Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
May 2, 2022
Taking the Long View: A Visit with Retail Payments Risk Forum Founder Rich Oliver
Rich Oliver, the founder of our Retail Payments Risk Forum (RPRF), paid a visit to our team recently and shared his vision when creating the forum, the challenges facing the payments industry, and the future direction our team could consider as the payments landscape continues to evolve.
In addition to founding our RPRF, Rich's payments expertise goes back to the 1970s when he led the effort to utilize the fledgling US Automated Clearing House (ACH) system to electronically deliver the first government payrolls and social security payments.
Drawing on his expertise, Rich wrote a book with George Warfel Jr. about the payments industry, The Story of Payments: How The Industrialization of Trust Created the Modern Payments System, that "tells the story of how payments—between people, merchants, employers, and governments—emerged from the ancient system of barter and grew, through various technological implementations ranging from coins and paper money to checks, wire transfers, and credit cards, to today's entirely electronic local and international payment systems."
In a wide-ranging conversation about the history of payments and Rich's role in many areas with the Fed, each of us in the RPRF took away some highlights to share with you.
Scarlett Heinbuch: Rich reminded us of the need to be bold in our thinking about the future of payments. We discussed advances in biometrics and how these initiatives could address identity and security concerns and make payments easier for all while also presenting other risks and challenges.
Nancy Donahue: One comment that made me go "hmm" was: "Do we have too many retail payments products that are trying to solve the same problem? Do they all make money? Do they all need to?"
Catherine Thaliath: What resonated with me was when Rich talked about potential risks of Buy Now Pay Later (BNPL). While viewed as a credit offering, it is nevertheless using a payment instrument in ways not previously done.
Claire Greene: "When it comes to product design, you can't assume you know what someone wants without doing the work." This was a humble statement from an innovator that applied in the 1970s and remains relevant today.
Dave Lott: Rich discussed the evolution of the current consumer banking product market where many of the explicit services (on-us ATMs, online banking, mobile banking, pay wallets, etc.) are provided free of charge.
Sally Martin: It resounded with me how much collaboration went on with the payments players in the industry. Also, the amount of time spent brainstorming on what the needs were and how to fill them, and in moving toward new offerings rather than replays of existing products. Rich's talk focused on moving into new territory—he was "agile" before it was cool.
Jessica Washington: We still need to collaborate on fraud mitigation at the strategic level. In the United States, we implemented chip credit cards but not so much chip-and-PIN, plus we still have the magstripe, which is a major source of weakness, and we still have much work to do on card-not-present transactions.
As the RPRF founder, Rich challenged each of us to remember its mission: to be a source for non-biased thought leadership, to do original research, challenge norms, and push the envelope to move the payment system forward. Sometimes looking back at history can bring the future into sharper focus, which is what our chat with Rich did for us. As you look to the future of payments and payments risk, what stands out to you?
By the Retail Payments Risk Forum Team: Jessica Washington, Dave Lott, Scarlett Heinbuch, Claire Greene, Nancy Donahue, Catherine Thaliath, and Sally Martin.
March 14, 2022
Thumbs Up: Smartphone Apps versus Websites
Sitting in front of my computer, I recently picked up my smartphone and unlocked my banking app with my thumbprint to see if a check I had written had cleared my account. Before going any further, let me acknowledge that, yes, this payment professional still writes checks every now and again! I learned the check had cleared, logged off the app, and resumed my day in front of my computer. This got me thinking about a change in my behavior that has occurred over time. Even when I am right in front of my computer, I find myself using my smartphone apps almost exclusively instead of visiting the full-function websites from my laptop or desk computer. Why?
The answer is simple: ease of access. I can get to my information through apps on my smartphone using just my thumbprint, but accessing that same information from my computer through a website requires me to remember and type in my username and password. In fact, every app on my smartphone that requires a log-in allows me to authenticate using my thumbprint. Truthfully, I’m not so good at remembering my passwords even using the methods I teach others to use: create difficult yet supposedly easy-to-remember passwords. Perhaps this is why password managers remain so popular. I continue to hold out from using a password manager with hopes that biometric authentication will become more common on websites and remembering passwords will be a thing of the past (except when biometric authentication fails). If smartphone apps authenticate me with my fingerprint or face, then why don’t websites do that when my laptop has a fingerprint reader and camera just as smartphones do?
While the same biometric functionality is currently available on my computer, the main barrier is that websites struggle to support and accept biometric validation due to different implementations across various web browsers and operating systems. Several organizations and standards bodies are considering this issue. The FIDO (Fast Identity Online) Alliance was formed in 2013 to produce stronger authentication standards and reduce password reliance. The FIDO2 Project, a joint effort between FIDO and the World Wide Web Consortium (W3C), released specifications in 2019 for W3C’s Web Authentication (WebAuthn) product that allows a website to use the FIDO authentication through a standard API implemented in a browser using public key cryptography and biometric authentication. Unfortunately, its uptake has been slow primarily because of the inconsistent user experience from website to website.
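To make the public key approach behind WebAuthn concrete, here is a simplified sketch of what a website checks when a login response arrives. It is an added example, not code from the blog or from the FIDO specifications: the site name `bank.example`, the helper names, and the software stand-in for the device authenticator are assumptions, and real deployments also parse attestation and track signature counters.

```javascript
// Added example: relying-party checks on a WebAuthn-style assertion (simplified).
const crypto = require('crypto');

const RP_ID = 'bank.example';            // assumption: hypothetical site
const ORIGIN = 'https://bank.example';
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Constructed stand-in for the device authenticator: after a local biometric
// match it signs authenticatorData || SHA-256(clientDataJSON) with a private
// key that never leaves the device.
function signAssertion(privateKey, challenge, origin, userVerified) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const flags = 0x01 | (userVerified ? 0x04 : 0);   // UP bit, UV bit
  const counter = Buffer.alloc(4); counter.writeUInt32BE(1);
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([flags]), counter]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Website-side verification: returns 'ok' or the reason for rejection.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  const flags = a.authenticatorData[32];
  if (!(flags & 0x01)) return 'user not present';
  if (!(flags & 0x04)) return 'user not verified';   // site policy: require biometric/PIN
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Registration: the site stores only the public key, no password or fingerprint.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const challenge = crypto.randomBytes(32);      // fresh random value per login attempt
const assertion = signAssertion(privateKey, challenge, ORIGIN, true);
console.log(verifyAssertion(publicKey, challenge, assertion));
```

Because the signed data binds the site's origin and a one-time challenge, a response captured on a look-alike domain or replayed later fails these checks, which is the property a typed password cannot offer.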
I should note that biometric authentication for apps on phones has not necessarily eliminated passwords, though it certainly feels like it, at least until the biometric authentication fails. Rather, biometrics serve as an alternative method of accessing the app’s username and password combination. The fingerprint and facial recognition is a template algorithm stored in a highly secure location on our phones. When an app requests my thumbprint and the stored algorithm confirms a match, the equivalent of a password manager opens on my phone and I am authenticated.
Is the end drawing any closer for manually entering online passwords, and are you looking forward to that day? Taking it further, will the day ever come when passwords are eliminated? Personally, I hope so and am very much looking forward to that day. If it doesn’t happen, then, based on my own habits, the days of visiting my financial institution’s website and others’ sites might be altogether forgotten.
February 28, 2022
5G and 3DS: A Perfect Pair?
Not that long ago, when you heard the term "5G," you would probably mentally translate it to "five grand" or "five thousand dollars." Today, 5G refers to the fifth generation of mobile network wireless communications technology. Network operators promise that 5G technology will deliver much faster data transmission speeds, lower latency, and greater signal reliability, which consumers may not truly realize on the mobile front for several years as operators upgrade their cell tower networks. But are there benefits on the payments side we're likely to see?
My colleague Doug King first raised this question in a Take On Payments post in September 2018, when the industry thought 5G was on the cusp of becoming a reality. While the pandemic and regulatory concerns about security and safety have slowed implementation, it is now underway.
We have also previously written about the evolution of 3DS (short for "three-domain secure"), which was developed in 2000 to improve the authentication of a legitimate consumer's payment transaction with a merchant. The first version of 3DS was unsuccessful in the United States for a variety of reasons centered on poor consumer experiences that resulted in high shopping cart abandonment rates. However, as the share of digital transactions of overall retail sales continued to grow, the payments industry knew that new tools were needed to combat increasing fraud.
Recognizing that the 3DS process needed an overhaul to meet consumer, issuer, and merchant requirements, EMVCo released EMV 3DS 2.0 specifications in 2016. While this version results in a more complex transaction and was slow to gain traction in the marketplace until recently, its strength relies on the merchant's ability to send additional data to the payment card issuer. This additional information includes transaction, method of payment, and payment device information and is intended to help the issuer to run fraud mitigation tools more effectively, better detecting the fraudulent transactions and not denying the legitimate ones. The issuer, if still concerned about a transaction's legitimacy, can perform stepped-up authorization with the customer, including out-of-band confirmations. An out-of-band confirmation is authentication occurring on a different channel than the one initiating the transaction, such as when a banking app sends an email or text with a password the customer must enter in the app to carry out the transaction. A recent report indicates that 10 percent or less of transactions require this stepped-up authorization, and merchant adoption increased 50 percent during Q4 2021 compared to Q4 2020.
So how will 5G and 3DS work together? Transmitting and handling payment authorization messages with the additional data the EMV 3DS 2.0 specifications require can increase transaction time. Slow response time (latency) is a major factor in a consumer abandoning a shopping cart and the merchant losing a sale. The mobile network benefits of 5G will be realized over time, but many operators have already begun to support local 5G networks for small to mid-sized businesses requiring fast data speeds.
Such networks will allow these businesses to handle the additional message data, as well as additional payment devices, while providing better service levels. While the GSMA (Global Systems for Mobile Communications Association) estimates it will take until 2025 before half of the mobile communications in North America will be on a 5G network, the uptake in the United States is expected to be faster.
I believe that the further adoption of EMV 3DS will be enhanced with the continued implementation of 5G technology in the United States. We will continue to monitor both technologies as well as when their expected benefits start to come about.
July 6, 2021
Think Like a Genius for Payments Innovation
Ron Klein filed the patent for the magnetic strip used on credit cards in 1966, and it was awarded in 1969. His invention revolutionized the payments industry, increased efficiency, and reduced fraud. I was fortunate to meet Ron, known as "The Grandfather of Possibilities," at an entrepreneur's conference several years ago. Being in the payments world, I wanted to know how he got the idea for the magnetic strip that is still on the back of credit and debit cards today.
Ron, an engineer by training, said department stores came to him with two problems. It took too long for customers to make charge purchases, and the burden of proof was on the merchant. For example, prior to the magnetic strip and online authorizations, the customer's name and account number were embossed on credit cards. Lost, stolen, canceled or past due accounts were listed in a monthly printed bulletin sent to merchants. Clerks at the point of sale waded through thousands of numbers to see if the card was not listed, and therefore acceptable. A merchant accepting a card listed in the bulletin was liable for the transaction.
Ron's first solution: He compiled the monthly records of negative accounts and stored the information on magnetic drums. The merchant then had a keypad that was connected to the stored data to look up numbers. While that expedited the POS process, it didn't go far enough to solve the problem. Keying in the card number was time-consuming.
Ron said he decided to "put some smarts in that piece of plastic" by applying reel-to-reel tape recorder technology. His idea? Record the account number on the tape, build a device that reads it like a tape recorder, connect it to the stored data, and voila! The credit card validity checking system is born!
At 85, Ron continues to mentor, coach, and inspire others to solve challenges. This requires, he said, a certain mindset: Be smart, daring, and different, and don't be afraid of making mistakes. If you want to solve a problem, you need to take some time to think about it in a certain way. Simply put, Ron said there is a gift behind every challenge that, if explored with an inquisitive mind, can bring forth innovations that can make things better for people.
I was thinking about Ron in the context of today's payments innovations, or the challenges we currently face, such as the chip shortage or fraud. What problems do you think need to be solved? By thinking like a humble genius, we see that every challenge brings an opportunity for advancing innovation.