Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

March 28, 2016


Continuing Education in Mobile Payments Security

Just over a year ago, I wrote a post raising the question of which stakeholder or stakeholders in the payments ecosystem had the responsibility for educating consumers regarding payments security. As new payment technologies such as mobile devices, wearables, and the Internet of things gain acceptance and increased usage, who is stepping up not only to teach consumers how to use the devices but also how to do so in a safe and secure manner?

Since it is generally financial institutions that have the greatest financial risk for payment transactions because of the protective liability legislation that exists in the United States, this responsibility has fallen largely to them. However, this educational effort has become increasingly difficult since consumers generally acquire these new products at retail outlets or mobile carrier stores, where the financial institution has no direct contact with the consumer.

The Consumer Federation of America (CFA) recently continued its ongoing efforts to provide educational information to consumers with the release of a guide to mobile payments. The guide is comprehensive, covering issues such as privacy, security of the mobile device, the dangers of malware, error resolution, and dispute procedures for mobile payments, and concludes with a humorous animated video that recaps some of the risks with mobile phones if they are not secured and used properly.

As an example, in its section on privacy, the guide offers the following tips:

  • Read the privacy policies of the companies whose services you are using to make mobile payments and the companies that you are paying.
  • If you don't like a company's privacy policy, take your business elsewhere.
  • Don't voluntarily provide information that is not necessary to use a product or service or make a payment.
  • Take advantage of the controls that you may be given over the collection and use of your personal information.
  • Since mobile payments, like all electronic payments, leave a trail, if there are transactions that you would prefer to make anonymously, pay with cash.

Kudos to the CFA for its work on this effort. I hope you will read the guide and spread the word about the availability of this valuable resource. It is through the combined efforts of the payments stakeholders that we can work to improve the knowledge level of all parties involved and promote secure usage.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 28, 2016 in consumer protection, innovation, mobile banking, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 8, 2016


Will Biometrics Breed Virtual Clones?

In the middle of last November, our group, the Retail Payments Risk Forum, hosted a conference on the application of biometrics for banking applications. For me, one of the important "ah-ha" moments from the conference was hearing about the potential downside to the technology. While the various speakers and panelists certainly pointed out the powerful security improvements that could result from an increased use of biometrics, there were also thoughtful contributions about what could go wrong. To illustrate one of these downsides, let me take you back to the breach that occurred at the United States' Office of Personnel Management (OPM) earlier this year. For those who may have applied for a position with a government agency over the last 20 years or so, the form letter notifying you of the potential breach of your personal data read like this:

Since you applied for a position or submitted a background investigation form, the information in our records may include your name, Social Security number, address, date and place of birth, residency, educational and employment history, personal foreign travel history, information about immediate family as well as business and personal acquaintances, and other information used to conduct and adjudicate your background investigation.
Our records also indicate your fingerprints were likely compromised during the cyber intrusion. Federal experts believe the ability to misuse fingerprint data is currently (emphasis mine) limited.… If new means are identified to misuse fingerprint data, additional information and guidance will be made available.

The conference made clear, to me anyway, that fingerprint data certainly has the potential to be misused—now. Experience leads me to conclude that it is bound to happen, especially if the biometric measurements captured at enrollment are not converted to templates that mask the data.

Biometrics are sure to proliferate in the next few years. I think everyone ought to pause and consider whether or not the security advantages—that have the potential to be turned against us in a moment—are worth it. Consider a future breach and the subsequent form letter from some entity that has built biometrics into its payment process. It could include all of those things noted in the OPM excerpt above. Additionally, victims could also have to be told that their iris, facial, and voice prints along with their DNA were taken. A virtual clone masquerading as me makes me shudder. Imagine standing up when they ask for the real you to do so—and then the dismay at not being believed.

The work to advance biometric security needs not just to be focused on advancing the accuracy and efficacy of the usage, but also to have a heavy emphasis on protecting the data collected—while it's collected and used and when it's at rest, in storage. And no matter how good all of that work is, I hope that choices for transacting business remain. Cash, which requires no authentication, and paper checks, which authenticate with a signature, figure to provide useful alternatives for quite some time.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

February 8, 2016 in authentication, biometrics, data security, identity theft, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 1, 2016


Putting All Our Payment Eggs in a Single Basket

More than 60 percent of risk managers at financial services firms believe the probability of a global, "high-impact event" has increased of late, according to a new survey from the Depository Trust & Clearing Corporation. Worry over actual or potential cyberattacks underpins this belief. In a discussion about the survey, a colleague lamented the invention of computers and wished that our financial transactions hadn't become so dependent on technology. At first I thought to agree until it dawned on me that this thinking is tantamount to tossing the baby with the bathwater.

The problem revolves around thieves, not their tools. We have never been free from worry over theft, and this was true when our best computer was an abacus. When the Aztecs used chocolate for money, counterfeiters of the day took the cacao bean, separated the original contents from the husk, and repacked it with mud. And still, in any place where commerce is overly cash-based, thieves tend to concentrate their efforts, targeting the most vulnerable with everything from counterfeit notes to outright theft. The digital age did not usher in larceny; thieves have always stolen, and hiding from computers won't insulate us from bad guys.

But hold up, you say. A block chain—the part of bitcoin technology that ensures anonymity—just might insulate you. Not to take away hope, but what have we ever invented that hasn't been hacked, cracked, or abused? I can think of nothing, no matter how cleverly conceived or well defended, that isn't eventually defeated.

I don't despair over it all and will say why in a moment, but first I need to note that even with a long list of advances, both in how and what we exchange, the new has not eradicated the old. Coins survived the advent of paper. And despite decades-old, recurring predictions of their looming demise, both coins and paper have survived the magic of computing. As a result, despair gives way to cheer. There are options, and plenty of them.

Options—different forms of payments based on diverse platforms and premises—make for textbook risk mitigation. First of all, what survives gets better. It must so that it can survive. Consider what bills look like today, with their numerous anticounterfeiting elements, compared to what they looked like 20 years ago. Or consider when checks dominated fraud conversations and contrast that to their relative (un)importance in fraud conversations today. Moreover, multiple payment channels and options mean less concentration of risk. To the extent that cash, checks, and more remain—"cyberstuff" too, but with the cyber-world diversified, not overly consolidated—risk can be spread and hence reduced.

An advanced society that wants to endure, stay resilient and strong cannot rely on only one means of exchange based on only one platform. For those wishing for one or just fewer, more modern payment solutions (with apologies to all paper haters), my advice is be careful what you wish for. For the average consumer, my advice is pay attention to the "payments intelligentsia" and be wary of pushes for an advanced, universal, singular way to do payments. Be particularly wary of changes that aren't being called for by the market itself. We can never eliminate risk but we can mitigate it and minimize the extent that bad people can create widespread trouble.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

February 1, 2016 in cybercrime, fraud, identity theft, innovation, payments risk | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 9, 2015


Is the Payment Franchise Up for Grabs?

I have lost count on the number of discussions at payment conferences over the last few years on this topic of financial institutions (FI) losing the payment franchise to various new payment start-ups and business models. This very topic was the focus of a session at the Code/Mobile conference in October that featured executives from Chase and PayPal debating "Will Banks Eat Payments, or Will Payments Eat The Banks?" This idea was stuck on my mind while I was recently reading Fidelity National Information Service's 2015 Consumer Banking Index Report. This report reveals the findings from a survey of a thousand household decision makers who ranked 18 attributes according to their importance and according to the respondents' perception of how well banks perform. I readily admit that one shouldn't read too much into the results of a single survey, but the results in the payments and product-related category really grabbed my attention.

blog-visual

Consumer expectations for their financial institution to provide digital payment options through more innovative products than other financial institutions scored extremely low in the importance category. Digital payments ranked as the 14th out of 18 attributes in importance, and delivering leading-edge products was the least important attribute surveyed. Though the importance of these two attributes was significantly lower than security and reliability attributes, consumers rated the performance of their financial institution on these two attributes favorably.

My interpretation of the survey is that consumers aren't expecting much from their FI when it comes to delivering digital payments and innovative products yet the FIs are exceeding these light expectations. The survey does not cover whether consumers place importance on others—say, non-bank payment providers—offering innovative products and payment options and how they are delivering on consumers' expectations.

If consumers expect non-FIs to provide digital payment options, then perhaps FIs are in danger of losing the payments franchise. Maybe consumers don't place a lot of importance on digital payment options because they are satisfied with the options their FIs provide and so the risk to FIs losing the payment franchise to non-FIs is low.

It's possible that the consumer falls somewhere in the middle of the two scenarios above. They may be pleased with the offerings of their FIs, which offer ubiquity and are not highly differentiated, so their expectations for options are low. The non-FI payments space is fragmented with new payment options being developed and deployed at a rapid pace that will take time for consumers to digest. Should consumers realize that any of these offerings present a significant improvement in the payments experience, they may raise their expectations for their FIs. This would suggest that the non-FI providers haven't fully delivered on a compelling, ubiquitous, and widely adopted offering yet.

I believe FIs remain firmly entrenched in the payment space today. However, the level of investment and innovation taking place in the industry should capture the FIs' attention. Consumers, me included, are a finicky bunch when it comes to expectations, and these expectations can change almost instantly with the amount of innovation occurring today. I see no reason why the digital payments arena would be any different, and FIs that fail to realize this as they consider future payment options risk a declining share of the payment franchise.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 9, 2015 in banks and banking, innovation, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 31, 2015


A Swing and a Miss

"Keep your eyes on the ball." I'm guessing my son heard those words at least 20 times a game this past baseball season. If you can't follow the ball, then your chances of a successful plate appearance are pretty slim.

Departing from the usual risk-related prose and taking a signal from the blog's name Take On Payments, I want to offer my thoughts on mobile payments. This topic floods my payments news feeds and is the subject du jour at nearly every payments-related event. Mobile payments can mean many things to many people, but one of the hottest areas is mobile at the point of sale (POS), also known as proximity payments—that is, what Apple Pay, Starbucks, and Samsung Pay among others all offer.

And this is where I think the payments industry is taking its eyes off the ball. Why do consumers want to use mobile phones to replace cash or cards at the POS? A key barrier cited by consumers who have not adopted mobile proximity payments is their satisfaction with current payment methods. So what is the best way to get consumers to use their mobile devices to replace cash or cards at the POS?

The mobile phone has significantly changed the way people interact. It's almost comical to me that the device has retained the word phone. While there will always be people who want to hear a voice or interact directly with another person, the mobile device is turning us into a society that prefers messaging over speaking and interacting through the device rather than face to face. (My nieces text each other while sitting in the same room!) Furthermore, we have come to expect information to be readily available to us whenever and wherever we desire it. People don't like waiting, and the mobile device has intensified this impatience. To understand consumer behavior in light of this mobile revolution, we don't have to look any further than the reduction of bank branches and staffing coupled with the rise of mobile banking solutions.

Yet the proximity payment solutions don't address consumer behavior with their mobile devices. I understand merchants valuing the ability of proximity payments to provide loyalty programs and targeted offers, but do these extra services really address consumers' core needs and wants? It seems to have worked for Starbucks in a closed-loop environment but has yet to be replicated in an open-loop environment. (Closed loop means that the payment is usable only at a provider's place of business, as for the Starbucks app. Open loop means the payment, like Apple Pay, is usable anywhere that has the infrastructure to read the app.)

By keeping the focus on the consumer, it seems to me that the mobile payments industry can work on reducing the physical interaction of payments and current wait times associated with the payment process. Uber, Chipotle, and the Starbucks mobile app are evolving to address these consumer needs. These apps essentially remove the payment from the POS (some would say that they make the payment invisible) and allow for minimal personal interaction and waiting times.

Hence, I predict the growth of mobile payments will come not from the POS but rather through mobile in-app payments. That's where I'd be setting my sights on the mobile payments diamond. Perhaps this will create a healthy discussion (hopefully not a bench-clearing brawl), but I think mobile at the POS is a swing and a miss. What do you think?

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


August 31, 2015 in innovation, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 17, 2015


Pigskin and Payments

For those who know me well, they know that I find August to be the slowest-moving month of the year. It's not because of the oppressive southern heat and humidity, but rather it's my anticipation for football season. To help speed along the "dog days of summer," I generally read my fair share of prognostication publications. Alongside the predictions, improving player safety has become a key discussion topic as the season approaches.

Armed with data showing an increase in injuries as well as long-term negative effects from playing the sport, football's governing bodies on both the collegiate and professional levels are instituting rule changes to make the game safer. Equipment manufacturers are introducing new gear to improve safety and individual teams are adding new experts to their medical staffs all in the name of player safety.

Ironically, while there is a focus on improving player safety, football players continue to get stronger and faster aided by advancements in nutrition and workout regimes. As player strength and speed improves, this contact sport becomes more vicious and dangerous. And as a fan, I'll admit that I find watching a game featuring stronger and faster players more exciting. I do not want to see players injured, but at the same time I enjoy the excitement that comes with hard tackles and big hits.

Does this state of football sound at all like the current state of the U.S. payments industry? To make payments safer, public and private entities are leading literally hundreds of initiatives across various payments rails. Network rule changes are taking place and new technologies are being harnessed all in an effort to better secure payments. At the same time, start-ups, established payment companies, payment associations, and the Federal Reserve are collaborating to improve the speed of payments.

It's hard not to get excited about the possibilities of faster payments, from important just-in-time supplier payments to simple repayments for borrowing money from a friend or family member. However, can securing payments better derail the speed of payments? By way of example and personal experience, my more secure EMV (chip) credit card has clearly reduced the speed at the point-of-sale for my card payment transactions.

But just as player strength and speed has evolved alongside safety through rule-making and technology (think about leather football helmets here), I think we have seen the same progression within the payments industry. I think football remains as exciting as ever, and the payments expert in me is clearly excited about the future of payments.

Speed and safety are not to be viewed as mutually exclusive, and I am confident that the payments industry supports this view. In both football and payments, elements of risk will exist, regardless of safety measures in place. Finding the right balance between speed and safety should be the goal in order to maintain an exciting football game or efficient payments system. I can't wait to see what lies ahead on the gridiron and within the payments industry.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 17, 2015 in emerging payments, EMV, fraud, innovation, risk management | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 10, 2015


Payments at the Speed of Electricity--What Could Go Wrong?

From mobile phones to the Internet—it's hard to think of many of today's great inventions that aren't beholden to the wonder of electricity and the pace at which it can facilitate the management and movement of data. Electricity has underpinned numerous payment advances already. Now, harnessed current promises to help us build a payments scheme that will make it possible to pay (and be paid) almost as fast as one can conceive of the need. That happy thought might cause us to forget this otherwise widely known truth: electricity is just as efficient in yielding a bad outcome as it is in bringing about a good one.

Those who have begun work to design a faster payment scheme will obviously be thoughtful about everything, from functional design and basic operation to ongoing management of the new system. Giving due consideration to what could go wrong may not be the most glamorous task, but it's necessary.

One way to identify potential problems is to reflect on lessons from the past. Look at the photograph below and see if you know what's depicted.

American-bank
Source: Wikimedia Commons

If you guessed the photo shows a bank run, congratulations. As most of us know, rapid, heavy cash withdrawals constitute a bank run and can be caused by a variety of things, including diminished confidence in a bank, in the banking system broadly, or the local economy, among other things.

Back to faster payments. A faster payment platform offers many upsides, but for all its promise, it could also offer the unexpected, the unintended. Circa 1929, when the picture was taken, making a run on a bank meant standing in line and waiting for a teller to retrieve your money. Circa 2015, even with ATMs and other improvements, bank runs still have some natural choke points, including weekends, when customers know with certainty that their bank is closed for at least one day, and limits on ATM withdrawal amounts in a 24-hour period. A fast, 24/7, universally accessible system could offer depositors a way to drain cash reserves like never before.

What to do? Setting aside broader systemic actions, it seems reasonable that individual banks consider measures to guard against this possibility. To deal with runs in the "old days," withdrawals were limited or even fully suspended for a time. These mitigations could be efficiently, readily mimicked and become part of the new system's basic construct. Automated tools capping withdrawal amounts might be in order. Logic in the core platform that considers the full range of activity across institutions and accounts and that allows for automated or manual controls (or a combination of these) may also make sense. Tailored rules could prove worthwhile.

The considerations should be fulsome—across not just this, but a range of issues—among those who may design, build, and operate the system and also those who may use it. Meanwhile, here's to anticipating a new system that moves money as fast as electricity allows, insulated from shocks.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

August 10, 2015 in innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 20, 2015


Unsafe at Any Speed?

If you're a Corvair enthusiast, you likely get the title's reference to Ralph Nader's book that polemically accused manufacturers of resistance to the advancement of automotive safety. Shift your thoughts from automobiles, axles, and bumpers to payments, cyberattacks and data breaches. Then consider this question—if we successfully speed up payments, is payment safety more likely to advance or retreat?

I hear the question often. Since I first blogged about this topic in January, I've attended several conferences set in the context of building a better, faster, more efficient payments system. If the conversation hasn't gone straight to "safety," the topic has surely been broached before closing. The answers that presenters offer, in terms of how we make payments more secure, remain unchanged from earlier this year. The updated summary follows.

  • Innovate. Make full use of such things as biometrics and tokenization. Do not fear but rather make use of the best things coming from the cryptocurrency world.
  • Collaborate and coordinate. Share everything, taking full advantage of groups of all types to facilitate deployment and spread of best practices, among other things.
  • Prevent and plan. In a continuous and ever-improving activity, make use of such things as enhanced threat detection and continue to layer security measures. Also, educate fully, across the spectrum of both providers and users.
  • Track and report. We must do more of this in a frank, transparent way and it must be timelier.

Emphasizing and pursuing all these goals is still right in my view, yet something seems missing. I believe what's missing is a more expansive, easily accessible law enforcement regime—something that more closely parallels what's available for conventional crime fighting.

There has been good news, of late, in that various law enforcement agencies have both apprehended and successfully prosecuted cybercriminals of all sorts. What's important about this is, as law enforcement has more success, there is hope that miscreants will have an increasing expectation of getting caught. Let's assume a drop in crime rates is highly correlated to the likelihood or certainty of being caught. Self-test the theory by thinking of it this way. How often do you exceed the speed limit (answer silently to yourself). Now consider—how often do you speed when a patrol car is in the lane right next to you? It's imperative that law enforcement continue to evolve and improve such that the criminals who contemplate cybercrime increasingly anticipate they'll be caught.

The cliché that faster payments will mean faster fraud if we don't have faster security is somewhat beside the point. The fact is cybercrime has been and remains a material and looming threat. The world is all but fully a digital one and that means our police have to be able to put more—and more effective—digital patrol cars on the digital highway. Until then, to varying extents, payments are likely to be unsafe—at any speed.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

July 20, 2015 in crime, cybercrime, innovation, law enforcement, payments risk | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 29, 2015


The More Things Change, the More They Stay the Same

As I write this blog on the screened porch of a North Alabama lake house, the cicadas are constantly buzzing in the background. I am fascinated by the life cycle of this species—namely, the emergence of the periodical cicadas from belowground every 13 to 17 years. This life cycle got me thinking how the world has changed since the last time the 17-year cicadas emerged. And while in this neck of the woods, some things have changed—new houses have been built and personal watercraft are now constantly buzzing on the lake—some things have remained the same. The nearest grocery store is still 30 minutes away and the iced tea is as sweet as it ever was. Is this mixed scenario really any different for payment card fraud?

Certainly a lot has changed in card payments during the last 17 or so years. We've witnessed the enormous growth of debit card transactions, the continued growth of credit card transactions, the emergence of the e-commerce and mobile payments channels, and the almost global adoption of the EMV (chip) card. As card payment usage has evolved, so has the fraud landscape. Lost and stolen card fraud fell out of vogue while counterfeit card fraud took off only to see stolen card fraud re-emerge when the issuance of EMV cards in most markets thwarted counterfeit card fraud. Point-of-sale (POS) fraud is occurring less often across the globe because of EMV and PIN verification, driving the fraudsters to the Internet to commit card-not-present (CNP) fraud.

But what hasn't changed is the global rate of fraud. An article in the August 2013 Nilson Report estimated that the annual cost of card fraud worldwide in 2012 was 5.2 cents for every $100 spent, resulting in $11.27 billion in losses. This figure compares to Nilson's estimate of fraud losses in 1998, which ran approximately 4.8 cents for every $100 spent and resulted in a little less than $2 billion of fraud. Perhaps a fraud rate in the 5 basis points range is the industry-wide acceptable rate, but with billions of dollars being invested to mitigate fraud, I would like to think that over time the rate would be reduced (though I must admit that I am not sure what the acceptable rate should be).

Maybe this speaks to the tenacity of the card fraudsters. As we in the Retail Payments Risk Forum have often stressed, once one door is fortified, the fraudsters find another door to enter. And if we could dive deeper within the figures, I am certain that is what we would find, according to various estimates of fraud and anecdotal evidence. For example, the emergence of EMV and the use of PIN verification instead of signature verification have reduced POS fraud. Today, CNP fraud rates are significantly higher than POS fraud rates and many industry risk efforts are focused on mitigating CNP fraud.

When the cicadas reappear, undoubtedly the payment card usage and fraud landscape will look different. Perhaps mobile payments will have taken off and the use of biometrics as a method of verification will be commonplace. I feel confident that in 17 years the industry will make substantial strides in reducing e-commerce CNP fraud rates—but also that new areas of fraud will appear. Is the industry prepared to fight the next generation of fraud or will it just continue to Band-Aid the past? Should we expect a 5 basis points rate of fraud when the cicadas emerge in another 17 years? I'd like to think the rate will be lower. At a minimum, hopefully, it will remain as consistent as the sweet iced tea in this neck of the woods.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


June 29, 2015 in cards, chip-and-pin, EMV, fraud, innovation, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 15, 2015


“Customer, You Have the Conn”

Sometimes when you're watching nautical-themed movies, you'll hear the phrase, "I have the conn." The person who speaks this phrase is alerting all those on the vessel that he or she is in control with regard to the vessel's direction and speed. Customers could utter that phrase with regard to their payment vessels—they pretty much have full control in that they make the final choices about their method of payment. They may be restricted by the payment options a merchant offers, but in most cases, if they don't like the options they can shop, or secure services elsewhere.

One of the challenges with payment security that we frequently mention in our posts and speaking engagements is the disincentive that various consumer protection regulations give for consumers to adopt strong security practices. We have all seen or heard of the consumers who write their PINs on their debit cards or set up the PIN 1-2-3-4. In addition, research consistently tells us that consumers often select easily guessed user IDs and passwords—and then often use those same ID/password combinations on multiple sites.

Financial institutions and other payment stakeholders have long worked to develop tools that will encourage customers to be more aware of their financial account activity and contribute to minimizing fraud losses. Account alerts are among the most useful and popular of the tools. When consumers set up account alerts, they can usually specify conditions that will trigger a text message or e-mail. Common alerts are sent when the account balance drops below a set threshold, a debit transaction posts in excess of a specified amount, or an address or phone number change was made on the account. These alerts are beneficial, but they are merely reactive; they report only when a condition has already occurred.

I believe we will soon see a major breakthrough in card security. There are new applications now in testing or in early roll-out phases. These applications will allow customers to be proactive because they will be able to set up a number of filters or controls on their payment cards that will dictate whether a transaction even gets to the point for an authorization decision. For example, if I have a payment card that I use only for gasoline purchases, I can designate my settings to reject transactions coming from other merchant categories. Or I can specify that no international transactions should be allowed. At the extreme end of the control options, I can "turn off" my card, thereby blocking all transactions, and then I can turn it back on when I am ready to use it again. The possible options and filters are almost limitless for this self-service function. Yes, there will be the need for strong customer education, and the choices will require a reasonable limit or the customer will never remember what they set.

If these options are enabled and cardholders are then willing to "take the conn," this new tool could help significantly reduce the number of unauthorized transactions. Critical to the success is whether cardholders will set a reasonable range of parameters based on their normal card usage patterns so they don't get transactions rejected they actually make themselves but still be able to weed out the truly unauthorized transactions. I say "full speed ahead" with such tools. What do you say?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 15, 2015 in consumer protection, data security, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


September 2016


Sun Mon Tue Wed Thu Fri Sat
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30  

Archives


Categories


Powered by TypePad