First Published on 9th March, 2017
Ai Editorial: One-click payment for an airline ticket from the interface you prefer the most, say the Facebook Messenger app, WeChat, WhatsApp etc.? This is the sort of commerce infrastructure airlines need to prepare for, writes Ai’s Ritesh Gupta
What can lead to a conversion based on even one signal that a digital consumer today gives to go for a product or service? These signals aren’t mere search keywords or clicks on a website/ app. It’s about the interplay of context, location, interface as well as the device being used and payment facilitation.
For instance, a group of friends is interacting via the Facebook Messenger app; they decide to meet at a particular venue (the exact location is shared via a link/map), and all of them use an on-demand service without leaving the chat or the interface. No app was downloaded. Similarly, a passenger starts the shopping journey by interacting with a chatbot or initiates a search for a flight via a digital assistant, moving on to a meta-search environment and eventually completing a transaction without leaving the conversation.
This is just a glimpse of how commerce is evolving.
What stands out is what’s working in the “background” to seamlessly process payments.
All of this is crucial for travel brands to assess, as one can’t ignore the prowess of ecosystems such as Facebook, Google, Apple, Alibaba etc. or the popularity of social and messaging apps.
Dealing with friction
The significance of letting a travel shopper wrap up a transaction without the friction of leaving a site or an app can’t be ignored.
Airlines need to make the most of tokenization offerings that work in the “background” to ensure they are part of contextual experiences (search, social interactions etc.) and end up helping a potential traveller shop with them. Intermediaries like meta-search engines have been relying on APIs to ensure bookings are completed within their environment, irrespective of the airline’s payment processor. APIs are playing a vital role in countering the intricacies of moving payment data between the different stakeholders involved in the shopping journey, whether for retail or a travel-related purchase. The end result is seamless movement towards buying an air ticket or an ancillary with an optimized checkout flow.
Travel may not be a frequent buy, but a speedy checkout experience is still a major plus; customers expect it, as they don’t need to re-enter or share information again and again.
Skyscanner is reaping the benefits of a better conversion rate. The team has been working on its direct booking offering, which allows airlines to offer a fully localized booking experience, letting users research, select and instantly book itineraries within their environment without being redirected to supplier sites. As for airlines, they process the requests and retain all of the passenger’s details.
Securely moving payment data
It is also imperative to assess the security of such initiatives. How secure is an RFID band that functions as both a ticket and a wallet? How is Facebook equipped to safely share its own stored payment data with an entity like Uber while ensuring Facebook Messenger users retain control over their information? Specialists like PayPal have progressed swiftly, stating that sharing of customer, payment, and other data is done securely with PCI Level 1 compliant parties while keeping an entity vault protected, and that sharing of data within their network of merchants is equally secure.
But airlines still need to be wary of a couple of issues.
Rather than rushing and joining the bandwagon, do look at risk mitigation.
As a specialist in this arena, Chargebacks911 explains that if the industry does not take basic safety measures before going for new technologies, then such initiatives can be more of a liability than a benefit.
For instance, referring to wearable payments, the team points out that it may turn out to be more secure when compared with standard payment options. “Wearable payments make use of the same kind of tokenization technology as other payment methods, like digital wallets and EMV chip cards, which may prove to function just as well on wearable devices,” says Chargebacks911’s COO, Monica Eaton-Cardone. She says one needs to be wary of family fraud and friendly fraud. In a recent blog post, she raised a pertinent point, “What will issuers accept as compelling evidence when merchants attempt to dispute chargebacks? The chargeback process is archaic—it can’t keep up with all the developing technologies. Networks will not have considered the different types of data that will be associated with these technologies and, therefore, will not recognize valuable information as valid forms of evidence. It will be years until the data associated with these wearable devices will be recognized by the card networks, leaving merchants liable for billions in losses from undisputable, illegitimate chargebacks.” She added that as of now, merchants already lose as much as $40 billion each year due to chargebacks.
So emerging technologies can augment the customer experience with seamless transactions, but areas like security and privacy, and chargebacks can also hamper the same.
Gain an insight into intriguing issues at Ai’s 11th Airline & Travel Payments Summit (ATPS) this year.
Date: 3 May - 5 May 2017
Location: Berlin, Germany
For more info, click here
Follow Ai on Twitter: @Ai_Connects_Us
First published on 24th February, 2017
Ai Editorial: Airlines need to move fast to be ahead of the curve and protect themselves against account takeovers, writes Ai’s Ritesh Gupta
The benchmark for completing a digital transaction – the moment when you are about to pay - is one click or swipe.
Of course, in order to deliver a one-click checkout experience, travel e-commerce players have to gather personal information, store the chosen payment method and keep it secure. This transaction-related information is a vital component of overall account personalisation that businesses are keenly looking at today.
But what needs to be noted is that account takeover is the latest fraud tactic that is troubling merchants, and airlines, too, can be victims as merchants.
Account takeover fraud happens when a fraudster/ hacker misuses a user’s personal details saved with a merchant in order to take control of an existing account. Fraudsters bank on stolen credentials and phishing schemes to hack into or take over legitimate user accounts. They are capable of gaining access to accounts via malware, SQL injection attacks, spyware etc. And this can surely have a detrimental impact on trust and loyalty among valued customers.
Being wary of fraud as account personalisation picks up
As we highlighted in one of our recent articles, account personalisation is on the rise. One area where progress is being made is speedy bookings and swift flight check-ins on airline-owned platforms. Ryanair took an exemplary initiative last year, one related to account personalisation. This way the carrier chose to enable passengers to share their travel preferences by setting up a personal profile, and saving passport details etc. The users can also store their payment information.
So if on the one hand such initiatives are bound to make trip planning, booking and even servicing simpler and more efficient, on the other one needs to be wary of the situation where such data related to a user’s account gets stolen.
Data breaches are dreadful, and this trend can also end up in a massive threat for airlines.
It is becoming common for cyber criminals to hack data, and then reuse the list of email addresses and passwords they have obtained on multiple sites. So here is what would happen - when the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on the other airlines’ systems as users seldom differentiate their login credentials.
Similarly, a hacker can take over a user account, and if it has loyalty miles, sell the user account credentials on the black market to fraudsters to redeem the miles for tickets.
Identifying suspicious behavior
Account takeover security comes into action from an early stage: keeping a vigil on new account creation and the way these accounts tend to be used. This helps in assessing risk with a certain level of accuracy. In terms of preventing fraud, a fraudulent activity, say a transaction, is stopped before it takes place. Here a flexible rules engine flags a dubious activity based on users’ behaviour and device attributes. As CyberSource states, an organization can then choose to accept, reject, or challenge the users to authenticate themselves before the event can occur. One can also spot valuable returning customers.
A user’s device and Internet connection information can prove handy in managing such fraud. Device-based customer authentication can add a layer of defence against account takeover. This is important when assessing whether the real account owner is accessing the account or not. One way to do it is by evaluating a cookie associated with the stored payment method. If the cookie is missing when the payment method is used, then this person can be asked to re-enter the card number or provide a verification code. So if a fraudster is trying to skip recognition by masking their IP address or spoofing geolocation, one can verify the real IP address and compare that to the stated IP to detect risky activity.
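The cookie check and the accept / challenge / reject decision described above, as an added example (not code from CyberSource or any airline). The cookie format, key handling, function names, the reject rule and the sample values are assumptions made for illustration; the "real" IP is assumed to come from a device-profiling service.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Assumption: a server-side signing key. In production it would come from a
# secrets manager; it is generated here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)


def _tag(account_id, payment_token, nonce, key):
    msg = f"{account_id}|{payment_token}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_device_cookie(account_id, payment_token, key=SERVER_KEY):
    """Issued when a payment method is stored; binds this browser to it."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_tag(account_id, payment_token, nonce, key)}"


def cookie_is_valid(cookie, account_id, payment_token, key=SERVER_KEY):
    """True only if the cookie was issued for this account and payment token."""
    if not cookie or cookie.count(".") != 1:
        return False
    nonce, tag = cookie.split(".")
    expected = _tag(account_id, payment_token, nonce, key)
    # Constant-time comparison so the check does not leak tag prefixes.
    return hmac.compare_digest(tag.encode(), expected.encode())


def ips_consistent(stated_ip, observed_ip):
    """Compare the IP the session presents with the IP seen by profiling."""
    try:
        return ipaddress.ip_address(stated_ip) == ipaddress.ip_address(observed_ip)
    except ValueError:
        return False  # unparsable address is treated as a mismatch


def decide(account_id, payment_token, cookie, stated_ip, observed_ip):
    """Return 'accept', 'challenge' or 'reject' for a stored-card payment."""
    device_known = cookie_is_valid(cookie, account_id, payment_token)
    network_ok = ips_consistent(stated_ip, observed_ip)
    if device_known and network_ok:
        return "accept"
    if not device_known and not network_ok:
        return "reject"  # assumed policy: two independent signals failed
    # One signal failed: ask for the card number again or a verification code.
    return "challenge"


def run_samples():
    """Replay four constructed checkout attempts against the rules."""
    acct, tok = "acct-1001", "tok_visa_4242"  # constructed identifiers
    good = issue_device_cookie(acct, tok)
    stolen = issue_device_cookie("acct-9999", tok)  # cookie from another account
    attempts = [
        (good, "198.51.100.7", "198.51.100.7"),    # known device, same network
        (None, "198.51.100.7", "198.51.100.7"),    # cookie missing
        (good, "198.51.100.7", "203.0.113.50"),    # proxy masks the real IP
        (stolen, "198.51.100.7", "203.0.113.50"),  # wrong cookie and masked IP
    ]
    return [decide(acct, tok, c, s, o) for c, s, o in attempts]


if __name__ == "__main__":
    print(run_samples())
```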
Recently, when I forgot my Apple ID password, I was asked to share the ID, filled in a code twice, and then could retrieve the password via registered email or by filling out answers to questions registered earlier. And eventually I was guided on how to work out a strong password. But is it enough for account protection? The best answer is to make sure there is enough human expertise within an organization. And do keep an eye on any new, more stringent security measures. Behavioral analysis is one area that is becoming increasingly sophisticated. Swipes, taps, cursor movements etc. are being analyzed for navigation flow, time spent etc. to understand the behavior. It is also being suggested that behavioral biometrics, which spots patterns in human activities, needs to be looked at for continuous authentication, going beyond the two-factor authentication (2FA) method. So as airlines analyse more and more data (for example, device authentication, device ID, device fingerprinting etc.), fraudsters will struggle to pass themselves off as genuine. These new measures are a must, as hackers/fraudsters are using machines to get around these security measures.
Travel companies have survived a massive threat to their existence by learning to share sensitive data on a private cloud platform, writes our guest columnist JJ Kramer, Chairman of Perseuss Steering Group
A decade ago, airlines operated in the usual silos of secrecy. The competitor was always the enemy. The competitor was trying to eat the other airline's lunch. But gradually they realised they had a common enemy who was trying - and frequently succeeding - to eat everyone's lunch.
The fraudster
International fraud gangs, stealing and abusing credit card data, were repeatedly ripping off one airline after another. Profitability was plunging and the situation was getting worse. The need to share information about fraudsters, legally, became apparent to all operators.
Now in 2017, travel companies are in a much better place. They have identified that there are four key steps which industries must take to fight fraud. Curiously, they all involve trust.
1. Build trust in your peers
The fightback started with pairs of airlines sporadically meeting to swap experiences and known fraudster information. Personal relationships formed and the trust between them became the bedrock of further progress.
Among those pioneers was JJ Kramer, Chairman of Perseuss Steering Group. According to him, fraud thrives in an atmosphere of fear and mistrust. People have to start the fight against fraud by building a new atmosphere of cooperation and confidence in each other. Essential to building that trust was people meeting in person, not online. Face-to-face meetings were vital.
2. Build trust in your platform
But things soon began to grow and it was obvious that the use of technology was also necessary. Who could be trusted to build the infrastructure? Who would govern it?
The airlines eventually selected an independent IT company with known competence to build the platform. The platform had high levels of security and the user community was 'members only'.
Airline fraud analysts were able to submit data about known fraudsters and check suspect data against the database. Fraud was being identified and reduced.
3. Build trust in your data
The airlines could then tackle the small but important matter of the data. Who owned it? Who controlled it? Was shared data owned by everyone, once it was pooled? The Chairman of the Perseuss Steering Group stated that it was commonly agreed that fraud data is owned by the company that submitted it and can be deleted by them at any moment. This decision increased the community's trust in the platform because they knew they controlled it, not the other way round.
4. Choose leaders you know and trust
As the user community grew to over 100 companies and welcomed in non-airline businesses (like online travel agencies, railway and retail companies), the management team adapted itself. A Steering Group was formed. People chose representatives they had met in person, regardless of the size of the company they worked in. Personal contact was, again, an important aspect that was taken into account. As the Chairman of the Perseuss Steering Group mentioned, the Steering Group channels and prioritizes the development process, and that is the proof that the users are in charge, not anybody else.
About Jan-Jaap Kramer
JJ has been involved in the battle against airline card fraud for over 15 years. In his previous role as Manager Cashier Department/Credit Cards for Dutch airline Martinair (a subsidiary of KLM Royal Dutch Airlines) from 1999 to 2011 he was responsible for the security of the company's ecommerce and call centre passenger bookings. In 2011 he established his own consultancy company to help business and industry fight fraud. Soon after that he was elected chairman of Perseuss, the travel industry’s anti-fraud organization.
About Perseuss
Perseuss is the global travel industry’s own solution to the battle against fraud. It was founded in 2008 by a small group of airlines and soon became an industry standard for data-sharing. Today, the community has participants from around the globe including airlines, travel agents, railway, and retail companies. Its flagship offering is an online shared negative database, recently updated to include email age verification and artificial intelligence. It also operates FraudChasers, an online forum for anti-fraud professionals. Perseuss plays a major role in cross-border police Action Days to apprehend fraudsters.
First Published on 13th February, 2017
Ai Editorial: The quality of data as well as making the most of different types of machine learning are vital for fraud prevention, writes Ai’s Ritesh Gupta
Fraud prevention isn’t just about one algorithm being used or acting only on historical data. One can fall woefully short with an ill-conceived approach. Airlines need to check valuable pointers – are chargeback rates under control? Even if the fraud system is indicating very low fraud rate, is it still resulting in high abandonment and rejection rates of the users?
Airlines are acknowledging the limitations of traditional rule-based fraud solutions, one of them being overly focused on bringing down the fraud rate as close to zero as possible. This tends to be a risk-averse approach, and one needs to negate rules when positive behaviour is detected. So how can big data and machine learning contribute?
Here we assess some of the critical aspects related to data strategy and machine learning that can contribute to fraud prevention:
· Predictive analytics alone isn’t enough: Predicting future fraud based on historical data isn’t enough. For instance, when transactions with no historical data are submitted into the system, there is a possibility of missing suspicious behavior.
Unsupervised machine learning manages to seek patterns and correlation amidst the new data collected, which helps to identify positive and negative behaviour.
With pattern recognition, even without any prior historical data, the machine is able to discover patterns across various transactions and establish if the transaction showed bot behaviour or human behaviour. Information collected from big data is vital here. It is initially used to garner information about the user’s behaviour on the website and these details are blended with machine learning, which uses pattern recognition to chart the pattern of this user’s behaviour to match it either with positive (genuine) or negative (fraudulent) behaviour, as well as predictive analytics that records the positive/ negative behaviour and uses that on future transactions for potential signs of fraud. Also, behavioral analysis is one area that is becoming increasingly sophisticated. Swipes, taps, cursor movements etc. are being analyzed for navigation flow, time spent etc. to understand the behavior. Specialists are tracking mouse movements and clicks in context and meaning while becoming increasingly more accurate over time.
· Relevant data: While data is important, what is more important is the quality and relevance of the data. Big data is gaining popularity and is used more widely than ever, but it is not about how big the data is. Relevant data is necessary to improve fraud prevention, as well as to improve the machine. For instance, if the machine is regularly receiving non-relevant data, the resultant output will be non-relevant decisions.
In addition, the way the data is processed must also be relevant when estimating the probability of fraud risk. Algorithms are designed with biases. If the fraud system’s algorithm is centred on eliminating fraud entirely, its decisions will result in a very low fraud rate, but also in high abandonment and rejection rates of the users. Instead, if the fraud system is focused on maximising revenue per risk of fraud, it is possible that a slight allowance of letting the fraud rates up by 0.1% could increase acceptance rates by 10%.
· Keeping pace with technological developments: Airlines, just like any other e-commerce business, need to cater to a variety of payment methods, currencies and devices. Each new technological development introduces new avenues for fraud, meaning detection and prevention efforts need to be just as agile. Expect more creative modes of fraud to appear. So there is a need to shift to active surveillance by deploying big data user and entity analytics to understand the user behaviour behind each transaction. Considering that most fraud attacks come as a coordinated attempt from a single script, automated to maximize the number of hits in the least amount of time possible, they will leave behind a pattern that can only be detected by understanding user behaviour. Even as new forms of payment become popular and mainstream, active surveillance (rather than static defence) will be more relevant and effective in dealing with fraudsters.
· Airline-centric approach: As we highlighted in one of our recent articles, the e-commerce set up of airlines is distinctive, and it would be highly desirable to have a tailored data strategy.
One example is how to capitalize on custom data fields, be it for flight details, loyalty miles claims (to detect abnormalities) etc.
With more and more data analysed, it is harder for hackers to hide their tracks fully and pass themselves off as genuine.
· Assess liability shift: Airlines must expect better results at this juncture, considering that machine learning has evolved. For instance, improving fraud management doesn’t only mean lowering fraud rates; it is also about ensuring that the system does not hinder revenue growth. So better technology (big data, machine learning) is important, but how these systems are designed, and the KPIs they keep to, are more important.
If we talk of liability shift, specialists point out that systems using pattern recognition, deep learning and stochastic optimization seek an optimized yes or no decision in real time.
Based on calculated risks, the system passes the optimized number of transactions while ensuring that chargeback rates are still under control. As a result, borderline genuine transactions can be passed and unnecessary rules and bans are lifted, improving sales greatly. The efficacy of these “calculated risks” needs to be scrutinized by airlines. It is being asserted that the switch from predictive models of machine learning towards real-time machine learning is a few years away.
First published on 13th January, 2016
Ai Editorial: Account takeovers and frequent loyalty program miles fraud in addition to credit card fraud are now demanding stringent measures for fraud prevention, writes Ai’s Ritesh Gupta
Every piece of customer data and information is under scrutiny. One can put a price tag on stolen account info – Uber, Facebook etc. and air miles. Today fraud prevention isn’t just about credit cards.
According to Sift Science, account info can yield more money “on the dark web than simple credit card details”. The team indicates that the threat of account takeovers (ATO) needs to be negated.
In fact, findings from the soon-to-be-published Sift Science 2017 Fraud-Fighting Trends report reveal that 48% of respondents observed a rise in ATO last year.
Travel e-commerce – an attractive proposition
Travel e-commerce is a common target for cybercriminals, as most of its offerings are large-ticket purchases. Beyond digital goods, the same reasoning applies to luxury goods providers (also big-ticket purchases) and to products that have a high resale value on the black market. Also, since travel e-commerce entities offer digital goods, customers expect instant approval and delivery, which also opens the gates to more fraud. Furthermore, the volatility of item prices (which change every minute based on consumer demand) means that merchants cannot afford to deploy manual reviews. Most OTA players simply accept suspicious transactions, absorbing the chargeback losses, instead of declining transactions and risking tarnishing their brand and losing out to heavy competition.
Too much information up for grabs
Before we delve deep into what the threat looks like today, if one were to assess the vulnerability level of travel booking systems, where do they stand today and has anything changed?
“Not much hacking is required, as there’s less vulnerability here!” This recent remark from experts Karsten Nohl and Nemanja Nikodijevic aptly sums up the brittle nature of the “global distribution systems” operated by the travel industry today.
According to details shared at the 33rd Chaos Communication Congress (33C3) in Hamburg, Germany in late December (video available here), the industry suffers owing to brittle authentication and web services. The authenticator printed on boarding passes and luggage tags is up for grabs rather easily. “Any person able to find or take a photo of the pass or tag can access the traveller’s information – including e-mail address and phone number – through the GDS’s or airline’s website,” stated Security Research Labs. The company goes on to add: “…many GDS and airline web sites allow trying many thousand booking codes from a single IP address. Given only passengers’ last names, their bookings codes can be found over the Internet with little effort.” Also, many people can access information when a booking is generated, for instance staff at the agency, travel providers, GDS involved in any part of the PNR etc. Fraudsters can travel for free, create havoc with one’s frequent flyer account, use payment info etc. Security Research Labs suggests there is a need for “brute-force protection in the form of Captchas and retry limits per IP address” to start off, and bookings need to be protected with appropriate authentication, at the very least with a changeable password.
The point here is how much is being given away to a fraudster.
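One way to apply the "Captchas and retry limits per IP address" suggestion quoted above to a booking lookup endpoint, as an added example (not code from Security Research Labs, a GDS or an airline). The thresholds, class and function names and the in-memory booking are assumptions; the extra per-surname counter goes beyond the quoted suggestion and covers guesses spread across many addresses.

```python
from collections import defaultdict, deque

# Constructed sample booking: (last name, booking code) -> record.
BOOKINGS = {("SMITH", "X7Q2LM"): "constructed itinerary"}


class LookupThrottle:
    """Sliding-window counters of failed booking lookups."""

    def __init__(self, captcha_after=3, block_after=10, window_s=600):
        self.captcha_after = captcha_after  # failures before a Captcha is required
        self.block_after = block_after      # failures before the IP is refused
        self.window_s = window_s            # how long a failure is remembered
        self._fails = defaultdict(deque)    # key -> timestamps of failures

    def _recent(self, key, now):
        q = self._fails[key]
        while q and now - q[0] > self.window_s:
            q.popleft()  # forget failures that fell out of the window
        return len(q)

    def check(self, ip, last_name, now):
        ip_fails = self._recent(("ip", ip), now)
        name_fails = self._recent(("name", last_name.upper()), now)
        if ip_fails >= self.block_after:
            return "block"
        # A surname under attack only raises a Captcha, never a block, so the
        # real passenger is not locked out by someone else's guessing.
        if ip_fails >= self.captcha_after or name_fails >= self.captcha_after:
            return "captcha"
        return "allow"

    def record_failure(self, ip, last_name, now):
        self._fails[("ip", ip)].append(now)
        self._fails[("name", last_name.upper())].append(now)


def lookup(throttle, ip, last_name, code, now, captcha_solved=False):
    """Return 'found', 'not_found', 'captcha' or 'block' for one request."""
    verdict = throttle.check(ip, last_name, now)
    if verdict == "block":
        return "block"
    if verdict == "captcha" and not captcha_solved:
        return "captcha"
    if (last_name.upper(), code.upper()) in BOOKINGS:
        # Success does not reset the counters: otherwise a guesser could
        # interleave one known-good code to wipe the failure history.
        return "found"
    throttle.record_failure(ip, last_name, now)
    return "not_found"


def replay_guessing(throttle, ip, last_name, guesses, start=0):
    """Replay constructed wrong guesses, one per second, solving every Captcha."""
    return [
        lookup(throttle, ip, last_name, g, now=start + i, captcha_solved=True)
        for i, g in enumerate(guesses)
    ]


if __name__ == "__main__":
    t = LookupThrottle(captcha_after=3, block_after=5)
    print(replay_guessing(t, "203.0.113.5", "Smith", [f"AAAAA{i}" for i in range(8)]))
```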
New areas of concern
There are two relatively new areas of concern for travel e-commerce entities, according to Justin Lie, Group CEO, CashShield:
· Account takeovers; for example, when the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on the other airlines’ systems as users seldom differentiate their login credentials.
· Frequent loyalty program miles fraud; similarly, a hacker can take over a user account, and if it has loyalty miles, sell the user account credentials on the black market to fraudsters to redeem the miles for tickets.
“As such, it is advisable for travel e-commerce entities to apply big data and real time machine learning not only on securing payments, but also for securing accounts and monitoring loyalty miles claims,” said Lie.
Tackling issues
Lie says companies should take control of their payment data, which should not be restricted by default. This data can be combined with big data (such as those data fields collected on their websites), so that they can derive a strong data strategy not only for fraud prevention, but also to get a better understanding of the user profiles that surf their website.
Also, fraud is becoming increasingly complicated and sophisticated very rapidly.
“This is especially so as credit card companies push for the adoption of the EMV chip, making it more difficult for card present fraud, thus forcing fraudsters to go online. Instead of implementing a fraud prevention strategy that requires long gaps in training machines with data sets, travel companies should shift towards real time machine learning (or real time automated) fraud systems to get ahead of the fraudsters,” said Lie.
Companies should also move fast to be ahead of the curve and protect themselves against account takeovers and loyalty fraud as well. 80% of all cyber attacks have a financial motive, and it is expected that more fraud syndicates will shift to online fraud, since it is so lucrative.
First Published on 2nd January, 2017
Ai Editorial: Airlines need to create their own fraud mitigation strategy, set up customized KPIs in conjunction with detailed data analysis to protect themselves, writes Ai’s Ritesh Gupta
Are merchants, acquirers, issuers etc. equipped with the necessary arsenal to combat card fraud? Is the card-not-present environment still susceptible to fraud?
As a specialist in this arena, Chargebacks911’s COO, Monica Eaton-Cardone says payment card fraud will always be an issue—it will never be completely mitigated. “Wherever there is a chance for profitability, there will be criminal activity. And, each new technological development introduces a new avenue for fraud, meaning detection and prevention efforts need to be just as agile,” she says. Despite all this, she believes the current security situation is the best we’ve seen since the inception of payment cards. “Our society in general is well aware of the threat and is eager to address it. We aren’t denying the danger—which I think is an important step. The real challenge is to ensure attention to security spans all channels and all sales methods. Unfortunately, to date, security efforts have been inconsistently applied. EMV technology effectively mitigates card-present risks. Biometrics make mobile wallets virtually fraud-proof. But very little effort has been made to protect the card-not-present environment.”
Improving upon the traditional way of securing payments
Just a month back, research by Newcastle University in the U.K. indicated that working out the card number, expiry date and security code of any Visa credit or debit card “can take as little as six seconds”.
For their part, Visa stated that this study didn’t consider other layers of security such as its Verified by Visa system.
Michael Roche, Vice President, Consumer Authentication, CardinalCommerce mentioned that Visa does have mechanisms that track frequency of payments across Card-Present (CP) and Card-not-Present (CNP) orders. “Unfortunately it’s limited by the information within the ISO8583 authorization spec. What Visa is doing though is exposing a whole host of risk and authentication capabilities. You can get to all of these through Visa Checkout right now. In the future you should be able to get direct access. (Checkout Visa Developer). Visa also supplements all their network data through the 3DS protocol. The 3DS protocol provides visibility into all the important info that the ISO8583 spec does not. CVV2 and AVS are antiquated solutions and once you deploy 3DS your reliability on them will be reduced. I do agree that these checks are past their prime,” said Roche. He added, “If you have a Rules Based Authentication (RUBA) 3DS solution and you are transacting with a Risk Based Authentication (RIBA) issuer you only need to rely on that RIBA issuer’s authentication response and it’s yes or no. Doesn’t get any better than that online.”
It’s every ecommerce player for themselves
Monica says it is not advisable for merchants to rely exclusively on card schemes for a safe and secure payment processing environment. “Just like everyone else in the industry, the card networks were initially caught off guard with the explosion of ecommerce growth and were ill-equipped to handle emerging threats,” she says. “Unfortunately, right now, it’s every ecommerce player for themselves. Retailers, airlines, OTAs, PSPs, banks—everyone needs to critique their own individual risk exposure and create a customized mitigation plan. Fortunately, there is an abundance of effective products and services available to choose from that will help ensure success.” In doing so, it is important to consider a few necessities. First, individual tools or solutions need to be incorporated into a comprehensive strategy and evaluated against a profitable level of risk exposure. Second, risk mitigation needs to be dynamic—what worked yesterday might not work tomorrow.
Hackers are getting better
With the advent of greater tech advances, hackers themselves are also relying on machines to write algorithms to hack systems and crack codes, and they are getting better and quicker at it, says Justin Lie, Group CEO, CashShield, a SaaS-based self-learning fraud prevention solution for ecommerce. Other than capitalizing on vulnerabilities of a credit card or a debit card, hackers are also creating fake accounts on e-commerce sites to run hacks on the stolen credit cards. Therefore, much greater effort is needed to strengthen the current infrastructure, and it will have to be a combined effort between card schemes, PSPs and merchants to prevent cybercriminals from getting away too easily. Currently, there is a lack of information and transparency between merchants, PSPs and card schemes, while merchants receive almost no protection against fraud losses, since they have to bear the cost whenever unauthorized chargebacks are filed. “This broken line of communication should be fixed, while each stakeholder must understand the fragility of payment card security and where they stand in the ecosystem, or it would be difficult for the situation to improve. In the meantime, merchants themselves should also invest in identity management in authenticating fraudulent accounts (or hacked accounts) to protect themselves,” says Lie.
What to fix?
Monica admits that merchants definitely suffer from the industry-wide lack of transparency. “But I’d actually argue everyone involved in card-not-present transactions experiences consequences. I’ve been saying this for years: a lack of consistently applied standards and compliance with those standards is increasing costs and causing needless revenue loss. This is the problem we need to fix.”
Airlines and OTAs absolutely need to create their own fraud mitigation strategy.
Fortunately, the travel industry has a distinct advantage over many other industries, says Monica. “There is an abundance of personal information available for data analysis. Everything from frequent flyer accounts and past itineraries to in-flight purchases and travel companions can make fraud detection much more successful. Establishing and monitoring customized KPIs in conjunction with detailed data analysis can produce significant results.”
Ai is set to conduct the 11th Airline & Travel Payments Summit (ATPS) this year.
Date: 3 May - 5 May 2017; Location: Berlin, Germany
Follow Ai on Twitter: @Ai_Connects_Us
First published on 21st December, 2016
Ai Editorial: Real-time automated fraud prevention means that the fraud solution is fully automated to make real time decisions, without any need for manual reviews at all. How far are we from attaining this, explores Ai’s Ritesh Gupta
Commerce today is about seamless movement between devices, and this also means one-click or no-checkout options in an omni-channel environment.
With all this, security is certainly the issue, and in an increasingly global world, so is the ability to accept a variety of payment methods, currencies and devices. Customers want to be able to shop and buy, no matter where they are or which channel they're on – offline, online, mobile, app. Airlines and brands must position their products, goods and services for all channels – keeping in mind that customers of tomorrow will increasingly be interacting primarily or solely from mobile devices.
On the fraud front, improvements in biometrics, authentication, verification and identification will gradually reduce the risk of fraud. The blockchain process, developed for cryptocurrency verification and authentication, holds a lot of promise for increased payment protection in the mobile environment.
Better fraud management
The workload on financial institutions has risen with the advent of real-time payments.
Key components of real-time transactions include certification of payment, availability of funds, instant settlement and confirmation of the transaction. The industry has had to figure out the configuration for inter-bank settlement, and core processes should also be available in an unbroken manner. As Accenture points out, considerations include real-time settlement of every payment or deferred net settlement, loss-sharing agreements or prefunding of settlement accounts etc. Global payment infrastructure has been moving toward faster payments and real-time settlement. So, considering the new ways in which transactions are happening, say via mobile, how does this demand a better fraud management effort?
Justin Lie, Group CEO, CashShield, a SaaS-based self-learning fraud prevention solution for ecommerce, says a decade ago, the payment landscape was largely dominated by banks, and these banks set in place industry security standards and protocol to protect merchants and themselves from breaches and hacks. “However, with the rise of financial technology or FinTech, so has the number of FinTech companies. With more than 9000 companies currently around, and with the number expected to grow, the number of points of breaches have grown as well, since these FinTech companies do have to deploy or adhere to the same security and safety protocol that the banks stick to for protection. Here, the entire payment ecosystem on the whole has weakened with a larger number of fail points,” says Lie.
In addition, traditional rule based fraud solutions require manual reviews to be done before the settlement period (normally the next day after the transaction is processed).
“Real time settlement will greatly hinder these conventional solutions since they will have to either auto accept or reject these manual reviews to process payment,” says Lie.
He says to deal with this, merchants have to either accept almost all transactions (thus increasing chargeback rates) or reject seemingly risky transactions quickly (thus lowering conversion rates). This traditional fraud management is seen as static defence, but it has become evident that such traditional methods are falling behind newer methods that fraudsters are designing to launch their attacks.
“With new channels of payments such as mobile or NFC, more creative modes of fraud are expected to appear. It is important for us to transit then, instead, to active surveillance by deploying big data user and entity analytics to understand the user behaviour behind each transaction. Considering that most fraud attacks come as a coordinated attempt from a single script, automated to maximize the number of hits in the least amount of time possible, they will leave behind a pattern that can only be detected by understanding user behaviour. Even as new forms of payments become popular and mainstream, active surveillance will be more relevant (rather than static defence) and effective in dealing with fraudsters,” explained Lie.
Mobile fraud
Mobile as a platform for transactions is facilitating new ways of payments.
But mobile fraud is relatively more challenging to handle.
“It is so (mobile fraud is challenging to merchants) as transactions that are made through mobiles collect less information than web transactions, and therefore look much more similar. Without the appropriate technology or expertise, it is difficult for merchants to be able to differentiate between the real or fraudulent orders. As a result, higher costs are incurred, which includes the greater chargeback rates, lengthier time for manual reviews and bad service rendered to users,” said Lie.
Even though the risk of fraud is greater, as there are additional hindrances when it comes to cardholder and device authentication, apps like Apple Pay and Samsung Pay could actually help deter fraud. Both of these apps rely on biometric fingerprint technology in order to authorize a transaction. Therefore, in order for the user to authorize a transaction, the cardholder needs to provide a fingerprint. Not only is this a strong deterrent against unauthorized transactions, but the customer’s fingerprint attached to a transaction is very compelling evidence in the merchant’s favor in the event of friendly fraud.
Real-time automated fraud prevention
Lie says most existing fraud solutions around are still quite far away from achieving real time automation.
While more and more solutions on the market are currently using machine learning to detect fraud, these types of machine learning rely heavily on training data sets to predict probabilities (as opposed to real time automated decisions). These data sets are based on new fraud trends from either
(1) filed chargeback information as historical data (which could be at least 30-90 days old) or
(2) human intelligence from the large risk analyst team that manually provides inputs.
“The way these machine learning algorithms are designed forces the solution to rely on these training data sets, requiring at least 10-30 days (or even months) of training. As a result, the long training gap and the reliance on training data sets prevent the solution from making decisions instantly, but rather only allow it to make predictions of the probability of fraud,” says Lie.
He says real time machine learning is required for real time automated fraud prevention. Real time machine learning means that the fraud system is able to learn instantly on the fly with each new incoming transaction, and requires no lag time or historical training data sets to provide information on the new transaction. Consequently, the system is able to make optimized decisions instantly, without the need for manual reviews.
However, it seems like it will still take 2-3 years for the industry to switch from predictive models of machine learning towards real time machine learning, due to the rarity of such solutions.
Are you bold enough to survive in the brave new world? Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).
Date: 03 May 2017 - 05 May 2017
Location: Berlin, Germany
First Published on 14th December 2016
Ai Editorial: Retail automation, frictionless checkout, invisible payments etc. are developments that are set to redefine shopping. As commerce evolves, airlines, too, need to respond to such exciting initiatives, writes Ai’s Ritesh Gupta
“No line. No checkout.” This is what the retail sector is inching towards.
Being “made to wait” at any stage of shopping, be it offline or online, can be a dampener. So the retail sector is steadfastly doing away with what can be the bane for conversion or the overall shopping experience.
If we go by what Amazon has come up with (Amazon Go is a new kind of store with no checkout required) or even what Panasonic is testing (convenience-store checkout machines that can scan and bag items on their own), then you don’t really have to worry about waiting to pay. In the case of Amazon Go, the company says you never have to wait in line. Consumers can use the Amazon Go app to enter the store, shop and leave. In the case of Panasonic, the system is retailer agnostic, so one won’t necessarily need Amazon credentials or a specific ecosystem, say Apple or Google. This all needs to be considered as the bar for delighting a customer gets raised. Comparison between retail and travel would be inevitable at some stage, as one would expect travel e-commerce to respond too. So if I am moving straight out of a supermarket without having to wait for my turn to pay, then why wouldn’t I expect the same, say, during any stage of my journey?
Isn’t it a relief when you step out of a cab, say Uber, and all you need to do is focus on luggage rather than paying for the ride? It might not take more than a couple of minutes to pay, but when technology saves us time, we start falling for it. We start expecting it in other areas, too.
Technology – the driving force
Technology is driving automation, and it can overlap for different sectors. For instance, Amazon Go’s checkout-free shopping experience features similar technologies as used in self-driving cars: computer vision, sensor fusion, and deep learning.
The Internet of Things (IoT) is also lending a new dimension to convenience.
So as machines take over and manage certain decisions, say ordering groceries, consumer behavior is likely to alter drastically.
This definitely is going to affect e-commerce merchants, including airlines, across the globe.
As we highlighted in one of our recent articles, IoT thinking and increasingly smartphones are leading to more sophisticated digital wallets and mobile payments – which will lead to personalized mobile wallets or payment technologies with predictive capabilities built in. IoT might extend to other transaction or authentication technologies, and some banks or companies are already experimenting with voice recognition, facial recognition, various kinds of chips, even pulse recognition as the identification-verification step needed for payments.
As for facilitating payments, as Ingenico points out, the IoT payment solution will need an infrastructure based on cloud architecture and connectivity. This would call for standardization in the payments process.
Gap between retail and travel
Despite the unique and inherent attributes that have shaped travel into a silo industry, airlines and OTAs alike are coming to the conclusion that the gap between travel and traditional retail is reducing. This is due in part to the growth of ecommerce and the evolving demands of today’s consumers. As a result, a competitive advantage will be given to those companies that think outside the box when it comes to payment acceptance.
Conversion has always been a hot topic, but with the transformational changes in payments, gaining a competitive advantage takes a lot more than layout and price. Similar to what has transpired with big box e-tailers, the changes in consumer behavior today foretell significant innovation requirements for travel and airlines, as asserted by Chargebacks911’s COO, Monica Eaton-Cardone. In a recent interaction, she pointed out that e-commerce leaders such as Amazon and Apple have pioneered efforts that will forever change the way buyers and sellers view commerce, but even before the hype of today’s frictionless frenzy, payment methods and options were evolving. Loyalty programs advanced to store credit, financing options such as “Bill Me Later” became a popular contender, and a variety of monthly recurring options with the addition of new value add-ons helped curb profit requirements in order to support price wars—which are still going on today.
When it comes to airlines, the breadcrumb trail has already been laid. Loyalty programs offer dwindling promises as airlines are forced to follow the footsteps of other industry pioneers that faced similar issues.
There could be fraud risk with emerging payment options, and passengers do worry about the security and privacy of their information, especially when it is stored in the cloud or available in online databases. The good news is that travel isn’t the first industry to test out these emerging options. Effective management strategies, first designed for the pioneering retail sector, are available and scalable for travel. Solutions are derived from rule-based service policies and intelligent feedback.
As for payments, the real challenge is that each payment method has its own risk factors. It’s necessary to plan accordingly—for each different payment method you accept or new technology you embrace, carefully research any security vulnerabilities, and have a solution in place to mitigate that risk.
But airlines would need to respond swiftly to emerging developments in the retail sector.
The fact is, today’s customer is a very different consumer than those of the past, and the gap between travel and retail is closing quickly. In order to compete, conversion is king. This means being able to identify your customer’s wants and needs, then serving up options that meet or exceed those expectations.
First published on 8th December, 2016
Ai Editorial: As the devices that can be connected to the Internet expand, wrapping up a shopping experience by paying on these devices would be a logical progression. So airlines need to gear up for all that IoT can do to facilitate a transaction, writes Ai’s Ritesh Gupta
Technology that augments your decision-making is enamouring.
Imagine this – a family is in a car, and one member’s smartphone is connected to it. The family decides to go on a holiday. A digital assistant (could be a smartphone service or an app) is being posed questions, and itineraries are getting flashed on the screen in the car. And the screen is also displaying things to do, weather-related information etc. Five itineraries are short-listed. The user sees these options in the smartphone app, and ends up booking.
Going by all that is being talked about – seamlessly moving between connected devices and turning any Internet connection into a commerce experience – this makes technology enticing.
IoT and seamless experience
Between the Internet of Things and emergence of concepts such as wearable technology, the travel booking funnel is getting split and fragmented – marked by a number of sessions across devices. There is huge pressure to understand the profile, intent, context/ booking phase, location, device etc.
The IoT assumes that information and data will flow seamlessly and securely from one device or one party to another, where it can be accessed and used immediately, says Kristian Gjerding, CEO of CellPoint Mobile.
“If the IoT keeps track of the items you intend to purchase, it can automatically tally the payment and process the payment as soon as it connects to the nearest payment terminal or app and verifies the customer's information and data,” says Gjerding. “The IoT will remove even more layers and more steps that are now involved in shopping and paying for goods and services – such as the IoT-connected refrigerator that senses the absence of baby formula and orders it automatically.”
The value of IoT commerce is that it can make our lives smarter and simpler.
So how can airlines evaluate the potential of IoT commerce at this juncture?
“Everyone knows how frustrating modern air travel can be, and any technology that simplifies that experience for passengers will be a welcome phenomenon,” says Gjerding.
In the airline environment, IoT can:
- connect a passenger’s baggage to his/ her mobile device for real-time tracking and updates.
- create verified IDs from distributed documents, speeding the process of passing through security, customs or boarding a plane.
- be used to provide real-time alerts about flight changes, status updates or emergency notifications.
“The potential of IoT commerce, however, requires airlines to embrace mobility, connectivity and IoT thought processes and strategies now. Because passengers, consumers and technology innovators are moving faster than airlines and retailers when it comes to technology and expectations, and the travel industry needs to play catch-up,” stated Gjerding.
Transactional capabilities of IoT Commerce
The fundamental transaction model is similar to the customary one, featuring a customer, a merchant, an issuer, and an acquirer.
The technologies that are required to process transactions do not change with the IoT – payments still have to go through the usual verification, authentication and security checks that are already in place, says Gjerding.
A traveller transacts, the issuer authorizes the same and the flow of payment runs through to the acquirer and merchant.
“The IoT comes into action because of the role it can play in making transactions and commerce much more seamless, connected and transparent in peoples’ lives,” says Gjerding.
He says airlines should prepare for IoT commerce in the same way that they must prepare for mobile commerce: They must make conscious, tangible commitments to modernizing and streamlining their legacy systems around payments, data collection, data integration, security and other activities. Instead of storing data in separate silos or divisions, the IoT assumes that data can be accessed and acted upon in real time, regardless of where it originates. For airlines, the first order of business is to embrace mobile-first and IoT technologies, and then to make sure that airlines have the right internal expertise, third-party vendors and innovators in place to create real change.
“Instead of thinking about payment processes as a cost center, airlines need to embrace these new technologies and capabilities for their revenue-creating potential. As payments, shopping, travel booking and buying move rapidly away from cash and credit to the mobile and digital environment, airlines need to follow them there in order to capture the revenues that they’re already creating – revenues that will continue to grow as more consumers make the shift to mobile-first payments and as more “things” become connected to each other via the Internet,” explained Gjerding.
Issues related to security and privacy
All customers and passengers worry about security and privacy of their information, especially when it is stored in the “cloud” or available online databases.
Cyber security specialists have been working on roadmaps and architecture of IoT security.
Gjerding says airlines and all businesses must ensure that their payment and security processes meet or exceed the current industry standards, and they must also be open to ongoing security innovation. According to him, blockchain processes, for example, are just one new type of technology that can be used for improving security, verifying identities and authenticating passengers and payments. “No doubt other new technologies, apps and IoT-enabled capabilities will emerge, and all companies – airlines or otherwise – must have their ears to the ground about what’s coming next so that they’re not caught off guard and are fully capable of leveraging and benefitting technology to their advantage,” says Gjerding.
Main challenges in progressing with IoT commerce
The main challenges involve technology and actual implementation.
Gjerding says for IoT capabilities to work, modern devices need to connect to the broader IoT network, and older devices need to be updated or replaced. And even more importantly, the private companies and public agencies involved in collecting and leveraging IoT information need to embrace IoT strategies directly into their organizations and operations, and they need to make sure that policies around data collection and privacy are modern, secure and foolproof.
“Nothing can put the damper on a new technology or bold new idea like lack of consumer trust. There's a balancing act involved – moving quickly enough to stay in touch with the market, revenue streams and travellers’ expectations, but not moving so quickly that critical precautions are overlooked,” he says.
Gestation period
There’s certainly a lot of innovation around the IoT, but broader implementation will take time as the rest of the world catches up to IoT innovation. IoT thinking and increasingly smartphones are leading to more sophisticated digital wallets and mobile payments – which will lead to personalized mobile wallets or payment technologies with predictive capabilities built in. IoT might extend to other transaction or authentication technologies, and some banks or companies are already experimenting with voice recognition, facial recognition, various kinds of chips, even pulse recognition as the identification-verification step needed for payments. Blockchain, a verification-authentication process developed for virtual currencies like Bitcoin, has the potential to evolve and grow as an underlying process for other types of virtual payments, peer-to-peer payments and other transactions.
When it comes to Internet technology and commerce – the sky is the limit, summed up Gjerding.
First published on 14th November, 2016
Ai Editorial: What can reduce an airline’s liability when we talk of chargebacks? Various stakeholders need to jointly improve the situation as there can be instances where airlines and merchants at large can be clueless.
There are multiple stakeholders at risk when it comes to chargebacks. Fraudulently filed chargebacks touch each party in the payment industry.
But is the functioning of the industry in its entirety falling short and ironically rendering most harm to the very consumers it was invented to protect?
The industry cumulatively needs to combat the issue of chargebacks.
As for airlines, today’s solution must be agile and diverse, coupling an evolving defence with effective representment strategies. Do remember - chargeback prevention is much easier than chargeback representment. So plan prevention diligently. If a mistake is legitimate, then disputing the same will be futile. Airlines need to focus on a multi-layer fraud management plan. It should feature complementary tools for all-inclusive protection, rather than counting on just the basic tools. It doesn’t mean that there is a need to use every product available. Neither strategy will effectively minimize risk exposure. For example, any merchant using Address Verification Service along with card security codes or 3D Secure is technically using multiple solutions to prevent fraud. Other options include card security codes, geo-location, device authentication, proxy piercing, biometrics etc. Airlines need to carefully consider a plan that will address their individual threats.
Other stakeholders, too, need to improve:
· Acquiring banks can help reduce the effects of fraud by establishing internal blacklists and developing chargeback triggers for advanced alert notifications.
· Processors who undergo the most stringent underwriting procedures to maximize their KYC (Know Your Customer) compliance will ultimately reap the benefits through helping to ensure their merchants are following best practice methods that work alongside operational efforts to prevent friendly fraud.
· For issuers, additional due diligence is key. Despite the temptation to rapidly resolve a cardholder dispute, additional effort will pay off in the long run for those who consciously work to prevent bad habits from forming in the first place.
Industry issues
It is pointed out that the problem of chargeback fraud has worsened due to operations of banks that offer both issuing and acquiring services.
“There are various entities involved in the chargeback process and each impacts the outcome differently. Some parties help while others hinder. But more often than not, the individual entity isn’t to blame, rather the policies and regulations set forth for the entire industry,” says Chargebacks911’s COO, Monica Eaton-Cardone. Citing an example, she says, ecommerce wouldn’t exist if card networks and issuers hadn’t taken steps to boost consumer confidence when it comes to payment card use and liability. By abating cardholders’ fears about potential losses tied to fraud, networks and issuers have enabled millions of businesses around the world to experience optimum profitability via card-not-present transactions. However, by advertising zero liability, issuers have inadvertently incentivized friendly fraud. On the other hand, cardholders and merchants are both, technically, customers of the card networks. “As you can imagine, appeasing both sets of customers would be a challenge! Unfortunately, regulations often benefit the cardholder while too much onus is put on the merchant. However, networks have made strides in recent years to slightly lessen the merchants’ liability—for example, accepting flight manifests as compelling evidence and MasterCard’s reason code modernization efforts,” explained Monica.
Being meticulous
Despite the hundreds of reason codes used by card networks to categorize chargeback causes, there are actually only three sources of chargebacks: criminal fraud, merchant error, and friendly fraud.
First, merchants need to reduce their exposure to criminal fraud. With the proper technology, customized rule sets, and expert analysis, merchants can significantly reduce the number of unauthorized transactions that get processed. Next, eliminate merchant error. As much as 40% of chargebacks could be caused by the merchant’s own mistakes, oversights, or shortcomings. Ensuring the business’s actions or inactions haven’t actually caused the transaction dispute is essential. An objective and unbiased review of policies and operations can help create an exemplary customer experience and flawless payment processing.
If merchants can eliminate the first two sources of chargebacks, all that’s left to manage is friendly fraud.
“Nearly all reason codes can be used to mask friendly fraud; cardholders disguise their unscrupulous behavior by claiming a variety of falsehoods. Because merchants don’t have any other way to determine the real motivation, they are forced to take reason codes at face value,” says Monica. “Until there is a reason code labeled ‘friendly fraud,’ merchants will forever be engaged in a guessing game—is this claim legitimate or friendly fraud? This uncertainty is what drives merchants’ inaction. Unless merchants couple professional assistance with chargeback management technology specifically designed to identify the true source of the transaction dispute, they’ll only be able to address the obvious cases of cyber shoplifting.”
Issue of legitimacy
If the case isn’t obviously friendly fraud, merchants are left with the great debate of legitimacy. In these situations, many merchants assume it is better to err on the side of caution, as making an incorrect response could inflict severe consequences. Letting friendly fraudsters slip by is better than mistakenly challenging legitimate criminal activity or an error on the merchant’s part. Moreover, the resources demanded by friendly fraud mitigation are usually more than merchants are willing to sacrifice—especially since in-house teams see such limited ROI. Bottom line: merchants aren’t taking great enough strides towards effective friendly fraud mitigation. However, there are numerous factors outside their control that influence their reluctance to make a more substantial effort.
There are countless examples of how friendly fraud is executed. As Monica explains, airlines can suffer from the equivalent of ‘return fraud’ that is perpetrated in any other ecommerce industry. For example, a cardholder buys tickets but later realizes she must change her travel plans. Because she doesn’t qualify for a full refund from the airline, she’ll file a friendly fraud chargeback and claim the purchase wasn’t authorized—when in fact, it was. Card networks have announced they’ll accept the flight manifest as compelling evidence against friendly fraud. However, there are a very limited number of situations where this documentation can actually help. For example, a cardholder buys a ticket so his girlfriend can come visit at Christmas. While she’s there, the two get in a big fight. Grieved that he paid so much money for such a lousy trip, the cardholder disputes the original purchase. Because the cardholder’s name doesn’t match the flight manifest—because the boyfriend bought the girlfriend’s ticket—there is little the airline can do.