Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

April 25, 2016


Be Careful, Be Very Careful

Less than halfway through the spring season of banking and payments conferences, the dominant theme of cybercrime is ringing loud and clear. In the 2015 conferences, it was virtual currency, but this year, it is the threat of cyberattacks against individuals and business in both widespread and singular manners. At a payments conference last week, a representative of the Internet Crime Complaint Center (IC3) told the session audience about her center's work. The IC3 has served since 2000 as a conduit for the public to provide information to the FBI regarding suspected Internet-facilitated criminal activity. IC3 tracks and investigates hacking, money laundering, identity theft, advanced fee, and ransomware schemes. It also tracks and investigates efforts to steal intellectual property and trade secrets.

In its latest annual report, IC3 provides detailed statistics on Internet-related complaints and trends. In 2014, the center received almost 270,000 complaints, accounting for more than $800 million in losses. Average monthly complaints received were 22,452. Complaint volume peaked in July at 24,521; the month with the fewest was February, with 20,888.

I asked the IC3 representative about the top complaints the unit was currently seeing. She indicated that email compromise of targeted businesses was the primary complaint and the one that generally resulted in the highest financial loss per complaint. It is common for employees in accounting areas to be targeted. They receive spoofed emails instructing them to initiate wire transfers or to change invoice remittance payments to fraudulent parties and locations, often accounts at financial institutions located in eastern Europe or the Asian-Pacific region. Although representing less than 1 percent of the total complaints filed in 2014, the losses from business email compromise accounted for 28 percent of the total losses reported, and from January 2015 to January 2016 the loss rate increased 270 percent.

Advanced fee schemes involving home rentals or sales, automobile sales, dating services, and lottery/prize winnings are also common. As the name implies, the criminals gain the confidence of victims and demand upfront payment as a sign of good faith. Once they receive the first payment, they will often try for additional payments before disappearing.

Finally, intimidation or extortion schemes are becoming more prevalent. The criminal generally contacts the victims by phone, accuses them of being past due on tax payments or utility bills, and says if immediate payment is not made, their property will be confiscated or they will be arrested. Often the criminal has used social engineering or public records to obtain legitimate data to make their representation of the agency seem more legitimate.

The size and frequency of data breaches of financial institutions, retailers, health care and insurance companies, and government agencies have led some people to conclude that just about everyone's personal identification information has been compromised to some level. I believe it is sensible to be a bit distrustful and apprehensive about the legitimacy of offers or information you might receive through emails or websites, especially those with which you are unfamiliar. Many of the attempts are easy to spot but many others involve highly sophisticated techniques, so one should be extremely careful when on the Internet.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 25, 2016 in cybercrime, data security, fraud, identity theft | Permalink | Comments (0)

April 18, 2016


"I want to be alone; I just want to be alone"

This was spoken forlornly by the Russian ballerina Grusinskaya in the 1932 film Grand Hotel by the famously reclusive screen star Greta Garbo. This movie line causes me to occasionally wonder why we all can't just be left alone. Narrowed to payments, why does paying anonymously have to indicate you are hiding something nefarious?

Some of you may be asking why it would be necessary to hide anything. I offer the following examples of cases when someone would want to pay anonymously, either electronically or with cash.

  • Make an anonymous contribution to a charitable or political organization to avoid being hounded later for further contributions.
  • Make a large anonymous charitable contribution to avoid attention or the appearance of self-aggrandizement.
  • Recompense someone in need who may or may not be known personally with no expectation or wish to be repaid.
  • Pay anonymously at a merchant to avoid being tracked for unwelcome solicitations and offers.
  • Make a purchase for a legal but socially-frowned-upon good or service.
  • Shield payments from scrutiny for medical procedures or pharmacy purchases that are stigmatized.
  • Personally, use an anonymous form of payment to avoid letting my wife find out what she will be getting as a gift. (Don't worry; my spouse never reads my blogs so she doesn't know she needs to dig deeper to figure out what she is getting.)

Some of these cases can be handled easily with the anonymity of cash. As cash becomes less frequently used or accepted or perhaps even unsafe or impractical, what do we have as an alternative form of payment? Money orders such as those offered by the U.S. Postal Service are an option. The postal service places a cap of $1,000 on what can be paid for in cash. Nonreloadable prepaid cards such as gift cards offer some opportunity as long as the amount is below a certain threshold. Distributed networks like bitcoin offer some promise but may come with greater oversight and regulations in the future. Some emerging payment providers claim to offer services tailored for anonymous payments. Still, though, the future for a truly anonymous, ubiquitous payment alternative like cash doesn't look promising, given the current regulatory climate.

