Take On Payments


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

October 11, 2016

Taking a Quantum Leap into Payment Security

It was 1969, and the only thing hotter than muscle cars was space exploration. Several of my elementary school books found ways to talk about space, astronauts, NASA, or all of them, and more than one almost guardedly indicated that someday man may even reach the moon. Those of you who recall black-and-white TV might remember watching the moon landing live in the summer of '69.

Despite all that was speculated and wondered about at the time—from extraterrestrials to moon colonies—the space race had been "won." There followed a decline in related interests and, ultimately, a moderating of investment in basic scientific research. One of those sciences, quantum research, is of particular note in regards to potential commercialization for computing and communications. And we're behind like we were in the space race in the early 1960s.

NASA research and development (R&D) appropriations in 1959 were about $200 million. By 1966, R&D totaled almost $5 billion, according to the NASA Historical Data Book for 1958–1968. U.S. federal funding for quantum research each year is just barely what space R&D totaled in 1959. Those numbers offer their own stark contrast, but I'll add one other point of comparison—between what we're spending in this area versus China—one of only three countries to ever soft land on the moon, and now the first to launch a quantum communications satellite. Their annual funding has been conservatively estimated at over $10 billion, according to the Wall Street Journal.

To explain why a payment blogger cares about all this, I'll ask a couple of questions. What would it be worth to have a payment scheme based on "unhackable" communication? Impossible? Maybe not.

Quantum communication is secure against computing because its encryption relies on physics, not math. Josh Chin's August 16 article in the Wall Street Journal explained it this way:

Quantum encryption is secure…because information encoded in a quantum particle is destroyed as soon as it is measured. Gregoir Ribordy…likened it to sending a message written on a soap bubble. "If someone tries to intercept it when it's being transmitted, by touching it, they make it burst," he said.

There are critics. U.S. security experts have questioned whether intricacies of quantum communication can be simplified enough for practical, broad use. Others have stipulated that it's possible for hackers to trick incautious recipients. Indeed, this blogger has espoused the idea that nothing is infallible against a determined criminal. But it's hard to argue the advance wouldn't change the game. One might speculate that quantum communication could yield results similar to those described in the etiological tale of the Tower of Babel where languages were confused. Mischief wasn't halted for all time, but altering communication put some pacing on misbehavior. Changing the game, wholesale, is worth considering as the evidence is overwhelming that we're losing in payment security by making changes at the margin to current schemes, methods, and processes.

I'll close with this. Substantial sums of federal money were spent on infrastructure, R&D, policing, and defense owing to the space race. I think most will agree we got our money's worth, especially considering that aside from stated objectives, investing in the space race gave us everything from microchips to satellite navigation—and let us not forget CorningWare. Investing in quantum research holds similar promise, and payment security might benefit from some catch-up.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

October 11, 2016 in payments risk | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 1, 2016

Putting All Our Payment Eggs in a Single Basket

More than 60 percent of risk managers at financial services firms believe the probability of a global, "high-impact event" has increased of late, according to a new survey from the Depository Trust & Clearing Corporation. Worry over actual or potential cyberattacks underpins this belief. In a discussion about the survey, a colleague lamented the invention of computers and wished that our financial transactions hadn't become so dependent on technology. At first I thought to agree until it dawned on me that this thinking is tantamount to tossing the baby with the bathwater.

The problem revolves around thieves, not their tools. We have never been free from worry over theft, and this was true when our best computer was an abacus. When the Aztecs used chocolate for money, counterfeiters of the day took the cacao bean, separated the original contents from the husk, and repacked it with mud. And still, in any place where commerce is overly cash-based, thieves tend to concentrate their efforts, targeting the most vulnerable with everything from counterfeit notes to outright theft. The digital age did not usher in larceny; thieves have always stolen, and hiding from computers won't insulate us from bad guys.

But hold up, you say. A block chain—the part of bitcoin technology that ensures anonymity—just might insulate you. Not to take away hope, but what have we ever invented that hasn't been hacked, cracked, or abused? I can think of nothing, no matter how cleverly conceived or well defended, that isn't eventually defeated.

I don't despair over it all and will say why in a moment, but first I need to note that even with a long list of advances, both in how and what we exchange, the new has not eradicated the old. Coins survived the advent of paper. And despite decades-old, recurring predictions of their looming demise, both coins and paper have survived the magic of computing. As a result, despair gives way to cheer. There are options, and plenty of them.

Options—different forms of payments based on diverse platforms and premises—make for textbook risk mitigation. First of all, what survives gets better. It must so that it can survive. Consider what bills look like today, with their numerous anticounterfeiting elements, compared to what they looked like 20 years ago. Or consider when checks dominated fraud conversations and contrast that to their relative (un)importance in fraud conversations today. Moreover, multiple payment channels and options mean less concentration of risk. To the extent that cash, checks, and more remain—"cyberstuff" too, but with the cyber-world diversified, not overly consolidated—risk can be spread and hence reduced.

An advanced society that wants to endure, stay resilient and strong cannot rely on only one means of exchange based on only one platform. For those wishing for one or just fewer, more modern payment solutions (with apologies to all paper haters), my advice is be careful what you wish for. For the average consumer, my advice is pay attention to the "payments intelligentsia" and be wary of pushes for an advanced, universal, singular way to do payments. Be particularly wary of changes that aren't being called for by the market itself. We can never eliminate risk but we can mitigate it and minimize the extent that bad people can create widespread trouble.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

February 1, 2016 in cybercrime, fraud, identity theft, innovation, payments risk | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 14, 2015

The Cost of Free Wi-Fi

When I was a teenager, my friends and I were often on the prowl for bargain restaurant offers. The all-you-can-eat buffet at our local Chinese restaurant was a favorite, but every so often we would discover a "free meal deal." We were once reminded by my friend's dad that "nothing in life is free." That quote left a lasting impression on me.

The validity of this quote was hammered home recently during a security discussion I had with a friend on connectivity to the Internet through free public Wi-Fi. Though free public Wi-Fi is, well, free, it has "soft" costs tied to the lack of security in the connection. And these soft causes can quickly lead to the "hard" costs of fraud—from theft of personal information, user names and passwords, or payment credentials, since hackers are easily able to intercept data transmitted over the Wi-Fi network. Beyond this method, which involves a legitimate network, fraudsters can also deploy rogue Wi-Fi networks for the sole purpose of stealing information. And then, once they have that information, the fraudster can use it to access your accounts under your identity.

This does not mean that people shouldn't use free or public Wi-Fi. When I am away from my home, whether I'm at a local coffee shop or on the road at a hotel, I often seek locations with free Wi-Fi. Apparently, I am not the only one. A recent survey by a U.K. hotel chain found that free Wi-Fi was the most important factor for its customers when choosing a hotel. Free Wi-Fi even ranked higher than a good night's sleep!

However, using free public Wi-Fi and trusting it are two different things. It should never be trusted, and therefore users should do everything to protect themselves and their information. Before joining a free public Wi-Fi network, users should ensure that it is a legitimate network offered by a legitimate entity such as a business, municipality, hotel, or airport. Criminals often will use deceptive Wi-Fi names to trick users into choosing bogus Wi-Fi networks, so users should pay close attention to signage promoting Wi-Fi networks or ask staff for help in identifying legitimate networks. The Federal Trade Commission offers detailed advice on protecting yourself against Wi-Fi security risks once you are connected, including:

  • Use a virtual private network, or VPN.
  • Use SSL-encrypted connections by enabling the "Always Use HTTPS" website option.
  • Turn off file sharing.

These risks are not just limited to free public Wi-Fi networks. They are also inherent to any public Wi-Fi network, including paid networks such as the in-flight Wi-Fi that many airlines offer. It is imperative that users of public networks take the necessary steps to safeguard their information, especially while conducting financial transactions. As free public Wi-Fi spots continue to proliferate and more financial transactions move to connected devices, rest assured that fraudsters will continue to exploit this communications channel. Educating users on how to protect themselves using public Wi-Fi is critical to safeguarding financial information.

What are you doing to bring awareness to your customers about public Wi-Fi risks?

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 14, 2015 in online banking fraud, payments risk | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 20, 2015

Unsafe at Any Speed?

If you're a Corvair enthusiast, you likely get the title's reference to Ralph Nader's book that polemically accused manufacturers of resistance to the advancement of automotive safety. Shift your thoughts from automobiles, axles, and bumpers to payments, cyberattacks and data breaches. Then consider this question—if we successfully speed up payments, is payment safety more likely to advance or retreat?

I hear the question often. Since I first blogged about this topic in January, I've attended several conferences set in the context of building a better, faster, more efficient payments system. If the conversation hasn't gone straight to "safety," the topic has surely been broached before closing. The answers that presenters offer, in terms of how we make payments more secure, remain unchanged from earlier this year. The updated summary follows.

  • Innovate. Make full use of such things as biometrics and tokenization. Do not fear but rather make use of the best things coming from the cryptocurrency world.
  • Collaborate and coordinate. Share everything, taking full advantage of groups of all types to facilitate deployment and spread of best practices, among other things.
  • Prevent and plan. In a continuous and ever-improving activity, make use of such things as enhanced threat detection and continue to layer security measures. Also, educate fully, across the spectrum of both providers and users.
  • Track and report. We must do more of this in a frank, transparent way and it must be timelier.

Emphasizing and pursuing all these goals is still right in my view, yet something seems missing. I believe what's missing is a more expansive, easily accessible law enforcement regime—something that more closely parallels what's available for conventional crime fighting.

There has been good news, of late, in that various law enforcement agencies have both apprehended and successfully prosecuted cybercriminals of all sorts. What's important about this is, as law enforcement has more success, there is hope that miscreants will have an increasing expectation of getting caught. Let's assume a drop in crime rates is highly correlated to the likelihood or certainty of being caught. Self-test the theory by thinking of it this way. How often do you exceed the speed limit (answer silently to yourself). Now consider—how often do you speed when a patrol car is in the lane right next to you? It's imperative that law enforcement continue to evolve and improve such that the criminals who contemplate cybercrime increasingly anticipate they'll be caught.

The cliché that faster payments will mean faster fraud if we don't have faster security is somewhat beside the point. The fact is cybercrime has been and remains a material and looming threat. The world is all but fully a digital one and that means our police have to be able to put more—and more effective—digital patrol cars on the digital highway. Until then, to varying extents, payments are likely to be unsafe—at any speed.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

July 20, 2015 in crime, cybercrime, innovation, law enforcement, payments risk | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 17, 2015

Introducing Take On Payments

Maybe you've already noticed it—it's at the top of this web page—but we've got a new name: Take On Payments, or TOP, for short. It's a change we made after a great deal of thought, internal discussion, and input from others. In our many presentations over the last year to payments-related groups consisting of financial institutions, merchants, processors, technology vendors, consumers, and regulators, we always promoted our blog. We put a great deal of effort into every post, and view the blog as an important channel to communicate to the payments industry on timely, risk-related payment topics in what we hope is an educational and thought-provoking way.

However, we were frequently asked about the significance of the name Portals and Rails. The majority of people get the "rails" part since that term is often used to refer to the payments infrastructure—such as in the phrase "riding the check rails." The "portals" part is more of a mystery. People aren't sure if we intend to use it with its generally accepted meaning—that is, an entranceway—or as a reference to a website, which provides information and links to other sites.

So we undertook an evaluation of alternative names that would more clearly identify the purpose for our posts, and we eventually chose Take On Payments. Yes, it's a bit of a play on the words as you can use "take" in a couple of different ways. First, you can think of it as a noun, as in the word "viewpoint." That was our primary thrust since we work hard to provide our perspective on the various payments issues and their risk-related factors. Second, you can also think of "take" as a verb, as in "assume possession of," since we are charged with the responsibility of engaging the entire payments community about payments risk issues. Finally, we like the acronym TOP—we hope Take On Payments will be at the top of your reading list.

In the end, a name is just a name, and we understand that the content of the blog is what is really important to our readers. While the Portals and Rails name has left the station for a final time, our commitment to providing the payments industry with timely and informative content to encourage thought-provoking dialogue about payments risk remains unchanged. As always, we encourage your feedback and hope you will encourage your colleagues to subscribe as well.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 17, 2015 in payments risk | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Introducing Take On Payments:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 14, 2012

How do new faces affect risks in money transfer business?

According to a February 21 American Banker article, Facebook has officially entered into the money transfer business. Facebook reported in its S-1 filing last month that it generated about $555 million dollars in 2010 (or 15 percent of its revenue that year) from payments, and that it holds money transmitter licenses in 15 states. Facebook credits are a digital currency that companies use on the site's online applications and games such as Farmville.

Facebook is not the only nonbank business entering the money transmittal business, though it certainly may be one of the more prominent. But as money transmitters are playing an increasingly larger role in our nation's payments system, now may be the time to take stock of the risk environment and continue our discussion on an appropriate strategy for risk governance.

FinCEN SAR filings on the rise for money transfer services
According to FinCEN's May 2011 report The SAR Activity Review: By the Numbers, depository institutions have a greater potential of exposure to money laundering crimes than do nondepository institutions. Nondepository institutions include money service businesses (MSBs), securities and insurance firms, and even casinos. You can see from the following table that over the last five years, the number of depository institution SARs decreased as of December 2010, while nondepository institution SARs have increased.

The report's findings for MSBs in particular are startling. It says, for example, that “in 2010, suspicious activity filings by the MSB industry hit an all time high with 596,494 SARs filed in 2010, up 12% from the prior year and over 18,000 more forms submitted than the previous high in 2007.” In fact, money transfer SAR filings in 2010 comprised 70 percent of all financial services filings by MSBs. SARs by MSBs listing money transfers increased 23 percent from 2009, while money order SARs fell 3 percent for the same period.

2010 SAR filings by financial services

Under the radar: When MSBs fail to file
When MSBs were subject to enforcement actions in 2011, their primary infraction often involved failure to register with FinCEN. In addition, according to FinCEN's 2011 Annual Report, filing failures were often accompanied by other legal violations, such as failing to file currency transaction reports and currency structuring.

To help industry partners, regulators, and law enforcement monitor MSBs, FinCEN recently announced the launch of a new MSB registration website. FinCEN updates the database weekly.

As nonbank companies, including social media firms like Facebook, enter the payments business, it will be critical to keep an eye on small innovative and possibly unlicensed start-up money transmitters.

Cindy MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

March 14, 2012 in fraud, money services business (MSB), payments risk | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference How do new faces affect risks in money transfer business?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 23, 2012

PIN authentication versus signature authentication

In the United States, surveys from several organizations help us determine approximate total fraud losses by different payment instruments. For example, the American Bankers Association's 2011 Deposit Account Fraud Survey Report estimates that 2010 industry fraud losses totaled $893 million for checks and $955 million for debit cards. The Nilson Report puts 2010 payment card fraud losses at $3.56 billion. And a 2011 PaymentsSource report estimates that bank card issuers experienced fraud losses of $1.16 billion in 2010.

Some of these industry surveys actually fail to illustrate the complete risk landscape—we must also consider trends in the underlying usage of various payment mechanisms. To better assess risks to financial institutions from various payment types, it is useful to compare fraud losses on a per-unit basis. By doing this for credit card, signature debit, and PIN debit transactions, the effectiveness of PIN authentication in preventing payment card fraud becomes clear (see the chart).

Estimated per Unit Fraud Losses by Payment Type Incurred by US FInancial Institutions

Credit card loss rates are the largest among payment cards and growing
According to PaymentsSource's bank card profitability studies, financial institutions' credit card-related fraud losses grew each year between 2006 and 2008, rising from $1 billion to $1.11 billion. After an aberration in 2009, when credit card fraud losses fell by 14 percent, fraud losses grew again in 2010, by 22 percent. The Nilson Report data showed a similar trend in both the number and dollar value of credit card transactions during this time period.

The Nilson Report data provide the basis for determining per-unit credit card loss estimates for financial institutions. On a per-transaction basis, annual credit card-related fraud losses reached their highest level in 2010, at 7.5 cents per transaction. This figure represents an almost 9 percent increase from the 2006 figure, which was 6.9 cents. Credit card fraud losses on a dollar-volume basis increased by nearly 27 percent during this same time period, from 6.7 basis points (or 0.067 percent) in 2006 to 8.5 basis points in 2010.

Debit card fraud loss rates vary by authentication method
Likewise, financial institutions have seen debit card fraud losses rise steadily since 2004. According to this PULSE Debit Issuer Study, fraud losses from purchase transactions (excluding losses from ATM fraud) were about $201 million in 2004. Looking at PULSE study data in conjunction with data from The Nilson Report shows that debit card fraud losses from point-of-sale transactions peaked at $880 million in 2010.

However, a large disparity exists between debit card fraud based on the authentication method employed. For example, signature debit transactions accounted for an estimated $804 million—91 percent—of the total debit card fraud in 2010.

The increase in fraud losses should come as no surprise given the rapid growth in debit card transactions over the past six years. According to The Nilson Report, debit transactions grew by more than 122 percent, or 14.3 percent on an annualized basis, between 2004 and 2010. Data from PULSE studies show that in 2010, financial institutions experienced a 2.7-cent fraud loss for every signature debit transaction, and a 0.5-cent loss for every PIN debit transaction. This translates to 7.5 basis points for signature transactions and 1.3 basis points for PIN transactions on a per-dollar volume basis. These figures are up from the 2006 numbers of 1.9 cents (or 4.8 basis points) and 0.3 cents (or 0.8 basis points), respectively.

Comparing signature and PIN transactions
Based on per-unit fraud losses of credit and debit cards, financial institutions have significantly more exposure to fraud losses from card payments with signature authentication than from those with PIN authentication. Yet PIN authentication is not accepted for credit transactions, and it accounted for only 32 percent of debit card purchase transactions in 2010. Although the fraud rates for both signature and PIN transactions have increased over time, signature transactions still exhibit significantly higher loss rates, especially when comparing the transactions on a per-dollar volume basis. The large disparity in per-transaction fraud losses between credit card and signature debit transactions stems from credit card transactions having an average ticket size of nearly 2.5 times that of signature debit transactions. Ultimately, PIN debit offers an additional and superior layer of authentication not offered on credit and signature debit transactions.

Admittedly, the limited number of merchants in the face-to-face environment who have the capability to accept PIN-based transactions, combined with the lack of PIN-based acceptance in the card-not-present environment, limits the use of PIN transactions. But given the ongoing displacement of cash and checks by payment cards and other forms of electronic payments, the continued adoption of PIN debit transactions and the potential introduction of PIN authentication for credit card transactions could go a long way toward reducing growing payment card fraud. However, given recent EMV-related statements that Visa and the Merchant Advisory Group have issued, it remains unclear whether or not PIN authentication will become the standard in the United States.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 23, 2012 in authentication, fraud, payments risk | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference PIN authentication versus signature authentication:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 17, 2012

How risky? The elements of an effective payments risk management program

Financial institutions manage a range of businesses with distinct risk management needs. Banks of all sizes that offer payment services to retail and commercial clients must appropriately identify and manage the myriad dimensions of risk entailed. The Retail Payments Risk Forum recently spoke with Tony DaSilva, a senior bank examiner at the Federal Reserve Bank of Atlanta. The conversation, captured in a podcast and highlighted in this post, covered the elements of a successful payments risk management program. Formerly a banker, DaSilva is able to take the perspective both of the supervisor and of the supervised institution when it comes to understanding the challenges of managing retail payments risk.

He said that in financial institutions today, "payments risk management is sometimes informal or decentralized." Without a comprehensive risk assessment, said DaSilva, these institutions have a heightened vulnerability to risks they do not understand. As a result, they may incur losses, lawsuits, or even regulatory formal actions.

Often, the scope and rigor of the bank's risk management program is not commensurate with the bank's risk profile. He added that the loose oversight combines with a variety of other factors to undercut a bank's risk management capabilities. A major driver in adding new payment services may be anxiety for fee income in an environment where many sources of payments revenue have been pressured.

Other factors include incomplete due diligence or inadequate "know-your-customer" (KYC) programs, or the institution may have insufficient payment expertise, senior leadership involvement, or employee and management training. DaSilva has seen institutions that do not perform adequate risk assessments or due diligence when deploying new payment products or services, for example, or when engaging in third-party service-provider relationships.

Implementing a strong risk management program
DaSilva explained that there are multiple types of risk in the payments business that institutions must consider. These types include "credit risk, compliance risk, transaction risk, fraud risk, and legal and reputational risk." Responding to all these requires establishing a risk management program with the following elements:

  • Planning. Having clear, defined objectives, a well-developed business strategy, clear risk payments parameters, and a role within the financial institution's strategic plan.
  • Risk identification and assessment. Senior management knowledge and understanding of their institution's risks is critical. The risk assessment should be incorporated into the bank's overall risk management process, which will vary by institution.
  • Mitigation. Establish policies and procedures to mitigate identified risks. These policies should consist of clearly defined responsibilities and strong internal controls over transactions. Mitigation is also achieved through a good risk-based audit program, and well-designed contracts and agreements.
  • Measurement and monitoring. Periodic reporting should enable the board and senior management to determine that payments activities remain within the bank's established risk parameters.

The role of bank leadership in risk management
DaSilva repeatedly emphasized that it is critical for bank board and senior management to be actively involved with and knowledgeable about their institution's payments risk management. For an institution to be able to gauge senior management knowledge, he suggested it begin by exploring whether management "understands the inherent product risks, the compliance requirements, the ability to monitor, the operations management and operational risks, [as well as] their reputational [and] legal risk."

DaSilva encouraged leveraging subject matter experts and ensuring that the retail payments strategy matches the bank's overall strategy and competencies. The best policy may be to limit product offerings to those for which management and employees have a full understanding of the accompanying risks. Despite the pressure to develop new sources of revenue, financial institutions should carefully evaluate the risks of any new payment product before adding it to their portfolio.

To end on a positive note, DaSilva has seen some institutions improving in all the right areas. They are assessing and mitigating risk across multiple payment channels, products, and delivery systems, including ACH, remote deposit capture, card products, and wire transfer. And for icing on the risk management cake, some do annual reviews of client accounts that include exposure from all payment, deposit, and loan products.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

January 17, 2012 in banks and banking, payments risk, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference How risky? The elements of an effective payments risk management program:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 28, 2011

Portals and Rails welcomes new director of Retail Payments Risk Forum

On August 31, we said farewell to our director, Rich Oliver, when he officially retired from the Retail Payments Risk Forum after 38 years with the Federal Reserve. With his many accomplishments and significant contributions to the Fed, to the Forum, and to research in the payments industry, Rich left behind some pretty big shoes, and we've been looking for someone to fill them. Well, we've found someone more than capable of walking in these shoes, and we'd like to invite you to join the Portals and Rails team in welcoming the Forum's new director, Mary Kepler. On December 1, Mary will step into her new shoes—uh, role—overseeing the Forum and maintaining District and System-level relationships with industry executives and organizations in the payments arena and in payments risk and fraud prevention.

Now, we're not to going to divulge Mary's shoe size, because we're really only speaking metaphorically here and would never comment on anything so personal in such a public forum, but we can tell you about Mary's path that has brought her to us. She certainly comes to her new position with a variety of relevant experience, most recently as the vice president of Financial Management and Planning (FM&P) here at the Atlanta Fed.

Mary originally came to the Atlanta Fed in 1992, moving from the Kansas City Fed, so she has a long history with us. She joined the Atlanta Fed in Supervision and Regulation department and was soon promoted to relationship manager with the AmSouth Bancorporation. In 1998, she moved to the automation operations department, where she was assistant vice president until 2002, when she became vice president. Mary joined the Retail Payments Office in 2003 and for two years served as the Federal Reserve System liaison to the U. S. Treasury Department for retail payment services that the System provides to the U.S. Treasury.

From 2005 to 2006, Mary was senior human resources officer. She chaired the Bank's Human Resources Committee and was an advisor to the Bank's Management Committee. She then became senior officer over FM&P.

As you can see, Mary comes to the Retail Payments Risk Forum well qualified. We look forward to embarking on this next phase of our journey under her capable, proven leadership. So please help us congratulate Mary on her new position, wish her continued success, and tell her she wears her new shoes well.

By Cynthia Merritt, assistant director, Douglas A. King, payments risk expert, and Jennifer C. Windh, payments risk analyst, all of the Retail Payments Risk Forum

November 28, 2011 in payments, payments risk, payments systems | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Portals and Rails welcomes new director of Retail Payments Risk Forum:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 14, 2011

Evidence for PCI’s effectiveness in the fight against fraud

Despite the PCI Council's best efforts and laudable goals, the effectiveness of its data security standard, PCI DSS, is frequently questioned. This standard is sometimes disparaged as expensive and ineffective. One critic has even decried the standard as a "false god." Such criticisms have stuck in part because it is difficult to know how many breaches would have occurred if it weren't for the PCI standard, and supporters have essentially been left to argue a counterfactual. The PCI Council has long maintained that no organization that has been breached has been found to have been compliant at the time of the breach, but the claim has never been fully validated.

Contrary to the claims of PCI DSS critics, however, Verizon has collected some data that support the value of PCI. The Verizon 2011 Payment Card Industry Compliance Report provides evidence that PCI compliance is effective at preventing breaches, and that the most compliant organizations are the least likely to be breached. The Verizon report provides a detailed analysis of compliance and breach threats across their client portfolio. The report reviews the cases of annual audit clients to assess compliance across the 12 PCI DSS requirements. The report also lays out the authors' retroactive assessment of the compliance of organizations that used the firm's forensic services after they suffered a breach.

The report ends up offering two very different perspectives: that of organizations proactively pursuing PCI compliance and that of organizations reacting to a breach that may not have previously emphasized compliance. The study sample consists of more than 100 reports from primarily American and European companies, and is the second year that this study was published (see the 2010 report here.)

Figure 3: Distribution of testing procedures met at IROC

At first glance, the report's findings seem discouraging because only 21 percent of organizations are found to be fully compliant at the beginning of the audit. However, the researchers assessed each organization's compliance across each requirement, and found that a further 37 percent were compliant across 90 to 99 percent of requirements.

Verizon conducted these assessments to help clients identify gaps and prepare them for their annual audit process. Once Verizon issued their Initial Reports of Compliance, the organizations then worked to fill all gaps and achieve full compliance. Of course, achieving full compliance is not a simple task. Full PCI compliance is extremely complex and requires ongoing testing and updates, and many organizations succumb to complacency and fatigue between audits. They may not respond to changing circumstances, and in fact the researchers found that compliance levels sometimes deteriorated over the course of the year.

Table 3: Percent of organizations meeting PCI DSS requirements

The complexity of achieving full compliance is one reason the PCI Council released the Prioritized Approach to compliance in 2009. These guidelines are intended to help firms with limited resources tackle the most effective security requirements first. Unfortunately, the researchers found no evidence that organizations had implemented this prioritization, which raises the concern that companies are not taking a strategic approach to the compliance process.

In the second half of the Verizon report, the researchers tried to tease out how breached companies are attacked and what characteristics made them most vulnerable. They found that breached companies were less likely to meet individual PCI requirements, and scored overall worse than nonbreached clients by a 50 percent margin on average. Additionally, every threat action identified by the forensic team could have been prevented with full PCI compliance.

Jen Mack, the director of Verizon's PCI Services, believes that the Verizon report shows that PCI is effective. She says, "It's clear the standards provide protection for card data if organizations implement them correctly and maintain them throughout the year." Verizon's report does provide strong evidence that PCI DSS is an effective tool for preventing breaches and combating fraud. Since data breaches are repeatedly recognized as a major threat to the payments industry, it is critical to leverage tools like PCI DSS. How can the PCI Council encourage increased compliance among merchants and other organizations? Will increased recognition of the standard's effectiveness lead to greater adoption?

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

November 14, 2011 in data security, fraud, payments risk | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Evidence for PCI’s effectiveness in the fight against fraud:


At a time when consumer trust of financial institutions is at an all time low, companies that deal with consumer information should be taking a proactive approach to their security. The protection of consumer data is of utmost importance and the reputation of their brand hangs in the balance. Conducting audits internally or hiring a third party do do so on a regular basis to ensure companies are meeting PCI standards will help them stay vigilant about their security and regain their customers' trust.

Posted by: Cassie Fulton | December 6, 2011 at 05:10 PM

Whether PCI is effective in reducing fraud or not is not the issue. The question is whether it is COST EFFECTIVE. More specifically: Could a different approach achieve the same or better results, at lower cost?
Many experts consider PCI to be too expensive and difficult to implement for what it has achieved--and much less effective than could be accomplished using a more practical "risk based" approach.
The PCI program was poorly planned and is poorly managed, and has been co-opted by the QSA industry, which generates immense revenues from the ever-expanding scope and complexity.
The card brands do not seem to care about the expense, however, as the vast majority of the cost for PCI must be borne by the merchants.
The fact that "no organization has been found to have been compliant at the time of a breach" only underscores the problem, and speaks to the fruitlessness of merchants' efforts toward PCI compliance.

Posted by: Security Sam | November 16, 2011 at 04:37 PM

The fight against fraud is not an easy one and the fact that the number of breaches has been decreasing lately is down to the hard work from various parties, including the PCI Security Standards Council.
PCI DSS reassures consumers that cyber crime is taken seriously by the whole industry and that their card details will not be compromised.

Posted by: PayPoint.net Merchant Services | November 15, 2011 at 09:26 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts

October 2016

Sun Mon Tue Wed Thu Fri Sat
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          



Powered by TypePad