Thinking ahead from the past is always fraught with hazards. When it comes to the future of digital payments, it may be a case of same-same but different. Various technologies, propositions and use cases will continue to co-exist in the digital payments future.

“We believe the pace of change taking place in the payments industry is going to increase as digital technology continues to advance,” says E-bai Koo, senior vice president, global network business, American Express. “While the number of digital payment options is growing, we believe it is too early to determine whether any one platform or form factor will win out. Customers adopt new technologies when they meet their current needs better than how they are being met today.”

For John Berns, managing partner, Accourt, co-author of the Digital Payments Report 2016, various factors are coming together to drive the perfect storm for digital payments.

“Historically innovation has generally been hardware-driven so you have had to wait and catch the innovation wave. For example, no-one upgrades to the latest model of digital television immediately. Consumers only adopt new technology as and when their old device or technology reaches the end of its natural life or breaks down,” says Berns.

“The payments industry has invested heavily in EMV so I think that this will be the consumer interface for some while to come in the physical world — and the survey results particularly around contactless reaching critical mass bear this out. In the digital world, however, it’s a complete revolution.”

“Consumer adoption of new digital payment methods will be far more rapid as you’ve got the perfect storm as technology, regulation and social desire to operate via a single device are coming together.”

NFC contactless: the de facto standard

Contactless payments are growing strongly and NFC technology will be one of the drivers of digital payments at point of sale (POS). The Smart Payments Association reports that around 40 percent of chip cards shipped in 2014 included contactless functionality. Meanwhile on the acceptance side, 9.5 million NFC-capable terminals were shipped globally in 2014. This represented a 33 percent increase on 2013, bringing the worldwide installed base to 21.4 million units, according to Swedish research firm Berg Insight. 

Although consumers can already make higher value contactless payments, typically for payments more than €50, by authenticating themselves with their fingerprint or PIN on their mobile devices, this is currently only available at selected merchants. However, the acceptance infrastructure for mobile contactless is to be extended. By 2017, all contactless terminals already deployed across Europe will be upgraded to allow high-value contactless functionality. And by 2020, all European POS terminals will allow this.

Survey respondents were confident about contactless acceptance reaching critical mass. The majority of respondents believed that this would happen by 2018. 52 percent thought that North America would achieve critical mass by 2018, whereas for Asia and Europe the figures were higher at 59 percent and 75 percent respectively.

On the issuing side, 53 percent of survey respondents thought that critical mass would be achieved in North America by 2018. 62 percent thought that Asia would be ready, whereas 72 percent felt that Europe would be at this level by 2018.

Wearables and connected commerce 

Where are wearables? They are already here, for example American Express and fitness tracker Jawbone announced a partnership in April 2015. This marked the first time consumers could use a wearable fitness tracker with an embedded NFC chip for Amex payments.

As second- and third-generation devices are deployed, the market for wearables and connected commerce generally will continue to grow. According to the International Data Corporation Worldwide Quarterly Wearable Device Tracker, the wearable market worldwide will reach 111 million units in 2016, an increase of 44 percent on 2015 figures. By 2019, total shipments are forecast to reach 214 million units, a five-year compound annual growth rate of 28 percent.

The debate around when wearables will reach critical mass, how much they will displace cash and cannibalise existing card spend almost misses the point. Wearables are not for every consumer or every payment situation. However they broaden the scope of digital payments beyond the plastic card. They are also part of the greater trend of integrating and embedding payment into a broader experience — making them invisible — for greater speed, convenience and ease-of-use.

Digital wallets 
With Apple Pay and Samsung Pay live in many markets, digital wallets are firmly back on the payments agenda. That said, there have been various high-profile causalities in the wallet wars, with more expected. Google Wallet has seen poor take-up and numerous iterations since it was first launched in 2011. Visa Europe’s digital wallet V.me by Visa has been withdrawn two years after launch and the investment of around €300 million.

“There are a lot of digital wallets out there — some of the local schemes are looking at this — but we are starting to see some consolidation,” said Berns. “The revised EU Directive on payment services (PSD2) may well lower the entry barriers even further to new entrants in the space, which could interest the internet giants. After all, iTunes is a stored value mechanism, so it’ll be interesting to see how Apple, Google and Amazon compete in the wallet wars.” 

Handset manufacturers and alternative payment providers were judged the most likely innovators in the wallet space across all regions, according to the survey respondents. Mobile operators faired the worst. Yet when it came to trust, payment networks and banks were most trusted to deliver wallets, and merchants and mobile operators the least trusted across all regions.

