Please enable JavaScript to view the comments powered by Disqus.

We use cookies on our website to give you the best online experience. Please know that if you continue to browse on our site, you agree to this use. You can always block or disable cookies using your browser settings. To find out more, please review our privacy policy.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

July 15, 2019

The Future of Fraud in a Post-EMV Chip Environment

"Doug: Your conclusion has me worried about credit-push in an environment where payments are irrevocable." I received this brief email a few days after my latest paper  was published on the Atlanta Fed website. In this paper, I explore fraud trends in countries with a fully mature, or close to it, EMV chip card environment—trends we are likely to see in the United States as our EMV chip card implementation matures.

When the topic of EMV chip card fraud comes up, the conversation nearly always makes its way to the documented shift from counterfeit card fraud to card-not-present (CNP) fraud. While that is a fair and valid conversation, times are changing, and we just may need to refocus the fraud conversation, as this email indicates—my emailer was referring to credit-push payments and the fraud that can happen, and is happening, in this environment.

Data clearly show that when countries such as the United Kingdom, France, and Australia migrated to EMV chip cards, CNP fraud rose—in some instances, dramatically. And where the data are available, we can see that the fraud rate for CNP transactions also initially rose. But over the last several years something interesting has happened. Both absolute CNP fraud and CNP fraud rates are declining in some of the countries. While these countries did not have many CNP fraud prevention techniques and tools at their disposal when they first migrated to EMV chip cards, the technology is catching up and they have more tools now. If there was any benefit for the United States from being an EMV laggard, perhaps this is it: we are better equipped to deal with CNP fraud.

But back to push payments. Authorized push payment (APP) fraud, which is a form of credit-push fraud, is a growing problem. In the United Kingdom, the real-time payment system is being used extensively to carry out this type of fraud. Just as other countries didn't have many tools to fight CNP fraud in early EMV chip adoptions, we don't have all the tools yet to mitigate APP fraud.

At the heart of APP fraud is business email compromise, which we've covered in this blog and which was the featured topic in the Atlanta Fed's most recent Economy Matters podcast episode . To read more about this particular fraud trend and other trends the U.S. payments industry should be wary of as our EMV chip card environment matures, be sure to read the paper .

Back to the email I received—it was short, but my reply was even shorter: "You should be worried."

April 1, 2019

Contactless Cards: The Future King of Payments?

Just over two years ago, my colleague Doug King penned a post lamenting the lack of dual interface, or "contactless," chip payment cards in the United States. In addition to having the familiar embedded chip, a dual interface card contains a hidden antenna that allows the holder to tap the card on or wave it near the POS terminal. This is the same technology—near field communications (NFC)—that various pay wallets inside mobile devices use.

Doug is now doing his daily fitness runs with a bigger smile on his face as the indicators appear more and more promising that 2019 will be the year of the contactless card. Large issuers have been announcing plans to distribute dual interface cards either in mass reissues or as a cardholder's current card expires. Earlier this year, some of the global brand networks launched advertising campaigns to make customers aware of the convenience that contactless cards offer.

So why have U.S. issuers not moved on this idea before now? I think there have been several reasons. First, for the last several years, financial institutions have focused a lot of their resources on chip card migration. Contactless cards will create an additional expense for issuers and many of them wanted to let the market mature as it has done in a number of other countries. They were also concerned about the failure of contactless card programs that some of the large FIs introduced in the early 2000s—most merchants lacked terminals capable of handling the technology.

The EMV chip migration solved much of the merchant terminal acceptance problem as the vast majority of POS terminals upgraded to support EMV chips can also support contactless cards. (While a terminal may have the ability to support the technology, the merchant has to enable that support.) Visa claims that as of mid-2018, half of POS transactions in the United States were occurring at terminals that were contactless-enabled. Another factor favoring contactless transactions is the plan by major U.S. mass transit agencies to begin accepting contactless payment cards. According to the American Public Transportation Association's 2017 Ridership Report, there were 41 transit agencies in the United States with annual passenger trip volumes of over 20 million trips.

Given that consumer payments is largely a total sum environment, these developments have led me to ask myself and others what effect contactless cards will have on consumers' use of other payment forms—in particular, mobile payments. As my colleagues and I have written numerous times in this blog, mobile payments continue to struggle to obtain consumer adoption, despite earlier predictions that they would catch on quickly. There are some who believe that the convenience of ubiquity and fast transaction speed will favor the dual purpose card. Others think that the increased merchant acceptance of contactless will help push the mobile phone into becoming the primary payment form.

