Take On Payments


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

September 14, 2015

The Cost of Free Wi-Fi

When I was a teenager, my friends and I were often on the prowl for bargain restaurant offers. The all-you-can-eat buffet at our local Chinese restaurant was a favorite, but every so often we would discover a "free meal deal." We were once reminded by my friend's dad that "nothing in life is free." That quote left a lasting impression on me.

The validity of this quote was hammered home recently during a security discussion I had with a friend on connectivity to the Internet through free public Wi-Fi. Though free public Wi-Fi is, well, free, it has "soft" costs tied to the lack of security in the connection. And these soft costs can quickly lead to the "hard" costs of fraud—from theft of personal information, user names and passwords, or payment credentials, since hackers are easily able to intercept data transmitted over the Wi-Fi network. Beyond this method, which involves a legitimate network, fraudsters can also deploy rogue Wi-Fi networks for the sole purpose of stealing information. And then, once they have that information, the fraudster can use it to access your accounts under your identity.

This does not mean that people shouldn't use free or public Wi-Fi. When I am away from my home, whether I'm at a local coffee shop or on the road at a hotel, I often seek locations with free Wi-Fi. Apparently, I am not the only one. A recent survey by a U.K. hotel chain found that free Wi-Fi was the most important factor for its customers when choosing a hotel. Free Wi-Fi even ranked higher than a good night's sleep!

However, using free public Wi-Fi and trusting it are two different things. It should never be trusted, and therefore users should do everything to protect themselves and their information. Before joining a free public Wi-Fi network, users should ensure that it is a legitimate network offered by a legitimate entity such as a business, municipality, hotel, or airport. Criminals often will use deceptive Wi-Fi names to trick users into choosing bogus Wi-Fi networks, so users should pay close attention to signage promoting Wi-Fi networks or ask staff for help in identifying legitimate networks. The Federal Trade Commission offers detailed advice on protecting yourself against Wi-Fi security risks once you are connected, including:

  • Use a virtual private network, or VPN.
  • Use SSL-encrypted connections by enabling the "Always Use HTTPS" website option.
  • Turn off file sharing.

These risks are not just limited to free public Wi-Fi networks. They are also inherent to any public Wi-Fi network, including paid networks such as the in-flight Wi-Fi that many airlines offer. It is imperative that users of public networks take the necessary steps to safeguard their information, especially while conducting financial transactions. As free public Wi-Fi spots continue to proliferate and more financial transactions move to connected devices, rest assured that fraudsters will continue to exploit this communications channel. Educating users on how to protect themselves using public Wi-Fi is critical to safeguarding financial information.

What are you doing to bring awareness to your customers about public Wi-Fi risks?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 14, 2015 in online banking fraud, payments risk

July 20, 2015

Unsafe at Any Speed?

If you're a Corvair enthusiast, you likely get the title's reference to Ralph Nader's book that polemically accused manufacturers of resistance to the advancement of automotive safety. Shift your thoughts from automobiles, axles, and bumpers to payments, cyberattacks, and data breaches. Then consider this question—if we successfully speed up payments, is payment safety more likely to advance or retreat?

I hear the question often. Since I first blogged about this topic in January, I've attended several conferences set in the context of building a better, faster, more efficient payments system. If the conversation hasn't gone straight to "safety," the topic has surely been broached before closing. The answers that presenters offer, in terms of how we make payments more secure, remain unchanged from earlier this year. The updated summary follows.

  • Innovate. Make full use of such things as biometrics and tokenization. Do not fear but rather make use of the best things coming from the cryptocurrency world.
  • Collaborate and coordinate. Share everything, taking full advantage of groups of all types to facilitate deployment and spread of best practices, among other things.
  • Prevent and plan. In a continuous and ever-improving activity, make use of such things as enhanced threat detection and continue to layer security measures. Also, educate fully, across the spectrum of both providers and users.
  • Track and report. We must do more of this in a frank, transparent way and it must be timelier.

Emphasizing and pursuing all these goals is still right in my view, yet something seems missing. I believe what's missing is a more expansive, easily accessible law enforcement regime—something that more closely parallels what's available for conventional crime fighting.

There has been good news, of late, in that various law enforcement agencies have both apprehended and successfully prosecuted cybercriminals of all sorts. What's important about this is, as law enforcement has more success, there is hope that miscreants will have an increasing expectation of getting caught. Let's assume a drop in crime rates is highly correlated to the likelihood or certainty of being caught. Self-test the theory by thinking of it this way. How often do you exceed the speed limit? (Answer silently to yourself.) Now consider—how often do you speed when a patrol car is in the lane right next to you? It's imperative that law enforcement continue to evolve and improve such that the criminals who contemplate cybercrime increasingly anticipate they'll be caught.

The cliché that faster payments will mean faster fraud if we don't have faster security is somewhat beside the point. The fact is cybercrime has been and remains a material and looming threat. The world is all but fully a digital one and that means our police have to be able to put more—and more effective—digital patrol cars on the digital highway. Until then, to varying extents, payments are likely to be unsafe—at any speed.

By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

July 20, 2015 in crime, cybercrime, innovation, law enforcement, payments risk

February 17, 2015

Introducing Take On Payments

Maybe you've already noticed it—it's at the top of this web page—but we've got a new name: Take On Payments, or TOP, for short. It's a change we made after a great deal of thought, internal discussion, and input from others. In our many presentations over the last year to payments-related groups consisting of financial institutions, merchants, processors, technology vendors, consumers, and regulators, we always promoted our blog. We put a great deal of effort into every post, and view the blog as an important channel to communicate to the payments industry on timely, risk-related payment topics in what we hope is an educational and thought-provoking way.

However, we were frequently asked about the significance of the name Portals and Rails. The majority of people get the "rails" part since that term is often used to refer to the payments infrastructure—such as in the phrase "riding the check rails." The "portals" part is more of a mystery. People aren't sure if we intend to use it with its generally accepted meaning—that is, an entranceway—or as a reference to a website, which provides information and links to other sites.

So we undertook an evaluation of alternative names that would more clearly identify the purpose for our posts, and we eventually chose Take On Payments. Yes, it's a bit of a play on the words as you can use "take" in a couple of different ways. First, you can think of it as a noun, as in the word "viewpoint." That was our primary thrust since we work hard to provide our perspective on the various payments issues and their risk-related factors. Second, you can also think of "take" as a verb, as in "assume possession of," since we are charged with the responsibility of engaging the entire payments community about payments risk issues. Finally, we like the acronym TOP—we hope Take On Payments will be at the top of your reading list.

In the end, a name is just a name, and we understand that the content of the blog is what is really important to our readers. While the Portals and Rails name has left the station for a final time, our commitment to providing the payments industry with timely and informative content to encourage thought-provoking dialogue about payments risk remains unchanged. As always, we encourage your feedback and hope you will encourage your colleagues to subscribe as well.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 17, 2015 in payments risk

March 14, 2012

How do new faces affect risks in money transfer business?

According to a February 21 American Banker article, Facebook has officially entered into the money transfer business. Facebook reported in its S-1 filing last month that it generated about $555 million in 2010 (or 15 percent of its revenue that year) from payments, and that it holds money transmitter licenses in 15 states. Facebook credits are a digital currency that companies use on the site's online applications and games such as Farmville.

Facebook is not the only nonbank business entering the money transmittal business, though it certainly may be one of the more prominent. But as money transmitters are playing an increasingly larger role in our nation's payments system, now may be the time to take stock of the risk environment and continue our discussion on an appropriate strategy for risk governance.

FinCEN SAR filings on the rise for money transfer services
According to FinCEN's May 2011 report The SAR Activity Review: By the Numbers, depository institutions have a greater potential of exposure to money laundering crimes than do nondepository institutions. Nondepository institutions include money service businesses (MSBs), securities and insurance firms, and even casinos. You can see from the following table that over the last five years, the number of depository institution SARs decreased as of December 2010, while nondepository institution SARs have increased.

The report's findings for MSBs in particular are startling. It says, for example, that “in 2010, suspicious activity filings by the MSB industry hit an all time high with 596,494 SARs filed in 2010, up 12% from the prior year and over 18,000 more forms submitted than the previous high in 2007.” In fact, money transfer SAR filings in 2010 comprised 70 percent of all financial services filings by MSBs. SARs by MSBs listing money transfers increased 23 percent from 2009, while money order SARs fell 3 percent for the same period.

2010 SAR filings by financial services

Under the radar: When MSBs fail to file
When MSBs were subject to enforcement actions in 2011, their primary infraction often involved failure to register with FinCEN. In addition, according to FinCEN's 2011 Annual Report, filing failures were often accompanied by other legal violations, such as failing to file currency transaction reports and currency structuring.

To help industry partners, regulators, and law enforcement monitor MSBs, FinCEN recently announced the launch of a new MSB registration website. FinCEN updates the database weekly.

As nonbank companies, including social media firms like Facebook, enter the payments business, it will be critical to keep an eye on small innovative and possibly unlicensed start-up money transmitters.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

March 14, 2012 in fraud, money services business (MSB), payments risk

January 23, 2012

PIN authentication versus signature authentication

In the United States, surveys from several organizations help us determine approximate total fraud losses by different payment instruments. For example, the American Bankers Association's 2011 Deposit Account Fraud Survey Report estimates that 2010 industry fraud losses totaled $893 million for checks and $955 million for debit cards. The Nilson Report puts 2010 payment card fraud losses at $3.56 billion. And a 2011 PaymentsSource report estimates that bank card issuers experienced fraud losses of $1.16 billion in 2010.

Some of these industry surveys actually fail to illustrate the complete risk landscape—we must also consider trends in the underlying usage of various payment mechanisms. To better assess risks to financial institutions from various payment types, it is useful to compare fraud losses on a per-unit basis. By doing this for credit card, signature debit, and PIN debit transactions, the effectiveness of PIN authentication in preventing payment card fraud becomes clear (see the chart).

Estimated per Unit Fraud Losses by Payment Type Incurred by US Financial Institutions

Credit card loss rates are the largest among payment cards and growing
According to PaymentsSource's bank card profitability studies, financial institutions' credit card-related fraud losses grew each year between 2006 and 2008, rising from $1 billion to $1.11 billion. After an aberration in 2009, when credit card fraud losses fell by 14 percent, fraud losses grew again in 2010, by 22 percent. The Nilson Report data showed a similar trend in both the number and dollar value of credit card transactions during this time period.

The Nilson Report data provide the basis for determining per-unit credit card loss estimates for financial institutions. On a per-transaction basis, annual credit card-related fraud losses reached their highest level in 2010, at 7.5 cents per transaction. This figure represents an almost 9 percent increase from the 2006 figure, which was 6.9 cents. Credit card fraud losses on a dollar-volume basis increased by nearly 27 percent during this same time period, from 6.7 basis points (or 0.067 percent) in 2006 to 8.5 basis points in 2010.

Debit card fraud loss rates vary by authentication method
Likewise, financial institutions have seen debit card fraud losses rise steadily since 2004. According to the PULSE Debit Issuer Study, fraud losses from purchase transactions (excluding losses from ATM fraud) were about $201 million in 2004. Looking at PULSE study data in conjunction with data from The Nilson Report shows that debit card fraud losses from point-of-sale transactions peaked at $880 million in 2010.

However, a large disparity exists between debit card fraud based on the authentication method employed. For example, signature debit transactions accounted for an estimated $804 million—91 percent—of the total debit card fraud in 2010.

The increase in fraud losses should come as no surprise given the rapid growth in debit card transactions over the past six years. According to The Nilson Report, debit transactions grew by more than 122 percent, or 14.3 percent on an annualized basis, between 2004 and 2010. Data from PULSE studies show that in 2010, financial institutions experienced a 2.7-cent fraud loss for every signature debit transaction, and a 0.5-cent loss for every PIN debit transaction. This translates to 7.5 basis points for signature transactions and 1.3 basis points for PIN transactions on a per-dollar volume basis. These figures are up from the 2006 numbers of 1.9 cents (or 4.8 basis points) and 0.3 cents (or 0.8 basis points), respectively.

Comparing signature and PIN transactions
Based on per-unit fraud losses of credit and debit cards, financial institutions have significantly more exposure to fraud losses from card payments with signature authentication than from those with PIN authentication. Yet PIN authentication is not accepted for credit transactions, and it accounted for only 32 percent of debit card purchase transactions in 2010. Although the fraud rates for both signature and PIN transactions have increased over time, signature transactions still exhibit significantly higher loss rates, especially when comparing the transactions on a per-dollar volume basis. The large disparity in per-transaction fraud losses between credit card and signature debit transactions stems from credit card transactions having an average ticket size of nearly 2.5 times that of signature debit transactions. Ultimately, PIN debit offers an additional and superior layer of authentication not offered on credit and signature debit transactions.

Admittedly, the limited number of merchants in the face-to-face environment who have the capability to accept PIN-based transactions, combined with the lack of PIN-based acceptance in the card-not-present environment, limits the use of PIN transactions. But given the ongoing displacement of cash and checks by payment cards and other forms of electronic payments, the continued adoption of PIN debit transactions and the potential introduction of PIN authentication for credit card transactions could go a long way toward reducing growing payment card fraud. However, given recent EMV-related statements that Visa and the Merchant Advisory Group have issued, it remains unclear whether or not PIN authentication will become the standard in the United States.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 23, 2012 in authentication, fraud, payments risk

January 17, 2012

How risky? The elements of an effective payments risk management program

Financial institutions manage a range of businesses with distinct risk management needs. Banks of all sizes that offer payment services to retail and commercial clients must appropriately identify and manage the myriad dimensions of risk entailed. The Retail Payments Risk Forum recently spoke with Tony DaSilva, a senior bank examiner at the Federal Reserve Bank of Atlanta. The conversation, captured in a podcast and highlighted in this post, covered the elements of a successful payments risk management program. Formerly a banker, DaSilva is able to take the perspective both of the supervisor and of the supervised institution when it comes to understanding the challenges of managing retail payments risk.

He said that in financial institutions today, "payments risk management is sometimes informal or decentralized." Without a comprehensive risk assessment, said DaSilva, these institutions have a heightened vulnerability to risks they do not understand. As a result, they may incur losses, lawsuits, or even regulatory formal actions.

Often, the scope and rigor of the bank's risk management program are not commensurate with the bank's risk profile. He added that the loose oversight combines with a variety of other factors to undercut a bank's risk management capabilities. A major driver in adding new payment services may be the pursuit of fee income in an environment where many sources of payments revenue have been pressured.

Other factors include incomplete due diligence or inadequate "know-your-customer" (KYC) programs, or the institution may have insufficient payment expertise, senior leadership involvement, or employee and management training. DaSilva has seen institutions that do not perform adequate risk assessments or due diligence when deploying new payment products or services, for example, or when engaging in third-party service-provider relationships.

Implementing a strong risk management program
DaSilva explained that there are multiple types of risk in the payments business that institutions must consider. These types include "credit risk, compliance risk, transaction risk, fraud risk, and legal and reputational risk." Responding to all these requires establishing a risk management program with the following elements:

  • Planning. Having clear, defined objectives, a well-developed business strategy, clear payments risk parameters, and a role within the financial institution's strategic plan.
  • Risk identification and assessment. Senior management knowledge and understanding of their institution's risks is critical. The risk assessment should be incorporated into the bank's overall risk management process, which will vary by institution.
  • Mitigation. Establish policies and procedures to mitigate identified risks. These policies should consist of clearly defined responsibilities and strong internal controls over transactions. Mitigation is also achieved through a good risk-based audit program, and well-designed contracts and agreements.
  • Measurement and monitoring. Periodic reporting should enable the board and senior management to determine that payments activities remain within the bank's established risk parameters.

The role of bank leadership in risk management
DaSilva repeatedly emphasized that it is critical for bank board and senior management to be actively involved with and knowledgeable about their institution's payments risk management. For an institution to be able to gauge senior management knowledge, he suggested it begin by exploring whether management "understands the inherent product risks, the compliance requirements, the ability to monitor, the operations management and operational risks, [as well as] their reputational [and] legal risk."

DaSilva encouraged leveraging subject matter experts and ensuring that the retail payments strategy matches the bank's overall strategy and competencies. The best policy may be to limit product offerings to those for which management and employees have a full understanding of the accompanying risks. Despite the pressure to develop new sources of revenue, financial institutions should carefully evaluate the risks of any new payment product before adding it to their portfolio.

To end on a positive note, DaSilva has seen some institutions improving in all the right areas. They are assessing and mitigating risk across multiple payment channels, products, and delivery systems, including ACH, remote deposit capture, card products, and wire transfer. And for icing on the risk management cake, some do annual reviews of client accounts that include exposure from all payment, deposit, and loan products.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

January 17, 2012 in banks and banking, payments risk, risk management

November 28, 2011

Portals and Rails welcomes new director of Retail Payments Risk Forum

On August 31, we said farewell to our director, Rich Oliver, when he officially retired from the Retail Payments Risk Forum after 38 years with the Federal Reserve. With his many accomplishments and significant contributions to the Fed, to the Forum, and to research in the payments industry, Rich left behind some pretty big shoes, and we've been looking for someone to fill them. Well, we've found someone more than capable of walking in these shoes, and we'd like to invite you to join the Portals and Rails team in welcoming the Forum's new director, Mary Kepler. On December 1, Mary will step into her new shoes—uh, role—overseeing the Forum and maintaining District and System-level relationships with industry executives and organizations in the payments arena and in payments risk and fraud prevention.

Now, we're not to going to divulge Mary's shoe size, because we're really only speaking metaphorically here and would never comment on anything so personal in such a public forum, but we can tell you about Mary's path that has brought her to us. She certainly comes to her new position with a variety of relevant experience, most recently as the vice president of Financial Management and Planning (FM&P) here at the Atlanta Fed.

Mary originally came to the Atlanta Fed in 1992, moving from the Kansas City Fed, so she has a long history with us. She joined the Atlanta Fed in the Supervision and Regulation department and was soon promoted to relationship manager with the AmSouth Bancorporation. In 1998, she moved to the automation operations department, where she was assistant vice president until 2002, when she became vice president. Mary joined the Retail Payments Office in 2003 and for two years served as the Federal Reserve System liaison to the U.S. Treasury Department for retail payment services that the System provides to the U.S. Treasury.

From 2005 to 2006, Mary was senior human resources officer. She chaired the Bank's Human Resources Committee and was an advisor to the Bank's Management Committee. She then became senior officer over FM&P.

As you can see, Mary comes to the Retail Payments Risk Forum well qualified. We look forward to embarking on this next phase of our journey under her capable, proven leadership. So please help us congratulate Mary on her new position, wish her continued success, and tell her she wears her new shoes well.

By Cynthia Merritt, assistant director, Douglas A. King, payments risk expert, and Jennifer C. Windh, payments risk analyst, all of the Retail Payments Risk Forum

November 28, 2011 in payments, payments risk, payments systems

November 14, 2011

Evidence for PCI’s effectiveness in the fight against fraud

Despite the PCI Council's best efforts and laudable goals, the effectiveness of its data security standard, PCI DSS, is frequently questioned. This standard is sometimes disparaged as expensive and ineffective. One critic has even decried the standard as a "false god." Such criticisms have stuck in part because it is difficult to know how many breaches would have occurred if it weren't for the PCI standard, and supporters have essentially been left to argue a counterfactual. The PCI Council has long maintained that no organization that has been breached has been found to have been compliant at the time of the breach, but the claim has never been fully validated.

Contrary to the claims of PCI DSS critics, however, Verizon has collected some data that support the value of PCI. The Verizon 2011 Payment Card Industry Compliance Report provides evidence that PCI compliance is effective at preventing breaches, and that the most compliant organizations are the least likely to be breached. The Verizon report provides a detailed analysis of compliance and breach threats across their client portfolio. The report reviews the cases of annual audit clients to assess compliance across the 12 PCI DSS requirements. The report also lays out the authors' retroactive assessment of the compliance of organizations that used the firm's forensic services after they suffered a breach.

The report ends up offering two very different perspectives: that of organizations proactively pursuing PCI compliance and that of organizations reacting to a breach that may not have previously emphasized compliance. The study sample consists of more than 100 reports from primarily American and European companies, and this is the second year that the study has been published, following the 2010 report.

Figure 3: Distribution of testing procedures met at IROC

At first glance, the report's findings seem discouraging because only 21 percent of organizations are found to be fully compliant at the beginning of the audit. However, the researchers assessed each organization's compliance across each requirement, and found that a further 37 percent were compliant across 90 to 99 percent of requirements.

Verizon conducted these assessments to help clients identify gaps and prepare them for their annual audit process. Once Verizon issued their Initial Reports of Compliance, the organizations then worked to fill all gaps and achieve full compliance. Of course, achieving full compliance is not a simple task. Full PCI compliance is extremely complex and requires ongoing testing and updates, and many organizations succumb to complacency and fatigue between audits. They may not respond to changing circumstances, and in fact the researchers found that compliance levels sometimes deteriorated over the course of the year.

Table 3: Percent of organizations meeting PCI DSS requirements

The complexity of achieving full compliance is one reason the PCI Council released the Prioritized Approach to compliance in 2009. These guidelines are intended to help firms with limited resources tackle the most effective security requirements first. Unfortunately, the researchers found no evidence that organizations had implemented this prioritization, which raises the concern that companies are not taking a strategic approach to the compliance process.

In the second half of the Verizon report, the researchers tried to tease out how breached companies are attacked and what characteristics made them most vulnerable. They found that breached companies were less likely to meet individual PCI requirements, and scored overall worse than nonbreached clients by a 50 percent margin on average. Additionally, every threat action identified by the forensic team could have been prevented with full PCI compliance.

Jen Mack, the director of Verizon's PCI Services, believes that the Verizon report shows that PCI is effective. She says, "It's clear the standards provide protection for card data if organizations implement them correctly and maintain them throughout the year." Verizon's report does provide strong evidence that PCI DSS is an effective tool for preventing breaches and combating fraud. Since data breaches are repeatedly recognized as a major threat to the payments industry, it is critical to leverage tools like PCI DSS. How can the PCI Council encourage increased compliance among merchants and other organizations? Will increased recognition of the standard's effectiveness lead to greater adoption?

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

November 14, 2011 in data security, fraud, payments risk | Permalink


At a time when consumer trust of financial institutions is at an all-time low, companies that deal with consumer information should be taking a proactive approach to their security. The protection of consumer data is of utmost importance and the reputation of their brand hangs in the balance. Conducting audits internally or hiring a third party to do so on a regular basis to ensure companies are meeting PCI standards will help them stay vigilant about their security and regain their customers' trust.

Posted by: Cassie Fulton | December 6, 2011 at 05:10 PM

Whether PCI is effective in reducing fraud or not is not the issue. The question is whether it is COST EFFECTIVE. More specifically: Could a different approach achieve the same or better results, at lower cost?
Many experts consider PCI to be too expensive and difficult to implement for what it has achieved--and much less effective than could be accomplished using a more practical "risk based" approach.
The PCI program was poorly planned and is poorly managed, and has been co-opted by the QSA industry, which generates immense revenues from the ever-expanding scope and complexity.
The card brands do not seem to care about the expense, however, as the vast majority of the cost for PCI must be borne by the merchants.
The fact that "no organization has been found to have been compliant at the time of a breach" only underscores the problem, and speaks to the fruitlessness of merchants' efforts toward PCI compliance.

