About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

February 27, 2017


Wouldn't It Be Nice to Tap and Pay?

In the mid-2000s, after setting up a new checking account following a move, I received a debit card that, in addition to the magnetic stripe, had contactless functionality. I remember thinking how "cool" this feature would be, not having to swipe the magnetic stripe but simply tapping the card on the point-of-sale (POS) terminal. However, I quickly became disappointed, as I couldn't use the tap functionality in most places that I shopped. In the few places that did allow for taps, I don't recall the tap ever working properly. After a few months, I never attempted to tap it again and reverted to the traditional swipe.

Fast forward to 2017, and contactless card usage is surging in the United Kingdom, Australia, and Canada while remaining all but nonexistent in the United States. In November 2016, contactless cards accounted for nearly 25 percent of all card payments in the United Kingdom, up from 11 percent since November 2015. In Australia, Visa reported that 75 percent of face-to-face transactions over their network happen via their contactless solution. And in Canada, 99 percent of Mastercard's consumer credit cards are contactless-enabled. A 2016 report found that Canadian consumers were frustrated by merchants that didn't accept contactless payments. All of these countries have also gone through a migration of their payments cards to EMV chip cards. Did the United States miss a great opportunity when chip cards replaced the magnetic-stripe-only payment cards?

Interestingly, in these markets where contactless card adoption rates are surging, contactless cards are leading the contactless payment push ahead of mobile payments. In the United States, we are heading in the opposite direction, with mobile contactless attempting, and struggling, to get traction. No doubt, mobile is the more challenging environment, with a variety of form factors (iPhone, GalaxyS7, Pixel, and more), different ways that the form factor can interact with the POS terminal (such as near-field communication, magnetic source transmission, and barcode), and a variety of different wallets compatible with the different form factors. With a contactless card, you get one form factor—a card—and one method of contactless interaction. (Multiple-interface cards can still be swiped or dipped at the POS.)

I am convinced that the investments made in mobile contactless to this point are one of several factors holding up this country's transition to a contactless card environment. Consumers are confused by the experience and merchants and issuers are struggling with the wide range of options to consider, such as which wallets to enable and which technologies to support. Contactless cards have the ability to create a ubiquitous experience for both consumers and merchants. And this writer believes that a payment experience can't get any easier than a tap of the card.

It's hard for me to believe that it has been 20 years since I received my keychain Speedpass fob. I have positive memories of the simple and seamless transactions that I experienced when purchasing gas by touching the contactless fob to the gas pump reader. Unfortunately, I moved to a location with very few stations that accepted my fob. I always wished that I could have a similar experience for other purchases. Contactless cards allow for that and in a much easier and simpler fashion than my mobile phone allows. So can we get on with contactless cards? I am ready to tap and pay everywhere. Are you?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 27, 2017 in chip-and-pin, contactless, debit cards, EMV, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 9, 2017


The Year in Review

As we move into 2017, the Take on Payments team would like to share its perspectives of major payment-related events and issues that took place in the United States in 2016, in no particular order of importance.

Cybersecurity Moves to Forefront—While cyber protection is certainly not new, the increased frequency and sophistication of cyber threats in 2016 accelerated the need for financial services enterprises, businesses, and governmental agencies to step up their external and internal defenses with more staff and better protection and detection tools. The federal government released a Cybersecurity National Action Plan and established the Federal Chief Information Security Office position to oversee governmental agencies' management of cybersecurity and protection of critical infrastructure.

Same-Day ACH—Last September, NACHA's three-phase rules change took effect, mandating initially a credit-only same-day ACH service. It is uncertain this early whether NACHA will meet its expectations of same-day ACH garnering 1 percent of total ACH payment volume by October 2017. Anecdotally, we are hearing that some payments processors have been slow in supporting the service. Further clarity on the significance of same-day service will become evident with the addition of debit items in phase two, which takes effect this September.

