Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
February 28, 2011
Gains made in reducing identity theft, but significant fraud losses still loom
Was it a mere coincidence that the day following the release of Javelin Strategy & Research's 2011 Identity Fraud Survey Report, CNBC aired American Greed: Operation Get Rich or Die Tryin'? This show examines Albert Gonzalez's hacking into the computer networks of retailers (most notoriously, TJX Companies) and a payment processor (Heartland Payment Systems) and the subsequent extensive fraud using compromised credit and debit card information.
While the CNBC story was intriguing, Javelin's 2011 report just might be even more intriguing given the surprising results that identity thefts and the related losses in 2010 were at their lowest levels since 2003, when the survey began. In 2010, the incidence rate for existing card account fraud stood at a lowly 2.3 percent and only 7 percent of consumers were notified of a data breach, compared to 11 percent in 2008. While many factors are responsible for these low levels, it seems that preventive and detection measures by financial institutions, merchants, and consumers are playing a positive role. However, the fact remains that in the current magnetic-stripe environment, all parties could still experience significant losses from counterfeit cards if a large data breach were to occur.
Merchants and PCI implementation: Success in reducing data breaches
At year-end 2010, Visa reported that 96 percent of its Level 1 and 2 merchants (merchants with more than 1 million transactions a year) were compliant with the Payment Card Industry Data Security Standard (PCI DSS), and 100 percent had been validated as not storing prohibited data. For smaller merchants (Level 3 and 4), Visa reports moderate PCI DSS compliance but does not offer any figures. Watching the CNBC special, one gets a harrowing sense of the amount of card and personally identifiable data that merchants and processors store, sometimes without even encrypting it. The PCI DSS was put into place not only to require the encryption of data, but also to prohibit the storage of certain sensitive cardholder authentication data such as full magnetic-stripe data, CVV2 codes, and PINs. If a PCI DSS-compliant merchant were hacked, it would be much more difficult to perpetrate a fraud as extensive as the one Albert Gonzalez and his accomplices pulled off. It’s possible that these strict data standards have been effective in thwarting fraudsters and hackers.
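As an added illustration (not from this post, Visa, or the PCI Security Standards Council), here is the kind of check a merchant or assessor can run over stored records to catch the sensitive authentication data the post says PCI DSS prohibits retaining: full track 1 or track 2 data, CVV2-style codes, and PINs. The sample records and field names are constructed; a Luhn check keeps random digit runs from being reported as card numbers.

```python
import re

# Constructed sample records, resembling what a careless POS or processor log might hold.
SAMPLE_RECORDS = [
    "2011-02-28 12:01:03 auth ok pan=4111111111111111 last4=1111",      # PAN only (must still be protected)
    "2011-02-28 12:01:05 raw=%B4111111111111111^DOE/JANE^2512101?",      # full track 1: prohibited
    "2011-02-28 12:01:07 raw=;4111111111111111=25121011234567890?",       # full track 2: prohibited
    "2011-02-28 12:01:09 order=12345 cvv2=123 amount=19.99",              # CVV2 stored: prohibited
    "2011-02-28 12:01:11 order=12346 pin=4321 status=approved",           # PIN stored: prohibited
    "2011-02-28 12:01:13 raw=;1234567890123456=2512101?",                 # track-shaped but not Luhn-valid
]

# Track 1 starts with a format code (%B), PAN, field separators (^) around the name, then expiry.
TRACK1 = re.compile(r"%[A-Z]\d{13,19}\^[^^]*\^\d{4}")
# Track 2 starts with ';', then PAN, '=' separator, then expiry.
TRACK2 = re.compile(r";\d{13,19}=\d{4}")
# Hypothetical field names a log might use for card verification codes and PINs.
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
PIN = re.compile(r"\bpin(?:block)?\s*[=:]\s*\w{4,16}\b", re.IGNORECASE)
PAN_RUN = re.compile(r"\d{13,19}")


def luhn_ok(digits):
    """Luhn mod-10 check: True when the digit string could be a real card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_prohibited(record):
    """Return the categories of prohibited sensitive authentication data found in one record."""
    found = []
    for name, rx in (("track1", TRACK1), ("track2", TRACK2)):
        m = rx.search(record)
        if m and luhn_ok(PAN_RUN.search(m.group(0)).group(0)):
            found.append(name)
    if CVV.search(record):
        found.append("cvv2")
    if PIN.search(record):
        found.append("pin")
    return found


def scan(records):
    """Map record index -> list of prohibited data categories, for records that have any."""
    hits = {}
    for i, rec in enumerate(records):
        found = find_prohibited(rec)
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for idx, cats in scan(SAMPLE_RECORDS).items():
        print(f"record {idx}: prohibited data stored: {', '.join(cats)}")
```

The PAN-only record is deliberately not flagged: PCI DSS permits storing the PAN if it is rendered unreadable, so a separate check for unencrypted PANs belongs alongside this one.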
Financial institutions and consumers working together to reduce detection times
Not only is the incidence of existing card account fraud, and the related losses stemming from identity theft, at an all-time low, but the detection time—and subsequent losses—for this type of fraud is significantly shorter than for existing noncard fraud and new account fraud. According to Javelin, 31 percent of all existing card fraud is detected within a day or so, and nearly another 30 percent within a week. The top three fraud detection methods as reported by Javelin are notification of the consumer by a financial institution, the consumer's monitoring of accounts through paper statements, and the consumer's monitoring of accounts through electronic means or an ATM. With increased availability, and consumer usage, of online and mobile banking, consumers can more easily monitor their accounts and more quickly identify fraudulent transactions than with the traditional method of a monthly paper statement. Many financial institutions are also being proactive in their battle against fraud by using the mobile channel to push notification alerts of potentially fraudulent transactions to the consumer. According to Javelin's 2010 Banking Identity Safety Scorecard, 85 percent of the top 30 banks or credit unions offer mobile phone alerts.
Still vulnerable from the mag stripe, but where to go from here?
Even though we've taken great strides to reduce identity theft and related fraud losses, we can't make the same claim for card technology in the United States. As history shows us, fraudsters are often a step ahead of the industry. And unfortunately, implementation of new standards and technology is often reactive to the latest fraud rather than proactive to fraud that could happen. As long as the United States remains a magnetic-stripe country, we'll continue to have the risk for widespread fraud losses from the counterfeiting of magnetic-stripe cards.
Visa recently recognized the importance of chip-and-pin along with PCI DSS compliance when it announced its Technology Innovation Program (TIP). With TIP, merchants will no longer have to go through costly annual PCI DSS validation if 75 percent of their Visa transactions are completed at chip-and-pin-enabled terminals—but TIP is not available to merchants in the United States. Though much has been written about the lack of a business case for contact or contactless chip form factors in the United States, will continued mag-stripe fraud and the potential for even larger losses—all while the rest of the world migrates to chip-and-pin—finally build that case?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 22, 2011
Third-party service provider risk and the Unfair and Deceptive Acts and Practices rule
Financial institutions and other financial service providers commonly provide products and services through arrangements with third parties. When appropriately managed, third-party relationships can enhance competitiveness and diversification of goods and services. However, these third-party arrangements, absent adequate risk management controls, can expose companies to reputational, operational, and compliance risks.
One possible measurement of a financial institution's reputational risk is how well the institution complies with the Unfair and Deceptive Acts and Practices (UDAP, or Regulation AA). While UDAP applies more specifically to credit card issuers and consumers regarding disclosure rules and restrictions on lender practices, it can also apply to third parties when a financial institution outsources functions of its card programs—for example, credit or stored value.
Increased use of third-party arrangements in consumer products
The Federal Deposit Insurance Corporation (FDIC) recently examined how financial institutions have used third-party providers to roll out new and innovative products and services during the current economic challenges. The FDIC released its findings in the Supervisory Insights Winter 2010 newsletter, which revealed that financial institutions are increasingly relying on third-party vendors. Specifically, over 60 percent of credit card programs that financial institutions offer are the assets of third parties. Additionally, of the 19 percent of financial institutions surveyed that offered stored-value cards, 94 percent involved a third-party service provider.
Costly lessons for violating UDAP
Noncompliance with UDAP generally occurs when, for example, a financial institution outsources the development and administration of a new credit card product to a third party unfamiliar with the necessary disclosure requirements regarding finance charges and fees. Complaints alleging UDAP violations generally stem from credit card marketing products released by a financial institution’s third-party vendor. These types of practices can potentially expose a financial institution to a host of legal and regulatory sanctions.
Recent enforcement actions against financial institutions that have violated UDAP due to poor oversight of third-party service providers have proven costly. If a financial institution insufficiently supervises a third-party vendor engaging in acts that meet the standards for deception—for example, the third party knowingly uses representations or omissions likely to mislead a consumer—it could face enforcement action.
Incorporating UDAP risk into an existing vendor-management risk tool kit
Data security is certainly an integral aspect of managing third-party service provider risk, but it is only one part of the picture. By also including UDAP risk management in their tool kits, financial institutions can better position themselves to manage their overall risk in relation to third-party service providers.
In recent years, the FDIC and the Board of Governors of the Federal Reserve System released joint guidance on the need for a financial institution to include UDAP risks with regard to third-party service providers. Some of the key components the guidance identifies are maintaining awareness of the risks associated with outsourcing, establishing controls over such relationships, exercising proper due diligence when identifying, selecting, and maintaining a third party, and creating comprehensive written contracts.
The joint guidance recommends that the financial institutions relying on third-party service providers maintain UDAP compliance by paying close attention to the service providers' card program promotional materials, advertisements, claims, and representations that could mislead a target audience regarding the cost, availability, or terms of the product or service.
Taking the needed precautions
By outsourcing to a partner, a financial institution places a great deal of trust in that provider, but that's no excuse for poor due diligence and oversight, which could readily lead to violations of the UDAP. The financial institution successfully monitoring its UDAP compliance specifically tailors its approach to the third party with which it has a relationship.
Financial service providers must look beyond the data protection measures of third-party service providers to ensure they are also in compliance with UDAP requirements.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
February 14, 2011
Can mobile address the rising tide of fraud in card-not-present transactions?
Combating fraud in credit and debit card payments is a challenge for all payment system participants, from the banks that issue the cards to the merchants that accept those cards as payments for goods and services. One particularly troubling channel, with a rising incidence of card fraud, is on the Internet. Retailers are increasing their efforts to attract customers online with discounts, online-only specials, and free shipping and returns. While the use of cards for website payments, also known as card-not-present (CNP) transactions, is inherently riskier than face-to-face transactions at a merchant's point-of-sale, the dramatic rise in e-commerce suggests it is a trend that is here to stay. As the mobile channel develops for card payments, can the security capabilities of mobile handsets protect consumers against CNP fraud?
CNP fraud: The U.K. experience
While data regarding fraud loss and mitigation costs are hard to come by in the United States, the U.K. Card Association gathers information that we can use as a good proxy for gauging experiences in other markets. This organization found that as the Internet environment has become an increasingly hospitable environment for commerce, CNP has risen dramatically, from just 16 percent in 1999 to 60 percent of total card fraud losses in 2009.
As we noted in an earlier 2010 post, CNP fraud escalated when the U.K. migrated from magnetic stripe technology to credit cards with microcomputer chips. Consequently, the more secure technology at the point of sale drove fraudsters to the more vulnerable online channel.
However, the U.K. took quick action against CNP fraud, implementing better screening and detection tools and, in 2009, U.K. CNP fraud actually declined 19 percent.
Though not directly measurable, industry experts agree that CNP fraud has made its way to the United States, where magnetic stripe card technology remains prevalent. In fact, according to the U.K. Card Association's 2010 report, the majority of online payment fraud involves the use of card data obtained through illicit means such as card skimming, a crime that chip technology actually mitigates.
Growing Internet sales and CNP: A perfect storm?
According to a report by Javelin Strategy & Research, which forecasts online retail payments, the United States has fostered a robust online transaction market in recent years despite the economic downturn. This trend is expected to continue as consumers and merchants alike become increasingly comfortable conducting e-commerce for everyday goods and services.
The proliferation of smartphone applications for retailer websites along with a broader use of social media to distribute coupons and loyalty rewards are working together to drive consumers to shop online where card payments are widely accepted.
As merchants embrace a rise in retail sales, how do we mitigate the growing threat of CNP fraud in the United States?
Mobile security advantages
One benefit of a contactless mobile payments system is the potential to reduce fraud by eliminating magnetic stripe technology in favor of more intelligent chip technology, which has better security features for combating CNP fraud. The future mobile payments system introduces the ability to layer security tools unique to both the hardware and software resident in the mobile handset. Furthermore, the chip that enables the payment can contain account credentials and additional authentication factors, including location awareness applications, which can enhance the security of the payments transaction.
It is time that merchants, issuers, and payment regulators seriously consider the growing threat of CNP fraud in the debate on how and when to move to more secure payment methods.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
February 7, 2011
Cash acceptance: A risky proposition for merchants
This blog frequently deals with the risks of electronic transactions—debit and credit card payments, mobile payments, international money transfers, etc. These modern instruments often replace cash, a payment method with its own, sometimes overlooked, risks. While new threats against electronic payments continue to emerge, the transition away from cash may drive down other important risks. Robbery, employee theft, and counterfeit currency are key threats facing merchants and others who accept cash for payment.
More robberies (lower tips)
Businesses dealing primarily in cash run increased risks of robbery. The Occupational Safety and Health Administration (OSHA) lists handling cash as a major risk factor in workplace violence, primarily due to the danger of violent robbery. The Centers for Disease Control and Prevention (CDC) recommends moving to cashless transactions when possible to decrease workplace violence, further supporting OSHA's assessment. Taxi driver, retail and convenience store worker, and restaurant delivery worker are all occupations vulnerable to violence because they exchange cash directly with the public. According to the Department of Justice, taxi drivers suffer the highest rate of robbery of any profession, along with a high rate of robbery-motivated assault and homicide. OSHA recommends that cab drivers shift to credit card payments to mitigate these risks. The Center for Problem-Oriented Policing also suggests that convenience stores limit cash in the till and taxis eliminate cash payments to deter robbery.
However, merchants have largely failed to implement these recommendations. The Police Chief Magazine found that while cash control is the most effective strategy in reducing robberies, it is also the least frequently implemented. Regulation seems to be the most effective way to discourage the acceptance of cash payments. In New York City and Philadelphia, for example, local authorities require taxis to accept credit and debit card payments. These cities met with stiff resistance from drivers at first, but the realization of other benefits, including higher tips, has led to broader acceptance of the mandate. Anecdotal evidence suggests that crime may already be decreasing as a result of the shift away from cash to credit and debit card payments in recent decades.
More employee theft
The 2009 National Retail Security Survey finds that employees were responsible for 43 percent of inventory shrinkage, or theft, resulting in an annual cost to retailers of $14.4 billion. Although this survey focuses on inventory losses, it also indicates that employees pose the single greatest threat of losses for retailers. Cash is more vulnerable to employee theft than electronic payment methods because unlike cards, cash does not leave an electronic audit trail. Card payments are also automatically deposited to merchant accounts, while cash must first pass through employee hands, where it can be pilfered.
Merchants that accept cash payments occasionally suffer losses from accepting a counterfeit note. The Federal Reserve Bank of Chicago found that there is a low incidence of counterfeits in U.S. currency: fewer than one in 10,000 notes, by both volume and value, is counterfeit. Actual losses were lower still, as many low-quality notes can be detected with basic anti-counterfeit procedures. However, according to the Secret Service's Annual Report, the agency removed more than $182 million of counterfeit currency from circulation in 2009, more than double the amount recovered in 2008. Although these losses may be small relative to the entire economy, individual businesses can still experience nontrivial losses, like the bar in New York that received $700 in counterfeit bills in one night last year.
Cash acceptance entails risks distinct from those related to electronic payments. While it is unlikely that any merchant can eliminate all cash transactions, key questions have yet to be answered. Are merchants underestimating the risks posed by cash acceptance? How can the industry and regulators move to mitigate the risks posed by cash acceptance? While there are many possible responses, the most effective answer may lie in the adoption of technology emphasizing the use of debit, credit, and prepaid cards.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed