Friction versus Fraud
Fraud exists – has always existed. Whatever the method of payment or the value attached, there is a way to steal.
Our job should be to make it as hard as possible to steal… but at the same time we are pressured to make it easy to pay for things.
From cardholders to merchants to banks, card payments are a fantastic and easy way to make stuff happen, like buying a coffee, booking a dream holiday or ordering that late-night takeaway. Where we need to introduce friction into the buying journey, the industry has been thoughtful and methodical, but not always entirely sensible, in making payments easy. Let’s break this down into card present and card not present:
Card Present Fraud
Magnetic stripe is decades-old technology – a £5 card reader and a little bit of creativity could create a counterfeit card which could spoof the system undetected. As card payments grew, so did the prevalence of this type of fraud. The solution was simple: upgrade to Chip to prove the card is genuine and then enforce PIN to ensure the cardholder is genuine. This was pretty expensive at the time and is now historic in the UK, but it remains a very live issue in markets like the US.
The fraud migrated to markets which did not enforce Chip – mainly the US or Asia. Moving the liability for this fraud to the least secure party has achieved global Chip roll out and very low fraud rates.
Card Not Present Fraud
As card not present transactions became a mainstream method of payment, fraud ballooned. All a fraudster needed was a card number and an expiry date and the deed was done. So the industry came up with solutions.
First – you can now ensure that the person paying has the card by printing a card verification value (CVV) on the signature panel. This generally works great, but CVVs have a value to fraudsters and can be bought, sold and traded, so their value as a fraud prevention tool is diminished. CVV is not terribly disruptive to cardholders, other than having to either remember it or pull their card out of their wallet when paying online.
Secondly, in instances when CVV became less helpful or reliable, the industry came up with 3D Secure – commonly known as Verified by Visa or Mastercard SecureCode. This technology does introduce a disruption in the payment process, as the cardholder has to enter a credential of some kind when paying online. 3D Secure is not well loved: customers hate it (they have to remember a password), merchants hate it (the interruption of the checkout flow and associated drop-out outflanks any chargeback shield they get) and banks don’t especially like it because, despite fraud being low, it costs money to administer and some customers just don’t like it. 3D Secure is evolving in that most issuers are using data to make smart decisions about when to challenge or disrupt the cardholder. With that said, and with online payments becoming easier, the regulator got involved.
The introduction of Strong Customer Authentication (SCA) as a requirement of the updated Payment Services Directive is game-changing. Most transactions will need a two-factor method of authentication – meaning that banks need to demonstrate that the customer really is who they say they are when paying remotely. This could mean disrupting the payment journey with an SMS one-time passcode, a banking app prompt or even a phone call. It can be said with certainty that SCA will subtract a substantial amount of fraud from the payments ecosystem – but at what price? The introduction of a myriad of authentication methods into the transaction process is viewed as confusing for all parties and will mean poorer customer and merchant experiences. The regulator in the UK has recognised that the market is not entirely ready and so the September 2019 deadline for compliance has been relaxed.
This allows some breathing room for sensible thinking on how to ensure a common experience online (think back to I ♥ PIN) and how to make transactions even more secure, without making consumers spend more time authenticating than enjoying the experience of buying.