Take On Payments


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

September 8, 2015

Why Is the U.S. Card-Present Fraud Breakout Not Present?

Before answering the question the title poses, let me introduce myself. I'm the newest blogger in the Risk Forum. Recently, I was the faster-payments-product guy in the Retail Payments Office (RPO) at the Atlanta Fed. While in the RPO, I was a cheerleader who pushed and cajoled the industry to get same-day ACH off the ground. Incidentally, same-day ACH is due to become available universally as early as September 2016 due to a recent rule change passed by NACHA.

Back to my question—while doing some research on expanding fraud data coverage in the Fed's upcoming triennial payments study, I came across a gap in publicly available detailed fraud data for the United States compared to other geographies. As the table shows, the gap is evident from the Fourth Report on Card Fraud published in July 2015 by the European Central Bank. You probably see the "Not available" designation in the card-present subcategory.


What gives? What could be gained if this information were made available? As the footnote shows, the high-level data is taken from the Fed's last triennial payments study published in 2014. And as a previous post notes, the United States does not have a publicly available, single, uniform repository for payments fraud data. Back in 2009, the problem was covered in detail in the briefing paper "The Benefits of Collecting and Reporting Payment Fraud Statistics for the United States" by my colleague Rick Sullivan from the Kansas City Fed. In fairness, it should be noted that information is available in the United States to varying levels of detail as a paid service or through surveys conducted by such organizations as the Association of Financial Professionals and is typically distributed only to the organization's membership.

So that you know what we are missing out on in the United States, here are capsule descriptions of each card-present fraud type:

  • Counterfeit/Skimming: Fraud is perpetrated using an altered or cloned card.
  • Lost/Stolen: Fraudulent transactions result from the use of a lost or stolen card.
  • Card not received: A newly issued card in transit to a card holder is intercepted and used to commit fraud.
  • Fraudulent application: A new card is issued based on a faked identity or using someone else's identity.
  • Other: This is a catchall category for fraud not covered above.

The card-not-present subcategory, which is fully reported on in the triennial study, generally covers fraudulent payments initiated online, or by mail or telephone. Unlike card-present fraud, this type of fraud is not usually subdivided any further.

It should be noted that the current study was the first of the triennial series to report on fraud. Unfortunately, scope limitations precluded breaking out fraud further. As it is, the current study offers a wealth of payment and fraud data for cards and all other forms of noncash payments.

Adding a level of specificity for card-present fraud in the United States will help in tracking the movement of fraud from one type to another and the migration of fraud to other countries. In the United States, fraud is likely to further shift from card present to card not present due to increased counterfeiting controls at the point of sale from the anticipated broad adoption of EMV (chips) for cards and POS terminals. The Federal Reserve, in partnership with other payment system stakeholders, hopes to track these and other developments by collecting additional fraud data for the next triennial study due to be published in 2017.

What suggestions do you have for identifying and collecting other fraud data?

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 8, 2015 in EMV, fraud | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 17, 2015

Pigskin and Payments

For those who know me well, they know that I find August to be the slowest-moving month of the year. It's not because of the oppressive southern heat and humidity, but rather it's my anticipation for football season. To help speed along the "dog days of summer," I generally read my fair share of prognostication publications. Alongside the predictions, improving player safety has become a key discussion topic as the season approaches.

Armed with data showing an increase in injuries as well as long-term negative effects from playing the sport, football's governing bodies on both the collegiate and professional levels are instituting rule changes to make the game safer. Equipment manufacturers are introducing new gear to improve safety and individual teams are adding new experts to their medical staffs all in the name of player safety.

Ironically, while there is a focus on improving player safety, football players continue to get stronger and faster aided by advancements in nutrition and workout regimes. As player strength and speed improves, this contact sport becomes more vicious and dangerous. And as a fan, I'll admit that I find watching a game featuring stronger and faster players more exciting. I do not want to see players injured, but at the same time I enjoy the excitement that comes with hard tackles and big hits.

Does this state of football sound at all like the current state of the U.S. payments industry? To make payments safer, public and private entities are leading literally hundreds of initiatives across various payments rails. Network rule changes are taking place and new technologies are being harnessed all in an effort to better secure payments. At the same time, start-ups, established payment companies, payment associations, and the Federal Reserve are collaborating to improve the speed of payments.

