Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


July 30, 2012

Even an Outsourced Cloud Can Have a Silver Lining: Shedding Light on Cloud Payments Risk Management

Outsourcing is not new in financial services. Banks continue to improve their operational efficiency—and even lower their risk exposures—by engaging third-party service providers to perform specific functions they used to manage internally. Now, technological advances are enabling financial institutions and other payment providers to shift certain data management functions to the cloud, an outsourcing practice we discussed in an earlier Portals and Rails post. Cloud outsourcing provides operational cost savings to the end user community, but these new services introduce new risks in payment systems.

On July 10, 2012, the Federal Financial Institutions Examination Council (FFIEC) published a statement on cloud computing to supplement its Outsourcing Technology Services booklet. The aim of the statement is to help financial institutions better understand the fundamental risks associated with these new services and the need for robust vendor management.

Cloud computing basics
The term "cloud computing" in its most basic sense describes a service that stores and processes data on a remote network. Cloud service providers are entrusted with ensuring the security of end user data within that remote network.

A notable feature of cloud computing is its deployment model. Risk profiles may differ, making some models more appropriate for some services than others. Some models may include private clouds operated for a single organization, community clouds that are shared by several organizations, or combinations of the two for hybrid business models.

According to a recent paper authored by Dan Schutzer, chief technology officer of BITS, small devices like mobile handsets have limited storage while communications networks are becoming faster and more efficient. These factors have led to more businesses offering services that allow data to reside in remote servers, or in "the cloud." He cites public cloud examples like Flickr, which allows consumers to store photos in the cloud, and Google Docs, which allows consumers to manage documents remotely.

Risk management in cloud computing
Arguably, the data in these examples may not be as sensitive as that managed by financial institutions and others involved in payment processing. The FFIEC statement notes that as financial institutions consider a cloud computing model in their outsourcing strategies, risk management and third-party oversight to protect sensitive personal consumer data become increasingly important.

The FFIEC statement maps the key elements of risk management articulated in the existing interagency guidance. It starts with due diligence, noting that financial institutions are responsible for ensuring that third-party activity is conducted according to applicable law and regulation, just as if the bank retained those functions in-house. It also discusses the key elements to consider in ongoing vendor management and business continuity planning.

The vendor management challenge
A major takeaway for financial institutions and other payment providers is in the part of the FFIEC statement that discusses "legal, regulatory, and reputational considerations":

The nature of cloud computing may increase the complexity of compliance with applicable laws and regulations because customer data may be stored or processed overseas. A financial institution’s ability to assess compliance may be more complex and difficult in an environment where the cloud computing service provider processes and stores data overseas or comingles the financial institution’s data with data from other customers that operate under diverse legal and regulatory jurisdictions.

While the risk management fundamentals for cloud computing remain the same, the increasing complexity of the operating environment will challenge the effectiveness of vendor management programs going forward. As outsourcing relationships expand geographically, the expertise required to oversee those activities will increase as well. Furthermore, third-party service providers may have outsourced relationships themselves, requiring inclusion of those downstream oversight processes in the financial institution’s vendor management program.

The FFIEC guidance provides a good description of these risks and challenges to consider in selecting and managing a cloud computing strategy, but also notes that "cloud computing may not be appropriate for all financial institutions."

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

July 30, 2012 in emerging payments, innovation

July 23, 2012

The debate on credit card surcharges

Late Friday the 13th, Visa and MasterCard announced that they, along with several major issuers, reached a $7.25 billion class-action settlement with U.S. merchants. In addition to being party to the largest monetary antitrust settlement in U.S. history, the networks agreed to permit retailers to impose a surcharge on credit transactions subject to a cap and a level playing field with other general purpose card competitors. Previously, the no-surcharge rule (NSR) had been a staple for both MasterCard and Visa, ultimately prohibiting merchants from charging consumers more to pay with credit cards. Merchants claim that because of the NSR, all consumers, regardless of their payment method, incurred higher costs. Now, in theory, merchants should be able to lower their prices and pass along the costs of a credit card transaction only to those consumers paying with a credit card.

Theory versus practice
However, in the payment card market, theory and practice can differ. Look no further than the Durbin Amendment. In theory, Congress intended for this legislation to benefit consumers, assuming that merchants would pass along their savings through lower prices. However, the debate continues over whether merchants who received interchange relief—some actually experienced increased rates and are in fact passing along these costs to consumers—are really passing on the savings.

