Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
April 30, 2012
Why are my credit and debit cards still embossed?
Having spent a number of years in the payments business focused on cards, I commonly receive questions from family and friends related to cards. I would be a wealthy individual if I received a dollar for every time someone asked me, "When am I going to get a card with a chip in it?" Although I am not able to offer any specifics on timing, I do feel confident in telling them that they are coming within a given time frame.
This past weekend, a neighbor out for a leisurely weekend stroll stopped me and asked, "Why do I still have an embossed credit card?" I must admit that I was a bit stumped by the question and couldn't offer him a reasonable explanation. I could not recall the last time that I had seen a "knuckle buster" machine used to make an imprint of a card. And who hasn't struggled trying to read your embossed card numbers and expiration date to make an Internet or phone transaction? Still pondering the question a few hours later, I did recall the food delivery driver who brought the old carbon paper slip, along with our food, to the door and used a writing pen to make an imprint of my card. I am quite certain that over the past five years, this was the only time an imprint of my card has been made—and this includes using my cards for purchases in taxis, from food truck vendors, and in developing countries such as Honduras, and remote Caribbean islands.
One answer to the need for embossed cards lies with network chargeback rules. Both MasterCard and Visa subject merchants to chargebacks on key-entered card-present transactions with no manual imprint. A key-entered transaction takes place when the terminal cannot read a card's magnetic stripe, so the vendor has to input the card number and expiration date. Even when this occurs, I am not so sure merchants follow the network's chargeback procedures. Do you remember a merchant making an imprint of your card in the rare instance your card information had to be manually keyed? Maybe it's time for the card networks to revisit their chargeback procedures.
Another reason for maintaining embossed cards is that apparently some merchants, both domestically and internationally, still rely on imprints for transactions. I do not think that I am alone when it comes to my extremely limited experience with manual card imprints over the past five to even 10 years. With highly reliable telecommunication systems and the ever-growing number of mobile card readers, perhaps the networks should require all transactions to be swiped (for mag stripe cards), dipped (for EMV chip cards), or tapped (for contactless cards).
So while I have several answers to my neighbor's question, I am not convinced any of them are reasonable explanations in this day and age. Cards are embossed primarily for legacy reasons, and this embossing is irrelevant for most transactions. Maybe as issuers transition to chip-embedded cards (hopefully), they could subsequently transition away from embossed cards. In a recent American Banker article, Andrew Kahr discussed one good reason to change to nonembossed cards, and that would be to allow banks to instantly issue cards. I am quite certain my eyes would appreciate that change!
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 23, 2012
Consumer protection: What to do when the consumer’s the threat?
How much for a cockroach in my take-out? What should the burger joint give me for gaining weight from eating their cheeseburgers? Consumers seeking a quick payday through frivolous lawsuits are old news in the food industry. What you may not know is that financial institutions must battle the same problem, as malicious actors twist consumer protection legislation for their own profit.
An American Banker article described how a federal court in Pennsylvania dismissed a lawsuit brought against a credit union claiming that one of their ATMs lacked a mandatory Electronic Funds Transfer Act (EFTA) sticker disclosing fees. This was just one in a string of lawsuits filed by the same plaintiffs. Some financial institutions have decided to settle instead of taking their chances in court. Some of the plaintiffs mentioned in the American Banker article have apparently decided to make a living by scoping out ATMs where stickers have fallen off or been removed, making transactions at these machines, and then filing suit against the unsuspecting operator.
This consumer behavior represents a type of second-order compliance risk. In addition to the formal consequences of noncompliance with regulation, financial institutions (FIs) must also consider that some bad actors may attempt to undermine their compliance efforts. As a practical matter, FIs can manage this risk by validating EFTA compliance each time the ATM is serviced. As the machine is being refilled with cash and receipt paper, servicers should check for the disclosure sticker and have extras on hand in case it has been removed. The FI should maintain records of verification and/or replacement.
These lawsuits also raise larger questions. The other week I blogged about how the Federal Reserve has at times attempted to correct market failures in the payments industry. However, the unintended consequences of legislation discussed in this post demonstrate that government failure is also a risk. Government failure is any time that a government intervention to overcome a market failure results in a less efficient outcome than if no action had been taken. The case of these ATM vigilantes shows that legislation meant to protect the consumer can sometimes be used to justify wasteful lawsuits. In addition to determining if there is a legitimate market failure to correct, policymakers also need to consider the potential for government failure and unintended consequences of regulation before passage.
By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
April 16, 2012
Online and mobile banking create many front doors
"The vulnerability is the front door of the bank." I've heard that quote many times over the years. With online banking continuing to grow, and mobile being the latest channel to access bank accounts and services, the bank suddenly has many more "doors" to worry about.
An August 2011 Consumer Trends Survey by Fiserv shows that 79 million households use online banking, and businesses are following suit. With this kind of competitive environment, most banks must offer online or even mobile banking to stay relevant. As banks strive to remain relevant, they must also stay safe.
The Federal Financial Institutions Examination Council (FFIEC) published the timely Supplement to Authentication in an Internet Banking Environment in June 2011 to address electronic banking security. As financial institutions enter the mobile banking world, the FFIEC's guidance helps banks to protect against risk in electronic access channels. NACHA also recently reviewed its existing policies and operating rules to ensure it has similar helpful guidance for financial institutions originating ACH transactions in this increasingly connected environment.
Whether it's FFIEC guidance or NACHA rules, these five sound business practices can go a long way toward safe electronic banking, whether through the Internet or mobile channel.
1. Customer Awareness and Education is ongoing, and one-time notices are not as effective as repeated messages on specific security concerns. Describe potential threats in language understood by the average consumer and business. Consider requiring business customers to perform risk assessments around online banking access and practices.
2. Layered Security Programs include the practice of tailoring different security tools to the type of account and activity and establishing appropriate controls over account activities based on typical account use patterns. Stay up to date on new layered security technologies and regulatory requirements.
3. Effectiveness of Authentication Techniques: not all techniques are equally effective. Use complex device authentication methods. Change those methods as technology changes. And establish challenge questions that have answers not readily available on the Internet or through social media sites. Incorporate "red herring" questions into the challenge questions, and use different challenge questions in different sessions.
4. Customer Authentication for High-Risk Transactions applies to both consumer and business accounts. Monitor accounts for unusual and out-of-pattern transactions on a regular basis. Establish procedures to do something when out-of-pattern transactions are detected.
5. Risk Assessments and "know your customer" are basic concepts that apply to both consumer and business banking products. Assess threat and risk-related information regularly. Identify types of changes that trigger additional assessments. "One and done" doesn't keep pace in this fast-moving environment. Review experiences with incidents and learn from them. And develop response teams and playbooks to respond quickly to threats or incidents that require immediate action.
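The two practices that most readily translate into code are the layered-security idea of controls "based on typical account use patterns" and the requirement to monitor for out-of-pattern transactions and have a procedure ready when one is found. The following is an added illustration, not code from the post, the FFIEC or NACHA: it builds a per-account baseline from past activity, scores a new transaction on several independent signals (amount, payee, device, country, time of day), and maps the combined score to an action. Every account, transaction, weight and threshold below is constructed for the example.

```python
"""
Added example (not from the Atlanta Fed post): a minimal out-of-pattern
transaction monitor in the spirit of the FFIEC layered-security guidance.
Each signal is one "layer"; no single layer decides, the sum does, and the
sum maps to a documented action (allow / step-up authentication / hold).
All data, weights and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Tx:
    account: str
    amount: float
    payee: str
    device_id: str
    country: str
    hour: int  # local hour of day, 0-23


@dataclass
class Profile:
    mean_amount: float
    std_amount: float
    known_payees: frozenset
    known_devices: frozenset
    home_country: str
    active_hours: frozenset


def build_profile(history: list[Tx]) -> Profile:
    """Baseline an account from past transactions (its 'typical use pattern')."""
    amounts = [t.amount for t in history]
    countries = [t.country for t in history]
    return Profile(
        mean_amount=mean(amounts),
        std_amount=pstdev(amounts) or 1.0,  # constant history would give 0; avoid divide-by-zero
        known_payees=frozenset(t.payee for t in history),
        known_devices=frozenset(t.device_id for t in history),
        home_country=max(set(countries), key=countries.count),
        active_hours=frozenset(t.hour for t in history),
    )


def score_transaction(profile: Profile, tx: Tx) -> tuple[int, list[str]]:
    """Return (risk score, human-readable reasons). Weights are constructed."""
    score, reasons = 0, []
    z = (tx.amount - profile.mean_amount) / profile.std_amount
    if z > 3:
        score += 3
        reasons.append(f"amount {tx.amount:.2f} is {z:.1f} std devs above baseline")
    elif z > 2:
        score += 1
        reasons.append(f"amount {tx.amount:.2f} is {z:.1f} std devs above baseline")
    if tx.payee not in profile.known_payees:
        score += 2
        reasons.append(f"first payment to payee {tx.payee}")
    if tx.device_id not in profile.known_devices:
        score += 2
        reasons.append(f"unrecognised device {tx.device_id}")
    if tx.country != profile.home_country:
        score += 2
        reasons.append(f"originates from {tx.country}, not {profile.home_country}")
    if tx.hour not in profile.active_hours:
        score += 1
        reasons.append(f"unusual hour {tx.hour:02d}:00")
    return score, reasons


def decide(score: int) -> str:
    """The pre-established procedure for out-of-pattern activity (thresholds constructed)."""
    if score >= 5:
        return "hold_for_review"
    if score >= 2:
        return "step_up_auth"
    return "allow"


def run_monitor(history: list[Tx], candidates: list[Tx]) -> list[str]:
    """Score each candidate against the account baseline and return the decisions."""
    profile = build_profile(history)
    return [decide(score_transaction(profile, tx)[0]) for tx in candidates]


# Constructed history for one account: domestic, daytime, a few regular payees, one device.
HISTORY = [
    Tx("acct-001", 42.10, "GroceryCo", "dev-A", "US", 9),
    Tx("acct-001", 58.00, "UtilityCo", "dev-A", "US", 12),
    Tx("acct-001", 63.50, "GroceryCo", "dev-A", "US", 18),
    Tx("acct-001", 120.00, "UtilityCo", "dev-A", "US", 13),
    Tx("acct-001", 37.25, "CoffeeCo", "dev-A", "US", 10),
    Tx("acct-001", 75.00, "GroceryCo", "dev-A", "US", 19),
    Tx("acct-001", 55.40, "CoffeeCo", "dev-A", "US", 11),
    Tx("acct-001", 60.00, "GroceryCo", "dev-A", "US", 20),
]

# Constructed candidates: routine, clearly anomalous, large-but-familiar, new device, odd hour.
CANDIDATES = [
    Tx("acct-001", 48.00, "GroceryCo", "dev-A", "US", 12),
    Tx("acct-001", 2400.00, "NewPayeeLtd", "dev-Z", "RO", 3),
    Tx("acct-001", 140.00, "UtilityCo", "dev-A", "US", 13),
    Tx("acct-001", 30.00, "GroceryCo", "dev-B", "US", 10),
    Tx("acct-001", 52.00, "GroceryCo", "dev-A", "US", 23),
]

if __name__ == "__main__":
    prof = build_profile(HISTORY)
    for tx in CANDIDATES:
        s, why = score_transaction(prof, tx)
        print(f"{tx.amount:>8.2f} {tx.payee:<12} -> {decide(s):<16} score={s} {'; '.join(why)}")
```

The design point is the layering: a single unfamiliar device pushes the transaction to step-up authentication rather than a hard block, while several simultaneous deviations (huge amount, new payee, new device, foreign origin, 3 a.m.) route it to human review. In a real deployment the weights and thresholds would be tuned per account type and the reasons list would feed the case record the guidance asks institutions to learn from.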
With Internet and now mobile banking growing by leaps and bounds, the vulnerability is no longer just the front door of the bank. Following these sound business practices—and it's hard to argue against them—can help to secure all openings from dangers lurking in cyberspace.
By Mary Kepler, director of the Retail Payments Risk Forum at the Atlanta Fed
April 9, 2012
Mobile payments malware: Assault and low battery
According to Dr. Markus Jakobsson, principal scientist at PayPal, malware is moving to the mobile channel as mobile handsets replace PCs. Criminals are businessmen and consequently go for market size in their exploits. Within a year, he says, we will see more handsets than PCs, and we can also expect to see more mobile abuse trends as a result. An interview with Markus on YouTube provides some startling facts and general insights on mobile security challenges and trends.
I first wrote about the emerging threat of malware migrating from PCs to the mobile channel in a July 2010 post titled "The confluence of payments, social networks, and malware: Elements of a perfect storm?" As Portals and Rails readers well know, mobile banking and payments and accessing payments via social networking were just beginning to take off. The post noted that the rapid pace of mobile application innovation and deployment creates vulnerabilities in payment systems accessed via mobile devices. Markus's interview reveals why malware-related intrusions are expected to become more commonplace in the mobile channel and offers some thoughts on a new paradigm for thinking about mobile security.
Mobile handset is a social device as well as a computer
This is the big issue. While numerous consumer behavioral surveys report that consumers are concerned about privacy and security, they treat the handset as a social device to interact quickly with websites, businesses, and other people. In short, consumers trust their mobile devices and value the ability to access social media. As a result, they often fail to adopt available safeguards such as password locks. Jakobsson says that people tend to dislike passwords because they are slow to enter and it's easy to make a fat-finger error. As a result, they opt to operate without cumbersome passwords. Jakobsson asserts that we need a new paradigm to encourage safe authentication going forward.
The problem with virus protection for mobile phones
Consumers don't think of their handsets as computers, but they actually are computers, except that they don't have equivalent battery resources. This means that mobile handsets lack the capacity to run the most basic anti-malware software. Antivirus software works by constantly scanning for malware intrusion. Jakobsson says this is fine if you have only a few instances of malware, but frequent incidents require more frequent scanning, which drains the battery. This is going to be a problem for mobile devices, a problem that to date has not received much recognition.
The root cause: Spoofing and spam
Some problems are beginning to arise with fraudulent apps that divert the user to an unintended website. Spoofing, the practice of sending forged e-mails or directing users to malicious websites, is a critical risk that is hard to manage. According to Key Findings of the 2010 Email MAAWG Security Awareness and Usage Survey, consumers admit to risky behaviors online, with four out of ten admitting to opening an e-mail they suspected was spam. The Messaging Anti-Abuse Working Group (or MAAWG) also reported that younger users are more likely than older users to open suspicious e-mails and click on links.
Mobile ecosystem will require different assumptions about security
As e-commerce increasingly moves to the mobile channel, handsets and networks will require new protections for the data used for identity and payments. As consumers share more information via their handsets in social media and broadcast their geolocations to merchants, the mobile channel will become more vulnerable to criminal activity. Malware exposure will occur cross-platform through gaming and social applications that are not suitably policed. While mobile malware circulation is not yet prevalent, the projected growth of mobile platforms versus traditional computers will make mobile an attractive target for organized crime. Industry stakeholders should consider the prospective risks of malware in discussions on mobile payments security.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
April 2, 2012
What defines an efficient market?
"There was an active debate on whether the Reserve Banks should be involved in card-based systems, but we concluded that card systems were not something that the Reserve Banks needed to become operationally involved in. [We concluded] that the private sector was developing these systems appropriately on their own, and that it didn't need public sector intervention." (From Louise Roseman's keynote address at the November 2011 Retail Payments Risk Forum conference, "The Role of Government in Payments Risk and Fraud.")
I recently re-watched video clips from Louise Roseman's keynote address at our November 2011 Retail Payments Risk Forum conference. In these clips, Roseman, who is the director of Reserve Bank operations and payment systems at the Board of Governors, explained that the Fed occasionally, but not always, provides payments services. She mentioned that when credit cards started to appear, the Fed debated whether or not they had a role in that market. However, the Fed determined that the market was functioning well enough on its own and that intervention was not justified.
Roseman discussed a contrasting example of when the Fed did intervene in a market: check clearing in the 1910s. In the 20th century, paper checks had to be physically presented at the bank they were drawn on in order to clear. While this process was easy for checks drawn on and deposited at banks located in the same major city, it was much more difficult for checks that had to travel inter-city or were drawn on country banks. To process these out-of-town checks, banks had to manage multiple correspondent relationships. Across banks and clearinghouses, this meant frequent handling and duplication of effort. And when a receiving bank did not have a correspondent relationship with the paying bank, these checks did not clear at par—that is, paying banks charged presentment fees for settling checks with noncorrespondents.
To minimize presentment fees, banks would sometimes send checks on a circuitous route. What follows is a real example of one check's meanderings. (This journey is documented in Clearing Houses and Credit Instruments, a 1911 publication of the National Monetary Commission.) Woodward Brothers of Sag Harbor, NY, wrote a check for $43.56 from its account at the Peconic Bank to Berry, Lohman, and Rasch of Hoboken, NJ. The check was deposited at the Second National Bank of Hoboken. The Second National Bank of Hoboken sent the check to Harvey Fisk and Sons, of New York, who sent the check to the Globe National Bank of Boston, who sent it to the First National Bank of Tonawanda (on the far western border of New York). From Tonawanda, the check made its way to the National Exchange Bank of Albany, was forwarded to the First National Bank of Port Jefferson, went on to the Far Rockaway Bank, and ended up going back to the Big Apple at Chase National Bank. From Chase, the check went to Queens County Bank of Brooklyn, and finally back to the Peconic Bank of Sag Harbor!
At the time, many bankers pushed for the Fed to provide check clearing to reduce these inefficiencies. The Fed obliged, which resulted in savings to the whole market and all checks clearing at par.
Check clearing is just one example of a payment system in which the Fed could improve the overall efficiency of clearing and settlement processes. Are there other markets for which we could replicate this success? What defines an efficiently functioning market?
By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed