The Evolving Landscape of Payments Security

Slide 1: The Evolving Landscape of Payments Security
TMANY / NYCE, May 31, 2017
Matt Davies, CTP, AAP, CPP, Federal Reserve Bank of Dallas
© 2017 Federal Reserve Banks. Materials are not to be used without consent.

Slide 2: Agenda
- Online Banking
- Same-Day ACH
- EMV Update
- Card Not Present Fraud
- Fed's Secure Payments Task Force
- Declaration Overview

Slide 3: Online Banking Evolution
Citi introduced a mobile app that protects transactions by requiring the user to enroll biometric data: fingerprints, facial recognition and voice authentication. To gain access to your Citi accounts, you say the phrase: "My identity is secure because my voice is my passport, verify me."
BofA credit or debit cardholders can add a card directly to Apple Pay within BofA's mobile banking app.
SOURCES: The Quest to Secure Payments Security, BAI Banking Strategies, April 2017; BofA's mobile plan: A small screen becomes a big channel, by John Adams, AmericanBanker.com, April

Slide 4: Online Banking Evolution
Traditionally: physical tokens.
Citi: a new app allows clients to obtain digital tokens on their own smartphones to generate temporary passcodes, "part of a trend in banking toward developing high-tech services for businesses that mimic the conveniences already enjoyed by consumers without jeopardizing security."
Don't have a smartphone? Get a text or a one-time code via voice call.
Citi's mobile users can also use other security factors, e.g., PIN, swipe and fingerprint ID.
SOURCE: Citi Broadens Mobile Services for Corporate Customers, by Bryan Yurcan, American Banker, March 14, 2017

Slide 5: Same Day ACH: Phased Approach

Functionality                                 | Phase 1 (Sept. 23, 2016)     | Phase 2 (Sept. 15, 2017)     | Phase 3 (Mar. 16, 2018)
Transaction eligibility                       | Credits only                 | Credits and debits           | Credits and debits
  ($25,000 limit per item; IAT not eligible)  |                              |                              |
New ODFI ACH file transmission times          | 10:30 am ET, 2:45 pm ET      | 10:30 am ET, 2:45 pm ET      | 10:30 am ET, 2:45 pm ET
New settlement times                          | 1 pm ET, 5 pm ET             | 1 pm ET, 5 pm ET             | 1 pm ET, 5 pm ET
ACH credit funds availability                 | End of RDFI's processing day | End of RDFI's processing day | 5 pm (RDFI local time)


Slide 7: Same-Day ACH: Future Considerations
Sept. 2017: debits. Banks that offer corporate customers ACH positive pay or debit block services: these customers will now have to accommodate debit pay-or-return decisions multiple times per day.
Increased opportunities for fraud?
Will the $25k item limit remain in place?

Slide 8: EMV Where Are We Now?
[Chart: Number of Visa chip cards (millions), Dec 2015 to Mar 2017]
As of 12/2016: Visa issuers have issued 408.1m chip cards in the U.S. (the chart splits the total into credit cards and debit cards).
SOURCE: Visa.com

Slide 9: EMV Where Are We Now?
[Chart: Merchants accepting chip cards (millions), Dec 2015 to Mar 2017]
As of 12/2016: 1.81m merchants now accept chip cards; 39% of US storefronts accept chip cards; 82% are SMBs; a 135% increase in the last year.
SOURCES: Visa Reports More Than 800m U.S. EMV Transactions in Nov., by Jim Daly, Digital Transactions News, Dec. 23, 2016; VISA.com

Slide 10: Visa: EMV by the Numbers
March 2017: 58% of all U.S. Visa cards are chip cards.
March 2016: consumers made 303.3m Visa chip card transactions.
March 2017: consumers made 1b Visa chip card transactions.
Counterfeit fraud decreased 58%, December compared with December a year earlier.
SOURCE: Tripling in One Year, Visa Chip Card Transactions Surpass 1b in March, by Kevin Woodward, Digital Transactions News, April 21


Slide 12: EMV Liability Shifts
POS liability shift: Oct. 1, 2015 (COMPLETE)
ATM liability shift: MasterCard: Oct. 1, 2016 (COMPLETE); Visa: Oct. 1, 2017
Fuel-selling merchants: Oct. 1, 2020 (DELAYED from 2017). Converting each pump to EMV: estimated $6,000 to $10,000.
Online liability shift? ???
SOURCE: EMV's Delay at the Pump Could Greatly Improve Security, by David Heun, PaymentsSource, Dec 1

Slide 13: April 2017: about 60% of ATMs can now accept EMV cards.
SOURCES: EMV at the ATM: By the Numbers Infographic, by Tim Schafer and Natasha Chilingerian, CU Times Magazine, Sept. 23, 2016; U.S. ATM EMV Conversion Well Past Halfway Point, Halfway Between Network Liability Shifts, by Jim Daly, Digital Transactions News, April 18

Slide 14: Evolution at ATMs: Cardless Cash
3/27: Wells Fargo became the first major U.S. bank to offer a card-free option at all of its ATMs (13,000 of them):
1. The customer downloads and logs into the Wells Fargo app on her smartphone.
2. She requests an 8-digit code, which she types into an ATM instead of inserting her debit card.
3. She enters her PIN.
The 8-digit code expires in 30 minutes.

Slide 15: Evolution at ATMs: Cardless Cash
Alternate "flavor": other FIs offering cardless ATM withdrawals have the app display a QR code, which is scanned by a reader on the ATM.
Pre-staging cash withdrawals to combat fraud: the phone is used in place of the debit card, so skimmers and shimmers on the card slot never see card data.
546% increase in ATM skimming attacks from 2014 to 2015 (FICO ATM Fraud Study)
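The pre-staged withdrawal flow on slides 14 and 15 (app issues an 8-digit code, ATM accepts code plus PIN, code dies after 30 minutes) is easy to describe and easy to get wrong. The block below is an added example written for this page; it is not Wells Fargo's implementation or any vendor's code. It assumes a hypothetical core-banking callback `verify_pin(account_id, pin)` and a server-side secret `index_key`, and it adds the checks a practitioner would insist on: the code is stored only as a keyed hash, it is single-use, it expires, and a few wrong PINs burn it rather than letting an attacker who found a code brute-force the PIN.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Parameters taken from the Wells Fargo flow on the slides: an 8-digit code
# that expires 30 minutes after it is requested. MAX_PIN_ATTEMPTS is an assumption.
CODE_DIGITS = 8
CODE_TTL_SECONDS = 30 * 60
MAX_PIN_ATTEMPTS = 3


@dataclass
class StagedWithdrawal:
    account_id: str
    amount_cents: int
    expires_at: float
    used: bool = False
    pin_failures: int = 0


class CardlessWithdrawalService:
    """Hypothetical issuer-side service (not a bank's real implementation).

    request_code() is called by the mobile app after the customer logs in;
    redeem() is called by the ATM with what the customer typed.
    """

    def __init__(self, verify_pin, index_key: bytes):
        # verify_pin(account_id, pin) -> bool is assumed to exist in the core
        # banking system; index_key is a server-side secret so the staged-code
        # table never holds the code in the clear.
        self._verify_pin = verify_pin
        self._index_key = index_key
        self._staged = {}  # HMAC(index_key, code) -> StagedWithdrawal

    def _index(self, code: str) -> bytes:
        return hmac.new(self._index_key, code.encode(), hashlib.sha256).digest()

    def request_code(self, account_id: str, amount_cents: int, now=None) -> str:
        now = time.time() if now is None else now
        while True:
            # secrets gives an unpredictable code; zero-pad so it is always 8 digits
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            key = self._index(code)
            if key not in self._staged:   # never hand out a code that is still live
                break
        self._staged[key] = StagedWithdrawal(account_id, amount_cents, now + CODE_TTL_SECONDS)
        return code

    def redeem(self, code: str, pin: str, now=None):
        """Return (status, account_id, amount_cents); account/amount only on "ok"."""
        now = time.time() if now is None else now
        key = self._index(code)
        staged = self._staged.get(key)
        if staged is None:
            return ("unknown_code", None, None)
        if staged.used:
            return ("already_used", None, None)   # replayed code
        if now > staged.expires_at:
            del self._staged[key]                 # the 30-minute window has passed
            return ("expired", None, None)
        if not self._verify_pin(staged.account_id, pin):
            staged.pin_failures += 1
            if staged.pin_failures >= MAX_PIN_ATTEMPTS:
                del self._staged[key]             # burn the code instead of allowing PIN guessing
                return ("locked", None, None)
            return ("bad_pin", None, None)
        staged.used = True                        # single use
        return ("ok", staged.account_id, staged.amount_cents)


# --- constructed demo data, not real customer data; a real issuer keeps PINs in an HSM ---
_PIN_HASHES = {"acct-1001": hashlib.sha256(b"4321").digest()}


def demo_verify_pin(account_id: str, pin: str) -> bool:
    stored = _PIN_HASHES.get(account_id)
    return stored is not None and hmac.compare_digest(stored, hashlib.sha256(pin.encode()).digest())


def run_demo() -> dict:
    svc = CardlessWithdrawalService(demo_verify_pin, index_key=secrets.token_bytes(32))
    t0 = 1_700_000_000.0
    code = svc.request_code("acct-1001", 4000, now=t0)           # app: stage a $40 withdrawal
    wrong = svc.redeem(code, "0000", now=t0 + 60)[0]             # ATM: wrong PIN
    ok = svc.redeem(code, "4321", now=t0 + 60)                   # ATM: correct PIN
    replay = svc.redeem(code, "4321", now=t0 + 120)[0]           # the same code again
    late_code = svc.request_code("acct-1001", 2000, now=t0)
    late = svc.redeem(late_code, "4321", now=t0 + CODE_TTL_SECONDS + 1)[0]
    return {"code_len": len(code), "wrong": wrong, "ok": ok, "replay": replay, "late": late}


if __name__ == "__main__":
    print(run_demo())
```

The 8-digit code alone is only 10^8 possibilities, so the security of the flow rests on the short lifetime, the single-use rule, the PIN as a second factor and the attempt counter, not on the code being unguessable; the HMAC index only keeps a database dump from exposing live codes.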

Slide 16: Farewell to the Mag Stripe?
The mag stripe is still used as a backup on an EMV chip card.
As part of its migration to EMV, Target is making all of its retail cards chip-and-PIN and removing the mag stripe from its debit and store-only credit cards (REDcards).
FRB Boston, Getting Ahead of the Curve: Assessing CNP Fraud in the Mobile Payments Environment. Conclusion: 6 recommendations, including development of a strategy to eliminate the backup mag stripes on EMV chip cards in 3-5 years.
SOURCE: Getting Ahead of the Curve: Assessing Card-Not-Present Fraud in the Mobile Payments Environment, Federal Reserve Banks of Boston and Atlanta, Nov. 10, 2016

Slide 17: Evolution at ATMs: Windows
Most ATMs currently run Microsoft's Windows 7. In Jan. 2020 Microsoft will discontinue support for Windows 7 and will no longer provide patches for Windows 7 security flaws. Solution: deployers move to Windows 10.
Lower-end cash dispensers run Windows CE; in 2023 Microsoft will discontinue support for Windows CE.
SOURCE: Nonstop Upgrades, by Jim Daly, Digital Transactions, May 2017

Slide 18: Combatting Rising CNP Fraud
- Increasing number of FIs offering fraud alerts / card controls
- 3DSecure
- Online liability shift?
- PIN debit on the Web (e.g., Acculynk)
- Biometric authentication, e.g., Apple Pay on the Web

Slide 19: Fraud Alerts / Card Controls
Trend: deputizing the customer/member.
Fraud alerts (during the online experience).
Card controls, e.g., Ally Bank's Card Controls app:
- On/off feature
- Ability to set weekly or monthly spending limits
- Location awareness: the card can be made operable only in a specific region or when active near the owner's smartphone
- Ability to choose specific merchant types or disable online shopping
SOURCE: Ally Bank Marries Mobile App to Plastic Card Controls, by David Heun, PaymentsSource, March 3
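Card controls of the kind listed on slide 19 are only useful if the issuer's authorization host actually evaluates them on every transaction. The block below is an added example, not Ally Bank's or any vendor's code, of an authorization-time rules check covering all four control types on the slide: on/off, rolling-weekly and calendar-month spending caps, region and phone-proximity restrictions, and merchant-type or card-not-present blocks. The `CardControls` and `Transaction` schemas, the region codes and the merchant category codes in the demo are assumptions; the history and transactions are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class CardControls:
    """Cardholder-set controls mirroring the slide's list (hypothetical schema)."""
    enabled: bool = True                         # on/off switch
    weekly_limit_cents: Optional[int] = None     # rolling 7-day spending cap
    monthly_limit_cents: Optional[int] = None    # calendar-month spending cap
    allowed_regions: Optional[set] = None        # e.g. {"US-TX"}; None = anywhere
    require_phone_nearby: bool = False           # card usable only near the owner's phone
    allowed_mccs: Optional[set] = None           # merchant category codes; None = any
    online_allowed: bool = True                  # False disables card-not-present use


@dataclass
class Transaction:
    amount_cents: int
    when: datetime
    region: str                 # region of the merchant terminal
    mcc: str                    # merchant category code, e.g. "5411" grocery
    card_not_present: bool
    phone_nearby: bool          # issuer's geofence check between phone and terminal


def evaluate(controls: CardControls, tx: Transaction, approved_history: list) -> tuple:
    """Return ("approve", []) or ("decline", [reasons]).

    approved_history holds this cardholder's previously approved Transactions.
    Every control is checked so a decline lists all reasons, not just the first.
    """
    reasons = []
    if not controls.enabled:
        reasons.append("card_switched_off")
    if tx.card_not_present and not controls.online_allowed:
        reasons.append("online_purchases_disabled")
    if controls.allowed_regions is not None and tx.region not in controls.allowed_regions:
        reasons.append("outside_allowed_region")
    # Phone proximity only makes sense at a physical terminal, so skip it for CNP.
    if controls.require_phone_nearby and not tx.card_not_present and not tx.phone_nearby:
        reasons.append("phone_not_near_terminal")
    if controls.allowed_mccs is not None and tx.mcc not in controls.allowed_mccs:
        reasons.append("merchant_type_not_allowed")
    if controls.weekly_limit_cents is not None:
        window_start = tx.when - timedelta(days=7)
        spent = sum(t.amount_cents for t in approved_history if window_start < t.when <= tx.when)
        if spent + tx.amount_cents > controls.weekly_limit_cents:
            reasons.append("weekly_limit_exceeded")
    if controls.monthly_limit_cents is not None:
        spent = sum(t.amount_cents for t in approved_history
                    if (t.when.year, t.when.month) == (tx.when.year, tx.when.month)
                    and t.when <= tx.when)
        if spent + tx.amount_cents > controls.monthly_limit_cents:
            reasons.append("monthly_limit_exceeded")
    return ("approve", []) if not reasons else ("decline", reasons)


def run_demo() -> dict:
    """Constructed sample: a Texas cardholder with a $500/week cap who has disabled online shopping."""
    controls = CardControls(weekly_limit_cents=50_000, allowed_regions={"US-TX"},
                            require_phone_nearby=True, online_allowed=False)
    history = [  # $420 of groceries approved two days earlier
        Transaction(42_000, datetime(2017, 5, 29, 9, 0), "US-TX", "5411", False, True),
    ]
    grocery = Transaction(6_000, datetime(2017, 5, 31, 18, 0), "US-TX", "5411", False, True)
    big_ticket = Transaction(12_000, datetime(2017, 5, 31, 19, 0), "US-TX", "5732", False, True)
    out_of_state_online = Transaction(2_500, datetime(2017, 5, 31, 20, 0), "US-NY", "5999", True, False)
    next_week = Transaction(12_000, datetime(2017, 6, 6, 12, 0), "US-TX", "5732", False, True)
    return {
        "grocery": evaluate(controls, grocery, history),
        "big_ticket": evaluate(controls, big_ticket, history),
        "out_of_state_online": evaluate(controls, out_of_state_online, history),
        "after_window": evaluate(controls, next_week, history),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(name, decision)
```

Returning every failed control rather than the first one matters for the "deputized customer": the alert the app pushes can tell the cardholder exactly which of their own settings blocked the purchase.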

Slide 20: Three Domain Secure (3DSecure)
Visa created Three Domain Secure ("3DSecure") circa 2000. Branded as:
- Verified by Visa
- MasterCard SecureCode
- AmEx SafeKey
- Discover ProtectBuy

Slide 21: 3DSecure
Original offering: the cardholder is prompted to enter a password in a pop-up window when checking out on a retailer's Web site.
Upside for retailers: shifted the liability for a chargeback from the retailer to the bank.
Downside: friction. Consumers don't like being asked for more information. Pop-up window: could this be a potential phishing attack? A first-time user is prompted to enroll in the service at checkout if not already enrolled.
Result: high abandonment rate; low merchant uptake.

Slide 22: 3DSecure
Visa turned over the spec to EMVCo. Oct. 2016: EMVCo released EMV 3-D Secure Protocol and Core Functions Specification v2.0.0.
- In addition to browser-based e-commerce channels, also supports app-based purchases on smartphones and other mobile devices
- Specifies multiple options for step-up authentication (e.g., one-time passcodes, biometrics via out-of-band authentication)
- Improves the consumer experience: enables intelligent risk-based decisioning to encourage frictionless consumer authentication
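The "risk-based decisioning" on slide 22 is what lets an issuer's access control server answer most 3-D Secure 2.0 requests without a challenge and reserve step-up for the risky ones. The block below is an added illustration written for this page; it is not EMVCo's specification, which defines the message formats but not the scoring, and not any issuer's rules. The request fields, the weights and the thresholds are all assumptions chosen to show the shape of such a decision: signals are scored, low scores pass frictionlessly, high scores are declined, and the middle band is challenged with a method suited to the channel (out-of-band biometric for app traffic, a one-time passcode for browser traffic).

```python
from dataclasses import dataclass


@dataclass
class AuthenticationRequest:
    """Subset of the data an issuer's ACS receives in an EMV 3DS request (illustrative fields)."""
    amount_cents: int
    typical_amount_cents: int     # issuer's own view of this cardholder's usual ticket size
    device_recognized: bool       # device identifier seen before for this cardholder
    ip_country: str
    billing_country: str
    shipping_country: str
    attempts_last_24h: int        # authentication attempts on this card in the last day
    channel: str                  # "browser" or "app" (both carried by 3DS 2.0)


def risk_score(req: AuthenticationRequest) -> int:
    """Additive risk score; the weights are illustrative assumptions, not EMVCo-defined."""
    score = 0
    if not req.device_recognized:
        score += 30
    if req.ip_country != req.billing_country:
        score += 25
    if req.shipping_country != req.billing_country:
        score += 20
    if req.amount_cents > 3 * req.typical_amount_cents:
        score += 25
    if req.attempts_last_24h >= 3:
        score += 30            # velocity: card is being tried repeatedly
    return score


def decide(req: AuthenticationRequest, challenge_at: int = 40, decline_at: int = 90) -> tuple:
    """Return (outcome, challenge_method).

    outcome is "frictionless" (authenticate silently), "challenge" (step-up) or
    "decline"; challenge_method is None unless a step-up is needed.
    """
    score = risk_score(req)
    if score >= decline_at:
        return ("decline", None)
    if score < challenge_at:
        return ("frictionless", None)
    # Step-up: 3DS 2.0 allows OTP or out-of-band methods. On the app channel an
    # out-of-band push confirmed with a biometric avoids the old password pop-up.
    method = "oob_biometric" if req.channel == "app" else "otp_sms"
    return ("challenge", method)


def run_demo() -> dict:
    """Constructed requests covering each outcome."""
    returning = AuthenticationRequest(4_500, 5_000, True, "US", "US", "US", 0, "browser")
    new_phone = AuthenticationRequest(9_000, 5_000, False, "US", "US", "CA", 0, "app")
    roaming = AuthenticationRequest(7_000, 5_000, False, "DE", "US", "US", 1, "browser")
    card_testing = AuthenticationRequest(40_000, 5_000, False, "NG", "US", "NG", 4, "browser")
    return {
        "returning": decide(returning),
        "new_phone": decide(new_phone),
        "roaming": decide(roaming),
        "card_testing": decide(card_testing),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(name, decision)
```

The thresholds are the issuer's tuning knob: lowering `challenge_at` trades abandonment (the slide-21 problem) for fraud losses, and under the liability-shift rules an authenticated or attempted challenge is what moves the chargeback to the issuer.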

Slide 23: 3DSecure Liability Shift?
Oct. 14, 2016: Discover implemented a liability shift for disputed CNP transactions for merchants participating in ProtectBuy. Issuers will be held responsible for fraudulent CNP transactions if the merchant is a certified ProtectBuy user and has submitted or obtained an authenticated or attempted ProtectBuy response from the issuer.
Discover now enrolls all its cardholders in ProtectBuy. Issuers can challenge cardholders on suspicious transactions by sending a one-time password to confirm the transaction.

Slide 24: PIN Debit on the Web, e.g., Acculynk's PaySecure
Allows buyers to use PIN-debit cards when purchasing on the Web using laptops or smartphones. A floating PIN pad displays on screen; to prevent keylogging, the numerical arrangement on the PIN pad varies each time a key is pressed.
Acculynk has connections to several debit networks, e.g., Accel/Exchange [Fiserv], NYCE, Shazam, Star [First Data].
PIN debit on the Web has been a slow grind over the years, but in 3/2017 First Data agreed to acquire Acculynk.
SOURCE: First Data Agrees to Acquire Acculynk, a Pioneer in PIN Debit for Web-Based Transactions, by John Stewart, Digital Transactions News, March 16, 2017

Slide 25: Screenshot from Acculynk's demo.
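The floating PIN pad on slide 24 works because the browser never transmits digits, only the screen position the user clicked, and because the server, not the page, chooses a fresh layout before every key press and remembers which layout was on screen for each click. The block below is an added example of that mechanism written for this page; it is not Acculynk's code and makes no claim about how PaySecure is built. The session store, the `FloatingPinPadServer` API and the simulated browser are assumptions; the PIN is constructed demo data.

```python
import secrets
from dataclasses import dataclass, field

DIGITS = "0123456789"


@dataclass
class PinPadSession:
    layouts: list = field(default_factory=list)    # layout i was on screen for key press i
    positions: list = field(default_factory=list)  # position the client reported for press i


class FloatingPinPadServer:
    """Server side of a floating PIN pad (hypothetical; not Acculynk's implementation).

    A fresh random layout is issued before every key press and kept per session;
    the browser reports only the position that was clicked, never the digit.
    """

    def __init__(self, rng=None):
        self._rng = rng or secrets.SystemRandom()   # CSPRNG-backed shuffles
        self._sessions = {}

    def _issue_layout(self, session: PinPadSession) -> list:
        layout = list(DIGITS)
        self._rng.shuffle(layout)          # layout[position] == digit drawn at that position
        session.layouts.append(layout)
        return layout

    def start(self, session_id: str) -> list:
        session = PinPadSession()
        self._sessions[session_id] = session
        return self._issue_layout(session)

    def key_pressed(self, session_id: str, position: int) -> list:
        """Record a click and return the next layout (the pad rearranges after each press)."""
        if not 0 <= position < len(DIGITS):
            raise ValueError("position out of range")
        session = self._sessions[session_id]
        session.positions.append(position)
        return self._issue_layout(session)

    def recover_pin(self, session_id: str) -> str:
        """Map each recorded position back through the layout shown at that moment."""
        session = self._sessions.pop(session_id)   # one-shot: layouts are never reused
        return "".join(session.layouts[i][pos] for i, pos in enumerate(session.positions))


def browser_enters_pin(server: FloatingPinPadServer, session_id: str, pin: str) -> list:
    """Simulated client. Returns what a logger on the client would capture: positions only."""
    layout = server.start(session_id)
    captured = []
    for digit in pin:
        position = layout.index(digit)      # the user clicks wherever the digit currently sits
        captured.append(position)
        layout = server.key_pressed(session_id, position)
    return captured


def run_demo(pin: str = "2580") -> dict:
    """Constructed demo: the same PIN entered in two separate sessions."""
    server = FloatingPinPadServer()
    captured_1 = browser_enters_pin(server, "s1", pin)
    recovered_1 = server.recover_pin("s1")
    captured_2 = browser_enters_pin(server, "s2", pin)
    recovered_2 = server.recover_pin("s2")
    return {
        "recovered": (recovered_1, recovered_2),
        "captured": (captured_1, captured_2),
        "sessions_purged": "s1" not in server._sessions and "s2" not in server._sessions,
    }


if __name__ == "__main__":
    print(run_demo())
```

The caveat a practitioner should keep in mind: this defeats a logger that records keystrokes or click coordinates, because positions alone are meaningless without the layouts, but it does nothing against malware that also captures the screen or the page DOM at each click, and the layouts themselves must be delivered over TLS and discarded once the session ends.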

Slide 26: Strategies for Improving the U.S. Payment System
- Stakeholder Engagement
- Faster Payments
- Payment Security
- Payment Efficiency
- Enhanced Federal Reserve Services

Slide 27: Strategy 3: Payment Security
Reduce fraud risk and advance the safety, security and resiliency of the payment system.

Slide 28: Current Task Force Participants
Secure Payments Task Force: 170 participants (as of December 2016), by segment as charted:
- Large FI, 8%
- Govt End-User, 5%
- Medium FI, 11%
- Consumer Interest, 1%
- Non-Bank Providers, 32%
- Business End-User, 4%
- Small FI, 13%
- Other Stakeholders, 33%
Task force registration remains open to all interested.

Slide 29: Mission and Objectives of the Secure Payments Task Force
Mission: provide a forum for stakeholders to advise the Fed in its leader/catalyst and operator roles on payment security matters, and identify and promote actions that can be taken by payment system participants collectively and/or by the Federal Reserve System.
Objectives:
- Determine areas of focus for payment security and priorities for action
- Advise the Fed on payment security matters
- Coordinate with the Faster Payments Task Force

Slide 30: Payment Security Focus Areas
Activities that supported identification of areas of focus: segment calls, polling, surveys, steering committee meetings, task force meetings.
Areas of focus and priorities for action were determined by considering viability and potential impact.

Slide 31: Secure Payments Task Force Areas of Focus
- Payment Identity Management: identification and adoption of payment identity management practices to mitigate existing and anticipated fraud vectors
- Information Sharing for the Mitigation of Payment Risk / Fraud: payments industry fraud and risk data can be interpreted and acted upon by industry participants
- Data Protection: identification and adoption of frameworks / methodologies for protecting sensitive payment data at rest and in transit
- Law and Regulation Coordination: identify opportunities for more consistent interpretation and application of payment laws and regulations to enhance payments system security
- Standards Assessment Team

Slide 32: Value to the Industry: Resources Expected to be Released throughout

Slide 33: 85% of Survey Respondents Confirmed that Work Group Efforts and Solutions will Bring Value to the Payments Industry
Work groups: Payment Identity Management; Information Sharing for the Mitigation of Payments Risk / Fraud; Data Protection.
Tackling today's security challenges will require the commitment of all payment system participants.

Slide 34: Payment Use Cases: Serve as an Educational Reference Guide for Payments and Security Practitioners
Payment types covered: ACH, Card PIN, Card Signature, Card-Not-Present, Check, Wire, Wallet, Contactless.
For each payment type: payment flows, controls, sensitive data, risks, applicable standards.
Draft released for stakeholder comment: April 2017

Slide 35: Payment Security Framework: Contains practical, risk-based guidance and advice on payment identity management and data protection practices
- Payment Security Principles
- Baseline Security Requirements
- Recommended Security Requirements
- Stakeholder Perspectives
- Look Forward on Payment Security
Draft released for stakeholder comment: Mid

Slide 36: Information Sharing Data Sources: Designed to improve awareness and implementation of inclusive cybersecurity and fraud information sharing
- List of known information sharing data sources
- Relevant data sources across payment types and payment system participants
- Data sources categorized as freely available, subscription-based or proprietary
Draft released for stakeholder comment: April

Slide 37: Standard Fraud Reporting Requirements: Creates a structure to standardize fraud metrics and reporting by payment type across the industry
- Enhancements to existing reports
- Standard fraud reporting proposal
Draft released for stakeholder comment: Mid

Slide 38: Join the Community at FedPaymentsImprovement.org!
Receive information on task forces and work groups, invitations to live/virtual events, surveys and other online feedback.