About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


July 30, 2018


Are You at Risk from Zombie Credit Cards?

Do you have any infrequently used credit cards hiding in the back of a drawer? Maybe a card you applied for to get a discount on a new washing machine? Or a card you used frequently a few years ago that has been superseded by a newer card with better rewards or a lower interest rate? You know, the kind of card you might think is dead but isn't quite.

I had a card like that in the back of a drawer, until my bank canceled it a few weeks ago. The bank pointed out that I hadn't used the card in years but offered me the opportunity to reactivate.

No, thanks. I don't need the extra exposure of a forgotten card that has long outlived its usefulness. It's enough trouble keeping track of the cards I do use.

When it comes to inactive credit cards, it turns out I'm not alone. The 2016 Federal Reserve Payments Study finds that, of general-purpose credit cards issued to consumers, 42 percent were not used to make at least one purchase a month during 2015. As a percentage share, this is about the same as 2012, when 44 percent of credit cards were not used at least once a month. ("General-purpose" cards use one of the four major credit card networks, while "private-label" cards can be used only at a particular merchant or limited set of merchants.)

In 2015, there were 192 million consumer general-purpose credit cards outstanding and inactive. That's about four inactive credit cards for every five adults in the United States. (The adult U.S. population in 2015 was 247 million.)

Of course, inactive cards are not necessarily abandoned cards, as mine was. Perhaps their owners reserve them for a special purpose, or keep them around for times when particular retailers offer discounts. Perhaps they are backups in case primary cards are compromised. Or perhaps they serve as an emergency credit cushion—a "just-in-case" line of credit.

Nevertheless, these account numbers are out there. Mine could be sitting in the database of a magazine that is automatically renewed every year or maybe attached to an expired membership at a website I don't use anymore. It's good to have that card canceled, to avoid the risk that the card will rack up charges, zombie-like.

So what about those infrequently used cards at your house? Are you holding on to an older card because a longer lifespan card could possibly improve your credit score? If not, today might be a good day to cancel and then cut them up.

By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 30, 2018 in cards, consumer fraud, data security

July 23, 2018


Learning about Card-Not-Present Fraud Mitigation

Over the last year, I have had the pleasure of working with Fed colleagues and other payments industry experts on one of the Accredited Standards Committee's X9A Financial Industry Standards workgroups in writing a technical report on U.S. card-not-present (CNP) fraud mitigation. You can download the final report (at no cost) from the ANSI (American National Standards Institute) web store.

As this blog and other industry publications have been forecasting for years, the migration to payment cards containing EMV chips may already be resulting in a reduction of counterfeit card fraud and an increase in CNP fraud and other fraudulent activity. This has been the trend in other countries that have gone through the chip card migration, and there was no reason to believe that it would be any different in the United States. The purpose of the technical report was to identify the major types of CNP fraud and present guidelines for mitigating these fraud attacks to the various payments industry stakeholders.

[Chart image]

Source: Data from Card-Not-Present (CNP) Fraud Mitigation in the United States, the 2018 technical report prepared by the Accredited Standards Committee X9, Incorporated Financial Industry Standards

After an initial section identifying the primary stakeholders that CNP fraud affects, the technical report reviews five major CNP transaction scenarios, complete with transaction flow diagrams. The report continues with a detailed section of terms, definitions, and initialisms and acronyms.

The best defense against CNP fraud from an industry standpoint is the protection of data from being breached in the first place. Section 5 of the report reviews the role that data security takes in CNP fraud mitigation. It contains references to other documents providing detailed data protection recommendations.

Criminals will gather personal and payment data in various attacks against those who don't use strong data protection practices, so the next sections deal with the heart of CNP fraud mitigation.

  • Section 6 identifies the major types of CNP fraud attacks, both attacks that steal data and those that use that data to conduct fraudulent activities.
  • Section 7 reviews mitigation tools and approaches to take against such attacks. The section is subdivided into perspectives of various stakeholders, including merchants, merchant acquirers and gateways, issuers and issuer processors, and, finally, payment card networks.
  • Section 8 discusses how a stakeholder should identify key fraud performance metrics and then analyze, report, and track those metrics. While stakeholders will have different elements of metrics, they must each go to a sufficient level so the results will provide key insights and predictive indicators.

The report concludes with several annex sections (appendices) covering a variety of subjects related to CNP fraud. Suggestions for the improvement or revision of the technical report are welcome. Please send them to the X9 Committee Secretariat, Accredited Standards Committee X9 Inc., Financial Industry Standards, 275 West Street, Suite 107, Annapolis, MD 21401. I hope you will distribute this document among those in your institution involved with CNP fraud prevention, detection, and response to use as an educational or reference document. I think it will be quite useful.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

July 23, 2018 in card networks, cards, consumer fraud, consumer protection, cybercrime, cybersecurity, debit cards, identity theft

July 12, 2018


Behind the Growth in Debit Card Payments

U.S. consumers make more payments with nonprepaid debit cards than with other types of cards (credit and prepaid) combined. The 2016 Federal Reserve Payments Study found that consumers made 57.5 billion payments in 2015 using nonprepaid debit cards.

That's a 26 percent increase over 2012, when consumers made 45.7 billion nonprepaid debit card payments.

No doubt, effects of more favorable economic conditions—including declining unemployment, increasing wages, and greater consumer confidence—were important factors in increased consumer spending from 2012 to 2015. But from a payment choice perspective, such as which method or card to use, what might be driving this increase of almost 12 billion? Two factors related to those choices could be at play:

  • Maybe people started using the cards more intensively. That is, people who owned nonprepaid debit cards started using them more often, making more payments per card per month.
  • Maybe people started using the cards more extensively. That is, more people owned and actively used a nonprepaid debit card or more people owned and actively used multiple cards.

For this discussion, an "active" card is defined to be one that is not expired and had purchase activity or bill pay associated with the card during at least one month of the year 2015 or, for the 2012 estimate, at least one transaction during the month of March 2013. Note that the difference between the 2012 and 2015 estimates could, in part, be related to the different definitions of the measurement periods. (The Federal Reserve Payments Study also measures nonprepaid debit, credit, and prepaid cards that are in circulation but not used.)

Let's look at the numbers:

  • In 2012, there were 173.9 million active consumer nonprepaid debit cards in circulation. These cards are linked to a transaction account at a financial institution and can be used to make purchases at the point of sale.
  • In 2015, there were 209.6 million active consumer nonprepaid debit cards. That's an increase of 21 percent over the three years.
  • In 2012, U.S. consumers made 21.9 purchases per month per active nonprepaid debit card. In 2015, on average, across the months, they made 22.8 per card. That's almost flat—an increase of just four percent in the number of payments per card per month over three years.

These numbers overall tell us that an increase in payments per card is not the main driver of this phenomenal increase in the number of nonprepaid debit card payments (see the chart). Note that payments per card is an average of various behaviors. Some people could be using their cards more—for example, new debit card owners may be moving from using cash or prepaid cards. Others could be using their cards less—for example, new owners of credit cards may be moving away from debit cards.

[Chart: Number of nonprepaid debit cards increases]

Rather, the increased number of active cards seems to be the source of the jump in the number of nonprepaid debit card payments. Here are some factors that could relate to the greater numbers of cards:

  • The U.S. population ages 18 and older grew from 240 million to 247 million during this time, a three percent increase (American FactFinder search).
  • The percentage share of consumers with a bank account (and thus able to own a nonprepaid debit card) increased from 91.8 percent in 2011 to 93 percent in 2015 (FDIC Survey of Banked and Unbanked Consumers [2012 estimate not available]).
  • By birth year, the share of people more likely to own a debit card increased. Young people born between 1995 and 1997 turned 18 between 2012 and 2015—about 14 million of them (American FactFinder search). At the same time, the population of people born before 1940 declined by about 4 million between 2012 and 2015.

Whatever the source of the increase in the number of cards, we see here that typical behavior for an active nonprepaid debit card is around 23 purchases per month. How many times per month do you use your card or cards?

By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 12, 2018 in cards, debit cards, payments study, prepaid

July 6, 2018


Attack of the Smart Refrigerator

We've all heard about refrigerators that automatically order groceries when they sense the current supply is running low or out. These smart refrigerators are what people usually point to when giving an example of an "internet-of-things" (IoT) device. Briefly, an IoT device is a physical device connected to the internet wirelessly that transmits data, sometimes without direct human interaction. I suspect most of you have at least one of these devices already operating in your home or office, whether it's a wireless router, baby monitor, or voice-activated assistant or "smart" lights, thermostats, security systems, or TVs.

Experts are forecasting that IoT device manufacturing will be one of the fastest growing industries over the next decade. Gartner estimates there were more than 8 billion connected IoT devices globally in 2017, with about $2 trillion going toward IoT endpoints and services. In 2020, the number of these devices will increase to more than 20 billion. But what security are manufacturers building into these devices to prevent monitoring or outside manipulation? What prevents someone from hacking into your security system and monitoring the patterns of your house or office or turning on your interior security cameras and invading your privacy? For those devices that can generate financial transactions, what authentication processes will ensure that transactions are legitimate? It's one kind of mistake to order an unneeded gallon of milk, but another one entirely to use that connection to access a home computer to monitor one's online banking transaction activity and capture log-on credentials.

As one would probably suspect, there is no simple or consistent answer to these security questions, but the overall track record of device security has not been a great one. There have been major DDoS attacks against websites using botnets composed of millions of IoT devices. Ransomware attacks have been made against consumers' home security systems and thermostats, forcing consumers to pay the extortionist to get their systems working again.

Some high-end devices, such as driverless cars and medical devices, have been designed with security controls at the forefront, but most other manufacturers have given little thought to the criminal's ability to use a device to access and control other devices running on the same network. Adding to the problem is that many of these devices do not get software updates, including security patches.

With cybersecurity issues grabbing so many headlines, people are paying more and more attention to the role and impact of IoT devices. The National Institute of Standards and Technology (NIST) has begun efforts to develop security standards for cryptology that can operate within IoT devices. However, NIST estimates it will take two to four years to get the standard out.

In the meantime, the Department of Justice has some recommendations for securing IoT devices, including:

  • Research your device to determine security features. Does it have a changeable password? Does the manufacturer deliver security updates?
  • After you purchase a device and before you install it, download security updates and reset any default passwords.
  • If automatic updates are not provided to registered users, check at least monthly to determine if there are updates and download only from reputable sites.
  • Protect your routers and home Wi-Fi networks with firewalls, strong passwords, and security keys.

I see IoT device security as an issue that will continue to grow in importance. In a future post, I will discuss the privacy issues that IoT devices could create.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 6, 2018 in consumer fraud, cybercrime, cybersecurity, fraud, identity theft, innovation, online banking fraud, privacy