My personal perspective is that contactless cards will hinder the growth of in-person mobile payments. There are those who claim to leave their wallet at home and never their phone, and they will continue to be strong users of mobile payments. But the reality is that mobile payments are not accepted at all merchant locations, whereas payment cards are practically ubiquitous. While I am a frequent user of mobile payments, simply waving or tapping a card appeals to me. It's much more convenient than having to open the pay application on my phone, sign on, and then authorize the transaction.

Do you believe the adoption of contactless cards by consumers and merchants will be as successful as it was for EMV chip cards? And do you think that contactless cards will help or hinder the growth of mobile payments? Let us hear from you.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

February 4, 2019

So, How Often Do You Dip?

Remember how s-l-o-w dipping your payment card seemed when you were shopping back in 2015? Molasses? Honey? The dregs of the ketchup bottle? These days, I'm dipping more—that is, inserting my card into a chip reader—and complaining about it less. (I don't have a contactless card, so tapping isn't yet an option for me.) I still think swiping is faster, but familiarity means that dipping bugs me less. And it's become rare for me to encounter a jerry-rigged chip reader with the insert slot blocked by cardboard or duct tape, forcing me to swipe instead.

Turns out my shopping experiences—dipping more—line up with new data released by the Federal Reserve Payments Study in December 2018. The study reports some information on how in-person general-purpose card payments were authenticated in the United States in 2017.

For the first time, more than half of these payments by value were chip-authenticated in 2017. In contrast, just three percent of general-purpose card payments used chips in 2015—hence, my lack of familiarity with dipping back in the day. Because contactless chip cards were in use before the EMV-based dipping method began to take off in 2015, these data are an approximation of the increasing use of dipping, not an exact measure.

The chart below is based on figure 8 in the Federal Reserve Payments Study: 2018 Annual Supplement; it shows the substantial uptake in chip authentication at the point of sale from 2016 to 2017. (Check out the supplement for more detail.)

By-value-shares-of-in-person-general-purpose

Note: Chip payments were a negligible fraction in 2012.
Source: Federal Reserve Payments Study data (available here and here)

By number, more than 40 percent of general-purpose card payments were chip-authenticated. By card type, credit card payments are most likely to be chip-authenticated and prepaid card payments are least likely to be chip-authenticated (see the chart below). Prepaid cards are less likely to be chip-enabled, certainly a factor in the low shares of chip authentication, in part because of a business decision not to go to the expense of adding chips to low-value cards.

Shares-of-in-person-general-purpose-card-chart

By this time next year, my view of dipping could have changed again. A large card issuer has announced that all its credit cards will be tap-to-pay (that is, contactless) by mid-2019, so it's possible that my dipping will go the way of swiping.

For me, it feels more natural and faster to insert a chip card than it did a year ago. How about you?

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

February 12, 2018

If the Password Is Dying, Is the PIN Far Behind?

Back in January, I wrote a post that highlighted the rising incidence of lost-and-stolen card fraud in the United Kingdom. I concluded that the decades-old PIN solution for the card-present environment is now showing signs of weakness. Results of a recent Minneapolis Fed survey of 283 financial institutions offer some validity to my conclusion: the survey found that losses on PIN-based debit increased by 50 percent from 2015 to 2016. In fact, 81 percent of the respondents reported fraud losses from PIN-based debit, compared to only 77 percent for credit cards.

The news wasn't all bad for PIN-based debit. Signature-based debit and credit cards still had more fraud attempts than any other payment instrument. At 63 percent, signature debit fraud actually had a higher increase in fraud losses from 2015 to 2016 than did PIN debit. The PIN is a far superior verification method for card payments, but I'm willing to bet that the PIN, much like the password, has become less effective.

Is this coming at a time when the PIN is about to become more prominent? In late January, the PCI Security Standards Council announced a new security standard for software-based PIN entry, also known as "PIN on glass." This standard specifies the security requirements for accepting a PIN on a mobile point-of-sale device such as a Square card reader.

As an aside, I am a bit surprised by this announcement. Apparently, mobile phones are safe enough for entering PINs, but when someone uses a pay wallet such as Apple Pay or Samsung Pay, the card's PAN, or primary account number, is tokenized for security purposes. I'll save a discussion of this inconsistency for another post.

People have been talking for years now about how the password has passed its prime as a standalone authentication solution. Yet it continues to live, and it's as difficult as ever to mitigate its vulnerabilities. In my opinion, attempts to do so have increased customer friction and had minimal impact. I think the PIN is following a similar path. It creates customer friction (especially for me as I now have different PINs for multiple cards that I struggle to keep straight) and is losing its effectiveness, according to the data I mentioned in the first paragraph. But it appears that, with the PCI's recent announcement, the PIN could become even more prevalent for cardholders. Is it time, in the name of security and customer friction, for us to replace PINs and passwords with more modern authentication technologies such as biometrics?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed