About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

March 26, 2018


Convenience Always Wins, In One Form or Another

My colleagues and I often write about the frustration that security professionals have that consumer convenience will almost always win over the adoption of more secure practices. We've seen this over the decades with poor password and PIN management and the often lackadaisical approach consumers take to keeping their payment devices safe and secure. This post will take a slightly different tack—it will explore the influence convenience has on the payment card issuance strategy of U.S. financial institutions (FI) and how convenience always seems to win, though sometimes in unexpected ways.

When the various mobile pay wallets were being launched, many observers speculated that they might be the beginning of the end for plastic payment cards. Some, presuming that mobile was a more convenient way to pay, opined that the day would come when FIs would have no reason to continue issuing cards since everyone was going to be using their phones. Although adoption has been increasing, the reality is that mobile payments at the point of sale have been slow to gain traction. Recently released results of a survey of FIs in seven of the Federal Reserve Bank districts revealed that 75 percent of respondents thought it would be at least three years before consumer adoption rates of mobile payments would exceed 50 percent; 40 percent said it would take five years or longer. Consumer surveys consistently indicate that consumers aren't adopting mobile payments because they find their plastic payment card more convenient. So for mobile devices, convenience still has a ways to go.

Some financial-institution-owned ATM operators, continuing efforts to provide alternatives to plastic cards, have recently begun supporting cardless ATM transactions. With this service, you use your FI's mobile banking application to set up or stage an ATM withdrawal, identifying the account and amount to be dispensed. The details of the various technologies differ, but they all work like this: you go to the FI's ATM, select the cardless ATM function, and use a smartphone to either scan a QR bar code or enter a one-time transaction code. (Sometimes you may have to use a PIN.) Nice and convenient! And you don't have to worry about damaged or forgotten cards, or getting your card skimmed. We'll have to wait to see how consumers react to this feature's convenience.

Some FIs currently issue, or plan to issue, dual interface cards when it's time for customers to replace their existing chip card. While costlier to the FI, the new cards include a contactless feature that allows an NFC-enabled terminal such as an ATM or point-of-service device to read the data on the chip when you pass the card within a couple of inches of the reader. Contactless transactions, which are quite popular in Canada and Europe and greatly desired by mass transit systems in the United States, are faster. And we all know that faster means more convenience—right? Like cardless ATM transactions, contactless offers some security benefits. But merchant terminal acceptance remains a concern, just as it has been for the various pay wallet applications.

So it seems that convenience comes in different forms, and it appears that many FIs are betting that, like currency and checks, the plastic payment card is going to be around for quite some time. Perhaps that is the best strategy: offer a wide range of options and let the customers decide for themselves which are the most convenient.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 26, 2018 in cards, debit cards, mobile banking, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 19, 2018


Mobile Banking and Payments' Weakest Link: Me

What's the biggest hole in mobile banking security? As my colleague Dave Lott reported in January, bankers say it's consumers' lack of protective behavior when using mobile devices. That means you and me.

In response, financial institutions (FI) have implemented controls including inactivity timeouts and multifactor authentication, as noted in Mobile Banking and Payment Practices of U.S. Financial Institutions, which reported the findings of a 2016 Federal Reserve survey.

Baking these controls into mobile apps makes sense because research on consumer behavior suggests that expecting consumers to independently take steps to protect their accounts and data is not realistic. Take as one example: I co-wrote a paper with Joanna Stavins for the Boston Fed reporting the results of our investigation into consumers' responses to the massive Target data breach. We found that while consumers do react to reports of fraud, their reactions can be short-lived. In addition, consumers' opinions may change, but their behavior may not. In other words, considerations aside from security could take priority. (See also a report on the 2012 South Carolina Department of Revenue breach.)

Debit and credit card data for 40 million cards used in Target stores were stolen in late 2013. The breach was widely reported in the news media and caused many financial institutions to reissue cards. Because it was primarily a debit card breach, one might reasonably expect consumers to take a jaundiced view of debit cards after the breach.

And, indeed, that was the case. The Survey of Consumer Payment Choice was in the field at the time of the Target breach. Some consumers answered questions about the security of debit cards before the breach became public. Others answered after.

Consumers who rated card security after the breach rated debit cards more poorly relative to the average rating of the other payment instruments—cash, paper checks, ACH methods, prepaid cards, and credit cards. So in that sense, they reacted to the news.