Should the settlement be finalized, I believe we will see another debate about whether the consumer actually benefits, as with the Durbin Amendment. Will many merchants actually choose to impose a surcharge on credit-card-paying consumers? Will the surcharging merchants actually drop prices from their current levels or simply add a surcharge on top of existing prices? Will networks lower the effective interchange rates, thus making it less costly for consumers to use credit cards should merchants choose to actually surcharge?

Will credit card surcharging take place in the United States?
Again, we have to look at theory versus practice. In theory, the surcharging provision seems like a win for merchants, but in practice, will the surcharge provision have any impact at the point of sale? And what will prevent surcharging from being put into widespread practice in the United States?

For starters, 10 states with 40 percent of the U.S. population—including California, Florida, New York, and Texas—currently prohibit retailers from charging customers a fee for using a credit card. Keeping the consumer in mind, remember the backlash that one bank experienced when it proposed a new debit card fee? Will any merchant that attempts to implement a surcharge—actual implementation of a surcharge with various types of cards and payment environments is worthy of an entire discussion itself—face similar scrutiny?

I also wonder: if a merchant chooses to charge consumers a fee for using a credit card, would the fee and the merchant then fall under the authority of the Consumer Financial Protection Bureau? The surcharging debate around this potential settlement and ultimate outcome will no doubt be interesting moving forward.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 23, 2012 in card networks, cards, regulators

July 16, 2012

Oh, SNAP! Benefit trafficking costs millions

As I watched the local evening news several weeks ago, one particular story caught my attention. A local convenience store owner had been arrested for the repeated abuse of the Supplemental Nutrition Assistance Program (SNAP), formerly known as the food stamp program. The store owner allowed SNAP recipients to exchange their electronic benefit transfer (EBT) cards for such items as cigarettes and alcoholic beverages, charging a premium of anywhere from 25 to 50 percent of the items' values. This type of SNAP fraud is known as "trafficking." Another form of trafficking fraud occurs when the program recipients sell their cards on the black market in exchange for cash. These cards are then reported as lost or stolen, so recipients receive a replacement card.

Upon performing an Internet search on this topic the next day, I was surprised to discover that SNAP trafficking is actually a $300 million-a-year problem. According to a 2011 report of the USDA Food and Nutrition Service, trafficking diverted an estimated $330 million annually from SNAP benefits, or about one cent for each SNAP dollar redeemed. Interestingly, this figure is down significantly from earlier reports published by the USDA. In 1993, trafficking resulted in more than $800 million of fraud, or nearly four cents per SNAP dollar redeemed. Since the first report, the trafficking rate has fallen, leveling off at its current rate of 1 percent. Still, fraud levels for this EBT program are significantly higher than for general purpose credit and debit cards.

The main reason for this decline has been the electronification of the old food stamp program. During the mid to late 1990s, some states began replacing food stamps with EBT cards. And since June 2004, all states have used EBT cards to distribute SNAP funds.

Though taking this program from paper payments to plastic payments has dramatically reduced trafficking fraud, fraud is still an issue at 1 cent per dollar redeemed—so much so that the USDA recently proposed a new rule that would allow state agencies to deny replacement cards to recipients who make four replacement requests over a 12-month period.

The USDA's proposed rule is currently open for comment through July 30. I encourage anyone with thoughts or ideas on this particular rule and on trafficking fraud in general to make their voice heard and provide feedback to the USDA. The SNAP EBT fraud rate, which is substantially higher than credit and debit card fraud rates, is the burden of all taxpayers. What else can or should we do to further tackle this particular payments fraud?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 16, 2012 in crime, fraud, regulators

July 9, 2012

Can clouds and contactless chips coexist?

Mobile wallets have started to make their way into the market this year. Inevitably, industry stakeholders are joining opposing camps on the technology that these wallets use to keep payment information and other personal data safe and secure: contactless chips or cloud-based technology. The chips are embedded in a mobile handset that communicates with a terminal via near field communication (NFC), while the cloud-based technology involves an application downloaded to the mobile handset.

If the critical mass necessary for the successful adoption of a payment system relies on acceptance interoperability and technical standardization, can these two solutions coexist in a future mobile payments system? Or will technology debates threaten near-term interoperability and consumer adoption?

