- Payment & Fraud Editorials

First Published on 3^rd November, 2017

Ai Editorial: Specialists point out that if a merchant isn’t being able to accept payments via WeChat Pay and Alipay then the acquirer needs to be questioned, ensure they explain any barriers and how to fix the issue, writes Ai’s Ritesh Gupta

Is accepting payments via Alipay or WeChat Pay a smooth process?

Irrespective of the answer, it is imperative for any travel e-commerce player focused on Chinese travellers to come to grips with payment processing as far as Alipay or WeChat Pay are concerned. The adoption of e-wallets/ mobile wallets in China is being driven by the ubiquity of indigenous Internet giants – Alibaba (Operated by Ant Financial Services Group, Alipay currently has over 520 million active users) and Tencent (combined monthly active users of Weixin and WeChat app is already over 965 million). Merchants across the globe are looking at in-app web-based payment, QR Code payment, in-app payment and payment at a particular location, say onboard aircraft or at the airport.

Is it really tough or just wrong notion?

“Payment is quite wide and diverse (in the Asia Pacific region). And China is indeed a unique market in the whole of Asia. It’s almost that you can think of China as one area, and can segregate it from the rest,” Trevor Spinks, Head of Sales and Distribution, Scoot-Tigerair mentioned during one of our conferences in Singapore.

“Scoot flies to 18 destinations in China, and that’s a significant part of our network. We will be offering WeChat as a payment option soon. The complexity for WeChat pay is huge. It doesn’t use normal software language. WeChat Pay have their own language. So one needs to work with WeChat or 3rd party experts,” says Spinks. It is important as a massive chunk of population uses WeChat. “So it is about using what they use every day to fly Scoot. But, yes, China has very requirements, and different rules and regulations.”

Referring to a diverse region such as the Asia Pacific, Spinks mentioned that in terms of how an airline manages and works around a variety of options to pay in this region, consider an airline which flies to 10 countries and each country has 5 forms of payments. “And if all forms of payments are different from all the other markets, then there would be 50 forms of payments. You do need payment providers and acquirers. We work with a global specialist. They are already working with a number of payment distribution capabilities in several countries, and when airlines reach a certain point, they can work with one specialist and this allows an airline to straightaway tick, say 30 out of 50 payment methods, at one go.  At times, there is a need to work directly with 3^rd party suppliers. WeChat is a great example. We might have to work directly with WeChat to work it out for us. So it is a very diverse and hard area to manage. There is a need for a dedicated person within the airline to look after this. Also, you need expertise within each of the market to understand, whether say is 7-Eleven convenience store a viable option or is the popularity decreasing and in two years time no one would be interested in paying via this option. So then no point in investing in that payment method,” explained Spinks.   

As a specialist in this arena, Chargebacks911’s COO, Monica Eaton-Cardone says, Alipay and WeChat have authorized partners, and these entities specialise in managing cross border payments and dependent on your geographic location there are several options to provide partnership.

“Alipay works with a variety of financial institutions including MasterCard and Visa. Outside of China, WeChat will only accept credit cards to link to the account. As an e-commerce entity if you are already have the functionality to deal with cross border payments through other payment rails then you have the knowledge and experience to deal with WeChat and Alipay,” she said. “E-commerce companies already have numerous rails to accept payments. Accepting payments via WeChat and Alipay would not be challenging anymore than your existing network of payment channels. If you deal with Paypal you can deal Alipay and WeChat Pay. If payment isn’t accepted then your acquirer needs to be questioned, ensure they explain any barriers and how to fix the issue. Both Alipay and WeChat are a form of e-wallet which are funded via a variety of payment options including international payment/ credit cards as well as Chinese domestic bank cards/ accounts.”   

Issue of fraud

Spinks mentioned that fraud becomes a bigger problem, bigger the airline becomes.

“So when we were small, we weren’t worried about fraud, we had relatively bigger issues (to sort). But now we have around 40 aircraft, and flying to 18 different countries, fraud can be a big “number” annually. So a partner such as Adyen or Worldpay can also help with fraud solutions. But what you need here and what generally falls under the finance department, you need people would be measuring and tracking fraud. So if one country had a fraud value of 1% and the norm is 3%, then its fine. And another one had a value of 10%, so there are significant issues in that country and you have got to measure it. And the onus also lies on the 3^rd party partner to sort it out. And of course, fraudsters also find new way of cracking the system, so it is always a cat and mouse game,” he said.

Referring specifically to Alipay and WeChat Pay, Eaton-Cardone said as with any platform the prospect of fraud is real.

She said fraudsters target new payment channels or newly implemented processes as they are easier to exploit and find weaknesses until you plug the holes.

“However with effective fraud monitoring this can be managed. Review of transactions and fraudulent behaviors using reporting tools, analytics of customer spending, how transactions were initiated, time of day which device was used, analysis of chargebacks will all help mitigate fraud issues. If monitoring is done at every available stage you will manage fraud issues. This is where we come in as we can help provide these skills and products to help,” she said.

Eaton-Cardone also mentioned that if there is an effective fraud monitoring process in place, then the ecosystem, say Alipay or any other, wouldn’t matter as one can apply this to wherever the payments are being generated. “When reviewing mobile transactions check your order data: What was the device used? Was a mobile phone number provided? Is there a GPS location? Does the GPS location it differ than the shipping/billing address? Don't rely on IP geolocation. Review the time of usage, tablets tend to be used more in the evening and with higher spends. Know your customer, review their typical spending pattern? Do they have a history of denying transactions.”

Follow Ai on Twitter: @Ai_Connects_Us

10^th November, 2020

“Keep talking, keep innovating” – this is what Kate Morgan, Head of International Partnerships, Auriemma Group recommended to those who are managing co-brand and loyalty initiatives, stressing on the significance of maintaining the existing credit card customer base in today’s environment.  

“Good news from our research – existing customers are still spending across verticals,” said Kate during Ai’s Co-brand & Travel Reward Cards Virtual Conference 2020.

Ref. to UK Finance’s recent figures, Kate shared that debit card spending in the UK reached a record high of £59.1 billion in July. Credit card spending has recovered slightly but continues to be impacted by ongoing economic uncertainty.

As for why consumers haven’t been using credit cards over the past month or so, Auriemma Group’s consumer research indicated that 69% prefer using debit cards and 46% mentioned that credit card is for “emergencies”.

“Very little behavior seems to be driven by the financial aspects of the credit card (for instance, interest rates, credit limit etc.),” said Kate. Outstanding balances on credit card accounts have contracted by 13% over 12 months to July, as a result of repayments outstripping new borrowing in the year.

Even as managing of co-brand and loyalty initiatives has become challenging, the focus must be on maintaining the existing customer base.

Also, referring to Auriemma’s recent research on cobrand spending patterns in the U. S., she said 54% of consumers used co-branded credit card for purchases outside the associated brand.

“Loyalty is a long-term play,” said Kate. She emphasized that airline and hotel redemptions are typically large-ticket items, which take time to accrue. Companies must evaluate:   

• How confident are you in your customer retention program?
• How have you managed to offer relevant rewards over the past few months?
• Is there any incentive to spend on new categories?
• What commercial partnerships are in the pipeline to support this?

Kate referred to certain offers/ initiatives resulting in more frequent use of cards. The list included discount delivery on food orders, increased cashback rewards in certain category, extended sign-up bonuses etc. are examples of the same. 

Kate also referred to few noticeable developments.  American Express has chosen to extend the period by additional three months (doubled it) to allow one to make eligible purchases to earn welcome bonus for certain cards issued earlier this year. In India, Amazon Pay and ICICI Bank have just shared that their credit card has become the fastest in the country to cross the milestone of one million, in less than 20 months of its launch. Highlights include issuance of reward points directly into Amazon Pay balance and contactless feature embedded in all cards.

By Ritesh Gupta

Ai  Team

First Published on 9th March, 2017

Ai Editorial: One click payment for an airline ticket from the interface you prefer the most – say Facebook Messenger app, WeChat, WhatsApp etc. ? This is the sort of commerce infrastructure airlines need to prepare for, writes Ai’s Ritesh Gupta

What can lead to a conversion based on even one signal that a digital consumer today gives to go for a product or service? These signals aren’t mere search keywords or clicks on a website/ app. It’s about the interplay of context, location, interface as well as the device being used and payment facilitation.    

For instance, a group of friends are interacting via Facebook messenger app, they decide on meeting at a particular venue location (exact location is shared via a link/ map), and all of them avail an on-demand service without leaving the chat or the interface. No app was downloaded. Similarly, a passenger starts the shopping journey with interaction with a chatbot or initiates a search for a flight via a digital assistant, moving on to a meta-search environment and eventually completing a transaction without leaving the conversation. 

This is just a glimpse of how commerce is evolving.

What stands out is what’s working in the “background” to seamlessly process payments.

All of this is crucial for travel brands to assess, as one can’t ignore the prowess of ecosystems such as Facebook, Google, Apple, Alibaba etc. or the popularity of social and messaging apps.

Dealing with friction

The significance of letting a travel shopper wrap up a transaction without the friction of leaving a site or an app can’t be ignored.

Airlines need to make the most of tokenization offering that works in the “background” to ensure they are part of contextual experiences - search, social interactions etc. – and end up aiding a potential traveller to shop with them. Intermediaries like meta-search engines have been relying on APIs to ensure bookings are done within their environment, irrespective of the airline’s payment processor. APIs are playing a vital role in countering the intricacies of moving payment data between different stakeholders involved in the shopping journey, could be for retailing or travel-related buy. The end result here is the seamless movement towards buying an air ticket or an ancillary with an optimized checkout flow.

Travel may not be a frequent buy, but still a major plus is speedy checkout experience that customers expect as they don’t need to re-fill or share information again and again.

Skyscanner is reaping benefits related to better conversion rate. The team has been working on their direct booking offering that allows airlines to offer a fully localized booking experience, letting users to research, select and instantly book itineraries within their environment without having to re-direct to supplier sites. As for airlines, they process the requests and retain all of the passenger’s details.

Securely moving payment data

It is also imperative to assess the security of such initiatives. How secure is an RFID band that functions as both a ticket and a wallet? How Facebook is equipped to safely part with its own stored payment data with an entity like Uber and yet ends up ensuring Facebook Messenger users sustain control over their information? Specialists like PayPal have progressed swiftly, stating that sharing of customer, payment, and other data is done securely with PCI Level 1 compliant parties while keeping an entity vault protected, and also equally secure is sharing of data within their network of merchants.

But airlines still need to be wary of couple of issues.

Rather than rushing and joining the bandwagon, do look at risk mitigation.

As a specialist in this arena, Chargebacks911 explains that if the industry does not take basic safety measures before going for new technologies, then such initiatives can be more of a liability than a benefit.

For instance, referring to wearable payments, the team points out that it may turn out to be more secure when compared with standard payment options. “Wearable payments make use of the same kind of tokenization technology as other payment methods, like digital wallets and EMV chip cards, which may prove to function just as well on wearable devices,” says Chargebacks911’s COO, Monica Eaton-Cardone. She says one needs to be wary of family fraud and friendly fraud. In a recent blog post, she raised a pertinent point, “What will issuers accept as compelling evidence when merchants attempt to dispute chargebacks? The chargeback process is archaic—it can’t keep up with all the developing technologies. Networks will not have considered the different types of data that will be associated with these technologies and, therefore, will not recognize valuable information as valid forms of evidence. It will be years until the data associated with these wearable devices will be recognized by the card networks, leaving merchants liable for billions in losses from undisputable, illegitimate chargebacks.” She added that as of now, merchants already lose as much as $40 billion each year due to chargebacks.

So emerging technologies can augment the customer experience with seamless transactions, but areas like security and privacy, and chargebacks can also hamper the same.

Gain an insight into intriguing issues at Ai’s 11th Airline & Travel Payments Summit (ATPS) this year.

Date: 3 May - 5 May 2017   

Location: Berlin, Germany

For more info, click here

Follow Ai on Twitter: @Ai_Connects_Us

First Published on 27^th July, 2017

Ai Editorial: Many foreign companies, including travel technology entities, are looking at WeChat to serve Chinese travellers. There are 4 key areas they need to look at for the same – business licence, developer account set up and verification, payment issues and data privacy regulations, writes Ai’s Ritesh Gupta

“By integrating with WeChat, a technology company is just one step away from gaining access to a massive chunk of users in China.”

This remark from Maximilian Waldmann CEO of Berlin-based, conichi, aptly summarizes how important it is for airlines, hotels and other companies to capitalize on Tencent’s WeChat platform to serve users of this app. As per the first quarter results of the company, WeChat had 938 million monthly active users.

Before delving into what sort of effort is needed to integrate with WeChat, it must be underlined that being a part of this ecosystem, WeChat isn’t just about messaging. In addition to the communication layer for person to person, there is also a social layer, a media layer and also a connectivity layer (a rich set of API’s connects people to organizations, hardware to software, etc.).

As it turns out, travel companies are diligently finding ways to make the most of connectivity layer and be a part of this robust ecosystem. The user interface has emerged as a vital tool for service and support, whether human-powered, bot-powered or a combination of the two. For instance, in case of conichi, the company is working with hotels to either use a hotel’s app or WeChat to greet guests when they arrive at the hotel, and also focus on hyper local marketing, and GPS geo-fencing. This seems like a pragmatic move, as any message or visual that can add value to a guest/ passenger’s journey or even let them complete a transaction makes for a meaningful interaction with a traveller. And going by the popularity of WeChat, this platform can’t be ignored.

There are interesting developments on the anvil as far as WeChat is concerned.

Barcelona-based Inaki Uriz, co-founder and CEO at Caravelo says if an airline believes they can serve Chinese travellers just by translating or featuring a chatbot on Facebook platform, rather than the WeChat domain, then the effort wouldn’t be too fruitful. Uriz, whose team is working on a chatbot for WeChat for an airline in Europe, says it is important to move from being Chinese compatible to a Chinese friendly interface. “So this (developing a chatbot for WeChat) would mean analyzing what’s so popular about the interface, the use of buttons, the functionality of the entire platform, it is about being an integral part of the customer’s lifestyle etc. Mere translation won’t work,” highlighted Uriz.

But integrating with WeChat is challenging or at least demands preparation on several fronts.

Requirements

According to Beijing-based experienced Chinese entrepreneur George Cao, Co-founder/ CEO, Dragon Trail Interactive, there are 4 areas where one needs to focus on:

1.     Business licence: “There are a few restrictions on the platform. They are primarily related to meeting the requirements stipulated by the government. Any organization that intends to introduce any offering on WeChat or even as simple as opening an account on WeChat, it is must to possess a local licence. You can’t do it as a foreign company. So there are two ways to do the same – register a subsidiary in China and use that business licence to do business with Tencent. Or work with a local company, and use their credentials,” says Cao. This aspect can be time-consuming for any entity trying to leverage digital platforms, including WeChat, in China.

2.     Integration/ Verification: Post account creation or for integration, an organization needs to register as a developer. When this entity develops a “Mini-Program” (an initiative taken to deepen the services offering in low-frequency use cases, connect more offline services to online users and offer a way to sample functionalities offered by apps) or leverage the WeChat API, one has to go through the verification process (cross checking of licence). So in addition to setting up an account for publishing content and building dynamic services that run within WeChat, how challenging is it for hardware developers to enable their devices to send and receive information between their products and the user’s WeChat mobile app? How can a travel app let users of WeChat to share your app’s content to friends via chats and their Moments feed, as well as add your content to their “Favorites”?   

“Working on a conversational interface or message-based user interface isn’t challenging, its already happening here. These preferred platforms (where users are spending their time and are being offered functionalities such as search, voice messaging etc.) can help in engaging with a potential travel buyer and rather than sending them to a website and eventually them abandoning their purchase, companies can facilitate bookings here,” said Cao. “Like Facebook Messenger API, WeChat API’s can be worked upon for an offering. Companies can build HTML5 –based used interface that are embedded within WeChat. All these are possible and technically not a huge endeavour if one passes through the regulatory requirements.”

Cao also recommends that brands should look at multiple layers of WeChat. “So, for instance, during a conversation with users, companies can send a link to complete a booking. Or one can leverage the content publishing platform – send users information that is already prepared, related to products, or aid the decision-making of users. If you just focus on messaging via chat, and not push contextual content that matches the intent of the users, then you are missing out on opportunities,” asserted Cao.

3.     Payments: As for WeChat Pay, options include scaning a one-time transaction code displayed on the user’s phone, scanning a QR code that users scan using WeChat to complete payment, and letting users pay via WeChat Pay within a mobile app, the last one being only available in Mainland China. As for cross-border settlement, users can pay in Chinese Yuan but have the transaction settled in a foreign currency when remitted to the vendor. “Receiving payments from China is more flexible now for foreign companies, as long as there is a local bank in a market or that country that can work with Tencent (money transfer being worked out). So Chinese customers pay in their currency, and the beneficiary can receive payment in a specific country in local currency. In case, a developer is keen on building payment functionality and intend to get the money transferred outside of China then again local licence is needed to do that,” explained Cao.

4.     Data-related restrictions: Not specific to WeChat or Tencent, there is one legal issue every foreign company has to deal with and even be wary considering the repercussions that an organization can face in case of not following the law. As widely reported, the country’s new Cybersecurity law introduced last month, is a major initiative in data privacy regulations. It has also been mentioned that authorities haven't provided enough information about how the wide-reaching law will be implemented. And any failure to comply would result in a penalty of US$150,000 etc. The law has been drafted to shield “personal information” and individual privacy.

Personal information – recorded in electronic form or otherwise, which can be used, solely or together with other information, to determine the identity of a natural person, including but not limited to the name, date of birth, ID card number, personal biometric information, and address and phone number of the nature person. Similarly, foreign organizations also need to understand areas – like what does “network operators” and “critical information infrastructure” stand for.

 “All customer data or information a non-Chinese travel company collects needs to stay in China – if you are collecting customer contact information, payment-related details etc.,” shared a source. Of course, for travellers going outside of China, name, their address, and other requisite information is forwarded to various airports to make it possible to check them in at airports. So what sort of restriction is being referred to?

As highlighted by CNBC, illegal collection, disclosure and receipt of a citizen’s personal information now constitutes a criminal offense.

 “Practically how it (collection and transfer of data) is being done, whether the law is being followed or not as of now – it is tough to say and probably not. It is a complicated issue, lots of brands are struggling right now with what it means.” There is no case as of now, and there are ways to work around this.  

Now take the case of a traveller interacting with a foreign brand via WeChat. This traveller shares some information that is related to a trip with an airline, and while interacting with the chatbot, this passenger shared some information about the ground transportation or car rental in China, and intends to carry on with the airline to offer an ancillary product. Can the airline act on this data that is being generated in China and match it with historical purchase behavior stored outside China? Or how to collect and act on data that is being garnered from touchpoints within and outside China? “So the airline could use an identifier of the data stored in China, and use some sort of a key to match with data stored in the central database…to access Chinese customer data, you can access storage in China, it’s possible. The key is to where the law in China stands when it comes to accessing and usage of customer data,” pointed out the source, referring to the current complexity. “It could become an issue if you don’t take the government’s stance seriously.

Questions have been raised about what it means for the foreign companies and is China facilitating free trade and an open global Internet with their new data privacy initiative. For their part, the government has already stated that the new law safeguards national cyberspace sovereignty and security.

Hear from Matt Brennan, WeChat Expert, China Channel at the upcoming Airline & Travel Payments Summit (ATPS) Asia-Pacific 2017 conference, to be held in Bali, Indonesia.

For more, click here

Follow Ai on Twitter: @Ai_Connects_Us

21st December, 2020

It is always fascinating to read into a description of fraudsters’ activity. Fraud prevention specialists use interesting analogies or context to denote what fraudsters are up to.

Here are some of them made during Ai’s online events or interviews in 2020:

1. “Fraudsters are taking less shots (fraud attempts) but going for home run”: Kevin Lee, Sift

2. Merchants must act to avoid having “satisfied” fraudsters: Hubert Rachwalski von Rejchwald, Nethone

3. “Most fraud prevention solutions fail because they don't think like a fraudster”: Lior K., SecuredTouch

4. “The fear of unknown has got bigger”: Stuart Barwood, Forter

5. There has been a rise in the number of “professional refunders": Sandra (Sondra) Feinberg, Microsoft

By Ai Team 

First Published on 9^th January, 2018

Ai Editorial: Merchants and fraud prevention specialists need to evaluate several areas such as data breaches, phishing, malware etc. to make it tough for fraudsters to gain access to a loyalty account, writes Ai’s Ritesh Gupta

Airlines need to prepare diligently for the threat of account takeover or ATO, especially considering their business falls in the “high ticket value, with a low margin” category.   

Why ATO is proving to be lucrative for fraudsters at this juncture?

There are multiple reasons behind this. First, this type of fraud can be more valuable than credit card fraud. Second, organizations don’t have stringent measures in place to fight against ATO. As the team at Sift Science points out, the time available to exploit the information before detection is typically longer. Third, this type of cheating isn’t easy to detect. Since the account already exists and is related to a genuine customer, the fraud is relatively tougher to spot and the fraudster has more time to operate before they are caught.

One breach - eventually key to many accounts

ATO in the loyalty space (featuring airlines, hotels etc.) is coming under scrutiny owing to data breaches, says Kevin Lee, Trust & Safety Architect, Sift Science, a speaker at the recently held Loyalty Fraud Workshop in Palm Springs, California.

Highlighting how one data breach can impact several verticals, Lee says, “Let’s say a customer has an account in both Uber and United Airlines. And if there is a data breach at Uber, and although United Airlines hasn’t faced any attack and are safe from that perspective, but if a user happens to use the same login credentials for both the companies, then the credentials are vulnerable for illegitimate use at other places. And about 55% of the people in the U. S. re-use passwords.” So in today’s password driven economy, if users are spending majority of their time in using 10-12 apps on their smartphones, it would be unreasonable to expect them to use different passwords for all the apps. “People tend to take a short-cut (when it comes to passwords) and won’t have unique passwords. So this makes them vulnerable to ATO.”

So everyone’s credentials have already been compromised? Is it the case?

As Google also pointed in November, account takeover is sadly already a common challenge for users across the web. The company also acknowledged that password stealing tactics pose a risk to all account-based online services. Key findings from a study (analysis spanning over one year till March last year, featuring study of numerous black markets that traded 3rd party password breaches as well as 25,000 blackhat tools used for phishing and keylogging):

·          It was found 788,000 credentials were lifted via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by 3^rd party breaches.

·          Password stealing ways mean all account-based online services are under a threat. According to Google, in the case of 3^rd party data breaches, “12% of the exposed records included a Gmail address serving as a username and a password; of those passwords, 7% were valid due to reuse. When it comes to phishing and keyloggers, attackers frequently target Google accounts to varying success: 12-25% of attacks yield a valid password”.

·          Also, considering the fact, a password alone is hardly enough for securing access to a Google account, gradually more fraudster plan for garnering sensitive data that is requested when verifying an account holder’s identity. Google underlined that 82% of blackhat phishing tools and 74% of keyloggers tried to obtain a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model.

According to Sift Science, fraudsters get access to stolen credentials from a number of sources:

·          From data breaches, sold on the dark web

·          Phishing with fake websites

·          Malware, trojans, spyware

·          Social engineering

·          Hijacking a mobile device

Lee says, “My general assumption is that every one’s credentials have already been compromised.” He added, “We have actually reached the point of no return.” It might not be a straightforward task to gain access to everyone’s account, but just like solving a puzzle or putting several pieces together, fraudsters can sneak through the defence. So from one data beach one can get a vital piece of information about users. And then another breach sharing more details about users and so eventually cracking all details of one account. “So that’s how an entire identify of a user could be worked out,” said Lee.

Certainly organizations can look at preventing “own” credentials from being stolen. So, working in unison with the IT team, it can be ensured that information stored in servers and people accessing them is secure. “Unfortunately your consumers have become your weak spot. If they reuse their credentials and passwords then it remains a big issue (for organizations).

Be as strong as possible in authentication

Airlines need to look for more protections beyond just passwords. The claim for owning an account needs to be handled carefully. Machine learning comes in to understand the user behavior. Advancements in computing and big data power, as well as the gaining prominence of API-based machine learning solutions, mean that machine learning is emerging a scalable method to grow without increasing risk. It identifies patterns in data that aren’t spotted by humans. So this can result in lesser number of false positives and false negatives.

So let’s say a user booked a flight and then after a month is redeeming miles from the same device. So from a machine id or device fingerprinting standpoint, that would be a good signal from the authentication perspective.  Also, consistency in the timing of redeeming miles or points could be another indicator. Another area is behavior on the digital interface – the way redeeming is being done, the time taken to reach the checkout stage etc. Such actionable intelligence from all possible data inputs can help in curbing loyalty fraud. Machine learning evaluates massive volumes and varieties of data to deliver real-time decisions. “With enough data it can be observed that the average person – when they redeem gift cards or loyalty points, most likely that’s not their first time. People tend to take their loyalty program or points/ miles seriously. Even before the transaction takes place, with machine learning one can map the holistic behavior. So one keeps on checking a particular redemption option and when they have enough currency, they go for it. It might take them months to complete this. So these are all good indicators. On the other hand these are missing in account takeover (instances).

So even as credentials have been stolen, it is imperative for organizations to bolster the authentication process. This way the risk of loyalty fraud can be minimized. So it comes to down to authentication and one of the tools is machine learning, sums up Lee.

(We will take a detailed look at the role of machine learning in curbing loyalty fraud in the upcoming articles). 

For Ai’s 2018 Events, check - www.aieventdates.com

Follow Ai on Twitter: @Ai_Connects_Us

21st January, 2020

Ai Editorial: Travel merchants are prioritising speed, trust and security when it comes to the payments-related experience. This, along with balancing CX and fraud prevention, and responding to regulatory requirements, are some of the priorities for 2020, writes Ai's Ritesh Gupta

There are several prevailing trends that today make payments a fascinating discipline to follow. Merchants and other stakeholders are keenly following the evolving payment economics, new standards set up to govern the flow of money, what's paving way for cost reduction and revenue optimization, dealing with fraud attacks etc.

For travel e-commerce players, their main priority is to simplify the checkout experience. Cart abandonment remains an issue, and losing out on a conversion is a huge painpoint. In addition, to this there are several other aspects.

The list is as follows:

·          Letting travel shoppers being in control: A recent study commissioned by PayPal to evaluate key trends related to mobile shopping habits and merchant readiness indicated that merchants must offer mobile optimized experiences if they are interested in attracting and maintaining younger consumers, such as GenZ and GenY. According to Amadeus,  24% of travelers still abandon their purchase because there are too many steps in the checkout experience.

In a recent blog post, Jeremy Dyball, Head of Commercial, Payments, Amadeus, mentioned that with the rapid pace of payments innovation, "a number of advances from simplified foreign exchange, to a raft of new payment methods and easily accessible instant credit are combining to make a smooth and hassle-free payment experience tantalizingly close". According to him, it's time to embrace the new era of frictionless airline payments.

·          Balancing CX and fraud prevention: Security and trust are significant considerations in consumers’ mobile purchasing decisions. Globally, 51% of consumer respondents would be less likely to engage with mobile commerce due to security concerns, according to the same PayPal study.

As LexisNexis Risk Solutions highlights, a frictionless customer journey “doesn’t equate to an absolutely friction-free experience. It’s about having the right type of friction, with the right action, at the right time. You have to figure out where and what that is”. From a shopper’s perspective, friction could be any feature or requirement that hinders their path through the sales funnel. It could be a compulsory registration, wearing form-filling and time-consuming authentication processes. For a seamless and secure experience, airlines need to embrace dynamic friction.

As Sift’s Trust and Safety Architect, Kevin Lee points out; merchants can’t get away with their airport screening approach. Travel e-commerce players have to ensure trusted shoppers or consumers can sidestep added authentication, while potentially risky users undergo that further screening. Since there is so much of data from customers via the app usage, device usage etc. there is a need to use behavioural fiction or behavioural dynamics looking at the signals to identify normal behaviour for an authentic shopper on an app or an online platform. And then being in a position to spot an anomaly where certain behaviour doesn’t seem to be normal. Then only there is a need to introduce certain friction or additional check in the shopping process. 

Highlighting e-commerce fraud trends in 2020, Riskified asserts that realistically, merchants can address fraud by leveraging the best fraud management solution: one that evolves to adapt to the latest attack vectors, with technology that can both register and analyze the vast amount of e-commerce data flows.

·          Payment flow: Other than counting on data for spotting fraudulent transactions or anomaly in behaviour, travel merchants are assessing the prowess of payment analytics and evaluating key metrics pertaining to the overall payment flow. Primarily, the focus is on the associated cost with each transaction, the rate of authorization, and the chargeback ratio. Delving deeper, payment specialists are counting on analytics for assessment of the risk profile, the relevance and performance of the acquirer, fee for alternative payment solutions etc. It is worth following how data and algorithms are shaping up to contribute both in terms of cost reduction and revenue optimization.

·          Regulatory environment: Regulations like PSD2 are paving way for new services and faster payments. PSD2 or the payment services directive in Europe is being associated with a major change in payments and data protection, and it is expected to fundamentally change the value chain. "PSD2 is opening up the (payment) industry, and breaking the monopoly of certain players on accepting payments," Simon Eve, Head of Travel, Trustly, told Ai in an interview last year.

The SCA requirements were originally planned for the 14th of September last year (with new migration completion deadline being 31st December 2020), but still concerns pertaining to PSD2 making online shopping more difficult and the same negatively impacting cart abandonment rates in the initial years of implementation are being highlighted.

·          Technology and digital commerce: Emergence of new technology or devices along with Internet connectivity means the need for payments to be processed automatically is already there. Overall, there is a need to keep an eye on options available for completing a transaction. So be it for things of IoT, which essentially refers to any kind of device, appliance or vehicle that can connect to the Internet, or the role of cloud services, merchants need to explore the emerging commerce features in a proactive manner. At the same it is vital to ensure that measures are in place for basic security and authentication.

Keen on exploring fraud prevention and payment-related issues?

Check-out Ai’s conferences scheduled for 2020: https://lnkd.in/fE7UK_T

First Published on 23^rd November, 2018

Ai Editorial: As more fraud-related solutions get introduced, the promise of protection against chargebacks is getting stronger. What needs to be evaluated before opting for the same, probes Ritesh Gupta

Managing fraud liability and availing chargeback (a forced transaction reversal initiated by the cardholder’s bank) guarantee on every transaction approved at first go comes across as an attractive option when considered from a merchant’s perspective.

Whether there can be 100% prevention of chargebacks remains an interesting discussion, still merchants such as airlines have to work on a risk mitigation plan to cut down on the same.

According to Chargebacks911, chargebacks are caused by criminal fraud (1-10%), friendly fraud (50-80%), or merchant error (20-40%).

Liability shift 

As more fraud-related solutions get introduced, the promise of protection against chargebacks is getting stronger.

But is there any hidden factor that needs to be considered? What needs to be evaluated before opting for the same?

One of the factors is cost vs. chargeback protection.

“Some fraud solutions in the market today offer a guaranteed chargeback protection, which means that they will take financial responsibility for any approved order that turns out to be fraudulent. This shifts the liability away from merchants and onto these fraud specialists,” says Justin Lie, CashShield’s CEO. “However, not all e-commerce merchants will choose to take up the chargeback protection service, depending on their existing chargeback rates and business goals. For example, some solutions factor in the chargeback protection by increasing the cost of service, and a merchant with low chargeback rates may consider their fraud cost lower than the cost of deploying a chargeback protected fraud serviced.”

The cost of the chargeback protected service will be one of the important considerations - if the merchant ends up losing more on cost with the liability shift, then perhaps the merchant would be better off without the chargeback protection.

Second factor is the risk appetite of an e-commerce organization.

A shift in liability might also mean that the merchant would be open to accepting more risk, and therefore more fraud. With that in mind, the travel merchant must consider their risk appetite, whether or not accepting more risk is possible, or if their main goal is to minimize fraud as much as possible. At the same time, fraud rates must still be kept at an acceptable level and not be left too high, or the merchant may be left with warnings and suspensions from card issuers.

Focus shouldn’t be only on “guarantee” 

One can’t ignore the significance of accurately detecting fraud attempts and stopping fraudsters from succeeding in whatever they intend to do.

As specialists at Chargebacks911 point out, merchant errors which can be rather simple and inadvertent need to be curbed. For friendly fraud, a key option for merchant is to strategically argue unlawful chargebacks when they're issued. Each chargeback dispute conveys a powerful message to the issuing bank, asserts Chargebacks911. It also points out by doing so merchants end up restoring their innocence and also improving their association rapport with the issuer. Eventually a merchant freed of any apparent fault are subjected to lesser friendly fraud chargebacks.

In case of criminal fraud, the blend of machine learning with human forensics needs to deliver.

Deploying a multi-disciplinary approach combining different technologies - both supervised and unsupervised machine learning -  would better equip merchants to deal with fraud management. Unsupervised machine learning can be used to learn on the fly and identify fraudulent patterns even without having been trained with historical data, i.e. able to identify unknown fraud attacks. 

Machine learning systems are meant to be an improvement from rule-based systems, to reduce reliance on hard rules and to filter out fraud while passing more genuine users. However, machine learning systems only provide probability scores - or fraud scores - and would still require a team of manual reviewers to make sense of the score and thereafter a decision to pass or reject a transaction.

Follow Ai on Twitter: @Ai_Connects_Us

First Published on 23^rd November, 2017

Ai Editorial: Big data and real-time machine learning is being counted upon for securing payments as well as protecting user accounts and monitoring loyalty miles claims, writes Ai’s Ritesh Gupta

The role of data in stepping up the conversion rate and curbing fraud is coming to the fore.

The traditional ways of removing pain points of shopping as well as managing fraud have largely been reactive measures. But, with the availability of relevant, real-time data, a more proactive approach is improving efforts in this arena.

1.     Sector-specific analysis: As e-commerce entities, airlines need to dwell on sector-specific data analysis, for instance, gaining understanding of the user profiles that shop on airline.com. Specialists recommend that specific data fields such as loyalty miles claims can be assessed to check for any irregularity. Similarly, the words per minute typed, the movement of the cursor around the site etc. is being evaluated, rather than only focusing on the card blacklist. Real-time data from airline.com can also help in curbing fraud. Blacklists rarely work because hackers will never use the same credit card information twice, while white-lists are inaccurate since white-listed customers can be compromised anytime. Real-time machine learning can help against blanket blacklists and white-lists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transactions to identify fraud patterns instead.

2.     Authorization rates: Among the other areas, data is being relied upon for improving upon the authorization rates.

As highlighted by Adyen, on average, 5%-15% of ecommerce credit card transactions are rejected by issuing banks, and out of these, a quarter don’t work due to shortage of convincing reasons, mostly due to old and inefficient systems. And in certain markets, authorization rates across issuers take a dip because of suspicion of fraud. In this context, it is imperative to bank on data to evaluate the main reasons behind those declines and take appropriate initiatives. For instance, one areas that could be looked upon is - issuer-specific authorization rate trends. These actions may include optimizing the type of data submitted or identifying optimal routing for a given transaction.

3.     Evaluating the next buy: Adyen has also indicated that it is gearing up for shopper-centric reporting and this would help in analysing the next buy, and when and how the purchase will be made.

4.     Data from multiple sources: Other than unique merchant data for airline-specific analysis, travel e-commerce players can also capitalise on industry-level data. This could be details about synchronized fraud incidents, which may be shared across various carriers as all of them are equally susceptible to coordinated hackers/ fraudsters. Industry data on existing or current fraud attacks can also be useful information to share from airline to airline, but both types of data should be collected for analysis of anomaly detection. In fact, the way various sectors have shared data to control payments fraud, the same is gaining traction for a relatively new malice - loyalty fraud. This is important as hackers or cyber criminals have shifted their focus to loyalty fraud. The plan is to spot loyalty fraud patterns and potential fraudulent loyalty transactions. The fraudsters are leveraging loopholes as seen in the case of data breaches featuring even established airlines. So be it for loyalty or any fraudulent transaction, the more data that is collected, analyzed and linked, the more likely airlines and other merchants can avert the danger. It is quite possible for offenders to use stolen credentials across multiple merchants.

5.     Only historical data isn’t enough: It is time to look beyond traditional machine learning that tends to only rely on historical data for training the system. So limitations of acting on previous attacks have to be ascertained. Since supervised machine learning creates probability scores for each transaction, this means this method results in manual reviews as well. Due to the need for manual reviews, rules-based systems also start to show cracks at high volumes, and curtail an airline’s ability scale on demand.  On the other hand, the promise of unsupervised machine learning, too, needs to be scrutinised closely. It lets the system learn on the fly with real time data collected. 

Specialists recommend that airlines should take control of their payment data, which should not be restricted by default. So closely look at the country, industry, and type of device that is used, and cater their payment offering accordingly.

This data can merged with big data, so that organisations can work out a robust data strategy for curbing of fraud, analysing user behavior to assess the overall shopping pattern etc. Also, by working on their own fraud tools that are able to capitalize on their own sources of data, airlines can even challenge the efficacy of existing mechanisms. For instance, being realistic with Dynamic 3DS, the same is controlled by card issuers and is therefore still working with the same set of data as before. They are unable to tap on the merchants’ data for more information on fraud. But armed with their own data, airlines as merchants can improve upon their situation. Airlines need to update their fraud management systems with information from both internal and external sources, including chargeback data, information traded on the dark web etc.

Follow Ai on Twitter: @Ai_Connects_Us

First Published on August 16, 2016

Ai Editorial: Airlines need to dig deeper, be it for taking advantage of the liability shift rule for full 3D Secure optimization or being savvy with fraud detection on their platforms, writes Ai’s Ritesh Gupta

How is the travel industry dealing with the issue of transactions wrongly declined due to suspected fraud?

It is a serious issue as an indifferent customer experience can result in customers cutting down on their card usage or even abandoning it altogether. Yes, merchants are more liable for card-not- present (CNP) transactions today but they also need to be wary of the repercussions of a purchase decline that isn’t a fraudulent one.

Of course, the first major impact is the value of the order. Now all the money spent on getting a customer close to completing a transaction is also wasted. So be it for a print ad or remarketing campaign, the cost of acquisition is negatively affected. Then one should also consider the probable lifetime value that is lost when a genuine traveller’s order is erroneously declined.

Working in tandem

In this context, all stakeholders need to work on apt card authorisation strategies.

So when we talk of stakeholders working in tandem, there is a need to constrict your acceptance gap. It is pointed out that there tends to be a gap in acceptance as banks today are more wary of remote/ card not present transactions. Plus, there have been data violations/ incidents of fraud and also merchants have the tendency to deny transactions from particular geographical areas.  So by cutting down on this gap, one can benefit by authenticating those transactions, which have a higher likelihood of being authorized.

Making the most of what we have

So if we talk of what can be done, there is a need to make the most of what is available.

For instance, a travel company I spoke to referred to 3D Secure, and how this offering is different from other payment fraud prevention solutions.

3D Secure’s code is rooted in the authorization message from beginning to end when we consider settlement. This spans multiple parties and servers. One can reap benefits by focusing on troubleshooting and monitoring of the service, and linking various 3rd parties involved.  The data elements obtained from the authentication are shared with the issuer. The same enables issuers to amend their authorization risk settings and tie the authorization to the authentication.

Issuers who have deployed a risk based authentication mechanism will contest or assess transactions that seem doubtful. This way they can flush out fraudsters and cut down on false-positive declines. So before authorization they can spot danger. Based on the risk level they are then able to challenge the consumer with knowledge based questions or one-time pin numbers sent via SMS.

Here it needs to be mentioned that as per the real experience of those of who have benefited from 3D Secure,  it is being indicated that the end to end interoperability of 3D Secure eradicates the speculation once associated with CNP commerce.

As we learnt from Amtrak, the key to full 3D Secure optimization and effectiveness is to take advantage of the liability shift rule and to front load 3D Secure into your risk model. The company was able to lean on this new found component of the 3D Secure protocols to not only cut fraud but also increase sales. “Issuers have lower decline rates because they have better data across the lifecycle of the card. By giving the issuer the ability to silently interject themselves into the checkout make a risk determinant will allow you to expand your risk systems beyond your walls,” shared a source.

As for being realistic, one needs to ensure that the right tools are in place, too. You can't just go to market with a vanilla 3D Secure MPI provider and expect it to work.

Being savvy with algorithms

The fraud problem is boosting the false positive issue. Merchants, acquirers and issuers decline far more good transactions than bad.

“No industry is affected more by false-positives than the travel industry,” highlighted one executive.

Its true indeed as high ticket items along with the high potential for fraud results in the highest false-positives averages online.  So every travel company needs to identify how to implement static rules, ones related to behavior of a user, and also device fingerprinting.

Multi-factor authentication is also being counted upon to bring down false positives. For instance, this way one can step up approvals for new account openings, as they say, across thin-file leads with limited credit histories. Some of the options include commonly used one-time passwords (logging on to a network or service using a unique password which can only be used once or 1-time passcode based on the token’s secret to ensure authentication); certificate-based authentication (blends a public and private encryption key unique to each device; context-based authentication (optimizes a layered approach to access security by assessing user login attributes and matching them against pre-defined security policies).

Talking of Chip and PIN versions of EMV cards, one needs to be careful as it has both positive and negative sides to it. Airlines need to build trust and strengthen security. Today there are ID checking services available that use online and social media identity data, ID documents and facial biometric checks to prove that a person is who they say they are.

Lastly, whatever move is made it needs to be checked minutely. For instance, it is being stressed that one shouldn’t use biometrics in client-server architectures (not suitable for use as a factor in two-factor authentication). This is because credentials are sent over the wire (both LAN/WAN and the Internet). Since such authentication can’t be taken off,  it needs to be assessed in which situations it can be potentially compromised.

Follow Ai on Twitter - @Ai_Connects_Us