Fed, FDIC, OCC toughen up on FI cybersecurity
The Federal Deposit Insurance Corp., Federal Reserve and Office of the Comptroller of the Currency co-authored a new set of guidelines designed to protect critical banking infrastructure. Escalating cyberattacks combined with increasing dependence on connected technologies have raised threat levels across the banking sector, the agencies stated.
Their recommendations, published Oct. 19, 2016, are detailed in Enhanced Cyber Risk Management Standards, an advance notice of proposed rulemaking (ANPR) that addresses cyber risk, internal dependency and external dependency management, as well as incident response, cyber resilience and situational awareness.
The ANPR recommends a tiered approach to implementing the new security guidelines, directing its strictest policies to large financial institutions with total consolidated assets of $50 billion or more.
"A cyber-attack or disruption at one or more of these entities could have a significant impact on the safety and soundness of the entity, other financial entities and the U.S. financial sector," the authors wrote. "The agencies are considering applying the enhanced standards to these entities on an enterprise-wide basis because cyber risks in one part of an organization could expose other parts of the organization to harm."
New threat landscape
Increasing reliance on connected technologies in commercial and private sectors has raised threat levels across depository institutions, particularly the seven largest and most complex financial institutions, according to recent reports.
"As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks," the ANPR authors wrote. "Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences."
The authors additionally noted the expanded role of third-party service providers in financial services. "Third parties that provide payments processing, core banking, and other financial technology services to these participants in the financial sector also provide services that are vital to the financial sector," they wrote. They also recommended that third-party service providers and nonbank financial companies be held to the same rigorous standards and scrutiny as the financial institutions they serve.
Enhancing existing rules
The three-party cybersecurity initiative is designed to enhance existing regulatory guidance and oversight, of which there is no shortage in the financial services sector. The ANPR cites the following government agencies and guidelines tasked with protecting U.S. banking infrastructure:
- Federal Financial Institutions Examination Council: The FFIEC has published a series of documents on cybersecurity, including the IT Handbook, which provides guidance to examiners on third-party service providers. Its Cybersecurity Assessment Tool is a voluntary assessment resource widely used by financial institutions.
- National Institute of Standards and Technology: The NIST CSF is a voluntary framework designed to improve communications, awareness, and understanding among IT professionals and senior executives. Its five core functions are: Identify, Protect, Detect, Respond, and Recover.
- CPMI-IOSCO Principles for Financial Market Infrastructures: The existing guidelines, created in June 2016 by the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions, are further clarified in the ANPR by the original authors.
- Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System: Jointly created by the Federal Reserve, the Office of the Comptroller of the Currency and the Securities and Exchange Commission, this paper is used as a point of reference in the ANPR. The paper focuses on minimizing systemic effects of wide-scale disruptions in critical financial markets.
Public comments welcome
Enhanced Cyber Risk Management Standards is available for public review and commentary until Jan. 17, 2017. The agencies are considering a variety of approaches, from policy statements to detailed regulations, to beef up existing regulatory and compliance frameworks.
The authors are encouraging the public to respond to the proposal during the open review period. They plan to publish pertinent feedback in a broader, more detailed report, followed by a second round of public review and consideration prior to a final ruling.
For a copy of the ANPR and detailed instructions for submitting commentary, visit www.federalreserve.gov/newsevents/press/bcreg/bcreg20161019a1.pdf.
ATM industry shifts EMV into high gear
Friday, October 21, 2016
A global shipping crisis and other challenges have impeded ATM industry efforts to upgrade its U.S. fleet in accordance with mandated EMV (Europay, Mastercard and Visa) guidelines. The industry’s attempts to delay EMV liability shift deadlines due to supply chain issues have been unsuccessful: October 2016 deadlines for Pulse and Shazam networks (Oct. 1) and Mastercard (Oct. 21) are now in effect. The Visa Inc. liability shift is set for Oct. 1, 2017.
In contrast to previous compliance initiatives, the EMV mandates could have severe consequences for noncompliance that go beyond penalties and fines. Industry leaders are urging card brands for leniency while warning ATM owners and deployers of threats and vulnerabilities.
The National ATM Council Inc. asked Mastercard to push the EMV liability shift back to Jan. 2, 2017, citing the global shipping crisis, which impacted member companies and was caused by Korean shipper Hanjin Transportation Co. Ltd. NAC Executive Director Bruce Renard said, “We have many members who ordered EMV kits in August. It’s not that they don’t want to be compliant.”
George Sarantopoulos, incoming NAC Board Chairman and Chief Executive Officer of Access One Solutions/Access One ATM concurred. “The bankruptcy of South Korean shipping company Hanjin has disrupted the supply chain, leading to a massive backlog, unavailability and surge pricing of EMV kits in the market,” he said. “Mastercard should understand that and give some relief to the [ATM] ISOs who have bought into EMV and are doing their best to implement it. Additionally, processors are having a learning curve with integrating EMV with ATM terminals. It’s just a big mess.”
NAC panel probes issues
“Based on the numbers I’ve seen, one fourth of ATMs will be EMV-ready on Friday [Oct. 21, 2016],” stated Deborah Spidle, Director of EMV Solutions at Paragon Application Systems. “This is not like ADA or Triple DES [previous industry compliance mandates]. It will be self-enforced and the chargebacks will start.”
Spidle and Renard co-moderated a panel discussion on EMV implementation at NAC’s annual conference, held Oct. 17 to 20 in Orlando, Fla. The panel included executives from Visa, banks, equipment manufacturers and service providers. Executives who had weathered the POS liability shift that became effective Oct. 1, 2015, urged ATM owners and deployers to implement EMV quickly to avoid taking on additional liability.
Roger Myers, President, ATM Services at Switch Commerce said, “You’ve never experienced that before and can’t imagine the millions in fraud incurred by big banks. Update as quickly as you can. Don’t let them push fraud on you; don’t take their liability.”
Betsy Bohlen, Senior Vice President and Chief Payments Officer of Sponsorship Services at Pueblo Bank & Trust, has seen a spike in chargebacks since the October 2015 liability shift was instated. Some chargebacks were not even EMV-related, the bank’s reports indicated. “Get ready for it, and work on each chargeback to make sure they are what they say they are," she said. "Be diligent in what you see being debited. It was pretty bad the first 60 days. It’s not pretty."
Jason Kuhn, Vice President of Product Marketing and Product Planning at Nautilus Hyosung America, said his company is working with the South Korean government to free up product and has bumped up production in Korea and China to produce kits as quickly as possible. Kuhn noted the EMV kit shortage is only one of many challenges; installing and configuring the kits is no simple matter.
“The Hanjin crisis created a perfect storm,” Kuhn said. “Of the approximately 70,000 kits we’ve shipped, not all are installed; some are installed but not configured with the most current version of software. There’s a lot more involved to make sure [a kit] is properly configured.”
Shaun King, Vice President International Sales at Triton Systems of Delaware LLC, noted that stocking shelves based on anticipated volumes is not the norm for most manufacturers. “We’ve encouraged people to move quickly," he said. "Those who have already requested kits are covered, because we’ve ordered for them in advance."
LeRoy Huntimer, Director of ATMs and POS Sponsorships at MetaBank added, “Fraudsters are going around with fraudulent cards, draining your ATMs. The only way to protect yourself is to implement EMV.”
Mike Nelson, Vice President Business Development at Payment Alliance International, said criminals will focus on noncompliant ATM terminals. “Basically, the bad guys will figure out where the non-EMV compliant ATMs are and go get them,” he said, adding that location guides on many bank websites indicate which ATMs are ready to accept chip-enabled cards, creating a virtual roadmap for criminals.
