COVID-19 grabs the payments headlines these days because of the high risk credit card issuers will bear as unemployment peaks and no antidote is in sight, but there are other credit card issues to consider as well. So, as we await a decision on how benefits for the U.S. unemployed will be resolved, and the next set of Federal Reserve numbers, here is an opportunity to consider a long-range credit card topic that has been on the table for years.
When a card transaction is captured at any payment acceptance device, data flows from that device to the payment acquirer, then to the network, and on to the issuing bank. After the issuer accepts or declines the transaction, a response message returns to the payment acceptance device along the same path in reverse. This allows the transaction to complete, then clear and settle.
The long-standing format is defined in ISO standard 8583, or, in industry parlance, “Financial transaction card originated messages - Interchange message specifications.” However, as Europe continues to modernize its payments infrastructure, there is a move towards ISO standard 20022.
There are nuances between the two standards, but the quickest way to differentiate them is that ISO 8583 is card-specific, while ISO 20022 is a universal standard. In other words, 20022 would apply to any transaction, whether it be a $10 billion corporate payment or a €1 newspaper purchase made with a credit card. ISO 8583 would only cover the latter transaction.
What brings this geeky topic to mind is a recent Infosecurity magazine article, “How Public Standards Help to Enable Financial Fraud,” covering a talk at the Black Hat USA 2020 virtual conference. An expert from Citi suggests that ISO 8583 does not bring incremental risk, and that recent malware attacks do not mean the format should be discarded.
- The so-called FASTCash malware was first publicly disclosed back in 2018 and has remained active in the years since. Perlow noted that FASTCash is a subset of malware created and executed by threat actors from North Korea, sometimes referred to as the Lazarus Group.
- The way that FASTCash works is that the attackers inject it into a payment switch, and it fraudulently approves what appear to be legitimate ISO 8583 messages from the attackers sitting at bank machines, allowing them to withdraw money. During his presentation, Perlow described how ISO 8583 messages are constructed in a way that the FASTCash attackers have been able to emulate.
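To make the message format and the defensive check concrete, here is an added example (not code from the article, from Perlow's talk, or from any network): a minimal ISO 8583 builder and parser covering a handful of data elements, plus an issuer-side reconciliation that flags approved 0210 responses seen at the switch that the issuer has no record of authorizing, which is the footprint a switch fabricating approvals leaves behind. The field subset, the ASCII/hex-bitmap encoding, and the sample messages are all constructed assumptions; real network implementations differ.

```python
# Added example (not from the article). ASCII data elements and a hex primary
# bitmap are assumed; real networks vary. "LL" = 2-digit length prefix.
FIELDS = {2: "LL", 3: 6, 4: 12, 11: 6, 37: 12, 39: 2, 41: 8}  # PAN, proc code, amount, STAN, RRN, resp code, terminal

def build_iso8583(mti, fields):
    """Serialise MTI + 64-bit primary bitmap + data elements in field order."""
    bitmap, body = 0, ""
    for num in sorted(fields):
        value, spec = str(fields[num]), FIELDS[num]
        if spec != "LL" and len(value) != spec:
            raise ValueError(f"field {num} must be {spec} chars")
        body += value if spec != "LL" else f"{len(value):02d}{value}"
        bitmap |= 1 << (64 - num)          # bit 1 is the most significant
    return f"{mti}{bitmap:016X}{body}"

def parse_iso8583(msg):
    """Inverse of build_iso8583; rejects secondary bitmaps and trailing bytes."""
    mti, bitmap, pos = msg[:4], int(msg[4:20], 16), 20
    if bitmap >> 63:
        raise ValueError("secondary bitmap not handled here")
    out = {"mti": mti}
    for num in range(2, 65):
        if bitmap & (1 << (64 - num)):
            spec = FIELDS[num]              # KeyError: field not in this subset
            if spec == "LL":
                spec, pos = int(msg[pos:pos + 2]), pos + 2
            out[num], pos = msg[pos:pos + spec], pos + spec
    if pos != len(msg):
        raise ValueError("length does not match bitmap")
    return out

def unbacked_approvals(responses, issuer_approved):
    """(STAN, RRN, terminal) of approved 0210s the issuer has no record of."""
    orphans = []
    for raw in responses:
        m = parse_iso8583(raw)
        if m["mti"] == "0210" and m.get(39) == "00":
            key = (m[11], m[37], m[41])
            if key not in issuer_approved:
                orphans.append(key)
    return orphans

# Constructed sample: two approvals seen at the switch, one known to the issuer.
COMMON = {2: "4111111111111111", 3: "010000", 39: "00", 41: "ATM00001"}
GENUINE = build_iso8583("0210", {**COMMON, 4: "000000020000", 11: "000123", 37: "000000000123"})
INJECTED = build_iso8583("0210", {**COMMON, 4: "000000500000", 11: "000124", 37: "000000000124"})
ISSUER_APPROVED = {("000123", "000000000123", "ATM00001")}
```

Running `unbacked_approvals([GENUINE, INJECTED], ISSUER_APPROVED)` returns only the injected response's key; in practice the issuer's own authorization log is the source of truth the switch-side traffic is reconciled against.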
The risk assessment seems well thought out, but where we disagree is on the future of ISO 8583.
- He said that he would never recommend changing the ISO 8583 standard, and it would also be impossible to do so, even if he thought it was a good idea.
- “The ISO 8583 standard is the card payment standard for absolutely everything,” he emphasized.
The reason we think ISO 8583 will not be around in 2030 is that, with the European standard driving the change, coupled with the move towards open banking and faster payments, U.S. financial institutions (and the rest of the world) will need to comply, if only for interoperability. Conversion is a massive effort, but mapping strategies are already in place. Even though credit cards add trillions to the mix of payments, they are simply a part of a much larger transaction picture. Interoperability and real-time payments will likely drive the shift.
Overview by Brian Riley, Director, Credit Advisory Service at Mercator Advisory Group