Take On Payments


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

November 9, 2015

Is the Payment Franchise Up for Grabs?

I have lost count of the number of discussions at payment conferences over the last few years on this topic of financial institutions (FI) losing the payment franchise to various new payment start-ups and business models. This very topic was the focus of a session at the Code/Mobile conference in October that featured executives from Chase and PayPal debating "Will Banks Eat Payments, or Will Payments Eat The Banks?" This idea was stuck on my mind while I was recently reading Fidelity National Information Service's 2015 Consumer Banking Index Report. This report reveals the findings from a survey of a thousand household decision makers who ranked 18 attributes according to their importance and according to the respondents' perception of how well banks perform. I readily admit that one shouldn't read too much into the results of a single survey, but the results in the payments and product-related category really grabbed my attention.


Consumer expectations for their financial institution to provide digital payment options through more innovative products than other financial institutions scored extremely low in the importance category. Digital payments ranked as the 14th out of 18 attributes in importance, and delivering leading-edge products was the least important attribute surveyed. Though the importance of these two attributes was significantly lower than security and reliability attributes, consumers rated the performance of their financial institution on these two attributes favorably.

My interpretation of the survey is that consumers aren't expecting much from their FI when it comes to delivering digital payments and innovative products yet the FIs are exceeding these light expectations. The survey does not cover whether consumers place importance on others—say, non-bank payment providers—offering innovative products and payment options and how they are delivering on consumers' expectations.

If consumers expect non-FIs to provide digital payment options, then perhaps FIs are in danger of losing the payments franchise. Maybe consumers don't place a lot of importance on digital payment options because they are satisfied with the options their FIs provide and so the risk of FIs losing the payment franchise to non-FIs is low.

It's possible that the consumer falls somewhere in the middle of the two scenarios above. They may be pleased with the offerings of their FIs, which offer ubiquity and are not highly differentiated, so their expectations for options are low. The non-FI payments space is fragmented with new payment options being developed and deployed at a rapid pace that will take time for consumers to digest. Should consumers realize that any of these offerings present a significant improvement in the payments experience, they may raise their expectations for their FIs. This would suggest that the non-FI providers haven't fully delivered on a compelling, ubiquitous, and widely adopted offering yet.

I believe FIs remain firmly entrenched in the payment space today. However, the level of investment and innovation taking place in the industry should capture the FIs' attention. Consumers, me included, are a finicky bunch when it comes to expectations, and these expectations can change almost instantly with the amount of innovation occurring today. I see no reason why the digital payments arena would be any different, and FIs that fail to realize this as they consider future payment options risk a declining share of the payment franchise.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 9, 2015 in banks and banking, innovation, payments

October 19, 2015

Got Cash?

The governments in countries such as Sweden and Nigeria may have taken initial steps to move to a "cashless" nation, but here in the United States, there is no question that cash is still king. It remains the most-used retail payment instrument, especially for low-value payments. This finding from the Fed's Cash Product Office (CPO) was welcome news to a group of independent (nonfinancial institution) ATM operators that I had the pleasure of addressing last month at their annual conference. The primary business of these entrepreneurs is getting cash into the hands of consumers through their terminals located in a variety of malls and merchandise, food, and beverage stores. Of the estimated 400,000–425,000 ATMs and cash dispensers operating in the United States, approximately 60 percent are owned by these nonfinancial institutions.

One of the CPO's main missions is maintaining a supply of currency and coin to meet demand in both normal times and special situations such as natural disasters, when other forms of payment might be unavailable. As a critical part of accomplishing that mission, the CPO constantly evaluates research to determine how cash use is changing in this country. One of the main sources of research is the Fed's Diary of Consumer Payment Choice (DCPC). Data collection was last fielded in 2012, but is being conducted again now. To collect the data, the DCPC asks a representative national sample of about 2,500 individuals to record all their financial transactions over a rolling three-day period. In addition to recording the transaction and demographic information, respondents were also asked to indicate their top preferred payment method and their second preferred method of payment in instances when their top choice is not available.

Some of the major findings of that study include:

  • Debit and credit cards represent the stated primary payment choice, at 64 percent, but 30 percent of the consumers stated their primary payment preference was cash.
  • Cash serves as the backup payment method for all segments, reflecting its importance in our overall payment infrastructure.
  • Interestingly, although 3 percent of the consumers said their preferred payment method was checks, they actually used cash twice as often as writing checks.
  • Reflecting the tendency for people to use cash for small-value payments, cash payments represented 40 percent of the number of payments made by the survey participants but only 14 percent of the total value of the payments.
  • Cash clearly dominates the small-value segment under $10.
  • Cash was the payment method used in two-thirds of person-to-person (P2P) payments.
  • The use of cash in P2P transactions is different from other cash transactions; P2P transactions are two-thirds higher in value ($35 versus $21) than other types of expenditures.
  • While 51 percent of the adults in the 18–34-year-old age group indicated that debit cards are their most preferred payment method, cash followed closely at 40 percent for the 18–24 year olds and 31 percent for the 25–34 age groups. Will the 2015 results show a departure from this finding?

It is clear that the United States is a long way from becoming a cashless society despite the predictions of many over the last twenty years. The 2015 results will provide important information as to how cash continues to be used by the general population and the emerging millennials segment in particular.

So is there cash in your wallet? I bet there is and will be for quite some time.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 19, 2015 in cards, checks, currency, payments

September 28, 2015

I Want My Two Dollars!

Dizziness and nausea come over me sometimes when I have to pay individuals. My mind scrambles. I don't carry cash or have checks. What grueling, lengthy steps will I have to go through to pay this person? Besides worrying about forgetting to meet my financial obligation if I don't pay right now, I find myself crossing my fingers behind my back hoping they have the same mobile app as I do. Or maybe we use the same bank, with any random luck. I picture myself as Layne Frost, the character played by John Cusack, from the movie Better Off Dead, with the paperboy at my doorstep insisting, "I want my two dollars!"

From bartering to exchanging livestock and shells, from cash and coin to checks and now mobile, it is inevitable that people will always find a way to pay and be paid. Forrester Research forecasts that the U.S. mobile peer-to-peer (P2P) market will grow to nearly $17 billion in transaction value by 2019. Yet the United States P2P payment volume by instrument is still largely cash-based, followed by check. Forecasters are planning on migration from over 6 billion cash and 2.1 billion check P2P transactions to the mobile space. Who will win the lion's share of paper-based P2P payments as people embrace electronic payments?

Let's look at the P2P payment lifecycle before you make your predictions:


My expectation is that everyone in the P2P space today faces challenges in getting there from here. Some will have a handsome share of the market but in doing so may suffocate opportunity for ubiquitous solutions that will benefit consumers nationwide. Fragmentation is our obstacle in P2P today. If both Ps don't have something in common (for example, financial institution, phone manufacturer, mobile application, social media, branded debit card), then the payment can't occur and...back to the basics we go. Cash and checks are accepted by almost everyone. Moreover, cash eliminates the middle part—cash means finality of good funds, sender to recipient, instantly.

All P2P access channels, or funds load, providers who offer accounts to consumers—whether these providers are financial institutions; virtual wallets like Google and PayPal; mobile/online applications like SquareCash, Venmo, or Dwolla; or prepaid accounts like Bluebird or NetSpend—should be able to access a directory to process payments from anyone to anyone. Ubiquity means debit card or not, banked or unbanked, same state or not. This can be achieved when financial institutions cooperate through open access to a directory, since all nonbank P2P providers ultimately use a bank to conduct the business of processing payments.

There is an option that could surpass directory deliberations. Bitcoin's blockchain technology, like cash, can eliminate middle participants—like cash, it is finality of good funds, sender to recipient, instantly. Perhaps the directory will be technology nonpartisan and connect all payments. Until then, I'll keep crossing my fingers when the paperboy shows up.

By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 28, 2015 in P2P, payments

June 22, 2015

The Current Tokenization Landscape in the United States

Last fall, Take on Payments featured a three-post series on tokenization. The first post introduced the technology regarding payment credentials and noted that merchant-centric tokenization solutions came to the market in the mid-2000s, driven by the Payment Card Industry Data Security Standard (PCI-DSS) requiring merchants to protect cardholder data. The second post examined some of the distinguishing attributes of payment token solutions in mobile wallets that were developed to replace the payment card's primary account number (PAN) with a token so the presence of the cardholder's PAN would be minimized or eliminated in the payment's data transmissions. The final post examined the challenges of payment tokenization and discussed its effect on payment risk over the short term.

Working with the Mobile Payments Industry Workgroup (MPIW), the Federal Reserve Bank of Boston's Payments Strategies group and the Federal Reserve Bank of Atlanta's Retail Payment Risk Forum just released a comprehensive white paper on the current tokenization landscape in the United States. Based on our research and interviews with more than 30 payment stakeholders, the white paper is written for a broader audience of industry stakeholders, policymakers, and regulators. It provides an overview of the U.S. payment tokenization landscape for mobile and digital commerce (versus physical card payments), describes the interoperability of different tokenization systems, and examines the status of these 30 stakeholders' implementation plans.

The paper discusses the many benefits, challenges, gaps, and opportunities of tokenization from the perspectives of the major industry stakeholder groups, while acknowledging that there is not always full agreement on current approaches or underlying details. The goal in authoring this paper is to encourage further collaboration among the stakeholders to resolve differences to the mutual satisfaction of stakeholders in the industry and to provide what is best for consumers.

Tokenization in mobile payments is just a very small part of the potential impact that tokenization can have in reducing fraud in the overall payments environment, but it is a start in a payments channel that is expected to grow significantly in the years ahead. We hope that you find the paper informative and feel free to contact us if you have any questions.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 22, 2015 in payments

February 23, 2015

Payments Stakeholders: Can't We All Just Work Together?

Coming together is a beginning; keeping together is progress; working together is success.
 – Henry Ford

In my physics classes at Georgia Tech, I found the principles around forces, momentum, and energy sometimes difficult to comprehend and distinguish. But I readily grasped a simplified version. I understood that if people apply their combined energy in the same direction, they can move the object of their attention to a designated spot faster and easier than if any of them tried it alone. And if they directly oppose one another or exert their efforts in different directions, the movement of the object is slow, its route is haphazard, and it may never reach its intended destination.

This last situation sometimes occurs with different groups of payments stakeholders—most notably, but not exclusively, the national card brands, along with their financial institution clients, and the merchant communities. Amidst all the charges and countercharges between the groups, it sometimes appears that these stakeholders are pushing in different directions—so the industry seems to be making little progress toward adopting payments standards and practices or fraud prevention solutions, for example.

An important payments risk issue affecting multiple stakeholders is card-not-present (CNP) fraud, which is expected to increase significantly after the United States migrates to EMV chip cards. We learned this from the experiences of other countries that have completed their migration. What happens is that EMV cards essentially close the door on the criminals' ability to create counterfeit EMV cards, so they shift focus to CNP opportunities.

Merchants contend that EMV card migration primarily benefits the card issuers since, for counterfeit-card-present (CCP) fraud, the issuer normally takes the loss—and EMV makes CCP fraud much less likely. Another way merchants may view EMV as being more issuer-friendly is that they must bear card-present fraud loss if they don't upgrade their terminals—at their expense—once the October 2015 liability shift goes into effect. So not only do they face increasing liability for card-present transactions, they will continue to be held responsible for the expected increase in CNP fraud losses.

The card brands and financial institutions counter the merchants' position on a number of fronts. For example, they point to the massive payment card data breaches that took place in 2014 at national merchants, saying these events eroded consumers' confidence in payment cards. Migrating to EMV cards and eventually replacing the magnetic stripe will provide clear improvements to payment card security, which will in turn increase consumer confidence in the safety of using cards. And that will benefit all stakeholders in this payment system. In addition, card brands and financial institutions are taking steps to help mitigate CNP fraud: they have invested heavily in several products and are collaborating with third-party providers to develop better customer authentication solutions to ultimately reduce the risk of CNP transactions for all stakeholders.

Disagreements among stakeholders will always exist, especially on elements that have a major financial impact on their businesses. However, there must be a diligent and ongoing effort by all parties, working together and with the same goal, to find areas of common ground that will result in a more secure payments environment.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 23, 2015 in cards, chip-and-pin, EMV, payments

February 2, 2015

Does More Security Mean More Friction in Payments?

In a 2014 post, we discussed the issue of consumers' security practices in light of the regulatory liability protection provided to consumers, especially related to electronic transactions. Recognizing that poor security practices will continue, financial institutions, merchants, and solution vendors continue to implement additional security and fraud deterrence tools in the payment flow. Sometimes those tools can add complexity to a financial transaction.

One of the critical elements in a consumer's experience when performing a financial transaction is the concept of friction. In the payments environment, friction can be measured by the number and degree of barriers that impede a smooth and successful transaction flow. Potential causes of friction in a payment transaction include lack of acceptance, slow speed, inaccuracy, high cost, numerous steps, and lack of reliability. We usually think that to decrease friction is to increase convenience.

As the level of friction increases, consumers become more likely to rethink their purchase and payment decisions—an action that merchants and financial institutions alike dread because an abandoned payment transaction represents lost revenue. Individual consumers have their preferred payment methods, and their perspective of the convenience associated with a particular method is a key factor in their choice. For this reason, the payment industry stakeholders have been working diligently to reduce the level of friction in the various forms of payments. Technology provides a number of advantages, potentially reducing the overall friction of payments by providing consumers with a variety of payment form factors. For example, smartphones can support integrated payment applications allowing the consumer to easily call up their payment credentials and execute a payment transaction at a merchant's terminal. With abandonment rates as high as 68 percent, online merchants, working diligently to reduce friction, are streamlining their checkout process by reducing the number of screens to navigate.

Clearly cognizant of the friction issue, the industry has focused much of its efforts on operating fraud risk tools in the background, so that customers remain unaware of them. Other tools are more overt—biometrics on mobile phones, hardware tokens for PCs, and transaction alerts. But some security improvements the industry has undertaken have resulted in more friction, including the EMV card. A consumer must now leave the EMV card in the terminal for the duration of the transaction when previously all the consumer had to do was simply swipe the card. It will be interesting to see if and how consumers adjust their payment habits should they view the EMV card technology as high in friction. Will this motivate consumers to move away from card-based payments? Time will tell, and we will closely follow this issue.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 2, 2015 in biometrics, chip-and-pin, EMV, innovation, payments

You've touched upon an important continuing battle. The balancing act of maximizing conversion vs. maximizing security/fraud prevention can be a real conundrum. It impacts revenue and can even divide offices. It comes down to what your product/service is, what your appetite for risk is, and what tools you have in place. It is important though for financial institutions and ecommerce companies to seek out new technology solutions to maximize security and not be stagnant with the status quo.

Posted by: Logan | February 3, 2015 at 07:46 PM


October 27, 2014

ISO 20022 in the United States: What, When, Why, and How?

At the October 2014 Sibos conference in Boston, there was considerable discussion about the International Organization for Standardization (ISO) 20022 standard, which many major non-U.S. financial markets began moving toward a few years ago. ISO 20022 is a public international standard for financial sector global business messaging that facilitates the processing and exchange of financial information worldwide.

In Canada, adoption drivers include the use of domestic messaging standards in proprietary ways that created inefficiencies and the need for enhanced remittance data to add straight-through processing and automated reconciliation, according to a Canadian speaker at the conference. A speaker from Australia explained how the new real-time payment system that country is building will use ISO 20022, and one of the drivers is the desire for rich data to enable automation.

The United States is behind in the adoption curve, which raises the question, why? Several Sibos sessions included discussion of a study commissioned by an industry stakeholder group and conducted by the advisory firm KPMG. (The stakeholder group—which consists of representatives from the New York Fed, the Clearing House Payments Company, NACHA–The Electronic Payments Association, and the Accredited Standards Committee X9—formed to evaluate the business case of U.S. adoption of the ISO 20022 standard.)

