Wednesday, August 12, 2009

What Causes Financial Fraud? It's the Stupid Typing!


PIN Debit Payments Blog






Aite Group asks the following questions:

1. Fraud is one of the main concerns of financial institutions today, but how should they go about preventing it? (Editor's Note: I say "eliminate" what causes fraud)

2. What technology or training should they put in place? (Editor's Note: HomeATM's PCI 2.x Certified 3DES DUKPT encryption enabled Internet Point of Sale Device. Don't need training. People already know how to "swipe" their card and "enter" their PIN. They've been doing it for years!)

3. What are some of the fraud schemes they need to guard against? (Editor's Note: Phishing, Keylogging, Counterfeit Cards, Cloned Bank Websites, DNS Hijacking, even Malware to an extent)

I ask one. Why in the heck are we "typing" our credit/debit card numbers into a box on a website?





It's obvious that "typing" is what has "empowered" the fraudsters. Fraudsters focus on "what is typed" (usernames/passwords and PANs) and "THAT" is what they are "swiping!" There is only "ONE" way to prevent them from swiping what we are typing.

STOP (Eliminate)
"TYPING!"...& empower consumers to do their own "swiping."






Does this not make 100% complete sense to everybody reading this?
(if not, please leave a comment)




Again, I say stop trying to "prevent" it. It makes more sense to "eliminate" it. The most common fraud schemes used by the bad guys can be immediately eliminated by "eliminating" typing and replacing it with "swiping." So what threats would swiping eliminate?








Phishing: Phishing is the act of luring consumers into "typing" their username/password or credit/debit card number into a box on a website which looks genuine. There is no way to prevent that if you don't eliminate the act of "typing" to begin with. If financial institution customers were mandated to access their online banking accounts the same way they access their money at ATMs (swipe and enter PIN), phishing would be eliminated.





Keylogging: If consumers stopped "typing" (key stroking) then what good is "keylogging"? Hint: It isn't.



Counterfeit Cards:
If consumers had to "swipe their card" and "enter their PIN" (two factor authentication) then the counterfeit cards being used by fraudsters would be useless (where the fraudster doesn't have the PIN). Most counterfeit cards are enabled to be used online because all the user needs to do is "type" in the Primary Account Number (PAN). If they had to "swipe" the card and "enter the PIN" to conduct an online transaction, financial institutions would virtually eliminate the threat of counterfeit cards.





Cloned Bank Websites: A cloned bank website only works if the user is fooled into "typing" their username/password into the boxes provided by the bank for log-in. If users were instructed to "swipe their card" and "enter their PIN" then the encrypted data would mean nothing to the fraudsters. On the other hand, once they get a hold of your username and password, your bank account would be emptied faster than you can say..."What happened?"







DNS Hijacking:
What good would it do to hijack the DNS of a financial institution if consumers no longer "typed" their PAN or Username/Password into boxes? If consumers "swiped" and "entered their PIN" for log-in, and the encrypted packet was never in the clear, they wouldn't be able to see the information. No see...no phish!


Malware: Even the effects of malware would be vastly reduced. The purpose of malware is to infect the user's PC so that when they visit financial institution websites, the malware can record pertinent information. Again, if users stopped "typing" in that "pertinent" information, it would become...well...impertinent. Right?

I did not view the video below but I did provide my take on what financial institutions can do to eliminate or vastly reduce fraud. I have a difficult time believing there are human beings on the face of this earth who actually think it is "safer to type" than to swipe. But I know they are out there.





I guess the more pertinent question is:
How did it come to be that they all chose to work in the ePayments Industry?








Want to hear what Aite has to say? Click below:





About the speaker:
Nick Holland is a senior analyst at Aite Group. To view the video, click the link below:

http://link.brightcove.com/services/player/bcpid30897864001?bclid=30831326001&bctid=30983831001




Visa, MasterCard Seek Growth Abroad...





