Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

August 17, 2015


Pigskin and Payments

For those who know me well, they know that I find August to be the slowest-moving month of the year. It's not because of the oppressive southern heat and humidity, but rather it's my anticipation for football season. To help speed along the "dog days of summer," I generally read my fair share of prognostication publications. Alongside the predictions, improving player safety has become a key discussion topic as the season approaches.

Armed with data showing an increase in injuries as well as long-term negative effects from playing the sport, football's governing bodies on both the collegiate and professional levels are instituting rule changes to make the game safer. Equipment manufacturers are introducing new gear to improve safety and individual teams are adding new experts to their medical staffs all in the name of player safety.

Ironically, while there is a focus on improving player safety, football players continue to get stronger and faster aided by advancements in nutrition and workout regimes. As player strength and speed improves, this contact sport becomes more vicious and dangerous. And as a fan, I'll admit that I find watching a game featuring stronger and faster players more exciting. I do not want to see players injured, but at the same time I enjoy the excitement that comes with hard tackles and big hits.

Does this state of football sound at all like the current state of the U.S. payments industry? To make payments safer, public and private entities are leading literally hundreds of initiatives across various payments rails. Network rule changes are taking place and new technologies are being harnessed all in an effort to better secure payments. At the same time, start-ups, established payment companies, payment associations, and the Federal Reserve are collaborating to improve the speed of payments.

It's hard not to get excited about the possibilities of faster payments, from important just-in-time supplier payments to simple repayments for borrowing money from a friend or family member. However, can securing payments better derail the speed of payments? By way of example and personal experience, my more secure EMV (chip) credit card has clearly reduced the speed at the point-of-sale for my card payment transactions.

But just as player strength and speed has evolved alongside safety through rule-making and technology (think about leather football helmets here), I think we have seen the same progression within the payments industry. I think football remains as exciting as ever, and the payments expert in me is clearly excited about the future of payments.

Speed and safety are not to be viewed as mutually exclusive, and I am confident that the payments industry supports this view. In both football and payments, elements of risk will exist, regardless of safety measures in place. Finding the right balance between speed and safety should be the goal in order to maintain an exciting football game or efficient payments system. I can't wait to see what lies ahead on the gridiron and within the payments industry.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 17, 2015 in emerging payments, EMV, fraud, innovation, risk management | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 29, 2015


The More Things Change, the More They Stay the Same

As I write this blog on the screened porch of a North Alabama lake house, the cicadas are constantly buzzing in the background. I am fascinated by the life cycle of this species—namely, the emergence of the periodical cicadas from belowground every 13 to 17 years. This life cycle got me thinking how the world has changed since the last time the 17-year cicadas emerged. And while in this neck of the woods, some things have changed—new houses have been built and personal watercraft are now constantly buzzing on the lake—some things have remained the same. The nearest grocery store is still 30 minutes away and the iced tea is as sweet as it ever was. Is this mixed scenario really any different for payment card fraud?

Certainly a lot has changed in card payments during the last 17 or so years. We've witnessed the enormous growth of debit card transactions, the continued growth of credit card transactions, the emergence of the e-commerce and mobile payments channels, and the almost global adoption of the EMV (chip) card. As card payment usage has evolved, so has the fraud landscape. Lost and stolen card fraud fell out of vogue while counterfeit card fraud took off only to see stolen card fraud re-emerge when the issuance of EMV cards in most markets thwarted counterfeit card fraud. Point-of-sale (POS) fraud is occurring less often across the globe because of EMV and PIN verification, driving the fraudsters to the Internet to commit card-not-present (CNP) fraud.

But what hasn't changed is the global rate of fraud. An article in the August 2013 Nilson Report estimated that the annual cost of card fraud worldwide in 2012 was 5.2 cents for every $100 spent, resulting in $11.27 billion in losses. This figure compares to Nilson's estimate of fraud losses in 1998, which ran approximately 4.8 cents for every $100 spent and resulted in a little less than $2 billion of fraud. Perhaps a fraud rate in the 5 basis points range is the industry-wide acceptable rate, but with billions of dollars being invested to mitigate fraud, I would like to think that over time the rate would be reduced (though I must admit that I am not sure what the acceptable rate should be).

Maybe this speaks to the tenacity of the card fraudsters. As we in the Retail Payments Risk Forum have often stressed, once one door is fortified, the fraudsters find another door to enter. And if we could dive deeper within the figures, I am certain that is what we would find, according to various estimates of fraud and anecdotal evidence. For example, the emergence of EMV and the use of PIN verification instead of signature verification have reduced POS fraud. Today, CNP fraud rates are significantly higher than POS fraud rates and many industry risk efforts are focused on mitigating CNP fraud.

When the cicadas reappear, undoubtedly the payment card usage and fraud landscape will look different. Perhaps mobile payments will have taken off and the use of biometrics as a method of verification will be commonplace. I feel confident that in 17 years the industry will make substantial strides in reducing e-commerce CNP fraud rates—but also that new areas of fraud will appear. Is the industry prepared to fight the next generation of fraud or will it just continue to Band-Aid the past? Should we expect a 5 basis points rate of fraud when the cicadas emerge in another 17 years? I'd like to think the rate will be lower. At a minimum, hopefully, it will remain as consistent as the sweet iced tea in this neck of the woods.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


June 29, 2015 in cards, chip-and-pin, EMV, fraud, innovation, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 08, 2015


Is the Conventional Wisdom about EMV Migration Right?

We're within five months now of the initial EMV (chip) card liability shift for POS transactions. Most people in the industry have held the belief that as the ability to create counterfeit cards is shut down, the criminals will shift their focus primarily to the card-not-present (CNP) environment, where they can continue to use payment card data they take from the magnetic stripe or other data breaches. In fact, my colleagues and I have been broadcasting this message in our presentations and posts for quite some time. Our assessment, along with most other industry experts, was based on the statistics released by banking groups in major countries that had already gone through the EMV migration. The chart illustrates one view of their experiences. It seems to leave no doubt about what we can expect.

Chart_cnp_fraud_losses

But does it mean what we think it means? While the chart clearly shows an increase in the CNP channel in fraud losses, did the ratio of CNP fraud to overall sales increase? Unfortunately, definitive data is not readily available to provide that answer. Using some confidential sources and partial—but significant volumes of—payment data, we were able to determine that during the period from 2010 to 2013, as a percentage of overall sales, CNP fraud in Canada actually held relatively steady. But was that stability created due to the large increases in the recurring billing segment in the CNP environment, which has a relatively low rate of fraud? At this point, we just don't have data granular enough to tell us.

I don't think this means that there isn't a reason to be concerned about CNP fraud as the EMV migration in the United States continues. For one thing, the experience of others is no guarantee that we will experience the same. But perhaps the biggest reason for us not to relax about the issue is that, even if the levels hold flat through our migration, CNP fraud is still quite significant and has a major negative financial impact on merchants and issuers. The 2013 Federal Reserve Payments Study found that CNP fraud by volume is three times that of card-present fraud.

This situation also demonstrates the need to be able to collect detailed and accurate data on fraudulent payments activity. Fraud has been a real challenge in this country because of the large number of payments stakeholders that end up saddled with the loss. The Federal Reserve is interested in working with the industry to develop a process for collecting such information for the benefit of all.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 8, 2015 in chip-and-pin, cybercrime, EMV | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 16, 2015


Squeezing the Fraud Balloon

A number of our posts over the last year have discussed the U.S. migration to EMV (chip) cards. As we've mentioned, one of the primary motivations for the migration has been the ease with which fraudsters in our magnetic-stripe environment can create counterfeit payment cards. Other posts have mentioned that ubiquitous tenant of the criminal world—the person always on the lookout for the weakest link or the easiest target. And that criminal does not close up shop and go away in the chip-card world. There is clear evidence from other countries that criminals, after an EMV migration, look for, and find, other targets of opportunity—just as when you squeeze a balloon, you're constricting the middle, but both ends simultaneously expand.

One major area that criminals target post-EMV is online commerce, an activity referred to as card-not-present (CNP) fraud. However, criminals also target two other areas, according to speakers at the recent 2015 BAI Payments Connect conference: checks and account applications. Well before the EMV card liability shift occurs in the United States (October 1, 2015), a number of financial institutions have reported a marked increase in counterfeit checks and duplicate-item fraud, usually by way of the mobile deposit capture service. In many cases, the fraud takes place on accounts that have been open for more than six months, long enough to allow the criminal to have established an apparent pattern of "normalcy," although there are reports of newly opened accounts being used as well.

Canadian financial institutions report that fraudulent applications for credit and checking accounts have increased as much as 300 percent since that country's EMV liability shift. Criminals are opening checking accounts to perpetrate overall identity theft fraud as well as to create conduits for future counterfeit check or kiting fraud. And they're submitting fraudulent credit applications to purchase automobiles or other merchandise that they can then sell easily.

The time to examine and improve your fraud detection capabilities across all the channels customers use is now. Financial institutions should already be evaluating their check acceptance processes and account activity parameters to spot problem accounts early. Likewise, financial institutions should make sure their KYC, or know-your-customer, processes and tools are adequate to handle the additional threat that the credit and account application channel may experience. Be proactive to prevent the fraud in the first place while ensuring you have the proper detection capabilities to react quickly to potential fraudulent attempts. If we want to constrict the balloon of fraud, we're going to have to constrict the whole thing with consistent, equal pressure.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


March 16, 2015 in chip-and-pin, EMV, KYC | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d0ec46f0970c

Listed below are links to blogs that reference Squeezing the Fraud Balloon:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 02, 2015


Security at the ATM: We Have Some Educating to Do

ATM Marketplace recently published its 2015 triennial research report, which includes results of a poll of U.S. consumers on various issues related to ATMs. The online poll was conducted with a panel of 550+ individuals creating a representative sample of the adult (aged 18–65 years) population. Certain findings from the report stand out, in particular those related to consumers' expectations of various aspects of ATM transaction risk.

One question probed how concerned the respondent was about a skimming or camera device capturing their card information and PIN when they use the ATM. Thirty-eight percent indicated they were very concerned, but the remaining 61 percent indicated they were not that concerned or weren't even aware of what a skimming device is. The pie chart below breaks down each response.

01

Does the lack of concern come from a lack of education, or is it because the respondent knows the financial institution will have to bear the financial liability?

One of the final questions in the poll was whether the respondent felt an EMV card would make an ATM transaction more secure. As the chart below shows, more than half of the respondents believed there would be at least some level of improved security.

02

Of great concern to me is the 15 percent who indicated they don't know what an EMV card is. Of the two groups who mostly reported this lack of knowledge, one was the youngest (18–24) group, which surprised me. These younger people are supposed to be more tech-savvy than the rest of us. But of even greater surprise was that almost one-third (31 percent) of the most affluent group (those with a household income more than $150,000) responded they don't know what an EMV card is.

Clearly, the financial industry has a lot of educating to do as credit and debit card issuers ramp up their EMV card issuance in advance of the point-of-sale liability shift on October 1, 2015. While the ATM liability shift for domestic MasterCards won't be until October 2016 and Visa cards, a year later, it's never too early to begin or continue educational initiatives.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 2, 2015 in ATM fraud, chip-and-pin, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb07fb51bb970d

Listed below are links to blogs that reference Security at the ATM: We Have Some Educating to Do:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 23, 2015


Payments Stakeholders: Can't We All Just Work Together?

Coming together is a beginning; keeping together is progress; working together is success.
 – Henry Ford

In my physics classes at Georgia Tech, I found the principles around forces, momentum, and energy sometimes difficult to comprehend and distinguish. But I readily grasped a simplified version. I understood that if people apply their combined energy in the same direction, they can move the object of their attention to a designated spot faster and easier than if any of them tried it alone. And if they directly oppose one another or exert their efforts in different directions, the movement of the object is slow, its route is haphazard, and it may never reach its intended destination.

This last situation sometimes occurs with different groups of payments stakeholders—most notably, but not exclusively—the national card brands, along with their financial institution clients, and the merchant communities. Amidst all the charges and countercharges between the groups, it sometimes appears that these stakeholders are pushing in different directions—so the industry seems to be making little progress toward adopting payments standards and practices or fraud prevention solutions, for example.

An important payments risk issue affecting multiple stakeholders is card-not-present (CNP) fraud, which is expected to increase significantly after the United States migrates to EMV chip cards. We learned this from the experiences of other countries that have completed their migration. What happens is that EMV cards essentially close the door on the criminals' ability to create counterfeit EMV cards, so they shift focus to CNP opportunities.

Merchants contend that EMV card migration primarily benefits the card issuers since, for counterfeit-card-present (CCP) fraud, the issuer normally takes the loss—and EMV makes CCP fraud much less likely. Another way merchants may view EMV as being more issuer-friendly is that they must bear card-present fraud loss if they don't upgrade their terminals—at their expense—once the October 2015 liability shift goes into effect. So not only do they face increasing liability for card-present transactions, they will continue to be held responsible for the expected increase in CNP fraud losses.

The card brands and financial institutions counter the merchants' position on a number of fronts. For example, they point to the massive payment card data breaches that took place in 2014 at national merchants, saying these events eroded consumers' confidence in payment cards. Migrating to EMV cards and eventually replacing the magnetic stripe will provide clear improvements to payment card security, which will in turn increase consumer confidence in the safety of using cards. And that will benefit all stakeholders in this payment system. In addition, card brands and financial institutions are taking steps to help mitigate CNP fraud: they have invested heavily in several products and are collaborating with third-party providers to develop better customer authentication solutions to ultimately reduce the risk of CNP transactions for all stakeholders.

Disagreements among stakeholders will always exist, especially on elements that have a major financial impact on their businesses. However, there must be a diligent and ongoing effort by all parties, working together and with the same goal, to find areas of common ground that will result in a more secure payments environment.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


February 23, 2015 in cards, chip-and-pin, EMV, payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb07f047c8970d

Listed below are links to blogs that reference Payments Stakeholders: Can't We All Just Work Together?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 02, 2015


Does More Security Mean More Friction in Payments?

In a 2014 post, we discussed the issue of consumers' security practices in light of the regulatory liability protection provided to consumers, especially related to electronic transactions. Recognizing that poor security practices will continue, financial institutions, merchants, and solution vendors continue to implement additional security and fraud deterrence tools in the payment flow. Sometimes those tools can add complexity to a financial transaction.

One of the critical elements in a consumer's experience when performing a financial transaction is the concept of friction. In the payments environment, friction can be measured by the number and degree of barriers that impede a smooth and successful transaction flow. Potential causes of friction in a payment transaction include lack of acceptance, slow speed, inaccuracy, high cost, numerous steps, and lack of reliability. We usually think that to decrease friction is to increase convenience.

As the level of friction increases, consumers become more likely to rethink their purchase and payment decisions—an action that merchants and financial institutions alike dread because an abandoned payment transaction represents lost revenue. Individual consumers have their preferred payment methods, and their perspective of the convenience associated with a particular method is a key factor in their choice. For this reason, the payment industry stakeholders have been working diligently to reduce the level of friction in the various forms of payments. Technology provides a number of advantages, potentially reducing the overall friction of payments by providing consumers with a variety of payment form factors. For example, smartphones can support integrated payment applications allowing the consumer to easily call up their payment credentials and execute a payment transaction at a merchant's terminal. With abandonment rates as high as 68 percent, online merchants, working diligently to reduce friction, are streamlining their checkout process by reducing the number of screens to navigate.

Clearly cognizant of the friction issue, the industry has focused much of its efforts on operating fraud risk tools in the background, so that customers remain unaware of them. Other tools are more overt—biometrics on mobile phones, hardware tokens for PCs, and transaction alerts. But some security improvements the industry has undertaken have resulted in more friction, including the EMV card. A consumer must now leave the EMV card in the terminal for the duration of the transaction when previously all the consumer had to do was simply swipe the card. It will be interesting to see if and how consumers adjust their payment habits should they view the EMV card technology as high in friction. Will this motivate consumers to move away from card-based payments? Time will tell, and we will closely follow this issue.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


February 2, 2015 in biometrics, chip-and-pin, EMV, innovation, payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d0cd48cd970c

Listed below are links to blogs that reference Does More Security Mean More Friction in Payments?:

Comments

David,
You've touched upon an important continuing battle. The balancing act of maximizing conversion vs. maximizing security/fraud prevention can be a real conundrum. It impacts revenue and can even divide offices. It comes down to what your product/service is, what your appetite for risk is, and what tools you have in place. It is important though for financial institutions and ecommerce companies to seek out new technology solutions to maximize security and not be stagnant with the status quo.

Posted by: Logan | February 03, 2015 at 07:46 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 22, 2014


Top 10 Payments Events in 2014

As the year draws to a close, the Portals and Rails team would like to share its own "Top 10" list of major payments-related events and issues that took place in the United States this year.

#10: Proposed prepaid rule. After a long wait, the Consumer Financial Protection Bureau issued its proposed rules on general reloadable prepaid cards in November. While the major players in the prepaid card industry had already adopted most of the practices included in the proposed rule, the proposal allowing overdrafts and credit extensions is likely to generate differing perspectives during the comment period before a final rule is adopted in 2015.

#9: Regulation II. The U.S. Circuit Court of Appeals for the District of Columbia upheld the Federal Reserve Bank's rules regarding interchange fees and network routing rules, reversing a 2013 decision. Notice of appeal on the interchange fee portion of the ruling has been given, but resolution of the network routing rules has cleared the way for the development of applications supporting routing on chip cards.

#8: Payment trends. The detailed Federal Reserve Bank's triennial payments study results were released in July 2014, continuing the Fed's 15-year history of conducting this comprehensive payments research. Cash usage continued to decline but remained the most-used form of payment in terms of transaction volume.

#7: Card-not-present (CNP) fraud. With the growing issuance of chip cards and the experience of other countries post-EMV migration—with substantial amounts of fraud moving to the online commerce environment—the payments industry continues to search for improved security solutions for CNP fraud that minimize customer friction and abandonment.

#6: Faster payments. Continuing a process it began in the fall of 2013 at the release of a consultative white paper, the Federal Reserve Bank held town halls and stakeholder meetings throughout the year in preparation of the release of its proposed roadmap towards improving the payment system.

#5: Virtual currencies. Every conference we attended had sessions or tracks focused on virtual currencies like Bitcoin. While there was some advancement in the acceptance of Bitcoin by major retailers, the number of consumers using the currency did not rise significantly.

#4: Mobile payments. The entry of Apple with its powerful brand identity into the mobile payments arena with Apple Pay has energized the mobile payments industry and brought improved payment security through tokenization and biometrics closer to the mainstream. (Apple Pay's impact on mobile payment transaction volume will likely be negligible for a couple of years.) Additionally, the use of host card emulation, or HCE, as an alternative contactless communications technology provides another option for mobile wallet development.

#3: EMV migration. The frequency and magnitude of the data breaches this year have spurred financial institutions and merchants alike into speeding up their support of EMV chip cards in advance of the October 2015 liability shift.

#2: Third-party processors. Regulators and law enforcement escalated the attention they were giving to the relationships of financial institutions with third-party processors because of increased concerns about deceitful business practices as well as money laundering.

And…drum roll, please!

#1: Data breaches. The waves of data breaches that started in late 2013 continued to grow throughout 2014 as more and more retailers revealed that their transaction and customer data had been compromised. The size and frequency of the data breaches provided renewed impetus to improve the security of our payments system through chip card migration and the implementation of tokenization.

How does this list compare to your Top 10?

All of us at the Retail Payments Risk Forum wish our Portals and Rails readers Happy Holidays and a prosperous and fraud-free 2015!

Photo of Mary Kepler Photo of Doug King Photo of David Lott Photo of Julius Weyman



Mary Kepler, vice president; Doug King, payments risk specialist; Dave Lott, payments risk expert; and Julius Weyman, vice president—all of the Atlanta Fed's Retail Payments Risk Forum.


December 22, 2014 in chip-and-pin, cybercrime, data security, EMV, innovation, mobile payments, prepaid, regulations, third-party service provider | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b7c723d660970b

Listed below are links to blogs that reference Top 10 Payments Events in 2014:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 20, 2014


Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?

Portals and Rails recently embarked on a series of posts on tokenization. In the first installment, we defined tokenization and distinguished between a merchant-centric enterprise tokenization solution and payment tokens generated as an issuer-centric end-to-end solution. In the second installment, we examined several different attributes of the issuer-centric end-to-end token initiatives currently under way and considered their impact on mitigating risk. In this post, we examine the shortcomings of end-to-end token initiatives and question if they are really a coup in mitigating risks in today's environment.

The goal of payment tokenization is to substitute sensitive data—such as account numbers, expiration dates, and security codes—that criminals can use to extract monetary value with surrogate values that lack monetary value. In light of the number and depth of recent data breaches, tokenization seems like a grand idea—let's get data that fraudsters can use out of the payment transaction flow and the merchants' systems.

But current uses for these end-to-end initiatives are limited to card-on-file transactions for in-app or e-commerce payments and mobile proximity payments. I know you have to start somewhere but, in the near future, only a small percentage of transactions will use tokenization. These end-to-end initiatives are solid solutions, but are currently extremely limited. Thus, there will be a continued need for the industry to use a variety of methods to fight fraud, including the merchant-centric enterprise tokenization solutions the first installment discussed.

And isn't the point of the significant EMV investment currently under way to mitigate risks associated with counterfeit cards using compromised card data? In other words, it should render compromised card data useless. But I am hearing the EMV naysayers claiming that, in an EMV world, data compromises will still take place and, while fraudsters may not be able to counterfeit cards, they can still use that data to shop on the Internet.

Those naysayers are correct.

But let's circle back to the use cases for the current issuer-centric end-to-end token initiatives. Is tokenizing payment data for card-on-file and mobile proximity payments really going to have a material impact on preventing card-not-present fraud? Are these tokenization efforts really the best solution for this challenge? It could be many years before we regularly use our mobile phones for proximity payments. I am confident that we will be using chip-enabled cards for a significant number of transactions within two to three years. Would it be wiser to rely on solutions that leverage the chip or other security features of cards? Or maybe it's time we realize that cards weren't designed for card-not-present uses and place a higher priority on the broader adoption of existing and emerging non-card-based payment solutions in a multi-layered security approach.

Unfortunately, I do not have the answers. But these questions and topics will certainly be discussed during the upcoming Securing Remote Payments conference that the Retail Payments Risk Forum and the Secure Remote Payment Council is hosting. If you are interested in attending, please reach out to us. We will be in touch with more details.

In the next installment in this series, we'll look at new security and operational risks introduced with these token initiatives.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


October 20, 2014 in cards, data security, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d080b04d970c

Listed below are links to blogs that reference Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 15, 2014


Let’s Talk Token: Authenticating Payments

It's challenging to have a conversation about EMV cards—cards with chip technology—given their well-documented fraud-mitigating shortcomings, without diving into a conversation on tokenization. And these conversations just intensified with Apple announcing the use of tokenization with its soon-to-be launched mobile payment application. Tokenization of payment card data can provide an additional layer of security to EMV cards for in-person payments and mitigates fraud risks that these cards don't address in the non-face-to-face environment.

I recently spoke at a forum on EMV cards, where it became evident to me that there is a high degree of confusion in the payments industry, especially within the merchant community, about tokenization. Currently, multiple standards initiatives around a new tokenization framework are under way, so Portals and Rails is embarking on a series of posts on tokenization. In this first installment, we define tokenization and distinguish between tokens generated within the merchant's environment (an enterprise solution) and payment tokens generated as an end-to-end-solution. A future post will compare the various payment end-to-end tokenization initiatives that have been announced to date.

In the data security and payments environment, tokenization is the substitution of sensitive data with a surrogate value representing the original data but having no monetary value. For payment cards, tokenization refers to the substitution of part or all of a card’s PAN, or primary account number, with a totally randomized value, or token. A true token cannot be mathematically reversed to determine the original PAN, but a token service provider in a highly secure environment can subsequently link it to its associated PAN.

Tokenization of payment credentials has been around since the mid-2000s, driven primarily by the issuance in 2004 of the Payment Card Industry Data Security Standard (PCI-DSS), which defines merchant requirements for protecting cardholder data. Merchants historically stored PANs for a variety of reasons, including to use in settlement reconciliation, perform incremental authorizations, handle chargebacks, and identify cardholder transactions for loyalty programs. With tokenization, merchants can remove PANs from their data environment and replace them with tokens—and thereby reduce their PCI-DSS compliance requirements. However, this enterprise solution still requires that the PAN enter the merchant environment before the tokenization process taking place.

Under the tokenization initiatives currently under way from the Clearing House and EMVCo, a financial institution would issue a token replacing a cardholder's PAN to the person's mobile handset, tablet, or computer device before initiating a digital payment transaction. So the merchant, rather than receiving the cardholder's PAN for initiating a transaction, would receive a token value associated with that PAN, which would then be de-tokenized outside the merchant's environment to obtain the necessary authorization and complete the transaction. The merchant never has knowledge of the cardholder's PAN—and that is a significant difference between these tokenization initiatives and the enterprise solution related to handling payment credentials.

The Clearing House's and EMVCo's concepts for payment tokenization are similar in many ways, but they also have differences. A future post will delve into the end-to-end tokenization initiatives and consider the impact on mitigating risk in payment transactions.

Photo of Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 15, 2014 in cards, chip-and-pin, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d068d564970c

Listed below are links to blogs that reference Let’s Talk Token: Authenticating Payments:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


August 2015


Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          

Archives


Categories


Powered by TypePad