Unsurprisingly, acceptance and convenience were the factors most likely to drive wallet usage, according to survey respondents. Ubiquitous coverage, or allowing the consumer to use the wallet wherever they want to use it at the very least, preferably via a simple, one-click checkout are the fundaments of a winning proposition.

Technology should be regarded as an enabler to the success of digital wallets, rather than the starting point for a solution. Due to the investment in EMV, the payments industry has favoured NFC for point-of-sale mobile payments, and has perhaps been somewhat standoffish about QR codes. Consumers, however, appreciate the speed and convenience of scanning such codes to make retail or bill payments in-store. Tencent’s WeChat wallet and Alibaba’s Alipay have capitalised on this insight in incorporating choice as well as speed and convenience into their propositions. Their respective wallets have been available to users in China for some time and both companies are looking to expand into other markets and regions.

There is no single use case or one-size-fits-all for digital wallets. As with so much in the payments industry, winning propositions must address both acceptance and usage in a compelling way. They build scale quickly by piggy-backing existing acceptance infrastructure, rather than trying to re-invent it. As few consumers go out of their way to pay in a different way, winning propositions offer incremental value to consumers in addressing an un-met or unacknowledged need or pain point compared with existing alternatives.

Security and trust

When it comes to security and trust in digital payment methods, the present is the baseline for the future. “Security is first and foremost for American Express. When we make new technology available to our customers, we do so in a way that provides the same level of security they are used to receiving from us when using traditional charge and credit cards,” says Koo. 

Opportunities and risks exist in the same future. They are inherent to one another. As Koo explains: “While advancements in online and mobile payment options have widened the scope of fraud, they have also created new opportunities to fight fraud.”

Koo cites the American Express Token Service launched in November 2014. With tokenisation, real card account numbers are replaced with tokens, eliminating the need for merchants to store account numbers in the clear, and limiting the potential damage if their systems are compromised. Tokenisation also enables issuers to deploy new digital payment services, such as Apple Pay and Android Pay, in more secure ways.

“Digital technology has also enabled American Express to communicate with and service our card members in more ways. They can sign up to receive alerts about suspicious activity on their accounts through e-mail, SMS and mobile app push notifications,” adds Koo.

The future of digital payments

What does the future of digital payments look like? The future will be more omni-channel, namely using all sales channels interchangeably to serve the customer. More ‘click-and-collect’ and ‘endless aisles’ propositions are expected as merchants consolidate their back-end systems. However, just as service will become more channel agnostic, it will also become more device agnostic as customers expect to transact from any device, any time, anywhere. The future is increasingly digital, which means a greater take-up of digital payment methods.

These methods include automated clearing house (ACH) payments, which are expected to rise in prominence, particularly with the global movement towards immediate or real-time payments. Real-time settlement on the back-end is key to this because it minimises risk for everyone. The merchant receives faster settlement. The consumer sees the transaction immediately and is able to support, approve and challenge it as appropriate.

“Immediate payments is great fit with what is happening in the digital space and the perfect storm I mentioned earlier. So the short answer about the future of digital payments is: there is going to be more of it,” according to Berns.

Succeeding in the digital future

The digital future is about scale, partnerships and speed-to-market. According to Koo at American Express, advancements in digital technology have opened up opportunities for companies of all sizes to get into the payment business, and to grow scale almost overnight.

“We believe that scale wins and partnership is key to achieving success. Given the complexities of the payments industry, companies that can find ways to partner and break into the ecosystem have a much better chance of succeeding.”

“If you look at the amount of funding going into FinTech at the moment and the rate at which technology and innovation are moving, I think that the salvation of traditional players is partnerships and abandoning the build-it-yourself mentality,” says Berns.

“Payment industry incumbents and traditional players definitely have a role to play in making good lending decisions and managing deposits. Beyond these core functions, the technology innovators also have a role to play. Fortunately the industry is big enough for everyone to have a role.”

The Digital Payments Report 2016 provides views and projections on the state of payments based on research and a survey of industry executives, observers and analysts.

The post The future of digital payments appeared first on Accourt Payments Specialists.

UK card fraud losses rose by £29 million in 2014, a 6% rise on the previous year. Most of  this increase was

Cross border vulnerabilities of UK fraud

due to cross-border fraud, with domestic losses remaining flat.

In the UK, FICO previously reported a 25% increase in cross-border fraud on debit cards in 2014, compared to 2013. 47% of the fraudulent transactions were taking place in the US – a pattern that seems related to the delay in US adoption of EMV technology. The first wave of the EMV liability shift takes place in October 2015 in the US.

