According to the research, the increase in the mobile biometrics market represents a CAGR of nearly 67% with

Global mobile biometric market

total forecast period revenues exceeding $117 billion.

The report segments the mobile biometrics market into three major sectors, including biometric sensors embedded in smart mobile devices; biometric apps offered by biometric vendors, mobile service providers and online identity providers downloaded to smart devices; and biometric authentication for payment and non-payment transactions provided via secure cloud-based services linked to smart device.

Acuity projects that by 2020, biometrics will be a standard feature on 100% of the nearly 3 billion consumer smart mobile devices sold each year. With an installed base of 4.8 billion, more than 89% of all smart devices in use will be biometrically enabled.

Meanwhile, more than 5.5 billion biometric apps will be downloaded annually, and more than 800 billion transactions that require some level of biometric authentication will be processed on mobile devices each year.

The post Mobile biometrics market to reach $35 billion appeared first on Accourt Payments Specialists.

Chip and signature is a joke!

Author:  Vaughan Collie, Partner, Accourt – Payment Specialists.

“The fact that we didn’t go to PIN is such a joke,” says Mike Cook, Walmart’s assistant treasurer and a senior vice president, in reference to the USA’s current migration to EMV where chip and PIN or chip and signature are equally acceptable. “Signature is worthless as a form of authentication,” continues Cook, with Walmart preferring a Chip and PIN mandated approach similar to the UK and most of Europe. Not so says Visa Inc. vice president of risk products Stephanie Ericksen, “we don’t see a need for it; [chip and PIN] will have a shorter shelf life. We’re moving to new technologies and innovation.”

So who is correct, Visa or Walmart?

To answer this question it is most instructive to very briefly revisit the origins of EMV.

EMV in its ‘chip and PIN’ incarnation was ultimately designed for effective use in a predominantly offline card authorisation ecosystem (e.g. the UK at that time), thereby enabling issuers to delegate significant ‘authorisation authority’ to the chip without requiring an online authorisation from the issuer’s host system. Interestingly, the UK and most other European geographies are currently in the final stages of moving to a fully online ecosystem.

Back in 2002, following a number of years of unacceptable growth rates in various fraud types, the UK card industry formally began its migration to EMV chip and PIN. Significantly elevated levels of counterfeit fraud was one of the primary drivers of this decision and EMV chip, coupled with PIN as the cardholder verification method (CVM), was seen as the most effective approach given the predominantly offline nature of the UK authorisation ecosystem and the technology and commercial landscape at the time.

A centrally managed, UK-wide migration programme not only addressed the technical considerations and decisions, but arguably more importantly, the challenges that were likely to be faced by the various sets of stakeholders (e.g. industry, merchants, consumers, etc.). These challenges included the significant societal and cultural move away from signatures as the prevalent form of cardholder verification at the point of sale to the ‘high-tech’ PIN alternative already found in ATM transactions (although not chip-based PIN at that time).

The UK chip and PIN programme was ultimately regarded as an industry success and it certainly achieved one of its objectives: reduce counterfeit and lost and stolen fraud numbers significantly. However, this was not without some fairly harsh lessons being learned at the time and since then, for example:

• A credible industry business case was extremely difficult to develop due to varying approaches to risk appetite and management across the industry. Ultimately the view was that there was enough of a case to continue and that it was the right thing for the industry to do at the time (coupled with the ‘do nothing’ option being utterly unpalatable for all).
• Carefully consider the consequences – by effectively mitigating against certain fraud types (e.g. skimming/counterfeit), are you incentivising criminals to supercharge their efforts and focus on other fraud types (e.g. cardholder not present – CNP)? And will these subsequent fraudulent activities lead to a greater problem (e.g. increased CNP fraud) than the one you are solving with chip and PIN?
• A card scheme liability shift mechanism (effective from October 2015 for POS transactions in the US) is critical to drive appropriate and timely actions across the card payments value chain and industry as a whole. The general EMV liability shift rule-of-thumb is that those stakeholders that implement and enable the highest level of EMV capability/technology within their environments will enjoy the lowest risk of fraud loss (e.g. if a merchant implements a fully EMV capable terminal, that merchant will benefit from the liability shift if a magstripe card is presented).
• ATMs should have been one of the first channels to convert. ATMs were a primary card skimming enabler (and still suffer today notwithstanding various mitigating measures and technologies that have been developed over the years).
• Upfront agreement to the phasing out/cessation of CAM (chip) fall-back to magstripe and CVM fall-back is critical to drive desired behaviours and ensure that, for example, cardholders don’t continually ‘forget’ their PINs and therefore continue to rely on signatures. This is of course an extremely difficult and fraught journey for stakeholders to embark upon, especially merchants and consumers, but it has proven time and time again to be the appropriate course of action to support achievement of desired outcomes for EMV migrations.

Surely then, being mindful of these and other learnings, EMV chip and PIN is a must in the US? As ever, it’s not as straightforward as that. There are many factors to consider, not least of which is the cost – financial, operational, customer, social and cultural – of this decision. And apart from cost, are the reasons for deciding for chip and PIN historically still the same today?

Let’s deal with cost first. It is widely established (e.g. UK, Australia, Europe) that implementing EMV chip (typically CDA) is one of the most effective mitigants to skimming/counterfeit fraud. The addition of the PIN element generally mitigates against fraud types such as lost/stolen fraud.

The diagram below provides a perspective on the 2014 card fraud loss landscape in the US. Clearly the predominant fraud types are counterfeit ($3.0bn pa) and cardholder not present ($2.9bn pa), with lost and stolen fraud a not insignificant $0.8bn pa.

Bearing in mind that the US is almost entirely an online authorisation ecosystem and EMV chip and PIN was designed for a predominantly offline ecosystem – does it make sense to invest significantly in infrastructure to support offline PIN?

From purely a financial cost perspective, given significant current economic pressure from all quarters to reduce and manage costs, surely it makes sense to prioritise and focus limited resources on the areas of greatest exposure and impact? In the case of the US, this appears to be counterfeit and CNP fraud losses with lost/stolen appearing as the third priority. Therefore, based on current experience and relatively predictable outcomes, it appears most likely that chip and signature would be the most balanced, cost-effective immediate solution to the skimming/counterfeit fraud issue.

Furthermore, in a world where high-profile data breaches are too common for comfort, this would be a significant step towards rendering card data obtained from these breaches useless in geographies where EMV chip is the only acceptable form of face-to-face card payment type. The caveat however, is that as long as a magstripe exists on today’s payment cards, there is still a risk that, without the application of additional mitigating measures by value chain stakeholders, this data can still potentially be used to commit fraud in online environments (as can EMV cards without additional risk management controls in the online environment – EMV in and of itself does not reduce/remove CNP fraud risk).

One of the next questions is whether the payments ecosystem has changed to the extent that chip and PIN is no longer valid. Clearly the ecosystem has changed dramatically in many respects since the early days of EMV, not least of which is the phenomenal pace of technology advancement in the fraud and risk management space. Much has been written about a multi-layered approach to fraud management (this article will not seek to replicate that discussion) – at this time, EMV should be one component of that multi-layered approach. There are numerous other components such as advanced KYC, real-time behavioural analytics and transaction scoring (with the new breed of self-learning Bayesian modelling beginning to threaten the incumbent neural network based solutions), geographically aware location-based solutions, etc. Many of these solutions did not exist at the time that EMV PIN versus signature decisions were being made in the non-US EMV migrations – needless to say, their existence today significantly influences the considerations that underpin such decisions.

A further, oft-cited justification for ‘ignoring’ PIN is the argument that a large proportion of the general American population is likely to be unable to remember and use their PINs as required. This article cannot support that argument – Americans have been successfully using PIN-based debit card products for many years. For consumers, the EMV PIN experience is identical.

Perhaps a less obvious, but potentially important consideration is how chip and signature cards will be treated outside of the US. Most non-US implementations of EMV have been chip and PIN. US chip and signature cards being presented for payment in geographies that expect chip and PIN are likely to cause significant confusion and friction at the POS.

It is therefore valid to argue that, given the nature of the face-to-face payments ecosystem today and, in the absence of anything else (e.g. removing payment card data from the ecosystem entirely), perhaps chip and PIN is relatively the most appropriate solution. However, when implemented in a predominantly online authorisation ecosystem and in conjunction with a multi-layered fraud and risk management approach, compromising with chip and signature is unlikely to pose the same level of risk it may have done in the past. To Visa’s point, there are other innovations being driven into the market in this space and, while it will take some considerable time for some of these to gain the global ubiquity that is essential to their success, it probably makes sense to balance limited resources, i.e. industry investment, across these innovations in parallel with investment in today’s toolbox for fraud and risk management – of which EMV is definitely a part.

The Walmart position is both valid and unsurprising for a number of reasons – for example, having your till-based check-out staff carrying the burden of authentication, i.e. deciding whether a signature matches the version on the back of the payment card, is entirely unrealistic and has been proven to fail as an effective risk management measure time and again (e.g. there are many examples of ‘Mickey Mouse’ signatures being successfully used in face-to-face transactions…). PIN helps to address this issue, although effective online authorisation screening (e.g. context-aware, dynamic authentication) can be an even more powerful tool in both the face-to-face and online transaction ecosystems. Walmart is also in the position of having already made the investment in a PIN-based strategy – something a number of their competitors are not keen to do.

So, back to our original question, is Visa or Walmart correct. Both actually. There can be no doubt that signature has long been a very poor form of authentication, however, given the US context, implementing PIN where there are more advanced and effective methods of authentication available probably makes less sense today than historically. Value chain stakeholders with potentially significant exposure to fraud risk must consider investing in a sophisticated, multi-layered approach to fraud and risk management. With or without PIN, EMV is not and was never designed to be a standalone silver bullet solution to all payment fraud.

The post Chip and signature is a joke! appeared first on Accourt Payments Specialists.

First, the headline successes. Fraud conducted in the face-to-face retail environment continues to show a healthy decline trend (down 14% on the previous year) with card ID theft (down 19%) and cheques (down 35% off a rapidly decreasing base) also showing notable declines.  These figures show an industry that continues to tackle some of the key fraud issues head-on, however, there are still significant challenges that need to be addressed, writes Vaughan Collie, Partner, Accourt – Payments Specialists.

On the downside, e-commerce and online banking continue to be areas of material concern.

E-commerce fraud has increased by 14%, continuing its worrying upward trend. These figures show an above average fraud-to-sales ratio (i.e. a common industry indicator of how much fraud loss is experienced for every unit of sales) in an industry where online commerce continues to grow exponentially and, with the increasing popularity of commerce through mobile devices such as smartphones and tablets, this remains an area of significant concern.

Annual fraud losses on UK-issued cards 2008 to 2014 (Source FFA UK)

Online banking fraud has also shown an eye-watering increase of 48%.  One of the key drivers of this is a criminal element adept at basic, low-tech social engineering, preying on unsuspecting, sometimes gullible and vulnerable consumers – making this type of fraud relatively difficult to defend against (especially with legacy fraud management products and techniques).  This is primarily due to the ability of the criminals to bypass the safeguards put in place by the banks and other financial institutions once they’ve stolen sensitive information and/or credentials from consumers via these social engineering techniques.

It is not difficult to see the common element between the highest impact fraud losses is the underlying online ecosystem.  This ecosystem remains popular with criminals due to its inherent detachment from face-to-face interactions (often perceived as more risky) and relatively easy attack scalability coupled with, perhaps most importantly, the relative ease of exploiting human fallibility, especially in technology-enabled channels.

Fortunately, there are a number of advanced tools and techniques that service providers in the online ecosystem can employ to detect, mitigate against and, ultimately, stop future attacks.  However, there are so many products and services available in the market place and this makes it extremely difficult to determine which products, services, tools and techniques are most appropriate and effective at addressing the prevailing threats.  Many of the products and services have been available for a long time and have failed to adapt to the rapidly changing landscape of threats.  Technology and products that used to be good not that long ago are now less effective.

Annual online, telephone banking and cheque losses 2008 to 2014 (Source FFFA UK)

Furthermore, the P&L challenge to fraud managers is (rightly) changing dramatically.  Whereas fraud management was traditionally seen as a necessary cost of doing business, with very limited ability and budget to materially and positively impact an organisation’s fortunes, modern technologies and best practices enable dynamic fraud managers to positively contribute to the bottom line, but without adversely impacting the organisation’s fraud profile.  Done right, this means that an organisation is able to, for example, enable authorisation of more good sales volume and/or decrease the friction of consumer interactions – all without adversely impacting that organisation’s risk and fraud profile.

How can Accourt help?

• As a vendor/product independent organisation, Accourt advises on and conducts many vendor and product evaluations, particularly in the payments fraud management ecosystem.
• Accourt is at the forefront of the emerging and break-through fraud detection and management technologies across all geographies.  With a bedrock understanding of payments across the entire payments value chain, Accourt is consistently able to cut through to and isolate the core value and differentiators of market products, thereby objectively distilling market-leaders from the rest.
• Accourt’s focus is always an integrated approach, most effectively combining the product and operational aspects of the undertaking to its clients’ benefit.
• Recognising that many organisations cannot decommission existing products, Accourt has significant practical and pragmatic experience in how to engineer a complementary fit of newer products and technologies alongside the existing legacy.
• The focus on omni-channel commerce and customer service has further challenged legacy products in the fraud management ecosystem.  Accourt is able to independently identify and advise on those products that have managed to overcome and address this challenge.
• Coupled with industry-leading fraud management knowledge and experience, Accourt is steeped in deep operational knowledge and experience of chargeback optimisation and implementation.  An integrated approach to fraud and chargeback management generally returns greater operational and financial benefit than a ‘silo’ approach.

The post Online fraud – an unrelenting, unforgiving battleground… appeared first on Accourt Payments Specialists.