Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
July 25, 2011
Is the final Durbin Amendment rule an impetus for EMV in the United States?
On June 29, the Federal Reserve Board released its much-anticipated final rule, Regulation II, to the Durbin Amendment. The Board's final rule significantly differs from its interim rule on this amendment, resulting in ample commentary from the payments industry, financial institutions, and the merchant community.
However, there has been little commentary provided about the potential impact the final rule may have on encouraging the migration of debit cards away from mag stripe to the EMV standard. Upon closer examination of the Board's lengthy final rule, it appears that issuers might have the ability to recoup a portion of EMV-related costs should they opt to migrate away from magnetic-stripe technology in the years ahead.
Initially, the Board limited allowable costs for the calculation of the interchange fee cap of $0.12 to include only variable costs associated with the authorization, clearance, and settlement (ACS) of transactions. In setting the final interchange cap base component at $0.21, the Board broadened its definition of allowable costs and included costs incurred to effect a debit transaction such as network connectivity and processing fees. The Board also included fixed costs, such as hardware and software costs, in developing its final interchange cap.
In addition to the $0.21 base component of the interchange cap, the Board included an ad valorem component of 5 basis points of the transaction value to reflect a portion of issuers' fraud losses. Finally, the final rule allows for a fraud-prevention adjustment of $0.01 per transaction, conditioned upon the issuer adopting effective fraud-prevention policies and procedures. These interchange fees become effective on October 1, 2011.
The final rule requires that the Board collect cost data from debit card issuers biennially. Presumably, the Board can make any necessary adjustments to the base component, the ad valorem component, and the fraud-prevention adjustment based on issuers' biennial reports of incurred costs.
What impact will the Board's final rule have on the future of EMV?
If the Board makes future adjustments to the interchange standard components based on the survey of costs every two years, language within the Board's final rule suggests that issuers may be able to recoup some, but not all, costs associated with an EMV migration. Given the Board's addition of fixed costs as allowable costs, hardware and software costs incurred by issuers to migrate to EMV might be included in future adjustments to the base component of the interchange cap. While the research and development (R&D) costs are not included in the base interchange standard, the rule states "the cost of research and development of new authentication methods would be considered in the fraud-prevention adjustment." Should issuers adopt EMV, R&D costs incurred are allowable under the fraud prevention adjustment standard. Finally, the final rule clearly excludes the cost of card production and delivery—a requirement for migration to EMV—as an allowable cost.
The impact of the Durbin Amendment on movement toward EMV remains open to debate. Is the potential for future debit card interchange rate increases enough to motivate issuers to finally migrate to the EMV standard? Do the current interchange cap and exclusion of some EMV-related costs from the interchange standard hinder a future move toward EMV? I am optimistic that future potential adjustments to the components of the interchange standard under the final rule's expanded set of allowable costs—along with the consideration of R&D costs as part of the fraud adjustment component—will have a positive impact on migration to EMV.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 14, 2011
Where will biometric ID technologies fit in fight against fraud?
Biometric systems are designed to recognize individuals based on their unique biological and behavioral traits. Traits such as hand geometry; fingerprints; voice and vein recognition; and retina, iris, and facial scans are all personal characteristics that can authenticate someone's identity. Using biometrics to combat fraud is not novel. In addition, a California-based company introduced in 2008 a risk management solution that identifies fraudsters through the use of voice printing, which allows the company to compare a caller's voice against a database of known criminals before the company authorizes a credit card payment.
In a previous post, we discussed the concept of using biometric technology to combat ATM fraud. Since then, we learned of ATMs abroad that are equipped with voice-based biometric technology that determines user honesty and helps prevent consumer credit fraud. In this post, we revisit the issue of biometrics, touching briefly on new developments in the payments industry as well as on issues reported on by companies and researchers.
Biometrics gain trust
Summarizing a poll it took of credit card users, Unisys reported in 2010 that consumers are becoming comfortable with the use of biometrics. In fact, according to the report, about two-thirds of the respondents indicated a preference for fingerprint biometrics over the use of photo verification, PINs, and signatures. A 2009 Gallup survey revealed that 58 percent of survey respondents would use biometrics to verify their identities, and a staggering 93 percent preferred fingerprints as their biometric of choice.
Searching for a secure biometric storage process
Biometric data on portable devices such as cards can last anywhere from six to 12 years. Technology such as Precise Biometrics' Match-on-Card allows cards to be activated with a fingerprint or iris scan instead of a PIN. All biometric information is stored on the card, so the matching of the biometric data takes place on the card.
This type of technology sends a biometric template to the card processor, which is matched to a reference biometric template stored on the card itself. The card protects personal identity information as it is transmitted across a contactless interface using radio frequency technology. Other companies have introduced similar products retaining all the biometric data on the portable device, which can lessen user anxiety since their biometric data is stored in a device the users control. However, user control over biometric data does not necessarily lessen the potential risk for lost, stolen, or damaged credentials.
Recommended considerations for biometric recognition technologies
According to a report by the National Research Council, "no single trait has been identified as stable and distinctive across all groups," so we cannot rely solely on voice printing, for example, or on fingerprints to guarantee security. The report also points out that biometric systems contain numerous "sources of uncertainty" that "need to be considered in system design and operation." For example, biometric characteristics often vary over an individual's lifetime due to a number of factors, including age or disease, and the systems may not capture or account for this variability. Other, more technical, issues may also create variability in these systems, including sensor calibration and data degradation. Even security breaches themselves add variability. As another "source of uncertainty," the report points to the fact that biometric systems may not be "designed and evaluated relative to their specific intended purposes," so they fail to account for factors such as the competence of the systems' users.
A final note
While there is no such thing as an impregnable security system, using multiple forms of credentials and identification components can strengthen most security systems. If biometrics is one of those layers, careful consideration should be given to measuring the merits and risks relative to other authentication technologies, such as PINs and signatures, as well as ensuring that the biometric that is selected functions as intended. Like any other authentication form factor, any biometric identification technology used should undergo a thorough threat assessment to determine its vulnerabilities and its potential for mitigating attacks. Biometrics may or may not become the panacea to authentication, but ensuring that users trust the entire biometric system is integral to its successful implementation and adoption in the fight against payments fraud.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
July 8, 2011
Data collection: Is more better? What does the future hold?
As part of our Payments Spotlight podcast series, we recently sat down with Will Roberds to discuss the economic theory behind payments risk and data security. Roberds is a research economist and senior policy adviser at the Federal Reserve Bank of Atlanta. His research spans a range of payments topics, and we discussed two recent papers on risk management in emerging payments and the causes of data breaches.
The externalities of personal data collection
According to Roberds, personal data collection creates some externalities in the normal course of enabling consumer payments. Briefly, an externality is an unintended side effect of a transaction imposed on those who are not party to the transaction. An example of a positive externality is when your neighbors plant a rose garden for their own benefit, but you also benefit because you enjoy the fragrance of the flowers whenever you walk by their yard.
Understanding risk management in emerging retail payments; Michele Braun, James McAndrews, William Roberds, and Richard Sullivan; September 2008
Data breaches and identity theft; William Roberds and Stacey Schreft, September 2008
Roberds said that banks and other service providers create a negative externality whenever they verify payer identities by collecting personal data. He warned that "as more and more of that data is assembled and it becomes more and more extensive, it becomes a riper target for theft by talented individuals who are able to access that data, use that data to construct pseudo-identities that allow them to illegitimately purchase goods and services, and thereby impose costs on everyone else who's working within the credit system."
Roberds explained that excessive data collection is continuing to happen "because there are so many entities out there in the economy right now collecting this data, it's difficult for them to coordinate on the right level of personal data collection and to make the right decision about how much data and how much security effort should be expended to preserve the privacy of that data."
Security as a weakest-link public good
The security of payments data often functions as a weakest-link public good. Roberds noted that "a lot of times the level of security is not related to the total amount of effort or cost that's put forth in protecting and keeping that data secure. Instead, it follows a weakest link, or lowest-point rule, meaning that the data is only as secure as the weakest place within the system that's using it in terms of its security and its ability to be breached by hackers and other malefactors." Total security, therefore, depends on those players who have the least to lose in the event of a data breach, or who are the least savvy in implementing security. Oftentimes, emerging payments companies have both less risk management experience and less to lose than more established players.
Self-policed market place for now
Economic theory illustrates how excessive data collection and insufficient risk mitigation can result from mismatched incentives. Nevertheless, the U.S. payments industry has been fairly effective at managing these risks with market mechanisms. Pricing is one tool. Riskier payments are often more expensive. For example, part of the reason credit cards cost more for merchants to accept than debit cards is that credit cards have higher fraud incidence. Insurance is another tool for managing risk. Card issuers guarantee that merchants will be paid when they accept a card, thereby increasing issuers' incentives to decrease the credit risk of their cardholders.
The industry also manages risk through self-regulation. Card network rules, for example, ensure that merchants follow certain standards or risk losing the right to accept cards. Private contracts may require that participants meet industry standards like PCI-DSS or face increased liability for losses.
Sometimes the market may not be able to ensure cooperation. In such cases, there may be a role for regulatory intervention. Well-designed regulations can support industry efforts to coordinate risk management and enforce standards. Recent attempts to implement a national data breach law are one example. Rich Oliver, executive VP at the Atlanta Fed and director of the Retail Payments Risk Forum, has previously suggested in this space that there may also be a public policy role in prompting the U.S. payments industry to move to the global EMV standard. Despite the generally robust market response to risks in the payments industry, government intervention is appropriate when the market fails. In those cases, regulators and industry should cooperate to ensure that policy minimizes unintended consequences while supporting innovation and efficiency.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
July 5, 2011
Dispelling prepaid card myths: Not all cards are created equal
Prepaid cards are garnering quite a bit of attention these days. According to the 2010 Federal Reserve Payments Study, consumers conducted 6 billion transactions on prepaid cards with a dollar value of $140 billion during 2009. These figures represent annual growth of more than 20 percent a year from 2006 to 2009. Perhaps an even better indication that prepaid cards have moved into the mainstream: a recent Today Show report focused on the pros and cons of prepaid cards.
With large numbers of individuals who are un- and underbanked, and with the implementation of the Durbin Amendment looming over the debit card industry, it is reasonable to assume that prepaid cards will continue to see significant growth. In fact, American Express recently announced it was offering a new general-purpose reloadable (GPR) prepaid card in an attempt to attract debit card users.
It is easy to understand that confusion exists among consumers and the media when it comes to prepaid cards and their risks given the variety of prepaid cards and their different consumer protections. Although GPR cards do not always have to offer the same consumer protections as do debit cards, market dynamics and industry competition have resulted in these cards having more robust consumer protections than closed-loop prepaid cards, such as gift cards.
In our continued effort to dispel some of the confusion that exists in the payments industry, this post looks at two myths pertaining to prepaid cards.
Myth: Consumers are not protected when prepaid cards are lost or stolen and used by others to make fraudulent transactions.
Nonreloadable gift cards, whether closed loop (for use at a specific retailer) or open loop (network-branded), are generally not registered in the name of the account holder and therefore lack consumer protections. However, in the unfortunate event that a GPR card is lost or stolen, the consumer is subject to the same voluntary zero-liability protection policies that apply to credit and debit cards of the payment networks, as follows:
- American Express: Consumers are not liable for fraudulent transactions as long as the transactions are reported within 60 days of discovery.
- Discover: Consumers are protected with a $0 fraud liability guarantee.
- Visa: Consumers are not liable for either signature or PIN fraudulent transactions over the Visa and Interlink networks unless it is determined that the cardholder was grossly negligent or fraudulent in the handling of the card.
- MasterCard: Consumers are protected with zero liability only on signature transactions and as long as the card is in good standing, the consumer exercised reasonable care to protect the card, and the consumer reported no more than two incidents of unauthorized use over the previous 12 months. Fraudulent PIN transactions are not protected.
If a fraudulent transaction occurs that is not subject to zero-liability protection—that is, a PIN transaction over an EFT network or a MasterCard PIN transaction—many issuing banks voluntarily offer cardholders the same protection that debit cardholders receive under Reg. E: a $50 maximum liability if the cardholder notifies the bank within two days of discovering the unauthorized use and a $500 maximum liability if he or she notifies the bank within 60 days. Although issuing banks are not mandated to offer this protection on prepaid cards, competition in the industry has led to many prepaid cards with liability protection. Consumers should read the cardholder agreements to better understand each issuer's liability policy for unauthorized transactions.
Myth: Consumers who use prepaid cards have no guarantee that they will be able to recover their money in the event of a bank failure.
While cardholders are at risk of losing the balance of a closed-loop prepaid card should the issuing business or retailer fail, this risk does not exist for GPR cards. Based on a November 2008 FDIC legal opinion, if the issuing bank of a GPR card fails, the funds on the prepaid cards are subject to FDIC assessments and are insured.
Reality: Prepaid cards often safer than cash
Just as the type of prepaid card varies, so does the accompanying consumer risk. While closed-loop prepaid cards pose certain risks related to the stored value on the card, GPR cards do not carry those same risks. These cards pose less risk to the consumer than cash and, for a majority of issuers, are on par with debit cards.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed