> > > > >
On April 23 and 24, 2008, the Payment Cards Center and the Electronic Funds Transfer Association (EFTA) jointly hosted a conference titled "Maintaining a Safe Environment for Payment Cards: Examining Evolving Threats Posed by Fraud."* One goal of the conference was to provide a broad examination of card fraud by including a range of payment system players. Thus, there were panels representing consumers, issuers, networks, and merchant acquirers. The intent was to frame discussion of payment card fraud in such a way as to include these various perspectives. While the full conference summary is organized around these panels, this short synopsis focuses on key themes identified in the summary document.
The conference began with the cohosts, Peter Burns of the Payment Cards Center and Kurt Helwig of the EFTA, introducing keynote speaker Jon Greenlee, an associate director of the Division of Banking Supervision and Regulation with the Federal Reserve's Board of Governors. Specifically addressing regulation, Greenlee described how the Federal Reserve and other bank regulators have paid increasing attention to the issues of fraud and operational risk in retail payment systems. In response to the growing size and scope of retail payment systems, policymakers have moved beyond their traditional focus on wholesale payment systems. They want to ensure that there is continued confidence in the safety and integrity of payment systems, especially as payments move to electronic platforms. Greenlee argued that should data breaches and related fraud or identity theft threaten consumer confidence in electronic payments, the system as a whole could be threatened. Furthermore, he noted that innovations in payments that lead to greater consumer convenience may also create new risks. The growing involvement of third-party participants in consumer payments may also affect risk profiles as more sensitive information resides outside of a bank's "four walls" and thus creates new challenges for banks and their regulators.
After Greenlee's opening remarks, Burns introduced and moderated the conference's first panel, which offered an overview of key elements in the dialogue about payment card fraud and a context for the next day's panels. Already some of the main themes of the conference began to emerge. For example, Richard Parry of JPMorgan Chase argued that more holistic efforts are needed across the entire banking organization because of cross-channel fraud vulnerabilities. Paul Tomasofsky of Two Sparrows Consulting raised concerns about the vulnerability that may exist in the United States as other parts of the world adopt chip and PIN cards. Avivah Litan of Gartner Inc. emphasized the sophistication of today's payment card fraudsters. The changing nature of fraud, therefore, requires new and collaborative approaches in order to develop effective solutions.
The second day of the conference began with welcoming remarks from the Philadelphia Fed's president, Charles Plosser. Calling attention to the increasingly complex security challenges that exist in today's high-technology and electronic-data-intensive card payment environment, President Plosser observed that while advances in electronic payments enable efficiency and welfare-improving outcomes, these modern payment systems could expose sensitive data to theft "in quantities that would not have been available in previous eras." The data thieves are well organized and professional and are part of well-funded criminal groups. They operate domestically and internationally and use advanced technology in their efforts. Plosser emphasized the importance of consumer confidence in payment systems and its dependence on a secure and safe environment. Thus, it is the obligation of all who touch sensitive information to join in efforts to ensure its safety.
In order to secure such data, Plosser called for the cooperation of otherwise competitive market participants, in conjunction with law enforcement and data security experts. Historically, the industry has been effective at managing fraud because in large part to just such collaboration. Further encouraging cooperation, Plosser observed that "the card payment system's integrity relies upon a set of interdependencies and a shared responsibility." He added that the system's divergent constituencies cannot overcome the battle by operating independently. Since its inception, Plosser noted, the Payment Cards Center has provided such collaborative opportunities by bringing differing perspectives together in a search for common solutions. He concluded by challenging conference attendees to work together constructively during the day's dialogue on maintaining a safe environment for payments.
Setting the stage panel: James Brown, University of Wisconsin; Paul Tomasofsky, Two Sparrows Consulting; Richard Parry, JPMorgan Chase; and Avivah Litan, Gartner Inc.
The remainder of the conference consisted of four panel-led discussions, each focusing on one of the four players in the payment card structure: consumers, issuers, networks, and merchant acquirers. Several common themes that emerged from these discussions are highlighted below.
For the past two decades, the common wisdom has been that smart cards are "a solution in search of a problem." Based on opinions voiced at the conference, there seems to be a recognition that fraud may well be the problem solved by chip- and PIN-based smart cards. As more of the world becomes chip-card enabled, fraud has migrated to regions dependent on magnetic stripe technology. In addition, a participant suggested that the divergence of mag-stripe technology in the U.S. and chip cards in other parts of the world poses challenges to global interoperability. Despite the enthusiasm of many for a chip and PIN solution, others pointed to the perhaps prohibitive cost of such an overhaul of system infrastructure. In addition, some questioned whether, instead, a new approach that addresses card-not-present and other chip and PIN limitations is needed. While not discussed in detail, end-to-end encryption was noted as one such possibility.
Merchants have accelerated their compliance with PCI requirements for data security that were established by the major card networks. There was a general consensus that this was a critical measure that calls for common sense data security practices. At the same time, some argued that requirements should reflect the differing risk profiles of large and small merchant categories. Lastly, a participant contended that PCI compliance is not a "one and done" solution but is instead an ongoing process requiring continual vigilance and adaptation.
Network panel: Ron Congemi, EFTA; Russell Schrader, Visa Inc.; Jodi Golinsky, MasterCard Worldwide; and Mark O'Connell, Interac Association and Acxsys Corporation.
A number of panelists emphasized that the changing nature of fraud and the technologies employed have heightened the threat level for industry participants. Today, fraudsters are often organized professionals using much of the same technology employed by legitimate industry. They frequently employ variations of models used in the legitimate business world to carry out their activity. They use databases that mimic credit bureaus, match and append data elements in ways that emulate legitimate data aggregators and sell the stolen information, and employ time-sharing techniques used by lawful enterprises. One participant observed that these sophisticated fraud rings operate in a kind of illegal "parallel universe" that mirrors the legitimate payment industry.
A related theme highlighted throughout the discussion was that fraud mitigation is a reactive process, with criminals learning to avoid secured access points and targeting weaker products, channels, and geographies. While this dynamic has always been a reality in payment fraud, a number of participants argued that the proliferation of products, access channels, and the globalization of electronic payments have dramatically increased the mitigation challenges. Also, because thieves maneuver across products and channels to perpetrate fraud, and multiservice households expect protection against fraud across the entire relationship, the nature of mitigation strategies is changing. Instead of traditional silo approaches, a number of full-service financial institutions are altering their fraud management structures to cross internal product, channel, and platform silos.
Payment card usage has become both more ubiquitous and more complex. Ecommerce and electronic banking have generated a proliferation of end points. The increased electronification of information makes the capturing of data vulnerable while the information is "in transit" or "at rest." As these and other factors were discussed, a general conclusion arose that we must avoid assuming that there is a "magic bullet" that will ameliorate the problem. Rather, the industry must continue to mitigate fraud with multifaceted and dynamic solutions and the cooperation and collaboration of all parties handling vulnerable information.
In recent years, identity theft and retailer data breaches have been highly publicized in the press. This has raised awareness among the general public about the risks that can affect individuals and, some argued, could lead to a loss of consumer confidence in electronic payments. A participant noted that, while consumers often indicate that they want to be involved in securing their information, they do not always act in their own best interests; for example, they may respond to phishing attacks by providing their personal information. Networks, acquirers, and card issuers would all welcome consumers taking part in fraud-prevention strategies, but zero liability protections and other factors pose challenges to achieving this goal. While there was general agreement that enlisting consumers in fighting fraud is an important goal, participants acknowledged that little progress has been made to date.
Suggestions for research and experimentation that might encourage consumer involvement included more effective education, development of positive incentives for proactive behavior, and more emphasis on technological applications such as text message alerts and other real-time information flows.
Merchant acquirer panel: Marc Abbey, First Annapolis Consulting; Robert Carr, Heartland Payment Systems; Michael Herman, Chase Paymentech Solutions; and Donald Boeding, Fifth Third Bank.
While discussion at the conference did not center on specific proposals, it did explore a number of critical insights and identify new directions for further research. As several participants noted, an element key to a productive exchange of views was the conference's inclusion of the multiple perspectives represented by payment system participants. This reflected a general conclusion that successfully combating fraud in the modern payment card system cannot be accomplished in separate silos across the payment chain. Ultimately, successful solutions will come only when the needs and requirements of all participants are recognized and costs are appropriately shared.