Faster Payments—Maybe we're the only ones who see it this way, but in this country, "faster payments" looks like the Wild West—at least if you remember to say, "Howdy, pardner!" Word counts won't let us name or fully describe all of the various wagon trains racing for a faster payments land grab, but it seemed to start in October 2015 when The Clearing House announced it was teaming with FIS to deliver a real-time payment system for the United States. By March 2016, Jack Henry and Associates Inc. had joined the effort. Meanwhile, Early Warning completed its acquisition of clearXchange and announced a real-time offering in February. By August, this solution had been added to Fiserv's offerings. With Mastercard and Visa hovering around their own solutions and also attaching to any number of others, it seems like everybody is trying to make sure they don't get left behind.

Prepaid Card Account Rules—When it comes to compliance, "prepaid card" is now a misnomer based on the release of the Consumer Financial Protection Bureau's 2016 final ruling. The rule is access-device-agnostic, so the same requirements are applied to stored funds on a card, fob, or mobile phone app, to name a few. Prepaid accounts that are transactional and ready to use at a variety of merchants or ATMS, or for person-to-person, are now covered by Reg. E-Lite, and possibly Reg. Z, when overdraft or credit features apply. In industry speak, the rule applies to payroll cards, government benefit cards, PayPal-like accounts, and general-purpose reloadable cards—but not to gift cards, health or flexible savings accounts, corporate reimbursement cards, or disaster-relief-type accounts, for example.

Mobile Payments Move at Evolutionary, Not Revolutionary, Pace—While the Apple, Google, and Samsung Pay wallets continued to move forward with increasing financial institution and merchant participation, consumer usage remained anemic. With the retailer consortium wallet venture MCX going into hibernation, a number of major retailers announced or introduced closed-loop mobile wallet programs hoping to emulate the success of retailers such as Starbucks and Dunkin' Brands. The magic formula of payments, loyalty, and couponing interwoven into a single application remains elusive.

EMV Migration—The migration to chip cards and terminals in the United States continued with chip cards now representing approximately 70 percent of credit/debit cards in the United States. Merchant adoption of chip-enabled terminals stands just below 40 percent of the market. The ATM liability shift for Mastercard payment cards took effect October 21, with only an estimated 30 percent of non-FI-owned ATMs being EMV operational. Recognizing some of the unique challenges to the gasoline retailers, the brands pushed back the liability shift timetable for automated fuel dispensers three years, to October 2020. Chip card migration has clearly reduced counterfeit card fraud, but card-not-present (CNP) fraud has ballooned. Data for 2015 from the 2016 Federal Reserve Payments Study show card fraud by channel in the United States at 54 percent for in person and 46 percent for remote (or CNP). This is in contrast to comparable fraud data in other countries further along in EMV implementation, where remote fraud accounts for the majority of card fraud.

Distributed Ledger—Although venture capital funding in blockchain and distributed ledger startups significantly decreased in 2016 from 2015, interest remains high. Rather than investing in startups, financial institutions and established technology companies, such as IBM, shifted their funding focus to developing internal solutions and their technology focus from consumer-facing use cases such as Bitcoin to back-end clearing and settlement solutions and the execution of smart contracts.

Same Song, Same Verse—Some things just don't seem to change from year to year. Notifications of data breaches of financial institutions, businesses, and governmental agencies appear to have been as numerous as in previous years. The Fed's Consumer Payment Choices study continued to show that cash remains the most frequent payment method, especially for transactions under 10 dollars.

All of us at the Retail Payments Risk Forum wish all our Take On Payments readers a prosperous 2017.

Photo of Mary Kepler
Mary Kepler
Photo of Julius Weyman
Julius Weyman
Photo of Doug King
Doug King
Photo of David Lott
Dave Lott
Photo of Jessica Trundley</span>
</div>
Jessica Washington
Photo of Steven Cordray
Steven Cordray

 

January 9, 2017 in ACH, ATM fraud, cards, chip-and-pin, cybercrime, debit cards, emerging payments, EMV, fraud, mobile banking, mobile payments, P2P, prepaid, regulations | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 22, 2016


Why U.S. Card Fraud Is Now Present and Accounted For

Last year, I wrote a post called "Why Is the U.S. Card-Present Fraud Breakout Not Present?" in which I discussed the lack of publicly available information on the distribution of U.S. card fraud by type. I'm happy to report that more detailed data on card fraud in the United States is now present and accounted for in the Initial Data Release (IDR) of the 2016 Federal Reserve Payments Study.

