- Payment & Fraud Editorials


First published on 13th January, 2016

Ai Editorial: Account takeovers and frequent loyalty program miles fraud, in addition to credit card fraud, are now demanding stringent measures for fraud prevention, writes Ai’s Ritesh Gupta.

 

Every piece of customer data and information is under scrutiny. One can put a price tag on stolen account info (Uber, Facebook etc.) and on air miles. Today fraud prevention isn’t just about credit cards.

According to Sift Science, account info can yield more money “on the dark web than simple credit card details”. The team indicates that the threat of account takeovers (ATO) needs to be negated.

In fact, findings from the soon-to-be-published Sift Science 2017 Fraud-Fighting Trends report reveal that 48% of respondents observed a rise in ATO last year.

Travel e-commerce – an attractive proposition

Travel e-commerce is a common target for cybercriminals because most of its offerings are large-ticket purchases. The same reasoning applies to luxury goods providers (also big-ticket purchases) and to products that have a high resale value on the black market. Also, since travel e-commerce entities offer digital goods, they need instant approval and delivery to satisfy customers, which also opens the gates to more fraud. Furthermore, the volatility of item prices (which change every minute based on consumer demand) means that merchants cannot afford to deploy manual reviews. Most OTA players simply accept suspicious transactions and absorb the chargeback losses, instead of declining transactions and risking tarnishing their brand and losing out to the heavy competition.

Too much information up for grabs

Before we delve deep into what the threat looks like today, if one were to assess the vulnerability level of travel booking systems, where do they stand today, and has anything changed?

“Not much hacking is required, as there’s less vulnerability here!” This recent remark from experts Karsten Nohl and Nemanja Nikodijevic aptly sums up the brittle nature of “global distribution systems” operated by the travel industry today.

According to details shared at the 33rd Chaos Communication Congress (33C3) in Hamburg, Germany in late December (video available here), the industry suffers owing to brittle authentication and web services. The authenticator printed on boarding passes and luggage tags is up for grabs rather easily. “Any person able to find or take a photo of the pass or tag can access the traveller’s information – including e-mail address and phone number – through the GDS’s or airline’s website,” stated Security Research Labs. The company goes on to add: “…many GDS and airline web sites allow trying many thousand booking codes from a single IP address. Given only passengers’ last names, their bookings codes can be found over the Internet with little effort.” Also, too many people can access information when a booking is generated: for instance, staff at the agency, travel providers, and any GDS involved in any part of the PNR. Fraudsters can travel for free, create havoc with one’s frequent flyer account, use payment info etc. Security Research Labs suggests there is a need for “brute-force protection in the form of Captchas and retry limits per IP address” to start off, and bookings need to be protected with appropriate authentication, at the very least with a changeable password.
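One way to implement the retry limits and Captcha step that Security Research Labs recommends for a booking-retrieval form, as an added example (not code from the article, the talk or any GDS). The per-last-name counter, which catches guessing spread over many addresses, and all thresholds are assumptions added here; the recommendation quoted above names only Captchas and per-IP limits.

```python
from collections import deque

# All thresholds are illustrative assumptions, not values from the article.
WINDOW_SECONDS = 600      # sliding window for counting failed lookups
IP_CAPTCHA_AFTER = 3      # failures from one IP before a CAPTCHA is required
IP_BLOCK_AFTER = 10       # failures from one IP before lookups are refused
NAME_CAPTCHA_AFTER = 5    # failures for one last name, summed over all IPs


class BookingLookupGuard:
    """Retry limits for a 'last name + booking code' retrieval form."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.fails_by_ip = {}
        self.fails_by_name = {}

    def _recent(self, table, key, now):
        # Expire failures older than the window and return the remaining count.
        bucket = table.get(key)
        if bucket is None:
            return 0
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()
        if not bucket:
            del table[key]
        return len(bucket)

    def check(self, ip, last_name, now):
        """Called before the lookup runs; returns 'allow', 'captcha' or 'block'."""
        name = last_name.strip().upper()
        ip_fails = self._recent(self.fails_by_ip, ip, now)
        name_fails = self._recent(self.fails_by_name, name, now)
        if ip_fails >= IP_BLOCK_AFTER:
            return "block"
        if ip_fails >= IP_CAPTCHA_AFTER or name_fails >= NAME_CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record(self, ip, last_name, found, now):
        """Called after the lookup; only misses count against the limits."""
        if found:
            return
        name = last_name.strip().upper()
        self.fails_by_ip.setdefault(ip, deque()).append(now)
        self.fails_by_name.setdefault(name, deque()).append(now)


def replay(events):
    """Run (ts, ip, last_name, found, captcha_solved) tuples through the guard."""
    guard = BookingLookupGuard()
    decisions = []
    for ts, ip, last_name, found, captcha_solved in events:
        decision = guard.check(ip, last_name, ts)
        decisions.append(decision)
        # The lookup only executes when allowed, or when the CAPTCHA was solved.
        lookup_ran = decision == "allow" or (decision == "captcha" and captcha_solved)
        if lookup_ran:
            guard.record(ip, last_name, found, ts)
    return decisions


# Constructed sample traffic (documentation IP ranges, made-up names).
SAMPLE_EVENTS = (
    # A traveller mistypes the code once, then gets it right.
    [(0, "198.51.100.7", "Garcia", False, False),
     (20, "198.51.100.7", "Garcia", True, False)]
    # One address cycling through codes for one name, never solving the CAPTCHA.
    + [(100 + i, "203.0.113.9", "Meyer", False, False) for i in range(6)]
    # The same guessing spread over six addresses, one try each.
    + [(300 + i, "192.0.2.%d" % (i + 1), "Schmidt", False, False) for i in range(6)]
)

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event[0], event[1], event[2], "->", decision)
```

In a multi-server deployment the two counters would live in a shared store with expiry rather than in process memory.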

The point here is how much is being given away to a fraudster.

New areas of concern

There are two relatively new areas of concern for travel e-commerce entities, according to Justin Lie, Group CEO, CashShield:

  • Account takeovers; for example, when the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on other airlines’ systems, as users seldom differentiate their login credentials.

  • Frequent loyalty program miles fraud; similarly, a hacker can take over a user account and, if it has loyalty miles, sell the user account credentials on the black market to fraudsters to redeem the miles for tickets.

“As such, it is advisable for travel e-commerce entities to apply big data and real time machine learning not only on securing payments, but also for securing accounts and monitoring loyalty miles claims,” said Lie.

Tackling issues

Lie says companies should take control of their payment data, which should not be restricted by default. This data can be combined with big data (such as those data fields collected on their websites), so that they can derive a strong data strategy not only for fraud prevention, but also to get a better understanding of the user profiles that surf their website.

Also, fraud is becoming increasingly complicated and sophisticated very rapidly.

“This is especially so as credit card companies push for the adoption of the EMV chip, making it more difficult for card present fraud, thus forcing fraudsters to go online. Instead of implementing a fraud prevention strategy that requires long gaps in training machines with data sets, travel companies should shift towards real time machine learning (or real time automated) fraud systems to get ahead of the fraudsters,” said Lie.

Companies should also move fast to be ahead of the curve and protect themselves against account takeovers and loyalty fraud as well. 80% of all cyber attacks have a financial motive, and it is expected that more fraud syndicates will shift to online fraud, since it is so lucrative.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 


Follow Ai on Twitter: @Ai_Connects_Us


Payments in omni-channel environment – what to watch out for in 2016

Ai’s Ritesh Gupta takes a detailed look at 13 key issues and developments, including IT infrastructure, NDC, data strategy, fraud, security etc. that airlines need to keep a tab on.

Mobile wallets, wearables, QR codes, in-store, self-pay kiosk, PC, tablets, bitcoin…the list of existing and emerging touchpoints and encompassing technology that can facilitate a transaction continued to grow in 2015.

On top of this, the possibility of identifying a passenger every time they get in touch with a brand is forcing airlines, OTAs and the travel sector on the whole to go for a flawless payments strategy.

And the story doesn’t end there.

Customer experience, backed by data and analytics, is just one aspect. If offering the choice of payment just the way a traveller needs it is one side, evaluating legitimacy and tackling fraud in real-time is the other side.

So in 2016, airlines would need to act swiftly to keep up with the pace of change in this arena. Here we explore top developments and issues that are important for offering a sublime experience and fraud management:

  1. Being in control via ownership: Airlines need to own their own travel ecosystem. It’s important for airlines to look at the entire payment chain, from gateway to risk, to acquiring, and identify areas in which they can prioritize improvements. Airlines need an infrastructure that lets them manage complex payments ecosystems, passenger smart devices and other vendors, and not be managed by them.  Dealing with multiple channels, devices and operating systems, multiplied by the many payment methods and consumer digital wallets is difficult. With rising complexities, the industry needs to take control of the transaction, and they need the flexibility to add or remove payment service providers, depending on local market conditions, behavior of the traveller etc. Airlines need to gear up for an integrated solution for the entire payment chain, as well as support alternative payment methods, and look for a single line of reporting and reconciliation.
  1. Airline IT set up: In case airlines are using legacy systems, there is a need to overcome limiting capabilities of such infrastructure. Importantly, it ends up being an investment decision. As specialists point out, airlines need an extraction layer that can orchestrate new payments methods, reduce time-to-market and reduce the costs of supporting those transactions and methods across the various digital channels including mobile. A mechanism is worked out taking into consideration all the sales channels and this layer deals with one or more payment service providers, and streamlines operations such as multi-acquiring switching, alternative forms of payment, reporting etc.
  1. Gearing up for NDC: NDC is fine, but are airlines ready to offer a better payment experience? There are several dimensions that need to be considered as airlines move toward selling products in a different way. One of the most complicated aspects that need to be addressed is the authorization and settlement of a transaction, featuring multiple players (could be two airlines or even other suppliers such as hotels, car rental etc.). Considering the complex payments landscape, it isn’t going to be a straightforward process to optimize the payment experience.
  1. Consistent experience: For a traveller, airlines need to focus on areas like cross-channel seamlessness and unbroken transactions. One can’t do without simplifying the pathway to purchase. The role of analytics and user experience design can’t be underestimated. If we talk of mobile, the shopper flow is often compromised at the payment stage by two key failures – a clunky look and feel, and multiple steps to complete the purchase. The user journey must have no barriers, and airlines must support seamless journeys by using one-click and simple-click functions for authentication and security measures that are handled in the internal environment.
  1. Data strategy: Combining external data with internal data gives airlines a much better view of the passenger – better security, better authentication, a better passenger journey and a big-picture understanding of what’s happening on a per-passenger basis. It is important for airlines to capture data across all payments channels through a single integration.

    Identifying travellers across payment channels, and thereby paving the way for a faster check out regardless of location or device they are using, is a clear benefit of an omni-channel approach.

    Once the infrastructure is in place, real-time APIs can deliver information about payment preferences and behaviour. Be it simplifying the payment page, tailored options (for example, once it’s ascertained that the card user is German, he or she could be offered a cheaper payment option suited for that nation), stored card details or optimizing for mobile, all can benefit a travel e-commerce brand.

    Also, this would ensure that airlines have the flexibility to switch payment service providers (PSPs) or change data on the outside without locking themselves into a particular provider. Because if payment data is stored with a particular PSP, the airline is ground-locked. Airlines should store data internally or store it with a trusted partner who’s independent from PSPs and other payment source providers, and who not only stores the data and treats it as internal data but also assumes the responsibility of not getting hacked.
  1. Spreading the word: The lack of understanding of how a new payment option can be activated, and of coordination between various departments for the same, is a major issue. For instance, if we talk of bitcoin, there is curiosity about how this currency works. The only way to generate new bitcoin is by a process called mining, which simply means using computing power to validate a bunch of bitcoin transactions (also known as a block). The Bitcoin protocol is designed in such a manner that it takes about 10 minutes to validate a block. Every 10 minutes a ‘miner’ successfully validates one of these blocks of bitcoin transactions and is awarded 25 bitcoins as an incentive for contributing his/her computing power. Since bitcoin’s inception this validation process has been executed many times to produce 14.5 million bitcoins. It is worth noting that the bitcoin award gets halved every four years. This ensures a predictable and decreasing rate of bitcoin production.
  1. Local intricacies: An airline might be running operations smoothly, including acceptance of payments, in several markets, but a similar move may result in additional expenditure in a new one. A prime example is alternative forms of payment (AFPs). These options have gained traction, and they generally tend to address a domestic economy. It’s a fragmented space, and airlines need to understand the intricacies of each market. Consider India. Uber decided to introduce a cash option to make its service more accessible in India. So customers can pay via prepaid wallet, debit/credit card or cash. In the case of China, it’s imperative for travel brands to offer options like Alipay and/or let Chinese consumers pay via WeChat.

    Also, some local payment options in Asia may require the airline to have a local registered entity, especially if the settlement goes directly to the airline. A major challenge for accepting payments from customers is the low credit card penetration rate and acquiring banks charging cross-border fees to customers.

    Airlines need to adjust their operations, too. For instance, the settlement process of alternative payment methods can differ vastly. SEPA Direct Debit, one of the preferred payment methods in Germany, is asynchronous, meaning that there is no real-time confirmation that the funds are guaranteed. As confirmation is given only after several days, this payment method should not be available with a short time to fly.
  1. Studying AFPs in detail: Every market has its own requirements. In fact, even within one continent, the requirements might differ vastly across countries. Unlike most of the other countries in the Asia Pacific region, options for AFP are yet to take off in a big way in Australia. Carriers in Australia are only focusing on an online real time debit payment system as an option. It allows buyers to use their Internet banking to pay for their online transactions.
  1. Avoiding revenue leakage: Airlines can’t afford to go overboard with 3D Secure. Traditionally, online merchants have adopted a binary view of 3D Secure: implement it across all transactions, or don’t implement it at all. However, both of these approaches have problems. If you apply 3D Secure to all transactions, conversion will suffer, and if you don’t apply it at all, fraud will still be a factor. But there is a third possibility – selectively applying 3D Secure only to high-risk transactions, based on data customized to the airline.
  1. Combating fraud: Managing online fraud is an ongoing initiative, one that needs constant improvisation for better results. If this is not the case, then a travel organization would end up being a soft target, leaking revenue that shouldn’t have slipped from its grasp. In fact, despite having a team in place, one can still suffer at the hands of fraudsters. The way hackers and cyber criminals function continues to evolve. So airlines need to make the most of APIs that can automatically feed threat indicator data into their own security systems. Also, in the current scenario, one must do a detailed review of past and present transactions and identify whether any suspicious activity is happening. Other recommendations include: detailed analysis of failed payment transactions; regular updating of the negative and positive customer databases; detailed verification of high-value transactions; more co-operation and collaboration with the fraud departments of airlines, banks and OTAs to exchange fraud trends.

    Also, airlines need to look at machine learning. It promises to combat fraud. One of the best things about using machine learning is that it automatically learns about new fraud patterns in real-time so you don’t have to keep close tabs on new tactics. When patterns of real-time fraud are mapped against examples of past fraud, merchants can accurately predict when they’re seeing a good shopper or a malicious one – so they can block the fraudsters, or make it easier for good customers to buy.

    As for avoiding chargeback debits, there is a need to improve upon dispute management processes for the entire merchant community.
  1. Working with travel agencies: First of all, airlines should look at the weight of indirect distribution in their overall channel mix. Secondly, they must analyze how big of an impact fraud is on this channel – this is often hard to track for airlines because the information they receive in a chargeback may not include reservation details. The lack of automation and the long cycle of a travel agency sale often make it difficult to react quickly. So airlines need to gear up for real-time visibility of all transactions processed via a payment platform. This will allow airlines to have not only a single repository of payment and PNR details, but also enable them to easily take corrective actions on bookings, look at statistics and monitor performance.
  1. Protecting customers: When an organization stores or even makes customers use their credit card details, it puts itself in a position of responsibility. Travellers need to trust that airlines and OTAs are handling their credit card details securely. Now there is an option to transform all credit card details into tokens. This ensures that even if a fraudster accesses stored tokens, there is no method of converting that data back into useful credit card details. The industry is also looking at new options such as biometric verification to prevent fraud as well as make it easier to pay securely.
  1. Changing payment landscape: In its recent report titled Omni-Channel Banking: The Digital Transformation Roadmap, Efma & Backbase referred to the disruptive climate of banking.

    The report referred to what the likes of Apple (in possession of most consumer credit cards, a growing iTunes ecosystem and Apple Pay), Google (Android Pay, sending money via Gmail) and PayPal (handling more international transfers than the top five banks put together) are up to.

    There is a need to keep an eye on the functioning of banks, too. It is being highlighted that these organizations are currently in the experimentation or deployment phase of their omni-channel strategy.



Accepting AFPs in Asia – it’s about handling intricate issues

Alternative forms of payment (AFPs) are flourishing in Asia. Each has its own unique application and settlement process, language/currency support, and is subject to domestic rules and regulations. Ai’s Ritesh Gupta reports.

It can be quite demanding for any travel e-commerce entity, be it for a mature business or a start-up, to finalize an apt payment strategy in the Asia Pacific region.

AFPs have gained traction, and they generally tend to address a domestic economy. It’s a fragmented space, and airlines need to understand intricacies of each market.

In China, around 45% of online transactions are made using e-wallets, such as options offered by Alipay, China Unionpay and TenPay, and other emerging options include WeChat payment. 

A company needs to be spot on, otherwise the conversion rate can take a dip. For instance, Uber, the mobile app-based transportation network, has worked out an effective zero-click payment mechanism. Users of the app simply register their card as card-on-file, request their ride, and their card is charged at the end of the ride. After registering, the payment will subsequently be made when you use the app, and there is no need for the customer to go through a payment process. But recently, Uber decided to introduce a cash option to make its service more accessible in India. So customers can pay via prepaid wallet, debit/credit card or cash.

There are various factors airlines and travel e-commerce businesses need to consider while assessing which alternative forms of payment to go for across the Asia Pacific region. A prime reason behind this is the variety of payment options that are available, which are as diverse as the region itself.

Low credit card penetration

Talking of the Asia Pacific region, Bangkok-based Mario Peng, CFO at hotel mobile booking app HotelQuickly says a major challenge for accepting payments from customers is the low credit card penetration rate and acquiring bank charging cross border fees to customers. To reduce credit card acquiring fees, remove cross border fees charged to customers and to offer alternative payment solutions to reach non-credit card holders, merchants are required to set up local legal entities and/ or work with different payment service providers for markets in Asia.  

“It is quick and easy to setup global credit card acquiring. But there are many markets where credit card acceptance is relatively lower than say Hong Kong and Singapore,” says Peng. “So for markets like Indonesia, Vietnam, Philippines, Thailand etc. the team is looking at alternate payment methods – and for the same it evaluates both commercial and technical aspects of tying up with a payment gateway.” A local payment gateway fulfils certain legal requirements, and then airlines or OTAs assess the ability to facilitate payments for preferred payment channels. For instance, in Indonesia, as Peng told us the company is evaluating two payment service providers – while one can facilitate ATM transfer, convenience store (these are semi-digital payments - a consumer takes a code or a QR Code associated with a booking and pays), and online banking, the other isn’t able to offer online banking as an option.

Hong Kong-based Joseph Chan, CEO, AsiaPay says various non-credit card payment options have different rule sets. For example:

  • Maximum payment limit cap;
  • Mostly does not support pre-authorisation, void, partial capture and reversal;
  • Refund could be offered online but only possible offline in some payment options;
  • Settlement cut-off

Chan says an ePayment partner in Asia for airline can readily address the following challenges that airlines may face as they plan for added local payment options:

  • Some local payment options in Asia may require the airline to have local registered entity, especially if the settlement goes directly to airline;
  • Many different payment options are not readily designed for multiple channels and mobile response. Extra cross-channel payment interface design and development may be required if airline goes directly with local payment platform;
  • Unlike credit card, each of the payment options in Asia has its uniqueness, e.g. transaction limit, availability of refund, no pre-authorization, chargeback rights. It will require airlines’ necessary effort to design and implement necessary payment interfaces and processing flows.
  • Considerable effort may be required by airline to consolidate payment transaction especially for easier reconciliation and reportings of sales and settlements across payment options, and not to mention for CRM, payment analysis reference. 
  • Apart from credit card, some of the Asian countries are still cash markets, so local alternative payments such as netbanking, OTC, debit card, ATM payment and cash counters are the major payment methods practised in countries like Thailand, Philippines, Indonesia, Vietnam etc.

Penetration of AFP

As for AFP, there isn’t any consistency across the market.

Unlike most of the other countries in the Asia Pacific region, options for AFP are yet to take off in a big way in Australia. Carriers in Australia have listed POLi, an online real time debit payment system, as an option. It allows buyers to use their Internet banking to pay for their online transactions. POLi is currently available within Australia and New Zealand. Among other carriers in the region, Air Asia added POLi as a fee-free payment option on its website a few months ago.

“There is no credit card fee, and the system results in instant booking. Of course, a major lure that works in favour of POLi is that it results in consumers saving significant amounts of money. So say, for a family of four, booking via POLi would end up in A$30 savings,” says a senior airline executive. As for facilitating one-click payment via mobile devices, the executive says the market is still “2-3” years far off. “There are certain legislative issues, too, that can hamper the growth of mobile payments. For instance, it isn’t allowed to store CVV in Australia. The privacy laws are quite strict at this juncture. So this can impede the implementation and the take-up for services that are burgeoning in other markets.” 

Gurgaon, India-based Jibby Jacob Kollanoor, director, South Asia, UATP, says consumers want to be able to pay with the local AFPs they are used to and comfortable with. “One of the most popular AFPs in this region is Alipay, an e-wallet in China that is also capturing a large percentage of the mobile wallet space,” he says.

Preparing for bitcoin

Airlines also need to gear up for emerging digital currencies like bitcoin. To initiate a bitcoin transaction, a consumer must have a bitcoin wallet. “The easiest way to get one is by choosing one of web based wallet services providers such as Coinbase, Blockchain.info etc. Once the wallet setup is complete consumers must fund their wallets with bitcoins purchased from either local bitcoin exchanges or by other means. These bitcoins can then be used to purchase tickets at airline websites,” says Shreyansh Durgesh, director of sales and business development, Asia Pacific, Bitnet Technologies.

According to experts, bitcoin simplifies airline payment by eliminating any risks and unnecessary costs associated with payments. But there is still a lot of apprehension among airlines regarding bitcoin due to its price volatility, regulatory concerns etc.

For its part, Bitnet has simplified bitcoin acceptance for airline merchants.

“With Bitnet, an airline will not touch, store or process bitcoin. Airline will be able to price their tickets in local currencies. We will accept bitcoin payment on their behalf and pay the airline in local currency of their choosing,” shared Durgesh, who added that Bitnet has simplified airline bitcoin payments with its UATP partnership.

Finalizing plans for AFP

Kollanoor says a lot of factors need to be considered before finalizing which AFPs to go for:

  1. Know the local requirements, such as whether they are required to partner with a local entity in order to start connecting with local consumers.
  2. Understand what types of AFPs the consumers in that market are used to – do they prefer bank transfers, e-wallets, bitcoin, local credit card, etc.
  3. One of the most important considerations is understanding the complexities of integrating with a particular AFP; the goal is to expand payment acceptance and to get to market as quickly as possible to generate new revenue.

Each payment option has its own unique application and settlement process, language and currency support, and is subject to domestic rules and regulations. Kollanoor says airlines can use their existing UATP infrastructure and reporting solutions to quickly bring AFPs to market. 

Airlines need to understand the limitations of their systems. It needs to be assessed whether an airline should build a direct connection from scratch that constantly needs to be maintained, or whether it can utilize its existing acceptance platform and back-office processes to enable the new payment methods. Also, reconciliation remains a big issue for the airlines; it can be rather labor intensive and a long, tedious process if done manually. There is a need to gear up for simplified daily reconciliation.



Time for airlines to minutely scrutinize Bitcoin as an option for commerce 

Bitcoin is an attractive option for airlines, be it for lower transaction fees, relatively quicker money transfer or even the sheer experience of using a digital currency. Ritesh Gupta, Airline Information Correspondent, finds out more about this emerging option.

Technology and devices continue to surprise us, delight us. Be it for the paucity of time, convenience or pure indulgence, travellers are embracing alternative payment methods. And Bitcoin is definitely one such emerging option that gained traction last year. The idea of mobile bitcoin wallet sounds cool, with info including transactions getting updated in real-time.

Travel companies, including airlines and OTAs, are today accepting Bitcoin and other digital currencies. The biggest development is the rise of payment processing platforms that make it simple for airlines and OTAs to accept Bitcoin in a simple and risk-free manner, says Reading, UK-based Akif Khan, VP Solutions Strategy, Bitnet Technologies.

Strengths

There is a definite trend for airlines and OTAs to be exploring non-card payment types. Be it for lower transaction fees, expanding reach or combating fraud, there are several aspects that are proving to be promising for Bitcoin.

As Khan says, the drivers for this will vary depending on the airline and OTA. “For some, the driver is cost, as they seek to encourage travellers to pay with payment types that charge less than the 1-3% typical of cards.  For others, it is about expanding into new and emerging markets, where card penetration may not be high. Finally, for some, it is about brand differentiation, and offering new avenues to pay for travellers that differentiate the airline and OTA from competitors,” he explains.

Even as there are some concerns about this currency’s volatility, accessibility, creating right awareness (especially the perception of Bitcoin being meant for buying illicit drugs) and the uncertainty surrounding regulation, there are clear benefits too.

One shouldn’t ignore the prowess of Bitcoin especially when it comes to the economic inclusion of those underserved by the current banking system.

Bitcoin has multiple benefits for an airline or OTA compared to more traditional payment methods such as cards, says Khan. He explains: First, it is typically cheaper to process a bitcoin payment than it is a card payment. Second, unlike cards there is no chargeback risk when accepting a payment in Bitcoin, which leads to further cost savings for the airline or OTA. Third, there is no cross-border friction when accepting bitcoin, since it is a truly borderless global payment type. 

“From a traveller’s perspective, paying with bitcoin can be quicker and simpler than keying in a card number.  In addition, due to the elimination of chargeback risk, airlines and OTAs can accept your payment with confidence,” he says. This eliminates the many situations where travellers are inconvenienced when an airline or OTA rejects their card transaction because they suspect it might be fraudulent – for example if the traveller is making the card payment whilst in a foreign country. “Finally, over 2.5 billion in the world do not have access to traditional financial services like credit cards. However, if they have Internet access via their phone, they can get bitcoin.  So many travellers will actually be able to book online for the first time, benefitting both them and the airline/OTA,” says Khan.

Where are savings going?

One critical question as a traveller I would like to know is - are travellers going to save any money, or is it only airlines who are going to benefit in this regard?

Khan says some airlines or OTAs may choose to keep the cost savings entirely for themselves, but the smarter ones will use the cost saving to incentivise travellers to pay with bitcoin. 

The huge cost savings for airlines and OTAs not only in processing fees but also in not having to apply costly fraud management checks, mean it is in the interest of the airline or OTA to encourage the travellers to pay with bitcoin. This could be done by offering discounts when paying with bitcoin (the opposite of surcharging for credit card use, in fact) or offering frequent flyer bonus awards for example when Bitcoin is used.

Key considerations

Khan recommends that airlines should think carefully about whether they want to implement bitcoin processing themselves, which would likely involve them having to process or store bitcoin, or whether they want to use a processing gateway which converts the bitcoin to local currency on behalf of the airline or OTA.  In addition, if a processing gateway is being used, the airline or OTA needs to consider whether the gateway is optimized for use in the travel industry with respect to reporting, reconciliation, security, high availability, and connectivity to the appropriate travel ecosystem platforms.

As for the volatility of Bitcoin, Khan says the same can be abstracted away from the airline or OTA if they select the right payment processing partner. Such entities take on any volatility risk, and guarantee the airline their ticket price when a purchase is made.  The bigger challenge is that consumer adoption is still relatively modest, albeit growing rapidly.  However, since the implementation costs are modest, it makes financial sense for airlines and OTAs to accept bitcoin even if only for a subset of their transactions, as this will further drive consumer awareness and adoption, leading to even greater cost savings for airlines and OTAs accepting bitcoin.

Bitcoin and virtual currencies will be on the agenda of the 9th Airline & Travel Payments Summit on the 29th & 30th of October 2015 in Fort Worth, Texas. Details at: www.AirlineTravelPayments.com.


First Published on 15th August, 2017

Airlines need to make the most of industry data and unique merchant data to combat fraud. The data strategy they deploy must be diverse and tailored, writes Ai’s Ritesh Gupta

Travel e-commerce players, including airlines, are trying to cut down the margin of error when accepting or declining a transaction, so that when they review an order they decide appropriately on what action to take.

In this context, the role of data that can help in combating fraud is coming to the fore. Data is being relied upon to answer key questions. For instance, why are genuine customers being blocked? How can historical data be used to improve the accuracy of any prevention strategy? How is transactional data being capitalized upon via one system and analysis model? How are merchants gearing up for automated, scalable fraud prevention?

Another area is how airline-specific data, be it for the activity on their respective websites or other digital assets or transactional data from direct and indirect channels, can result in better fraud prevention.

Collecting data from airlines

As for the sort of data that can be collected, it boils down to two types, industry data and unique merchant data, according to Justin Lie, who has built CashShield, a SaaS-based self-learning fraud prevention solution for ecommerce.

Lie further explained:

· Industry data includes information on coordinated fraud attacks, which may be shared across different airlines as all airlines are equally vulnerable to coordinated hackers.

· Unique merchant data would vary from airline to airline, based on the individual information each airline collects or is able to provide.

When it comes to collecting more data, unique merchant data from Airline A may not be useful for information on the fraud risks Airline B would be exposed to.

“For unique merchant data, we will guide airlines to look for useful custom fields that can increase the accuracy of fraud detection. Also, we will allow airlines to data dump whatever data that may be collected, as more relevant data points can strengthen our real-time pattern recognition technology. Industry data on existing or current fraud attacks can also be useful information to share from airline to airline, but both types of data should be collected for analysis of anomaly detection,” shared Lie.

Airline-specific plan of action

As Lie pointed out in one of our previous interactions, a majority of fraud offerings have been worked out for mass markets, where most carriers are mainly required to garner data based on a template that evaluates only a restricted number of fields. He added that this isn’t enough. It also restricts an airline’s ability to craft an optimal data strategy and reporting for their performance/return on investment. Unfortunately, not much useful data is returned to the merchant by default. Rather, airlines need to go for better control of their data, including data related to a transaction.

“As each airline’s ecommerce website is unique, the data strategy deployed must be diverse and tailored,” asserts Lie. “It is vital to work with airlines and help them make use of all the data that is there on their respective websites.”

Lie says airlines can tap into smarter solutions that can customise unlimited data collection to maximize their fraud prevention, automation and false positive reduction capabilities.

“For instance, passive biometrics data including mouse cursor movements, keystrokes, words per minute or activity data including wishlists, purchase history or even seemingly insignificant data points like whether or not the user has chosen to subscribe to the newsletter can all be relevant information collected and used.

With the data collected, airlines can churn the data through various permutations and combinations to identify potential fraud patterns that may be left behind by fraudsters, who have made micro-changes between transactions in one coordinated fraud attack to trick the system. Using real time pattern recognition, even micro-changes can be proactively identified and tagged to the same fraud pattern group,” explained Lie.

“We should not be overly concerned about how each data point may contribute to the fraud analysis on its own, or with collecting as much data as possible, but rather on how the data collected may be used in a relevant manner. After the point of data collection, airlines have to amplify and triangulate the data, analysing the data through multiple permutations and combinations so as to better understand the fraud patterns left behind by fraudsters in their attempt to brute force the system.”
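The grouping Lie describes can be sketched as follows. This is an added example, not CashShield's method or code: the field names, the normalisation rules and the rule that two shared attributes link two orders are assumptions, and the orders are constructed.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed orders (not real data). t1-t4 belong to one scripted attack in which
# a field or two is altered on every attempt; t5 and t6 are unrelated customers.
ORDERS = [
    {"id": "t1", "email": "john.smith@example.com", "name": "John Smith",
     "ip": "203.0.113.10", "device": "dev-a1", "card_bin": "411111"},
    {"id": "t2", "email": "johnsmith+1@example.com", "name": "JOHN  SMITH",
     "ip": "203.0.113.77", "device": "dev-b2", "card_bin": "522222"},
    {"id": "t3", "email": "j.o.h.n.smith@example.com", "name": "Jon Smyth",
     "ip": "198.51.100.5", "device": "dev-b2", "card_bin": "433333"},
    {"id": "t4", "email": "mary@example.org", "name": "Mary Jones",
     "ip": "203.0.113.200", "device": "dev-b2", "card_bin": "544444"},
    {"id": "t5", "email": "alice@example.net", "name": "Alice Wong",
     "ip": "192.0.2.44", "device": "dev-z9", "card_bin": "411111"},
    {"id": "t6", "email": "bob@example.net", "name": "Bob Lee",
     "ip": "192.0.2.91", "device": "dev-y8", "card_bin": "455555"},
]


def normalise(order):
    """Collapse cosmetic micro-changes so near-identical values compare equal."""
    local, _, domain = order["email"].lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")   # drop +tags and dots (assumed rule)
    return {
        "email": f"{local}@{domain}",
        "name": re.sub(r"[^a-z]+", " ", order["name"].lower()).strip(),
        "ip": order["ip"].rsplit(".", 1)[0],           # compare on the /24 network
        "device": order["device"],
        "card_bin": order["card_bin"],
    }


def shared_fields(a, b):
    """Names of the attributes two orders have in common after normalisation."""
    na, nb = normalise(a), normalise(b)
    return sorted(k for k in na if na[k] == nb[k])


def pattern_groups(orders, shared=2, min_size=2):
    """Tag orders that share any `shared` normalised attributes with one group.

    Every combination of `shared` attributes is a lookup key. Orders are handled
    one at a time in arrival order, so the same loop can run as orders stream in.
    """
    parent = {o["id"]: o["id"] for o in orders}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen = {}
    for order in orders:
        features = sorted(normalise(order).items())
        for combo in combinations(features, shared):
            if combo in first_seen:
                parent[find(order["id"])] = find(first_seen[combo])
            else:
                first_seen[combo] = order["id"]

    groups = defaultdict(list)
    for order in orders:
        groups[find(order["id"])].append(order["id"])
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)


if __name__ == "__main__":
    print(pattern_groups(ORDERS))
    print(shared_fields(ORDERS[0], ORDERS[1]))
```

No raw field of t1 equals the same field of t2, so an exact-match rule links nothing, while requiring only one shared attribute merges the unrelated customers into the attack group.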

Counting on data for new types of fraud

It is imperative for airlines to sharpen their fraud prevention strategy, as it is no longer just about credit card or payment-related fraud. Rather than only securing payments, there is also a need to protect accounts and monitor loyalty miles claims.

So how should an airline go about allocating resources for overall fraud management? Where do airlines tend to fall short?

Travel e-commerce entities need to apply big data and real time machine learning not only to securing payments, but also to securing accounts and monitoring loyalty miles claims.

“Using the same real-time machine learning techniques and behavioural analysis, the core fraud screening technology used for securing payments can be applied to securing accounts and monitoring loyalty miles claims as well. Similarly, data about the user can be collected from the airline’s website, including his/ her behaviour on the website or what he/ she does on the website,” mentioned Lie. “With an effective automated fraud management solution that eliminates the need for manual reviews and thus the need for heavy human labour, airlines can in fact save much more resources on fraud management.”

Lie said that, considering airlines have a very low profit margin per transaction, each fraud loss impacts them significantly. Yet most airlines continue to rely on human labour, which contributes to overall costs to the business on top of fraud losses from ineffective fraud solutions. Airlines should seek to automate their fraud screening processes for greater efficiency as well as to concentrate their focus on other parts of the business. Adopting risk-averse tactics (such as keeping fraud to an absolute minimum) also eats away at an airline’s revenue. Instead, airlines must adopt an optimal risk management approach to their e-commerce strategy to fully maximise their revenue potential.

Data definitely has a role to play, and while data is important, what is more important is the quality and relevance of the data.

Relevant data is necessary to improve fraud prevention, as well as to improve the machine. For instance, if the machine is regularly receiving non-relevant data, the resultant output will be non-relevant decisions.

In addition, the way the data is processed must also be relevant when calculating probabilities of fraud risk. Also, instead of implementing a fraud prevention strategy that requires long gaps in training machines with data sets, travel companies should shift towards real time machine learning (or real time automated) fraud systems to get ahead of the fraudsters.

 

How can data help in combating fraud? Hear from industry experts at Ai’s 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August).

Follow Ai on Twitter: @Ai_Connects_Us

 


First published on 14th November, 2016

Ai Editorial: What can reduce an airline’s liability when we talk of chargebacks? Various stakeholders need to jointly improve the situation as there can be instances where airlines and merchants at large can be clueless.

 

There are multiple stakeholders at risk when it comes to chargebacks.  Fraudulently filed chargebacks touch each party in the payment industry.  

But is the functioning of the industry in its entirety falling short and ironically rendering most harm to the very consumers it was invented to protect?

The industry cumulatively needs to combat the issue of chargebacks.

As for airlines, today’s solution must be agile and diverse, coupling an evolving defence with effective representment strategies. Do remember: chargeback prevention is much easier than chargeback representment, so plan prevention diligently. If a mistake is legitimate, then disputing the same will be futile. Airlines need to focus on a multi-layer fraud management plan. It should feature complementary tools for all-inclusive protection, rather than counting on just the basic tools. It doesn’t mean that there is a need to use every product available. Neither strategy will effectively minimize risk exposure. For example, any merchant using Address Verification Service along with card security codes or 3D Secure is technically using multiple solutions to prevent fraud. Other options include card security codes, geo-location, device authentication, proxy piercing, biometrics etc. Airlines need to carefully consider a plan that will address their individual threats.

Other stakeholders, too, need to improve:

· Acquiring banks can help reduce the effects of fraud by establishing internal blacklists and developing chargeback triggers for advanced alert notifications.

· Processors who undergo the most stringent underwriting procedures to maximize their KYC (Know Your Customer) compliance will ultimately reap the benefits through helping to ensure their merchants are following best practice methods that work alongside operational efforts to prevent friendly fraud.

· For issuers, additional due diligence is key. Despite the temptation to rapidly resolve a cardholder dispute, additional effort will pay off in the long run for those who consciously work to prevent bad habits from forming in the first place.

Industry issues

It is pointed out that the problem of chargeback fraud has worsened due to operations of banks that offer both issuing and acquiring services.

“There are various entities involved in the chargeback process and each impacts the outcome differently. Some parties help while others hinder. But more often than not, the individual entity isn’t to blame, rather the policies and regulations set forth for the entire industry,” says Chargebacks911’s COO, Monica Eaton-Cardone. Citing an example, she says, ecommerce wouldn’t exist if card networks and issuers hadn’t taken steps to boost consumer confidence when it comes to payment card use and liability. By abating cardholders’ fears about potential losses tied to fraud, networks and issuers have enabled millions of businesses around the world to experience optimum profitability via card-not-present transactions. However, by advertising zero liability, issuers have inadvertently incentivized friendly fraud. On the other hand, cardholders and merchants are both, technically, customers of the card networks. “As you can imagine, appeasing both sets of customers would be a challenge! Unfortunately, regulations often benefit the cardholder while too much onus is put on the merchant. However, networks have made strides in recent years to slightly lessen the merchants’ liability—for example, accepting flight manifests as compelling evidence and MasterCard’s reason code modernization efforts,” explained Monica.

Being meticulous

Despite the hundreds of reason codes used by card networks to categorize chargeback causes, there are actually only three sources of chargebacks: criminal fraud, merchant error, and friendly fraud.

First, merchants need to reduce their exposure to criminal fraud. With the proper technology, customized rule sets, and expert analysis, merchants can significantly reduce the number of unauthorized transactions that get processed. Next, eliminate merchant error. As much as 40% of chargebacks could be caused by the merchant’s own mistakes, oversights, or shortcomings. Ensuring the business’s actions or inactions haven’t actually caused the transaction dispute is essential. An objective and unbiased review of policies and operations can help create an exemplary customer experience and flawless payment processing.

If merchants can eliminate the first two sources of chargebacks, all that’s left to manage is friendly fraud.

“Nearly all reason codes can be used to mask friendly fraud; cardholders disguise their unscrupulous behavior by claiming a variety of falsehoods. Because merchants don’t have any other way to determine the real motivation, they are forced to take reason codes at face value,”  says Monica. “Until there is a reason code labeled ‘friendly fraud,’ merchants will forever be engaged in a guessing game—is this claim legitimate or friendly fraud? This uncertainty is what drives merchants’ inaction. Unless merchants couple professional assistance with chargeback management technology specifically designed to identify the true source of the transaction dispute, they’ll only be able to address the obvious cases of cyber shoplifting.”  

Issue of legitimacy

If the case isn’t obviously friendly fraud, merchants are left with the great debate of legitimacy. In these situations, many merchants assume it is better to err on the side of caution, as making an incorrect response could inflict severe consequences. Letting friendly fraudsters slip by is better than mistakenly challenging legitimate criminal activity or an error on the merchant’s part. Moreover, the resources demanded by friendly fraud mitigation are usually more than merchants are willing to sacrifice—especially since in-house teams see such limited ROI. Bottom line: merchants aren’t taking great enough strides towards effective friendly fraud mitigation. However, there are numerous factors outside their control that influence their reluctance to make a more substantial effort.

There are countless examples of how friendly fraud is executed.  As Monica explains, airlines can suffer from the equivalent of ‘return fraud’ that is perpetrated in any other ecommerce industry. For example, a cardholder buys tickets but later realizes she must change her travel plans. Because she doesn’t qualify for a full refund from the airline, she’ll file a friendly fraud chargeback and claim the purchase wasn’t authorized—when in fact, it was. Card networks have announced they’ll accept the flight manifest as compelling evidence against friendly fraud. However, there are a very limited number of situations where this documentation can actually help. For example, a cardholder buys a ticket so his girlfriend can come visit at Christmas. While she’s there, the two get in a big fight. Grieved that he paid so much money for such a lousy trip, the cardholder disputes the original purchase. Because the cardholder’s name doesn’t match the flight manifest—because the boyfriend bought the girlfriend’s ticket—there is little the airline can do.

 



First Published on 2nd January, 2017

Ai Editorial: Airlines need to create their own fraud mitigation strategy, set up customized KPIs in conjunction with detailed data analysis to protect themselves, writes Ai’s Ritesh Gupta

 

Are merchants, acquirers, issuers etc. equipped with the necessary arsenal to combat card fraud? Is the card-not-present environment still susceptible to fraud?

As a specialist in this arena, Chargebacks911’s COO, Monica Eaton-Cardone says payment card fraud will always be an issue—it will never be completely mitigated. “Wherever there is a chance for profitability, there will be criminal activity. And, each new technological development introduces a new avenue for fraud, meaning detection and prevention efforts need to be just as agile,” she says. Despite all this, she believes the current security situation is the best we’ve seen it since the inception of payment cards. “Our society in general is well aware of the threat and is eager to address it. We aren’t denying the danger—which I think is an important step. The real challenge is to ensure attention to security spans all channels and all sales methods. Unfortunately, to date, security efforts have been inconsistently applied. EMV technology effectively mitigates card-present risks. Biometrics make mobile wallets virtually fraud-proof. But very little effort has been made to protect the card-not-present environment.”

Improving upon traditional way of securing payments

Just a month back, research by Newcastle University in the U.K. indicated that working out the card number, expiry date and security code of any Visa credit or debit card “can take as little as six seconds”.

For their part, Visa stated that this study didn’t consider other layers of security such as its Verified by Visa system.

Michael Roche, Vice President, Consumer Authentication, CardinalCommerce mentioned that Visa does have mechanisms that track frequency of payments across Card-Present (CP) and Card-not-Present (CNP) orders. “Unfortunately it’s limited by the information within the ISO8583 authorization spec. What Visa is doing though is exposing a whole host of risk and authentication capabilities. You can get to all of these through Visa Checkout right now. In the future you should be able to get direct access. (Checkout Visa Developer). Visa also supplements all their network data through the 3DS protocol. The 3DS protocol provides visibility into all the important info that the ISO8583 spec does not. CVV2 and AVS are antiquated solutions and once you deploy 3DS your reliability on them will be reduced. I do agree that these checks are past their prime,” said Roche. He added, “If you have a Rules Based Authentication (RUBA) 3DS solution and you are transacting with a Risk Based Authentication (RIBA) issuer you only need to rely on that RIBA issuer’s authentication response and it’s yes or no. Doesn’t get any better than that online.”

It’s every ecommerce player for themselves

Monica says it is not advisable for merchants to rely exclusively on card schemes for a safe and secure payment processing environment. “Just like everyone else in the industry, the card networks were initially caught off guard with the explosion of ecommerce growth and were ill-equipped to handle emerging threats,” she says. “Unfortunately, right now, it’s every ecommerce player for themselves. Retailers, airlines, OTAs, PSPs, banks—everyone needs to critique their own individual risk exposure and create a customized mitigation plan. Fortunately, there is an abundance of effective products and services available to choose from that will help ensure success.” In doing so, it is important to consider a few necessities. First, individual tools or solutions need to be incorporated into a comprehensive strategy and evaluated against a profitable level of risk exposure. Second, risk mitigation needs to be dynamic—what worked yesterday might not work tomorrow.   

Hackers are getting better

With the advent of greater tech advances, hackers themselves are also relying on machines to write algorithms to hack systems and crack codes, and they are getting better and quicker at it, says Justin Lie, Group CEO, CashShield, a SaaS-based self-learning fraud prevention solution for ecommerce. Other than capitalizing on vulnerabilities of a credit card or a debit card, hackers are also creating fake accounts on e-commerce sites to run hacks on the stolen credit cards. Therefore, much greater effort is needed to strengthen the current infrastructure, and it will have to be a combined effort between card schemes, PSPs and merchants to prevent cybercriminals from getting away too easily. Currently, there is a lack of information and transparency between merchants, PSPs and card schemes, while merchants receive almost no protection against fraud losses, since they have to bear the cost whenever unauthorized chargebacks are filed. “This broken line of communication should be fixed, while each stakeholder must understand the fragility of payment card security and where they stand in the ecosystem, or it would be difficult for the situation to improve. In the meantime, merchants themselves should also invest in identity management in authenticating fraudulent accounts (or hacked accounts) to protect themselves,” says Lie.

What to fix?

Monica admits that merchants definitely suffer from the industry-wide lack of transparency. “But I’d actually argue everyone involved in card-not-present transactions experiences consequences. I’ve been saying this for years: a lack of consistently applied standards and compliance with those standards is increasing costs and causing needless revenue loss. This is the problem we need to fix.”

Airlines and OTAs absolutely need to create their own fraud mitigation strategy.

Fortunately, the travel industry has a distinct advantage over many other industries, says Monica. “There is an abundance of personal information available for data analysis. Everything from frequent flyer accounts and past itineraries to in-flight purchases and travel companions can make fraud detection much more successful. Establishing and monitoring customized KPIs in conjunction with detailed data analysis can produce significant results.”

 

Ai is set to conduct the 11th Airline & Travel Payments Summit (ATPS) this year.

Date: 3 May - 5 May 2017; Location: Berlin, Germany



First Published on 11th November, 2016

Ai Editorial: Be it for identifying areas of vulnerability, acting on identified risk or acting swiftly when an attack happens, gearing up for website security is of paramount importance, writes Ai’s Ritesh Gupta

 

Why do websites get hacked and what to do when it happens?

Being ready for the same is an ongoing exercise, and it needs to be an integral part of any crisis management plan today.

Travel brands have been at the receiving end, so it’s important to keep a tab on areas of vulnerability. Specialists label forms, login pages and dynamic content as soft targets.

One needs to assess the modus operandi behind web application attacks.

They can target free open-source software as well as commercial or custom-built applications.

One can evaluate the robustness of web applications such as Joomla and phpBB against threats such as unvalidated or unencoded user input within the generated output (which lets malicious JavaScript code run) and malicious SQL statements that take control of a web application’s database server.

Areas of vulnerability

Today it’s mandatory for every organization to comprehend aspects of an application’s information security.  

Airlines need to gear up for penetration tests. These evaluate the effectiveness of information security controls as implemented in the real world. The advantage of penetration testing is knowing a system’s vulnerability before an intruder gets to know it.

Access is considered to be a critical aspect when one talks of hacking.

One needs to take a detailed look at how one logs into a hosting panel, server, website, device etc. A detailed study of how a fraudster/attacker tends to evade a web application’s authentication and authorization process and ends up gaining access to the content of an entire database is a must.

Injection flaws stem from a failure to filter untrusted input. Besides SQL injection, other common mistakes are failing to keep sensitive data encrypted at all times and Cross-site Scripting (XSS), where a web application makes use of unvalidated or unencoded user input within the output it generates. An XSS vulnerability results when a malicious script that someone inserts eventually gets parsed in the victim’s browser. Today there are automated web vulnerability scans available for guarding against XSS attacks. Given the pace at which new code gets deployed today, it is imperative to automate the security of a web application.

There is also a need to guard against exploitation of software vulnerabilities through crafted Uniform Resource Locators (URLs) or POST headers. One also can’t ignore instances where a malicious website, email etc. causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated (cross-site request forgery).

Once a vulnerability surfaces, an organization needs to tackle the risk associated.

As Acunetix, a web application security software specialist, recommends, the level of risk can be ascertained from numerous data points – “the severity of the vulnerability, the consequence should the vulnerability be abused, and threats the application faces.” So a Stored Cross-site Scripting (XSS) vulnerability in the authenticated area of a business-critical application hosting sensitive information may appear as a bigger risk than a Blind SQL Injection vulnerability in an internal application that does not hold sensitive data.

As for new technology, ecommerce sites are relying on analytics and machine learning for real-time cognitive fraud detection. For instance, IBM has come up with new behavioral biometric capabilities that incorporate the use of machine learning to help understand how users interact with banking websites. Fraudsters exhibit cognitive behavior just as users do, and it is quite different from that of a real user. Suspicious behavior is being tracked in new ways to detect new account fraud for online banking and eCommerce sites and malware/bot activity.

What if an attack happens?

Travel brands have faced situations where severe attacks have happened, and it’s a dreadful situation.

Foregenix, a specialist in digital forensics and information security, recommends that organizations take a compressed backup of the entire web root and export any database associated with the website. If payment card data has been stolen, this backup will be needed when there is an investigation by card brands and/or law enforcement. Again, in order to support any inspection, rather than eliminating suspect files from a website, store a copy in a secure, compressed, offline location, recommends Foregenix. Inform the processor and acquiring bank. This in turn will help in dealing with Visa, Mastercard, Amex and the other brands if payment card data has been stolen.

Spot the IP addresses used during the attack. This will help in identifying attack patterns inside of web server logs and other system logs.
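One way to do this triage once an attacking address is known, as an added example rather than Foregenix's or Acunetix's tooling: it assumes web server logs in the common "combined" format, and the log lines, addresses and paths are constructed. It summarises what each known address did, then lists other addresses that sent the same user agent to the same endpoints.

```python
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed access-log lines in "combined" format (not real traffic).
# Work on a copy of the preserved logs, never on the evidence itself.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2016:02:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/44.0"
203.0.113.45 - - [12/Mar/2016:02:14:07 +0000] "GET /login.php HTTP/1.1" 200 1843 "-" "sample-client/1.0"
203.0.113.45 - - [12/Mar/2016:02:14:09 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "sample-client/1.0"
203.0.113.45 - - [12/Mar/2016:02:15:30 +0000] "POST /admin/upload.php?type=img HTTP/1.1" 200 512 "-" "sample-client/1.0"
192.0.2.10 - - [12/Mar/2016:02:16:12 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/44.0"
198.51.100.23 - - [12/Mar/2016:02:20:11 +0000] "POST /admin/upload.php?type=img HTTP/1.1" 200 498 "-" "sample-client/1.0"
this line is truncated and will not parse
"""


def parse_records(text):
    """Return (records, skipped); malformed lines are counted, not fatal."""
    records, skipped = [], 0
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            skipped += 1
            continue
        rec = match.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["path"] = rec["target"].split("?", 1)[0]   # group by path, ignore query
        records.append(rec)
    return records, skipped


def summarise_attack_ips(records, attack_ips):
    """Per known attacking address: time window, volume, endpoints, status codes."""
    summary = {}
    for rec in records:
        if rec["ip"] not in attack_ips:
            continue
        entry = summary.setdefault(rec["ip"], {
            "first": rec["ts"], "last": rec["ts"], "requests": 0,
            "paths": set(), "statuses": Counter(),
        })
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["requests"] += 1
        entry["paths"].add((rec["method"], rec["path"]))
        entry["statuses"][rec["status"]] += 1
    return summary


def pivot_candidates(records, attack_ips):
    """Other addresses that used an attacker's user agent on an attacker's endpoint."""
    attack = [r for r in records if r["ip"] in attack_ips]
    agents = {r["ua"] for r in attack}
    touched = {(r["method"], r["path"]) for r in attack}
    hits = {}
    for rec in records:
        key = (rec["method"], rec["path"])
        if rec["ip"] not in attack_ips and rec["ua"] in agents and key in touched:
            hits.setdefault(rec["ip"], set()).add(key)
    return {ip: sorted(paths) for ip, paths in sorted(hits.items())}


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG)
    known = {"203.0.113.45"}                  # constructed "known attacker" address
    for ip, info in summarise_attack_ips(recs, known).items():
        print(ip, info["first"].isoformat(), info["last"].isoformat(),
              info["requests"], sorted(info["paths"]), dict(info["statuses"]))
    print("pivot:", pivot_candidates(recs, known), "unparsed lines:", bad)
```

The legitimate visitor at 192.0.2.10 also posts to /login.php but is not flagged, because the pivot requires the user agent to match as well as the endpoint.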

Acunetix suggests that companies need to identify accounts that have been compromised and change the credentials for these accounts. Also, check for malware, malicious software that is developed with the intention of infiltrating a computer or website without the consent of the owner. Check how it works. Viruses, worms, and Trojan horses are examples of malicious software. This is important as most malware is designed to infect other systems. There have been cases where companies have worked with forensic experts and swiftly removed the offending malware.

Being accountable: A leading hotel brand, when its credit card data was breached around a year back, chose to address the question from a consumer’s perspective - How do I know if my credit card has been compromised? The answer from the chain – “If you suspect any unauthorized activity on your card, we recommend you contact your credit card provider directly”. The group also acknowledged that despite having leading data security systems in place, the malware was “undetectable” by all anti-virus systems. Customers expect brands to be answerable at all times, and organizations need to be prepared for all external communication related to any such attack.

 



What would it take to facilitate transactions via wearable tech devices?

Airlines are trying to make the most of wearable computing. Ai’s Ritesh Gupta assesses what it would take to develop apps for smartwatches that are ready to facilitate transactions

How can wearable tech devices be tapped for revenue generation?

The travel sector responded swiftly to the launch of Apple Watch with a spate of tailored apps, but a lot more is being expected from wearable computing.

The promise of augmenting the overall payment experience, propelled by data pulled together by smartwatches (such as location and behavioral information), is alluring. The past six months or so have been quite exciting, even though battery life remains one of the major drawbacks of these devices.

Today there is talk of an option in the UK, the bPay band: wear a contactless wristband, add money from a debit or credit card and then make contactless payments of up to £20 wherever one comes across the contactless symbol.

As the travel industry digs deeper to ascertain what can be done in this arena, it is clear that the immediate attention is on smartwatches, especially with the unveiling of Apple Watch. The device features contactless payments and integration with Apple Pay for the user account. This can be used for payments independently of the airline.

Coming to grips with reality

Talking of “in the moment” technology, Kevin O’Shaughnessy, CEO, Indigo, says the day-of-travel content is key here. He refers to security fast-track passes, gate upgrades, ground transport - all fitting the bill.

Geo-fencing, itineraries and other data sources can build these into a value-added experience that adds great consumer value, says O’Shaughnessy, who spoke at the Ancillary Merchandising Conference, a part of the 2nd Annual Mega Event Asia-Pacific (previously held in Singapore, 31st Aug 2015 – 2nd September 2015).

Comparing existing platforms with the new wearable e-commerce segment, O’Shaughnessy says there are new limitations that need to be handled. “Instead of vast or curated choices, we must predict specific product needs: a new application for big data. Also, where once customers would browse, (it should be noted that) small screens support “triggered” purchases.”

Explaining in detail, O’Shaughnessy says, “If you track the evolution of interactive devices from desktop web to mobile to wearable, we are facing one of the biggest interaction design challenges we’ve seen before. We have learned that the larger the screen, the easier it is to browse and to comparison-shop. Wearable interactive devices take this to an extreme: we’re literally down to “quick yes/no decisions”. This means that the retail opportunity needs to be heavily targeted and contextually relevant.

“To date, airlines have focused on “wearable boarding cards” which is a pity — it has created a new “palm-reading gesture” which we now have to learn (O’Shaughnessy refers to an example - placing your wrist the wrong way around on a barcode scanner). We think the retail opportunity is much more exciting than this,” he says.

What can work and what can’t

He points out that the travel timeline is well-modelled and relatively finite, in spite of some internal complexity.

“We all have a solid understanding of “planning, booking, pre-departure, day-of-travel...”. Taking this into finer detail will expose natural purchase occasions which we can capitalize on. For example, booking an unknown hotel on mobile won’t work, however, booking your local Sheraton or a familiar hotel would. The key differentiator is trust and advance knowledge. Wearable ecommerce doesn’t have time for a new tab, extensive searching and browsing and an elaborate review of TripAdvisor reviews - the 5-dot score is a good idea however.” 

“The examples we see working in the short-term are actionable notifications (class upgrades moments before departure), security line passes (popular in Europe), ground transport (disclosure: Indigo is a GT provider), some onboard purchases, some push offers in the airport, room service and so on,” he says.

Trials in progress

O’Shaughnessy says the trialling of concepts such as the contactless wristband is a positive development.

“The rule for any innovation like this, I suppose, is that when you think of a transaction, there are two parties involved. Both must evolve at the same speed,” he says. The average wallet now contains a bunch of “contactless” cards, every one of which can be used for access control, payment, loyalty and more, as long as there is some expression of consent from the holder and, if necessary, people on the other side of the counter start working together.

“The real innovation in wristbands is that it removes the last barrier to adoption for payments — it’s more easily used than the card lost at the bottom of a handbag or pocket. If added to a smart device, such as Pebble, Android Wear or Apple Watch, there may be some more consumer value which can evolve over time,” says O’Shaughnessy. “Current payment cards - stuff from your corner bank, issued by Visa, Mastercard etc. - can easily be upgraded to securely carry documents such as boarding cards which passengers could use at the boarding gate. It doesn't necessarily have to be on your wrist. In my view, this isn’t a step change, but it's nice to see the payment guys innovating.”

Facilitating transactions

So how challenging is it to develop apps for smartwatches that are ready to facilitate transactions?

O’Shaughnessy says the same can be summarized into three key points:

  • No checkout and strictly yes/ no decisions: “Searching” and “Form filling” is the current interaction metaphor of ecommerce and online shopping carts — whether Amazon or airline. There are no forms that you can fill out from a watch. This means that any retailer has to, effectively, guess what a customer will require in advance of presenting a triggered sale (via notification). “Think Personal Shopper, not Bazaar,” says O’Shaughnessy.
  • User accounts and Pre-clearance for Terms and Conditions: Users cannot read and accept terms and conditions as part of the checkout process; this implies a pre-existing relationship with the user (they have signed up to your service beforehand).
  • Payment: No credit card details, no secure code/ Verified by Visa/ CVV checks. Payment details must be ready and on standby for that spur-of-the-moment decision.

These create an imperative to create rich, deeply-integrated ecommerce experiences. The good news is that this effort can improve retail across all devices too, says O’Shaughnessy.

He says by focusing on the three key challenges, the solutions are actually closer to ecommerce platforms than device capability. “There are about five competing platforms for smart devices today across two major smartphone platforms. They are not compatible, but the differences required to support, for example, Pebble and Apple Watch are trivial in comparison to the changes required in the backoffice to support both,” he points out. 

The imperative for airlines is to choose carefully when to engage with the customer; the offer must be highly focused and relevant, and distilled into a snap “yes/no” decision. Bear in mind, any watch interactions are interruptions: you only have half a second of attention.

Follow Ai on Twitter: @Ai_Connects_Us and Checkout our events at: www.AiConnects.us


Tokenization, yellow path authentication…impossible to ignore all of this

When one hears that no Apple encryption has been broken yet, it comes as a big relief considering the level of fraud that is happening today. Ritesh Gupta, Ai Correspondent, takes a closer look at tokenization.

No one likes to waste time on routine tasks that hamper the experience of shopping. One always feels like completing a transaction as soon as possible. The world of mobile commerce has made significant progress in this context, with travel e-commerce entities besotted by the idea of one-click payment.

All of this means no one wants to fill in mundane information again and again. Understandably, then, a lot is being said and evaluated when it comes to tokenization of payment data.

Going by the spate of fraud incidents in the recent past, the security of tokenized data is a more important issue than how PCI compliance requirements shift from the merchant to the payment associate. As much as the industry is contemplating how to modify existing systems to accept tokenization, airlines and other travel companies are also looking keenly at its prowess in combating fraud. Topics like data protection, user authentication and device authentication are valid discussion points in today’s travel shopping environment.

Are consumers savvy enough?

So what is tokenization, in case one needs to know how it works? It is all about shielding the consumer’s data by replacing the payment account information found on a plastic card with numbers that can be used to authenticate a payment without revealing the real account details. When a consumer uses a mobile device to complete a contactless transaction, a token is submitted. So customers only need to register their cards once.

Even though Apple didn’t come up with any new payment security standard, the introduction of Apple Pay has aroused immense interest in the arena of mobile commerce. The promise of paying via Apple Pay is enticing enough, considering the popularity of whatever Apple does, but do consumers understand the repercussions of something going awry with their data?

“Absolutely, cardholders are very savvy,” says Melissa Santora, product strategist - Card Services, Fiserv.    

She adds, “In fact, security concerns have been one of the top inhibitors to mobile payments adoption. Consumers are being educated by their financial institution and the industry that their card number is not stored on their connected device nor is it seen by the merchant. It’s a powerful differentiator to how mobile payments were introduced to consumers in the past.”

What does Apple Pay support?

Before we understand what Apple Pay is supporting, it is important to know more about dynamic and static tokenization. 

Santora explains dynamic tokens change with each transaction whereas a static token remains as one token per connected device. Therefore if you happen to lose your device, you can suspend or delete your token rather than reissuing your card. Additionally, this token can be found on your device as the ‘device account number’. This information can be found on your connected device by either flipping over the card within the wallet or by accessing the Settings portion of the device.

“It’s important to note that tokenization through Apple Pay and the EMVCo. specifications support static tokens only,” says Santora.

Here are some other key aspects about tokenization that are worth knowing:

· HCE: Host Card Emulation or HCE is another flavor of tokenization. When asked about this, Santora mentioned: “We do not have enough information to comment on HCE and the impact/ role that it may have on tokenization however we are actively understanding how HCE may play into tokenization and mobile payments.”

· Benefits and drawbacks associated with tokenization: Just as EMV solves for fraud in the card-present space, tokenization is part of the offering to mitigate fraud in the card-not-present space and digital payments, says Santora. “It’s important for consumers to know that their card number is not stored in their connected device. Also, someone cannot take your phone and use your phone for payments. Touch ID or your Passcode is also required for a tokenized transaction to be completed,” elaborated Santora.

· Definition: Under the EMVCo specification on tokenization, a token is defined as an alternate PAN, which is not the same as one-time-use data. Santora says this refers to the dynamic vs. static token discussion. The token is considered an alternate PAN, or the device account number, which is just a surrogate value for the real PAN.

· Not broken yet: It is being emphasised that no Apple encryption has been broken; the issue has more to do with how the banks themselves issue credit cards and verify the identities connected to those cards. Santora says, “We have not seen fraud related to Apple Pay and have adhered to the standards and regulations set by the networks for yellow path authentication. We do offer call-center services for yellow path authentication and are thorough in our questions to ensure that the cardholder is the rightful owner of that card and provision that cardholder and card with a token.”
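The static-token model described above (one device account number per connected device, acting as a surrogate for the real PAN, which can be suspended or deleted without reissuing the card) can be modelled as a token vault. This is an added example, not code from Apple, EMVCo or Fiserv; the `TokenVault` class, its in-memory store and the `999999` token prefix are assumptions made for illustration.

```python
import secrets

def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # positions that are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

class TokenVault:
    """Example token service: one static surrogate PAN per (card, device)."""
    PREFIX = "999999"  # constructed range for this example, not a real BIN

    def __init__(self):
        self._records = {}  # token -> {"pan": ..., "device": ..., "state": ...}

    def provision(self, pan: str, device_id: str) -> str:
        # Static token: provisioning the same card on the same device again
        # returns the existing token instead of minting a new one.
        for token, rec in self._records.items():
            same = (rec["pan"], rec["device"]) == (pan, device_id)
            if same and rec["state"] != "deleted":
                return token
        while True:
            body = self.PREFIX + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._records:
                break
        self._records[token] = {"pan": pan, "device": device_id, "state": "active"}
        return token

    def set_state(self, token: str, state: str) -> None:
        if state not in ("active", "suspended", "deleted"):
            raise ValueError(state)
        if self._records[token]["state"] == "deleted":
            raise ValueError("deleted tokens cannot be reactivated")
        self._records[token]["state"] = state

    def detokenize(self, token: str):
        """Return the real PAN only for a known, active token; else None."""
        rec = self._records.get(token)
        return rec["pan"] if rec and rec["state"] == "active" else None

def luhn_valid(number: str) -> bool:
    return luhn_check_digit(number[:-1]) == number[-1]
```

Suspending the token provisioned for a lost phone leaves the token on the same cardholder's watch working, and the underlying card number never changes.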

When passengers and airlines are confident enough about the role of tokenization, then one can expect a spurt in the use of mobile payment services such as Apple Pay and others.