Reuters is running a story about how Visa and MC are looking to further penetrate emerging countries.  Makes sense, but it would make even more sense if one of them would step up to the plate and offer a "truly" secure way for consumers to make online purchases.  Debit has overtaken credit, Brick and Mortar is reeling in the wake of the economy...yet eCommerce is still growing.  PIN Debit is the most popular form of payment even though signature debit is being pushed.  So put it all together and what do you have?   A PCI 2.x Certified 3DES DUKPT encrypted solution designed for credit,  debit and PIN debit eCommerce transactions.  How do you get it into the hands of consumers?  Co-op distribution via your financial institutions who would benefit from Secure Two-Factor Authenticated log-on to their online banking sites and eliminate the threat of phishing, cloned bank websites and DNS hijacking.  Now you've got everything you need to put together a real-time bill payment program, secure P2P and B2B real-time money transfer platform and the most secure eCommerce transaction in the business.  Carpe Diem!



NEW YORK (Reuters) - Visa Inc (V.N) and MasterCard Inc (MA.N), the world's largest credit card networks, are counting on foreign markets for the growth that recession-bound U.S. consumers have been unable to provide.



Overseas markets have contributed to the bottom line at both Visa and MasterCard with double digit revenue growth rates in recent years, helped by a shift among consumers worldwide to using plastic where they once used cash and checks.



But foreign markets became truly crucial last year -- sustaining the revenue and earnings of both firms, despite a steep decline in credit card use in the United States -- still by far the largest market for both companies.



In comparison, emerging countries from Mexico to South Korea -- and even economies such as Japan and Germany that are developed, but are underpenetrated by credit and debit cards -- could become the engines of growth ahead.



"In Russia, in Brazil, in the United Arab Emirates, in Taiwan, even in China and Japan, while we see some good activity or strong activity, it's potentially much stronger when those economies start to do better," Visa's Chief Executive Joseph Saunders said in an interview.



"We are very entrenched in every one of those places and we are looking to get a lot more of attraction."



Commerce Commission and Visa Reach Agreement on Interchange Fees



Commerce Commission and Visa reach agreement to settle credit card interchange fee proceedings
Release no 16, Issued 12 August 2009

The Commerce Commission has signed an agreement with the Visa International Service Association and Visa Worldwide Pte Limited (Visa) settling the Commission’s claims against Visa in relation to credit card interchange fees. The Commission’s proceedings allege that the rules of the Visa scheme providing for the payment of multilateral interchange fees, together with related rules, breached the restrictive trade practices provisions of the Commerce Act.

As a result of the agreement, Visa will make changes to the way the Visa scheme rules will apply in New Zealand. Those changes are:


  • Credit card issuers will now be able to individually set the interchange rates that will apply to transactions using their credit cards, subject to maximum rates determined by Visa. These rates will be publicly available.

  • Merchants will no longer be prevented from applying surcharges to payments made by credit cards or by specific types of credit cards. Merchants will also be able to encourage customers to pay by other means.

  • Visa has confirmed that non-bank organisations or companies who might wish to provide acquiring services to merchants are permitted to join the Visa network as acquirers if they meet relevant financial and prudential criteria.

Figure of Flow of Payments in a Credit Card Transaction

“The Commission considers that the agreed changes to the Visa rules will, over time, improve competition between companies that provide credit card services to retailers in New Zealand. Those changes are in the long-term best interests of both New Zealand consumers and retailers,” said Commerce Commission Chair Dr Mark Berry. “The Commission considers that this increased transparency will assist retailers and customers in making decisions about their payment choices.”

“The Commission welcomes Visa’s initiative in approaching the Commission with a forward looking resolution to the competition concerns that the Commission’s claim raised. This has enabled a resolution to be reached which supports the Commerce Act’s goal of promoting competition for the long term benefit of New Zealand consumers,” said Dr Berry. The agreement also reinforces the Commission’s stated approach to resolving issues in the most timely, cost-effective way.

Visa has agreed to contribute NZD 2.6 million towards the Commission’s costs to date in bringing these proceedings.

On the basis of the settlement agreement the Commission will be seeking leave to discontinue its proceedings against Visa in the High Court.

The Commission’s claims against ANZ National Bank Limited, Bank of New Zealand, Westpac New Zealand Limited, ASB Bank Limited, Kiwibank and TSB Bank Limited in relation to interchange fees in the Visa scheme continues, as does its claim against those banks, MasterCard and The Warehouse Financial Services Limited in relation to the MasterCard rules. The Commission’s remaining claims will be heard at the High Court in Auckland in October this year.

The Commission will be making no further comment at this time, due to the remaining claims yet to be heard.

A public version of the settlement agreement can be found attached to this media release on the Commission’s website.

International action on interchange fees. Interchange fees have been scrutinised by many international regulatory agencies. In 2003, the Reserve Bank of Australia moved to regulate the level of interchange fees, reducing the fees over time from 0.95 per cent of transaction value to less than 0.50 per cent. Public and private competition enforcement actions have also been brought in respect of interchange fee arrangements in numerous jurisdictions, including the United States and the UK.



Background


Interchange fees. Each time a New Zealand Visa or MasterCard cardholder makes a purchase, the card accepter (usually a retailer or service provider) pays a fee to their own bank as part of the payment authorisation process. That fee is comprised mainly of the interchange fee, which is paid to the cardholder’s bank.




Visa and MasterCard purchases occur in a four-party card system, which operates as follows:


  • Cardholder purchases goods or services from a merchant;

  • Merchant sends the transaction details to its own bank (acquiring bank);

  • Acquiring bank sends the transaction details to the bank or financial institution that issued the card (card issuing bank);

  • Card issuing bank pays the acquiring bank the retail price of the goods or services less the interchange fee;

  • Acquiring bank pays the merchant the retail price less a merchant service fee;

  • Card issuing bank debits the retail price from the cardholder’s account.




The retailer or service provider that has incurred the interchange fee is not allowed to recover the fee from the cardholder, so must average out the cost of that fee across all of their sales. This increases the cost of every item or service sold by businesses which accept Visa or MasterCard. All customers of those businesses bear that averaged fee, regardless of whether the customer pays by credit card, cash, EFTPOS or another payment method.




Figure of Flow of Payments in a Credit Card Transaction (see top of the page)




Credit card usage in New Zealand. Transactions on New Zealand Visa and MasterCard cards totalled $19 billion in 2004. (NB: This figure covers transactions made anywhere in the world, but the Commission’s action concerns only payments made in New Zealand.) In 2004 there were approximately 2.1 million Visa cards and 900,000 MasterCard cards in use in New Zealand. In 2004 Visa had 61 per cent of the New Zealand credit card billings, and MasterCard had 29 per cent of the market.




Relevant sections of the Commerce Act. The proceedings are brought under sections 27 and 30 of the Commerce Act 1986. Section 27 prohibits contracts, arrangements or understandings that substantially lessen competition. Section 30 prohibits price fixing, which is when people or businesses that are in competition with each other agree to control, fix or maintain the prices for the goods or services that they supply. Price fixing is deemed to substantially lessen competition under section 27 of the Commerce Act.




Penalties. The Commerce Act provides for penalties for price-fixing of up to the higher of $10 million per breach, or either three times the commercial gain resulting from the breach or 10 per cent of a company’s turnover.





HomeATM Can Solve Your PCI Compliance Problem









National Retail Federation Poll: Small Retailers Struggling To Understand PCI

Nearly 86 percent are familiar with PCI, but nearly half can't demonstrate their compliance with the payment card standard




Aug 11, 2009 | 03:46 PM By Kelly Jackson Higgins

DarkReading



First the good news: Most small retailers say they know about the Payment Card Industry's Data Security Standard (PCI DSS). But the bad news is they don't necessarily understand it, nor can many of them prove their compliance with it, a new study by the National Retail Federation (NRF) says.



The big surprise was the high number of small businesses that are aware of PCI -- 86 percent -- and those that say PCI compliance makes them more secure -- 80 percent, according to Heather Foster, vice president of marketing for ControlScan, a PCI compliance vendor that conducted the survey along with the NRF and the PCI Knowledge Base. "A year ago, most of the small businesses we were talking to had never heard of PCI," Foster says. "We were pleasantly surprised with the [level] of awareness out there now."




"One of the first simple steps merchants can take on the road to card data security is to check that they are using a secure payment application or PED terminal that has been validated by an approved laboratory and is listed on our Website," Leach says.






Editor's Note: Which simply means that any merchant who uses our PCI 2.x certified device is good to go. One of the benefits of utilizing the HomeATM PED Terminal is that it costs less than half of its closest competitor AND is encryption enabled. It was designed to encrypt the Track2 data for Zones 1-4 and the PIN is encrypted for Zones 1-5, meaning that the cardholder's data is NEVER in the clear. This "clears" you from the ramifications that may be imposed by PCI.





But there's a gap between small businesses' PCI awareness and their perception of risk, the study found: Among the small merchants who had never suffered a breach, 72 percent said they think their risk of data hack is "low" or "not possible." Small merchants that had experienced data breaches not surprisingly saw things much differently, with 67 percent saying they are at a high or medium risk of attack.



"My biggest concern is that while these merchants [who haven't been breached] are at least making progress thinking that PCI is a good thing to do, they're not thinking they're at risk. They think they're invulnerable," Foster says.



The study, which surveyed 220 small retailers in ecommerce, retail stores, and mail order/telephone order businesses, also found that many of these enterprises are perplexed about PCI when it comes to better understanding it, implementing it, and the cost of complying with it.






"Either make things easier to understand or offer more help for businesses to get compliant," one respondent commented in the survey. Another asked for PCI to have a "better understanding of how much small businesses can afford. Most solutions available are for large businesses and are expensive."











Editor's Note: HomeATM already made it easy. Our "SafeTPIN" would remove your business from the scope of PCI. You would not only be compliant, but you would be compliant at a "fraction of the cost" of other solutions...for more information on how we can do that, email us.



David Hogan, chief information officer for the NRF, says small retailers are understandably overwhelmed with compliance. "Until industry service providers and the PCI Security Standards Council make compliance easier to understand and less complex to implement, many small merchants will likely continue to be frustrated and bewildered, causing some of them to abandon the idea of compliance altogether," Hogan said in a statement.



The PCI Security Standards Council, meanwhile, is working on better educating small retailers about PCI and its implementation, says Troy Leach, technical director of the PCI Security Standards Council. Aside from working with the PCI vendor, payment, and small business community, the PCI Council also offers a priority approach framework, self-assessment questionnaires, and other PCI resources.



"One of the first simple steps merchants can take on the road to card data security is to check that they are using a secure payment application or PED terminal that has been validated by an approved laboratory and is listed on our Website," Leach says.




Retail Payments Risk Forum Collaborate to Fight Payment Fraud




Retail Payments Risk Forum Collaborates to Fight Payments Fraud
 



The Atlanta Federal Reserve Bank’s anti-fraud cooperative is designed to bring together thought leaders in the payments space to improve security.

(from the Portals and Rails Blog) Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.











Collaboration to address payments risks and fraud


In the world of payments, all players share an interest in seeing that risks are detected and mitigated quickly and effectively. However, when threats emerge, is it everyone for themselves? How does the variety of interests and goals among all the players converge? In a private marketplace mixed with government actors, how can we work better together?

Participants at a 2008 conference hosted by the Retail Payments Risk Forum discussed these issues and described the challenges and potential solutions. A year later, the findings of this forum are worth revisiting.




