13th November, 2019
Ai Editorial: Authentication of risky shoppers shouldn’t hamper the digital experience of all. Rather merchants must focus on finding ways to applying the right friction to right person at the right time, writes Ai’s Ritesh Gupta
Filling a form, verifying a payment method, registering for an account…when a shopper is presented with such options in the booking flow, it evokes resentment. No one likes to spend extra time or make that additional effort to verify their identity knowing that they are legitimate shoppers.
But travel merchants have to ensure that the least number of fraudulent transaction slip through. Key then lies in identifying that anomalous shopping behaviour in a more shrewd way that doesn’t screen every shopper!
As Sift’s Trust and Safety Architect, Kevin Lee points out; merchants can’t get away with their airport screening approach. Travel e-commerce players have to ensure trusted shoppers or consumers can sidestep added authentication, while potentially risky users undergo that further screening.
“They (merchants) need to focus on dynamic friction,” said Lee. “The concept means having the ability to apply the right friction to right person at the right time.”
The team at Sift describes it as the optimal application of friction to user journeys based on behavioural and situational attributes, applying it to the right person at the right time.
Many companies have this airport security approach where everybody has to go to two-factor authentication (2FA), enter CAPTCHA etc.
“Honestly that’s a terrible experience because 99% plus of consumers on a platform tend to be legitimate. They just want to move from A to B (or shop legitimately with any retailer),” said Lee.
So how to apply dynamic friction and what sort of signals can be used? Since there is so much of data from customers via the app usage, device usage etc. there is a need to use behavioural fiction or behavioural dynamics looking at the signals to identify normal behaviour for an authentic shopper on an app or an online platform. And then being in a position to spot an anomaly where certain behaviour doesn’t seem to be normal. Then only there is a need to introduce certain friction or additional check in the shopping process.
For example, looking at a certain security measures for a particular fraud, MFA is deemed to be an astute way of shielding user accounts, since hackers or fraudsters don’t often have access to the additional factor required to authenticate. But merchants fear that the introduction of MFA would cause friction. The way to go forward then is to capitalize on dynamic friction, because the judicious use of this authentication method doesn’t disturb the experience of authentic users and only those go through the MFA that fall in the category of risky users.
Also, the specialists ensure that as a shopper moves from the discovery process to the completion of the transaction, all interactions are assessed for risk. In case a risk touches a given threshold, extra verification comes it play. If the interactions come across as reliable, that extra authentication is eradicated, providing the shopper a more rationalized experience.
So in case of account takeover protection, the real-time risk evaluation suggests the level of authentication a particular shopper/ consumer should go through. Riskier actions with more red flags trigger MFA, while suitable actions pave way for a smooth interaction.
Dynamic friction in the travel sector
The application of dynamic friction in the travel sector, especially among airlines, is poor at this juncture, said Lee.
What tends to happen is that there are lots of legacy systems and rules in place to stop illegitimate shopping from happening. But 100% rules-based fraud prevention isn’t proving to be an ideal solution today. It’s not dynamic enough, it’s not fluid enough, said Lee. All of this is important since consumer today are very demanding when it comes to what they purchase, when, how and where they purchase. And that’s where machine running has contributed in terms of responding not only to new types of fraud but also to better recognising legitimate shopping behaviour.
Sift recommends an apt blend of risk and revenue decisions:
Ai’s new 2020 conference dates: http://www.airlineinformation.org/upcoming-events2/370-2020-conference-dates.html
4th October, 2109
The aspects that make mobile commerce attractive and convenient for consumers also result in complex hurdles for merchants when it comes to keeping a tab on fraud and authenticating mobile orders.
Fraudsters have been targeting mobile commerce owing to the fact a majority of businesses generally don’t differentiate between mobile and web-based transactions. What it essentially means that merchants need to be spot on with what is relevant for evaluation – rather than considering cellular IP addresses as unique identifiers, watch out for unique identification number associated with such devices; a new Wi-fi network doesn’t necessarily mean that the order is fraudulent etc.
Mobile experience is resulting in a richer set of data, and it is imperative for travel e-commerce players to focus on the right data points to deal with mobile commerce fraud, says Kevin Lee, Trust & Safety Architect, Sift.
Last minute mobile orders or even any conversion from mobile devices needs to be viewed as a testimony of appropriate experience being delivered. More importantly, the risk team or the one that is looking into the acceptance rate, they need to evaluate how that transaction came to be, from which channel and also the related user data, recommends Lee.
In this video, Lee spoke about mobile authentication and ensuring the acceptance rate doesn’t take a beating.
14th September, 2019
Ai Editorial: The behaviour of consumers when they shop via mobile and what makes such devices risky has to be ascertained. It is must to focus on the right data points to keep a tab on fraudulent transactions originating via mobile devices, writes Ai’s Ritesh Gupta
E-commerce players, including ones from the travel sector, are evaluating ways to keep a tab on fraudulent transactions emanating from mobile devices.
It is being acknowledged that merchants must drift away from those data points that aren’t astute pointers in identifying such type of fraud. The behaviour of consumers when they shop via mobile and what makes such devices risky has to be ascertained. When specialists point out that mobile fraud is different from traditional e-commerce fraud, it is owing to the fact that unlike browsing and accessing via a PC, mobile devices result in novel characteristics that obscure the user verification process.
Security measures for a mobile device
E-commerce players must dwell on ways to validate and authorize a purchase as quickly as possible.
For this, there has to be a mechanism for real-time mobile device detection and the journey for mobile orders. All of this isn’t easy. As Riskified points out, the aspects that make mobile commerce attractive and convenient for consumers also result in complex hurdles for merchants when it comes to keeping a tab and authentication mobile orders. Citing an example, the fraud prevention specialist shared that its team ended up unearthing a major botnet fraud ring by evaluating data garnered from consumers’ interaction with merchants’ e-commerce sites and mobile apps. For this, the team delved deep into the journey, starting from whether the order was placed on a mobile device or elsewhere. The team further explained: If mobile, note what type of device — was it an Android device or an iPhone? From here on, assess the starting point for mobile-related orders. Did the shopping originate on a PC and eventually finished the transaction via a mobile device? And was it via a mobile site or an app? Or did the shopper finish it via a traditional site only? If checkout was on a mobile device, it’s vital to identify whether the shopper was accessing the site through a mobile web browser, or the mobile app. By following these steps, a travel retailer can effectively spot the origin, and then plan and executive precise safety measures to combat fraud.
Riskified also asserts that merchants “need to discern what is relevant for analysis”. The team refers to few crucial areas:
It all boils to verification of the legitimacy of the user, but considering the usage of today’s devices for shopping and the tricks of fraudsters, merchants need to evolve as well.
For Ai’s upcoming events: click here
9th September, 2019
The travel industry at large isn’t ready for the implementation of Strong Customer Authentication (SCA), required for all online transactions in Europe from 14 September 2019.
A study initiated by Amadeus has indicated that only one in three travel merchants are expected to be SCA-ready by the deadline. The report featured 50 large travel firms (€1billion+ revenue).
Merchants will have to adapt to SCA, which aims to increase payment security and protect sensitive consumer payment data. The preparedness of the travel e-commerce sector in dealing with the anticipated negative impact is being assessed since SCA poses risks for travel merchants, not to mention implementation challenges. This requirement is being introduced as part of the second Payment Services Directive (PSD2).
A couple of issues that have been highlighted in Amadeus’ report, ‘Strong Customer Authentication in travel payments: preparing for two-factor authentication’ are:
The SCA requirements are going to impact the speed of consumer transactions and the number of steps to be completed when paying. One of the major concerns has been the inclusion of additional authentication into the checkout flow, since it introduces an extra step that can add friction and increase customer drop-off.
If one considers the growing prowess of mobile devices for shopping in general, it means that there could be even larger customer drop-off. So is the impact of SCA likely to be even higher on mobile devices?
“…requiring travellers to undergo additional checks, such as providing a one-time passcode sent to their mobile device, introduces some friction to the digital experience. This may sound like a small price to pay but our research shows the industry expects this additional friction to increase abandonment rates by 10-20%,” mentioned Jean-Christophe Lacour, Head of Merchant Services, Payments, Amadeus. The company expects any drop in abandonment rates to be a short-lived phenomenon as travellers get accustomed to the new steps needed, which they’re actually already performing for mobile banking for example.
Much to the relief of the industry, many local regulators across Europe have introduced a grace period for SCA compliance for e-commerce transactions over recent weeks.
According to the report: “…with 65% of airlines and agents expecting SCA to negatively impact sales, how travel companies prepare has implications for the bottom line. There are steps firms can take to mitigate the impact of SCA, with 70% of respondents to our research intending to work with their acquirer and payments partners to apply the various exemptions provided for within the regulation and more than half signalling a move to the latest authentication technology (3D Secure 2.X).”
Specialists recommend that merchants should use exemptions where possible.
Also, by using fingerprints or facial recognition, one can combat fraud while also increasing convenience for consumers.
Amadeus surveyed payments leaders from 50 large travel merchants regarding their approach to achieving SCA readiness. The majority of responding organizations generate more than €1 billion in annual revenue with respondents drawn from airlines (60%) travel sellers (30%) and hotels (10%). The survey was carried out in August 2019 with industry conference and media company ‘Airline Information’ providing support with respondent recruitment.
26th August, 2019
Airlines need to proactively monitor their loyal shoppers’ membership accounts since the problem of loyalty fraud is on the rise. If on one hand airlines are offering more earning and redemption choices than ever, it also means that the overall loyalty earning and burning lifecycle has opened new avenues for fraud.
“From a loyalty fraud standpoint, there is a lot of demand (for stolen loyalty currency among the fraudsters or in a marketplace on the dark web),” says Kevin Lee, Trust & Safety Architect, Sift.
This is because over a period of time, prices for such items (stolen credentials, miles, points etc.) even though they fluctuate a bit still they are going up in value. Data breaches are a big issue, and a lot of sensitive information is being sold.
There is a motivated seller out there plus there is a motivated buyer there too to cash in on the stuff, said Lee, who added that airlines or the originators of miles or the loyalty currency tend to suffer a lot in such cases.
A risk-averse mindset for controlling fraud, be it for fraudulent transactions or loyalty fraud, is commonly associated with rule-based systems. Machine learning technologies are emerging as an astute option to secure accounts. The efficacy of machine learning, especially real-time machine learning, can be explored for account protection. Rely on both supervised and unsupervised machine learning to comprehend both the historical patterns of use, as well as identify anomalies.
It is vital to keep a vigil on accounts for anomalies to effectively notice the behavior of genuine and fraudulent customers. Airlines should analyze user behavior throughout the entire journey- including account creation and login, any account activity and also at the point of transaction such as redemption of points.
15th August, 2019
It is imperative for travel e-commerce companies to be ready for bots, emulators, malware etc. and be precise with their fraud prevention plan.
As a specialist in behavioral biometrics, SecuredTouch asserts that the days of static biometric techniques are numbered. Rather merchants now need to dwell upon continuous authentication that features device intelligence, behavioral anomalies. All of this becomes even more important as mobile-related fraud is on the rise, and the behaviour of consumers when they shop via mobile and what makes such devices risky needs to be ascertained.
Going deeper into the complexity of the mobile commerce fraud, it needs to be understood that there might be one actor in the whole chain, says Lewis Duker, SecuredTouch. “It could be that one fraudster is testing the credentials, and another one monetizing the credentials,” he says. Referring to the threat of bots, he said the malicious activity needs to be trapped as it is happening.
In this context, the limitations of static fraud detection methodology via CAPTCHAs, blocking known hosting providers and proxy services or static biometrics are coming to the fore.
It all boils to verification of the legitimacy of the user, but considering the usage of today’s devices for shopping and the tricks of fraudsters, merchants need to evolve as well.
Hear from senior executives about mobile commerce fraud at the 8th Annual ATPS Asia-Pacific to be held in Penang, Malaysia (27-29 August, 2019).
12th August, 2019
Ai Editorial: In an era where anything around personal information handling practices is being given a priority, the future plans for Libra are being probed, writes Ai’s Ritesh Gupta
It was in the second quarter of this year when Mark Zuckerberg reportedly mentioned: transferring money online needs to be as simple as sending photos.
Ever since the related news i. e. the launch of Libra has emerged, it has created uproar for sure.
Politicians, regulators, data privacy specialists…the list is a long one, but they all have shared concerns or asked for a deeper probe into the plans behind Libra. For the record, Libra isn’t Facebook's cryptocurrency. It is an initiative of The Libra Association. It is an independent, not-for-profit membership organization, headquartered in Geneva, Switzerland.
For its part, Facebook, a founding member of the Libra Association, also announced the creation of its subsidiary, Calibra, which would participate in the Libra Blockchain.
The association has underlined that its goal is to pave way for a “simple global currency and financial infrastructure that empowers billions of people”.
Libra is made up of three parts that will work together to create a more inclusive financial system:
Room for a new, secure and trusted framework
Highlighting the issues faced by consumers, Libra Association says people with less money pay more for financial services. Hard-earned income is eroded by fees, from remittances and wire costs to overdraft and ATM charges, it adds. The association states that blockchains and cryptocurrencies “have a number of unique properties that can potentially address some of the problems of accessibility and trustworthiness. These include distributed governance, which ensures that no single entity controls the network; open access, which allows anybody with an Internet connection to participate; and security through cryptography, which protects the integrity of funds".
Acknowledging that the current blockchain systems have yet to reach mainstream adoption, it explains that mass-market usage of existing blockchains and cryptocurrencies has been hindered by their volatility and lack of scalability, which have, so far, made them poor stores of value and mediums of exchange. “Some projects have also aimed to disrupt the existing system and bypass regulation as opposed to innovating on compliance and regulatory fronts to improve the effectiveness of anti-money laundering. We believe that collaborating and innovating with the financial sector, including regulators and experts across a variety of industries, is the only way to ensure that a sustainable, secure and trusted framework underpins this new system. And this approach can deliver a giant leap forward toward a lower-cost, more accessible, more connected global financial system,” it adds.
Facebook is just one partner in this global payments system.
Some of the members that are behind the initial stages include: Mastercard, PayPal, Stripe, Visa, Booking Holdings, eBay, Facebook/ Calibra, Vodafone Group, Anchorage, Bison Trails, Coinbase etc. In addition to these, there are firms (venture capital firms, and non-profit and multilateral organizations, and academic institutions).
Media reports and news clips featuring established media organizations have indicated that the going hasn’t been easy for Libra over the past two months. Questions that have emerged are:
Some of the issues were jointly raised by the representatives of the global community of data protection and privacy enforcement authorities, collectively responsible for promoting the privacy of earlier this month. The list included Information Commissioner United Kingdom, Commissioner of the Federal Trade Commission USA, Privacy Commissioner Canada among the others.
A report by bbc.com has indicated that Facebook “would need to apply for a licence in any country where it wants to offer Libra as a payment tool”. It would be on the company to ensure that there is a provision to “stop money laundering, and the financing of terrorism…”
Hear from senior executives about the blockchain technology at the 8th Annual ATPS Asia-Pacific to be held in Penang, Malaysia (27-29 August, 2019).
1st August, 2019
A report released by the Emerging Payments Association has highlighted that the implementation of Strong Customer Authentication is a cause of concern at this juncture.
The purpose of the new Strong Customer Authentication (SCA) rules is to make online payment more secure and to cut down the risk of fraud. Even as the readiness for the same is being assessed, a report has highlighted that 75% of issuers said they would be ready by the 14th September deadline, from a compliance standpoint, but that they would not be operationally ready. New requirements for authenticating online payments will be introduced in Europe as part of the second Payment Services Directive (PSD2).
The PSD2 Regulatory Technical Standards (RTS) specify these SCA requirements. SCA is based on the use of two or more of the following elements: knowledge (something only the user knows); possession (something only the user possesses); and inherence (something the user is).
The report, released by Emerging Payments Association (EPA) and Chargebacks911, features companies that issue over 107 million cards (comprising 61% of all cards issued in the UK). It is being recommended that more time is required. The enforcement of SCA at this pace is “likely to be extremely high and painful”. Rather, a managed rollout is needed.
Some of the key findings:
In an interview in April with Ai, Laurie Gablehouse, Global Head of Travel Solutions, Ingenico ePayments, did mention that it is a challenging phase for the entire payment ecosystem. Laurie pointed out that the standards are still evolving, with grasp over “80% - 90% of what needs to happen”. “(So) the timing is quite late from a technical perspective for everybody to be ready by September.”
A major development in the recent past featured the European Banking Authority (EBA) as it published an opinion on the elements of SCA and accepted authentication in June. The report acknowledged the same, and shared that considering the recent EBA ruling on compliant SCA elements issuers are required to accelerate their support for biometrics merchants are advised to implement 3DS v2.1 now and then migrate to v2.2 once solutions are fully tested and available.
In its list of recommendations, the report emphasised that 3DS technology must be implemented as a priority. Rather than being bogged down by feeble v1.0 implementations, gear up for v2.2 as early as possible with v2.1 as a practical interim step. A couple of other suggestions:
Hear from senior executives about how the regulatory environment is impacting the world of payments at the 8th Annual ATPS Asia-Pacific to be held in Penang, Malaysia (27-29 August, 2019).
29th July, 2019
Ai Editorial: The role of new technologies in the world of payments can’t be undermined but that’s not enough. In its new analysis, WorldPay has stressed upon the significance of having the right organizational mindset.
Travel merchants can’t afford to slip at a time when a customer is about to pay for their order. All that matters is the way a traveller wishes to pay – their preferred payment method, preferably not letting them fill any details on the device they are using etc.
A Chinese customer is likely to opt for scanning a QR Code and deduction of the final payment from their app, whereas an Indian might opt to pay via Google Pay or Paytm mobile wallet considering the increasing popularity of such options. Facilitating such transactions today is imperative and merchants need to keep pace or even gear up for the future. But it is clear that intricacies of applications and systems within payments continue to rise, mainly owing to use of alternate payment methods such as wallets and mobile commerce. So there is a need to put in a mechanism in place that not only streamlines back office and customer support processes, but also paves way for a smooth addition for any new payment method in the future.
The role of new technologies can’t be undermined but that’s not enough.
In its new analysis, WorldPay has stressed upon the significance of having the right organizational mindset.
This is required for making the most of following technologies:
2. Test-driven infrastructure (TDI) - the developer creates tests before writing code
3. Event-driven architecture (EDA) - a producer-consumer model, where an event producer broadcasts a message that one or more event consumers capture
4. Hypermedia APIs - a sophisticated style of REST API (Representational State Transfer Application Programming Interface) that can simplify client integrations and improve resilience to change.
WorldPay has explained the benefits of these technologies and also what is required internally to leverage them.
For instance, in case when one is focusing on the microservices model to amend and modernize particular services without affecting the rest of the system, it is vital that to have an apt team structure is in place. This model can result in an increment in complexity of day-today tasks, such as operations and security. Organizations have to do away with conventional monolithic-related ways and related control that they are used to for software development. Rather companies have to get ready for an environment that revolves around a sense of ownership and accountability from product engineering teams. The philosophy here is: to garner greater value from software to adopt the fail and learn fast attitude, quicker product cycles based on constant feedback from customers. And, this also means that certain tough questions are asked, for e. g. who owns the data in a microservices architecture—the database team or the application team? Teams must be structured and managed in a way that enables them to own what they’re responsible for, end to end.
WorldPay recommends a vigilant balance of autonomy and collaboration, with ongoing coordination and
monitoring from organizational leads. The study states: This balancing act starts with a shared understanding of some non-negotiable principles that act as a compass for ways of working. It continues with cross-team
discussions about product vision, design standards, and ways to improve, for example. It also means sharing specific decisions, solutions, and components. This requires time and investment but the return on investment is worth it. Ultimately, a smart organization will find ways to delegate as much decision-making as possible to smaller teams. But a truly successful one ensures teams work together coherently so their collective output is greater than the sum of its parts.
Another technology, Hypermedia, in its most basic sense is an extension of hypertext. Explaining the significance of the same, WorldPay points out that Hypermedia simplifies integrations between companies and provides a much more stable service than that offered by other REST APIs. Hypermedia includes images, video, audio, text, and links. In a REST API, it means API manages to operate similarly to a webpage, offering users with direction on what sort of content they can retrieve, or what they can do, as well as the apt links for the same. As MuleSoft explains, the simplest method to take advantage of hypermedia in API is to offer valuable information to direct the user or client to the next possible actions they can take based on the object (whether it be a collection, or item within the resource) or “page” they are on via links.
For mCommerce, hypermedia APIs allow merchants to conduct identity and risk checks with ease.
WorldPay highlighted that today’s mainstream API documentation and design approaches need to focus on their connectedness as a key part of the API and resource design process.
As explained by Kevin O’Shaughnessy, CityHook, during a workshop conducted by Ai in Long Beach, California late last year:
WorldPay recommends that organizations need to design hypermedia APIs with a UX mindset. The study states: We often only think of UX in terms of the consumer experience. However, hypermedia APIs make integrating with complex payment services a simple, stable, and intuitive process for merchant developers. Enhancing the UX for developers has knock-on benefits for customers, including faster access to up-to-date payment services like new APMs. Overall, if APIs are designed with developers in mind from the outset, it’s possible to create a web of functionality that results in a more powerful, more efficient, and more useful service for all.
Hear from senior executives about the role of tech and organizational mindset in optimizing payments at the 8th Annual ATPS Asia-Pacific to be held in Penang, Malaysia (27-29 August, 2019).
19th July, 2019
Ai Editorial: How travellers transact has changed, and merchants can't ignore the role of e-Wallets and bank transfers while deciding on their payment acceptance mix, writes Ai's Ritesh Gupta.
Alternative ways to pay for travel, such as e-Wallets and bank transfers, are being used more often than cards and cash combined, according to a new report released by Amadeus and PPRO. This growth is occurring across the world with e-Wallets now twice as popular as cards in China, accounting for 49% of the country’s $155B digital travel spend.
Merchants like airlines, especially those operating in multiple countries, are looking at alternative payment methods because of several reasons:
In this context, digital wallets have become popular owing to the fact users can avail preloaded credentials and this fastens the online checkout experience. And China has stood out for the usage, since payment is one part of an app. What makes an app like WeChat more compelling than just invisible payments or scanning QR Codes for completing a payment is the fact an ecosystem manages transactions along with ID management and many other aspects holistically.
Companies like Union Pay, Alibaba and Tencent chose to capitalize on the fact that the card usage wasn't as penetrative as one would expect in a populous market like China, so they came up with a payment method that proved to be convenient and ubiquitous. It was available to anyone with a mobile phone or an Internet connection. It was also driven by necessity, since Chinese travellers moving outside their country needed to have an alternative to using a standard credit card. "That is total freedom for the Chinese traveller as they no longer have to rely on cash as their only form of payment while abroad," pointed out Eric Liebman, Global Head of Travel, Ingenico ePayments.
What works in favour of these payment methods is reduced friction. In today's world of instant gratification, as acknowledged by Ingenico ePayments, travellers "demand things now". "...customers want to be able to pay without any friction and with the method they prefer. They don’t want us dictating how they pay, it’s the other way around. That means things like Amazon Alexa, Apple’s Siri, e-wallets or even Uber-like experiences where experience is key, but payments are invisible," mentioned Liebman in a blog post.
Plus, for a merchant, one factor that goes in the favour of this form of payment is seamless convenience and built-in security. Encryption, tokenisation, and device authentication result in additional security.
"Ubiquity is one of the main key takeaways from Chinese companies. Chinese users are at a point where they are using their mobile wallet for anything. Alipay and WeChat Pay are present in online and offline stores alike, in use in China, and outside. It is an ‘all-in-one’ payment transforming solution, showing non-Chinese companies where innovation and an intimate consumer-knowledge can take them," says Rodrigo Sánchez Prandi, VP Product at payments technology specialist dLocal. "Simplicity will go a long way and it will always attract users. If you give your users ease-of-use by adding their preferred payment method, such as paying with one click, one tap, or even one smile, you are a step ahead in today’s payments’ world."
China leading the charge
According to WorldPay, this growth in China along with a surge of adoption in North America will propel eWallets to become the leading eCommerce payment method globally within five years.
With a validated business model, Chinese technology companies are taking their expertise to other markets as well. As indicated by Amadeus' report, Ant Financial, the owner of Alipay, is currently expanding beyond China. The company now has interests in Dana in Indonesia, Asceno in Thailand, Pi Pay in Cambodia, and Mynt in the Philippines, among others. It is expected that in these regions, accelerated transformation in payments will occur as a consequence, stated the report.
Hear from senior executives about eWallets in China and other Asian markets at the 8th Annual ATPS Asia-Pacific to be held in Penang, Malaysia (27-29 August, 2019).