
First published on 15th June, 2016
Ai Editorial: New payment options, especially 3rd party mobile wallets, are exciting. One needs to assess how all of this fits with the complex world of airline payments, writes Ai’s Ritesh Gupta
The buzz around some of the new ways in which one can pay for a transaction is unmistakable.
What is increasingly standing out is the ease with which we can pay.
Options like Apple Pay and Android Pay let travellers check-out with a single touch. Travellers can get going by adding their preferred debit or credit cards. And this means businesses gain instant access to an extensive user base potential.
And it’s not only Apple (which continues to make progress, for instance, Apple Pay in China) and Android; even Facebook and Amazon are making news. Plus, one can’t ignore other options such as Alipay that have become dominant for targeting a particular section of audience/ market. In fact, since Alipay is a part of the Alibaba group (which includes Alitrip and other divisions such as big data/ cloud computing), brands need to be a part of such a shopping ecosystem. It offers content/ information and a shopping environment in a seamless manner. The likes of Air France-KLM and Cathay Pacific already have Direct Connect agreements in place with Alitrip. As for Alipay, supported methods include standard web, web-to-mobile, and in-app transactions.
Embracing various mobile payment options is paying off. Early movers in mobile payments are already witnessing benefits. Transavia’s mobile payment share stands at 20%, which according to Adyen, is 65% higher than the airline average. The airline has benefited as it focused on crafting a mobile-optimized experience.
Dealing with constantly evolving payments ecosystem
There are several areas that need to be looked upon as options increase:
- Be realistic: The travel commerce ecosystem is complex, with many moving pieces. “I think airlines will always need to be in full control of the payment ecosystem. It’s something that an airline or OTA does very well, better than these (Facebook and Amazon) networks. Some brands like PayPal make total sense and work well within space, but when it comes down to it, managing payments needs to be owned entirely by the airline or OTA. Many of the reasons why revolve around risk, bookings, issuer relationships, travel rewards and beyond. Getting from point A to point B on the map hinges on money moving from account A to account B. As travel itineraries change, upgrades, cancellations, and delays occur there’s a delicate dance that needs to happen,” explained CardinalCommerce’s VP, Consumer Authentication, Michael Roche.
In case of airlines, “maybe you will see little to no incremental sales lift from adding an alternative payment brand. Much of the time offering another brand is going to cannibalize your current card business, so you need to make sure that it’s going to be worth it: rates, risk, and operational overhead,” asserted a source.
Referring to the likes of Facebook and Amazon, a source said, “(I doubt) if it will ever make sense to outsource the full payment functionality that airlines and OTAs have today. I also don’t think these networks will have the capacity to handle it on the levels that would be required. There’s a big difference between buying and delivering a pair of shoes vs. booking an international trip with two layovers. Being a great airline or OTA means you have an efficient payment ecosystem.”
- Adopting new options: Airlines are going to have challenges with any new payment types that don’t pivot on the credit/ debit. “Anything that doesn’t use the authorization and settlement model will cause additional work across the travel infrastructure. Most payment networks and brands are going to present a challenge. PayPal, however, has had adoption success within the travel industry since it ties closely with the network card model,” said Roche. When considering any new payment options, you will need to do your due diligence to ensure all entities within the supply chain can handle how it operates from authorization to settlement along with all other payment functions like refunds, reauthorization, split orders, and any other type of customer service use cases that you could imagine.
Airlines need to work with their respective acquirer or PSP when identifying a new payment type. They should also discuss it with all other entities which handle bookings, customer service, or any other function where payment is tied to action throughout the travel lifecycle.
A specialist like CellPoint Mobile highlights that when it comes to supporting Android Pay, it would only require a few tweaks to their existing configuration, and passengers will have access to Android Pay in less than one week. An option like Android Pay should work seamlessly across all the e-commerce channels deployed by airlines, and one also needs to ascertain how passengers’ payment, loyalty, and transaction data would be protected.
- Keep an eye on the future: What we’re going to see in the future would be a payment ecosystem that’s more secure, confident, and accountable. The risk is going to be mitigated across the supply chain, and the online payment channels will become as trusted as the Card-Present space. Experts recommend that airlines keep their eye on these concepts in the next couple of years:
- Wallet Mobilization of the POS
- Strengthened and streamlined acquiring relationships
- EMV Online
- 3-D Secure 2.0
- Payment Tokenization
How is the world of 3rd party mobile wallets shaping up? Hear from experts at the upcoming 5th Airline & Travel Payments Summit Asia-Pacific to be held in Kuala Lumpur (17-18 August, 2016).
Follow Ai on Twitter: @Ai_Connects_Us

First Published on 14th October, 2016
Ai Editorial: The cloud security set up needs to be payment processor agnostic, tokenize and secure all data types plus manage data in an omnichannel environment, writes Ai’s Ritesh Gupta
Optimizing payments-related infrastructure requires one to excel on many fronts.
Be it for data privacy and data security challenges, the simplicity and speed at which an airline processes its business payments and transactions, accepting varied forms of payment or ensuring the entire set up doesn’t hamper the travel shopping experience by keeping everything under design control, a lot needs to be done. Every facet has its significance, and airlines can’t afford to slip on any account.
Cloud-based set up for processing of payments
Airlines, just like any organization in the arena of digital commerce, need to keep pace with telling changes in the enterprise IT environment.
Talking of payments, cloud computing is an attractive proposition, and this is owing to several benefits – curtailing expenditure, cost cutting etc.
But is cloud secure for payment processing?
This is a vital conundrum to solve as no airline or any travel organization would imagine being a victim of any sort of fraud or even a data breach. No matter how strong the infrastructure is for processing of payments, airlines and other travel merchants can always be jittery when it comes to trusting a 3rd party vendor with key details such as traveller’s credit card information, with the perception that data must be stored in-house in order to handle chargebacks etc. When one talks of drifting away from on-premise software solution for processing, there would always be some level of reluctance. There is a need to evaluate potential risks in a shared environment. As observed over a period of time, cloud data-centre security is being labelled as more vigorous than that of on-premise legacy servers. As a result, cloud-based software is gaining prominence.
WEX Travel, a provider of virtual payment solutions to the travel industry, in one of its recent blog postings, did refer to apprehensions about cloud specialists’ ability to “keep data secure” as a major roadblock that hinders shifting of processing to the cloud. As WEX also acknowledges, cloud providers “devote more resources to security”, but still there is a need to verify the plans for storing data in the cloud.
It needs to be highlighted that the utility of cloud computing is on the rise. Payment specialists are looking at delivering seamless omnichannel payment processing within a single payment solution. This week Adyen announced that for the first time, merchants “can enable credit card payments, manage complex alternative payments, offer fraud solutions and conduct EMV card-present solutions globally over a single interface delivered entirely in the cloud”. Adyen says with this move, one can avoid costly systems integration, data reconciliation is in real-time, and the offering is payment method agnostic.

Cloud-based payment tokenization
Cloud-based payment tokenization lays a strong foundation and ensures that an organization’s sensitive data doesn’t get stolen from their business systems.
Tokens can feature in transactions involving debit and credit cards, loyalty cards; cloud-based payments; e-commerce and m-commerce payments - card-on-file data.
By tokenizing sensitive data, you remove it from your environment, reducing the scope and burden of compliance.
Also, airlines can’t afford to work with specialists that only tokenize payment data, and leave other sensitive data streams.
Importantly, tokens (essentially the result of a procedure in which a sensitive data field, such as the Primary Account Number or PAN from a credit or debit card, is swapped with a proxy value called a token) can pave the way for accomplishing compliance with requirements that specify how sensitive data needs to be handled and secured by companies in order to adhere to guidelines such as PCI DSS.
The proxy values, or tokens, cannot be reversed to their original values without access to the original set up that maps them to those values. Such key information is kept in a secure location inside a company’s firewall. Only cloud tokenization erases toxic data out of PCI, PHI, and PII scope. (In comparison, when we talk of encryption, the surrogate can be reversed to the original value via the use of a “key”.)
Travel companies need to assess the efficacy of the chosen cloud security offering, especially in terms of how it takes care of most of the scope of PCI Compliance: eradicating payment details from enterprise systems and substituting them with a surrogate value or token; capturing payment data prior to its entry into systems, storing the PANs in data vaults and returning tokens to systems; replacing tokens from systems and transmitting PANs to payment processors and service partners; and batch processing PAN files into tokens and securely vaulting the PANs.
Speed is of essence, too.
In today’s fast paced shopping environment, microsecond latency counts.
The transformation of PAN to token and back to PAN needs to be done in a swift manner, and this shouldn’t have any sort of negative impact on payment processing.
Being savvy
As WEX highlighted, airlines need to curtail the level of detailed information an entity needs to store. Plus, restrict staff’s access to such data.
Also, when it comes to paying vendors with Virtual Card Numbers (VCNs), one doesn’t need to be aware of bank account information and doesn’t need to protect their sensitive information. WEX stated that VCNs also mean that your own account information is safe whether you or the vendor tracks and processes payments in the cloud. “Because VCNs can be used only once, even if there’s a breach, as has happened with hotel chains including Hilton, Marriott, and others, there’s no risk of fraudulent transactions,” highlighted the company in its blog.

Today’s technological advancements present a dilemma for airlines. Carriers need to ensure they are in control of the passenger experience, not leaving it free for others, writes Ritesh Gupta, Airline Information Correspondent
Using fingerprint as a passcode, accessing a boarding pass or completing a transaction via mobile - all of it while on the move fascinates me. Managing a particular service or an app via a smartphone is getting simpler day by day. Whatever the likes of Apple and Google do is hard to ignore. The advent of Apple Pay, wearables technology, or even the emergence of Samsung Pay does garner our attention. The buzz is unmistakable, and the curiosity factor does take over.
But, as a traveller, I wonder can I really have a seamless experience today?
So let’s say I access my flight itinerary via Gmail on the day of the travel, and Google smartly sends me a restaurant voucher when I am at the airport. But if I choose to pay via Apple Pay, would it be possible? Or do I end up paying via Google Wallet only in the future?
The mobile payment landscape is changing with many legacy players like PayPal and Stripe coming up against the newer challengers like Google Wallet and Apple Pay and whilst this is great for the movement it’s going to be a confusing time for the consumer as all these systems and payment methods start to cross over each other, it’s going to be especially confusing for iOS users as Google Wallet exists on Android and Apple devices, says Glenville Morris, Head of Consulting at Mobile Travel Technologies (MTT).
Specifically referring to the scenario mentioned, Morris says it depends if the voucher covered the whole amount due, if not you could part pay with Google Wallet and then change your payment method to Apple Pay but moments like this will happen going forward so processes will need to be put in place.
Google and Apple
Such issues are going to crop up. The talk of being in control by knowing the passenger better, letting them complete their task with whatever option they use is going to be the key. And coming to grips with what Apple and Google are up to is a must.
“Google and also Apple have without doubt brought enhancements to the travel experience. In particular Google Now has had a big impact - out of the 23 possible Google Now cards – 9 are directly related to the travel sphere,” says Morris. However, it presents a dilemma for airlines and they need to ensure they are in control of the passenger experience and not leaving it free for Google to handhold their passengers through their travel preparation and when they are actually travelling, says Morris.
He says airlines instead can work closely with Google to improve how they service passengers on their day of travel as well as before and after by using the data and the app functionality Google provides such as indoor mapping in airports and Google Wallet to enable app payments, rather than letting them step in and take control of the end-to-end passenger experience. Morris says for airlines to properly own and influence the passenger experience, having their own apps and cleverly managing all of the iOS and Android technology as it evolves is key.
“Mobile payments will really help to further the adoption and growth of mobile bookings for airlines so the introduction of Google Wallet and Apple Pay is a good development for airlines. In addition to growing mobile bookings, it will also open up new opportunities to drive ancillary sales via mobile,” adds Morris.
Making every touchpoint count
Airlines need to ensure various touchpoints of a traveller’s journey do not result in a disjointed experience. The biggest opportunity for airlines now is to shape and enhance a passenger’s journey at each one of those steps.
Personalization, context and immediacy are all key to making each individual’s journey what it should be – individual to their needs. And as Morris says, mobile is a key driver to enable all three – the personalised experience, the real-time nature to address immediate needs and the contextual awareness of the stage of the individual’s journey.
He further explains: If your passenger always searches on his mobile, but books on his tablet then target them on that device with an abandoned basket email – if they always upgrade at check-in, then send them a mobile push notification as they walk in to the airport offering an upgrade – if they only ever hire a car in Barcelona when travelling with family then on arrival at BCN show an airport map guiding the passenger to Europa who are offering 25% off car seats for kids. “The age of sell, sell, sell is over, it’s about selling smarter using data from learned past behaviours and the passenger’s context while travelling to provide the most relevant and useful offerings at each touch point of the journey,” asserts Morris.
The biggest trend in the industry right now is and should be ‘continuous engagement’, says Morris.
And it should be continuous engagement at all levels – at the customer service level for improved customer satisfaction and at the ancillary level by pushing personalized offerings to increase the overall ‘value’ of each passenger to the airline all while putting useful products in front of the passenger.
Mobile has taken the modern airline app beyond the simple ‘book flights’ and ‘check-in’ model of old. There is now the opportunity to engage with your passengers throughout the entire travel lifecycle. Not only till the point a journey is over, but also even as customers walk towards the exit door of the airport on their return home, engage with them again about that ‘next trip’, says Morris.
Proactive
Airlines are responding to the latest developments.
Disruption in an industry can be a great thing provided you’re ready for it, says Morris. “I used to work in the music industry many years ago and when Apple marched into our party in 2001 with iTunes, we were two things, completely unready and 100% arrogant. Well, we all know what happened there.” He adds, “Travel has changed so little, whilst all other industries around us have moved forward but I feel we have learnt from the mistakes of industries like music and now the travel industry is ready for the change Apple is bringing.”
He says it is important to understand how many airlines already have Apple Watch apps ready for launch (eight major airlines Emirates, easyJet, Qantas, American Airlines etc) and at least 5 more are rumoured or just about to announce soon.
JetBlue became the first U.S. airline to accept Apple Pay in the sky. The airline has chosen to facilitate onboard transactions, letting passengers pay for à la carte food options, premium beverages, onboard amenities etc.
“How many airlines had Passbook on day one three years ago, just two! Lufthansa and United Airlines,” reminisces Morris.
Adapt or die has never been truer in this case.


Ai Editorial: General Data Protection Regulation or GDPR compliance is a complex journey. It demands enterprise-wide introspection, be it for keeping a tab on the use of personal data or breach prevention or training of employees, writes Ai’s Ritesh Gupta
Travel e-commerce companies have been assessing their existing level of data protection compliance, as GDPR comes into force on 25th May this year. The impact of this regulation would be extensive, as it applies not just to entities based in Europe, but to any organization that holds or processes personal data of individuals residing within the European Union (EU).
What makes meeting compliance challenging is the fact that there is no silver bullet and there is no shortcut to be GDPR compliant. For instance, security experts can help in ensuring the unprotected PII data is identified, whereas marketing technology specialists would ensure how personal data is being used and how to put in place registered consent when accessing customer data.
The travel industry will be impacted due to the large volume of personal and sensitive data it processes about travellers.
The regulation, which places greater emphasis on consumer consent and transparency in the collection and use of personal data, impacts those entities engaged in administering/ managing personal data within the EU or the European Economic Area (EEA). There are more aspects as for the impact of GDPR on travel organizations, including offering services to citizens in this area, scrutinizing the conduct/ behavior of people as part of data strategy etc. Going deeper, organizations within Europe that are associated with or avail the services of 3rd party companies based outside of the EU/ EEA have to ensure their partners/ vendors comply by the enforcement of GDPR or on behalf of these businesses. To summarize, this regulation impacts data controllers (garner data) and data processors (process data on behalf of a data controller). In November last year, law specialist firm Axiom indicated that global companies had millions of contracts that needed to be identified and remediated by May 2018, at a cost of more than $1.06 billion, referring to contracts between controllers and processors.

One way to evaluate the significance of the European Union’s GDPR is to look at what failure on the part of an organization to meet the requisite compliance means. It can result in bad PR plus a hefty penalty, too. It can touch an upper limit of €20 million or 4% of annual global turnover – whichever is higher. But more importantly, in terms of being data-centric and connecting the dots along a traveller’s entire journey, it offers an even bigger opportunity. Here are a few aspects that are being discussed as of today:
Readiness
GDPR compliance is a complex journey. A couple of areas that demand attention include keeping a close tab on the use of personal data and breach prevention.
Hear from experts about GDPR at the upcoming Ancillary Merchandising Conference, to be held in Edinburgh, Scotland this year (9-11 April, 2018).
For Ai’s 2018 Events, check - www.aieventdates.com

Ai Editorial: Fighting fraud can’t be a competitive issue since criminals are not “brand loyal”. Just the way airlines are fighting card payment fraud, there is a need to combat loyalty fraud in a similar manner, writes Ai’s Ritesh Gupta
Revenue leakage, clean fraud, fresh fraud, criminal fraud…if you are part of an airline, then you would have probably heard of all of these. But there is one more type of fraud – loyalty fraud - that is now entrenched on this list as well.
Yes, loyalty fraud isn’t an atypical phenomenon anymore.
In fact, nothing is more dreadful than the fact airlines, as an industry on the whole, haven’t come to grips with this menace.
This is exemplified by the fact that not only hackers, but current employees or ex-staff are also currently indulging in illegitimate activities related to FFPs. Not only is there claiming or awarding of miles fraudulently, but the brand value as well as the trust of the customers takes a beating.
A couple of months ago Air India was embroiled in one such controversy. If we type “Air India loyalty” on Google UK or Google India, then on the first page itself there is a news link about theft of passengers’ frequent flyer miles. This means any search about Air India’s loyalty program can have a detrimental impact on the brand, and negative impact on the association of a passenger with the airline or their FFP.
As it turned out, in case of Air India, FFP accounts were hacked and the bunch of fraudsters also featured an ex-employee. He apparently had access to Air India’s intranet and Internet-based systems.
“This is completely unacceptable (ex-staff gaining access even after not being associated with the organization),” stated Peter Maeder, Co-Founder & Secretary, LFPA or Loyalty Fraud Prevention Association, a new entity set up to fight loyalty fraud.
Stealing of points/ miles is attractive
FFPs worldwide continue to face capacity, regulatory, accounting and liability pressures, notwithstanding the fact that we compete for “share of mind” in an over-crowded loyalty environment.
FFPs have evolved, and as a result the earning and redemption options today are more than ever. Maeder says because of the new accounting rules introduced in 2008/ 2009, loyalty program managers are seeking more ways for their customers to redeem their points and miles. “Therefore, cash-like redemption programs are on the increase. As a result, stealing points/ miles have become much more interesting for the criminal fraternity. Furthermore, so called “friendly fraud” - we should not talk about “friendly” fraud, fraud is a criminal act and can’t be friendly! - is very simply done by all people involved in loyalty programs (staff, but also travel agents or other third party organizations),” explained Maeder.
Simple measures first
Maeder says it’s imperative airlines comprehend all possibilities of fraud - fraud by members, staff, travel agents, partners, data breaches/ hacks/ malware etc. and accordingly train relevant teams and find ways to forge reliability and security across the organization. “Rather than just dwelling on costly initiatives from the beginning, a solid foundation needs to be in place – enforcing certain values and creating awareness. Airlines owe it to their loyal members – protecting data of passengers, and shield their reputation. This is absolutely mandatory at this juncture,” said Maeder. For example, a tendency to keep simple passwords is still there and this can result in a compromise of any IT system if the staff goes ahead with say “123456” as a password.
“Fighting fraud requires resources, both human (trained and dedicated staff) and technical (secure IT infrastructure). Many loyalty programs are being run on legacy IT systems, which are prone to hacking.
Fighting fraud requires a professional organization - few airlines have so far invested in developing teams and systems to respond adequately to the rapidly increasing threat, which costs them not only money, but above all their reputation! Does it require media pressure, until the loyalty industry is waking up and starts taking the necessary steps to fight the phenomena?” questioned Maeder.
Airlines need to take simple measures first to ascertain the danger of cyber security and gradually move on to embracing high-level risk-based rule engines to monitor accounts for suspicious or unusual activity, and establishing automatic alerts for questionable activities.
For instance, Maeder referred to penetration tests. This evaluates the effectiveness of information security controls implemented in the real-world. Advantage of penetration testing: Knowing a system’s vulnerability before an invader gets to know it. This way areas susceptible to attack are exposed. Accordingly, remedial initiatives can be taken to foster a secure environment. Other than evaluating threat from outsiders, an internal assessment, too, can be done with the assistance of specially designed plug-computers to replicate an attack from within the client’s network.
Collective improvement
Maeder referred to an important point when we talk of collective improvement.
“The credit card industry has long recognized that fraud is a significant cost factor to all parties involved in card payments. Therefore, they have set-up standards, guidelines and rules that have to be adhered to when accepting or transmitting credit card data (the Payment Card Industry Data Security Standards or PCI DSS).
To date, there is no body/organization that seeks to support the loyalty industry in a similar way,” pointed out Maeder. “Some airlines have invested significant time and money to make their card payment infrastructure more secure and have been able to reduce their losses due to fraud. Unfortunately, similar efforts have not yet been undertaken so far and the hackers are clearly taking advantage of these “opportunities”.”
Hackers, who are usually a step ahead of the “good guys” have started to switch their activities to loyalty programs, which are not as well protected as card programs. Also, the airline industry is working together in fighting card payment fraud – work groups, data sharing, chat forums etc. “Nothing similar is available so far in the loyalty area,” said Maeder, who added that the objective of the LFPA is to provide guidelines, share best practices, offer training and exchange ideas about fighting loyalty fraud.
Collaboration is definitely going to be an important weapon in the armoury of airlines. Maeder made an important remark.
“Fighting fraud can’t be a competitive issue – the criminals are not “brand loyal”,” he said.
The LFPA will allow and encourage collaboration among industry professionals by running chat forums (open to registered members only), providing a data base of data elements that have been used in confirmed fraudulent transactions, workshops where best practices are being discussed and developed, webinars, conferences. “We are not reinventing the wheel, but are using the experience gained in fighting credit card fraud. Membership is open to all parties in running loyalty programs. However, participation in work groups, chat forums, etc. is limited to registered members only,” he said.
A two-day event, Annual General Meeting - Loyalty Fraud Prevention Association (LFPA), is scheduled to take place in London (Nov 9-10) this year. The agenda: Is your loyalty program protected?
For any query, email - cstaab@aiconnects.us

First Published on 4th May, 2018
Ai Editorial: The level of awareness about hacking and data breaches has gone up, but a feeble approach towards password management is paving way for hackers to steal confidential information, writes Ai’s Ritesh Gupta
Coming to grips with the issue of account takeover (ATO) isn’t a straightforward task, and a major reason behind the same is poor password hygiene.
Consumers are proving to be the weakest link in the fight against ATO fraud. According to the findings of a recent analysis, initiated by password management specialist LogMeIn’s LastPass, nothing much has changed over the last two years when it comes to creating and handling of passwords. This is important as password stealing means all account-based online services are under a threat.
The level of awareness about hacking and data breaches has gone up, but a feeble approach towards password management is paving the way for hackers to steal confidential information. In their Psychology of Passwords research, LogMeIn has referred to the following traits of individuals representing society at large and explains why people are falling short of taking action:
The issue of same passwords: The majority of the 2000 respondents have between one and 20 online accounts for work and personal use. When it comes to password creation, nearly half indicate there is no difference in passwords created for these accounts. This attribute is dangerous and helpful for hackers in doing their job. Let’s say a customer has an account with both Starbucks and Lufthansa. If there is a data breach at Starbucks, then even though Lufthansa hasn’t faced any attack and is safe from that perspective, a user who happens to use the same login credentials for both companies leaves those credentials vulnerable to illegitimate use at other places. The fear of forgetfulness is the major reason behind using the same password for multiple accounts. Despite being aware of the security risks owing to weak passwords or even breaches, people tend to avoid any action. They stick to the same passwords and don’t change them often. Even the millennials, a group supposedly well-versed with technology, mostly reuse passwords because of fear of forgetting and commonly use a variation of 1-2 passwords they can remember.
On the positive side, according to the same study, more users are opting for more secure password storage and automated password resets to overcome the anxiety of failing to recall.

Onus on merchants
The scale and sophistication of breaches are rising, and this is resulting in more ATOs. These takeovers are increasingly performed at scale by bots, as well as manually. Hackers run scripts that try out different combinations of stolen usernames and probable passwords across numerous websites and apps until they find a way in. Travel e-commerce companies suffer owing to chargebacks, loyalty fraud, resources spent on resolving issues etc. Companies like Google highlight that enterprising hijackers are persistently looking for, and are able to gain access to, a plethora of platforms’ usernames and passwords on black markets.
Specialists such as Sift Science recommend that airlines and other travel companies be proactive, especially considering that “everyone’s credentials have already been compromised”. The company recommends the following measures:
- Schedule planned evaluations of models and rules to ensure they are updated once bad signals are uncovered.
- Keep informing and educating customers about the significance of passwords. There might not be anything new in these instructions, but nevertheless stressing the importance of strong passwords can help: for instance, constructing unique passwords that include a sequence of upper and lowercase letters, numbers and special characters, and directing users not to re-use the same passwords. The database of passwords needs to be secure, too.
- Create awareness about the root cause of ATOs: Fraudsters get access to stolen credentials from a number of sources. These include:
  - From data breaches, sold on the dark web
  - Phishing with fake websites
  - Malware, trojans, spyware
  - Social engineering
  - Hijacking a mobile device
- Stringent verification: Keep a vigil on aspects like IP, cookie, device ID, session history, event velocity, and key-logging. In case there is a sign-in from a device a user hasn’t used or a location that isn’t associated with an account, companies need to seek additional information before allowing access to accounts. Verification is a blocking event: once sent, the respective activity (login or another) cannot proceed until the verification is successfully completed. Dynamic challenges feature two-factor authentication on all doubtful logins, while allaying the danger of account lockout.
- Looking beyond passwords: Airlines need to look for more protections beyond just passwords. The claim for owning an account needs to be handled carefully. Machine learning comes in to understand user behavior. Advancements in computing and big data power, as well as the growing prominence of API-based machine learning solutions, mean that machine learning is emerging as a scalable method to grow without increasing risk. It identifies patterns in data that aren’t spotted by humans, so this can result in fewer false positives and false negatives.
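The stringent-verification measure above can be sketched in code. The following is an added example, not code from Sift Science or Ai: it flags one IP trying many accounts (event velocity) and sign-ins from an unfamiliar device or location, then blocks the login on a challenge instead of locking the account. The class and function names, the thresholds and the replayed events are all assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 300      # assumed sliding window for event velocity
MAX_ACCOUNTS_PER_IP = 3   # assumed limit on distinct accounts tried from one IP


@dataclass
class Profile:
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)


class LoginRiskEngine:
    def __init__(self):
        self.profiles = {}   # account -> Profile of devices/locations seen before
        self.by_ip = {}      # ip -> deque of (timestamp, account) attempts
        self.pending = {}    # account -> (device, country) blocked on a challenge

    def enrol(self, account, device, country):
        prof = self.profiles.setdefault(account, Profile())
        prof.devices.add(device)
        prof.countries.add(country)

    def _accounts_from_ip(self, ip, ts, account):
        """Record the attempt; return distinct accounts tried from ip in the window."""
        attempts = self.by_ip.setdefault(ip, deque())
        attempts.append((ts, account))
        while ts - attempts[0][0] > WINDOW_SECONDS:
            attempts.popleft()
        return len({acct for _, acct in attempts})

    def assess(self, ts, account, ip, device, country, password_ok):
        """Return (decision, reasons); decision is allow, challenge or deny."""
        spread = self._accounts_from_ip(ip, ts, account)  # failures count too
        if not password_ok:
            return "deny", ["bad_password"]
        reasons = []
        if spread > MAX_ACCOUNTS_PER_IP:
            reasons.append("ip_velocity")
        prof = self.profiles.setdefault(account, Profile())
        if device not in prof.devices:
            reasons.append("new_device")
        if country not in prof.countries:
            reasons.append("new_location")
        if not reasons:
            return "allow", []
        # Blocking event: no session is issued until the challenge is passed.
        self.pending[account] = (device, country)
        return "challenge", reasons

    def complete_challenge(self, account, passed):
        """Resolve a pending challenge; a failure denies this attempt only."""
        context = self.pending.pop(account, None)
        if context is None or not passed:
            return "deny"   # no lockout: already-known devices keep working
        self.enrol(account, *context)
        return "allow"


def run_demo():
    """Replay constructed sample events and return the decisions in order."""
    engine = LoginRiskEngine()
    engine.enrol("alice", "laptop-1", "DE")
    out = [engine.assess(0, "alice", "198.51.100.7", "laptop-1", "DE", True)]
    # Constructed burst: one address cycling through several accounts.
    for i, name in enumerate(["bob", "carol", "dave", "erin"]):
        out.append(engine.assess(100 + i, name, "203.0.113.9", "dev-x", "FR", False))
    # A reused password matches, but device, location and velocity do not.
    out.append(engine.assess(110, "alice", "203.0.113.9", "dev-x", "FR", True))
    out.append((engine.complete_challenge("alice", passed=False), []))
    # The genuine customer is not locked out and can add a phone via 2FA.
    out.append(engine.assess(200, "alice", "198.51.100.7", "laptop-1", "DE", True))
    out.append(engine.assess(300, "alice", "198.51.100.7", "phone-2", "DE", True))
    out.append((engine.complete_challenge("alice", passed=True), []))
    out.append(engine.assess(400, "alice", "198.51.100.7", "phone-2", "DE", True))
    return out


if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

Counting failed attempts in the velocity window is what ties the correct-password login to the burst that preceded it; a production system would also age out profiles and persist state, which this sketch leaves out.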
For Ai’s 2018 Events, check - www.aieventdates.com
Follow Ai on Twitter: @Ai_Connects_Us

28th October, 2020
How vulnerable is your critical data? How to respond to a data breach?
Organizations must delve into new risks and repercussions of a data breach with insecure home networks and strained security resources.
Fraud prevention specialists should take note of not only financial aspects, but also associated “soft costs” or hidden costs of data breaches, asserted Tom Madden, Sr Partner Client Success + Growth, ICFNext, and Matt Silverman, Sr Partner Corporate Communications and Brand Strategy, ICFNext during the LSA Fall Virtual Conference 2020.

A data breach has a sweeping impact, bringing about not only financial losses but also damaged reputation, decreased trust and changed perceptions of organizational strength.
Silverman explained that reputation issues shouldn’t be overlooked. Customers want to feel safe, and since fraud is growing, the probability of an organization’s data assets getting stolen should be brought down.
“Planning is critical,” said Madden.
It is vital for loyalty executives to assess – are they ready to deal with a breach? When it comes to security and transparency – how to communicate? In case a data breach happens, then what to share and what not to share? Timing of communication – within a day or a week?
“All of this and more has to be a part of a thoughtful decision-making, it can’t be spontaneous,” said Silverman.
Focus on limiting access to data
Data security isn’t a “set it and forget it” exercise, and an ongoing effort is needed to address threats to data privacy, data leakage etc.
Experts highlight that within a company, one cannot misuse or leak what they don’t have access to. So either limit access by default or control the size of the potential leak.
By Ritesh Gupta
Ai Team

First published on 21st December, 2016
Ai Editorial: Real-time automated fraud prevention means that the fraud solution is fully automated to make real time decisions, without any need for manual reviews at all. How far are we from attaining this, explores Ai’s Ritesh Gupta
Commerce today is about seamless movement between devices, and this also means one-click or no-checkout options in an omni-channel environment.
With all this, security is certainly the issue, and in an increasingly global world, so is the ability to accept a variety of payment methods, currencies and devices. Customers want to be able to shop and buy, no matter where they are or which channel they're on – offline, online, mobile, app. Airlines and brands must position their products, goods and services for all channels – keeping in mind that customers of tomorrow will increasingly be interacting primarily or solely from mobile devices.
On the fraud front, improvements in biometrics, authentication, verification and identification will gradually reduce the risk of fraud. The blockchain process, developed for cryptocurrency verification and authentication, holds a lot of promise for increased payment protection in the mobile environment.
Better fraud management
The workload on financial institutions has risen with the advent of real-time payments.
Key components of real-time transactions include certification of payment, availability of funds, instant settlement and confirmation of the transaction. The industry has had to figure out the configuration for inter-bank settlement, and core processes also need to be available without interruption. As Accenture points out, considerations include real-time settlement of every payment or deferred net settlement, loss-sharing agreements or prefunding of settlement accounts etc. Global payment infrastructure has been moving toward faster payments and real-time settlement. So, considering the new ways in which transactions are happening, say via mobile, how does this demand a better fraud management effort?
Justin Lie, Group CEO, CashShield, a SaaS based self-learning fraud prevention solution for ecommerce, says a decade ago, the payment landscape was largely dominated by banks, and these banks set in place industry security standards and protocol to protect merchants and themselves from breaches and hacks. “However, with the rise of financial technology or FinTech, so has the number of FinTech companies. With more than 9000 companies currently around, and with the number expected to grow, the number of points of breaches have grown as well, since these FinTech companies do have to deploy or adhere to the same security and safety protocol that the banks stick to for protection. Here, the entire payment ecosystem on the whole has weakened with a larger number of fail points,” says Lie.
In addition, traditional rule based fraud solutions require manual reviews to be done before the settlement period (normally the next day after the transaction is processed).
“Real time settlement will greatly hinder these conventional solutions since they will have to either auto accept or reject these manual reviews to process payment,” says Lie.
He says to deal with this, merchants have to either accept almost all transactions (thus increasing chargeback rates) or reject seemingly risky transactions quickly (thus lowering conversion rates). This traditional fraud management is seen as static defence, but it has become evident that such traditional methods are falling behind newer methods that fraudsters are designing to launch their attacks.
“With new channels of payments such as mobile or NFC, more creative modes of fraud are expected to appear. It is important for us to transit then, instead, to active surveillance by deploying big data user and entity analytics to understand the user behaviour behind each transaction. Considering that most fraud attacks come as a coordinated attempt from a single script, automated to maximize the number of hits in the least amount of time possible, they will leave behind a pattern that can only be detected by understanding user behaviour. Even as new forms of payments become popular and mainstream, active surveillance will be more relevant (rather than static defence) and effective in dealing with fraudsters,” explained Lie.
Mobile fraud
Mobile as a platform for transactions is facilitating new ways of payments.
But mobile fraud is relatively more challenging to handle.
“It is so (mobile fraud is challenging to merchants) as transactions that are made through mobiles collect less information than web transactions, and therefore look much more similar. Without the appropriate technology or expertise, it is difficult for merchants to be able to differentiate between the real or fraudulent orders. As a result, higher costs are incurred, which includes the greater chargeback rates, lengthier time for manual reviews and bad service rendered to users,” said Lie.
Even though the risk of fraud is greater, as there are additional hindrances when it comes to cardholder and device authentication, apps like Apple Pay and Samsung Pay could actually help deter fraud. Both of these apps rely on biometric fingerprint technology in order to authorize a transaction. Therefore, in order for the user to authorize a transaction, the cardholder needs to provide a fingerprint. Not only is this a strong deterrent against unauthorized transactions, but the customer’s fingerprint attached to a transaction is very compelling evidence in the merchant’s favor in the event of friendly fraud.
Real-time automated fraud prevention
Lie says most existing fraud solutions around are still quite far away from achieving real time automation.
While more and more solutions on the market are currently using machine learning to detect fraud, these types of machine learning rely heavily on training data sets to predict probabilities (as opposed to real time automated decisions). These data sets are based on new fraud trends from either
(1) filed chargeback information as historical data (which could be at least 30-90 days old) or
(2) from human intelligence of the large risk analyst team to manually provide inputs.
“The way these machine learning algorithms are designed forces the solution to rely on these training data sets, requiring at least 10-30 days (or even months) of training. As a result, the long training gap and the reliance on training data sets prevents the solution from making decisions instantly, but rather only allows it to make predictions of the probability of fraud,” says Lie.
He says real time machine learning is required for real time automated fraud prevention. Real time machine learning means that the fraud system is able to learn instantly on the fly with each new incoming transaction, and requires no lag time or historical training data sets to provide information on the new transaction. Consequently, the system is able to make optimized decisions instantly, without the need for manual reviews.
However, it seems like it will still take 2-3 years for the industry to switch from predictive models of machine learning towards real time machine learning, due to the rarity of such solutions.
Are you bold enough to survive in the brave new world? Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).
Date: 03 May 2017 - 05 May 2017
Location: Berlin, Germany

First published on 21st October, 2016
Ai Editorial: In an era in which we are talking of winning over “micro-moments”, ‘OS-Pay’ can propel consumers’ purchasing behavior. And it can help in controlling fraud, too, writes Ai’s Ritesh Gupta
No marketer likes to get locked into a particular data ecosystem. But marketers at large also can’t do without Facebook, Apple, Google, and if we talk of China, then Alibaba, Tencent, and Baidu.
Be it for brand awareness or completing a transaction on such 3rd party platforms, if there is no provision to get data out of an ecosystem, then it inhibits optimisation of the overall marketing initiative. The repercussions vary from wastage of ad expenditure to annoying a customer – say serving an ad repeatedly even if the customer isn’t interested!
So if we talk of Facebook, Google, Apple etc., then making the most of data from each ecosystem is a must.
One might excel in search and the other could be sharp in the arena of apps or social. The challenge crops up when one tries to work on customer profiles or assess the overall customer experience.
On the positive side, ad tech companies like Bitly are looking at this conundrum, and offering trackable links in every channel for a unified view.
Lure of OS-Pay – conversion plus lower fraud risk
No doubt cross device tracking and attribution can be a tough task, but airlines need to go with the flow. The direction in which Google or Apple move, airlines, too, need to capitalize and assess where they can step up conversion, more so when transactions can be facilitated by that ecosystem only. In this context, the recent move by Apple Pay and Android Pay to enable users to use OS-Pay through a web browser is an important development.
This is what the Android platform promises: be it your chosen app or checking out on Chrome, one just needs to rely on Android Pay at checkout and leave the rest to “Android”.

Chargebacks911’s COO, Monica Eaton-Cardone asserts ‘OS-Pay’ can propel consumers’ purchasing behavior and merchants’ fraud management.
Not only are “mobile consumers” much more likely to complete a transaction, but fraud risk is minimized, too.
“With mobile payments, though, the risk of fraud is greater. There are additional hindrances when it comes to cardholder and device authentication. However, this fraud risk is minimized when transactions are processed with ‘OS-Pay’ mobile wallets; apps like Apple Pay and Samsung Pay could actually help deter fraud,” says Monica. She says no actual credit card information is exchanged between the cardholder and the merchant in the process of conducting the transaction. Moreover, sensitive information isn’t stored on the device or shared with the service provider. “Not only that, but Apple Pay and Samsung Pay employ biometric technology as a means of validating the cardholder’s identity.”
“Both of these apps rely on biometric fingerprint technology in order to authorize a transaction. Therefore, in order for the user to authorize a transaction, the cardholder needs to provide a fingerprint. Not only is this a strong deterrent against unauthorized transactions, but the customer’s fingerprint attached to a transaction is very compelling evidence in the merchant’s favour in the event of friendly fraud.”
Being swift
Airlines need to support popular wallets and payment apps quickly. Imagine there are two customers - one has downloaded an airline app, whereas the other is keen on using a 3rd party app/ wallet. Both are accessing the same trip essentials, including an airline seat. So how should airlines look at their own digital offerings, while also capitalizing on 3rd party mobile wallet payment platforms?
“Airlines are well positioned to capitalize on the earning potential associated with mobile wallets and branded apps. With the addition of up-sell options and full-service concierge, direct retail apps create an ample opportunity for savvy airlines to leverage current demands. Not only that, but by adapting tokenized technology, airlines can enhance security and reduce overall friction while simultaneously improving conversions,” says Monica. Traffic is key, and giving consumers a one-stop shop has proven to be the most winning solution.
Preparing for fraud
As Monica points out, there are 3 primary strategies for understanding and mitigating fraud, and the same holds true for up-and-coming technologies:
1. Enriched data sources: Data analysis is one of the most important components of a successful fraud detection solution, says Monica. When it comes to new methods or technologies, there are additional elements required in order to perform a relevant analysis. Without knowing these elements and understanding how they relate to the overall picture, fraud exposure is apt to increase.
2. Improved human intelligence: New technology also means new and unknown opportunities for fraud. “However, human intelligence in the form of manual review processes, improved quality control, and customer service checkpoints can help negate the threats that frequently accommodate these emerging payment techniques. Human forensics should be a top priority and aligned with any plans to implement a new method or payment strategy,” says Monica.
3. Collaboration and communication: Airlines servicing multiple countries with many departments are challenged with the task of maintaining continuity while implementing new initiatives. Establishing a feedback loop for fraud suspicions will help keep fraudsters at bay and prevent repeat attacks from happening. There are several types of evolving fraud—friendly fraud, for example. A large percentage of these risks can only be detected through communication and collaboration.
Closer to seamless experience
Today, we are talking about winning over “micro-moments”, and a key factor in same is enabling customers to shop and pay in an omni-channel environment. The ability to use Apple Pay and Samsung Pay for online purchases could streamline the process, considering the prowess of their parent companies. If the customer elects to use one of these methods, they wouldn’t have to worry about typing-in all of their cardholder information for each purchase; that data could simply be stored and recalled at will. As a result, customers would be less likely to abandon a transaction. Of course, as Monica says, this could also be a double-edged sword. There is a kind of balance between streamlining the process and encouraging customers to buy without first thinking through a purchase. As a result, this could lead to buyer’s remorse, which could mean returns or even chargebacks at a later date. Another point of friction could be recalling data smoothly across channels. “If a customer begins a transaction on one device but decides to switch to a different channel, that information will need to be immediately recallable. With even minor points of friction, the likelihood that a customer will abandon a transaction increases dramatically, so it would be wise to try and make the process as efficient as possible,” concluded Monica.

First published on 20th June, 2016
Ai Editorial: Be it for shielding customers’ information or nullifying fraudsters’ move to grab funds, OTAs have to be alert all the time, writes Ai’s Ritesh Gupta
Online travel agencies (OTAs), even the established global intermediaries, tend to be vulnerable when it comes to online fraud.
There are a couple of issues. One of them is fraudsters gaining access to contact details of customers. OTAs frequently receive complaints from customers about unauthorized credit card transactions. Plus there are areas where OTAs can be at the receiving end. Of course, nobody would like to face implications in case they end up with excessive fraud and chargeback rates.
Merchants are expected to adapt their risk settings and business practices accordingly to ensure fraud and chargeback levels are at an acceptable level.
The likes of Booking.com have had problems in the past as far as customer data is concerned. Also, fraud today is an organized crime. I spoke to a couple of OTAs in the Asia Pacific to gain insight into 5 key areas/ trends:
- Protecting customer’s data
It is imperative to shield customers’ personal and financial information. Otherwise it can severely impact a brand’s image. Travel companies need to understand how hackers are gaining access to system data or server functionality. A data breach can occur when a web application is manipulated, with a fraudster tricking that application into performing commands and accessing data. Another route is to get hold of an authorized account by targeting session IDs and eventually stealing them.
Experts recommend additional steps to curtail the risk of credit card and personal data exposure, such as compartmentalization and tokenization on the inside of the company’s DMZ (demilitarized zone: a network added between a private and a public network to provide an additional layer of security). This is considered a vital add-on to firewalls and external fraud measures. Such a mechanism keeps tabs on, acts on and reports dubious activity, and can feature configurable fraud-alert rule sets, data-profiling modules, and other validation methods. Also, at another level, it is important to know how to strike a balance while focusing on stringent fraud rules. Otherwise this can result in reduced acceptance and revenue.
- Going beyond passwords
It is being highlighted that the password is no longer the best way to authenticate users. In fact, there is a need to go beyond the conventional password and PIN based approach.
As highlighted by Visa, biometrics offer “the only way to link” a person’s physical identity to his or her digital identity. Biometric authentication relies on traits such as fingerprints and facial recognition to authenticate one’s identity. This is something that cannot be replicated with ease. Also, from a user experience perspective, there is no need to remember a password. However, an OTA executive mentioned that biometric authentication is still in its nascent stages as far as intermediaries in the region are concerned.
Also, Visa is working with EMVCo to develop an updated and enhanced version of 3D Secure, paving the way for a more consistent UX across various payment channels, including mobile web, in-app etc. The company has asserted that 3DS version 2.0 will offer a more seamless checkout experience via intelligent risk-based decisioning.
This sort of authentication uses data to assess genuine user behaviour, device, location and other well-known characteristics, so there’s less need to ask for a password.
- Sudden spurt in dubious activity from one region
A senior executive from Mumbai-based OTA Cleartrip.com shared that there tend to be sudden spurts in fraudulent activity from one market/ country. For instance, last year it related to “seemingly Russian citizens” booking itineraries featuring a particular LCC in the Middle East. “The bookings featured destinations like Moscow, Kiev, Bishkek etc. Most of the passengers booked through these transactions sounded like Russian citizens (female names ending with “ova” or male ones ending with “ev”).” The carrier had strict policies, and before the OTA could verify and reach out to the airline, fraudsters were cancelling those flights, and gaining credit vouchers for future bookings. “We eventually decided to cancel the sector.” And this year, the same executive referred to “Indonesia fraud”, where fraudsters are using cards issued in the U.K., US and Australia, and booking same day check-in hotels and non-refundable/ non-cancellable airlines. A lot of the activity is related to travel and booking of hotels in Indonesia.
There are tools in place that can differentiate between threats and genuine transactions by pinpointing the buyer’s location.
- Reviewing cancellations
Cleartrip.com also shared that it has been working on plans to curb virtual wallet fraud. “In this case, a fraudster does the fraud transaction using international card and cancels the trip to obtain the refund in a virtual wallet. The same can then be used for future booking. It also surpasses all the fraud conditions due to payment mode.” So rather than funds going back to the original instrument after cancellation, fraudsters who cancel a booking have the refund put into a private closed wallet. Cleartrip.com reviews such cancellations, and nullifies the action taken by a fraudster. Instead, the money is sent back to the credit card or the original instrument. “We revert in quick time,” shared the executive, who also referred to discount coupon fraud (the fraudster finds a loophole in the system and uses the code to obtain false cashback).
- Relying on machine learning
While the moments between when a shopper clicks “buy” and when a merchant must deliver a reservation seem fast to us, it’s plenty of time for a computer to recognize a bad user or reward a good one with a smooth, easy buying experience. A flexible and online (instead of offline) machine learning system can start learning the second a user lands on your site, gathering behavioral data so you can spot a suspicious user long before he enters a stolen credit card number and you get hit with the inevitable chargeback. Armed with actionable machine learning findings, a business can create an adaptive checkout flow that is tailored based on how risky each user is.
One of the best things about using machine learning is that it automatically learns about new fraud patterns in real time so you don’t have to keep close tabs on new tactics.
Moving on
Fraudsters always move on. Managing online fraud is an ongoing initiative, one that needs constant improvisation for better results. If this is not the case, then a travel organization would end up being a soft target.
Here it needs to be mentioned that the booking experience of a customer shouldn’t be jeopardized.
I know of an instance where an airline called up my colleague in the U.S. past midnight, who had booked me for a trip in Asia. The airline had concerns about the itinerary, considering that the booker was in the U.S. But my colleague felt the check needed to be more vigilant, considering that the airline had information about him, and disturbed his sleep by calling at 3am!
Hear from experts at the upcoming 5th Airline & Travel Payments Summit Asia-Pacific to be held in Kuala Lumpur (17-18 August, 2016).