About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

April 17, 2017


Will the Password Ever Die? Part 1

It has been less than five years since the magazine Wired, in its November 2012 cover story, called for the demise of the password. It has been more than 13 years since Bill Gates called for the elimination of the password at a 2004 RSA conference. Despite these calls to action, the user ID and password remain the most common form of authentication that consumers use online.

Why has the password continued to defy its terminal prognosis? Several reasons come to mind. It remains the most ubiquitous authentication methodology. Even when you factor in the significant costs of companies supporting the need for password resets, I suspect the ongoing operating costs are lower than for other forms of authentication. The reality is that the password is generally a sufficient security tool for accessing low-value applications.

So why is the password criticized so often? Most of the weaknesses in the password are based on the latitude that customers have with selecting and managing their passwords. Surveyed consumers claim to have security in mind when they create passwords, but we have seen the stories about the most common passwords being "password" and the numbers "1-2-3-4-5-6." There is also the practice of using the same password for multiple sites. Frequently, the consumer is not required to use special characters (or the application doesn't accept special characters), nor to change their password on a regular basis.

Despite the frequency of data breaches and all the fallout that comes from them, online merchants are extremely leery of adding overt authentication requirements (multi-layered or multi-factor) for fear that consumers would abandon their shopping sessions. Given that merchant reluctance, along with consumers' general exemption from financial liability when their account is hacked, their online access credentials are compromised, and fraudulent transactions are made, how likely is it that password weaknesses will improve? So what can be done to strengthen authentication and produce a higher level of confidence that the customer generating a particular transaction is, in fact, the person authorized to perform that transaction?

We will look at some research into the consumer's willingness to adopt additional or alternative authentication methods within the next few weeks. Until then, let us know your suggestions for improving consumer authentication.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 17, 2017 in authentication, consumer protection, cybercrime, data security

Comments

With many websites willing to "remember" passwords for future use, it is no surprise that some groups would not want to give up using something they don't need to remember. Perhaps some vendors or banks should turn this option off, in order to protect some consumers from themselves.

Posted by: Barbara Guhanick | April 24, 2017 at 01:24 PM

As a consumer, I would appreciate a vendor, whether it be a shopping site, bank, medical health record site, etc., to provide an easy-to-use software VPN application. Besides passwords, knowing that the link between my endpoint and the other is protected by more than a password, or internet security (https) would be wonderful. Layered security is really the key.

Posted by: Barbara Guhanick | April 24, 2017 at 01:14 PM


March 13, 2017


Phone Scams and Phishing

According to a recent report from the Anti-Phishing Working Group (APWG), more phishing attacks were recorded in 2016 than in any prior year since the group began monitoring in 2004. The APWG defines phishing as a criminal mechanism employing both social engineering, often through the use of email, and technical subterfuge to steal consumers' personal identity data and financial account credentials.

While phishing attempts through electronic channels are undoubtedly up, the telephone call remains a valuable tool for fraudsters. The Federal Trade Commission (FTC) just released its 2016 Consumer Sentinel Network Data Book and revealed that of the fraud-related complaints it received in 2016 with the method of initial contact reported, 77 percent of the respondents claimed that initial contact was made via telephone. Only 8 percent reported email as the method of initial contact. Thinking broadly about these reported trends by the APWG and the FTC, I have two observations:

  • No doubt phishing emails are a growing concern based on the data from the APWG. The FTC data just might reveal what I have been hearing for the last few years: the sophistication of phishing schemes is increasing each day. About 45 percent of the fraud complaints filed with the FTC did not report the method of initial contact. Maybe these individuals did not want to report that information. Or with the increasing sophistication of phishing emails, perhaps many of these individuals still do not realize that email was in fact the entrée for fraudsters to obtain payment, personal, or financial information. Educating the public and our employees to recognize phishing emails is vitally important.
  • Phone scams are likely to increase as chip-enabled EMV cards and their acceptance become more widely adopted, making it more difficult for fraudsters to conduct counterfeit card fraud. Look no further than the United Kingdom, where Financial Fraud Action UK's Fraud The Facts 2016 report notes that overall financial fraud increased by 26 percent from 2014 to 2015, due in large part to the growth of impersonation and deception scams. It further notes that these scams typically involve a phone call, text message, or email. With the FTC reporting a 40 percent increase from 2014 to 2016 in the number of fraud complaints in which the telephone was the initial method of contact, it is imperative for individuals to handle such calls carefully before providing sensitive information.

The Retail Payments Risk Forum often stresses the importance of consumer education, as fraudsters often see the consumer as a weak link. Education is critical to preventing individuals from falling for phishing emails or phone scams. We strongly encourage individuals to exercise caution before opening attachments within emails or sharing personal or financial information over the phone. And before making good on an unexpected payment request from an email or phone call, it's a great practice to directly reach out to the payee through a known legitimate email address or phone number. For more information about recognizing and handling telephone scams, visit this FTC web page.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 13, 2017 in consumer fraud, consumer protection, phone fraud


October 17, 2016


EMV Comments That Make Me Cringe

Some aspects of the chip card implementation in the United States certainly make us frustrated. For one, the customer experience could be seen as slightly more negative because of the longer transaction time and confusion about the debit card selection menu. However, at several payments conferences I have attended recently, I have heard comments made by speakers and panelists about EMV chip cards and their technology that caused me to cringe a bit. I understand that a number of stakeholders are not proponents of EMV technology for a variety of reasons and, while some parts of their comments are factually accurate, they certainly are not "the truth, the whole truth and nothing but the truth."

Cringe #1: The United States is implementing 20-year-old technology with EMV chip cards. Yes, the first EMV specifications were publicly released in 1995. But isn't that like saying that the gasoline-powered automobile is technology that is 130 years old? Microsoft's first release of Windows was in 1985. Do we hear complaints about it being 30-plus years old? The reality is that the EMV specifications, like practically all software development, are continually updated over the years, with enhancements continuing as long as the software is still being supported. The EMV specifications are now at version 4.3, released in November 2011, with 20 supplemental bulletins issued since then and more on the way.

Cringe #2: EMV (chip) cards haven't solved the card-not-present (CNP) fraud problem. Again, this is an accurate statement. CNP card fraud is the second largest category of fraud losses in the U.S. (see the chart). But, the statement is misleading inasmuch as the EMV specifications and chip cards were never intended to address the CNP ecommerce environment. Counterfeit card fraud, whereby the criminal produces a card using data obtained from a skimmer or data breach, has been the number-one source of card-present fraud in the United States. It was this type of card fraud that the chip card was designed to target, and, from all accounts to date, it has been highly successful in doing so.

[Chart: U.S. card fraud losses by category]

Source: Chip Cards in the United States: The PIN, PINless, Debit, Credit Conundrum, Aite Group, July 2016

Cringe #3: Using a PIN improves the security of the chip card. While a cardholder using a PIN in lieu of a signature does clearly result in a lower level of fraud losses, the claim is somewhat of an apples and oranges comparison. The chip on the card authenticates the card itself, while the use of a PIN is intended to authenticate the cardholder performing the transaction. These are two separate types of authentication which, when combined, make the transaction more secure—a good thing. The use of a PIN should result in lower lost/stolen card fraud as it invokes two-factor authentication—something you have (card) and something you know (PIN).

Are the current EMV specifications perfect? Of course not, and that is why there are constant efforts to identify ways to improve them. But one must recall that the EMV specifications provide global interoperability and must be developed keeping that requirement in mind. What are your thoughts on the EMV specifications and how they can be improved?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 17, 2016 in chip-and-pin, consumer fraud, consumer protection, EMV, fraud

Comments

Good stuff, Dave; I fully agree with your first 2 cringes, but on the third I think the objection is that if minimizing fraud is so important, why would we not complete the process of requiring PIN and take security to the next logical step?

Of course this opens up plenty of other debates- consumer choice, merchant fee levels, etc.- but thought it would be helpful to clarify that point in hopes of advancing the dialogue.

Posted by: Glen Sarvady | December 12, 2016 at 02:28 PM

Hello Dave,
While I agree with much of what you have written, the EMV specification has not kept pace with modern needs. The Target breach was the catalyst for the US implementation of EMV. Yet the current implementation of EMV would not have prevented the breach. The chip card exposes the static, clear text Primary Account Number (PAN) and other Personally Identifiable Information (PII) in numerous places. It does not cryptographically protect the sensitive data. To match our current needs, the cryptographic and computational power of the chip should be harnessed to protect the PAN and the PII. Or better yet, remove the PAN and PII from the chip card entirely.
The card is a physical token which should represent the PAN, but not expose it. The PAN should remain inside the Financial Institution (FI) linked to various tokens, each of which has a Device ID. The physical token should be authenticated without revealing the PAN to the merchant or a payment intermediary. Once the token (the Card or other access device) has been authenticated by the Issuer, it can look up the corresponding account and move (or not move) the funds accordingly.
When the card is capable of protecting itself, it can be issued, secured and validated by the issuer without the need for any intermediaries (consumers, merchants, processors, acquirers, networks) to participate in the protection process. With a proper chip card specification, this can be accomplished while maintaining global interoperability.
Respectfully,
Mimi Hart, MagTek

Posted by: Mimi Hart | December 9, 2016 at 03:11 PM
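The token-vault arrangement the comment above describes, modelled as an added example (not MagTek's or any card network's code, and not part of the original post): the card carries only a device ID and a device key, and the issuer alone maps the device ID back to the PAN. The class and function names, the HMAC-based cryptogram, and the sample PAN are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple


def card_cryptogram(device_key: bytes, challenge: bytes, amount_cents: int) -> bytes:
    """What the card (or other access device) computes: an HMAC over the issuer's
    challenge and the amount, keyed with a secret that never leaves the chip.
    (Assumed construction, not an EMV cryptogram.)"""
    message = challenge + amount_cents.to_bytes(8, "big")
    return hmac.new(device_key, message, hashlib.sha256).digest()


class Issuer:
    """The issuer's vault: the only place a device ID resolves to a PAN.
    Every account and key held here is constructed sample data."""

    def __init__(self) -> None:
        self.vault: Dict[str, Tuple[bytes, str]] = {}   # device_id -> (device_key, pan)
        self.used_challenges: Set[bytes] = set()

    def enroll(self, pan: str) -> Tuple[str, bytes]:
        """Issue a token: a random device ID and a per-device key bound to the PAN."""
        device_id = secrets.token_hex(8)
        device_key = secrets.token_bytes(32)
        self.vault[device_id] = (device_key, pan)
        return device_id, device_key

    def new_challenge(self) -> bytes:
        """Fresh unpredictable challenge, so a captured cryptogram cannot be replayed."""
        return secrets.token_bytes(16)

    def authorize(self, device_id: str, challenge: bytes,
                  amount_cents: int, cryptogram: bytes) -> dict:
        entry = self.vault.get(device_id)
        if entry is None:
            return {"approved": False, "reason": "unknown device"}
        if challenge in self.used_challenges:
            return {"approved": False, "reason": "replayed challenge"}
        device_key, pan = entry
        expected = card_cryptogram(device_key, challenge, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            # Wrong key or tampered amount: the token did not authenticate.
            return {"approved": False, "reason": "bad cryptogram"}
        self.used_challenges.add(challenge)
        # Only now, inside the issuer, is the PAN looked up to move funds.
        return {"approved": True, "account": pan}


def run_purchase(issuer: Issuer, device_id: str, device_key: bytes,
                 amount_cents: int) -> Tuple[dict, dict]:
    """One purchase: the merchant relays the issuer's challenge to the card, then
    forwards the device ID and cryptogram. merchant_view is everything the
    merchant, acquirer or network ever hold; it contains no PAN."""
    challenge = issuer.new_challenge()
    cryptogram = card_cryptogram(device_key, challenge, amount_cents)
    merchant_view = {
        "device_id": device_id,
        "challenge": challenge.hex(),
        "amount_cents": amount_cents,
        "cryptogram": cryptogram.hex(),
    }
    result = issuer.authorize(device_id, challenge, amount_cents, cryptogram)
    return merchant_view, result


if __name__ == "__main__":
    issuer = Issuer()
    dev_id, dev_key = issuer.enroll("4111111111111111")   # constructed test PAN
    view, outcome = run_purchase(issuer, dev_id, dev_key, 4999)
    print("merchant sees:", view)
    print("issuer decides:", outcome)
```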


August 29, 2016


The Simple Consider Three but Four is the Key

In July of 1991 the late sports columnist and humorist Lewis Grizzard gave his top 30 reasons for loving America. The second item on his list read as follows:

I can still see reruns of the Andy Griffith Show. My favorite scene remains the time a reporter came to Mayberry to do a story on the city with the lowest crime rate in the state. The reporter found Barney alone at the sheriff's department and asked him, "How many are on the Mayberry force?"
Barney replied, "Well, there's Andy [the Sheriff] and me…," then patted his holster and added, "And baby makes three."

Payments has three officers, if you will, that are charged with securing the landscape, just like in Mayberry. In either case, the work of the officers on the beat is about "prevention, response, and remediation."

With payments, "prevention" is about thwarting attacks—both physical and cyber-related, fraud, and outright theft. The work consists largely of insulating and securing processes, systems, and valuables with the most up-to-date security tactics and applications. It also involves educating and training staff. Awareness of and good judgment about the landscape, discerning the right policies and approaches, are vital.

"Response" entails reacting to incidents or problems. Here, the work is about having the wherewithal to detect a problem. It also entails reporting—before, during, and after events, both internally and externally. Additionally, response is about investigating and understanding precisely what happened and how. Determining how to seal the hole or holes that gave rise to the problem in the first place also falls under "response."

"Remediation" is the after-event work. This is about repairing the damage resulting from an event and includes everything from recovering losses and further shoring up security to assisting those harmed by an event. Repairing reputational damage falls under remediation.

Back to Mayberry. In the show, Andy got credit for the town's sterling record, and rightly so—he had good judgment and instincts. However, in my opinion, some of the best episodes highlighted Andy's secret weapon, a fourth entity on the police force—the average citizen. Individual responsibility that rolled up into collective ownership for the town underpinned Mayberry's enviable crime record. Sometimes it was Floyd the Barber (and town gossip) who gave Andy the advance warning he needed. Other times it was Gomer at the gas station or Andy's son, Opie, who provided folksy wisdom or insight that ended up being the difference between triumph and tragedy.

For payments to attain Mayberry's covetable crime rate, the citizens—that is, the consumers—have to be fully empowered, thoroughly educated, and roundly encouraged to vigorously participate in their own security. In my opinion, payments are at least partially plagued by moral hazard that owes to blanket consumer liability protections in some instances with a seeming bias for more of that, not less. At the very least, we should question our experience, revisiting and debating the matter of balance between reasonable consumer protection versus the notion of applying blanket coverage, irrespective of consumer choice and action. I see no scenario where dread over what will descend on the payment landscape next abates, not until safety consciousness among users has become more deeply rooted and the culture stabilized in a place where ownership for our well-being is a duty embraced by all, all the time.

By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

August 29, 2016 in consumer protection

Comments

Thank you, Julius, for a great article that highlights a dilemma that many in the industry are choosing to ignore. Consumers want more control and protection. The tipping point is now, and many consumers are begging for more direct control toward protection. All we have to do is provide the new tools to do so and educate cardholders on how and why. It's no wonder the US has the highest fraud rates and incidents on the planet; the industry is opting for convenience over protection, when really, if they look around, they can have both.

Posted by: Maddy Aufseeser | August 29, 2016 at 01:45 PM


March 28, 2016


Continuing Education in Mobile Payments Security

Just over a year ago, I wrote a post raising the question of which stakeholder or stakeholders in the payments ecosystem had the responsibility for educating consumers regarding payments security. As new payment technologies such as mobile devices, wearables, and the Internet of things gain acceptance and increased usage, who is stepping up not only to teach consumers how to use the devices but also how to do so in a safe and secure manner?

Since it is generally financial institutions that have the greatest financial risk for payment transactions because of the protective liability legislation that exists in the United States, this responsibility has fallen largely to them. However, this educational effort has become increasingly difficult since consumers generally acquire these new products at retail outlets or mobile carrier stores, where the financial institution has no direct contact with the consumer.

The Consumer Federation of America (CFA) recently continued its ongoing efforts to provide educational information to consumers with the release of a guide to mobile payments. The guide is comprehensive, covering issues such as privacy, security of the mobile device, the dangers of malware, error resolution, and dispute procedures for mobile payments, and concludes with a humorous animated video that recaps some of the risks with mobile phones if they are not secured and used properly.

As an example, in its section on privacy, the guide offers the following tips:

  • Read the privacy policies of the companies whose services you are using to make mobile payments and the companies that you are paying.
  • If you don't like a company's privacy policy, take your business elsewhere.
  • Don't voluntarily provide information that is not necessary to use a product or service or make a payment.
  • Take advantage of the controls that you may be given over the collection and use of your personal information.
  • Since mobile payments, like all electronic payments, leave a trail, if there are transactions that you would prefer to make anonymously, pay with cash.

Kudos to the CFA for its work on this effort. I hope you will read the guide and spread the word about the availability of this valuable resource. It is through the combined efforts of the payments stakeholders that we can work to improve the knowledge level of all parties involved and promote secure usage.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 28, 2016 in consumer protection, innovation, mobile banking, mobile payments


March 7, 2016


Card Chargebacks: Sorting Out the Facts

For years, I have heard conflicting statements by card issuers and acquiring merchants about the impact of chargebacks on their businesses. A chargeback is a demand by a card issuer for a merchant to make the issuer whole for the loss of a disputed transaction by a cardholder. Because of consumer liability protections afforded under various regulations and the card brand's liability rules, the issuer or the merchant typically incurs the final loss. The issuer initiates a chargeback when a cardholder disputes a transaction on the statement—for one of a variety of reasons—if the issuer believes the merchant is financially liable under the particular card network's operating rules. Merchants may accept the chargeback and assume the loss, or they may dispute it if they believe they were in compliance with the network rules.

The debate over the amount of chargeback losses to merchants has continued over the years because of a lack of independent research, but all that has changed with a study published in January by my colleagues at the Federal Reserve Bank of Kansas City. Senior economists Fumiko Hayashi and Rick Sullivan along with risk specialist Zach Markiewicz examined chargeback and sales data from October 2013 through September 2014 from selected merchant acquirers who process more than 20 percent of network-branded card transactions in the United States. While the study examines the full chargeback landscape of four-party networks (Visa and MasterCard) and three-party networks (American Express and Discover), the focus of this post is on their findings related to card fraud—both card present (CP) and card not present (CNP)—for the four-party networks. PIN debit transaction chargebacks were not included in this study.

Some of the study's key findings are:

  • Overall, merchants incur 70–80 percent of all chargeback losses.
  • Fraud is the most common chargeback reason and accounts for approximately 50 percent of total chargebacks in value.
  • The average value of a fraud chargeback was $200, compared to $56 for the average sales transaction. Clearly, the criminals are going after higher-dollar value goods.
  • The merchant loss rate in the CNP channel of 14.17 basis points (bps) is significantly higher than the 1.02 bps loss rate for the CP channel.
  • As the chart shows, the merchant categories incurring the highest fraud rates were the travel and department store categories. Grocery stores had the lowest.

[Chart: merchant fraud chargeback rates by merchant category]

As previous posts have noted, the Federal Reserve is making a concerted effort to collect fraud data for non-cash payment channels to develop a holistic view and understanding of fraud trends. The Kansas City Fed is looking to repeat its study in the near future, when it will also include PIN debit transaction chargebacks. As our payments system evolves and user payment preferences change, it is vital for payments system stakeholders to be able to determine how these changes are affecting fraud losses being sustained by the various stakeholders.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 7, 2016 in card networks, cards, consumer protection


July 13, 2015


Biometrics and Privacy, or Locking Down the Super-Secret Control Room

Consumer privacy has been a topic of concern for many years now, and Take on Payments has contributed its share to the discussions. Rewinding to a post from November 2013, you'll see the focus then was on how robust data collection could affect a consumer's privacy. While biometrics technology—such as fingerprint, voice, and facial recognition for authenticating consumers—is still in a nascent stage, its emergence has begun to take more and more of the spotlight in these consumer privacy conversations. We have all seen the movie and television crime shows that depict one person's fingerprints being planted at the crime scene or severed fingers or lifelike masks being used to fool an access-control system into granting an imposter access to the super-secret control room.

Setting aside the Hollywood dramatics, there certainly are valid privacy concerns about the capture and use of someone's biometric features. The banking industry has a responsibility to educate consumers about how the technology works and how it will be used in providing an enhanced security environment for their financial transaction activities. Understanding how their personal information will be protected will help consumers be likelier to accept it.

As I outlined in a recent working paper, "Improving Customer Authentication," a financial institution should provide the following information about the biometric technology they are looking to employ for their various applications:

  • Template versus image. A system collecting the biometric data elements and processing it through a complex mathematical algorithm creates a mathematical score called a template. The use of a template-based system provides greater privacy than a process that captures an image of the biometric feature and overlays it to the original image captured at enrollment. Image-based systems provide the potential that the biometric elements could be reproduced and used in an unauthorized manner.
  • Open versus closed. In a closed system, the biometric template will not be used for any other purpose than what is stated and will not be shared with any other party without the consumer's prior permission. An open system is one that allows the template to be shared among other groups (including law enforcement) and provides less privacy.
  • User versus institutional ownership. Currently, systems that give the user control and ownership of the biometric data are rare. Without user ownership, it is important to have a complete disclosure and agreement as to how the data can be used and whether the user can request that the template and other information be removed.
  • Retention. Will a user's biometric data be retained indefinitely, or will it be deleted after a certain amount of time or upon a certain event, such as when the user closes the account? Providing this information may soften a consumer's concerns about the data being kept by the financial institution long after the consumer sees no purpose for it.
  • Device versus central database storage. Storing biometric data securely on a device such as a mobile phone provides greater privacy than a cloud-based storage system does. Of course, the user should use strong security, including setting strong passwords and making sure the phone locks after a period of inactivity.

The more the consumer understands the whys and hows of biometrics authentication technology, I believe the greater their willingness to adopt such technology. Do you agree?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 13, 2015 in biometrics, consumer protection, data security, privacy


July 6, 2015


Growing, Growing, Gone!

As we've blogged before, check writing has been steadily declining as electronic payments have grown. For example, the number of checks written in 2012 was 21 billion, down from 27.8 billion in 2009, according to the 2013 Federal Reserve Payments Study. We may be writing fewer checks than ever, but more than anything, we want the convenience of depositing our checks with mobile devices. A 2013 survey by ath Power Consulting found that mobile remote deposit capture (mRDC) is the "most sought-after mobile banking feature" among consumers. And financial institutions are answering this demand. According to 2014 surveys from Federal Reserve Banks (the Dallas Fed's, for example), about 48 percent of responding institutions are currently offering mobile capture and another 41 percent are planning to offer it within the next two years.

With mRDC in such demand, solutions providers and financial institutions should be investing in risk management strategies. But if check writing is a declining business, will mRDC risk management investments end up on the disabled list? Financial institutions must look at the potential losses and how they occur, evaluate the means to minimize these, and carefully weigh these factors against the dwindling check industry.

The mRDC channel faces two primary loss challenges: fraudulent items and duplicate check presentment. A fraudulent item might be an altered, forged, or counterfeit check; it can also be an intentional duplicate presentment. The other challenge occurs when a customer unintentionally presents a deposited item a second time. Research and anecdotal evidence suggest many duplicate presentments result from customer errors. These represent a growing customer education need. Financial institutions must find room in the allocated lineup and spending cap for fraud and duplicate detection enhancements.

Handling duplicate check presentments landed an all-star position on the agenda at most payments operation conferences this past year. Duplicate check presentments mean returns and adjustments, which in turn mean time and money for the financial institutions. When duplicate presentment involves more than one bank of first deposit, losses are often sustained from misunderstanding holder-in-due-course rights and return-versus-adjustment processes. Financial institutions often need to reconstruct what happened, analyze the facts, and possibly consult legal counsel.

But rather than handling these risks with expensive roster moves, considering the declining use of checks, financial institutions can meet the threat at the origin, through customer education and enforcement policies. Financial institutions that offer mRDC can make disclosed stipulations. For example, they can require that the original check be destroyed after confirmation, or that checks have a specific restrictive endorsement that includes "for mobile deposit only." Ultimately, if a consumer deposits a check twice, financial institutions can charge a fee or suspend service. In general, customers want to avoid fines, so they tend to play within the rules when fines are looming. If training customers is a home run in mitigation, then the grand slam is having detection systems that support the stipulations and rules put into place.
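Duplicate-presentment screening of the kind the post says should back up the disclosed stipulations, as an added example that is not from the post or any vendor. It keys each capture on the MICR fields, treats an identical re-presentation as customer error (fee, then suspension) and a re-presentation with a different amount as possible alteration; the window, fee and strike count are assumed values, and the deposits are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Deposit:
    """One mRDC capture. MICR fields and customer IDs are constructed samples."""
    customer: str
    routing: str
    account: str
    check_no: str
    amount_cents: int
    captured_at: datetime
    endorsement: str = ""


class DuplicateScreen:
    """Screens each capture against items already presented through this channel.
    Only this institution's captures are visible: a duplicate presented at another
    bank of first deposit surfaces later as a return or adjustment, not here."""

    def __init__(self, window_days: int = 180, fee_cents: int = 1500,
                 suspend_after: int = 2) -> None:
        self.window = timedelta(days=window_days)   # assumed retention window
        self.fee_cents = fee_cents                   # assumed duplicate fee
        self.suspend_after = suspend_after           # assumed strike limit
        self.first_seen: Dict[Tuple[str, str, str], Deposit] = {}
        self.strikes: Dict[str, int] = defaultdict(int)
        self.suspended: Set[str] = set()

    @staticmethod
    def item_key(d: Deposit) -> Tuple[str, str, str]:
        # The MICR line identifies the physical item; the amount is compared
        # separately so an altered amount on a re-presented item stands out.
        return (d.routing, d.account, d.check_no)

    def screen(self, d: Deposit) -> dict:
        if d.customer in self.suspended:
            return {"action": "reject", "reason": "service suspended"}
        if "for mobile deposit only" not in d.endorsement.lower():
            return {"action": "reject", "reason": "missing restrictive endorsement"}
        key = self.item_key(d)
        prior = self.first_seen.get(key)
        if prior is None or d.captured_at - prior.captured_at > self.window:
            self.first_seen[key] = d
            return {"action": "accept"}
        if prior.amount_cents != d.amount_cents:
            # Same item, different amount: looks like alteration, not customer error,
            # so hold it for review rather than charging a fee.
            return {"action": "hold", "reason": "possible alteration",
                    "first_amount_cents": prior.amount_cents}
        # Identical item presented again: most often customer error, so apply the
        # disclosed stipulations (fee first, suspension on repeat).
        self.strikes[d.customer] += 1
        suspended = self.strikes[d.customer] >= self.suspend_after
        if suspended:
            self.suspended.add(d.customer)
        return {"action": "reject", "reason": "duplicate presentment",
                "fee_cents": self.fee_cents, "suspended": suspended}


if __name__ == "__main__":
    screen = DuplicateScreen()
    t0 = datetime(2015, 7, 1, 9, 0)
    first = Deposit("cust-a", "021000021", "1234567", "1042", 12500, t0,
                    "For mobile deposit only at Sample Bank")
    again = Deposit("cust-a", "021000021", "1234567", "1042", 12500,
                    t0 + timedelta(days=3), "for mobile deposit only")
    print(screen.screen(first))
    print(screen.screen(again))
```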

By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 6, 2015 in checks, consumer protection, mobile banking, mobile payments


June 15, 2015


“Customer, You Have the Conn”

Sometimes when you're watching nautical-themed movies, you'll hear the phrase, "I have the conn." The person who speaks this phrase is alerting all those on the vessel that he or she is in control with regard to the vessel's direction and speed. Customers could utter that phrase with regard to their payment vessels—they pretty much have full control in that they make the final choices about their method of payment. They may be restricted by the payment options a merchant offers, but in most cases, if they don't like the options, they can shop or secure services elsewhere.

One of the challenges with payment security that we frequently mention in our posts and speaking engagements is the disincentive that various consumer protection regulations give for consumers to adopt strong security practices. We have all seen or heard of the consumers who write their PINs on their debit cards or set up the PIN 1-2-3-4. In addition, research consistently tells us that consumers often select easily guessed user IDs and passwords—and then often use those same ID/password combinations on multiple sites.

Financial institutions and other payment stakeholders have long worked to develop tools that will encourage customers to be more aware of their financial account activity and contribute to minimizing fraud losses. Account alerts are among the most useful and popular of the tools. When consumers set up account alerts, they can usually specify conditions that will trigger a text message or e-mail. Common alerts are sent when the account balance drops below a set threshold, a debit transaction posts in excess of a specified amount, or an address or phone number change was made on the account. These alerts are beneficial, but they are merely reactive; they report only when a condition has already occurred.

I believe we will soon see a major breakthrough in card security. There are new applications now in testing or in early roll-out phases. These applications will allow customers to be proactive because they will be able to set up a number of filters or controls on their payment cards that will dictate whether a transaction even gets to the point for an authorization decision. For example, if I have a payment card that I use only for gasoline purchases, I can designate my settings to reject transactions coming from other merchant categories. Or I can specify that no international transactions should be allowed. At the extreme end of the control options, I can "turn off" my card, thereby blocking all transactions, and then I can turn it back on when I am ready to use it again. The possible options and filters are almost limitless for this self-service function. Yes, there will be the need for strong customer education, and the choices will require a reasonable limit or the customer will never remember what they set.
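The cardholder controls described above, sketched as an added example that is not code from the post or from any issuer: a rule set the cardholder manages (card on/off, allowed merchant categories, no international transactions) is evaluated before a transaction ever reaches the authorization decision. The control schema and sample transactions are constructed; the per-transaction amount limit goes slightly beyond the post's examples as one more of the "almost limitless" filters, and the home-country code is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass

HOME_COUNTRY = "US"   # assumption: the issuer's domestic country code

# Constructed control set a cardholder could manage in self-service (hypothetical schema).
@dataclass
class CardControls:
    card_on: bool = True                          # the "turn off my card" switch blocks everything
    allowed_mccs: frozenset[str] = frozenset()    # empty = no merchant-category restriction
    block_international: bool = False
    per_txn_limit_cents: int | None = None        # added generalization: an amount ceiling

@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount_cents: int
    mcc: str            # merchant category code
    country: str        # merchant country code

def evaluate(controls: CardControls, txn: Transaction) -> tuple[bool, str]:
    """Pre-authorization screen returning (allowed, reason). Checks run from the broadest
    control to the narrowest so the reason names the control the cardholder set."""
    if not controls.card_on:
        return False, "card is turned off by the cardholder"
    if controls.block_international and txn.country != HOME_COUNTRY:
        return False, f"international transaction ({txn.country}) blocked by the cardholder"
    if controls.allowed_mccs and txn.mcc not in controls.allowed_mccs:
        return False, f"merchant category {txn.mcc} is not in the cardholder's allowed list"
    if controls.per_txn_limit_cents is not None and txn.amount_cents > controls.per_txn_limit_cents:
        return False, "amount exceeds the cardholder's per-transaction limit"
    return True, "passes cardholder controls; forwarded for authorization"

def screen(controls: CardControls, txns: list[Transaction]) -> dict[str, tuple[bool, str]]:
    return {t.txn_id: evaluate(controls, t) for t in txns}

# A "gasoline only" card as in the post: service stations and fuel dispensers (MCC 5541/5542),
# domestic merchants only, and a $150 ceiling per transaction.
GAS_ONLY = CardControls(allowed_mccs=frozenset({"5541", "5542"}),
                        block_international=True, per_txn_limit_cents=15000)

def sample_transactions() -> list[Transaction]:
    # Constructed sample authorization requests.
    return [
        Transaction("T1", 4500, "5541", "US"),    # fuel at a domestic service station
        Transaction("T2", 8999, "5732", "US"),    # electronics store
        Transaction("T3", 3000, "5541", "CA"),    # fuel abroad
        Transaction("T4", 25000, "5541", "US"),   # unusually large fuel purchase
    ]

if __name__ == "__main__":
    for txn_id, (ok, why) in screen(GAS_ONLY, sample_transactions()).items():
        print(txn_id, "ALLOW" if ok else "REJECT", "-", why)
```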

If these options are enabled and cardholders are then willing to "take the conn," this new tool could help significantly reduce the number of unauthorized transactions. Critical to its success is whether cardholders will set a reasonable range of parameters based on their normal card usage patterns, so that their own transactions are not rejected while the truly unauthorized ones are still weeded out. I say "full speed ahead" with such tools. What do you say?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 15, 2015 in consumer protection, data security, innovation


May 11, 2015


The Hill Tackles Cybersecurity

In a post last month, Take on Payments highlighted recent cybersecurity-related executive orders. Cybersecurity has been a hot item inside the Beltway in 2015, and the activity hasn't been limited to the executive office. Beginning on April 22, the House passed two separate cybersecurity bills. And now all eyes are on the Senate, as it looks like a vote on its own cybersecurity bill is set to take place later in May. Today's Take On Payments post will highlight the two bills recently passed by the House and the Senate's bill under consideration.

Protecting Cyber Networks Act (H.R. 1560)
This bill encourages the timely sharing of cyber threat information among private entities, nonfederal government agencies, and local governments. It provides businesses liability protection for sharing cyber threat indicators when taking reasonable efforts to remove personally identifiable information (PII). The bill also allows the federal government (excluding the National Security Agency and Department of Defense) to share cyber threat information with private entities, nonfederal government agencies, and local governments. To further promote and protect individual privacy, it requires that the Department of Justice (DOJ) periodically review the information shared to ensure that PII is not being received, used, or disseminated by a federal entity. Finally, this bill directs the Cyber Threat Intelligence Integration Center (CTIIC), under the direction of the Office of the Director of National Intelligence, to serve as the primary organization to analyze and integrate all intelligence shared.

National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731)
The purpose of this bill is also to encourage information sharing about cyber-related risks between the private sector and government. Unlike its companion bill, which makes the CTIIC the overseer of the information-sharing program, this bill authorizes the Department of Homeland Security (DHS) to fill that role. In order for the DHS to serve in this capacity, the bill expands the composition and scope of the DHS National Cybersecurity and Communications Integration Center to include additional parties, namely private entities and information-sharing and analysis centers, among its non-federal representatives. As with H.R. 1560, the bill has provisions to protect individual privacy and requires that the DHS perform an annual review of its privacy policies and procedures. As with its companion House bill, liability protection is afforded to parties sharing information.

Cybersecurity Information Sharing Act (CISA) of 2015 (S. 754)
The Senate's version of cybersecurity legislation is a companion bill to the two recently passed House bills and combines tenets of both of them. It's viewed as an information-sharing bill, with the DHS serving as the federal entity responsible for overseeing the sharing of data between the government and private sector. The DOJ is responsible for ensuring that privacy and civil liberties are upheld within the information-sharing program. As with the House bills, liability protection is provided to all entities sharing information.

The goal of the information sharing featured in these bills is that both government and the private sector would benefit. As evidenced by the participation of a significant number of financial institutions (FIs) in the Financial Services Information Sharing and Analysis Center, many FIs are seeing value in sharing cybersecurity information within their own sectors. Additionally, the Retail Industry Leaders Association established the Retail Cyber Intelligence Sharing Center earlier this year to share cyber threat information between retailers and law enforcement. Whether or not these bills accomplish the goals of creating a private environment to safely share cybersecurity information and risks, I think the payments industry and other private industries would benefit from sharing information among themselves and with government and law enforcement agencies.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 11, 2015 in collaboration, consumer protection, cybercrime, law enforcement, regulations

