May 5, 2017
As I review the latest payments industry news, I am trying to identify if there could be some low-hanging fruit that would make sense for the payments card industry to focus on. It seems that there is a consensus out there that most consumers still prefer using their familiar plastic cards and do not show obvious signs of abandoning them for more advanced payment form factors (like mobile payments) anytime soon. Although it may sound counterintuitive, it looks like there might still be decent room left for incremental innovation and improvements in the plain vanilla payment card space. I will try to explain why, where, and potentially how.
EMV cards were originally introduced to prevent fraud by counterfeiting of mag stripe cards. The EMV technology is indeed very effective and successful in curbing that type of fraudulent activity. Unfortunately, EMV payment cards do not protect sensitive payment credentials (like the PAN) when transacting with POS terminals, although they easily could, since EMV designers probably wanted to preserve backward compatibility with the way mag stripe transactions were processed by merchants and acquirers. This means that if fraudsters eventually hack into a vulnerable merchant's systems, they could obtain vast amounts of PAN data, which they can either try to sell on the dark web or attempt to use for online purchases themselves.
The fact that a majority of online merchants do not even ask for the CVV (the three-digit number on the back of the card) makes it relatively easy for this type of fraud to 'migrate' from in-store to online payment channels. 3D Secure (known as Verified by Visa or Mastercard SecureCode) was another attempt by payment networks and issuers to address online fraud, by ensuring that the consumer is authenticated by their financial institution during online transactions. But in a similar way, it has been almost abandoned due to the significant checkout flow friction that it introduced. CVV and 3D Secure usage today is very sporadic and inconsistent. EMVCo is in the process of completing the 3D Secure V2.0 spec, and time will tell if it may be more successful than its predecessor.
Consumers are fully protected by 'zero liability' clauses in their cardholder agreements if their card credentials are stolen from a merchant's systems and misused in online transactions. However, in these cases, it is usually the issuer's bottom line that gets affected, since they incur most of the costs for: a) refunding the account of the affected cardholder, b) canceling the old card and reissuing a new one, packaging and shipping it, etc. Although cardholders may not be affected financially in these cases, they still may have to go through a fairly frustrating process of updating the card number for all of their existing recurring card payments with various billers.
Many consumers, out of frustration, will quickly choose to replace the compromised card in a recurring biller's system with another valid card they may have, resulting in a loss of future interchange revenue to the issuer of the stolen PAN. What's even worse, many cardholders may never activate the reissued cards that they receive, resulting in a complete loss of future interchange revenue for the issuer.
The challenges described above could be ignored in the early days of online commerce, when it was in its infancy. Today, it is a very different story. According to Kaspersky's estimate, online fraud is already costing the global economy "many times more" than the initial 2011 estimate of $100 billion (£62bn) a year. McAfee's estimate from 2014 states that a conservative estimate would be around $375 billion, with the maximum as high as $575 billion.
The industry had high hopes that mobile payments (powered by tokenization) would appeal so much to consumers that they would rapidly replace the plastic form factor. If that had happened as planned, most in-store and online payment transactions would be tokenized, and the sensitive payment card data would be protected. But unfortunately, for several years already, mobile payments seem to be struggling to gain consumer adoption, so the current contribution of payment tokenization to reducing online fraud levels is in the domain of rounding errors at best.
Online fraud may potentially be caught by sophisticated (and expensive) fraud detection and prevention systems. With advances in geolocation, AI and machine learning, the scoring ability of these solutions will definitely keep improving over time. But experience teaches us that it may not be nearly enough to eliminate fraud. Would it not be nice if we could be proactive and eliminate the opportunity for fraud to migrate from the brick-and-mortar channel to the online channel in the first place?
Some of the fairly cost-effective 'quick win' recommendations that may help achieve that goal are:
With these relatively simple and cost-effective recommendations for improvements combined, issuers can dramatically reduce and maybe even completely eliminate opportunities for fraud migration from the card-present channel toward the card-not-present channel, and elegantly enable very convenient and secure online banking logins for their customers.
Now, isn't that worth doing?