Hot Topics in Payments
Northern Ohio AFP Idea Exchange, Sept. 21, 2015
Matt Davies, CTP, AAP, Federal Reserve Bank of Dallas
Fraud: Business E-mail Compromise
Business E-mail Compromise (BEC)
◦ a.k.a., “Whale Phishing,”
◦ Masquerading, or
◦ “The CEO E-mail”
Criminals stole ~$750m from more than 7,000 U.S. businesses, Oct. 2013-Aug. 2015
◦ Combined with international victims, FBI estimates that more than $1.2b has been lost due to BEC scams
Majority of transfers going to banks in China and Hong Kong
BEC
May not be able to obtain insurance coverage for the loss
New version of BEC scam:
◦ Fraudster contacts businesses via phone or e-mail posing as a lawyer handling confidential or time-sensitive information.
◦ Pressures victim to act quickly, perhaps even secretly, in transferring funds.
◦ Typically at the end of the business day or work week, to coincide with the close of business of international FIs.
BEC
FBI best practices:
◦ Implement a detection system that flags e-mails with extensions similar to the company e-mail.
  E.g., if your legitimate company e-mail is @company.com, the e-mail @c0mpany.com would be flagged.
◦ Don’t rely solely on spam filters to catch these emails.
  Krebs: Spoofed emails used in BEC scams are unlikely to set off spam traps because the targets are not mass emailed. And criminals sending them take the time to research the target organization’s relationships, activities, interests, and travel and purchasing plans.
◦ Register all company domains that are similar to the actual company domain.
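As an added illustration of the first FBI recommendation above (not part of the original deck): a small Python check that flags sender domains resembling the company's own domain, the @c0mpany.com case. The sample addresses are constructed, and the lookalike rules (homoglyph folding plus an edit-distance threshold) are this example's own assumptions, not an FBI specification.

```python
import re

COMPANY_DOMAIN = "company.com"   # the legitimate domain from the slide's own example

# Digits and symbols commonly swapped for look-alike letters (assumed list, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"})

def fold(domain: str) -> str:
    """Lower-case, map look-alike characters to letters, collapse 'rn'->'m' and 'vv'->'w'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Pull the domain out of 'user@host' or 'Display Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.\-|]+)>?$", address.strip())
    return m.group(1).lower() if m else ""

def classify(address: str, company: str = COMPANY_DOMAIN, max_dist: int = 2) -> str:
    """Return 'legitimate', 'lookalike', 'external' or 'invalid' for one sender address."""
    dom = sender_domain(address)
    if not dom:
        return "invalid"
    if dom == company or dom.endswith("." + company):
        return "legitimate"                 # the real domain or one of its subdomains
    # Compare the label in front of the top-level domain (simplified: no public-suffix list).
    base = fold(dom).rsplit(".", 1)[0]
    target = fold(company).rsplit(".", 1)[0]
    if base == target:
        return "lookalike"                  # homoglyph swap (c0mpany.com) or wrong TLD (.co)
    if edit_distance(base, target) <= max_dist:
        return "lookalike"                  # one or two characters off (typo-squat)
    if target in base:
        return "lookalike"                  # company-payments.com and similar
    return "external"

def flag_lookalikes(addresses):
    """Return (address, verdict) for every sender in the list that needs manual review."""
    return [(a, "lookalike") for a in addresses if classify(a) == "lookalike"]

if __name__ == "__main__":
    # Constructed inbox sample; none of these addresses is real.
    sample = ["jane@company.com", "CEO <ceo@c0mpany.com>", "cfo@cornpany.com",
              "ap@company.co", "billing@company-payments.com", "vendor@supplier.example"]
    for addr, verdict in flag_lookalikes(sample):
        print(f"FLAG {addr}: {verdict}")
```

A flagged message is a candidate for the out-of-band confirmation the later slides describe, not an automatic block, since a legitimate vendor may own a similar name.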
BEC
Verify changes in vendor payment locations by adding additional two-factor authentication.
◦ E.g., have a secondary sign-off by company personnel
Confirm requests for funds transfers.
◦ When using phone verification, use previously-known numbers, not the numbers provided in an e-mail request
Know your customers’ payment habits and amounts; flag anything out of the ordinary.
Carefully scrutinize all e-mail requests for funds transfers to determine if the requests are legitimate.
BEC
If victimized:
◦ Immediately contact your bank and request that they contact the corresponding FI where the transfer was sent.
◦ Contact your FBI office if the transfer is recent. The FBI, working with FinCEN, might be able to help return or freeze the funds.
◦ File a detailed complaint with www.IC3.gov. Be sure to identify the incident as a “BEC” scam.
SOURCE: “BEC Scams: A $1.2 Billion Threat to Treasury & Finance,” by Andrew Deichler, afponline.org, Aug. 31, 2015
“Faster Payments”
Same-Day ACH (FRB, NACHA)
The Clearing House
Dwolla FiSync (& BBVA)
Federal Reserve efforts
NACHA Same-Day ACH
RDFIs
◦ Required to be able to receive same-day items
◦ Mandated (in Phase 3) to make funds from same-day credits available to Receiver by 5 p.m. local time
ODFIs pay interbank fee of 5.3 cents per same-day item to RDFIs
◦ Attempt to facilitate cost recovery by RDFIs for investments made to enable acceptance of same-day items
NACHA Same-Day ACH
Same Day ACH: The Phased Approach

Functionality                         | Phase 1 (Sept. 23, 2016)     | Phase 2 (Sept. 15, 2017)     | Phase 3 (Mar. 16, 2018)
Transaction Eligibility               | Credits Only                 | Credits and Debits           | Credits and Debits
  ($25,000 limit; IAT not eligible)   |                              |                              |
New ODFI ACH File Transmission Times  | 10:30 am ET; 3 pm ET         | 10:30 am ET; 3 pm ET         | 10:30 am ET; 3 pm ET
New Settlement Times                  | 1 pm ET; 5 pm ET             | 1 pm ET; 5 pm ET             | 1 pm ET; 5 pm ET
ACH Credit Funds Availability         | End of RDFI’s processing day | End of RDFI’s processing day | 5 pm (RDFI local time)
NACHA Same-Day ACH
Company Descriptive Date field (5 record, field 8)
◦ Optional field with 6 positions available (positions 64-69).
◦ Current NACHA Rules provide that the “Originator establishes this field as the date it would like to see displayed to the Receiver for descriptive purposes.”
NACHA recommends that, as desired, the content of this field be formatted using the convention “SDHHMM”
◦ “SD” in positions 64-65 denotes intent for same-day settlement
◦ Hours and minutes in positions 66-69 denote desired settlement time using a 24-hour clock.
◦ If using this convention, ODFI would validate that the field contains either “SD1300” for settlement desired at 1 p.m. ET, or “SD1700” for settlement desired at 5 p.m. ET.
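The ODFI-side validation of the “SDHHMM” convention, as an added Python example that is not part of the deck or of NACHA's own tooling. It extracts positions 64-69 of a batch header record and accepts only the two settlement windows the slide names; the 94-character record layout beyond positions 64-69 follows the standard NACHA batch header format, and the company, routing and date values are constructed placeholders.

```python
import re

# Same-day settlement windows from the phased-approach table (1 pm ET and 5 pm ET).
SAME_DAY_WINDOWS = {"SD1300": "1 pm ET", "SD1700": "5 pm ET"}

def build_batch_header(company_name, company_id, sec_code, entry_desc,
                       descriptive_date, effective_date, odfi_id, batch_no):
    """Assemble a 94-character batch header (5) record in the standard fixed-width layout.
    Field widths: 1+3+16+20+10+3+10+6+6+3+1+8+7 = 94; service class 200 = mixed debits/credits."""
    rec = ("5" + "200" + company_name.ljust(16)[:16] + " " * 20          # discretionary data
           + company_id.ljust(10)[:10] + sec_code + entry_desc.ljust(10)[:10]
           + descriptive_date.ljust(6)[:6]                               # positions 64-69
           + effective_date + "   " + "1" + odfi_id + str(batch_no).zfill(7))
    if len(rec) != 94:
        raise ValueError("batch header must be exactly 94 characters")
    return rec

def company_descriptive_date(record: str) -> str:
    """Field 8 of the 5 record: positions 64-69 (1-based), i.e. record[63:69]."""
    if len(record) != 94 or record[0] != "5":
        raise ValueError("not a batch header record")
    return record[63:69]

def same_day_settlement(field: str):
    """ODFI-side validation of the SDHHMM convention.
    Returns the requested window, None when there is no 'SD' marker (the field is then
    ordinary descriptive text), and raises ValueError for an 'SD' value the ODFI cannot honour."""
    if not field.startswith("SD"):
        return None
    if not re.fullmatch(r"SD([01]\d|2[0-3])[0-5]\d", field):
        raise ValueError(f"malformed same-day indicator: {field!r}")
    if field not in SAME_DAY_WINDOWS:
        raise ValueError(f"unsupported same-day settlement time: {field!r}")
    return SAME_DAY_WINDOWS[field]

def check_batch(record: str):
    """Settlement window requested by one batch header, or None for a next-day batch."""
    return same_day_settlement(company_descriptive_date(record))

if __name__ == "__main__":
    # Constructed sample values; company ID, ODFI routing prefix and dates are placeholders.
    hdr = build_batch_header("ACME CORP", "1234567890", "PPD", "PAYROLL",
                             "SD1300", "160923", "09100001", 1)
    print(company_descriptive_date(hdr), "->", check_batch(hdr))    # SD1300 -> 1 pm ET
```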
NACHA Same-Day ACH
5/21/2015: Federal Reserve Board requests public comment on enhancements to same-day ACH service
Faster Payments: TCH
The Clearing House
◦ Represents 24 largest commercial banks in the U.S.
◦ Building a real-time payments network
◦ Multi-year endeavor
◦ Relies on push credits
◦ “…the security, the protection of account data, and the enhanced messaging” [compared to Same-Day ACH]
◦ Security: Payments will be routed using tokens to protect account information
Faster Payments: TCH
Will TCH’s RTP Network be…
◦ The same as…
◦ Connected to…
ClearXchange?
◦ BofA, Wells, Chase…
◦ Capital One…
◦ US Bank…
◦ First Bank (Denver-based)
Faster Payments: Dwolla
Dwolla
◦ Based in Des Moines
BBVA Compass Bank
◦ Houston-based unit of BBVA Compass Bancshares Inc., a wholly-owned subsidiary of Spain’s BBVA
◦ 672 U.S. branches; over half of them in TX
4/2015: BBVA announced it has gone live with Dwolla, allowing BBVA customers to make real-time payments (RTPs) to other BBVA customers using Dwolla’s FiSync technical protocol
◦ [Note: RTPs can be made to other FiSync FI(s): Veridian CU, Waterloo, IA; others to come?]
Faster Payments: Dwolla
Payments “clear in seconds”
Dwolla’s pricing:
◦ Payments under $10: free
◦ Payments over $10: recipient charged 25 cents per transaction
Dec. 2014: Dwolla introduced Dwolla Direct
◦ Allows those without Dwolla accounts to receive payments from Dwolla users
◦ These payments use ACH; clear in 1-3 days
Faster Payments: Dwolla
Security
◦ For the service with BBVA, Dwolla began using digital tokens that replace the user’s RTN and account number
  User designates a funding source and authorizes the payment
  BBVA generates a token, unique to the authorization
  Token can be revoked by the user, BBVA, or Dwolla
Faster Payments: The Fed
Faster Payments Task Force
◦ www.fedpaymentsimprovement.org
EMV Update
Merchant point-of-sale (POS) terminal upgrades
◦ Contact (“dipping”)
◦ Contactless
FIs issue new credit/debit cards containing chips
◦ “Chip & PIN”
◦ “Chip & Signature”
◦ “Chip & Choice”
EMV Update
Liability Shift: Oct. 1, 2015
◦ Fuel-selling merchants: Oct. 1, 2017
◦ How much will the liability shift drive merchants/card issuers?
  Many community bank card issuers are in the queue with processors
  Merchants lag, especially small businesses
  Will even the “big-box” merchants wait to activate chip acceptance until after this year’s holiday season?
EMV Update
ATM Liability Shift
◦ MasterCard Oct. 2016
◦ Visa Oct. 2017
◦ Most ATMs accept Visa and MC, so MC’s deadline will likely be the driver here
EMV – Where are we?
Visa:
◦ About 16% of Visa’s 700m cards in the U.S. have been converted to EMV…
◦ Forecast: 63% of the cards will be EMV by the end of the calendar year.
◦ Recent Visa studies indicated 83% awareness of chip cards amongst consumers in May; 89% in July
Julie Conroy, Aite: “70% of all credit cards and 41% of debit cards will be EMV by the end of the year.”
SOURCE: “The State of EMV, by the Numbers,” by David Heun, PaymentsSource, August 12, 2015
EMV – Where are we?
Most FIs issuing chip-and-signature
Exception: See State Employees CU, NC
◦ $29.5b in assets; second largest CU in the country
◦ Issues all of its EMV credit cards with PINs
◦ Allows cardholders to authenticate with either the PIN or a signature.
◦ So far, less than ½ of 1% of all of SECU’s credit card transactions have been PIN-authenticated
EMV
Lost/stolen and card-not-received
◦ EMV can address this, if “chip-and-PIN”
  U.S. is “chip-and-choice”; most cards are being issued as “chip-and-signature”
  With chip and signature, fraudster can steal mail and use card without knowing PIN
◦ Will EMV implementation in the US lead to a rise in instances of non-receipt of mail?
EMV
Brian Krebs, KrebsonSecurity.com, Aug. 2015, reported a “shimmer” found on an ATM in Mexico
◦ Shimmer: A thin device that sits between the card’s chip and the chip reader when the cardholder inserts (“dips”) the card into the slot.
◦ Like a skimmer on POS card readers, fuel pumps or ATMs that steals mag-stripe payment card info
◦ The shimmer reported by Krebs was easily inserted into the ATM and reportedly could capture EMV card data.
SOURCE: “Does a ‘Shimmer’ on a Mexican ATM Portend a Fraud Threat to U.S. EMV Chip Cards?” by Jim Daly, Digital Transactions News, Aug. 13, 2015
Beyond EMV?
Tokenization
◦ EMVCo
◦ Visa, MasterCard
◦ Apple Pay/Samsung Pay/Android Pay
Point-to-Point Encryption
3DSecure (online)
◦ EMVCo “overhaul” – specs to be published in 2016
◦ Replace static passwords with one-time passwords
Mobile Payments
Cell phone, smart phone, tablet, watch, etc.
Two types of mobile payments:
◦ Proximity Payment – Mobile device with technology embedded in/displayed on it is used to make payment at POS
  e.g., using mobile phone to make payment at POS
◦ Remote Payment – Mobile device used to initiate payment regardless of proximity to payee/POS
  e.g., using mobile phone to make payment via PayPal
Mobile Payments Evolving
Timeline columns: 2006-2008 | 2009-2010 | 2011 | 2012 | 2013-2015
Remote SMS & e-commerce Payments
PayPal Text to Buy
Amazon Text Buy It
Direct Carrier Billing
Mobile App Stores
Apple App Store
Android Market
RFID Contactless Cards
Mobile Web Payments
Amazon
Mobile Card Acceptance
Square
QR Code
Starbucks
LevelUp
NFC: Google Wallet
Prepaid
AmEx
PayPal Here
Isis NFC Wallet [later Softcard, bought by Google 2/2015]
Cloud Digital Wallet
PayPal In-store
Apple Passbook
NFC/Cloud Wallet
Google Wallet
Prepaid
AmEx Bluebird
Mobile Bank Account
Green Dot GoBank
Mobile Wallets
Square Wallet (discontinued)
Google Wallet KitKat HCE
Beacon BLE
PayPal Beacon
FI/Card network tokenization
TCH, EMVCo, X9
Mobile Payments
Starbucks
◦ Bar codes
◦ Biggest success in mobile payments to date
◦ As of April 2015:
  Approx. 8m mobile transactions/wk. at Starbucks’ registers;
  About 19% of its US store sales
◦ Starbucks claims its mobile payments accounted for 90% of the $1.3b mobile payments market in 2014
Mobile Wallets
a.k.a., “digital wallets”
Mobile technology that functions like a physical wallet
Can hold credit and debit cards, reward/loyalty cards, etc.
◦ Eventually, medical records; digital driver’s licenses (e.g. initiatives in Iowa, Delaware)
Generally, consumer adoption of mobile wallets to date has been limited.
◦ Mobile wallets don’t necessarily solve a problem for consumers; swiping a credit card is not really that difficult!
Near Field Communication (NFC)
Short-range wireless RFID technology
◦ As opposed to longer range used for toll tags, for example
Credit/debit card info “provisioned to” the mobile wallet
◦ Credit/debit card information is encrypted and stored in a secure element (SE) in the phone (as opposed to “in the cloud”)
◦ SE is often an embedded chip controlled by the handset manufacturer, or the SIM card, which is controlled by the mobile carrier
Less than 14% of all merchant locations are enabled for NFC transactions today
◦ Some big merchants have turned NFC off entirely (e.g., Best Buy)
◦ Potential drivers of NFC upgrade at merchant POS: EMV; Apple Pay
Mobile Wallets:
iPhone 6 (Sept. 2014)
Apple Pay (Oct. 2014)
Apple Watch (Apr. 2015)
Uses NFC technology to facilitate contactless payments at point of sale (POS)
Also allows in-app payments
NFC antenna across the top of the phone
◦ NFC protocol has encryption built into it
Uses Passbook app (will be renamed “Wallet” in iOS 9)
Image credit: Apple Inc.
Apple Pay
Uses iPhone’s TouchID fingerprint scanner as a form of authentication
◦ introduced in the previous iPhone model, 5s
◦ built into iPhone’s home button
iPhone 6 has a new chip, a secure element (SE), in the phone handset
◦ Stores the cardholder’s payment information…
◦ …though not the actual card number
Image credit: Apple Inc.
Apple Pay
Automatically uses consumer’s card on file with iTunes as default payment account
Users add additional cards by scanning them with the phone’s camera, or typing card details into Passbook app
Apple verifies card account data with card issuer and places a digital rendering of the card in Passbook
Apple Pay
Apple provides card issuing FI with information to help validate a new card:
◦ Potential customer’s device name
◦ Current location
◦ Whether or not the customer has a long history of transactions within iTunes
Issuing FI decides if additional verification is needed
◦ Apple iOS Security Guide: “Depending on what is offered by the card issuer, the user may be able to choose between different options for additional verification, such as a text message, email, customer service call, or a method in an approved third-party app to complete the verification.”
Apple Pay – Card Validation
An FI might:
◦ Ask cardholder to enter additional data to confirm his identity.
◦ Require cardholders to log into their online accounts to authorize Apple Pay.
◦ Ask cardholder to call a customer-service rep to set up the card
e.g., Wells Fargo:
◦ Requires some customers to provide additional verification to add a card.
◦ Customers are directed to call in to verify or to download the Wells Fargo Verify app.
◦ The app guides the customer through the verification process.
Apple Pay
Apple Pay uses tokenization to remove payment card numbers from the transaction process.
◦ When a user adds a card, Apple does not store the actual card number
◦ Instead, creates a “device-only” account number for each card and stores it in the phone’s SE
◦ Each time Apple Pay is used, Apple uses a one-time payment number, along with a dynamic security code
  Essentially, creates a one-time card use system, and
  Eliminates the need for static security code (CVV/CVC) on the plastic card
◦ Merchant never sees the cardholder’s name, card number or security code
Apple Pay
To make a payment using his default card, user does not need to open an app or “wake” the phone, because of the NFC antenna
Holds iPhone near merchant’s contactless card reader
Uses Touch ID (home button) to authenticate by fingerprint
A subtle vibration and beep indicate payment information has been sent
If user wants to pay with a card other than his default card, he must first open the Passbook app and select an alternate card
Apple Pay Fees
Card-issuing FIs pay a per-transaction fee to Apple to be included in Apple Pay
◦ 15bps on credit card transactions
◦ $.005 on debit card transactions
Apple Pay – Banks/CUs
2,500 FIs have signed on to Apple Pay; 400+ live (8/2015)
◦ Security Service FCU (San Antonio)
  425,000 credit and debit cardholders
  “We are fighting a fierce battle for the hearts, minds and eyeballs of our members so we want to be relevant and exciting for them.”—Jim Laffoon, president/CEO, Security Service FCU
◦ See Apple’s list at http://support.apple.com/en-us/HT6288
◦ See Visa’s list at http://usa.visa.com/clients-partners/technology-and-innovation/apple-pay/financial-institutions/index.jsp
Apple Pay - Issues
Not ubiquitous; many retailers won’t accept Apple Pay
8m POS in the U.S.
◦ As of 3/9/2015: Accepted at nearly 700,000 U.S. merchant locations, acc. to Apple
◦ 7/2015: Anticipate 1.5m+ locations by EOY 2015
  How does Apple define a “location”? Acceptance terminal?
  Many of those are vending machines
Number of iPhones in consumers’ hands
◦ Originally only iPhone 6 and iPhone 6+, but now…
◦ Apple Watch enables payments (must be paired with the iPhone to do so).
  Will extend Apple Pay to iPhone 5, 5c, and 5s
  “opens up Apple Pay to over 69% of devices on its OS” (Javelin)
Image credit: Apple Inc.
Apple Pay – Future?
Will “a rising tide lift all boats”?
◦ Will uptake of Apple Pay also encourage merchant acceptance of Google Wallet and MCX/CurrentC?
What role for community banks and CUs?
◦ Cards loaded to Apple Pay are accessed through Passbook, which selects the first card enrolled as the default card.
◦ How will an FI stand out; provide a compelling app so members will choose their card for mobile payments?
Interchange?
Apple Pay – Future?
As Apple Pay grows, will Apple be content w/ 15bps per credit card transaction/5c for debit transaction?
As Apple Pay grows, will Apple be content to not collect/monetize customer transaction data?
As we continue to move away from plastic cards, will FIs be able to instantly issue card accounts into Apple Pay?
◦ “…that will move the market for us.”—Jason Tinurelli, U.S. Bank’s SVP retail payment solutions, digital strategy and innovation
Quoted in “Mobile Makes Headlines, But Plastic Makes Progress,” by David Heun, PaymentsSource, Apr. 13, 2015
Mobile Wallets: Samsung Pay
“Samsung Pay” will be available on the Galaxy S6 and S6 Edge in September
2/2015: Samsung announced purchase of LoopPay
◦ “Magnetic Secure Transmission”
◦ Users able to pay for purchases at 90% of mag-stripe payment terminals, as well as NFC terminals
◦ Could help Samsung Pay gain merchant acceptance quickly compared to Apple Pay
Samsung Pay
Participants:
◦ Visa, Mastercard
◦ US Bank, Synchrony Financial (formerly GE Capital)
◦ In discussions with AmEx, BofA, Citi, JPMC, others...
Security:
◦ Fingerprint reader
◦ Tokenization
“Samsung won’t charge banks and credit-card issuers transaction fees.”
SOURCE: “Samsung Pay Could Win Over Banks Faster than Apple Did,” Bloomberg News, Aug. 14, 2015
Mobile Wallets: Android Pay
5/28/2015: Google announced Android Pay
Available “this summer”
Will be the Android solution for in-store and in-app payments
◦ Google Wallet will be a dedicated person-to-person (P2P) app for Android and iOS
Will come pre-loaded on new Android smart phones from Verizon, AT&T, and T-Mobile
Android Pay
Like Apple Pay…
◦ Near-Field Communication (NFC)
  …but Host Card Emulation (HCE) variant of NFC
◦ Tokenization
◦ Fingerprint authentication
Mobile Wallets: MCX
Merchant Customer Exchange (MCX)/CurrentC
◦ Merchant-driven
  7-Eleven, Southwest Airlines, Wal-Mart, Target, etc.
  Merchants don’t like interchange infrastructure
  View much of the innovation in mobile payments as simply maintaining the current credit card/interchange model
◦ In development for more than 2 years; now testing
◦ No launch date announced, but perhaps 2015?
◦ QR code not NFC, but few details have been provided as to how its technology will work.
◦ Paydiant technology [3/2015: PayPal acquired Paydiant]
◦ FIS (Fidelity Natl. Information Svcs.) will provide payment processing, routing and settlement
◦ Piloting in Columbus, OH
Questions?
Follow us on: @DallasFed DallasFed
Matt Davies, AAP, CTP, CPP
Payments Outreach Officer
Federal Reserve Bank of Dallas
Phone: 214-922-5259
E-mail: [email protected]