How can real-time payments be secured?
By David Worthington, vice president of payments, Rambus
In today’s on-demand world, we expect to be able to spend, move and receive money instantly.
For this reason, real-time payments (RTP), also known as ‘faster payments’ or ‘instant payments’, are gaining momentum globally. Accenture estimates that there are now 35 countries with real-time payment schemes in operation or under development.
With account-based fraud on the rise, however, the move from standard to real-time transactions is causing significant security challenges for central banks and clearing houses.
Understanding account-based fraud
Most fraudsters will usually follow the path of least resistance.
The success of anti-fraud measures like EMV chip, EMV 3-D Secure and payment tokenization in mitigating card fraud in-store and online means fraudsters are turning elsewhere.
For various reasons, demand deposit account (DDA) credentials, which relate to current, savings or checking accounts that are used for direct credit transactions through automated clearing house processing, are an increasingly attractive target.
DDA credentials are already stored in their raw form across various locations, such as e-commerce websites, mobile and P2P wallets, invoices and payroll.
While the frequency and public awareness of ACH fraud is much lower than credit and debit compromises, the average value of unauthorized ACH transactions is actually much higher. This creates the potential for very large value frauds, and even systemic attacks against national payment systems.
Despite the threat, many central banks don’t actively monitor some of these types of fraud, with losses below a certain limit written off as a cost of doing business.
The move from standard to real-time transactions adds another layer of complexity and creates further opportunities for fraudsters. Quicker transaction times increase the chances of fraudulent transactions going undetected.
Faster payments = faster fraud?
This is because banks currently rely on a layered approach combining various techniques. But somewhat surprisingly in today’s automated world, checking payment mandates and unusual account activity manually remains a mainstay of the traditional clearance process.
The problem is, manual review is simply not feasible when the clearance time for account-to-account transactions is measured in seconds, not days.
Importantly, fraudsters recognize the challenges facing banks when transitioning and are ready to exploit any vulnerabilities as soon as a RTP scheme goes live.
Banks need to get ahead, be proactive and protect the account data itself, rather than simply be reactive and wait for the fraudsters to strike.
Securing real-time payments with tokenization
Tokenization has been hugely successful in safeguarding payments in-store and online by replacing the consumer’s primary account number (PAN) with a unique payment token that is restricted in its usage, for example, to a specific device, merchant, transaction type or channel.
By removing account numbers from the transaction process entirely, tokenization can significantly reduce the risk and impact of account-based fraud to support the development of a safe and secure instant payments framework.
The good news is that tokenization is easily transferable to account-based transactions, is complementary to other anti-fraud measures, and is easily compatible with existing systems.
Account data, faster and safer
For banks, ACH fraud represents a bigger financial risk than card fraud and is going to become harder to manage as real-time payments become the norm. The ecosystem must work to mitigate fraud before it has been attempted. Tokenization, therefore, is primed to play a pivotal role within the broader security mix.