- Payment & Fraud Editorials


8th May, 2019

Aer Lingus recently chose to implement the Apple Pay solution on its mobile app. This payment offering was delivered as a part of the airline's new payments hub platform. Ai's Ritesh Gupta assesses how Aer Lingus is strengthening its infrastructure.

 

Consumers are being offered the option to shop via vocal assistants, tapping of their phones, QR codes...the list of new options is enticing. Technology is increasingly making it simple for shoppers to wrap up their tasks. To make the shopping experience complete, retailers are also looking at secure payment acceptance.

In an era where the number of ways in which a customer can pay has risen tremendously, facilitating such a wide variety of payment methods can be an arduous task for airlines. 

But airlines can't fall behind when it comes to embracing such trends in retail and commerce. A shopper doesn't differentiate between product categories. So be it for grocery, books or travel, they expect a similar experience. But a key question here is: are airlines nimble enough to facilitate a transaction via a mobile wallet in a specific market and/or a new alternative form of payment?

"Airlines can’t easily support new payment methods because of the complexities of the systems while legacy systems are lacking robustness that would enable quick adoption of new payment methods," said Vojin Rakonjac, Head of Payment Solutions, Voyego.

Rakonjac asserted that there are several reasons behind airlines' lackadaisical approach when it comes to accepting new payment methods. It is owing to not aptly comprehending a shopper's expectations, not keeping pace with the current trends in mobile commerce/ e-commerce, and lack of technology readiness.

"Unlike other online merchants, airlines have a lot more systems and each performs its core tasks (inventory management, PSS, Reconciliation tools etc.) but there is no dedicated payment system," said Rakonjac. He further explained that, to make things worse, not all of an airline's systems are owned by the airline, so there are many 3rd party vendors to deal with. Because of this complexity, when an airline intends to introduce a new payment method, it needs to change a lot of internal systems to accommodate the data/ flows that are specific to that new payment method. This requires a lot of synchronization with internal departments and 3rd party vendors, and a lot of time and resources to add a new payment method.

"As long as there is no dedicated payment system that is taking on the complexities of the payments, there cannot be an agile environment – because all the systems are impacted," said Rakonjac.

Setting up a robust payment infrastructure

Selling an itinerary featuring multiple destinations or cancelling the same tends to be a complicated scenario for airlines. And this does have its repercussions on the payment side as well.

Rakonjac acknowledged the same and mentioned that payments in airlines are a bit more complex than in other industries.

He said, "For example, if you are buying a book, the worst that can happen is that you can issue a refund. With an airline it is not that simple. When you go to an airline's website, you can: make a booking, manage booking (and change the contents of your basket many times between then and departure, which can be one year from then) and even make payments on Check-In (and still refund at the end if needed). So, for starters, payments in airlines are more complex than what you would find with a typical merchant."

He further added, "However, the biggest issue is not in the complexity of payments, but rather in the complexity of the systems. In order to create a robust payments infrastructure, you will need to make sure that each of the airline systems performs its core competency and to dedicate a single system that will perform payment-related activities. Currently, because there is usually a lack of a dedicated payment system, all of the systems in an airline's infrastructure contribute to payment-related processes in one way or another."

To build a robust payment infrastructure, a dedicated payment system is required. This system needs to cater for all the channels (web, mobile, kiosk, PoS, chatbot, voice etc.) as well as for all the business processes (call centers, airport operations, revenue accounting etc.).

"Once you release the rest of the systems from payment-related activities and delegate it to one system, all of the channels and processes can work on top of the same data making it consistent. Once a change is needed, you make that change in one system and it is instantly available to everyone," said Rakonjac.

While infrastructure is important, it is just one piece of the puzzle. A tailored payment infrastructure, together with an internal team structure in which multiple teams work in sync within an agile environment, paves the way for payment optimization.

Learning from Aer Lingus

Aer Lingus recently launched Apple Pay as a payment method on the Aer Lingus mobile app.

Sharing the experience of working with the airline, Rakonjac said, "Aer Lingus wants to lead in innovation when it comes to payments and follow the latest trends, so they bring more value to their customers. In order to do so, there were a number of challenges to overcome in order to make a robust and future-proof system."

He added, "Firstly, it has to be made sure that one is not building a system that will cater for one payment method only – but rather think a bit into the future and predict possible scenarios. Secondly, one cannot overlook requirements of different departments. Knowing payments is one thing, but knowing airline-specific scenarios and the needs of every department is completely different. Then, you don’t want to build a system that will be limited to a single PSP but to have the flexibility to work with any PSP if the airline wishes to do so with minimum changes (and in some cases, you want to integrate directly with a specific Payment Method)."

Rakonjac also recommended dos and don'ts for introducing digital wallets or any new payment method:

  1. Make sure you support the right payment methods for the regions you operate in, so they are relevant for the customers you serve.
  1. Wherever possible, pre-fill and automate processes so the customer can have a seamless purchase experience, and make sure that the transition between different channels is as easy as possible.
  1. Don’t use some new technology or introduce new payment methods just because other airlines did. Make sure you have a valid reason to do so given many processes become exponentially more complex with the introduction of each new payment method.
  1. Don’t make any changes to the systems if you are thinking of a single wallet – always have a long-term strategy so you can make changes easier later down the road if needed.

Vojin Rakonjac, Head of Payment Solutions, Voyego is scheduled to speak at the ATPS about how airlines can transform the overall payment experience with their current infrastructure on 10th May, 2019.

Follow Ai on Twitter: @Ai_Connects_Us

 


19th April, 2019

Ai Editorial: The PSD2 introduces strict security requirements for the initiation and processing of electronic payments, which apply to all payment service providers, writes Ai’s Ritesh Gupta

 

The impact of PSD2 on e-commerce payments is being probed. This payment services directive in Europe is being associated with a major change in payments and data protection.

Merchants and other stakeholders are evaluating a number of issues. One of the key requirements of PSD2 relates to Strong Customer Authentication (SCA) that will be required on all electronic transactions in the European Union from September this year.

Also a critical area from a consumer’s perspective is how their shopping experience is going to be impacted.

The PSD2 introduces strict security requirements for the initiation and processing of electronic payments, which apply to all payment service providers. Stakeholders are evaluating many areas: What exactly are SCA requirements under PSD2? How are acquirers and PSPs gearing up to respond? How can digital merchants, such as travel e-commerce players, deal with stepped-up authentication requests as a result of SCA? How are transaction costs going to evolve?

Impact on CX

For any merchant it isn’t easy to implement any move that results in friction in shopping. For instance, many fraud prevention methods force a trade-off between maximising revenue and minimising fraud: with more rules and the implementation of 2FA or multi-factor authentication, fraud rates can be lowered, yet more genuine customers will be blocked; on the other hand, with fewer rules and lax authentication to maximise revenue, merchants will be more vulnerable to fraud attacks. And now with PSD2, the SCA requirements will add friction to the e-commerce payment process. A major question here is how to cut down on cart abandonment. “Merchants have to be proactive in understanding implications. For instance, evaluate the efficacy of direct debits – understand the scope of the SCA requirements, in which cases it is needed, and what the associated credit risk is?” recommended a source.

Payment specialists also need to assess scenarios where exemption to SCA is permitted.

SCA will require shoppers to validate themselves with at least two out of the following three methods:

  • Something they know  
  • Something they possess  
  • Something they are  

As explained by Worldpay, there’s no need to go through SCA for:

  • Trusted beneficiaries: merchants that are whitelisted by consumers
  • Recurring transactions: regular payments of the same amount to the same business
  • Low-value transactions: payments less than €30
  • Low-risk transactions: payments that have been assessed as low-risk in real-time

CardinalCommerce explains that the SCA requirement “is for transactions between cardholders whose payment cards have been issued in the EEA and merchants located in the EEA. To clarify, if a cardholder with a card issued in the U.S. buys from a merchant located in the EEA, SCA is not required (though an authentication solution is recommended). Conversely, if a cardholder’s payment card has been issued in the EEA and they make a purchase from a U.S. merchant, SCA is not required. These transactions are labeled “one-leg-out” and are out of scope for PSD2-SCA.” Another important aspect – the European Banking Authority “recommends exemptions for payment service providers (PSPs) that adopt risk-based requirements in lieu of strong customer authentication, which ensures the safety of the payment service user’s funds and personal data”.

Another area to assess is 3-D Secure 2.0

From the industry’s perspective, 3-D Secure 2.0 will pave the way for a real-time, protected, details-sharing channel that merchants can use to send an unmatched number of transaction attributes, which the issuer can use without relying on a static password. Overall, it offers enhanced messaging with additional information for better decisions on authentication. As highlighted by specialists, enabling 3DS 2.0 is a way to meet the SCA-related requirements. A payments integration that supports 3DS 2.0 is an industry-standard approach to comply with the new EU laws.

The transaction risk analysis could be done in a couple of places: after the credentials have been supplied (to work out whether authentication was sufficient for the payment) or before prompting the user for credentials.

For shoppers, in many cases device information is enough to authenticate without an extra step for the customer. However, some transactions that carry higher risk, or that fall under regulations such as PSD2, require active approval. Specialists like Adyen have indicated that their respective 3D Secure SDKs help companies build these flows, and there are three primary types to consider: Passive (the SDK and servers exchange all necessary information in the background; the customer sees nothing); Two-Factor (the user is asked to provide a two-factor authentication code sent via email or SMS); Biometric (an app-switch to an issuing-bank app is facilitated by the SDK; the user can use their fingerprint or face in the issuing bank app).

As for its implications - 3DS 2.0 has put a lot of pressure on issuers. According to Emailage, the advent of 3-D Secure 2 globally and SCA in the EU will stop online merchants paying for most card frauds. Card issuers will be challenged to authenticate their clients using new transaction data to which they have previously not had access.

 

Hear from senior executives about PSD2 at the upcoming ATPS (21st Century Customer Experience for Payments & Fraud - Airline & Travel Payments Summit) to be held in London (Brighton), UK  (7-9 May, 2019).


 


First Published on 6th March, 2019

Ai Editorial: Pragmatic ways are emerging to cut down on drop-offs in the mobile booking funnel, and these aren’t just restricted to mobile design and UX.

 

How to ensure a fraction of a second isn’t wasted in delivering a sublime CX? How is authentication of a shopper’s identity being improved upon, while ensuring that a user of a mobile device doesn’t end up being annoyed? How is the tokenization offering being enhanced? How prudent is “guest checkout”?

These and other questions are being evaluated considering new features that are simplifying mobile shopping.

“Customers today want to pay how they want, where they want and they want it to be seamless and they are not willing to wait. In online payments it doesn’t matter if you are selling books or airline tickets – we are all in business of removing friction because in digital era, it is speed that sells,” said Vojin Rakonjac, Head of Payment Solutions, Voyego.

In addition to experimentation and testing that eventually shapes up the payment experience, including the check-out phase, there are other areas that are being focused upon:

  1. Combination of tokenization and cloud: Tokenization facilitates new payment capabilities and enables merchants to adapt quickly to changing market requirements. Another important aspect is protecting sensitive payment card data. To enhance the tokenization offering, specialists are looking at cloud support, and the plan is to accelerate the checkout phase and augment the payment experience. Retailers are going deep and assessing the utility of various cloud offerings. For instance, infrastructure-as-a-service might be for an e-commerce site, whereas platform-as-a-service can layer on services such as threat detection.
  1. Assessing emotional factors during shopping: Irritation is being linked to site navigation; fear tends to surface and increase with the transaction size; and there are security fears as well. And then there are trust issues, too. Shoppers avoid using a payment method even if it is secure if they feel that the company is not wholly to be trusted, according to Klarna. As for coming up with emotionally intelligent online strategies, Klarna recommends nurturing m-shopping habits, embedding ‘one touch pause’ functionality into the online shopping experience to allow consumers to return to the same place, incorporating payment choice by offering alternative options such as deferred payments, ensuring the checkout page isn’t different from the rest of the site/ app experience etc.
  1. Payment options and behind-the-scenes transaction routing: There is a need to evaluate whether the new technology (or any payment method) would result in additional value for the customer as well as the merchant. It is the customer who decides how they wish to pay. Airlines need to design the integrated payment flow across payment options across channels and languages; implement integrated payment transaction and settlement reporting, gear up for multi-currency processing and conversion and opt for payment controls according to the difference of processing by payment types etc. In case of KLM, as reported by Ai, rather than having a payment functionality in each and every front-end, it was decided to set up an independent payment platform or a payment engine. It is connected to “internal” customers/ front-end for payments.
  1. Adhering to regulatory requirements: The payment ecosystem continues to evolve, and one of the driving factors behind this is the set of regulatory moves focused on streamlining digital payments. A development that is being closely followed is the PSD2 in Europe. It introduces strict security requirements for the initiation and processing of electronic payments. One mandatory aspect is to apply so-called strong customer authentication (SCA) when a payer initiates an electronic payment transaction. This would directly impact customer experience (CX) and fraud management. The main consequence for retailers would be around the regulatory changes to reduce fraud that will have a direct impact on the CX. Where SCA is required, biometrics is expected to play a big role, considering availability of features such as fingerprint sensors, voice or facial recognition on smartphones.
  1. Curbing fraud: Merchants, along with payments specialists, are trying to capitalize on the evolution of consumer technology to simplify authentication. One such move is enabling banks to build biometric authentication into their respective apps so that users can use their connected device and their fingerprint, their voice or their face to finish a transaction. The industry is also weighing ongoing improvements, for instance, EMV 3-D Secure Specifications, for a real-time, secure, information-sharing pipeline to authenticate buyers without adding any friction in the buying process.

 


 

 

 


First Published on 2nd March, 2019

Ai Editorial: The final stretch of the PSD2 timeline is a few months away. Various stakeholders in the payment ecosystem have to advance their respective payments security systems so that they meet the regulatory technical standards’ requirement, writes Ai’s Ritesh Gupta.

 

The payment ecosystem continues to evolve, and one of the driving factors behind this is the set of regulatory moves focused on streamlining digital payments.

A development that is being closely followed is the PSD2 in Europe. This payment services directive is being associated with a major change in payments and data protection. The PSD2 legislation came into effect last year, with full operational compliance to technical standards required by August this year.

It is a vital step in the direction of complete Open Banking. This legislation has paved the way for new payment options for shoppers. It extends the digital single market for payments going in and out of the European Economic Area (EEA).

The PSD2 requires banks to expose payments data and to provide the ability to transact (known as “read” and “write” privileges) to 3rd parties. The PSD2 introduces strict security requirements for the initiation and processing of electronic payments, which apply to all payment service providers, including newly regulated payment service providers. Payment service providers will be obliged to apply so-called strong customer authentication (SCA) when a payer initiates an electronic payment transaction. According to the European Commission, “exemptions include low value payments at the point of sale (to facilitate the use of mobile and contactless payments) and also for remote (online) transactions”. The use of SCA is to become mandatory 18 months after the entry into force of the RTS or regulatory technical standards, which also caters for the security of payments that are carried out in batches.

SCA is focused on ensuring attempted fraud goes down and merchants and issuers in the EEA are validating the consumer for all electronic payments.

Important facets of PSD2 are:

  • Stepping up the rights of the consumer and more confidence as they shop online. According to the European Commission, customers will have to give their consent to the access, use and processing of their data. 3rd parties providing payments-related services or TPPs will not be able to access any other data from the payment account beyond those explicitly authorised by the customer. Other areas - better management of complaints, implications on surcharging and currency conversion.
  • Improved security through the SCA criteria.
  • 3rd party access to account details.

One of the major implications of this directive is that it will cut down on transaction costs. As Anthony Hynes, CEO and MD of eNett International, also pointed out in a company blog post, the introduction of this directive means companies have had to “absorb the additional cost from transactions or redirect the cost back to the consumer”. Also, from the travel industry’s perspective, Hynes mentioned that apprehensions were raised considering the fact that players were relying on surcharges, “particularly travel agents with big-ticket items and already slender margins”. As for the bearing on the transactions by travel shoppers, Hynes recommends that travel intermediaries must adhere to two-factor authentication (2FA), and at the same time make it a frictionless experience to encourage repeat purchases from shoppers.

Transition

The industry is currently preparing for the same. Various stakeholders in the payment chain have to advance their respective payments security systems so that they meet the RTS requirements. Talking of open banking, as defined by the RTS, there is a need to facilitate a sandbox setting by 14th March to onboard 3rd parties where testing can be done without exposing any sensitive information.

Other areas include customer experience (CX) and fraud management. Worldpay’s VP Global Retail, Maria Prados, recently underlined that the main consequence for retailers would be around the regulatory changes to reduce fraud that will have a direct impact on the CX. Where SCA is required, biometrics is expected to play a big role, considering availability of features such as fingerprint sensors, voice or facial recognition on smartphones. It is important for merchants to embrace a system that makes sure SCA is exempted in low-risk scenarios. Merchants have already started working on systems that rely on machine learning for astute decision-making. Rather than using a blanket rule that forces every user to log in with 2FA, real-time surveillance can be used to assess logins in the background, and only logins with borderline risks are expected to go through 2FA. This would greatly improve the user experience on the whole, while ensuring that security for accounts is not taken for granted.

The directive mandates changes in how fraud review must be done on intra-EU transactions, pointed out Riskified. A majority of transactions will be reviewed by SCA. This is likely to be 3D Secure 2.0. One of the strengths of EMV 3DS is sharing refined data about the shopper and the transaction so the issuer can validate transactions without affecting the consumer’s checkout experience. At the same time, it is being recommended that merchants should still develop their own fraud tools that are able to tap on their own sources of data for greater efficiency and more accurate detection of fraud.

Payment specialists also need to assess scenarios where exemption to SCA is permitted.

CardinalCommerce explains that the SCA requirement “is for transactions between cardholders whose payment cards have been issued in the EEA and merchants located in the EEA. To clarify, if a cardholder with a card issued in the U.S. buys from a merchant located in the EEA, SCA is not required (though an authentication solution is recommended). Conversely, if a cardholder’s payment card has been issued in the EEA and they make a purchase from a U.S. merchant, SCA is not required. These transactions are labeled “one-leg-out” and are out of scope for PSD2-SCA.” Another important aspect – the European Banking Authority “recommends exemptions for payment service providers (PSPs) that adopt risk-based requirements in lieu of strong customer authentication, which ensures the safety of the payment service user’s funds and personal data”.
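The scope rule quoted above, the exemption list attributed to Worldpay in the 19th April editorial and the two-out-of-three factor requirement can be read as one decision procedure. The sketch below is an added example, not code from any company quoted here, and it models only the rules as these editorials state them; the field names, factor labels and two-value region model are assumptions.

```python
from dataclasses import dataclass

# Regions are reduced to two labels; mapping a card's issuer and a merchant's
# location to EEA membership is assumed to happen upstream.
EEA, NON_EEA = "EEA", "NON_EEA"
LOW_VALUE_LIMIT_EUR = 30.0  # "payments less than EUR 30" in the exemption list

# Constructed mapping of factor labels to the three SCA categories:
# something they know / something they possess / something they are.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "registered_device": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


@dataclass
class Payment:
    issuer_region: str                    # where the card was issued
    merchant_region: str                  # where the merchant is located
    amount_eur: float
    trusted_beneficiary: bool = False     # merchant whitelisted by the consumer
    recurring_same_amount: bool = False   # same amount, same business
    realtime_low_risk: bool = False       # result of real-time risk assessment


def sca_decision(p):
    """Return (sca_required, reason). Scope is checked before exemptions."""
    legs_in_eea = [p.issuer_region == EEA, p.merchant_region == EEA]
    if not any(legs_in_eea):
        return False, "out_of_scope_no_eea_leg"
    if not all(legs_in_eea):
        return False, "out_of_scope_one_leg_out"
    if p.trusted_beneficiary:
        return False, "exempt_trusted_beneficiary"
    if p.recurring_same_amount:
        return False, "exempt_recurring"
    if p.amount_eur < LOW_VALUE_LIMIT_EUR:
        return False, "exempt_low_value"
    if p.realtime_low_risk:
        return False, "exempt_low_risk"
    return True, "sca_required"


def satisfies_sca(presented_factors):
    """True only if the factors span at least two different categories."""
    categories = {FACTOR_CATEGORY[f] for f in presented_factors
                  if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def authorise(p, presented_factors):
    """Combine scope, exemptions and the factor check into one outcome."""
    required, reason = sca_decision(p)
    if not required:
        return "proceed", reason
    if satisfies_sca(presented_factors):
        return "proceed", "sca_satisfied"
    # e.g. password + PIN are both "something they know"
    return "step_up", "factors_from_one_category"
```
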

 


 


First Published on 18th February, 2019

Ai Editorial: Rather than relying on archaic methods, travel companies should look at dynamic multi-factor authentication, behavioral analytics and machine learning to combat loyalty fraud, writes Ai’s Ritesh Gupta    

 

The threat of account takeover (ATO) is being keenly followed and one of the reasons is the overall damage that it can cause to loyalty programs. 

No doubt the focus of fraudsters is now set on loyalty points/ miles. According to Connexions Loyalty, travel accounts make an attractive proposition on the dark web, with airline loyalty accounts priced at $3.20-$208 each.

Fraudsters get access to stolen credentials from a number of sources:

• From data breaches, sold on the dark web

• Phishing with fake websites

• Malware, trojans, spyware

• Social engineering

• Hijacking a mobile device

Fraudsters can choose to either redeem the points for rewards for a travel product or sell the points for cash or transfer the points into a shell account. They can also use saved payment details if available.

The mayhem being created is multi-layered, and airlines are suffering on various counts.

Loyalty fraud isn’t just about an account being accessed or taken over illegitimately. A fraudster can complete a transaction via stolen credit card information, garner points/ miles for the transaction and eventually redeem the same for an airline ticket. On one hand, the airline has to face the chargeback process and loses out on the transaction amount generated through the airline ticket transaction. They end up paying chargeback fees if purchases were made with fraudulent credit cards. On the other, the airline has to salvage the situation as it has to ensure the loyalty currency accrued remains with the FFP member since it wasn’t used by them.

 

Also, as airlines look for more redemption options, the loyalty currency can be used for a variety of product categories. So ATOs and loyalty fraud are becoming more attractive for fraudsters.

With all this, the trust the traveller has reposed breaks, and it is extremely tough for any brand to salvage an association that has gone sour. Other than brand damage, the negative impact can also be measured in terms of revenue loss and operational costs.

Putting apt measures in place 

According to CashShield, one of the reasons that ATO attempts are rising is not only due to the growing value of FFPs, but also because of lack of stringent security. The problem arises owing to the fact that an FFP account isn’t checked frequently. Connexions Loyalty highlights that 1 out of 3 customers will log in to check their accounts once every few months. According to Kount, 34% of loyalty program consumers only log into their accounts every few months and 23% check account balances even once a month, providing a huge window of opportunity for fraudsters to operate undetected for weeks. So if an account gets hacked, manipulated or misused, the chances of the real owner raising an alarm are low.

Fraud prevention specialists are recommending several measures:

1.     Username/ password combination isn’t enough. Imagine the number of data breaches that have taken place over the past few years. Since users don’t really change passwords and have same ones for multiple accounts, one hack means the combination of email ids and username/ password can be cracked for a loyalty program, too. Explaining how it works, Ravelin states that credential stuffing depends on ‘combo lists’ - lists of passwords and emails generally gathered from various data breaches. The combinations are then routinely run against a login with any successful attempts logged. This is usually referred to as account ‘cracking’.

It is vital to keep a vigil on accounts for anomalies to effectively notice the behavior of genuine and fraudulent customers. According to companies like CashShield and CyberSource, companies should analyze user behavior throughout the entire journey- including account creation and login, any account activity and also at the point of transaction such as redemption of points. Forter rightly points out that from the moment a customer logs onto a website, to redeeming loyalty points or entering a coupon code, their shopping journey is rich and simultaneously vulnerable to new methods of exploitation.

Ravelin recommends also watching for tools that may indicate suspicious activity, such as headless browsers, VPNs, proxies etc.

2.     Machine learning technologies are emerging as an astute option to secure accounts. The efficacy of machine learning, especially real-time machine learning, can be explored for account protection. Rely on both supervised and unsupervised machine learning to comprehend both the historical patterns of use, as well as identify anomalies. According to CashShield, behavioral analytics with pattern recognition will be able to accurately filter fraudsters away from genuine users.

3.     Identity authentication: Technologies like behavioral biometrics, device fingerprinting etc. need to be focused upon for stringent screening. As Kount points out, these technologies allow a level of identity authentication to ensure that the person behind the screen is the real consumer. It is time to capitalize on options that put a merchant in a position to accept, reject, or challenge users to authenticate themselves before the event can occur.

4.     Avoiding unnecessary friction: Merchants are relying on two-factor authentication (2FA), but 2FA is not completely foolproof (susceptible to SIM hacks, SIM swaps) and unnecessarily impacts the user’s experience. Rather than using a blanket rule that forces every user to log in with 2FA, real-time surveillance can be used to assess logins in the background, and only logins with borderline risks are expected to go through 2FA. This would greatly improve the user experience on the whole, while ensuring that security for accounts is not taken for granted. Companies like iovation recommend a dynamic, context-aware multi-factor authentication solution which, once integrated with a mobile app, features multiple parallel authentication methods such as validating possession of a customer’s phone, pin codes, text verification, fingerprint scan etc. The focus is on deep analysis of the login device to make sure it is one that is registered to the account.

5.     Beware of archaic methodologies: Sift highlights that measures such as putting a limit on how customers can earn points and spending requirements to accrue points shouldn’t be looked at. If an airline continues to deploy inefficient methods, then it would mean weak operational efficiency. This would result in a failure to ensure that more transactions can be processed without delay. Plus, a risk-averse manual reviewer, fearing increased chargeback rates, will reject borderline transactions as well. This is where the combination of humans and technology, e.g. using machine learning to go through massive data sets and flag potentially fraudulent behavior, is a must. The call for full-machine automation can’t be ignored but it would depend upon the overall risk appetite of the merchant.

As Ravelin asserts, fraud never stays still. So merchants need to make swift progress to shield themselves from loyalty fraud.

6.     Dealing with intricate data environments: Airlines are scrutinizing and even executing plans to embrace cloud transformation, banking on open-source offerings rather than being bogged down by proprietary technology. Enterprises must take on responsibility for ensuring data protections like encryption, tokenization, and masking within their environments, or ensuring the data's protection when it moves between SaaS applications or migrates to another application.

 

Hear from senior executives about loyalty fraud at the upcoming ATPS (21st Century Customer Experience for Payments & Fraud - Airline & Travel Payments Summit) to be held in London (Brighton), UK  (7-9 May, 2019).


Follow Ai on Twitter: @Ai_Connects_Us

 


First Published on 5th February, 2019

Ai Editorial: Pretexting, baiting, email spoofing… these and many more are malicious acts of manipulating human psychology to gain access to personal or financial information to commit fraudulent transactions. Ai’s Ritesh Gupta finds out more about social engineering

 

As much as consumers today are being alerted not to share their personal information that can eventually result in a fraudulent transaction, the fact that it continues to happen means fraudsters tend to win in this battle of psychological one-upmanship.

Manipulating human psychology is often referred to as social engineering. Merchants and fraud prevention specialists are continuously looking at ways to combat social engineering. It is a tactic used by fraudsters to lure consumers into downloading malware or providing their confidential information for identity theft (seeking personal information, login details, passcode for online banking etc.). Another method is the internationalized domain name (IDN) homograph attack, in which a malicious party deceives computer users about which remote system they are communicating with by exploiting the fact that many different characters look alike.
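A defender-side check for the homograph trick described above, as an added example that is not part of the original editorial: it decodes each hostname label and flags labels that mix scripts or that collapse to a protected brand name. The look-alike table, the protected names and the sample hostnames are constructed for illustration.

```python
import unicodedata

# Constructed subset of look-alike characters; a production check should use
# the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                 # Cyrillic
    "\u03bf": "o",                                               # Greek omicron
}
PROTECTED = {"example", "pay"}  # constructed brand labels to protect

def to_ace(label):
    """Build the xn-- (punycode) form of a label; used for the samples."""
    return "xn--" + label.encode("punycode").decode("ascii")

def decode_label(raw):
    """Return the Unicode form of one DNS label."""
    raw = raw.lower()
    if raw.startswith("xn--"):
        return raw[4:].encode("ascii").decode("punycode")
    return raw

def scripts(label):
    """Scripts used by the letters of a label, taken from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}

def skeleton(label):
    """Replace known look-alike characters with their ASCII twin."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def check_hostname(host, protected=PROTECTED):
    """Return (raw, decoded, reasons) for every suspicious label."""
    findings = []
    for raw in host.rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            findings.append((raw, raw, ["invalid punycode"]))
            continue
        if label.isascii():
            continue  # plain ASCII labels are out of scope for this check
        reasons = []
        if len(scripts(label)) > 1:
            reasons.append("mixed-script")
        if skeleton(label) in protected:
            reasons.append("imitates " + skeleton(label))
        if reasons:
            findings.append((raw, label, reasons))
    return findings

if __name__ == "__main__":
    samples = [                                  # constructed hostnames
        "example.com",
        to_ace("ex\u0430mple") + ".com",         # one Cyrillic letter
        to_ace("\u0440\u0430\u0443") + ".com",   # entirely Cyrillic
        to_ace("m\u00fcnchen") + ".de",          # legitimate IDN
    ]
    for host in samples:
        print(host, check_hostname(host))
```

The all-Cyrillic sample passes a mixed-script test and is caught only by the skeleton comparison, which is why both checks are applied.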

Also, since the situation is already precarious as fraudsters have considerable access to emails, phone numbers, and other PII credentials, it is time further damage is curtailed by keeping a tab on social engineering.

According to INTERPOL, social engineering fraud can be divided into two main categories: mass frauds, which use basic techniques and are aimed at a large number of people; and targeted frauds, which have a higher degree of sophistication and are aimed at very specific individuals or companies. While the scams themselves differ, the methods used by criminals generally follow the same four steps: Gathering information; Developing a relationship; Exploiting any identified vulnerabilities; Execution.

Attacks include vishing (telephone fraud), smishing (text message fraud) and phishing (email fraud that seeks a password or delivers an attachment infected with malware or spyware, typically through fraudulent emails that claim to be from your bank, credit card provider or an established website). Attackers usually send well-crafted emails with seemingly legitimate attachments that carry a malicious payload. Phishing is mainly used for emails, but it can be used in text messages, social media posts and instant messages, too. Another way is intentionally leaving behind USB sticks or other storage media that contain malware. Also, by hacking email accounts, a cybercriminal accesses an individual’s e-mail account and sends messages to their friends, relatives or colleagues claiming to be in trouble, for example, and needing money.

Being watchful   

Social engineering may involve much more work for the fraudster. But these types of fraud are not easy to spot since they feature a real person participating in the transaction or any other activity. Experts point out that consumers can play their part in curbing such attacks by being alert or responding with vigilance. With due diligence, one can make it tough for social engineers to get what they are seeking illegitimately.

Certain areas to watch out for:

·          If the offer is too alluring or incredibly unusual, then don’t take action. For example, don’t share bank details to buy a free London-Chicago ticket!

·          Do check the spelling. The subject line or the sender of such an email is generally not spelled correctly, and poor grammar and spelling are common in emails and letters sent by fraudsters.

·          Don’t download any attachments or click on any links, unless it is from a known sender.

·          Don’t share personal information that is generally not shared or is meant to be protected.

·          Don’t lose control over your device - a fraudster can impersonate and offer free anti-virus software. Once the user installs the software, the fraudsters can take over their device.

·          Beware of even unusual offers – free servicing of a computer or any promotional offer for your mobile device.

·          Do not send identification documents, not even copies, in response to an unknown person.

·          Avoid putting all details on open social media pages.

Other than simply being careless, there are instances where consumers react in a certain situation because an emotion takes over – it could be fear, curiosity, desire etc. Examples include malware campaigns on social networking sites (it could be an enticing video on Facebook), gambling-related scams, cancer fraud etc.

A social engineer will always find a new way to do what they do. So controlling social engineering isn’t a straightforward task, but a lot can be done via education. Also, a mixed tactic of simulated social engineering attacks combined with interactive training modules is a way to prepare for such situations. Intermittent cyber security appraisals are also essential, because as organizations evolve, they change — and the information flow, too, changes within the company.

 

Upcoming Webinar: The Loyalty Fraud Prevention Association (LFPA) is set to host a webinar featuring a short presentation from SEON on what social engineering is and how it can be used to improve fraud prevention capabilities. Date: 14th February.


7th June, 2019

Ai Editorial: CyberSource has highlighted that effective fraud management requires the careful balance of three interdependent dimensions, reports Ai’s Ritesh Gupta

 

Payment and fraud executives have to be crafty enough to ensure that genuine customers aren’t denied an opportunity to complete a transaction or even face hiccups with added friction. At the same time, merchants can’t afford to be a victim of fraud owing to weak authentication or fraud prevention mechanism.  

CyberSource ( https://www.cybersource.com/), in its latest report – the 2019 Global eCommerce Fraud Management Report Asia Pacific Edition, has highlighted that effective fraud management requires the careful balance of three interdependent dimensions –

·          Delivering a positive experience for genuine customers and maximising the acceptance of genuine orders - The balancing act, as highlighted by Ai previously, is about being proficient in validating a buyer, and such verification shouldn’t interrupt the manner in which they interact and transact with a business. Merchants need to look at new regulations, what sort of action is required and its impact on the user experience, and also the flexibility of consumers when it comes to additional measures that are being taken for authentication. One way to differentiate between transactions is the risk associated with them.

·          Accurately detecting and rejecting fraudulent orders to minimise fraud losses - Merchants need to leverage the prowess of data-driven, artificial-intelligence powered offerings for combatting fraud. Rules-based systems are in general reactive and probabilistic solutions, which is why they are unable to prevent fraud before it happens. Rather than using a blanket rule that forces every user to log in with 2FA, real-time surveillance can be used to assess logins in the background, so that only logins with borderline risk are expected to go through 2FA. Merchants should still develop their own fraud tools that are able to tap into their own sources of data for greater efficiency and more accurate detection of fraud.

Real-time machine learning can help against blanket blacklists and whitelists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transaction to identify fraud patterns. Deploying a multidisciplinary approach combining different technologies - both supervised and unsupervised machine learning - would better equip merchants for fraud management. Unsupervised machine learning can be used to learn on the fly and identify fraudulent patterns even without having been trained with historical data, i.e. it is able to identify unknown fraud attacks. Thereafter, predictive analytics may still be used to run the probabilities of fraud, giving a risk score.

CyberSource indicated that, in particular, enterprise organisations tend to be more proactive with their fraud strategies because the financial and reputational ramifications of fraud can be far reaching.

·          Efficiently managing the operational costs of fraud management activities – The report also shared that as in other regions, minimising operational costs is generally a lower priority for businesses in Asia Pacific.

The report also highlights that it takes “constant recalibration and fine-tuning of fraud management controls and processes to keep achieving the best balance”.
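The background risk assessment described above (and in the earlier item on avoiding unnecessary friction), sketched as an added example that is not from CyberSource, iovation or the original editorial: each login is scored, only the borderline band is challenged, and the challenge prefers device-bound factors over text verification because of SIM swaps. The signal names, weights and thresholds are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Login:
    device_registered: bool   # device fingerprint already bound to the account
    new_country: bool         # location not seen before for this account
    failed_attempts: int      # failed logins in the last hour
    behaviour_anomaly: float  # 0.0 (typical) .. 1.0 (atypical), from a behavioural model

# Assumed thresholds; these are the controls that get recalibrated against
# chargeback and false-decline data.
ACCEPT_BELOW = 30
REJECT_FROM = 70

# Device-bound factors first; SMS last because of SIM-swap exposure.
FACTOR_PREFERENCE = ["fingerprint", "app_possession", "pin", "sms"]

def risk_score(login):
    """Combine the login signals into a 0-100 score (assumed weights)."""
    score = 0 if login.device_registered else 30
    score += 20 if login.new_country else 0
    score += min(login.failed_attempts, 5) * 5
    score += round(login.behaviour_anomaly * 25)
    return min(score, 100)

def pick_factor(enrolled):
    """Strongest enrolled factor, or None if the account has none."""
    for factor in FACTOR_PREFERENCE:
        if factor in enrolled:
            return factor
    return None

def evaluate(login, enrolled):
    """Return (action, factor): accept silently, challenge, or reject."""
    score = risk_score(login)
    if score < ACCEPT_BELOW:
        return ("accept", None)
    if score >= REJECT_FROM:
        return ("reject", None)
    factor = pick_factor(enrolled)
    # A borderline login that cannot be challenged is not waved through.
    return ("challenge", factor) if factor else ("reject", None)

if __name__ == "__main__":
    # Constructed logins: known device, new device, and an obvious attack.
    print(evaluate(Login(True, False, 0, 0.2), {"sms"}))
    print(evaluate(Login(False, False, 0, 0.2), {"sms", "fingerprint"}))
    print(evaluate(Login(False, True, 5, 0.8), {"sms", "fingerprint"}))
```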

6 characteristics of the masters of balance, according to CyberSource:

1.     Have a lower chargeback rate

2.     Are more likely to rate ecommerce fraud management as extremely important to their business strategy

3.     Find it less challenging to respond to emerging fraud attacks

4.     Have a greater range of capabilities that give them agility to respond to the dynamic landscape they operate in

5.     Have a greater capability to use data effectively for fraud management

6.     Are less likely to conduct manual review, and spend less in this area

 

Hear from senior executives about the balancing act at the 8th Annual ATPS Asia-Pacific to be held in Penang, Malaysia (27-29 August, 2019).

 



24th June, 2019

Regulations like PSD2 are paving the way for new services and faster payments. PSD2, or the payment services directive in Europe, is being associated with a major change in payments and data protection, and it is expected to fundamentally change the value chain.

"PSD2 is opening up the (payment) industry, and breaking the monopoly of certain players on accepting payments," said Simon Eve, Head of Travel, Trustly.

Banks are beginning to expose their data for use by third parties, in particular fintech companies, through open APIs. The use of open APIs to simplify back-and-forth messaging that takes place during the course of a transaction is coming to the fore. Other than authentication, another area to watch out for is improved security. It has to be guaranteed that data is secure, and external services have access only to the controlled data that the consumer has permitted and that the bank has assigned.  

Simon, who was in Brighton, UK, for Ai’s ATPS (13th ATPS Worldwide Event), added that the fintech sector is looking at offering instant, real-time bank transfer to airlines.

Simon spoke in detail about payment-related complexity and how it is being taken care of when dealing with multiple players, how airlines today are in a position to localize their payment options in a region like Europe, fraud prevention etc.

By Ritesh Gupta



First Published on 31st January, 2019

Organizations need to reassess their respective data security and encryption strategy as they embrace cloud propositions and gear up for regulatory and compliance mandates, according to a new report.

 

Digital transformation today is being equated to an enterprise-wide, cross-functional undertaking, with key drivers being enhancing the customer experience, cutting down on operational costs and creation of new services or revenue streams.

Rather than just modernizing IT infrastructure, organizations are going deeper – right from the ownership to banking on cross-functional, collaborative groups for the entire organization to eventually gear up for playing an “infinite game”.

At the same time, as organizations plan to take advantage of cloud, mobile, social, and the Internet of Things, the rush to digital transformation is putting sensitive data at risk for organizations worldwide, according to the 2019 Thales Data Threat Report.

The report, based on a survey of 1,200 executives with responsibility for or influence over IT and data security, has stressed that shielding “sensitive data” is becoming increasingly complicated.

Dealing with intricate data environments 

The decision to focus on the cloud or multi-cloud environments is a part of the transformation being planned. Airlines are scrutinizing and even executing plans to embrace cloud transformation, banking on open-source offerings rather than being bogged down by proprietary technology. Considering the complexity of the IT set up that this industry has, there are options available to integrate applications, data and processes across both on-premises and cloud environments. There are 3 models for cloud computing - Infrastructure as a Service, Platform as a Service and Software as a Service. Managing infrastructure and domain-specific IT systems for retailing, real-time data intelligence, running a digital asset on a purpose-built, multi-cloud set up, payment optimization etc. are among the initiatives that airlines are undertaking to keep pace with their customers in the digital economy.

But this shift is also being referred to as a hurdle to working out apt data security action. This complexity is listed over other issues such as employee needs, budget issues and ensuring organizational go ahead.

The situation demands a thorough introspection. For instance, in order to ensure not even a single second of a shopper is wasted during the check-out phase, progress in this arena is being made in the form of regional cloud support, an initiative that can bridge the gap between an airline and a passenger irrespective of the location. So how would such an initiative help? Since every second counts, payment specialists are curbing any delay in mobile load times. So it means every aspect of modern commerce needs to be studied in detail.

Recommendations from the report:

·          Cloud security must be seen as a shared security model between the enterprise customer and the PaaS, IaaS, or SaaS provider.

·          Enterprises must take on responsibility for ensuring data protections like encryption, tokenization, and masking within their environments or ensuring its protection when the data moves between SaaS applications or migrates to another application.

Other key findings listed in the report:

·          Concerns related to mobile payments include fraudsters using mobile payment apps for account takeover, new account fraud, exposure of PII, weak authentication protocols, and potential exposure of payment card information.

·          The main data security concerns around IoT include attacks on IoT devices, lack of frameworks and controls, and protecting sensitive data through encryption and tokenization.

·          Leading data security concerns regarding big data include sensitive data residing throughout the environment, data quality concerns, and privacy violations from internationally-originated data.

 

Hear from senior executives about data breaches at the upcoming ATPS (21st Century Customer Experience for Payments & Fraud - Airline & Travel Payments Summit) to be held in London (Brighton), UK  (7-9 May, 2019).


 


First Published on 24th January, 2019

 

Payments are going digital and the increased speed of adoption is being driven by multiple factors. These include an abundance of new electronic payment methods—many of which are layered on top of existing payment methods—focused on convenience, speed and the overall consumer experience.

 

According to a recent report, Key Trends in Digital Payments Markets and Strategic Infrastructure, developed by The Initiatives Group and sponsored by Equinix, the key trends currently shaping digital payments markets around the world are:

 

·          Real-time payments (To date, discussions about real-time payments have been dominated by the core functionality—speed, availability and rails on which money is moved, together with the challenges associated with their implementation. However, conversations are now shifting towards value-added products and services that an enhanced infrastructure will allow financial institutions (and others) to bring to market);

 

·          Regulatory interventions—often focused on streamlining digital payments (regulators are seeking to capture the economic efficiencies embedded in electronic transactions, and to drive increased competition and innovation by opening up customer banking data to third parties. Regulators are also continuing to scrutinize and assert control around the costs associated with electronic payments, to ensure that their widespread adoption is not hindered (and related efficiencies gained), and there is transparency in pricing (with consumers and businesses able to make valid comparisons));

 

·          Open banking—potentially bringing new players into the arena (As with real-time payments, open banking will facilitate the creation of new products and services, driven by regulation and enabled by advances in technology. While this will continue the commoditization of transaction banking, it also brings new opportunities to add value through data).

 

 

 

The study highlights that the handling of the payment, the ability to recognize returning customers and the cross-linking of potential offers need to happen fast and securely, and be delivered efficiently and locally to users. It is critical to choose an interconnection and co-location provider based on its ability to reach all target users, interconnect the required cloud and payment partners, and integrate the required payment rails and governance controls.

 
