
Hot Topics in Payments
Northern Ohio AFP Idea Exchange, Sept. 21, 2015
Matt Davies, CTP, AAP, Federal Reserve Bank of Dallas

Agenda

Business E-Mail Compromise
“Faster Payments”
EMV Update
Mobile Payments/Mobile Wallets

Fraud: Business E-mail Compromise

Business E-mail Compromise (BEC)
◦ a.k.a., “Whale Phishing,”
◦ Masquerading, or
◦ “The CEO E-mail”

Criminals stole ~$750m from more than 7,000 U.S. businesses, Oct. 2013-Aug. 2015
◦ Combined with international victims, FBI estimates that more than $1.2b has been lost due to BEC scams

Majority of transfers going to banks in China and Hong Kong

BEC

May not be able to obtain insurance coverage for the loss

New version of BEC scam:
◦ Fraudster contacts businesses via phone or e-mail posing as a lawyer handling confidential or time-sensitive information.
◦ Pressures victim to act quickly, perhaps even secretly, in transferring funds.
◦ Typically at the end of the business day or work week, to coincide with the close of business of international FIs.

BEC

FBI best practices:
◦ Implement a detection system that flags e-mails with extensions similar to the company e-mail.
  E.g., if your legitimate company e-mail is @company.com, the e-mail @c0mpany.com would be flagged.
◦ Don’t rely solely on spam filters to catch these emails.
  Krebs: Spoofed emails used in BEC scams are unlikely to set off spam traps because the targets are not mass emailed. And criminals sending them take the time to research the target organization’s relationships, activities, interests, and travel and purchasing plans.
◦ Register all company domains that are similar to the actual company domain.
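As an added illustration of the detection control the FBI best practice above describes (example code, not from the slides or the FBI): hold inbound mail whose sender domain is not the company domain but is a look-alike substitution (c0mpany.com) or one edit away from it. The company domain, the confusable map and the sample From: headers are all constructed.

```python
# Added example (not from the slide deck): flag sender domains that look like
# the company's own domain, e.g. c0mpany.com for company.com.  The company
# domain, the confusable map and the sample From: headers are constructed.
from email.utils import parseaddr

COMPANY_DOMAIN = "company.com"   # assumed legitimate domain

# Characters criminals commonly swap for look-alikes when registering a
# fraudulent domain; normalize() collapses them back to plain letters.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(domain: str) -> str:
    """Undo common look-alike substitutions so c0mpany -> company."""
    domain = domain.lower()
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (plain dynamic programming; strings are short)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True when the domain is not ours but is a confusable or one edit away."""
    domain = domain.lower().rstrip(".")
    if domain == legit:
        return False
    return normalize(domain) == legit or edit_distance(domain, legit) <= 1

def flag_senders(from_headers):
    """Return the From: headers whose sender domain should be held for review."""
    flagged = []
    for header in from_headers:
        _, addr = parseaddr(header)
        if "@" in addr and is_lookalike(addr.rsplit("@", 1)[1]):
            flagged.append(header)
    return flagged

# Constructed sample headers: only the first and last are legitimate.
SAMPLE_FROM = [
    "CEO <ceo@company.com>",
    "CEO <ceo@c0mpany.com>",           # zero for 'o'
    "Controller <ap@cornpany.com>",    # 'rn' for 'm'
    "CEO <ceo@company.co>",            # truncated TLD, one edit away
    "Vendor <billing@supplier.example>",
]

if __name__ == "__main__":
    for header in flag_senders(SAMPLE_FROM):
        print("FLAG:", header)
```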

BEC

Verify changes in vendor payment locations by adding additional two-factor authentication.
◦ E.g., have a secondary sign-off by company personnel

Confirm requests for funds transfers.
◦ When using phone verification, use previously-known numbers, not the numbers provided in an e-mail request

Know your customers’ payment habits and typical amounts; flag anything out of the ordinary.

Carefully scrutinize all e-mail requests for funds transfers to determine if the requests are legitimate.

BEC

If victimized:
◦ Immediately contact your bank and request that they contact the corresponding FI where the transfer was sent.
◦ Contact your FBI office if the transfer is recent. The FBI, working with FinCEN, might be able to help return or freeze the funds.
◦ File a detailed complaint with www.IC3.gov. Be sure to identify the incident as a “BEC” scam.

SOURCE: “BEC Scams: A $1.2 Billion Threat to Treasury & Finance,” by Andrew Deichler, afponline.org, Aug. 31, 2015

“Faster Payments”

Same-Day ACH (FRB, NACHA)
The Clearing House
Dwolla FiSync (& BBVA)
Federal Reserve efforts

NACHA Same-Day ACH

RDFIs
◦ Required to be able to receive same-day items
◦ Mandated (in Phase 3) to make funds from same-day credits available to Receiver by 5 p.m. local time

ODFIs pay interbank fee of 5.3 cents per same-day item to RDFIs
◦ Attempt to facilitate cost recovery by RDFIs for investments made to enable acceptance of same-day items

NACHA Same-Day ACH
Same Day ACH: The Phased Approach

Functionality                          | Phase 1 (Sept. 23, 2016)     | Phase 2 (Sept. 15, 2017)     | Phase 3 (Mar. 16, 2018)
Transaction Eligibility                | Credits Only                 | Credits and Debits           | Credits and Debits
  ($25,000 limit; IAT not eligible)    |                              |                              |
New ODFI ACH File Transmission Times   | 10:30 am ET, 3 pm ET         | 10:30 am ET, 3 pm ET         | 10:30 am ET, 3 pm ET
New Settlement Times                   | 1 pm ET, 5 pm ET             | 1 pm ET, 5 pm ET             | 1 pm ET, 5 pm ET
ACH Credit Funds Availability          | End of RDFI’s processing day | End of RDFI’s processing day | 5 pm (RDFI local time)

NACHA Same-Day ACH

Company Descriptive Date field (“5” record, field 8)
◦ Optional field with 6 positions available (positions 64-69).
◦ Current NACHA Rules provide that the “Originator establishes this field as the date it would like to see displayed to the Receiver for descriptive purposes.”

NACHA recommends that, as desired, the content of this field be formatted using the convention “SDHHMM”
◦ “SD” in positions 64-65 denotes intent for same-day settlement
◦ Hours and minutes in positions 66-69 denote desired settlement time using a 24-hour clock.
◦ If using this convention, ODFI would validate that the field contains either “SD1300” for settlement desired at 1 p.m. ET, or “SD1700” for settlement desired at 5 p.m. ET.
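An added example of the ODFI-side validation the SDHHMM convention above calls for (example code, not from the slides or from NACHA): pull positions 64-69 out of a batch header record and accept only SD1300 or SD1700 as a same-day request. The 94-character fixed-width batch header layout is the standard NACHA one; the sample field values and the accept/reject policy are constructed for the illustration.

```python
# Added example (not from the slide deck or from NACHA): how an ODFI could apply
# the SDHHMM convention above to the Company Descriptive Date field (positions
# 64-69) of a NACHA batch header ("5") record.  The 94-character fixed-width
# layout used by build_batch_header() is the standard one; the sample values
# and the accept/reject policy are constructed for this illustration.

RECORD_LENGTH = 94
DESC_DATE_START, DESC_DATE_END = 64, 69                 # 1-based positions
SETTLEMENT_WINDOWS = {"SD1300": "1 p.m. ET", "SD1700": "5 p.m. ET"}

def company_descriptive_date(record: str) -> str:
    """Return field 8 (positions 64-69) of a batch header record."""
    if len(record) != RECORD_LENGTH or record[0] != "5":
        raise ValueError("not a 94-character batch header ('5') record")
    return record[DESC_DATE_START - 1:DESC_DATE_END]

def classify_same_day(record: str):
    """Decide how the ODFI treats the batch:
       ("same-day", window)  field is SD1300 or SD1700
       ("standard", None)    field does not start with SD (a date or blanks)
       ("reject", reason)    field starts with SD but is malformed/unsupported"""
    field = company_descriptive_date(record)
    if not field.startswith("SD"):
        return ("standard", None)
    if field in SETTLEMENT_WINDOWS:
        return ("same-day", SETTLEMENT_WINDOWS[field])
    hhmm = field[2:]
    if not (hhmm.isdigit() and hhmm[:2] <= "23" and hhmm[2:] <= "59"):
        return ("reject", f"{field!r} is not SDHHMM on a 24-hour clock")
    return ("reject", f"{field!r} is not a supported settlement window")

def build_batch_header(desc_date: str) -> str:
    """Assemble a 94-char batch header with the given 6-char field 8 value."""
    if len(desc_date) != 6:
        raise ValueError("Company Descriptive Date must be 6 positions")
    rec = ("5"                          # 1     record type code
           + "200"                      # 2-4   service class: mixed debits/credits
           + "ACME CORP".ljust(16)      # 5-20  company name (constructed)
           + "".ljust(20)               # 21-40 discretionary data
           + "1123456789"               # 41-50 company identification (constructed)
           + "PPD"                      # 51-53 standard entry class code
           + "PAYROLL".ljust(10)        # 54-63 company entry description
           + desc_date                  # 64-69 company descriptive date
           + "150921"                   # 70-75 effective entry date YYMMDD
           + "   "                      # 76-78 settlement date (set by operator)
           + "1"                        # 79    originator status code
           + "09100001"                 # 80-87 ODFI identification (constructed)
           + "0000001")                 # 88-94 batch number
    assert len(rec) == RECORD_LENGTH
    return rec

if __name__ == "__main__":
    for value in ("SD1300", "SD1700", "092115", "SD1500", "SD2560"):
        print(value, classify_same_day(build_batch_header(value)))
```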

NACHA Same-Day ACH

5/21/2015: Federal Reserve Board requests public comment on enhancements to same-day ACH service

Faster Payments: TCH

The Clearing House
◦ Represents 24 largest commercial banks in the U.S.
◦ Building a real-time payments network
◦ Multi-year endeavor
◦ Relies on push credits
◦ “…the security, the protection of account data, and the enhanced messaging” [compared to Same-Day ACH]
◦ Security: Payments will be routed using tokens to protect account information

Faster Payments: TCH

Will TCH’s RTP Network be…
◦ The same as…
◦ Connected to…
…ClearXchange?
◦ BofA, Wells, Chase…
◦ Capital One…
◦ US Bank…
◦ First Bank (Denver-based)

Faster Payments: Dwolla

Dwolla
◦ Based in Des Moines

BBVA Compass Bank
◦ Houston-based unit of BBVA Compass Bancshares Inc., a wholly-owned subsidiary of Spain’s BBVA
◦ 672 U.S. branches; over half of them in TX

4/2015: BBVA announced it has gone live with Dwolla, allowing BBVA customers to make real-time payments (RTPs) to other BBVA customers using Dwolla’s FiSync technical protocol
◦ [Note: RTPs can be made to other FiSync FI(s): Veridian CU, Waterloo, IA; others to come?]

Faster Payments: Dwolla

Payments “clear in seconds”

Dwolla’s pricing:
◦ Payments under $10: free
◦ Payments over $10: recipient charged 25 cents per transaction

Dec. 2014: Dwolla introduced Dwolla Direct
◦ Allows those without Dwolla accounts to receive payments from Dwolla users
◦ These payments use ACH; clear in 1-3 days

Faster Payments: Dwolla

Security
◦ For the service with BBVA, Dwolla began using digital tokens that replace the user’s RTN and account number
  User designates a funding source and authorizes the payment
  BBVA generates a token, unique to the authorization
  Token can be revoked by the user, BBVA, or Dwolla

Faster Payments: The Fed

Faster Payments Task Force
◦ www.fedpaymentsimprovement.org

EMV Update

Merchant point-of-sale (POS) terminal upgrades
◦ Contact (“dipping”)
◦ Contactless

FIs issue new credit/debit cards containing chips
◦ “Chip & PIN”
◦ “Chip & Signature”
◦ “Chip & Choice”

EMV Update

Liability Shift: Oct. 1, 2015
◦ Fuel-selling merchants: Oct. 1, 2017
◦ How much will the liability shift drive merchants/card issuers?
  Many community bank card issuers are in the queue with processors
  Merchants lag, especially small businesses
  Will even the “big-box” merchants wait to activate chip acceptance until after this year’s holiday season?

EMV Update

ATM Liability Shift
◦ MasterCard Oct. 2016
◦ Visa Oct. 2017
◦ Most ATMs accept Visa and MC, so MC’s deadline will likely be the driver here

EMV – Where are we?

Visa:
◦ About 16% of Visa’s 700m cards in the U.S. have been converted to EMV…
◦ Forecast: 63% of the cards will be EMV by the end of the calendar year.
◦ Recent Visa studies indicated 83% awareness of chip cards amongst consumers in May; 89% in July

Julie Conroy, Aite: “70% of all credit cards and 41% of debit cards will be EMV by the end of the year.”

SOURCE: “The State of EMV, by the Numbers,” by David Heun, PaymentsSource, August 12, 2015

EMV – Where are we?

Most FIs issuing chip-and-signature

Exception: See State Employees CU, NC
◦ $29.5b in assets; second largest CU in the country
◦ Issues all of its EMV credit cards with PINs
◦ Allows cardholders to authenticate with either the PIN or a signature.
◦ So far, less than ½ of 1% of all of SECU’s credit card transactions have been PIN-authenticated

EMV

Lost/stolen and card-not-received
◦ EMV can address this, if “chip-and-PIN”
  U.S. is “chip-and-choice”; most cards are being issued as “chip-and-signature”
  With chip and signature, fraudster can steal mail and use card without knowing PIN
◦ Will EMV implementation in the US lead to a rise in instances of non-receipt of mail?

EMV

Brian Krebs, KrebsonSecurity.com, Aug. 2015, reported a “shimmer” found on an ATM in Mexico
◦ Shimmer: A thin device that sits between the card’s chip and the chip reader when the cardholder inserts (“dips”) the card into the slot.
◦ Like a skimmer on a POS card reader, fuel pump or ATM that steals mag-stripe payment card info
◦ The shimmer reported by Krebs was easily inserted into the ATM and reportedly could capture EMV card data.

SOURCE: “Does a ‘Shimmer’ on a Mexican ATM Portend a Fraud Threat to U.S. EMV Chip Cards?” by Jim Daly, Digital Transactions News, Aug. 13, 2015

Beyond EMV?

Tokenization
◦ EMVCo
◦ Visa, MasterCard
◦ Apple Pay/Samsung Pay/Android Pay

Point-to-Point Encryption

3DSecure (online)
◦ EMVCo “overhaul” – specs to be published in 2016
◦ Replace static passwords with one-time passwords

Mobile Payments

Cell phone, smart phone, tablet, watch, etc.

Two types of mobile payments:
◦ Proximity Payment – Mobile device with technology embedded in/displayed on it is used to make payment at POS
  e.g., using mobile phone to make payment at POS
◦ Remote Payment – Mobile device used to initiate payment regardless of proximity to payee/POS
  e.g., using mobile phone to make payment via PayPal

Mobile Payments Evolving

[Timeline figure spanning 2006-2008, 2009-2010, 2011, 2012 and 2013-2015; the entries shown are listed here by category with their examples.]

Remote SMS & e-commerce payments: PayPal Text to Buy; Amazon Text Buy It
Direct carrier billing
Mobile app stores: Apple App Store; Android Market
RFID contactless cards
Mobile web payments: Amazon
Mobile card acceptance: Square
QR code: Starbucks; LevelUp
NFC: Google Wallet
Prepaid: AmEx
PayPal Here
Isis NFC Wallet [later Softcard, bought by Google 2/2015]
Cloud digital wallet: PayPal In-store
Apple Passbook
NFC/cloud wallet: Google Wallet
Prepaid: AmEx Bluebird
Mobile bank account: Green Dot GoBank
Mobile wallets: Square Wallet (discontinued)
Google Wallet KitKat HCE
Beacon BLE: PayPal Beacon
FI/card network tokenization: TCH, EMVCo, X9

Mobile Payments

Starbucks
◦ Bar codes
◦ Biggest success in mobile payments to date
◦ As of April 2015:
  Approx. 8m mobile transactions/wk. at Starbucks’ registers;
  About 19% of its US store sales
◦ Starbucks claims its mobile payments accounted for 90% of the $1.3b mobile payments market in 2014

Mobile Wallets

a.k.a., “digital wallets”

Mobile technology that functions like a physical wallet

Can hold credit and debit cards, reward/loyalty cards, etc.
◦ Eventually, medical records; digital driver’s licenses (e.g. initiatives in Iowa, Delaware)

Generally, consumer adoption of mobile wallets to date has been limited.
◦ Mobile wallets don’t necessarily solve a problem for consumers; swiping a credit card is not really that difficult!

Near Field Communication (NFC)

Short-range wireless RFID technology
◦ As opposed to longer range used for toll tags, for example

Credit/debit card info “provisioned to” the mobile wallet
◦ Credit/debit card information is encrypted and stored in a secure element (SE) in the phone (as opposed to “in the cloud”)
◦ SE is often an embedded chip controlled by the handset manufacturer, or the SIM card, which is controlled by the mobile carrier

Less than 14% of all merchant locations are enabled for NFC transactions today
◦ Some big merchants have turned NFC off entirely (e.g., Best Buy)
◦ Potential drivers of NFC upgrade at merchant POS: EMV; Apple Pay

Mobile Wallets: Apple Pay

iPhone 6 (Sept. 2014)
Apple Pay (Oct. 2014)
Apple Watch (Apr. 2015)

Uses NFC technology to facilitate contactless payments at point of sale (POS)

Also allows in-app payments

NFC antenna across the top of the phone
◦ NFC protocol has encryption built into it

Uses Passbook app (will be renamed “Wallet” in iOS 9)

Image credit: Apple Inc.

Apple Pay

Uses iPhone’s TouchID fingerprint scanner as a form of authentication
◦ introduced in the previous iPhone model, 5s
◦ built into iPhone’s home button

iPhone 6 has a new chip, a secure element (SE), in the phone handset
◦ Stores the cardholder’s payment information…
◦ …though not the actual card number

Image credit: Apple Inc.

Apple Pay

Automatically uses consumer’s card on file with iTunes as default payment account

Users add additional cards by scanning them with the phone’s camera, or typing card details into Passbook app

Apple verifies card account data with card issuer and places a digital rendering of the card in Passbook

Apple Pay

Apple provides card issuing FI with information to help validate a new card:
◦ Potential customer’s device name
◦ Current location
◦ Whether or not the customer has a long history of transactions within iTunes

Issuing FI decides if additional verification is needed
◦ Apple iOS Security Guide: “Depending on what is offered by the card issuer, the user may be able to choose between different options for additional verification, such as a text message, email, customer service call, or a method in an approved third-party app to complete the verification.”

Apple Pay – Card Validation

An FI might:
◦ Ask cardholder to enter additional data to confirm his identity.
◦ Require cardholders to log into their online accounts to authorize Apple Pay.
◦ Ask cardholder to call customer-service rep to set up the card

e.g., Wells Fargo:
◦ Requires some customers to provide additional verification to add a card.
◦ Customers are directed to call in to verify or to download the Wells Fargo Verify app.
◦ The app guides the customer through the verification process.

Apple Pay

Apple Pay uses tokenization to remove payment card numbers from the transaction process.
◦ When a user adds a card, Apple does not store the actual card number
◦ Instead, creates a “device-only” account number for each card and stores it in the phone’s SE
◦ Each time Apple Pay is used, Apple uses a one-time payment number, along with a dynamic security code
  Essentially, creates a one-time card use system, and
  Eliminates the need for static security code (CVV/CVC) on the plastic card
◦ Merchant never sees the cardholder’s name, card number or security code
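An added, simplified model of the token flow the slide describes, showing why a captured payment message is worthless to a fraudster (example code, not Apple’s or EMVCo’s scheme): the issuer’s vault keeps the real card number, the device holds only a device account number and a key, each payment carries a one-time cryptogram bound to amount, merchant and a counter, and the merchant never sees the card number. The HMAC construction, the counter-based replay check and all sample values are constructed assumptions.

```python
# Added example (not Apple's or EMVCo's code): simplified model of the token
# flow described above.  The issuer's token vault keeps the real card number
# (PAN); the device holds only a device account number (DAN) and a key; every
# payment carries a one-time cryptogram bound to amount, merchant and counter.
# HMAC construction, counter replay check and sample values are constructed.
import hashlib
import hmac
import secrets

def cryptogram(key: bytes, dan: str, counter: int, amount_cents: int, merchant_id: str) -> str:
    """One-time payment code: HMAC over the transaction details (constructed scheme)."""
    msg = f"{dan}|{counter}|{amount_cents}|{merchant_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    """Token service provider: DAN -> (PAN, device key, highest counter seen)."""
    def __init__(self):
        self.vault = {}

    def provision(self, pan: str):
        """Enrol a card on a device: hand back a DAN and key; the PAN stays here."""
        dan = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[dan] = {"pan": pan, "key": key, "counter": 0}
        return dan, key

    def authorize(self, payment: dict) -> bool:
        """Accept only a fresh counter and a cryptogram that matches the details."""
        entry = self.vault.get(payment["dan"])
        if entry is None or payment["counter"] <= entry["counter"]:
            return False                                   # unknown token or replay
        expected = cryptogram(entry["key"], payment["dan"], payment["counter"],
                              payment["amount_cents"], payment["merchant_id"])
        if not hmac.compare_digest(expected, payment["cryptogram"]):
            return False                                   # tampered or forged
        entry["counter"] = payment["counter"]
        return True

class Device:
    """The phone's secure element: stores the DAN and key, never the PAN."""
    def __init__(self, dan: str, key: bytes):
        self.dan, self.key, self.counter = dan, key, 0

    def pay(self, amount_cents: int, merchant_id: str) -> dict:
        self.counter += 1
        return {"dan": self.dan, "counter": self.counter, "amount_cents": amount_cents,
                "merchant_id": merchant_id,
                "cryptogram": cryptogram(self.key, self.dan, self.counter, amount_cents, merchant_id)}

def demo(pan: str = "4111111111111111"):
    """Returns (genuine accepted, replay rejected, tampered rejected, PAN absent)."""
    issuer = Issuer()
    phone = Device(*issuer.provision(pan))             # constructed test PAN above
    payment = phone.pay(1299, "MERCHANT-001")
    genuine = issuer.authorize(payment)
    replay = issuer.authorize(payment)                 # same message submitted again
    tampered = issuer.authorize(dict(payment, counter=2, amount_cents=9999))
    return genuine, not replay, not tampered, pan not in str(payment)
```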

Apple Pay

To make a payment using his default card, user does not need to open an app or “wake” the phone, because of the NFC antenna

Holds iPhone near merchant’s contactless card reader

Uses Touch ID (home button) to authenticate by fingerprint

A subtle vibration and beep indicate payment information has been sent

If user wants to pay with a card other than his default card, he must first open the Passbook app and select an alternate card

Apple Pay Fees

Card-issuing FIs pay a per-transaction fee to Apple to be included in Apple Pay
◦ 15bps on credit card transactions
◦ $.005 on debit card transactions

Apple Pay – Banks/CUs

2,500 FIs have signed on to Apple Pay; 400+ live (8/2015)
◦ Security Service FCU (San Antonio)
  425,000 credit and debit cardholders
  “We are fighting a fierce battle for the hearts, minds and eyeballs of our members so we want to be relevant and exciting for them.”—Jim Laffoon, president/CEO, Security Service FCU
◦ See Apple’s list at http://support.apple.com/en-us/HT6288
◦ See Visa’s list at http://usa.visa.com/clients-partners/technology-and-innovation/apple-pay/financial-institutions/index.jsp

Apple Pay - Issues

Not ubiquitous; many retailers won’t accept Apple Pay

8m POS in the U.S.
◦ As of 3/9/2015: Accepted at nearly 700,000 U.S. merchant locations, acc. to Apple
◦ 7/2015: Anticipate 1.5m+ locations by EOY 2015
  How does Apple define a “location”? Acceptance terminal?
  Many of those are vending machines

Number of iPhones in consumers’ hands
◦ Originally only iPhone 6 and iPhone 6+, but now…
◦ Apple Watch enables payments (must be paired with the iPhone to do so).
  Will extend Apple Pay to iPhone 5, 5c, and 5s
  “opens up Apple Pay to over 69% of devices on its OS” (Javelin)

Image credit: Apple Inc.

Apple Pay – Future?

Will “a rising tide lift all boats”?
◦ Will uptake of Apple Pay also encourage merchant acceptance of Google Wallet and MCX/CurrentC?

What role for community banks and CUs?
◦ Cards loaded to Apple Pay are accessed through Passbook, which selects the first card enrolled as the default card.
◦ How will an FI stand out; provide a compelling app so members will choose their card for mobile payments?

Interchange?

Apple Pay – Future?

As Apple Pay grows, will Apple be content w/ 15bps per credit card transaction/5c for debit transaction?

As Apple Pay grows, will Apple be content to not collect/monetize customer transaction data?

As we continue to move away from plastic cards, will FIs be able to instantly issue card accounts into Apple Pay?
◦ “…that will move the market for us.”—Jason Tinurelli, U.S. Bank’s SVP retail payment solutions, digital strategy and innovation. Quoted in “Mobile Makes Headlines, But Plastic Makes Progress,” by David Heun, PaymentsSource, Apr. 13, 2015

Mobile Wallets: Samsung Pay

“Samsung Pay” will be available on the Galaxy S6 and S6 Edge in September

2/2015: Samsung announced purchase of LoopPay
◦ “Magnetic Secure Transmission”
◦ Users able to pay for purchases at 90% of mag-stripe payments terminals, as well as NFC terminals
◦ Could help Samsung Pay gain merchant acceptance quickly compared to Apple Pay

Samsung Pay Participants:
◦ Visa, Mastercard
◦ US Bank, Synchrony Financial (formerly GE Capital)
◦ In discussions with AmEx, BofA, Citi, JPMC, others...

Security:
◦ Fingerprint reader
◦ Tokenization

“Samsung won’t charge banks and credit-card issuers transaction fees.”

SOURCE: “Samsung Pay Could Win Over Banks Faster than Apple Did,” Bloomberg News, Aug. 14, 2015

Mobile Wallets: Android Pay

5/28/2015: Google announced Android Pay

Available “this summer”

Will be the Android solution for in-store and in-app payments
◦ Google Wallet will be a dedicated person-to-person (P2P) app for Android and iOS

Will come pre-loaded on new Android smart phones from Verizon, AT&T, and T-Mobile

Android Pay

Like Apple Pay…
◦ Near-Field Communication (NFC)
  …but Host Card Emulation (HCE) variant of NFC
◦ Tokenization
◦ Fingerprint authentication

Mobile Wallets: MCX

Merchant Customer Exchange (MCX)/CurrentC
◦ Merchant-driven
  7-Eleven, Southwest Airlines, Wal-Mart, Target, etc.
  Merchants don’t like interchange infrastructure
  View much of the innovation in mobile payments as simply maintaining the current credit card/interchange model
◦ In development for more than 2 years; now testing
◦ No launch date announced, but perhaps 2015?
◦ QR code, not NFC, but few details have been provided as to how its technology will work.
◦ Paydiant technology [3/2015: PayPal acquired Paydiant]
◦ FIS (Fidelity Natl. Information Svcs.) will provide payment processing, routing and settlement
◦ Piloting in Columbus, OH

Questions?

Matt Davies, AAP, CTP, CPP
Payments Outreach Officer
Federal Reserve Bank of Dallas
Phone: 214-922-5259
E-mail: [email protected]

Follow us on: @DallasFed, DallasFed