As is common in other countries, card fraud can be categorized as follows across person-present and remote payment channels:

  • Counterfeit card: Fraud is perpetrated using an altered or cloned card.
  • Lost or stolen card: Fraud is undertaken using a lost or stolen card.
  • Card issued but not received: A newly issued card in transit to a card holder is intercepted and used to commit fraud.
  • Fraudulent application: A new card is issued based on a fake identity or on someone else's identity.
  • Other: "Other" fraud includes account takeover and other types of fraud not covered above.
  • Fraudulent use of account number: Fraud is perpetrated without using a physical card.

An extract from the fraud section of the IDR shows breakouts for card fraud by type across five countries.

Percentage-of-total-domestic-general-purpose-card-fraud

As reflected in the numbers, the United States continues to be by roughly an order of magnitude a continuing and persistent target for card counterfeiters using stolen card data compared to other countries that have adopted much earlier counterfeiting controls using EMV (chip) cards. Use of chips makes in-person card fraud more difficult, because of built-in technology to thwart the creation of counterfeit chip cards. As adoption of chips for cards and terminals improves in the United States, fraud using stolen card data is likely to shift from person-present to remote channels as has already occurred in other developed countries. My colleague, Doug King, discusses these issues in detail in an interview conducted last year.

Look for other Take On Payments posts that highlight additional key findings from the 2016 payments study.

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

December 22, 2016 in cards, chip-and-pin, EMV, payments study | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 17, 2016


EMV Comments That Make Me Cringe

Some aspects of the chip card implementation in the United States certainly make us frustrated. For one, the customer experience could be seen as slightly more negative because of the longer transaction time and confusion about the debit card selection menu. However, at several payments conferences I have attended recently, I have heard comments made by speakers and panelists about EMV chip cards and their technology that caused me to cringe a bit. I understand that a number of stakeholders are not proponents of EMV technology for a variety of reasons and, while some parts of their comments are factually accurate, they certainly are not "the truth, the whole truth and nothing but the truth."

Cringe #1: The United States is implementing 20-year-old-technology with EMV chip cards. Yes, the first EMV specifications were publicly released in 1995. But isn't that like saying that the gasoline-powered automobile is technology that is 130 years old? Microsoft's first release of Windows was in 1985. Do we hear complaints about it being 30-plus years old? The reality is that the EMV specifications, like practically all software development, are continually updated over the years with enhancements continuing as long as the software is still being supported. The EMV specifications are now at version 4.3, released in November 2011, with 20 supplemental bulletins issued since then and more on the way.

Cringe #2: EMV (chip) cards haven't solved the card-not-present (CNP) fraud problem. Again, this is an accurate statement. CNP card fraud is the second largest category of fraud losses in the U.S. (see the chart). But, the statement is misleading inasmuch as the EMV specifications and chip cards were never intended to address the CNP ecommerce environment. Counterfeit card fraud, whereby the criminal produces a card using data obtained from a skimmer or data breach, has been the number-one source of card-present fraud in the United States. It was this type of card fraud that the chip card was designed to target, and, from all accounts to date, it has been highly successful in doing so.

table-one

Source: Chip Cards in the United States: The PIN, PINless, Debit, Credit Conundrum, Aite Group, July 2016

Cringe #3 – Using a PIN improves the security of the chip card. While a cardholder using a PIN in lieu of a signature does clearly result in a lower level of fraud losses, the claim is somewhat of an apples and oranges comparison. The chip on the card authenticates the card itself, while the use of a PIN is intended to authenticate the cardholder performing the transaction. These are two separate types of authentication which, when combined, make the transaction more secure—a good thing. The use of a PIN should result in lower lost/stolen card fraud as it invokes two-factor authentication—something you have (card) and something you know (PIN).

Are the current EMV specifications perfect? Of course not, and that is why there are constant efforts to identify ways to improve them. But one must recall that the EMV specifications provide global interoperability and must be developed keeping that requirement in mind. What are your thoughts on the EMV specifications and how they can be improved?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 17, 2016 in chip-and-pin, consumer fraud, consumer protection, EMV, fraud | Permalink

Comments

Good stuff, Dave; I fully agree with your first 2 cringes, but on the third I think the objection is that if minimizing fraud is so important, why would we not complete the process of requiring PIN and take security to the next logical step?

