authentication methods, so signature authentication continues to spur controversy. The EMV migration plans also reduce PCI audit requirements—but EMV technology is not a silver bullet for PCI compliance, as primary account number data is still presented in the clear. Therefore, the PCI guidance is still relevant and important in an EMV environment.
In conclusion, card-not-present fraud is expected to grow in the wake of a U.S. EMV migration—fraud moves to the path of least resistance. Organizations are pursuing new authentication technologies to mitigate risk. However, in the short term, the costs and potential negative customer experiences may represent barriers to the adoption of new security solutions. In the longer term, they make customer education increasingly critical. Success in reducing card-not-present fraud will likely rely on tools that use big data and offer real-time transaction analysis.
Panel 2: The evolution of technology standards in retail payments
Speakers:
Chris Conn, Future Banking Initiatives Manager, SWIFT
Marianne Crowe, Vice President, Federal Reserve Bank of Boston
Scott Forbes, Director, Cryptography Research Inc.
Cynthia Fuller, Executive Director, X9
In a highly innovative and dynamic retail payments industry, technology standards build consensus and help make payment network adoption successful. At the same time, the myriad of new market solutions, patent issues, and standards bodies themselves in the ecosystem challenges industry cooperation and consensus building.
A key challenge for effective standards development, noted this panel, lies in the mere fact that a finite number of companies are inclined to adopt and adhere to emerging standards, while notable new players today are disrupting the payments landscape with new innovative services. These new players do not care about standards established for the industry at large as they create new products. In fact, those standards are sometimes rendered obsolete with the emergence of more advanced technologies.
Another challenge lies in the development of standards, because developing standards requires consensus. As a result, making decisions and changes can be slow. In some foreign markets, the government sets standards, which sidesteps having to achieve industry consensus and therefore ultimately creates benefits for consumers. However, as Lockhart noted in his opening remarks, the United States has not adopted such an approach.
Financial institutions have proven to be collaborative in standard-setting development. For example, SWIFT, as an open network, needs rules, service levels, and standards to ensure that it functions as an open network. But it allows stakeholders to customize endpoints for their customers. X9 is also an open-consensus body. ANSI, the overarching international standards organization insists only that X9 reach consensus. Many standards become international standards through the ISO standards body as a connection point. X9 has a payments committee that addresses wire, cards, and mobile payments, as well as a data security committee. Of all the standards developed through these committees, the data security standards change most frequently. They also have a corporate specifications committee.
The standards body ISO 20022 is progressing in the online environment, and X9 is considering the potential need for a U.S. EMV standard, in light of the payment card networks' planned EMV migration. But there are many standards bodies in the payments space. Furthermore, developing an industry standard can take a significant amount of time. Even then standards can become obsolete in the face of a new product or service that achieves market acceptance without conforming to an existing standard. In many instances however, when the industry truly galvanizes behind a standard initiative, it can achieve progress quickly. Standard implementation, as opposed to development, clearly takes more time.
In fact, the panel noted that technology is so flexible that standards may serve a less viable role in payment development. However, companies assume risk when they don't build on top of basic standards so most will innovate on top of existing standards. One example is biometrics, a science with many established governing technical standards that could be used more for authentication. Standards in the mobile channel are drawing on competing standards for marketing, security, and data privacy.
Panelists reiterated that in some markets, government has mandated standards. In the United States, the industry is being left to establish standards on its own through natural market dynamics, generally absent government intervention. In an environment with slow standard development alongside new technological developments, the industry is being forced to fall back on older standards that may not provide comprehensive governance. This situation is important to consider in light of the convergence of low- and high-value payments and the emergence of real time person-to-person payments.
The industry should consider some important questions with respect to how payments become final and whether or not they continue to ride existing rails. The existing payments infrastructure works well, and is subject to standards. Every new innovation at this point is being built on top of this established base. The bigger concern facing new industry participants is not so much related to standards as it is regulatory infrastructure.
Panel 3: Mobile payment developments at the point of sale
Speakers:
Jody Chafee, Esq, Director, Corporate Counsel, Starbucks
Bengt Horsma, Head of Mobile Enablement Services, Visa
Jack Jania, Senior Vice President/General Manager of Secure Transactions, Gemalto North America
Marc Keller, Global Director of Digital Networks and Mobile, Citigroup
This expert panel reviewed technological developments in using the mobile channel at the point of sale. Despite lackluster acceptance by merchants and consumers, 2012 witnessed the rollout of several mobile wallet initiatives. Panelists discussed challenges in mobile payments presented by the many disruptive product deployments.
Dynamic technologies and complex business models generally create a confusing payments ecosystem. There are many types of mobile, point-of-sale deployments beyond what was initially conceived. Initial solutions were conceived as card emulation payment services, using near-field communication (NFC) chip technology embedded in a phone's SIM card or micro SD card. However, more recent offerings are not relying on NFC. Technology providers are developing less expensive solutions in response to industry concern, particularly among merchants, for NFC chip supported payments at the point of sale. As a result, no one solution has so far filled the need for a uniform, ubiquitous system that can ensure both interoperability and security.
There remain numerous unknowns in many of the new solutions. Still, the use of bar codes, QR codes, and the emergence of new, closed-loop mobile payment systems are interesting initiatives.
Along with unknowns come misperceptions For example, questions often arise about the ease with which NFC-enabled chip payments—initiated with a plastic card or other access device—can be unknowingly breached. In fact, NFC can only be read within four centimeters. The dynamic nature of the authentication technology prevents counterfeit fraud that plagues the use of magnetic-stripe card technology. Another little-known fact is that NFC-enabled phones can get power without the mobile phone having power. A lack of phone power has often been raised as a potential concern for mobile payments.
In many of the new mobile payment deployments, the payment card information is stored on a secure element in the mobile device, such as the SIM card. The credentialing in the SIM can be electronically altered over the air to accommodate a change in card holder data and identification. Looking forward, this process is much faster and cheaper than reissuing plastic cards, as is done today after numerous highly publicized card data breaches. The panel agreed that card data breaches are a significant problem, and that EMV standard chip payments, being more secure than legacy magnetic stripe-enabled payments, represent a viable mitigant.
EMV migration is top of mind in the payments business these days. This is especially true with the card network-imposed deadlines looming for merchants and issuers to migrate to EMV-compliant systems. As a result, merchants and banks must consider numerous variables. For bank card issuers, the EMV implementation upgrade for back-office operations is a daunting prospect. Meanwhile, the merchant faces significant capital investment for new payment terminal infrastructure.
There is also confusion surrounding the distinction between NFC and EMV. EMV represents payment specifications for the card networks that have been transported to an NFC-enabled environment which relies on RFID for basic communication. NFC has the capacity to work even if the access device, say a mobile phone, is unpowered, because it adds radio communication capability. Industry discussions also focus on where in the handset the technology should be. Telecom firms, phone manufacturers and banks prefer either the SIM or the micro SD. Another concern with new NFC-enabled phones is that, while they are supported by telecom firms and the card brands, the certification process will be at issue, and the industry will require more technical expertise to certify mobile devices.
So complexity in the ecosystem creates challenges in building a scalable network in the near-term. But huge opportunities exist in the growing number of people worldwide who have phones but no bank account. New business cases are emerging to serve the unbanked. It is interesting that as the mobile channel has evolved, with banks fighting card network brands over deployment strategy, Starbucks achieved a huge consumer loyalty play with a closed-loop stored value payment system using bar code readers.
The Starbucks story is instructive, as the business case for using the mobile channel centered on addressing loyalty rewards with its stored value card system. Customers paying at the point of sale with their Starbucks cards could not access their balances or rewards points. So Starbucks created a mobile app for their stored-value cards to enable customers to make purchases, but also to track loyalty rewards and to speed up service lines. Starbucks quickly added features to the app, from downloading a free song via iTunes to applying for a barista job. The app uses bar code technology instead of embedded chips to access stored payment data. If a customer loses their phone, it can be reset over the air, by reloading value accessible through the mobile app. For the mobile rollout, Starbucks installed terminals with barcode readers in its 7,000 company-owned U.S. locations and the 2,000 licensed stores in airports and other retail stores.
Loyalty and location drove Starbucks to go mobile. The payments success, while huge, was a pleasant surprise. In June 2011, customers loaded $300,000, with $335,000 in redemptions. Ultimately, Starbucks served a higher market need by getting people used to paying with a phone.
With respect to mobile wallet developments, the new business models are complex and constantly changing, and the supporting business case is not always obvious. At this nascent stage in mobile wallet development, revenues and costs are hard to predict. Some mobile wallet partners will try to legitimately monetize data from transactions. Others will want to own a part of the contactless chip containing certain payment credentials and functionality. Banks generally want to stick to their knitting, merely using the mobile phone as an analogue to the cobranded card.
Aside from the banks, digital start-ups are developing exciting solutions. One example is Square, which "accomplished something that merchant acquirers were unable or unwilling to do before"—it offered small business operators the ability to use their mobile devices to accept payments. While Square and similar new technologies won't easily achieve scale, the potential for disintermediation for banks should be taken seriously.
Ultimately, however, the focus at the point of sale will be the convergence of innovation and security. And while mobile payments may happen through solutions that do not rely on NFC, this may eventually be the winning technology. NFC is complementary to the EMV standard that the world is embracing for a more secure card-based payment environment. Panelists described NFC technology in the context of different world trends—watches are slowly going away, and the mobile channel in Latin America is growing. In fact, there are more mobile phones than toothbrushes in Brazil. And NFC is enabling more than a chip on a payment card, driving more holistic business use cases.
