As electronic payments become more widespread throughout the United States and the world, threats to payment confidentiality and integrity escalate, and payment security challenges continue to grow. Data breaches, phishing attacks, spoofed websites, payment card skimming, fraudulent ATM withdrawals, computer malware and infiltration of retail point-of-sale systems are all becoming more prevalent and costly.
The scale and sophistication of cyber threats–along with the proliferation in points of vulnerability–make protecting payment systems and transactions a key priority for central banks, financial institutions, payment network operators, merchants, technology solution providers and regulators around the world. Over the years, cooperation between the Federal Reserve and the private sector on payment issues has contributed to a more robust U.S. payment system, providing significant benefits.
As the central bank of the U.S., the Federal Reserve is uniquely positioned to facilitate the collaboration required, across a very diverse set of stakeholders, to improve payment system security. The Federal Reserve believes the initiative and energy evident in the private sector is critical to long-term payment system improvement. Quite frankly, the key to enhanced security going forward depends on continued public-private partnerships to facilitate industry collaboration and encourage the development of robust security protocols and technologies.
"The security challenges facing the payments industry require broad cooperation and coordination across the payments ecosystem"
Several payment industry stakeholders have already focused significant resources on mitigating current and emerging risks by:
• Placing high priority on improving authentication of transactions, parties and devices in the payment process.
• Actively pursuing ways to protect sensitive information and limit its use and availability.
• Seeking to share fraud and cyber threat information and analyze data to mitigate the adverse impact of threats.
But important challenges remain. These include inconsistent adoption of security controls, barriers to sharing fraud and threat information among stakeholders, and uncertainty about whether evolving standards will be complementary or competing substitutes.
With all this in mind, a 160-member Secure Payments Task Force has been convened by the Federal Reserve to advance the payment system’s safety and security. Various work groups have been meeting to document the current environment, the attributes of a more effective environment, the desired outcomes in each area, and the barriers to implementing solutions. Here are some important take-aways gathered so far in three key areas:
Payment Identity Management
Increases in fraud–such as ongoing compromises of consumer information, corporate/retail account takeovers, and “card not present” fraud–highlight inherent limitations and weaknesses in the existing payment systems. Fraud affects everyone, and fighting it is a constant challenge, given the many technologies and processes used to authenticate a payment being made from different sources. While there are no quick fixes, sound practices and innovative technologies exist that allow payment system participants to better manage risk.
One example is aligning authentication methods to risk. Risk-based authentication techniques can reduce customer friction and increase security. Authentication can be dynamic and continually evolve, based on the increasing risk and the sequence of events between the payment channel and the user.
But solutions can’t be static. As new products and services are introduced, they should be integrated with existing tools and an organization’s risk assessment framework. Identification and adoption of stronger and more universally accepted payment identity management practices will help mitigate existing and anticipated fraud threats, making participation with or entrance into the payment system less difficult, expensive, and risky.
High-profile data breaches continue to make headlines. Whether personal or financial, data is a valuable commodity for hackers looking to leverage the stolen information for financial gain. As the scope of data to be protected continues to evolve, the challenge is how it should be protected in the end-to-end payments process. The payment industry must remain vigilant and incorporate practices that safeguard sensitive payment data at rest and in transit. An industry framework that provides a common understanding among payment industry participants about how to identify and appropriately protect sensitive payment data associated with different payment types would benefit a diverse set of payment stakeholders. The framework should also define how to protect data across end-to-end payment transaction processes and include a security baseline that can be universally applied to sensitive payment data.
The nature of fraud and data breaches has changed considerably over the past few years. Criminals have established extensive networks to share tactics and techniques for how to carry out coordinated attacks, yet it remains difficult for the good guys to share data to mitigate these attacks.
The Cybersecurity Information Sharing Act of 2015 and subsequent guidance released in 2016 establish opportunities for information-sharing to take place among industry participants as well as between private and public sector organizations. However, barriers continue to prevent much of the intelligence from being communicated. They include a lack of baseline knowledge about available resources, limited trust amongst parties, misaligned incentives and a lack of infrastructure required to make information available to all payment stakeholders. These barriers limit the amount of information shared within the payments industry and, thus, reduce the ability to prevent fraud and data breaches.
Now is the time to eliminate these barriers and expand communication channels. One possible outcome would be standardized fraud metrics and reporting and more sharing of actionable information across payment industry participants, which would make it easier and quicker to identify fraud risks and take action.
The security challenges facing the payments industry require broad cooperation and coordination across the payments ecosystem. Collaboration is the key to success. The Secure Payments Task Force is a forum for such collaboration, allowing a wide variety of industry participants to work together to reduce fraud risk and advance the safety and security of the national payment system.