“Banks in the UK and most of Europe adopted EMV technology years ago, so it may appear that they have little to worry about from mag-stripe fraud,” said Martin Warwick, FICO’s fraud chief for Europe. “However, the trends suggest that any European plastic card can be targeted, as criminals try to ‘fill their boots’ before the US finally shuts the door on skimming fraud.”

As reported in the FICO European Fraud Map for the last three years, the leading type of fraudulent card transaction is so-called card-not-present (CNP) fraud. The percentage of fraud losses from CNP fraud averaged 41% for Western European countries, and 23% for Eastern European countries.

In the UK, ecommerce spending in the UK more than doubled between 2008 and 2014, but CNP fraud losses have grown just 1% in that time. However, it has become a greater share of UK card losses, rising from 54% of card losses in 2008 to 70% in 2014.

European Fraud Changes 2013-2014

“We are winning the war on CNP fraud, but we still have a long way to go to get CNP fraud fully under control,” Warwick said. “Authentication of customers and their devices will play an ever-increasing role.This is why FICO has been focused on advances in analytics that assess consumer behavior, and profile not just cardholders but also devices and merchants.”

France had the highest card fraud losses relative to card sales, followed by Greece and the UK, which is the same ranking as last year. Russia saw the fastest growth in card fraud losses – 24% — but card sales in the same period grew 36%.

Fraud severity levels 2013 Vs 2014

“Any market that is growing will attract criminals attention and that’s exactly what is happening in Russia,” Warwick said. “EMV  has a long way to go to reach maturity in Russia. However, overall Russia has low fraud relative to sales. The key aim for banks will be to ensure that when growth in sales slows they are also in a position to slow the growth in fraud losses”.

The post European cross-border and card-not-present fraud on the rise appeared first on Accourt Payments Specialists.

Chip and signature is a joke!

Author:  Vaughan Collie, Partner, Accourt – Payment Specialists.

“The fact that we didn’t go to PIN is such a joke,” says Mike Cook, Walmart’s assistant treasurer and a senior vice president, in reference to the USA’s current migration to EMV where chip and PIN or chip and signature are equally acceptable. “Signature is worthless as a form of authentication,” continues Cook, with Walmart preferring a Chip and PIN mandated approach similar to the UK and most of Europe. Not so says Visa Inc. vice president of risk products Stephanie Ericksen, “we don’t see a need for it; [chip and PIN] will have a shorter shelf life. We’re moving to new technologies and innovation.”

So who is correct, Visa or Walmart?

To answer this question it is most instructive to very briefly revisit the origins of EMV.

EMV in its ‘chip and PIN’ incarnation was ultimately designed for effective use in a predominantly offline card authorisation ecosystem (e.g. the UK at that time), thereby enabling issuers to delegate significant ‘authorisation authority’ to the chip without requiring an online authorisation from the issuer’s host system. Interestingly, the UK and most other European geographies are currently in the final stages of moving to a fully online ecosystem.

Back in 2002, following a number of years of unacceptable growth rates in various fraud types, the UK card industry formally began its migration to EMV chip and PIN. Significantly elevated levels of counterfeit fraud was one of the primary drivers of this decision and EMV chip, coupled with PIN as the cardholder verification method (CVM), was seen as the most effective approach given the predominantly offline nature of the UK authorisation ecosystem and the technology and commercial landscape at the time.

A centrally managed, UK-wide migration programme not only addressed the technical considerations and decisions, but arguably more importantly, the challenges that were likely to be faced by the various sets of stakeholders (e.g. industry, merchants, consumers, etc.). These challenges included the significant societal and cultural move away from signatures as the prevalent form of cardholder verification at the point of sale to the ‘high-tech’ PIN alternative already found in ATM transactions (although not chip-based PIN at that time).

The UK chip and PIN programme was ultimately regarded as an industry success and it certainly achieved one of its objectives: reduce counterfeit and lost and stolen fraud numbers significantly. However, this was not without some fairly harsh lessons being learned at the time and since then, for example:

