Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


May 31, 2011


Stemming the rising tide of card breach incidents: PCI compliance or chip-and-pin?

Incidents of card data breaches continue to rise despite industry efforts to safeguard customer payment information in transactions with merchants. Arts and crafts retailer Michaels was the most recent target of a large data breach. The company announced on May 4 that several of its stores, including three in Atlanta, had been victimized by card-terminal tampering and that customer credit and debit card information might have been compromised. The tampering activity enabled card data skimming, a scheme used to clone cards to create new counterfeit cards or to make payments online illegally using the customer's stolen identity.

The Payment Card Industry (PCI) Data Security Council guidelines have promoted advances in the way the industry addresses card data security, but in many ways the PCI guidelines are necessary, unfortunately, only because cards still use mag-stripe technology instead of the more secure chip-and-pin technology, a subject we've blogged on before. With this in mind, is it time to reexamine the long-term effectiveness of PCI guidance as a mitigation for payment card skimming fraud?

The growing incidence of skimming schemes
Criminals have many potential ways to gain access to card data from credit or debit card transactions today. For example, they use various forms of social engineering to install malware over the Internet on victims' PCs and gain access to personal and financial information that they can use to commit payment crimes. Another increasingly worrisome method is card skimming, a scheme that takes place at an ATM or at a merchant's handheld or stand-alone point-of-sale terminal. The criminal either embeds an overlay device in the existing point-of-sale card reader to harvest card data or replaces the PIN pad altogether, swapping it for a bogus reader that collects card data. Data-skimming breaches give criminals the card information necessary to commit identity theft, create counterfeit cards, or make illegal purchases online.

Bankinfosecurity.com describes the growing prevalence of skimming and payment fraud in an interactive 2010 timeline updated through October 2010. The timeline describes reported skimming events and how the businesses and financial institutions were attacked.

The PCI Security Standards Council has developed guidelines to help retailers protect point-of-sale card readers against skimming, including how to detect device tampering. As schemes become increasingly sophisticated, however, these guidelines will likely become less and less effective, a possibility that should give the industry pause to reconsider the value of PCI compliance guidance in light of risk mitigation alternatives such as a migration to chip-and-pin card technology.

Mag-stripe technology and global crime rings: A perfect storm
The continued shift of retail payments from paper to electronic formats makes online channels attractive targets for sophisticated global crime rings. In fact, the 2010 Data Breach Investigations Report published by Verizon attributes 85 percent of compromised records to organized criminal groups. These groups have established their own illicit marketplaces and online forums that serve as social networks for exchanging black-market data harvested in skimming schemes and for trading information on criminal services. The development of this geographically expansive criminal infrastructure online presents global challenges to the law enforcement agencies charged with investigating and prosecuting these crimes. In the future, as credit and debit card data become increasingly valuable commodities in these black marketplaces, merchants and financial institutions will likely face more advanced skimming schemes and possibly more expansive data breaches.

Fighting skimming fraud is challenging but so is technology change
The vulnerabilities inherent in mag-stripe technology are expected to contribute to ongoing skimming attacks in the future, not to mention the associated credit and debit card losses. Other countries, including Canada and many in Europe, that have converted to the EMV chip technology standard have effectively mitigated skimming. (EMV technology relies on an embedded microchip for data storage on the card instead of the magnetic stripe.) As more countries employ EMV, skimming in the United States is expected to rise. In fact, according to a recent article from bankinfosecurity.com, "...skimming has become a staple of Eastern European criminal gangs, who recognize the U.S. is one of the last holdouts on chip and PIN."

However, as my colleague Doug King noted in an earlier post, "the bad news for the United States is that a coordinated effort to migrate to EMV would be very challenging" because of our large number of card networks and payment card issuers, as well as the multitude of acceptance locations in the marketplace. For now, market participants—and in particular, the merchants—will need to be on guard against increasingly sophisticated skimming schemes perpetrated by organized crime rings.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum


Comments

This is a refreshing, plain-talking critique. It goes to the heart of the matter; the rewards for organised crime are simply so vast that a process- and audit-based security regime like PCI-DSS doesn't stand a chance. PCI (like policy-based security generally) mitigates against accidental loss or amateur attack, but it is near useless against concerted sophisticated attacks or inside jobs.

We also need to look a little beyond EMV, because on its own, it still leaves the system open to CNP fraud. The experience worldwide is that organised crime turns to CNP when their skimming methods are throttled by chip cards.

If deployed artfully, chip cards from the EMV system can also thwart CNP attack by introducing strong asymmetric cryptography (digital signing) to Internet transactions.

While the US bricks-and-mortar retail environment faces major switching costs, e-merchants have a wonderful opportunity to foster the use of chip cards to secure payment data in online shopping, for the price of a smartcard reader for each customer. For precedent, online games providers like World of Warcraft already deploy smartcards and readers for their members.

Posted by: Stephen Wilson - Lockstep | June 1, 2011 at 04:21 PM


May 23, 2011


The dilemma of measuring fraud in the U.S. payments system

Growing up, I was fascinated with books about animals, particularly those focusing on totally unique and strange Australian animals. Kangaroos, wallabies, duck-billed platypuses, and spiny echidnas caught my fancy because they were unique, existing nowhere else on the planet. Perhaps one reason I am so fascinated with the U.S. payments system is that it is totally unique and replicated nowhere else in the world.

Limited government engagement in payments system policies
While part of its uniqueness stems from its size and scope, the true novelty of the U.S. payments system lies in its exceedingly free market roots. That is, relative to most other developed countries, our system is very lightly regulated. Certainly, there are a reasonable number of regulations that afford consumer protection, but in the nearly 30 years from 1980 to 2009, Congress only occasionally addressed payments system issues, most notably with the Expedited Funds Availability Act of 1988 and the Check Truncation Act of 2003. One would normally expect infrequent legislative engagement in situations where a strong government regulator was in place, making legislative activity unnecessary, but there is no government agency specifically charged with regulating the overall U.S. payments system.

This arrangement has created an environment where innovation flourishes, but it also has allowed for a bit of a void when the evolution of the payment system creates public policy issues, either internally or with respect to global compatibility. Recent history bears witness to this point as Congress has suddenly become more engaged in passing the CARD Act of 2009, the overdraft legislation of 2009, and the debit card interchange legislation housed in the Durbin Amendment to the Dodd-Frank financial reform legislation of 2010. While each of these efforts was directed at increasing transparency and promoting choice for consumer and business users of the payments system, there has been little effort to address another important public policy issue—the increasing concern over risk and fraud in the payments system.

Through the creation of the National Strategy for Trusted Identities in Cyberspace, the current administration has proactively addressed growing concerns over ID theft in an increasingly electronic and globally accessible payments system. But many other tangential and separate fraud issues loom on the horizon. In tough economic times, however, organizations make difficult choices about the business case behind any fraud mitigation investments. Individual organizations generally have the data necessary to conduct such assessments, but from a broader national viewpoint, precious little data exist on which to base needed public policy analysis. For example, when the Federal Reserve Board, via the aforementioned Durbin Amendment, was handed the responsibility to oversee debit card interchange and fraud management issues, they had no choice but to begin their work by developing and distributing extensive surveys so they could get a handle on experiences in the marketplace.

Lack of a public fraud measurement system
Much of what exists publicly today in terms of payments system measurements and metrics for fraud comes from independent survey work initiated by trade associations or consultants, such as the American Bankers Association, the Independent Community Bankers Association, and the Association for Financial Professionals. While the data flowing from these efforts are extremely helpful, each survey has its own focus, the methodologies differ, and varying levels of voluntary participation affect the statistical accuracy of the results.

In other countries, the government, central bank, or bank-centered payments authorities systematically and accurately gather fraud data and then publish them for all to use in managing their payments portfolios and making technology investment decisions. Recently, I have engaged in discussions with many payments leaders about the dilemma of not having good data on which to base fraud-mitigation decisions, particularly as concern grows over the chip-and-pin card technology being implemented across the globe versus the magnetic-stripe technology used in the United States.

As a result, U.S. decision makers have to examine instances of card fraud mitigation in the United Kingdom, or the Netherlands, or Brazil, or Canada, and opine on whether these foreign experiences are pertinent to this country. Moreover, while we have seen some results of surveys looking at fraud losses, there is almost no public data with respect to the perhaps more critical factor of the costs of managing fraud.

Is it time to address the issue?
I have heard increasing industry concern about this lack of data, to the point where it may be time to ask how such a limitation can be addressed. My sense is that any voluntary private sector effort will continue to be snubbed by respondents who have neither the time nor the inclination to share data that they fear may be made public at the individual respondent level. Additionally, entities that could conduct such work are not positioned to address fraud across all channels, but are likely to focus on a single channel, such as check or credit card.

Perhaps it is time for the government or collective industry groups to address this shortcoming and organize an effort to design and support an approach to collecting statistically accurate, cross-channel payments fraud data to be publicly shared. Metrics stemming from a data-gathering initiative could go a long way toward helping a troubled industry wrestle with the business case behind more aggressive fraud-management efforts.

By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum

May 23, 2011 in fraud, payments systems


May 16, 2011


Practical tips for enhanced mobile security

We recently sat down to talk with Soren Bested to discuss mobile security. Soren, who has more than ten years of experience in high-tech industries, currently serves as managing director of Monitise Americas, a leading provider of mobile banking and payments in both the U.K. and U.S. markets. Mobile security is a hot topic at Portals and Rails. Recent posts have covered common myths about mobile banking and payments and laid out foundational principles for a successful mobile payments ecosystem in the United States. Continuing in this vein, Soren offers some practical tips on using mobile devices to secure financial transactions today.

Mobile security is top-of-mind for consumers, and their concerns about the safety of the mobile channel have limited mobile banking and payments adoption. Soren suggests, however, that mobile has the potential to be "super-secure," and even to enhance the security of existing financial service channels. Financial institutions and technology providers might consider the following recommendations in approaching mobile to take advantage of this potential security.

Match service channel to function
The mobile channel incorporates several different technologies, or service channels: SMS (text messages), mobile applications, and mobile browsers. Each of these service channels has a unique security profile, and as such is best suited to different tasks. SMS, for example, transmits information over the air in an unencrypted format and is therefore inappropriate for carrying payment or personal identification details. However, SMS is perfect for sending notifications because it is immediate, inexpensive, and convenient. Banks might insist that customers use a password-protected mobile application when they conduct more sensitive business, like initiating a peer-to-peer transaction or transferring a balance between accounts. These examples illustrate that the mobile channel cannot be approached with a single security protocol; rather, security practices should be tailored to each channel and its unique risk profile.

Use existing industry security guidelines
Soren advises that financial institutions not reinvent the wheel when they design mobile security. The industry can instead apply established security guidelines: the PCI DSS (Payment Card Industry Data Security Standard) guidelines for card transactions, the SAS 70 operational standards, and the FFIEC standards for multi-factor authentication. Conforming to these existing standards decreases the burden on banks by allowing them to take advantage of existing industry expertise in developing a secure product. Banks can then outsource some security development and auditing functions, in the same way that merchants rely on vendors to ensure compliance with existing PCI DSS requirements. Not only does this improve the customer's security, it also lowers the upfront cost and shortens the time frame to launch a mobile product.

Implement true two-factor authentication
Strong authentication requires multiple distinct factors. Possible factors for authentication include "something you know," like a password or your mother's maiden name; "something you have," like an RSA token or an ATM card; and "something you are," which could be a biometric identifier like a fingerprint or voice pattern. Currently, most online banking security consists of a username and password, and sometimes challenge questions, all of which are things the user knows. This approach is not two-factor authentication but essentially single-factor authentication twice, and as such it offers only limited security. Mobile financial services can incorporate passwords as well, but they can also add the "something-you-have" factor with the mobile device itself. A mobile phone is a personal device unique to the user in a way that computers often are not. While families may share a computer, usually each person has his or her own mobile phone. In addition, technology allows for the unique identification of any mobile device, tying the device to the individual user. Some companies have even experimented with adding a third factor to mobile banking by enabling biometric voice authentication of mobile transactions.

Mobile phones can also increase existing online banking security by acting as a second factor for customer authentication. The user's phone will often be only a few feet away when they log into online banking on the computer, and the user could take a call or SMS to authenticate the session. Mobile technology may be the key that allows banks to fully implement multi-factor authentication, a gold standard of security.
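The factor-counting rule and the device-bound out-of-band step described above, as an added example that is not from the original post or from Monitise: a password plus a challenge question counts as one factor, and the mobile device counts as a second factor only once a one-time code delivered to the registered device has been verified. The credential type names, the 6-digit code format, the 5-minute lifetime and the 3-attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Which factor category each credential type actually proves.  A password
# and a challenge question both live in the KNOWLEDGE bucket, which is why
# "username + password + challenge question" is single-factor twice.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "challenge_question": Factor.KNOWLEDGE,
    "mobile_device_code": Factor.POSSESSION,
    "voice_biometric": Factor.INHERENCE,
}

CODE_LIFETIME_S = 300  # assumed: an out-of-band code is valid for 5 minutes
MAX_ATTEMPTS = 3       # assumed: a challenge locks after 3 wrong guesses


def distinct_factors(credential_types):
    """Factor categories covered by the presented credential types."""
    return {CREDENTIAL_FACTOR[c] for c in credential_types}


def is_multifactor(credential_types):
    """True only when at least two different categories are covered."""
    return len(distinct_factors(credential_types)) >= 2


@dataclass
class DeviceChallenge:
    device_id: str      # device the code was delivered to
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class OutOfBandAuthenticator:
    """Delivers a one-time code to the user's registered mobile device and
    verifies it.  The code proves possession only if it is presented for the
    device it was sent to, is unexpired, and has not been replayed."""

    def __init__(self):
        self.registered = {}  # user -> device_id enrolled at onboarding
        self.pending = {}     # user -> DeviceChallenge

    def register_device(self, user, device_id):
        self.registered[user] = device_id

    def issue(self, user, now):
        """Create a fresh 6-digit code for the registered device.  Returns
        the (device_id, code) pair an SMS or voice gateway would deliver."""
        device = self.registered[user]
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = DeviceChallenge(device, code, now + CODE_LIFETIME_S)
        return device, code

    def verify(self, user, device_id, code, now):
        """Accept only an unexpired, unused code for the registered device."""
        ch = self.pending.get(user)
        if ch is None or ch.used or now > ch.expires_at:
            return False
        if ch.attempts >= MAX_ATTEMPTS:
            return False          # locked: too many wrong guesses
        ch.attempts += 1
        ok = (hmac.compare_digest(device_id, ch.device_id)
              and hmac.compare_digest(code, ch.code))
        if ok:
            ch.used = True        # single use: a replayed code is rejected
        return ok


def evaluate_login(passed_checks, auth, user, device_id, code, now):
    """passed_checks: credential types whose own verification already
    succeeded (password matched, challenge answered).  The device code is
    verified here.  Returns (is_multifactor, proven factor categories)."""
    proven = set(passed_checks)
    if code is not None and auth.verify(user, device_id, code, now):
        proven.add("mobile_device_code")
    factors = distinct_factors(proven)
    return len(factors) >= 2, factors
```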

These are just a few of the ways that mobile technology might lead us to greater security in financial services. But we know many of our readers are also mobile experts, and have even more ideas about enhancing security with mobile. Leave a comment or send us an e-mail with your tips on improving mobile security.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

May 16, 2011 in authentication, mobile banking, mobile payments


May 9, 2011


United front needed to prevent EMV card fraud from picking low-hanging fruit

I was pleased to see in the news recently that Chase and Wells Fargo announced the issuance of EMV chip-enabled cards for several of their credit card portfolios. Though these EMV chip-enabled cards will still have mag stripes and are primarily intended for customers who travel internationally, these announcements represent a positive move toward a more secure payment card environment in the United States.

Based on available data from countries around the globe with EMV experience, EMV chip-enabled cards have been highly successful at reducing counterfeit and lost or stolen card fraud within market. However, these cards have had less impact on overall fraud levels. Fraud has simply shifted to different products (from credit to debit), other channels (from card-present to card-not-present, or CNP), or other geographies (fraud perpetrated abroad).

If the U.S. payments industry does decide to move forward with EMV, the experiences of markets that have already undergone or are undergoing the migration to EMV teach us that issuers, networks, and merchants across all payment channels must make a coordinated effort in order to achieve a positive impact on overall payment card fraud levels. Without coordination, the United States would likely see fraud shifting to other products and channels but not geographies; by then, all developed countries will have converted to EMV, including our neighbors, Canada and Mexico.

EMV migration experience: Card-present fraud shifts to card-not-present fraud
The success of EMV in reducing card-present fraud in countries that have made the move is impressive. Based on the latest figures from the UK Cards Association, face-to-face card fraud at United Kingdom retailers fell by nearly 70 percent after the widespread introduction of EMV in 2004. Yet, during that same time, CNP fraud rose by 50 percent and now represents 62 percent of all payment card fraud in the country. Likewise, according to figures from the Observatory for Payment Cards Security, fraud rates in France on face-to-face transactions with French-issued cards fell from 0.029 percent in 2004 to 0.014 percent in 2009—but then CNP fraud rates for transactions within France rose from 0.177 percent to 0.263 percent. And in Australia, a similar pattern is emerging. According to the Australian Payments Clearing Association's latest release of fraud data for the 12 months ending June 30, 2010, skimming fraud is down significantly, yet overall payment card fraud continues to rise, in part due to a 25 percent increase in CNP fraud.

EMV migration experience: Fraud shifts between products
In Canada, the migration to the EMV standard has been led by the credit networks, namely Visa and MasterCard, which are all but done with the migration. (Liability shift—the movement of liability from the issuer to the merchant—took place March 31.) With a migration completion mandate set for January 2015, Interac, Canada's national debit payment network, has been much slower to migrate to the EMV standard. Criminal Intelligence Service Canada reported a slight decrease in payment card fraud from $512.2 million in 2008 to $500.7 million in 2009. However, as credit cards were the first to migrate, fraud shifted to debit cards. Interac reported a 36 percent increase in fraud in 2009—from $104.5 million in 2008 to $142.3 million. Interac, which is deploying chip-and-pin in earnest now, recently reported a 2010 fraud loss figure of $119 million, down 16 percent from 2009. Australia is seeing a similar development. Scheme debit, credit, and charge cards are in the process of migrating to the EMV standard, while proprietary debit cards continue to use mag-stripe technology. Skimming fraud is down on scheme cards, but proprietary debit cards experienced a 94 percent increase in skimming fraud.

Coordination prevents fraudsters from identifying weakest link
The bad news for the United States is that a coordinated effort to migrate to EMV would be very challenging. First, we have a large number of credit and debit networks, payment card issuers, and payment cards in circulation (including closed-loop prepaid and private label), as well as acceptance locations (including ATMs) in the marketplace. Second, the number of card purchases in a CNP environment through the Internet or mobile device is continuing to proliferate.

But the good news for the United States is that not only can we learn from the experiences of the earlier-adopting countries but we can also take advantage of new technologies coming to market. For example, First Data's EMV Go-Cap and SecureKey's One Tap both work in the CNP environment. Also, as my colleague Cindy Merritt recently blogged on, mobile has great potential to address the increasing fraud in the CNP environment.

If all participants in the payments industry coordinate their efforts while also adopting new technologies, we could keep fraudsters scratching their heads as they search for the lowest-hanging fruit during a U.S. migration to EMV.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 9, 2011 in EMV, fraud


May 2, 2011


The check's in the mail, but it might be fraudulent

Amid the constant hubbub of emerging fraud schemes, research shows us that criminals are rational consumers to the nth degree. They instinctively move to the path of least resistance. While the exciting and glamorous fraud topics today involve wire fraud, account takeovers, ID theft, and skimming, the results of the Association for Financial Professionals' (AFP) annual corporate fraud survey remind us that the most fraud-vulnerable instrument available today is the paper check. Why? Because check fraud is a decidedly low-tech practice whose ingredients include a bit of thievery, a good copying machine, and possibly, but not necessarily, some magnetic ink.

Corporate experiences with check fraud
The AFP's study tabulated survey results from around 400 public, private, nonprofit, and government organizations across a wide range of sizes. Over 70 percent of the respondents reported that they had been the victim of fraud in 2010. Of those, 93 percent reported fraud involving checks, compared to 25 percent with ACH debit fraud and 23 percent with consumer card fraud. Moreover, of the fraudulent methods used, checks also experienced the highest rate of increase, with 30 percent of organizations reporting an increase in check fraud. And check fraud accounted for 53 percent of the reporting organizations’ financial losses. Interestingly, while actual fraud losses were deemed to be modest in total dollar terms, 84 percent of the respondents had made efforts to protect themselves against check fraud by implementing positive pay controls on their corporate accounts; 53 percent had implemented payee positive pay.

Bank experiences with check fraud
The corporate responses synchronized well with the results of the American Bankers Association's (ABA) last deposit account fraud survey in 2009. At that time, 80 percent of respondent banks reported check fraud losses totaling over $1 billion, which is 23 percent higher than losses experienced with debit/ATM cards. Interestingly, there seems to be little evidence in the ABA report or elsewhere to indicate that check fraud stems from abuse of new technology. At the outset of the implementation of the Check 21 legislation, many industry pundits forecast that losses would climb as a result of widespread implementation of remote deposit capture (RDC) technology, but it appears such has not been the case. In fact, several large banks, emboldened by the experiences of pioneers such as USAA, have even extended remote capture into the homes of their depositors, who are armed with the latest in RDC technology: the smart phone.

Yet, there are growing concerns within the industry that the "gild may be off the lily," as the bad guys learn more about the opportunities. A friend and Sunday school classmate of mine who works for a large national bank reported to me that they had been beset over the past few weeks with an interesting scheme involving new account fraud and checks. Individuals have been opening new accounts and obtaining a debit/ATM card at the outset. After making a modest deposit of good funds to open the account, the new customer then used their ATM card to deposit several counterfeit checks at ATM locations. Per the bank’s policy, some or all funds were made available to the customer immediately (depending on the dollar amount of the check). The customer took advantage of that fact, withdrew the maximum amount possible the next day, before the return deadlines, and then walked away (well, one actually complained because not all funds were made available, but that’s another story, involving criminal indignation).

The unit cost of fraud and fee revenue deliberations
The upshot of all this is that there is a lesson to be learned. Just because we see checks as a diminishing-use instrument doesn't mean we should let our guard down whether we are a consumer, a corporation, or a bank. In tough economic times, a billion-dollar loss to the banking industry is still an expensive ticket. Having just wrapped up the Federal Reserve's 2010 Retail Payments Study, I was interested in exploring fraud from a slightly different angle by looking at the average fraud per check written in the United States. While not all industry surveys align perfectly with respect to samples, time frames, response levels, and so forth, they are close enough to produce some interesting observations. Further, such a calculation might help us understand what the actual "fraud tax" is on checks as banks consider future check service fee issues.

The 2009 ABA study estimated that 760,955 cases of check fraud took place in the 2008 reporting year, with actual losses estimated at $1.024 billion. Compare these numbers to 561,306 cases and $969 million in the 2006 study and 616,469 cases and $677 million in the 2003 study. The concurrent Fed payments studies in 2004, 2007, and 2010 estimated the number of checks written in the United States at 37.6, 33.1, and 27.8 billion, respectively. Doing the math reveals that the per-item cost of fraud losses has gone from $0.018 to $0.029 to $0.036 (unadjusted for inflation). Said differently, the unit cost of fraud for every check written has doubled in six years to 3.6 cents per item even as aggregate check volume has fallen by 26 percent. By the way, this figure represents the cost of fraud losses, not the total cost of fraud management for the check world.

In summary, while the industry debates the issue of the cost of fraud management in the Durbin debit card interchange regulation, perhaps similar scrutiny should be applied to the cost of fraud management in the check world as check volume diminishes. Somewhere out there is an opportunity to adopt an overall fraud management fee strategy as yet another arrow in the quiver of strategically leading customers to payments choices that make sense for the bottom line of a bank.

By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum

May 2, 2011 in banks and banking, check fraud, checks