Posted by: Security Sam | November 16, 2011 at 04:37 PM

The fight against fraud is not an easy one and the fact that the number of breaches has been decreasing lately is down to the hard work from various parties, including the PCI Security Standards Council.
PCI DSS reassures consumers that cyber crime is taken seriously by the whole industry and that their card details will not be compromised.

Posted by: PayPoint.net Merchant Services | November 15, 2011 at 09:26 AM

November 7, 2011

International Fraud Awareness Week is here

According to the Association of Certified Fraud Examiners (ACFE), organizations worldwide lose roughly 5 percent of annual revenues to fraud. That's huge. A theme that we return to again and again in Portals and Rails is the fact that technology is making our lives—including the ways we transact consumer payments—more efficient and secure. But these new technologies also offer fraudsters new and sometimes better ways to perpetrate crime.

In an effort to promote fraud awareness and education, starting November 7, the ACFE is sponsoring International Fraud Awareness Week, a "time dedicated to fraud awareness, detection, and prevention." So in keeping with this theme, we are using this space to refocus on some of the issues around payments fraud in the United States.

U.S. payments fraud is on the rise but hard to measure
Unlike other countries, the United States does not have a single, uniform repository for collecting fraud loss data. Industry analysts primarily base their concerns on anecdotes from law enforcement, financial intelligence agencies, and regulators. In addition, recent media accounts of check fraud, corporate account takeovers, payment card breaches, card payment terminal skimming, and the like leave no doubt that, in the retail payments arena, the problem of fraud is universal and growing.

Also validating the growing concern are proxies such as fraud surveys from organizations like the American Bankers Association (ABA), which measures deposit account fraud in banks, and the Association for Financial Professionals, which works with corporations to measure their fraud loss experience. However, more information may be needed as payment systems grow more complex, provide new alternative solutions and access new electronic channels.

Internal fraud is growing globally
The global economic downturn has led to an increased incidence of payments fraud. Sometimes financially distressed employees—rationalizing their behavior in light of dire circumstances—commit frauds within a business, effectively stealing from their employers. For example, employees in financial institutions who have access to large amounts of customer data may use their insider access to commit fraud. In one of our podcasts, an expert noted that internal fraud is growing more common—and complex—as criminal rings increasingly place their people within legitimate organizations, where they can then steal data. Once they have the data, they can use it to commit a variety of frauds, including identity theft and payment crimes, such as card counterfeiting and counterfeit checks, to name just a few.

Fraud awareness week highlights old-school solutions
The International Fraud Week web page highlights resources for fraud prevention and education that businesses and consumers can tailor to their own particular needs. For example, the site offers a link to a Fraud Prevention Check-Up, which provides a framework for businesses to assess their risk and evaluate the strength of their fraud mitigation environment. Another anti-fraud resource is a presentation with tips to help organizations prevent and detect fraud.

To that same end, Portals and Rails in an earlier blog offered a recommendation for businesses to be proactive by adopting relatively simple control processes. For example, basic checklists like the one that follows can help organizations comply with ACH rules and regulations, avoid human error, and reduce fraud.

Electronic Payment Checklist

International Fraud Awareness Week activities
To help raise awareness around fraud, the ACFE recommends that businesses participate year round in its blog and in other social media initiatives, such as forums for dialoguing and sharing ideas on fraud detection and mitigation. It also suggests that organizations spread the word to colleagues and clients about International Fraud Awareness Week and the resources available to promote strong fraud risk management program development.

One thing we know for certain, and can't say enough, is that our payment systems are growing more and more complex, in terms both of sophisticated technologies and of multiple new nonbank service partners entering the mix. With this constant change and development, the payment distribution chain will undoubtedly contain more points of potential vulnerability to risk and fraud. Taking basic preventive measures and increasing industry awareness through the activities and resources highlighted during International Fraud Awareness Week can go a long way to combating payment-related risks and fraud.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

November 7, 2011 in crime, fraud, identity theft, payments risk, payments systems | Permalink


October 24, 2011

Keeping pace as money transmitters proliferate

As the United States migrates from paper-based retail payments to electronically enabled methods, we are witnessing a proliferation of entrepreneurial and innovative nonbank stakeholders entering the retail payments market. As my colleague discussed in a previous post, these nonbanks provide a variety of services that banks can use to create more efficient payment systems. But the fast pace of technological change and the ease with which these new companies can enter the retail payments arena may also be translating into new risk vulnerabilities for the nation's retail payments systems.

There are many different types of nonbanks in U.S. payments systems today, including technology developers, aggregators, agents, third-party service providers, and money service businesses (MSB) and transmitters. As technology enables more nimble and innovative payments, the role of MSBs and, in particular, money transmitters is growing more important.

Am I an MSB?
According to this table from the Financial Crimes Enforcement Network (FinCEN), certain products or service offerings may dictate the capacities in which a business might fit the definition of an MSB. Note that money transmitters represent a specific type of MSB that engages primarily in funds transfer services.

The innovations that PayPal introduced illustrate the value that transmitters add to the payment system through the provision of nimble service offerings that respond to consumer payment needs. Over time, PayPal has evolved into a mainstream payment service provider and household name, and has demonstrated a commitment to risk management and regulatory compliance across all the jurisdictions in which it operates. But PayPal's commitment contrasts with the overall state of the industry of MSBs, whose efforts are not completely transparent. MSBs and transmitters today operate in a fragmented regulatory environment determined by the specific governing laws, licensing requirements, and permissible business activities of each U.S. state.

As money transmitters become more prevalent players in our nation's payment system, is it time to reassess their regulatory environment and consider the potential benefits of a national supervisory framework?

Transmitters and the U.S. regulatory structure
Money transmitters are required to register with FinCEN and to comply with federal laws for anti-money-laundering and counterterrorist-financing provisions of the Bank Secrecy Act. In addition, 48 states require the licensing of money transmitters before they can do business. For money transmitters that operate in more than one state and across state lines, differences in state legal requirements create challenges to developing effective enterprise-wide compliance and risk-management programs. Furthermore, monitoring changes in various state legal regimes can be extremely complicated, not to mention costly.

Ironically, state regulatory authorities governing money transmitter businesses are generally budget-strapped in today's economically distressed environment, and lack the financial resources for taking action against all but the most egregious of bad actors. Unlike the prudential regulatory governance employed by the agencies of the Federal Financial Institutions Examination Council for the nation's mainstream financial institutions, regulatory response for the oversight of money transmitters is prompted instead by complaints to state authorities, or by the filing of suspicious activity reports to FinCEN.

Future regulatory considerations
There are many risks to consider in this nascent segment of the retail payments industry. With the ease of entry into the market for money transmitters and the potential lack of funding in some states for comprehensive regulatory oversight, some startups may circumvent licensing and capital requirements by merely opening for business, undetected by state authorities. FinCEN has issued advisories requesting that financial institutions that discover such businesses file suspicious activity reports (SARs) as a means of mitigating unlicensed and potentially illegal activity. Unfortunately, as technology supports more sophisticated advancements in electronic payments as well as new alliances between carriers and money transmitters, regulatory efforts will become increasingly difficult.

The newly established Consumer Financial Protection Bureau is empowered to exercise enforcement authority over improper conduct by money transmitters, but the task is daunting, considering the disproportionate state-by-state regulatory framework currently in place. Is it time to consider a more consistent, national approach to the legal and regulatory oversight of money transmitters? And, considering the onerous compliance costs that the current environment imposes, would money transmitters in fact welcome a more consistent, uniform environment?

By Cindy Merritt, assistant director of the Retail Payments Risk Forum


October 24, 2011 in money services business (MSB), payments risk, payments systems, regulators, transmitters | Permalink


You are right to ask the question Cindy. A national framework that works to separate payments and other banking businesses ought to be a straightforward first step toward a more efficient payment sector. Innovation in the "money transmitter" segment should be decoupled from the areas of systemic risk (eg, credit creation).

Posted by: twitter.com/dgwbirch | October 29, 2011 at 04:58 AM
