PCI's Leach on Fed's Fast Payment Plan
Sizing Up the Impact on Card Payments
The Federal Reserve System has revealed its plan for revamping the U.S. payments infrastructure to push the industry toward faster payments mechanisms that more closely resemble the models in other global markets.
But Troy Leach, chief technology officer of the PCI Security Standards Council, says that while the Fed's proposal for faster, and in some cases real-time, transactions sounds great for ACH and wire transactions, it may not translate so easily for credit and debit transactions. That's because not all payments are transacted in the same way.
The Fed's plan for faster ACH and wire transactions makes sense, he says, because those transactions are easier to authenticate and verify in real time.
But in the card space, real-time authentication and verification won't be that easy to accomplish, Leach says in an interview with Information Security Media Group. Credit transactions, by their nature, are not processed in real time, which offers a certain level of security for the cardholder, he says. Fraudulent transactions can be disputed or "charged back." In a real-time transaction-approval environment, that kind of transaction review would not be possible.
And while debit transactions may be faster than credit because funds for debits are typically withdrawn from a cardholder's account within 24 hours of the transaction being conducted, they are not approved in real time either, which gives the bank or credit union additional time to review a transaction before approving it.
"There is a reality that the methodology for securing payments in a much faster environment has its advantages, because you're going to be doing a lot more online authentication, and there'll be more rapid engagement of validating that authentication, which is a good thing for security," Leach says. "At the same time, obviously, we don't want to move so fast that the criminals find some sort of gap because we're moving so fast that we just can't keep up with the criminals."
The Fed has not issued any fast-payment mandates, Leach points out. And it's encouraging the private sector to spearhead many of the initiatives it has outlined, pushing for cross-industry collaboration to ensure that all parties' voices are heard, he says.
"If you look over the last 24 months or so, you see that we have had a very large increase in information sharing across the board, from the retailers and their ISAC, to the financial services and the FS-ISAC, to law enforcement."
Last year, a Payments Security Task Force, comprising leading banking institutions, payment networks and others, was established to drive information sharing about payment card security, Leach says. So the Fed's plans for more collaboration fall right in line, he says.
And cross-industry collaboration will address some of the problems the Fed did not tackle in its plan for real-time payments, Leach contends.
Emerging Payment Channels
Achieving real-time payments across varying payment channels will prove daunting, he explains. Toss in the challenges posed by emerging payment technologies, such as mobile, and the hurdles the industry has to jump become even more formidable, Leach says.
That's because not all payments transactions can be authenticated in the same way.
"They didn't address how we address new payments channels," he says. "We may not be able to accept credentials in the same way for all channels."
This is where standards for authentication, tokenization and encryption play a role, Leach notes. And the PCI Council can help build consensus around the standards that advance the Fed's efforts, he says.
"There is opportunity for us to bring all of the players together to find ways to target where criminal activity is happening, where fraud points are going to continue to be a problem, even after the adoption of EMV in the United States, and how the PCI Council can play a role."
In this interview, Leach also discusses:
- Why the industry doesn't need to create new standards for authentication and tokenization;
- How the PCI Council is ensuring it's updating security standards and recommendations more efficiently in the face of emerging threats; and
- What security challenges EMV chip-and-PIN transactions pose for mobile payments.
In his role as CTO and lead security standards architect for the PCI Council, Leach has developed and implemented a comprehensive quality assurance program. Before joining the council, he led the incident response program at American Express, where he reviewed more than 300 cases of account data compromises. Over the past 18 years, he has held positions in systems administration, network engineering, IT management, security assessment and forensic analytics.