Consumers and organizations have a variety of options for making and receiving payments. While these payment types share the ultimate goal of transferring funds from payer to payee, the path those funds travel and the approaches employed for safely and securely completing transactions vary. The Secure Payments Task Force developed the Payment Lifecycles and Security Profiles as an educational resource and to provide perspectives related to:

  • The lifecycles of the most common payment types, covering enrollment, transaction flow and reconciliation
  • Security methods, identity management controls and sensitive data occurring at each step in the payment lifecycles
  • Relevant laws and regulations, and other references, as well as challenges and improvement opportunities related to each payment type

The profiles employ a consistent format for describing the lifecycle of each payment type. The lifecycle template is not designed to represent the nuances of specific payment transaction flows, but as a broad taxonomy that can be applied across different payment types for understanding and comparing controls and risks. The profiles are not all-encompassing in describing the layered security strategies that may be employed by specific networks, providers or businesses and shouldn’t be considered an assessment of overall security of different payment types. The improvement opportunities noted in the profiles highlight areas for further industry exploration and are not intended as guidance or specific solutions to be implemented.

These valuable resources were developed through the collaborative efforts of more than 200 task force participants with diverse payments and security expertise and perspectives. It is the hope of the task force that by helping industry stakeholders better understand these payments processes, the security and risks associated with these processes, and potential improvement opportunities, they will be well positioned to take action to strengthen their payment security practices.

Note: These materials were created by the Secure Payments Task Force and are intended to be used as educational resources. The information provided in the Payment Lifecycles and Security Profiles does not necessarily reflect the views of any particular individual or organization participating in the Secure Payments Task Force. The document is not intended to provide business or legal advice and is not regulatory guidance. Readers should consult with their own business and legal advisors.

Feedback and/or questions related to the Payment Lifecycles and Security Profiles can be submitted by using the “provide feedback” form.

Wire Definition: A wire payment (or funds transfer as specified in UCC 4A) is the transfer of funds from the payer’s account at one financial institution to the payee’s account at another financial institution.

Enrollment

Payer ID / Enrollment

Enrollment of a payer includes identity (ID) proofing, management of users (enrollment, de-enrollment, and changes) and determination of authority based on role

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

The originator’s financial institution validates the originator’s identity at the time of onboarding an account.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Payee ID / Enrollment

Enrollment of a payee includes identity (ID) proofing, management of users (enrollment, de-enrollment, and changes) and determination of authority based on role

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

Originator provides the information identifying the beneficiary and the beneficiary’s financial institution. The originator’s financial institution is obligated to adhere to compliance requirements (e.g. AML/BSA) prior to the wire being released.

Overview of Security Methods and Associated Risks

Expand

Transaction*

Payer Authentication

Verification of the payer when originating payments

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

Determined by the originator’s financial institution and may be in-person, phone, internet banking or email to confirm it’s an authorized individual.

Call-back procedure using phone number on record and/or authentication code may be used.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Initiation: Access Mode / Network

Environment in which the payment origination is requested

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

Financial institution may take a request in-person, over the phone, via internet banking, etc.

May include recurring wire agreements.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Initiation: Device / Method Used to Initiate Payment

Type of interaction or device used to enter payment account information

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

In-person, phone, fax, email or internet- accessible device (desktop, laptop, mobile)

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Initiation: Funding Account for Payment

Entry and/or identification of the funding account (with format checks)

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

Cash, debit to an account, or any other means acceptable by the participating financial institution.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Initiation: Payment Initiation Mechanism

Payment network, system and/or third-party accessed

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

Connection to a proprietary network, SWIFT, correspondent bank, Fedwire Funds Service, CHIPS, or funds transfer processors.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Payer Authorization: Payment Network Traversed

“Rails” used to route authorization requests to the holder of the funding account

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Payer Authorization: Transaction Authorization

Determination of whether to approve or decline a transaction including authorization time-frame, obligations, and any recourse decisions

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

Every receiving financial institution in the wire payment flow is responsible for authenticating and authorizing its originator.

Originator’s financial institution verifies cash or balance is sufficient for transmission. Once transmitted, the originator’s financial institution has little to no recourse and the beneficiary’s financial institution may give immediate cash credit for funds received.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Format Exchange

Payment instructions, rules, and formatting

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

Proprietary formats for wire are used but mapping mechanisms are well-established to help facilitate straight-through processing.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Receipt: Acknowledgement / Guarantee

Notification and confirmation of payment completion including terms for use

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

Receiving financial institution does not necessarily provide acknowledgement of receipt to originating financial institution.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Payee Authentication

Mode of access to funds (or accounts)

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

Every receiving FI in the wire payment flow is responsible for authenticating and authorizing its originator.

Beneficiary is verified by the beneficiary’s financial institution, either through on-site verification or through an established account at the beneficiary’s financial institution.

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Clearing and Settlement: Settlement / Exchange of Funds

Actual movement of funds to settle funding arrangements and applicable fees

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

Each payment obligation that arises between financial institutions in the funds transfer chain settles according to the laws and funds transfer rules that govern the transfer. While settlement is generally final at the time it occurs, if the overall funds transfer is not completed, a financial institution that has settled a payment obligation is entitled to get its money back.

Settlement occurs between the originator’s financial institution and the beneficiary’s financial institution in accordance with established agreements. .

Overview of Security Methods and Associated Risks

Expand

Inventory of Sensitive Payment Data and Associated Risks

Expand

Reconciliation

Reconciliation / Exception Handling

Process and responsibilities associated with reconciling and handling any exceptions or problems with a payment

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

A funds transfer is completed when the beneficiary’s bank accepts. Acceptance by the beneficiary’s bank cannot occur as a matter of law if no person has rights as a beneficiary (i.e., neither name nor account number identify a person entitled to payment). In such a case all prior payment obligations are excused and each party in the funds transfer is entitled to a refund of any amount paid. The beneficiary’s bank may not know that the instructions refer to a nonexistent or unidentifiable beneficiary until after it has received the payment order. Similar outcome for a closed account.

Overview of Security Methods and Associated Risks

Expand

User Protection / Recourse

Applicable rules, regulations, and legal means of recourse

Payment Type Operation

Wire

Note: payment flow may be bidirectional to include reverse wire transactions

UCC 4A contains rules that allocate loss for errors and fraud

Overview of Security Methods and Associated Risks

Expand

 

Last Updated: 02/21/2018

Footnotes

* Generally wire payments flow in one direction