Future industry discussions of security will center on trusted service manager (TSM) platforms, their function and their regulatory oversight, and the implications of those issues on payments at the point-of-sale. We are seeing different types of TSMs evolve for the different technology platforms banks will use.
With the card brands' recent announcements of U.S. EMV migration, the industry will see a changing point of sale environment. Speaking mainly of an online versus offline card payment acceptance network, multiple versions of EMV standards can be run. EMV-based transactions support larger amounts of data than magnetic-stripe transactions, which means that payment processors and issuers will need to upgrade their back-office operations. That will be time-consuming and expensive. However, from a security standpoint, EMV-enabled payments are superior as EMV cards cannot be easily cloned. That is largely because each transaction processes information through a specific algorithm. The few hacks that have been documented were done in labs. That shows that man-in-the-middle attacks are too difficult for the payoff, since the dynamic nature of the encrypted data makes the hack food for only one transaction.
In conclusion, NFC technology augments EMV standards, and together they represent a much more secure environment than that in the United States today.
Panel 4: Technology trends in mobile payment transfers
Speakers:
Eric Barbier, Chief Executive Officer, TransferTo
Nick LeCuyer, Vice President, Strategy and Distribution, Western Union
Bill Maurer, Director, Institute for Money, Technology, and Financial Inclusion, University of California, Irvine
Mobile payment developments in the United States have centered on the merchant's point of sale. But remote mobile payments, or person-to-person mobile transfers, are also taking form as a business model. Consequently, many new nonbank players are entering the money transmission space hoping to leverage new mobile technologies. This panel explored domestic and cross-border mobile transfer payment activity, analyzing the changing roles of payment service providers and the future regulatory and policy considerations.
We are seeing a huge paradigm shift in mobile money. Before 2007, mobile money in the developing world began with airtime credits exchanged via text messages. This activity gave rise to M Pesa, and provided the use case to evolve to money transfer and expanded financial inclusion. Telecommunication firms in developing markets are pushing the direct top-up of airtime because it is cheaper for mobile network operators, through agents, to manage the liquidity than in business models that engage a traditional retailer. So while some mobile money business models are being used to convert airtime to payments, the primary use of airtime transfer is still for the recipient to use to make phone calls.
Airtime remittance has emerged as a viable business because money transfer costs make it impractical to send very small amounts of money abroad. Money transfer fees are not suited to very small values in prepaid models, especially with 75 percent of the world's mobile subscribers prepaid. These airtime transfers can be as small as 10 cents in value, a transfer that was not possible in traditional channels. The average transfer is $2 to $10, a large sum in emerging countries. Airtime transfers serve as a natural complement to cash remittances, acting as a transfer of value which is less easily eroded with fees because there's no need to convert the airtime to cash. In some countries, the only infrastructure is the phone company and the post office. This is why the remittance company Western Union has partnered with mobile operators to use their networks.
For many consumers, it makes sense to transfer air time because of the ubiquity of mobile handsets and the developing world's growing dependence on wireless communications. Transferring prepaid airtime in most markets is much less costly than traditional remittances that involve transfer and foreign exchange fees. In airtime transfer there is a small cost to the sender, which translates to a huge value for the recipient. Globally, most mobile services are prepaid, roughly $4.5 billion of a $6 billion market. Another feature of airtime transfer businesses is that airtime can be sent to multiple recipients, whereas a traditional remittance is generally larger and sent to only one recipient. In most markets in the world, however, airtime is not cashed out of the phone, in part because of the liquidity management challenges born by the agents of the mobile money transfer provider.
TransferTo provides an international top-up solution designed to solve the problem of sending a small monetary gift back across a border. As a global airtime remittance hub that connects mobile operators' prepaid systems, TransferTo's model offers individuals less expensive transactions than do traditional remittance providers. The use case for international airtime top-up is driven by ubiquitous mobile usage and rapidly growing Internet access across the globe.
Western Union brings interoperability to multiple platforms with two distinct approaches to its mobile product. First, there's the Western Union service delivered via another provider's mobile wallet. Second, Western Union delivers service through its proprietary products. The company sees a justification for mobile money transfer because of size. Their average mobile transaction is between about $150 and $165, which is considerably smaller than a traditional transaction of $350.
Western Union is seeing the commercialization of the mobile channel simplified as a result of mobile applications that can bypass the mobile network operators. Western Union is actively participating with telecom firms in emerging markets. However, in the United States, where the financial system is much more developed, they are realizing more success with smartphone apps that customers can download as opposed to getting them online. This system uses Western Union's same backroom processing.
