About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


March 28, 2016


Continuing Education in Mobile Payments Security

Just over a year ago, I wrote a post raising the question of which stakeholder or stakeholders in the payments ecosystem had the responsibility for educating consumers about payments security. As new payment technologies such as mobile devices, wearables, and the Internet of Things gain acceptance and usage, who is stepping up not only to teach consumers how to use the devices but also how to use them safely and securely?

Since it is generally financial institutions that bear the greatest financial risk for payment transactions, because of the consumer liability protections written into U.S. law, this responsibility has fallen largely to them. However, the educational effort has become increasingly difficult because consumers generally acquire these new products at retail outlets or mobile carrier stores, where the financial institution has no direct contact with them.

The Consumer Federation of America (CFA) recently continued its ongoing efforts to provide educational information to consumers with the release of a guide to mobile payments. The guide is comprehensive, covering issues such as privacy, security of the mobile device, the dangers of malware, error resolution, and dispute procedures for mobile payments, and concludes with a humorous animated video that recaps some of the risks with mobile phones if they are not secured and used properly.

As an example, in its section on privacy, the guide offers the following tips:

  • Read the privacy policies of the companies whose services you are using to make mobile payments and the companies that you are paying.
  • If you don't like a company's privacy policy, take your business elsewhere.
  • Don't voluntarily provide information that is not necessary to use a product or service or make a payment.
  • Take advantage of the controls that you may be given over the collection and use of your personal information.
  • Since mobile payments, like all electronic payments, leave a trail, if there are transactions that you would prefer to make anonymously, pay with cash.

Kudos to the CFA for its work on this effort. I hope you will read the guide and spread the word about the availability of this valuable resource. It is through the combined efforts of the payments stakeholders that we can work to improve the knowledge level of all parties involved and promote secure usage.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 28, 2016 in consumer protection, innovation, mobile banking, mobile payments


March 21, 2016


The Insider on the Outside

Having had a few days to digest my RSA Conference 2016 experience (and let my feet recover), I'm not sure whether to be more concerned about cybersecurity challenges or more at ease due to the sheer number of solutions on display that are available to mitigate these challenges. In reality, my emotions are mixed.

On the one hand, the cybersecurity threat is real and spreading across all types and sizes of businesses and government agencies. On the other hand, information sharing is taking place across, and within, industries like never before, and technology is being harnessed to strengthen defenses against the latest threats. But my biggest takeaway from the week might differ from that of the many technology evangelists and cyber risk experts whom I encountered: the human element might be the most important element in mitigating data loss risks.

The risk of data loss due to the human element is quite substantial and probably merits a paper on its own or perhaps a dedicated Take on Payments series. Today, I'm going to focus on a single aspect of the human element: the expanding nature of the insider threat. In a Take On Payments post from the summer of 2013, I discussed some access and security management principles to thwart malicious behavior from an insider.

Traditionally, an insider has been thought of as an employee. That definition has broadened as organizations outsource more internal-support functions to third-party providers. Much has been written and discussed concerning regulatory and compliance issues related to third-party providers, and this notion of the "outside insider" is a logical extension of a company's risk management practice. The insider threat is real and costly. According to data from the Ponemon Institute, malicious insider attacks cost companies an average of about $144,000 annually.

Ensuring that any third-party provider has the necessary policies and procedures in place to secure your data from outsiders is paramount, but what about the sufficiency of their controls to protect your data from potential bad actors within these third parties? Have you given much thought to this notion of the "outside insider"? If you have, what recommendations or best practices do you have to avoid becoming a victim of a malicious insider on the outside?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 21, 2016 in cybercrime, data security, third-party service provider


March 14, 2016


Same-Day ACH: An NFAQ

The NFAQ—meaning "non-frequently asked question"—will come just a bit further down in this post. First, I need to say the Forum's prediction that same-day ACH would not be a huge hit this year may have been misunderstood. The prediction wasn't meant to say that the service wouldn't gain steam over time; it was more a comment about the type of lift the initiative could experience at the start. But if usage of same-day ACH even somewhat mirrors the level of enthusiasm and participation that attendees lavished on sessions that revolved around the topic at Information Interchange, an annual regional payments association conference sponsored by EastPay and the Atlanta Fed, same-day ACH could become a big hit.

