
First Published on 26th August, 2017
Ai Editorial: Be it cash for transactions, an ecosystem like WeChat, or the use of credit/debit cards, payment in Asia remains wide and diverse. Ai’s Ritesh Gupta explores how airlines are gearing up for the same.
Any airline operating in the Asia Pacific region needs to prepare diligently for accepting payments. Such initiatives involve many aspects beyond finalizing payment methods, including setting up processes and controls (currency management, currency hedging, fraud prevention, and reconciliation and reporting) and compliance (PCI DSS, sensitive data protection, costs and reliability).
For instance, there are many cash-driven markets, such as the Philippines, where credit card acceptance simply cannot be compared with Singapore or Australia. And then China can be completely different, considering the popularity of payment options such as Alipay and WeChat Pay.
“Payment is quite wide and diverse (in the Asia Pacific region). Go back by five years there were only a few forms of payment – cash, credit card, debit card…and that’s changed significantly over the last couple of years. Even if you consider just one country, say Singapore, where Scoot is based, it is a credit card, debit card-led market. And if one considers the Philippines, more than 85% is via cash. For an international airline, with operations across Asia, one size doesn’t fit all,” says Trevor Spinks, Head of Sales and Distribution, Scoot-Tigerair.
Relying on local agents/ staff
So how can an airline gear up for Australia, a market which is credit card, debit card-led, versus the Philippines, which is going to be different with cash being the preferred payment option?
“There is a need to remain close to your international markets. Do we have the correct strategy for payments in these countries? There are some countries where you need to cater to cash, there are some countries where an airline would need to take payment via 7-Eleven convenience stores. We have recently witnessed (the emergence of) Apple Pay, Samsung Pay coming into the market, and expect Google Pay to be available soon. So each market has a lot of different payment methods,” explained Spinks.
“So relying only on credit cards and debit cards as a method of payment as an international carrier is wrong. There is a need to work on a payment strategy for each country you are in. The best way to approach the same is to seek feedback from GSAs (general sales agents) or country managers. They are the ones who know their respective markets inside out and share popular payment methods and trends. So one can prioritize and be ready to accept payment via methods that are relevant, and can be fulfilled by airline websites or call centres.”

Special preparation
China is a unique market in the whole of Asia.
One can almost think of China as one area and segregate it from the rest. Facebook and Google aren’t really relevant or functional in China and, as Spinks says, payment methods are even more distinctive in this market.
“Scoot flies to 18 destinations in China, and that’s a significant part of our network. We will be offering WeChat as a payment option soon. The complexity for WeChat Pay is huge. It doesn’t use normal software language. WeChat Pay have their own language. So one needs to work with WeChat or 3rd party experts,” says Spinks. It is important as a massive chunk of the population uses WeChat. “So it is about using what they use every day to fly Scoot. But, yes, China has very specific requirements, and different rules and regulations.”
He further explained: “So in terms of how you manage and work around this diverse payments world in this region, consider an airline which flies to 10 countries and each country has 5 forms of payments. And if all forms of payments are different from all the other markets, then there would be 50 forms of payments. You do need payment providers and acquirers. We work with Worldpay. They already work with a number of payment distribution capabilities in several countries, and when airlines reach a certain point, they can work with one specialist and this allows an airline to straightaway tick, say 30 out of 50 payment methods, at one go. At times, there is a need to work directly with 3rd party suppliers. WeChat is a great example. We might have to work directly with WeChat to work it out for us. So it is a very diverse and hard area to manage. There is a need for a dedicated person within the airline to look after this. Also, you need expertise within each of the markets to understand whether, say, a 7-Eleven convenience store is a viable option or is the popularity decreasing and in two years’ time no one would be interested in paying via this option. So then no point in investing in that payment method.”
As for consumers, airlines need to study how smartphones are shaping their payment choices, how age and gender play a role in payments, and where travel as a shopping category fits in.
As new payment types become culturally ingrained, users begin to count on them for higher value transactions such as travel.
Other factors that need to be considered are:
· Know the local requirements, such as whether airlines are required to partner with a local entity in order to start connecting with local consumers. What sort of benefits does a local payment gateway offer, other than meeting legal requirements? Can one partner facilitate different methods - convenience store (tend to be semi-digital payments - a consumer takes a code or a QR Code associated with a booking and pays), online banking etc.?
· What are the complexities of integrating with a particular alternative payment method? Is extra cross-channel payment interface design and development required if the airline goes directly with a local payment platform?
· Unlike credit card, each of the payment options in Asia has its uniqueness, e.g. transaction limit, availability of refund, no pre-authorization, chargeback rights. What is needed to design and implement necessary payment interfaces and processing flows?
· What is needed to consolidate payment transactions, especially for easier reconciliation and reporting of sales and settlements across payment options?
· Implement necessary payment controls according to the difference of processing by payment types (e.g. refund, void, capture).
· Implement fraud monitoring and prevention across payment options. “Fraud becomes a bigger problem, the bigger the airline becomes. So when we were small, we weren’t worried about fraud, we had relatively bigger issues (to sort). But now we have around 40 aircraft, and flying to 18 different countries, fraud can be a big “number” annually. So a partner such as Adyen or Worldpay can also help with fraud solutions. But what you need here and what generally falls under the finance department, you need people who would be measuring and tracking fraud. So if one country had a fraud value of 1% and the norm is 3%, then it’s fine. And another one had a value of 10%, so there are significant issues in that country and you have got to measure it. And the onus also lies on the 3rd party partner to sort it out. And of course, fraudsters also find new ways of cracking the system, so it is always a cat and mouse game,” concluded Spinks.
Hear from experts at Ai’s 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August).
Follow Ai on Twitter: @Ai_Connects_Us

24th June, 2019
Regulations like PSD2 are paving the way for new services and faster payments. PSD2, the payment services directive in Europe, is being associated with a major change in payments and data protection, and it is expected to fundamentally change the value chain.
"PSD2 is opening up the (payment) industry, and breaking the monopoly of certain players on accepting payments," said Simon Eve, Head of Travel, Trustly.
Banks are beginning to expose their data for use by third parties, in particular fintech companies, through open APIs. The use of open APIs to simplify back-and-forth messaging that takes place during the course of a transaction is coming to the fore. Other than authentication, another area to watch out for is improved security. It has to be guaranteed that data is secure, and external services have access only to the controlled data that the consumer has permitted and that the bank has assigned.
Simon, who was in Brighton, UK, for Ai’s ATPS (13th ATPS Worldwide Event), added that the fintech sector is looking at offering instant, real-time bank transfer to airlines.
Simon spoke in detail about payment-related complexity and how it is being handled when dealing with multiple players, how airlines today are in a position to localize their payment options in a region like Europe, fraud prevention etc.
By Ritesh Gupta

First Published on 29th May, 2018
Ai Editorial: The issue of identity theft or payments fraud isn’t new. But the functioning of fraud rings, in which fraudsters band together in organized groups, continues to get more sophisticated, writes Ai’s Ritesh Gupta.
Merchants are used to enticing online shoppers on their digital platforms, letting them select their preferred product via filters, visualize their shopping cart and eventually wrap it up via a frictionless check-out process. Now imagine the merchant being an illegitimate seller of stolen credit card details and extending the same shopping experience on the dark web! The nexus of fraud rings and their way of functioning is streamlining selling of credit cards and other associated information for $10 or so. Specialists point out that a sense of security is the worst possible sign that the likes of airlines and other travel merchants can hang on to.
Continuous and a bigger threat
The team at Riskified highlights two pertinent points related to fraud rings. First, at the end of the day no entity is safe from the assault of fraud rings. Second, these groups “tend to strike big, and have access to technology and resources that are unavailable to solo or less professional fraudsters”. From automated bot attacks to organized account takeovers, fraudsters are working out new ways to dupe and that too at a rapid pace.
As for one of the routes chosen to dupe genuine customers, these fraud rings find a way to verify fraudulent transactions by contacting the phone/mobile service provider to swap a victim’s phone number on to a new SIM card the scammers own. Criminal cases have indicated that fraudsters have spotted a major vulnerability in the way banks are using their customers’ mobiles to identify them. (A couple of days ago one such case emerged in the U.K. where a victim had his £17,000 mortgage deposit cleared out of his bank account as fraudsters managed to change his number on to a new SIM.) Such incidents indicate fraud rings have access to detailed information about victims. This could be via data breaches or from the dark web, gaining batches of credit card numbers, complete with CVV, expiration date etc. So the stakeholders involved need to go for a stringent authentication mechanism. As for how fraud specialists like Riskified are helping retail companies, they observed that such transactions feature first-time customers and were initiated using a particular phone carrier and a relatively small and uncommon ISP. There is a way to turn down all resulting fraud bids without impacting authentic orders.
Synthetic identity fraud
Another alarming trend as far as fraud rings are concerned is synthetic identity fraud. This type of fraud doesn’t involve taking over existing identities; it emerged after financial institutions improved how they prevent and detect traditional identity fraud, which pushed fraudsters towards synthetic identities. It is initiated by using a blend of fake information, such as a fictitious name, along with real data, to set up fraudulent accounts. For instance, the “Social security numbers” (in the U.S.) that get targeted most are ones that are infrequently used, or ones belonging to people who are less likely to use their credit actively. So scammers set up such fake identities using potentially valid social security numbers with wrong personally identifiable information (PII). So there could be a real address and the social security number may seem authentic, but the number, name, and date of birth sequence do not match any one person.
A major problem is the fact that it often is not identified as fraud and the crime can go undetected for an indefinite period. Criminals and other fraudsters rely in large part on the credit reporting system to create and use these synthetic identities.

The account can remain active, and fraudsters may capitalize on credit line increases and enhanced credit standing. Finally they max out the credit line and vanish without a hint. For those who are or could be impacted, synthetic identity fraud isn’t easy to identify and prevent. According to a last year’s report released by the United States Government Accountability Office, banks can lose an estimated $50-$250 million in a year from synthetic identity fraud-related unpaid debt. The report also highlighted that fraudsters exploit credit bureau procedures to improve their credit history by getting legitimate credit users to act as accomplices and add synthetic identities as “authorized users” on accounts in good standing. Over a period that can span months and years, identity thieves may make small charges and clear them, too. This way they set up a decent credit score and gain higher credit limits. In the end, they typically charge the maximum amount on credit cards for transactions such as airline tickets, and this stage is known as the “burst out”.
The industry is on the look-out for astute tools to detect and prevent this type of fraud. Advanced data analytics and biometrics are being recommended as solutions for the same.
Key takeaways to curb the activity of fraud rings:
· Focus on how devices and accounts are connected in order to competently unearth the activity of fraud rings. Device behavior analytics includes transactions from TOR, high-risk locations, IPs, and ISPs, geo-location, IP address, and time zone mismatches etc.
· Investigate anything that seems unusual or suspicious.
· Explore how collaboration such as a cross-industry approach or contributing in fraud intelligence can help law enforcement identify, investigate and prosecute fraud.
· How can unsupervised machine learning play its part in ascertaining correlations and linkages to find fraud rings? How can the combination of unsupervised and supervised machine learning help? How are specialists evaluating unconventional data points, integrating different data streams (structured, unstructured, real time etc.) and relying on machine learning models to curb the threat of fraud rings?
· Include analytical details about unusual behaviour and usual trends as features in the technical fraud detection process.
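The first takeaway, looking at how devices and accounts are connected, can be sketched as a graph problem. The following is an added example, not code from the article or from any vendor it names; the order records and field names are constructed for illustration. Accounts are linked whenever they share a device, IP address or card, and transitive links are followed so that a group surfaces even when no two of its accounts share every attribute.

```python
from collections import defaultdict

# Constructed sample orders (not real data); field names are assumptions.
ORDERS = [
    {"order": "o1", "account": "a1", "device": "d-17", "ip": "198.51.100.7", "card": "c1"},
    {"order": "o2", "account": "a2", "device": "d-17", "ip": "198.51.100.9", "card": "c2"},
    {"order": "o3", "account": "a3", "device": "d-40", "ip": "198.51.100.9", "card": "c3"},
    {"order": "o4", "account": "a4", "device": "d-40", "ip": "203.0.113.20", "card": "c3"},
    {"order": "o5", "account": "a5", "device": "d-88", "ip": "192.0.2.55", "card": "c5"},
    {"order": "o6", "account": "a5", "device": "d-88", "ip": "192.0.2.55", "card": "c5"},
    {"order": "o7", "account": "a6", "device": "d-91", "ip": "192.0.2.77", "card": "c6"},
]

# Attributes that link two accounts when shared. A shared IP is the weakest
# signal (carrier NAT, offices), so analysts may drop or down-weight it.
LINK_FIELDS = ("device", "ip", "card")


class DisjointSet:
    """Union-find over (kind, value) nodes such as ("account", "a1")."""

    def __init__(self):
        self.parent = {}

    def find(self, node):
        self.parent.setdefault(node, node)
        while self.parent[node] != node:
            # Path halving keeps lookups close to constant time.
            self.parent[node] = self.parent[self.parent[node]]
            node = self.parent[node]
        return node

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def find_rings(orders, link_fields=LINK_FIELDS, min_accounts=3):
    """Return clusters of at least min_accounts accounts joined by shared attributes."""
    ds = DisjointSet()
    for o in orders:
        account = ("account", o["account"])
        ds.find(account)
        for field in link_fields:
            if o.get(field):
                ds.union(account, (field, o[field]))

    clusters = defaultdict(
        lambda: {"accounts": set(), "orders": [], "seen": defaultdict(set)}
    )
    for o in orders:
        cluster = clusters[ds.find(("account", o["account"]))]
        cluster["accounts"].add(o["account"])
        cluster["orders"].append(o["order"])
        for field in link_fields:
            if o.get(field):
                cluster["seen"][(field, o[field])].add(o["account"])

    rings = []
    for cluster in clusters.values():
        if len(cluster["accounts"]) < min_accounts:
            continue
        # Report only the attribute values used by more than one account.
        shared = sorted(
            f"{field}={value}"
            for (field, value), accounts in cluster["seen"].items()
            if len(accounts) > 1
        )
        rings.append({
            "accounts": sorted(cluster["accounts"]),
            "orders": sorted(cluster["orders"]),
            "shared": shared,
        })
    return sorted(rings, key=lambda r: -len(r["accounts"]))


if __name__ == "__main__":
    for ring in find_rings(ORDERS):
        print(ring["accounts"], "linked by", ring["shared"])
```

In the sample, accounts a1 and a4 share nothing directly, yet land in one cluster through a2 and a3; linking on the device alone yields only pairs, which is why combining several data streams matters.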
Hear from airlines and other industry executives about travel fraud at the upcoming 7th Annual Airline & Travel Payments Summit (ATPS), co-hosted with UATP, (4- 6 September 2018 in Phuket, Thailand).

7th June, 2019
Ai Editorial: CyberSource has highlighted that effective fraud management requires the careful balance of three interdependent dimensions, reports Ai’s Ritesh Gupta.
Payment and fraud executives have to be crafty enough to ensure that genuine customers aren’t denied an opportunity to complete a transaction or made to face hiccups from added friction. At the same time, merchants can’t afford to be a victim of fraud owing to a weak authentication or fraud prevention mechanism.
CyberSource (https://www.cybersource.com/), in its latest report – the 2019 Global eCommerce Fraud Management Report Asia Pacific Edition – has highlighted that effective fraud management requires the careful balance of three interdependent dimensions –

· Delivering a positive experience for genuine customers and maximising the acceptance of genuine orders - The balancing act, as highlighted by Ai previously, is about being proficient in validating a buyer, and such verification shouldn’t interrupt the manner in which they interact and transact with a business. Merchants need to look at new regulations, what sort of action is required and its impact on the user experience, and also the flexibility of consumers when it comes to additional measures that are being taken for authentication. One way to differentiate between transactions is the risk associated with them.
· Accurately detecting and rejecting fraudulent orders to minimise fraud losses - Merchants need to leverage the prowess of data-driven, artificial-intelligence powered offerings for combatting fraud. Rules-based systems are in general reactive and probabilistic solutions, which is why they are unable to prevent fraud before it happens. Rather than using a blanket rule that forces every user to log in with 2FA, real-time surveillance can be used to assess logins in the background, with only logins of borderline risk expected to go through 2FA. Merchants should still develop their own fraud tools that are able to tap their own sources of data for greater efficiency and more accurate detection of fraud.
Real-time machine learning can help against blanket blacklists and whitelists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transaction to identify fraud patterns. Deploying a multidisciplinary approach combining different technologies - both supervised and unsupervised machine learning - would better equip merchants for fraud management. Unsupervised machine learning can be used to learn on the fly and identify fraudulent patterns even without having been trained with historical data, i.e. it is able to identify unknown fraud attacks. Thereafter, predictive analytics may still be used to run the probabilities of fraud, giving a risk score.
CyberSource indicated that, in particular, enterprise organisations tend to be more proactive with their fraud strategies because the financial and reputational ramifications of fraud can be far reaching.
· Efficiently managing the operational costs of fraud management activities – The report also shared that as in other regions, minimising operational costs is generally a lower priority for businesses in Asia Pacific.
The report also highlights that it takes “constant recalibration and fine-tuning of fraud management controls and processes to keep achieving the best balance”.

6 characteristics of the masters of balance, according to CyberSource:
1. Have a lower chargeback rate
2. Are more likely to rate ecommerce fraud management as extremely important to their business strategy
3. Find it less challenging to respond to emerging fraud attacks
4. Have a greater range of capabilities that give them agility to respond to the dynamic landscape they operate in
5. Have a greater capability to use data effectively for fraud management
6. Are less likely to conduct manual review, and spend less in this area
Hear from senior executives about the balancing act at the 8th Annual ATPS Asia-Pacific to be held in Penang, Malaysia (27-29 August, 2019).

29th October, 2019
St. Petersburg, Tampa Bay
Ai Editorial: Amidst all the talk around use of machine learning and artificial intelligence (AI), and overall transaction analysis, the industry tends to forget that the human element is vital, too, in preventing various types of e-commerce fraud.
A well-balanced approach, one that encompasses an apt blend of a proficient anti-fraud team and data/tools expertise, is a must to protect travel e-commerce businesses against fraudulent transactions, account takeovers (ATOs), data breaches etc.
Speaking at the 2019 LFPA Fall Conference in St. Petersburg, Tina Burgess, Senior Manager of Risk and ePayments, Points, mentioned that amidst all the talk around use of machine learning and AI, and overall transaction analysis, the industry tends to forget that the human element is vital, too. She underlined the significance of hiring the right people as organizations try to curb various forms of fraud. "Diversity (while recruiting people), specialized knowledge/ skills, and training and support (is key to curbing fraud)," mentioned Tina. Citing an example, she said that pattern analysis, the ability to identify certain patterns/links, is an important way in which a skilful team contributes, and that's where the diverse background of the specialists in the team comes into play.

Right type of data
Tina also asserted that acting on the right type of data, related to payment authorization, membership data and transactional history, is another aspect that needs to be looked into.
In addition to human expertise, organizations are also looking at machine learning technologies to secure accounts and prevent fraudulent transactions. Rely on both supervised and unsupervised machine learning to comprehend both the historical patterns of use, as well as identify anomalies. Specialists like Sift and CyberSource emphasise that airlines should analyze user behavior throughout the entire journey- including account creation and login, any account activity and also at the point of transaction such as redemption of points. Overall, favourable results come from the ability to experiment with various machine learning-based methods, trying variations on them and testing them with a variety of data sets. It is fascinating to assess how machine learning automates the extraction of known and unknown patterns from data.
Not compromising CX
IBM Security's Shaked Vax highlighted the role of real-time fraud detection across digital channels.
Travel merchants are evaluating ways to quickly and transparently establish digital identity trust. This can allow them to create a more seamless customer experience.
Vax said that the top use cases for digital trust include establishing trust during initial on-boarding, frictionless and password-less login, and continuous trust validation.

He stated that it is going to be critically important for businesses to authenticate users in a way that’s less intrusive than multifactor authentication.
"Silent security means using risk – your users’ background information and contextual data – instead of the password to authenticate, and letting your good users right in without bothering them. Great, successful digital businesses will differentiate based on this kind of smooth experience and they’ll know their users are who they say they are," said Vax.
Balancing act
As highlighted previously by Ai, travel merchants need to be proficient in validating a buyer, and such verification shouldn’t interrupt the manner in which they interact and transact with a business. Merchants need to look at new regulations, what sort of action is required and its impact on the user experience, and also the flexibility of consumers when it comes to additional measures that are being taken for authentication. Plus, merchants need to leverage the prowess of data-driven, artificial-intelligence powered offerings for combating fraud. And lastly, businesses also need to efficiently manage the operational costs of fraud management activities.

4th November, 2020
Payment specialists are taking vital initiatives to meet merchants’ local and global needs by strengthening their competency across a spate of key areas including digital payment capabilities, cybersecurity and fraud prevention.
This week Worldline has welcomed Ingenico. The group has expanded the coverage of its payment value chain and its expertise in cross-border acquiring with Ingenico’s global exposure to online commerce.

Also, Nuvei has completed the previously announced acquisition of Smart2Pay Global Services to expand its geographic footprint.
COVID-19 is being tipped to remain an active driver for investment, particularly in the fintech segment.
All this means that specialists are gearing up to support merchants in several areas - transaction routing, authorisation rates and the ability to roll out new payment methods quickly and seamlessly.
Last year witnessed a couple of mega-mergers in this arena. One was the US$42.5b acquisition of WorldPay by FIS. And the other one was the US$22 billion acquisition of First Data by Fiserv.

First Published on 13th February, 2017
Ai Editorial: The quality of data as well as making the most of different types of machine learning are vital for fraud prevention, writes Ai’s Ritesh Gupta
Fraud prevention isn’t just about one algorithm being used or acting only on historical data. One can fall woefully short with an ill-conceived approach. Airlines need to check valuable pointers – are chargeback rates under control? Even if the fraud system is indicating very low fraud rate, is it still resulting in high abandonment and rejection rates of the users?
Airlines are acknowledging the limitations of traditional rule-based fraud solutions, one of them being overly focused on bringing down the fraud rate as close to zero as possible. This tends to be a risk-averse approach, and one needs to negate rules when positive behaviour is detected. So how can big data and machine learning contribute?
Here we assess some of the critical aspects of data strategy and machine learning that can contribute to fraud prevention:
· Only predictive analytics isn’t enough: Predicting future fraud based on historical data isn’t enough. For instance, when transactions with no historical data are submitted into the system, the possibility of missing out on suspicious behavior is there.
Unsupervised machine learning manages to seek patterns and correlation amidst the new data collected, which helps to identify positive and negative behaviour.
With pattern recognition, even without any prior historical data, the machine is able to discover patterns across various transactions and establish if the transaction showed bot behaviour or human behaviour. Information collected from big data is vital here. It is initially used to garner information about the user’s behaviour on the website and these details are blended with machine learning, which uses pattern recognition to chart the pattern of this user’s behaviour to match it either with positive (genuine) or negative (fraudulent) behaviour, as well as predictive analytics that records the positive/ negative behaviour and uses that on future transactions for potential signs of fraud. Also, behavioral analysis is one area that is becoming increasingly sophisticated. Swipes, taps, cursor movements etc. are being analyzed for navigation flow, time spent etc. to understand the behavior. Specialists are tracking mouse movements and clicks in context and meaning while becoming increasingly more accurate over time.
· Relevant data: While data is important, what is more important is the quality and relevance of the data. Big data is receiving greater popularity and used more widely than ever, but it is not about how big the data is. Relevant data is necessary to improve fraud prevention, as well as to improve the machine. For instance, if the machine is regularly receiving non-relevant data, the resultant output will be non-relevant decisions.
In addition, the way the data is processed must also be relevant when making probabilities of fraud risk. Algorithms are designed with biases. If the fraud system’s algorithm is centred towards eliminating fraud entirely, the decisions will compile results of a very low fraud rate, but also high abandonment and rejection rates of the users. Instead, if the fraud system is focused on maximising revenue per risk of fraud, it is possible that a slight allowance of letting the fraud rates up by 0.1% could increase acceptance rates by 10%.
· Keeping pace with technological developments: Airlines, just like any other e-commerce business, need to cater to a variety of payment methods, currencies and devices. Each new technological development introduces new avenues for fraud, meaning detection and prevention efforts need to be just as agile. Expect more creative modes of fraud to appear. So there is a need to shift to active surveillance by deploying big data user and entity analytics to understand the user behaviour behind each transaction. Considering that most fraud attacks come as a coordinated attempt from a single script, automated to maximize the number of hits in the least amount of time possible, they will leave behind a pattern that can only be detected by understanding user behaviour. Even as new forms of payments become popular and mainstream, active surveillance will be more relevant (rather than static defence) and effective in dealing with fraudsters.
· Airline-centric approach: As we highlighted in one of our recent articles, the e-commerce set up of airlines is distinctive, and it would be highly desirable to have a tailored data strategy.
For instance, how to capitalize on custom data fields be it for flight details, loyalty miles claims (to detect abnormalities) etc.
With more and more data analysed, it is harder for hackers to hide their tracks fully to pass off as genuine.
· Assess liability shift: Airlines must expect better results at this juncture, considering that machine learning has evolved. For instance, improving fraud management doesn’t only mean lowering fraud rates; it is also about ensuring that the system does not hinder revenue growth. So better technology (big data, machine learning) is important, but how these systems are designed, and the KPIs they are held to, are more important.
If we talk of liability shift, specialists point to pattern recognition, deep learning and stochastic optimization to seek an optimized yes or no decision in real time.
Based on calculated risks, the system passes the optimized number of transactions while ensuring that chargeback rates are still under control. As a result, borderline genuine transactions can be passed and unnecessary rules and bans are lifted, improving sales greatly. The efficacy of these “calculated risks” needs to be scrutinized by airlines. It is being asserted that the switch from predictive models of machine learning towards real-time machine learning is a few years away.
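The trade-off described above, a system tuned to eliminate fraud entirely versus one tuned to maximise revenue per risk of fraud, can be made concrete by sweeping the accept/reject cut-off over scored, labelled past orders. This is an added example, not code from the article or from any fraud vendor; the scores, amounts, fraud labels and the flat chargeback fee are constructed assumptions.

```python
# Constructed history: (risk_score, order_amount, was_fraud). In practice the
# labels would come from chargebacks and confirmed-fraud reviews.
TXNS = [
    (0.05, 200, False), (0.10, 150, False), (0.20, 300, False),
    (0.30, 250, False), (0.35, 400, True),  (0.40, 500, False),
    (0.50, 350, False), (0.60, 450, False), (0.70, 300, True),
    (0.80, 600, True),  (0.90, 200, True),
]

CHARGEBACK_FEE = 25  # assumed flat fee per fraudulent order that is accepted


def evaluate(txns, threshold):
    """Accept every order scoring below threshold and report the outcome."""
    accepted = [t for t in txns if t[0] < threshold]
    fraud = [t for t in accepted if t[2]]
    revenue = sum(amount for _, amount, is_fraud in accepted if not is_fraud)
    loss = sum(amount + CHARGEBACK_FEE for _, amount, _ in fraud)
    return {
        "threshold": threshold,
        "accepted": len(accepted),
        "acceptance_rate": len(accepted) / len(txns),
        "fraud_accepted": len(fraud),
        "fraud_rate": len(fraud) / len(accepted) if accepted else 0.0,
        "net": revenue - loss,
    }


def sweep(txns):
    """Evaluate every distinct cut-off, plus one that accepts everything."""
    cuts = sorted({score for score, _, _ in txns}) + [float("inf")]
    return [evaluate(txns, cut) for cut in cuts]


def zero_fraud_policy(txns):
    """Most permissive cut-off that still lets no known fraud through."""
    clean = [r for r in sweep(txns) if r["fraud_accepted"] == 0]
    return max(clean, key=lambda r: r["accepted"])


def max_net_policy(txns):
    """Cut-off that maximises revenue net of fraud losses."""
    return max(sweep(txns), key=lambda r: r["net"])


if __name__ == "__main__":
    for name, policy in (("zero fraud", zero_fraud_policy(TXNS)),
                         ("max net revenue", max_net_policy(TXNS))):
        print(f"{name:16s} cut-off={policy['threshold']:.2f} "
              f"accepted={policy['accepted']}/{len(TXNS)} "
              f"fraud accepted={policy['fraud_accepted']} net={policy['net']}")
```

On this sample the zero-fraud cut-off accepts 4 of 11 orders for a net of 900, while tolerating one fraudulent order accepts 8 of 11 for a net of 1775. The fraud rate, acceptance rate and net figure have to be tracked together, since any one of them alone can look healthy.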
Are you bold enough to survive in the brave new world? Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).
Date: 03 May 2017 - 05 May 2017
Location: Berlin, Germany

First Published on 8th May, 2017
Ai Editorial: 3D Secure 2.0 is a data-driven initiative that supports digital payments and features expanded capabilities in terms of security and user experience, writes Ai’s Ritesh Gupta.
The experience of searching for a flight and trip essentials can be a laborious one. In an era when travel e-commerce brands are jostling to win “micro-moments”, losing out on a conversion owing to an additional authentication layer at the time of checkout isn’t good news.
We all dread those few extra seconds, or the need to enter a password (which isn’t easy to remember) for a transaction to pass through.
Even for airlines, as merchants, it isn’t easy to verify the authenticity of a transaction as one can pay via a browser, mobile app, or connected device. So being in control of the purchase experience as well as controlling the chargeback level or fraud is always a tricky situation for airlines.
Of course, 3D Secure has been around for a while, but airlines can’t take a binary view of such payer authentication: implement it across all transactions or don’t implement it at all. Travel e-commerce brands have been diligently looking at ways to choose the authentication type and avoid unnecessary checkout issues, and getting better with “liability shift”.
3D Secure 2.0
3D Secure sets up an authentication data link between online merchants, payment networks and financial institutions to assess and share more intelligence about transactions. It has been widely acknowledged that the specification 1.0 was set up for PCs, and there wasn’t enough to deal with friction in the customer experience. A major issue with the traditional approach of 3D Secure today is transactions via mobile.
Among the latest developments, 3D Secure 2.0 is being termed a potential boost for digital commerce with quick, secure authentication, propelled by robust fraud-related intelligence. It strengthens the quality of real-time predictive risk scoring for both merchants and issuers. The new specification would support app-based authentication, and there would be integration with digital wallets, too.
Early adoption of the new specification is scheduled to begin in the second half of this year.
The two versions will run in parallel at this juncture. So support for both versions would be critical, as adoption rates of the updated specification among card issuers and merchants will vary.
For their part, EMVCo, a company which is collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, introduced specifications for 2.0 in the last quarter of last year.
The industry is gearing up for 3D Secure 2.0. Merchants and issuers are already working on their implementations.
For their part, Visa has stated that in order to ensure issuers and merchants “have time to test, pilot, refine and fully roll out solutions, current Visa rules for merchant-attempted 3-D Secure transactions will extend to 3-D Secure 2.0 beginning April 2019”.

Objectives
There are several areas, encompassing the shopping experience, mobile transactions, support for digital payments, cutting down false positives etc., that are being addressed with this new specification.
This new messaging protocol elevates the buying experience by facilitating intelligent risk-oriented decisioning that would result in frictionless authentication. It also lists numerous choices for step-up authentication, including one-time passcodes as well as biometrics.
3D Secure 2.0 is a data-driven initiative, which means that passing data earlier offers merchants the ability to decide whether to authenticate a transaction or not. There would be streamlined authentication, based on data elements shared through the protocol. The requirement of having to authenticate via static passwords would be done away with. The data available includes transaction-related information as well as details about the device being used for the transaction. In fact, the 2.0 protocol will make extensive use of device data. This update also comes with the possibility to use token-based and biometric authentication, instead of passwords. So in the future a 3D Secure authentication will take place entirely in-app, with the touch of a finger.
There is a need to ensure a simple integration for additional data fields. The update paves the way for a real-time, safe information-sharing pipeline through which merchants can pass on transaction attributes that the issuer can use to validate users more precisely, without asking for a static password or slowing down the shopping experience. By supporting additional data during transactions, risk-based decisions will be possible on whether to authenticate or not.
As we highlighted in one of our recent articles, rigidity due to pre-constructed rules can now be combated with data sharing and data intelligence. And the release of the 3D Secure 2.0 specifications, too, needs to be followed for the same reason. One way to ensure the decline rate is relatively lower could be via the availability of quality data. Giving issuers a chance to interject themselves into the checkout can improve the risk assessment. So what was being done sporadically can be done in a widespread manner, i.e. enabling issuers to amend their authorization risk settings and tie the authorization to the authentication. An enriched data flow leaves stakeholders with a better ability to approve “good” transactions.
The need to come up with 3D Secure 2.0 also grew owing to the prominence of non-browser-based, card-not-present payments used in-app, mobile and digital wallets. So as for mobile-related focus, one of the objectives of the new specification is to make the message interface and authentication flows amenable to mobile platforms.
As highlighted by Adyen, customer pain points are expected to be sorted out. For instance, the authentication will take place within a website’s environment, removing the need for a redirect. Also, importantly, it will feature SDKs that make it possible to set up authorization flows in-app, greatly enhancing the mobile experience.
Specialists have already underlined the significance of an analytics-driven approach to risk-based authentication, and issuers need to gear up for the highest granularity of control over the risk decision featuring advanced analytical methods.

First Published on 18th May, 2017
Ai Editorial: Awareness among loyalty program members, avoiding data breach and fraudulent loyalty transactions, and being a part of a strong merchant community can bring down the risk of loyalty fraud, writes Ai’s Ritesh Gupta
Airlines need to assiduously take initiatives on several fronts in order to safeguard their loyalty programs. The threat of loyalty fraud can’t be ignored as a fraudulent activity via use of miles would denote a write-off on the balance sheet. This eventually affects margins. So airlines must assess their defence against loyalty fraud.
It is time airlines comprehend how loyalty fraud can involve customers, employees, travel agents and partners, and what can result in data breaches, malware etc., and accordingly train relevant teams and find ways to forge reliability and security across the organization. Recent research by Ai revealed that 72% of airline loyalty programs have an issue with fraud. Additionally, 30% of airline programs reported the problem was growing rapidly year-on-year. However, surprisingly, 10% of airline loyalty programs didn’t know if they had a fraud problem or didn't know that it was possible for loyalty fraud to occur.
In one of Ai’s conferences, it was highlighted that airlines can be attacked from unexpected quarters.
Take, for instance, the case of “registered users fraud”. It was highlighted that a registered user is commonly considered to be a “loyal” or “positive” user. But it is time to revisit this notion. Why? As one of the speakers stated, “Because a registered user after an account takeover and without identifying it, could be the most dangerous account in an airline’s user base. The fraudster could use this account to steal any personal details and book via methods with lower friction and probably less fraud analysis. How many of you are checking your registered users?”

There are 3 areas airlines can focus on to combat loyalty fraud:
1. Creating awareness among loyalty program members: Members need to know how to protect their loyalty accounts. This is even more critical today as the loyalty earning and burning lifecycle has opened new avenues for fraud. Of utmost importance is the realization that loyalty programs are being hacked, and what can be done to avoid this. Do members of a frequent flyer program treat their respective loyalty accounts like credit card information? This type of fraud is similar to card-not-present fraud. An account can be hacked by capitalizing on weak passwords, identity theft etc. So it must be highlighted that if fraudsters gain access to an account, they can seize points/ miles and rob loyal members by availing redemption options (the other threat is data breach). As Michael Smith, Managing Partner, Airline Information and Co-Founder, Loyalty Fraud Prevention Association (LFPA), says, passengers (or customers at large) should be wary about which Wi-Fi they are connecting to, and as FFP members they must also be cautious about sharing name and account number. “With those two bits of information, fraudsters just need to guess your password and they are in to your account,” he says. Smith asserts that a flyer shouldn’t share or post the picture of a boarding pass, as it features vital information.
Managing passwords isn’t an easy thing to do considering how many accounts all of us manage. But having one simple password for all log-ins can probably result in the worst nightmare – more than one account getting hacked. When a user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on other airlines’ systems, as users seldom differentiate their login credentials.
So airlines need to inform passengers about seemingly simple mistakes that can unknowingly create havoc with FFP accounts.
2. Taking internal measures to avoid data breach and fraudulent loyalty transactions: As an industry, airlines have made rapid progress in dealing with card-not-present transactions. There is no reason why the same can’t be replicated for loyalty fraud, as the pointers are quite similar. Airlines have to sharpen their real-time decision making, and customize it as per their current risk engine and workflow. A lot of organizations are adding multiple layers (of course, not at the expense of shopping experience); for instance, how can intelligence behind the email addresses of customers yield better results? Accertify, in a blog post, underlined that the email address is being “highly under-utilized” by many companies as a vital tool in an overall risk assessment strategy. Referring to limitations of a device ID or a phone number in the case of global companies, Accertify highlighted that every time an email is used it leaves a trail of sorts, and this is strong enough to evaluate the level of risk associated with a transaction. As a specialist, Emailage points out that email addresses have the same convention globally: user-name, “@” sign and domain. This makes the email address a perfect data point for robust risk assessment. The way that fraudsters use email addresses falls into patterns that are identifiable based on velocity and structure.
In addition to data from 3rd party sources, the fraud specialists within an airline must be supported to speed up the pace and precision of fraud detection – reduction in manual reviews, how to screen for loyalty fraud, access to real-time custom reports etc. Overall, organizations must gear up for login behavior, account changes and evaluation of purchase behavior. CyberSource recommends tracking of user account creation and login behavior, as well as screening for fraud at purchase and redemption of points.
3. Being a part of a strong merchant community: Airlines, as seen in the case of payments fraud, have been a part of a strong merchant community to jointly wage a battle against fraudsters. New organizations and tools are coming up. The Loyalty Fraud Prevention Association, set up last year, is focused on using the experience gained in fighting credit card fraud to deal with loyalty fraud. Also, Perseuss, as the merchant community’s answer to the problem of fraud, has developed Theseuss. This new platform gathers loyalty fraud intelligence, and features an active and collaborative community of loyalty fraud experts using the system. Theseuss would enable the exchange of fraud intelligence and evidence to allow the identification of loyalty fraud patterns. One of the highlights is the use of machine learning algorithms to discover potential fraudulent loyalty transactions.
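Point 2 above says that fraudsters' use of email addresses falls into patterns identifiable by velocity and structure. The sketch below is an added example, not code from Accertify, Emailage or any airline: it scores loyalty-account events by how often one mailbox (or one numbered family of addresses) appears within a window and by how the local part is built. The window, threshold, alias rules and sample events are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed velocity window
MAX_PER_WINDOW = 3            # assumed limit of events per key per window

def canonical(email):
    """Collapse aliases of one mailbox into a (local, domain) pair."""
    local, _, domain = email.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]          # assumption: "+tag" is an alias everywhere
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")      # Gmail ignores dots in the local part
        domain = "gmail.com"
    return local, domain

def structure_flags(local):
    """Structural signals that suggest a machine-generated local part."""
    flags = []
    if local and sum(c.isdigit() for c in local) / len(local) > 0.5:
        flags.append("mostly_digits")
    if re.search(r"\d{4,}$", local):
        flags.append("long_numeric_suffix")
    return flags

def score_events(events):
    """events: (ISO timestamp, email) pairs in time order -> [(email, reasons)]."""
    recent = defaultdict(deque)             # key -> timestamps inside WINDOW
    findings = []
    for ts, email in events:
        now = datetime.fromisoformat(ts)
        local, domain = canonical(email)
        stem = re.sub(r"\d+$", "", local) or local   # flyer0001 -> flyer
        reasons = structure_flags(local)
        for label, key in (("mailbox", local), ("stem", stem)):
            seen = recent[(label, key, domain)]
            seen.append(now)
            while now - seen[0] > WINDOW:   # drop events older than the window
                seen.popleft()
            if len(seen) > MAX_PER_WINDOW:
                reasons.append(f"{label}_velocity={len(seen)}")
        if reasons:
            findings.append((email, reasons))
    return findings

# Constructed sample events (not real accounts).
SAMPLE = [
    ("2017-05-18T10:00:00", "a.traveller@gmail.com"),
    ("2017-05-18T10:05:00", "atraveller+1@gmail.com"),
    ("2017-05-18T10:10:00", "A.Traveller+promo@googlemail.com"),
    ("2017-05-18T10:15:00", "a.t.raveller@gmail.com"),
    ("2017-05-18T10:20:00", "flyer0001@example.com"),
    ("2017-05-18T10:21:00", "flyer0002@example.com"),
    ("2017-05-18T10:22:00", "flyer0003@example.com"),
    ("2017-05-18T10:23:00", "flyer0004@example.com"),
    ("2017-05-18T13:00:00", "jane.doe@example.org"),
]
```

A flag here is a reason to route the signup, login or redemption to further screening, not a verdict on its own; thresholds would need tuning against a program's real traffic.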

First Published on 19th June, 2017
Ai Editorial: Protection of payment card data is becoming a vital issue as businesses across various sectors, including travel, are facing such attacks, writes Ai’s Ritesh Gupta
How safe are you when you make payment at the airport? Is the credit card payment in a common-use environment at airports sturdy enough to avoid a breach as of today? Are airlines being guarded against the dreadful point-of-sale-based malware?
These are critical questions that airlines and other stakeholders in the travel sector need to delve into. The pace with which credit card-related data breaches are taking place and what is being done to curb the same is one intriguing race to watch out for in the world of payments, security and fraud. Hackers, fraudsters etc. need to be stopped and the damage needs to be minimized, as the malice of data breaches is everywhere, across various sectors.
In a recent post on their blog, cyber security specialist Foregenix, referring to the risk associated with credit card details, mentioned that the average time it takes to discover such an attack or violation is around six months. Considering the impact of fines, such as Visa imposing payment of up to 18€ per customer card lost, waging a battle against breaches can be an arduous task.
Breaches all around
A major mishap is related to point-of-sale-based malware.
It has resulted in the maximum number of credit card-related breaches. In the last few weeks alone, there have been several reports of credit card-related breaches: US-based retailer Buckle has been in the news for being a victim of a security incident in which a criminal entity accessed some guest credit card information following purchases at some of their retail stores. The company’s store payment data systems were infected with a form of malicious code. The company acknowledged that certain credit card numbers might have been compromised. In late May, Chipotle Mexican Grill identified the operation of malware designed to access payment card data from cards used on point-of-sale devices at certain restaurants. According to the company, the malware searched for track data read from the magnetic stripe of a payment card as it was being routed through the POS device.
Earlier this year, InterContinental Hotels Group also acknowledged the case of a malware searching for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card. It was being routed through the affected hotel server.
These cases can drag on for years, and result in a hefty fine. Recently, Target was involved in a settlement worth $18.5 million related to a data breach in 2013.
Stringent measures
Travel companies have to ensure that the cardholder data remains encrypted at all times and at every “hop” across the electronic transaction.
According to specialists, such malicious code is generally set up via an attack on remote administration tools. Once the malware comes into action, hackers or fraudsters can remotely garner important details from each card swiped at that cash register. The details are then sold to those who can encode the stolen data.
Airlines, airports and associated stakeholders are moving forward, facilitating commerce as well as putting measures in place.
A major highlight is use of point-to-point encryption to protect customer data.
This technology is capable of ensuring that account data can’t be breached in any illegal way or by suspicious parties. The payment card data is encrypted at the point of acceptance and is said to be safe, even if stolen, until it reaches where it is supposed to. Also, it can streamline compliance with PCI DSS requirements for airlines and airports by cutting down on addressable needs during a PCI security assessment.
Overall, encryption technology for chip, magnetic stripe and contactless card payment transactions is thoroughly tested to curtail the possibility of any breach.
All of this becomes important as airlines tend to accept payments at airports via a shared IT infrastructure.
There is also a need to look into developments such as the General Data Protection Regulation.
New developments
As for airlines, security, based on the latest industry standards and technology, is only one aspect of the whole initiative that needs to be taken. For instance, making it convenient for customers to buy any ancillary offering is a revenue-generation opportunity. This has remained a challenge for airlines since there are shared check-in desks and these cannot adjust to certain payment needs of multiple airlines and ground handlers. If we look at the infrastructure at the airport, airlines can end up accepting payments at common-use check-in desks, kiosks and bagdrop areas for baggage fees, upgrades and other ancillary charges. Plus, airlines also seek better control over the process, which generally entails multiple stakeholders when one transaction is completed.
The industry is moving in the right direction going by two of the latest developments in the last month.
Recently, SITA came up with an offering featuring point-to-point encryption technology, with EMV and PCI compliant chip card payment terminals, applications and processes. With this solution, as SITA says, there is provision for several merchants to use the same terminal. The PCI compliance certification requires an end-to-end security review by each airline of its own full payment process.
Lufthansa Group, in conjunction with Amadeus and Ingenico, worked on a new option to allow passengers to pay for ancillary services with chip-cards (credit/debit cards), compatible digital wallets etc. at the check-in counter. According to Amadeus, “airlines and ground handlers can now reach any passenger with an EMV chip card or an EMV-compliant mobile wallet in any airport worldwide, regardless of the check-in infrastructure”.
Other than being compatible with security standards, the new offering, Amadeus Airport Pay, that Lufthansa is using also gives the group control over its payment infrastructure.
These are all positive developments that would ensure passengers can transact in a much safer environment, plus they are also being given the flexibility of buying a travel-related offering within the airport environment.
Discuss and learn about emerging developments at the upcoming 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali this year (29 – 31 August, 2017).