Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

March 28, 2016


Continuing Education in Mobile Payments Security

Just over a year ago, I wrote a post raising the question of which stakeholder or stakeholders in the payments ecosystem had the responsibility for educating consumers regarding payments security. As new payment technologies such as mobile devices, wearables, and the Internet of things gain acceptance and increased usage, who is stepping up not only to teach consumers how to use the devices but also how to do so in a safe and secure manner?

Since it is generally financial institutions that have the greatest financial risk for payment transactions because of the protective liability legislation that exists in the United States, this responsibility has fallen largely to them. However, this educational effort has become increasingly difficult since consumers generally acquire these new products at retail outlets or mobile carrier stores, where the financial institution has no direct contact with the consumer.

The Consumer Federation of America (CFA) recently continued its ongoing efforts to provide educational information to consumers with the release of a guide to mobile payments. The guide is comprehensive, covering issues such as privacy, security of the mobile device, the dangers of malware, error resolution, and dispute procedures for mobile payments, and concludes with a humorous animated video that recaps some of the risks with mobile phones if they are not secured and used properly.

As an example, in its section on privacy, the guide offers the following tips:

  • Read the privacy policies of the companies whose services you are using to make mobile payments and the companies that you are paying.
  • If you don't like a company's privacy policy, take your business elsewhere.
  • Don't voluntarily provide information that is not necessary to use a product or service or make a payment.
  • Take advantage of the controls that you may be given over the collection and use of your personal information.
  • Since mobile payments, like all electronic payments, leave a trail, if there are transactions that you would prefer to make anonymously, pay with cash.

Kudos to the CFA for its work on this effort. I hope you will read the guide and spread the word about the availability of this valuable resource. It is through the combined efforts of the payments stakeholders that we can work to improve the knowledge level of all parties involved and promote secure usage.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 28, 2016 in consumer protection, innovation, mobile banking, mobile payments | Permalink | Comments (0)

March 21, 2016


The Insider on the Outside

Having had a few days to digest my RSA Conference 2016 experience (and let my feet recover), I'm not sure whether to be more concerned about cybersecurity challenges or more at ease due to the sheer number of solutions on display that are available to mitigate these challenges. In reality, my emotions are mixed.

On the one hand, the cybersecurity threat is real and spreading across all types and sizes of businesses and government agencies. On the other hand, information sharing is taking place across, and within, industries like never before, and technology is being harnessed in an effort to strengthen defenses against the latest cybersecurity threats. But my biggest takeaway from the week might be different from that of the many technology evangelists and cyber risk experts that I encountered: the human element might be the most important element in mitigating data loss risks.

The risk of data loss due to the human element is quite substantial and probably merits a paper on its own or perhaps a dedicated Take on Payments series. Today, I'm going to focus on a single aspect of the human element: the expanding nature of the insider threat. In a Take On Payments post from the summer of 2013, I discussed some access and security management principles to thwart malicious behavior from an insider.

Traditionally, an insider has been thought of as an employee. That definition has broadened as organizations outsource more internal-support functions to third-party providers. Much has been written and discussed concerning regulatory and compliance issues related to third-party providers, and this notion of the "outside insider" is a logical extension of a company's risk management practice. The insider threat is real and costly. According to data from the Ponemon Institute, malicious insider attacks cost companies an average of about $144,000 annually.

Ensuring that any third-party provider has the necessary policies and procedures in place to secure your data from outsiders is paramount, but what about the sufficiency of their controls to protect your data from potential bad actors within these third parties? Have you given much thought to this notion of the "outside insider"? If you have, what recommendations or best practices do you have to avoid becoming a victim of a malicious insider on the outside?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 21, 2016 in cybercrime, data security, third-party service provider | Permalink | Comments (0)

March 14, 2016


Same-Day ACH: An NFAQ

The NFAQ—meaning "non-frequently asked question"—will come just a bit further down in this post. First, I need to say the Forum's prediction that same-day ACH would not be a huge hit this year may have been misunderstood. The prediction wasn't meant to say that the service wouldn't gain steam over time; it was more a comment about the type of lift the initiative could experience at the start. But if usage of same-day ACH even somewhat mirrors the level of enthusiasm and participation that attendees lavished on sessions that revolved around the topic at Information Interchange, an annual regional payments association conference sponsored by EastPay and the Atlanta Fed, same-day ACH could become a big hit.