It's hard not to get excited about the possibilities of faster payments, from important just-in-time supplier payments to simple repayments for borrowing money from a friend or family member. However, can securing payments better derail the speed of payments? By way of example and personal experience, my more secure EMV (chip) credit card has clearly reduced the speed at the point-of-sale for my card payment transactions.

But just as player strength and speed has evolved alongside safety through rule-making and technology (think about leather football helmets here), I think we have seen the same progression within the payments industry. I think football remains as exciting as ever, and the payments expert in me is clearly excited about the future of payments.

Speed and safety are not to be viewed as mutually exclusive, and I am confident that the payments industry supports this view. In both football and payments, elements of risk will exist, regardless of safety measures in place. Finding the right balance between speed and safety should be the goal in order to maintain an exciting football game or efficient payments system. I can't wait to see what lies ahead on the gridiron and within the payments industry.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 17, 2015 in emerging payments, EMV, fraud, innovation, risk management | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 29, 2015

The More Things Change, the More They Stay the Same

As I write this blog on the screened porch of a North Alabama lake house, the cicadas are constantly buzzing in the background. I am fascinated by the life cycle of this species—namely, the emergence of the periodical cicadas from belowground every 13 to 17 years. This life cycle got me thinking how the world has changed since the last time the 17-year cicadas emerged. And while in this neck of the woods, some things have changed—new houses have been built and personal watercraft are now constantly buzzing on the lake—some things have remained the same. The nearest grocery store is still 30 minutes away and the iced tea is as sweet as it ever was. Is this mixed scenario really any different for payment card fraud?

Certainly a lot has changed in card payments during the last 17 or so years. We've witnessed the enormous growth of debit card transactions, the continued growth of credit card transactions, the emergence of the e-commerce and mobile payments channels, and the almost global adoption of the EMV (chip) card. As card payment usage has evolved, so has the fraud landscape. Lost and stolen card fraud fell out of vogue while counterfeit card fraud took off only to see stolen card fraud re-emerge when the issuance of EMV cards in most markets thwarted counterfeit card fraud. Point-of-sale (POS) fraud is occurring less often across the globe because of EMV and PIN verification, driving the fraudsters to the Internet to commit card-not-present (CNP) fraud.

But what hasn't changed is the global rate of fraud. An article in the August 2013 Nilson Report estimated that the annual cost of card fraud worldwide in 2012 was 5.2 cents for every $100 spent, resulting in $11.27 billion in losses. This figure compares to Nilson's estimate of fraud losses in 1998, which ran approximately 4.8 cents for every $100 spent and resulted in a little less than $2 billion of fraud. Perhaps a fraud rate in the 5 basis points range is the industry-wide acceptable rate, but with billions of dollars being invested to mitigate fraud, I would like to think that over time the rate would be reduced (though I must admit that I am not sure what the acceptable rate should be).

Maybe this speaks to the tenacity of the card fraudsters. As we in the Retail Payments Risk Forum have often stressed, once one door is fortified, the fraudsters find another door to enter. And if we could dive deeper within the figures, I am certain that is what we would find, according to various estimates of fraud and anecdotal evidence. For example, the emergence of EMV and the use of PIN verification instead of signature verification have reduced POS fraud. Today, CNP fraud rates are significantly higher than POS fraud rates and many industry risk efforts are focused on mitigating CNP fraud.

When the cicadas reappear, undoubtedly the payment card usage and fraud landscape will look different. Perhaps mobile payments will have taken off and the use of biometrics as a method of verification will be commonplace. I feel confident that in 17 years the industry will make substantial strides in reducing e-commerce CNP fraud rates—but also that new areas of fraud will appear. Is the industry prepared to fight the next generation of fraud or will it just continue to Band-Aid the past? Should we expect a 5 basis points rate of fraud when the cicadas emerge in another 17 years? I'd like to think the rate will be lower. At a minimum, hopefully, it will remain as consistent as the sweet iced tea in this neck of the woods.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 29, 2015 in cards, chip-and-pin, EMV, fraud, innovation, mobile payments | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 8, 2015

Is the Conventional Wisdom about EMV Migration Right?

