Trends & Tactics

Plastic: High Growth, High Risk

More than ever, plastic dominates the business of electronic payments in the United States, with two-thirds of all noncash transactions in 2012 occurring on a card, up substantially from 60% just three years earlier. That’s according to the Federal Reserve System’s triennial payments study, released just before Christmas.

But the study also shows that, of all forms of payment, cards by far carry the highest risk of unauthorized use.

The sweeping research report, which covers payments by check and the automated clearing house as well as by credit, debit, and prepaid card, also unearthed a number of more granular results, including a rapid runup in card-not-present volume and a count of total chip-based card transactions.

Overall, “The 2013 Federal Reserve Payments Study” estimates there were 122.8 billion noncash transactions in 2012, up 14% from 2009, the last year for which the Fed released similar research. Card-based payments grew 28% in that brief span, to 82.3 billion, while the ACH accounted for 22.1 billion transactions, up 16%, and checks paid plunged 25%, to 18.3 billion.

“The growth picture is with cards, debit, credit, and prepaid,” says James M. McKee, senior vice president in the Atlanta Federal Reserve’s Retail Payments Office.

Growing at a torrid pace are general-purpose and private-label prepaid cards, which registered a 56% jump in transactions in just three years, from 5.9 billion to 9.2 billion. Roughly two-thirds of these transactions occur on private-label prepaid cards, which include electronic benefit transfer cards and gift cards, according to the report.

Credit cards have resumed an upward growth path after languishing during the sharp downturn that started in late 2007 and extended into 2009. Transactions on general-purpose cards grew 22% over the three years through 2012, to 23.8 billion, while even store-issued charge cards saw volume increase a healthy 60%, from 1.5 billion to 2.4 billion transactions.

By contrast, the two types of credit card combined had dropped to 21 billion transactions from 21.7 billion over the three years from 2006 to 2009.

“Last time [in 2009], we were in the throes of the Great Recession, and credit card growth had leveled off or was slightly negative,” notes McKee. “But credit cards did return to a steady growth pattern.”

As for the ACH, check conversion is in decline along with the volume of checks, according to the report. The business of converting paper checks to ACH e-check codes peaked in 2009 at 3.3 billion transactions, declining to 2.7 billion in 2012. As a fraction of all ACH traffic, check conversion peaked in 2006 at 18%. That’s now down to 12%.

Direct-deposit activity, transactions that are electronic from start to finish, such as Web-based bill payments, and other ACH flows account for the other 88% of the network’s transaction volume.

U.S. consumers and businesses wrote 21 billion checks last year, the report estimates, but because 2.7 billion were converted to ACH e-checks, some 18.3 billion were paid as checks. That volume of paid checks is slightly less than half the volume measured in 2003, the first year for which the Fed conducted its payments study.

The impact of Check 21, a 2003 law that encouraged the exchange of check images rather than the original paper, continues to be felt. Nearly all paying banks now are capable of receiving check images rather than paper, but what is less well-documented is how many checks actually arrive at the bank of first deposit as an image. The answer: 17% of all checks, compared with 13% in 2009, the report says.

For this latest edition of its payments report, the Fed includes data on unauthorized transactions, which is fraud committed when a payment instrument is used without the authorization of its owner.

These data show that, while card transactions are the growth champion among payment types, they also carry the most risk (chart, page 6). Some 3.6 out of every 10,000 general-purpose credit card transactions are unauthorized, compared to rates of 0.72 and 0.45 for ACH and checks, respectively.

The report also includes numbers for card-present vs. card-not-present (CNP) transactions, of particular interest as battles over interchange continue, and for chip-based transactions, again of interest as the industry struggles to introduce chip cards on the EMV standard in the U.S.

CNP transactions now account for nearly one-quarter of all general-purpose credit card transactions, up from 19% in 2009, or 5.8 billion vs. 3.8 billion transactions. Merchants pay higher interchange rates for CNP transactions because they are seen as posing higher fraud risk.

As for cards embedded with contactless chips, there were 29.8 million chip-based general-purpose debit transactions last year, along with 13.4 million general-purpose credit card transactions with a chip. Prepaid cards with chips generated 50,000 transactions.

The Fed report, the fifth produced so far, is based on two surveys covering financial institutions, networks, processors, and issuers, and a third survey that looks at check samples from 11 banks that use the bank-owned Viewpointe image archive. A more detailed report is expected to be released in the spring.

—John Stewart

EMV: The Antidote to Data Breaches?

Target Corp.’s recent massive data breach along with one at upscale department-store chain Neiman Marcus Group—and possibly other retailers—introduced many Americans to the term “EMV” and the likelihood that more secure Europay-MasterCard-Visa chip cards will replace vulnerable magnetic-stripe credit and debit cards in the United States.

