About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

January 9, 2017


The Year in Review

As we move into 2017, the Take on Payments team would like to share its perspectives of major payment-related events and issues that took place in the United States in 2016, in no particular order of importance.

Cybersecurity Moves to Forefront—While cyber protection is certainly not new, the increased frequency and sophistication of cyber threats in 2016 accelerated the need for financial services enterprises, businesses, and governmental agencies to step up their external and internal defenses with more staff and better protection and detection tools. The federal government released a Cybersecurity National Action Plan and established the Federal Chief Information Security Office position to oversee governmental agencies' management of cybersecurity and protection of critical infrastructure.

Same-Day ACH—Last September, NACHA's three-phase rules change took effect, mandating initially a credit-only same-day ACH service. It is uncertain this early whether NACHA will meet its expectations of same-day ACH garnering 1 percent of total ACH payment volume by October 2017. Anecdotally, we are hearing that some payments processors have been slow in supporting the service. Further clarity on the significance of same-day service will become evident with the addition of debit items in phase two, which takes effect this September.

Faster Payments—Maybe we're the only ones who see it this way, but in this country, "faster payments" looks like the Wild West—at least if you remember to say, "Howdy, pardner!" Word counts won't let us name or fully describe all of the various wagon trains racing for a faster payments land grab, but it seemed to start in October 2015 when The Clearing House announced it was teaming with FIS to deliver a real-time payment system for the United States. By March 2016, Jack Henry and Associates Inc. had joined the effort. Meanwhile, Early Warning completed its acquisition of clearXchange and announced a real-time offering in February. By August, this solution had been added to Fiserv's offerings. With Mastercard and Visa hovering around their own solutions and also attaching to any number of others, it seems like everybody is trying to make sure they don't get left behind.

Prepaid Card Account Rules—When it comes to compliance, "prepaid card" is now a misnomer based on the release of the Consumer Financial Protection Bureau's 2016 final ruling. The rule is access-device-agnostic, so the same requirements are applied to stored funds on a card, fob, or mobile phone app, to name a few. Prepaid accounts that are transactional and ready to use at a variety of merchants or ATMS, or for person-to-person, are now covered by Reg. E-Lite, and possibly Reg. Z, when overdraft or credit features apply. In industry speak, the rule applies to payroll cards, government benefit cards, PayPal-like accounts, and general-purpose reloadable cards—but not to gift cards, health or flexible savings accounts, corporate reimbursement cards, or disaster-relief-type accounts, for example.

Mobile Payments Move at Evolutionary, Not Revolutionary, Pace—While the Apple, Google, and Samsung Pay wallets continued to move forward with increasing financial institution and merchant participation, consumer usage remained anemic. With the retailer consortium wallet venture MCX going into hibernation, a number of major retailers announced or introduced closed-loop mobile wallet programs hoping to emulate the success of retailers such as Starbucks and Dunkin' Brands. The magic formula of payments, loyalty, and couponing interwoven into a single application remains elusive.

EMV Migration—The migration to chip cards and terminals in the United States continued with chip cards now representing approximately 70 percent of credit/debit cards in the United States. Merchant adoption of chip-enabled terminals stands just below 40 percent of the market. The ATM liability shift for Mastercard payment cards took effect October 21, with only an estimated 30 percent of non-FI-owned ATMs being EMV operational. Recognizing some of the unique challenges to the gasoline retailers, the brands pushed back the liability shift timetable for automated fuel dispensers three years, to October 2020. Chip card migration has clearly reduced counterfeit card fraud, but card-not-present (CNP) fraud has ballooned. Data for 2015 from the 2016 Federal Reserve Payments Study show card fraud by channel in the United States at 54 percent for in person and 46 percent for remote (or CNP). This is in contrast to comparable fraud data in other countries further along in EMV implementation, where remote fraud accounts for the majority of card fraud.