We're within five months now of the initial EMV (chip) card liability shift for POS transactions. Most people in the industry have held the belief that as the ability to create counterfeit cards is shut down, the criminals will shift their focus primarily to the card-not-present (CNP) environment, where they can continue to use payment card data they take from the magnetic stripe or other data breaches. In fact, my colleagues and I have been broadcasting this message in our presentations and posts for quite some time. Our assessment, along with most other industry experts, was based on the statistics released by banking groups in major countries that had already gone through the EMV migration. The chart illustrates one view of their experiences. It seems to leave no doubt about what we can expect.


But does it mean what we think it means? While the chart clearly shows an increase in the CNP channel in fraud losses, did the ratio of CNP fraud to overall sales increase? Unfortunately, definitive data is not readily available to provide that answer. Using some confidential sources and partial—but significant volumes of—payment data, we were able to determine that during the period from 2010 to 2013, as a percentage of overall sales, CNP fraud in Canada actually held relatively steady. But was that stability created due to the large increases in the recurring billing segment in the CNP environment, which has a relatively low rate of fraud? At this point, we just don't have data granular enough to tell us.

I don't think this means that there isn't a reason to be concerned about CNP fraud as the EMV migration in the United States continues. For one thing, the experience of others is no guarantee that we will experience the same. But perhaps the biggest reason for us not to relax about the issue is that, even if the levels hold flat through our migration, CNP fraud is still quite significant and has a major negative financial impact on merchants and issuers. The 2013 Federal Reserve Payments Study found that CNP fraud by volume is three times that of card-present fraud.

This situation also demonstrates the need to be able to collect detailed and accurate data on fraudulent payments activity. Fraud has been a real challenge in this country because of the large number of payments stakeholders that end up saddled with the loss. The Federal Reserve is interested in working with the industry to develop a process for collecting such information for the benefit of all.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 8, 2015 in chip-and-pin, cybercrime, EMV | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 16, 2015

Squeezing the Fraud Balloon

A number of our posts over the last year have discussed the U.S. migration to EMV (chip) cards. As we've mentioned, one of the primary motivations for the migration has been the ease with which fraudsters in our magnetic-stripe environment can create counterfeit payment cards. Other posts have mentioned that ubiquitous tenant of the criminal world—the person always on the lookout for the weakest link or the easiest target. And that criminal does not close up shop and go away in the chip-card world. There is clear evidence from other countries that criminals, after an EMV migration, look for, and find, other targets of opportunity—just as when you squeeze a balloon, you're constricting the middle, but both ends simultaneously expand.

One major area that criminals target post-EMV is online commerce, an activity referred to as card-not-present (CNP) fraud. However, criminals also target two other areas, according to speakers at the recent 2015 BAI Payments Connect conference: checks and account applications. Well before the EMV card liability shift occurs in the United States (October 1, 2015), a number of financial institutions have reported a marked increase in counterfeit checks and duplicate-item fraud, usually by way of the mobile deposit capture service. In many cases, the fraud takes place on accounts that have been open for more than six months, long enough to allow the criminal to have established an apparent pattern of "normalcy," although there are reports of newly opened accounts being used as well.

Canadian financial institutions report that fraudulent applications for credit and checking accounts have increased as much as 300 percent since that country's EMV liability shift. Criminals are opening checking accounts to perpetrate overall identity theft fraud as well as to create conduits for future counterfeit check or kiting fraud. And they're submitting fraudulent credit applications to purchase automobiles or other merchandise that they can then sell easily.

The time to examine and improve your fraud detection capabilities across all the channels customers use is now. Financial institutions should already be evaluating their check acceptance processes and account activity parameters to spot problem accounts early. Likewise, financial institutions should make sure their KYC, or know-your-customer, processes and tools are adequate to handle the additional threat that the credit and account application channel may experience. Be proactive to prevent the fraud in the first place while ensuring you have the proper detection capabilities to react quickly to potential fraudulent attempts. If we want to constrict the balloon of fraud, we're going to have to constrict the whole thing with consistent, equal pressure.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 16, 2015 in chip-and-pin, EMV, KYC | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Squeezing the Fraud Balloon:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 2, 2015

Security at the ATM: We Have Some Educating to Do

ATM Marketplace recently published its 2015 triennial research report, which includes results of a poll of U.S. consumers on various issues related to ATMs. The online poll was conducted with a panel of 550+ individuals creating a representative sample of the adult (aged 18–65 years) population. Certain findings from the report stand out, in particular those related to consumers' expectations of various aspects of ATM transaction risk.

