eCommerce fraud rates are rising and that means more cardholders are seeing unauthorized charges on their accounts.

The cardholder remedy is to call either the merchant or the issuer to flag the problem. If the cardholder turns to the issuer to resolve the problem, the remedy is often an expensive chargeback for the merchant and a generally lousy experience for everyone.

eCommerce Merchant Pain

eCommerce merchants have invested heavily in fraud detection tools because in the remote payment domain liability rules make them responsible for fraud losses. eCommerce merchants employ sophisticated fraud management processes and tools to detect fraud in realtime to stop authorization (best in class fraud rates are 25 bps – 35 bps).

On top of that, they must eat the direct costs associated with stolen goods and services. These include a chargeback processing fee from the acquirer as well as the merchant’s internal costs to manage the chargeback process. If the merchant fights the chargeback, the merchant has to gather the supporting evidence (the receipt or copy of the order) and submit it to the acquirer.

Disputes and chargebacks re initiated by cardholders for a range of reasons including fraud, authorization, various processing errors, and consumer-specific disputes. Examples of consumer dispute codes include products or services not as described, counterfeit, misrepresentation, and failure to process a credit.
https://www.worldpay.com/global/support/support-articles/what-are-chargeback-reason-codes-visa-and-mastercard

Issuer Pain

For issuers, disputes and chargebacks are painful, too. In the POS domain, issuers hold the liability for fraud losses. If a counterfeit card is used and the issuer authorizes the payment, the issuer owns that liability. Issuers also bear the customer servicing and communications costs as chargebacks initiate with the cardholder’s call to the issuer.

Consumers Game the System

Zero liability rules have taught U.S. cardholders that they don’t have to worry about fraud and that they have broad powers to dispute a transaction.

Knowing that, too many cardholders are taking advantage of these rules. Digital merchants, in particular, are suffering from friendly fraud (not exactly an accurate term) that occurs when a cardholder, for example, disputes the charges made by another family member. For some digital merchant, over half of their chargebacks are friendly fraud, purchases for which the cardholder is truly responsible but able to renounce (“It wasn’t me!”) because of the rules.

Such high chargeback rates carry other risks for these merchants. Once a merchant’s chargeback rate exceeds 1% of its transactions, that merchant is put on a watch list, a remediation plan, and faces the possibility of losing card acceptance privileges. High chargeback rates also increase authorization declines for the merchant, losing even more good transactions.

Card Network Remediation

On the face of it, there’s an asymmetry when it comes to liability. Merchants shoulder a large burden. With that in mind, both Visa and Mastercard updated their chargeback rules in 2018.

In a chargeback mitigating move, Mastercard recently announced an end to the automatic renewal of free trial subscriptions.

Timely Data Sharing

In other words, chargebacks are a pain. Steps to reduce chargeback cost and frequency are a Good Thing.

One approach is to speed up data sharing. For example, once an issuer determines that a transaction is fraudulent, a timely message to the merchant could halt a product shipment. While the rules would still make an eCommerce merchant liable for the chargeback costs, the merchant wouldn’t lose the cost of order handling, shipping, and the item itself.

Similarly, if merchants can share their cardholder fraud experience back to the issuer then that financial institution can adjust its fraud detection models and algorithms.

Such data sharing is the proposition of Ethoca, a firm that federates bank fraud signals from hundreds of major global issuers and connects to thousands of merchants in the developed world in order to share alerts and chargeback messages.

In this conversation with Keith Briscoe, CMO at Ethoca, we talk about the chargeback problem, hear some truly astounding chargeback stories (hackers aren’t the only fraudsters), and discuss Ethoca’s role in this space.

Fraud prevention today is about how quickly we can separate good customers from questionable ones and, for those doubtful transactions, use the right set of tools and data sources to optimize speed, costs, and fraud losses.

When it comes to fraud prevention, it turns out that data is key. No revelation there, but how we manipulate it, gather it, and assure its provenance is undergoing major change. What would be a revelation to fraud managers of a decade ago is the unbelievable amount of data and the wide variety of sources that we have today. It’s a flood.

The only means we have to make sense of this data deluge is through algorithmic examination. Rules engines and neural networks are staple approaches. In recent years, application of artificial intelligence and the newer incarnation of machine learning (“let the computer figure it out based on all the data it sees”) has become a hot, and effective, area for fraud prevention. Only machines can find correlations among all that data in order to identify potential fraud.

A number of firms focused on the fraud prevention problem employ techniques that gather data and then analyze it in order to provide their customers like eCommerce merchants or financial institutions with a risk score. Companies specializing in device fingerprinting, for example, gather the relevant data (think IP address, mobile IMSI number, device type, OS version, browser software version, etc.) to create a profile or “fingerprint” of that device in order to generate a history of its behavior. Threat Metrix, owned by LexisNexis Risk Solutions, is an example.

Behavioral biometric companies may take that data and layer on how the owner actually uses their device, often by looking for keystroke patterns, screen tap rhythms, the angle that the phone is held, and more, in order to build a more nuanced profile that includes how the owner interacts with the device. That richer data then feeds into analysis and risk scoring. Mastercard’s NuData Security acquisition uses this approach.

Subsequent bidirectional data sharing can provide these firms with insight into the results of their decisioning.

As these firms gain customers, they see more and more devices and develop clearer visibility into the outcome of their work. As a result, it becomes a natural step to pool or federate the data they see from all of their customers. There’s an expectation that a card account, for example, will be seen at multiple merchant clients of the fraud solution provider. These repeat interactions will improve fraud detection for all when the cardholder is a bad actor, or speed the transaction of a trusted one.

Data consortia where multiple financial institutions and merchants pool their fraud and chargeback data also exist. Ethoca is a prime example.

The deeper the data pool the better, provided, of course, there’s the ability to analyze it all.

Massive analytical capability is the foundation for artificial intelligence and machine learning. In the fraud prevention space, Feedzai is a firm that applies its analytics power to data sourced from multiple providers and techniques. Feedzai, like others providers who have attained a critical mass of customers, has also invested in federation of their data to improve, for everyone, its fraud prevention results.

In an earlier episode, we spoke with Feedzai CEO Nuno Sebastiao to get us grounded in how AI and ML apply to fraud prevention. In this discussion with Saurabh Bajaj, Feedzai’s Head of Product and Nick Stanchenko, product manager for Feedzai’s Risk Ledger, its data federation program, we go further. Saurabh catches us up on Feedzai’s growth and then takes a look at how Feedzai works and at the data sources it uses. Nick addresses federation, its value, and the light integration required.

Payment Innovation Moves to the Core

When we conduct our Glenbrook Payments Boot Camp, our first graphic illustrates the three essential steps in every transaction – initiation, funding, and completion. When looked at through the lens of of the past decade most innovation has been in initiation. Consider: Apple Pay, Google Pay, Venmo, QR codes. The list is long of ways to kick off a transaction.

Funding is all about where the money comes from. Usually a bank account, often a wallet holding money. Some innovation there but not a great deal. There are only so many ways to store funds.

Completion, the last step, is the most important to many participants as it’s when the transaction completes with the final movement of money.

Five years ago, in those boot camps, I said that completion, also called settlement, is the innovation-resistant phase of a transaction. Today, everything has changed.

In the U.S., we have new services such as Zelle and Venmo that appear to the end parties to deliver instant settlement. They may use card rails or bank rails like ACH to complete the transaction.

Two Forms of Settlement

In this discussion with Glenbrook’s Carol Coye Benson, we look at two forms of settlement: end party settlement – for example, an employer paying an employee – and then Carol focuses on the nuanced world of interbank settlement.

If you’ve heard the terms net settlement, gross settlement, or RTGS and wondered what they mean, take a listen.

Faster Payments and Settlement

We also talk about the phenomenon of faster payments and the settlement techniques these systems employ. 40 countries around the world are in one stage or another of deploying faster payment systems that push money from bank account to bank account. It’s already in the US via the Real Time Payments Network from The Clearing House and, perhaps, a competing service from the Federal Reserve. (To get an update on the Real Time Payment Network, listen to Episode 81 of Payments on Fire).

These faster payment systems vary in their capabilities. Speed and data carrying capacity are just two variables. But we have seen that when a new payment system enters a market innovative offerings can flourish, provided access to that system is encouraged by rule, regulation, or both. However, that level of openness is not guaranteed. As Glenbrook have seen in our work around the world, some systems are essentially closed by market power or operating rules. These constraints limit the network effect’s benefits of ubiquity, convenience and, often, cost.

This is an ongoing challenge. In this age of fintech, banks are under pressure to innovate. As owners or participants in new systems, some may choose to limit access to their fancy new rails in an attempt to forestall competitive market entrants. Others will be “encouraged” by regulators to open up. Of course, end party choices will play a big role, provided there’s a choice available.

The New Game

Settlement has traditionally been led by major commercial banks or the central bank of each country. That model still holds. In some markets, including the U.S., we expect a push and pull for control between those two entities. Christine Lagarde, Managing Director of the International Monetary Fund, suggests such tensions may justify  the issuance by a nation’s central bank of a fiat digital currency as a counterweight to the alternative control over payments by a concentrated set of banks and processors.

Settlement innovation has created a competitive environment that did not exist before. It will be the interplay of rules, regulations, technical capabilities, end party value proposition, and market power that will determine the evolution of each country’s settlement platform. In some, regulators will shape the outcome. In others, system access for fintechs and the “open banking” model will be a determinant. For all, cost effective access for end parties is critical.

So much for thoughts of a static payments ecosystem.

If you think of yourself as a payments geek or just want to get under the hood of how money really moves, Carol is a terrific guide.

Restaurant payments is a complex area especially for those companies serving the mid-sized and large restaurant operator. They have different needs that extend well beyond payment acceptance but even that is a highly variable concern.

Ever notice that we pay differently depending upon the type of restaurant we’re in? It’s always been walk up and pay the central server at McDonalds. Applebees uses Presto table top devices to speed table turns, upset desserts (“that lava cake sure looks good”) and take payments. At most sit-down establishments, especially those in the fine dining segment, we still hand over our cards and the server walks away to authorize the transaction (later that night, the manual tip adjustment process determine the final clearing amount.)

For certain segments, order ahead is a priority. Order ahead dominates how pizza shop operate. Initially, that capability took market share from mom and pop pizza shops because only the largest operators in the “Big Pizza” segment could afford the necessary IT expertise. Now, mom and pop have multiple order ahead services to choose from.

But consider the complexities of integrating the order into the kitchen or at the barista’s station. Business process automation is a differentiator.

This podcast with Tim McKenna, VP of Sales, at Heartland Payment Systems, is both a deep dive into restaurant operator concerns and a revealing look into how a major payments provider has shifted its business model to serve mid-tier and larger restaurant operators.

Like Square, Heartland has realized the revenue benefits of expanded commerce services above and beyond the traditional payments revenue stream. By cross selling multiple services, Heartland expects to see 60% of its revenues coming from payments coupled with value-added services that automate the business of their customers.

If you’re interested in how the payments industry is evolving to market demands or how larger restaurant operators think about payments, Tim’s observations are well worth your time. Take a listen.

RTP Characteristics

Not All Things

It’s Taking a Lot of Work

Connecting up a financial institution to the RTP Network requires deep integration into the FI’s core system, the software responsible for managing debits and credits. Connecting bank ledgers to any payment system is non-trivial, a fact that impacts how fast banks implement new payment rails like RTP.

Tell Me All About the Payment

The RTP Push

Instant Clearing and Settlement

Competition?

The payment industry’s responses to ongoing payment security concerns are many. We have procedural approaches and technical ones. For example, we are requiring merchants to attest to their compliance with PCI security standards that themselves include procedural requirements.

Technical solutions are also called out by PCI and are, of course, being applied across the ecosystem. Encryption of payment data in flight is one approach. In the physical POS world, semi-integrated POS terminals connect directly to the acquirer’s front end instead of passing card transaction data back through the merchant’s workstation and enterprise system.

An important technique, and the topic of this discussion, is tokenization.

Tokenization is an ancient security technique. In the broadest sense, a token is just a dummy representation of something of higher value.

In cards, that means the replacement of a PAN with a number or even an alphanumeric value that represents the underlying PAN. The mapping between the two is stored in a vault with the owner restricting access to that vault. If a hacker gets ahold of a token value, it’s useless. It’s a value that, to the payments ecosystem, is gibberish.

Tokenization is used in pull payment systems where payment credentials are given to the payee by the payer so that the payee has the information necessary to go get the money. Think card numbers or the routing and account numbers on a check.

In card payments, there are two forms of tokenization: merchant and issuer tokenization. Merchant tokenization has been around for more than a decade. A response to PCI, merchants generally outsource that token vault to a third party so they no longer store PANs themselves. When the merchant needs to do a lookup or initiate another payment, the merchant sends the token to the upstream service provider who then looks up the PAN and sends it off for authorization by the acquirer.

That’s been around for awhile.

The newer innovation is what we call issuer tokens – token values that are at the heart of Apple Pay, Google Pay, Samsung Pay and more. These token values are real card numbers, issued by your bank, but unlike a PAN that can be used to initiate a payment everywhere, issuer tokens are expected to come, for example, from specific devices or merchants.

Every card in your Apple Pay wallet is represented by an issuer token and whenever that token is presented for authorization, data about where it’s coming from is sent along too. If the token is sent from another device, for example the one the hacker has, authorization will fail.

This approach is totally compatible with the current card payment system. No changes are needed at the merchant or the acquirer and minimal ones at the issuer.

Glenbrook will be conducting an Insight Webinar on December 13 called Tokenization Fundamentals. Russ Jones will conduct that webinar.

In this Payments on Fire podcast, George talks with Russ about issuer tokenization, its role in the Pays (Apple Pay, Google Pay, Samsung Pay), in eCommerce, and the need for new entities in the payments ecosystem to support tokenization. This gets complicated. There’s now the need for token gateways.

Take a listen to the podcast and then sign-up for the webinar. Use the code POF80 to take 10% off the registration price.

In the U.S., there’s the automatic assumption that payment cards and perhaps PayPal are the way to pay online. But if you’re an eCommerce merchant trying to sell in the Netherlands, you’d better support the domestic system known as iDeal.

Connectivity into domestic payment systems is an important and complex issue. There are over 150 such systems across dozens of countries around the world. While not all are important to a given merchant, most are important to the acquirers and payment service providers serving eCommerce merchants.

Join George and Steve Villegas, VP Partner Management and Head of U.S. Office, of London-based PPRO Group, a company that provides white label connectivity to these domestic systems by serving acquirers and PSPs alike.

Knowing who you’re dealing with online is critical if you’re taking transaction risk. Digital identity is tough. To address that challenge – and it is a challenge – relying parties, those who take on risk, employ two broad categories of technology: active tools that require user interaction and passive network-based approaches.

When the user is required to explicitly provide identifying information, we use the interactive approach. The merchant or lender or website owner asks for user IDs, passwords, perhaps data generated by multi-factor authentication techniques such as biometrics, or one time passwords generated by an app or a hardware key.

If you’re an eCommerce merchant or an entity trying to sell something online – lenders included – you don’t want to ask the customer to do more than absolutely necessary to complete a good sale. Transactional friction is deadly to revenues and a main cause of shopping cart abandonment.

So, you use passive approaches that examine whatever data the customer’s device can provide. Device fingerprinting, behavioral analytics, rules engines, machine learning, and the past behavior of card numbers are among the portfolio of decisioning tools that do not interfere with the user experience.

Data is the foundation of the passive approach. In this podcast, George speaks with Ajay Andrews, Senior Director, Product, at Whitepages Pro, a data provider and analytics firm about identity verification and how the linkage of key data items influences decisioning. It turns out that particular pairs are strong indicators of potential fraud.

We discuss where the data linkage approach fits in the overall portfolio, what drives merchants to adopt, and how the tool is integrated into automated decisioning and case management.

Alexa. Siri. Cortana. We’re talking to or at our machines. I walk into my office and say “Hey Google, what’s the weather?” or “Hey Google, when’s my first appointment?” When I’m driving in a strange town, it’s “hey Google, navigate to the [fill in the blank] hotel.”

This kind of hands-free access to information is hugely helpful and hugely popular. But there’s a long way to go toward a general purpose voice interface for every task we want to accomplish.

That said, we’re getting there. In this conversation with Central 1’s Alex Chan, we discuss the process of voice-enabling access to the high volume queries that credit union members make, i.e. balance inquiries, balance transfers, etc.

We cover what it takes to build an Alexa skill, the code that links Alexa’s natural language processing to the underlying application that executes the action.

Voice design, the process of imagining and codifying how the user interaction proceeds, is at the heart of a successful voice-enablement project. Alex takes us through that process. It sounds like fun.

While payments are a tiny fraction of today’s voice-based interactions, they’re coming along, too. Better design and broader participation is needed. As a recent (failed) demo proved, Siri can’t send me money if I’m not an Apple Pay Cash user.

Take a listen and get in touch if you’ve questions or comments. We’d love to hear from you!

During the Glenbrook Payments Boot Camp we make clear that national payments systems are domestic by definition. Each country has its own set of systems to effect payments. We point out that national payment systems differ in many of their details. Regulation, operating rules, governance, ownership, technology, and more are highly variable.

At the same time, we also point out that major components are generally similar. An overnight, batch-based system for low-cost, low-value retail payments and an instant, irrevocable wire system for high-value transfers are typical of most countries.

Across the planet, countries are planning, designing, trialing or enjoying fully deployed immediate funds transfer systems, new ones that instantly transfer lower value payments. The UK’s Faster Payments system and The Clearing House’s Real Time Payments (RTP) are two examples of this system type.

Beside increased speed of payment, a second push for changes to national payment systems is the need for a richer representation of the data surrounding the payment transfer itself. Remittance data, for example, communicates what the payment is for, which invoices a payment may be covering, and what trade terms were taken by the payor. ISO 20022 is the internationally recognized method for representing this information and support for it has become a new priority not just for system operators but for financial institutions and enterprise customers.

Generally, major upgrades, never mind deployment of an entirely new system, are performed in a step-wise manner because of the critical nature of these systems, the cost, and the difficulty of herding system stakeholders through the many stages needed to achieve broad support and usage.

Undeterred by those realities, Canada is taking on a comprehensive upgrade to multiple systems over the next few years, including its overnight settlement and wire systems while simultaneously planning for its own immediate funds transfer system, codenamed Real Time Rails. Significantly, each system upgrade will include support for ISO 20022.

Payments Canada is the non-profit organization mandated by the federal government to manage, operate, and upgrade these systems.

In this Payments on Fire episode Glenbrook’s George Peabody speaks with Justin Ferrabee, Payment Canada’s COO about his organization’s work, how its systems differ from those in the U.S., and what’s ahead. It’s a great conversation between payments geeks.