I acknowledge that one needs to find a proper balance between vigorously tackling financial fraud, money laundering, and terrorist financing and the need that I think most of us share for regulators and others to keep out of our personal business unless a compelling reason justifies such an intrusion. Consequently, we should be scrupulous about privacy but offer the investigatory tools when payments are used for nefarious purposes to identify the activities and the people involved. In many ways, this balancing act dovetails with the highly charged debate going on between the value of encryption and the needs of law enforcement and intelligence agencies to have the investigatory tools to read encrypted data. As Greta Garbo famously said and perhaps inadvertently foretold, some of us just want to be left alone.

Photo of Steven Cordray By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 18, 2016 in privacy, regulators | Permalink | Comments (2)

April 11, 2016


Combat Gear for Tax Season

Recently, a local newspaper reported on two ex-bankers who were sentenced for their roles in a two-year-long fraud scheme. These ex-bankers created fraudulent bank accounts, then generated more than 2,000 false tax returns totaling more than $2.8 million in fraudulent refunds. The IRS has plenty more stories of tax fraud to tell.

Currently, "file taxes" is number one on my to-do list, and maybe yours. Do you shiver considering the possibility a tax return in your name has already been filed by someone else? Criminals, organized or not, know they can earn a living by filing fake returns. Even a legitimate taxpayer who owes taxes can be a victim of identity theft tax (IDT) refund fraud, as defined by the Internal Revenue Service's (IRS) Security Summit. (Note: The Electronic Tax Administration Advisory Committee, which reports to Congress, calls IDT refund fraud stolen identity refund fraud, or SIRF).

Formed on March 19, 2015, the Security Summit joins the IRS, state departments of revenue, and members of the tax refund ecosystem to discuss ways to combat IDT refund fraud. The Summit currently has seven working groups, including one focused on refund authentication and fraud detection. We have blogged before on the importance of data analytics in detecting fraudulent filings; this working group is attempting to strengthen these data tools. The working group also laid out best practices for software providers in enhancing identity requirements and strengthening validation procedures. At the end of last year, Congress provided a big assist in these efforts by passing the Protecting Americans from Tax Hikes, or PATH, Act of 2015, which closes one of the biggest loopholes in the tax refund process by requiring employers to electronically file W-2 forms and 1099 forms with the IRS by January 31 of each year instead of March 31. This new requirement, which becomes effective in 2017, will allow federal and state taxing authorities to match returns with actual W-2s for the first time.

The Security Summit also has a Financial Services Working Group, which explores ways to prevent criminals from using stolen identification credentials to establish financial services products such as checking accounts and prepaid cards that would allow the criminal to access the proceeds of fraudulent returns. After all, fraud may not be realized until after processing the tax return. Refunds are distributed either by check or direct deposit via ACH, which can be sent to a prepaid account (card) or traditional bank account. The IRS can't determine which account type an ACH refund is destined for since routing number and account number aren't standardized by account type, nor is there a database of routing numbers to identify prepaid accounts. Some have suggested that knowing when it is a prepaid account could be helpful in risk rating the return before sending the refund. The Financial Services Working Group has developed a standard state ACH file-naming convention so that state tax refunds can be identified by the industry in order to apply enhanced fraud filtering. Suspicious state tax refund deposits can be detected based on amounts, name matching, account type, length of relationship, and volume of deposits or withdrawals. The new format standard will strengthen fraud control systems in that all tax refund deposits will be able to be further scrutinized.

The Security Summit has a total of seven working groups, and they have their work cut out for them. While I shiver to think I could be a victim to identity theft, I support the progressive efforts to stop this crime, especially in the pre-filing and pre-refund stages so the criminals can't see a reward for their efforts.

Photo of Jessica Trundley By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 11, 2016 in ACH, consumer fraud, fraud, identity theft | Permalink | Comments (0)

April 4, 2016


Same-Day ACH: A Call to Action

As my colleague recently blogged, there were standing-room only crowds during four sessions related to same-day ACH at an annual conference sponsored by EastPay and the Atlanta Fed. I moderated two of the sessions, which focused on operational and product opportunities available to financial institutions (FIs) in supporting faster payments.

