Federal Reserve - Hot Topic

Northern Ohio AFP
Idea Exchange
Sept. 21, 2015
Matt Davies, CTP, AAP
Federal Reserve Bank of Dallas




Business E-Mail Compromise
“Faster Payments”
EMV Update
Mobile Payments/Mobile Wallets

Business E-mail Compromise (BEC)
◦ a.k.a., “Whale Phishing,”
◦ Masquerading, or
◦ “The CEO E-mail”

Criminals stole ~$750m from more than
7,000 U.S. businesses, Oct. 2013-Aug. 2015
◦ Combined with international victims, FBI estimates
that more than $1.2b has been lost due to BEC
scams

Majority of transfers going to banks in China
and Hong Kong


May not be able to obtain insurance coverage
for the loss
New version of BEC scam:
◦ Fraudster contacts businesses via phone or e-mail
posing as a lawyer handling confidential or time-sensitive information.
◦ Pressures victim to act quickly, perhaps even
secretly, in transferring funds.
◦ Typically at the end of the business day or work
week, to coincide with the close of business of
international FIs.

FBI best practices:
◦ Implement a detection system that flags e-mails with
extensions similar to the company e-mail.
 E.g., if your legitimate company e-mail is @company.com,
the e-mail @c0mpany.com would be flagged.
 Don’t rely solely on spam filters to catch these emails.
 Krebs:
 Spoofed emails used in BEC scams are unlikely to set off
spam traps because the targets are not mass emailed.
 And criminals sending them take the time to research the
target organization’s relationships, activities, interests, and
travel and purchasing plans.

Register all company domains that are similar to
the actual company domain.

Verify changes in vendor payment locations by
adding additional two-factor authentication.
◦ E.g., have a secondary sign-off by company personnel

Confirm requests for funds transfers.
◦ When using phone verification, use previously-known
numbers, not the numbers provided in an e-mail request


Know the habits of your customers when it comes to
payment habits and amounts; flag anything out of the
ordinary.
Carefully scrutinize all e-mail requests for funds
transfers to determine if the requests are legitimate.
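The detection system the FBI recommends above can be approximated at the mail gateway by comparing each sender's domain against the company's own. The following is an added example written for this page, not code from the FBI or the source article; the legitimate domain list and the sample From: headers are constructed.

```python
from email.utils import parseaddr

# Constructed list of the organization's own sending domains (assumption for this example).
LEGITIMATE_DOMAINS = {"company.com"}

# Digits and letter pairs that fraudsters substitute for visually similar letters.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

def normalize(domain: str) -> str:
    """Fold confusable characters to the letter they imitate (c0mpany -> company)."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: 1 or 2 means a near-miss spelling such as compamy.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(header_from: str, legit=LEGITIMATE_DOMAINS, max_distance=2) -> str:
    """Classify a From: header as 'legitimate', 'lookalike' or 'external'."""
    display_name, addr = parseaddr(header_from)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return "external"
    if domain in legit or any(domain.endswith("." + r) for r in legit):
        return "legitimate"
    for real in legit:
        # Display name shows a company address while the real sender is elsewhere.
        if real in display_name.lower():
            return "lookalike"
        # Homoglyph substitution or a one/two-character misspelling of the real domain.
        if normalize(domain) == real or edit_distance(domain, real) <= max_distance:
            return "lookalike"
        # Real domain embedded in a longer name, e.g. company.com.example.net.
        if real in domain:
            return "lookalike"
    return "external"

def flag_messages(from_headers):
    """Return the headers a mail gateway should hold for review."""
    return [h for h in from_headers if classify_sender(h) == "lookalike"]
```

Spam filters score bulk characteristics; this check scores the sender identity itself, which is what a targeted BEC message spoofs.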

If victimized:
◦ Immediately contact your bank and request that
they contact the corresponding FI where the
transfer was sent.
◦ Contact your FBI office if the transfer is recent. The
FBI, working with FinCEN, might be able to help
return or freeze the funds.
◦ File a detailed complaint with www.IC3.gov.
 Be sure to identify the incident as a “BEC” scam.
SOURCE: “BEC Scams: A $1.2 Billion Threat to Treasury & Finance,” by
Andrew Deichler, afponline.org, Aug. 31, 2015

Same-Day ACH (FRB, NACHA)

The Clearing House

Dwolla FiSync (& BBVA)

Federal Reserve efforts

RDFIs
◦ Required to be able to receive same-day items
◦ Mandated (in Phase 3) to make funds from same-day
credits available to Receiver by 5 p.m. local time

ODFIs pay interbank fee of 5.3 cents per same-day item to RDFIs
◦ Attempt to facilitate cost recovery by RDFIs for
investments made to enable acceptance of same-day items
Same Day ACH: The Phased Approach

                                Phase 1 (Sept. 23, 2016)       Phase 2 (Sept. 15, 2017)       Phase 3 (Mar. 16, 2018)
Functionality                   Credits Only                   Credits and Debits             Credits and Debits
New ODFI ACH File               10:30 am ET, 3 pm ET           10:30 am ET, 3 pm ET           10:30 am ET, 3 pm ET
  Transmission Times
New Settlement Times            1 pm ET, 5 pm ET               1 pm ET, 5 pm ET               1 pm ET, 5 pm ET
ACH Credit Funds Availability   End of RDFI’s processing day   End of RDFI’s processing day   5 pm (RDFI local time)
Transaction Eligibility         $25,000 limit; IAT not eligible (all phases)

Company Descriptive Date field (5 record, field 8)
◦ Optional field with 6 positions available (positions 64-69).
◦ Current NACHA Rules provide that the “Originator establishes this
field as the date it would like to see displayed to the Receiver for
descriptive purposes.”

NACHA recommends that, as desired, the content of this
field be formatted using the convention “SDHHMM”
◦ “SD” in positions 64-65 denotes intent for same-day settlement
◦ Hours and minutes in positions 66-69 denote desired settlement
time using a 24-hour clock.
◦ If using this convention, ODFI would validate that the field
contains either “SD1300” for settlement desired at 1 p.m. ET, or
“SD1700” for settlement desired at 5 p.m. ET.
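The ODFI validation described above can be implemented as a fixed-position check on the batch header record. This is an added example for this page, not NACHA's or any ODFI's code; the record builder produces a constructed sample record whose company identification and ODFI identification values are placeholders.

```python
# Field positions within the 94-character NACHA batch header ("5") record. The NACHA
# Rules number positions from 1; the Python slices below are the 0-based equivalents.
RECORD_TYPE_CODE = 0                        # position 1
COMPANY_NAME = slice(4, 20)                 # positions 5-20
COMPANY_DESCRIPTIVE_DATE = slice(63, 69)    # positions 64-69, the field in the convention

# The only values the convention allows; the ODFI validates against this set.
SAME_DAY_WINDOWS = {"SD1300": "1 p.m. ET", "SD1700": "5 p.m. ET"}

def same_day_intent(record: str):
    """Return (same_day, settlement_window, reason) for one batch header record."""
    if len(record) != 94:
        return False, None, "record is not 94 characters"
    if record[RECORD_TYPE_CODE] != "5":
        return False, None, "not a batch header record"
    field = record[COMPANY_DESCRIPTIVE_DATE]
    if field.strip() == "":
        return False, None, "descriptive date blank: standard settlement"
    if field in SAME_DAY_WINDOWS:
        return True, SAME_DAY_WINDOWS[field], "same-day settlement requested"
    if field.startswith("SD"):
        # Looks like the convention but is not an offered window: reject, do not round.
        return False, None, "unsupported same-day window " + field
    return False, None, "descriptive date used for display only"

def build_batch_header(company_name, entry_description, descriptive_date, effective_date):
    """Constructed sample record for testing (not taken from a real ACH file)."""
    rec = (
        "5"                                 # record type code            pos 1
        + "200"                             # service class code (mixed)  pos 2-4
        + company_name[:16].ljust(16)       # company name                pos 5-20
        + " " * 20                          # company discretionary data  pos 21-40
        + "1234567890"                      # company identification (placeholder) pos 41-50
        + "CCD"                             # standard entry class code   pos 51-53
        + entry_description[:10].ljust(10)  # company entry description   pos 54-63
        + descriptive_date[:6].ljust(6)     # company descriptive date    pos 64-69
        + effective_date                    # effective entry date YYMMDD pos 70-75
        + "   "                             # settlement date, filled by ACH operator pos 76-78
        + "1"                               # originator status code      pos 79
        + "12345678"                        # ODFI identification (placeholder) pos 80-87
        + "0000001"                         # batch number                pos 88-94
    )
    assert len(rec) == 94
    return rec
```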

5/21/2015: Federal Reserve Board requests
public comment on enhancements to same-day ACH service

The Clearing House
◦ Represents 24 largest commercial banks in the U.S.
◦ Building a real-time payments network
◦ Multi-year endeavor
◦ Relies on push credits
◦ “…the security, the protection of account data, and
the enhanced messaging” [compared to Same-Day
ACH]
◦ Security: Payments will be routed using tokens to
protect account information

Will TCH’s RTP Network be…
◦ The same as…
◦ Connected to…

ClearXchange?
◦ BofA, Wells, Chase…
◦ Capital One…
◦ US Bank…
◦ First Bank (Denver-based)

Dwolla
◦ Based in Des Moines

BBVA Compass Bank
◦ Houston-based unit of BBVA Compass Bancshares Inc., a wholly-owned subsidiary of Spain’s BBVA
◦ 672 U.S. branches; over half of them in TX

4/2015: BBVA announced it has gone live with Dwolla…

… allowing BBVA customers to make real-time payments
(RTPs) to other BBVA customers...

…using Dwolla’s FiSync technical protocol
◦ [Note: RTPs can be made to other FiSync FI(s): Veridian CU,
Waterloo, IA; others to come?]

Payments “clear in seconds”

Dwolla’s pricing:
◦ Payments under $10: free
◦ Payments over $10: recipient charged 25 cents
per transaction

Dec. 2014: Dwolla introduced Dwolla Direct
◦ Allows those without Dwolla accounts to receive
payments from Dwolla users
◦ These payments use ACH; clear in 1-3 days

Security
◦ For the service with BBVA, Dwolla began using
digital tokens that replace the user’s RTN and
account number
 User designates a funding source and authorizes the
payment
 BBVA generates a token, unique to the authorization
 Token can be revoked by the user, BBVA, or Dwolla

Faster Payments Task Force
◦ www.fedpaymentsimprovement.org

Merchant point-of-sale (POS) terminal
upgrades
◦ Contact (“dipping”)
◦ Contactless

FIs issue new credit/debit cards containing
chips
◦ “Chip & PIN”
◦ “Chip & Signature”
◦ “Chip & Choice”

Liability Shift: Oct. 1, 2015
◦ Fuel-selling merchants: Oct. 1, 2017
◦ How much will the liability shift drive
merchants/card issuers?
 Many community bank card issuers are in the queue
with processors
 Merchants lag, especially small businesses
 Will even the “big-box” merchants wait to activate chip
acceptance until after this year’s holiday season?

ATM Liability Shift
◦ MasterCard Oct. 2016;
◦ Visa Oct. 2017
◦ Most ATMs accept Visa and MC, so MC’s deadline
will likely be the driver here

Visa:
◦ About 16% of Visa’s 700m cards in the U.S. have
been converted to EMV…
◦ Forecast: 63% of the cards will be EMV by the end of
the calendar year.
◦ Recent Visa studies indicated 83% awareness of
chip cards amongst consumers in May; 89% in July

Julie Conroy, Aite: “70% of all credit cards and
41% of debit cards will be EMV by the end of
the year.”
SOURCE: “The State of EMV, by the Numbers,” by David Heun,
PaymentsSource, August 12, 2015

Most FIs issuing chip-and-signature

Exception: See State Employees CU, NC
◦ $29.5b in assets; second largest CU in the country
◦ Issues all of its EMV credit cards with PINs
◦ Allows cardholders to authenticate with either the
PIN or a signature.
◦ So far, less than ½ of 1% of all of SECU’s credit card
transactions have been PIN-authenticated

Lost/stolen and card-not-received
◦ EMV can address this, if “chip-and-PIN”
 U.S. is “chip-and-choice”; most cards are being issued
as “chip-and-signature”
 With chip and signature, fraudster can steal mail and
use card without knowing PIN
◦ Will EMV implementation in the US lead to a rise in
instances of non-receipt of mail?

Brian Krebs, KrebsonSecurity.com, Aug. 2015,
reported a “shimmer” found on an ATM in
Mexico
◦ Shimmer: A thin device that sits between the card’s
chip and the chip reader when the cardholder
inserts (“dips”) the card into the slot.
◦ Like a skimmer on POS card readers, fuel pumps
or ATMs that steals mag-stripe payment card info
◦ The shimmer reported by Krebs was easily inserted
into the ATM and reportedly could capture EMV
card data.
SOURCE: “Does a ‘Shimmer’ on a Mexican ATM Portend a Fraud Threat to U.S.
EMV Chip Cards?” by Jim Daly, Digital Transactions News, Aug. 13, 2015

Tokenization
◦ EMVCo
◦ Visa, MasterCard
◦ Apple Pay/Samsung Pay/Android Pay

Point-to-Point Encryption

3DSecure (online)
◦ EMVCo “overhaul” – specs to be published in 2016
◦ Replace static passwords with one-time passwords

Cell phone, smart phone, tablet, watch, etc.

Two types of mobile payments:
◦ Proximity Payment – Mobile device with technology
embedded in/displayed on it is used to make
payment at POS
 e.g., using mobile phone to make payment at POS
◦ Remote Payment – Mobile device used to initiate
payment regardless of proximity to payee/POS
 e.g., using mobile phone to make payment via PayPal
[Timeline figure, layout not recoverable from the extracted text: evolution of mobile payments by era, 2006-2008 (Remote SMS & ecommerce Payments), 2009-2010 (Mobile Web Payments), 2011, 2012, 2013-2015. Items named on the chart: Amazon, Amazon Text Buy It, Mobile App Stores, Apple App Store, Android Market, QR Code, Mobile Card Acceptance, PayPal Here, Square, Mobile Wallets, Isis NFC Wallet [later Softcard, bought by Google 2/2015], Starbucks, PayPal Text to Buy, Direct Carrier Billing, LevelUp, NFC, Google Wallet, Cloud Digital Wallet, Apple Passbook, PayPal In-store, Prepaid, Square Wallet (discontinued), Google Wallet KitKat HCE, Beacon BLE, PayPal Beacon, AmEx RFID Contactless Cards, NFC/Cloud Wallet, AmEx Bluebird, Mobile Bank Account, Green Dot GoBank, FI/Card network tokenization (TCH, EMVCo, X9).]

Starbucks
◦ Bar codes
◦ Biggest success in mobile payments to date
◦ As of April 2015:
 Approx. 8m mobile transactions/wk. at Starbucks’ registers;
 About 19% of its US store sales
◦ Starbucks claims its mobile payments accounted for 90% of
the $1.3b mobile payments market in 2014

a.k.a., “digital wallets”

Mobile technology that functions like a physical wallet

Can hold credit and debit cards, reward/loyalty cards,
etc.
◦ Eventually, medical records; digital driver’s licenses (e.g.
initiatives in Iowa, Delaware)

Generally, consumer adoption of mobile wallets to date
has been limited.
◦ Mobile wallets don’t necessarily solve a problem for
consumers; swiping a credit card is not really that
difficult!

Short-range wireless RFID technology
◦ As opposed to longer range used for toll tags, for example

Credit/debit card info “provisioned to” the mobile wallet
◦ Credit/debit card information is encrypted and stored in a
secure element (SE) in the phone (as opposed to “in the cloud”)
◦ SE is often an embedded chip controlled by the handset
manufacturer, or the SIM card, which is controlled by the mobile
carrier

Less than 14% of all merchant locations are enabled for
NFC transactions today
◦ Some big merchants have turned NFC off entirely (e.g., Best Buy)
◦ Potential drivers of NFC upgrade at merchant POS: EMV; Apple Pay

iPhone 6 (Sept. 2014)

Apple Pay (Oct. 2014)

Apple Watch (Apr. 2015)

Uses NFC technology to facilitate contactless
payments at point of sale (POS)

Also allows in-app payments

NFC antenna across the top of the phone
◦ NFC protocol has encryption built into it

Uses Passbook app (will be renamed “Wallet” in
iOS 9)
Image credit: Apple Inc.

Uses iPhone’s TouchID fingerprint scanner as
a form of authentication
◦ introduced in the previous iPhone model, 5s
◦ built into iPhone’s home button

iPhone 6 has a new chip, a secure element
(SE), in the phone handset
◦ Stores the cardholder’s payment information…
◦ …though not the actual card number
Image credit: Apple Inc.



Automatically uses consumer’s card on file
with iTunes as default payment account
Users add additional cards by scanning them
with the phone’s camera, or typing card
details into Passbook app
Apple verifies card account data with card
issuer and places a digital rendering of the
card in Passbook

Apple provides card issuing FI with information
to help validate a new card:
◦ Potential customer’s device name
◦ Current location
◦ Whether or not the customer has a long history of
transactions within iTunes

Issuing FI decides if additional verification is
needed
◦ Apple iOS Security Guide. “Depending on what is offered
by the card issuer, the user may be able to choose
between different options for additional verification,
such as a text message, email, customer service call, or
a method in an approved third-party app to complete
the verification.”

An FI might:
◦ Ask cardholder to enter additional data to confirm his identity.
◦ Require cardholders to log into their online accounts to authorize
Apple Pay.
◦ Ask cardholder to call customer-service rep to set up the card

e.g., Wells Fargo:
◦ Requires some customers to provide additional verification to add
a card.
◦ Customers are directed to call in to verify or to download the
Wells Fargo Verify app.
◦ The app guides the customer through the verification process.

Apple Pay uses tokenization to remove payment
card numbers from the transaction process.
◦ When a user adds a card, Apple does not store the actual
card number
◦ Instead, creates a “device-only” account number for each
card and stores it in the phone’s SE
◦ Each time Apple Pay is used, Apple uses a one-time
payment number, along with a dynamic security code
 Essentially, creates a one-time card use system, and
 Eliminates the need for static security code (CVV/CVC) on
the plastic card
◦ Merchant never sees the cardholder’s name, card
number or security code
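A simplified model of the scheme just described (device-only account number in the secure element, one-time payment number, dynamic per-transaction code, real card number held only by the issuer) is added here for illustration; it is not Apple's or any card network's actual protocol, and the use of an HMAC over a transaction counter and amount as the dynamic code is an assumption of this example.

```python
import hashlib
import hmac
import secrets

def dynamic_code(device_key: bytes, counter: int, amount_cents: int) -> str:
    """Per-transaction code over the counter and amount (HMAC; an assumption of this model)."""
    msg = f"{counter}:{amount_cents}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:8]

class TokenVault:
    """Issuer-side vault mapping device account numbers (DANs) to real card numbers."""
    def __init__(self):
        self._entries = {}   # DAN -> [real PAN, device key, highest counter accepted]

    def provision(self, pan: str):
        """Enroll a card: return the DAN and key for the phone's secure element; the PAN stays here."""
        dan = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._entries[dan] = [pan, key, 0]
        return dan, key

    def authorize(self, payment: dict) -> str:
        entry = self._entries.get(payment["dan"])
        if entry is None:
            return "declined: unknown token"
        pan, key, last_counter = entry
        if payment["counter"] <= last_counter:
            return "declined: replayed transaction"      # one-time numbers cannot be reused
        expected = dynamic_code(key, payment["counter"], payment["amount"])
        if not hmac.compare_digest(expected, payment["code"]):
            return "declined: dynamic code mismatch"     # amount or counter was altered in transit
        entry[2] = payment["counter"]
        return "approved, card ending " + pan[-4:]

def device_pay(dan: str, key: bytes, counter: int, amount_cents: int) -> dict:
    """What leaves the phone for the merchant: DAN, counter, amount, code. No PAN, no CVV."""
    return {"dan": dan, "counter": counter, "amount": amount_cents,
            "code": dynamic_code(key, counter, amount_cents)}
```

A captured payment message is useless to a merchant-side attacker: replaying it trips the counter check, and changing the amount invalidates the code.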





To make a payment using his default card, user does not
need to open an app or “wake” the phone, because of the
NFC antenna
Holds iPhone near merchant’s contactless card reader
Uses Touch ID (home button) to authenticate by
fingerprint
A subtle vibration and beep indicate payment information
has been sent
If user wants to pay with a card other than his default card,
he must first open the Passbook app and select an
alternate card

Card-issuing FIs pay a per-transaction fee to
Apple to be included in Apple Pay
◦ 15bps on credit cards transactions
◦ $.005 on debit card transaction

2,500 FIs have signed on to Apple Pay; 400+
live (8/2015)
◦ Security Service FCU (San Antonio)
 425,000 credit and debit cardholders
 “We are fighting a fierce battle for the hearts, minds and
eyeballs of our members so we want to be relevant and
exciting for them.”—Jim Laffoon, president/CEO, Security
Service FCU
◦ See Apple’s list at http://support.apple.com/en-us/HT6288
◦ See Visa’s list at http://usa.visa.com/clients-partners/technology-and-innovation/apple-pay/financial-institutions/index.jsp

Not ubiquitous; many retailers won’t accept Apple Pay

8m POS in the U.S.
◦ As of 3/9/2015: Accepted at nearly 700,000 U.S. merchant locations, acc. to
Apple
◦ 7/2015: Anticipate 1.5m+ locations by EOY 2015
 How does Apple define a “location”? Acceptance terminal?
 Many of those are vending machines

Number of iPhones in consumers’ hands
◦ Originally only iPhone 6 and iPhone 6+, but now…
◦ Apple Watch enables payments (must be paired with the iPhone to do so).
 Will extend Apple Pay to iPhone 5, 5c, and 5s
 “opens up Apple Pay to over 69% of devices on its OS” (Javelin)
Image credit: Apple Inc.

Will “a rising tide lift all boats”?
◦ Will uptake of Apple Pay also encourage merchant
acceptance of Google Wallet and MCX/CurrentC?

What role for community banks and CUs?
◦ Cards loaded to Apple Pay are accessed through
Passbook, which selects the first card enrolled as
the default card.
◦ How will an FI stand out; provide a compelling app
so members will choose their card for mobile
payments?

Interchange?



As Apple Pay grows, will Apple be content w/
15bps per credit card transaction/5c for debit
transaction?
As Apple Pay grows, will Apple be content to not
collect/ monetize customer transaction data?
As we continue to move away from plastic cards,
will FIs be able to instantly issue card accounts
into Apple Pay?
◦ “…that will move the market for us.”—Jason Tinurelli,
U.S. Bank’s SVP retail payment solutions, digital strategy
and innovation
Quoted in “Mobile Makes Headlines, But Plastic Makes Progress,”
by David Heun, PaymentsSource, Apr. 13, 2015


“Samsung Pay” will be available on the Galaxy
S6 and S6 Edge in September
2/2015: Samsung announced purchase of
LoopPay
◦ “Magnetic Secure Transmission”
◦ Users able to pay for purchases at 90% of mag-stripe payment terminals, as well as NFC terminals
◦ Could help Samsung Pay gain merchant acceptance
quickly compared to Apple Pay

Participants:
◦ Visa, Mastercard
◦ US Bank, Synchrony Financial (formerly GE Capital)
◦ In discussions with AmEx, BofA, Citi, JPMC, others...

Security:
◦ Fingerprint reader
◦ Tokenization

“Samsung won’t charge banks and credit-card issuers transaction fees.”
SOURCE: “Samsung Pay Could Win Over Banks Faster than
Apple Did,” Bloomberg News, Aug. 14, 2015

5/28/2015: Google announced Android Pay

Available “this summer”

Will be the Android solution for in-store and
in-app payments
◦ Google Wallet will be a dedicated person-to-person
(P2P) app for Android and iOS

Will come pre-loaded on new Android smart
phones from Verizon, AT&T, and T-Mobile

Like Apple Pay…
◦ Near-Field Communication (NFC)
 …but Host Card Emulation (HCE) variant of NFC
◦ Tokenization
◦ Fingerprint authentication

Merchant Customer Exchange (MCX)/ CurrentC
◦ Merchant-driven
 7-Eleven, Southwest Airlines, Wal-Mart, Target, etc.
 Merchants don’t like interchange infrastructure
 View much of the innovation in mobile payments as simply maintaining the
current credit card/interchange model
◦ In development for more than 2 years; now testing
◦ No launch date announced, but perhaps 2015?
◦ QR code not NFC, but few details have been provided as to how its
technology will work.
◦ Paydiant technology [3/2015: PayPal acquired Paydiant]
◦ FIS (Fidelity Natl. Information Svcs.) will provide payment processing,
routing and settlement
◦ Piloting in Columbus, OH
Matt Davies, AAP, CTP, CPP
Payments Outreach Officer
Federal Reserve Bank of Dallas
Phone: 214-922-5259
E-mail: matt.davies@dal.frb.org
Follow us on:
@DallasFed
DallasFed