Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
February 27, 2017
Wouldn't It Be Nice to Tap and Pay?
In the mid-2000s, after setting up a new checking account following a move, I received a debit card that, in addition to the magnetic stripe, had contactless functionality. I remember thinking how "cool" this feature would be, not having to swipe the magnetic stripe but simply tapping the card on the point-of-sale (POS) terminal. However, I quickly became disappointed, as I couldn't use the tap functionality in most places that I shopped. In the few places that did allow for taps, I don't recall the tap ever working properly. After a few months, I never attempted to tap it again and reverted to the traditional swipe.
Fast forward to 2017, and contactless card usage is surging in the United Kingdom, Australia, and Canada while remaining all but nonexistent in the United States. In November 2016, contactless cards accounted for nearly 25 percent of all card payments in the United Kingdom, up from 11 percent since November 2015. In Australia, Visa reported that 75 percent of face-to-face transactions over their network happen via their contactless solution. And in Canada, 99 percent of Mastercard's consumer credit cards are contactless-enabled. A 2016 report found that Canadian consumers were frustrated by merchants that didn't accept contactless payments. All of these countries have also gone through a migration of their payments cards to EMV chip cards. Did the United States miss a great opportunity when chip cards replaced the magnetic-stripe-only payment cards?
Interestingly, in these markets where contactless card adoption rates are surging, contactless cards are leading the contactless payment push ahead of mobile payments. In the United States, we are heading in the opposite direction, with mobile contactless attempting, and struggling, to get traction. No doubt, mobile is the more challenging environment, with a variety of form factors (iPhone, GalaxyS7, Pixel, and more), different ways that the form factor can interact with the POS terminal (such as near-field communication, magnetic source transmission, and barcode), and a variety of different wallets compatible with the different form factors. With a contactless card, you get one form factor—a card—and one method of contactless interaction. (Multiple-interface cards can still be swiped or dipped at the POS.)
I am convinced that the investments made in mobile contactless to this point are one of several factors holding up this country's transition to a contactless card environment. Consumers are confused by the experience and merchants and issuers are struggling with the wide range of options to consider, such as which wallets to enable and which technologies to support. Contactless cards have the ability to create a ubiquitous experience for both consumers and merchants. And this writer believes that a payment experience can't get any easier than a tap of the card.
It's hard for me to believe that it has been 20 years since I received my keychain Speedpass fob. I have positive memories of the simple and seamless transactions that I experienced when purchasing gas by touching the contactless fob to the gas pump reader. Unfortunately, I moved to a location with very few stations that accepted my fob. I always wished that I could have a similar experience for other purchases. Contactless cards allow for that and in a much easier and simpler fashion than my mobile phone allows. So can we get on with contactless cards? I am ready to tap and pay everywhere. Are you?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 21, 2017
The Social Benefits of Biometrics
Based on my experience, most discussions about the authentication of individuals using a biometric modality (such as fingerprints, or voice or facial recognition) often just focus on key issues such as reliability, security, ease of use, cost, and privacy concerns. Certainly these are important issues, but one that is often omitted in the conversation is the use of a biometrics system for health and safety purposes.
My wife and I were recently blessed with the birth of our fifth grandchild, a beautiful baby girl. During the hospital visit, the risk management side of me evaluated the security aspects of the facility. What methods prevent the accidental swapping of babies or the theft of a newborn? While the frequency of such incidents in developed countries is very low, it is a more challenging issue in developing countries where medical recordkeeping is often minimal and limited to paper documents.
Talking to the hospital staff, I found out they have a number of safeguards in place to ensure the right baby is with the right mother:
- Wristbands with barcodes that have to be scanned each time the nurse visits their room
- An embedded RFID transmitter in a cut-resistant bracelet on the baby's leg that allows staff to see on a locational display where the baby is at any time and to sound an alarm if the infant is taken outside the protective area
These systems link the baby to the mother, but what actually documents the identity of the baby? The paper card with the baby's left and right footprints and the mother's right thumbprint has been used for decades, but is that sufficient for the future?
This issue of infant authentication reminded me of a presentation I recently attended given by noted educator and biometrics researcher Professor Anil Jain at Michigan State University. Jain and his team worked under a grant from the Bill and Melinda Gates Foundation to develop a reliable, low-cost authentication process for young children. The primary purpose was to enable the tracking of children's vaccination schedules to ensure that the right child receives the full regimen of immunizations. One of the critical issues Jain and his team faced is the difficulty in obtaining usable fingerprints from newborns—the skin on their fingertips is pliable, which results in poor contrast between the pattern of their ridges and valleys.
The goal of the research program was to determine the earliest possible age at which reliable fingerprints could be obtained using current technology. Using a high-resolution optical reader providing a fast capture rate (infants don't like to be still for very long), the research team found that fingerprint enrollment for children older than six months provides acceptance rates of 99 percent. This method can potentially serve as a reliable authentication method for the remainder of their life. Coupled with the creation of an electronic health registry, the health care worker needs only to scan a child's finger to bring up immunization records and determine any future vaccinations required. You can find a short presentation of Jain's work here.
While the public is likely to continue to question the overall benefits of biometrics, Jain's work shows an additional use for biometrics technology. Where else might biometric programs be applied?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 13, 2017
The Five-Star That Flops
For the most rabid college football fans, a major day just occurred—National Signing Day, the day when high school seniors sign scholarship papers to attend their colleges of choice. Not only have these seniors been evaluated by coaches, but also entire websites are devoted to their evaluation and ranking using a star-based system, with a five-star player being a top-rated, can't-miss player. Traditionally, much fanfare accompanies these players, and media and fans shower them with attention. Many times, these five-star players go on to accomplish great things at their respective schools, but sometimes they are "busts," failing to live up to lofty expectations and making minimal or no impact for their team. Unfortunately, my college team has had its fair share of five-star busts. Because of being let down, I no longer get caught up in recruiting rankings and I don't fret about the big recruit that got away. And in 2017, this is my new attitude when it comes to mobile payments at the point of sale, or POS.
I've been in the payments industry for a decade, and for over half of that time, I've been hearing and reading how mobile payments are going to change the POS experience. I've heard major announcements about new mobile payment wallets, from Apple Pay to Samsung Pay, and platforms, such as LevelUp, time and time again. I have overheard conversations with contemporaries and colleagues about the latest and greatest mobile solution that will forever change my experience at the POS.
But in 2017, I am not hearing any of this anymore because I am tuning it out. Oh, I am sure that I could attend a conference this year and within the first hour, someone would state that 2017 is the year of mobile payments. But after hearing about the next great mobile wallet or that this wallet will finally bring mobile payments to scale repeatedly, year after year (you get my tone by now), I am no longer getting caught up in the hype around using my phone instead of a card at the POS.
However, I will continue to get excited about mobile commerce opportunities. With more and more people shopping on their mobile phones and tablets, apps and in-browser platforms are making that experience so much better. When picking up a coffee on my way to the office or grabbing a chicken sandwich for lunch after ordering ahead on my mobile phone, I always wonder to myself, why are all those people standing in line? (I am a bit worried, and apparently rightfully so, that as more people use order-ahead features, that pick-up line might grow to be worse than the traditional ordering line.) During the Christmas season, I purchased many gifts on my mobile phone, and that experience was almost always simple and seamless—unlike in years past, when it was a bit cumbersome.
Using my phone to order ahead or shop online has truly simplified my life, unlike using my phone as a replacement to a card at the POS. With so much hype around mobile at the POS, I believe that many people only relate mobile payments to this use case, but it is so much broader. And I believe the mobile commerce piece is akin to the unheralded two-star recruit who goes on to lead his team to the national championship. What do you think 2017 entails for mobile and its place in payments and commerce?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 6, 2017
ACH: No Trace Left Behind
In my payments research role, I believe that one problem with ACH is the lack of any definitive method for identifying a payment and any associated return, dishonored return, or contested-dishonored return using only the existing 15-digit trace number. Ideally, the trace number alone should facilitate the correct retrieval of payment or return details even if other payments contain duplicate payment details, such as for recurring payments.
This PDF file contains an image that outlines the complex web of relationships that can be used to trace back returns to the original payment. Without the benefit of a unique trace number, the identification of the original payment could involve using common data elements to minimize misidentifying the payment.
A unique trace number would offer the following advantages:
- Unambiguously identify a specific payment
- Facilitate tracking features similar to what is available from package delivery services such as transmittal, settlement and receipt date/time, and similar tracking of any associated return(s)
- Enhance risk-monitoring capability
- Simplify reconciliation and auditing
- Flag or prevent a return from settling before its associated forward payment
- Identify "orphan" returns sent across the public network when the original payment was sent privately between financial institutions (FI)
- Link together forward and return payments for certain international payment applications that are not possible today
Under NACHA rules, the FI originating the payment assigns a unique 15-digit trace number; the trace number's uniqueness is necessary to differentiate each payment in the batch. Uniqueness is not mandated across payments in other batches in the same payments file. Consequently, a trace number could be repeated in multiple payment files on the same day or across many days—and, even more troublesome, within the same payments file. NACHA strives for uniqueness by mating the trace number with an associated batch number, transmission (file creation) date, and a file ID modifier. Unfortunately, any return of a payment only passes along the original trace number without the benefit of the mated data.
A possible solution that could overcome the current limitations of the trace number would be a one-time-use, ACH-operator-assigned, 15-character alphanumeric trace number. When the originating network operator receives a file, the operator would replace the FI trace number with a unique trace number that he or she would forward to the receiving FI. Any return sent back to the originating FI would have the unique operator trace number converted back to the original FI trace number. For convenience, a cross-reference file associating operator trace numbers with FI trace numbers could help facilitate non-network communication between originating and receiving banks.
Operators could guarantee uniqueness by allowing an operator trace number to contain digits and upper and lowercase letters. Expanding to a 62-character set results in over 3.5 trillion distinct values using the last seven characters of the trace number (the first eight characters are the originating FI's routing and transit number). Further requiring at least one non-numeric character allows differentiation with FI numeric-only trace numbers.
What are your views on the benefits and disadvantages of non-repeatable trace numbers?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- Calculating Fraud: Part 2
- Watching Your Behavior
- Responsible Innovation Part 1: Can Community Banks Remain Competitive?
- The Year(s) of Ransomware
- What Canada Knows That We Don't
- Calculating Fraud: Part 1
- Additional Authentication: Is the Protection Worth the Hassle?
- Would Consumers Ever Give Up Their Passwords?
- Will the Password Ever Die? Part 1
- Catch Me If You Can
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud