Podcast: Play in new window | Download
The following is a transcript of the episode
Ryan McEndarfer, Editor of PaymentsJournal
Welcome to the PaymentsJournal podcast. I’m your host Ryan Mac. On today’s episode we’re going to be talking about protecting account-based payments in the real world, and to help me with this conversation I have Dave Worthington, the VP of Payments at Rambus. David, welcome to the podcast.
Dave Worthington, VP Payments at Rambus
Ryan, pleasure to be here.
Ryan McEndarfer, Editor of PaymentsJournal
Excellent. Now to get things started, why don’t you give our audience a little bit of an introduction about Rambus?
Dave Worthington, VP Payments at Rambus
Yes, certainly. So, Rambus is a U.S. Nasdaq-coded company that came from a background in intellectual property, mainly securing things related to memory and serial buses going back far enough, and basically innovations all around making things better for most of the household names you know in terms of mobile handsets, PCs, and a number of other devices. The underlying the intellectual property that we license into them helps things work faster and more securely. Over the years we’ve moved out from just doing the very technical and intellectual property development into areas more related to actual security core services around those which now take us into the securing of the IoT space. And over the last few years, Rambus acquired some companies that make up the Rambus security division, which includes payments and ticketing, which in their own right have quite long-running heritages, which do lots of things around securing mobile payments, EMV cards, and ticketing–smart ticketing in various forms. So it’s a split between things in the data center and on the hardware level and then securing stuff out at the mobile edge, which is all of the applications of things around like payments and ticketing.
Ryan McEndarfer, Editor of PaymentsJournal
Excellent. Thank you very much for that. Now let’s dive into talking about the subject of fraud here. So how is fraud impacting account-based payments?
Dave Worthington, VP Payments at Rambus
Yeah. Well probably first clarifying in terms of the scope of the account-based payments: So effectively you’re looking at anything where it’s an account to another bank’s account transfer, and that can be anything from the large-value bank-to-bank transfers and corporate-related activities, payroll billing – credit card bills, for example, are charged to accounts – and any other form of interbank payment or transfer, whether you’re moving money between your accounts and different banks, paying small fees to other people, or even just transferring stuff to pay your children at college.
Secondly, there are number of fraud scenarios, but basically they boil down to substituting account numbers, so inserting an alternate false account number into the payroll, or into the biller direct debit list, or even the bank account system itself. And some of these have been for very significant published amounts, so certainly at larger end of the scale, highly published incidents in terms of frauds in the Bangladesh, Mexico markets. But for a lot of markets they’re just a normal part of this happens occasionally. On the second side in terms of that, you’ve also got the basically more the cunning fraud, where somehow somebody manages to get you to unwittingly change the number you’re paying to and then a while later you realize you haven’t paid the right person. Fake requests to pay to all sorts of consumers, which because it seems to have come through the right channel which you’ve reply to. And some quite complex business email compromises that have large corporates paying out significant fees to suppliers or even in terms of what they thought were taxes and then they disappear into somebody else’s account and the fraudsters have got it.
Ryan McEndarfer, Editor of PaymentsJournal
Excellent. You’ve heard the phrase here before in terms of real-time and faster payments. With faster payments, you’re going to have faster fraud. How does real-time or faster payments make it even more challenging?
Dave Worthington, VP Payments at Rambus
If you take the banking systems, they came from a background, particularly from check and then moving into automated clearing houses etcetera. They have multiday settlement period. And during that settlement period where in the past they could wait anything between 2 to 3 days before the money would actually finish transferring and you got it and could spend it. There were a number of checks that could be done. Even if that speeded up a little bit as has been the general policy for all the banks, you still had at least part of a business day in which large batch systems could run fraud and risk profiles, generate large lists of suspect transactions, and then manual intervention could happen where people could go in and even if it was only a half of business day, check some of those maybe even phone up the customer and say, “Do you really want to pay this money out of your account to this other person?”
Real-time payments, where you’re talking 15 seconds or so, those batch systems cannot run the checks, there’s no triggers, and there’s definitely no time for those manual checks to go. So you lose more in some countries where certainly a large proportion of what they relied on to weed out the more easily spotted suspect transactions. The other thing with real-time payments is it’s very much direct credits. So it’s a push transaction, so it’s basically an onus on if you said, “Pay this account,” if there’s something wrong with it, it’s your fault. So it makes it more difficult.
Ryan McEndarfer, Editor of PaymentsJournal
Great. Now, Rambus is a tokenization expert, so what role can this technology play?
Dave Worthington, VP Payments at Rambus
At the theoretical level what you’re taking is you’ve got a unique sensitive piece of data – the bank account – that’s very difficult to change. It might be relatively simple to change something like a credit card by saying, “It’s been breached, and send me a new one. And in the intervening 3 to 10 days, I’ll probably start using something else in my wallet.” If you walk into a bank and say, “There’s been a fraud on my account. Please give me a new account number,” you’re going to get a very strange look from the person on the other side of the desk because they’re just not built to do that kind of thing. So what happens is you replace that sensitive, unique piece of data, the account number, with multiple tokens, which look just like accounts and process like accounts without the underlying sustaining systems being impacted. But those tokens are each relation specific. So I have a token between me and whoever is paying my salary on their payroll system. I have another token for each of the billers who are accessing my direct debit accounts for me to pay all of my different monthly bills. And then different tokens I can use – for me to use to randomly send money to different members of my family at various stages and other people I might know from a purely one-off relationship of having to pay my half of a business dinner or something. Not only are those tokens unique to relationships, so if you have any form of breach, then it’s only that relationship that’s impacted. That token can’t be really used for anything else, but the token can have attributes, or what we call the main controls, that you can actually check systemically as part of any transaction that goes through the system and say, “Okay, this is the token used to pay government for taxes, and the account that’s being paid to from this specific thing isn’t a government account, so that’s not right.”
Ryan McEndarfer, Editor of PaymentsJournal
Keeping with the tokenization subject, how does tokenization fit into a bank’s fraud prevention measures?
Dave Worthington, VP Payments at Rambus
You’ve got a number of different areas. At the base level, you can just systematically have each transaction going through the system a little bit like in the card world what’s happened in e-commerce and replacing card on file with tokens on file for those properties of making them relationship specific, You can start to push through each time a regular billing occurrence happens or anything, a replacement account number to go in that system, so tokens to propagate around it. You can then also more proactively say, “Okay, I want to be able to have my banks and their consumers through the business banking clients or the consumers’ mobile banking application actively say, “I want a token for this” and then give it to whomever the third party is for any new payment relationship. And consumers and certainly corporates are much happier if they understand that there’s a level of security that then in some countries being forced in order to pay for a mobile person-to-person transaction, reciting to some other person their 27- to 29-digit International banking account number for a $2 Starbucks order or whatever it might be.
It’s really about just basically pushing out what services people would like and enabling those tokens to get into the space. For the most part, where it is account to account, it looks like a bank account number, but when you then get into the directory services and enabling new things such as mobile person-to-person, or it could be some form of corporate system for dealing with suppliers, you can potentially use other formats that only get translated back to accounts of the form when they touch the directory service.
Ryan McEndarfer, Editor of PaymentsJournal
Great. Now I think that you briefly touched upon this, but I’d like to kind of go a little bit deeper into it. Now is security and fraud prevention really the only benefit of tokenization?
Dave Worthington, VP Payments at Rambus
No. I mean there’s a couple more benefits. One of them is to some extent that you’re protecting your credential by giving it a relationship-specific one. If you treat the account as being part of your personally identifiable information, by replacing it with tokens in all of the different databases that have your payment information, there’s a level of privacy that’s going in there. And certainly from the directory services point of view, tokenization is a strategic tool to let national initiatives or even bank-specific initiatives using that solution for enabling new services. So, we talked about mobile P2P. There’s a number of countries that don’t currently have some of the major players in that space, whether it’s the various OEM pays or some of the prepaid schemes that either don’t want to wait until they come or the banks have said: “We’d like to offer some services ourselves,” and to do that if we’ve got a directory service on the underlying account-to-account basis, we can start doing mobile person-to-person and use that for whenever we need to fund money into the system or pay money out into a bank account. And certainly for corporates and other areas, there’s a whole level of new services that we could offer that fit right on top of the rails for just doing account-to-account payments.
Ryan McEndarfer, Editor of PaymentsJournal
From the view the central banks’ payments infrastructure, where does this fit in and who benefits?
Dave Worthington, VP Payments at Rambus
Well, in terms of benefits, it’s one of those things that it’s a national or industry benefit because at the moment your central processor might say, “If you give me valid account numbers and tell me to push a transaction from here to here, I will do it.” And if it processes ticking the box. And when you later find out that the account holder that’s pushed the money out, or conversely for direct debit, expected all that money to come in, hasn’t got it and it has gone somewhere else, well the system’s not failed, but somehow the wrong account’s been paid. And those kinds of frauds can be all sorts of things, but the issue for that nation, that system, and the different ways it can be impacted. If you take some of the large fraud where nationally where tens if not hundreds of millions have suddenly disappeared out of the banking system – (a) that’s a lot of money going to criminals for various purposes, (b) somebody’s got to pay for that in some way, and it might end up being the end account holders; it could be the banks, and those banks may well have reserves of money and or insurance. And for some of the frauds, if it’s under the certain value where it’s basically too expensive to investigate, they just write it off. It becomes a cost of business. Well, if you take the parallel with EMV for payment cards, where that cost of business starts becoming noticeable to the central regulators, they’re going to turn around and say, “You need to make this better.”
One of the issues has certainly been that with EMV in the card payment space, some related mechanisms in terms of card-not-present payments for e-commerce etc., fixing those areas – more and more of the fraud is moving into the account-to-account based payment space, fraud will migrate to the areas where it’s easiest to operate. And the values that goes through those systems are significantly higher in nearly all countries than go through the card networks. As I said, the issue from the point of view is it’s the whole industry, so you then have to come back with a national mandate to fix this, or do the banks own the process, or do the bank say, “We’re losing money directly because of this so we need the processors to fix this.” In terms of where it might lie, you’re then getting to analogous to what happens in terms of the card payments, you have these islands of processing. Usually there will be a central system for a country that does the ACH or real-time payment transactions. And it makes most economic sense for the tokenization to be sent to a service as part of what it’s doing anyway. That’s the least cost in terms of the banks and the most effect. If the individual banks do it, then they can protect themselves with all the bank-to-bank and still process the same issues. So holistically, the industry tends to be better if it’s essentially based around the central processor for those.
Ryan McEndarfer, Editor of PaymentsJournal
Excellent. Now is anyone doing this already?
Dave Worthington, VP Payments at Rambus
We are implementing this with some of the providers who provide those in some countries. We’re not aware of anybody else who’s implemented it as part of any real-time payments or other initiatives that have been done recently in the batch-based ACH space. And we’re not aware of any competitors who are advertising a similar capability. So yes, it’s happening, but so far as we know, it’s only us that’s doing this for the industry at this stage.
Ryan McEndarfer, Editor of PaymentsJournal
All right. Before we wrap things up here, one final question: As we look up 2018 and beyond, what would you say you’re the most excited about seeing in the payments industry?
Dave Worthington, VP Payments at Rambus
I think there’s a lot going on in the account-to-account based payment space anyway. We’ve got a growing trend for some of the payments in each country starting to be moved to the real-time payments space. And one of the advantages of that is you can then offer instead of, in today’s settlement types, slow processes, you can offer mobile person-to-person transactions. You can offer more real-time payments services based on it but using the underlying rails to do it. And there’s certainly a lot of demand in a number of countries for doing that where the banks either don’t yet have the support of the various players who are trying to enable that four-party card schemes or some of the players in that market decided the card-based market is too expensive for people moving money between themselves for small values and not wanting to pay large merchant service commission fees. There’s a lot of requirements for doing more account-to-account and more strategic and more exciting and faster ways where with that and the necessity to be done securely. And it’s been nice, we’ve got existing customers from the card side in terms of our token service provider software that they run for various national and international schemes that have come back to us where they all, say, do account-to-account base payments and said, “It doesn’t make sense to only do one side of the house, and they’ve decided the other side of the house has a lot more value to it. So it’s really exciting in terms of the acceleration of people saying we need to do more with tokenization and you’ve got the capabilities, so we want to do it with you.”
Ryan McEndarfer, Editor of PaymentsJournal
Excellent. Well David, thank you very much for taking the time today for speaking to us about protecting account-based payments in a real-time world, and we hope to have you back on the podcast real soon.
Dave Worthington, VP Payments at Rambus
My pleasure Ryan.