One year later, consumers in 2014 rated the security of debit cards more poorly both relative to their ratings of other payment instruments and absolutely (that is, a greater percentage of consumers rated debit cards as risky or very risky). In contrast, compared to 2013, the absolute security ratings of cash improved. There was no change in the security ratings of credit cards.

The more important question: Did consumers change their behavior in response to this massive and widely reported data breach? The answer: not according to this survey data. There was no statistically significant change in consumers' method of payment mix in 2014. Debit cards remained the most popular payment instrument among consumers in 2014, accounting for almost one-third of their payments per month.

What does this mean for financial institutions? Realism about my willingness to take action is well placed. You can't count on me.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 19, 2018 in account takeovers, banks and banking, cards, debit cards, identity theft, mobile banking, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 12, 2018


Webinars Discuss Mobile Banking and Payments Survey Results

Earlier this year, I wrote a post highlighting some of the Mobile Banking and Payments Survey results that were consolidated from the seven Federal Reserve districts that conducted the survey: Atlanta, Boston, Cleveland, Dallas, Kansas City, Minneapolis, and Richmond. The 706 responding financial institutions gave us valuable information about their current and planned services as well as security features for their mobile banking and mobile payments products. (You can download a copy of the report from the Boston Fed's website.)

You can get a more detailed review of the survey findings when the Boston Fed's Payment Strategies Group conducts two webinars on March 21 and March 22.

Attendees will learn about:

  • Current developments in mobile financial services
  • Practices, products, and trends related to consumer mobile banking and payment services
  • Financial Institution perspectives on mobile security, concerns, and mitigation tools

There is no charge for the webinars but you must register. To view both webinars, you must register for both. Select a link below, then click the Register button. After you have registered, you will receive a confirmation email with the access information.

REGISTER for Part I: Consumer Mobile Banking, Wednesday, March 21, 2018 at 2 p.m. (EDT)

REGISTER for Part 2: Consumer Mobile Payments, Thursday, March 22, 2018 at 2 p.m. (EDT)

Feel free to share this post with any of your colleagues who may wish to attend. If you have any questions about the webinars, please email elisa.tavilla@bos.frb.org.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 12, 2018 in banks and banking, mobile banking, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 12, 2018


If the Password Is Dying, Is the PIN Far Behind?

Back in January, I wrote a post that highlighted the rising incidence of lost-and-stolen card fraud in the United Kingdom. I concluded that the decades-old PIN solution for the card-present environment is now showing signs of weakness. Results of a recent Minneapolis Fed survey of 283 financial institutions offer some validity to my conclusion: the survey found that losses on PIN-based debit increased by 50 percent from 2015 to 2016. In fact, 81 percent of the respondents reported fraud losses from PIN-based debit, compared to only 77 percent for credit cards.

The news wasn't all bad for PIN-based debit. Signature-based debit and credit cards still had more fraud attempts than any other payment instrument. At 63 percent, signature debit fraud actually had a higher increase in fraud losses from 2015 to 2016 than did PIN debit. The PIN is a far superior verification method for card payments, but I'm willing to bet that the PIN, much like the password, has become less effective.

Is this coming at a time when the PIN is about to become more prominent? In late January, the PCI Security Standards Council announced a new security standard for software-based PIN entry, also known as "PIN on glass." This standard specifies the security requirements for accepting a PIN on a mobile point-of-sale device such as a Square card reader.

As an aside, I am a bit surprised by this announcement. Apparently, mobile phones are safe enough for entering PINs, but when someone uses a pay wallet such as Apple Pay or Samsung Pay, the card's PAN, or primary account number, is tokenized for security purposes. I'll save a discussion of this inconsistency for another post.

People have been talking for years now about how the password has passed its prime as a standalone authentication solution. Yet it continues to live, and it's as difficult as ever to mitigate its vulnerabilities. In my opinion, attempts to do so have increased customer friction and had minimal impact. I think the PIN is following a similar path. It creates customer friction (especially for me as I now have different PINs for multiple cards that I struggle to keep straight) and is losing its effectiveness, according to the data I mentioned in the first paragraph. But it appears that, with the PCI's recent announcement, the PIN could become even more prevalent for cardholders. Is it time, in the name of security and customer friction, for us to replace PINs and passwords with more modern authentication technologies such as biometrics?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

February 12, 2018 in authentication, banks and banking, cards, chip-and-pin, consumer fraud, debit cards, EMV, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 8, 2018


Consolidated Mobile Banking and Payments Survey Results Published

In earlier posts, we published highlights of the 2016 Mobile Banking and Payments Survey of Financial Institutions in the Sixth District results as well as a supplement showing the results by financial institution (FI) asset size. The survey was designed to determine the level and type of mobile financial services that FIs offered and to find out what plans FIs had to offer new services.

Six other Federal Reserve Banks also conducted the survey in their districts, and we've combined all the data into a single report. Marianne Crowe and Elisa Tavilla of the Boston Fed's Payment Strategies group led the team that consolidated the data. The report—now available on the Boston Fed's website—addresses mobile banking and payment services from the perspective of the FI. The report offers additional value with its inclusion of a large number of small banks and credit unions (under $500 million in assets), a group from which data are often difficult to obtain.

Consolidated-survey-respondents-by-asset-size

The seven districts participating were Atlanta, Boston, Cleveland, Dallas, Kansas City, Minneapolis, and Richmond. A total of 706 FIs responded.

Here are some of the key learnings from survey responses regarding mobile banking:

  • Retail mobile banking offerings are approaching ubiquity across financial institutions in the United States. Eighty-nine percent of respondents currently offer mobile banking services to consumers, and 97 percent plan to offer these services by 2018.
  • By the end of 2018, 77 percent of bank and 47 percent of credit union respondents will be providing mobile banking services to nonconsumers including commercial and small businesses, government agencies, educational entities, and nonprofits. Commercial and small businesses will be the most prevalent.
  • Among FIs offering and tracking business mobile banking adoption, more than half still have adoption rates of less than 5 percent.
  • The most important mobile banking security concern that respondents cited is the consumer's lack of protective behavior. In response, FIs have implemented a range of mitigating controls. To enhance security and help change consumer behavior, more than 80 percent of respondents support inactivity timeouts and multi-factor authentication (MFA) as well as mobile alerts.

And here are some important findings regarding mobile payments:

  • Implementation of mobile payment services is growing as FIs respond to competitive pressure and industry momentum. In addition to the 24 percent already offering mobile payments, 40 percent plan to do so within two years. However, the current offering level fell substantially short of the expected 57 percent predicted by the responses to the 2014 survey.
  • Mobile wallet implementations are increasing steadily, with Apple Pay as the current leader.
  • Enrollment and usage remain low. Eighty-one percent of the respondents had fewer than 5 percent of their customers enrolled and actively using their mobile payment services.
  • Asset size makes a difference in many areas: larger FIs have greater resources to expend on new services, implementations, and security technologies and controls.
  • Banks and credit unions often differ in approaches and strategies for mobile payments.

We will conduct the survey again this year and are eager to see how the mobile banking and payments landscape has changed. If you have any questions about the survey results, please let us know.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

January 8, 2018 in banks and banking, mobile banking, mobile payments, payments study | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 2, 2018


2017 Year-End Review

In December 2013, the Retail Payments Risk Forum began an annual tradition of authoring an end-of-year post highlighting what we consider to be the most significant payment topics or events of the year. We continued that tradition this year, but we changed our platform, instead covering our top events in our Talk About Payments webinar series. Watch a recording of the webinar's presentation.

We encourage you to listen to the webinar, during which we discussed in more detail the following key payment stories of 2017:

  • Fraud schemes
  • Data breaches
  • Chip migration
  • Payments security
  • Same-day ACH–phase II
  • Person-to-person payments
  • Fintech
  • Mobile payments
  • Virtual currency/Distributed ledger

As we begin 2018, we in the Risk Forum look forward to continuing our efforts to mitigate payments risks through industry collaboration and convening. We will also continue to offer our insights using multiple platforms, including this weekly blog and our quarterly webinar series, Talk About Payments. As always, we value your feedback and comments, so do not hesitate to reach out to any of the Risk Forum team members.

Best wishes for a happy, and fraud-free, new year from all of us at the Retail Payments Risk Forum!

Photo of Mary Kepler
Mary Kepler
Photo of Julius Weyman
Julius Weyman
Photo of Doug King
Doug King
Photo of David Lott
Dave Lott
Photo of Jessica Trundley</span>
</div>
Jessica Washington
Photo of Steven Cordray
Steven Cordray

 

January 2, 2018 in chip-and-pin, mobile banking, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 23, 2017


ACH and Consumer-Only Payments: Will the Twain Ever Meet?

For many years, person-to-person (P2P) payment providers have touted the emergence of compelling P2P mobile-based products that exploit some combination of financial institutions (FIs) and fintech providers. Several players have made notable inroads into P2P with certain demographics and use cases, but the overall results in terms of absolute numbers are far from ubiquitous. This post uses hard numbers to explore what progress ACH has made with P2P payments.

