- Payment & Fraud Editorials

Ai Editorial by Christopher Staab, Managing Partner Americas, Airline Information

3-D Secure, also known as Verified by Visa, MasterCard Secure Code, JCB J/Secure, and American Express SafeKey, is a fraud prevention initiative launched by card schemes.  Its intention is to improve the security of Internet payments and provide a shift of liability in case of fraudulent transactions.

In the airline industry, 3-D Secure is causing a classic struggle between airline Finance Departments and Sales & Marketing Departments. Finance tends to like 3-D Secure due the liability shift and the lower merchant service charges (MSC), whereas Sales & Marketing tend to dislike 3-D Secure, as it is seen to have a negative impact on online conversion rates, decreasing sales.

However, most Airlines already know that not all transactions have the same risk. For example, most top tier elite frequent flyer members booking the same route can, generally, be relied upon to be genuine.

Research by the PSP Adyen also showed that 3-D Secure in the USA will lead to a decrease in conversion of 45%, whereas mandating 3-D Secure in India actually increases conversion by 30%.  More markets are shown in the graph below:

Adyen has therefore developed Dynamic 3-D Secure to apply 3-D Secure (or not apply it) based on the characteristics of each payment transaction! To find out more about Dynamic 3-D Secure, as well as other fraud prevention measures, we invite you to join the Airline & Travel Payments Summits.

The root of the problem appears to be the hotel franchise model, leading to a lack of credit card security and poor procedures. Maintaining brand-wide credit card security standards when there are thousands of franchises, many of whom have properties in multiple brands, has proved an impossible task to date. How often have you seen hotel front desks making physical copies of your credit card at check-in, as well as asking for a copy of your ID or passport? This information can then easily fall into wrong hands and is hardly PCI compliant. Combine this with low pay leading to the temptation for hotel staff to steal card and personal data and it's a card security nightmare! A particular target is the cards of American customers who don't have chip-and-pin (EMV), making them easily cloned for card present fraud. Corporate wide, hotel chains have also had a history of poor data security, having faced several well-publicized data breaches of card information.

I am a perfect example of this problem. In the last 5 years, I have been the victim of credit card fraud on half a dozen occasions- all stemming from the use of my card at hotels. Now when I travel to many countries, I use my card only at the hotel front desk, where it is required. Two years ago in Chile, I only used my card at check-in to a 5-Star major international hotel brand property and my card was compromised. The previous year, I fell victim to the well-publicized Wyndham hack and my card was used to purchase $10,000 in furniture in China. Unfortunately, I also had organized several events in Wyndham properties (including the Airline & Travel Payments & Fraud Summit!) around the time of this breach of security and many of our customers were also affected.

So, returning to my original question, for how long can hotels contribute more to global credit card fraud versus any other industry?

The issue may be resolved as hotels themselves are also increasingly becoming victims of fraud, which will hopefully result in better procedures. Hotels face friendly fraud in the form of charge-backs at very high rates, while online the problem is increasing quickly, as hotels are offering more and more prepaid rates via their own websites. This has made them increasingly the victims of the use of stolen credit cards. 

Hotels as both victims and contributors to fraud will be discussed at our upcoming ATPS & Fraud Events. You can find out more about all of these events at www.AirlineInformation.org/events. And, think twice the next hotel you check into a hotel about the security of your credit card details!

29th January, 2021 

Airlines can’t afford to slip up when it comes to offering a sublime payment experience and their overall payment strategy in the coming months.

Leveraging best payment-related practices will assist merchants to drive recovery, mentioned Pascal Burg during Ai’s "Redefining travel payments in the post-COVID era".

Top priority, as indicated by a recent report released by Nuvei, should be adoption of an approach that supports digital first and touchless travel to reassure customers. Merchants must implement new payment models to respond to the change in customer demand and limit risk or cash flow issues.

Roadmap

The report, produced in conjunction with Edgar, Dunn & Company and with participation from Visa, highlighted that merchants must initiate a detailed analysis to assess all payment-related aspects including internal payment organization, acceptance policies, operational processes and relationships with payment providers.

Philip Fayer, Nuvei’s chairman and CEO, mentioned that payment technology for travel is a strategic growth and recovery driver, “ensuring more customer journeys on their platforms end in bookings”.

As for the roadmap to support their post-COVID-19 growth, merchants need to put in place an automated process for refunds and chargebacks, gear up for SCA for intra EEA/ UK transactions and also identify the most relevant payment features depending on use cases (e.g. ‘hold my fare’, subscription model, installment payments or escrow account usage). 

In addition to payment acceptance, travel companies must look at other critical aspects such as fraud prevention as well as payment orchestration for a multi-acquirer strategy to spread the risk.  The COVID-19 crisis has also reduced the period between the time of booking and the departure date.

“Unfortunately, it is common practice for fraudsters to book last minute to avoid being caught and these changes in non-fraudulent customer behavior require updates to fraud tools used by travel merchants, such as fraud rules and machine learning. As a consequence, this has led to a complete review of existing fraud rules as well as an increase in manual reviews for some OTAs and airlines,” mentioned the report. Fraudsters are availing extra flexibility offered to passengers to their benefit such as the misuse of vouchers for alternate routings.

During the webinar, Charlotta Frohm referred to the significance of "flexibility" on various counts, whereas Yuval Ziv mentioned that merchants have to dig deep to sustain the best possible conversion rate. Travel merchants are also responding to the demand for new payment methods and swiftly introducing them.

Thierry Stucker underlined progress has been made in several areas, be it for the risk profile of #airlines, activity in certain markets or adjustment of fleet and resources to improve performance on key metrics. He also shared that #contactless travel is a key elem. of IATA Travel Pass, expected to be introduced in the coming months.

Ai’s upcoming events: https://www.aiconnects.us/events/upcoming-events/

Alternative payment methods are attractive, but don’t forget to assess key issues. There are specific challenges, be it for system integration or fraud management that airlines need to address as they go for alternative payment methods. Airline Information’s Ritesh Gupta assesses 5 key issues.

A seamless buying experience is one that offers a travel shopper convenience, ease of use, and security. And an integral part of such experience is the preferred mode of payment. Merchants are trying to simplify transactions, for example, eradicating the need for usernames and passwords each time one pays. The industry is moving toward single touch payment experience via apps. While a passenger may have plenty of choices today to complete a transaction, it also means that airlines can’t afford to slip of any new mode of payment.

For instance, consider the talk about Apple Pay transactions and a consumer wallet experience for native iOS apps. The buzz is unmistakable, and airlines need to swiftly assess how to remove the friction from the mobile buying experience. In fact, travel suppliers have to be prompt enough to inform consumers about any new payment, be it for value of electronic currency, bitcoin, or Apple Pay transactions.

During the 3rd edition of ATPS APAC 2014 conference, held recently in Singapore, it emerged that global e-transaction payment mix is evolving considerably in the airline sector. According to Linus Goh, business development director, Asia Pacific at WorldPay, spend on alternative payments and cards is expected to trade places by 2017. Alternative payment methods will account for 59% of all transactions by 2017!

Here we explore 5 key issues pertaining to alternative payment methods: 

• Speed - every second counts: Smartphones are part of our lives and any mechanism that facilitates payment via such devices is of prime importance. “Increased used of affordable smartphones have made the life easier. People can decide and take action on their travel plans while on move. As such, mobile app is a boon to the consumer,” says Waqas Mohammad Riaz Hakim, Supervisor Web Support & Fraud Prevention, Gulf Air - Web Support & Fraud Prevention.

One of the major impacts of smartphones in the payment arena is speed with which can pay. The promise of completing a transaction in less than a minute has been around for a while. This is exerting pressure on airlines, hotels and intermediaries as no one can afford to drop their conversion rates.

In case of HotelQuickly, a mobile specialist intermediary based in Hong Kong, the processing time for a payment came down from 7 seconds to 3 seconds when the company switched over to PayPal instead of another payment service provider. “The main reason (behind the switch) is that the previous merchant bank slowed down the process,” shared Mario Peng, co-founder and CFO, HotelQuickly.
 

• Specific payment challenges:  A payment solution also needs to address several other options other than processing speed.

From a company’s perspective that specialises in transactions via a mobile app, Peng mentioned that entities can face several mobile inbound payment challenges. These include: payment outside of app, network stability, and speed. The team not only looked at associated costs as it attempted to find a solution. It also considered several factors such as currencies, and faster processing. At the same time, HotelQuickly also sorted out several outbound payment complexities (pertaining to dealing with hotels), such as administrative costs, human errors and fraud. Peng referred to a chained payment solution: Immediate and automated payment to PayPal account of hotel, and no follow-up for failed card, wrong amount charged, double charging, or fraud.

• Weighing options: It’s always advisable for any organization to assess the value and weak points of an emerging payment option.

Both OTAs and airlines have been news for accepting crypto-currency bitcoin. OTA CheapAir.com, which crossed the $1.5 million mark for sales of flights and hotels in bitcoin a couple of months ago, acknowledges that Bitcoin is in its nascent stages and it’s subject to all of the fluctuations in value. But it is a promising option, working in favour of consumers for several reasons.

CheapAir.com recently mentioned in one of its blog postings: “We think the online legacy payment systems are ridiculously unwieldy – customers must fill out long forms, sharing personal information like their address and credit card security codes just to make a simple purchase and all of this complexity does not eliminate fraud.”

As for a bitcoin transaction, this method is being considered to be hassle free. It also paves way for transparency by removing hidden fee, such as 3% cost to process credit card transactions.

• System integration: Airlines also need to consider complexity of system integration that needs to be taken care of - different gateways for different channels, multiple integrations required into a variety of business systems etc.

As Waqas explains, for any airline, the transactions happen globally from various sources- own offices, agents, BSPs etc. “ Having different gateway channels and multiple integrations create problems in maintenance, duplication of efforts and complexities in tracking the transactions. (It is) preferred to have one gateway wherein all channels can be routed through. There will be a need to develop one integration,” he says.

• Fraud management: Airlines not only need to look at fraud from credit card transactions, but also digital wallet payments. Of utmost important is to understand and prepare for doubtful actions that are usually associated with fraud. Say developments such as demand for a change in account details, or activity from a non-account contact number or email id.

The sector needs to look at how shift of fraud to mobile channel is shaping up. This is clear need for stronger inspection and tailored fraud rules. One needs to look at fraud implications due to issues pertaining to 3DS authentication. Also, fraud varies by channel web, mobile and phone. Organizations today have to plan for fraud data and act on all available data when implementing fraud rules.

If you are keen on learning and debating about the latest developments in the arena of travel payments and fraud, then join us at Airline Information’s 8th Global Airline & Travel Payments Summit - ATPS 2014 scheduled to take place in San Francisco (3-4 December, 2014).

In preparing for the Airline and Travel Payment Summit in Toronto on the 12/13th of October 2011, one of the themes that keeps emerging is payment surcharging.  In the UK, where I am based, this practice very advanced, but it's also one which the regulators are also looking at closely.

Although Ryanair is registered in Ireland, it does a lot of business in the UK and it's at the forefront of surcharging here.  However, they are not alone. You might be surprised to learn that Lufthansa and American Airlines are also surcharging on their own UK websites for credit card payments.

Here is a chart of airlines charging credit card surcharges in the UK market:

Outsmarting a fraudster with machine learning  

Machine learning automatically learns about new fraud patterns in real-time. Can it help in combating fraud? Ai’s Ritesh Gupta finds how it deals with fraudsters 

Travel brands are keenly looking at fighting fraud, revenue leakage and also curtailing associated costs.

In the era of omni-channel commerce, where airlines and OTAs need to embrace various forms of payment methods, companies face fraud on multiple fronts: on top of credit card fraud, merchants must deal with fraudulent accounts, abuse of promotional codes, and spammy content on their websites, like fake reviews or phishing messages. So how to keep a tab on such bad online behavior?

As a specialist, Jason Tan, CEO, Sift Science says machine learning is supremely suited to catching all of this.

“Think about how much customer data travel companies have access to: email addresses, billing and shipping addresses, phone numbers, device fingerprints. You also have behavioral data: the actions a user takes on your site, like where they click and what selections they make,” says Tan, who presented during Ai’s The Airline & Travel Payments & Fraud Summit, held recently in Fort Worth, Texas.

Awareness

Machine learning can quickly and efficiently digest information to identify patterns, so you can start to tell a story about who your users are and what their intent is. When patterns of real-time fraud are mapped against examples of past fraud, merchants can accurately predict when they’re seeing a good shopper or a malicious one – so they can block the fraudsters, or make it easier for good customers to buy.

For example, as Tan says, Amazon uses machine learning to identify its good users and offer them 1-click checkout – a completely frictionless experience.  

Missing the bus

Tan categorically says if travel companies aren’t embracing machine learning for identifying the profile of fraudsters, then they're missing out on effective fraud prevention.

“Travel companies that resist implementing machine learning could instead be experiencing increased sales and better conversion rates by taking advantage of automation. You can use machine learning to create smart and dynamic checkout flows, where known good users can fly through purchasing, while additional friction points (in the form of cardholder verification) can be added for suspicious users,” he says.

Machine learning enables companies to automate aspects of fraud detection and make quicker decisions. Less time spent on manually reviewing orders means that companies reduce their overhead costs and can pass those savings along to their customers.

Consumers booking travel online expect their reservations to go through immediately. Travel companies don’t have the luxury of time; they need to automate parts of their fraud-detection process to stay competitive.

The team at Sift Science referred to several examples:

• When TravelMob, a member of the HomeAway family of companies, started to notice credit card fraud on their site, their first approach was to manually review new booking requests. Not only was this time-consuming, but it was difficult to scale as their business grew. However, once they implemented a machine learning fraud solution, the TravelMob team became much more efficient. They automated aspects of the fraud prevention process, so the team ould focus only on the bookings that weretruly risky.

• HotelTonight, on the other hand, experienced a 50% reduction in chargebacks after implementing a smart machine learning solution.

• OpenTable reduced their manual reviews by over 80% and saved thousands of dollars in analyst man-hours by blocking fraudulent transactions automatically, before they lost any money.

Dealing with a fraudster

The most effective machine learning applications can take in and return information instantaneously, says Tan.

He adds, “For example, say I’m a fraudster that uses an email address like jason123@gmail.com, and the business figures out that I’m bad because they get a chargeback. Through real-time offerings, jason123 is identified as a fraudster and the system immediately learns that people with 3 digits in their email address are more likely to be fraud. It doesn’t have to be jason123, it could be jason234, jason945, or fred579, but chances are good that those users are suspicious. So when I come back to that company’s site with jason945@gmail.com or another fake email address, I would immediately be flagged as “probably a fraudster”.”

Sift Science’s “secret sauce” is its network of customers that send terabytes of data to its servers.

“That means all of our customers can benefit from the same learnings – for example, if we detect a fraudster on one site, that user’s Sift Score (a measure of riskiness) will instantly update across the entire network, so other businesses can block him. This feature enables companies of all sizes and of all locations not only get an individually tailored fraud prevention system, but also stay ahead of new and changing fraud patterns as their customer base grows,” explained Tan.

The data that companies choose to share should be based on their unique businesses and needs. There will be some common fields like departure destination that whole industries share, but there may also be company-specific data.

Global players like Airbnb and HotelTonight are able to use any data points that they already collect in order to benefit from machine learning for fraud. Details like stay length, airplane seat selection, and travel route can offer insights on top of more obvious ones gained from personal traveler information. A flexible machine learning system can take any data you throw at it.

As for visualizing fraud connections, Tan says a bad user might be testing hundreds of credit card numbers or have thousands of fake accounts on your site. “Using the data pulled from every order or transaction sent to Sift Science, we map out the suspicious signals that any given user or order shares with others.”

These connections help to identify why a user might be fraudulent, as well as allow merchants to proactively block users linked to past bad behavior.

Protecting data

It is imperative for travel companies to ensure that attacks don’t affect credit card data as well as any other personal passenger data.              

Unfortunately, it’s getting harder and harder for companies to “ensure” that data stays secure.

Data breaches will soon be the new normal, says Tan.

“Although machine learning can’t stop hackers (yet), it can help travel companies ensure that stolen data isn’t successfully used on their sites. Employing a machine learning solution can actively identify suspicious behavior, and prevent a chargeback for the merchant, and a painful fraudulent purchase for the victim,” said Tan, answering a vital question.

Real-time aspect

One of the best things about using machine learning is that it automatically learns about new fraud patterns in real time so you don’t have to keep close tabs on new tactics. Travel brands rely heavily on online transactions, so there is also a need to watch out for new travellers from new locales. Travel brands need to be mindful that new geographies come with different types of fraudsters and fraud patterns. A pattern may be normal in one region but fraudulent in another, said Tan. Of course, you can’t just block every new traveler; that would be a quick way to lose legitimate business. But leveraging big data to weed out the bad users wielding stolen credit card numbers is key.

11th January, 2021

Interview with Hubert Rachwalski von Rejchwald, CEO, Nethone

The expertise of fraudsters in committing a fraud is what merchants/ ecommerce specialists need to be wary of at this juncture.

Experts believe that fraudsters not only act as an organized group and learn fast from their own errors but they are also well aware of which platforms are using which security measures.

Ai’s Ritesh Gupta spoke to Hubert Rachwalski von Rejchwald, CEO, Nethone about the same. Excerpts:

What would you term to be the biggest challenge in managing fraud today – would it be false positives?

Hubert: It’s not that fraudsters stopped pursuing their activities during COVID. In fact, we have actually witnessed an increase in signals that indicate fraud attempts. So it becomes an issue of riskiness of traffic. But at the same time, the volumes are down. False positives cost a lot in such a scenario. Fraudsters have evolved their technology rapidly over the last year, making it more difficult to keep false positives to a minimum. 

How to fight fraud with scalable and flexible infrastructure?

Hubert: We recommend cloud-based infrastructures and cloud-based solutions. From an operating cost perspective, on-premise implementation is way too time consuming and costly. We hope to see that all of the merchants that are thinking about implementing these solutions will be more inclined to go with cloud-based systems.

It allows them to be effective because if there are changes in traffic, they don’t need to worry about server capacity. The latest features are added to their solution with minimal cost.

Fraudsters continue to evolve. What new methodology would you like to highlight as far as e-commerce fraud is concerned?

Hubert: There is currently a big offensive among the most sophisticated and organized fraudsters to leverage more and more professional tools. These days it’s actually becoming less about the manual setups and configurations organized by individual fraudsters. It has become a problem of dealing with sophisticated, sometimes ML-based, scalable solutions that were specifically designed for “frauding”.

The barrier to entry to this space is merely having the financial resources to subscribe to these tools; there is less training needed, fraudsters just purchase access, generate credentials, go through basic configuration of parameters, and they’re ready to go. And it’s difficult to detect these tools. We’re happy to share some of the names of the tools that are available in private meetings, but we don’t want to promote them in publicly accessible content. In order to stand a chance in this fight, you need profiling capability that is able to recognize that you’re not dealing with a normal user, but instead an excellent imitation. Just to put in perspective how quickly the evolution happened, 12-18 months ago, these tools just started to appear. The majority of fraud was conducted with easier tactics and less advanced tools.

Just as with any innovation, it’s a matter of convenience and ROI. If you’re a fraudster and  have the financial resources, why not go for tools that will automate your work, supported by SaaS organizations that provide professional, 24/7 customer support complete with YouTube tutorials. It’s an arms race. So much innovation is being poured into methods to extract money from the system. It needs to be met with comparable investment on the merchant side.

Considering that mobile plays a pivotal role in commerce today, how are fraudsters finding ways to commit mobile commerce fraud?

Hubert: The reality is that most of the biggest anti-fraud solutions on the market today were built in the late 1990’s and early 2000’s. The newest ones are from the 2010s. Back then, the share of transactional traffic going through web browsers was dominant. And then in 2012, mobile began to grow. In growing markets like Asia/Africa/LATAM, mobile is dominant.

Merchants who use legacy systems now have a hole in their security. When we were starting in 2016, we saw the future growth in e-commerce, and predicted that the bulk of the growth would come from the mobile channel. So we invested in research and development to find data that will help us fight mobile fraud, such as extracting data from gyroscopes and accelerometers in devices. The R&D helped us build a richer risk profile of a given mobile session. And now the investment is paying off.

Fraudsters are perfectly aware of which platforms are using which security measures. They know which ones are leaky with regards to mobile data. Fighting fraud in native mobile is a whole different game.

There have been interesting discussions around improvising on both traditional/ rules driven as well as machine learning to combat fraud. What’s your advice to merchants when it comes to working out a solid defense mechanism?

Hubert: This is a discussion that we’ve participated in for the last 4 years. We actually understand why fraud prevention managers are in favor of rules. Rules are easy to understand. If something happens, then you can rebuild the logic in your mind and find what triggered an event. With ML the complexity is much larger, hence the hesitation for moving to an automated setup. It becomes difficult for an analyst to grasp what’s happening without some additional help.

That’s why we decided to invest in Explainable AI. It’s a machine learning setup that allows for granular explanation of why a particular prediction is being made. We are able to leverage the analytical potential of the most powerful tools out there, including deep learning where applicable, but still be able to precisely understand why a particular decision and recommendation has been made. We’ve expanded on the ELI5 (Explain Like I Am Five) library/ methodology to be able to provide more context for what an ML model was sensitive to. For each transaction there is a recommendation, and we can provide a prioritized list of arguments why a particular recommendation was made. This is important for both regulatory and adoption reasons. The analysts on the fraud managers’ team are now feeling more in the loop.

Regulations impose strong obligations on the merchant or institution especially if there are disputes, if a transaction was rejected, to provide arguments why an end customer wasn’t accepted. Being able to just go to the panel, search the ID of the transaction attempt and extract a list of features with their weights from the model that suggested the decision, that’s super helpful and powerful.

One of our engineers recently wrote a piece that illustrates the topic well---how studying connections in networks built from transactional, tabular data helps us uncover relationships that are hard to extract when keeping the data flat.

At the end of the day, a client wants to understand why a decision was made. We can pinpoint that this particular model made this particular decision.

My recommendation to merchants: there are so many tools out there, so think about your priorities. I suggest thinking about false positives and the cost of rejection given difficult times. Think about having a setup that allows you to leverage powerful tools while having transparency and control. It’s difficult to jump into unknown waters, and a “black box” ML solution isn’t reassuring. But if you can use a solution that is heavily automated, allows you to maintain some rules logic if your processes require it, then you can take advantage of the most sophisticated tools out there while having the option to see and extract explanations---that sounds pretty compelling to me.

Shopping patterns have evolved – for instance, order during day-time as people mostly worked from home this year. How to ensure there is a balance between security and CX?

Hubert: It’s true, shopping patterns have evolved. That’s why you cannot use rules. If you have a rule that it’s unlikely for a user of a particular card value to make purchases during typical working hours from a certain geography, then you will reject or at the very least send to manual review very legitimate users. The internal cost of modifying dozens of rules is a killer. That’s why we advise our partners (and anyone who asks, really) to leverage as many data points as possible. Save all of the data points of what is being bought and when, which time stamps, etc. and use models that will be retrained periodically. Rules are very aggressive, they like to discriminate right away. With ML we can be much more subtle and look at shades of gray.

It’s good to remember that fraudsters know what might be confusing to merchants right now, because they know what’s changed in the world. It’s all about discerning what is typical and what is not. If they know that the hours of shopping have changed, then they will blend into crowds that are relatively new to confuse the merchants. So we recommend that merchants use all of the available sophisticated techniques to extract information value from this data that the organization possesses.

We hope to see increased adoption of unsupervised and supervised ML. We recently resolved the velocity rules functionality with unsupervised ML. We created a group of models that compare a session against the previous 10,000 session using 5,500 distinct attributes.  With that scope you’re able to spot a lot of similarities, and you can identify a fraud attack as it happens without having to wait for the feedback. The historical way of dealing with this was velocity rules. For example, if a user has the same BIN number that was used in many other transactions in the last 30 min or 30 hours, then the transaction is stopped with velocity rules. What if there are a lot of legitimate users with the same BIN that want to buy from your portal because they’re responding to an adwords campaign? It doesn’t mean it’s a fraud attack. If you can compare 5,500 attributes at the same time, and act on it automatically, then that is power.     

Ai Events | Airline Information: Overview | LinkedIn

Airlines need an infrastructure that lets them manage complex payment ecosystems, passenger smart devices and other vendors, writes Ritesh Gupta, Airline Information Correspondent

Airlines today do acknowledge the significance of setting up a converged payment architecture, but at the same time they also intend to refrain from inviting any sort of complexity. More than incurring new expenditure, and handling complexity of system integration that needs to be taken care of with different gateways for different channels, airlines can’t afford to slip up on the customer experience issue.

Gearing up for change

Today an entity has to deal with numerous back-end systems supporting several channels, all of which have to interact seamlessly with multiple consumer devices, and transaction initiation points.

Kristian Gjerding, CEO of Cell Point Mobile, says the challenge for airlines is to extract themselves from the rapid changes and various ways that alternative payment methods (APM’s) are handled within the payments ecosystem. The entire system is rapidly expanding and becoming increasingly complex, and it needs to be put at arm’s length from the airline. “Therefore, the airline industry needs to gear its infrastructure to manage this rapid change and fragmentation, and not rely on any one provider and channel,” he says.

According to Gjerding, the airline needs a buffer in the form of an extraction layer between the external payment methods and consumer e-wallets such as Apple Pay, MasterPass and Google Wallet, and the digital transactions they support.

This extraction layer can orchestrate and integrate how these various payment methods and data sources become available within the airline’s own channels without compromising control, independence and cost of service.

The bottom line is that airlines need to own their own travel ecosystem, says Gjerding.

“They (airlines) pay a premium for every passenger they get, and once they have passengers in that universe, they should be relentless about ensuring that passengers remains, because that’s where loyalty, repeat business, ancillary revenue and all of the other revenue opportunities happen,” emphasizes Gjerding. Airlines need an infrastructure that lets them manage complex payments ecosystems, passenger smart devices and other vendors, and not be managed by them. “If they own and manage the travel universe - and thereby the user journey - then they can make the payment experience secondary to the overall experience with the airline, process payments more cost-effectively, negotiate better rates with payment providers and focus instead on making everything seamless for the passenger. But do to this, they need control of the payments universe,” states Gjerding.

Managing complexity

Airlines need to consider complexity of system integration and handle different gateways for different channels, multiple integrations required into a variety of business systems etc.  Airlines need to take into consideration a couple of issues:

• As the complexity of the payments ecosystem increases, airlines need to take control of the transaction, and they need the flexibility to add or remove payment service providers, depending on local market conditions, consumer behaviors and the ever-evolving ecosystem. “What they don’t want is an arrangement that land-locks them or gives away control of their external channels to an outside vendor. If they do it will drive up cost and reduce competitiveness,” says Gjerding.

• Secondly, airlines need external fraud solutions, as well as an internal last line of defense against fraud and security breaches. They need fraud mitigation and management tools that can look into the systems that are under attack from the inside and can monitor transactions from the inside out, not just from the outside in. If airlines miss one or the other, they open themselves to vulnerability, stresses Gjerding.

And as end-to-end digital commerce shopping becomes a reality, airlines need to not only orchestrate, translate and manage the complex external payments ecosystem but also manage all of the rest of the internal travel-related activities that occur – the issuing of boarding cards, ticketing, and ancillary revenue – anything that is going to be serviced through self-service channels as well as call centers.

• Airlines also need to cope up with associated costs for mobile payments, e-wallets etc. The cost of adding these can be pretty high just from an implementation point of view. “Airlines are often forced to adapt their systems to support various payment forms and the ways the payment service provider’s deal with them; this also goes for consumer digital wallets. However, the cost of adding new payment methods might be punitive, because the airline might not have a high enough volume of transactions to justify the cost,” says Gjerding. He says airlines  need an extraction layer that can orchestrate new payments methods, reduce time-to-market and reduce the costs of supporting those transactions and methods across the various digital channels including mobile. An extraction layer gives them a competitive edge and more flexibility to handle new forms of payments and to negotiate better rates with vendors and providers as they become less dependent on the payment service providers etc.

Airlines need to relook at their digital commerce infrastructure today to streamline transactions in the multi-channel, multi-device shopping environment.

It’s critical that airlines create a uniform, omni-channel experience. The airline needs a smart infrastructure that can manage the transaction in a way that creates a predictable, recognizable user journey, no matter which channel the passenger chooses, says Gjerding. He adds, “Furthermore, the infrastructure needs to make it easy to continue a transaction if a passenger’s Internet connection dies or the phone line cuts out, without having to start over. The front-end environment also needs the capability to deploy new vendor functions and new payments features simultaneously across channels, maintaining competitiveness and increase passenger satisfaction.”

It’s all about cross-channel seamlessness and un-broken transactions, simplifying the pathway to purchase which is what the digital passenger expects and demands. Getting it right will increase revenues, margin and passenger loyalty.

Follow us on Twitter: @Ai_Connects_Us

Managing 3D Secure- it’s a balancing act

Be it for optimizing security or sustaining favorable conversion rates, airlines need to plan for 3D Secure as part of their customer payment experience initiative, says Ritesh Gupta, Airline Information Correspondent

How to counter mobile fraud? How to make sure the conversion rate doesn’t go down owing to checkout abandonment? These are two key questions that airlines often mull over as they review the performance of their mobile portfolio.

In this context, one needs to careful with traditional 3D Secure, considering that fact that an extra step during the online payment process is added to ensure that the real user is using the card.

Traditionally, online merchants have adopted a binary view to 3D Secure; implement it across all transactions, or don’t implement it at all.

However, both of these approaches have problems. If you apply 3D Secure to all transactions, conversion will suffer, and if you don’t apply it at all, fraud will still be a factor, says Sander Maertens, VP Airlines and Travel, Adyen.

No doubt 3D Secure offers solid protection, however it does add a complication into the checkout for the consumer. As it emerges, experience on a desktop is sub-par and on a mobile it’s even worse. There are other issues that need to be addressed - very slow reaction from schemes and banks to address problem; some merchants live with the poor experience to maintain liability shift enjoyed from 3D Secure transactions; and many merchants have requested that 3D Secure be disabled for all mobile transactions.

It also needs to be considered that there are markets – like India – where 3D Secure is the norm, and so consumers expect it, says Madrid, Spain-based Celia Pereiro, head of payments at Amadeus.

“In these markets, and specifically in India, 3D Secure actually increases adoption. However, in the majority of markets the additional security can have a negative impact on conversion so airlines should be pragmatic about implementing 3D Secure; it may make sense, for example, to direct transactions which have been identified as suspect by the airline’s fraud management system to 3D Secure as a final check before rejecting the transaction outright. In this way, 3D Secure could be used to increase the conversion rate,” says Pereiro.

Optimal approach

Airlines and travel e-commerce companies need to assess their data by evaluating the value of transactions plus closely evaluate chargebacks. Accordingly, the transaction value limit can be finalized above which 3D Secure can be utilized as an extral layer of security to prevent fraud. As for RoI, positive results can be viewed as hike in revenue and reduction in chargebacks over a period of time.

Also, airlines can  integrate with fraud management tool to organize and work out the 3D Secure arrangement, lets say for local markets, in the backoffice. As for the customer experience, one can opt when to authenticate,   manage what a user sees, and embed authentication in the checkout.

Rather than having a binary view – either being in favour of preventing fraud or not hindering the customer payment experience by avoiding 3D Secure altogether, there is a third possibility.  

“(One can) selectively apply 3D Secure only to high-risk transactions, based on data customized to the airline. The way to do this is to dynamically assess and rank a transaction’s risk score on a scale from low to high, and then trigger 3D Secure only for the high-risk transactions,” recommends Maertens.

This means airlines can avoid routing genuine customers through 3D Secure, ensure a smoother payment flow, and minimize the potential conversion impact. By making 3D Secure a dynamic part of the payment flow, it becomes an asset rather than a conversion killer.

There are offerings that allows airlines to flexibly route transactions according to an intelligent set of business rules which is defined with the customer; these business rules allows airlines to avoid the authentication based on specific parameters, for example, frequent flyer passengers. So airlines can control which transactions are authenticated via a specific rules engine.  This can be categorized depending on the total sum of transaction, SKUs, IP or device used etc.

Travel companies cant really abandon 3D Secure, rather they need to plan diligently.

As Adyen recommends, airlines should evaluate aspects that are quite risky for operations, and contemplate automating 3D Secure as an additional security layer only for such transactions.

Also, as witnessed in the past, one can come across a lofty drop-off rate on 3D Secure transactions in case buyers are worried, considering is a security threat. So airlines should engage buyers on the security benefits wherever they can.

Follow us on Twitter: @Ai_Connects_Us and Checkout our Events at: www.AiConnects.us

First Published, 1^st April 2016

Ai Editorial: Amtrak took a cautious, slow approach to 3D Secure deployment due to wide industry perception of negative customer impact. Ai’s Ritesh Gupta understands how the company eventually succeeded in its endeavour.

How can one astutely balance the benefits of 3D Secure and at the same curtail the risk of checkout abandonment?

In order to understand how Amtrak, the U. S-based passenger rail service provider with the reputation of carrying more than 30 million passengers for each of the past five years, has gone about embracing 3D Secure, we spoke to Amtrak’s Payment Security Manager, Rick Ziolkowski. He was joined by CardinalCommerce’s VP, Consumer Authentication, Michael Roche for a detailed insight into the journey and experience of handling 3D Secure.

Ai: Can you share the experience of deploying 3-D Secure? What did you discover, learn and how you ended up having a desired control over the situation?

Rick Ziolkowski: The one thing I learned to appreciate about 3D Secure is that it is unlike other payment fraud prevention solutions. Its code is embedded in the authorization message all the way through settlement. The process transits across multiple parties and servers. It’s imperative to have a vendor with deep experience in overseeing the development, troubleshooting and monitoring of the service and as an advocate between various third parties.

Michael Roche: The data elements retrieved from the authentication are sent across the networks to the Issuer. This allows Issuers to adjust their authorization risk settings and tie the authorization to the authentication. Issuers who have deployed a Risk Based Authentication (RIBA) system will challenge transactions that seem suspect. This allows them to flush out fraudsters and avoid false-positive declines. What this means is that before authorization they can identify risk. Based on the risk level they are then able to challenge the consumer with knowledge based questions or one-time pin numbers sent via SMS.

Fraud isn’t the biggest problem online. Just ask yourself, how many times has your card been stolen to make online purchases. Now, compare that to the times your card was declined incorrectly and maybe even locked while trying to buy online. The fraud problem is causing the false positive problem at astronomical levels. Merchants, Acquirers and Issuers decline far more good transactions than bad. The end to end interoperability of 3D Secure eliminates the speculation once associated with CNP commerce.

No industry is affected more by false-positives than the travel industry. High ticket items along with the high potential for fraud results in the highest false-positives averages online. Amtrak was able to lean on this new found component of the 3D Secure protocols to not only cut fraud but also increase sales. There’s a way to do this, but you need to have the right tools. You can't just go to market with a vanilla 3-D Secure MPI provider and expect it to work.

Ai: So can you talk about Amtrak’s approach?

Rick Ziolkowski: Amtrak took a cautious, slow approach to 3-D Secure deployment due to wide industry perception of negative customer impact. Unlike most fraud service solutions that focus on risk, we focused primarily on the customer impact as our deployment model.

We used the BIN behavior model from CardinalCommerce to identify those issuers who would never challenge (roughly 30% of volume). We expanded to risked based authentication issuers who rarely challenge (increasing to around 60%). The results were so compelling that we eventually phased in 100% processing after our first year.

Michael Roche: Amtrak was an early adopter of our Cardinal Consumer Authentication (CCA) Services+ system. With a phased approach we slowly introduced Cardinal Consumer Authentication (CCA) and the 3-D Secure protocols to their consumer base. Using advanced analytics we were able to hone in and the optional rule sets which would result in the best possible consumer experience, highest levels of liability shift, and the maximum net/net increase in sales. That increase in sales was a result of increased authorizations at the issuers and fewer declines within their internal risk systems.

We recently hit our goal of complete roll out.

Unfortunately even many of our travel clients are going at a much slower pace because of infrastructure problems within the legacy travel booking systems.

Rick Ziolkowski: The key to full 3D Secure optimization and effectiveness is to take advantage of the liability shift rule and to front load 3D Secure into your risk model.

Michael Roche: Correct. There are vanilla 3D Secure MPI providers out there, they promote a RIBA approach at the merchant. This means they advise their merchants only to send through high-risk traffic they flag to the 3D Secure networks. RIBA is a useful approach with issuers but an ineffective approach with merchants.

Our Cardinal Consumer Authentication (CCA) product runs on a Rules Based Authentication (Merchants) backbone where merchants only send us all their traffic to us before any fraud screening has been done. We then take each transaction and compare it to a predetermined rule set created by the merchant based on the issuer and what authentication approach being used.

There is still massive problem globally with many issuers who have not implemented the RIBA approach being pressured from the networks. Our solution eliminates these from the merchant domain. In essence, what many vanilla MPI providers are doing is only reducing the historical problems with the 3D Secure protocols to a smaller set of high-risk transactions. This is evident in their numbers as their travel merchants get less and less benefit and are sending fewer transactions to the networks.

Our merchants “front-end” load 3D Secure and use its result within their risk engines, to create superior risk assessment because we can ascertain the risk level from a RIBA issuer. This yields the highest amount of benefits minus the historical problems associated with cart abandonment that has plagued the protocols courtesy of less advanced issuers.

Ai: What would you like to highlight in terms of performance metrics with 3D Secure?  

Rick Ziolkowski: Traditional fraud prevention solutions are evaluated on a balance between fraud reduction, at the cost of customer friction (also known as the insult rate). The fraud department was in a constant battle with the sales department over finding the right balance to the company’s risk tolerance. The more that the fraud solution expanded into overall sales volume, the more that valid customer insults would typically occur.

That all changed in 2012 when the card brands provided full liability protection on fraud chargebacks for successful 3D Secure transactions. As a result, the fraud prevention rate became a known constant at 100%. This allowed us to focus solely on the customer friction area and control this tolerance level.

CardinalCommerce has developed a BIN behavior profile on how issuers react to 3D Secure transactions. They have developed several behavior ranges from “never challenge, no friction” to “new activation, high friction”. Amtrak deployed its 3D Secure service in a phased approach from lowest to highest customer friction.

A key tool to our success was the development of a fraud rule bypass when we received full 3DS authentication. Taking advantage of the full fraud liability protection, we simply ignored all legacy fraud rules. The result was a 99.85% acceptance rate, significantly better than the airline industry 96.3% acceptance rate.

And the fraud prevention results? We are now below one basis point of fraud to sales when using 3D Secure. 

Michael Roche: Essentially Amtrak outsources their fraud screening to issuers and by doing so, they get full liability shift from fraud, higher authorizations levels with that issuer, and a superior data set that allows them to reduce their friction they expose to the consumer. All of this results in eliminating the massive false-positive problem. In the US especially there are several antiquated friction-inducing fraud tools like AVS and CVV2 checks. For certain traffic, merchants remove these checks and lean on issuers to screen the transactions. Amtrak did this, and their fraud rates didn't increase, they went down even further. Far below any other travel merchant globally.

Ai: How did Amtrak chose to deploy 3D Secure differently?

Rick Ziolkowski: Front loading 3D Secure into the risk model and creating a fraud rule bypass were the two critical elements of our success. Using the BIN behavior model also allowed us to carefully manage and evaluate the program’s deployment cycle. Additionally, we developed some customized Key Performance Indicators (KPI) reporting to provide more detail into both the chargeback and the customer impact areas.

Ai: So why many merchants are not seeing a certain level of success?

Rick Ziolkowski: Merchants need to recognize that 3D Secure is unlike any other fraud prevention tool in the merchant’s arsenal. They need to fully take advantage of the 100% fraud liability shift and front load it into their overall fraud risk modeling ecosystem. There is no need to apply any additional friction to a fully authenticated 3DS transaction. The benefits realized are a low cost, streamlined and low maintenance process for merchants. Legacy rules and their costs can be greatly reduced or eliminated, adding further value to 3D Secure. Challenge units, analysts and risk model areas can have staff migrate to other areas of fraud prevention.

Merchants also need to ensure that their KPI accurately reflects only 3D Secure service results. There is opportunity for KPI results to become cross pollinated with other fraud screening tools or rules, especially if the service is only being utilized based on risk rules. We take great care to ensure that all risk rules are evaluated independently via A/B testing and detailed reporting.

Ai: How can 3D Secure be applied only to high-risk transactions, based on data customized to the airline?

Rick Ziolkowski: The traditional fraud risk management model was to apply various fraud rules and solutions from the highest risk transactions down to a level of acceptable risk tolerance versus customer friction. These would generally be applied in a waterfall/cascading design from the most effective solutions downward. The assumption being that what might have been missed by the first pass would be detected in preceding ones. At some point, you reach a point of diminishing return in which the rule has less effective and more harmful to card acceptance.  3D secure turns that traditional concept on its head.  Due to the 100% liability shift for merchants, there is no need to incorporate other fraud prevention tools or rules. Also, the expanded customer data provided to issuers during authentication makes many of these legacy tools redundant.

I want to emphasize that if a merchant is only applying 3D Secure to high risk transactions, or applying after other fraud screening tools, they will not see the full benefit of reducing customer impact. In turn, they will never achieve full optimization of 3D Secure because their legacy model will be holding it back from reducing customer friction.

Ai: It is said that 3D Secure is not a complete fraud management program. Your comments on this?

Rick Ziolkowski: Although an e-commerce merchant using a fully optimized 3D Secure will see industry leading results on both fraud reduction and card acceptance, there is still the need for robust monitoring, detection and prevention. Merchants should always look at fraud risk in a holistic, enterprise wide view. Criminals will always exploit the weakest link. Where 3D Secure protects transaction fraud and should be considered a cornerstone of any payment security program, a merchant still needs to focus on other aspects of revenue abuse such as refunds, loyalty rewards, coupons, gift certificates, etc.

Learn more about the latest developments in the arena of digital payments at the upcoming 10th Annual Airline & Travel Payments Summit, scheduled to place in Barcelona, Spain (26-27 April, 2016)

For more information, click here