mobile - Consult Hyperion

Doing something about US card fraud

13th January 2016by Consult HyperionLeave a comment

OK, OK, so we all know that the world’s card fraud has been steadily migrating to the US because the rest of the world was busy adopting EMV (“chip and PIN”) cards while the US insisted on sticking with magnetic stripe technology for as long as possible. You remember magnetic stripes? Signatures?

Chip cards reduce certain kinds of fraud over magnetic stripes cards because, basically, you can’t use stolen chip card data to make a bogus chip card but you can use stolen magnetic stripe data to make a bogus magnetic stripe card. You have to go somewhere that takes magnetic stripe cards to use it, of course: the US.

As the US experiences an unprecedented spike in fraudulent ATM cash-outs, it is reported that the US accounted for 47% of the fraudulent cross border transactions seen on UK debit cards in 2014
[From 25% jump in cross border fraud on UK debit cards – Payments Cards & Mobile]

The gap between US card fraud and card fraud everywhere else in the entire world is substantial. In fact US card fraud runs around triple the rate outside of the US. That’s a lot of money, whichever way you look at it. And remember, the reported figures for fraud are for the direct losses to the issuers – they do not take into account the money that merchants have to spend on PCI-DSS or the sales they lose because of complex authentication processes or the money that goes into data breach notifications and repair.

US fraud losses equaled 12.75¢ for every $100 in total volume last year. Fraud in all other regions combined was only 3.73¢ per $100.
[From Global card losses will exceed $35 billion by 2020, says The Nilson Report » PaymentEye]

And unless we do something about it, it’s going to get a lot worse. Why? After all, now the US has finally started switching to EMV, surely the situation should improve? Sadly , no. As well all know, EMV only help with “card present” (CP) fraud. That’s why people have been talking about the expected surge in “card not present” (CNP) fraud in the USA following on from the introduction of EMV as sure as night follows day. That’s exactly what has happened everywhere else.

While POS card fraud is expected to decline gradually in an EMV-enabled U.S. market, CNP fraud will nearly double by 2018
[From A Hole in the Balloon Analogy: The Complex Evolution of Card Fraud in the US – Javelin Strategy & Research Blog]

The US already has half of the world’s card fraud so this is an impressive effort. But hey, they’re on track because it looks as if that surge has already started – even before the EMV liability shift – and the number of fraud attempts is escalating.

Between January and July, one in 86 online transactions was an attempted fraud, compared to one in 114 for the same period a year earlier,.. That’s a 33% jump in fraud attempts in one year.
[From The Surge in Online Fraud Is Already Here]

Now, this figure may not be as scary as you think, because while the number of fraud attempts is climbing, the amount of fraud is climbing more slowly. We’re getting better at defending ourselves. And this is why I think there is some cause for optimism, even in the US. The reason is that the number of ways to fight card fraud is increasing and because, in time, the cards themselves will be supplanted by much smarter devices (i.e., phones) that have more security capabilities. Actually, whether they replace cards or not, phones are a critical component. Knowing where you are is a really big factor in working out whether a transaction is valid or not, and knowing where your phone is is a reasonable proxy. Hence my interest in initiatives like the Visa location-based fraud analytics.

Mobile Location Confirmation is an optional service for consumers that will be offered through participating financial institutions’ mobile banking applications. The service uses mobile geo-location data in real time as an additional input into Visa’s predictive fraud analytics… When a cardholder’s mobile device is in the same location as the payment transaction, the issuing financial institution can more confidently approve the transaction.
[From Tech Matters]

I love learning more about this sort of thing, so on Friday 15th January I’ll be taking part in IBM’s “Blab” on real-time fraud detection at 1pm EST. A “Blab” is a bit like a Google Hangout – so I’ll be on webcam with my chum Cherian Abraham from Experian chatting about the topic and mulling over some interesting questions. You’re welcome to come and join us!

When is an acceptance mark not a mark of acceptance?

20th July 2015by Consult Hyperion1 Comment

As a consumer interested in obtaining goods or services, it is important to understand what the provider is prepared to accept in exchange. It is a safe bet that (with the odd exception) cash will be one of your available options. Other than cash, though, how can you find out which of the myriad methods of payment will be accepted without question?

Well, you could talk to someone, of course. But this isn’t always possible, for instance due to language barriers. Neither is it always practical to wait until you have filled your shopping basket only to find that you have no accepted method of payment.

The solution, of course, is to display a recognised standard symbol, indicating to the consumer that they may use MasterCard, Visa, Amex, Discover, PayPal, bitcoin, or whatever other payment methods are on display. The additional display of the EMVCo contactless symbol indicates that contactless payments should be possible with the payment card brands displayed alongside.

I say ‘should be possible’ because, unfortunately, this is not always the case. For legacy reasons that we won’t go into here, it is not uncommon to find retailers who accept Amex payments, and contactless payments, but not Amex contactless payments. Still – whilst not as convenient, the payment can still be completed via Chip & PIN.

But now adding to the mix we have a brand new acceptance mark for Apple Pay. On the face of it, this seems a sensible decision. After all, if you want to use Apple Pay then it’s good to know where you can use it. But then again, you already do know where you can use it – everywhere that displays the EMVCo contactless symbol. Apple Pay, after all, is not a payment scheme in its own right, but rather uses the existing card schemes’ contactless card payment infrastructure to perform NFC transactions.

What the Apple Pay decal does not tell me is whether or not the payment card loaded into Passbook is accepted at this retailer; for that I still look for that card scheme’s mark. It also doesn’t tell me if that retailer who does accept my card scheme is able to perform that particular contactless transaction. For instance, those retailers who accept Amex, but can’t yet perform Amex contactless transactions, will not be able to accept Amex Apple Pay transactions either, as the BBC’s Rory Cellan-Jones discovered on the morning of the UK launch when he was out and about in London. (Indeed, Apple Pay featured on the main evening news in the UK, as shown here!)

But more importantly for an aspiring acceptance mark, a retailer advertising their acceptance of Apple Pay may not actually accept the cards loaded into it at all. Amex and Discover/Diners do not enjoy the same level of acceptance as MasterCard or Visa, but their cards are (or will be) available to be loaded into Apple Pay. Should a consumer not expect that a retailer who advertises their acceptance of Apple Pay will actually accept Apple Pay, regardless of what they have loaded into it?

Incidentally, whilst the focus is currently on what “Apple Pay acceptance” actually means, there are similar potential implications for ‘four party payment card schemes’ (i.e. MasterCard and Visa) as a result of the recent EU Regulation 2015/751 on interchange fees. As well as the headline-grabbing cap on the fees themselves, Article 10 of this regulation is concerned with the schemes’ “Honour All Cards” rules, which currently require merchants to accept any card from the accepted scheme. This Article provides that:

Payment card schemes and payment service providers shall not apply any rule that obliges payees accepting a card-based payment instrument issued by one issuer also to accept other card-based payment instruments issued within the framework of the same payment card scheme.

In other words, payees (merchants) can choose which MasterCard or Visa cards they want to accept. Merchants may, for instance, choose to accept only debit cards and not credit. Or they may choose to accept everything except higher-fee rewards cards. “Honour All Cards” will instead become “Honour All Issuers,” meaning that merchants cannot refuse to accept a card based only on the issuer of that card.

To achieve this, the cards will need to be both electronically and visibly identifiable, as long as the card is issued within the EU. In deference to the second law of thermodynamics, merchants will be required to advertise which cards they do not accept, alongside the acceptance information. It is not yet clear how a non EU-issued card would be treated by a merchant who is depending on being able to identify a card product; the expectation of a non-EU cardholder will be that they can use their card at a merchant displaying the appropriate symbol.

So, when is an acceptance mark not a mark of acceptance? Well, when it cannot be relied upon to signify that the indicated payment method will actually be acceptable.

We still haven’t finished talking about mobile wallets

20th October 2014by Consult Hyperion1 Comment

I had assumed that the world had got bored with talking about mobile wallets by now, but that certainly wasn’t the case in London last week, where I had the great fun of chairing a couple of discussion panels on the topic and found new perspectives on the likely marketplace trajectory.

Continue reading “We still haven’t finished talking about mobile wallets”

Authentication expectations are changing rapidly

30th September 2014by Consult Hyperion2 Comments

Apple TouchID has completely changed my expectations of how security should work on my mobile phone and I don’t doubt it will change other people’s as well. And very quickly.

Continue reading “Authentication expectations are changing rapidly”

Yes we KANZ

10th September 2014by Consult HyperionLeave a comment

The discussions around digital identity and digital money down at the KANZ Summit in Auckland left me convinced that they remain mobile-centric for the foreseeable future. They also left me convinced that this whole Internet of Things thing hasn’t really been thought through.

Continue reading “Yes we KANZ”

Apple speculation

28th August 2014by Consult Hyperion1 Comment

Even if Apple does put NFC in the iPhone 6, I do not see why they will use it to implement the existing industry model for contactless mobile payments.

Continue reading “Apple speculation”

Mobile wallets in Woking in 2014

26th August 2014by Consult Hyperion1 Comment

I’ve got Seasonal Affected Disorder (SAD). I get this every season when I try to buy something using my mobile phone.

Continue reading “Mobile wallets in Woking in 2014”

Japan and the US are special cases for mobile payments

2nd June 2014by Consult HyperionLeave a comment

The US shouldn’t look at Japan as a model for mobile payments, and Europe shouldn’t look at the US.

Continue reading “Japan and the US are special cases for mobile payments”

HCE for MNOs

27th February 2014by Consult Hyperion4 Comments

The MNOs first thoughts are HCE might have been negative, but they need to rethink. It’s a great opportunity for them if they decide to take it.

Continue reading “HCE for MNOs”

Service Opportunities for Mobile Identity

28th January 2014by Consult Hyperion1 Comment

I still think that mobile identity is a real opportunity for mobile operators to provide a valuable service and occupy a key position in the future value network.

Continue reading “Service Opportunities for Mobile Identity”