Ai Editorial: Scammers step up game with Coronavirus phishing emails

16th March, 2020

Ai Editorial: Cybercriminals are trying to capitalize on the outbreak of Coronavirus Disease 2019 (COVID-19) by sending a high volume of phishing emails related to the disease, writes Ai’s Ritesh Gupta


Are you about to open a Coronavirus-related malicious file? Or have you already inadvertently opened one?

We all need to be aware of phishing emails that are being sent by scammers, fraudsters and hackers. These emails feature files in various formats that are disguised as documents relating to the newly discovered Coronavirus. Fraudsters are counting on public fear as they design malicious email campaigns, hoping it will lure users into clicking on a link or opening an attachment. So avoid clicking on links in unsolicited emails.

Typically, emails featuring information about COVID-19 are being sent from seemingly legitimate organizations. For instance, a malicious email falsely claiming to be from the U.S. Centers for Disease Control and Prevention is in the news. Such emails generally ask the user to open an attachment to see the latest statistics, or even make online offers for vaccinations. Or scammers come up with recommendations or medical advice to protect one against the coronavirus. If a user clicks on the attachment or embedded link, they end up downloading malicious software onto a device. The malicious software paves the way for illegitimate access to, or damage to, computers, and can possibly lead to identity theft as well.

Cybercriminals have also targeted employees’ workplace email accounts. Plus, according to Norton, scammers have posted ads that claim to offer treatment or cures for the coronavirus. The ads often try to create a sense of urgency — for instance, “Buy now, limited supply.”

Verify before taking action   

We have to be suspicious of an email that creates a sense of urgency or demands immediate action. Take your time and check who has sent the email – look at the email id, for instance. Do not open attachments without first making sure the request is authentic.

It is becoming increasingly difficult to identify malicious emails. Acknowledging the threat, the World Health Organization (WHO) has admitted that fraudsters are posing as representatives of the organization to steal money or sensitive information. WHO has asserted that if one is contacted by a person or organization that appears to be from WHO, then one must confirm their genuineness before responding. There are appeals for funding or donations that aren’t related to WHO.

WHO will:

  • never ask for your username or password to access safety information
  • never email attachments you didn’t ask for
  • never ask you to visit a link outside of 
  • never charge money to apply for a job, register for a conference, or reserve a hotel
  • never conduct lotteries or offer prizes, grants, certificates or funding through email.

How to prevent phishing - a user would need to take extra steps, but these aren’t really tough things to do. They might take more time than usual to access information, but it is worth it if one can avoid falling victim to such phishing email scams:

  • Check senders’ details by verifying their email address (for instance, compare the official id of the organization with the email id in the message and see if they match)
  • Check the link before you click. Verify file extensions of downloaded files. Documents and video files don’t use the .EXE file format.
  • Be extra vigilant before sharing personal details (for instance, what’s the need to share username and password, why it is being asked for)
  • Do not click or act in a situation of urgency
  • Don’t be frightened (change credentials for a login in case you have participated/ given consent for something suspicious)
  • Ignore online offers for vaccinations
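The checks in the list above can be run mechanically over a raw message before anyone opens it. The following Python sketch is an added example, not part of the original editorial; the organisation name, the `health.example` domain, the extension lists and both sample messages are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Assumption: display names the recipient trusts, mapped to the official domain.
# "health.example" is a constructed placeholder, not a real organisation's domain.
OFFICIAL_DOMAINS = {"example health agency": "health.example"}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar", ".lnk"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".mp4", ".jpg"}
URGENCY = re.compile(r"\b(urgent|immediately|act now|buy now|limited supply)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def in_domain(host, official):
    """True only for the official domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == official or host.endswith("." + official)


def triage(raw):
    """Return the names of the checks from the list above that a message fails."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    claimed = next((domain for name, domain in OFFICIAL_DOMAINS.items()
                    if name in display.lower()), None)

    # Sender check: the display name claims an organisation the address is not from.
    if claimed and not in_domain(sender_domain, claimed):
        findings.append("sender-mismatch")
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        findings.append("reply-to-mismatch")

    # Link check: every link in the body must stay inside the claimed domain.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {urlparse(url).hostname for url in URL.findall(text)}
    if claimed and any(not in_domain(host, claimed) for host in hosts):
        findings.append("link-outside-official-domain")

    # Attachment check: documents and videos do not end in an executable extension.
    for part in msg.iter_attachments():
        suffixes = PurePosixPath((part.get_filename() or "").lower()).suffixes
        if suffixes and suffixes[-1] in EXECUTABLE_EXT:
            findings.append("executable-attachment")
            if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXT:
                findings.append("double-extension")

    # Urgency check: pressure wording in the subject or body.
    if URGENCY.search(f"{msg.get('Subject', '')} {text}"):
        findings.append("urgency-language")
    return findings


def build_sample(phish):
    """Constructed test messages; every address and host is a placeholder."""
    msg = EmailMessage()
    msg["To"] = "staff@corp.example"
    if phish:
        msg["From"] = "Example Health Agency <alerts@health-example.invalid>"
        msg["Reply-To"] = "collect@mailbox.invalid"
        msg["Subject"] = "URGENT: latest COVID-19 statistics"
        msg.set_content("Open the attachment immediately or sign in at\n"
                        "http://health.example.login.invalid/stats\n")
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="octet-stream",
                           filename="covid19_statistics.pdf.exe")
    else:
        msg["From"] = "Example Health Agency <news@mail.health.example>"
        msg["Subject"] = "Weekly bulletin"
        msg.set_content("Read the current advice at\nhttps://www.health.example/advice\n")
    return msg.as_string()


if __name__ == "__main__":
    for label, phish in (("suspicious", True), ("benign", False)):
        print(label, triage(build_sample(phish)))
```

The link in the suspicious sample starts with the official domain but belongs to a different one, which is why the check compares the end of the hostname rather than searching for the name anywhere in it.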

Ai Editorial: Dealing with fear associated with fraudulent transactions

11th March, 2020

Ai Editorial: There is a much bigger loss in revenue when a merchant declines transactions without taking the initiative to dig deeper. One needs to learn how to manage risk and how the use of machine learning can contribute to the same, writes Ai’s Ritesh Gupta


The way travel merchants differentiate between a fraudulent and legitimate transaction is evolving, and one aspect that has stood out relates to managing the risk.

Rather than avoiding risk altogether, the approach is to pave the way for more revenue based on a bigger risk appetite. A key learning: there is a much bigger loss in revenue when a merchant simply declines transactions than when it risks clearing a fraudulent one and learns from what is being done. The time has come when the focus must be on managing false positives better.

Monica Eaton-Cardone, COO of Chargebacks911, asserts that the fear of fraud is a huge issue, and for merchants, it comes with a burden of $118 billion every year.

“That’s roughly 20% of total US e-commerce spending in 2019. But here’s the real shock: while $118 billion is an almost unbelievable figure, reports show merchants spend 10 times that much trying to prevent chargeback fraud,” Monica wrote in a blog post recently.

Doing away with “rules”

Staying away from risk at any cost is reflected in rule-based fraud prevention systems. For instance, rules based on geo-location that could oppose all transactions from one area/ market. Traditional fraud prevention methodology impacted sales in an adverse manner. Fraud prevention specialists chose to avoid taking the risk of accepting a borderline transaction (which could be genuine), resulting in much greater false positives. At the same time, rules deployed (location based, amount based, time based, etc) limit genuine users from making transactions. But today merchants are finding ways to overlook rules when positive behaviour is identified.  

On the basis of calculated risks, the system passes the optimized number of transactions while ensuring that chargeback rates are still under control. As a result, borderline genuine transactions can be passed and unnecessary rules and bans are lifted, improving sales greatly. So merchants are drifting away from hard rules and relying on behavioural analysis – evaluating a combination of variables and patterns – a judicious way to obstruct fraudsters/ hackers and yet cut down on false positives at the same time. A more methodical tactic is to craft a risk engine. It blends rules and policies that are optimized through the use of machine learning. Along with this, other methods such as data signals for transactions, real-time behavioral analytics and device fingerprinting, too, are coming into play.

Working out a multi-disciplinary line of attack against fraudsters, featuring technologies such as both supervised and unsupervised machine learning, would better prepare merchants for fraud management. Unsupervised machine learning is useful to learn on the fly and spot deceptive patterns even without having been trained with past data, i.e. it is able to unearth anonymous fraud attacks. Thereafter, predictive analytics may still be used to run the probabilities of fraud, giving a risk score.

Machine learning systems are lending a new dimension to fraud prevention, one that over the years has largely revolved around the use of rule-based systems. This way the industry is gearing up to reduce reliance on hard rules and to filter out fraud while passing more genuine users. However, machine learning systems only provide probability scores - or fraud scores - and would still require a team of manual reviewers to make sense of the score and thereafter a decision to pass or reject a transaction.

Dynamic friction

Also, it is important to understand that merchants are battling various types of fraud, and putting the best foot forward is about monitoring and evaluating each for risk. Clearly, the industry is counting on behavioral and situational attributes to apply the right friction to the right person at the right time. As Sift points out, it is vital to look past legacy fraud-fighting solutions, with which a merchant is only applying friction in a blanket, indiscriminate way to all users, shoppers and fraudsters alike. With dynamic friction, risk level is assessed in real time so that merchants can offer safe, convenient, and customized user journeys that only become more accurate and appropriate over time. In case a risk touches a given threshold, extra verification comes into play. If the interactions come across as reliable, that extra authentication is removed, providing the shopper a more streamlined experience.

Monica highlighted a couple of aspects related to dynamic friction:

1. A dynamic friction system works out verification for an individual user and it learns as it goes. By assessing data on an ongoing basis, including the analysis of previous interactions, a blanket approach is avoided and such drilling eventually paves the way for friction in only certain cases.

2. A merchant’s best customers are subjected to the least amount of friction necessary for secure validation. Legitimate customers proceed with minimal friction.


Dynamic friction cuts down the risk of alienating good users and causing false positives. The user journey needs to be evaluated holistically, from end to end; as a user moves through each stage of the journey, each interaction is evaluated for risk. The best part about dynamic friction: it makes it extremely tough for fraudsters to succeed while not hampering the experience of genuine shoppers, who remain unaware of the fraud detection mechanisms being used.
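The threshold behaviour described in this section (risk assessed per interaction, extra verification above a threshold, less friction as a user's history builds up) can be sketched as follows. This Python code is an added example, not from the original editorial or from any vendor; the signal names, point weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed point weights and thresholds on a 0-100 scale; a real risk engine
# would tune or learn these rather than hard-code them.
SIGNAL_POINTS = {"new_device": 50, "geo_mismatch": 30,
                 "unusual_amount": 25, "velocity": 30}
STEP_UP_AT = 40          # at or above: ask for extra verification
REVIEW_AT = 80           # at or above: hand over to a manual reviewer
MAX_TRUST_DISCOUNT = 10  # history lowers friction but never erases risk


@dataclass
class UserHistory:
    """What the system has learned about one user from past good interactions."""
    good_interactions: int = 0
    known_devices: set = field(default_factory=set)
    typical_amount: float = 0.0

    def record_success(self, device_id, amount):
        self.good_interactions += 1
        self.known_devices.add(device_id)
        # Running mean of the amounts this user normally spends.
        self.typical_amount += (amount - self.typical_amount) / self.good_interactions


def risk_score(history, device_id, amount, geo_mismatch=False, attempts_last_hour=1):
    """Score one interaction from situational signals, discounted by earned trust."""
    signals = {
        "new_device": device_id not in history.known_devices,
        "geo_mismatch": geo_mismatch,
        "unusual_amount": (history.typical_amount == 0
                           or amount > 3 * history.typical_amount),
        "velocity": attempts_last_hour > 3,
    }
    raw = sum(SIGNAL_POINTS[name] for name, fired in signals.items() if fired)
    discount = min(2 * history.good_interactions, MAX_TRUST_DISCOUNT)
    return max(0, min(100, raw - discount))


def decide(score):
    if score >= REVIEW_AT:
        return "manual_review"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def handle(history, device_id, amount, **context):
    """Decide the friction for one interaction; learn only from frictionless passes.

    After a successful step-up the caller records the success itself.
    """
    action = decide(risk_score(history, device_id, amount, **context))
    if action == "allow":
        history.record_success(device_id, amount)
    return action


if __name__ == "__main__":
    shopper = UserHistory()
    print(handle(shopper, "d1", 200))           # first visit: step_up
    shopper.record_success("d1", 200)            # verification passed
    print(handle(shopper, "d1", 250))           # known device, usual amount: allow
    print(handle(shopper, "d9", 900, geo_mismatch=True, attempts_last_hour=5))
```

The trust discount is capped on purpose: a long-standing account that suddenly appears on a new device from a new location still lands in manual review, which is the account-takeover pattern.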



Ai Editorial: Law enforcement agencies eye fraudsters and e-commerce fraud

26th February, 2020

Ai Editorial: Law enforcement agencies are looking at several areas – private and public sector partnership, capitalizing on data and high-tech crimes to curb fraudulent transactions, writes Ai’s Ritesh Gupta


The role of law enforcement agencies in combating a variety of cyberattacks is being tracked closely. Be it for private security and fraud prevention specialists or state-run agencies, no one organization is enough to deal with instances of cross-border cyber-attacks. But the role of law enforcement agencies in countering payment-related fraud and other e-commerce fraud can’t be underestimated.

For instance, only a couple of months ago, Europol announced that its multidisciplinary initiative to derail illegal online transactions featuring flight tickets with compromised credit card data resulted in the arrest of around 80 persons. These were suspected of traveling with airline tickets bought using stolen, compromised credit cards etc. Importantly, as also stated by Europol, some of the individuals were associated with unlawful immigration. For instance, some of the detained travelers had forged documents or IDs. At the time of this announcement, Europol also indicated that the airline industry’s losses hovered around $1 billion annually, as a result of the fraudulent online purchases of flight tickets. Such illegitimate transactions are on top of the agenda of fraudsters/ online criminals and are often associated with more serious criminal activities including irregular immigration, trafficking in human beings, drug smuggling and terrorism.

Internet-enabled crimes and scams show no signs of letting up, according to data released by the FBI’s Internet Crime Complaint Center (IC3) in its 2019 Internet Crime Report. IC3 received 467,361 complaints in 2019—an average of nearly 1,300 every day—and recorded more than $3.5 billion in losses to individual and business victims.

Concerted effort

  • Collaborative route:  Travel merchants, including airlines, need to take a collaborative route to combat fraudulent activities.

“I believe in collaboration (for fighting fraud) at every level,” Jan-Jaap Kramer, Founder and CEO of FraudGuard told Ai during an edition of ATPS, held in the U.K. last year. He mentioned that fraud prevention as a discipline has come a long way, considering that a fraud analyst used to be isolated from other departments within an airline. And now various sectors have realized the significance of jointly fighting fraud since one fraudster can have access to a customer’s credentials. And these can be used across a variety of retail sites or in other ways to commit a fraudulent activity. “So it is imperative for merchants to cooperate and fight in unison,” Kramer had said.

Europol’s operations have been featuring participation of airlines. Other stakeholders that work with the law enforcement agency feature executives from online travel agencies, payment card companies, the International Air Transport Association (IATA), Perseuss etc. This is in addition to law enforcement, and judiciary and border agencies. They work in unison with Europol’s experts to spot dubious transactions and confirm the same with law enforcement officers deployed in the airports. 

  • Counting on data: Law enforcement agencies are trying to ensure that their initiatives don’t compromise individual privacy for the sake of public security. They are looking at implementing privacy by design. The plan should be fully in line with one’s fundamental rights. In addition to this, the focus is also on promotion of de-bureaucratised and efficient processes.
  • Keeping pace with cybercrime: Law enforcement agencies acknowledge that cybercrime is more confrontational than ever. Considering the use of botnets, setting up back doors on compromised devices, social engineering etc., there is a need to keep pace with such attacks.
  • Preparing for the dark web: Europol, in its Internet Organised Crime Threat Assessment 2019, asserted that more synchronized investigation and hindrance-related initiatives for the dark web are needed. This would send a strong signal from law enforcement entities. Plus, even better real-time assessment is required to respond to the activities on the dark web.  The capability “will enable the identification, categorization and analysis through advanced techniques including machine learning and artificial intelligence.”

It was also mentioned that an EU-wide framework is “required to enable judicial authorities to take the first steps to attribute a case to a country where no initial link is apparent due to anonymity issues, thereby preventing any country from assuming jurisdiction initiating an investigation”.




Ai Editorial: Biometric authentication – keeping it safe from hackers

21st February, 2020

Ai Editorial: Security safeguards and privacy-related initiatives are becoming stronger. Biometric authentication is an interesting tussle, and the industry is looking at negating fraudsters/ hackers’ moves, writes Ai’s Ritesh Gupta


Biometric authentication has numerous applications, and one of them is verifying/ authorizing a transaction.

Among all the options, facial recognition has gained traction because it is non-intrusive, easy to use and fast. It has gained prominence as it is being facilitated by our smartphones.

Since biometric authentication is about recognizing an individual without friction, rather than doing the same via a password or PIN, it stands out for augmenting the user experience with speed, ease of use and option to pay anywhere. But there are aspects that still need to be looked into. Be it for security-related risks, user privacy concerns or fraudulent transactions, repercussions are being probed at this juncture.

Plus, there are industry-related issues as well. For instance, this form of authentication does indicate that a cardholder himself or herself validated a transaction, but if the card network has no provision to use such data as the main proof, then that knowledge is useless.


According to Gemalto, the efficacy of facial recognition systems is based on: false acceptance, false rejection and true positive (this describes when an enrolled user is correctly matched to his or her profile; this number should be high).

As for concerns, artificial intelligence (AI)-based identity fraud is emerging as a serious issue. What is coming under inspection is the efficacy of biometric security measures such as facial recognition. A primary concern that a section of the industry is highlighting is hackers/ fraudsters managing to steal people’s faces. Recognition of one’s voice and face as a way to validate a person’s identity is under scrutiny with the rise of synthetic media and deepfakes. Deepfakes can be damaging, as they can perfectly imitate features of a person. Deepfakes are powered by deep learning AI. The algorithms behind this AI are fed large amounts of data. Eventually, by capitalizing on such data, “deepfake” videos manipulate audio and video using AI to make it appear as though someone did or said something they didn’t. It does pose a challenge to validating the legitimacy of information presented online.

As highlighted in one of Ai’s recent articles, initiatives are in the pipeline, focusing on automated deepfake detection. Identity verification specialist Jumio emphasized that it is “vitally important to embed 3D liveness detection into identity verification and authentication processes”. The company is working on plans to combat advanced spoofing attacks including deepfakes. (It is important to know that not all liveness is created equal and many un-certified liveness detection solutions fall prey to deepfakes). Among the others, Facebook, too, was in the news last year for working on a ‘de-identification’ technology to morph a person’s face so that they remain unrecognisable to facial recognition technology. Also, specialists are focusing on a certain kind of machine learning. In this type, patterns in image data are spotted. It features a system of artificial neurons that copy the functioning of the human brain.

Companies like Apple acknowledge that much of our digital lives is stored on their devices, and it's important to protect that information. While technology in these devices can automatically adapt to changes in one’s appearance, such as wearing cosmetic makeup or growing facial hair, the industry is also looking at areas like not unlocking with a sleeping face. Also, these companies are using smarter technologies. For instance, Apple has highlighted that the camera of its devices captures accurate face data by projecting and analyzing over 30,000 invisible dots to create a depth map of the face and also captures an infrared image of the face. Also, each time a user unlocks their device, the camera identifies them by capturing precise depth data and an infrared image. This information is matched against the saved mathematical version to verify.

Earlier this year, Apple asserted that the probability of a random person looking at a user’s iPhone or iPad Pro and unlocking it using Face ID is approximately 1 in 1,000,000 with a single enrolled appearance.




Ai Editorial: Are acquirers becoming stronger allies for merchants?

18th February, 2020

Ai Editorial: Travel merchants, including airlines, are expecting their respective acquiring banks to contribute more than just processing payments, writes Ai’s Ritesh Gupta


Travel merchants, including airlines, have to focus on several aspects in order to streamline their cross-border payment acceptance.

Of utmost importance is the shopper experience - from letting a travel shopper pay via their preferred payment method to ensuring their checkout experience isn’t disturbed by a uniform approach to curbing fraud that interrupts even those transactions that shouldn’t be checked for authentication. Other than stepping up the authorization rate, businesses also need to keep the overall transaction fees in check. Plus, they need to prepare for better business decisions based on astute payments data, for instance, comprehending why transactions are being approved or declined with global coverage and granular reporting.

The role of the acquirer

The introduction of invisible payments or one-click transactions are experiences shoppers are increasingly getting used to, and every business needs to find ways to incorporate the same. And accordingly, the onus is on various stakeholders, including the acquirer, to chip in and facilitate the same for travel merchants. The entity, also known as the acquiring bank, is the financial institution that maintains the merchant’s bank account. It passes the merchant’s transactions along to the applicable issuing banks to receive payment. For airlines, hotels, OTAs etc., especially those operating in various countries, factors such as adding local payment options, too, are key to sustaining the desired conversion rate. It doesn’t come as a surprise when acquirers are being expected to support all payments types through all channels. 

And the acquirer is also expected to contribute in other areas. A core area of expertise is managing the processing of cross-border payments in an adept manner. An established acquirer is expected to contribute in terms of “local acquiring” and bring down the rate of bank declines. And the key lies in working with only a few, or maybe one acquirer even for multiple markets. This tends to make reconciliation less complex for travel merchants. Another area is the settlement aspect. Also, the ecosystem has witnessed certain players doing away with the blended pricing model. There are benefits, for instance, when the interchange fees go down, the overall costs also go down. There is now more transparency in terms of the cost of the processing, what is charged for the interchange, the processing cost etc. As for the future, one can only expect an increased level of standardization on a European level and globally, too.

As for dealing with card payment conversion, there are ongoing improvements that merchants are looking for. For instance, credit card decline codes are not standardized; they differ from one payment gateway to the next. Details pertaining to why a payment tends to get rejected can be provided by an acquirer and this in turn can boost the conversion rate. Even though the rejection or response codes offered by acquirers may appear dauntingly technical, it’s extremely useful to understand what they mean.

Travel merchants are assessing the prowess of payment analytics and evaluating key metrics pertaining to the overall payment flow. Primarily, the focus is on the associated cost with each transaction, the rate of authorization, and the chargeback ratio. Delving deeper, payment specialists are counting on analytics for assessment of the risk profile, the relevance and performance of the acquirer, fee for alternative payment solutions etc. It is worth following how data and algorithms are shaping up to contribute both in terms of cost reduction and revenue optimization.

An acquirer is also expected to respond to the regulatory requirements. For instance, the PSD2 Strong Customer Authentication (SCA) migration completion deadline for online payments in Europe continues to be a weighty issue, with concerns about the preparedness and compliance still coming to the fore. Again, acquirers, which like other stakeholders have to support EMV 3DS 2.1 and 2.2 by the end of this year, need to enable merchants to prepare for the same and contribute in terms of the overall authorization success. Another area that is worth following is how this regulation is going to impact multisided platforms, or marketplace businesses, and some other areas such as licensing.

The traditional merchant-acquirer model has evolved, and today’s payment facilitator model has made the chain a lot more fragmented. For instance, certain entities are an extension of the acquiring bank and provide merchant processing services on the acquirer’s behalf.  As for the external factors, it is worth following how acquirers, post the merger activity, are going to respond to the rising competition.  




Ai Editorial: Stepping up card payment conversion via deeper introspection

3rd February, 2020

Ai Editorial: Dealing with credit card decline codes is a daunting task. Ai’s Ritesh Gupta explores how a deeper analysis of these codes and collaborative approach can help in payment authorization.


Evaluating ways to improve upon approval rates for online card payments is always high on the agenda of travel merchants.

Independently, travel e-commerce players are looking at ways to seamlessly authenticate users across the omnichannel customer journey. The role of cloud-based intelligence, backed by artificial intelligence and machine learning, is coming to the fore. Assessment of both risk pointers and positive identity indicators is the way to go. This way travel merchants can better comprehend the context of a shopper, their behavior, and their score in terms of digital identity trust and risk. Other than ensuring that a legitimate shopper doesn’t suffer owing to a wrong decline of a card, travel merchants also need to be in control of processing costs as well as focus on fraud prevention. There is no secret sauce for all this in the payment landscape, but crafting an astute authorization strategy is an ongoing effort that demands continuous introspection. Working with other stakeholders holds the key here.

When it comes to authorization and acquiring for more than one market or cross-border transactions, a merchant can assess options such as  working with a payment services provider, setting up a local legal entity and entering into merchant agreements with local acquiring banks etc.

Coming to grips with soft and hard declines

Technically, credit card rejection happens when a card payment cannot be processed and the transaction is declined by the payment gateway, the processor, or the bank issuing the money. A credit card decline code is a message issued in response to a request for authorization during a transaction.

It is here that dealing with the travel shopper in an apt way – via simple and transparent communication – can help.

According to Chargebacks911, the issue is that credit card decline codes are not standardized; they differ from one payment gateway to the next. They also tend to be rather unclear, as this helps in shielding the cardholder’s privacy and avoids giving away sensitive information in the event of a genuine fraud attack. Details pertaining to why a payment tends to get rejected can be provided by an acquirer and this in turn can boost the conversion rate. As Ingenico points out, even though the rejection or response codes offered by acquirers may appear dauntingly technical, it’s extremely useful to understand what they mean.

Adyen recommends that the profile of each transaction be considered based on its amount, if it’s recurring, local regulations, issuers' authentication preferences, your relationship to your shopper, and more.

Some declines may be the direct result of the cardholder's actions while others are the result of external factors. The most important distinction is between “hard” and “soft” declines. A hard decline happens when the issuing bank or processor denies the processing of the transaction and retrying the card won’t help at all. Hard declines are not recoverable at the time of the transaction. Soft declines, by contrast, are generally a temporary issue, and retrying the provided payment method information may be successful. One way to deal with such a scenario is to automatically route selected failed transactions to a secondary acquirer for a “retry”. This can increase authorization with virtually no impact on the customer experience, asserts Ingenico. Essentially, merchants need to constantly explore ways to salvage such situations. A partner should be adept at analysis of past declines, transparent data, ongoing analysis of global transaction types etc. Also, developments like PSD2 are all about more carefully processing and managing data, including payment transactions.
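The hard/soft distinction and the secondary-acquirer retry can be expressed as a small routing function. This Python sketch is an added example, not code from Ingenico, Adyen or Chargebacks911; the gateway names, the decline codes and the acquirer stubs are all constructed, since the real codes differ per gateway as the text notes.

```python
from dataclasses import dataclass, field
from enum import Enum


class DeclineClass(Enum):
    HARD = "hard"        # retrying will not help and must not be attempted
    SOFT = "soft"        # temporary condition, a retry may succeed
    UNKNOWN = "unknown"  # code missing from the table: treated like a hard decline


# Constructed per-gateway tables. Because codes are not standardized, each
# gateway's vocabulary has to be normalised separately before routing on it.
CODE_TABLES = {
    "gateway_a": {"A-STOLEN": DeclineClass.HARD,
                  "A-ACCOUNT-CLOSED": DeclineClass.HARD,
                  "A-ISSUER-TIMEOUT": DeclineClass.SOFT,
                  "A-TRY-AGAIN": DeclineClass.SOFT},
    "gateway_b": {"207": DeclineClass.HARD,
                  "311": DeclineClass.SOFT},
}


def classify(gateway, code):
    """Map a gateway-specific decline code onto hard / soft / unknown."""
    return CODE_TABLES.get(gateway, {}).get(code, DeclineClass.UNKNOWN)


@dataclass
class Outcome:
    approved: bool = False
    attempts: list = field(default_factory=list)  # (acquirer, code, class) per try


def authorize(txn, routes, max_attempts=2):
    """Try acquirers in order, moving to the next one only after a soft decline.

    routes is an ordered list of (acquirer_name, gateway, send), where send(txn)
    returns None on approval or the gateway's decline code. The attempt cap
    keeps a run of soft declines from turning into repeated card testing.
    """
    outcome = Outcome()
    for name, gateway, send in routes[:max_attempts]:
        code = send(txn)
        if code is None:
            outcome.attempts.append((name, None, None))
            outcome.approved = True
            return outcome
        kind = classify(gateway, code)
        outcome.attempts.append((name, code, kind))
        if kind is not DeclineClass.SOFT:
            break  # hard or uninterpretable: stop and surface the decline
    return outcome


def scripted(code, calls):
    """Constructed stand-in for an acquirer connection that always answers `code`."""
    def send(txn):
        calls.append(txn["id"])
        return code
    return send


if __name__ == "__main__":
    seen = []
    routes = [("primary", "gateway_a", scripted("A-ISSUER-TIMEOUT", seen)),
              ("secondary", "gateway_b", scripted(None, seen))]
    result = authorize({"id": "t1", "amount": 120}, routes)
    print(result.approved, result.attempts)
```

Treating an unrecognised code as non-retryable is a deliberate choice here: a code that cannot be interpreted gives no evidence that a retry is safe.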


Not just merchants

And it’s not just merchants: other stakeholders, including card schemes and issuers, are also focusing on sorting out some common issues that tend to block transactions that simply should not have failed in the first place.

Traditional companies are stepping up their efforts in the wake of increasing competition from alternative forms of payment plus new developments that are fueling the emergence of fintech digital payment specialists. For instance, it is being acknowledged that, as a vital link in the payment chain, issuers need to share relevant details regarding why the transaction has been declined. Many tend to supply response codes that are ambiguous and tough to comprehend. And in certain cases such codes cannot be interpreted at all. Effective fraud prevention and detection requires real-time collaboration and data sharing. In fact, with a collaborative approach where data on fraudulent and suspicious transactions is shared (and kept anonymous, too, where required), details are out on new fraud attempts no matter where they first appear. But all of this demands a diligent effort. Consider, for instance, the case of passing SCA or Strong Customer Authentication messages through the complex transaction flow in the travel e-commerce sector.

It is imperative for merchants to work collectively internally (fraud and risk management, customer service, operations, technology and product management teams) to optimize authorization and fraud strategies, and work with various external stakeholders as well for the same.




Ai Editorial: Why uncovering patterns of fraud with one approach won't work?

23rd January, 2020

A study, by Sift, has shared that fraudsters are moving freely from one fraud type to another. With data breaches, it is easy for hackers and fraudsters to gain additional information and plan other types of fraud beyond payment fraud.


A unified or a blanket approach to dealing with various types of frauds that exist in the e-commerce sector isn't going to work anymore.

The travel e-commerce sector, being a lucrative proposition for fraudsters, remains a prime target. Fraudsters are always looking at new methods to discover an enterprise's vulnerabilities. So travel merchants not only need to be vigilant of the types of fraud but also be prepared to deal with them discretely.

Fraudsters are becoming better at what they do. They are increasingly going after more than one type of fraud. Plus, fraudsters commit fraud in more than one industry. According to an analysis by Sift, fraudsters are moving freely from one fraud type to another.

As for the types of fraud, the list includes payment-related fraud (unauthorized payment transactions, featuring stolen credit cards, debit cards etc.); new account or fake account (created by a fake identity, a fraudster or bot signing up for an account using another person’s real identity/credentials) and account takeover (a genuine user creates an account, and a fraudster later gains access to it and uses it for fraud). Sift also referred to fake content and to promotion abuse, where fraudsters redeem coupons multiple times or create fake accounts to redeem additional promotional offers.

Looking beyond payment-related fraud

The latest analysis, based on the team's study of over 34,000 sites and apps in Sift’s customer base, notes that with "data breaches making users’ credentials readily available on the dark web, it’s easy for bad actors to obtain additional information and attempt other types of fraud beyond payment fraud".

Some of the other key findings:

  • Highlighting the way fraudsters continue to move ahead and pose new threats, the study indicated that various verticals are targeted concurrently, and it doesn't matter whether those verticals are connected or not. While digital e-commerce is the industry most plagued with fraud, fraudsters move fluidly from one industry to another, attempting multiple types of fraud. Fraud is not linear, but rather an interconnected web.

- 78% of fraudsters who start in digital e-commerce are also likely to commit fraud in another industry.

- 86% of fraudsters commit fraud in more than one industry.

  • In the list of the "fraudiest" industries, the travel sector is at the third spot. The top two sectors are digital e-commerce and physical e-commerce.

With such a cross-industry focus among fraudsters, it is a must for stakeholders to find out how the culprits find ways to hide or execute malicious tactics. Merchants and fraud prevention specialists acknowledge the significance of the same. For instance, spoofing has become more commonplace. Fraud is more complex than ever, and the only way to battle it out with fraudsters is to comprehend the perpetually evolving fraud landscape.




Ai Editorial: Payments - a fascinating discipline to follow in 2020

21st January, 2020

Ai Editorial: Travel merchants are prioritising speed, trust and security when it comes to the payments-related experience. This, along with balancing CX and fraud prevention, and responding to regulatory requirements, are some of the priorities for 2020, writes Ai's Ritesh Gupta


There are several prevailing trends that today make payments a fascinating discipline to follow. Merchants and other stakeholders are keenly following the evolving payment economics, new standards set up to govern the flow of money, what is paving the way for cost reduction and revenue optimization, dealing with fraud attacks etc.

For travel e-commerce players, their main priority is to simplify the checkout experience. Cart abandonment remains an issue, and losing out on a conversion is a huge pain point. In addition to this, there are several other aspects.

The list is as follows:

· Letting travel shoppers be in control: A recent study commissioned by PayPal to evaluate key trends related to mobile shopping habits and merchant readiness indicated that merchants must offer mobile optimized experiences if they are interested in attracting and maintaining younger consumers, such as GenZ and GenY. According to Amadeus, 24% of travelers still abandon their purchase because there are too many steps in the checkout experience.

In a recent blog post, Jeremy Dyball, Head of Commercial, Payments, Amadeus, mentioned that with the rapid pace of payments innovation, "a number of advances from simplified foreign exchange, to a raft of new payment methods and easily accessible instant credit are combining to make a smooth and hassle-free payment experience tantalizingly close". According to him, it's time to embrace the new era of frictionless airline payments.

· Balancing CX and fraud prevention: Security and trust are significant considerations in consumers’ mobile purchasing decisions. Globally, 51% of consumer respondents would be less likely to engage with mobile commerce due to security concerns, according to the same PayPal study.

As LexisNexis Risk Solutions highlights, a frictionless customer journey “doesn’t equate to an absolutely friction-free experience. It’s about having the right type of friction, with the right action, at the right time. You have to figure out where and what that is”. From a shopper’s perspective, friction could be any feature or requirement that hinders their path through the sales funnel. It could be a compulsory registration, wearing form-filling and time-consuming authentication processes. For a seamless and secure experience, airlines need to embrace dynamic friction.

As Sift’s Trust and Safety Architect, Kevin Lee, points out, merchants can’t get away with their airport screening approach. Travel e-commerce players have to ensure trusted shoppers or consumers can sidestep added authentication, while potentially risky users undergo that further screening. Since there is so much data from customers via app usage, device usage etc., there is a need to use behavioural friction or behavioural dynamics, looking at the signals to identify normal behaviour for an authentic shopper on an app or an online platform, and then being in a position to spot an anomaly where certain behaviour doesn’t seem to be normal. Only then is there a need to introduce certain friction or an additional check in the shopping process.

Highlighting e-commerce fraud trends in 2020, Riskified asserts that realistically, merchants can address fraud by leveraging the best fraud management solution: one that evolves to adapt to the latest attack vectors, with technology that can both register and analyze the vast amount of e-commerce data flows.

· Payment flow: Other than counting on data for spotting fraudulent transactions or anomalies in behaviour, travel merchants are assessing the prowess of payment analytics and evaluating key metrics pertaining to the overall payment flow. Primarily, the focus is on the associated cost with each transaction, the rate of authorization, and the chargeback ratio. Delving deeper, payment specialists are counting on analytics for assessment of the risk profile, the relevance and performance of the acquirer, fee for alternative payment solutions etc. It is worth following how data and algorithms are shaping up to contribute both in terms of cost reduction and revenue optimization.

· Regulatory environment: Regulations like PSD2 are paving the way for new services and faster payments. PSD2 or the payment services directive in Europe is being associated with a major change in payments and data protection, and it is expected to fundamentally change the value chain. "PSD2 is opening up the (payment) industry, and breaking the monopoly of certain players on accepting payments," Simon Eve, Head of Travel, Trustly, told Ai in an interview last year.

The SCA requirements were originally planned for the 14th of September last year (the new migration completion deadline is 31st December 2020), but concerns that PSD2 will make online shopping more difficult and negatively impact cart abandonment rates in the initial years of implementation are still being highlighted.

· Technology and digital commerce: The emergence of new technology or devices along with Internet connectivity means the need for payments to be processed automatically is already there. Overall, there is a need to keep an eye on options available for completing a transaction. So be it for the Internet of Things (IoT), which essentially refers to any kind of device, appliance or vehicle that can connect to the Internet, or the role of cloud services, merchants need to explore the emerging commerce features in a proactive manner. At the same time, it is vital to ensure that measures are in place for basic security and authentication.
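The dynamic-friction idea described under "Balancing CX and fraud prevention" above, sketched as an added example (not code from Sift, LexisNexis or any other vendor named here): a per-shopper baseline is built from past sessions, and extra authentication is requested only when a new session deviates from it. The signal names, device identifiers, sample sessions and the 3.5 modified z-score threshold are assumptions made for illustration.

```python
from statistics import median

# Constructed baseline: six past sessions of one shopper (signal names are hypothetical).
HISTORY = [
    {"typing_ms": 180, "session_s": 240, "order_eur": 310},
    {"typing_ms": 175, "session_s": 300, "order_eur": 280},
    {"typing_ms": 190, "session_s": 260, "order_eur": 350},
    {"typing_ms": 185, "session_s": 280, "order_eur": 295},
    {"typing_ms": 170, "session_s": 250, "order_eur": 330},
    {"typing_ms": 182, "session_s": 270, "order_eur": 305},
]
KNOWN_DEVICES = {"dev-a1", "dev-b2"}  # constructed device identifiers
SIGNALS = ("typing_ms", "session_s", "order_eur")


def robust_z(value, samples):
    """Modified z-score: distance from the median in MAD units."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    if mad == 0:  # identical history: any deviation at all is unusual
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def friction_decision(session, history, known_devices, threshold=3.5, min_history=5):
    """Return (action, reasons); action is 'frictionless' or 'step_up'."""
    if len(history) < min_history:
        # No reliable picture of "normal" yet, so fail closed.
        return "step_up", ["insufficient history for a baseline"]
    reasons = []
    if session["device_id"] not in known_devices:
        reasons.append("unrecognised device")
    for signal in SIGNALS:
        z = robust_z(session[signal], [h[signal] for h in history])
        if abs(z) > threshold:
            reasons.append(f"{signal} deviates from baseline (z={z:.1f})")
    return ("step_up" if reasons else "frictionless"), reasons


if __name__ == "__main__":
    usual = {"device_id": "dev-a1", "typing_ms": 178, "session_s": 255, "order_eur": 320}
    odd = {"device_id": "dev-zz", "typing_ms": 40, "session_s": 35, "order_eur": 2900}
    for name, s in (("usual", usual), ("odd", odd)):
        print(name, friction_decision(s, HISTORY, KNOWN_DEVICES))
```

The returned reasons are what a fraud analyst would review afterwards, so each step-up can be traced to the signal that triggered it.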




Ai Editorial: Establishing a proactive data protection mechanism

17th January, 2020

Ai Editorial: Data security and privacy-related initiatives are now a priority, and travel merchants have to embrace proactive and appropriate tools for the entire organization, writes Ai’s Ritesh Gupta


It is imperative for organizations to capitalize on personal data, and at the same time address concerns pertaining to privacy and misuse of such data.

So if on one hand, travel merchants are sharpening their initiatives associated with collecting, sharing, analyzing and processing data, on the other it has to be ensured that data is secure and complies with the latest data privacy regulations. The arena continues to evolve with relatively new regulations, including the General Data Protection Regulation (GDPR), which came into force in May 2018, and the California Consumer Privacy Act (CCPA).

Some crucial topics that are being discussed are how to protect data at the source level, how to avoid heavy data exfiltration, and what constant modernization of data operations entails. Also, what are the requirements of privacy laws, such as opt-in and opt-out options?

Gearing up for data privacy challenges

Certain areas that demand attention are:

  • Data governance: As IBM Analytics recommended in a presentation at one of Ai’s conferences in the past, working out a robust data governance tool is a must. Profiling each piece of data to answer who, what, where, when and how, and making this metadata available, is fundamental. Basically, for each piece of data, you need to understand what the data is all about, who owns it, where it originated, where it is kept, when it got there, and how it is processed. Only with such a tool can a merchant deal with vital components such as the "right to be forgotten" article in GDPR, since data subjects have the right to request the deletion of their data and not to be contacted again. A registry that provides directory services to point to where customer data resides in different systems in a company is a must, too.

Plus, IBM also recommends an operating model, starting with an assessment across governance, people, process, data and security, then finalizing standards that cover governance, training, communication, privacy, data management and security management. After this, there is provision for detailed data discovery and for embedding standards, procedures, and tools to enhance existing processes. And there is also necessary training to ensure skills transfer. Finally, all relevant business processes and security controls are executed.

  • Understanding consent requirements: With various privacy laws that exist today, organizations need to comprehend consent requirements. What does consent entail? That’s the first step. For aspects such as the “right-to-be-forgotten” one, companies need to rationalize the entire process, especially considering that data is distributed in several ways and tends to be hosted in cloud-based and on-premises environments. Being in control of what data is stored and where (in terms of deployments) becomes critical. A privacy-by-default approach to data storage becomes a must.
  • Protection teams: Organizations also need staff with expert knowledge of data protection law and practices, risk assessment evaluation (data breaches and cyber attacks) etc.

This approach is becoming a necessity, not only because merchants need to counter the threat of a breach via a risk-adaptive defense mechanism, but also for ease of operations for any entity operating in the connected digital landscape. Projecting how the cybersecurity strategy is going to shape up in 2020, Forcepoint indicated that the same will move from “indicators of compromise to indicators of behavior” and will focus on comprehending risks that lie within and the importance of preventing data theft no matter the user, device, transfer medium or cloud application.




Ai Editorial: PSD2 SCA 2020 - how to go about it as a travel merchant?

10th January, 2020

Ai Editorial: The PSD2 Strong Customer Authentication (SCA) migration completion deadline for online payments in Europe continues to be a weighty issue, with concerns about the preparedness and compliance still coming to the fore, writes Ai’s Ritesh Gupta


The SCA requirements were originally planned for the 14th of September last year (the new migration completion deadline is 31st December 2020), but concerns that PSD2 will make online shopping more difficult and negatively impact cart abandonment rates in the initial years of implementation are still being highlighted.

As for the travel sector, a study by Amadeus in September had indicated that only one in three travel merchants were expected to be SCA-ready for the September-2019 deadline. The report featured 50 large travel firms (€1 billion+ revenue).


All the stakeholders acknowledge the complexity of the payments markets across the EU and the hurdles resulting from the amendments that are needed.

As per the findings of a survey in December last year (commissioned by Riskified, featuring 2,000 consumers and 200 retailers evenly split across the UK, Germany, France, and Spain):

  • A third of shoppers would leave a site/app when asked to verify their identity.
  • 80% of European retailers expect that PSD2 will negatively impact cart abandonment rates. Nearly 50% expect a significant increase (of 20% or more) in shopping cart abandonment rates.
  • Almost 40% of European merchants are pessimistic about PSD2’s ability to curb fraud.

The top three authentication methods being studied by issuers are one-time passwords (OTP) sent by SMS to a mobile device, authentication within a mobile banking app, and 3DS. Among these, OTP and 3DS authentication are expected to adversely impact the user experience. Specialists recommend that merchants should use exemptions where possible. Also, by using fingerprints or facial recognition, one can combat fraud while also increasing convenience for consumers.

PSD2 SCA 2020 plan   

Even as the European Banking Authority asserted that the definition of SCA had been set out in PSD2 when it was published in 2015, a section of the industry states that the authority has failed with PSD2, at least in the short term. Moving on, the industry clearly needs to make fraud prevention and compliance efforts a priority. In terms of how the roadmap is going to shape up this year, the extension offers various players (issuers, acquirers, PSPs and merchants) extra time to entirely support EMV 3DS 2.1 and 2.2 by the end of this year. One can expect an incremental EMV 3DS execution with the new deadline.

Merchants need to test, preferably with a flexible offering that can set up both 3D Secure 1 and 2 authentication protocols. This way, if a specific issuer isn’t ready to support 3DS2, then the offering will by default redirect transactions to 3DS1.

Ingenico ePayments recommends the following steps to prepare for the authority’s deadline:

By March 2020: integrate 3DS in your payment flow

  • For merchants who have not implemented 3D yet, the recommendation is to go straight to EMV 3DS 2.1 (skipping the implementation of version 1).
  • For merchants who already have 3DS version 1, the recommendation is to start implementing EMV 3DS 2.1.

By July 2020: use EMV 3DS 2.1 in your payment flow or be ready to do Step Up with EMV 3DS 2.1

By September 2020: SCA exemptions are available with EMV 3DS 2.2; if exemptions are not supported, then all transactions will require 3D.

With this incremental approach, merchants will fully support EMV 3DS 2.2 by the 31st of December 2020.

