U. S. Payments Landscape Perspective Fresh from the Fed U. S. Payments Landscape Perspective AFP - Nashville March 8, 2018 Dave Lott, Payments Risk Expert Federal Reserve Bank of Atlanta The views expressed in this presentation are those of the presenters and do not necessarily reflect the views of the Federal Reserve Bank of Atlanta or the Federal Reserve System.
Detect and identify; assist and encourage… Forum’s Mission Detect and identify; assist and encourage… Identify: What? Risk - in existing and emerging retail payments Help how? Contribute to mitigating payment risks by: Researching products, services, and systems Collaborating with industry Convening Take On Payments weekly blog http://takeonpayments.frbatlanta.org 2 2
Agenda Payments Overview EMV Migration at POS Fraud Schemes Questions and Discussion 3
Payments Overview 4
Cash continues to dominate small-value, in-store payments Cash Usage Cash continues to dominate small-value, in-store payments 5
Key Themes Continue Key Theme 2012 Diary 2015 Diary Most frequently used payment method Dominant for small-value transactions Wide array of users and use cases Critical in contingency situations Consistent with other data sources, we also see evolution Cash’s share of consumer payments is declining Consumers are holding more cash, but using it less often 6
About the Payments Study Calendar year 2015 estimates, comparisons with 2012 estimates Sixth in triennial series since 2000 National estimates from institutional surveys Representative data from almost 1,400 depository institutions Census of general-purpose card networks Processors and issuers of various private-label payment instruments Covers total number and value of all US noncash payments Payments by consumers and businesses 7
Trends in Noncash Payments 2000-15, by Number U.S. noncash payments continued to rise Debit cards showed the largest increase in number of payments Credit cards showed the largest growth rate in number of payments ACH continued growth Check continued to decline, but at a slower rate SOURCE: Federal Reserve Payments Study 2016 8
Distribution of Core Noncash Payments by Type, Number and Value - 2015 # $ The Inverse Number-Value Relationship Across Payment Types SOURCE: Federal Reserve Payments Study 2016 9
Trends in Checks Written, 2000-15, Number and Value By number, the decline in checks appeared to taper off 2012-15 By value, checks have not declined as much Checks converted to ACH dropping faster than checks overall SOURCE: Federal Reserve Payments Study 2016 10
Distribution of Card Fraud Types – United States and Selected Countries - 2015 SOURCE: Federal Reserve Payments Study 2016 Counterfeit & lost or stolen are in-person while fraudulent use of account number reflects remote fraud Chips help reduce in-person fraud by making card counterfeiting harder Only 2 percent of U.S. card payments were chip based Other countries adopted sooner, had much higher chip usage 11
EMV Migration 12
EMV Migration 13
Chip Card Types There are two major types of chip cards, but each must communicate to the POS terminal chip reader Contact Card inserted or dipped and retained for the duration of the transaction Contactless Using Near Field Communications (NFC) technology, the card is placed within 4 cm (≈ 1.5”) of reader on terminal Faster than contact transaction and desired by high throughput merchants such as transit systems High utilization in international markets but little success to this point in the US Major issuers plan to add contactless feature to chip cards during normal reissuance cycle in 2019 – 2021 timeframe 14
EMV’s Benefits For Card Fraud Protection Dynamic Card Authentication A dynamic (transaction-unique) cryptogram presented with each transaction mitigates counterfeit card fraud risk. In a mag stripe environment, card authentication, if performed, is a static process performed at the POS. Magnetic stripe data indicates if card contains a chip and to process as a chip card Fallback (reverting to magnetic stripe) approval at discretion of merchant and issuer. Cardholder Verification (if implemented in a PIN environment) Provides superior protection against lost or stolen card fraud compared to other verification methods currently used in the market. Each application supports its own cardholder verification method. 15
EMV’s Benefits For Card Fraud Protection (cont.) Global interoperability Longer card life than magnetic stripe, although more expensive ( 2-3 x) Foundation for next generation of payments Merchants may qualify for some PCI audit relief 16
EMV’s Shortcomings For Card Fraud Protection PAN data remains vulnerable at POS PAN, expiry and name data travels “in the clear” inside terminal Highly valuable to fraudsters for: Counterfeiting in a mag stripe environment Card-not-present (CNP) transactions Designed for face-to-face transactions Card authentication requires a direct connection to allow the card to communicate With the terminal (offline environment) To the host (online environment) Fraudsters migrate from the card-present environment to the card-not-present (CNP) environment 17
Current State of EMV Deployment Card migration is nearing almost complete deployment Glenbrook Partners say as of mid-2017, 63% of all cards are chip cards Credit cards: 81% Debit cards: 46% Visa says 67% of its cards are chip enabled as of YE 2017 96% of payment volume being conducted by chip cards Visa (December 2017) indicates: 2.7 million merchant locations accepting chip cards 59% of storefronts Visa claims that for merchants that have completed chip card upgrade, fraud from counterfeit cards has dropped 70% from YE2015 to September 2017 18
EMV Has Been Successful at Reducing Fraud ……BUT Domestic card present fraud rates greatly improved (EMV has been very good at doing what it was designed to do – preventing counterfeit and lost/stolen fraud). Card-Not-Present fraud is up. Hard to understand if the actual fraud rate is up, but EMV is not designed to prevent this type of fraud 19
CARD-NOT-PRESENT FRAUD AFTER EMV Card Fraud Shifted to Remote Merchants (Online, MOTO) CARD-NOT-PRESENT FRAUD AFTER EMV (local currency) Sources: Financial Fraud Action UK, The Observatory for Payment Card Security, Canadian Bankers Association, Australian Payments Clearing Association. 20
Merchant Perspectives on EMV Token 2.0 For merchants that use proprietary or third party “security” or internal tokens, concerns around payment tokens are ability to deliver a consistent consumer experience (number of issuers creates potential for inconsistent experiences) For merchants that have adopted payment tokenization Franchise merchants use a third party (terminal provider) and processor that handles integration Third party integration to expand to e-commerce is a challenge because PAN is needed for merchant fraud tools, so an alternative method is needed Surprisingly, little interest in Payment Account Reference (PAR) Also have not yet achieved full integration with loyalty program 12 21
Challenges to Expanded Use of Payment Tokenization Achieving scale will take time and requires partners Merchants and processors need to become more comfortable Tokenization will increase; however, not everything needs to be tokenized For example: Different security criteria: e.g., a prepaid card that already has its own domain restriction and can only be used to a restricted amount, so the issuer can decide not to tokenize this prepaid card Tokenization will expand but there is potential usage where it will never make sense and this is something that the industry is beginning to recognize – entirely removing PAN from ecosystem is not a reality Scale is more important, through issuer and acquirer base, as more people understand how it works Tokenization has created better decision-making on behalf of issuers for merchants resulting in less chargebacks and increased authorizations 22
Fraud Schemes 23
Fraud Schemes: criminals remain plenty busy Identity fraud increasing Business E-mail Compromise Fed Pays My Bills Ransomware ATM skimming / machine heists 2424 24
Defenses increased as attacks mount Payment Security Defenses increased as attacks mount Signature requirement at POS ending Biometric modalities being expanded 2525 25
Number and magnitude continue to grow Data Breaches Number and magnitude continue to grow Third party access Assume you have been compromised? 2626 26
Questions or Comments 28
THANK YOU Dave Lott Federal Reserve Bank of Atlanta Retail Payments Risk Forum http://takeonpayments.frbatlanta.org David.Lott@atl.frb.org