Of course this opens up plenty of other debates- consumer choice, merchant fee levels, etc.- but thought it would be helpful to clarify that point in hopes of advancing the dialogue.

Posted by: Glen Sarvady | December 12, 2016 at 02:28 PM

Hello Dave,
While I agree with much that you have written.
The EMV specification has not kept pace with modern needs. The Target breach was the catalyst for the US implementation of EMV. Yet the current implementation of EMV would not have prevented the breach. The chip card exposes the static, clear text Primary Account Number (PAN) and other Personally Identifiable Information (PII) in numerous places. It does not cryptographically protect the sensitive data. To match our current needs, the cryptographic and computational power of the chip should be harnessed to protect the PAN and the PII. Or better yet, remove the PAN and PII from the chip card entirely.
The card is a physical token which should represent the PAN, but not expose it. The PAN should remain inside the Financial Institution (FI) linked to various tokens, each of which has a Device ID. The physical token should be authenticated without revealing the PAN to the merchant or a payment intermediary. Once the token (the Card or other access device) has been authenticated by the Issuer, it can look up the corresponding account and move (or not move) the funds accordingly.
When the card is capable of protecting itself, it can be issued, secured and validated by the issuer without the need for any intermediaries (consumers, merchants, processors, acquirers, networks) to participate in the protection process. With a proper chip card specification, this can be accomplished while maintaining global interoperability.
Respectfully,
Mimi Hart, MagTek

Posted by: Mimi Hart | December 9, 2016 at 03:11 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 16, 2016


Improving Customer Authentication: Is the PIN Past Its Prime?

The Financial Fraud Action UK recently released its Year-End 2015 Fraud Update. This report, filled with fraud-related figures from a fully EMV(chip)-migrated country, provides insight into what the future of fraud in the United States might look like as we are approximately eight months into our EMV journey. And if indeed the United Kingdom’s experience is a harbinger of things to come in the United States, then I think there will be disappointment for anyone who thought EMV by itself would be a magic bullet. After I spent time studying this report, it became evident that customer authentication is the latest low-hanging fruit and fraudsters are having a feast.

Fraud losses on payment cards in the United Kingdom (£567.5m) are approaching pre-EMV migration levels, and fraud loss rates have increased above 8 basis points (0.08%), hitting a level last seen in 2009. Diving deeper, we find that:

  • As expected, card-not-present (CNP) fraud losses represent a majority of card fraud losses (70 percent). Interestingly though, ecommerce spend volume grew faster than ecommerce fraud losses in 2015, suggesting that the industry made headway in its efforts to mitigate ecommerce fraud.
  • Lost and stolen card fraud (remember, the United Kingdom is a PIN environment) increased more than 24 percent in 2015, reaching levels last seen in 2006. The report highlights distraction thefts through cameras or simply shoulder surfing as methods of fraudulently obtaining PINs.
  • Card ID theft fraud losses, defined as losses from spend on fraudulently opened or obtained cards through stolen personal information, increased by 28 percent and are now approaching counterfeit card levels.
  • A bit of good news is that counterfeit card fraud losses remain well below pre-EMV levels and fell even further in 2015—perhaps, as the report suggests, driven partly by the increased acceptance of EMV cards in the United States.
  • Beyond cards, remote banking fraud losses (losses from Internet, telephone, and mobile banking) increased by more than 134 percent during the last two years, totaling nearly £169 million.

EMV is performing exactly as expected and doing a phenomenal job of authenticating payment cards in the card-present environment. Why are fraud losses increasing in a mature EMV environment? Because customer authentication remains a challenge, as is evident by rising fraud losses from lost and stolen cards, card applications with stolen identities, and remote banking.

Whether on the front end of authenticating the user during the account opening process or the back end of authenticating the user at the time of payment, authentication measures are coming up short, and these measures include PINs and passwords. Replacing passwords has been an ongoing conversation and likely may continue to be a conversation piece rather than a prolific action item. Yet there is a growing push for the use of PINs coupled with EMV cards here in the United States. While PIN authentication is an improvement over signature authentication, it, too, has its flaws. With improvements and advancements in new technologies such as biometrics, perhaps it's time for the industry to advance beyond PINs. Because of the current signature-laden EMV environment in the U.S., the timing is perfect.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 16, 2016 in chip-and-pin, EMV, fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 29, 2015


The More Things Change, the More They Stay the Same

As I write this blog on the screened porch of a North Alabama lake house, the cicadas are constantly buzzing in the background. I am fascinated by the life cycle of this species—namely, the emergence of the periodical cicadas from belowground every 13 to 17 years. This life cycle got me thinking how the world has changed since the last time the 17-year cicadas emerged. And while in this neck of the woods, some things have changed—new houses have been built and personal watercraft are now constantly buzzing on the lake—some things have remained the same. The nearest grocery store is still 30 minutes away and the iced tea is as sweet as it ever was. Is this mixed scenario really any different for payment card fraud?

Certainly a lot has changed in card payments during the last 17 or so years. We've witnessed the enormous growth of debit card transactions, the continued growth of credit card transactions, the emergence of the e-commerce and mobile payments channels, and the almost global adoption of the EMV (chip) card. As card payment usage has evolved, so has the fraud landscape. Lost and stolen card fraud fell out of vogue while counterfeit card fraud took off only to see stolen card fraud re-emerge when the issuance of EMV cards in most markets thwarted counterfeit card fraud. Point-of-sale (POS) fraud is occurring less often across the globe because of EMV and PIN verification, driving the fraudsters to the Internet to commit card-not-present (CNP) fraud.

But what hasn't changed is the global rate of fraud. An article in the August 2013 Nilson Report estimated that the annual cost of card fraud worldwide in 2012 was 5.2 cents for every $100 spent, resulting in $11.27 billion in losses. This figure compares to Nilson's estimate of fraud losses in 1998, which ran approximately 4.8 cents for every $100 spent and resulted in a little less than $2 billion of fraud. Perhaps a fraud rate in the 5 basis points range is the industry-wide acceptable rate, but with billions of dollars being invested to mitigate fraud, I would like to think that over time the rate would be reduced (though I must admit that I am not sure what the acceptable rate should be).

Maybe this speaks to the tenacity of the card fraudsters. As we in the Retail Payments Risk Forum have often stressed, once one door is fortified, the fraudsters find another door to enter. And if we could dive deeper within the figures, I am certain that is what we would find, according to various estimates of fraud and anecdotal evidence. For example, the emergence of EMV and the use of PIN verification instead of signature verification have reduced POS fraud. Today, CNP fraud rates are significantly higher than POS fraud rates and many industry risk efforts are focused on mitigating CNP fraud.

When the cicadas reappear, undoubtedly the payment card usage and fraud landscape will look different. Perhaps mobile payments will have taken off and the use of biometrics as a method of verification will be commonplace. I feel confident that in 17 years the industry will make substantial strides in reducing e-commerce CNP fraud rates—but also that new areas of fraud will appear. Is the industry prepared to fight the next generation of fraud or will it just continue to Band-Aid the past? Should we expect a 5 basis points rate of fraud when the cicadas emerge in another 17 years? I'd like to think the rate will be lower. At a minimum, hopefully, it will remain as consistent as the sweet iced tea in this neck of the woods.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


June 29, 2015 in cards, chip-and-pin, EMV, fraud, innovation, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 8, 2015


Is the Conventional Wisdom about EMV Migration Right?

We're within five months now of the initial EMV (chip) card liability shift for POS transactions. Most people in the industry have held the belief that as the ability to create counterfeit cards is shut down, the criminals will shift their focus primarily to the card-not-present (CNP) environment, where they can continue to use payment card data they take from the magnetic stripe or other data breaches. In fact, my colleagues and I have been broadcasting this message in our presentations and posts for quite some time. Our assessment, along with most other industry experts, was based on the statistics released by banking groups in major countries that had already gone through the EMV migration. The chart illustrates one view of their experiences. It seems to leave no doubt about what we can expect.

Chart_cnp_fraud_losses

But does it mean what we think it means? While the chart clearly shows an increase in the CNP channel in fraud losses, did the ratio of CNP fraud to overall sales increase? Unfortunately, definitive data is not readily available to provide that answer. Using some confidential sources and partial—but significant volumes of—payment data, we were able to determine that during the period from 2010 to 2013, as a percentage of overall sales, CNP fraud in Canada actually held relatively steady. But was that stability created due to the large increases in the recurring billing segment in the CNP environment, which has a relatively low rate of fraud? At this point, we just don't have data granular enough to tell us.

I don't think this means that there isn't a reason to be concerned about CNP fraud as the EMV migration in the United States continues. For one thing, the experience of others is no guarantee that we will experience the same. But perhaps the biggest reason for us not to relax about the issue is that, even if the levels hold flat through our migration, CNP fraud is still quite significant and has a major negative financial impact on merchants and issuers. The 2013 Federal Reserve Payments Study found that CNP fraud by volume is three times that of card-present fraud.

This situation also demonstrates the need to be able to collect detailed and accurate data on fraudulent payments activity. Fraud has been a real challenge in this country because of the large number of payments stakeholders that end up saddled with the loss. The Federal Reserve is interested in working with the industry to develop a process for collecting such information for the benefit of all.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 8, 2015 in chip-and-pin, cybercrime, EMV | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 16, 2015


Squeezing the Fraud Balloon

A number of our posts over the last year have discussed the U.S. migration to EMV (chip) cards. As we've mentioned, one of the primary motivations for the migration has been the ease with which fraudsters in our magnetic-stripe environment can create counterfeit payment cards. Other posts have mentioned that ubiquitous tenant of the criminal world—the person always on the lookout for the weakest link or the easiest target. And that criminal does not close up shop and go away in the chip-card world. There is clear evidence from other countries that criminals, after an EMV migration, look for, and find, other targets of opportunity—just as when you squeeze a balloon, you're constricting the middle, but both ends simultaneously expand.

One major area that criminals target post-EMV is online commerce, an activity referred to as card-not-present (CNP) fraud. However, criminals also target two other areas, according to speakers at the recent 2015 BAI Payments Connect conference: checks and account applications. Well before the EMV card liability shift occurs in the United States (October 1, 2015), a number of financial institutions have reported a marked increase in counterfeit checks and duplicate-item fraud, usually by way of the mobile deposit capture service. In many cases, the fraud takes place on accounts that have been open for more than six months, long enough to allow the criminal to have established an apparent pattern of "normalcy," although there are reports of newly opened accounts being used as well.

Canadian financial institutions report that fraudulent applications for credit and checking accounts have increased as much as 300 percent since that country's EMV liability shift. Criminals are opening checking accounts to perpetrate overall identity theft fraud as well as to create conduits for future counterfeit check or kiting fraud. And they're submitting fraudulent credit applications to purchase automobiles or other merchandise that they can then sell easily.

The time to examine and improve your fraud detection capabilities across all the channels customers use is now. Financial institutions should already be evaluating their check acceptance processes and account activity parameters to spot problem accounts early. Likewise, financial institutions should make sure their KYC, or know-your-customer, processes and tools are adequate to handle the additional threat that the credit and account application channel may experience. Be proactive to prevent the fraud in the first place while ensuring you have the proper detection capabilities to react quickly to potential fraudulent attempts. If we want to constrict the balloon of fraud, we're going to have to constrict the whole thing with consistent, equal pressure.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


March 16, 2015 in chip-and-pin, EMV, KYC | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d0ec46f0970c

Listed below are links to blogs that reference Squeezing the Fraud Balloon:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 2, 2015


Security at the ATM: We Have Some Educating to Do

ATM Marketplace recently published its 2015 triennial research report, which includes results of a poll of U.S. consumers on various issues related to ATMs. The online poll was conducted with a panel of 550+ individuals creating a representative sample of the adult (aged 18–65 years) population. Certain findings from the report stand out, in particular those related to consumers' expectations of various aspects of ATM transaction risk.

One question probed how concerned the respondent was about a skimming or camera device capturing their card information and PIN when they use the ATM. Thirty-eight percent indicated they were very concerned, but the remaining 61 percent indicated they were not that concerned or weren't even aware of what a skimming device is. The pie chart below breaks down each response.

01

Does the lack of concern come from a lack of education, or is it because the respondent knows the financial institution will have to bear the financial liability?

One of the final questions in the poll was whether the respondent felt an EMV card would make an ATM transaction more secure. As the chart below shows, more than half of the respondents believed there would be at least some level of improved security.

02

Of great concern to me is the 15 percent who indicated they don't know what an EMV card is. Of the two groups who mostly reported this lack of knowledge, one was the youngest (18–24) group, which surprised me. These younger people are supposed to be more tech-savvy than the rest of us. But of even greater surprise was that almost one-third (31 percent) of the most affluent group (those with a household income more than $150,000) responded they don't know what an EMV card is.

Clearly, the financial industry has a lot of educating to do as credit and debit card issuers ramp up their EMV card issuance in advance of the point-of-sale liability shift on October 1, 2015. While the ATM liability shift for domestic MasterCards won't be until October 2016 and Visa cards, a year later, it's never too early to begin or continue educational initiatives.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 2, 2015 in ATM fraud, chip-and-pin, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb07fb51bb970d

Listed below are links to blogs that reference Security at the ATM: We Have Some Educating to Do:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 23, 2015


Payments Stakeholders: Can't We All Just Work Together?

Coming together is a beginning; keeping together is progress; working together is success.
 – Henry Ford

In my physics classes at Georgia Tech, I found the principles around forces, momentum, and energy sometimes difficult to comprehend and distinguish. But I readily grasped a simplified version. I understood that if people apply their combined energy in the same direction, they can move the object of their attention to a designated spot faster and easier than if any of them tried it alone. And if they directly oppose one another or exert their efforts in different directions, the movement of the object is slow, its route is haphazard, and it may never reach its intended destination.

This last situation sometimes occurs with different groups of payments stakeholders—most notably, but not exclusively—the national card brands, along with their financial institution clients, and the merchant communities. Amidst all the charges and countercharges between the groups, it sometimes appears that these stakeholders are pushing in different directions—so the industry seems to be making little progress toward adopting payments standards and practices or fraud prevention solutions, for example.

An important payments risk issue affecting multiple stakeholders is card-not-present (CNP) fraud, which is expected to increase significantly after the United States migrates to EMV chip cards. We learned this from the experiences of other countries that have completed their migration. What happens is that EMV cards essentially close the door on the criminals' ability to create counterfeit EMV cards, so they shift focus to CNP opportunities.

Merchants contend that EMV card migration primarily benefits the card issuers since, for counterfeit-card-present (CCP) fraud, the issuer normally takes the loss—and EMV makes CCP fraud much less likely. Another way merchants may view EMV as being more issuer-friendly is that they must bear card-present fraud loss if they don't upgrade their terminals—at their expense—once the October 2015 liability shift goes into effect. So not only do they face increasing liability for card-present transactions, they will continue to be held responsible for the expected increase in CNP fraud losses.

The card brands and financial institutions counter the merchants' position on a number of fronts. For example, they point to the massive payment card data breaches that took place in 2014 at national merchants, saying these events eroded consumers' confidence in payment cards. Migrating to EMV cards and eventually replacing the magnetic stripe will provide clear improvements to payment card security, which will in turn increase consumer confidence in the safety of using cards. And that will benefit all stakeholders in this payment system. In addition, card brands and financial institutions are taking steps to help mitigate CNP fraud: they have invested heavily in several products and are collaborating with third-party providers to develop better customer authentication solutions to ultimately reduce the risk of CNP transactions for all stakeholders.

Disagreements among stakeholders will always exist, especially on elements that have a major financial impact on their businesses. However, there must be a diligent and ongoing effort by all parties, working together and with the same goal, to find areas of common ground that will result in a more secure payments environment.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


February 23, 2015 in cards, chip-and-pin, EMV, payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb07f047c8970d

Listed below are links to blogs that reference Payments Stakeholders: Can't We All Just Work Together?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


November 2017


Sun Mon Tue Wed Thu Fri Sat
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30    

Archives


Categories


Powered by TypePad