The aforementioned annual payment conference featured four sessions related to same-day ACH. Attendance at each session was standing room only. Topics focused on everything from understanding and preparing for the change to promoting usage and enhancing payment services for customers of all types.

It was really good stuff, I must say, and I managed to squeeze in all but one of the sessions. In the last session, the moderator opened by asking the audience questions to test their knowledge of the rule change and to help panelists focus on what information might be most useful for informing and instructing attendees. The audience didn't miss a single question, which included a trick question about the dollar threshold for "IATs" or international transactions. (IATs aren't eligible, so there is no applicable dollar threshold related to these payment types.)

Perhaps the most important question of the day, which takes me to the NFAQ in the title, didn't get asked in the open sessions. However, a gentleman leaned over and asked me if U.S Treasury transactions were eligible. I didn't think so and told him that, but he pushed back and suddenly we were both unsure. So after a short back and forth with my colleagues, I pointed him to a definitive answer in the same-day FAQs on frbservices.org. It reads as follows:

Q: Will the federal government be participating in Same Day ACH at any phase of implementation?

A: At this time, the federal government will not be participating in phase 1 of the Same Day ACH implementation. Therefore, any entry originated from, or received by, the federal government will not be eligible for same day settlement and will continue to settle on a future date. Information regarding the federal government's participation in later implementation phases will be forthcoming.

I felt compelled to share this "NFAQ" because after asking others about their understanding of the matter, I found general awareness and understanding mixed, but largely incorrect. The distinction between federal government payments and other types of government payments (state government agency payments will be eligible for same-day ACH in phase 1) may be important and may not be as widely known as it should be.

By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

March 14, 2016 in ACH | Permalink | Comments (0)

March 7, 2016


Card Chargebacks: Sorting Out the Facts

For years, I have heard conflicting statements by card issuers and acquiring merchants about the impact of chargebacks on their businesses. A chargeback is a demand by a card issuer for a merchant to make the issuer whole for the loss of a disputed transaction by a cardholder. Because of consumer liability protections afforded under various regulations and the card brand's liability rules, the issuer or the merchant typically incurs the final loss. The issuer initiates a chargeback when a cardholder disputes a transaction on the statement—for one of a variety of reasons—if the issuer believes the merchant is financially liable under the particular card network's operating rules. Merchants may accept the chargeback and assume the loss, or they may dispute it if they believe they were in compliance with the network rules.

The debate over the amount of chargeback losses to merchants has continued over the years because of a lack of independent research, but all that has changed with a study published in January by my colleagues at the Federal Reserve Bank of Kansas City. Senior economists Fumiko Hayashi and Rick Sullivan along with risk specialist Zach Markiewicz examined chargeback and sales data from October 2013 through September 2014 from selected merchant acquirers who process more than 20 percent of network-branded card transactions in the United States. While the study examines the full chargeback landscape of four-party networks (Visa and MasterCard) and three-party networks (American Express and Discover), the focus of this post is on their findings related to card fraud—both card present (CP) and card not present (CNP)—for the four-party networks. PIN debit transaction chargebacks were not included in this study.

Some of the study's key findings are:

  • Overall, merchants incur 70–80 percent of all chargeback losses.
  • Fraud is the most common chargeback reason and accounts for approximately 50 percent of total chargebacks in value.
  • The average value of a fraud chargeback was $200, compared to $56 for the average sales transaction. Clearly, the criminals are going after higher-dollar value goods.
  • The merchant loss rate in the CNP channel of 14.17 basis points (bps) is significantly higher than the 1.02 bps loss rate for the CP channel.
  • As the chart shows, the merchant categories incurring the highest fraud rates were the travel and department store categories. Grocery stores had the lowest.

chart-1

As previous posts have noted, the Federal Reserve is making a concerted effort to collect fraud data for non-cash payment channels to develop a holistic view and understanding of fraud trends. The Kansas City Fed is looking to repeat its study in the near future, when it will also include PIN debit transaction chargebacks. As our payments system evolves and user payment preferences change, it is vital for payments system stakeholders to be able to determine how these changes are affecting fraud losses being sustained by the various stakeholders.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 7, 2016 in card networks, cards, consumer protection | Permalink | Comments (0)

February 29, 2016


Warning! This Vehicle Has Been Immobilized

Imagine my frustration when, after a long day at work followed by a nice dinner catching up with an out-of-town friend, I found my vehicle booted in a parking lot 30 miles from home, at 9 p.m. on a Tuesday. The boot immobilized my car because I violated a 6 p.m. curfew. Those details were printed in small print on the receipt I received after paying the automated kiosk and did not read. I pleaded with the boot company attendant to waive the $75 removal fee to no avail. He was a third-party to the lot owner. A man who lived in the apartment building next door was walking his dog and sympathetically shouted, "This happens all the time."

Being deceived is damaging, especially when it comes with a price tag. I felt like a victim. In fact, deceptive acts or practices are unlawful by Section 5 of the Federal Trade Commission (FTC) Act and Section 1031 of the Dodd-Frank Act. Deception is defined as representation, omission, or practice that is likely to mislead a consumer acting reasonably in the circumstances, to the consumer's detriment.

Deception—or alternatively, forthrightness—is circumstance-driven and involves subjectivity, leading us to base judgments on precedent and personal perspective. A practice can't be decidedly deceptive with a yes or no. The Federal Trade Commission (FTC) and federal banking regulators have applied deception interpretation standards through case law, official policy statements, guidance, examination procedures, and enforcement actions.

Two recent interpretations came by way of consent orders from the FDIC (or Federal Deposit Insurance Corporation) at the end of December 2015, both including deceptive practices. My analysis mixes in themes from recent proposed regulation. Deception appears to exist when layering circumstances mislead and cause injury, and when consumers may have chosen differently but for deception. The orders state that (1) consumers shouldn't be forced into receiving funds via one payment type; give them a choice; (2) before consumers make a choice, give them information about fees, features, and limitations, as well as how to use the product; (3) provide error resolution; (4) be clear about account termination and fee practices; (5) pay attention to complaints, and make this a program; and (6) you can't blame noncompliance on the third party.

I would not have parked in the lot if I had known about the 6 p.m. curfew with a $75 penalty. Will UDAAP compliance be an active project for your financial services, or could your most rewarding business vehicle get the boot?

Photo of Jessica J. Trundley By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 29, 2016 in Unfair and Deceptive Acts and Practices (UDAP) | Permalink | Comments (0)

February 22, 2016


2016 Payment Predictions

In our 2015 year-end review, we promised we would provide some predictions and expectations for payments in the United States during 2016. Predictions are usually pretty…unpredictable, so by waiting a couple of months to release ours, we're hoping they will end up being more accurate than usual. Disclaimer: These predictions are through the collective wisdom of the Retail Payments Risk Forum staff and do not reflect the opinions of the Federal Reserve System or the Board of Governors. So here we go in no particular order or probability of happening.

