- Payment & Fraud Editorials

8th May, 2019

Aer Lingus recently chose to implement the Apple Pay solution on its mobile app. This payment offering was delivered as a part of the airline's new payments hub platform. Ai's Ritesh Gupta assesses how Aer Lingus is strengthening its infrastructure.

Consumers are being offered the option to shop via vocal assistants, tapping of their phones, QR codes...the list of new options is enticing. Technology is increasingly making it simple for shoppers to wrap up their tasks. To make the shopping experience complete, retailers are also looking at secure payment acceptance.

In an era where the number of ways in which a customer can pay has risen tremendously, facilitating such a wide variety of payment methods can be an arduous task for airlines. 

But airlines can't fall behind when it comes to embracing such trends in retail and commerce. A shopper doesn't differentiate between any product category. So be it for grocery, books or travel, they expect a similar experience. But a key question here is - are airlines nimble enough to facilitate a transaction via a mobile wallet in a specific market and or a new alternative form of payment?

"Airlines can’t easily support new payment methods because of the complexities of the systems while legacy systems are lacking robustness that would enable quick adoption of new payment methods," said Vojin Rakonjac, Head of Payment Solutions, Voyego.

Rakonjac asserted that there are several reasons behind airlines' lackadaisical approach when it comes to accepting new payment methods. It is owing to not aptly comprehending a shopper's expectations, not keeping pace with the current trends in mobile commerce/ e-commerce, and lack of technology readiness.

"Unlike other online merchants, airlines have a lot more systems and each performs its core tasks (inventory management, PSS, Reconciliation tools etc.) but there is no dedicated payment system," said Rakonjac. He further explained: to make things worse, not all of the airlines systems are owned by the airline, so there are many 3rd party vendors to deal with. Because of this complexity, when airlines intends to introduce a new payment method, they need to change a lot of internal systems to accommodate for the data/ flows that are specific to that new payment method. This requires a lot of synchronization with internal departments and 3rd party vendors, and a lot of time and resources to add a new payment method.

"As long as there is no dedicated payment system that is taking on the complexities of the payments, there cannot be an agile environment – because all the systems are impacted," said Rakonjac.

Setting up a robust payment infrastructure

Selling an itinerary featuring multiple destinations or cancelling the same tends to be a complicated scenario for airlines. And this does have its repercussions on the payment side as well.

Rakonjac acknowledged the same and mentioned that payments in airlines are a bit more complex than in other industries.

He said, "For example, if you are buying a book, worst that can happen is that you can issue a refund. With airline it is not that simple. When you go to airlines website, you can: make a booking, manage booking (and change a contents of your basket many times between then and departure (which can be one year from then and even make payments on Check-In (and still refund at the end if needed). So, for starters, payments in airlines are more complex than what you would find with typical merchant."

He further added, "However, the biggest issue is not in the complexity of payments, but rather in the complexity of the systems. In order to create a robust payments infrastructure, you will need to make sure that each of the airline systems performs its core competency and to dedicate a single system that will perform payment-related activities. Currently, because there is usually a lack of dedicated payment system, all of the systems in airlines infrastructure contribute to payment-related processes in one way or another."

To make robust payment infrastructure, dedicated payment system is required. This system needs to cater for all the channels (web, mobile, kiosk, PoS, chatbot, voice etc.) as well as for all the business processes (call centers, airport operations, revenue accounting etc.).

"Once you release rest of the systems from payment-related activities and delegate it to one system, all of the channels and processes can work on top of the same data making it consistent. Once change is needed, you make that change in one system and they are instantly available to everyone," said Rakonjac.

While infrastructure is important, it is just one piece of the puzzle. A tailored payment infrastructure and the structuring of team internally, where multiple teams working in sync within an agile environment, paves way for payment optimization.

Learning from Aer Lingus

Aer Lingus recently launched Apple Pay as a payment method on the Aer Lingus mobile app.

Sharing the experience on working with the airline, Rakonjac said, "Aer Lingus wants to lead in innovation when it comes to payments and follow the latest trends, so they bring more value to their customers. In order to do so, there were number of challenges to overcome in order to make a robust and future-proof system."

He added, "Firstly, it has to be made sure that one is not building a system that will cater for one payment method only – but rather think a bit into the future and predict possible scenarios. Secondly, one cannot overlook requirements of different departments. Knowing payments is one thing, but without knowing airline specific scenarios and needs of every department is completely different. Then, you don’t want to build a system that will be limited to a single PSP but to have a flexibility to work with any PSP if airline wishes to do so with minimum changes (and in some cases, you want to integrate directly with a specific Payment Method)."

Rakonjac also recommended dos and don'ts for introducing digital wallets or any new payment method:

1. Make sure you support right payment methods for the regions you operate so they are relevant for the customers you serve.

2. Wherever possible, pre-fill and automate processes so customer can have a seamless purchase experience and make sure that transition from different channels is as easy as possible.

3. Don’t use some new technology or introduce new payment methods just because other airlines did. Make sure you have a valid reason to do so given many processes become exponentially more complex with the introduction of each new payment method.

4. Don’t make any changes to the systems if you are thinking of a single wallet – always have a long-term strategy so you can make changes easier later down the road if needed.

Vojin Rakonjac, Head of Payment Solutions, Voyego is scheduled to speak at the ATPS about how airlines can transform the overall payment experience with their current infrastructure on 10th May, 2019.

Follow Ai on Twitter: @Ai_Connects_Us

First Published on 22nd June, 2017

Ai Editorial: It is imperative for the industry to assess how to manage co-brands in a challenging enviornment of regulated interchange and the evolution of card free mobile payments, writes Madeleine Anderson.

I recently had the pleasure of moderating a panel populated by some esteemed co-brand credit card industry experts at the Ai Co-brand Conference in Atlanta. 

Over recent years, interchange fees have become an increasingly controversial issue in the US, as a result of regulatory changes and antitrust investigations. The Durbin Amendment to the Dodd-Frank Wall Street Reform and Consumer Protection Act was implemented in 2011, capping debit card interchange fees for larger banks at 22 cents + 0.05%.  Credit card interchange is not covered by this ruling. 

Credit card interchange fees in the United States currently average approximately 2% of the transaction value.  This is amongst the highest in the world.  By contrast, in the European Union, fees are capped at 0.3% of the transaction value for credit cards and to 0.2% for debit cards.  (This cap does not apply to corporate cards).

Our initial discussion was around whether the panel anticipated any changes to regulated interchange within the credit card industry in the foreseeable future.  The response from the panel (and the audience) was a resounding no.  During his campaign, President Trump frequently stated that he has plans for regulatory financial reforms, including dismantling the Dodd-Frank Act.  The general consensus therefore was that the Trump administration is unlikely to introduce reforms around credit card interchange fees.

It would be remiss of us to focus purely on plastic.  We are gradually approaching the day when tapping your mobile phone or smartwatch on a retail terminal will replace the need to remove your credit card from your wallet. Whilst the threat to interchange is unlikely to come from regulation initially, it is highly likely that disruption will come from other sources:

1.     Large merchants’ ability to negotiate fees 

According to CMS Payment Intelligence, merchants have saved more than $8 billion annually as a result of the Durbin Amendment (excluding the effects of subsequent network fee increases and processor absorption of savings).  In addition, the legislation has provided merchants with a framework with which to reduce credit card interchange fees.

Merchant groups claim that interchange fees are much higher than necessary.  Whilst technology and overall efficiency improvements have been made, this has not led to a reduction of interchange fees.  Issuing banks have responded by suggesting that reduced interchange fees would result in increased costs for cardholders, and a potential loss of rewards on cards already issued.  In the co-brand world, interchange fees are frequently used to fund rewards.

Whilst significantly lower interchange fees have been implemented in other countries, such as Australia, savings enjoyed by merchants have not been passed through to consumers.  In Europe, this has resulted in rewards programmes closing down, or benefits being reduced.  

2.     Mobile wallets

The 5^th Annual MasterCard Digital Payments Study found that digital wallets were mentioned in 75% of tracked conversations had by social media users regarding new payment methods.  Whilst awareness is high, mobile payment usage remains relatively low at present (about 1% of total retail sales in the US in 2016).

Barriers to usage include consumers' continued loyalty to traditional payment methods and patchy acceptance among merchants.  Consumers would like to both store their loyalty cards on their wallet and use their phone to make payments.   As loyalty programmes are integrated and more consumers rely on their mobile wallets for other features like in-app payments, adoption and usage are likely to grow.  Android Pay, Apple Pay and Samsung Pay  support loyalty card integration in their mobile wallets, but many major retailers appear to be resistant to loyalty and/or payments integration, to boost adoption of their own wallets.

3.     Emerging technologies

The study also highlighted that consumers are also thinking about what comes after mobile wallets.   Amongst emerging technologies, the use of wearables for payments attracted the highest amount of interest on social media, followed by the Internet of Things (IoT) and smart assistants (digital assistants  such as Amazon’s Alexa, chatbots  such as Facebook Messengers).

The panel believed that co-brand objectives are unlikely to change fundamentally, in light of any reduction in interchange fees.  What is likely to change is the blend of revenue streams, how customer benefits are funded, the introduction of new revenue streams and cost reductions.

Consumers have generally ended up worse off in other markets.  Costs have tended to shift from retailers to customers instead of card partners choosing to innovate. 

So, what might we expect to see in the future?  Amongst other things:

·       Changes to financial models for co-brands

·       Revenue streams from new sources/partners

·       New/alternative payment methods replacing plastic, with revenue flows coming from monetizing data

·       Increased focus on cost reduction – funding, servicing, bad debt and fraud costs

·       Security developments to overcome end-user adoption of emerging technologies, including biometric authentication and tokenization

Be complacent at your peril!

First Published on 12^th September, 2018

Ai Editorial: Having a resilient and centralized data governance tool that can provide requisite information readily when needed will go a long way to comply with data regulations like GDPR, writes Ai’s Ritesh Gupta

It is imperative for businesses today to not only manage, understand and act on data, but also to ensure security and regulatory compliance.

Also, how to respond to strict regulatory environment, for instance, GDPR, where organizations could end up in a situation where they would need to adhere to a request regarding deletion of one’s personal data.

One key aspect pertaining to the whole initiative is data governance.

”Data governance is a key part of a robust and responsible data strategy that modern organizations cannot ignore,” says Kelvin Looi, Global Sales Executive, Unified Governance & Integration, IBM Analytics.

“Profiling each data to answer who, what, where, when and how, and to make this metadata available is fundamental. Basically, for each data, you need to understand what is the data all about, who owns it, where did it originates, where is it kept, when did it get there, and how the same is being processed,” said Looi, who was recently in Phuket for Ai’s 7th Annual ATPS Asia-Pacific.  

Compliance with a regulation like GDPR 

Having a robust and centralized data governance tool that can provide such information readily when needed will go a long way to comply with data regulations, like GDPR, to provide greater transparency of processing to data subjects on how data concerning them is collected, used, consulted and processed, asserted Looi.

Explaining further, he said ,”The `right to be forgotten’ article in GDPR is another requirement that will be difficult to achieve without a robust and centralized data governance tool. Basically, in many cases, data subjects have the right to request the deletion of their data and not to be contacted again. This request is almost impossible to comply with, without a tool to indicate where their data resides, and whether this data can actually be deleted without violating another regulation.

Data governance strategy 

E-commerce companies, including airlines, need to evaluate their data governance strategy to suit their organizational objectives.

“Forming a unit that is responsible for data governance would be a good start if you haven’t got one,” recommended Looi.

IBM has worked on a methodology for the same, and it goes through five phases:

1.     Assess,

2.     Design,

3.     Transform,

4.     Operate, and

5.     Conform

In the first phase, the focus is on conducting an assessment across governance, people, process, data and security. “From this assessment, we develop a target operating model that encompasses technical and organizational roadmaps,” said Looi. “In the second phase (design), we produce standards that cover governance, training, communication, privacy, data management and security management. During the transform phase, we conduct detail data discovery and embed standards, procedures, and tools to enhance existing processes. We also conduct the necessary training to ensure skills transfer.”

“In Operate, we ensure all relevant business processes and security control are executed. In Conform, we monitor, assess, audit, report and evaluate adherence to data governance target operating model,” mentioned Looi.

Managing availability and security 

On data availability and security, Looi recommended that profiling existing data environment and understanding where all the data is a meticulous way to start.

It is important to assess where all the data resides and how the data is connected to each other. Other considerations include what to protect and related accessibility (storing locally or in the cloud, encryption levels for data with different sensitivities, access rights etc.).

“When it comes to customer personal data, a few industries have implemented a customer hub, typically using a master data management solution to provide a “single source of truth” to customer data,” shared Looi. “This typically contains a registry to provide directory services to point to where customer data resides in different systems in a company. Industries like banks, insurance and healthcare are leading in this front. Industries such as airlines are far behind on this. The good news is some have started. Key GDPR requirements, like consent management, can be centrally managed in this customer hub. Companies who have implemented this customer hub will find an easier time to manage customer data availability and security, hand-in-hand with centrally managed customer consents and preferences. Many airlines still try to drive their customer centricity strategy off their loyalty system. But, a big portion of their passengers are not their loyalty club members,” shared Looi.

As for GDPR obligations, Looi, during his presentation referred to 5 areas:

1.     Rights of EU Data Subjects: enhanced rights for data subjects in the EU including notice, access, rectification, erasure, restriction, portability and objection; easier access to personal data with more information on processing available both clearly and understandably.

2.     Security of Personal Data: obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; includes 72-hour breach reporting to regulatory authorities and without undue delay to individuals in high risk scenarios.

3.     Lawfulness and Consent: processing only lawful if one of: consent, necessity, legal obligation, protection, public or legitimate interest or official authority; consent must be freely given, specific, informed, unambiguous and if a special category or certain other scenarios, explicit.

4.     Accountability of Compliance: need to demonstrate compliance with the principles relating to personal data processing pervades throughout the GDPR; include lawfulness, fairness, transparency, purpose/storage limitation, minimisation, accuracy, integrity and confidentiality.

5.     Data Protection By Design and By Default: Data controllers must implement technical and organisational measures demonstrating compliance with GDPR core principles; ensure the rights of data subjects are met and that only data necessary to the specific purpose are processed.

Follow Ai on Twitter: @Ai_Connects_Us

1^st August, 2019

A report released by the Emerging Payments Association has highlighted that the implementation of Strong Customer Authentication is a cause of concern at this juncture.

The purpose of the new Strong Customer Authentication (SCA) rules is to make online payment more secure and to cut down the risk of fraud. Even as the readiness for the same is being assessed, a report has highlighted that 75% of issuers said they would be ready by the 14th September deadline, from a compliance standpoint, but that they would not be operationally ready. New requirements for authenticating online payments will be introduced in Europe as part of the second Payment Services Directive (PSD2).

The PSD2 Regulatory Technical Standards (RTS) specify these SCA requirements. SCA is based on the use of two or more of the following elements: knowledge (something only the user knows); possession (something only the user possesses); and inherence (something the user is).

The report, released by Emerging Payments Association (EPA) and Chargebacks911, features companies that issue over 107 million cards (comprising 61% of all cards issued in the UK). It is being recommended that more time is required. The enforcement of SCA at this pace is “likely to be extremely high and painful”. Rather, a managed rollout is needed.

Some of the key findings:

• The payment experience is going to be adversely impacted. More than half (58%) of the 13 UK issuers surveyed believe the new regulations are going to add friction. The SCA requirements are going to impact the speed of consumer transactions and the number of steps to be completed when paying. One of the major concerns has been the inclusion of additional authentication into the checkout flow, since it introduces an extra step that can add friction and increase customer drop-off.

• The number of transactions that are not going to be accepted is set to rise from today’s 3% to between 20-30%, according to what is being projected by issuers. While the number of step-up authorisation requests is expected to range between a third and half of all online transactions.

• The top three authentication methods being studied by issuers include; One Time Passwords (OTP) (SMS to a mobile device), authentication within a mobile banking app, and 3DS. Among these, OTP and 3DS authentication are expected to adversely impact the user experience.

• There is limited support of 3DS v2.1 today. Despite this, 66% of surveyed issuers expect to be ready by the end of 2019. 3DS v2.1 has an advantage over 3DS v1 because it has a surety of satisfying SCA legal requirements.

In an interview in April with Ai, Laurie Gablehouse, Global Head of Travel Solutions, Ingenico ePayments, did mention that it is a challenging phase for the entire payment ecosystem. Laurie pointed out that the standards are still evolving, with grasp over “80% - 90% of what needs to happen”. “(So) the timing is quite late from a technical perspective for everybody to be ready by September.” 

A major development in the recent past featured the European Banking Authority (EBA) as it published an opinion on the elements of SCA and accepted authentication in June. The report acknowledged the same, and shared that considering the recent EBA ruling on compliant SCA elements issuers are required to accelerate their support for biometrics merchants are advised to implement 3DS v2.1 now and then migrate to v2.2 once solutions are fully tested and available.

In its list of recommendations, the report emphasised that 3DS technology must be implemented as a priority. Rather than being bogged down by feeble v1.0 implementations, gear up for v2.2 as early as possible with v2.1 as a practical interim step. A couple of other suggestions:

• Actively engage with collaboration tools offered by Visa (VMPI) and Mastercard’s upcoming MDRI (Mastercard Dispute Resolution Initiative), which help combat fraud in realtime and maintain TRA exemptions.

• Make sure you correctly flag transactions and apply the right indicators and exemption requests. This may also require support for updated authorisation message formats.

Hear from senior executives about how the regulatory environment is impacting the world of payments at the 8th Annual ATPS Asia-Pacific to be held in Penang, Malaysia (27-29 August, 2019).

First Published on 13^th March, 2018

Ai Editorial: Be it for having a bigger say in the inspiration phase or coming up with relevant recommendations on a mobile device in real-time or improving the conversion rate, machine learning is playing a bigger role than ever, writes Ai’s Ritesh Gupta

Airlines are finding ways to have a bigger say in the booking funnel, and one critical way to bolster the same is via machine learning, a technology where computers identify patterns in data.

What it essentially means is airlines are taking a comprehensive look at all user activity on their digital assets and then acting on the resulting data to eradicate hurdles in the shopping journey. For instance, how to single out a real shopper who is about to complete a transaction from a fraudster who is trying to trick the system and commit a fraudulent activity? Another area is how to come up with a recommendation about a trip that in all probability would garner the attention of the traveller and get them close to completing a booking on airline.com. So be it for early part of the booking funnel to closing stages of a transaction, machine learning is playing its part in a deeper way than ever.

Here we look at couple of areas that can result in better control over the passenger experience:    

Inspiration phase: It is being highlighted that inspiration leads to conversion. As LikeWhere states, airlines facilitating travellers in the inspiration and planning phase will be best positioned at the booking phase. So rather than offering loads of content, build on a layer of intelligence and display destination images, videos etc. as per the trip motive, lifestyle preferences etc.

Of course, for this airlines need to focus on 1^st party data. Carriers, too, realize that they can capitalize on the richness and size of data sets quite unique to their own organization. The ideal situation would be to generate enough data within your own user ecosystem to truly understand where and why people are planning to travel. “Once you have a user-specific data, you can understand the purchase journey and also what to recommend. Once you work on a profile of a user, you can understand travel habits and accordingly recommend something relevant, contextual,” points out Gillian Morris, CEO, Hitlist. When it comes to recommending, a way to build affiliation is by focusing on personalizing destination discovery. Here machine learning contributes by letting airlines to match locations with the lifestyle preferences of their customers. The key here is to deliver a nuanced recommendation, to “humanise” the available data.  As for what to recommend or what to consider before offering something to the traveller, Morris says, “People aren’t going to a destination, they’re going on a trip. In addition to destination and price, equally important are timing (say weekend vs. weekdays) and social context (family, individual, colleagues etc.).”

If airlines don’t act fast (on their own or by integrating their interface with a machine learning specialist), then they are bound to lose. Why? Because Google, Facebook etc. are in an advantageous position, just like Alibaba and Tencent in China. And then online travel groups like Ctrip.com are getting sophisticated with every passing day. For instance, the team at Trip.com, the Palo Alto, California-based company acquired by Ctrip late last year, is counting on their predictive artificial intelligence (AI) to understand various traits of a traveller - personality, interests, style and budget. So what attracted Ctrip in Trip.com? Travis Katz, Trip.com’s co-founder and CEO, referred to – predictive AI technology behind recommendations for travel, based around a bunch of contextual signals, and an engaged community, which has contributed content that complements the core technology.

(Read how JetBlue is capitalizing on artificial intelligence for trip planning (via partnership with Utrip, a destination discovery and planning platform that helps in crafting a personalized, hour-by-hour vacation itinerary) and lot more).

Monetization: Companies like LikeWhere assert that by engaging right from the inspiration phase, airlines can go for a fruitful association in the form of monetizing clicks. “Once we establish certain parameters with a customer we use machine learning to add value, through informing more contextual recommendations. Our product (recommendation engine) enables airlines to begin their customer lifecycle earlier in the inspiration phase which positions them for the booking/ancillaries – that’s where the monetization is,” says Matt Walker, Chief Storyteller at LikeWhere.

By preparing to serve content in an earnest manner, airlines can also benefit to have deeper association that goes beyond air and air-ancillaries. For instance, if an airline knows a traveller is in the middle of a trip (better if the passenger booked the flight itinerary with them), then they can use contextual signals provided by a mobile device to come up with recommendations. So for example, at 8AM the app knows you are most likely looking for breakfast or coffee, and can show you things nearby versus 9PM where it understands you are either looking to go out or plan your next adventure, and adapts the content accordingly. Similarly, if it’s raining where you are, the app understands this, and recommends things to do indoors. These are all signals that are taken into the account. And the ideas are offered in real-time.

Improving the conversion rate and managing fraud: If airlines adopt a risk-averse approach to managing card-not-present fraud, then sales can suffer tremendously. Limitations of the traditional rule-based fraud offerings and reliance on manual reviews are coming to the fore. With machine learning, the system understands when to skip rules when positive behaviour is detected. Moving towards machine learning allows airlines to remove all these unnecessary rules that would have otherwise blocked genuine customers. The combination of big data and machine learning allows more effective fraud prevention.

With data, including a set that is garnered from airlines, specialists focus on signals that aren’t just related to transactions, but also related to buying pattern, post booking behavior etc. Specialists churn the data through various permutations and combinations to identify potential fraud patterns that may be left behind by fraudsters, who have made micro-changes between transactions in one coordinated fraud attack to trick the system. Using real time pattern recognition, even micro-changes can be proactively identified and tagged to the same fraud pattern group. The data that Sift Science leverages includes attributes associated with the identity of a user, behavorial (browsing patterns, keyboard preferences etc.), location data, device and network data, transactional data, decisions (business actions taken), 3rd party data (geo data, currency rates, social data etc.) plus custom data that is specific to a particular merchant. So the purpose of maximizing legitimate transactions as well as avoiding fraudulent transactions is being served by machine learning.

Hear from experts about machine learning and e-commerce at the upcoming Ancillary Merchandising Conference, to be held in Edinburgh, Scotland this year (9-11 April, 2018).

For more info, click here                    

Follow Ai on Twitter: @Ai_Connects_Us

First Published on 21^st March, 2018

The uproar about the reported “data breach”, featuring Facebook and Cambridge Analytica, a political data analytics entity, has raised concerns around the handling of “personal data”, writes Ai’s Ritesh Gupta  

Trust around the way personal data is being managed has taken a beating over the few days, post reports about how data featuring “Facebook users” was used for targeting of political ads mainly to aid then-U.S. presidential contender Donald Trump to forecast and tilt choices in one’s favour at the ballot box. According to a report by Reuters, Scott Vernick, a partner and an expert in privacy and data security at the Philadelphia law firm Fox Rothschild, said that Facebook “lost control of the data and wasn’t adequately monitoring what third-parties were doing”. Facebook stated that people knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked. Even though Facebook has defended their position, the impact of GDPR or General Data Protection Regulation on organizations of Facebook’s stature as well as the way personal data is collected and managed is coming to the fore. This regulation places greater emphasis on consumer consent and transparency in the collection and use of personal data.  

As we highlighted in one of our recent articles, travel e-commerce companies have been assessing their existing level of data protection compliance, as GDPR comes into force on 25th May this year.

Data being illegally acquired and used

The impact of this regulation would be extensive, as it applies not just to entities based in Europe, but to any organization that holds or processes personal data of individuals residing within the European Union (EU).

The fact that the ICO (Information Commissioner Office), the UK’s independent body set up to uphold information rights, is looking at investigating the use of personal data for political campaigns (with reference to the acquisition and use of Facebook data by Strategic Communication Laboratories, psychology professor at the University of Cambridge named Dr. Aleksandr Kogan and Cambridge Analytica), shows the organizations need to ensure that they don’t get embroiled in any controversy pertaining to data being illegally acquired and used. Elizabeth Denham, Information Commissioner stated that it is important that the “public are fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy”.

Considering that businesses have to keep a vigil on possible criminal and civil enforcement actions owing to any irregularity, it is better to gear up for a regulation like GDPR in an earnest manner. So it would be better to study budgetary, IT, personnel, governance and communications implications of GDPR at this juncture. This would mean businesses not only defend themselves against any potential fine or penalty, but they also ensure the trust of their customers doesn’t get broken.

Time to embrace accountability

There is a checklist for data controllers and data processors.   

Certain companies are going to process personal information as both a controller and a processor. So in such cases it is recommended that they complete the required assessments, both for a controller as well as a processor.

According to the ICO, organizations might as well get into the details of the new regulation, and how the same would potentially affect their business model and accordingly work on the planning process.

Some of the areas that travel e-commerce companies can dwell on are:

·          Senior management needs to be aware that the law is changing to the GDPR and by preparing in a diligent manner it could help them to be accountable possibly for other regions, too.

·          Be in control of what personal data an organization holds, the source and if it is going to be disclosed to other parties/ partners, who they are.

·          Clarify and account for basis for processing the data, and the period for which the same is going to be retained.

·          Be aware of an individual’s rights. According to the ICO, in case of the GDPR, rights for individuals include the right to be informed; the right of access; the right to rectification; the right to restrict processing etc.

·          Be ready to effectively detect, report and investigate a personal data breach.

Before organizations commit any error, knowingly or unknowingly, better would be to dig deeper into the way personal data is being collected, the source, the processing etc. to ensure they are in control of the situation. And a regulation such as GDPR could well prove to be a new benchmark in areas such as training employees about the new regulations and impacts on data handling and breach notification.  GDPR has come at a stage when there is a lack of trust among customers (concerns about privacy, lack of trust in brands among the most etc.). It is also expected to raise awareness among customers about data collection and eventually would encourage them to trust brands.

Hear from experts about GDPR at the upcoming Ancillary Merchandising Conference, to be held in Edinburgh, Scotland this year (9-11 April, 2018).

For more info, click here

For Ai’s 2018 Events, check - www.aieventdates.com

Follow Ai on Twitter: @Ai_Connects_Us

13^th November, 2019

Ai Editorial: Authentication of risky shoppers shouldn’t hamper the digital experience of all. Rather merchants must focus on finding ways to applying the right friction to right person at the right time, writes Ai’s Ritesh Gupta

Filling a form, verifying a payment method, registering for an account…when a shopper is presented with such options in the booking flow, it evokes resentment. No one likes to spend extra time or make that additional effort to verify their identity knowing that they are legitimate shoppers.

But travel merchants have to ensure that the least number of fraudulent transaction slip through. Key then lies in identifying that anomalous shopping behaviour in a more shrewd way that doesn’t screen every shopper!

As Sift’s Trust and Safety Architect, Kevin Lee points out; merchants can’t get away with their airport screening approach. Travel e-commerce players have to ensure trusted shoppers or consumers can sidestep added authentication, while potentially risky users undergo that further screening.

“They (merchants) need to focus on dynamic friction,” said Lee. “The concept means having the ability to apply the right friction to right person at the right time.”

The team at Sift describes it as the optimal application of friction to user journeys based on behavioural and situational attributes, applying it to the right person at the right time.

Many companies have this airport security approach where everybody has to go to two-factor authentication (2FA), enter CAPTCHA etc.

“Honestly that’s a terrible experience because 99% plus of consumers on a platform tend to be legitimate. They just want to move from A to B (or shop legitimately with any retailer),” said Lee.

So how to apply dynamic friction and what sort of signals can be used? Since there is so much of data from customers via the app usage, device usage etc. there is a need to use behavioural fiction or behavioural dynamics looking at the signals to identify normal behaviour for an authentic shopper on an app or an online platform. And then being in a position to spot an anomaly where certain behaviour doesn’t seem to be normal. Then only there is a need to introduce certain friction or additional check in the shopping process. 

For example, looking at a certain security measures for a particular fraud, MFA is deemed to be an astute way of shielding user accounts, since hackers or fraudsters don’t often have access to the additional factor required to authenticate. But merchants fear that the introduction of MFA would cause friction. The way to go forward then is to capitalize on dynamic friction, because the judicious use of this authentication method doesn’t disturb the experience of authentic users and only those go through the MFA that fall in the category of risky users.

Also, the specialists ensure that as a shopper moves from the discovery process to the completion of the transaction, all interactions are assessed for risk. In case a risk touches a given threshold, extra verification comes it play. If the interactions come across as reliable, that extra authentication is eradicated, providing the shopper a more rationalized experience.

So in case of account takeover protection, the real-time risk evaluation suggests the level of authentication a particular shopper/ consumer should go through. Riskier actions with more red flags trigger MFA, while suitable actions pave way for a smooth interaction.

Dynamic friction in the travel sector

The application of dynamic friction in the travel sector, especially among airlines, is poor at this juncture, said Lee.

What tends to happen is that there are lots of legacy systems and rules in place to stop illegitimate shopping from happening. But 100% rules-based fraud prevention isn’t proving to be an ideal solution today. It’s not dynamic enough, it’s not fluid enough, said Lee. All of this is important since consumer today are very demanding when it comes to what they purchase, when, how and where they purchase. And that’s where machine running has contributed in terms of responding not only to new types of fraud but also to better recognising legitimate shopping behaviour. 

Sift recommends an apt blend of risk and revenue decisions:

• Rather only looking at shielding the bottom line, also evaluate how to deliver a superlative UX while mitigating risk.

• Embrace a growth mindset - Customer data is leveraged across all teams to make decisions that balance growth initiatives with risk policies.

• Machine learning fraud prevention leverages customer data to assess risk in real time and route users to the appropriate experience based on that risk.

Ai’s new 2020 conference dates: http://www.airlineinformation.org/upcoming-events2/370-2020-conference-dates.html

First Published on 3^rd December, 2018

Ai Editorial: One question that organizations need to dig deep into is – how to go for end-to-end protection for the sensitive data an organization has and how to prevent a data breach? Ai’s Ritesh Gupta looks into it.  

It’s frightening. The number as well as the scale of data breaches is now large enough to scare possibly every organization. Marriott acknowledging Starwood guest reservation database security incident exemplifies the precarious situation pertaining to cybersecurity today.  

The list of post data breach initiatives is a laborious task. Right from analyzing how it happened to what all was stolen to data breach disclosure and informing customers to implementing security measures after the attack, it is a rough ride for many.

One question that organizations need to dig deep into – how to go for end-to-end protection for the sensitive data an organization has and how to prevent a data breach? Even as one might think over whether data could ever be 100% secure, organizations can’t halt and have to assess how to inch closer to it or bridge a possible loophole? For instance, what’s the weakest point that hackers can go for? Common ways are malware infiltration and phishing.

Stronger protection

This year’s list of impacted airlines includes British Airways and Cathay.

Be it for Marriott/ Starwood or any travel company, what is at stake is possibly what an organization is all about – customers and their data. According to Marriott, the database:

“…contains information on up to approximately 500 million guests who made a reservation at a Starwood property.  For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.  For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).  There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

Encryption for personal information

Clearly the days of relying on a simple encryption method are over. In encryption, data is hidden using a coding system that swaps one number or letter for a dissimilar one using a refined encryption algorithm. Encryption of personal data is must and this should span at all possible points where it exists. For this, be aware of where data resides and evaluate cloud settings, big data as well as web storehouses, file systems databases and virtualization implementations.

Companies need to assess latest developments pertaining to database and file encryption.

·          It is imperative to assess what field-level encryption stands for, and once data is encrypted, how systems in a company’s architecture only end up viewing the Ciphertext (it is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher to decrypt it).

·          Also, cybersecurity-savvy organizations are looking at automating encryption deployment and management. Specialists point out that data needs to be encrypted even when it is processed by databases or cached in memory. This can be a critical step as it also cuts down on the risk of access to data owing to the staff’s credentials getting compromised, as data would only be available via authentic applications. (As explained by Microsoft Azure, the state of data at “rest” refers to all information storage objects, containers, and types that exist statically on physical media, whether magnetic or optical disk; in “transit” when data is being transferred between components, locations, or programs). A key is to encrypt application data sent to the database and decrypt query results when it is returned by the database to the application.

Other measures

The role of tokenization, too, needs to be looked at. Even if tokens were to be hacked, it promises to shield credit card numbers or any other critical customer data as none of it would be available for access.

Organizations aren’t only looking at shielding sensitive data, but also to meet regulatory or compliance responsibilities that entail implementation of precise key management controls. It is important to focus on key management process and plan for control of keys that access and encrypt data.

Other than encryption, do plan for a robust user management system. Put in place an incisive access control-mechanism to ensure that only authorized accounts and processes can view the data. Also, gear up for supervision of authorized accounts accessing data, to make sure the same have not been compromised.

The issue of breaches happening due to stolen and/or weak passwords can’t be ignored, too.

The approach needs to be sophisticated. Focus on developing capabilities that can stop attackers at each step of the way to help prevent the theft of data in a breach. Other than investment in cybersecurity technologies, organizations have to hire and retain skilled personnel to form a robust end-to-end protection strategy for sensitive data. Otherwise, it could end up being yet another horrendous data breach story.

Follow Ai on Twitter: @Ai_Connects_Us

Interview with Erika White, Affirm’s Head of Communications and Corporate Marketing

1^st September, 2020

Retailers, fintech and payment specialists are digging deep to understand how each generation of consumers is going about personal finances and overall finance management at this juncture. This is being done in order to evaluate what can trigger a buy, the chosen payment method etc. for various product categories. And considering that the travel industry has been hit hard merchants from this sector too must look at how all of this can play a part in reviving the situation.

The surge in “Buy Now Pay Later” (BNPL) option for transactions has stood out in the recent past, and travel retailers have already responded by activating the same on their digital assets.

Fintech specialists are expanding their operations across the globe, they are coming up with new products, going deeper into the lives of shoppers plus there are indications of consolidation, too.

Ai’s Ritesh Gupta spoke to Erika White, Affirm’s Head of Communications and Corporate Marketing, about consumer spending during the pandemic, evaluating risk associated with installment payments etc.

Ai: Can you explain how the spending habit has evolved in the last year or so, more so during the pandemic? 

Erika White: Consumers are increasingly looking for more flexible, transparent ways to pay that help them manage their finances. A recent study from Ascent found that over a third of U.S. consumers have used a buy now, pay later service like Affirm.

And, our recent report about back to school shopping trends showed that pay over time is growing in popularity among parents -- 78% of the parents aware of pay over time solutions used one to buy at-home school supplies in spring 2020. 

Ai: How does paying via credit card equate with using a debit card or option of installments? 

Erika White: Affirm is a more simple, transparent, and consumer-friendly alternative to credit cards. We provide consumers payment flexibility, without a risk of hidden fees, at the point of sale. Consumers can split the total cost of their purchase, selecting repayment terms such as 3, 6, or 12 months, with interest as low as 0% APR. And Affirm never charges deferred interest or late fees so the number a consumer agrees to upfront never changes. 

Ai: The pandemic has witnessed people losing jobs. How are you evaluating risks associated with people failing to make payments over a period of time?

Erika White: Affirm supports consumers by lending fairly and responsibly. Affirm doesn’t extend loans that we don’t believe can and will be repaid. We're able to do this through our home-grown proprietary credit scoring system that subverts the FICO monopoly and takes a greater quality and quantity of information into account, such as transaction history and credit usage. We use machine learning to make smart, ongoing adjustments to our credit models that enable people to spend in a way that’s responsible and wise. 

Ai: What trends in payments would you like to highlight? 

Erika White: Millennial and Gen Z consumers, having experienced the 2008 financial crisis and seeing credit card debt at an all-time high, are wary of traditional banking services and are opting for flexible payment options. Having grown up with subscription models like Netflix and Rent the Runway, these generations often prefer predictable monthly payments over traditional lines of credit, which can include deferred interest and hidden fees. 

Ai: The travel industry has been hit hard this year. How do you think airlines and travel brands can associate themselves with BNPL or personal finance specialists to propel their recovery plans? 

Erika White: Affirm is a great way for merchants to accelerate growth. Offering Affirm at check out drives overall sales, increasing average order value by 85%. Trusted by 5.6 million customers, Affirm approves on average 20% more customers than its competitors and 67% of its loans are from repeat customers. We’ve helped over 6,000 businesses, including Delta Vacations, Expedia, and Priceline, increase overall sales, reach new customers, and drive customer loyalty. 

Ai: Affirm indicated that consumers have been saving their money during the pandemic and travel is expected to benefit once the consumer is ready to spend the same saved amount. Do you think by being there on personal finance apps, travel merchants can capitalize on the same? 

Erika White: According to a survey conducted by Affirm, 40% of people who cancelled a trip this year, opted to save the money for the same trip in the future.

We believe that just as consumers look for flexibility in making travel plans, they expect the same flexibility in how they pay for those plans. Merchants partnering with Affirm are giving travelers the option to book now and pay over time, while never paying more than what they see up front, so they can feel more confident about their purchase. And by partnering with Affirm, merchants can reach our rapidly growing network of millions of customers.  

Ai: What are your expansion plans? Any specific ones for the travel sector?

Erika White: We’re focused on best serving our customers and merchants in the travel sector and beyond and will continue to explore expanding the number and variety of merchants we serve. 

Explore payment-related trends at the upcoming Airline Travel Payment Summit - ATPS Virtual Conference 2020

Date: 20 - 22 Oct 2020  

http://www.airlineinformation.org/upcoming-events2/607-atps-virtual-conference-2020.html

First Published on 14th June, 2018

Ai Editorial: Deploying a multi-disciplinary approach combining different technologies - both supervised and unsupervised machine learning (ML) -  would better equip merchants to deal with fraud management, writes Ai's Ritesh Gupta

The travel industry needs to dig deeper to understand the efficacy of machine learning and its role in curbing payment fraud as well as the rising issue of account takeovers.

Machine learning often encompasses different types, and simply using one type (predictive analytics) is insufficient.

Supervised machine learning is considered to be a reactive approach to treat fraud. It has contributed in combating fraud to a certain extent – automating some processes, garnering more data to evaluate, but the industry has to capitalize on real-time machine learning as well.

Without real-time learning, supervised machine learning is unable to forecast and offset unfamiliar fraud attacks, since it is dependent only on the data on previous fraud attacks. Also, these systems can only generate probability scores for each transaction, therefore still involving manual reviews.

Many fraud solutions on the market are built with machine learning, but they are built with only one machine learning model (e.g. Random Forest) and the belief that relying on one model will be sufficient in allowing them to detect and prevent coordinated fraud attacks, says Justin Lie, CashShield’s CEO.

"Most travel e-commerce merchants still rely on this single disciplinary approach, requiring historical data to make correlations detect anomalies. However, as fraudsters become increasingly sophisticated, using machine learning for their attacks, they can get ahead by flooding systems with so much fake data that they pass through undetected," cautioned Lie.

Lie added, "As such, deploying a multi-disciplinary approach combining different technologies - both supervised and unsupervised machine learning -  would better equip merchants to deal with fraud management. Unsupervised machine learning can be used to learn on the fly and identify fraudulent patterns even without having been trained with historical data, i.e. able to identify unknown fraud attacks. Thereafter, predictive analytics may still be used to run the probabilities of fraud, giving a risk score."

Unsupervised machine learning is able to seek patterns and correlation amidst the new data collected, which helps to identify positive and negative behaviour, and is effective in identifying genuine customers as much as identifying fraudsters. Specialists recommend that pattern recognition, deep learning and stochastic optimization are also necessary for an optimized yes or no decision in real-time.

Making it work

Lie explained how the combination of unsupervised machine learning and supervised machine learning can work best in curbing fraud. He mentioned:

• Supervised machine learning relies on historical data to predict and prevent further possibilities of fraud based on past fraud. The data set is labelled based on previous observations of fraud, and is described as either fraudulent or genuine. With this data set, there is a historical representation of fraud and transactions can then be determined if they are fraudulent based on these labels. If a fraudster uses a known attack, fraudulent patterns can be identified and stopped before it happens.

• As for unsupervised machine learning, the data is unlabelled and the machine looks out for transactions which deviates from the norm. These transactions are classified into clusters and patterns across this are tracked, then determined if they are indicative of fraud. This new data is then labelled as either fraudulent or genuine. By learning on the fly, unsupervised machine learning is able to detect new forms of fraud and does not rely on historical examples. By analyzing millions of patterns in real-time, it is able to self learn and recognize new attack techniques, stopping fraud before it happens.

Blend of big data and machine learning

The combination of big data and machine learning allows more effective fraud prevention.  Big data is first used to garner details about the user’s behaviour on the website (for e. g. the movement of the mouse) which  is combined with machine learning. There is use of pattern recognition to configure this user's behaviour to tally it either with authentic or fraudulent behaviour. Along with this predictive analytics comes into play to record the positive/ negative behaviour and avail that on future transactions for probable signs of fraud. Finally, an optimized fraud risk algorithm needs to be counted upon to make decisions on whether or not to accept a transaction based on calculated risks to best optimize sales while controlling fraud and chargeback rates.

"Big data allows for more data collected - but relevant data is more important than collecting more data. Collecting data from the merchant’s website and behavioral data beyond payment data will be useful for analysis on the user’s behavior - whether good or bad," mentioned Lie.

A transaction may be sliced into multiple data points, where it may then be combined with real-time machine learning to match patterns through the permutations and combinations of the data points, as well as to identify when fraudsters make micro-changes between transactions (such as changing the device from iOS to Android between transactions to seem like the transactions come from a different source). As it turns out, most systems are still relying on a single disciplinary approach, and a multi-disciplinary approach that combines big data, predictive analytics and real-time machine learning would be more effective in detecting coordinated fraud attacks, recommended Lie.

Act and take charge

Travel merchants need to defend themselves adequately by using machine learning, and at the same time there needs to be reliance on rules and the human component (intervention and feedback) as well.

Merchants should learn to discern and understand the different types of machine learning, and be sure to know if the fraud solution uses only predictive analytics or covers more bases with more than one kind of machine learning. Machine learning technologies are yet to be deployed commonplace to secure accounts, even though machine learning, especially real-time machine learning can be applied on account protection.

Lie concluded with a word of caution for merchants: Many merchants are also still reliant on manual reviews, which means that even if they were able to improve their machine learning algorithms and systems, they would always still be held back by the end process of manual reviews and human errors.

Hear from airlines and other industry executives about travel fraud at the upcoming 7th Annual Airline & Travel Payments Summit (ATPS), co-hosted with UATP, (4- 6 September 2018 in Phuket, Thailand).

For more click here

Follow Ai on Twitter: @Ai_Connects_Us