Part I of this three-part series outlined how the Fed’s payments task forces came to realize that payments are complicated, and that changing them to make them safer and more efficient is difficult and expensive. This installment deals with the growing concern about security threats that are shaping the options for what CAN be done to make things better.
During the more than one-and-a-half years the Fed task forces have been convened, cybersecurity threats have continued to escalate. Hackers—some of whom may be state-subsidized—are stripping the shelves bare of user credentials in Web site after Web site, shutting down portions of the Internet, and disrupting national elections. Some experts suggest that an estimated 1 billion signature card credentials have been offered for sale on the Dark Web. And venerable networks like Swift have had their vulnerable user endpoints exposed to fraud.
So it was no surprise that both the Faster Payments and the Secure Payments task forces stressed the need for real solutions to these threats—not just tweaks in existing payment modes and processes. One thing nearly all participants agreed on was the foundation for an integrated national approach to cybersecurity.
Efforts by NIST (the National Institute of Standards and Technology) to promulgate a Cybersecurity Framework (CSF) offer a baseline for identifying and addressing the exposure and vulnerabilities of sensitive data, and for securing that data (especially using collaboratively developed standards). With industry momentum building, the CSF is driving toward integration with similar security efforts by other industry groups and agencies.
Information sharing to augment cyber-threat protection is being pursued by the industry—notably by extending the FS-ISAC (Financial Services Information Sharing and Analysis Center) model for alerts, notifications, and reporting. But these initiatives are so far focused on how to shut the door more quickly when the horse is already out of the barn. True sharing of fraud-detection data to prevent or stop fraud before it happens is still embryonic, slowed by regulations and laws focused on privacy and on liability for public exposure of user data.
There is widespread agreement on replacing account credentials in the clear with digital identity proofing and management, and a host of technologies and approaches have been identified for that purpose, but real movement has not been evident in the proceedings so far.
Participants such as card networks and their big issuers support tokenization as an expedient means to protect the vulnerable primary account numbers (PANs). But that solution—in its many forms—presents additional complications (e.g., merchant identification of transactions and accounts when something goes wrong, or for offering rewards), and simply passes the risk of compromise and exposure to cloud-based data centers—which have yet to convince security experts they are ready for payments prime time.
As well, networks and banks don’t seem to relish encryption—perhaps because they would have significant requirements to upgrade their processing plants to adopt it. On the other hand, security experts in the task forces note that while encryption does take computation time at several points in the payment flow, it’s the only convincing solution today. Both tokenization and encryption solutions need to be vetted and tested at scale to avoid the problems EMV chip card deployment has produced.
In fact, deliberations over whether an objective arbiter is needed to vet and rationalize digital identity, authentication, encryption, and other data-protection technologies and approaches ultimately revealed underlying and fundamental divisions between the banking side of payments, which relies on proprietary controls and programs that reinforce the status quo, and the users of the system (merchants, consumers, and providers) that are searching for open solutions that are crafted and deployed for the benefit of the entire ecosystem.
The Fed, to its lasting credit, has refereed the ensuing debates with great aplomb and negotiability, searching for common ground and consensus on the need to make some progress on material change. As such, the Fed’s ultimate role in faster, secure, and efficient payments has come increasingly into focus—not the least indication of which was the dependence of many of the solution proposals on the Fed for development and management of user directories, settlement, integration among networks, and even payments governance.
In Part III on Wednesday, we will explore how the longstanding divisions in the industry have the potential to limit what solutions and fixes SHOULD be embraced, as well as how the Fed’s most needed role—seeding the market with independently vetted standards-based security solutions as quickly as possible—could be the catalyst for making sure free-market developments of faster payments over the next three to five years don’t leave the nation even more exposed to cyber threats and fraud than it is today.