Distributed Ledger—Although venture capital funding in blockchain and distributed ledger startups significantly decreased in 2016 from 2015, interest remains high. Rather than investing in startups, financial institutions and established technology companies, such as IBM, shifted their funding focus to developing internal solutions and their technology focus from consumer-facing use cases such as Bitcoin to back-end clearing and settlement solutions and the execution of smart contracts.

Same Song, Same Verse—Some things just don't seem to change from year to year. Notifications of data breaches of financial institutions, businesses, and governmental agencies appear to have been as numerous as in previous years. The Fed's Consumer Payment Choices study continued to show that cash remains the most frequent payment method, especially for transactions under 10 dollars.

All of us at the Retail Payments Risk Forum wish all our Take On Payments readers a prosperous 2017.

Photo of Mary Kepler
Mary Kepler
Photo of Julius Weyman
Julius Weyman
Photo of Doug King
Doug King
Photo of David Lott
Dave Lott
Photo of Jessica Trundley</span>
</div>
Jessica Washington
Photo of Steven Cordray
Steven Cordray

 

January 9, 2017 in ACH, ATM fraud, cards, chip-and-pin, cybercrime, debit cards, emerging payments, EMV, fraud, mobile banking, mobile payments, P2P, prepaid, regulations | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 22, 2016


Why U.S. Card Fraud Is Now Present and Accounted For

Last year, I wrote a post called "Why Is the U.S. Card-Present Fraud Breakout Not Present?" in which I discussed the lack of publicly available information on the distribution of U.S. card fraud by type. I'm happy to report that more detailed data on card fraud in the United States is now present and accounted for in the Initial Data Release (IDR) of the 2016 Federal Reserve Payments Study.

As is common in other countries, card fraud can be categorized as follows across person-present and remote payment channels:

  • Counterfeit card: Fraud is perpetrated using an altered or cloned card.
  • Lost or stolen card: Fraud is undertaken using a lost or stolen card.
  • Card issued but not received: A newly issued card in transit to a card holder is intercepted and used to commit fraud.
  • Fraudulent application: A new card is issued based on a fake identity or on someone else's identity.
  • Other: "Other" fraud includes account takeover and other types of fraud not covered above.
  • Fraudulent use of account number: Fraud is perpetrated without using a physical card.

An extract from the fraud section of the IDR shows breakouts for card fraud by type across five countries.

Percentage-of-total-domestic-general-purpose-card-fraud

As reflected in the numbers, the United States continues to be by roughly an order of magnitude a continuing and persistent target for card counterfeiters using stolen card data compared to other countries that have adopted much earlier counterfeiting controls using EMV (chip) cards. Use of chips makes in-person card fraud more difficult, because of built-in technology to thwart the creation of counterfeit chip cards. As adoption of chips for cards and terminals improves in the United States, fraud using stolen card data is likely to shift from person-present to remote channels as has already occurred in other developed countries. My colleague, Doug King, discusses these issues in detail in an interview conducted last year.

Look for other Take On Payments posts that highlight additional key findings from the 2016 payments study.

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

December 22, 2016 in cards, chip-and-pin, EMV, payments study | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 17, 2016


EMV Comments That Make Me Cringe

Some aspects of the chip card implementation in the United States certainly make us frustrated. For one, the customer experience could be seen as slightly more negative because of the longer transaction time and confusion about the debit card selection menu. However, at several payments conferences I have attended recently, I have heard comments made by speakers and panelists about EMV chip cards and their technology that caused me to cringe a bit. I understand that a number of stakeholders are not proponents of EMV technology for a variety of reasons and, while some parts of their comments are factually accurate, they certainly are not "the truth, the whole truth and nothing but the truth."

Cringe #1: The United States is implementing 20-year-old-technology with EMV chip cards. Yes, the first EMV specifications were publicly released in 1995. But isn't that like saying that the gasoline-powered automobile is technology that is 130 years old? Microsoft's first release of Windows was in 1985. Do we hear complaints about it being 30-plus years old? The reality is that the EMV specifications, like practically all software development, are continually updated over the years with enhancements continuing as long as the software is still being supported. The EMV specifications are now at version 4.3, released in November 2011, with 20 supplemental bulletins issued since then and more on the way.

Cringe #2: EMV (chip) cards haven't solved the card-not-present (CNP) fraud problem. Again, this is an accurate statement. CNP card fraud is the second largest category of fraud losses in the U.S. (see the chart). But, the statement is misleading inasmuch as the EMV specifications and chip cards were never intended to address the CNP ecommerce environment. Counterfeit card fraud, whereby the criminal produces a card using data obtained from a skimmer or data breach, has been the number-one source of card-present fraud in the United States. It was this type of card fraud that the chip card was designed to target, and, from all accounts to date, it has been highly successful in doing so.

table-one

Source: Chip Cards in the United States: The PIN, PINless, Debit, Credit Conundrum, Aite Group, July 2016

Cringe #3 – Using a PIN improves the security of the chip card. While a cardholder using a PIN in lieu of a signature does clearly result in a lower level of fraud losses, the claim is somewhat of an apples and oranges comparison. The chip on the card authenticates the card itself, while the use of a PIN is intended to authenticate the cardholder performing the transaction. These are two separate types of authentication which, when combined, make the transaction more secure—a good thing. The use of a PIN should result in lower lost/stolen card fraud as it invokes two-factor authentication—something you have (card) and something you know (PIN).

Are the current EMV specifications perfect? Of course not, and that is why there are constant efforts to identify ways to improve them. But one must recall that the EMV specifications provide global interoperability and must be developed keeping that requirement in mind. What are your thoughts on the EMV specifications and how they can be improved?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 17, 2016 in chip-and-pin, consumer fraud, consumer protection, EMV, fraud | Permalink

Comments

Good stuff, Dave; I fully agree with your first 2 cringes, but on the third I think the objection is that if minimizing fraud is so important, why would we not complete the process of requiring PIN and take security to the next logical step?

Of course this opens up plenty of other debates- consumer choice, merchant fee levels, etc.- but thought it would be helpful to clarify that point in hopes of advancing the dialogue.

Posted by: Glen Sarvady | December 12, 2016 at 02:28 PM

Hello Dave,
While I agree with much that you have written.
The EMV specification has not kept pace with modern needs. The Target breach was the catalyst for the US implementation of EMV. Yet the current implementation of EMV would not have prevented the breach. The chip card exposes the static, clear text Primary Account Number (PAN) and other Personally Identifiable Information (PII) in numerous places. It does not cryptographically protect the sensitive data. To match our current needs, the cryptographic and computational power of the chip should be harnessed to protect the PAN and the PII. Or better yet, remove the PAN and PII from the chip card entirely.
The card is a physical token which should represent the PAN, but not expose it. The PAN should remain inside the Financial Institution (FI) linked to various tokens, each of which has a Device ID. The physical token should be authenticated without revealing the PAN to the merchant or a payment intermediary. Once the token (the Card or other access device) has been authenticated by the Issuer, it can look up the corresponding account and move (or not move) the funds accordingly.
When the card is capable of protecting itself, it can be issued, secured and validated by the issuer without the need for any intermediaries (consumers, merchants, processors, acquirers, networks) to participate in the protection process. With a proper chip card specification, this can be accomplished while maintaining global interoperability.
Respectfully,
Mimi Hart, MagTek

Posted by: Mimi Hart | December 9, 2016 at 03:11 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 16, 2016


Improving Customer Authentication: Is the PIN Past Its Prime?

The Financial Fraud Action UK recently released its Year-End 2015 Fraud Update. This report, filled with fraud-related figures from a fully EMV(chip)-migrated country, provides insight into what the future of fraud in the United States might look like as we are approximately eight months into our EMV journey. And if indeed the United Kingdom’s experience is a harbinger of things to come in the United States, then I think there will be disappointment for anyone who thought EMV by itself would be a magic bullet. After I spent time studying this report, it became evident that customer authentication is the latest low-hanging fruit and fraudsters are having a feast.

Fraud losses on payment cards in the United Kingdom (£567.5m) are approaching pre-EMV migration levels, and fraud loss rates have increased above 8 basis points (0.08%), hitting a level last seen in 2009. Diving deeper, we find that:

  • As expected, card-not-present (CNP) fraud losses represent a majority of card fraud losses (70 percent). Interestingly though, ecommerce spend volume grew faster than ecommerce fraud losses in 2015, suggesting that the industry made headway in its efforts to mitigate ecommerce fraud.
  • Lost and stolen card fraud (remember, the United Kingdom is a PIN environment) increased more than 24 percent in 2015, reaching levels last seen in 2006. The report highlights distraction thefts through cameras or simply shoulder surfing as methods of fraudulently obtaining PINs.
  • Card ID theft fraud losses, defined as losses from spend on fraudulently opened or obtained cards through stolen personal information, increased by 28 percent and are now approaching counterfeit card levels.
  • A bit of good news is that counterfeit card fraud losses remain well below pre-EMV levels and fell even further in 2015—perhaps, as the report suggests, driven partly by the increased acceptance of EMV cards in the United States.
  • Beyond cards, remote banking fraud losses (losses from Internet, telephone, and mobile banking) increased by more than 134 percent during the last two years, totaling nearly £169 million.

EMV is performing exactly as expected and doing a phenomenal job of authenticating payment cards in the card-present environment. Why are fraud losses increasing in a mature EMV environment? Because customer authentication remains a challenge, as is evident by rising fraud losses from lost and stolen cards, card applications with stolen identities, and remote banking.

Whether on the front end of authenticating the user during the account opening process or the back end of authenticating the user at the time of payment, authentication measures are coming up short, and these measures include PINs and passwords. Replacing passwords has been an ongoing conversation and likely may continue to be a conversation piece rather than a prolific action item. Yet there is a growing push for the use of PINs coupled with EMV cards here in the United States. While PIN authentication is an improvement over signature authentication, it, too, has its flaws. With improvements and advancements in new technologies such as biometrics, perhaps it's time for the industry to advance beyond PINs. Because of the current signature-laden EMV environment in the U.S., the timing is perfect.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 16, 2016 in chip-and-pin, EMV, fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 22, 2016


2016 Payment Predictions

In our 2015 year-end review, we promised we would provide some predictions and expectations for payments in the United States during 2016. Predictions are usually pretty…unpredictable, so by waiting a couple of months to release ours, we're hoping they will end up being more accurate than usual. Disclaimer: These predictions are through the collective wisdom of the Retail Payments Risk Forum staff and do not reflect the opinions of the Federal Reserve System or the Board of Governors. So here we go in no particular order or probability of happening.

  • Cyberattacks will be the top threat to payments security: Cyberattacks and data breaches will be as robust as ever and will be the number one threat in the payments ecosystem. As retailers and financial service companies strengthen their defenses, the Risk Forum predicts that hackers will widen their focus.
  • This will be the year for mobile point-of-service (POS) payments…not!: Like the broken analog clock face that is correct twice a day, we believe that those forecasting 2016 as the "year of mobile payments" (as they did in 2013, 2014, and 2015) will be a little bit right, but will still be waiting for this optimistic prediction to be fully true. While the adoption pace of mobile payments is growing because of the increasing influence of millennials, the issues of limited merchant acceptance points, fragmentation, and consumer concerns over security and privacy will remain as substantial hurdles. Major educational efforts will be launched stressing the increased security provided by mobile payments through tokenization and biometrics.
  • EMV (chip card) POS migration will pick up the pace from 2015: The liability shift for POS took place October 1, 2015, and projections for both card and terminal capability missed their optimistic marks for a variety of reasons. Credit and debit card reissuance will continue during 2016 and should reach significant conversion levels by the end of the year. The Risk Forum expects the pace of merchant terminal conversions to pick up as certifications are completed and merchants targeted by counterfeit card fraudsters feel the sting of losses. However, we also think some merchant categories, such as restaurants, will continue to proceed at a tepid pace.
  • ACH same-day service will not be a huge hit: The Risk Forum forecasts that the roll-out of NACHA's mandated same-day ACH service in September will, at least initially, have modest adoption because corporate originators will have to update internal systems to support faster payments, the dollar cap of $25,000 per payment, and the imposition of the interbank fee. Consumer payment applications will have modest uptake due to competing payment alternatives.
  • EMV ATM liability shift will cause the number of ATMs to shrink: The implementation of chip card readers in ATMs will follow the same pattern as POS terminals did in 2015—the large ATM owners and operators will meet the October 2016 deadline but many of the small and mid-sized operators, especially those owned by nonfinancial institutions, will not and will be faced with absorbing the loss of transactions made with counterfeit cards—a fraud loss they haven't experienced in the past. Overall, the Risk Forum looks for the ATM base in the U.S. to contract by 10 to 15 percent because of financial institution mergers and the cost of EMV upgrades.
  • Mobile wallet space will continue to see turbulence: 2015 saw the launch or announcement of more mobile wallets by payment stakeholders such as Samsung, Google, Chase, Capital One, Walmart, and Target. Then add the retailer and credit union consortiums (MCX CurrentC and CU Wallet) that are struggling to emerge from uncertainty. How many wallets will the consumer be willing to load on a phone and which providers do they trust to keep their payments and banking credentials safe? We believe we'll see continued turbulence in this space during 2016, with some settling of the dust by next year.
  • Blockchain technology interest will accelerate: Cryptocurrencies will continue to exist in the "novelty" space, but we think large payments players will direct efforts to leveraging the distributed ledger technology for various uses and will proceed at an accelerated pace.
  • Biometric technology improves, but passwords remain supreme: Despite continued cries for intervention, the user ID and password will remain the primary authentication method that consumers use to access their various applications. Biometrics technology for payment and customer authentication applications will continue to improve while decreasing in price. Fingerprint, facial recognition, and eye/iris recognition will dominate as the most-used biometrics although voice recognition will serve as a key method in certain environments such as call centers. The Risk Forum believes that the technology will continue to face critical adoption challenges due to concerns about privacy, security, and safety, but educational programs will lower this resistance.
Photo of Mary Kepler
Mary Kepler
Photo of Steven Cordray
Steven Cordray
Photo of Doug King
Doug King
Photo of David Lott
Dave Lott
Photo of Jessica Trundley</span>
</div>
Jessica Trundley
Photo of Julius Weyman
Julius Weyman

February 22, 2016 in cybercrime, data security, EMV, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 25, 2016


Waiting for the Other EMV Shoe to Drop

The EMV, or chip card, liability shift for point-of-service (POS) transactions began on October 1, 2015. The sun continued to rise and set each day thereafter, despite the predictions of a few that EMV conversions would bring retailer POS checkout processes to a grinding halt and create major consumer dissatisfaction. Sure, there have been some issues around longer card transaction processing time and, some retailers chose to defer their EMV implementation until after the holiday buying season. But, all in all, the terminal and card conversions have moved steadily forward.

In the United States, there are an estimated 410,000 to 425.000 ATMs operating with 55–60 percent of them owned by independent (non-financial-institution) deployers. The impact of the next EMV liability shift on October 1, 2016, might be more significant, especially for these independent ATM operators. On that date, an ATM that accepts any MasterCard-branded card must be EMV operational or the ATM owner will face liability for any fraudulent transaction performed with a counterfeit MasterCard. Under current network rules, the card issuer currently assumes 100 percent of fraud losses from ATM withdrawals made with a counterfeit card. While Visa's timetable for ATMs to be EMV operational is not until a year later, since virtually all ATMs in the United States accept both Visa- and MasterCard-branded cards, the earlier timeline for MasterCard essentially forces all ATM deployers to be ready. While the liability shift is not a mandate, it is expected that most ATM deployers will make their ATMs EMV operational to avoid being saddled with the additional liability.