  • Cyberattacks will be the top threat to payments security: Cyberattacks and data breaches will be as robust as ever and will be the number one threat in the payments ecosystem. As retailers and financial service companies strengthen their defenses, the Risk Forum predicts that hackers will widen their focus.
  • This will be the year for mobile point-of-service (POS) payments…not!: Like the broken analog clock face that is correct twice a day, we believe that those forecasting 2016 as the "year of mobile payments" (as they did in 2013, 2014, and 2015) will be a little bit right, but will still be waiting for this optimistic prediction to be fully true. While the adoption pace of mobile payments is growing because of the increasing influence of millennials, the issues of limited merchant acceptance points, fragmentation, and consumer concerns over security and privacy will remain as substantial hurdles. Major educational efforts will be launched stressing the increased security provided by mobile payments through tokenization and biometrics.
  • EMV (chip card) POS migration will pick up the pace from 2015: The liability shift for POS took place October 1, 2015, and projections for both card and terminal capability missed their optimistic marks for a variety of reasons. Credit and debit card reissuance will continue during 2016 and should reach significant conversion levels by the end of the year. The Risk Forum expects the pace of merchant terminal conversions to pick up as certifications are completed and merchants targeted by counterfeit card fraudsters feel the sting of losses. However, we also think some merchant categories, such as restaurants, will continue to proceed at a tepid pace.
  • ACH same-day service will not be a huge hit: The Risk Forum forecasts that the roll-out of NACHA's mandated same-day ACH service in September will, at least initially, have modest adoption because corporate originators will have to update internal systems to support faster payments, the dollar cap of $25,000 per payment, and the imposition of the interbank fee. Consumer payment applications will have modest uptake due to competing payment alternatives.
  • EMV ATM liability shift will cause the number of ATMs to shrink: The implementation of chip card readers in ATMs will follow the same pattern as POS terminals did in 2015—the large ATM owners and operators will meet the October 2016 deadline but many of the small and mid-sized operators, especially those owned by nonfinancial institutions, will not and will be faced with absorbing the loss of transactions made with counterfeit cards—a fraud loss they haven't experienced in the past. Overall, the Risk Forum looks for the ATM base in the U.S. to contract by 10 to 15 percent because of financial institution mergers and the cost of EMV upgrades.
  • Mobile wallet space will continue to see turbulence: 2015 saw the launch or announcement of more mobile wallets by payment stakeholders such as Samsung, Google, Chase, Capital One, Walmart, and Target. Then add the retailer and credit union consortiums (MCX CurrentC and CU Wallet) that are struggling to emerge from uncertainty. How many wallets will the consumer be willing to load on a phone and which providers do they trust to keep their payments and banking credentials safe? We believe we'll see continued turbulence in this space during 2016, with some settling of the dust by next year.
  • Blockchain technology interest will accelerate: Cryptocurrencies will continue to exist in the "novelty" space, but we think large payments players will direct efforts to leveraging the distributed ledger technology for various uses and will proceed at an accelerated pace.
  • Biometric technology improves, but passwords remain supreme: Despite continued cries for intervention, the user ID and password will remain the primary authentication method that consumers use to access their various applications. Biometrics technology for payment and customer authentication applications will continue to improve while decreasing in price. Fingerprint, facial recognition, and eye/iris recognition will dominate as the most-used biometrics although voice recognition will serve as a key method in certain environments such as call centers. The Risk Forum believes that the technology will continue to face critical adoption challenges due to concerns about privacy, security, and safety, but educational programs will lower this resistance.
Photo of Mary Kepler
Mary Kepler
Photo of Steven Cordray
Steven Cordray
Photo of Doug King
Doug King
Photo of David Lott
Dave Lott
Photo of Jessica Trundley</span>
</div>
Jessica Trundley
Photo of Julius Weyman
Julius Weyman

February 22, 2016 in cybercrime, data security, EMV, mobile payments | Permalink | Comments (0)

February 16, 2016


Changing How We Pay Online in 2016

Over the past few years, I've done the majority of my Christmas shopping online through my laptop or mobile device. This year, I did 100 percent of my shopping online due to an accident that left me mostly immobile. Though shopping online was certainly easier for me than trying to get out in the hustle and bustle of the December shopping madness, the payment experience for some of my transactions was as painful as my leg injury.

I have been hearing for years how the mobile phone is going to replace my wallet, and one reason is that our phones are increasingly with us while our wallets are not. Yet I never leave my house or office without my wallet unless I forget it. In fact, I forget my mobile phone more often than my wallet, but apparently I'm an exception. However, I realized that when I'm home, I am rarely with my wallet. Out of habit, I leave my wallet sitting on a shelf in the closet. This habit never created issues for me until recently.

Except for websites that have my card on file, I am almost always required to enter my card information (account number, expiration date, and maybe the card security code). The expiration or CVV2 are still required even for some of my card-on-file transactions. While it's always been something of a hassle to go get my card information from my closet, I never gave much thought to the friction of the experience—that is, until my left leg was temporarily rendered useless and making it to my wallet in the closet became difficult. When my wife wasn't around to get my wallet, my cart abandonment rate pushed 100 percent.

Then I discovered how easy it is to use online digital wallets. And I tried a lot of them—PayPal, American Express Checkout (actually more of a platform than a wallet), Visa Checkout, and MasterCard's MasterPass, to name a few. While each wallet has its pros and cons and merchant acceptance varies by wallet, I gained a greater appreciation for these transactions because of how easy it was not needing to physically have my card to enter the requested information for each transaction beyond the initial wallet setup. And I liked not having my card on file with a merchant. By the end of the shopping season, I had become a big fan of digital wallets.

Removing friction from the consumer experience is just one reason why many believe that mobile proximity payments will flourish. I never agreed with that reason (this was in a pre-EMV world though!) but it is a big reason why I believe online commerce will experience a significant transformation in 2016 with both merchant and consumer adoption of digital wallets taking off this year.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 16, 2016 in mobile banking, mobile payments | Permalink | Comments (0)

February 8, 2016


Will Biometrics Breed Virtual Clones?

In the middle of last November, our group, the Retail Payments Risk Forum, hosted a conference on the application of biometrics for banking applications. For me, one of the important "ah-ha" moments from the conference was hearing about the potential downside to the technology. While the various speakers and panelists certainly pointed out the powerful security improvements that could result from an increased use of biometrics, there were also thoughtful contributions about what could go wrong. To illustrate one of these downsides, let me take you back to the breach that occurred at the United States' Office of Personnel Management (OPM) earlier this year. For those who may have applied for a position with a government agency over the last 20 years or so, the form letter notifying you of the potential breach of your personal data read like this:

Since you applied for a position or submitted a background investigation form, the information in our records may include your name, Social Security number, address, date and place of birth, residency, educational and employment history, personal foreign travel history, information about immediate family as well as business and personal acquaintances, and other information used to conduct and adjudicate your background investigation.
Our records also indicate your fingerprints were likely compromised during the cyber intrusion. Federal experts believe the ability to misuse fingerprint data is currently (emphasis mine) limited.… If new means are identified to misuse fingerprint data, additional information and guidance will be made available.

The conference made clear, to me anyway, that fingerprint data certainly has the potential to be misused—now. Experience leads me to conclude that it is bound to happen, especially if the biometric measurements captured at enrollment are not converted to templates that mask the data.

Biometrics are sure to proliferate in the next few years. I think everyone ought to pause and consider whether or not the security advantages—that have the potential to be turned against us in a moment—are worth it. Consider a future breach and the subsequent form letter from some entity that has built biometrics into its payment process. It could include all of those things noted in the OPM excerpt above. Additionally, victims could also have to be told that their iris, facial, and voice prints along with their DNA were taken. A virtual clone masquerading as me makes me shudder. Imagine standing up when they ask for the real you to do so—and then the dismay at not being believed.

The work to advance biometric security needs not just to be focused on advancing the accuracy and efficacy of the usage, but also to have a heavy emphasis on protecting the data collected—while it's collected and used and when it's at rest, in storage. And no matter how good all of that work is, I hope that choices for transacting business remain. Cash, which requires no authentication, and paper checks, which authenticate with a signature, figure to provide useful alternatives for quite some time.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

February 8, 2016 in authentication, biometrics, data security, identity theft, innovation | Permalink | Comments (0)

February 1, 2016


Putting All Our Payment Eggs in a Single Basket

More than 60 percent of risk managers at financial services firms believe the probability of a global, "high-impact event" has increased of late, according to a new survey from the Depository Trust & Clearing Corporation. Worry over actual or potential cyberattacks underpins this belief. In a discussion about the survey, a colleague lamented the invention of computers and wished that our financial transactions hadn't become so dependent on technology. At first I thought to agree until it dawned on me that this thinking is tantamount to tossing the baby with the bathwater.

The problem revolves around thieves, not their tools. We have never been free from worry over theft, and this was true when our best computer was an abacus. When the Aztecs used chocolate for money, counterfeiters of the day took the cacao bean, separated the original contents from the husk, and repacked it with mud. And still, in any place where commerce is overly cash-based, thieves tend to concentrate their efforts, targeting the most vulnerable with everything from counterfeit notes to outright theft. The digital age did not usher in larceny; thieves have always stolen, and hiding from computers won't insulate us from bad guys.

But hold up, you say. A block chain—the part of bitcoin technology that ensures anonymity—just might insulate you. Not to take away hope, but what have we ever invented that hasn't been hacked, cracked, or abused? I can think of nothing, no matter how cleverly conceived or well defended, that isn't eventually defeated.

I don't despair over it all and will say why in a moment, but first I need to note that even with a long list of advances, both in how and what we exchange, the new has not eradicated the old. Coins survived the advent of paper. And despite decades-old, recurring predictions of their looming demise, both coins and paper have survived the magic of computing. As a result, despair gives way to cheer. There are options, and plenty of them.

Options—different forms of payments based on diverse platforms and premises—make for textbook risk mitigation. First of all, what survives gets better. It must so that it can survive. Consider what bills look like today, with their numerous anticounterfeiting elements, compared to what they looked like 20 years ago. Or consider when checks dominated fraud conversations and contrast that to their relative (un)importance in fraud conversations today. Moreover, multiple payment channels and options mean less concentration of risk. To the extent that cash, checks, and more remain—"cyberstuff" too, but with the cyber-world diversified, not overly consolidated—risk can be spread and hence reduced.

An advanced society that wants to endure, stay resilient and strong cannot rely on only one means of exchange based on only one platform. For those wishing for one or just fewer, more modern payment solutions (with apologies to all paper haters), my advice is be careful what you wish for. For the average consumer, my advice is pay attention to the "payments intelligentsia" and be wary of pushes for an advanced, universal, singular way to do payments. Be particularly wary of changes that aren't being called for by the market itself. We can never eliminate risk but we can mitigate it and minimize the extent that bad people can create widespread trouble.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

February 1, 2016 in cybercrime, fraud, identity theft, innovation, payments risk | Permalink | Comments (0)

January 25, 2016


Waiting for the Other EMV Shoe to Drop

The EMV, or chip card, liability shift for point-of-service (POS) transactions began on October 1, 2015. The sun continued to rise and set each day thereafter, despite the predictions of a few that EMV conversions would bring retailer POS checkout processes to a grinding halt and create major consumer dissatisfaction. Sure, there have been some issues around longer card transaction processing time and, some retailers chose to defer their EMV implementation until after the holiday buying season. But, all in all, the terminal and card conversions have moved steadily forward.

In the United States, there are an estimated 410,000 to 425.000 ATMs operating with 55–60 percent of them owned by independent (non-financial-institution) deployers. The impact of the next EMV liability shift on October 1, 2016, might be more significant, especially for these independent ATM operators. On that date, an ATM that accepts any MasterCard-branded card must be EMV operational or the ATM owner will face liability for any fraudulent transaction performed with a counterfeit MasterCard. Under current network rules, the card issuer currently assumes 100 percent of fraud losses from ATM withdrawals made with a counterfeit card. While Visa's timetable for ATMs to be EMV operational is not until a year later, since virtually all ATMs in the United States accept both Visa- and MasterCard-branded cards, the earlier timeline for MasterCard essentially forces all ATM deployers to be ready. While the liability shift is not a mandate, it is expected that most ATM deployers will make their ATMs EMV operational to avoid being saddled with the additional liability.

For the independent ATM owner, their decision to upgrade, maintain, or remove a particular terminal is a challenging one. Their terminals are generally the more simplified table-top cash dispensers rather than the fully function ATMs installed by financial institutions. They are often installed in convenience stores, restaurants, bars, and other specialty retail locations. While their purchase cost is substantially less than full-service, heavily armored ATMs, their average transaction volume is also substantially less due to their location and the foreign transaction fees imposed by most cardholders' financial institutions. Their revenue comes primarily from an ATM surcharge fee and a dwindling network interchange, out of which they have to pay all their operating expenses, including rent to the retailer where the ATM is located. An ATM generating $100 a month in net profit is considered a successful ATM. The cost to upgrade such a terminal is highly variable depending on its current hardware and processing capability, but just the cost of an EMV card reader, its installation, and testing is generally in the $500 to $800 range. The older cash dispensers may not be suitable for upgrades.

This industry has seen its cyclical periods of prosperity and austerity over the last 15 years, with its financial challenges generally centered on the hardware and software upgrades related to regulatory compliance—first with Y2K compliance, then with the American with Disabilities Act (ADA), Triple DES, PCI, Windows XP nonsupport, and now EMV. As occurred with these earlier technology upgrades, the industry is seeing further consolidation of ATM terminal portfolios. A number of industry observers share my prediction of a contraction in the ATM installed base by as much as 15 percent by the end of 2016 due to further bank consolidations and the cost impact of the EMV upgrade. Since cash operations is a major function of the Federal Reserve System, we will be watching this impact with considerable interest.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 25, 2016 in EMV | Permalink | Comments (0)

Google Search



Recent Posts


April 2016


Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30

Archives


Categories


Powered by TypePad