First Published on 6th March, 2019
Ai Editorial: Pragmatic ways are emerging to cut down on drop-offs in the mobile booking funnel, and these aren’t just restricted to mobile design and UX.
How can a merchant ensure that not even a fraction of a second is wasted in delivering a sublime CX? How is authentication of a shopper’s identity being improved without annoying the user of a mobile device? How are tokenization offerings being enhanced? How prudent is “guest checkout”?
These and other questions are being evaluated considering new features that are simplifying mobile shopping.
“Customers today want to pay how they want, where they want and they want it to be seamless and they are not willing to wait. In online payments it doesn’t matter if you are selling books or airline tickets – we are all in business of removing friction because in digital era, it is speed that sells,” said Vojin Rakonjac, Head of Payment Solutions, Voyego.
In addition to experimentation and testing that eventually shapes up the payment experience, including the check-out phase, there are other areas that are being focused upon:
Hear from senior executives about digital payments at the upcoming ATPS (21st Century Customer Experience for Payments & Fraud - Airline & Travel Payments Summit) to be held in London (Brighton), UK (7-9 May, 2019).
For more information, click here
Follow Ai on Twitter: @Ai_Connects_Us
First Published on 2nd March, 2019
Ai Editorial: The final stretch of the PSD2 timeline is a few months away. Various stakeholders in the payment ecosystem have to advance their respective payments security systems so that they meet the requirements of the regulatory technical standards, writes Ai’s Ritesh Gupta.
The payment ecosystem continues to evolve, and one of the driving factors is the set of regulatory moves focused on streamlining digital payments.
A development that is being closely followed is the PSD2 in Europe. This payment services directive is being associated with a major change in payments and data protection. The PSD2 legislation came into effect last year, with full operational compliance to technical standards required by August this year.
It is a vital step in the direction of complete Open Banking. This legislation has paved the way for new payment options for shoppers. It extends the digital single market for payments going in and out of the European Economic Area (EEA).
The PSD2 requires banks to expose payments data and to provide the ability to transact (known as “read” and “write” privileges) to 3rd parties. The PSD2 introduces strict security requirements for the initiation and processing of electronic payments, which apply to all payment service providers, including newly regulated payment service providers. Payment service providers will be obliged to apply so-called strong customer authentication (SCA) when a payer initiates an electronic payment transaction. According to the European Commission, “exemptions include low value payments at the point of sale (to facilitate the use of mobile and contactless payments) and also for remote (online) transactions”. The use of SCA is to become mandatory 18 months after the entry into force of the RTS or regulatory technical standards, which also caters for the security of payments that are carried out in batches.
SCA is focused on ensuring attempted fraud goes down and merchants and issuers in the EEA are validating the consumer for all electronic payments.
Important facets of PSD2 are:
One of the major implications of this directive is that it will cut down on transaction costs. As Anthony Hynes, CEO and MD of eNett International, also pointed out in a company blog post, the introduction of this directive means companies have had to “absorb the additional cost from transactions or redirect the cost back to the consumer”. Also, from the travel industry’s perspective, Hynes mentioned that apprehensions were raised considering the fact that players were relying on surcharges, “particularly travel agents with big-ticket items and already slender margins”. As for the bearing on the transactions by travel shoppers, Hynes recommends that travel intermediaries adhere to two-factor authentication (2FA), and at the same time make it a frictionless experience to encourage repeat purchases from shoppers.
The industry is currently preparing for the same. Various stakeholders in the payment chain have to advance their respective payments security systems so that they meet the RTS requirements. Talking of open banking, as defined by the RTS, there is a need to facilitate a sandbox setting by 14th March to onboard 3rd parties where testing can be done without exposing any sensitive information.
Other areas include customer experience (CX) and fraud management. Worldpay’s VP Global Retail, Maria Prados, recently underlined that the main consequence for retailers would be around the regulatory changes to reduce fraud, which will have a direct impact on the CX. Where SCA is required, biometrics is expected to play a big role, considering the availability of features such as fingerprint sensors and voice or facial recognition on smartphones. It is important for merchants to embrace a system that makes sure SCA is exempted in low-risk scenarios. Merchants have already started working on systems that rely on machine learning for astute decision-making. Rather than using a blanket rule that forces every user to log in with 2FA, real-time surveillance can be used to assess logins in the background, with only logins of borderline risk expected to go through 2FA. This would greatly improve the user experience on the whole, while ensuring that security for accounts is not taken for granted.
The directive mandates changes in how fraud review must be done on intra-EU transactions, pointed out Riskified. A majority of transactions will be reviewed by SCA. This is likely to be 3D Secure 2.0. One of the strengths of EMV 3DS is sharing refined data about the shopper and the transaction so the issuer can validate transactions without affecting the consumer’s checkout experience. At the same time, it is being recommended that merchants should still develop their own fraud tools that are able to tap into their own sources of data for greater efficiency and more accurate detection of fraud.
Payment specialists also need to assess scenarios where exemption to SCA is permitted.
CardinalCommerce explains that the SCA requirement “is for transactions between cardholders whose payment cards have been issued in the EEA and merchants located in the EEA. To clarify, if a cardholder with a card issued in the U.S. buys from a merchant located in the EEA, SCA is not required (though an authentication solution is recommended). Conversely, if a cardholder’s payment card has been issued in the EEA and they make a purchase from a U.S. merchant, SCA is not required. These transactions are labeled “one-leg-out” and are out of scope for PSD2-SCA.” Another important aspect – the European Banking Authority “recommends exemptions for payment service providers (PSPs) that adopt risk-based requirements in lieu of strong customer authentication, which ensures the safety of the payment service user’s funds and personal data”.
First Published on 18th February, 2019
Ai Editorial: Rather than relying on archaic methods, travel companies should look at dynamic multi-factor authentication, behavioral analytics and machine learning to combat loyalty fraud, writes Ai’s Ritesh Gupta.
The threat of account takeover (ATO) is being keenly followed and one of the reasons is the overall damage that it can cause to loyalty programs.
No doubt the focus of fraudsters is now set on loyalty points/miles. According to Connexions Loyalty, travel accounts make an attractive proposition on the dark web, with airline loyalty accounts at $3.20-$208 each.
Fraudsters get access to stolen credentials from a number of sources:
• From data breaches, sold on the dark web
• Phishing with fake websites
• Malware, trojans, spyware
• Social engineering
• Hijacking a mobile device
Fraudsters can choose to either redeem the points for rewards for a travel product or sell the points for cash or transfer the points into a shell account. They can also use saved payment details if available.
The mayhem being created is multi-layered, and airlines are suffering on various counts.
Loyalty fraud isn’t just about an account being accessed or taken over illegitimately. A fraudster can complete a transaction via stolen credit card information, garner points/miles for the transaction and eventually redeem the same for an airline ticket. On one hand, the airline has to face the chargeback process and loses the transaction amount generated through the airline ticket transaction. They end up paying chargeback fees if purchases were made with fraudulent credit cards. On the other, the airline has to salvage the situation, as it has to ensure the loyalty currency accrued remains with the FFP member since it wasn’t used by them.
Also, as airlines look for more redemption options, the loyalty currency can be used for a variety of product categories. So ATOs and loyalty fraud are becoming more attractive for fraudsters.
With all this, the trust the traveller has reposed in the brand breaks, and it is extremely tough for any brand to salvage an association that has gone sour. Other than brand damage, the negative impact can also be measured in terms of revenue loss and operational costs.
Putting apt measures in place
According to CashShield, ATO attempts are rising not only due to the growing value of FFPs, but also because of a lack of stringent security. The problem arises owing to the fact that an FFP account isn’t checked frequently. Connexions Loyalty highlights that 1 out of 3 customers will log in to check their accounts once every few months. According to Kount, 34% of loyalty program consumers only log into their accounts every few months and 23% check account balances even once a month, providing a huge window of opportunity for fraudsters to operate undetected for weeks. So if an account gets hacked, manipulated or misused, the chances of the real owner raising an alarm are low.
Fraud prevention specialists are recommending several measures:
1. Username/password combination isn’t enough. Imagine the number of data breaches that have taken place over the past few years. Since users don’t really change passwords and reuse the same ones for multiple accounts, one hack means the combination of email IDs and username/password can be cracked for a loyalty program, too. Explaining how it works, Ravelin states that credential stuffing depends on ‘combo lists’ - lists of passwords and emails generally gathered from various data breaches. The combinations are then routinely run against a login with any successful attempts logged. This is usually referred to as account ‘cracking’.
It is vital to keep a vigil on accounts for anomalies to effectively distinguish the behavior of genuine and fraudulent customers. According to companies like CashShield and CyberSource, companies should analyze user behavior throughout the entire journey, including account creation and login, any account activity and also the point of transaction, such as redemption of points. Forter rightly points out that from the moment a customer logs onto a website, to redeeming loyalty points or entering a coupon code, their shopping journey is rich and simultaneously vulnerable to new methods of exploitation.
Ravelin recommends also watching for tools that may indicate suspicious activity, such as headless browsers, VPNs, proxies etc.
2. Machine learning technologies are emerging as an astute option to secure accounts. The efficacy of machine learning, especially real-time machine learning, can be explored for account protection. Rely on both supervised and unsupervised machine learning to comprehend both the historical patterns of use, as well as identify anomalies. According to CashShield, behavioral analytics with pattern recognition will be able to accurately filter fraudsters away from genuine users.
3. Identity authentication: Technologies like behavioral biometrics, device fingerprinting etc. need to be focused upon for stringent screening. As Kount points out, these technologies allow a level of identity authentication to ensure that the person behind the screen is the real consumer. It is time to capitalize on options that enable a merchant to accept, reject, or challenge users to authenticate themselves before the event can occur.
4. Avoiding unnecessary friction: Merchants are relying on two-factor authentication (2FA), but 2FA is not completely foolproof (susceptible to SIM hacks, SIM swaps) and unnecessarily impacts the user’s experience. Rather than using a blanket rule that forces every user to log in with 2FA, real-time surveillance can be used to assess logins in the background, with only logins of borderline risk expected to go through 2FA. This would greatly improve the user experience on the whole, while ensuring that security for accounts is not taken for granted. Companies like iovation recommend a dynamic, context-aware multi-factor authentication solution which, once integrated with a mobile app, features multiple parallel authentication methods such as validating possession of a customer’s phone, PIN codes, text verification, fingerprint scan etc. The focus is on deep analysis of the login device to make sure it is one that is registered to the account.
5. Beware of archaic methodologies: Sift highlights that measures such as putting a limit on how customers can earn points and spending requirements to accrue points shouldn’t be looked at. If an airline continues to deploy inefficient methods, then it would mean weak operational efficiency. This would result in a failure to ensure that more transactions can be processed without delay. Plus, a risk-averse manual reviewer, fearing increased chargeback rates, will reject borderline transactions as well. This is where the combination of humans and technology, for example using machine learning to go through massive data sets and flag potentially fraudulent behavior, is a must. The call for full-machine automation can’t be ignored, but it would depend upon the overall risk appetite of the merchant.
As Ravelin asserts, fraud never stays still. So merchants need to make swift progress to shield themselves from loyalty fraud.
6. Dealing with intricate data environments: Airlines are scrutinizing and even executing plans to embrace cloud transformation, banking on open-source offerings rather than being bogged down by proprietary technology. Enterprises must take on responsibility for ensuring data protections like encryption, tokenization, and masking within their environments or ensuring its protection when the data moves between SaaS applications or migrates to another application.
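The credential-stuffing pattern described under measure 1 (one source running many email/password combinations against a login, most of them failing) can be picked out of login logs. The following Python is an added example, not code from any vendor named above; the log format, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (documentation IP ranges).
SAMPLE_LOG = """\
2019-02-18T10:00:01Z ip=203.0.113.7 user=ann@example.com result=FAIL ua=HeadlessChrome/72.0
2019-02-18T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL ua=HeadlessChrome/72.0
2019-02-18T10:00:03Z ip=203.0.113.7 user=cat@example.com result=FAIL ua=HeadlessChrome/72.0
2019-02-18T10:00:04Z ip=203.0.113.7 user=dan@example.com result=FAIL ua=HeadlessChrome/72.0
2019-02-18T10:00:05Z ip=203.0.113.7 user=eve@example.com result=FAIL ua=HeadlessChrome/72.0
2019-02-18T10:00:06Z ip=203.0.113.7 user=fay@example.com result=OK ua=HeadlessChrome/72.0
2019-02-18T10:01:00Z ip=198.51.100.20 user=gil@example.com result=FAIL ua=Mozilla/5.0 Firefox/65.0
2019-02-18T10:01:20Z ip=198.51.100.20 user=gil@example.com result=OK ua=Mozilla/5.0 Firefox/65.0
2019-02-18T10:02:00Z ip=192.0.2.50 user=h1@example.com result=OK ua=Mozilla/5.0 Chrome/72.0
2019-02-18T10:02:05Z ip=192.0.2.50 user=h2@example.com result=OK ua=Mozilla/5.0 Chrome/72.0
2019-02-18T10:02:10Z ip=192.0.2.50 user=h3@example.com result=OK ua=Mozilla/5.0 Chrome/72.0
2019-02-18T10:02:15Z ip=192.0.2.50 user=h4@example.com result=OK ua=Mozilla/5.0 Chrome/72.0
2019-02-18T10:02:20Z ip=192.0.2.50 user=h5@example.com result=OK ua=Mozilla/5.0 Chrome/72.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL) ua=(?P<ua>.*)$"
)


def parse_line(line):
    """Parse one login event; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    try:
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return event


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts, mostly failing.

    A source is flagged when, inside any sliding window, it attempted at
    least `min_users` different usernames and at least `min_fail_ratio`
    of those attempts failed. Thresholds are assumptions to tune per site.
    """
    by_ip = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_ip[event["ip"]].append(event)

    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start, worst = 0, 0
        for end, event in enumerate(events):
            # Shrink the window from the left until it spans <= `window`.
            while event["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "FAIL" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                worst = max(worst, len(users))
        if worst:
            report[ip] = {
                "distinct_users": worst,
                # Headless browsers are one of the indicators named above.
                "headless": any("headless" in e["ua"].lower() for e in events),
                # A success from a flagged source means a working
                # credential pair: lock the account and reset the password.
                "accounts_to_lock": sorted(
                    {e["user"] for e in events if e["result"] == "OK"}),
            }
    return report


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The shared office address with five different successful logins and the member who mistyped a password once are not flagged, because the rule needs both many distinct usernames and a high failure ratio from the same source.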
First Published on 5th February, 2019
Ai Editorial: Pretexting, baiting, email spoofing… these and many more are malicious acts of manipulating human psychology to gain access to personal or financial information to commit fraudulent transactions. Ai’s Ritesh Gupta finds out more about social engineering
As much as consumers today are being alerted not to share their personal information that can eventually result in a fraudulent transaction, the fact that it continues to happen means fraudsters tend to win in this battle of psychological one-upmanship.
Manipulating human psychology is often referred to as social engineering. Merchants and fraud prevention specialists are continuously looking at ways to combat social engineering. It is a tactic used by fraudsters to lure consumers to download malware or provide their confidential information for identity theft (seeking personal information, login details, passcode for online banking etc.). Another method is the internationalized domain name (IDN) homograph attack, in which a malicious party deceives computer users about what remote system they are communicating with by exploiting the fact that many different characters look alike.
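A defender can screen hostnames for the IDN homograph trick before a link is shown or an email is delivered. The following Python is an added example, not part of the original article; the lookalike table is a small constructed subset, the protected domains are hypothetical, and the script test is a heuristic based on Unicode character names.

```python
import unicodedata

# Constructed subset of Cyrillic/Greek letters that render like Latin ones.
# Assumption: a production check would load Unicode's full confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04bb": "h", "\u03bf": "o",
}

# Hypothetical domains the defender wants to protect.
PROTECTED = {"apex.example", "example.com"}


def decode_label(label):
    """Return one DNS label as Unicode, decoding the xn-- (punycode) form."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch):
    """Approximate a character's script from the first word of its name.

    The standard library exposes no Script property, so this is a heuristic.
    Digits, hyphens and combining marks are shared and return None.
    """
    if ch.isdigit() or ch == "-":
        return None
    first = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
    return None if first == "COMBINING" else first


def assess_hostname(host, protected=PROTECTED):
    """Return a list of (kind, detail) findings; an empty list means clean."""
    findings, labels = [], []
    for raw in host.strip().rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            return [("bad-punycode", raw)]
        scripts = sorted({s for s in map(script_of, label) if s})
        if len(scripts) > 1:
            # e.g. Cyrillic letters mixed into an otherwise Latin label
            findings.append(("mixed-script", "%s: %s" % (label, "+".join(scripts))))
        labels.append(label)

    unicode_host = ".".join(labels)
    # Map every known lookalike to its Latin twin and compare with the
    # protected list; this also catches labels written in a single script.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in unicode_host)
    if skeleton != unicode_host and skeleton in protected:
        findings.append(("lookalike", skeleton))
    return findings


if __name__ == "__main__":
    samples = [
        "\u0435\u0445\u0430mple.com",        # Cyrillic e, x, a + Latin "mple"
        "\u0430\u0440\u0435\u0445.example",  # all-Cyrillic lookalike of "apex"
        "m\u00fcnchen.example",              # legitimate Latin-script IDN
        "example.com",
    ]
    for host in samples:
        ascii_form = host.encode("idna").decode("ascii")
        print(ascii_form, assess_hostname(ascii_form))
```

The second sample shows why a mixed-script test alone is not enough: a label written entirely in Cyrillic passes it, and only the comparison against the protected list flags it.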
Also, since the situation is already precarious as fraudsters have considerable access to emails, phone numbers, and other PII credentials, it is time further damage is curtailed by keeping a tab on social engineering.
According to INTERPOL, social engineering fraud can be divided into two main categories: mass frauds, which use basic techniques and are aimed at a large number of people; and targeted frauds, which have a higher degree of sophistication and are aimed at very specific individuals or companies. While the scams themselves differ, the methods used by criminals generally follow the same four steps: Gathering information; Developing a relationship; Exploiting any identified vulnerabilities; Execution.
Attacks include vishing (telephone fraud), smishing (text message fraud) and phishing (email fraud that seeks a password or sends an attachment infected with malware or spyware, such as fraudulent emails that claim to be from your bank, credit card provider or an established website). Attackers usually send well-crafted emails with seemingly legitimate attachments that carry a malicious payload. Phishing is mainly used for emails, but it can be used in text messages, social media posts and instant messages, too. Another way is intentionally leaving behind USB sticks or other storage media that contain malware. Also, by hacking an individual’s email account, a cybercriminal can send messages to their friends, relatives or colleagues claiming to be in trouble, for example, and needing money.
Social engineering may involve much more work for the fraudster. But these types of fraud are not easy to spot since they feature a real person participating in the transaction or any other activity. Experts point out that consumers can play their part in curbing such attacks by being alert or responding with vigilance. With due diligence, one can make it tough for social engineers to get what they are seeking illegitimately.
Certain areas to watch out for:
· If the offer is too alluring or incredibly unusual, then don’t take action. For example, don’t share bank details to buy a free London-Chicago ticket!
· Do check the spelling. Generally, the subject or the sender of an email isn’t spelled correctly in such cases. Poor grammar and spelling are common in email correspondence and letters sent by fraudsters.
· Don’t download any attachments or click on any links, unless it is from a known sender.
· Don’t share personal information that is generally not shared or is meant to be protected.
· Don’t lose control over your device - a fraudster can impersonate and offer free anti-virus software. Once the user installs the software, the fraudsters can take over their device.
· Beware of even unusual offers – free servicing of a computer or any promotional offer for your mobile device.
· Do not send identification documents – not even copies – in response to an unknown person.
· Avoid putting all details on open social media pages.
Other than simply being careless, there are instances where consumers react to a situation because an emotion takes over, be it fear, curiosity or desire. Examples include malware campaigns on social networking sites (such as an enticing video on Facebook), gambling-related scams, cancer fraud etc.
A social engineer will always find a new way to do what they do. So controlling social engineering isn’t a straightforward task, but a lot can be done via education. Also, a mixed tactic of simulated social engineering attacks combined with interactive training modules is a way to prepare for such situations. Intermittent cyber security appraisals are also essential, because as organizations evolve, they change — and the information flow, too, changes within the company.
Upcoming Webinar: The Loyalty Fraud Prevention Association (LFPA) is set to host a webinar featuring a short presentation from SEON on what social engineering is and how it can be used to improve fraud prevention capabilities. Date: 14th February.
First Published on 31st January, 2019
Organizations need to reassess their respective data security and encryption strategy as they embrace cloud propositions and gear up for regulatory and compliance mandates, according to a new report.
Digital transformation today is being equated to an enterprise-wide, cross-functional undertaking, with key drivers being enhancing the customer experience, cutting down on operational costs and creation of new services or revenue streams.
Rather than just modernizing IT infrastructure, organizations are going deeper – right from the ownership to banking on cross-functional, collaborative groups for the entire organization to eventually gear up for playing an “infinite game”.
At the same time, as organizations plan to take advantage of cloud, mobile, social, and the Internet of Things, the rush to digital transformation is putting sensitive data at risk for organizations worldwide, according to the 2019 Thales Data Threat Report.
The report, based on a survey of 1,200 executives with responsibility for or influence over IT and data security, has stressed that shielding “sensitive data” is becoming increasingly complicated.
Dealing with intricate data environments
The decision to focus on the cloud or multi-cloud environments is a part of the transformation being planned. Airlines are scrutinizing and even executing plans to embrace cloud transformation, banking on open-source offerings rather than being bogged down by proprietary technology. Considering the complexity of the IT setup that this industry has, there are options available to integrate applications, data and processes across both on-premises and cloud environments. There are 3 models for cloud computing - Infrastructure as a Service, Platform as a Service and Software as a Service. Managing infrastructure and domain-specific IT systems for retailing, real-time data intelligence, running a digital asset on a purpose-built, multi-cloud setup, payment optimization etc. are among the initiatives that airlines are undertaking to keep pace with their customers in the digital economy.
But this shift is also being referred to as a hurdle to working out apt data security action. This complexity is listed above other issues such as employee needs, budget issues and ensuring organizational go-ahead.
The situation demands thorough introspection. For instance, in order to ensure not even a single second of a shopper’s time is wasted during the check-out phase, progress is being made in the form of regional cloud support, an initiative that can bridge the gap between an airline and a passenger irrespective of location. So how would such an initiative help? Since every second counts, payment specialists are curbing any delay in mobile load times. So it means every aspect of modern commerce needs to be studied in detail.
Recommendations from the report:
· Cloud security must be seen as a shared security model between the enterprise customer and the PaaS, IaaS, or SaaS provider.
· Enterprises must take on responsibility for ensuring data protections like encryption, tokenization, and masking within their environments or ensuring its protection when the data moves between SaaS applications or migrates to another application.
Other key findings listed in the report:
· Concerns related to mobile payments include fraudsters using mobile payment apps for account takeover, new account fraud, exposure of PII, weak authentication protocols, and potential exposure of payment card information.
· The main data security concerns around IoT include attacks on IoT devices, lack of frameworks and controls, and protecting sensitive data through encryption and tokenization.
· Leading data security concerns regarding big data include sensitive data residing throughout the environment, data quality concerns, and privacy violations from internationally-originated data.
First Published on 24th January, 2019
Payments are going digital and the increased speed of adoption is being driven by multiple factors. These include an abundance of new electronic payment methods—many of which are layered on top of existing payment methods—focused on convenience, speed and the overall consumer experience.
According to a recent report, Key Trends in Digital Payments Markets and Strategic Infrastructure, developed by The Initiatives Group and sponsored by Equinix, the key trends currently shaping digital payments markets around the world are:
· Real-time payments (To date, discussions about real-time payments have been dominated by the core functionality—speed, availability and rails on which money is moved, together with the challenges associated with their implementation. However, conversations are now shifting towards value-added products and services that an enhanced infrastructure will allow financial institutions (and others) to bring to market);
· Regulatory interventions—often focused on streamlining digital payments (regulators are seeking to capture the economic efficiencies embedded in electronic transactions, and to drive increased competition and innovation by opening up customer banking data to third parties. Regulators are also continuing to scrutinize and assert control around the costs associated with electronic payments, to ensure that their widespread adoption is not hindered (and related efficiencies gained), and there is transparency in pricing (with consumers and businesses able to make valid comparisons));
· Open banking—potentially bringing new players into the arena (As with real-time payments, open banking will facilitate the creation of new products and services, driven by regulation and enabled by advances in technology. While this will continue the commoditization of transaction banking, it also brings new opportunities to add value through data).
The study highlights that the handling of the payment, the ability to recognize returning customers and the cross-linking of potential offers need to happen fast, securely and efficiently, and be delivered locally to users. It is critical to choose an interconnection and co-location provider based on its ability to reach all target users, interconnect the required cloud and payment partners, and integrate the required payment rails and governance controls.
First Published on 16th January, 2019
Ai Editorial: The role of chatbots, be it for facilitating transactions or servicing during any phase of a traveller’s journey, is being strengthened. Ai’s Ritesh Gupta evaluates the lessons learned.
Is a chatbot astute enough to serve a traveller?
The overall experience based on interactions with chatbots till last year was mixed. The travel booking funnel is a prolonged one, and one of the areas where chatbots have struggled pertains to understanding the context of the query. A case in point is when an established OTA chose to revive an abandoned shopping cart via a chatbot interface (by sending a link for the same through email). What if a user has already finished a hotel booking, reaches the chatbot interface, asks a question about a local activity in the destination chosen and the chatbot is seemingly unaware of the booking funnel! The OTA failed to deliver the desired experience.
Specialists acknowledge such issues and assert that ongoing improvements are refining the messaging app user experience.
Today a top-notch airline-run transactional chatbot can understand over 60%-70% of inquiries on Facebook, and analysis is being done to understand the intent.
“The re-botulution is here now,” highlighted Jonathan Newman, Commercial Director at Barcelona-based caravelo, during one of Ai’s conferences in Bangkok, in August last year. The company has worked with approximately 10 airlines for their bots. Airlines are either moving their existing web-chats to bot interfaces or directly launching on messenger. The types of chatbots, as specialists point out, include FAQ chatbots, transactional ones, and those that initiate a conversation and keep a user engaged till a human customer care executive takes over.
Chatbots turn messaging platforms into a new channel for servicing and retail. “Since (now nearly two years) we first connected airline inventory to messenger platforms and in the last 12 months of our launching, training and iterating airline chatbots, we’ve gotten a much clearer picture of the purpose of bot technology,” mentioned Newman.
Newman referred to seven key lessons when it came to improving bots:
· Be reasonable
· Make it easy
· Be helpful
· Be connected
· Open your mind
· Be a team player
· Expect unexpected
Among the other companies, Ingenico Group this week launched its enhanced messaging bot offering, featuring artificial intelligence (AI) services from IBM.
According to Ingenico, Watson capabilities allow the group’s chatbot to better comprehend users’ requests once shared, “whatever they may be”.
It is being promised that the bot can better interpret nuances in language and phrasing, handling natural variations in the manner in which individuals communicate. As a result, the bot can respond quickly and effectively enabling it to meet each user’s specific needs, in a wide range of different languages. The group asserts that the new AI component will play a part in stepping up the conversion rate. A major aspect is Ingenico’s payment API. On Ingenico’s chatbot’s payment capability, Gabriel de Montessus, SVP Global Online (Retail BU) for Ingenico Group, said: “This new AI-powered capability enhances user experience and improves conversion significantly. Thanks to IBM Watson AI services, users simply tell the bot their desired purchase and submit payment and delivery information – achieving a truly seamless payment experience for consumers.”
Airlines are digging deep, and are keen on expanding capabilities. At the time of the launch of Asian airline Scoot’s transactional chatbot in July last year, the airline indicated that other than supporting a full transaction flow, the plan was also to accept promo codes, assist customers to manage and make changes to their bookings, purchase ancillary products such as preferred seats and travel insurance, make interline bookings involving flights by partner airlines, and accept more payment modes.
Companies like caravelo point out that retailing for airlines isn’t only about inventory + seat + bag anymore. With a broadened catalog, airlines need to rethink the touch-points and engagement methodologies in making that catalog meaningful. The focus needs to be on micro moments of retailing engagement, in the channels where customers are. And considering the penetration of messaging apps, the role of chatbots can’t be undermined. But the level of sophistication needs to step up to match the expectations of travellers.
Interesting questions that are being probed from e-commerce perspective include:
· The role of chatbots in stepping up the mobile conversion rate
· Role in targeting the second wallet
· Security of chatbots – what if they get hacked or the sort of attacks that can be carried out with them
Hear from experts about the role of chatbots, their performance and how they are being improved upon at this year’s Airline & Travel Payments Summit (ATPS), scheduled to take place in London (Brighton), UK (7-9 May, 2019).
First Published on 14th January, 2019
Ai Editorial: The new version of 3D Secure is being counted upon for supporting additional payment channels - in-app, mobile, and digital wallet payment methods, stronger authentication possibilities for a better checkout experience, and enhanced security, writes Ai’s Ritesh Gupta.
A lot can happen in a fraction of a second when a shopper agrees to wrap up a digital transaction. In this context, the role of 3-D Secure 2.0 or EMV 3-D Secure in improving payments security and increasing authorizations is, as expected, under scrutiny. The purpose of the new protocol is to facilitate the data exchange between the merchant, cardholder and issuer.
The problem with 3D Secure (3DS) is that it has been compromised more than once in the past, and can be easily bypassed by fraudsters who develop fake, yet similar-looking pop-up windows used for 3DS authentication. But, as specialists point out, the new version is going to feature token-oriented and biometric validation in place of static passwords. It introduces risk-based authentication, which enables issuers to get additional data from both the transaction context and the merchant’s and cardholder’s risk profiles. The refined datasets for better verification feature email, billing and shipping address, cardholder behaviour information, etc. With added data supplied during transactions, it is being highlighted that risk-based verdicts will be possible on whether to authorize or not. The shopper experience would be improved with the eradication of the early sign-up procedure and by taking out the need for cardholders to use static passwords.
Also, there is going to be support of non-browser-based “card not present” payments (so in both application and browser-based solutions, on mobile and other consumer connected devices).
From the industry’s perspective, 3-D Secure 2.0 will pave the way for a real-time, protected, details-sharing channel that merchants can use to send an unmatched number of transaction attributes, which the issuer can use without looking for a static password. Overall, this means enhanced messaging with additional information for better decisions on authentication. Other benefits include better datasets for risk-based authorization, and curbing illegitimate or dubious transactions, even if a cardholder’s card number is stolen or cloned. Issuers gain from being back in control of their costs with this version. A bigger data set enables the issuer to step up the accuracy of its risk-based assessment.
Impact on merchants
With this development, merchants need to garner and disclose high-quality, significant data (email id or device details) in order to process transactions where previously a card number, expiry date and CVC code were enough. The issuer will use such information, plus its own information about the cardholder and the merchant, to assess the transaction’s risk.
As explained recently by Ingenico ePayments in one of its blog posts, “…it’s important to see this as the foundation of using behavioural analysis to fight payment fraud. It’s part of a general sea change: for instance, the European Banking Authority (EBA) shared its opinion in June (last year) that CVV numbers cannot be a second authentication factor in the “knowledge” category (visible on the card), eventually passing to the “possession” category. Guidance from the EBA and EU central banks is needed on what SCA methods are RTS-compliant. Eventually we may see the payment page changing drastically.” It added, “For merchants, the response has varied country by country, but the more data they share, the better their authorization rate will be (up to 10% according to the card network). What’s more, if merchants do share data, and issuer authorization rates are still low, then card schemes will have the power to impose fines, which puts pressure on issuers to step up. They have an obligation to get results.”
For its part, Mastercard has set up a framework called Mastercard Identity Check. The program offers merchants and their banks a way to upgrade and enhance current security solutions to assess possible risks and authenticate legitimate transactions in a seamless way. The company shared that by relying on Identity Check’s AI and machine learning, EMV 3D-Secure can now take into account over 150 different variables of a transaction to help the issuer make a more accurate, insight-based decision whether to approve a transaction or decline it. These variables include such factors as screen brightness, device owner gestures and shopping purchase history. They are used alongside insights from the merchant and issuer to authenticate a payment.
Major developments are in store, starting in April this year.
As shared by CardinalCommerce, for Visa, April is going to mark the initiation period for EMV 3-D Secure in Europe. In the same month, American Express is expected to recommend that issuers stop using static authentication methods, while concurrently pushing issuers who are leveraging EMV 3-D Secure to use risk-based authentication. Also, Mastercard is working on putting in place specific measures related to PSD2 and EMV 3-D Secure.
Issues have been raised, too. It is being asserted that the new version is privacy invasive for the shopper. The merchant in all probability would need to handle data with precision (in order to adhere to privacy regulations), and the impact on the issuer, too, has been under scrutiny. Also, counting on 3-D Secure 2.0 or EMV 3-D Secure is just one piece of the fraud prevention puzzle for merchants. It is being recommended that merchants should be seeking a fraud solution that is able to act as a filter for fraud, rather than only relying on 3DS. A multi-disciplinary approach, one that combines machine learning and other techniques to make sense of the score automatically, is required to fully automate the fraud screening process.
First Published on 9th January, 2019
Ai Editorial: IATA has completed its first Open Banking live transaction this week. There are more developments to watch out for in 2019, writes Ai's Ritesh Gupta.
Streamlining the payment experience isn't just about offering the most convenient option to pay, but also about ensuring security around the same. Pressure is mounting on airlines and other merchants in the travel sector. Rather than introducing verification processes that delay the transaction experience, airlines must plan frictionless on-boarding and authentication methods.
2019 is expected to witness progress on this count, as airlines continue to focus on offering a simple and frictionless payment procedure - a seamless check-out, being spot on with the choice and personalisation, and eventually managing payment and settlement of transactions seamlessly.
This week IATA has completed its first “IATA Pay” ticket purchase transaction in a live test environment. It is a new payment method for travellers when buying a ticket directly from an airline website. IATA has stated that this method is not only worked out for convenience of shoppers, but also to offer a cheaper payment option compared to other alternatives. The association also termed IATA Pay as highly secure, for faster cashflow with instant/near instant payment to the merchant, and a simpler payment process resulting in fewer lost sales. The live test was done under the UK’s Open Banking framework with IATA Pay pilot airlines, including Cathay Pacific Airways, Scandinavian Airlines and Emirates.
IATA is also working with Deutsche Bank on a prototype for Europe (excluding the UK), starting with the German market, which is expected to undergo testing in early 2019. Following this, IATA will validate the concept with the intention to expand to other regions, stated the association in a release.
Frictionless + Secure Environment
Among technology trends to watch out for in 2019, one can expect artificial intelligence to play a bigger role in fraud detection and cyber defence, security via biometrics, and the role of chatbots and voice-based digital assistants in shopping.
A couple of areas that are worth following include identity verification and how tokenization is shaping up in order to protect payment data.
Considering the pace with which mobile commerce has shaped up and continues to grow, it is vital for merchants to:
Airlines also need to find ways to understand a shopper's behaviour, including purchase behaviour across specific devices and also enhancing fraud detection.
This is where the use of tokenization is being followed closely. A token replaces sensitive account information, such as the 16-digit primary account number, with a unique digital identifier.
According to CyberSource, tokenization facilitates new payment capabilities and makes it possible to adapt quickly to changing market requirements. Another important aspect is protecting sensitive payment card data. Visa Token Service helps shoppers to connect their cards to merchants of their choice within banking apps. It also comes into play when a customer opts for a new payment card: the card gets updated seamlessly, so that recurring payments and other card-on-file situations do not spoil the payment experience. Also, to enhance the tokenization offering, specialists are looking at cloud support, and the plan is to accelerate the checkout phase and augment the payment experience.
Another area that is going to be crucial for merchants is the significance of latency and response time when it comes to fraud detection. The time taken by a bank to respond to an illegitimate transaction “translates directly to how much financial loss can be prevented”. Detection needs to happen within a response time window of a mere two seconds. "This means less than two seconds to process an incoming mobile activity, build a behavioral profile, evaluate the transaction for fraud, and determine if an action needs to be taken," as highlighted by Microsoft Azure in one of its blog posts regarding mobile bank fraud.
Lastly, fraud prevention specialists recommend that the time has come for merchants to become smarter. Merchants should still develop their own fraud tools that are able to tap into their own sources of data for greater efficiency and more accurate detection of fraud. Real-time machine learning can help against blanket blacklists and whitelists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transaction to identify fraud patterns.
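The two properties described above (the merchant holds a token instead of the 16-digit PAN, and a reissued card is swapped in behind the same token) can be sketched as follows. This is an added illustration, not code from Visa, CyberSource or the article: `TokenVault`, its method names and the `payment_processor` role are hypothetical, and the card numbers are constructed test values.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn checksum that every payment card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service: the only place a PAN is ever stored."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        self._check(pan)
        # Random identifier, not derived from the PAN, so it cannot be reversed.
        token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        return token

    def update_card(self, token: str, new_pan: str) -> None:
        """Card reissued: swap the PAN behind an existing token."""
        self._check(new_pan)
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        self._pan_by_token[token] = new_pan

    def last4(self, token: str) -> str:
        return self._pan_by_token[token][-4:]

    def detokenize(self, token: str, caller: str) -> str:
        # Only the payment processor role may recover the real PAN.
        if caller != "payment_processor":
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]

    @staticmethod
    def _check(pan: str) -> None:
        if not (pan.isdigit() and len(pan) == 16 and luhn_ok(pan)):
            raise ValueError("not a valid 16-digit PAN")


def card_on_file_demo():
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")     # constructed test PAN
    merchant_db = {"customer-42": token}           # merchant keeps the token only
    before = vault.last4(merchant_db["customer-42"])
    vault.update_card(token, "5555555555554444")   # customer gets a new card
    after = vault.last4(merchant_db["customer-42"])
    return vault, merchant_db, before, after
```

A breach of `merchant_db` in this model exposes only random tokens, and the stored token keeps working for recurring payments after the card changes.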
First Published on 14th December, 2018
Ai Editorial: Data is going to be a key weapon in the arsenal of airlines as the industry attempts to fight emerging fraud threats, writes Ai’s Ritesh Gupta.
Airlines acknowledge that they need to be in a position to probe as many data sources as possible in order to improve the probability of uncovering and combatting fraudulent activities and transactions.
Going forward, airlines not only need to focus on their own unique data, but they also have to count on external data plus be open to collaborating with other stakeholders to stop fraudsters’ malicious moves.
1. Tracking and consolidating own data: Blending all the available transactional data into a single system and analysis model is critical considering where the industry stands today with CNP purchases and e-commerce sales. In addition to ticket-related revenue generation, keeping a vigil on frequent flyer miles, loyalty points, gift cards etc. is a must. Considering the way fraud evolves, airlines can’t ignore options like e-gift cards. Fraudsters are capable of breaking through gift card codes through various methods such as phishing or social engineering. Airlines’ own data, especially on their own channels like a website, is important to refine analytics around it.
Big data is first used to collect information about the user’s behaviour on the website (for instance, how the mouse moves, words per minute etc.). This information is combined with machine learning, which uses pattern recognition to match the user’s behaviour with either positive (genuine) or negative (fraudulent) behaviour, and with predictive analytics that records the positive/negative behaviour and uses it on future transactions to look for potential signs of fraud. After the point of data collection, airlines have to amplify and triangulate the data, analysing it through multiple permutations and combinations so as to better understand the fraud patterns left behind by fraudsters in their attempt to brute force the system.
Real-time data from airline.com can also help in curbing fraud. Blacklists rarely work because hackers will never use the same credit card information twice, while white-lists are inaccurate since white-listed customers can be compromised anytime. Real-time machine learning can help against blanket blacklists and white-lists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transaction to identify fraud patterns.
2. Blending data from other sectors for the benefit of airlines: Specialists serving the travel industry state that the fraud-related issues must be confronted collectively. There is strength in numbers and insight in data—and help is available to leverage them both. Specialists like Accertify are working on airline-specific offerings, and their machine learning technology aggregates and transforms information from a diverse set of sources to identify emerging fraud risks and attacks. External data can complement and lend a new dimension to internal data sources, offering a better view of shoppers and the authenticity of transactions. Evaluating IP addresses, credit card data, and email addresses can enhance a carrier’s interpretation of who is doing what—and from where they are doing it.
3. Accuracy of machine learning: The collection of more and relevant data would help to improve the accuracy of the machine learning models by churning the data through various permutations and combinations to identify potential fraud patterns. However, ultimately a multi-disciplinary approach, one that combines machine learning and other techniques to make sense of the score automatically, is required to fully automate the fraud screening process. Machine learning models are only able to provide a fraud score; the bulk of transactions are handled automatically on that basis, but humans are still required to review a good number of transactions that are considered borderline.
4. Authorization rates: Among the other areas, data is being relied upon for improving authorization rates. As highlighted by Adyen, on average, 5%-15% of ecommerce credit card transactions are rejected by issuing banks, and out of these, a quarter are rejected without convincing reasons, mostly due to old and inefficient systems. And in certain markets, authorization rates across issuers take a dip because of suspicion of fraud. In this context, it is imperative to bank on data to evaluate the main reasons behind those declines and take appropriate initiatives. For instance, one area that could be looked at is issuer-specific authorization rate trends. These actions may include optimizing the type of data submitted or identifying optimal routing for a given transaction.
5. Collaboration: A shared database or working together with relevant partners is going to be the biggest factor in combating fraud. IATA Perseuss allows members to check suspect transactions against a community database holding records from around the world. Still, there is plenty to learn from other industries or law enforcement in a particular market that has managed to control fraud to an extent. With a partnership featuring different players from the industry, the government and law enforcement agencies, fraudsters are being punished. For instance, the Banking Protocol scheme in the U.K. allows bank branch staff to immediately alert police and Trading Standards if they suspect fraudulent activity. The Dedicated Card and Payment Crime Unit (DCPCU), backed by the finance industry, made 84 arrests and interviews under caution in the first half of 2018, which led to 26 fraudsters being convicted. As for capitalizing on data, intelligence is also shared with law enforcement including the National Crime Agency. A campaign is being led by Financial Fraud Action UK to help everyone protect themselves from preventable financial fraud and is being delivered with and through a range of partners in the UK payments industry, financial services firms, law enforcement agencies, telecommunication providers, commercial, public and third sector organizations.
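The contrast drawn under item 1 above, and at the close of the 9th January editorial, between card blacklists and a model that trains itself on each incoming transaction can be made concrete. This is an added illustration, not code from the article or any vendor: the stream, the two behavioural features (checkout fill time, pasted card number) and the assumption that the fraud label arrives immediately are all constructed.

```python
import math


def constructed_stream(n=200):
    """Constructed data: every 5th order is fraud on a never-before-seen card."""
    for i in range(n):
        if i % 5 == 0:
            yield {"card": f"stolen-{i}", "fill_seconds": 2 + i % 3,
                   "pasted_pan": 1, "fraud": 1}
        else:
            yield {"card": f"customer-{i % 20}",
                   "fill_seconds": 25 + 3 * (i % 7),
                   "pasted_pan": 0, "fraud": 0}


def features(tx):
    # Bias term plus two behavioural signals; no card number involved.
    return [1.0, tx["fill_seconds"] / 60.0, float(tx["pasted_pan"])]


def run(stream, lr=1.0):
    """Score each transaction first, then learn from its label."""
    blacklist, w, results = set(), [0.0, 0.0, 0.0], []
    for tx in stream:
        x = features(tx)
        z = sum(wi * xi for wi, xi in zip(w, x))
        p = 1.0 / (1.0 + math.exp(-z))          # logistic fraud probability
        results.append({"fraud": tx["fraud"],
                        "blacklist_hit": tx["card"] in blacklist,
                        "model_flag": p > 0.5})
        # Feedback (assumed immediate): blacklist the card, update the model.
        if tx["fraud"]:
            blacklist.add(tx["card"])
        w = [wi + lr * (tx["fraud"] - p) * xi for wi, xi in zip(w, x)]
    return results


def summarize(results):
    """Count detections over the second half of the stream only."""
    late = results[len(results) // 2:]
    frauds = [r for r in late if r["fraud"]]
    genuine = [r for r in late if not r["fraud"]]
    return {"frauds": len(frauds),
            "blacklist_caught": sum(r["blacklist_hit"] for r in frauds),
            "model_caught": sum(r["model_flag"] for r in frauds),
            "false_positives": sum(r["model_flag"] for r in genuine)}


if __name__ == "__main__":
    print(summarize(run(constructed_stream())))
```

In practice fraud labels arrive late (chargebacks, manual review), so a production system would queue the model update until the label is known.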