A Report from the Federal Reserve Bank of Chicago’s 2008 Payments Conference
I’ve just returned from the Chicago Federal Reserve Bank’s 2008 Payments Conference, where this year’s topic was Payments Fraud: Perception versus Reality. The conference had good presentations on fraud perspectives in payments ranging from check processing to PayPal, mobile commerce, and contactless card technology.
It was interesting to see the divergent points of view depending on the speaker’s place in the payments value chain. In spite of the perspectives which influenced each speaker’s views about criticality, there was good consistency in the overall themes.
A few of the more noteworthy themes included:
- ACH was built for recurring transactions between parties who know and trust one another, not for ad-hoc transactions which are being moved to it today for new payment types. There is widespread belief that fraud prevention, detection, and mitigation will need to be augmented in this environment.
- Credit card fraud is dropping and is below some historical levels. However, PIN debit card fraud is higher than it has ever been and is an area of concern.
- Fraud programs are most effective when they combine measures for prevention, detection, and mitigation. That requires efforts at each phase of the payment lifecycle: account opening, authentication and authorization of a transaction, back-office analysis, and customer service.
- Fraud approaches and levels are not yet well documented for emerging payments approaches including check imaging, prepaid cards, and contactless cards.
There was ample discussion of PCI data security programs, their costs and benefits, and the status of the PCI standards as a near-default standard for data security for all participants in a payments service, whether or not that participant is actually a subscriber to the PCI group. However, I was troubled by an apparent rush to equate payments fraud prevention with adherence to PCI data standards. An entire panel seemed to use the terms ‘payments fraud’ and ‘data security’ as interchangeable. When participants began to discuss data security, they seemed to lose sight of other important characteristics of fraud and of fraud measures:
- The segmentation of fraud measures across the payments lifecycle, and the layered approach to fraud protection and mitigation which most attendees espoused.
- At least three fraud sources create far more fraud than data breaches do:
  - Insider fraud committed by employees of institutions within the payments value chain
  - Friendly fraud committed by friends, relatives, roommates, and ex-spouses of the victim
  - Fraud committed with instruments obtained through physical theft (of wallets, handbags, etc.) and through interception of mailed instruments and account information
- Personally identifiable information is available through many sources without ever trying to penetrate merchant, issuer, or processor databases. Such data is relatively easy to obtain for a fee, or through unconventional channels, including:
  - Data provisioning services such as Targus Info, Acxiom, and others
  - Credit rating agencies
  - Various non-payment industry databases, such as those available to realtors
This brings me to one of the most perceptive comments of the entire conference: a comment made by Jeff Schmidt, an independent consultant who used to manage key pieces of security testing for Microsoft. Jeff reminded the crowd that the data is out there and it will be acquired by the ‘bad actors’, so what we really need to do is make that data useless to fraudsters.
Carol Coye Benson of Glenbrook Partners has been making this same point at conferences for years. That statement is the key to fraud prevention in an age of pervasive data stores which are out of our control, and in a world full of very crafty fraudsters.