About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.

Take On Payments

November 4, 2019


Encouraging Password Hygiene

Practicing good password hygiene, such as using strong passwords and never using them for any other application, can be a huge nuisance. Many people, including yours truly, would love to see passwords fade into oblivion and be replaced by stronger authentication technologies, such as biometrics. But the fact remains that passwords will continue to be used extensively for the foreseeable future, and for as long as they remain with us, it's imperative that we adhere to good password protocol. Verizon's 2019 Data Breach Investigations Report reveals that more than 60 percent of successful data breach hacks were due to compromised or stolen log-in credentials.

Information that describes good password practices is abundant, but people continue to be careless. So how can we successfully encourage people to actually follow these practices?

Interestingly, while I was pondering this issue, I came across a Wall Street Journal article. Written by a cybersecurity professor, the article describes research that the author and her colleagues did on this very topic—how to get people to create strong passwords—and I thought it would be useful to share their findings.

So what's the secret to getting us to use strong passwords, according to these researchers? It's the simple incentive of time—and by this I mean the length of time we're allowed to keep our passwords. The researchers found that people were willing to use stronger passwords if they could keep them for longer than they had in the past.

The conventional wisdom used to be that we should change passwords at least once a year. Now many financial service providers and others require users to change passwords every 30 days. However, some organizations continue to allow longer time periods, or perhaps don't enforce change at all, but offset the longer duration with stricter rules, requiring longer passwords with a minimum number of special characters. I imagine most of us are accustomed to the strength bar or bubble graphic that shows us the strength of a password as we're creating it. These might be useful in educating us about what strong passwords look like, but the researchers found them to be ineffective in driving people to create strong passwords.

I'll admit I don't always practice the best password hygiene. One of several reasons for this is that it seems my passwords expire so frequently. But I could get fully on board with building stronger, unique passwords if that meant I would have more time before I had to change them.

Have you seen or experienced other tactics or solutions that have pushed you to use better password hygiene? If so, we would love to hear from you!

November 4, 2019 in authentication, cybersecurity | Permalink


August 19, 2019


Why Should You Care about PSD2?

The revised Payment Services Directive (PSD2) is major payments legislation in the European Union (EU) that is intended to provide consumers increased competition, innovation, and security in banking and payment services. PSD2 specifications were released by the European Banking Authority in November 2017 and require all companies in the EU to be in compliance by September 14, 2019. Earlier this year, the European Banking Authority had refused a request by numerous stakeholders in the payments industry for a blanket delay of the regulation, citing a lack of legal authority to do so, although it announced it would permit local regulatory authorities to extend compliance deadlines for a "limited additional time." In the United Kingdom, however, the Financial Conduct Authority (FCA) announced on August 7 that it was deferring general enforcement of the PSD2 authentication provisions until March 2021, and allowing the industry an additional six months beyond that to develop more advanced forms of authentication. The Central Bank of Ireland has also granted an extension that is expected to be similar to the FCA's, but one has not been announced as of this writing.

The PSD2 has two major requirements: offer open banking and strong customer authentication (SCA). With open banking, consumers can authorize financial services providers to access and use their financial data that another financial institution is holding. (Application programming interfaces, or APIs, allow that access.) The FCA had mandated that open banking for U.K. banks be in place by early 2018 while the rest of the EU kept the open banking compliance deadline the same as that for SCA compliance. While open banking represents a major change in the EU's financial services landscape, the rest of this post focuses on the PSD2's strong customer authentication requirements.

Generally, PSD2 requires financial service providers to implement multi-factor authentication for in-person and remote financial transactions performed through any payment channel. As we have discussed before in this blog, there are three main authentication factor categories:

  • Something you know (for example, PIN or password)
  • Something you have (for example, chip card, mobile phone, or hardware token)
  • Something you are (for example, biometric modality such as fingerprints or facial or voice recognition)

PSD2 compliance requires the user to be authenticated using elements from at least two of these categories. For payments that are transacted remotely, authentication tokens linking the specific transaction amount and the payee's account number are an additional requirement.
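The two requirements in the paragraph above can be pictured as follows. This is an added example, not code from the original post or from the PSD2 specifications: the HMAC-based code, the function names, the factor names, and the sample account number are assumptions made for illustration.

```python
import hashlib
import hmac

# Factor categories as listed in the post; the factor names are illustrative.
FACTOR_CATEGORY = {
    "pin": "knowledge",
    "password": "knowledge",
    "chip_card": "possession",
    "mobile_phone": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
    "voice": "inherence",
}


def satisfies_two_categories(verified_factors):
    """True when the verified factors span at least two distinct categories.

    Two factors from the same category (PIN plus password) do not qualify.
    Unknown factor names are ignored rather than trusted.
    """
    categories = {
        FACTOR_CATEGORY[f] for f in verified_factors if f in FACTOR_CATEGORY
    }
    return len(categories) >= 2


def _canonical(amount_minor, currency, payee_account):
    """Serialise the fields the code is bound to in one unambiguous form.

    The amount is an integer in minor units (cents) so that no rounding or
    formatting difference can change the bytes being authenticated.
    """
    if not isinstance(amount_minor, int) or amount_minor <= 0:
        raise ValueError("amount must be a positive integer in minor units")
    payee = payee_account.replace(" ", "").upper()
    return f"{currency.upper()}|{amount_minor}|{payee}".encode()


def issue_auth_code(key, amount_minor, currency, payee_account):
    """Authentication code tied to this exact amount and payee account."""
    message = _canonical(amount_minor, currency, payee_account)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def authorize_remote_payment(key, verified_factors, auth_code,
                             amount_minor, currency, payee_account):
    """Accept only if two categories were used and the code matches the payment."""
    if not satisfies_two_categories(verified_factors):
        return "reject: fewer than two factor categories"
    expected = issue_auth_code(key, amount_minor, currency, payee_account)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), auth_code.encode()):
        return "reject: code not linked to this amount and payee"
    return "accept"


if __name__ == "__main__":
    key = b"\x01" * 32                      # constructed demo key
    payee = "DE00 0000 0000 0000 0000 00"   # constructed sample account
    code = issue_auth_code(key, 2500, "EUR", payee)  # EUR 25.00

    # Password plus fingerprint, same amount and payee: accepted.
    print(authorize_remote_payment(
        key, ["password", "fingerprint"], code, 2500, "EUR", payee))
    # Same code presented for a larger amount: rejected.
    print(authorize_remote_payment(
        key, ["password", "fingerprint"], code, 250000, "EUR", payee))
    # PIN plus password are both "something you know": rejected.
    print(authorize_remote_payment(
        key, ["pin", "password"], code, 2500, "EUR", payee))
```

Because the code is computed over the amount and payee, a code approved for one payment cannot be reused if either field is altered after the customer authenticates.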

The regulation provides for a number of exemptions to the SCA requirement. Key exemptions include:

  • Low-value transactions (under €30, approximately $33)
  • Transactions with businesses that the consumer identifies as trusted
  • Recurring transactions for consistent amounts after SCA is used for the first transaction. If the amount changes, SCA is required.
  • "Low-risk" transactions based on the acquirer's overall fraud rate calculated on a 90-day basis. Transaction values can be as high as €500 (about $555).
  • Mail-order and telephone-order payments, since they are not considered electronic payments covered by the regulation
  • Business-to-business (B2B) payments

Since PSD2 does not apply to payments where the acquirer or the issuer is not based in the EU, why would understanding this regulation be important to non-EU consumers and payment system stakeholders? From 2015 through 2018, the Federal Reserve established and provided leadership for the Secure Payments Task Force as it identified ways to enhance payments security, especially for remote payments. One critical need the task force identified is stronger identity authentication. So far, the United States has avoided any legislation concerning authentication, but will actions like the PSD2 create pressures to mandate such protections here? Or will the industry continue to work together through efforts like the FedPayments Improvement Community to develop improved authentication approaches? Please let us know what you think.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 19, 2019 in authentication, banks and banking, consumer protection, fraud, Payment Services Directive, PSD2 | Permalink


February 4, 2019


So, How Often Do You Dip?

Remember how s-l-o-w dipping your payment card seemed when you were shopping back in 2015? Molasses? Honey? The dregs of the ketchup bottle? These days, I'm dipping more—that is, inserting my card into a chip reader—and complaining about it less. (I don't have a contactless card, so tapping isn't yet an option for me.) I still think swiping is faster, but familiarity means that dipping bugs me less. And it's become rare for me to encounter a jerry-rigged chip reader with the insert slot blocked by cardboard or duct tape, forcing me to swipe instead.

Turns out my shopping experiences—dipping more—line up with new data released by the Federal Reserve Payments Study in December 2018. The study reports some information on how in-person general-purpose card payments were authenticated in the United States in 2017.

For the first time, more than half of these payments by value were chip-authenticated in 2017. In contrast, just three percent of general-purpose card payments used chips in 2015—hence, my lack of familiarity with dipping back in the day. Because contactless chip cards were in use before the EMV-based dipping method began to take off in 2015, these data are an approximation of the increasing use of dipping, not an exact measure.

The chart below is based on figure 8 in the Federal Reserve Payments Study: 2018 Annual Supplement; it shows the substantial uptake in chip authentication at the point of sale from 2016 to 2017. (Check out the supplement for more detail.)

[Chart: by-value shares of in-person general-purpose card payments]

Note: Chip payments were a negligible fraction in 2012.
Source: Federal Reserve Payments Study data (available here and here)

By number, more than 40 percent of general-purpose card payments were chip-authenticated. By card type, credit card payments are most likely to be chip-authenticated and prepaid card payments are least likely to be chip-authenticated (see the chart below). Prepaid cards are less likely to be chip-enabled, certainly a factor in the low shares of chip authentication, in part because of a business decision not to go to the expense of adding chips to low-value cards.

[Chart: shares of in-person general-purpose card payments, by card type]

By this time next year, my view of dipping could have changed again. A large card issuer has announced that all its credit cards will be tap-to-pay (that is, contactless) by mid-2019, so it's possible that my dipping will go the way of swiping.

For me, it feels more natural and faster to insert a chip card than it did a year ago. How about you?

By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 4, 2019 in authentication, cards, chip-and-pin, credit cards, debit cards, EMV, payments study | Permalink


January 7, 2019


A New You: Synthetic Identity Fraud

With the start of the new year, you may have resolved to make a change in your life. Maybe you've even gone so far as to pledge to become a "new you." But someone may have already claimed that "new you," stealing your credentials and using them to create a new identity. Identity theft is a growing problem, resulting in millions of dollars in damage around the world. And now there is a modern twist to this old and costly problem: synthetic identity fraud. Panelists at a forum convened by the Government Accountability Office (GAO) define this problem as a "crime in which perpetrators combine real and/or fictitious information, such as Social Security numbers and names, to create identities with which they may defraud financial institutions, government agencies, or individuals." (Read forum highlights on the GAO website.) According to the U.S. Federal Trade Commission, synthetic identity fraud is the "fastest growing and hardest to detect" form of identity theft.

This graphic from the GAO illustrates how this type of identity fraud differs from what we have traditionally defined as identity theft.

[Graphic: GAO illustration of traditional identity fraud versus synthetic identity fraud]

As this image shows, in traditional identity fraud, the criminal pretends to be another (real) person and uses his or her accounts. In synthetic identity fraud, the criminal establishes a new identity using a person's real details (such as social security number), combining this information with fictitious information to create a new credit record.

The challenge for the payments industry is determining whether an identity is planted or legitimate. For example, parents with excellent credit histories sometimes add their children to their existing credit accounts to give their children the benefit of their positive financial behavior. This action allows the children to kick-start their own credit records. Similarly, a criminal could plant a synthetic identity in an existing credit account and from there build a credit history for this identity. (In many cases, the criminal works for years on building a strong credit history for that false identity before "cashing out" and inflicting financial damages on a large scale.)

So what can consumers do to protect themselves? Here are some simple ways to make it harder for a thief to steal your personal information:

  • Shred documents containing personal information.
  • Do not provide your social security number to businesses unless you absolutely have to.
  • Use tools that monitor credit and identity usage.
  • Freeze your credit account as well as that of any of your minor children.
  • Check your accounts regularly to ensure that all transactions are legitimate and report any suspicious activity immediately.

Staying informed about synthetic identity fraud tactics and taking these steps to protect yourself can help you get one step closer to (preventing) "a new you."

By Catherine Thaliath, project management expert in the Retail Payments Risk Forum at the Atlanta Fed

January 7, 2019 in authentication, consumer fraud, consumer protection, data security, fraud, identity theft | Permalink


February 12, 2018


If the Password Is Dying, Is the PIN Far Behind?

Back in January, I wrote a post that highlighted the rising incidence of lost-and-stolen card fraud in the United Kingdom. I concluded that the decades-old PIN solution for the card-present environment is now showing signs of weakness. Results of a recent Minneapolis Fed survey of 283 financial institutions offer some validity to my conclusion: the survey found that losses on PIN-based debit increased by 50 percent from 2015 to 2016. In fact, 81 percent of the respondents reported fraud losses from PIN-based debit, compared to only 77 percent for credit cards.

The news wasn't all bad for PIN-based debit. Signature-based debit and credit cards still had more fraud attempts than any other payment instrument. At 63 percent, signature debit fraud actually had a higher increase in fraud losses from 2015 to 2016 than did PIN debit. The PIN is a far superior verification method for card payments, but I'm willing to bet that the PIN, much like the password, has become less effective.

Is this coming at a time when the PIN is about to become more prominent? In late January, the PCI Security Standards Council announced a new security standard for software-based PIN entry, also known as "PIN on glass." This standard specifies the security requirements for accepting a PIN on a mobile point-of-sale device such as a Square card reader.

As an aside, I am a bit surprised by this announcement. Apparently, mobile phones are safe enough for entering PINs, but when someone uses a pay wallet such as Apple Pay or Samsung Pay, the card's PAN, or primary account number, is tokenized for security purposes. I'll save a discussion of this inconsistency for another post.

People have been talking for years now about how the password has passed its prime as a standalone authentication solution. Yet it continues to live, and it's as difficult as ever to mitigate its vulnerabilities. In my opinion, attempts to do so have increased customer friction and had minimal impact. I think the PIN is following a similar path. It creates customer friction (especially for me as I now have different PINs for multiple cards that I struggle to keep straight) and is losing its effectiveness, according to the data I mentioned in the first paragraph. But it appears that, with the PCI's recent announcement, the PIN could become even more prevalent for cardholders. Is it time, in the name of security and customer friction, for us to replace PINs and passwords with more modern authentication technologies such as biometrics?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 12, 2018 in authentication, banks and banking, cards, chip-and-pin, consumer fraud, debit cards, EMV, mobile payments | Permalink


January 16, 2018


Not Just a Card-Not-Present Problem

In 2012, I published a paper that looked at trends in card fraud in several countries that had adopted or were in the later stages of adopting EMV chip cards. The United States is now in the process of adopting EMV, so I am refreshing that paper with an eye towards fraud trends in what are now mature EMV markets. Payments experts know that card-not-present (CNP) fraud will continue to pose challenges that EMV chip cards do not solve, but are there other challenges lurking in these markets that the U.S. payments industry should note?

Although I'm still gathering data, one particular data point from the United Kingdom—lost and stolen fraud—already has me intrigued. In 2016, losses from this type of fraud stood at more than £96 million (about $130 million), up from more than £44 million (about $60 million) in 2010, a 117 percent increase. In 2010, lost and stolen fraud accounted for 12 percent of overall card fraud in that country. By the end of 2016, it had become 16 percent of card fraud. It is now the second leading type of fraud in the United Kingdom, though it still falls far behind CNP fraud, which accounts for 70 percent.

Remember that in the United Kingdom, PIN usage was adopted to mitigate lost and stolen card fraud at the same time that EMV chip cards were implemented. Yet lost and stolen card fraud is up significantly. According to Financial Fraud Action UK, fraudsters are getting their hands on the PINs—a static data element—through distraction tactics and scams. Other factors, such as the proliferation of contactless transactions and those that have no cardholder verification method, could also be drivers of this fraud, as could an increase of reports of lost or stolen fraud that is actually first-party, or "friendly," fraud. EMV has proven to be an effective tool to authenticate cards, but authenticating an individual using a card, even in a card-present environment, remains a challenge.

The lost and stolen fraud figures out of the United Kingdom lead me to believe that cardholder authentication isn't just a CNP problem. Furthermore, the decades-old PIN solution for the card-present environment is now showing signs of weakness. At the same time, to reduce customer friction, many card networks are eliminating signature verification and relying on data analytics to authenticate transactions. Is this a perfect storm for lost and stolen card fraud? Is it the foreshadowing of the emergence of biometrics, or some lesser known technology? Or will I find that this problem is isolated and should not worry us in the United States?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 16, 2018 in authentication, cards, chip-and-pin, debit cards, EMV, fraud, payments | Permalink


August 28, 2017


Identity Theft: A Growing Epidemic

I recently attended a conference that explored improvements in identifying and authenticating individuals. Many of the sessions focused on identity theft. While the conference primarily targeted law enforcement, immigration control, and the military, many of the lessons can easily apply to the public sector. A recent industry report validated the conference's focus, noting that in 2016, 15.4 million Americans were victims of identity theft, an increase of 18 percent from the previous year.

Identity theft (also called identity fraud) covers a wide range of crimes in which the criminal obtains and illegally uses another person's personal information in a fraudulent or deceptive manner, typically for economic benefit. In most cases, the criminals get personal information through a data breach, but malware on a computer or mobile phone or email phishing are other sources. Sometimes criminals can get enough personal information from public data—such as property and voter records, as well as social media accounts—to create a false identity and commit a crime.

Social Security numbers appear to be the most valuable information element in creating false identities. For this reason, legislation was passed in 2015 mandating that the Centers for Medicare and Medicaid Services (CMS) remove Social Security numbers from Medicaid cards. CMS recently announced that it will reissue Medicaid cards in April 2018 with a new beneficiary identification scheme.

The criminal actions of identity theft include using account numbers to obtain merchandise that can be monetized, filing fraudulent tax refund returns, and applying for credit to buy cars, lease homes, or even get home equity lines of credit. Outside the financial services arena, identity theft crimes include obtaining medical services, social program benefits, and false identification documents.

The Identity Theft Resource Center is a nonprofit organization established in 1999 to help identity theft victims resolve their cases and to broaden public education and awareness of identity theft, data breaches, cybersecurity, scams and fraud, and privacy issues. The center also tracks the number of data breaches across five industry sectors. As this chart shows, businesses remain the number one target for data breaches, and the number of attacks targeting businesses increased 4.4 percent during the first half of 2017 compared to that same period in 2016.

[Chart: U.S. breaches by industry sector]

The increased use of chip cards at merchant terminals has made it more difficult for the criminal element to commit point-of-sale card fraud. Meanwhile, however, overall identity theft fraud is on the rise. So how do we combat this growing threat? We will look at some threat mitigation tactics and tools in a future post.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 28, 2017 in authentication, cybercrime, data security, identity theft, malware | Permalink


June 12, 2017


Watching Your Behavior

Customer authentication has been at the core of the Retail Payments Risk Forum's payments risk education efforts from the beginning. We've stressed not only that there are legal and regulatory requirements for certain parties to "know your customer," but also that it is in the best interest of merchants and issuers to be sure that the party on the other end of a given transaction is who he or she claims to be and is authorized to perform that transaction. After all, if you allow a fraudster in, you have to expect that you or someone else will be defrauded. That said, we also know that performing this authentication, especially remotely, has several challenges.

The recently released 2017 Identity Fraud Study from Javelin Strategy & Research estimated that account takeover (ATO) fraud losses in 2016 amounted to $2.3 billion—a 61 percent increase over 2015's losses. (ATO fraud occurs when an unauthorized individual performs fraudulent transactions through a victim's account.) Additionally, new-account fraud on deposit and credit accounts has increased significantly and generated several public warnings from the FBI.

In payments, the balancing act between imposing additional customer authentication requirements and maintaining a positive, low-friction customer experience has always been a challenge. Retailers, especially online merchants, have been reluctant to add authentication modalities in their checkout process for fear that customers will abandon their shopping carts and move their purchase to another merchant with lower security requirements. Some merchants have recently introduced physical biometrics modalities such as fingerprint or facial recognition for online orders through mobile phones. Although these modalities have gained a high acceptance rate, they still require the consumer to actively participate in the authentication process.

Enter behavioral biometrics for online transactions. Behavioral biometrics develops a pattern of a user's unique, identifiable attributes from when the user is online at a merchant's website or using the merchant's proprietary mobile app. Attributes measured include such elements as typing speed, pressure on the keyboard, use of keyboard shortcuts, mouse movement, phone orientation, and screen navigation. Coupled with device fingerprinting for the customer's desktop, laptop, tablet, or mobile phone, behavioral biometrics gives the merchant and issuer a higher level of confidence in the customer's authenticity. Another benefit is that behavioral biometrics is passive—it is performed without the user's involvement, which eliminates additional friction in the overall customer experience. Proponents claim that while it takes several sessions to develop a strong user profile, they can often spot fraudsters' attempts because fraudsters often exhibit certain recognizable traits.

Behavioral biometrics is still fairly new to the market but over the last couple of years, some major online retailers have adopted it as an additional authentication tool. Like any of the physical biometric modalities, no single behavioral authentication methodology is a silver bullet, and multi-factor authentication is still recommended for moderate- and higher-risk transactions.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 12, 2017 in authentication, banks and banking, consumer fraud, fraud, mobile banking, payments | Permalink


May 1, 2017


Additional Authentication: Is the Protection Worth the Hassle?

Last week, we discussed some findings from a research study conducted earlier this year to understand consumer knowledge of and attitudes regarding other authentication methodologies.

The survey participants read a brief description of alternative authentication methods and then answered a series of questions regarding their attitudes about the ease of use and willingness to adopt these alternatives. Some of the authentication methodologies reviewed were:

  • Fingerprint biometric
  • Device location
  • Eye vein biometric
  • Facial recognition
  • Device fingerprinting/identification
  • KBA (knowledge-based authentication, or personal data challenge questions)
  • Two-way text message
  • Voice-recognition biometric

The participants were asked to rate the ease of use for the alternative methodologies. The table shows the percentage of respondents rating the methodology as “very easy” or “somewhat easy.”

[Table: percentage of respondents rating each methodology "very easy" or "somewhat easy"]

All age segments rated the user ID and password as the methodology having the greatest ease of use. All the groups ranked the eye vein biometric low in user ease; voice and facial recognition also scored low across the segments.

One key finding, which points out the continuing need for consumer education, was that many people did not understand the various alternative methodologies, even after reading a description and the pros and cons of each. Seniors were more likely to respond “Don’t Know”; millennials indicated a greater level of understanding.

Of particular interest, the study probed the ability of a financial incentive to entice customers to agree to adopt additional authentication tools. Just over half (51 percent) of the respondents indicated they would agree to additional authentication tools without any financial compensation. Offering a one-time $10 cash bonus would result in an additional 15 percent, and raising the ante to $25 would bring in 9 percent more. One-fourth of the respondents indicated they wouldn’t sign up for additional authentication with or without an incentive. Seniors are the least likely group (33 percent) to adopt additional authentication without an incentive, and millennials are the most likely (62 percent).

While the level of resistance by consumers to adopting stronger authentication processes seems to be dropping, there remains a strong need for customer education to demonstrate the benefits over any inconvenience. Meanwhile, a number of financial institutions and merchants are using covert authentication tools such as transaction-pattern anomalies and risk-based transaction scoring based on historical fraud experiences.

Passwords are likely to be around for quite some time as a basic means of authentication, but the payments industry and consumers must work together to provide a higher level of security for transactions. Do you think disincentives, such as the service remaining free if you agree to use additional authentication tools or a monthly fee if you keep a password as your only means of authentication, are viable options? As always, your comments are welcome.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 1, 2017 in authentication, biometrics | Permalink


April 24, 2017


Would Consumers Ever Give Up Their Passwords?

In a post last week, we revisited the issue of passwords and their suitability in serving as a secure authentication method for consumers to gain access to websites and applications. Payment security professionals generally agree that most consumers do not voluntarily adopt strong security practices in selecting and managing their passwords. Consumers often select easily guessed passwords and even use the same password across numerous websites. Given these tendencies, the payments industry is looking for alternative authentication methods that either consumers could adopt or the industry could perform covertly—methods that would ultimately provide for a higher level of customer authentication.

The Aite Group conducted a research study in January 2017 to understand consumer knowledge of and attitudes regarding other authentication methodologies. In particular, the study looked at responses at the generational level, with the respondent base broken into four age segments:

  • Seniors: 70+ years of age
  • Baby boomers: 53–70 years of age
  • Gen X: 37–52 years of age
  • Millennials (Gen Y): 16–36 years of age

The study revealed a universal attitude that passwords are easy to use. Only 7 percent of the seniors indicated they are difficult to use, compared to 1 percent or less for the other three groups. Millennials use the same passwords the most, with 39 percent indicating they use only one or two different passwords and more than three-fourths (77 percent) using five or fewer passwords among all their online accounts.

The participants were asked to rank the importance of different attributes in their consideration for using their financial institution's online banking service. All the age groups indicated that ease of use is topmost. While a majority within each group also cited strong security and fraud prevention as important, seniors especially indicated its importance, giving it equal weight to ease of use.

Although the majority of the respondents in each of the groups indicated some level of willingness to change their authentication method to access their bank account, there was a clear relationship between their age and level of willingness (see the chart).

[Chart: willingness to change authentication method, by age segment]

So what authentication method did the segments favor? Go read the full report or wait until our next post, which will also discuss whether it will be necessary to offer consumers incentives to get them to change their habits.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 24, 2017 in authentication, biometrics | Permalink
