About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

June 11, 2018


Consumer Habits and Cash Use

As my colleague Doug King pointed out last month, cash is not going away anytime soon, Yanny/Laurel notwithstanding. By number, almost one-third of U.S. consumer payments were made in cash in 2017. Every year since 2008, the Survey of Consumer Payment Choice has found that cash is consumers' most popular or next-most-popular way to pay.

Many factors underlie cash's resilience, including access, current shopping habits, consumer ratings, and demographics.

Universal access. Paypal's chief financial officer commented to the Wall Street Journal earlier this year, "I don't think we will ever be entirely cashless, maybe in large part because I don't know if we will ever be in a world that every person has a smartphone or a mobile device."

Shopping habits. Most purchases—nine in 10—are made in person, not online (2015 Survey of Consumer Payment Choice). And when shopping in person, consumers prefer cash for small-dollar transactions. Two-thirds of U.S. consumers report that they prefer cash for in-person payments of less than $10 (2016 Dairy of Consumer Payment Choice). Forty percent prefer cash for in-person payments between $10 and $25.

Consumer ratings. Consumers say cash is the most cost-effective way to pay. The Survey of Consumer Payment Choice asks respondents to rate the cost of using a particular payment method, taking into account that fees, penalties, interest paid, etc. can raise the cost of a payment method, while discounts and rewards can lower it.

Demographics. People with fewer payment options use cash. That includes low-income people who have less access to credit cards as well as people without bank accounts who have no access to non-prepaid debit cards. It also includes millennials, who used cash for almost 30 percent of their payments in 2016 (Diary of Consumer Payment Choice).

You probably already know that card payments dwarf cash payments—almost 60 percent of consumer payments are made with some type of card, whether it's debit, prepaid, or credit. Yet cash persists. Recently, a new acquaintance told me he "never" uses cash. As evidence, he reported that he had no cash in his pocket, explaining "that's because I used my last $2 to buy coffee this morning."

Hmm. What does this say about the health of cash? What Dave Lott wrote in 2016 is still true today: not dead yet.

Next post: Merchant acceptance and the use of cash

To learn more about consumer payment choices and preferences, visit the Federal Reserve Bank of Atlanta’s new consumer payments web page that houses a variety of surveys, studies, and research reports on the topic.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 11, 2018 in cards, currency, debit cards, emerging payments, mobile payments, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 30, 2018


Cash Discount Programs: The Flip Side of Surcharging?

In a recent post, I reviewed the structure of credit card surcharging programs that a panel discussed at the Southeast Acquirers Association conference earlier this year. Since that post, some of my colleagues who have encountered cash discount programs asked me if they were simply the flip side of credit card surcharging. While there are some similarities in the requirements of the two programs, there are some key differences.

Cash discount programs became legal across the United States in October 2011, following the passage of the Durbin amendment of the Dodd–Frank Act. That amendment permitted merchants to offer a discount to cash (or check) customers as an incentive to use those payment methods instead of cards. The way it works is that the merchant charges a service fee to all transactions that the merchant then reverses or discounts if the customer pays with cash or check.

The sample receipts below illustrate the difference between a purchase made with a payment card and a cash payment from a merchant who uses a flat service charge pricing option.

Images-of-reciepts

Unlike surcharges, which apply only to credit card payments, service fees are applied against all types of card payments. And while surcharge program fees are always a certain percentage of the transaction, a cash discount program can use a flat fee (usually based on the average ticket size) or a percentage of the transaction amount. Businesses with a wide range of sales values would best be served using the percentage model, while a flat fee works better for businesses with relatively consistent ticket sizes. Credit card surcharge program rates are capped at 4 percent of the transaction amount, but cash discounting has no restriction. Of course, the higher the service fee the more likely the customer will be to notice and possibly move to another merchant who does not have such a program.

As with surcharges, the cash discount merchant must prominently display consumer notices at the entry points of the store as well as at the register about the service charge—that the customer can reduce or avoid by using cash. In addition, the sales receipt must explicitly display the service charge and, when applicable, the cash discount.

Among the possible benefits, merchants can lower their effective card processing expenses by collecting the service charge. Colleagues at the Boston Fed authored a discussion paper titled "Why Don't Most Merchants Use Price Discounts to Steer Consumer Payment Choice?" in late 2012 that reviewed a number of factors that might cause merchants to think twice about implementing a cash discount program. I believe the factors they reviewed are as relevant today as they were at the time of the paper. As for the credit card surcharge, the merchant has to consider customers' potentially negative response to such a fee, especially if they believe that the merchant has already built much of the cost of payment acceptance into the goods and services.

Merchants have to register credit card surcharge programs with the card brands prior to implementation. However, cash discount programs have no such requirement, so their adoption rate among the merchant community is difficult to quantify. One indicator may be from the Federal Reserve's 2015 Diary of Consumer Payment Choices. According to an analysis of the data, the national sample of respondents indicated they received a cash discount on 1.9 percent of their non-bill transactions that had a median value of $20. Interestingly, in a breakdown by industry type, transactions at automobile/vehicle-related and entertainment/transportation businesses were more likely to offer a cash discount—of 8.2 percent and 5.1 percent, respectively.

What has been your experience with cash discount or credit card surcharging programs? Did such a program cause you to change your initial form of payment?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 30, 2018 in cards, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 16, 2018


Not Just a Card-Not-Present Problem

In 2012, I published a paper that looked at trends in card fraud in several countries that had adopted or were in the later stages of adopting EMV chip cards. The United States is now in the process of adopting EMV, so I am refreshing that paper with an eye towards fraud trends in what are now mature EMV markets. Payments experts know that card-not-present (CNP) fraud will continue to pose challenges that EMV chip cards do not solve, but are there other challenges lurking in these markets that the U.S. payments industry should note?

Although I'm still gathering data, one particular data point from the United Kingdom—lost and stolen fraud—already has me intrigued. In 2016, losses from this type of fraud stood at more than £96 million (about $130 million), up from more than £44 million (about $60 million) in 2010, a 117 percent increase. In 2010, lost and stolen fraud accounted for 12 percent of overall card fraud in that country. By the end of 2016, it had become 16 percent of card fraud. It is now the second leading type of fraud in the United Kingdom, though it still falls far behind CNP fraud, which accounts for 70 percent.

Remember that in the United Kingdom, PIN usage was adopted to mitigate lost and stolen card fraud at the same time that EMV chip cards were implemented. Yet lost and stolen card fraud is up significantly. According to Financial Fraud Action UK, fraudsters are getting their hands on the PINs—a static data element—through distraction tactics and scams. Other factors, such as the proliferation of contactless transactions and those that have no cardholder verification method, could also be drivers of this fraud, as could an increase of reports of lost or stolen fraud that is actually first-party, or "friendly," fraud. EMV has proven to be an effective tool to authenticate cards, but authenticating an individual using a card, even in a card-present environment, remains a challenge.

The lost and stolen fraud figures out of the United Kingdom lead me to believe that cardholder authentication isn't just a CNP problem. Furthermore, the decades-old PIN solution for the card-present environment is now showing signs of weakness. At the same time, to reduce customer friction, many card networks are eliminating signature verification and relying on data analytics to authenticate transactions. Is this a perfect storm for lost and stolen card fraud? Is it the foreshadowing of the emergence of biometrics, or some lesser known technology? Or will I find that this problem is isolated and should not worry us in the United States?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

January 16, 2018 in authentication, cards, chip-and-pin, debit cards, EMV, fraud, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 18, 2017


Training Workers for Payments Jobs

Do you boast, or at least talk, about your work in payments at social events? When I tell someone in a social setting that I work in payments, they either move on, after a polite pause, to meet the next person, or they take a deep breath and ask, “What does that entail?” What is most humbling is when I overhear my husband trying to explain my job. And what has been the most entertaining was when a four-year old asked me to perform an interpretive dance representing my occupation—a payments Nutcracker, if you will. Whatever the circumstance, you have to be ready to engage and convey excitement about all things payments to keep our workforce thriving. The industry is growing so rapidly that many employers are struggling to fill positions.

Many people I meet assume I am a mathematician when I talk about my work in payments. While I do own a calculator, I tell them, people in the payments workforce have diverse skill sets that go above and beyond using calculators. This diversity becomes more important every day, as technology keeps growing and changing. Ultimately, the majority of the population may not care how payments work, and they may not care to see an interpretive dance about payments. But there are dedicated, skilled professionals who, thankfully, perform their payments-related jobs safely and efficiently. And we need more of them.

The payments industry is growing. Fintechs alone account for a good portion of this growth. According to an industry research firm, venture capital-backed fintech companies globally raised a total of $5.2 billion in the second quarter of this year—–a 19 percent increase from last year. U.S. fintech funding saw a 58 percent rise, to $1.9 billion in the second quarter this year compared to $1.2 billion in the first quarter.

We need a more robust pipeline of available workers to support the growth in the industry. We need to both cultivate new talent and attract available skilled talent. This task can be daunting given the range of jobs available in the industry that transcend traditional educational curriculums.

Here are just a very few of many inspiring workforce training initiatives supporting industry growth today:

  • FinTech Atlanta, along with the University System of Georgia and other colleges and universities in Georgia, launched a FinTech Degree and Certificate Programs to create needed talent to fuel the fintech workforce.
  • NACHA, with the regional payments associations, has launched a Payments Risk Professional accreditation program. The program brings together skills for managing risk combined with knowledge in payment services, whether for financial institutions, solution providers, processors, businesses, or other end users.
  • Workforce Innovation Hub, sponsored by Accenture and affiliated with Atlanta's City of Refuge, provides nonprofit technical education options to lift the underemployed and underprivileged. The IT training program teaches software and application development, IT support, web development, graphic design, and more—all skills that can be put to use in payments and fintechs.
  • Some professional development programs work with military veterans, offering career opportunities and education resources that can help prepare them for careers in the payments industry. One example is First Data Salutes; another is Syracuse University's Institute for Veterans and Military Families (IVMF) and its affiliated program Entrepreneurs Bootcamp for Veterans with Disabilities.

Be a payments ambassador at your next social event and talk about your favorite payments initiative. It is up to you to decide if you want to perform an interpretive dance of your payments job—but it's up to all of us to keep our workforce growing at pace with the industry.

Photo of Jessica Washington  By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

December 18, 2017 in financial services, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 27, 2017


How Intelligent Is Artificial Intelligence?

At the recent Money20/20 conference, sessions on artificial intelligence (AI) joined those on friction in regulatory and technological innovation in dominating the agenda. A number of panels highlighted the competitive advantages AI tools offer companies. It didn't matter if the topic was consumer marketing, fraud prevention, or product development—AI was the buzzword. One speaker noted the social good that could come from such technology, pointing to the work of a Stanford research team trying to identify individuals with a strong likelihood of developing diabetes by running an automated review of photographic images of their eyes. Another panel discussed the privacy and ethical issues around the use of artificial intelligence.

But do any of these applications marketed as AI pass Alan Turing's 1950s now-famous Turing test defining true artificial intelligence? Turing was regarded as the father of computer science. It was his efforts during World War II that led a cryptographic team to break the Enigma code used by the Germans, as featured in the 2014 movie The Imitation Game. Turing once said, "A computer would deserve to be called intelligent if it could deceive a human into believing that it was human." An annual competition held since 1991, aims to award a solid 18-karat gold medal and a monetary prize of $100,000 for the first computer whose responses are indistinguishable from a real human's. To date, no one has received the gold medal, but every year, a bronze medal and smaller cash prize are given to the "most humanlike."

Incidentally, many vendors seem to use artificial intelligence as a synonym for the terms deep learning and machine learning. Is this usage of AI mostly marketing hype for the neural network technology developed in the mid-1960s, now greatly improved thanks to the substantial increase in computing power? A 2016 Forbes article by Bernard Marr provides a good overview of the different terms and their applications.

My opinion is that none of the tools in the market today meet the threshold of true artificial intelligence based on Turing's criteria. That isn't to say the lack of this achievement should diminish the benefits that have already emerged and will continue to be generated in the future. Computing technology certainly has advanced to be able to handle complex mathematical and programmed instructions at a much faster rate than a human.

What are your thoughts?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

 

November 27, 2017 in emerging payments, innovation, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 12, 2017


Watching Your Behavior

Customer authentication has been at the core of the Retail Payments Risk Forum's payments risk education efforts from the beginning. We've stressed not only that there are legal and regulatory requirements for certain parties to "know your customer," but also that it is in the best interest of merchants and issuers to be sure that the party on the other end of a given transaction is who he or she claims to be and is authorized to perform that transaction. After all, if you allow a fraudster in, you have to expect that you or someone else will be defrauded. That said, we also know that performing this authentication, especially remotely, has several challenges.

The recently released 2017 Identity Fraud Study from Javelin Strategy & Research estimated that account takeover (ATO) fraud losses in 2016 amounted to $2.3 billion—a 61 percent increase over 2015's losses. (ATO fraud occurs when an unauthorized individual performs fraudulent transactions through a victim's account.) Additionally, new-account fraud on deposit and credit accounts has increased significantly and generated several public warnings from the FBI.

In payments, the balancing act between imposing additional customer authentication requirements and maintaining a positive, low-friction customer experience has always been a challenge. Retailers, especially online merchants, have been reluctant to add authentication modalities in their checkout process for fear that customers will abandon their shopping carts and move their purchase to another merchant with lower security requirements. Some merchants have recently introduced physical biometrics modalities such as fingerprint or facial recognition for online orders through mobile phones. Although these modalities have gained a high acceptance rate, they still require the consumer to actively participate in the authentication process.

Enter behavioral biometrics for online transactions. Behavioral biometrics develops a pattern of a user's unique, identifiable attributes from when the user is online at a merchant's website or using the merchant's proprietary mobile app. Attributes measured include such elements as typing speed, pressure on the keyboard, use of keyboard shortcuts, mouse movement, phone orientation, and screen navigation. Coupled with device fingerprinting for the customer's desktop, laptop, tablet, or mobile phone, behavioral biometrics gives the merchant and issuer a higher level of confidence in the customer's authenticity. Another benefit is that behavioral biometrics is passive—it is performed without the user's involvement, which eliminates additional friction in the overall customer experience. Proponents claim that while it takes several sessions to develop a strong user profile, they can often spot fraudsters' attempts because fraudsters often exhibit certain recognizable traits.

Behavioral biometrics is still fairly new to the market but over the last couple of years, some major online retailers have adopted it as an additional authentication tool. Like any of the physical biometric modalities, no single behavioral authentication methodology is a silver bullet, and multi-factor authentication is still recommended for moderate- and higher-risk transactions.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 12, 2017 in authentication, banks and banking, consumer fraud, fraud, mobile banking, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 15, 2017


What Canada Knows That We Don't

In a previous post, I made reference to the pending release of a Bank of Canada study on the costs of point-of-sale payments in Canada. Last month, the study was released. This study covers cash as well as debit and credit card payments. It's a fascinating read that highlights what little comprehensive knowledge we have about comparable costs of payments in the United States.

The scope of the study was limited to the following parties in the payment chain:

  • Bank of Canada and Royal Canadian Mint (prints and distributes currency)
  • Financial institutions (FIs) and infrastructure providers (includes cash transport companies, payment networks and payment card acquirers)
  • Retailers (covers retail trade, accommodation, food services, and personal service providers)
  • Consumers

As background, the study categorizes costs of payments from the parties above into social (or resource) and private costs. Social costs include all internal and outsourced costs to parties outside the scope of the study. Excluded are transfer fees paid among parties within the scope of the study (for example, fees paid by retailers to FIs serving as card acquirers). This exclusion avoids overstating total social costs since fees paid to one party in the payments chain are revenue to another party in the payments chain. With this adjustment, aggregating social costs across all parties reflects the total resources expended for the entire country to facilitate payments. True or private costing from a particular party in the payment chain is simply the sum of its social costs plus any transfer fees paid to other parties within the scope of the study. Knowing private costs provides insight into which payment instruments are preferred from a costing perspective.

Here are some selected highlights from the study:

  • Total annual social costs clocked in at 15.3 billion (Can$), which comprises 0.78 percent of Canada's gross domestic product (GDP). In comparison, a paper from the Kansas City Fed highlights GDP figures ranging from 0.5 percent to 0.9 percent for other developed countries. Unfortunately, no comparable comprehensive study has been conducted in the United States. Using indirect approaches based on assumptions, some sources have estimated that the cost of the payments system in the United States could be as high as 2 percent of GDP. Unfortunately, we don't have any definitive sources on what the figure really is.
  • Below are the average social costs, transfer fees, and private costs (that is, sum of social costs and transfer fees) per transaction across the payment chain (in Can¢) by payment instrument.

    Table-one


    We can see that transfer fees among the parties in the payments chain are relatively minimal for cash. Consumers proportionally pay higher transfer fees for debit card payments due to transaction fees paid to FIs. Transfer fees that retailers pay are proportionally high for debit cards and significantly higher for credit cards. Based on private costs alone, credit cards costs are less costly to consumers, while retailers incur the highest cost in accepting credit cards. These findings are generally consistent with studies conducted in other countries.
  • Lastly, the study further subdivides costs into fixed costs and variable costs based on the number of payments and by the value of payments. Along with the number and value of payments, costing components in Canadian dollars are itemized below:

    Table-two


    The proportion of variable costs to overall costs for cash, debit cards and credit cards comprise 55 percent, 64 percent, and 64 percent, respectively.

Because of the central and significant role payments play in any economy, many current payments policy questions circulate around payments—in particular the costs associated with adopting and accepting various payment methods, fraud experience and prevention, and compliance with security standards and requirements. What are your views on the value of a comprehensive cost survey in this country?

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

 

May 15, 2017 in banks and banking, cards, debit cards, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 6, 2017


ACH: No Trace Left Behind

In my payments research role, I believe that one problem with ACH is the lack of any definitive method for identifying a payment and any associated return, dishonored return, or contested-dishonored return using only the existing 15-digit trace number. Ideally, the trace number alone should facilitate the correct retrieval of payment or return details even if other payments contain duplicate payment details, such as for recurring payments.

This PDF file contains an image that outlines the complex web of relationships that can be used to trace back returns to the original payment. Without the benefit of a unique trace number, the identification of the original payment could involve using common data elements to minimize misidentifying the payment.

A unique trace number would offer the following advantages:

  • Unambiguously identify a specific payment
  • Facilitate tracking features similar to what is available from package delivery services such as transmittal, settlement and receipt date/time, and similar tracking of any associated return(s)
  • Enhance risk-monitoring capability
  • Simplify reconciliation and auditing
  • Flag or prevent a return from settling before its associated forward payment
  • Identify "orphan" returns sent across the public network when the original payment was sent privately between financial institutions (FI)
  • Link together forward and return payments for certain international payment applications that are not possible today

Under NACHA rules, the FI originating the payment assigns a unique 15-digit trace number; the trace number's uniqueness is necessary to differentiate each payment in the batch. Uniqueness is not mandated across payments in other batches in the same payments file. Consequently, a trace number could be repeated in multiple payment files on the same day or across many days—and, even more troublesome, within the same payments file. NACHA strives for uniqueness by mating the trace number with an associated batch number, transmission (file creation) date, and a file ID modifier. Unfortunately, any return of a payment only passes along the original trace number without the benefit of the mated data.

A possible solution that could overcome the current limitations of the trace number would be a one-time-use, ACH-operator-assigned, 15-character alphanumeric trace number. When the originating network operator receives a file, the operator would replace the FI trace number with a unique trace number that he or she would forward to the receiving FI. Any return sent back to the originating FI would have the unique operator trace number converted back to the original FI trace number. For convenience, a cross-reference file associating operator trace numbers with FI trace numbers could help facilitate non-network communication between originating and receiving banks.

Operators could guarantee uniqueness by allowing an operator trace number to contain digits and upper and lowercase letters. Expanding to a 62-character set results in over 3.5 trillion distinct values using the last seven characters of the trace number (the first eight characters are the originating FI's routing and transit number). Further requiring at least one non-numeric character allows differentiation with FI numeric-only trace numbers.

What are your views on the benefits and disadvantages of non-repeatable trace numbers?

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

February 6, 2017 in ACH, payments | Permalink

Comments

If the unique trace number could be assigned on the FI side, it would eliminate the extra step of forwarding of a unique number (which has its own chance of failing to forward) and some possible non-repudiation risks.

Perhaps this could be done by assigning each FI their own identifier, and pair that identifier with a unique number which is never used across batches, file IDs or dates. (A unique ID which is never reused since the FI Identifier would always make it unique across all FIs).

This would mean changes on the FI side and so some analysis would have to be done to find the cost benefits for NACHA, FI and FRS.

Posted by: B. Guhanick | February 8, 2017 at 09:40 AM

I like this idea. It would also make it extremely easy for an FI to research a transaction within their records by using the unique trace number. You are looking at around 20 billion transactions per year so the 3.5 trillion should easily cover the 6 year record retention requirement.

Posted by: David L Payne | February 7, 2017 at 06:58 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 30, 2017


Pssst…Have You Heard about PSD2?

No, I'm not talking about the latest next-generation video gaming console. I am referring to the revised Directive on Payment Services (PSD2) that the European Parliament adopted in October 2015 and that will serve as the legal foundation for a single market for European Union (EU) payments. The original PSD was adopted in 2007 but, according to official statements, the Parliament found that an update was necessary to incorporate new types of payment services, improve consumer protection, strengthen payment transaction security, and increase competitiveness with an expected result of lower consumer fees in the payments processing market. PSD2 applies only to digital payments and must be in force in all EU countries by January 13, 2018.

The directive and subsequent implementation rules that the European Banking Authority* is developing make a number of major changes in the European banking landscape, including:

  • Opens up the regulated financial services system to merchants and processors who might initiate payments on their consumer customer's behalf as well as data aggregator firms. In particular, PSD2 will apply to any financial institutions already operating within the scope of the PSD but will also apply to third parties such as operators of e-commerce marketplaces, gift card and loyalty plans, bill payment service providers, public communication networks, account access services, mobile wallets, and those who receive payment by direct debit.
  • Requires financial institutions, upon the request of their customers, to allow these approved nonbank, third parties significant, but not unlimited, access to the customer's account and transaction data through APIs (application program interfaces). Many financial institutions see having to turn over customer data to potential competitors as a significant threat to the retention of their customer's business as well as concerns with data security.
  • Sets out two-factor customer authentication as an absolute minimum, with additional security such as one-time passwords required for higher-value transactions. The card issuer must actively authenticate all transactions above 10 euros. Critics of these provisions point out that the criminals will have fixed transaction amounts and authentication methodology information to modify their attacks.
  • Supplementing card interchange limits imposed in December 2015, prevents merchants from adding surcharges to payment card transactions. Under the original directive, each country established rules regarding surcharging on card payments. It has been a common practice of European merchants to levy a surcharge on payment card transactions to offset the interchange fee paid to issuers.

While such a comprehensive single package of regulations is unlikely to occur in the United States, various flavors of these items have been and continue to be discussed. Do you favor such types of regulation here in the United States? I suspect the answer depends on your role in the payments ecosystem. I am interested in hearing from you.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed



_______________________________________

* Final rules are expected to be published in January 2017.


January 30, 2017 in emerging payments, mobile payments, payments, payments risk, payments systems, regulations, regulators, risk | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 17, 2017


Expanding Cybersecurity

Payments people start biting their nails when they hear "share more with more." They have been conditioned to keep payments information from ever being shared. But that is in the context of protecting legitimate payments system users from losing money while a fraudulent party benefits. At 7,000 members, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is currently the largest financial services trade association in the world. I attended their Fall Summit last October, a month fittingly designated National Cybersecurity Awareness Month, and heard plenty about sharing. The mission of FS-ISAC is always strength in sharing; this year's summit focused on expanding the trust.

Payments people are used to looking for fraud by way of chargebacks and returns, one payment-channel silo at a time. Shhh. Don't let ACH people share information with wire people, and vice versa—the risk department will let us know if there is an issue. Of course, payments fraud is an ever-increasing battle, and we must remain vigilant. However, who is prepared to recognize payment events that from a bird's-eye view may look legitimate but, when analyzed, point to a threat of mass destruction?

Recent distributed denial-of-service (DDoSs) attacks highlight the scale of network bandwidth that can be unleashed on connected systems. Payments are just that, a network of systems that connect every aspect of our economy. There are countless examples of services or goods not being rendered when payments aren't received. Liquidity failures do tend to cause a state of panic. Even attacking one specific sector such as payroll processing on the first of the month could lead to disaster. As my colleague pointed out in a July 2016 blog, cash is alive and well, but payments systems today rely totally on telecommunications, which rely on our power grid.

Admiral James Stavridis, the keynote speaker at the FS-ISAC Summit, echoed the importance of expanding trust, along with the need to increase the resiliency of the nation in the event of a cyber-incident. Stavridis provided many encouraging solutions, one being that it is time for a cyber-force branch of the military. The United States Air Force was formed as a separate branch of the military in September 1947 under the National Security Act of 1947 as aerial warfare advanced. Stavridis proposed that now is the time for us to consider that cyber-incidents could be used as weapons of mass destruction. He applauded the current combat against cybercrime, yet encouraged new thought on what could be in store and how quickly it could arrive.

How do payments people continue down the path of protecting individual players while simultaneously protecting the nation from a crippling cyber-incident? It could be just a matter of whom you invite to the table. As I saw with attendance at the FS-ISAC Summit, the cybersecurity conversation needs to include diverse skill sets. There has been a trend in moving information security departments away from their information technology partners and under the risk and compliance umbrella so they can remain unbiased when scrutinizing payment transaction red flags and other systems. Additionally, legal barriers are being reevaluated to ensure that law enforcement can access information, most notably by FinCEN expanding Suspicious Activity Report requirements to include cyber events.

And, more deeply about whom we are trusting at the table, are we actually expanding the information shared? Could we make correlations by looking at payment volumes together with cyber activity and reports of fraud?

There is a growing sense that payment security equates to cybersecurity and national security. With Stavridis and others promoting the movement for "expanding the trust," new ideas continue to emerge. Hopefully, the technologies and strategies that are made to wow us (for example, the internet-of-things, machine learning, and the distributed ledger) can also serve to unite and protect us.

Photo of Jessica Washington  By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

January 17, 2017 in cybercrime, payments, payments risk | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad