A summary of the roundtable discussion on the risk and security involving retail payments over the Internet
The Federal Reserve System�s Payments System Development Committee (PSDC) has an ongoing program to discuss payments system developments and barriers to innovation with the payments industry and relevant payments system participants. As part of this program, the committee hosted a roundtable discussion with industry leaders on risk and security issues involving retail payments made over the Internet.1 The roundtable discussion was held at the Federal Reserve Bank of San Francisco on June 13, 2005. During the roundtable discussion, nine industry experts representing law enforcement, merchants, payment gateways, payment processors, networks, and banks provided the PSDC with insights into key risk and security issues associated with retail payments over the Internet.2Return to contents list
The roundtable participants generally agreed that while there are risks associated with retail payments over the Internet, these risks appear to be manageable. The participants reported that they see fraud as an ongoing challenge to be managed, and that current efforts to do so have been largely successful in keeping fraud at a reasonable level.
The participants� discussion of specific risk and security issues associated with retail Internet payments covered four overarching topics: 1) a law enforcement perspective, 2) fraud and fraud-prevention tools, 3) the security of payment card data, and 4) the legal and regulatory environment. This document summarizes the participants� discussion of these topics.Return to contents list
The roundtable discussion began with an invited overview presentation about Internet crimes related to retail payments along with recent law enforcement activities. The presentation also covered effective practices that industry participants and law enforcement have used to investigate and prosecute criminals for Internet-related fraud. Many participants added their perspectives on these issues. The following summary presents highlights of the discussion.
Several participants expressed concern that organized crime is becoming increasingly active in Internet payments fraud. One participant noted that fraud is often perpetrated by criminals who are organized into structured groups in which members have specialized roles and responsibilities. For instance, one group of criminals may obtain consumers� data, another group may test the validity of the data, and yet another may sell the data or use it to make high-value purchases that are easily converted into cash. One participant noted that criminals have even established web sites where other criminals buy and sell consumer information.
Another concern for industry participants is that the consumer continues to be the most vulnerable link in the payments chain. Through so-called social engineering, criminals continue to find ways to persuade consumers to reveal financial and identity information. Social engineering is the practice of tricking people into revealing confidential information, usually by employing behavioral influences that induce a person to divulge information. For example, a criminal may play on fears or relationships, using techniques such as sending an e-mail purportedly from a trusted company asking a person to update card information to avoid having a service cancelled. One participant cited phishing as an example of social engineering that is commonly used to obtain consumer information.3
Participants are also concerned about the difficult process of investigating and prosecuting Internet fraud cases. Participants explained that it can be difficult to obtain the resources necessary to investigate Internet fraud cases because they are not always a high priority for local law enforcement. Some prosecutors are also unwilling to investigate or prosecute cases that are below a certain dollar threshold. Individual incidents, however, may be part of a larger fraud scheme that, when uncovered, will justify significant investigation. One participant noted that the difficulties in investigating and prosecuting Internet fraud cases are often exacerbated in international cases because, at times, the necessary cooperation with foreign law enforcement agencies adds additional complexity to an investigation. This is a growing concern because of the international scale of the Internet and increasing amounts of fraud that originate outside of the United States.
The roundtable participants discussed some effective practices for, in the words of one participant, �disrupting and disabling fraudulent activities.� Participants highlighted the effectiveness of data sharing and collaboration between industry participants and law enforcement agencies. As an example, one participant described an initiative in which a law enforcement agency and a credit card issuer collaborated to allow a defined set of �dummy� card numbers to be obtained by criminals to follow the flow of funds from the cards back to the criminals who used them. Other participants provided examples of collaborative efforts between industry participants and law enforcement agencies that were successful in identifying and shutting down phishing web sites. One participant explained that the goal of collaboration is not to centralize control of the various fraud-detection approaches used by law enforcement and industry participants. Rather, the goal is to take advantage of the resources and competencies of all parties that are fighting fraud and allow collaboration to increase the effectiveness of existing efforts.
Despite the successes of some data sharing initiatives, participants noted that many organizations are reluctant to share data regarding fraud incidents or data breaches with competitors or law enforcement agencies. Some participants pointed out that companies would be willing to share data if their anonymity could be maintained, but noted that it is sometimes difficult for agencies to maintain confidentiality. These companies prefer anonymity for a number of reasons. In some instances, companies wish to avoid negative publicity from a fraud incident or data breach. In other instances, companies worry that they may be sued for sharing information that may implicate another company. Some noted that more can be done as attorneys for companies refined their analysis of companies� rights and obligations relating to data protection.Return to contents list
Several of the participants expressed concern about misleading information in the public domain about identity theft and fraud. Several participants believe that the 2003 Federal Trade Commission�s (FTC�s) �Identity Theft Survey Report,� which is widely quoted in the mass media, is creating a misperception about the risk of providing information over the Internet.4 These participants believe that the FTC report used an overly broad definition of identity theft, which has led to an overestimate of the specific problem of identity theft in the media.5 Because many people associate identity theft with the Internet, the concern of some participants was that an overestimate of the problem of identity theft could create excessive fears about conducting transactions over the Internet. A related concern is that the public may overestimate the frequency with which financial and identity data are stolen using the Internet. Several participants noted that a recent study found that consumer information is largely obtained from sources not associated with the Internet, including lost or stolen wallets.6
Participants expressed concern that exaggerated fears about using the Internet could lead consumers to curtail shopping, banking, and payment transacting over the Internet. One participant noted that it is difficult to discern whether such fears are really causing consumers to avoid shopping on the Internet. The participants generally agreed, however, that consumers are losing some level of confidence in the safety of shopping online. The participants also shared the opinion that while identity theft is a serious problem, it is not as prevalent as the unauthorized use of payment cards.7 Many participants believed that the unauthorized use of payment cards is the source of most Internet payments fraud.
As a general matter, most of the participants believed that, to date, fraud over the Internet has been a manageable problem.8 Some participants stated that their respective organizations are experiencing low rates of Internet payments fraud. Other participants noted that while the rate of fraud has been relatively low and manageable, overall losses stemming from Internet payments fraud has been rising recently. One participant attributed the recent rise in fraud losses to an increase in the overall number of consumers shopping online. Other participants thought that the recent rise in fraud losses is a manifestation of the cyclical nature of fraud. Criminals� techniques periodically outpace industry and law enforcement efforts to curb fraud, and the losses resulting from fraud rises as a consequence. Law enforcement and industry participants then make strides to bring fraud under control. One participant said that the current pattern has been seen before and believed that the current rise in fraud can be controlled.
The roundtable participants also discussed the effectiveness of tools available to merchants and banks to detect and prevent unauthorized card use. The participants generally agreed that tools used to detect and prevent fraud at the point-of-purchase, such as card verification numbers and address verification tools, have thus far been effective in keeping fraud rates for Internet transactions at an acceptable level.9 The participants also emphasized the need for balance with respect to the use of fraud-prevention tools. One participant suggested that the technical tools currently available could stop all fraudulent transactions, but would do so at the expense of stopping all legitimate transactions. A key challenge for industry participants is to limit fraud losses while providing consumers with a positive online shopping experience.
Some participants expressed concern that although fraud-prevention tools have been generally effective thus far, not all merchants use them. One participant said the failure to use fraud-prevention tools creates risk for both individual merchants and the industry in general. For example, a criminal may test the validity of illegally obtained card data by making many low-value purchases through online merchants who do not use fraud tools to monitor the type and amount of transactions on their web site. Once the card data have been validated, the criminal then can use the card information for transactions elsewhere, generally to make higher-value purchases that can more easily be converted to cash.
The participants discussed the effectiveness of the card networks� efforts to establish password-based authentication programs.10 One participant noted that these programs have, to date, seen limited consumer and merchant adoption. Another participant said that the shift in liability for fraud losses stipulated in these password-based authentication programs may actually reduce merchants� incentives to use fraud-prevention tools because in many instances the merchants are no longer liable for fraudulent transactions.11 The participant argued that this type of behavior increases the overall risk to the payments system.
The participants also discussed two-factor authentication techniques.12 One participant argued that two-factor authentication programs are needed for consumers to address the weaknesses of one-factor authentication and other current fraud-prevention tools. Another participant added that social engineering schemes and data security breaches are increasingly providing criminals with more complete consumer information, thereby reducing the effectiveness of authentication tools such as card verification numbers and address verification. Other participants noted that while two-factor approaches have the potential to prevent fraud, the cost of deploying and maintaining physical tokens as the �second factor� to a large customer base may be cost-prohibitive. These participants said that because current fraud levels are sufficiently low, few industry participants will be likely to incur the cost of two-factor authentication until the business case is stronger.Return to contents list
Several roundtable participants stated that unsecured databases containing consumer and payment card information are the most significant problem associated with retail electronic payments. If a business has a connection to the Internet for any reason, consumer and payment card information is at risk whether it is obtained from consumers over the Internet or at a brick-and-mortar location. The participants expressed concern that recent highly publicized breaches of confidential consumer data may lead to a lack of consumer confidence in specific card brands, and more generally in the Internet as a channel for commerce.13 One participant also noted that there has been a dramatic increase in the past year in the number of databases compromised that contained detailed payment card data.
The participant also noted that there are several challenges to safeguarding consumers� payment card data. For instance, there are a significant number of �touch points� in any card transaction, and a record of the transaction, including some card data, may be stored at each point. The participants generally expressed concern about the amount of information that was being stored by some organizations and the level of security around that information. One participant voiced concern that some merchants may not be aware of exactly what data they are storing. Another participant raised the issue that software provided by some vendors automatically stores significant amounts of card data. However, Visa and MasterCard network rules and security standards, for example, prohibit the storage of some elements of these data.
Another challenge to protecting consumer and payment card information is the number of access points that a business may have to the Internet�such as corporate e-mail, instant messaging, and web pages. Any organization that stores consumer or payment card information and is connected to the Internet for any reason must secure all of these access points to avoid unauthorized access to stored data. One participant expressed concern that �brick-and-mortar� merchants may not be fully aware of the vulnerabilities inherent in connecting to the Internet for services, such as corporate e-mail, and therefore may not take the steps necessary to mitigate their exposure. Several participants added that Internet merchants may be more diligent than brick-and-mortar merchants in securing their access points because Internet merchants are more aware of the risks associated with Internet-related activities and the need to address security in a holistic manner.
In response to concerns about the proper handling of card data, Visa and MasterCard jointly developed the Payment Card Industry (PCI) Data Security Standards.14 The participants� discussion of the PCI standards focused primarily on the progress of merchants and payments service providers (payment gateways and processors) in complying with the PCI requirements as well as the overall effectiveness of the standards in securing payment card information. The deadline to demonstrate compliance with the PCI requirements was June 2005.
Many participants noted that the payments service providers have generally done a good job of complying with the PCI requirements but that relatively few merchants are yet in compliance. The participants discussed why they think it is taking merchants significant time to comply with the PCI standards. One explanation offered was that the costs to merchants to become compliant can be quite high. Participants noted that barring any system or infrastructure changes, the cost to perform the basic requirements, including self assessments and scans of access points for security vulnerabilities, is relatively low. The costs, however, can dramatically increase if a merchant needs to adapt systems or upgrade infrastructure to comply with specific PCI standards. For example, PCI standards require an organization to render card data unreadable anywhere they are stored (that is, to encrypt all stored card data). The cost to encrypt retroactively all stored payment card data could be substantial. Another explanation related to risk one participant noted is that merchants, especially smaller merchants, often do not realize the risks associated with accepting and storing payment card data, and until they are victimized, they may be unwilling to spend the money to become PCI-compliant.
Some participants also discussed the effectiveness of the PCI standards in securing payment card data. Some participants stated that while the PCI standards are not perfect, they are a good beginning and should be viewed as a framework for ensuring that industry participants appropriately secure stored payment card data. Another participant noted that many of the recently publicized data breaches could have been prevented if those storing the data had been compliant with PCI security standards.
Other participants, however, discussed possible limitations in the PCI standards. Some participants believed that the group of merchants subject to the most rigorous level of PCI compliance requirements (level 1 merchants) is too narrowly defined.15 These participants said that they favor expanding the number of merchants required to comply with the level 1 requirements. One participant stated that the PCI standards should apply to all organizations that store payment card data and have an Internet connection. This participant also strongly favored simplifying the standards to facilitate broad adoption. Another participant pointed out that compliance with the PCI requirements can be challenging because acquirers, who are generally responsible for ensuring that their merchants comply with the standards, often have different interpretations of specific standards. As a result, any organization that works with multiple merchants may be challenged in implementing the various interpretations of the PCI standards.
The participants also discussed the desirable characteristics of standards in general. Several participants proposed that standards regarding data security should focus more on defining high-level goals and less on specifying actions or technologies necessary to meet those goals. These participants said that standards need to be flexible and adaptable in order to address a changing security environment. One participant stated that specific security requirements have a very short effective life because such specificity provides criminals with the information necessary to search for software vulnerabilities.16 Other participants believe that strictly defined standards can stifle industry participants� ability to develop innovative ways to safeguard consumer and payment card information. Some participants, however, countered that some minimum level of specific standards is necessary and that without some specific standards many innovations, such as the Internet itself, would not exist.Return to contents list
In conjunction with the discussion of securing payment card data, several participants voiced concern that the data security requirements in the Gramm-Leach-Bliley Act (GLB) apply only to financial institutions.17 Many participants believed that the GLB requirements should be extended to all entities that store consumer information and that the type of information stored is more important than the type of company storing it. Some participants suggested that the Congress revise GLB by first defining the type of data that should be covered by the GLB requirements and then expanding the scope of coverage beyond financial institutions.
The participants also discussed their observations regarding recent state laws that require businesses to notify consumers following a breach in data security. Recently, legislatures in Arkansas, Florida, Georgia, Indiana, Montana, North Dakota, and Washington have passed laws requiring notification when consumer information is compromised through a security breach.18 Similar bills are also being considered in several states. Although the participants were not opposed to notification requirements as a general matter, many saw room for improvement with the existing notification requirements.
Some participants discussed their reservations about the increasing number of states that are enacting notification requirements regarding security breaches of consumers� data. Some participants expressed concern about the ability of businesses to comply with a variety of different state laws mandating consumer notification following data breaches. Some participants indicated that the federal government could create national legislation that preempts state laws to create a consistent set of notification requirements, which would reduce the administrative burden on businesses needing to comply with the increasing number of state laws.
At the same time, some participants questioned the value to consumers of these notification requirements in some situations. One participant said that notification is useful only if it gives consumers information that allows them to take action. Businesses are often unable to advise consumers regarding definitive steps to mitigate their exposure because in many instances there is no evidence that the stolen information is being used. In such cases, the notification may only serve to scare consumers. One participant noted that banks already take steps to detect and prevent fraud on accounts that have been compromised. For instance, if a bank learns that a specific group of card accounts has been compromised, the bank will increase its monitoring of those accounts for suspicious purchasing activity. Another participant indicated that only a small percentage of data breaches actually lead to fraud. Another participant was concerned that if banks are required to notify consumers of data breaches regardless of their severity, consumers will begin to ignore them, even when the consumer needs to take immediate steps to mitigate his or her exposure.
Other participants were concerned with the costs associated with notification requirements. Some participants pointed out that to notify all affected consumers of breaches, regardless of the circumstances surrounding the breach, can be very costly, particularly for large organizations. One participant noted that when a data breach becomes public, many consumers who are potentially at risk immediately request a new credit or debit card. The cost to replace a large number of cards can be significant, and is not a cost-effective way to address the risks of stolen card data. The participants emphasized that legislators need to understand the effectiveness of these notifications for consumers, along with the burdens these requirements place on industry participants and ultimately on consumers.Return to contents list
The Internet is an expanding channel for communication and for commerce, but it also raises a number of challenges for the payments industry in the areas of risk and security management. The committee noted that the payments industry must continue to be vigilant and aware of the evolving risks that the Internet poses. As a general matter, however, it does not appear that the payments industry is currently facing fundamental problems in controlling these risks. Fraud has been rising recently, but it has been rising from relatively low levels reflecting the growing volume of Internet transactions. The challenge will be to keep pace with rapid changes in technology, the demand for online transactions, and criminal ingenuity. The committee pointed out the importance of effective communication between affected parties, incentives to increase the use of fraud tools, reasonable standards for safeguarding confidential data, and appropriate responses following a data breach.
The committee specifically emphasized the value of educating consumers regarding the importance of protecting their financial and identity information. The committee raised the potential for the Federal Reserve to play a larger role in promoting financial literacy. The committee also specifically mentioned that it would be prudent for the private sector to have appropriate standards to address unauthorized access to consumer information. In addition, the committee stressed the importance of maintaining confidence in the payments system. Although confidence in the payments system is generally high, if consumers have concerns about making payments over the Internet, it is important for the industry to take these concerns seriously and to act appropriately.Return to contents list
1. The Board of Governors of the Federal Reserve System established the Payments System Development Committee in July 1999. The committee serves as a forum for the analysis of technological and market trends, provides a mechanism for consultation with payments system providers and users, and advises the Board and other Federal Reserve System officials on medium- and long-term public policy issues relating to consumer, government, and corporate payments. In particular, the committee seeks to work collaboratively with the private sector to help identify barriers to innovation in the payments system, identify strategies to enhance the long-term efficiency of existing U.S. payments systems, and develop strategies for transition to the next generation of electronic payments. The members of the committee are Roger Ferguson (co-chair), Vice Chairman of the Board of Governors of the Federal Reserve System, Gary Stern (co-chair), President of the Federal Reserve Bank of Minneapolis, Michael Moskow, President of the Federal Reserve Bank of Chicago, Christine Cumming, First Vice President of the Federal Reserve Bank of New York, and Patrick Barron, First Vice President of the Federal Reserve Bank of Atlanta. Return to text.