Information sharing

Real or perceived information-sharing limitations among financial institutions, regulators, law enforcement, and others can substantially impede addressing retail payments risks on a timely and effective basis. Examples include inconsistent or incomplete payments data, varying success levels of intra- and interagency collaborations, varied and overlapping jurisdictions, an incomplete network of memoranda of understanding (MOUs), privacy restrictions, perceived barriers beyond legal restrictions, competitive interests, costs, and trust. Suggestions for improvement in this area focused on:

  • collection, consistency, and commonality of payments data, better understanding of its utility, and analysis tools. While data needs vary, a first step would be to focus on data elements of shared interest. A working group could facilitate ongoing payments data compilation and analysis efforts;

  • formal and informal dialogue among various agencies and others, including simple measures such as shared contact lists;

  • development of a “matrix” of various roles/responsibilities/information sources for shared use to facilitate more timely location of information and expertise available; and

  • a more systematic, organized mechanism for information sharing, perhaps by establishing “brokers” for relevant information such as payments data.


Policing bad actors


Many noted that communication about bad actors is often ad hoc and that information is too widely dispersed to be useful and timely. Individual agency efforts, published enforcement actions, SAR filings, interbank collaborations, and industry self-regulatory efforts, while all worthwhile, have not fully promoted effective information gathering and sharing among all the parties who can have an impact. Suggestions for improvement in this area included:

  • better understanding of risks across payment channels, both for front-end access point(s) and back-end processing, to mitigate fraudster arbitrage of vulnerabilities;

  • publishing enforcement actions and related settlements more effectively as a deterrent;

  • establishing a central “negative list” or “watch list” of bad actors;

  • extending registration requirements for third parties participating in payments networks beyond existing targeted voluntary efforts;

  • strengthening and clarifying regulatory guidance, such as that for counterfeit checks and consumer account statements;

  • better educating consumers and banks regarding common issues;

  • a more direct means of compensating victims;

  • mining specific activity reports and other existing agency databases such as consumer complaints data; and

  • potential new SEC codes within ACH to better track risks.


Collaboration

Participants identified collaborative efforts to help detect and/or
mitigate retail payments risk issues and identified benefits and gaps.
Examples included bank regulatory groups (intra- and interagency),
national and regional law enforcement partnerships, interstate
collaboration, federal-state working collaborations, joint
investigative task forces, examination- or case-driven ad hoc efforts, and industry data-sharing efforts. Potential avenues for improved collaborative action included:




  • a law enforcement/regulatory payments fraud working group;

  • a virtual collaborative forum via Web sites, e-mail lists, or regular phone calls;

  • greater attention paid to requests for comments on proposed NACHA rules;

  • examiner and law enforcement training opportunities;

  • participation in and/or support for industry database sharing efforts;

  • engagement with industry groups to improve best practices;

  • a Web-based resource for consumers supported by all (“fraud.gov”);

  • implementation of further MOUs among agencies; and

  • efforts to identify fraud patterns across agencies, such as the federal government’s Eliminating Improper Payments Initiative.


Substantive areas of concern

Participants were asked to describe substantive retail payments risk
issues that keep them up at night. Some common themes emerged,
including:


  • strengthening the oversight of third-party payments processors and others not covered by the Bank Service Company Act;

  • quantifying and better managing the misuse of remotely created checks;

  • understanding and mitigating risks associated with “cross-channel” fraud;


  • “Know Your Customers’ Customer” due diligence, compliance, and
    associated risks and potential liabilities for fraud
    detection/mitigation purposes;

  • establishing a common means of redress for consumers regardless of the payment channel; and

  • improving the clarity of consumer account statements by instituting standards and reducing jargon.


Progress has been made on a number of these ideas in the past year,
including the formation of new working groups and other collaborations.
The Retail Payments Risk Forum continues to explore opportunities and
implement solutions to help foster collaborative action to address
these and other industry concerns. Your input in the form of comments
to Portals and Rails on these or other topics is welcomed!



By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed.







Retail Payments Risk Forum Collaborate to Fight Payment Fraud

Retail Payments Risk Forum Collaborates to Fight Payments Fraud 
The Atlanta Federal Reserve Bank’s anti-fraud cooperative is designed to bring together thought leaders in the payments space to improve security. (from the Portals and Rails Blog)  Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.