The aforementioned annual payment conference featured four sessions related to same-day ACH. Attendance at each session was standing room only. Topics focused on everything from understanding and preparing for the change to promoting usage and enhancing payment services for customers of all types.

It was really good stuff, I must say, and I managed to squeeze in all but one of the sessions. In the last session, the moderator opened by asking the audience questions to test their knowledge of the rule change and to help panelists focus on what information might be most useful for informing and instructing attendees. The audience didn't miss a single question, which included a trick question about the dollar threshold for "IATs" or international transactions. (IATs aren't eligible, so there is no applicable dollar threshold related to these payment types.)

Perhaps the most important question of the day, which takes me to the NFAQ in the title, didn't get asked in the open sessions. However, a gentleman leaned over and asked me if U.S. Treasury transactions were eligible. I didn't think so and told him that, but he pushed back and suddenly we were both unsure. So after a short back and forth with my colleagues, I pointed him to a definitive answer in the same-day FAQs on frbservices.org. It reads as follows:

Q: Will the federal government be participating in Same Day ACH at any phase of implementation?

A: At this time, the federal government will not be participating in phase 1 of the Same Day ACH implementation. Therefore, any entry originated from, or received by, the federal government will not be eligible for same day settlement and will continue to settle on a future date. Information regarding the federal government's participation in later implementation phases will be forthcoming.

I felt compelled to share this "NFAQ" because after asking others about their understanding of the matter, I found general awareness and understanding mixed, but largely incorrect. The distinction between federal government payments and other types of government payments (state government agency payments will be eligible for same-day ACH in phase 1) may be important and may not be as widely known as it should be.

By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

March 14, 2016 in ACH


March 7, 2016


Card Chargebacks: Sorting Out the Facts

For years, I have heard conflicting statements by card issuers and acquiring merchants about the impact of chargebacks on their businesses. A chargeback is a demand by a card issuer that a merchant make the issuer whole for a transaction the cardholder has disputed. Because of the consumer liability protections afforded under various regulations and the card brands' liability rules, the final loss typically falls on either the issuer or the merchant. The issuer initiates a chargeback when a cardholder disputes a transaction on the statement, for any of a variety of reasons, if the issuer believes the merchant is financially liable under the particular card network's operating rules. Merchants may accept the chargeback and absorb the loss, or they may dispute it if they believe they complied with the network rules.

The debate over the amount of chargeback losses to merchants has continued over the years because of a lack of independent research, but all that has changed with a study published in January by my colleagues at the Federal Reserve Bank of Kansas City. Senior economists Fumiko Hayashi and Rick Sullivan along with risk specialist Zach Markiewicz examined chargeback and sales data from October 2013 through September 2014 from selected merchant acquirers who process more than 20 percent of network-branded card transactions in the United States. While the study examines the full chargeback landscape of four-party networks (Visa and MasterCard) and three-party networks (American Express and Discover), the focus of this post is on their findings related to card fraud—both card present (CP) and card not present (CNP)—for the four-party networks. PIN debit transaction chargebacks were not included in this study.

Some of the study's key findings are:

  • Overall, merchants incur 70–80 percent of all chargeback losses.
  • Fraud is the most common chargeback reason and accounts for approximately 50 percent of total chargebacks in value.
  • The average value of a fraud chargeback was $200, compared to $56 for the average sales transaction. Clearly, the criminals are going after higher-dollar value goods.
  • The merchant loss rate in the CNP channel of 14.17 basis points (bps) is significantly higher than the 1.02 bps loss rate for the CP channel.
  • As the chart shows, the merchant categories incurring the highest fraud rates were the travel and department store categories. Grocery stores had the lowest.

[Chart: merchant fraud chargeback loss rates by merchant category, from the Kansas City Fed study; image not reproduced here]

As previous posts have noted, the Federal Reserve is making a concerted effort to collect fraud data for non-cash payment channels to develop a holistic view and understanding of fraud trends. The Kansas City Fed is looking to repeat its study in the near future, when it will also include PIN debit transaction chargebacks. As our payments system evolves and user payment preferences change, it is vital for payments system stakeholders to be able to determine how these changes are affecting fraud losses being sustained by the various stakeholders.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 7, 2016 in card networks, cards, consumer protection

