Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
December 19, 2011
The many flavors of EMV
As 2011 comes to an end, EMV (Europay, MasterCard, and Visa) transactions are still the exception in the United States. However, the United States has made some progress towards an EMV migration—several financial institutions are now issuing EMV cards for select portfolios. Also, on the acquiring side, some large merchants voiced strong opinions during the year about adopting the EMV standard. And towards the end of summer, Visa announced details of its "chip migration and adoption of mobile payments acceleration plan."
The perceived cost of a full EMV migration has been a great barrier for the U.S. payments industry. Further complicating the migration are the different ways issuers and merchants can implement EMV. In particular, the various transaction authorization processes of card authentication, cardholder verification, and payment authorization take place in an online or offline environment or a combination of the two.
This week's post highlights the differences between offline and online transactions and the implications for U.S. migration to EMV-supported card payments.
Prior to the introduction of chip cards in the United Kingdom, cards used the same magnetic stripe technology that is currently the standard in the United States. However, the difference is that in the United Kingdom most card transactions were authorized offline. In an offline authorization environment, card transactions are batched over a given time period and then transmitted to issuers, usually at the close of business, for authorization. Because the offline authorization environment does not permit real-time authentication, fraud rates were significantly higher than in markets using online authorization. To mitigate the additional risk inherent in the offline environment, the United Kingdom adopted the EMV standard—more specifically, chip and PIN.
In an offline EMV chip-and-PIN transaction, the payment terminal communicates with the integrated circuit card (ICC), or chip, embedded in the payment card rather than using telecommunications to connect and communicate with the issuing bank. This communication between the ICC and terminal allows for real-time card authentication, cardholder verification, and payment authorization. However, because most payment terminals (not unattended terminals) now support online authorization, payment authorization usually occurs online while card authentication and cardholder verification usually take place offline.
In contrast to the United Kingdom's predominately offline authorization experience, nearly all card transactions in the United States are authorized online. This environment allows issuers to authorize transactions at the time of sale using multiple fraud and risk parameters.
In an online EMV transaction, the ICC-embedded card generates a cryptogram that is authenticated by the issuer during the authorization request. Assuming the card is authenticated and the merchant requires cardholder verification, either the terminal transmits the cardholder's encrypted PIN to the card issuer for verification or the merchant verifies the customer's signature against the signature on the card. Finally, for payment authorization, the terminal transmits payment-related information and a transaction-specific cryptogram to the issuer, which then authorizes or declines the transaction. This online payment authorization process is the same process that magnetic stripe cards currently use.
What does this mean for a U.S. EMV migration?
Unfortunately, the many methods for card authentication, cardholder verification, and payment authorization that EMV supports could lead to many different implementations in the United States. The few EMV-issuing financial institutions in the United States have reached no consensus when it comes to cardholder verification methods. Some issuers support offline PIN, others support online PIN, and still others support signature-only verification. Perhaps most critical to the EMV discussion is whether to support online or offline transactions, or both.
The costs associated with an offline implementation are higher. First, ICCs in an offline environment require an additional processor on the card—to support dynamic data authentication—that ICCs in an online environment do not. Second, PIN management in the offline environment involves manipulation of the PIN resident within the ICC, a process that requires issuers to purchase technologies they do not need in the online environment.
From a risk standpoint, both offline and online EMV card authentication support dynamic data and offer superior protection against counterfeit fraud compared to the magnetic stripe. For PIN cardholder verification, offline and online PIN offer the same protection against lost or stolen card fraud.
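A minimal model of the online flow and the dynamic-data point above, added here as an illustration and not taken from the original post or from any EMV specification. It shows why a transaction-specific cryptogram, unlike static stripe data, cannot be reused or altered after capture; HMAC-SHA256 stands in for the card's real cryptogram algorithm, and `ChipCard`, `Issuer`, the key, and the card number are constructed for the example.

```python
import hashlib
import hmac

def _mac(key, pan, atc, amount, nonce):
    # Stand-in MAC (HMAC-SHA256, truncated); real EMV cards use their own
    # issuer-keyed cryptogram algorithm, which this does not reproduce.
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    """Constructed model of a chip: the key never leaves the object."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def authorization_request(self, amount, nonce):
        self.atc += 1  # per-transaction counter makes every cryptogram unique
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "nonce": nonce,
                "cryptogram": _mac(self._key, self.pan, self.atc, amount, nonce)}

class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan, key):
        self.keys[pan] = key

    def authorize(self, req):
        key = self.keys.get(req["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = _mac(key, req["pan"], req["atc"], req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return "DECLINE: replayed counter"
        self.last_atc[req["pan"]] = req["atc"]
        return "APPROVE"

def demo():
    key = b"constructed-demo-key"      # constructed sample value
    pan = "4000000000000002"           # constructed sample card number
    card, issuer = ChipCard(pan, key), Issuer()
    issuer.enroll(pan, key)
    req = card.authorization_request(amount=2500, nonce="a1b2c3d4")
    genuine = issuer.authorize(req)
    replayed = issuer.authorize(req)                      # copied data reused
    altered = issuer.authorize(dict(req, amount=999900))  # amount changed
    return genuine, replayed, altered

if __name__ == "__main__":
    print(demo())
```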
Offline EMV implementations were necessary in many markets around the globe because of a lack of telecommunications access at the payment terminals. Because the United States already operates in an online environment and the costs to implement an offline adoption are higher, the business case for an online EMV implementation is stronger than an offline adoption. Further, with most payment terminals in the world now supporting online transactions, global interoperability of online-only EMV cards is not the barrier that it was in the past.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 12, 2011
Retail Payments Risk Forum conference explores the role of government
In light of the many legislative and regulatory changes affecting the payments industry that are already underway, how and when does government intervene in today's highly dynamic marketplace? To answer this question and more, a mix of regulators, legal professionals, and law enforcement representatives participated in the Risk Forum's fifth annual signature conference, "The Role of Government in Payments Risk and Fraud," held November 17–18 at the Atlanta Fed.
Marie Gooding, first vice president of the Atlanta Fed, kicked off the event with some opening remarks. Next up was Louise Roseman, director of reserve bank operations and payment systems at the Fed's Board of Governors, with the conference's keynote address. Roseman offered some historical perspective on the relevance of government in the nation's payments systems. The conference continued with five key sessions relating to the governance of risk and fraud in retail payments. We present the highlights of each session in this post. You can get the presentation materials on the Atlanta Fed website.
Changes in regulatory oversight and self-governance crucial
Government oversight of the nation's retail payment system is delivered through different models at the federal and state levels. Complicating matters further, regulatory oversight depends on whether the payment service provider is a bank or a nonbank third party. As the payments environment grows more complex with new nonbank entrants in the payment system and many new payment alternatives, it will be challenging for traditional governance to fully understand the emerging risks. Alongside regulatory oversight, self-governance in the form of compliance programs, rules, and standards can contribute to effective alternative models. This panel also explored the role and scope of the new Consumer Financial Protection Bureau and how it plans to fulfill its newly established mission.
Law enforcement challenges
Panelists discussed the importance of collaboration among law enforcement agencies as payment crimes become more sophisticated and proliferate across global geographies. Cross-border financial transactions will demand collaboration among international and domestic law enforcement organizations, as well as among the industry participants themselves and their respective regulators. The panel addressed the growing need for law enforcement to collaborate with regulators who have fragmented state-level authority and are not required to exercise prudential supervision.
The need for better fraud data
Panelists discussed the growing incidence of payment crimes, noting that the United States' efforts to address payments risk and fraud may be hindered by a lack of supporting data on the costs of prevention and the losses incurred. The United States is virtually the only country that does not keep comprehensive data on such losses and costs. The panel discussed how the industry could benefit from complete quantitative information. Armed with such information, the industry could more effectively allocate resources to payment mechanisms and channels posing the most significant risks. This knowledge will become increasingly necessary as payment providers and businesses plan future investments in payment fraud risk management programs.
Changes in the U.S. regulatory environment
2011 witnessed significant regulatory efforts such as the CARD Act, overdraft legislation, and the Durbin amendment, along with the effects of these initiatives on the behaviors of stakeholders such as merchants, banks, and even consumers. Panelists engaged in a comprehensive discussion on the current state of these initiatives and what to expect. The audience participated in the dialogue on noteworthy issues such as payment authentication methods and fraud management systems resulting from the industry's response to the Durbin amendment, and the response from Congress to marketplace changes such as new bank fees.
Payment laws and regulations in a dynamic payment environment
Panelists in this session explored how a complex matrix of federal and state laws for retail payments in the United States poses challenges as the industry migrates to alternative payment mechanisms. At issue is the lack of a common playing field for banks and nonbanks regarding legal compliance and safety and soundness. Also at issue is the inapplicability of some laws and regulations to specific payment methods. While many panelists agreed that it is desirable to harmonize efforts under Dodd-Frank, they noted that small changes in some payment systems can create significant complications in others. Finally, the panelists discussed the current need for commercially reasonable security methods to limit a financial institution's liability within the current legal and regulatory framework.
This event provides the Retail Payments Risk Forum with critical business intelligence from participants to drive our thought leadership and strategic planning as we move forward into 2012. Look forward to further discussion on these topics as our team explores these evolving issues, and as always, we invite your dialogue in the conversation.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
December 5, 2011
The future of mobile payments
Although mobile payments have been much slower to develop in the United States than many industry observers had predicted, there have been a number of encouraging recent developments. Starbucks, for example, has processed more than 20 million mobile payments since launching its app, and the Chicago Transit Authority's new fare collection system will be able to accept mobile payments starting in 2013. Still, despite these small successes, the United States has not seen the mobile phone really take off as a vehicle for point-of-sale payments.
The Retail Payments Risk Forum takes an active interest in mobile payments. For the past few years, we have gathered together key industry stakeholders to promote dialogue about barriers to adoption and reach a collective understanding about the state of the industry. Forum members have recently published a paper describing the views of these stakeholders and outlining the necessary elements of a successful mobile payments system.
The Retail Payments Risk Forum recently interviewed David Evans, a payments industry consultant and the founder of Market Platform Dynamics, in a podcast exploring some of the challenges facing widespread mobile payments adoption. Evans maintained that a couple of obstacles have kept mobile payments from taking off in the United States. "Barrier number one is that there is not a very persuasive mobile payments alternative for consumers to use at the point of sale, and the second is that there's really not the technology at the point of sale capable of processing a mobile payments-type transaction."
In addition to these barriers, he said, is the simple fact that most consumers are satisfied with the way things are. Evans explained, "I can pull out a credit or a debit card at the point of sale, I can swipe it, and it works beautifully. Takes about a second. No fuss, no muss—the clerk knows what to do. The technology is all there. So we have this wonderful system that works really well right now that's extremely efficient." To change the status quo, a compelling value proposition must emerge for all parties. "Someone's going to have to come up with a really great alternative that adds value to the merchant and adds value to the consumers to make both of them want to do something different than [what] they are currently doing," said Evans.
Regarding the prospects for mobile payments outside the United States, Evans said, "I think that where we are going to see mobile payments take off around the world is primarily in countries that do not already have a very well-developed payment card industry with acceptance at the point of sale and that have very well-developed mobile phone systems."
The role of different types of market players has been a major source of debate among those forecasting mobile payments. Many disagree about how the mobile carriers, such as Verizon and AT&T, will fit into the new landscape. Evans predicted that "the likely role of the carriers in payments is basically being a pipe." He stressed that mobile carriers do not have the expertise to operate mobile payments and are more likely to become pipes for others who will develop mobile payments alternatives.
When asked about his predictions about the type of technology that will ultimately support mobile payments, Evans said that it was still too early to know. However, he did say that "it's really the solution that is going to drive the adoption of a particular acceptance technology at the point of sale, rather than the acceptance technology driving the solution." There are clearly still a lot of unknowns with regards to mobile payments, and Evans wisely concluded that "we should talk about this in 10 years when we may actually know the answer!"
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed