Ai Editorial: Key to managing co-brands - interchange fees and mobile payments

First Published on 22nd June, 2017


Ai Editorial: It is imperative for the industry to assess how to manage co-brands in a challenging environment of regulated interchange and the evolution of card-free mobile payments, writes Madeleine Anderson.

I recently had the pleasure of moderating a panel populated by some esteemed co-brand credit card industry experts at the Ai Co-brand Conference in Atlanta. 

Over recent years, interchange fees have become an increasingly controversial issue in the US, as a result of regulatory changes and antitrust investigations. The Durbin Amendment to the Dodd-Frank Wall Street Reform and Consumer Protection Act was implemented in 2011, capping debit card interchange fees for larger banks at 22 cents + 0.05%.  Credit card interchange is not covered by this ruling. 

Credit card interchange fees in the United States currently average approximately 2% of the transaction value. This is amongst the highest in the world. By contrast, in the European Union, fees are capped at 0.3% of the transaction value for credit cards and at 0.2% for debit cards. (This cap does not apply to corporate cards.)

Our initial discussion was around whether the panel anticipated any changes to regulated interchange within the credit card industry in the foreseeable future.  The response from the panel (and the audience) was a resounding no.  During his campaign, President Trump frequently stated that he has plans for regulatory financial reforms, including dismantling the Dodd-Frank Act.  The general consensus therefore was that the Trump administration is unlikely to introduce reforms around credit card interchange fees.

It would be remiss of us to focus purely on plastic.  We are gradually approaching the day when tapping your mobile phone or smartwatch on a retail terminal will replace the need to remove your credit card from your wallet. Whilst the threat to interchange is unlikely to come from regulation initially, it is highly likely that disruption will come from other sources:

1.     Large merchants’ ability to negotiate fees 

According to CMS Payment Intelligence, merchants have saved more than $8 billion annually as a result of the Durbin Amendment (excluding the effects of subsequent network fee increases and processor absorption of savings).  In addition, the legislation has provided merchants with a framework with which to reduce credit card interchange fees.

Merchant groups claim that interchange fees are much higher than necessary.  Whilst technology and overall efficiency improvements have been made, this has not led to a reduction of interchange fees.  Issuing banks have responded by suggesting that reduced interchange fees would result in increased costs for cardholders, and a potential loss of rewards on cards already issued.  In the co-brand world, interchange fees are frequently used to fund rewards.

Whilst significantly lower interchange fees have been implemented in other countries, such as Australia, savings enjoyed by merchants have not been passed through to consumers.  In Europe, this has resulted in rewards programmes closing down, or benefits being reduced.  

2.     Mobile wallets

The 5th Annual MasterCard Digital Payments Study found that digital wallets were mentioned in 75% of tracked conversations had by social media users regarding new payment methods.  Whilst awareness is high, mobile payment usage remains relatively low at present (about 1% of total retail sales in the US in 2016).

Barriers to usage include consumers' continued loyalty to traditional payment methods and patchy acceptance among merchants.  Consumers would like to both store their loyalty cards on their wallet and use their phone to make payments.   As loyalty programmes are integrated and more consumers rely on their mobile wallets for other features like in-app payments, adoption and usage are likely to grow.  Android Pay, Apple Pay and Samsung Pay  support loyalty card integration in their mobile wallets, but many major retailers appear to be resistant to loyalty and/or payments integration, to boost adoption of their own wallets.

3.     Emerging technologies

The study also highlighted that consumers are thinking about what comes after mobile wallets. Amongst emerging technologies, the use of wearables for payments attracted the highest amount of interest on social media, followed by the Internet of Things (IoT) and smart assistants (digital assistants such as Amazon’s Alexa, chatbots such as Facebook Messenger’s).

The panel believed that co-brand objectives are unlikely to change fundamentally, in light of any reduction in interchange fees.  What is likely to change is the blend of revenue streams, how customer benefits are funded, the introduction of new revenue streams and cost reductions.

Consumers have generally ended up worse off in other markets.  Costs have tended to shift from retailers to customers instead of card partners choosing to innovate. 

So, what might we expect to see in the future?  Amongst other things:

·       Changes to financial models for co-brands

·       Revenue streams from new sources/partners

·       New/alternative payment methods replacing plastic, with revenue flows coming from monetizing data

·       Increased focus on cost reduction – funding, servicing, bad debt and fraud costs

·       Security developments to overcome barriers to end-user adoption of emerging technologies, including biometric authentication and tokenization

Be complacent at your peril!

Ai Editorial: What is being done to avoid stealing of payment card data?

First Published on 19th June, 2017

Ai Editorial: Protection of payment card data is becoming a vital issue as businesses across various sectors, including travel, are facing such attacks, writes Ai’s Ritesh Gupta


How safe are you when you make payment at the airport? Is the credit card payment in a common-use environment at airports sturdy enough to avoid a breach as of today? Are airlines being guarded against the dreadful point-of-sale-based malware?

These are critical questions that airlines and other stakeholders in the travel sector need to delve into. The pace with which credit card-related data breaches are taking place and what is being done to curb the same is one intriguing race to watch out for in the world of payments, security and fraud. Hackers, fraudsters etc. need to be stopped and the damage needs to be minimized, as the malice of data breaches is everywhere, across various sectors.

In a recent post on its blog, cyber security specialist Foregenix, referring to the risk associated with credit card details, mentioned that the average time it takes to discover such an attack or violation is around six months. Considering the impact of fines, such as Visa imposing payment of up to 18€ per customer card lost, waging a battle against breaches can be an arduous task.

Breaches all around

A major mishap is related to point-of-sale based malware.

It has resulted in the largest number of credit card-related breaches. In the last few weeks alone, there have been several reports of such breaches: US-based retailer Buckle has been in the news for being a victim of a security incident in which a criminal entity accessed some guest credit card information following purchases at some of its retail stores. The company’s store payment data systems were infected with a form of malicious code. The company acknowledged that certain credit card numbers might have been compromised. In late May, Chipotle Mexican Grill identified the operation of malware designed to access payment card data from cards used on point-of-sale devices at certain restaurants. According to the company, the malware searched for track data read from the magnetic stripe of a payment card as it was being routed through the POS device.

Earlier this year, InterContinental Hotels Group also acknowledged a case of malware searching for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card. It was being routed through the affected hotel server.

These cases can drag on for years, and result in a hefty fine. Recently, Target was involved in a settlement worth $18.5 million related to a data breach in 2013.

Stringent measures

Travel companies have to ensure that the cardholder data remains encrypted at all times and at every “hop” across the electronic transaction.

According to specialists, such malicious code is generally installed via attacks on remote administration tools. Once the malware comes into action, hackers or fraudsters can remotely gather important details from each card swiped at that cash register. The stolen data is then sold to those who can encode it.

Airlines, airports and associated stakeholders are moving forward, facilitating commerce as well as putting measures in place.

A major highlight is the use of point-to-point encryption to protect customer data.

This technology is designed to ensure that account data can’t be accessed illegally or by suspicious parties. The payment card data is encrypted at the point of acceptance and is said to remain safe, even if stolen, until it reaches its intended destination. Also, it can streamline compliance with PCI DSS requirements for airlines and airports by cutting down on the items that need to be addressed during a PCI security assessment.

Overall, encryption technology for chip, magnetic stripe and contactless card payment transactions is thoroughly tested to curtail the possibility of any breach.

All of this becomes important as airlines tend to accept payments at airports via a shared IT infrastructure.

There is also a need to look into developments such as the General Data Protection Regulation.

New developments

As for airlines, security, based on the latest industry standards and technology, is only one aspect of the whole initiative that needs to be taken. For instance, making it convenient for customers to buy any ancillary offering is a revenue-generation opportunity. This has remained a challenge for airlines since check-in desks are shared and cannot adjust to certain payment needs of multiple airlines and ground handlers. If we look at the infrastructure at the airport, airlines can end up accepting payments at common-use check-in desks, kiosks and bag drop areas for baggage fees, upgrades and other ancillary charges. Plus, airlines also seek better control over the process, which generally entails multiple stakeholders when one transaction is completed.

The industry is moving in the right direction going by two of the latest developments in the last month.

Recently, SITA came up with an offering featuring point-to-point encryption technology, with EMV and PCI compliant chip card payment terminals, applications and processes. With this solution, as SITA says, there is provision for several merchants to use the same terminal. The PCI compliance certification requires an end-to-end security review by each airline of its own full payment process.

Lufthansa Group, in conjunction with Amadeus and Ingenico, worked on a new option to allow passengers to pay for ancillary services with chip-cards (credit/debit cards), compatible digital wallets etc. at the check-in counter.   According to Amadeus, “airlines and ground handlers can now reach any passenger with an EMV chip card or an EMV-compliant mobile wallet in any airport worldwide, regardless of the check-in infrastructure”.

Other than being compatible with security standards, the new offering, Amadeus Airport Pay, that Lufthansa is using also gives the group control over its payment infrastructure. 

These are all positive developments that would ensure passengers can transact in a much safer environment, plus they are also being given the flexibility of buying a travel-related offering within the airport environment.


Discuss and learn about emerging developments at the upcoming 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali this year (29 – 31 August, 2017).

Follow Ai on Twitter: @Ai_Connects_Us




Ai Editorial: Paying via click, tap or touch is fine, but what about chargebacks?

First Published on 6th June, 2017

Ai Editorial: Completing a transaction via wearable devices or relying on biometric authentication for shopping is exciting. But airlines need to dig deeper to assess potential issues, writes Ai’s Ritesh Gupta


New technology, emerging ways to transact, biometric data for authentication…all of this is exciting indeed.

Say you are at the airport: your wearable device guides you to your gate, and a transaction can be done via an app or a platform featuring chatbots. In a way, you are about to embrace a 100% self-service passenger journey. This simplifies travel, and the traveller is in more control than ever.

But it isn’t a straightforward process for airlines, as new technology or even payment methods need to be incorporated into their existing infrastructure.

Here is what airlines need to consider to avoid potential issues related to poor customer experience and chargebacks:

One mistake and a chargeback is a possibility: The adoption of wearable devices or the use of biometric technology like fingerprint scanning and facial recognition can’t be ignored. Speed and convenience are definitely major plus points. These developments have already shown signs of becoming a norm. Companies like Mastercard are counting on biometrics like fingerprints or facial recognition to verify a cardholder’s identity, simplifying online shopping. The digital check identifies users using unique individual characteristics, like fingerprint or face. Of course, when there is no need to remember a password, the chances of a conversion go up as the digital checkout experience speeds up. According to Juniper Research, the number of OEM-Pay contactless users, including Apple Pay, Samsung Pay, and Android Pay, will exceed 100 million for the first time during the first six months of this year, before crossing 150 million by the end of 2017.


So keeping pace with such developments is a must for any travel e-commerce brand. But it shouldn’t be forgotten that the chargeback process is old-fashioned. It is vital to assess how to keep pace with disruption in payments. If there is a claim for a chargeback and airlines attempt to dispute it, then what issuers will accept as convincing proof needs to be ascertained.

According to Monica Eaton-Cardone, co-founder and COO of Chargebacks911, and the CIO of its parent company, Global Risk Technologies, referring to wearable payments, networks will not have considered the different types of data that will be associated with these technologies and, therefore, will not recognize valuable information as valid forms of evidence.

In a way, card network regulations are stuck in the past, and haven’t made any significant progress.

“It will be years until the data associated with these wearable devices will be recognized by the card networks, leaving merchants liable for billions in losses from undisputable, illegitimate chargebacks,” Monica mentioned. Even in the case of biometrics, she underlines that it can be identified that a cardholder “almost definitely authorized a transaction, but if the card network won’t accept biometric data as proof, that information is of no use.” She points out that biometric approval is part of a coherent antifraud plan, not an answer on its own.

Even Visa last year acknowledged that one of the challenges for biometrics is scenarios in which it is the only form of authentication.

“Biometrics could result in a false positive or false negative because, unlike a PIN which is entered either correctly or incorrectly, biometrics are not a binary measurement but are based on the probability of a match. Biometrics work best when linked to other factors, such as the device, geolocation technologies or with an additional authentication method,” stated Visa.

Monica is certain that in the absence of a flexible infrastructure that can facilitate options such as wearable payments, the problem of chargebacks will only swell.

Also, payments via chatbots (say on Facebook Messenger) can be integrated in a simple way. Brands need to make the most of such interactions, considering the popularity of messaging apps.

But the team at Chargebacks911 also cautions against poor execution of chatbots: if they aren’t proficiently managed, there can be user frustration and more chargebacks.

Being aware of new avenues for fraud: A major hurdle with emerging technologies lies in evaluating how they will be implemented and what the response will be.

Visa does recommend that new forms of authentication must reach a balance between speed and security.

Specialists recommend that making judicious use of “friction” during the booking flow or checkout isn’t a bad option.

So friction can result in careful consideration of the booking process. If a shopper doesn’t take that fraction of a second to be in control of the situation, it can result in a purchase they weren’t completely sure of, or they may even complete a transaction without thinking it through properly.

Do remember that unauthorized transactions by family members are one of the primary causes of chargebacks.

As for being realistic with 3DS 2.0, Chargebacks911 cautions that this new development is an effective tool for targeting criminal fraud, but it has little impact on friendly fraud, which is ultimately responsible for most chargebacks.

Being prepared

Airlines, as merchants, can't do away with the need to go for multiple layers of technology such as tokenization, biometrics etc. to protect each and every transaction.

Yes, as much as digital payments strategy is going to revolve around choice, there is also a need to ensure the same meets not only a shopper’s preferences, but also ends up meeting issuer and merchant’s needs, too.



Ai Editorial: 3 ways airlines can sharpen their crusade against loyalty fraud

First Published on 18th May, 2017

Ai Editorial: Awareness among loyalty program members, avoiding data breach and fraudulent loyalty transactions, and being a part of a strong merchant community can bring down the risk of loyalty fraud, writes Ai’s Ritesh Gupta


Airlines need to assiduously take initiatives on several fronts in order to safeguard their loyalty programs. The threat of loyalty fraud can’t be ignored as a fraudulent activity via use of miles would denote a write-off on the balance sheet. This eventually affects margins. So airlines must assess their defence against loyalty fraud. 

It is time airlines comprehend how loyalty fraud can involve customers, employees, travel agents and partners, and what can result in data breaches, malware etc., and accordingly train relevant teams and find ways to forge reliability and security across the organization. Recent research by Ai revealed that 72% of airline loyalty programs have an issue with fraud. Additionally, 30% of airline programs reported the problem was growing rapidly year-on-year. However, surprisingly, 10% of airline loyalty programs didn’t know if they had a fraud problem or didn't know that it was possible for loyalty fraud to occur.

In one of Ai’s conferences, it was highlighted that airlines can be attacked from unexpected quarters.

Take, for instance, the case of “registered users fraud”. It was highlighted that a registered user is commonly considered to be a “loyal” or “positive” user. But it is time to revisit such a notion. Why? As one of the speakers stated, “Because a registered user after an account takeover and without identifying it, could be the most dangerous account in an airline’s user base. The fraudster could use this account to steal any personal details and book via methods with lower friction and probably less fraud analysis. How many of you are checking your registered users?”


There are 3 areas airlines can focus on to combat loyalty fraud:

1.     Creating awareness among loyalty program members: Members need to know how to protect their loyalty accounts. This is even more critical today as the loyalty earning and burning lifecycle has opened new avenues for fraud. Of utmost importance is the realization that loyalty programs are being hacked, and what can be done to avoid this. Do members of a frequent flyer program treat their respective loyalty accounts as credit card information? This type of fraud is similar to card-not-present fraud. An account can be hacked by capitalizing on weak passwords, stealing of identity etc. So it must be highlighted that if fraudsters gain access to an account, they can seize points/miles and rob loyal members by availing redemption options (the other threat is data breach). As Michael Smith, Managing Partner, Airline Information and Co-Founder, Loyalty Fraud Prevention Association (LFPA), says, passengers (or customers at large) should be wary about which Wi-Fi they are connecting to, and as FFP members they must also be cautious about sharing name and account number. “With those two bits of information, fraudsters just need to guess your password and they are into your account,” he says. Smith asserts that a flyer shouldn’t share or post the picture of a boarding pass, as it features vital information.

Managing passwords isn’t an easy thing to do considering how many accounts all of us manage. But having one simple password for all log-ins can result in the worst nightmare: more than one account getting hacked. When the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on other airlines’ systems, as users seldom differentiate their login credentials.

So airlines need to inform passengers about seemingly simple mistakes that can unknowingly create havoc with FFP accounts.

2.     Taking internal measures to avoid data breach and fraudulent loyalty transactions: As an industry, airlines have made rapid progress in dealing with card-not-present transactions. There is no reason why the same can’t be replicated for loyalty fraud, as the pointers are quite similar. Airlines have to sharpen their real-time decision making and customize it as per their current risk engine and workflow. A lot of organizations are adding multiple layers (of course, not at the expense of the shopping experience), for instance, looking at how intelligence behind the email addresses of customers can yield better results. Accertify, in a blog post, underlined that the email address is being “highly under-utilized” by many companies as a vital tool in an overall risk assessment strategy. Referring to limitations of a device ID or a phone number in the case of global companies, Accertify highlighted that every time an email address is used it leaves a trail of sorts, and this is strong enough to evaluate the level of risk associated with a transaction. As a specialist, Emailage points out that email addresses have the same convention globally: user-name, “@” sign and domain. This makes the email address a perfect data point for robust risk assessment. The way that fraudsters use email addresses falls into patterns that are identifiable based on velocity and structure.

In addition to data from 3rd party sources, the fraud specialists within an airline must be supported to speed up the pace and precision of fraud detection: reduction in manual reviews, how to screen for loyalty fraud, access to real-time custom reports etc. Overall, organizations must gear up to monitor login behavior, account changes and purchase behavior. CyberSource recommends tracking of user account creation and login behavior, as well as screening for fraud at purchase and redemption of points.

3.     Being a part of a strong merchant community: Airlines, as seen in the case of payments fraud, have been a part of a strong merchant community to jointly wage a battle against fraudsters. New organizations and tools are coming up. The Loyalty Fraud Prevention Association, set up last year, is focused on using the experience gained in fighting credit card fraud to deal with loyalty fraud. Also, Perseuss, as the merchant community’s answer to the problem of fraud, has developed Theseuss. This new platform gathers loyalty fraud intelligence, and features an active and collaborative community of loyalty fraud experts using the system. Theseuss would enable the exchange of fraud intelligence and evidence to allow the identification of loyalty fraud patterns. One of the highlights is the use of machine learning algorithms to discover potential fraudulent loyalty transactions.
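
An added example, not code from Accertify, Emailage, CyberSource or any other company named here: a small screen over loyalty account events that applies the signals described in point 2 above (email velocity and structure, and an account change followed by a redemption). The event fields, flag names, thresholds and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def email_stem(address):
    """Structural key for an address: lowercase, drop any +tag, and
    replace a trailing digit run in the user-name with '#'."""
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    local = re.sub(r"\d+$", "#", local)
    return f"{local}@{domain}"


def structure_flags(address):
    """Flags derived from the shape of the user-name part alone."""
    local = address.strip().lower().rpartition("@")[0]
    flags = set()
    if "+" in local:
        flags.add("plus_tag")
    if local and sum(c.isdigit() for c in local) / len(local) >= 0.5:
        flags.add("digit_heavy")
    return flags


def signup_velocity(events, window=timedelta(hours=1), threshold=3):
    """Stems used for >= threshold sign-ups inside any sliding window."""
    by_stem = defaultdict(list)
    for e in events:
        if e["type"] == "signup":
            by_stem[email_stem(e["email"])].append(e["ts"])
    hot = {}
    for stem, times in by_stem.items():
        times.sort()
        start = best = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hot[stem] = best
    return hot


def risky_redemptions(events, cooloff=timedelta(hours=24)):
    """Accounts that redeem points shortly after their email was changed."""
    last_change, flagged = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "email_change":
            last_change[e["account"]] = e["ts"]
        elif e["type"] == "redeem":
            changed = last_change.get(e["account"])
            if changed is not None and e["ts"] - changed <= cooloff:
                flagged.append(e["account"])
    return flagged


def assess(events):
    """Map each suspicious account to the sorted list of reasons it was flagged."""
    reasons = defaultdict(set)
    hot = signup_velocity(events)
    for e in events:
        if e["type"] == "signup" and email_stem(e["email"]) in hot:
            reasons[e["account"]].add("signup_velocity")
        for flag in structure_flags(e["email"]):
            reasons[e["account"]].add(flag)
    for account in risky_redemptions(events):
        reasons[account].add("redeem_after_email_change")
    return {account: sorted(r) for account, r in reasons.items()}


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample events (not real accounts or addresses).
SAMPLE_EVENTS = [
    {"ts": ts("2017-05-01 10:00"), "type": "signup", "account": "A1",
     "email": "milesfan01@example.com"},
    {"ts": ts("2017-05-01 10:05"), "type": "signup", "account": "A2",
     "email": "milesfan02@example.com"},
    {"ts": ts("2017-05-01 10:20"), "type": "signup", "account": "A3",
     "email": "MilesFan03+x@example.com"},
    {"ts": ts("2017-05-01 11:30"), "type": "signup", "account": "B1",
     "email": "j.doe@example.org"},
    {"ts": ts("2017-05-02 09:00"), "type": "email_change", "account": "C7",
     "email": "8841207@example.net"},
    {"ts": ts("2017-05-02 09:40"), "type": "redeem", "account": "C7",
     "email": "8841207@example.net"},
    {"ts": ts("2017-05-03 15:00"), "type": "redeem", "account": "B1",
     "email": "j.doe@example.org"},
]

if __name__ == "__main__":
    for account, why in sorted(assess(SAMPLE_EVENTS).items()):
        print(account, why)
```

Accounts the screen does not mention, such as B1 in the sample, carry none of these signals; a flagged account is a candidate for manual review rather than proof of fraud.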









Press Release: What has Facebook got to do with loyalty fraud?

PRESS RELEASE
Glasgow, 11th May 2017

Your credit card or loyalty account was compromised, Facebook might be the reason, says newly formed Loyalty Fraud Prevention Association.

Compromised credit card accounts, and now more than ever compromised loyalty program accounts, are an ever-growing problem for consumers. Fraudsters hack, breach or otherwise steal accounts and then often sell them online. This may be done in plain sight via Facebook. The Loyalty Fraud Prevention Association (LFPA) calls on Facebook to police this issue to protect consumers. This problem, among others related to loyalty fraud, will be discussed at the LFPA Conference in Atlanta on May 24th and 25th.

Peter Maeder, Secretary of the Loyalty Fraud Prevention Association says: 

“Any quick search for pages in Facebook for stolen credit cards will yield many pages and users selling stolen account data. These fraudsters are now finding loyalty program accounts to be an easier target. Our members, which include some of the largest travel companies in the world, have reported this issue to Facebook, but have had little or no success removing the pages.” 

The result is that loyalty programs and their members are becoming the victims of fraud costing tens of millions of dollars annually. To address the growing phenomenon, the Loyalty Fraud Prevention Association (LFPA) will be gathering executives from loyalty programs from throughout North America and the world in Atlanta on May 24th and 25th, 2017. In addition to acting as an industry to stop Facebook and other social media sites from spurring fraud, issues to be discussed in this conference will include: employee-driven loyalty frauds; bot attacks on loyalty programs; stopping fraud on the Dark Web; and the latest IT solutions that combat loyalty fraud.

More information about the conference can be found at

About the Loyalty Fraud Prevention Association (LFPA)
The Loyalty Fraud Prevention Association was founded in 2016. Its mission is to support the loyalty industry in its fight to reduce and eliminate fraud. Members consist of airlines, hotels, IT providers, financial services companies and others who operate loyalty programs from around the world.

For more information, visit or find us on Linkedin.

LFPA / Press
Christopher Staab
Co-Founder, Loyalty Fraud Prevention Association
+1 305 542 9901


Ai Editorial: Stepping up authorization for digital transactions via 3D Secure 2.0

First Published on 8th May, 2017

Ai Editorial: 3D Secure 2.0 is a data-driven initiative that supports digital payments and features expanded capabilities in terms of security and user experience, writes Ai’s Ritesh Gupta


The experience of searching for a flight and trip essentials can be a laborious one. In an era when travel e-commerce brands are jostling to win “micro-moments”, losing out on a conversion owing to an additional authentication layer at the time of checkout isn’t good news.

We all dread those few extra seconds, or the need to enter a password (which isn’t easy to remember) for a transaction to pass through.

Even for airlines, as merchants, it isn’t easy to verify the authenticity of a transaction as one can pay via a browser, mobile app, or connected device. So being in control of the purchase experience as well as controlling the chargeback level or fraud is always a tricky situation for airlines.

Of course, 3D Secure has been around for a while, but airlines can’t go ahead with a binary view of such payer authentication: implement it across all transactions or don’t implement it at all. Travel e-commerce brands have been diligently looking at ways to choose the authentication type, avoid unnecessary checkout issues, and get better with “liability shift”.

3D Secure 2.0

3D Secure sets up an authentication data link between online merchants, payment networks and financial institutions to assess and share more intelligence about transactions. It has been widely acknowledged that the specification 1.0 was set up for PCs, and there wasn’t enough to deal with friction in the customer experience. A major issue with the traditional approach of 3D Secure today is transactions via mobile. 

Among the latest developments, 3D Secure 2.0 is being termed a potential boost for digital commerce with quick, secure authentication, propelled by robust fraud-related intelligence. It strengthens the quality of real-time predictive risk scoring for both merchants and issuers. The new specification would support app-based authentication, and there would be integration with digital wallets, too.

Early adoption of the new specification is scheduled to begin in the second half of this year.

The two versions will run in parallel at this juncture. So support for both the versions would be critical as adoption rates of the updated specification among card issuers and merchants will vary.

For their part, EMVCo, a company which is collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, introduced specifications for 2.0 in the last quarter of last year.

The industry is gearing up for 3D Secure 2.0. Merchants and issuers are already working on their implementations.

For their part, Visa has stated that in order to ensure issuers and merchants “have time to test, pilot, refine and fully roll out solutions, current Visa rules for merchant-attempted 3-D Secure transactions will extend to 3-D Secure 2.0 beginning April 2019”.  




There are several areas, encompassing the shopping experience, mobile transactions, support for digital payments, cutting down false positives etc. that are being addressed with this new specification.

This new messaging protocol elevates the buying experience by facilitating intelligent risk-oriented decisioning that would result in frictionless authentication. Also, it allows numerous choices for step-up authentication, including one-time passcodes as well as biometrics.

3D Secure 2.0 is a data-driven initiative, which means that passing data earlier offers merchants the ability to decide whether to authenticate a transaction or not. There would be streamlined authentication, based on data elements shared through the protocol. The requirement of having to authenticate via static passwords would be done away with. The data available includes transaction-related information as well as details about the device being used for the transaction. In fact, the 2.0 protocol will make extensive use of device data. This update also comes with the possibility to use token-based and biometric authentication, instead of passwords. So in the future a 3D Secure authentication will take place entirely in-app, with the touch of a finger.

There is a need to ensure a simple integration for additional data fields. The update paves the way for a real-time, safe, information-sharing pipeline through which merchants can pass on transaction attributes that the issuer can use to validate users more precisely without asking for a static password or slowing down the shopping experience. By supporting additional data during transactions, risk-based decisions will be possible on whether to authenticate or not.
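
An added example, not taken from the EMVCo specification or any vendor's code: a sketch of the risk-based decision described above, combined with Visa's remark quoted earlier on this page that a biometric is a probability of a match and works best when linked to other factors. The field names, thresholds, outcome labels and sample scores are assumptions constructed for illustration and are not 3D Secure message fields.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthContext:
    """Hypothetical data elements available to the party making the decision."""
    amount: float
    device_known: bool            # device previously seen for this cardholder
    geo_consistent: bool          # location fits the cardholder's history
    biometric_score: Optional[float] = None  # match probability, if captured


def error_rates(genuine_scores, impostor_scores, threshold):
    """Return (false_reject_rate, false_accept_rate) at a match threshold.

    Unlike a PIN, a biometric comparison yields a score, so any threshold
    trades rejected genuine users against accepted impostors.
    """
    false_rejects = sum(s < threshold for s in genuine_scores)
    false_accepts = sum(s >= threshold for s in impostor_scores)
    return (false_rejects / len(genuine_scores),
            false_accepts / len(impostor_scores))


def decide(ctx, bio_threshold=0.90, high_value=500.0):
    """Return (decision, reason): 'frictionless' or 'step_up'.

    'step_up' stands for an extra challenge such as a one-time passcode.
    """
    supporting = int(ctx.device_known) + int(ctx.geo_consistent)
    bio_ok = (ctx.biometric_score is not None
              and ctx.biometric_score >= bio_threshold)
    if bio_ok and supporting >= 1:
        return ("frictionless", "biometric match backed by another factor")
    if bio_ok:
        return ("step_up", "biometric is the only factor")
    if ctx.biometric_score is not None:
        return ("step_up", "biometric score below threshold")
    if supporting == 2 and ctx.amount < high_value:
        return ("frictionless", "known device and consistent location")
    return ("step_up", "insufficient supporting data")


# Constructed match scores for illustration only.
GENUINE = [0.97, 0.95, 0.93, 0.91, 0.88, 0.84]
IMPOSTOR = [0.20, 0.35, 0.55, 0.62, 0.86, 0.91]

if __name__ == "__main__":
    for threshold in (0.85, 0.90):
        print(threshold, error_rates(GENUINE, IMPOSTOR, threshold))
    print(decide(AuthContext(120.0, True, True, 0.95)))
    print(decide(AuthContext(120.0, False, False, 0.95)))
```

Lowering the threshold from 0.90 to 0.85 on the sample scores halves the false rejects and doubles the false accepts, which is why the sketch never lets a biometric match decide on its own.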

As we highlighted in one of our recent articles, rigidity due to pre-constructed rules can now be combated with data sharing and data intelligence. And the release of 3D Secure 2.0 specifications, too, needs to be followed for the same. One way to ensure the decline rate is relatively lower could be via availability of quality data. Giving issuers a chance to interject themselves into the checkout can improve upon the risk assessment. So what was being done sporadically can be done in a widespread manner i. e. enabling issuers to amend their authorization risk settings and tie the authorization to the authentication. Enriched data flow with stakeholders with a better ability to approve “good” transactions.

The need to come up with 3D Secure 2.0 also grew owing to the prominence of non-browser-based, card-not-present payments used in-app, mobile and digital wallets. So as for mobile-related focus, one of the objectives of the new specification is to make the message interface and authentication flows amenable to mobile platforms.

As highlighted by Adyen, customer pain points are expected to be sorted out. For instance, the authentication will take place within a website’s environment, removing the need for a redirect. Also, importantly, it will feature SDKs that make it possible to set up authorization flows in-app, greatly enhancing the mobile experience.

Specialists have already underlined the significance of an analytics-driven approach to risk-based authentication, and issuers need to gear up for the highest granularity of control over the risk decision featuring advanced analytical methods.


Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Chargebacks a cost of doing business, not an apt assessment

First published on 7th April, 2017

Ai Editorial: A meticulous approach needs to be attempted to target every source of chargeback. The role of data along with human expertise needs to be optimized, writes Ai’s Ritesh Gupta


Fraud threats are constantly changing and expanding. As fraud detection technology evolves, criminals alter their tactics—what worked for them in the past might not work today.

When it comes to fraud and chargeback management, agility is one potent weapon.

Be it for counting on new technology or human expertise or ensuring earning potential isn’t being curbed, airlines, like any merchant, need to be spot on with their moves.  

The consolidated figure for airline chargebacks is estimated to be $1.5 billion on an annual basis. The financial consequences include dealing with fraudulent orders, expenditure incurred on fighting fraud and turning down valid orders. What is the typical chargeback rate for an airline or a travel e-commerce entity that processes millions of card-not-present transactions on an annual basis? If it is 0.8%, how can it be brought down to 0.7%? What’s the timeline and how can it improve the financial situation? By asking such questions, travel e-commerce organizations not only keep the rate in control but also strive to improve with pragmatic goals.

Here we assess some of the initiatives that can help in prevention of chargebacks.

Addressing the real issues: Airlines need to rely on technology, machine learning and human forensics, or a blend of all three, to know the real source of each chargeback. Otherwise one can never get to the core of the problem, because a customized action, as part of a robust prevention strategy, is required to combat each chargeback source. Without it, airlines won’t be able to target the right problem at an opportune time.

In this context, getting into the details of criminal fraud (how to cut down on unauthorized transactions that get processed?), friendly fraud (difficult to detect at the time of purchase, and issuers usually accept a customer’s assertion) and merchant error (it could be that up to 40% of chargebacks are caused by the merchant’s own mistakes, oversights, or shortcomings) is a must. Airlines can’t consider only basic tools, but neither can they feature every offering available for managing risk exposure. For instance, any merchant who uses Address Verification Service along with card security codes or 3D Secure is technically using multiple solutions to prevent fraud. Other options include card security codes, geo-location, device authentication, proxy piercing, biometrics etc. So airlines need to work out a meticulously constructed fraud mitigation plan.



Experts point out that enforcing blacklists (featuring fraudsters) after an attack, rather than preventing the unauthorized transactions, isn’t ideal. Rather, look at non-technical and API integration options, and act “faster”. Look out for the real source of each chargeback. Sort out areas like uncertain merchant error.

Coming to grips with the problem in time: The industry today is improving the acceptance rate with an integrated system for pre-authorization fraud scoring/screening and post-authorization chargeback mitigation/fraud recovery.

The travel industry is also relying on the efficacy of a machine learning engine that evaluates fraudulent users in real-time. Data is analyzed instantly, linking seemingly unconnected signs left behind by fraudsters. Other than detecting fraud, data is also playing its part in ensuring “genuine” orders do not get declined owing to any uncertainty around the transaction.

Alerts have emerged as a viable, faster alternative to the chargeback process. It is about how to do away with the need for a chargeback, and the key here is to stop the processing of a chargeback in time. As shared by Ethoca during one of our conferences, upon notification from issuers, the company transmits an alert to the merchant. For their part, airlines can refund the passenger to avoid a chargeback. The alert outcome is passed on to the issuer. Result: merchant and issuer liable losses recovered by card issuer on first contact. What this also means is that companies can be in better control of things to come, preventing instances of fraud in the future. Companies can also use link analysis to eradicate related fraudulent orders.

Making the most of human expertise: Artificial intelligence, or AI, can extract anomalies and identify patterns from real-time data, but human intelligence is still needed. According to Kount, it is not only the quality of data, its accuracy or the number of datasets that matters; human capabilities, too, are needed to communicate, strategize, and guide machines to the optimum business result.

Working in unison: There are multiple stakeholders at risk when it comes to chargebacks. 

Fraudulently filed chargebacks affect each stakeholder in the payment chain.

·          For merchants, a multi-layered approach is best. Today’s solution must be agile and diverse, coupling an evolving defence with effective representment strategies. 

·          Acquiring banks can help reduce the effects of fraud by establishing internal blacklists and developing chargeback triggers for advanced alert notifications.

·          Processors who undergo the most stringent underwriting procedures to maximize their KYC (Know Your Customer) compliance will ultimately reap the benefits through helping to ensure their merchants are following best practice methods that work alongside operational efforts to prevent friendly fraud.

·          For issuers, additional due diligence is key.  Despite the temptation to rapidly resolve a cardholder dispute, additional effort will pay off in the long run for those who consciously work to prevent bad habits from forming in the first place.


Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 



Ai Editorial: New weapons for combating false positives – are airlines ready?

First Published on 29th March, 2017

Ai Editorial: False positives have never been easy to identify. But with machine learning, 3D Secure 2.0 and data intelligence, airlines can be in better control of the situation, writes Ai’s Ritesh Gupta    


The denial of a digital service that is routine or legitimate is annoying.

For instance, as a credit card user, if I intend to access my statement on my bank’s website and access is denied even after I have filled in my details and password (which most users tend to detest), it is a big disappointment. Similar is the experience of a genuine digital transaction that either gets denied or takes longer than expected to finish due to seemingly stringent security measures.

Airlines need to invest in an apt user experience strategy, and an integral part of this is working out the right acceptance gap for payments so that revenue generation isn’t impacted in a negative way. Conversion rate in commerce isn’t just about getting traffic to digital platforms; what also matters is not turning away authorized orders and how companies deal with false positives.

Also, from a business perspective, no travel company can afford to have a poor profile, i.e. being bracketed as a high-risk merchant. Any business with low transaction volumes needs to be wary, as even a single chargeback will be a more significant development to the issuing bank than it would be for an airline with relatively higher transaction volumes.

So airlines need to be vigilant of the new developments, and make incisive moves to deal with this problem.

·          Finding ways to distinguish real buyers from fraudsters: It is time digital enterprises evaluate the limitation of automated responses from rule-based filters. KPIs for authentication for CNP transactions include historic chargeback data, card acceptance rates, cart abandonment, issuer declines, merchant reversal declines, interchange cost etc. But areas like how online anti-fraud technology impacts false positives need to be assessed. Airlines can dig deeper into the efficacy of rules-based authentication, seeking control over their transactions, and also sort out the manual review problem as human analysis can’t be done away with.

Today negative attributes are being assessed in a dynamic manner, and this is where machine learning can contribute when it comes to dealing with constantly evolving patterns. At the end of the day, the list of potential offenders can’t be too restrictive, and at the same time, airlines can’t be lenient with fraud prevention either. Machine learning can cut down on unauthorized transactions while also reducing the risk of denying a genuine payment. Key here is the fact that the model keeps training through regular feedback. How? With information about traffic (based on behavioral, identity, and network patterns), and more of the same being garnered, more precise predictions can be made. This results in fewer false positives. This analysis can also pave the way for a customized checkout experience with fewer fields, or even the fastest possible processing for authentic travellers.

·          Counting on data intelligence: Rigidity due to pre-constructed rules can now be combated with data sharing and data intelligence, and the release of the 3D Secure 2.0 specifications needs to be followed for the same reason. One way to keep the decline rate relatively low could be the availability of quality data. Giving issuers a chance to interject themselves into the checkout can improve the risk assessment. So what was being done sporadically can be done in a widespread manner, i.e. enabling issuers to amend their authorization risk settings and tie the authorization to the authentication.

Enriched data flow provides stakeholders with a better ability to approve “good” transactions.

As indicated by CardinalCommerce, in the past, merchants and issuers relied on “relatively simple data points in making authentication decisions”. But by relying on emerging sources of data and data intelligence, there is a chance to cut down on fraud and false positives. Legitimacy can be verified via purchase history, device and behavioral information, relevant social media details etc. So airlines should look out for the extra authentication data elements that are available at the time of the transaction, so that both the merchant and the issuer can make a more informed and precise decision as to whether to complete or deny a card-not-present transaction.

(Related article: How Amtrak worked out 99.85% acceptance rate, significantly better than the airline industry 96.3% acceptance rate).

·          Impact of 3D Secure 2.0:  The new specification when officially launched is being tipped to contribute in a big way. 3D Secure 2.0, with plans for early adoption in mid-2017, supports new transaction attributes, and this is expected to curb the level of false positives.  

The objective of the new specification is to aid verification on the basis of data elements pooled through the protocol, with a focus on a frictionless shopping experience for card users. It also aims to make the message interface and authentication flows agreeable to mobile platforms.

3-D Secure 2.0 will enable increased use of risk-based and dynamic authentication.

The risk-oriented outcome will be shaped by a uniform and extended set of data elements.

With a risk-based authentication method, issuers relying on static or partial passwords have to consider how unlikely it is that consumers will memorize or easily use their passwords if these are used only for 3D Secure and are only occasionally called for.

So be prepared for abandonment and failure rates. Accordingly, issuers need to find ways to authenticate.



Ai Editorial: Protecting a passenger’s identity in a connected world

First Published on 24th March, 2017

Ai Editorial: Operationalizing digital identity assessments is one initiative that every e-commerce enterprise needs to manage diligently, writes Ai’s Ritesh Gupta


Airlines, like any merchant, need to safeguard the personal details their users have saved. Imagine a situation where flyers open a personal account on an airline’s digital platform to access speedy bookings and swift flight check-ins, and at some point that data gets stolen, access to digital services breaks down and negative publicity follows. This is indeed going to be a dreadful situation.

E-commerce entities require data to serve personalised offerings, but if they become a victim of a data breach then even a project like digital transformation receives a major setback. No airline can fathom a breach of loyalty miles, with hackers selling account credentials to redeem the miles for tickets!

While e-commerce entities like Ryanair are looking at account personalization in a big way, this also means fraudsters can count on user identities to access personal and payment details. The reason: they can use a trusted credit card saved in a valid customer account.

There is no scope for traditional ways of securing accounts or preventing fraud. For instance, savvy digital entities, focused on enrolling customer details in new ways to personalise their offerings, now consider stored static information a potential target for a breach. The level or layers of security need to be evaluated, as fraudsters can hijack legitimate login sessions. Do seek tighter measures against malware and social engineering attacks.

In fact, the threat of being breached can have a detrimental impact on a bunch of airlines at one go. How? Experts don’t rule out multiple airlines’ systems being breached at the same time: when the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on the other airlines’ systems, as users seldom differentiate their login credentials.

Bigger threat with “connected” world

Today’s intricately connected world means airlines have to work on their IT infrastructure, data management, digital interfaces etc. to ensure there is consistency in interactions. But this digital first approach also calls for stringent protection.

For instance, the Internet of Things (IoT) assumes that information and data will flow seamlessly and securely from one device or one party to another, where it can be accessed and used immediately. If the IoT keeps track of the items you intend to purchase, it can automatically tally the payment and process it as soon as it connects to the nearest payment terminal or app and verifies the customer's information and data. But wouldn’t this call for stronger protection?

Fraudsters can work out near perfect identities from the digital detritus that digital entities and consumers are providing.  As ThreatMetrix aptly states: “It is identity, not passwords or payment details, that is the cybercrime currency of 2017: near perfect, yet terrifying, simulacrums of you and I that can be used to open new accounts, hack into existing ones, and monetize fraud attacks.”

According to ThreatMetrix’s Q4 Cybercrime Report, some of the alarming trends that need to be watched include:

·      New account originations continue to be the riskiest transactions with nearly 1 in 10 rejected.

·      Considering a spate of data breaches,  organizations can’t rely on static data elements. Dynamic information featuring a user’s digital identity will be critical in distinguishing “good customers from bad”. 

·      Fresh assaults will target collection of more details to strengthen stolen identities, rather than immediate monetization.

Attack from several quarters

Airlines need to consider the fact that one doesn’t distinguish between identities penetrated from behind a network/ firewall or via an account compromise. It is a big blow, one that, propelled by convincing identities as formulated by fraudsters, can fuel large-scale attacks. 

Organized crime

This stolen data is traded by organized, networked crime groups via certain websites, apparently made accessible via specialized encryption software and browser protocols that conceal the location of the cybercriminals who are part of such sites.

Recently, a cybercriminal was reportedly sentenced to 50 months in prison for identity theft. This fraudster was caught selling personal data of victims on a cybercrime platform, AlphaBay.

Definition of being safe

When we talk of digital first for a seamless, personalised experience, the safety of identity or account data needs to be prioritized as well. Also, considering the lightning speed with which consumers expect every digital interaction to shape up, airlines need to validate customer identities without any friction.

Bot detection, ID verification, device check, cookie erasing etc. are coming into use.

Specialists assert that it is critical to evaluate every digital identity, one shaped by dynamic, shared intelligence unearthed from a variety of sources rather than from the specific organization a user transacts with. It is time to look at blending static identity data with dynamic, real-time intelligence from current and historical transactions. In order to gain better results and minimize friction, specialists are counting on behavioral biometrics, analytics and a predictive model based on past behavior and transaction data to authenticate transactions. The plan is to relate user and device interactions in the present session to past user and device interactions, and to look at the gamut of attributes associated with the user, device and connection.




Ai Editorial: Assessing exploitation of connected devices for DDoS attacks

First Published on 15th March, 2017

Ai Editorial: DDoS, or distributed denial of service, attacks are damaging for all e-commerce entities, and IoT-based botnets are only adding to the threat of disruption to services, writes Ai’s Ritesh Gupta


Businesses need to gear up for the era of Internet of Things (IoT), make the most of tokenization offering for contextual commerce, realign the flow of work across the business to service customers better…pressure is immense on organizations, including airlines, to evolve and embrace digital disruption.

But an inherent weakness in a technology or devices can result in a cyber assault, and airlines need to be wary of the same.  

A prime example is IoT continuously being exploited and used in cyber criminal activity. It is important to assess how to counter concerns such as IoT fuelling future DDoS (distributed denial of service - a host of compromised systems launch an assault on one target, thereby triggering denial of service for users of the targeted system) attacks.

This point is being raised as the number of attacks, the severity of such strikes and even the revelation of vulnerabilities can throttle a move towards change. This is not to discourage what an airline needs to do to embrace digital transformation, but rather prepare for any move in a meticulous manner.

Be it for online banking, retail or travel, e-commerce as a sector has to counter such malicious moves.

Relatively easier to hack now

At a time when passengers expect a real-time answer or action on their feedback, what airlines need to be wary of is a break in any of the touchpoints and tighten their security.

The more devices an airline connects to the Internet, the more exposed this carrier would be to potential attacks.

It is being highlighted that the technical proficiency needed to perform cyber attacks is on the decline. Malware and services such as DDoS are easily acquired on the dark web. Other than DDoS, ransomware on connected watches, fitness trackers and TVs is expected to pose another challenge.

In its recently released report, the National Cyber Security Centre (NCSC), the national technical authority for cyber security in the UK, stated that the degree of cyber threat varies from technical skills being “bought” to persistent threats involving custom-built malware designed to compromise specific targets.

Being digital first also means tighter security

If we talk of mobile-first engagement, attacks such as the one reportedly featuring Tesco Bank in the UK (it was reported that either Tesco’s internal systems or their mobile application were breached) put a question mark over the security of mobile apps. There are steps that airlines definitely need to focus on – additional layer of security in the form of biometric recognition or facial recognition, end-to-end encryption, working on mobile app security testing as part of the software development lifecycle etc. As for mobile-related threats, specialists point out organizations need to be wary of elevated permissions to install further malware such as keyloggers which could be used to steal login credentials, SMishing often proving to be more effective than traditional PC phishing campaigns etc.

But even as mobile malware is growing (and surely can’t be ignored), it is the IoT that is proving to be a bigger concern. It has expanded the risk of all customer devices being compromised or attacked. Poor security practices in connected devices are coming to the fore. With feeble security, IoT devices are being used in DDoS attacks. Not surprisingly, the list of vulnerable areas now features attacks on the building blocks on which the Internet runs.

One example is the looming threat from the Mirai botnet. This botnet is being monetized today by cyber criminals for large DDoS attacks. It scans IP addresses across the internet looking for insecure devices. As per the information available, Mirai, a malware infecting vulnerable, connected devices, scans for 68 user name and password combinations when attempting to infect and control a connected device.

The emergence of botnets means cyber attacks are only getting sophisticated. If we talk of “threat actors”,  there is this trend of learning from, hiring and working with one another. Akamai recently highlighted that the largest DDoS attack in their network came from Spike, a malware that has been around for over 24 months. This points to the fact that botnet operators take the emergence of Mirai botnet as a challenge, and try to compete and prove more hazardous with their next attack!  

What to consider?

Protecting the disparate components of the IoT ecosystem is vital.

Such devices need to be protected considering that they are operating in a digital environment. Equally important is the security of data transfer between the IoT devices and the platform. Data and privacy breaches continue to be on the rise. Also, a secure API platform is a must.

Specialists have also been clarifying some of the misconceptions. According to Imperva, a data and application security specialist, even high bandwidth won’t shield a site from concentrated packets-per-second (PPS) and application layer attacks (no amount of bandwidth can guarantee 100 percent uptime), and there is no point in relying on a pre-existing appliance to block an incoming DDoS assault.

E-commerce entities, be it airlines or online travel agencies, need to look beyond common vulnerabilities such as SQL injections or Local File Inclusions. Be it working out scalable threat prevention security for any cloud (public, private and hybrid), having trained staff, working out the right security architecture, documenting all networks with known traffic flows or shielding all disparate components of the IoT ecosystem, detailed preparation is needed to protect digital assets.