Western Union as a traditional remittance provider is providing prepaid cards in the mobile channel. The company has established agreements with mobile network operators all over the world. To Western Union, from a legal and technical perspective, telecoms are really prepaid cards "in masquerade." New financial inclusion initiatives have been inspired by the success of airtime credits in emerging countries, such as the M Pesa example in Kenya, and are heading down two distinct paths in the mobile channel—microlending and microsavings. M Pesa is one of Western Union's most successful partners.
The M Pesa payment sender buys airtime from the agent, who sends a text message with a code to load the value onto the phone for sending to another consumer. However, so far, M Pesa has not morphed into a more expansive financial service, despite some expectations that it would do so. Instead, Kenyan consumers are loading value to pay for specific expenses in the future rather than using the mobile phone as a savings mechanism. In this country, cash is still king. That said, innovation continues. New participants continue to enter the market with third-party solutions. For example, Kopo Kopo is an intermediary that layers its services onto the mobile operator to enable merchants to accept M Pesa for goods and services.
Industry experts question whether or not such developments do in fact signal the potential development of airtime as a new form of payment rail. In this instance, airtime actually works as a payment over the mobile network. In the near term, such a development is unlikely, mostly because of interoperability issues both domestically and across the border. In order to be successful, such payment systems must be scalable, and therefore "siloed" infrastructures cannot exist.
Emerging airtime business models will likely drive the creation of new participants and shifting roles of the issuers, acquirers, and processors. Mobile transfer businesses are deployed in multiple delivery models for topping up mobile phone value, including banks, mobile operators, and retail kiosks. Although the industry can expect many developments in delivery models, many questions remain concerning airtime as a possible remittance because of the complications involved in cashing out the airtime value. Still, history offers analogies between airtime transfers and the ATM networks. The initial impetus was the same—to achieve cost savings as opposed to generating profit. The regulatory environment is drawing a lot of attention with bank-centric regulatory schemes applied to the mobile channel.
Panel 5: Technology threats and mitigants in electronic payment systems
Speakers:
Debbie Peace, Chief Executive Officer, ACH Alert
Steve Robb, Senior Vice President or Products and Services, Control Scan
Terri Sands, Senior Vice President, Electronic Banking and Fraud Management, State Bank and Trust
Murray Walton, Chief Risk Officer, Fiserv
Moderator: Richard Fraher, Vice President and Counsel to the Retail Payments Office, Federal Reserve Bank of Atlanta
Whether through scams such as "Obama Will Pay Your Bills" or corporate account takeovers, criminals are increasingly using electronic payments networks to perpetrate fraud. They are using advanced technology to facilitate more sophisticated scams, sometimes even with the help of unwitting consumers. This panel explored how stakeholders can harness technology to develop better risk management solutions.
Technology can bolster fraud resilience and detection through transaction validation and behavior monitoring. At the same time, solid processes and sharp people are also needed. Numerous fraud threats may come from different angles, targeting both consumers and businesses. Often, players in the payments industry are their own worst enemy. Sound risk management programs and effective managerial oversight of those programs is essential. For example, the growing use of "big data" is a popular theme in discussion around fraud prevention, but this data must be real time and adaptable.
State Bank and Trust conducted an enterprise-wide risk assessment of the organization. The assessment subsequently led to the organization taking a consolidated approach to fraud. Now all payments streams have fraud considerations, and the company is taking a layered approach to fraud detection. For example, it now requires its corporate customers to use malware detection software. It has also trained staff to recognize and investigate red flags to recognize fraud more quickly. These practices extend to recognizing internal fraud as well.
The bank even requires its customers to undergo training. Consumers often lack understanding about use of privacy controls and as a result fall victim to social engineering schemes.
With new fraud schemes and the increasingly industrialized nature of hacking, resiliency and ultimately confidence in the financial system is at stake. Expanded connectivity creates broader surface of vulnerability with cloud computing, which can create more opportunities for hackers. The hacking community has changed its complexion, moving from gangs and organized crime to "hacktivitists" and state-sponsored entities with entirely different motivations for their system intrusions and associated financial crimes. They are advancing their schemes with training offered through YouTube videos. Because the United States is frequently targeted, the industry must keep an eye on advancing security controls.
Social engineering and cyberattacks can be hard to detect, as most sites that are hacked and taken over are actually authentic websites. Risk management requires critical detection and mitigation efforts using technology as a weapon against fraud. Technology is the driver of financial stability. Resilience is verifiable through due diligence and vendor management, validated by PCI standards and guidance. Fraud detection should address growing vulnerabilities in web applications and remediation through vulnerability patching. Corporate and retail customers need strong authentication for all access points to systems, including passwords and challenge questions. Finally, financial institutions must employ transaction validation to ensure enforcement of rules and limits as well as detection and management of fraud. Ultimately, this is the result of big data in action.