My suspicion is that attendance was so heavy because many FIs still have a lot to do to get ready for faster payments. I was already aware of the lack of readiness among some of the processors that these FIs rely on so heavily. During one session, only a few hands were raised among 60 attendees when they were asked if they had been contacted by their processor about preparing for the September 2016 rollout. Of course, engagement is best when it's a two-way street. On the other side of things I have heard that processor training sessions devoted to supporting same-day ACH have been poorly attended. Additionally, FI session attendees indicated that no efforts were under way to educate corporate account holders about the looming service changes to ACH.

If my suspicions are right, the current state of things is troubling; the window of time left to prepare for Phase 1 is shrinking. September is less than six short months away.

Not being ready has some potentially serious, but avoidable, consequences for FIs and their account holders. Here are a few of the risks:

  • The two same-day submittal windows, which narrows the time between payment submittal and settlement, added to Phase 1 offer potentially greater risk of funds being sent out fraudulently as a result of corporate account takeovers unless FIs put proper controls in place to mitigate this risk. The potential for harm may be somewhat diminished given the individual transaction cap of $25,000.
  • Since the identification method for same-day payments relies on the requested settlement date using the Effective Entry Date field, some FIs could end up being surprised to learn their credits have settled sooner than they intended. Originators that have not been careful in selecting the settlement date will experience this "surprise."
  • If corporate originators inadvertently send same-day payments, such a mistake could prove costly. This is because the 5.2 cent same-day interbank fee, paid by the originating bank to the receiving bank, will likely be passed along to the originator. A corporate originator mistakenly sending same-day credit payments to 10,000 employees could incur an additional $520 fee plus any other upcharge associated with sending same-day payments.
  • Taxpayers may expect that just-in-time payments or late payments to avoid additional penalties can be made using same-day ACH to the IRS. As my colleague noted in the post I mentioned above, such payments will not be supported in Phase 1. Therefore, it is critical that FIs educate their account holders about this limitation.
  • Unless controls are put in place by their processors, FIs may have difficulty stopping same-day service to corporate account holders they judge to be too risky for sending same-day payments, or when agreements have not been put in place allowing corporate participation.
  • Since next-day ACH is the earliest settlement generally available today, some processors preclude using today's date as a settlement date. Unless this restriction is removed, originators would not be able to send same-day payments when Phase 1 service becomes available.

The risks outlined above are just some of the reasons FIs and their processors will want to be sure they are prepared for the September 23 deadline. Failure to do so could damage account holder relationships. NACHA, the regional payments associations, and the ACH operators offer a wealth of information on same-day ACH that all parties need to avail themselves of.

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 4, 2016 in ACH | Permalink | Comments (0)

March 28, 2016


Continuing Education in Mobile Payments Security

Just over a year ago, I wrote a post raising the question of which stakeholder or stakeholders in the payments ecosystem had the responsibility for educating consumers regarding payments security. As new payment technologies such as mobile devices, wearables, and the Internet of things gain acceptance and increased usage, who is stepping up not only to teach consumers how to use the devices but also how to do so in a safe and secure manner?

Since it is generally financial institutions that have the greatest financial risk for payment transactions because of the protective liability legislation that exists in the United States, this responsibility has fallen largely to them. However, this educational effort has become increasingly difficult since consumers generally acquire these new products at retail outlets or mobile carrier stores, where the financial institution has no direct contact with the consumer.

The Consumer Federation of America (CFA) recently continued its ongoing efforts to provide educational information to consumers with the release of a guide to mobile payments. The guide is comprehensive, covering issues such as privacy, security of the mobile device, the dangers of malware, error resolution, and dispute procedures for mobile payments, and concludes with a humorous animated video that recaps some of the risks with mobile phones if they are not secured and used properly.

As an example, in its section on privacy, the guide offers the following tips:

  • Read the privacy policies of the companies whose services you are using to make mobile payments and the companies that you are paying.
  • If you don't like a company's privacy policy, take your business elsewhere.
  • Don't voluntarily provide information that is not necessary to use a product or service or make a payment.
  • Take advantage of the controls that you may be given over the collection and use of your personal information.
  • Since mobile payments, like all electronic payments, leave a trail, if there are transactions that you would prefer to make anonymously, pay with cash.

Kudos to the CFA for its work on this effort. I hope you will read the guide and spread the word about the availability of this valuable resource. It is through the combined efforts of the payments stakeholders that we can work to improve the knowledge level of all parties involved and promote secure usage.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 28, 2016 in consumer protection, innovation, mobile banking, mobile payments | Permalink | Comments (0)

March 21, 2016


The Insider on the Outside

Having had a few days to digest my RSA Conference 2016 experience (and let my feet recover), I'm not sure whether to be more concerned about cybersecurity challenges or more at ease due to the sheer number of solutions on display that are available to mitigate these challenges. In reality, my emotions are mixed.