Marc Cleven, Senior Director, Global Chip Operations at Visa, said operators want customers, particularly those who travel internationally, to know which ATMs accept their chip cards. “Visa came under pressure to add the [ATM] locator,” he pointed out.
Cleven additionally noted that Visa relies on self-reporting to determine if an ATM supports chip card acceptance. The card brand estimates 25 percent of ATMs have properly installed, configured and activated EMV card readers. “By the end of Q1 2017, the United States will be a chip card nation,” he said. “The U.S. is currently the largest chip card issuer in the world.”
AmEx gives early holiday boost to small businesses
Wednesday, October 19, 2016
As the holiday shopping season approaches, several programs are underway to help small businesses end the year profitably. In advance of Small Business Saturday, which will be celebrated on Nov. 26, 2016, American Express Co. ramped up its support of the national retail campaign it founded in 2010 to promote independently owned businesses.
Building upon past successes – 95 million consumers were reported to have flocked to small businesses last year on Small Business Saturday – AmEx created the Shop Small Studio, a new resource center that offers tools to create customized print and digital store campaigns. The AmEx ShopSmall.com multimedia hub also features how-to guides to help small businesses prepare for the holiday season.
"Our ultimate goal is to help small businesses do more business – and for Small Business Saturday, that includes arming them with the tools to help make the day a success," said Amy Marino, Vice President and Head of Small Business Saturday at AmEx. She noted that the company collaborated with small business experts, entrepreneurs and influencers to create digital content and easy-to-customize marketing materials for small businesses.
AmEx also hosted a Small Business Saturday Boot Camp in Chicago on Oct. 18. Additional boot camps are slated for New York and San Francisco, on Oct. 20 and 27, respectively. These feature strategic planning workshops and panel discussions led by experts, community leaders and retailers who have participated in previous Small Business Saturday retail campaigns.
To further support Small Business Saturday and merchants for the duration of the holiday season, AmEx also launched the Shop Small for 2X Rewards campaign for select U.S. consumer and OPEN Small Business American Express cards. Card members can enroll at www.amex.co/shopsmalloffer to earn rewards at participating merchants through the end of this year.
According to AmEx, the first-of-its-kind offer builds on each eligible card's specific rewards program. When card members use an eligible card to shop at qualifying small merchants, they can earn 2X rewards, from points to miles to cash back. For example, Hilton HHonors hotel rewards program members who enroll in the AmEx rewards campaign can earn three additional Hilton HHonors Bonus Points per dollar of purchases.
Easing merchant cash flow, integrations
Another way AmEx hopes to bolster small business activity is through short-term, low-cost financing. In partnership with Intuit Inc., AmEx OPEN Business Card Members who are also QuickBooks Online users can take advantage of this program to pay vendors, thus easing cash flow constraints that sometimes occur.
"We've heard time and again from small business customers that cash flow is a key area of concern when it comes to managing day-to-day business expenses," said E-Bai Koo, Executive Vice President of Global Product Management at American Express Global Commercial Payments. Koo added that because AmEx Working Capital Terms' digital loans are directly embedded into QuickBooks, account management is greatly simplified.
AmEx stated the program allows small businesses to request a term, as well as a loan amount from $1,000 to $750,000, and receive approval in as little as 60 seconds. It can also help streamline vendor management by making and tracking vendor payments, consolidating payment and accounting transactions in one central location, and reconciling accounting ledgers with up-to-date cash flow insights readily available, the company said.
In addition, to further simplify small business network integrations, AmEx recently unveiled Amex for Developers, a portal that provides single-point access to company application programming interfaces (APIs) and developer resources to provide an end-to-end approach to integrating payments, data intelligence, fraud prevention and other business applications.
"American Express has long used APIs to enable selected merchant partners to grow their businesses by engaging their customers who are Card Members in innovative ways," said Marc Gordon, Executive Vice President and Chief Information Officer at AmEx. "With the launch of Amex for Developers, we are expanding access to our APIs to additional partners, creating new opportunities for business growth, both for our partners and for American Express."
U.S. Supreme Court to rule on credit card surcharging
Monday, October 17, 2016
The contentious battle over credit card surcharges has escalated to the U.S. Supreme Court, giving hope to retailers in 10 states that currently ban the practice of adding a fee to credit card transactions. A court challenge brought by five retailers in Expressions Hair Design v. Schneiderman, 15-1391, made its way through New York courts, initially winning in September 2013, only to be overturned on appeal two years later by New York's 2nd U.S. Circuit Court of Appeals.
The retail petitioners allege surcharge laws violate their First Amendment rights to free speech and due process under the U.S. Constitution. These claims became the basis for the Supreme Court review.
The New York court disagrees that surcharge laws violate free speech, calling its measures "price-control laws" that "regulate economic conduct rather than speech." New York Attorney General Eric Schneiderman and Manhattan District Attorney Cyrus Vance noted these price-control laws do not control pricing for goods and services, but only "how those prices are communicated ‒ that is, which of the two prices the merchant may frame as the 'regular' price on the label, and which the merchant may convey through a separate sign."
The New York attorneys compared surcharging credit card transactions to "bait-and-switch" tactics that reportedly occur at gas stations. Restricting surcharge practices protects consumers by maintaining price consistency and preventing surprises during the checkout process, they said.
Banned in 10 states
Retailers filed similar complaints in Florida and Texas in May and June 2016, petitioning courts to "resolve a direct and acknowledged circuit split over whether state no-surcharge laws violate the First Amendment, and they have been filed from each of the three circuits that have thus far divided on the issue," the plaintiffs stated.
Surcharging is restricted in New York, California, Colorado, Connecticut, Florida, Kansas, Maine, Massachusetts, Oklahoma and Texas. In New York, retailers found guilty of adding fees to credit card transactions can face a $500 fine and up to a year in prison. New York U.S. District Judge Jed Rakoff issued a preliminary injunction against the law in September 2013, siding with complainants by stating the law violates the First Amendment and "perpetuates consumer confusion by preventing sellers from using the most effective means at their disposal to educate consumers about the true costs of credit card usage."
Court to decide state rights
The Supreme Court's stated purpose is to clarify "whether and to what extent the Constitution limits state-imposed restrictions on the manner by which merchants can frame and convey truthful pricing information."
David Leppeck, President and Chief Executive Officer of Transaction Services LLC, said, "The Supreme Court will not decide on the legality of surcharging, but on whether or not individual states have the right to ban the practice. Federal restrictions against credit card surcharging can be traced back to the 1980s, when card brands tried to make credit card transactions equivalent to cash. These campaigns were done relatively quietly, with little fanfare. Consequently, very few states can recall why surcharging was banned in the first place."
Surcharging compliance guidelines became effective Jan. 27, 2013, following a class action settlement by retailers against Visa Inc. and Mastercard. The guidelines specify criteria for qualifying transactions, including mandatory signage and disclaimers for participating merchants. For example, merchants may surcharge credit cards, but not debit or prepaid transactions. Merchants are also required to post point-of-entry and point-of-transaction signage and specifically worded disclaimers on credit card receipts.
Varying state-by-state guidelines and restrictions can make surcharge compliance a daunting process for merchants doing business in multiple states, which has prompted some ISOs and acquirers to explore ways to simplify the practice.
"Transaction Services has automated the compliance process, confirming that transactions originate in states that allow it and that it meets all criteria," Leppeck said. "The solution can be implemented at the POS, a hosted payment page or as a direct integration tool. Surcharged transactions are flagged at auth and settlement, routed directly to card brands and settled with our processor."
One year in, reviews mixed for EMV in U.S.
Tuesday, October 11, 2016
Payments industry stakeholders met the one-year anniversary of chip card implementation in the United States with a mixture of celebratory messages and class action lawsuits, revealing a fractured payments landscape.
For example, on Sept. 29, 2016, Visa Inc. reported that counterfeit card fraud is down and EMV (Europay, Mastercard and Visa) usage is up. However, on Sept. 30, 2016, a California Federal judge supported anti-trust proceedings concerning chargeback liability brought by a group of small retailers against Visa Inc., Mastercard, Discover Financial Services and American Express Co., denying the card brands' motion to dismiss the lawsuit.
Visa's client financial institutions processed more than half a billion EMV transactions during August 2016, an increase of more than 1,000 percent, Visa representatives stated. The company additionally noted that chip-enabled merchant establishments with EMV accounting for at least 80 percent of transaction volumes reported a 47 percent reduction in counterfeit fraud during May 2016, compared with the same period during the previous year.
Visa set three objectives for U.S. chip card implementation: prevent counterfeit card fraud, accelerate mobile payments adoption, and improve convenience and security for international travelers. Executing on all three goals has resulted in a considerable uplift across the United States, with more than 1.46 million chip-enabled businesses and 363 million chip-enabled Visa cards, making the United States the largest Visa chip card market, according to company sources.
"Thanks to efforts across the ecosystem, we're seeing a positive impact on counterfeit fraud," said Stephanie Ericksen, Vice President of Risk and Authentication Products at Visa. "We're focused on continuing that momentum to bring counterfeit steadily down and simplifying the way businesses can adopt chip technology."
Payments analysts who have been tracking the progress of EMV implementation in the United States, however, have observed its impact on the small merchant community, many of whom were unprepared for the liability shift due to lack of instruction, equipment or processor readiness. As a result, numerous noncompliant retailers are being held responsible for more chargebacks, regardless of whether the chargebacks had anything to do with counterfeit fraud, which is the basis for the California court filing.
Plaintiffs Milam's Market and Grove Liquors reportedly installed EMV readers but were unable to activate them due to delays in certification. The retailers were subsequently found liable by Mastercard and Visa for 88 chargebacks totaling $9,196.22 that began in October 2015 and continued until March 2016, when the lawsuit was filed. Plaintiff counsel Patrick J. Coughlin stated, "In the end, our hope is to secure some relief for the millions of merchants ‒ many of them small businesses ‒ who have suffered and continue to suffer enormous losses from this conspiracy."
As EMV implementation continues, retailers and card brands have launched new payment schemes aimed at reducing contact chip card transaction time at the POS. Visa's Quick Chip reportedly reduces transaction times to two seconds or less. Mastercard's M/Chip Fast is designed for high-volume environments such as quick serve restaurants, where transaction times are at a premium. These and similar enhanced chip card methods have decreased processing time and waiting time in checkout lanes.
Ongoing delays in processor and device certifications and widespread complaints by small to midsize merchants have prompted card brands to relax penalties and regulations related to the liability shift. Card brands have tried to improve outreach, resources and support for merchants who are trying to implement EMV technology. Visa's recent move to restrict the number of fraudulent transactions that issuers can charge back to noncompliant merchants and card issuing banks has cut reported chargebacks in half since March 2016, Visa representatives stated.
Despite numerous setbacks and legal confrontations, U.S. payments industry stakeholders remain committed to implementing chip card technology to improve security and provide a consistent payment experience worldwide. Visa reported that foreign banks approved nearly 97 percent of U.S. Visa chip transactions overseas, compared with about 87 percent for non-chip cards.
"Chip is an important investment in the payment system, not only in security but also in driving future innovation and making payments easier for consumers," Visa's Ericksen stated. "The U.S. is clearly well on its way, and we're looking forward to many more advancements ahead."
Ajay Bhalla, President of Enterprise Risk and Security at Mastercard said, "Ultimately, we all want to deliver great experiences for consumers and merchants. That's why we believe that M/Chip Fast or any similar product should be implemented in consultation with the industry."