During a payments conference earlier this year that showcased findings from the Fed's triennial payments study (here and here), the table below was presented showing the number and value shares of domestic network ACH payments in 2015. The table is complicated because it shows both debit pull and credit push payments by consumer and business counterparties. Despite the complexity, the table distills ACH to its essence by removing details associated with the 14 transaction payment types (known as Standard Entry Class codes) that carry value for domestic payments. Many of these individual codes reflect similar types of payments (for example, three codes are used for converting first presentment checks to ACH). As expected, virtually all payments involve at least one business party to each payment. Consumer-only payments are negligible.

Chart-one

In a typical use case for consumer-only ACH, a consumer transfers funds from one account to another account across financial institutions. As shown in the solid red oval, 0.04 percent of all domestic payments were consumer-to-consumer payments, where the payee initiated a debit to the payer's bank account. For consumer credit push payments, the figure is 0.3 percent. The combined figure rounds to 0.3 percent. On the value side for consumer-only payments (in the dashed red oval), debit pulls, credit pushes, and the combined figure were 0.02 percent, 0.2 percent, and 0.2 percent, respectively. These types of payments typically reflect P2P payments1, when one consumer pushes funds to another consumer.

The next table shows the figures that prevailed in 2012. Given the modest share by both number and value across both years, it is apparent—and interesting—that ACH has made little progress in garnering consumer-only payments. Although ACH is ubiquitous on the receipt side across all financial institutions, it is not so for consumers, given the lack of widely promoted and compelling service offerings from FIs and no standardized form factor like there is for card payments. Additionally, many small FIs do not offer ACH origination services.

Chart-two


This lack of adoption is not unique to ACH. Although some of the electronic P2P entrants are experiencing significant growth, it will be some time before they supplant the billions of P2P cash and check payments. P2P players on the FI-centric side include Zelle, which a large consortium of banks owns. Non-FI providers include PayPal and its associated Venmo service. Given the lack of ubiquity with the new offerings, the fallback option for consumer-only payments is cash and checks. As the payments study reports, check use is still declining, though the most recent trend shows that this decline has slowed. ACH or other electronic options still seem a good bet to continue to erode paper options, but perhaps the market is signaling that paper options have ongoing utility and are still preferred if not optimal for some users in some instances.

So what would it take for ACH to gain some traction in the consumer payments space? Perhaps the presence of same-day ACH, in which credits were mandated in September of 2016 and debits followed in September 2017, offers some opportunity for compelling service offerings coupled with a user-friendly way to send an emergency payment to your ne'er-do-well son.

What are your views on the viability of ACH garnering more P2P payments?

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

 

_______________________________________

1 Sometimes account-to-account (A2A) transfers are lumped in with P2P payments.

 

October 23, 2017 in banks and banking, financial services, mobile banking, mobile payments, P2P, payments study | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 25, 2017


Fed Payments Webinar Series Launching

One of the comments we consistently received when we conducted the Mobile Banking/Payments Survey last fall was the desire for the Atlanta Federal Reserve to provide more educational opportunities on current payment technologies and issues. Not only have small and mid-sized financial institutions expressed this need, but so have consumer advocacy groups and law enforcement agencies. Educational efforts, along with research, on payment risk issues are at the core of the Retail Payments Risk Forum's overall mission.

In response to these requests, the Risk Forum is launching a webinar series called Talk About Payments (TAP). The TAP webinars will supplement this blog, forums and conferences we convene, and other works we publish on the Forum's web pages. The current plan is for the webinars to be presented once a quarter. Financial institutions, retailers, payment processors, law enforcement, academia, and other payment system stakeholders are all welcome to participate in the webinars. Participants can submit questions during the event.

We will have our first webinar—titled "How Safe Are Mobile Payments?"—on Thursday, October 5, from 1 to 2 p.m. (ET). The webinar will cover such topics as mcommerce growth, mobile wallets, tokenization, fraud attack points, and risk mitigation tools and tactics.

Participation in the webinar is complimentary, but you must register in advance. To register, go to the TAP webinar web page. After you complete your registration, you will receive a confirmation email with all the log-in and toll-free call-in information.

We hope you will join us for our first webinar on October 5, and for our future webinars. If there are any particular topics you would like for us to cover in future webinars, please let us know.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

 

September 25, 2017 in emerging payments, mobile banking, mobile payments, payments risk | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 14, 2017


Extra! Extra! Triennial Payments Data Available in Excel!