• A credible industry business case was extremely difficult to develop due to varying approaches to risk appetite and management across the industry. Ultimately the view was that there was enough of a case to continue and that it was the right thing for the industry to do at the time (coupled with the ‘do nothing’ option being utterly unpalatable for all).
• Carefully consider the consequences – by effectively mitigating against certain fraud types (e.g. skimming/counterfeit), are you incentivising criminals to supercharge their efforts and focus on other fraud types (e.g. cardholder not present – CNP)? And will these subsequent fraudulent activities lead to a greater problem (e.g. increased CNP fraud) than the one you are solving with chip and PIN?
• A card scheme liability shift mechanism (effective from October 2015 for POS transactions in the US) is critical to drive appropriate and timely actions across the card payments value chain and industry as a whole. The general EMV liability shift rule-of-thumb is that those stakeholders that implement and enable the highest level of EMV capability/technology within their environments will enjoy the lowest risk of fraud loss (e.g. if a merchant implements a fully EMV capable terminal, that merchant will benefit from the liability shift if a magstripe card is presented).
• ATMs should have been one of the first channels to convert. ATMs were a primary card skimming enabler (and still suffer today notwithstanding various mitigating measures and technologies that have been developed over the years).
• Upfront agreement to the phasing out/cessation of CAM (chip) fall-back to magstripe and CVM fall-back is critical to drive desired behaviours and ensure that, for example, cardholders don’t continually ‘forget’ their PINs and therefore continue to rely on signatures. This is of course an extremely difficult and fraught journey for stakeholders to embark upon, especially merchants and consumers, but it has proven time and time again to be the appropriate course of action to support achievement of desired outcomes for EMV migrations.

Surely then, being mindful of these and other learnings, EMV chip and PIN is a must in the US? As ever, it’s not as straightforward as that. There are many factors to consider, not least of which is the cost – financial, operational, customer, social and cultural – of this decision. And apart from cost, are the reasons for deciding for chip and PIN historically still the same today?

Let’s deal with cost first. It is widely established (e.g. UK, Australia, Europe) that implementing EMV chip (typically CDA) is one of the most effective mitigants to skimming/counterfeit fraud. The addition of the PIN element generally mitigates against fraud types such as lost/stolen fraud.

The diagram below provides a perspective on the 2014 card fraud loss landscape in the US. Clearly the predominant fraud types are counterfeit ($3.0bn pa) and cardholder not present ($2.9bn pa), with lost and stolen fraud a not insignificant $0.8bn pa.

Bearing in mind that the US is almost entirely an online authorisation ecosystem and EMV chip and PIN was designed for a predominantly offline ecosystem – does it make sense to invest significantly in infrastructure to support offline PIN?

From purely a financial cost perspective, given significant current economic pressure from all quarters to reduce and manage costs, surely it makes sense to prioritise and focus limited resources on the areas of greatest exposure and impact? In the case of the US, this appears to be counterfeit and CNP fraud losses with lost/stolen appearing as the third priority. Therefore, based on current experience and relatively predictable outcomes, it appears most likely that chip and signature would be the most balanced, cost-effective immediate solution to the skimming/counterfeit fraud issue.

Furthermore, in a world where high-profile data breaches are too common for comfort, this would be a significant step towards rendering card data obtained from these breaches useless in geographies where EMV chip is the only acceptable form of face-to-face card payment type. The caveat however, is that as long as a magstripe exists on today’s payment cards, there is still a risk that, without the application of additional mitigating measures by value chain stakeholders, this data can still potentially be used to commit fraud in online environments (as can EMV cards without additional risk management controls in the online environment – EMV in and of itself does not reduce/remove CNP fraud risk).

One of the next questions is whether the payments ecosystem has changed to the extent that chip and PIN is no longer valid. Clearly the ecosystem has changed dramatically in many respects since the early days of EMV, not least of which is the phenomenal pace of technology advancement in the fraud and risk management space. Much has been written about a multi-layered approach to fraud management (this article will not seek to replicate that discussion) – at this time, EMV should be one component of that multi-layered approach. There are numerous other components such as advanced KYC, real-time behavioural analytics and transaction scoring (with the new breed of self-learning Bayesian modelling beginning to threaten the incumbent neural network based solutions), geographically aware location-based solutions, etc. Many of these solutions did not exist at the time that EMV PIN versus signature decisions were being made in the non-US EMV migrations – needless to say, their existence today significantly influences the considerations that underpin such decisions.

A further, oft-cited justification for ‘ignoring’ PIN is the argument that a large proportion of the general American population is likely to be unable to remember and use their PINs as required. This article cannot support that argument – Americans have been successfully using PIN-based debit card products for many years. For consumers, the EMV PIN experience is identical.

Perhaps a less obvious, but potentially important consideration is how chip and signature cards will be treated outside of the US. Most non-US implementations of EMV have been chip and PIN. US chip and signature cards being presented for payment in geographies that expect chip and PIN are likely to cause significant confusion and friction at the POS.

It is therefore valid to argue that, given the nature of the face-to-face payments ecosystem today and, in the absence of anything else (e.g. removing payment card data from the ecosystem entirely), perhaps chip and PIN is relatively the most appropriate solution. However, when implemented in a predominantly online authorisation ecosystem and in conjunction with a multi-layered fraud and risk management approach, compromising with chip and signature is unlikely to pose the same level of risk it may have done in the past. To Visa’s point, there are other innovations being driven into the market in this space and, while it will take some considerable time for some of these to gain the global ubiquity that is essential to their success, it probably makes sense to balance limited resources, i.e. industry investment, across these innovations in parallel with investment in today’s toolbox for fraud and risk management – of which EMV is definitely a part.

The Walmart position is both valid and unsurprising for a number of reasons – for example, having your till-based check-out staff carrying the burden of authentication, i.e. deciding whether a signature matches the version on the back of the payment card, is entirely unrealistic and has been proven to fail as an effective risk management measure time and again (e.g. there are many examples of ‘Mickey Mouse’ signatures being successfully used in face-to-face transactions…). PIN helps to address this issue, although effective online authorisation screening (e.g. context-aware, dynamic authentication) can be an even more powerful tool in both the face-to-face and online transaction ecosystems. Walmart is also in the position of having already made the investment in a PIN-based strategy – something a number of their competitors are not keen to do.

So, back to our original question, is Visa or Walmart correct. Both actually. There can be no doubt that signature has long been a very poor form of authentication, however, given the US context, implementing PIN where there are more advanced and effective methods of authentication available probably makes less sense today than historically. Value chain stakeholders with potentially significant exposure to fraud risk must consider investing in a sophisticated, multi-layered approach to fraud and risk management. With or without PIN, EMV is not and was never designed to be a standalone silver bullet solution to all payment fraud.

The post Chip and signature is a joke! appeared first on Accourt Payments Specialists.

Worldpay saw over 133,000 fraudulent transactions worth £10 million reported in March alone, leaving businesses out of pocket as fraudsters purchased goods and services using stolen card details. Over 67% of all fraudulent transactions happened online, while purchases made over the phone or by mail accounted for 19% of the total.

“Technology to guard against card counterfeiting and fraud has come a long way, yet the rates of attack are truly alarming. Card details are the weakest links in consumers’ and businesses’ defences and the one area that fraudsters know to hone in on,” comments Tim Lansdale, Head of Payment Security at Worldpay.

This graph shows the number of investigations into card breaches (i.e. known breaches) amongst Worldpay customers, by business PCI DSS level during 2011-2014. There were a total of 140 investigations held during this period.

Businesses that fail to protect their payment systems are not only left out of pocket when goods are purchased using stolen card details but also face paying for the investigation into the breach and the stiff industry penalties which inevitably follows. They are also likely to face bad publicity, which can swiftly erode the years of trust customers have built up in a business and can lead to even more lost custom in future.”

Small businesses, which accounted for 85.7% of all card data breaches, last year, make easy prey for the more advanced cyber hackers. By contrast, Worldpay has seen a 179% increase in payment security compliance amongst the UK’s biggest businesses, as the boardrooms of larger, better resourced companies look to bulk up their security in line with the card payment industry standards.

Causes of card data breaches

Regardless of business size, the clean-up costs of being targeted by hackers and suffering a card data breach can run to tens of thousands of pounds. A standard small business forensic investigation into a card data breach costs £11,250 on average and typically attracts at least a £8,000 industry penalty, not including the costs of lost goods and damage to reputation. Worldpay has seen larger businesses pay up to £100,000 for the forensic investigation alone.

“Prevention is clearly better than the cure when it comes to getting hacked. The UK’s largest companies have made great strides to improve their payment security but small businesses are still falling behind and being targeted as a result. Businesses of all shapes and sizes should be taking the necessary measures to protect themselves and their customers and employees,” said Lansdale.

Industries affected by card data breaches

Download the report here

Advice to businesses: How to avoid being a victim:

Card data breaches:

1. Check you meet the card industry’s standards for keeping card data safe, and that your third party suppliers do too.
2. Install all the latest patches for servers, operating systems, applications, and frameworks (Java, .NET etc.), to protect your ecommerce website.
3. Change online system log-ins from the default, and use strong passwords that hackers cannot guess.

Fraud:

1. Ask your payment processor about online protection, such as Verified by Visa, to make ecommerce payments safer from fraud.
2. Be wary of high value or unusual orders from a customer you do not know, particularly if the product can be resold easily.
3. Use the Address Verification Service, to match the customer’s delivery address with the billing address of the card owner.

The post Card fraud increases as stolen cards used once every 20 seconds appeared first on Accourt Payments Specialists.