KPMG interviewed participants of markets already moving toward adoption and found that adoption was largely driven by both infrastructure change, as in the Australian example, and regulatory requirements. In addition, many U.S. firms, beyond the large financial institutions and corporations, lack in-depth knowledge about ISO 20022. Two additional barriers in the United States are (1) the exact costs of ISO 20022 implementation are difficult to pinpoint, in part because they vary by participant, and (2) the country has no industry mandate for adopting the standard.

In one conference session, a speaker categorized some of the strategic reasons the United States should move forward, framing them in terms of the risks of nonadoption. These reasons include:

  • Commercial reasons: The U.S. industry will have to bear the incremental costs of maintaining a payments system that does not integrate seamlessly with an emerging global standard.
  • Competitive reasons: Many countries are experiencing such benefits of the ISO standard as increased efficiencies and rich data content, but U.S. corporations and financial institutions will fall farther behind.
  • Policy reasons: The U.S. market will become increasingly idiosyncratic, with more payment transactions conducted in currencies other than the U.S. dollar.

Recommendations from the KPMG study include initiating adoption of the ISO 20022 standard in this country first for cross-border activity, starting with wires, and then ACH. The U.S. industry should then reassess domestic implementation.

Because communication is keenly important to overcoming the lack of knowledge of ISO 20022 in the U.S. market, the stakeholder group is currently focusing on educating affected groups about the key observations and findings of the KPMG study.

No particular timetable or course of action has been determined for U.S. adoption, which makes it the ideal time for industry input. What's your institution's perspective on the adoption of the ISO 20022 standard in the U.S. market?

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 27, 2014 in financial services, payments, regulations

April 7, 2014

Learning from Experience to Handle Suspicious Payment Transactions

In a post earlier this year, we addressed the difficulty of identifying and tracking remotely created checks (RCCs) in the payments stream. Electronic payment orders (EPOs), which are electronic images of "checks" that never exist in paper form, are another payment vehicle difficult to identify and track. EPOs can be created by the payee as an image of an RCC, or created and electronically signed by the payer.

Financial institutions have to address all suspicious payment transactions, whether they occur with traditional payments, like checks and ACH, or with these new variants, the RCCs and EPOs. Institutions rely on a variety of ways to become aware of suspicious payment transactions:

  • The institution's anomaly detection processes highlight transaction patterns that are atypical for a customer.
  • A bank customer contacts the bank after identifying an unauthorized transaction on the bank statement.
  • Consumer complaints about a business suddenly increase.
  • Another institution contacts the bank with concerns about a particular business.
  • The bank becomes aware of legal actions taken against a business.
  • Returns for a business's payment transactions increase.

Regardless of payment type, institutions can apply the simple approach in this diagram to handling suspicious payment transactions.

[Diagram: handling suspicious payment transactions]

When an institution becomes aware of suspicious transactions, its first step is to take care of the customer. This may include returning transactions, placing stop payments, monitoring account activity, addressing security protocols, or changing authentication tools.

The next step would be to reach out to other institutions, law enforcement, and regulators. Other institutions may not be aware of the issue and can assist with resolving the customer’s concern and addressing the underlying cause of the problem. Support for information sharing between financial institutions includes the safe harbor provisions within Section 314(b) of the U.S. Patriot Act. Submitting suspicious activity reports, or SARs, and contacting appropriate law enforcement such as the local police or FBI enables law enforcement to address fraudulent behavior, monitor the extent of the fraud, and address areas of concern that are affecting multiple institutions. Information-sharing groups, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and BITS, are other important avenues.

Critical to the approach is the importance of the affected institution consistently adjusting its identification processes based on its experiences with suspicious transactions. For example, if the anomaly detection system has default settings for origination volume or return rates, and the institution learns that those settings were ineffective in identifying a problem, then the institution should adjust the settings.

As the payments industry continues to evolve, with newer payment types such as RCCs and EPOs, criminals will find new ways to use them to their benefit. And as perpetrators of fraudulent payments adjust their approaches, a financial institution must also be a "learning" institution and adjust its approach to identifying the suspicious payments.

How often does your institution adjust its processes for handling suspicious transactions based on current fraud experiences?

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 7, 2014 in fraud, payments, remotely created checks

March 25, 2013

What's Next in Mobile Payments?

I recently participated in two banking conferences that displayed the full spectrum of strategic options and plans of banks regarding mobile payments. The first event was the annual operations/technology conference of a statewide bankers' association with all the attendees being small- to mid-sized community banks. All these banks currently offer an online banking application to their customers; about half of these have customized their online banking application for mobile device usage. Only one bank indicated they had a mobile payments application currently in operation. I was surprised to find that only a couple other banks planned to offer a mobile payments application within the next 12–18 months.

Later in the day, a panel of four MBA graduate students from a prestigious business school of a private southeastern university gave their views on mobile payments. The objective of this panel was to help the bankers understand the key drivers of this demographic's banking relationships and needs. All four panel members indicated they frequently accessed their banks' online banking services with their mobile devices as well as their laptops and tablets. They also unanimously stated they would switch financial institutions if the banks didn't offer the service or if they began charging a fee for the service. Interestingly, only one panelist used the mobile payments application from his bank, and his usage was infrequent. The reasons the panel members gave for their disinterest in mobile payments included difficulty of use of a mobile phone versus a laptop or tablet for bill payment or little need for the service because they found their existing payment methods to be as or more convenient.

At the Bank Administration Institute's (BAI) Payments Connect 2013 conference the following week, a featured track of the two-and-a-half-day event was the wide range of marketing, operational, risk, and technology issues related to mobile banking and payments. The prognosis for mobile payments couldn't have been more optimistic, with a number of panelists declaring that the tipping point for mobile payments had been realized earlier in the year. They credited the adoption rate for smartphones and other indicators they believed to be key drivers. Of course, we have to realize that many expressing such optimism worked for a company that has a vested interest in the success of mobile payments. However, that optimism was supported by a number of research studies delivered during the conference that concluded that the rate of smartphone penetration, the growing volume of mobile payment transactions, and overall consumer attitudes would translate to successful mobile payments programs.

One of the questions bankers frequently asked during the BAI conference was what a panelist would recommend the bank do regarding their mobile payments strategy. While there were some slight variations, panelists consistently responded that banks should get involved now and try a number of different, small-scale strategies. Several panelists used the gambling analogy of placing a distributed number of bets of small amounts rather than going "all in" with one particular mobile payments scheme. They acknowledged that the technology winner(s) of mobile payments was far from certain at this point, with near field communication, QR codes, and cloud options all in different states of adoption and each with their individual advantages and disadvantages.

The practice of "spreading your bets" is certainly a valid risk management strategy, but how practical is such a strategy for small financial institutions? The large banks have their research-and-development budgets, IT development staff, and other resources that allow them to participate in multiple pilot programs, but smaller institutions do not have such resources. Most would be able to offer only a mobile payments program supported by their core application processing provider.

As with many new payment products in the past, larger banks have led the initial efforts, and the smaller banks followed suit after customer demand for the service became more certain and with the realization that not offering the service would put them at a competitive disadvantage. Could this be the reason many banks, especially the smaller ones, have been sitting on the sidelines for now until the mobile payments picture becomes a bit clearer? Let us know what you think.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 25, 2013 in mobile banking, mobile payments, payments



January 7, 2013

Boston Fed on mobile phone technology: "Smarter than we thought"

When it comes to mobile payments security, will the most secure solution win out, or will convenience rule the day? Mobile payment services are coming to market, however slowly, and as they do, security in supporting technology platforms is a critical consideration for merchants and consumers. In fact, many consumer surveys, such as this one released by the Federal Reserve Board, have reported that U.S. consumers consider security to be an important factor when deciding if they will use a mobile device to access financial information or engage in a payment service. Because security is a major contributor to the success and ultimate broad adoption of mobile payments, Boston Fed researchers examined how the primary technologies supporting mobile payments at the merchant point-of-sale address payments security. These technologies include near-field communication (or NFC) and cloud solutions.

This post looks at some of the high points of a paper written by the Boston Fed researchers about their analysis. The paper, published November 2012 and titled "Mobile phone technology: 'Smarter than we thought,'" discusses the unique characteristics of each technology and why security practices will vary accordingly.

NFC mobile payment options vary in security and convenience
The three primary approaches to NFC mobile payments all involve storing payment credentials in an encrypted smart card chip within the mobile phone. This chip, also known as the "secure element," may reside in the subscriber identity module (SIM) card, it may reside in the micro secure digital (SD)—or memory—card, or it may be hardwired into the actual device. Each of these approaches has benefits and disadvantages with respect to convenience and security.

For example, the SIM card's storage capability provides an additional layer of security. The wireless carrier can manage the SIM card remotely to prevent unauthorized access if the phone is lost or stolen or if the SIM card is removed. In other words, the mobile network operator controls access to the SIM card, which, depending on your perspective, may also be a drawback.

The memory card is also portable and communicates with apps to enable mobile payments. This method can be speedy to deploy. As a result, several U.S. banks, card networks, and transit authorities have piloted solutions using memory cards. However, these cards typically support only a single application or payment account, so they may not be the best long-term solution. Furthermore, their portability presents security concerns because there is no lock or PIN to prevent removal of the card from the phone and then subsequent unauthorized access to the payment information stored within it.

The third approach has the chip soldered into the hardware, making it relatively tamper-proof. Although it is less costly than the other NFC options, it provides no portability feature. So despite the stronger security features, this lack of portability makes this approach inconvenient because consumers cannot easily transfer payment credentials and applications when they switch phones.

Mobile payments in the cloud: A new security paradigm
While industry stakeholders were discussing the security options of NFC technology deployments, new alternatives emerged that rely on cloud computing. In cloud-based payment business models, the consumer's payment credentials are stored remotely on a server—which a merchant or payment services provider manages—as opposed to on the phone's hardware. Cloud-based services are less costly to deploy than NFC-based services. In addition, because they are hardware-agnostic, they are essentially portable and convenient for the consumer. In some ways, cloud-based payments can be more secure than in-phone solutions, since the consumer's payment credentials are not stored in the mobile phone and are not potentially exposed during transactions. However, it is still necessary to take steps to secure the remote storage of payment credentials and other important data. And, as the paper notes:

There are still many unknowns to be addressed. Because payments data can be compromised in the cloud, it is essential that: 1) payments data is not transmitted via SMS [short message service, or instant messaging] or email because these platforms are not encrypted; and 2) payments to the cloud are transmitted between secure, encrypted endpoints handled either by mobile carrier data networks or merchant-provided secure Wi-Fi hotspots, and are not transmitted unencrypted over any network.

Data privacy remains a critical concern
Cloud providers have a responsibility to protect consumer data. They must comply with privacy laws and obtain explicit permission before sharing data or mining it for other monetization opportunities. Ultimately, cloud providers must make sure that the underlying payment services are secure and resilient.

When it comes to new mobile payment methods in the cloud, how will we make sure that cloud service providers are fulfilling these responsibilities? This new paradigm requires new processes for vendor management, especially for banks in mobile payments. Banks will need to be able to demonstrate to regulators that they have conducted a comprehensive risk assessment on service offerings and done third-party due diligence at the onset of an outsourced relationship. Regulators must provide ongoing oversight for financial stability and fulfillment of contractual responsibility.

Complex business models likely will use combinations of technology
As the paper notes, it is likely that we will see hybrid models that use both NFC and the cloud for managing different pieces of information associated with a payments transaction. As we noted in a previous post, there are benefits and challenges to both NFC and cloud technologies. Numerous complex variables are at play when it comes to their security environments. As these technologies are likely to coexist, it will be important to understand the underlying security features as new mobile payment solutions come to market in the future.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

January 7, 2013 in consumer protection, mobile banking, payments