For the independent ATM owner, their decision to upgrade, maintain, or remove a particular terminal is a challenging one. Their terminals are generally the more simplified table-top cash dispensers rather than the fully function ATMs installed by financial institutions. They are often installed in convenience stores, restaurants, bars, and other specialty retail locations. While their purchase cost is substantially less than full-service, heavily armored ATMs, their average transaction volume is also substantially less due to their location and the foreign transaction fees imposed by most cardholders' financial institutions. Their revenue comes primarily from an ATM surcharge fee and a dwindling network interchange, out of which they have to pay all their operating expenses, including rent to the retailer where the ATM is located. An ATM generating $100 a month in net profit is considered a successful ATM. The cost to upgrade such a terminal is highly variable depending on its current hardware and processing capability, but just the cost of an EMV card reader, its installation, and testing is generally in the $500 to $800 range. The older cash dispensers may not be suitable for upgrades.

This industry has seen its cyclical periods of prosperity and austerity over the last 15 years, with its financial challenges generally centered on the hardware and software upgrades related to regulatory compliance—first with Y2K compliance, then with the American with Disabilities Act (ADA), Triple DES, PCI, Windows XP nonsupport, and now EMV. As occurred with these earlier technology upgrades, the industry is seeing further consolidation of ATM terminal portfolios. A number of industry observers share my prediction of a contraction in the ATM installed base by as much as 15 percent by the end of 2016 due to further bank consolidations and the cost impact of the EMV upgrade. Since cash operations is a major function of the Federal Reserve System, we will be watching this impact with considerable interest.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 25, 2016 in EMV | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 8, 2015


Why Is the U.S. Card-Present Fraud Breakout Not Present?

Before answering the question the title poses, let me introduce myself. I'm the newest blogger in the Risk Forum. Recently, I was the faster-payments-product guy in the Retail Payments Office (RPO) at the Atlanta Fed. While in the RPO, I was a cheerleader who pushed and cajoled the industry to get same-day ACH off the ground. Incidentally, same-day ACH is due to become available universally as early as September 2016 due to a recent rule change passed by NACHA.

Back to my question—while doing some research on expanding fraud data coverage in the Fed's upcoming triennial payments study, I came across a gap in publicly available detailed fraud data for the United States compared to other geographies. As the table shows, the gap is evident from the Fourth Report on Card Fraud published in July 2015 by the European Central Bank. You probably see the "Not available" designation in the card-present subcategory.

Percentage-of-total-card-table

What gives? What could be gained if this information were made available? As the footnote shows, the high-level data is taken from the Fed's last triennial payments study published in 2014. And as a previous post notes, the United States does not have a publicly available, single, uniform repository for payments fraud data. Back in 2009, the problem was covered in detail in the briefing paper "The Benefits of Collecting and Reporting Payment Fraud Statistics for the United States" by my colleague Rick Sullivan from the Kansas City Fed. In fairness, it should be noted that information is available in the United States to varying levels of detail as a paid service or through surveys conducted by such organizations as the Association of Financial Professionals and is typically distributed only to the organization's membership.

So that you know what we are missing out on in the United States, here are capsule descriptions of each card-present fraud type:

  • Counterfeit/Skimming: Fraud is perpetrated using an altered or cloned card.
  • Lost/Stolen: Fraudulent transactions result from the use of a lost or stolen card.
  • Card not received: A newly issued card in transit to a card holder is intercepted and used to commit fraud.
  • Fraudulent application: A new card is issued based on a faked identity or using someone else's identity.
  • Other: This is a catchall category for fraud not covered above.

The card-not-present subcategory, which is fully reported on in the triennial study, generally covers fraudulent payments initiated online, or by mail or telephone. Unlike card-present fraud, this type of fraud is not usually subdivided any further.

It should be noted that the current study was the first of the triennial series to report on fraud. Unfortunately, scope limitations precluded breaking out fraud further. As it is, the current study offers a wealth of payment and fraud data for cards and all other forms of noncash payments.

Adding a level of specificity for card-present fraud in the United States will help in tracking the movement of fraud from one type to another and the migration of fraud to other countries. In the United States, fraud is likely to further shift from card present to card not present due to increased counterfeiting controls at the point of sale from the anticipated broad adoption of EMV (chips) for cards and POS terminals. The Federal Reserve, in partnership with other payment system stakeholders, hopes to track these and other developments by collecting additional fraud data for the next triennial study due to be published in 2017.

What suggestions do you have for identifying and collecting other fraud data?

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 8, 2015 in EMV, fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 17, 2015


Pigskin and Payments

For those who know me well, they know that I find August to be the slowest-moving month of the year. It's not because of the oppressive southern heat and humidity, but rather it's my anticipation for football season. To help speed along the "dog days of summer," I generally read my fair share of prognostication publications. Alongside the predictions, improving player safety has become a key discussion topic as the season approaches.

Armed with data showing an increase in injuries as well as long-term negative effects from playing the sport, football's governing bodies on both the collegiate and professional levels are instituting rule changes to make the game safer. Equipment manufacturers are introducing new gear to improve safety and individual teams are adding new experts to their medical staffs all in the name of player safety.

Ironically, while there is a focus on improving player safety, football players continue to get stronger and faster aided by advancements in nutrition and workout regimes. As player strength and speed improves, this contact sport becomes more vicious and dangerous. And as a fan, I'll admit that I find watching a game featuring stronger and faster players more exciting. I do not want to see players injured, but at the same time I enjoy the excitement that comes with hard tackles and big hits.

Does this state of football sound at all like the current state of the U.S. payments industry? To make payments safer, public and private entities are leading literally hundreds of initiatives across various payments rails. Network rule changes are taking place and new technologies are being harnessed all in an effort to better secure payments. At the same time, start-ups, established payment companies, payment associations, and the Federal Reserve are collaborating to improve the speed of payments.

It's hard not to get excited about the possibilities of faster payments, from important just-in-time supplier payments to simple repayments for borrowing money from a friend or family member. However, can securing payments better derail the speed of payments? By way of example and personal experience, my more secure EMV (chip) credit card has clearly reduced the speed at the point-of-sale for my card payment transactions.

But just as player strength and speed has evolved alongside safety through rule-making and technology (think about leather football helmets here), I think we have seen the same progression within the payments industry. I think football remains as exciting as ever, and the payments expert in me is clearly excited about the future of payments.

Speed and safety are not to be viewed as mutually exclusive, and I am confident that the payments industry supports this view. In both football and payments, elements of risk will exist, regardless of safety measures in place. Finding the right balance between speed and safety should be the goal in order to maintain an exciting football game or efficient payments system. I can't wait to see what lies ahead on the gridiron and within the payments industry.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 17, 2015 in emerging payments, EMV, fraud, innovation, risk management | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 29, 2015


The More Things Change, the More They Stay the Same

As I write this blog on the screened porch of a North Alabama lake house, the cicadas are constantly buzzing in the background. I am fascinated by the life cycle of this species—namely, the emergence of the periodical cicadas from belowground every 13 to 17 years. This life cycle got me thinking how the world has changed since the last time the 17-year cicadas emerged. And while in this neck of the woods, some things have changed—new houses have been built and personal watercraft are now constantly buzzing on the lake—some things have remained the same. The nearest grocery store is still 30 minutes away and the iced tea is as sweet as it ever was. Is this mixed scenario really any different for payment card fraud?

Certainly a lot has changed in card payments during the last 17 or so years. We've witnessed the enormous growth of debit card transactions, the continued growth of credit card transactions, the emergence of the e-commerce and mobile payments channels, and the almost global adoption of the EMV (chip) card. As card payment usage has evolved, so has the fraud landscape. Lost and stolen card fraud fell out of vogue while counterfeit card fraud took off only to see stolen card fraud re-emerge when the issuance of EMV cards in most markets thwarted counterfeit card fraud. Point-of-sale (POS) fraud is occurring less often across the globe because of EMV and PIN verification, driving the fraudsters to the Internet to commit card-not-present (CNP) fraud.

But what hasn't changed is the global rate of fraud. An article in the August 2013 Nilson Report estimated that the annual cost of card fraud worldwide in 2012 was 5.2 cents for every $100 spent, resulting in $11.27 billion in losses. This figure compares to Nilson's estimate of fraud losses in 1998, which ran approximately 4.8 cents for every $100 spent and resulted in a little less than $2 billion of fraud. Perhaps a fraud rate in the 5 basis points range is the industry-wide acceptable rate, but with billions of dollars being invested to mitigate fraud, I would like to think that over time the rate would be reduced (though I must admit that I am not sure what the acceptable rate should be).

Maybe this speaks to the tenacity of the card fraudsters. As we in the Retail Payments Risk Forum have often stressed, once one door is fortified, the fraudsters find another door to enter. And if we could dive deeper within the figures, I am certain that is what we would find, according to various estimates of fraud and anecdotal evidence. For example, the emergence of EMV and the use of PIN verification instead of signature verification have reduced POS fraud. Today, CNP fraud rates are significantly higher than POS fraud rates and many industry risk efforts are focused on mitigating CNP fraud.

When the cicadas reappear, undoubtedly the payment card usage and fraud landscape will look different. Perhaps mobile payments will have taken off and the use of biometrics as a method of verification will be commonplace. I feel confident that in 17 years the industry will make substantial strides in reducing e-commerce CNP fraud rates—but also that new areas of fraud will appear. Is the industry prepared to fight the next generation of fraud or will it just continue to Band-Aid the past? Should we expect a 5 basis points rate of fraud when the cicadas emerge in another 17 years? I'd like to think the rate will be lower. At a minimum, hopefully, it will remain as consistent as the sweet iced tea in this neck of the woods.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


June 29, 2015 in cards, chip-and-pin, EMV, fraud, innovation, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 8, 2015


Is the Conventional Wisdom about EMV Migration Right?

We're within five months now of the initial EMV (chip) card liability shift for POS transactions. Most people in the industry have held the belief that as the ability to create counterfeit cards is shut down, the criminals will shift their focus primarily to the card-not-present (CNP) environment, where they can continue to use payment card data they take from the magnetic stripe or other data breaches. In fact, my colleagues and I have been broadcasting this message in our presentations and posts for quite some time. Our assessment, along with most other industry experts, was based on the statistics released by banking groups in major countries that had already gone through the EMV migration. The chart illustrates one view of their experiences. It seems to leave no doubt about what we can expect.

Chart_cnp_fraud_losses

But does it mean what we think it means? While the chart clearly shows an increase in the CNP channel in fraud losses, did the ratio of CNP fraud to overall sales increase? Unfortunately, definitive data is not readily available to provide that answer. Using some confidential sources and partial—but significant volumes of—payment data, we were able to determine that during the period from 2010 to 2013, as a percentage of overall sales, CNP fraud in Canada actually held relatively steady. But was that stability created due to the large increases in the recurring billing segment in the CNP environment, which has a relatively low rate of fraud? At this point, we just don't have data granular enough to tell us.

I don't think this means that there isn't a reason to be concerned about CNP fraud as the EMV migration in the United States continues. For one thing, the experience of others is no guarantee that we will experience the same. But perhaps the biggest reason for us not to relax about the issue is that, even if the levels hold flat through our migration, CNP fraud is still quite significant and has a major negative financial impact on merchants and issuers. The 2013 Federal Reserve Payments Study found that CNP fraud by volume is three times that of card-present fraud.

This situation also demonstrates the need to be able to collect detailed and accurate data on fraudulent payments activity. Fraud has been a real challenge in this country because of the large number of payments stakeholders that end up saddled with the loss. The Federal Reserve is interested in working with the industry to develop a process for collecting such information for the benefit of all.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 8, 2015 in chip-and-pin, cybercrime, EMV | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


February 2017


Sun Mon Tue Wed Thu Fri Sat
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28        

Archives


Categories


Powered by TypePad