Rippleshot Blog

Just a few short months ago, NACHA put in motion a multi-year multi-phase plan to make ACH payments settle in the same day they’re originated. This past September, ACH credits were first made available for same day settlement, with the receiving depository financial institution (RDFI) making the funds available by the end of their processing day. In phases two and three of this rollout, debits will also be settled same day, and funds made available at 5:00pm local time for the RDFI. It goes without saying that as the time available to settle payments decreases, the opportunity for fraud increases, but it’s also important to understand what exactly “same day” means, what opportunities for fraud detection are available, and what the landscape for ACH fraud looks like moving forward.

This article was first published in Let's Talk Payments on January 5th.

The year 2016 saw the aftermath of EMV implementation impacting financial institutions, merchants and consumers across the US. Though many expected to see a number of positive benefits from EMV, those benefits didn’t include a reduction in the number of merchant compromises or fraudulent activity.

As 2017 kicks off, we’ve taken a look back at the key trends in the fraud and data breach space over the past year – what we learned and what’s to come in 2017.

The continued rise in e-commerce fraud as an expected result of the EMV implementation has put a laser focus on existing fraud solutions in the industry - and their shortcomings. 3D Secure was created over fifteen years ago as a way to increase security for online payments, but has seen its fair share of criticism from all parts of the payment spectrum. In October, EMVCo released the long awaited updated specifications for 3D Secure 2.0. Follow along as we highlight what’s new, important and noteworthy in this much anticipated release.

Although version 3.2 of the PCI Data Security Standard (PCI DSS) was released over half a year ago, its impact will stretch much further into the future. In a way, the strategic introduction of the standard is the most noteworthy element about it. There are a few essential changes, but the projected runway provides more than enough time for organizations to brace themselves. As Payment Card Industry Security Standards Council's CTO Troy Leach stated in an interview, he believes the postponed update will give organizations the time they need to effectively implement security processes that help mitigate against cyberattacks. However, this does not mean that companies are off the hook, as today’s “most advanced” security technology can become a vulnerability to exploit for tomorrow’s cyber criminals. Follow along as the Rippleshot Team looks at The Key Highlights of PCI DSS 3.2.

It’s safe to say that 2016 has been a year of heightened turmoil for the payments and security industry. With the aftermath of EMV implementation, a sharp rise in data breaches, and unprecedented fraud losses by issuers, we know that this year has kept you busy. The good news is, we’re here to help. In order to save you time, we have compiled a list of key statistics that paint the bigger picture of the industry as a whole. Follow the Rippleshot Team as we take you through the Top 11 Stats of 2016.

A hidden gem, the Monthly Complaint Report by the Consumer Financial Protection Bureau (CFPB) helps uncover problem areas impacting the financial products and services industry in the eyes of the consumer. Whether it be consumer loans, bank accounts/ services, payment cards, debt collection, payday loans, or fraud, the CFPB has handled over 930,700 consumer complaints as of July 2016, including 24,500 in June itself. Through a careful compilation and analysis of such consumer complaints, the CFPB has been able to discern a “high-level snapshot of trends in consumer complaints”. Follow the Rippleshot Team as we review highlights from the report and discuss customer sentiments surrounding financial products and services.

We knew this was coming when the Federal Reserve issued guidance applying the Customer Identification Program (CIP) to prepaid cards in March of this year. Customers are able to reload prepaid cards, use direct deposit and in some cases, receive overdraft protection, which the federal agency determined enough for it to be considered an account relationship. And now that reloadable prepaid cards are considered an account relationship, it’s not surprising that the Consumer Financial Protection Bureau recently issued new rules requiring fraud protection support for those using them.

We know it’s hard to believe, but sometimes even your beloved customers have malicious intentions. According to a newly published whitepaper by Radial, the majority of eCommerce fraud originates from cyber criminals, who use compromised payment data to make unauthorized transactions, and make managing eCommerce fraud extremely challenging. Merchants are forced to constantly balance risk exposure with customer disturbances, heavily invest in fraud detection technologies, and dedicate resources to preventing fraud. However, what happens when the customer is the one committing fraud? Commonly known as “friendly fraud”, this type of first party fraud is when customers transact online, and then claim their purchase was unauthorized. Follow the Rippleshot Team as we quantify how much friendly fraud has been costing merchants (quick teaser- billions), and the steps merchants should take to avoid it.

During March, the Rippleshot Team covered the top locations and trends of e-commerce fraud in a previous blog post, outlining where both the fraudsters and victims of fraud were located. Much of our focus was on warning financial institutions that EMV implementation was not the cure-all to fraud, as fraud, and its impact of customers, was not going anywhere. Some listened, while some countered that their “fraud losses were lower than ever because of EMV”. So although we don’t like to say we told you so…we told you so. Experian’s latest report, published right around the 1-year anniversary of the EMV liability shift, projects 2016 e-commerce fraud attack rates to be at least 15% higher than last year’s total. Learn the Top 10 Riskiest Zip Codes for shipping and billing fraud in our latest blog- “The Where and What of E-Commerce Fraud”.

Bad news. Ransomware is back with a newfound vengeance. Many of us know ransomware to be a notorious form of malware that prevents users from accessing their own systems, either by locking a user from a system entirely (locker ransomware), or encrypting user files on an affected system (crypto-ransomware). In either case, users are forced to pay a ransom in order to restore functionality and access, many times to the tune of thousands of dollars. Although ransomware dates back to 1989, its practice has ebbed and flowed in its prevalence over the years. However, it is clear that 2016 has seen a marked increase in the frequency, cost, and effectiveness of ransomware incidents. Follow the Rippleshot Team as we document the return of ransomware and its impact on the cybersecurity landscape of 2016.

The CFPB’s wide-ranging jurisdiction over the consumer financial industry has had banks and credit unions worried about potential punishment and fines for years. Up until this point, the vast majority of their enforcements have focused around credit card policies, lending and debt collection. But this summer’s enforcement against payment processor Intercept Corp. is the agency’s second big lawsuit against an entity for ignoring “clear signs of brazen fraud,” sending a clear signal that turning a blind eye to these practices is unacceptable.

Quite a bit, it turns out. According to PYMNTS’ Global Fraud Index, from the first quarter of 2015 to the first quarter of 2016, the dollars at risk per every $100 in online sales rose from $1.89 to $7.30, an increase of nearly 400%. Countless publications predicted an increase in fraud in 2016 due to the impact of the messy and slow implementation of EMV, but few, if any, predicted a jump quite like this.

No surprise here. Pulse Network’s 2016 Debit Issuer Study cites an across the board increase in fraud losses for all types of financial institutions from 2014 to 2015. But where’s it all coming from? How will mobile payments impact the debit market? And what sort of growth is expected over the coming years? We cover it all ahead:

“Those who cannot remember the past are condemned to repeat it”.

This quote couldn’t hold more true when it comes to the EMV liability shift in America. Cybersecurity experts are perplexed regarding the future, scrambling to find clues in order to predict the who, what, when, and why of the EMV roll-out. What they don’t know is that the answers may actually lie within the past, or across the Atlantic Ocean. Most Americans are quick to forget that we were actually one of the latest to adopt the EMV standard, following suit after Africa, the Middle East, Asia, Latin America, and almost all of Europe. So when it comes to painting a picture of the aftermath that will result from widespread adoption of EMV protocols, why don’t we examine our international counterparts more closely? Join us as we discuss European history surrounding EMV adoption, fraud trends that will carry over to America, and the implications of widespread EMV implementation in our latest infographic: The Evolution of European Card Fraud.

Chip-card hacking has most likely been around longer than you think. Commonly known as the EMV standard, which represents the card network consortium of Europay, Mastercard, and Visa, the chip-based card technology has been widely adopted in virtually every global market (except for the U.S. until recently). EMV was born in 1994, when the three international payment systems sought to develop a global chip specification for payment systems, and the first production version was released in 1996. By embedding a secure chip into a plastic payment card, EMV technology enhances the overall security of debit/credit cards, overshadowing the effectiveness of the traditional magnetic stripe-and-swipe. In addition to replacing the outdated signature with a more secure PIN (personal identification number), the chip card utilizes cryptographic processing to create an ID that is unique to every transaction, as opposed to displaying sensitive account and payment information. However, the common misconception is that EMV is the “be all, end all” of payment security- this couldn’t be further from the truth. Find out how chip-card hacking has evolved from a replacement of internal hardware to sophisticated ATM shimming software as the Rippleshot Team explores the history of chip-card hacking.