The business of merchant services continues to undergo two forms of transformation. First, the merchant services businesses, either as acquiring banks or via non-bank acquirers, has undergone massive consolidation over the last five years and more. Fiserv’s takeover of First Data, announced on January 16, is just the latest example.

The second sea change is the expansion of products and services these entities deliver. What was a fairly innovation-averse industry has become, under the competitive pressure of companies like PayPal and Square, far more committed to delivering value that helps customers run their business, not just accept card payments.

At the POS, Square changed the merchant services game by delivering a great deal more business value to the small merchant than the traditional ISO or agent focused on placing stand-beside terminals next to dumb cash registers. For the price of payment processing, Square has given those merchants inventory, time and attendance, sales and marketing focused reporting, and more.

As a result, the giants in this game have been forced to respond. In 2013, First Data acquired Clover to reach small retailers and restaurant customers. Others, like Global Payments’ Heartland unit, have invested heavily in serving the mid-tier and larger restaurant industry.

To deliver similarly broad services, TSYS recently come out with three new merchant offerings targeted at micro merchants, single shop operations, and larger merchants. The new line is called Vital, at vitalpos.com and its solutions are called Vital Mobile, Vital Plus, and Vital Select.

Along with the new Vital hardware, we can expect the offering, taking advantage of cloud delivery, to expand its software and services line-up in the future – a trick that the old POS terminal model never could pull off.

Take a listen to this episode’s discussion with Gavin Rosenberg, vice president of product marketing, at TSYS. It’s a revealing conversation about the decision making and product strategy of a major provider of merchant services.

This Stuff is Hard

As the remote payments domain (think in-app and browser-based payment transactions) continues to grow at around 15% a year, that growing number means the size and scale of fraud losses are going to increase. And they have – in both absolute terms and as a percentage of overall transaction volume. That also means rising chargeback rates for many merchants.

Rising fraud in the online world is also a result of better security technology in the physical world. While EMV chip cards have dropped counterfeit losses way down, the fraudsters still have their own bills to pay. They’ve just shifted more aggressively to the card not present channel.

A Delicate Balance

All e-tailers face a delicate balance in managing fraud. If they err too far on the side of fraud minimization by tightening approval standards too far, they leave good sales on the table and insult customers with unnecessary declines (the “insult rate”). Of course, those customers promptly go to another site to make their purchase.

The e-tailer’s sales and marketing team, then, tells the fraud manager that she’s killing sales.

If the approval standards are too loose, on the other hand, the e-tailer risks the twin threats of higher fraud and chargeback costs and, if the chargeback rate exceeds 1%, placement on a watch list if that rate stays over 1%. Not a good list to be on because the the merchant could lose card acceptance privileges if the problem is not addressed.

The Smaller E-Tailer is Challenged

While Amazon continues to gobble up half of the growth in US commerce volume, it still means that there is room for smaller online merchants to prosper. It also means they face growing fraud losses. Unlike their larger competitors who can afford internal fraud management teams and technology, small and mid-tier e-tailers have limited time, budget, and skills to meet those needs.

Fraud management is a non-trivial problem even for the largest enterprises. They deploy a layered set of technologies, ranging from table stakes tools like address verification system (AVS) to device and behavioral fingerprinting and on to rules engines, AI, and machine learning controls.

That level of sophistication is beyond what the mid-tier e-tailer can handle. Some enterprise customers don’t want to deal with that complex task either.

The Outsourced Option

That’s where the wholly outsourced proposition comes in. The third-party fraud management service provider assembles the necessary technology, makes the right integrations with shopping carts and other software providers, puts an analyst team in place to decide on questionable transactions, and offers its services for a fee.

ClearSale (www.clear.sale) is a provider in this space. Take a listen to Rafael Lourenco, its EVP, and George as they discuss fraud management in this segment, how the ClearSale service is deployed, and some merchant best practices. Rafael breaks down this topic very clearly. Definitely worth your time.

eCommerce fraud rates are rising and that means more cardholders are seeing unauthorized charges on their accounts.