In countless old black-and-white movies, street newspaper vendors would shout out the latest sensational news from hot-off-the-press special editions. The Fed is no different in that we want to shout out that it is no longer necessary to mine the PDF-based Federal Reserve Payments Study report to extract the study's data. For the first time, we are offering our entire aggregated data set of estimated noncash payments in an Excel file. The report accompanying the data is here.

The data set is very rich and covers the following categories:

Accounts and cards
Private-label credit processors
Checks Person-to-person and money transfer
ACH Online bill pay
Non-prepaid debit Walk-in bill pay
General-purpose prepaid Private-label ACH debit
Private-label prepaid issuers & processors Online payment authentication
General-purpose credit Mobile wallet
Private-label credit merchant issuers  

Here is another table that is just one extract from the non-prepaid debit card portion of the extensive payments data available.

To get a taste of what this data can teach us, let's look closer at the cumulative volume distribution by payment dollar value threshold for non-prepaid debit cards (the data are shown above) along with general-purpose credit cards. The number and value of both types of payments grew substantially from 2012 to 2015, the last two survey periods. The chart compares these distributions, showing more vividly how this growth affected the relative proportions of payments of different dollar values.

Chart-two

For example, debit card payments below $25 accounted for 59.1 percent of all payments in 2012 versus 61.8 percent in 2015—evidence that debit card purchases are migrating to lower ticket amounts. The trend is even more dramatic over the same time span for general-purpose credit cards.

Because this is a distribution, increases in the relative number of small-value payments must be offset by decreases in the relative number of large-value payments. Unfortunately, our previous survey capped the payment threshold at $50 in 2012. Otherwise, we would see the dashed 2012 lines crossing over the solid 2015 lines at some payment value threshold above $50. In brief, the results suggest cash payments are continuing to migrate to debit cards, while credit cards may be garnering some share at the expense of both cash and debit cards.

The challenge is on for you data analysts out there. Please share your findings.

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

August 14, 2017 in ACH, cards, checks, debit cards, mobile payments, payments study | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 24, 2017


FIDO Tightens Authentication's Leash

Our blog often covers user authentication challenges confronting financial institutions and merchants. We feel this topic is essential given that consumers are increasingly going online to make payments and their passwords tend to be weak. Financial institutions and merchants face a difficult balancing act. They must be confident that their authentication tools effectively confirm the legitimacy of the individual attempting a transaction, but they also have to make sure these tools don't create a bad experience for the customer.

A meeting in 2009 between a fingerprint-sensor manufacturer and a global, third-party payment provider to fingerprint-enable online payments quickly turned into a conversation on how to develop an industry standard for the general use of biometrics to identify online users. Ultimately, this meeting led to the formation of the FIDO (Fast IDentity Online) Alliance in 2012. FIDO currently has a global membership of more than 250 companies and agencies spanning the payments, mobile, PC, and transaction security industries.

FIDO's principal effort has been to develop a set of specifications and certifications covering consumer devices, mobile and web applications, and biometric authentication methods for e-commerce applications. Products certified to these authentication specs reduce password dependence, transaction friction, and stolen password attacks such as phishing, man-in-the middle attacks, and transaction replays.

FIDO initially focused on mobile devices—which allow authentication with the fingerprint sensor, microphone, and camera—and developed the Universal Authentication Framework. This framework provides enhanced security using public-key cryptography, with the keys and biometric templates remaining on the mobile device. The user goes through a device registration process that creates the biometric template and a cryptographic key pair on the device and registers only the public key with the online service. To perform a transaction, the customer uses one of the phone's biometric sensors to unlock the private key on the device.

To expand these strong cryptographic authentication capabilities to second-factor use cases on the web, FIDO established a second set of specifications known as FIDO U2F, or Universal Second Factor protocol. With this protocol, the user inserts a certified U2F device, also known as a security key, into a device's USB port or uses the device's Bluetooth or near-field communication features. The application running in a FIDO-compliant web browser first challenges the user for a password and then authenticates the user with the cryptographic private key on the U2F device.

Authentication of customers, especially on a remote basis, will always be a challenge as criminals find more and more ways to spoof identities. The industry's efforts to increase the security of remote payments remain ongoing and the cooperative work demonstrated by groups such as the FIDO Alliance plays an important part in that effort.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 24, 2017 in banks and banking, biometrics, consumer fraud, consumer protection, identity theft, innovation, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad