A series of events—one dramatic, the others significant, but quieter—have pushed the current and future status of the U.S. payments system front and center.
The dramatic event is Target—the breach that just keeps getting worse. The situation has been a nightmare for consumers and financial institutions (and a windfall for card production companies). At the level of even 70 million affected cardholders (the figures are hard to know accurately), card-issuing banks will foot a $700 million bill if you estimate the reissue cost at $10 per card. That does not include costs associated with dealing with the resulting fraud and responding to alarmed customers.
The quiet events were the recent release of ABA’s Deposit Account Fraud report and the Federal Reserve’s Payment System Improvement paper. Taken together, the three events make clear that there are two distinctly different issues that are often merged together in the payments system debate: the transaction, and data safekeeping.
Issue 1 - The Transaction
The first issue is speeding up the payment system into a contemporary end-to-end real-time or near-real-time link of all parties, where the transaction (purchase or payment) is credited, posted and settled at the time of the transaction (in milliseconds) and is essentially mobile enabled. The theory is that an end-to-end real-time network would provide instant feedback on the validity of the transaction, the account, available funds, or fraudulent characteristics of the activity itself.
Issue 2 - Data Safekeeping
How is the information that businesses or consumers entrust to merchants, vendors, or processors being protected? Clearly the answer too often is, "not well." This information includes the Bank Identification Number (BIN), the Personal Identification Number (PIN), and Routing, Transit and Account Number information.
70 Million And Counting
Target Corporation, no doubt, is top of mind for American consumers by virtue of the announcement that keeps getting worse. The tallies vary, but it has been reported that 70 million customers have had their card information compromised simply by being a customer of Target. This is not good news for anyone and is just one example of several security breach events that have occurred in the recent past. The most notable, other than Target, have been Heartland Payment Systems and Sunrise Prepaid (a subsidiary of Fidelity National Information Solutions, FIS). Central in each of these events is undetected malware.
The ABA fraud report states that almost 55% of deposit account fraud is debit card fraud and the number is increasing. Furthermore, there is a conflict in the perception of how to fight fraud and the big business it represents. As a result of the Target mega-breach, millions of cards were compromised. Every card processor and card production company in the country will see a significant spike in fraud-related revenue. Conservatively speaking, 70 million cards at $10 per card to re-issue means $700 million in cost—much of it borne by banks—not to mention the costs associated with fighting the fraud at impacted financial institutions, reviewing system reports, and responding to alarmed customers. The ABA report clearly states that the fraud losses reported by the survey participants do not include these costs.
The Fed weighs in
Timing being everything, while the breach at Target was occurring, the Federal Reserve published the “Payment System Improvement – Public Consultation” paper. At selected Federal Reserve locations, a number of Town Hall meetings were held to foster a contemporary dialog and obtain feedback. If you could not attend one of these Town Hall meetings, you can submit comments via the website established for the project, fedpaymentsimprovement.org. Thus far, about 190 comments have been submitted.
The premise of the project is acknowledging that the U.S. payment system is undergoing significant change (innovation) and that expectations of consumers and businesses alike are evolving. The willingness to adopt new payment options is not, however, without risks. Clearly, threats to the payments system are also increasing. The industry has the opportunity to improve efficiency, but it also needs to consider how to counter the growing threat environment, as current events reveal.
The Fed paper establishes a framework for the conversation by identifying gaps that exist today in the U.S. payment system and suggests opportunities. Central to the dialogue is a focus on achieving a real-time or near real-time payment system, improving transaction security by masking financial institution and customer account information, and the adoption of innovative payment options that have yet to gain ubiquity. Also discussed are the impact that mobile devices have in transforming the industry, the cost of changes to newer systems, the decline in check volume, and consumer fears about payment security that hinder adoption of electronic payments.
What the comments say
Of the four major card brands, American Express, Discover, MasterCard and VISA, only VISA and MasterCard have submitted comments in response to the Fed paper. Generally speaking, MasterCard and VISA concur with the gaps put forth by the Fed, but also state that the payment system is efficient, that innovation is driving the marketplace, and the Fed should stay out of it.
They further state that work is underway on new card security technologies, referencing the EMV (Chip + PIN) based security, but both fail to mention that the initiative has stalled around a Dodd-Frank requirement that gives merchants a choice of how their transactions are processed. The new EMV technology, at least for now, does not accommodate the number of processing choices that current credit and debit card systems offer.
American Express and Discover were notably silent and did not submit their comments in response to the paper.
The ABA, in a comment letter to the Fed, put forth the position that non-bank payment providers should also be subjected to the same regulatory oversight and held to the same high payments standards as banks. The Consumer Financial Protection Bureau submitted a comment that any improvement in the payment system should focus on protecting the consumer. This could be perceived as a warning shot across the financial industry’s bow.
Confusion and consensus
There is a general consensus between the ABA's companion document to its Fraud Report, titled the Changing Face of the Payments System, and the comments submitted to the Fed pertaining to speeding up the payment system. That is, if you speed up the payment system through the advent of real-time interfaces, the available fraud tools and methods should also keep pace.
The interesting point is that speeding up the payment system and its fraud-fighting tools does not address the Target issue, and that is where the confusion is. The payment system will ultimately transition into a real-time system that is efficient, mobility based, and in keeping with contemporary expectations; but if the payment method used is not secure and safe, mega-breaches will continue to occur and customer confidence in the payment system will plummet.
Financial institutions are at a disadvantage when data systems at merchants and processors are breached and data is stolen. Can the costs associated with investigating and fighting the fraud or reissuing cards be refunded to the institution? No! More questions are being raised due to the fact that these events are becoming all too common. Can the merchant be held accountable? How can the marketplace enforce data safekeeping? Hard questions.
Which is more important -- speeding up the payment system or data safekeeping? Even though they are separate issues, they are tied together.
What is the Future?
User expectations and an evolving mobility-based lifestyle are driving the changes in the payment systems. It can also be said that the industry, outside of the innovators, has been slow to respond. The gap between these two represents the weakest link and is open to compromise and exploitation. In essence, customer data, both in storage and in its subsequent use to complete a transaction, should be maintained in a secure environment at all times, and not just at the financial institution.
The payment system will speed up and fraud tools will improve. Mobility-enabled products, services and payments will continue to grow. When looking at the bigger picture, efficiency and speed do little to instill consumer confidence when the systems and servers that reside at non-regulated merchants, entities, and processors store information that can be easily compromised and stolen. Furthermore, if litigation is the primary tool used to enforce responsibility and accountability, then the trend of increasing fraud will continue for the foreseeable future, until end-to-end security is addressed and resolved.
Adeptra, Falcon, and Prism are the three most popular systems that are used to fight card fraud. These systems use an arsenal of tools to scrub credit and debit card transactions looking for fraudulent activity. Systems like these have been very effective in blocking fraud, as reported by the ABA, but they are card only. With the advent of internet banking, mobility-based platforms, and the growth of electronic payments, just looking at card transactions is not enough. The transaction enterprise is also exposed to compromise, take-over, and fraud. Fraud monitoring system capabilities need to be expanded to scrub all transactions passing across all of the channels, alerting the financial institution first of potentially fraudulent activity, even before the big card companies do, because they don’t have all your transaction information.
In reviewing some of the comments submitted, several placed the onus on the financial institution to “Know Your Customer,” and in a sense, when it comes to the customer, the financial institution has more information available regarding the total customer relationship. The available countermeasure in this regard, as the industry waits for action, is to install a transaction enterprise risk management and fraud monitoring system. With the system running in the background inside your environment, it may be your only line of defense at this time. Verafin, Guardian Analytics, and ThreatMetrix are all emerging players in this space and are worthy of a look.