One question probed how concerned the respondent was about a skimming or camera device capturing their card information and PIN when they use the ATM. Thirty-eight percent indicated they were very concerned, but the remaining 61 percent indicated they were not that concerned or weren't even aware of what a skimming device is. The pie chart below breaks down each response.


Does the lack of concern come from a lack of education, or is it because the respondent knows the financial institution will have to bear the financial liability?

One of the final questions in the poll was whether the respondent felt an EMV card would make an ATM transaction more secure. As the chart below shows, more than half of the respondents believed there would be at least some level of improved security.


Of great concern to me is the 15 percent who indicated they don't know what an EMV card is. Of the two groups who mostly reported this lack of knowledge, one was the youngest (18–24) group, which surprised me. These younger people are supposed to be more tech-savvy than the rest of us. But of even greater surprise was that almost one-third (31 percent) of the most affluent group (those with a household income more than $150,000) responded they don't know what an EMV card is.

Clearly, the financial industry has a lot of educating to do as credit and debit card issuers ramp up their EMV card issuance in advance of the point-of-sale liability shift on October 1, 2015. While the ATM liability shift for domestic MasterCards won't be until October 2016 and Visa cards, a year later, it's never too early to begin or continue educational initiatives.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 2, 2015 in ATM fraud, chip-and-pin, EMV | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Security at the ATM: We Have Some Educating to Do:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 23, 2015

Payments Stakeholders: Can't We All Just Work Together?

Coming together is a beginning; keeping together is progress; working together is success.
 – Henry Ford

In my physics classes at Georgia Tech, I found the principles around forces, momentum, and energy sometimes difficult to comprehend and distinguish. But I readily grasped a simplified version. I understood that if people apply their combined energy in the same direction, they can move the object of their attention to a designated spot faster and easier than if any of them tried it alone. And if they directly oppose one another or exert their efforts in different directions, the movement of the object is slow, its route is haphazard, and it may never reach its intended destination.

This last situation sometimes occurs with different groups of payments stakeholders—most notably, but not exclusively—the national card brands, along with their financial institution clients, and the merchant communities. Amidst all the charges and countercharges between the groups, it sometimes appears that these stakeholders are pushing in different directions—so the industry seems to be making little progress toward adopting payments standards and practices or fraud prevention solutions, for example.

An important payments risk issue affecting multiple stakeholders is card-not-present (CNP) fraud, which is expected to increase significantly after the United States migrates to EMV chip cards. We learned this from the experiences of other countries that have completed their migration. What happens is that EMV cards essentially close the door on the criminals' ability to create counterfeit EMV cards, so they shift focus to CNP opportunities.

Merchants contend that EMV card migration primarily benefits the card issuers since, for counterfeit-card-present (CCP) fraud, the issuer normally takes the loss—and EMV makes CCP fraud much less likely. Another way merchants may view EMV as being more issuer-friendly is that they must bear card-present fraud loss if they don't upgrade their terminals—at their expense—once the October 2015 liability shift goes into effect. So not only do they face increasing liability for card-present transactions, they will continue to be held responsible for the expected increase in CNP fraud losses.

The card brands and financial institutions counter the merchants' position on a number of fronts. For example, they point to the massive payment card data breaches that took place in 2014 at national merchants, saying these events eroded consumers' confidence in payment cards. Migrating to EMV cards and eventually replacing the magnetic stripe will provide clear improvements to payment card security, which will in turn increase consumer confidence in the safety of using cards. And that will benefit all stakeholders in this payment system. In addition, card brands and financial institutions are taking steps to help mitigate CNP fraud: they have invested heavily in several products and are collaborating with third-party providers to develop better customer authentication solutions to ultimately reduce the risk of CNP transactions for all stakeholders.

Disagreements among stakeholders will always exist, especially on elements that have a major financial impact on their businesses. However, there must be a diligent and ongoing effort by all parties, working together and with the same goal, to find areas of common ground that will result in a more secure payments environment.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 23, 2015 in cards, chip-and-pin, EMV, payments | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Payments Stakeholders: Can't We All Just Work Together?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 2, 2015

Does More Security Mean More Friction in Payments?

In a 2014 post, we discussed the issue of consumers' security practices in light of the regulatory liability protection provided to consumers, especially related to electronic transactions. Recognizing that poor security practices will continue, financial institutions, merchants, and solution vendors continue to implement additional security and fraud deterrence tools in the payment flow. Sometimes those tools can add complexity to a financial transaction.

One of the critical elements in a consumer's experience when performing a financial transaction is the concept of friction. In the payments environment, friction can be measured by the number and degree of barriers that impede a smooth and successful transaction flow. Potential causes of friction in a payment transaction include lack of acceptance, slow speed, inaccuracy, high cost, numerous steps, and lack of reliability. We usually think that to decrease friction is to increase convenience.

As the level of friction increases, consumers become more likely to rethink their purchase and payment decisions—an action that merchants and financial institutions alike dread because an abandoned payment transaction represents lost revenue. Individual consumers have their preferred payment methods, and their perspective of the convenience associated with a particular method is a key factor in their choice. For this reason, the payment industry stakeholders have been working diligently to reduce the level of friction in the various forms of payments. Technology provides a number of advantages, potentially reducing the overall friction of payments by providing consumers with a variety of payment form factors. For example, smartphones can support integrated payment applications allowing the consumer to easily call up their payment credentials and execute a payment transaction at a merchant's terminal. With abandonment rates as high as 68 percent, online merchants, working diligently to reduce friction, are streamlining their checkout process by reducing the number of screens to navigate.

Clearly cognizant of the friction issue, the industry has focused much of its efforts on operating fraud risk tools in the background, so that customers remain unaware of them. Other tools are more overt—biometrics on mobile phones, hardware tokens for PCs, and transaction alerts. But some security improvements the industry has undertaken have resulted in more friction, including the EMV card. A consumer must now leave the EMV card in the terminal for the duration of the transaction when previously all the consumer had to do was simply swipe the card. It will be interesting to see if and how consumers adjust their payment habits should they view the EMV card technology as high in friction. Will this motivate consumers to move away from card-based payments? Time will tell, and we will closely follow this issue.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 2, 2015 in biometrics, chip-and-pin, EMV, innovation, payments | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Does More Security Mean More Friction in Payments?:


You've touched upon an important continuing battle. The balancing act of maximizing conversion vs. maximizing security/fraud prevention can be a real conundrum. It impacts revenue and can even divide offices. It comes down to what your product/service is, what your appetite for risk is, and what tools you have in place. It is important though for financial institutions and ecommerce companies to seek out new technology solutions to maximize security and not be stagnant with the status quo.

Posted by: Logan | February 3, 2015 at 07:46 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 22, 2014

Top 10 Payments Events in 2014

As the year draws to a close, the Portals and Rails team would like to share its own "Top 10" list of major payments-related events and issues that took place in the United States this year.

#10: Proposed prepaid rule. After a long wait, the Consumer Financial Protection Bureau issued its proposed rules on general reloadable prepaid cards in November. While the major players in the prepaid card industry had already adopted most of the practices included in the proposed rule, the proposal allowing overdrafts and credit extensions is likely to generate differing perspectives during the comment period before a final rule is adopted in 2015.

#9: Regulation II. The U.S. Circuit Court of Appeals for the District of Columbia upheld the Federal Reserve Bank's rules regarding interchange fees and network routing rules, reversing a 2013 decision. Notice of appeal on the interchange fee portion of the ruling has been given, but resolution of the network routing rules has cleared the way for the development of applications supporting routing on chip cards.

#8: Payment trends. The detailed Federal Reserve Bank's triennial payments study results were released in July 2014, continuing the Fed's 15-year history of conducting this comprehensive payments research. Cash usage continued to decline but remained the most-used form of payment in terms of transaction volume.

#7: Card-not-present (CNP) fraud. With the growing issuance of chip cards and the experience of other countries post-EMV migration—with substantial amounts of fraud moving to the online commerce environment—the payments industry continues to search for improved security solutions for CNP fraud that minimize customer friction and abandonment.

#6: Faster payments. Continuing a process it began in the fall of 2013 at the release of a consultative white paper, the Federal Reserve Bank held town halls and stakeholder meetings throughout the year in preparation of the release of its proposed roadmap towards improving the payment system.

#5: Virtual currencies. Every conference we attended had sessions or tracks focused on virtual currencies like Bitcoin. While there was some advancement in the acceptance of Bitcoin by major retailers, the number of consumers using the currency did not rise significantly.

#4: Mobile payments. The entry of Apple with its powerful brand identity into the mobile payments arena with Apple Pay has energized the mobile payments industry and brought improved payment security through tokenization and biometrics closer to the mainstream. (Apple Pay's impact on mobile payment transaction volume will likely be negligible for a couple of years.) Additionally, the use of host card emulation, or HCE, as an alternative contactless communications technology provides another option for mobile wallet development.

#3: EMV migration. The frequency and magnitude of the data breaches this year have spurred financial institutions and merchants alike into speeding up their support of EMV chip cards in advance of the October 2015 liability shift.

#2: Third-party processors. Regulators and law enforcement escalated the attention they were giving to the relationships of financial institutions with third-party processors because of increased concerns about deceitful business practices as well as money laundering.

And…drum roll, please!

#1: Data breaches. The waves of data breaches that started in late 2013 continued to grow throughout 2014 as more and more retailers revealed that their transaction and customer data had been compromised. The size and frequency of the data breaches provided renewed impetus to improve the security of our payments system through chip card migration and the implementation of tokenization.

How does this list compare to your Top 10?

All of us at the Retail Payments Risk Forum wish our Portals and Rails readers Happy Holidays and a prosperous and fraud-free 2015!

Photo of Mary Kepler Photo of Doug King Photo of David Lott Photo of Julius Weyman

Mary Kepler, vice president; Doug King, payments risk specialist; Dave Lott, payments risk expert; and Julius Weyman, vice president—all of the Atlanta Fed's Retail Payments Risk Forum.

December 22, 2014 in chip-and-pin, cybercrime, data security, EMV, innovation, mobile payments, prepaid, regulations, third-party service provider | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Top 10 Payments Events in 2014:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 20, 2014

Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?

Portals and Rails recently embarked on a series of posts on tokenization. In the first installment, we defined tokenization and distinguished between a merchant-centric enterprise tokenization solution and payment tokens generated as an issuer-centric end-to-end solution. In the second installment, we examined several different attributes of the issuer-centric end-to-end token initiatives currently under way and considered their impact on mitigating risk. In this post, we examine the shortcomings of end-to-end token initiatives and question if they are really a coup in mitigating risks in today's environment.

The goal of payment tokenization is to substitute sensitive data—such as account numbers, expiration dates, and security codes—that criminals can use to extract monetary value with surrogate values that lack monetary value. In light of the number and depth of recent data breaches, tokenization seems like a grand idea—let's get data that fraudsters can use out of the payment transaction flow and the merchants' systems.

But current uses for these end-to-end initiatives are limited to card-on-file transactions for in-app or e-commerce payments and mobile proximity payments. I know you have to start somewhere but, in the near future, only a small percentage of transactions will use tokenization. These end-to-end initiatives are solid solutions, but are currently extremely limited. Thus, there will be a continued need for the industry to use a variety of methods to fight fraud, including the merchant-centric enterprise tokenization solutions the first installment discussed.

And isn't the point of the significant EMV investment currently under way to mitigate risks associated with counterfeit cards using compromised card data? In other words, it should render compromised card data useless. But I am hearing the EMV naysayers claiming that, in an EMV world, data compromises will still take place and, while fraudsters may not be able to counterfeit cards, they can still use that data to shop on the Internet.

Those naysayers are correct.

But let's circle back to the use cases for the current issuer-centric end-to-end token initiatives. Is tokenizing payment data for card-on-file and mobile proximity payments really going to have a material impact on preventing card-not-present fraud? Are these tokenization efforts really the best solution for this challenge? It could be many years before we regularly use our mobile phones for proximity payments. I am confident that we will be using chip-enabled cards for a significant number of transactions within two to three years. Would it be wiser to rely on solutions that leverage the chip or other security features of cards? Or maybe it's time we realize that cards weren't designed for card-not-present uses and place a higher priority on the broader adoption of existing and emerging non-card-based payment solutions in a multi-layered security approach.

Unfortunately, I do not have the answers. But these questions and topics will certainly be discussed during the upcoming Securing Remote Payments conference that the Retail Payments Risk Forum and the Secure Remote Payment Council is hosting. If you are interested in attending, please reach out to us. We will be in touch with more details.

In the next installment in this series, we'll look at new security and operational risks introduced with these token initiatives.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 20, 2014 in cards, data security, EMV | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts

October 2015

Sun Mon Tue Wed Thu Fri Sat
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31



Powered by TypePad