Saturday, April 20, 2024

COMMENTARY: Getting to ‘Yes’ for Faster (And Secure) Payments—Part I

This article is the first installment of a three-part series this week on what the Federal Reserve’s Faster Payment Initiative means to the payment economy in the U.S., and how the payments ecosystem might get to “yes” on fixing what’s broken and deploying what’s possible. This part deals with the implicit mandate to create substantive improvements in payment security and efficiency. On Tuesday, Part II will examine the Fed’s efforts to determine what can be done to make improvements to the U.S. payment system. Then, on Wednesday, Part III will assess what should be done—and how the Fed might help move the industry forward.

When the Federal Reserve published its “Strategies for Improving the U.S. Payments System” in early 2015, security and efficiency in payments had reached a critical juncture—prompting the Fed to reach out to the industry to encourage participants to take advantage of the conditions that are now in place to initiate favorable change. Two years later, after the extensive ministrations of two task forces composed of 500 representatives of the payments ecosystem, the industry—now challenged by dynamic, persistent, and rapidly escalating threats to security—is poised to finally decide what to do about it.

Mott: The industry is poised to decide what to do about improving the security and efficiency of payments.

After reviewing nearly two dozen proposals for faster payments systems, the Fed Faster Payments Task Force (FPTF) is readying a final report for public release mid-year. It will contain a clinical and objective assessment of the current situation facing payments, and propose a number of recommendations to address it.

Meanwhile the Secure Payments Task Force (SPTF) continues its work on payment-identity management, information sharing to reduce fraud, data protection, and legal/regulatory re-calibration, and plans to publish its assessments and recommendations in the summer.

As a member of both task forces (and of the Steering Committee of SPTF), I have found the learnings from these collaborative efforts to be abundantly clear: 1) payments (and security) are really complicated; 2) the existing payment infrastructure is ancient and cannot easily accommodate the necessary fixes; 3) the security threats are very real and escalating quickly; and 4) it will take additional efforts—probably not on a volunteer basis going forward—to define, size, and prioritize what, when, and how the fixes should occur.

The task forces comprised industry participants from novices to deep experts in security and standards. The span of subjects addressed and analyzed ranged from payment modes and use-cases to virtual currencies and blockchains. The deeper the analysis got, the more the task forces realized how complex the U.S. payments system had become, and the harder the task of implementing needed changes became.

For example, most of the card world operates on a global standard for formatting and passing authorization, clearing, and settlement messages—ISO 8583. Just about all big issuers, networks, acquirers, processors, and technology providers use a modified form of it, but predominantly from the original 1987 version. ISO 8583 was updated in 1993 and again in 2003 to collect more and different types of data—especially risk-management data—as debit and chip cards emerged, but few industry participants have migrated to the newer, safer versions. As a result, if one entity in a payment-processing chain of five is using the 1987 version, the entire transaction “dumbs down” to the lowest common denominator. Thus, when EMV was deployed in the U.S., much of the data that would have helped avoid the chargeback mess could not always be processed.

Other challenges appeared in the discourse. The automated clearing house system, which is already moving to same-day settlement windows to move payments faster, uses formats that are four decades old, making them difficult and expensive to migrate to some new applications. The wire-transfer system appears to be safe from a network standpoint, but slower than many thought, and does not make judicious use of strong access controls.

PIN debit was acknowledged to be the safest mode of card transacting, but is available at only about 35% of point-of-sale merchants, and hardly at all online. Despite the PIN’s being the closest thing to a near-term form of user identification, the card networks appeared determined to replace it with something else (e.g., one-time passwords, dynamic PINs, etc.) as soon as they could.

Spending $12 billion to deploy the 20-year-old EMV chip card protocol might result in what appears to be temporary reductions in counterfeit fraud, but no permanent fraud reduction from cards overall. It is likely that users would be better off spending that kind of money on solutions such as end-to-end encryption instead of expensive attempts to protect transactions when account credentials remain in the clear.

In Tuesday’s article, we’ll look at how the realities of the security threats faced today affect the options the task forces are considering for what CAN be done to fix payments in the U.S.


Digital Transactions