Monday, August 18, 2008

2008 Debit Issuer Study Released by Pulse

Debit Rewards on the Increase, Increased Interest in Alternative Payments...

PULSE is pleased to make available to its participating financial institutions an executive summary of the 2008 Debit Issuer Study. The study, conducted by Oliver Wyman, is the third comprehensive debit industry analysis commissioned by PULSE.

The 2008 Debit Issuer Study explores debit card issuer performance in a variety of areas, including transactions, interchange, rewards, fraud, ATMs and prepaid cards. In addition to these performance metrics, issuers commented on key opportunities and challenges anticipated for 2008.

Access to proprietary research such as this is one of the important benefits of PULSE participation. To obtain your copy of the 2008 Debit Issuer, click here. (login is required).

Here's an overview:

"Surcharge-free ATM access is gaining in popularity among debit card issuers as they explore new ways to better serve cardholders, according to the 2008 Debit Issuer Study, commissioned by PULSE. Financial institutions also are increasingly offering debit rewards.

The 2008 Debit Issuer Study, conducted by Oliver Wyman, provides new data and comparisons to the results of the 2007 Debit Issuer Study, released in February 2007. This comprehensive survey offers a revealing look at debit issuer performance, debit card trends and the latest debit technologies and service offerings.

“Although growth in debit use remains strong, debit card issuers are broadening their electronic payment services to include new payment devices, targeted cardholder perks such as surcharge-free programs, and greater levels of service,” said Cindy Ballard, PULSE executive vice president. “Based on survey responses, we expect this trend to continue over the coming years.”

A total of 62 financial institutions participated in the study, including large banks, community banks and credit unions that collectively issue more than 74 million debit cards, or 28 percent of U.S. debit cards. The institutions also represent 46,000 ATMs and are balanced across institution size, type, geography and network participation.


Among issuers surveyed, 56 percent have cards that participate in a surcharge-free ATM network, while 84 percent of credit union respondents offer surcharge-free ATM service to their members for certain “off-us” transactions (transactions made by an issuer’s debit cardholders at ATMs owned by other issuers or organizations). Additionally, many financial institutions (48 percent of respondents) offer reimbursement of ATM surcharges, but usually to only a portion of their cardholders. Of the institutions that reimburse ATM surcharges, 45 percent limit total monthly per-cardholder reimbursements.

Other findings related to ATM programs included:

ATM transaction activity is increasingly “on-us” (transactions made by an issuer’s debit cardholders at the issuer’s ATMs), further limiting cardholders’ exposure to surcharges.
“Active” debit cardholders (most commonly defined by respondents as those that have made a signature debit transaction within the past 30 days) perform an average of 3.4 ATM transactions per month.

Heavy ATM users also tend to be heavy debit card users, implying that cardholders do not consider the “cash back” option often available with PIN debit transactions at the point of sale as a substitute for ATM withdrawals.

Debit Rewards

Offering a debit rewards program can have a variety of benefits for card issuers, including an increase in transaction volumes, differentiation from competitors and promotion of debit card use.

The availability of debit rewards has increased significantly since the previous PULSE study, with 51 percent of respondents now offering rewards, compared to 37 percent in 2006. An additional 23 percent of issuers surveyed say they are considering adding a rewards program.

The increase in debit rewards is driven mainly by a growing interest in cash rewards, which are now offered by 42 percent of respondents that have debit rewards programs, compared to 16 percent in 2006. Points-based rewards are the most common program type, offered by 58 percent of the institutions that have programs. Merchant-funded rewards programs are gaining in popularity and far out-pace other program types in terms of cardholder engagement (83 percent).

“Cardholder engagement remains a key challenge for debit rewards,” said Tony Hayes, an Oliver Wyman partner, who served as project lead on the study. “A sizeable portion of institutions we surveyed are planning to revamp their rewards programs in 2008 to generate greater customer participation and increased return.”

Emerging Payments

The 2008 survey is the first Debit Issuer Study to address emerging payments technologies. Although all emerging payments options have benefits, each faces significant growth challenges, says Hayes:

Contactless cards – Ten percent of respondents currently offer contactless debit cards (cards equipped with a device enabling the user to tap the card rather than swipe it). Another 35 percent say they plan to introduce this capability in the future. Of those that offer contactless, only 24 percent of their cardbase is contactless, on average. Key barriers to contactless adoption are low merchant acceptance, unfavorable cost/benefit ratios and low demand.

Mobile banking – Fifteen percent of respondents currently support mobile banking, and another 28 percent say they are planning to introduce it “soon.” With the technology still in a state of development, most issuers are taking a measured approach.

Mobile payments – Mobile payments (the technology includes mobile phones equipped with payments-enabled chips, as well as message-based payments) is largely in the research phase, with 56 percent of issuers exploring the possibility of implementing it.

“The 2008 Debit Issuer Study offered intriguing insights into financial institutions’ interest in and adoption of emerging payments technologies,” said Ballard. “In the coming years, increased use of such technologies will play a key role in helping issuers grow their electronic payments businesses.”

Sorry Charlie...The Cat's Outta the Bag

Last week I wrote in a post entitled "Sorry Charlie...You've Been Hacked" I talked about the two MIT engineering students who were hit with a restraining order which prevented them from delivering their talk on vulnerabilities that they found in Boston’s subway fare card system.

The Massachusetts Bay Transit Authority took legal action just before the students were going to discuss generating fare cards, reverse-engineering magnetic stripes, and hacking the RFID technology in the cards.

the very same presentation, including the sordid details of their hack ended up leaking (in a prime example of how things sometimes don't work out the way you envision them)...through the very same public court filings the MBTA submitted in an effort to keep them sequestered. Here are the presentation slides

Now, I'm no techie/tekkie? (see I don't even know how to spell it) but I know a little bit about magnetic stripes and RFID, and I found the presentation to be most interesting, so take a look if you wish. I don't know how long they'll be up there.

In a related matter, now that Defcon 16 has come and gone, I thought I'd share this story from talking a little bit about the event:

All it takes is one look at the Defcon 16 hackable attendee badge to understand the difference between the world’s largest hacker convention and other security conferences.

The hard plastic badge includes its own microprocessor, SD card slot, USB ports, and an LED that can remotely turn off a TV. Defcon attendees could use their badge to hack other peoples’ badges or just wear it as bling. It’s such a hot item that on the first day of the Las Vegas show, the conference session rooms nearly emptied when it was announced that the badges had finally arrived at the registration desk after a shipment delay that morning.

While Defcon and its sister conference Black Hat USA share some of the same organizers, themes, and research hacks, Defcon's emphasis on hands-on hacking and its hardcore hacker culture set it apart. Defcon 16 featured multiple hacking contests, including one run by seasoned hackers who set traps and challenges for the masses trying to infiltrate a server, phone phreaking, and a $5,000 prize for being the last person left awake (and aware) after sitting through 30 hours of vendor pitches.

Interestingly, one of the more compelling research presentations never saw the light of day at Defcon: The MIT Charlie Card, Massachusetts Bay Transit Authority WarCarting Presentation) (see picture on right for what it takes to "warcart")

And for hackers or penetration testers who were feeling a little stagnated in their work, or who are operating on more of a shoestring budget these days, researchers from Errata Security shared some tricks of the trade they have come up with for doing more (hacking) with less. (See 'Bringing Sexy Back' to Hacking.)

Errata’s Robert Graham and David Maynor outfitted an Apple iPhone with WiFi-sniffing tools that they FedEx to their clients’ sites to conduct remote WiFi security audits. They may even up the ante by adding fuzzing and the Metasploit hacking tool to the iPhone as well for more advanced remote penetration tests.

A former Federal Trade Commission (FTC) official gave Defcon attendees tips for what to do (and not to do) after suffering a security breach, as well as how to make nice with law enforcement, which can smooth the way for that day when you have to go public about a breach your organization has suffered. (See What to Do After a Breach.)

Kelly Jackson Higgins, Senior Editor, Dark Reading

Retailers Told How to Stop Scams at the Register

Merchants looking to hold on to their sales have to help protect their customers’ financial information, a fraud expert told a gathering of businesspeople yesterday. Losing that information to data thieves “can be pretty catastrophic, especially for smaller merchants,” said Visa Inc. security expert Lauren Holloway.

Holloway is traveling the country this month and next to review data-security basics with merchants around the country. Her presentations are part of a joint effort by the U.S. Chamber of Commerce and the credit-card giant to help staunch the data breaches that are plaguing businesses and ruining the finances of some Americans.  Electronic payments passed paper checks in usage in 2003 and continue to outstrip the age-old payment method.

“It’s one of those issues that can reach out and hit anyone at any time,” said Laurie White, president of the Greater Providence Chamber of Commerce, which cosponsored yesterday’s presentation with the U.S. Chamber and Visa Inc.  Yesterday’s presentation is a timely one, coming a week after 11 people, including a U.S. Secret Service informant, were charged in connection with the hacking of nine major retailers and the theft and sale of more than 41 million credit- and debit-card numbers. 

The data breach is believed to be the largest hacking and identity theft case ever prosecuted by the Department of Justice, which charged the suspects with conspiracy, computer intrusion, fraud and identity theft. The indictment returned last week by a federal grand jury in Boston alleges that the suspects hacked into the wireless computer networks of retailers including TJX Cos., BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW and set up programs that captured card numbers, passwords and account information.

In the case of TJX Cos., which operates TJ Maxx, Marshalls and other chains, hackers stole data on at least 45.7 million credit- and debit-card customers. A banking group that has filed suit against TJX Cos. alleges that more than 94 million accounts were affected.  Attorney General Patrick C. Lynch noted the breach at Framingham, Mass.-based TJX Cos. Inc., which occurred last year, and two others that affected Rhode Islanders — last year’s Stop & Shop PIN pad case and the ChoicePoint data loss in 2005.  Ross-Simons and CVS Corp. also have dealt with data-security issues in the last three years.

In the Stop & Shop case, four men diverted $132,000 from 1,100 bank accounts, using information stolen from the supermarket chain’s stores in Coventry and Cranston.  The 2005 breach at ChoicePoint Inc. compromised the financial data of as many as 145,000 Americans. In the scam, thieves posing as small-business customers gained access to the company’s database and at least 750 people were defrauded, authorities said at the time. According to the data-warehousing company, 1,122 Massachusetts residents and 203 Rhode Island residents may have been victims. The breach led to a change in Rhode Island law, which now requires businesses to disclose breaches to the public in a timely manner.

Small-business merchants accounted for more than 80 percent of the data-security breaches in 2007, according to an analysis by Visa (V:NYSE), the San Francisco-based company which operates the world’s larges retail electronic-payments network. The incidents are worrying consumers, Lynch and Holloway said. The consumer protection unit in his office handles about 40,000 questions from people annually, Lynch noted. “Never before, until this year, was identity theft in the top 10 — it shot right up,” Lynch.  Holloway agreed. “Consumers are definitely concerned; they’re more cautious about how they use [payment cards],” she said.

One simple way to protect customer data is to make sure checkout registers and electronic-payment pads are collecting only that data needed to process a payment and deleting any customer personal data as soon as it’s no longer needed, which could be instantaneously in most instances. The storage of full magnetic stripe information, security codes and PIN data is prohibited by industry agreement. Also, merchants need to train their salespeople to spot suspicious purchases, whether the transactions are made in person, over the phone or online.

Disqus for ePayment News