On the one hand, the cybersecurity threat is real and spreading across all types and sizes of businesses and government agencies. On the other hand, information sharing is taking place across, and within, industries like never before, and technology is being harnessed in an effort to strengthen defenses against the latest cybersecurity threats. But my biggest takeaway from the week might be different from that of the many technology evangelists and cyber risk experts that I encountered: the human element might be the most important element in mitigating data loss risks.

The risk of data loss due to the human element is quite substantial and probably merits a paper on its own or perhaps a dedicated Take on Payments series. Today, I'm going to focus on a single aspect of the human element: the expanding nature of the insider threat. In a Take On Payments post from the summer of 2013, I discussed some access and security management principles to thwart malicious behavior from an insider.

Traditionally, an insider has been thought of as an employee. That definition has broadened as organizations outsource more internal-support functions to third-party providers. Much has been written and discussed concerning regulatory and compliance issues related to third-party providers, and this notion of the "outside insider" is a logical extension of a company's risk management practice. The insider threat is real and costly. According to data from the Ponemon Institute, malicious insider attacks cost companies an average of about $144,000 annually.

Ensuring that any third-party provider has the necessary policies and procedures in place to secure your data from outsiders is paramount, but what about the sufficiency of their controls to protect your data from potential bad actors within these third parties? Have you given much thought to this notion of the "outside insider"? If you have, what recommendations or best practices do you have to avoid becoming a victim of a malicious insider on the outside?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 21, 2016 in cybercrime, data security, third-party service provider | Permalink | Comments (0)

March 14, 2016


Same-Day ACH: An NFAQ

The NFAQ—meaning "non-frequently asked question"—will come just a bit further down in this post. First, I need to say the Forum's prediction that same-day ACH would not be a huge hit this year may have been misunderstood. The prediction wasn't meant to say that the service wouldn't gain steam over time; it was more a comment about the type of lift the initiative could experience at the start. But if usage of same-day ACH even somewhat mirrors the level of enthusiasm and participation that attendees lavished on sessions that revolved around the topic at Information Interchange, an annual regional payments association conference sponsored by EastPay and the Atlanta Fed, same-day ACH could become a big hit.

The aforementioned annual payment conference featured four sessions related to same-day ACH. Attendance at each session was standing room only. Topics focused on everything from understanding and preparing for the change to promoting usage and enhancing payment services for customers of all types.

It was really good stuff, I must say, and I managed to squeeze in all but one of the sessions. In the last session, the moderator opened by asking the audience questions to test their knowledge of the rule change and to help panelists focus on what information might be most useful for informing and instructing attendees. The audience didn't miss a single question, which included a trick question about the dollar threshold for "IATs" or international transactions. (IATs aren't eligible, so there is no applicable dollar threshold related to these payment types.)

Perhaps the most important question of the day, which takes me to the NFAQ in the title, didn't get asked in the open sessions. However, a gentleman leaned over and asked me if U.S Treasury transactions were eligible. I didn't think so and told him that, but he pushed back and suddenly we were both unsure. So after a short back and forth with my colleagues, I pointed him to a definitive answer in the same-day FAQs on frbservices.org. It reads as follows:

Q: Will the federal government be participating in Same Day ACH at any phase of implementation?

A: At this time, the federal government will not be participating in phase 1 of the Same Day ACH implementation. Therefore, any entry originated from, or received by, the federal government will not be eligible for same day settlement and will continue to settle on a future date. Information regarding the federal government's participation in later implementation phases will be forthcoming.

I felt compelled to share this "NFAQ" because after asking others about their understanding of the matter, I found general awareness and understanding mixed, but largely incorrect. The distinction between federal government payments and other types of government payments (state government agency payments will be eligible for same-day ACH in phase 1) may be important and may not be as widely known as it should be.

By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

March 14, 2016 in ACH | Permalink | Comments (0)

March 7, 2016


Card Chargebacks: Sorting Out the Facts

For years, I have heard conflicting statements by card issuers and acquiring merchants about the impact of chargebacks on their businesses. A chargeback is a demand by a card issuer for a merchant to make the issuer whole for the loss of a disputed transaction by a cardholder. Because of consumer liability protections afforded under various regulations and the card brand's liability rules, the issuer or the merchant typically incurs the final loss. The issuer initiates a chargeback when a cardholder disputes a transaction on the statement—for one of a variety of reasons—if the issuer believes the merchant is financially liable under the particular card network's operating rules. Merchants may accept the chargeback and assume the loss, or they may dispute it if they believe they were in compliance with the network rules.

The debate over the amount of chargeback losses to merchants has continued over the years because of a lack of independent research, but all that has changed with a study published in January by my colleagues at the Federal Reserve Bank of Kansas City. Senior economists Fumiko Hayashi and Rick Sullivan along with risk specialist Zach Markiewicz examined chargeback and sales data from October 2013 through September 2014 from selected merchant acquirers who process more than 20 percent of network-branded card transactions in the United States. While the study examines the full chargeback landscape of four-party networks (Visa and MasterCard) and three-party networks (American Express and Discover), the focus of this post is on their findings related to card fraud—both card present (CP) and card not present (CNP)—for the four-party networks. PIN debit transaction chargebacks were not included in this study.

Some of the study's key findings are:

  • Overall, merchants incur 70–80 percent of all chargeback losses.
  • Fraud is the most common chargeback reason and accounts for approximately 50 percent of total chargebacks in value.
  • The average value of a fraud chargeback was $200, compared to $56 for the average sales transaction. Clearly, the criminals are going after higher-dollar value goods.
  • The merchant loss rate in the CNP channel of 14.17 basis points (bps) is significantly higher than the 1.02 bps loss rate for the CP channel.
  • As the chart shows, the merchant categories incurring the highest fraud rates were the travel and department store categories. Grocery stores had the lowest.

chart-1

As previous posts have noted, the Federal Reserve is making a concerted effort to collect fraud data for non-cash payment channels to develop a holistic view and understanding of fraud trends. The Kansas City Fed is looking to repeat its study in the near future, when it will also include PIN debit transaction chargebacks. As our payments system evolves and user payment preferences change, it is vital for payments system stakeholders to be able to determine how these changes are affecting fraud losses being sustained by the various stakeholders.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 7, 2016 in card networks, cards, consumer protection | Permalink | Comments (0)

February 29, 2016


Warning! This Vehicle Has Been Immobilized

Imagine my frustration when, after a long day at work followed by a nice dinner catching up with an out-of-town friend, I found my vehicle booted in a parking lot 30 miles from home, at 9 p.m. on a Tuesday. The boot immobilized my car because I violated a 6 p.m. curfew. Those details were printed in small print on the receipt I received after paying the automated kiosk and did not read. I pleaded with the boot company attendant to waive the $75 removal fee to no avail. He was a third-party to the lot owner. A man who lived in the apartment building next door was walking his dog and sympathetically shouted, "This happens all the time."

Being deceived is damaging, especially when it comes with a price tag. I felt like a victim. In fact, deceptive acts or practices are unlawful by Section 5 of the Federal Trade Commission (FTC) Act and Section 1031 of the Dodd-Frank Act. Deception is defined as representation, omission, or practice that is likely to mislead a consumer acting reasonably in the circumstances, to the consumer's detriment.

Deception—or alternatively, forthrightness—is circumstance-driven and involves subjectivity, leading us to base judgments on precedent and personal perspective. A practice can't be decidedly deceptive with a yes or no. The Federal Trade Commission (FTC) and federal banking regulators have applied deception interpretation standards through case law, official policy statements, guidance, examination procedures, and enforcement actions.

Two recent interpretations came by way of consent orders from the FDIC (or Federal Deposit Insurance Corporation) at the end of December 2015, both including deceptive practices. My analysis mixes in themes from recent proposed regulation. Deception appears to exist when layering circumstances mislead and cause injury, and when consumers may have chosen differently but for deception. The orders state that (1) consumers shouldn't be forced into receiving funds via one payment type; give them a choice; (2) before consumers make a choice, give them information about fees, features, and limitations, as well as how to use the product; (3) provide error resolution; (4) be clear about account termination and fee practices; (5) pay attention to complaints, and make this a program; and (6) you can't blame noncompliance on the third party.

I would not have parked in the lot if I had known about the 6 p.m. curfew with a $75 penalty. Will UDAAP compliance be an active project for your financial services, or could your most rewarding business vehicle get the boot?

Photo of Jessica J. Trundley By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 29, 2016 in Unfair and Deceptive Acts and Practices (UDAP) | Permalink | Comments (0)

February 22, 2016


2016 Payment Predictions

In our 2015 year-end review, we promised we would provide some predictions and expectations for payments in the United States during 2016. Predictions are usually pretty…unpredictable, so by waiting a couple of months to release ours, we're hoping they will end up being more accurate than usual. Disclaimer: These predictions are through the collective wisdom of the Retail Payments Risk Forum staff and do not reflect the opinions of the Federal Reserve System or the Board of Governors. So here we go in no particular order or probability of happening.

  • Cyberattacks will be the top threat to payments security: Cyberattacks and data breaches will be as robust as ever and will be the number one threat in the payments ecosystem. As retailers and financial service companies strengthen their defenses, the Risk Forum predicts that hackers will widen their focus.
  • This will be the year for mobile point-of-service (POS) payments…not!: Like the broken analog clock face that is correct twice a day, we believe that those forecasting 2016 as the "year of mobile payments" (as they did in 2013, 2014, and 2015) will be a little bit right, but will still be waiting for this optimistic prediction to be fully true. While the adoption pace of mobile payments is growing because of the increasing influence of millennials, the issues of limited merchant acceptance points, fragmentation, and consumer concerns over security and privacy will remain as substantial hurdles. Major educational efforts will be launched stressing the increased security provided by mobile payments through tokenization and biometrics.
  • EMV (chip card) POS migration will pick up the pace from 2015: The liability shift for POS took place October 1, 2015, and projections for both card and terminal capability missed their optimistic marks for a variety of reasons. Credit and debit card reissuance will continue during 2016 and should reach significant conversion levels by the end of the year. The Risk Forum expects the pace of merchant terminal conversions to pick up as certifications are completed and merchants targeted by counterfeit card fraudsters feel the sting of losses. However, we also think some merchant categories, such as restaurants, will continue to proceed at a tepid pace.
  • ACH same-day service will not be a huge hit: The Risk Forum forecasts that the roll-out of NACHA's mandated same-day ACH service in September will, at least initially, have modest adoption because corporate originators will have to update internal systems to support faster payments, the dollar cap of $25,000 per payment, and the imposition of the interbank fee. Consumer payment applications will have modest uptake due to competing payment alternatives.
  • EMV ATM liability shift will cause the number of ATMs to shrink: The implementation of chip card readers in ATMs will follow the same pattern as POS terminals did in 2015—the large ATM owners and operators will meet the October 2016 deadline but many of the small and mid-sized operators, especially those owned by nonfinancial institutions, will not and will be faced with absorbing the loss of transactions made with counterfeit cards—a fraud loss they haven't experienced in the past. Overall, the Risk Forum looks for the ATM base in the U.S. to contract by 10 to 15 percent because of financial institution mergers and the cost of EMV upgrades.
  • Mobile wallet space will continue to see turbulence: 2015 saw the launch or announcement of more mobile wallets by payment stakeholders such as Samsung, Google, Chase, Capital One, Walmart, and Target. Then add the retailer and credit union consortiums (MCX CurrentC and CU Wallet) that are struggling to emerge from uncertainty. How many wallets will the consumer be willing to load on a phone and which providers do they trust to keep their payments and banking credentials safe? We believe we'll see continued turbulence in this space during 2016, with some settling of the dust by next year.
  • Blockchain technology interest will accelerate: Cryptocurrencies will continue to exist in the "novelty" space, but we think large payments players will direct efforts to leveraging the distributed ledger technology for various uses and will proceed at an accelerated pace.
  • Biometric technology improves, but passwords remain supreme: Despite continued cries for intervention, the user ID and password will remain the primary authentication method that consumers use to access their various applications. Biometrics technology for payment and customer authentication applications will continue to improve while decreasing in price. Fingerprint, facial recognition, and eye/iris recognition will dominate as the most-used biometrics although voice recognition will serve as a key method in certain environments such as call centers. The Risk Forum believes that the technology will continue to face critical adoption challenges due to concerns about privacy, security, and safety, but educational programs will lower this resistance.
Photo of Mary Kepler
Mary Kepler
Photo of Steven Cordray
Steven Cordray
Photo of Doug King
Doug King
Photo of David Lott
Dave Lott
Photo of Jessica Trundley</span>
</div>
Jessica Trundley
Photo of Julius Weyman
Julius Weyman

February 22, 2016 in cybercrime, data security, EMV, mobile payments | Permalink | Comments (0)

Google Search



Recent Posts


May 2016


Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31        

Archives


Categories


Powered by TypePad