Payments exposure hits warp speed

Payment fraud schemes have evolved with the changing nature of payment systems, says Federal Reserve Board Governor Jerome Powell. Once crooks relied on the slow speed of the old paper check-clearing system to get away with their crimes, but now they take advantage of the rapid transmission of data to steal account information.

“Today, fraud can be executed quickly, perpetrated on a massive scale, and carried out remotely,” said Powell. In an address at the Federal Reserve Bank of Kansas City late last month, Powell discussed four areas all stakeholders in the payment systems should be considering.

Seeking safe innovation

“Although payments cards reduced the impact of a stolen wallet, they've also introduced new risks, like counterfeit card fraud,” Powell pointed out.  He said the payments industry must beware of such developments.

“These risks may be tolerable in the short run, so long as we work to identify, prevent, and mitigate them early on in the design and implementation process,” said Powell.

In the case of payment cards, over time, technologies have been broadly implemented to mitigate many risks.

“For instance,” said Powell, “computer algorithms now analyze transactions in real time and can prevent the same card number from being used to make purchases in Washington, D.C., and in Kansas City five minutes apart.”

At a minimum, he said, banks, merchants, and other institutions that process or store sensitive financial information need to keep their hardware and software current to the latest industry standards.

Prevention: Preparing to fight fraud

Powell said that one clear area of focus needs to be on implementing preventive tools, or simply put, defensive tactics

“The deployment of EMV chip cards in the United States represents an important step forward,” said Powell. “But we should not stop there.”

Powell noted that for many years, traditional authentication methods like signatures and static passwords have been used to verify an individual’s authority to initiate a payment. New approaches to authentication offer the potential for greater assurance and protection, however.

“Given the current technologies that we have at our disposal, we should assess the continued use of signatures as a means of authenticating card transactions,” Powell said.

“It is important to layer security tools and procedures,” Powell continued. “Methods to devalue payment data, like tokenization and encryption for data at rest, in use, and in transit, mitigate the effect of a data breach. Analytics can identify and prevent fraudulent transactions. Firewalls and segmentation of technology supporting critical functions can protect networks from outside attacks.”

Insider threats, as well, need to be guarded against, Powell said, citing a study that indicates more than 20% of security incidents can be attributed to insiders. “Segregation of duties, background checks, and monitoring for anomalies help reduce the risk of insider threats,” said Powell.

Planning can fight fraud

“You can't protect yourself unless you understand how your business is structured. This sounds simple enough, but an organization's computer systems are often unexpectedly interconnected,” said Powell.  

Powell pointed out that some of the largest point-of-sale data breaches originated outside the payment card systems.

Plans need to include methods to detect attacks, response procedures, and the ability to recover business functions, according to Powell. “You should also keep up to date on cyber developments and gather information about threats from information sharing forums, including FS-ISAC, US-CERT, and the FBI's InfraGard,” he said.

Education of consumers, the ultimate users

“Collectively, we could do more to empower consumers to use financial products safely by educating them on the risks they face and the steps they can take to protect themselves,” said Powell.

Powell also noted that banks must be prepared to respond to a security incident in a transparent and timely manner so consumers understand the implications.

The Federal Reserve is proceeding with an initiative started earlier this year to establish two task forces to advise on how to speed up the payments system and to identify ways to advance payment system safety. More than 300 participants have signed up for the faster payments task force and more than 200 have joined the secure payments task force.

“By the end of next year, the plan is for the faster payments task force, with input from the secure payments task force, to have laid out its detailed thinking on the most effective approaches for implementing faster payments in the United States. Then, it will be up to the industry to implement these approaches,” Powell said.

Download Powell’s speech, “The Puzzle of Payments Security: Fitting the Pieces Together to Protect the Retail Payments System”