Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

August 03, 2015


Friendly Fraud: Nothing to Smile About (Part 2)

Last week's post discussed the increasing frequency of friendly fraud and the problems it presents for e-commerce merchants. A transaction that could be classified as friendly fraud might actually be one the customer just forgot about, or one involving a family member using the customer's card without permission, or one with the customer actually not receiving the goods. So the merchant really can't just assume the customer is out to commit fraud and take an aggressive approach in dealing with the customer. Doing so would probably cost the merchant the customer's business altogether. But with the burden of proof on the merchant, the merchant must adopt a number of best practices to help minimize losses.

A company that works with merchants to both prevent chargeback disputes and respond to them has published a detailed guide (the site requires e-mail registration for access to the guide) to help merchants deal with friendly fraud. The following list includes some of the guide's best practices:

  • Promote a clear and fair refund policy that encourages customers to contact the merchant directly instead of the card issuer.
  • Make sure that the name of the business is on all billing statements—clearly, to avoid confusion.
  • Ensure that the customer communication channels—such as a call center or e-mail—are accessible.
  • Be responsive to customer inquiries.
  • Clearly communicate shipping charges and delivery timeframes to avoid misunderstandings about the total cost or delivery date of orders.
  • Always obtain the card security code and use address validation services. For larger-value purchases, consider the use of delivery confirmation and other validation services.
  • With digital goods or services, consider using a secondary verification tool—an activation code or purchase confirmation page—to ascertain that the customer received the goods.
  • When there is a chargeback, make every effort to contact the customer directly to attempt to resolve the matter. While the contact may not resolve this particular situation, it may offer a lesson that might help prevent future chargebacks from other customers.
  • Keep a database of customers who initiate chargebacks that appear fraudulent. Research shows that customers who deliberately defraud merchants and succeed at it are very likely to do it again.

As with all efforts to fight payments fraud, merchants must study their own customer base. They should identify their particular risks and then employ the practices that will help them best mitigate their fraud losses.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 3, 2015 in cards, fraud

July 27, 2015


Friendly Fraud: Nothing to Smile About (Part 1)

Friendly fraud (also referred to as chargeback fraud or first-party fraud) occurs when someone makes an online purchase and then later requests a chargeback from the bank. The person has received the goods or services, but claims they were defective or that the transaction was never authorized. Sometimes this happens because of buyer's remorse—the customer just doesn't want to have to explain his or her regret to the merchant, preferring to initiate a chargeback and let the bank resolve it with the merchant. Sometimes the buyer's remorse comes from a child making purchases, particularly digital goods, using the parent's card, or when a merchant's refund time limit has passed but the cardholder still wants to be reimbursed.

While there certainly can be legitimate disputes, friendly fraud is becoming a growing problem for e-commerce merchants. Not only are the merchants out the cost of the goods or services, but they also incur administrative costs and fees from the card-issuing bank. Companies selling digital goods, office supplies, or electronics—as well as auction sites—seem to be the most frequent targets of friendly fraud, but other types of businesses can also be affected.

One of the main difficulties merchants experience in combating this fraud is predicting or recognizing when it first occurs, since it often occurs on the account of a "good" customer. And with these remote purchases, the merchant is at a disadvantage in determining if a legitimate cardholder made the purchase or the goods were actually received by the cardholder.

Because the burden of proof is on the merchant, the merchant community has started to implement a number of tactics to help reduce this increasing problem. In our next installment on this topic, we will discuss some of those tactics.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 27, 2015 in cards, fraud

July 20, 2015


Unsafe at Any Speed?

If you're a Corvair enthusiast, you likely get the title's reference to Ralph Nader's book that polemically accused manufacturers of resistance to the advancement of automotive safety. Shift your thoughts from automobiles, axles, and bumpers to payments, cyberattacks and data breaches. Then consider this question—if we successfully speed up payments, is payment safety more likely to advance or retreat?

I hear the question often. Since I first blogged about this topic in January, I've attended several conferences set in the context of building a better, faster, more efficient payments system. If the conversation hasn't gone straight to "safety," the topic has surely been broached before closing. The answers that presenters offer, in terms of how we make payments more secure, remain unchanged from earlier this year. The updated summary follows.

  • Innovate. Make full use of such things as biometrics and tokenization. Do not fear but rather make use of the best things coming from the cryptocurrency world.
  • Collaborate and coordinate. Share everything, taking full advantage of groups of all types to facilitate deployment and spread of best practices, among other things.
  • Prevent and plan. In a continuous and ever-improving activity, make use of such things as enhanced threat detection and continue to layer security measures. Also, educate fully, across the spectrum of both providers and users.
  • Track and report. We must do more of this in a frank, transparent way and it must be timelier.

Emphasizing and pursuing all these goals is still right in my view, yet something seems missing. I believe what's missing is a more expansive, easily accessible law enforcement regime—something that more closely parallels what's available for conventional crime fighting.

There has been good news, of late, in that various law enforcement agencies have both apprehended and successfully prosecuted cybercriminals of all sorts. What's important about this is, as law enforcement has more success, there is hope that miscreants will have an increasing expectation of getting caught. Let's assume a drop in crime rates is highly correlated to the likelihood or certainty of being caught. Self-test the theory by thinking of it this way. How often do you exceed the speed limit? (Answer silently to yourself.) Now consider—how often do you speed when a patrol car is in the lane right next to you? It's imperative that law enforcement continue to evolve and improve such that the criminals who contemplate cybercrime increasingly anticipate they'll be caught.

The cliché that faster payments will mean faster fraud if we don't have faster security is somewhat beside the point. The fact is cybercrime has been and remains a material and looming threat. The world is all but fully a digital one and that means our police have to be able to put more—and more effective—digital patrol cars on the digital highway. Until then, to varying extents, payments are likely to be unsafe—at any speed.

By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

July 20, 2015 in crime, cybercrime, innovation, law enforcement, payments risk

July 13, 2015


Biometrics and Privacy, or Locking Down the Super-Secret Control Room

Consumer privacy has been a topic of concern for many years now, and Take on Payments has contributed its share to the discussions. Rewinding to a post from November 2013, you'll see the focus then was on how robust data collection could affect a consumer's privacy. While biometrics technology—such as fingerprint, voice, and facial recognition for authenticating consumers—is still in a nascent stage, its emergence has begun to take more and more of the spotlight in these consumer privacy conversations. We have all seen the movie and television crime shows that depict one person's fingerprints being planted at the crime scene or severed fingers or lifelike masks being used to fool an access-control system into granting an imposter access to the super-secret control room.

Setting aside the Hollywood dramatics, there certainly are valid privacy concerns about the capture and use of someone's biometric features. The banking industry has a responsibility to educate consumers about how the technology works and how it will be used in providing an enhanced security environment for their financial transaction activities. Understanding how their personal information will be protected will help consumers be likelier to accept it.

As I outlined in a recent working paper, "Improving Customer Authentication," a financial institution should provide the following information about the biometric technology they are looking to employ for their various applications:

  • Template versus image. A system collecting the biometric data elements and processing them through a complex mathematical algorithm creates a mathematical score called a template. The use of a template-based system provides greater privacy than a process that captures an image of the biometric feature and overlays it to the original image captured at enrollment. Image-based systems provide the potential that the biometric elements could be reproduced and used in an unauthorized manner.
  • Open versus closed. In a closed system, the biometric template will not be used for any other purpose than what is stated and will not be shared with any other party without the consumer's prior permission. An open system is one that allows the template to be shared among other groups (including law enforcement) and provides less privacy.
  • User versus institutional ownership. Currently, systems that give the user control and ownership of the biometric data are rare. Without user ownership, it is important to have a complete disclosure and agreement as to how the data can be used and whether the user can request that the template and other information be removed.
  • Retention. Will a user's biometric data be retained indefinitely, or will it be deleted after a certain amount of time or upon a certain event, such as when the user closes the account? Providing this information may soften a consumer's concerns about the data being kept by the financial institution long after the consumer sees no purpose for it.
  • Device versus central database storage. Storing biometric data securely on a device such as a mobile phone provides greater privacy than a cloud-based storage system. Of course, the user should use strong security, including setting strong passwords and making sure the phone locks after a period of inactivity.

The more the consumer understands the whys and hows of biometrics authentication technology, I believe the greater their willingness to adopt such technology. Do you agree?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 13, 2015 in biometrics, consumer protection, data security, privacy

July 06, 2015


Growing, Growing, Gone!

As we've blogged before, check writing has been steadily declining as electronic payments have grown. For example, the number of checks written in 2012 was 21 billion, down from 27.8 billion in 2009, according to the 2013 Federal Reserve Payments Study. We may be writing fewer checks than ever, but more than anything, we want the convenience of depositing our checks with mobile devices. A 2013 survey by ath Power Consulting found that mobile remote deposit capture (mRDC) is the "most sought-after mobile banking feature" among consumers. And financial institutions are answering this demand. According to 2014 surveys from Federal Reserve Banks (the Dallas Fed's, for example), about 48 percent of responding institutions are currently offering mobile capture and another 41 percent are planning to offer it within the next two years.

With mRDC in such demand, solutions providers and financial institutions should be investing in risk management strategies. But if check writing is a declining business, will mRDC risk management investments end up on the disabled list? Financial institutions must look at the potential losses and how they occur, evaluate the means to minimize these, and carefully weigh these factors against the dwindling check industry.

The mRDC channel faces two primary loss challenges: fraudulent items and duplicate check presentment. A fraudulent item might be an altered, forged, or counterfeit check; it can also be an intentional duplicate presentment. The other challenge occurs when a customer unintentionally presents a deposited item a second time. Research and anecdotal evidence suggest many duplicate presentments result from customer errors. These represent a growing customer education need. Financial institutions must find room in the allocated lineup and spending cap for fraud and duplicate detection enhancements.

Handling duplicate check presentments landed an all-star position on the agenda at most payments operation conferences this past year. Duplicate check presentments mean returns and adjustments, which in turn mean time and money for the financial institutions. When duplicate presentment involves more than one bank of first deposit, losses are often sustained from misunderstanding holder-in-due-course rights and return-versus-adjustment processes. Financial institutions often need to reconstruct what happened, analyze the facts, and possibly consult legal counsel.

But rather than handling these risks with expensive roster moves, considering the declining use of checks, financial institutions can meet the threat at the origin, through customer education and enforcement policies. Financial institutions that offer mRDC can make disclosed stipulations. For example, they can require that the original check be destroyed after confirmation, or that checks have a specific restrictive endorsement that includes "for mobile deposit only." Ultimately, if a consumer deposits a check twice, financial institutions can charge a fee or suspend service. In general, customers want to avoid fines, so they tend to play within the rules when fines are looming. If training customers is a home run in mitigation, then the grand slam is having detection systems that support the stipulations and rules put into place.

By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 6, 2015 in checks, consumer protection, mobile banking, mobile payments

June 29, 2015


The More Things Change, the More They Stay the Same

As I write this blog on the screened porch of a North Alabama lake house, the cicadas are constantly buzzing in the background. I am fascinated by the life cycle of this species—namely, the emergence of the periodical cicadas from belowground every 13 to 17 years. This life cycle got me thinking how the world has changed since the last time the 17-year cicadas emerged. And while in this neck of the woods, some things have changed—new houses have been built and personal watercraft are now constantly buzzing on the lake—some things have remained the same. The nearest grocery store is still 30 minutes away and the iced tea is as sweet as it ever was. Is this mixed scenario really any different for payment card fraud?

Certainly a lot has changed in card payments during the last 17 or so years. We've witnessed the enormous growth of debit card transactions, the continued growth of credit card transactions, the emergence of the e-commerce and mobile payments channels, and the almost global adoption of the EMV (chip) card. As card payment usage has evolved, so has the fraud landscape. Lost and stolen card fraud fell out of vogue while counterfeit card fraud took off only to see stolen card fraud re-emerge when the issuance of EMV cards in most markets thwarted counterfeit card fraud. Point-of-sale (POS) fraud is occurring less often across the globe because of EMV and PIN verification, driving the fraudsters to the Internet to commit card-not-present (CNP) fraud.

But what hasn't changed is the global rate of fraud. An article in the August 2013 Nilson Report estimated that the annual cost of card fraud worldwide in 2012 was 5.2 cents for every $100 spent, resulting in $11.27 billion in losses. This figure compares to Nilson's estimate of fraud losses in 1998, which ran approximately 4.8 cents for every $100 spent and resulted in a little less than $2 billion of fraud. Perhaps a fraud rate in the 5 basis points range is the industry-wide acceptable rate, but with billions of dollars being invested to mitigate fraud, I would like to think that over time the rate would be reduced (though I must admit that I am not sure what the acceptable rate should be).

Maybe this speaks to the tenacity of the card fraudsters. As we in the Retail Payments Risk Forum have often stressed, once one door is fortified, the fraudsters find another door to enter. And if we could dive deeper within the figures, I am certain that is what we would find, according to various estimates of fraud and anecdotal evidence. For example, the emergence of EMV and the use of PIN verification instead of signature verification have reduced POS fraud. Today, CNP fraud rates are significantly higher than POS fraud rates and many industry risk efforts are focused on mitigating CNP fraud.

When the cicadas reappear, undoubtedly the payment card usage and fraud landscape will look different. Perhaps mobile payments will have taken off and the use of biometrics as a method of verification will be commonplace. I feel confident that in 17 years the industry will make substantial strides in reducing e-commerce CNP fraud rates—but also that new areas of fraud will appear. Is the industry prepared to fight the next generation of fraud or will it just continue to Band-Aid the past? Should we expect a 5 basis points rate of fraud when the cicadas emerge in another 17 years? I'd like to think the rate will be lower. At a minimum, hopefully, it will remain as consistent as the sweet iced tea in this neck of the woods.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 29, 2015 in cards, chip-and-pin, EMV, fraud, innovation, mobile payments

June 22, 2015


The Current Tokenization Landscape in the United States

Last fall, Take on Payments featured a three-post series on tokenization. The first post introduced the technology regarding payment credentials and noted that merchant-centric tokenization solutions came to the market in the mid-2000s, driven by the Payment Card Industry Data Security Standard (PCI-DSS) requiring merchants to protect cardholder data. The second post examined some of the distinguishing attributes of payment token solutions in mobile wallets that were developed to replace the payment card's primary account number (PAN) with a token so the presence of the cardholder's PAN would be minimized or eliminated in the payment's data transmissions. The final post examined the challenges of payment tokenization and discussed its effect on payment risk over the short term.

Working with the Mobile Payments Industry Workgroup (MPIW), the Federal Reserve Bank of Boston's Payments Strategies group and the Federal Reserve Bank of Atlanta's Retail Payment Risk Forum just released a comprehensive white paper on the current tokenization landscape in the United States. Based on our research and interviews with more than 30 payment stakeholders, the white paper provides an overview of the U.S. payment tokenization landscape for mobile and digital commerce (versus physical card payments), describes the interoperability of different tokenization systems, and examines the status of these 30 stakeholders' plans to implement to a broader audience of industry stakeholders, policymakers, and regulators.

The paper discusses the many benefits, challenges, gaps, and opportunities of tokenization from the perspectives of the major industry stakeholder groups, while acknowledging that there is not always full agreement on current approaches or underlying details. The goal in authoring this paper is to encourage further collaboration among the stakeholders to resolve differences to the mutual satisfaction of stakeholders in the industry and to provide what is best for consumers.

Tokenization in mobile payments is just a very small part of the potential impact that tokenization can have in reducing fraud in the overall payments environment, but it is a start in a payments channel that is expected to grow significantly in the years ahead. We hope that you find the paper informative and feel free to contact us if you have any questions.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 22, 2015 in payments

June 15, 2015


“Customer, You Have the Conn”

Sometimes when you're watching nautical-themed movies, you'll hear the phrase, "I have the conn." The person who speaks this phrase is alerting all those on the vessel that he or she is in control with regard to the vessel's direction and speed. Customers could utter that phrase with regard to their payment vessels—they pretty much have full control in that they make the final choices about their method of payment. They may be restricted by the payment options a merchant offers, but in most cases, if they don't like the options they can shop, or secure services elsewhere.

One of the challenges with payment security that we frequently mention in our posts and speaking engagements is the disincentive that various consumer protection regulations give for consumers to adopt strong security practices. We have all seen or heard of the consumers who write their PINs on their debit cards or set up the PIN 1-2-3-4. In addition, research consistently tells us that consumers often select easily guessed user IDs and passwords—and then often use those same ID/password combinations on multiple sites.

Financial institutions and other payment stakeholders have long worked to develop tools that will encourage customers to be more aware of their financial account activity and contribute to minimizing fraud losses. Account alerts are among the most useful and popular of the tools. When consumers set up account alerts, they can usually specify conditions that will trigger a text message or e-mail. Common alerts are sent when the account balance drops below a set threshold, a debit transaction posts in excess of a specified amount, or an address or phone number change was made on the account. These alerts are beneficial, but they are merely reactive; they report only when a condition has already occurred.

I believe we will soon see a major breakthrough in card security. There are new applications now in testing or in early roll-out phases. These applications will allow customers to be proactive because they will be able to set up a number of filters or controls on their payment cards that will dictate whether a transaction even gets to the point for an authorization decision. For example, if I have a payment card that I use only for gasoline purchases, I can designate my settings to reject transactions coming from other merchant categories. Or I can specify that no international transactions should be allowed. At the extreme end of the control options, I can "turn off" my card, thereby blocking all transactions, and then I can turn it back on when I am ready to use it again. The possible options and filters are almost limitless for this self-service function. Yes, there will be the need for strong customer education, and the choices will require a reasonable limit or the customer will never remember what they set.

If these options are enabled and cardholders are then willing to "take the conn," this new tool could help significantly reduce the number of unauthorized transactions. Critical to its success is whether cardholders will set a reasonable range of parameters based on their normal card usage patterns, so that transactions they actually make themselves are not rejected while the truly unauthorized ones are still weeded out. I say "full speed ahead" with such tools. What do you say?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 15, 2015 in consumer protection, data security, innovation
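
The cardholder-set filters described in this post, sketched as an added example (not code from the original post or from any card-control product): a check that runs before the authorization decision for the three controls the post names, plus a replay of past transactions showing how many legitimate purchases a proposed setting would reject. The field names, decline-reason strings, and the sample history are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Txn:
    amount: float
    mcc: str          # merchant category code, e.g. "5541" service stations
    country: str      # merchant country, ISO 3166 alpha-2
    authorized: bool  # ground-truth label, used only when replaying history


@dataclass
class CardControls:
    card_on: bool = True                       # the "turn off my card" switch
    home_country: str = "US"
    allow_international: bool = True
    allowed_mccs: Optional[frozenset] = None   # None means no category filter


def check(controls: CardControls, txn: Txn) -> Optional[str]:
    """Return a decline reason, or None if the transaction may proceed
    to the issuer's normal authorization decision."""
    if not controls.card_on:
        return "card_off"
    if not controls.allow_international and txn.country != controls.home_country:
        return "international_blocked"
    if controls.allowed_mccs is not None and txn.mcc not in controls.allowed_mccs:
        return "mcc_not_allowed"
    return None


def backtest(controls: CardControls, history: Iterable[Txn]) -> dict:
    """Replay labeled history against a proposed setting and count outcomes,
    so a cardholder can see false declines before turning the setting on."""
    counts = {
        "blocked_unauthorized": 0,  # filter stopped a bad transaction
        "missed_unauthorized": 0,   # bad transaction still reaches authorization
        "false_declines": 0,        # cardholder's own purchase rejected
        "passed_legitimate": 0,
    }
    for txn in history:
        declined = check(controls, txn) is not None
        if txn.authorized:
            counts["false_declines" if declined else "passed_legitimate"] += 1
        else:
            counts["blocked_unauthorized" if declined else "missed_unauthorized"] += 1
    return counts


# Constructed sample history for one card (not real data).
HISTORY = [
    Txn(42.10, "5542", "US", True),    # automated fuel dispenser
    Txn(38.75, "5541", "US", True),    # service station
    Txn(61.20, "5411", "US", True),    # grocery store, also the cardholder
    Txn(899.00, "5732", "US", False),  # electronics store, unauthorized
    Txn(120.00, "5542", "RO", False),  # fuel abroad, unauthorized
    Txn(55.00, "5541", "US", False),   # domestic fuel, unauthorized
]

FUEL = frozenset({"5541", "5542"})
GAS_ONLY = CardControls(allow_international=False, allowed_mccs=FUEL)
GAS_AND_GROCERY = CardControls(
    allow_international=False, allowed_mccs=FUEL | {"5411"}
)
CARD_OFF = CardControls(card_on=False)

if __name__ == "__main__":
    for name, ctl in [("gas only", GAS_ONLY),
                      ("gas + grocery", GAS_AND_GROCERY),
                      ("card off", CARD_OFF)]:
        print(f"{name:14s} {backtest(ctl, HISTORY)}")
```

The replay shows both limits the post raises: the gas-only setting rejects the cardholder's own grocery purchase, and no setting short of turning the card off stops the unauthorized domestic fuel purchase, which looks like normal usage.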

June 08, 2015


Is the Conventional Wisdom about EMV Migration Right?

We're within five months now of the initial EMV (chip) card liability shift for POS transactions. Most people in the industry have held the belief that as the ability to create counterfeit cards is shut down, the criminals will shift their focus primarily to the card-not-present (CNP) environment, where they can continue to use payment card data they take from the magnetic stripe or other data breaches. In fact, my colleagues and I have been broadcasting this message in our presentations and posts for quite some time. Our assessment, along with most other industry experts, was based on the statistics released by banking groups in major countries that had already gone through the EMV migration. The chart illustrates one view of their experiences. It seems to leave no doubt about what we can expect.

[Chart: CNP fraud losses]

But does it mean what we think it means? While the chart clearly shows an increase in the CNP channel in fraud losses, did the ratio of CNP fraud to overall sales increase? Unfortunately, definitive data is not readily available to provide that answer. Using some confidential sources and partial—but significant volumes of—payment data, we were able to determine that during the period from 2010 to 2013, as a percentage of overall sales, CNP fraud in Canada actually held relatively steady. But was that stability created due to the large increases in the recurring billing segment in the CNP environment, which has a relatively low rate of fraud? At this point, we just don't have data granular enough to tell us.

I don't think this means that there isn't a reason to be concerned about CNP fraud as the EMV migration in the United States continues. For one thing, the experience of others is no guarantee that we will experience the same. But perhaps the biggest reason for us not to relax about the issue is that, even if the levels hold flat through our migration, CNP fraud is still quite significant and has a major negative financial impact on merchants and issuers. The 2013 Federal Reserve Payments Study found that CNP fraud by volume is three times that of card-present fraud.

This situation also demonstrates the need to be able to collect detailed and accurate data on fraudulent payments activity. Fraud has been a real challenge in this country because of the large number of payments stakeholders that end up saddled with the loss. The Federal Reserve is interested in working with the industry to develop a process for collecting such information for the benefit of all.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 8, 2015 in chip-and-pin, cybercrime, EMV

June 01, 2015


Follow the Money

This blog is inspired by Jack Weatherford's The History of Money, and I'll open with a quote from the book's introduction, attributed to Gertrude Stein: "The thing that differentiates man from animals is money." Now I'm guessing most of us can think of a few more distinctions than that, but I will wager her item would make just about any top ten list.

In his book, Mr. Weatherford discusses three generations of money, noting that today's free market systems saw their genesis in Lydia several millennia ago with the advent of coins. He credits the invention not only with leading to our free market systems but also with destroying "the great tributary empires of history." In other words, money can build new, mighty things and fell that which was once mighty.

Mr. Weatherford describes the second generation of money as beginning in Italy with the Renaissance and moving through the Industrial Revolution. What emerged in this turning was paper money and banking and what fell was feudalism, "changing the basis of organization from heredity to money," with ownership of land supplanted by ownership of stocks, bonds, and the like. In other words, modern capitalism took hold and society evolved into something very different from what it had been.

He describes stage three as electronic money and the virtual economy. Instantly, we recognize the current age. In the way he presents the history, he makes a compelling case that noteworthy evolution and reinvention of money changes the world.

"Fascinating," you might say, "but so what?" Before suggesting an answer, I point out that Mr. Weatherford published this work in 1997. Nevertheless, presciently, he said, "A new struggle is beginning for the control of [money]... We are likely to see a prolonged era of competition during which many kinds of money will appear, proliferate, and disappear in rapidly crashing waves. In the quest to control the new money [emphasis mine], many contenders are struggling to become the primary money institution of the new era."

Indeed. So, I get to my answer. At the moment, one of the focal points for many payment wonks is making platforms "faster." A lot has gone into that already, and much more seems yet to come. A key risk if not the chief risk in this endeavor is ending up with an industry focus that is too narrow (platforms only). It could cause key payment participants to end up missing an important change—in money—not the mechanisms for moving it.

As work progresses to reach consensus on what and how to improve the extant payment mechanism, it seems good to pause and make sure the focus. Pursuit of a purely faster mechanism that envisions world monetary systems continuing to be based on the things they've been based on for centuries now could cause us to overlook or miss the next evolution of money. It would have been of little use to invest in improving the systems for speeding the exchange of cowrie shells as the turn was made toward paper money and banking. I think that to get this right, it is important to worry less about improving the system(s) for facilitating exchange, and more about what's going to be exchanged.

By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

June 1, 2015 in emerging payments, innovation