But some executives caution that EMV cards and point-of-sale terminals alone would not have prevented a Target-style breach, and that point-to-point data encryption is the answer. EMV supporters, however, claim encryption ignores EMV’s biggest security benefits.

Security experts say data still can be transmitted unencrypted, or in plain text, during an EMV transaction. Much of the data is the same information fraudsters intercept from mag-stripe cards, including the primary account number (PAN), card expiration date, and cardholder name. But EMV proponents say any such data would be useless to hackers.

“The whole thing EMV is attempting to cut out is the ability to make a new card,” says Bob Lowe, vice president of business development at Shift4 Corp., a Las Vegas-based gateway provider.

But connect a POS terminal to the Internet and you introduce the possibility of hackers capturing card data unless the information is encrypted immediately upon swipe (or tap or “dip” with chip cards) and not decrypted until arriving at a secure place outside the merchant environment.

Although the links in the payment-processing chain where data move unencrypted have shrunk over the years, vulnerable plain-text points remain, say Lowe and others.

“The same controls that would keep the data safe in an EMV world would also keep the data safe in a non-EMV world,” said Branden R. Williams, executive vice president of strategy in the U.S. office of Dublin, Ireland-based security-technology provider Sysnet Global Solutions, in a recent blog post. “So, the stock answer is no, EMV by itself would not have prevented the Target breach.”

“It’s not a security panacea,” adds Mike English, executive director of product development at merchant acquirer Heartland Payment Systems Inc., Princeton, N.J. “As the mag stripe does, it needs encryption at the earliest possible point, and tokenization.”

Heartland should know. The data breach it reported in January 2009 remains the biggest ever, with 130 million cards compromised. As part of its recovery strategy, Heartland developed its own line of end-to-end encrypting terminals and peripherals called E3.

More than 50,000 Heartland merchants use E3 equipment, says English. Heartland will cover an E3 merchant’s full costs should it sustain a data breach.

The tokens included in Heartland’s system provide merchants with one-time-use data strings that stand in for real card information during chargebacks or sale reversals, and multiuse tokens for recurring payments and loyalty programs.

Where and why some data still move in plain text is complicated. The terminal may need to decrypt card information in order to pass it to a store’s POS controller or workstation, the next link in the chain, in a format the workstation can read, according to Lowe. Most formats are non-encrypted, he says.

Farther down, encrypted data might be decrypted for submission to the switch linking the merchant to its processor. For true security, “the point is that decryption is not done in the merchant environment,” says Lowe.

But Randy Vanderhoof, executive director of the Princeton Junction, N.J.-based Smart Card Alliance trade group and director of the EMV Migration Forum, says by email that “EMV data is not the same data that fraudsters intercept from mag-stripe cards.”

He says mag stripes contain a static card-verification value (CVV, also known as a card-verification code, or CVC), while the EMV card replaces those codes with a dynamic (changing) security code known as the iCVV.

“If this information were copied and cloned onto a counterfeit card, it would not clear the online authorization process,” says Vanderhoof. “Once the majority of merchant transactions … are EMV, there will be little value to be gained by such a data breach because the data would have little value to criminals.”

POS encryption adds some security against stolen payment data being used in card-not-present channels where retailers aren’t using currently available fraud controls such as the CVV2 code printed on the card, which is different from the one on the mag stripe, and the card networks’ address-verification services, says Vanderhoof.

But he continues: “Encryption adds no security benefit to prevent counterfeit fraud. It is another security feature, but it comes with added cost and complexity for retailers. It is not a substitute for EMV.”

—Jim Daly

Mobile Devices Capture Remote Deposit Capture

The number of consumers using the mobile variant of remote deposit capture (RDC) nearly doubled in 2013, and the user base will triple by 2016 to 61 million, according to a new research report from Celent.

The report also says remote capture is sustaining more losses. While these losses are mostly in line with the increase in usage, they are a sign that financial institutions need to keep tight reins on risk control.

Report author Bob Meara, an Atlanta-based senior analyst at Celent, a unit of Oliver Wyman, says RDC clearly has overcome the early skeptics at banks and credit unions and still has a lot of room for growth. “There aren’t any scoffers any more,” says Meara.

In mobile capture, a consumer with a smart phone snaps a picture of the front and back of a check with the phone’s camera and uploads the images for deposit through a financial institution’s mobile-banking application.

Meara attributes mobile capture’s recent growth to the increasing base of smart phones in the U.S. and marketing moves by early-adopting banks such as USAA and JPMorgan Chase & Co. a few years ago, seeding the market for future growth.

According to estimates and predictions derived from a Celent survey of remote-capture vendors about financial-institution demand for their services, some 20 million consumers used mobile RDC last year compared with 10.9 million in 2012 and only 2.2 million in 2011 (chart).

Only an estimated 2.1 million consumers used the older desktop (scanner-based) form of RDC last year, not quite 10% of the total consumer user base of 22.2 million. The mobile and desktop user bases were equal at 600,000 apiece in 2010.

Meanwhile, based on a survey of 266 financial institutions in October, Celent detected an increase in RDC losses, though it says the increase is mostly in line with growing usage. Some 77% of financial institutions said they suffered no RDC losses in 2013, down from 89% in both 2012 and 2011.

Nine percent of respondents said they had only one loss incident last year, up from 5% in 2012, while 12% said they had “several loss incidents,” double the 6% reporting so in 2012.

Consumers accounted for 48% of RDC losses, up from only 16% in 2012, while the share of losses from small and larger businesses declined.

Some 70% of last year’s losses arose from duplicate presentment of the same check, the only loss mechanism truly unique to RDC, Meara says.

While only about 5% of banks and credit unions said losses last year exceeded their risk thresholds, institutions still need to stay on top of risk control, says Meara. “There’s a lot more they could be doing,” he says. In addition to carefully watching for duplicate deposits, he says RDC risk management should include parameters for customer eligibility, enforcement of deposit limits, and a number of related controls on endorsements and amounts.

Vendors are responding with a new emphasis on risk control in their products, according to Meara. “There will be a lot of upgrades of existing solutions … and new ones,” he says.

—Jim Daly

Transactors

Online Merchants Are Shopify’s Secret Weapon

Shopify Inc.’s recent move to offer its merchants a mobile point-of-sale application marks yet another entry in a market that has filled up fast with competitors ranging from PayPal Inc. to Square Inc. and dozens in between.

“You would think we’d reached everybody [with mobile POS products], but we haven’t,” says James Wester, a senior analyst who follows mobile payments at IDC Financial Insights, Framingham, Mass.

But Ottawa-based Shopify could have a built-in advantage: a fast-growing base of merchant clients looking for mobile-acceptance capability consolidated with existing online services.

Eight-year-old Shopify, which provides an e-commerce platform for about 80,000 merchants, introduced the mobile POS service last month as part of a new app for Apple Inc.’s iPhone. It’s early, but so far about 1,800 merchants have ordered it, the company says. An Android version is expected next.

The product includes a free card reader made for Shopify by Boston-based Roam Data Inc., which manufactures its distinctive half-moon-shaped dongles for a number of mobile-acceptance providers, including Groupon. Transactions flow through Shopify Payments, a platform the company introduced in August to process payments and link transaction data to clients’ inventory-management and other functions. Online payment processor Stripe provides settlement.

Though Shopify serves online sellers, it found a wide range of these merchants wanted a face-to-face processing capability, both for routine business and for occasional use at trade fairs and the like, says Carson Brown, product manager for Shopify Mobile. “We knew we wanted to get into that space,” he says.

There was a sense of urgency behind the new service. The company found through polling its clients that a “large portion” had already turned to competitive mobile products, he says. “We thought we could provide a better experience,” he adds.

That’s because the mobile service ties into the same database as the online service, allowing merchants to run reports and track information on the same platform. That simplifies bookkeeping, inventory control, and marketing and avoids having to reconcile a Shopify online account with transactions run on an outside system, Brown says. “We’re taking away a lot of that complexity,” he adds.

Indeed, while dozens of providers have crowded into the mobile POS market since 2009, when Square and Intuit Inc. launched their services, Shopify may have an edge with its rapidly growing base of online merchants. The company’s client count is doubling annually, says Louis Kearns, director of payments, implying it will have about 160,000 merchants signed up by year’s end.

At the same time, if many of those clients were turning to other services, Shopify had little choice but to offer its own, says Wester. These days, with the availability of application programming interfaces and code libraries, “it’s relatively easy for an online retailer to switch over to another gateway if you’re not providing everything they need,” he says.

Shopify offers more or less competitive pricing. There are three tiers, depending on the overall e-commerce service level the merchant signs up for. The top tier, which costs $179 a month, offers the POS service for 2.1% plus 30 cents per transaction. The middle tier, at $79 per month, levies a fee of 2.3% plus 30 cents, while the last tier carries a price of 2.5% plus 30 cents for a $29 monthly fee. Square, by contrast, charges a flat 2.75% per transaction.

The new iOS application adds to Shopify’s thrust into the business of processing card-present transactions that began last August with the introduction of Shopify POS, a service that lets merchants that have physical stores run their registers on Apple’s iPad tablet.

This, too, is a crowded market, and becoming increasingly so, but Shopify may have another key advantage. In December, it raised $100 million in a Series C funding round, with the money earmarked for its move into physical-world services.

—John Stewart