The cardholder remedy is to call either the merchant or the issuer to flag the problem. If the cardholder turns to the issuer to resolve the problem, the remedy is often an expensive chargeback for the merchant and a generally lousy experience for everyone.

eCommerce Merchant Pain

eCommerce merchants have invested heavily in fraud detection tools because in the remote payment domain liability rules make them responsible for fraud losses. eCommerce merchants employ sophisticated fraud management processes and tools to detect fraud in realtime to stop authorization (best in class fraud rates are 25 bps – 35 bps).

On top of that, they must eat the direct costs associated with stolen goods and services. These include a chargeback processing fee from the acquirer as well as the merchant’s internal costs to manage the chargeback process. If the merchant fights the chargeback, the merchant has to gather the supporting evidence (the receipt or copy of the order) and submit it to the acquirer.

Disputes and chargebacks re initiated by cardholders for a range of reasons including fraud, authorization, various processing errors, and consumer-specific disputes. Examples of consumer dispute codes include products or services not as described, counterfeit, misrepresentation, and failure to process a credit.
https://www.worldpay.com/global/support/support-articles/what-are-chargeback-reason-codes-visa-and-mastercard

Issuer Pain

For issuers, disputes and chargebacks are painful, too. In the POS domain, issuers hold the liability for fraud losses. If a counterfeit card is used and the issuer authorizes the payment, the issuer owns that liability. Issuers also bear the customer servicing and communications costs as chargebacks initiate with the cardholder’s call to the issuer.

Consumers Game the System

Zero liability rules have taught U.S. cardholders that they don’t have to worry about fraud and that they have broad powers to dispute a transaction.

Knowing that, too many cardholders are taking advantage of these rules. Digital merchants, in particular, are suffering from friendly fraud (not exactly an accurate term) that occurs when a cardholder, for example, disputes the charges made by another family member. For some digital merchant, over half of their chargebacks are friendly fraud, purchases for which the cardholder is truly responsible but able to renounce (“It wasn’t me!”) because of the rules.

Such high chargeback rates carry other risks for these merchants. Once a merchant’s chargeback rate exceeds 1% of its transactions, that merchant is put on a watch list, a remediation plan, and faces the possibility of losing card acceptance privileges. High chargeback rates also increase authorization declines for the merchant, losing even more good transactions.

Card Network Remediation

On the face of it, there’s an asymmetry when it comes to liability. Merchants shoulder a large burden. With that in mind, both Visa and Mastercard updated their chargeback rules in 2018.

In a chargeback mitigating move, Mastercard recently announced an end to the automatic renewal of free trial subscriptions.

Timely Data Sharing

In other words, chargebacks are a pain. Steps to reduce chargeback cost and frequency are a Good Thing.

One approach is to speed up data sharing. For example, once an issuer determines that a transaction is fraudulent, a timely message to the merchant could halt a product shipment. While the rules would still make an eCommerce merchant liable for the chargeback costs, the merchant wouldn’t lose the cost of order handling, shipping, and the item itself.

Similarly, if merchants can share their cardholder fraud experience back to the issuer then that financial institution can adjust its fraud detection models and algorithms.

Such data sharing is the proposition of Ethoca, a firm that federates bank fraud signals from hundreds of major global issuers and connects to thousands of merchants in the developed world in order to share alerts and chargeback messages.

In this conversation with Keith Briscoe, CMO at Ethoca, we talk about the chargeback problem, hear some truly astounding chargeback stories (hackers aren’t the only fraudsters), and discuss Ethoca’s role in this space.

Fraud prevention today is about how quickly we can separate good customers from questionable ones and, for those doubtful transactions, use the right set of tools and data sources to optimize speed, costs, and fraud losses.

When it comes to fraud prevention, it turns out that data is key. No revelation there, but how we manipulate it, gather it, and assure its provenance is undergoing major change. What would be a revelation to fraud managers of a decade ago is the unbelievable amount of data and the wide variety of sources that we have today. It’s a flood.

The only means we have to make sense of this data deluge is through algorithmic examination. Rules engines and neural networks are staple approaches. In recent years, application of artificial intelligence and the newer incarnation of machine learning (“let the computer figure it out based on all the data it sees”) has become a hot, and effective, area for fraud prevention. Only machines can find correlations among all that data in order to identify potential fraud.

A number of firms focused on the fraud prevention problem employ techniques that gather data and then analyze it in order to provide their customers like eCommerce merchants or financial institutions with a risk score. Companies specializing in device fingerprinting, for example, gather the relevant data (think IP address, mobile IMSI number, device type, OS version, browser software version, etc.) to create a profile or “fingerprint” of that device in order to generate a history of its behavior. Threat Metrix, owned by LexisNexis Risk Solutions, is an example.

Behavioral biometric companies may take that data and layer on how the owner actually uses their device, often by looking for keystroke patterns, screen tap rhythms, the angle that the phone is held, and more, in order to build a more nuanced profile that includes how the owner interacts with the device. That richer data then feeds into analysis and risk scoring. Mastercard’s NuData Security acquisition uses this approach.

Subsequent bidirectional data sharing can provide these firms with insight into the results of their decisioning.

As these firms gain customers, they see more and more devices and develop clearer visibility into the outcome of their work. As a result, it becomes a natural step to pool or federate the data they see from all of their customers. There’s an expectation that a card account, for example, will be seen at multiple merchant clients of the fraud solution provider. These repeat interactions will improve fraud detection for all when the cardholder is a bad actor, or speed the transaction of a trusted one.

Data consortia where multiple financial institutions and merchants pool their fraud and chargeback data also exist. Ethoca is a prime example.

The deeper the data pool the better, provided, of course, there’s the ability to analyze it all.

Massive analytical capability is the foundation for artificial intelligence and machine learning. In the fraud prevention space, Feedzai is a firm that applies its analytics power to data sourced from multiple providers and techniques. Feedzai, like others providers who have attained a critical mass of customers, has also invested in federation of their data to improve, for everyone, its fraud prevention results.

In an earlier episode, we spoke with Feedzai CEO Nuno Sebastiao to get us grounded in how AI and ML apply to fraud prevention. In this discussion with Saurabh Bajaj, Feedzai’s Head of Product and Nick Stanchenko, product manager for Feedzai’s Risk Ledger, its data federation program, we go further. Saurabh catches us up on Feedzai’s growth and then takes a look at how Feedzai works and at the data sources it uses. Nick addresses federation, its value, and the light integration required.

Payment Innovation Moves to the Core

When we conduct our Glenbrook Payments Boot Camp, our first graphic illustrates the three essential steps in every transaction – initiation, funding, and completion. When looked at through the lens of of the past decade most innovation has been in initiation. Consider: Apple Pay, Google Pay, Venmo, QR codes. The list is long of ways to kick off a transaction.

Funding is all about where the money comes from. Usually a bank account, often a wallet holding money. Some innovation there but not a great deal. There are only so many ways to store funds.

Completion, the last step, is the most important to many participants as it’s when the transaction completes with the final movement of money.

Five years ago, in those boot camps, I said that completion, also called settlement, is the innovation-resistant phase of a transaction. Today, everything has changed.

In the U.S., we have new services such as Zelle and Venmo that appear to the end parties to deliver instant settlement. They may use card rails or bank rails like ACH to complete the transaction.

Two Forms of Settlement

In this discussion with Glenbrook’s Carol Coye Benson, we look at two forms of settlement: end party settlement – for example, an employer paying an employee – and then Carol focuses on the nuanced world of interbank settlement.

If you’ve heard the terms net settlement, gross settlement, or RTGS and wondered what they mean, take a listen.

Faster Payments and Settlement

We also talk about the phenomenon of faster payments and the settlement techniques these systems employ. 40 countries around the world are in one stage or another of deploying faster payment systems that push money from bank account to bank account. It’s already in the US via the Real Time Payments Network from The Clearing House and, perhaps, a competing service from the Federal Reserve. (To get an update on the Real Time Payment Network, listen to Episode 81 of Payments on Fire).

These faster payment systems vary in their capabilities. Speed and data carrying capacity are just two variables. But we have seen that when a new payment system enters a market innovative offerings can flourish, provided access to that system is encouraged by rule, regulation, or both. However, that level of openness is not guaranteed. As Glenbrook have seen in our work around the world, some systems are essentially closed by market power or operating rules. These constraints limit the network effect’s benefits of ubiquity, convenience and, often, cost.

This is an ongoing challenge. In this age of fintech, banks are under pressure to innovate. As owners or participants in new systems, some may choose to limit access to their fancy new rails in an attempt to forestall competitive market entrants. Others will be “encouraged” by regulators to open up. Of course, end party choices will play a big role, provided there’s a choice available.

The New Game

Settlement has traditionally been led by major commercial banks or the central bank of each country. That model still holds. In some markets, including the U.S., we expect a push and pull for control between those two entities. Christine Lagarde, Managing Director of the International Monetary Fund, suggests such tensions may justify  the issuance by a nation’s central bank of a fiat digital currency as a counterweight to the alternative control over payments by a concentrated set of banks and processors.

Settlement innovation has created a competitive environment that did not exist before. It will be the interplay of rules, regulations, technical capabilities, end party value proposition, and market power that will determine the evolution of each country’s settlement platform. In some, regulators will shape the outcome. In others, system access for fintechs and the “open banking” model will be a determinant. For all, cost effective access for end parties is critical.

So much for thoughts of a static payments ecosystem.

If you think of yourself as a payments geek or just want to get under the hood of how money really moves, Carol is a terrific guide.

Restaurant payments is a complex area especially for those companies serving the mid-sized and large restaurant operator. They have different needs that extend well beyond payment acceptance but even that is a highly variable concern.

Ever notice that we pay differently depending upon the type of restaurant we’re in? It’s always been walk up and pay the central server at McDonalds. Applebees uses Presto table top devices to speed table turns, upset desserts (“that lava cake sure looks good”) and take payments. At most sit-down establishments, especially those in the fine dining segment, we still hand over our cards and the server walks away to authorize the transaction (later that night, the manual tip adjustment process determine the final clearing amount.)

For certain segments, order ahead is a priority. Order ahead dominates how pizza shop operate. Initially, that capability took market share from mom and pop pizza shops because only the largest operators in the “Big Pizza” segment could afford the necessary IT expertise. Now, mom and pop have multiple order ahead services to choose from.

But consider the complexities of integrating the order into the kitchen or at the barista’s station. Business process automation is a differentiator.

This podcast with Tim McKenna, VP of Sales, at Heartland Payment Systems, is both a deep dive into restaurant operator concerns and a revealing look into how a major payments provider has shifted its business model to serve mid-tier and larger restaurant operators.

Like Square, Heartland has realized the revenue benefits of expanded commerce services above and beyond the traditional payments revenue stream. By cross selling multiple services, Heartland expects to see 60% of its revenues coming from payments coupled with value-added services that automate the business of their customers.

If you’re interested in how the payments industry is evolving to market demands or how larger restaurant operators think about payments, Tim’s observations are well worth your time. Take a listen.

RTP Characteristics

Not All Things

It’s Taking a Lot of Work

Connecting up a financial institution to the RTP Network requires deep integration into the FI’s core system, the software responsible for managing debits and credits. Connecting bank ledgers to any payment system is non-trivial, a fact that impacts how fast banks implement new payment rails like RTP.

Tell Me All About the Payment

The RTP Push

Instant Clearing and Settlement

Competition?

The payment industry’s responses to ongoing payment security concerns are many. We have procedural approaches and technical ones. For example, we are requiring merchants to attest to their compliance with PCI security standards that themselves include procedural requirements.

Technical solutions are also called out by PCI and are, of course, being applied across the ecosystem. Encryption of payment data in flight is one approach. In the physical POS world, semi-integrated POS terminals connect directly to the acquirer’s front end instead of passing card transaction data back through the merchant’s workstation and enterprise system.

An important technique, and the topic of this discussion, is tokenization.

Tokenization is an ancient security technique. In the broadest sense, a token is just a dummy representation of something of higher value.

In cards, that means the replacement of a PAN with a number or even an alphanumeric value that represents the underlying PAN. The mapping between the two is stored in a vault with the owner restricting access to that vault. If a hacker gets ahold of a token value, it’s useless. It’s a value that, to the payments ecosystem, is gibberish.

Tokenization is used in pull payment systems where payment credentials are given to the payee by the payer so that the payee has the information necessary to go get the money. Think card numbers or the routing and account numbers on a check.

In card payments, there are two forms of tokenization: merchant and issuer tokenization. Merchant tokenization has been around for more than a decade. A response to PCI, merchants generally outsource that token vault to a third party so they no longer store PANs themselves. When the merchant needs to do a lookup or initiate another payment, the merchant sends the token to the upstream service provider who then looks up the PAN and sends it off for authorization by the acquirer.

That’s been around for awhile.

The newer innovation is what we call issuer tokens – token values that are at the heart of Apple Pay, Google Pay, Samsung Pay and more. These token values are real card numbers, issued by your bank, but unlike a PAN that can be used to initiate a payment everywhere, issuer tokens are expected to come, for example, from specific devices or merchants.

Every card in your Apple Pay wallet is represented by an issuer token and whenever that token is presented for authorization, data about where it’s coming from is sent along too. If the token is sent from another device, for example the one the hacker has, authorization will fail.

This approach is totally compatible with the current card payment system. No changes are needed at the merchant or the acquirer and minimal ones at the issuer.

Glenbrook will be conducting an Insight Webinar on December 13 called Tokenization Fundamentals. Russ Jones will conduct that webinar.

In this Payments on Fire podcast, George talks with Russ about issuer tokenization, its role in the Pays (Apple Pay, Google Pay, Samsung Pay), in eCommerce, and the need for new entities in the payments ecosystem to support tokenization. This gets complicated. There’s now the need for token gateways.

Take a listen to the podcast and then sign-up for the webinar. Use the code POF80 to take 10% off the registration price.

In the U.S., there’s the automatic assumption that payment cards and perhaps PayPal are the way to pay online. But if you’re an eCommerce merchant trying to sell in the Netherlands, you’d better support the domestic system known as iDeal.

Connectivity into domestic payment systems is an important and complex issue. There are over 150 such systems across dozens of countries around the world. While not all are important to a given merchant, most are important to the acquirers and payment service providers serving eCommerce merchants.

Join George and Steve Villegas, VP Partner Management and Head of U.S. Office, of London-based PPRO Group, a company that provides white label connectivity to these domestic systems by serving acquirers and PSPs alike.

Knowing who you’re dealing with online is critical if you’re taking transaction risk. Digital identity is tough. To address that challenge – and it is a challenge – relying parties, those who take on risk, employ two broad categories of technology: active tools that require user interaction and passive network-based approaches.

When the user is required to explicitly provide identifying information, we use the interactive approach. The merchant or lender or website owner asks for user IDs, passwords, perhaps data generated by multi-factor authentication techniques such as biometrics, or one time passwords generated by an app or a hardware key.

If you’re an eCommerce merchant or an entity trying to sell something online – lenders included – you don’t want to ask the customer to do more than absolutely necessary to complete a good sale. Transactional friction is deadly to revenues and a main cause of shopping cart abandonment.

So, you use passive approaches that examine whatever data the customer’s device can provide. Device fingerprinting, behavioral analytics, rules engines, machine learning, and the past behavior of card numbers are among the portfolio of decisioning tools that do not interfere with the user experience.

Data is the foundation of the passive approach. In this podcast, George speaks with Ajay Andrews, Senior Director, Product, at Whitepages Pro, a data provider and analytics firm about identity verification and how the linkage of key data items influences decisioning. It turns out that particular pairs are strong indicators of potential fraud.

We discuss where the data linkage approach fits in the overall portfolio, what drives merchants to adopt, and how the tool is integrated into automated decisioning and case management.