The first generation of mobile wallet trials such as Isis and Google are using contactless NFC technology. This is not surprising as early discussions found consensus on the need to move as an industry to NFC for mobile payments. In fact, as my coauthors and I noted in our 2011 paper, "Mobile Payments in the United States: Mapping out the Road Ahead," one of the key tenets agreed upon at the time by industry stakeholders for a safe and secure mobile payments system was the use of contactless NFC technology.

However, since that time, new mobile providers have been rolling out wallets that do not use NFC. Instead, they rely on payment credentials stored in remotely based servers, more commonly referred to as the "cloud." The PayPal wallet, for example, leverages consumers' existing PayPal accounts where payment credentials are stored.

Benefits and challenges
Numerous complex variables are at play in the debate on NFC versus the cloud. A recently published TSYS whitepaper authored by Scot Yarbrough and Simon Taylor, "The Future of Payments: Is it in the Cloud or NFC?," provides a comprehensive explanation of the benefits and the challenges that opposing business models face.

The authors summarize the case for NFC by noting that it is backed by the major card networks and offers the capability to store and send information other than payment, such as contacts and videos. The case for payments in the cloud has a supply-side incentive in that the infrastructure costs are much lower for the merchants at the point of sale.

Both systems face challenges, of course, as evidenced by the current low adoption levels for any particular wallet. The TSYS authors note that cloud technology payments may offer so many different choices, "how many ways to pay will the consumer want to learn and adopt, especially when he or she can simply reach into their pocket, pull out their credit or debit card and pay?"

They also note that NFC is not without flaws. Building consumer experience will require compelling value propositions to encourage new payment behaviors. Further, the complexity of the ecosystem to manage the payment credentials in the chip inside the mobile device among various players in the business model creates economic challenges as well.

In the near term, cloud-based solutions will likely disrupt the payments landscape as merchants look to manage their share of the infrastructure investment for new payments. As wallet providers identify efficiencies and optimal security propositions for data residence and transit, it is possible that hybrid business models will emerge. Finally, the TSYS authors aptly note that future game changers will likely alter the current argument completely. Will merchant investment costs matter in a future where the mobile handset is also the merchant's acceptance terminal?

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

July 9, 2012 in contactless, emerging payments, innovation

July 2, 2012

Are portable POS devices coming to a table near you?

Can you remember the last time you handed over your mobile phone to a friend, let alone a stranger? Writing from my own experience, I am guessing that it is not something people do very often. Back when our mobile phone's primary functionality was as a phone, we were generally open to letting someone borrow it to make a call. However, as phones become "smarter," we have become less inclined to give someone else access to a device that holds a wealth of information about us.

This behavior is in stark contrast to our behavior with our payment cards. While I can count on my hands the number of people whom I have let use my mobile phone, I have given my payment cards to hundreds of strangers at dine-in restaurants and allowed them to take my cards out of my sight. While an overwhelming majority of these card transactions are safe, this procedure does easily allow for bad characters to capture valuable card information that can lead to card fraud. One highly publicized skimming case that broke last November highlights the fraud risks inherent in a restaurant card transaction. This crime certainly would have been more difficult to perpetrate had the victims' cards been swiped tableside in front of them.

According to a recent Wall Street Journal article, the payment experience at restaurants might be changing. Several large restaurant chains are in the process of testing different portable tablet-type devices at the table. These devices allow restaurant patrons to perform traditional restaurant functions such as viewing menus, placing orders, and ultimately settling the bill. Some of these devices include advertising and, perhaps most intriguing, even allow patrons to play games, watch videos, and peruse news headlines.

While these portable devices have the "cool" factor, they also offer great benefits from a fraud-reduction perspective. Paying your restaurant tab without ever having your card leave your sight is a great first step in preventing the type of fraud described in the New York City incident highlighted above. Restaurants, in general, have shunned portable POS devices in the past due in large part to their expense in an industry that operates on thin margins. What's exciting with these new devices is that the new technology offers both top- and bottom-line benefits to restaurants that traditional portable POS devices don't. These devices can actually help drive an increase in existing revenues (higher average tickets) or even be a source of new revenue (advertising and fees from videogames) while also lowering a restaurant's fraud loss exposure.

I am hopeful that this new technology catches on and restaurants do adopt a safer payment card transaction. For the parent in me, the thought of the device entertaining my small children when our conversation fails to do so or the chips and salsa run out is promising. From my payments risk perspective, I am ready to keep full control of my cards and hopefully avoid that dreaded call, text, or e-mail from my bank that says my card has been compromised.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 2, 2012 in cards, consumer fraud, innovation