Resolving the Compliance-CX Rivalry

Regulation paves the way for exciting innovation

Stricter regulation has created a perfect storm in the payments ecosystem, bringing additional privacy and enhanced data security for consumers

Beyond the security benefits, regulation is opening the door to more exciting payment experiences, sparking increased innovation through new data-sharing and fraud-prevention programmes.

Regulation, notably the European Union revised Payment Services Directive (PSD2), has had a positive impact on the sector, allowing new tech companies to flourish.

While the EU General Data Protection Regulation (GDPR) has forced businesses to prioritise the safeguarding and governance of data, the advent of PSD2 has meant that digital payments are protected for consumers across the EU.

These new regulations, in addition to emerging laws around data use, artificial intelligence guidelines and general standards for ethical finance, have come together as a key step for the payments landscape.

With the clarity and additional protection provided by these regulations, and the supporting regulatory guidance from direct industry engagement, multi-party services can now operate with increased visibility of flow of assets and data, explains Brian Costello, vice president of Envestnet | Yodlee.

“This visibility allows for the application of fine-grained controls to detect and prevent fraudulent activity, while reducing false positives, as well as enforcement and recovery in the cases where fraud actually occurs,” says Mr Costello.

According to UK Finance, advanced security systems and innovations in the financial services industry prevented more than £1.6 billion being stolen through fraud in 2018.

Fraudsters

While this demonstrates significant progress across the industry, risks remain as fraudsters pocketed £1.2 billion last year.

With customer security one of the key drivers behind PSD2, merchants are required to implement strong customer authentication (SCA), such as two-factor authentication. However, two-factor authentication presents a challenge by getting in the way of frictionless, quick-and-easy payment methods. As consumers have to jump through more hoops, they are more likely to abandon purchases.

“As a result, the PSD2 regulation has included some exemptions to allow merchants to provide frictionless payments for certain, lower-value and low-risk transactions, and transactions from trusted beneficiaries, recurring transactions and secured corporate payments,” explains Gabe McGloin, head of international merchant sales and business development at Verifi.

Consumer choice

Consumers are already benefiting from the ability to switch money between accounts, moving any spare cash to pay off a loan or move into an ISA on pay day, for example.

[Chart: Regulation is the biggest driver of change in the payments landscape. Factors that banks feel are driving global change]

Dan Scholey, chief operating officer at Moneyhub, has high expectations of what could be in the pipeline for financial consumers.

“As friction in payments is reduced, we will see the replacement of legacy systems like direct debits, which are at best a workaround solution based on a mutual trust between the two parties,” he says.

“I expect to see a consumer protection framework evolve that replaces the insurance we are used to, such as credit cards with an 'opt in' model that can be applied where appropriate.”

The once stale financial services industry is now evolving at a speed that is difficult to keep up with. But it is likely to be a few years yet before the full benefits are felt by consumers and businesses alike.

Accurate risk assessment protects the payment system

As consumers have fallen victim to cyberfraudsters when shopping online, trust in digital payments must be restored

New regulations have been introduced to protect online shoppers from cybercrooks. Strong customer authentication, for example, is designed to reduce fraud and make online payments more secure by requiring two-factor authentication in some cases.

Regulators have also brought in measures to ensure companies treat the data they hold on customers responsibly. In May 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect, to strengthen and codify data privacy laws across EU member states.

Under GDPR, personal data includes name, home and work address, location, phone numbers and IP addresses. It also covers biometric data, such as fingerprints and iris recognition, and any kind of personal data that can be used to identify an individual.

GDPR affects the way a company gathers and stores the personal data of its customers. Companies that fail to comply can be fined. Ultimately, these regulations aim to protect consumer data, while companies come up with innovative solutions to combat fraud and authenticate people.

In the past, banks have been almost blind to the shopping cart data on which merchants made fraud risk decisions; they didn’t know the location of the customer, for example.

To address this, a major area of innovation has been pre-authorisation risk evaluation. It’s an assessment that is carried out while a consumer is browsing an online retailer and checking out. In partnership with the merchants, ecommerce companies and card networks, it’s now possible to extract better risk insights from the data.

Arjun Kakkar, vice president of strategy and operations at Ekata, explains that Ekata's global identity verification brings together a rich set of data about individual customers and their shopping behaviour to verify who they are. Successful pre-authorisation risk evaluation results in fewer false-card declines and ultimately more revenue for everyone in the ecosystem.

Streamlining the process

Michael Reitblat, chief executive and co-founder of Forter, which provides fraud prevention technology, says: “Pre-authorisation risk assessments are growing as market leaders understand the value in streamlining the decisioning process prior to the transaction being authorised.”

Pre-authorisation risk evaluation is done during a consumer’s checkout experience. That’s typically between entering your payment details and before the authorisation request is sent out to a bank. This means that it has to happen very swiftly if merchants don’t want to risk disrupting payment.

Since pre-authorisation risk evaluations have to be done quickly, there needs to be a predictive engine in place that has enough data to make decisions about the risk of fraud. Those who provide pre-authorisation risk evaluations do not typically have the luxury of calling on various third-party data sources as would be the case for risk evaluation post-authorisation. With less data available at the pre-authorisation stage, the process becomes more challenging.

Good risk evaluation involves a layering of data that has been collected from different sources. This data needs to span all phases of a customer’s engagement cycle, from when they first open an account, to when they log in and decide to make a payment.

Multiple layers of data are required to build a robust fraud-vetting process. These include internal data points, such as blacklists, account histories and shopping carts, combined with device fingerprinting, behavioural biometrics and the identity data provided by customers.

What are the benefits?

So what are the benefits for those who overcome the challenges of verifying a customer during the checkout process? Firstly, it’s less likely to lead to false-card declines. This will increase customer trust and retention.

Mr Reitblat says: “More accurate decisions will lead to minimising insult rates to good customers, minimising false declines, and improving revenue streams and approval rates. Additionally, pre-authorisation decisioning greatly benefits the merchants, as any declined transactions will ultimately save merchants money, avoiding sending a bad transaction to a bank or issuer and incurring extraneous fees.” 

If customers are accurately assessed prior to authorisation, this opens up a number of paths for retailers to engage with consumers as they are paying for their order. One strategy used by retailers is to offer customers additional options, such as same-day shipping. Another is to suggest customer promotions including free shipping or value-added services and top-ups. With perks like these, retailers try to encourage customer loyalty and build trust.

Another benefit is that pre-authorisation risk evaluation increases issuer approvals. Those merchants who are sending fewer fraudulent transactions through are likely to have more authorisation requests approved by banks.

In addition, it helps reduce operating costs, including manual reviews, more expensive checks done post-authorisation and payment processing costs associated with fighting fraud.

“It’s not like fraudsters are going away, they’re just migrating,” says Ekata’s Mr Kakkar. “Fraud is their job. While the good guys are making it harder for them, fraudsters also use machine-learning. Both sides are getting more sophisticated.” 

It is, therefore, crucial for retailers to ensure they stay on top of the latest security innovations, while keeping their customers’ data safe.

Commercial feature

Pinpointing fraud in the payment journey

Concerted efforts to combat cyber-fraudsters are paying off, explains Arjun Kakkar, vice president of strategy and operations at Ekata

How do fraudsters operate online? Are their attacks too fast and too strong for companies to protect against? Looking at the numbers, it appears that fraudsters are doing quite well. Global payment card fraud losses were over $28 billion in 2019, continuing the growth trend of over 15% a year in the last few years, according to the Nilson report. Digital commerce growth serves as a strong tailwind for these fraudsters.

To determine whether fraudsters are overpowering the ecommerce ecosystem, let’s first understand the journey of a customer online. Imagine you are the customer using Airbnb. What do you experience? Each customer typically goes through four stages on their payment journey.

First, there’s the “logged out” experience, when you’re browsing a website or mobile app. You might be looking for a place to stay on your next vacation, and you find a listing on Airbnb using a Google search. Apps and marketplaces typically give you more in-depth information and personalise their listings for you after you have created an account (or signed in to an existing account).

That’s the second stage: the “logged in” experience. Throughout your browsing history, apps will try to collect information about you, both to personalise their services for you, and to authenticate who you are once you’re making a transaction.

The third stage is the “check out” experience. Let’s say you have decided to book the villa in Bali. At this point, you have to enter additional information into the system, including your credit card details and billing address. If you are buying physical goods, you have to provide your shipping address.

Once you hit submit, there might be more or less friction in the process of authenticating who you are, depending on where you’re based. In the EU, the regulators will soon mandate higher friction “strong customer authentication” for riskier transactions. In the US, there is a lot less friction.

[Chart: Most consumers feel responsibility for fraud prevention lies with the business rather than the consumer]

Once you confirm your payment, the merchant will send your information to the bank, which checks whether you have enough funds to cover the purchase.

And finally, there is the fourth and final “post checkout” stage, where you have bought a plane ticket, for example, and your transaction is complete, but the ticket has not been issued yet. At this stage, further checks are run in the background for riskier transactions.

Identity

Fraudsters strike at several points of this customer journey. It could be when you sign up or sign in, where they open an account using stolen identities, or take over existing accounts. Alternatively, the fraudster could use stolen credit cards during the checkout phase. In each of these cases, the fraudster is trying to trick the merchant’s or bank’s process to authenticate your identity.

Let’s dive deeper into the fraud at the checkout phase. In order to protect themselves from fraud, banks tend to err on the side of caution. As a result, the current authorization rate in the United States is around 83%. This means banks reject as much as 17% of online transactions in order to protect themselves. In stark contrast, they reject less than 3% of in-store transactions.

One issue is the high volume of risky transactions that merchants send banks for authorization. The information banks receive from merchants is usually limited – it doesn’t include a customer’s location or email details, for example. Knowing that no one has checked for fraud so far and not having too much information to make a good decision, the banks take the conservative route of not authorizing transactions.

However, the problem is that experiencing a declined payment erodes customer trust, with 32% of people who have been falsely declined saying they will not shop with that merchant. Customers also tend to stop using credit cards that were falsely declined, impacting the bank’s revenue. When there is too much friction in the customer experience, merchants and banks lose out on customer trust, brand equity, and revenue.

One of the best ways to resolve this issue is to use advanced techniques like machine learning on trusted data for real-time risk evaluation before sending the transactions to banks for authorization. That’s being proactive, not reactive. We call this process pre-authorization risk assessment, and merchants can send riskier transactions through a higher friction authentication process. Banks will get the less risky and authenticated transactions, improving authorization rates.

Risk assessment

Thousands of customers across the globe use Ekata’s identity data for risk assessment. We have engineered solutions for pre-authorization that give merchants, payment providers, and banks access to this data in less than a tenth of a second in the US and Europe.

The core of our product is our identity engine, including identity attributes such as email, phone, and address, behavioral network information from 1,700 of Ekata’s global customers, and scores that we have built using machine learning.

And finally, privacy and security are at the heart of everything we do. Giving more industry players access to consumer privacy data for fraud prevention comes with the risk of the data getting into the wrong hands. All players need to use appropriate technical and organisational measures to protect data from unauthorized access, aligned with the EU’s GDPR principles.

All parts of the ecosystem – whether they’re merchants or banks – should focus on driving customer trust. How can they do that? The answer lies in the amount of data they have, share, and get access to from trusted third party data sources. Fraudsters continue to amass more data, and our job is to be several steps ahead of them.

Several merchants and banks have been using these principles to give their customers a great online user experience while keeping fraud in check. Thanks to these efforts, though the fraud losses continue to grow, they are not growing nearly as fast as the growth in online transactions. The loss per dollar spent has flattened, an early sign of success. With more players working together to fight fraud, we can win against fraudsters.

Compliance vs. customer experience

With cart abandonment presenting challenges to e-tailers, it's vital that businesses ensure a smooth customer experience. But as payment fraud prevails, businesses should not choose between a seamless CX and watertight fraud prevention

[Chart: Fraud losses continue to hit businesses hard. Most businesses have experienced the same or more fraud losses in the past 12 months]

[Chart: The reputational impact of fraud can be serious for businesses. Actions that consumers likely take upon discovering fraudulent activity on a company’s digital platform]

Machines combating fraud

Innovations with machine-learning and artificial intelligence have improved the ecommerce experience for customers, not only through simplifying transactions, but also by identifying the good from the bad

Despite sounding like something from a sci-fi film, technologies such as tokenisation, encryption and secure remote commerce are helping firms across the world reduce fraud, increase authentication and enable globalisation of online commerce.

“It’s hardly an overstatement to say machine-learning, and more broadly artificial intelligence (AI), have revolutionised ecommerce,” says Stefan Nandzik, vice president of corporate communications at Signifyd, who explains that AI has transformed risk management from a manual task relying on gut instinct and educated guesses, or a system of static rules which didn’t adapt to changing fraud patterns.

“In recent years, innovators have developed a form of risk management called guaranteed fraud protection. This uses big data, machine-learning and domain expertise to sift legitimate orders from fraudulent ones, typically in milliseconds,” he says. “The advance means that retailers can automate their order flows, which is vital in the Amazon era.”

Ecommerce sales have skyrocketed, and despite the much-rumoured global slowdown and waning high streets, sales are predicted to reach $6.5 billion by 2023. Data from Statista shows that in the five years from 2014 to 2019, ecommerce sales grew more than 150 per cent.

Lucrative target

However, with the market set for billions of dollars’ worth of growth each year, it has become a lucrative target for fraudsters and organised crime groups. With the stakes increasingly high, AI has a vital role to play in combating fraud.

Caroline Hermon, head of AI at SAS UK and Ireland, says: “AI and advanced analytics can enable companies to sift through vast quantities of complex data in real time, picking up on patterns and anomalies, which would otherwise be missed, and alerting investigators before fraud actually occurs.”

Secure remote commerce (SRC) is designed to standardise the checkout process for global online commerce, to make the payment experience as seamless as possible by enabling one-click checkout for all cardholders. However, convenience must be balanced with security.

Daniel Cohen, director of the fraud and risk intelligence unit at RSA Security, explains that enrolling in the SRC framework requires card issuers to have a clear authentication channel in place, such as 3D Secure 2.0 to verify cardholders.

Surrogate tokens

Tokenisation allows banks to place sensitive data in a vault and replace it with surrogate tokens. Transactions can then be safely conducted using a token instead of the sensitive data itself. Even if the SRC data is breached, the information available to fraudsters will be unusable and have no value outside specific merchant or payment channels.

Mr Cohen says: “Tokenisation can work well in tandem with encryption, which converts sensitive data into code that can’t be read without the corresponding key.”
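The tokenisation described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor it names; the `TokenVault` class, the merchant identifiers and the in-memory storage are assumptions made for illustration, and a real vault would also encrypt the stored card numbers.

```python
import secrets

class TokenVault:
    """In-memory stand-in for a bank's token vault (hypothetical design)."""

    def __init__(self):
        self._by_token = {}   # token -> (card number, merchant it was issued to)
        self._by_scope = {}   # (card number, merchant) -> token

    def tokenise(self, pan, merchant_id):
        """Return the surrogate token for this card at this merchant."""
        scope = (pan, merchant_id)
        if scope not in self._by_scope:
            # Random, so the token reveals nothing about the card number.
            token = "tok_" + secrets.token_hex(16)
            self._by_scope[scope] = token
            self._by_token[token] = scope
        return self._by_scope[scope]

    def detokenise(self, token, merchant_id):
        """Resolve a token, but only for the merchant it was issued to."""
        pan, owner = self._by_token.get(token, (None, None))
        if pan is None or owner != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return pan


def charge(vault, token, merchant_id, amount):
    """Authorisation path: only the vault side ever handles the real number."""
    pan = vault.detokenise(token, merchant_id)
    return {"merchant": merchant_id, "amount": amount, "card_last4": pan[-4:]}


def token_refused_elsewhere(vault, token, other_merchant):
    """True if a token copied from one merchant is rejected at another."""
    try:
        charge(vault, token, other_merchant, 1.00)
    except PermissionError:
        return True
    return False


TEST_PAN = "4111111111111111"   # constructed sample value, not a real card

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenise(TEST_PAN, "shop-a")
    print(token)                                   # what the merchant stores
    print(charge(vault, token, "shop-a", 25.00))   # works in the issuing channel
    print(token_refused_elsewhere(vault, token, "shop-b"))
```

The merchant's own database holds only the `tok_...` value, so a copy of that database contains nothing that can be used outside the channel the token was issued for.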

Richard Bennett, head of industry strategy and solutions, Europe, Middle East and Africa, at VMware, claims SRC is critical in a world of AI and machine-learning where cyberattacks are now able to penetrate in significantly more areas of data transit and data at rest.

However, he adds: “It is blockchain that will support us in correcting any fraudulent connections or transactions, allowing a clear chain to both reverse fraud and then act on the cyberattack itself with concrete certainty of the perpetrator or perpetrators.”

According to Mr Bennett, cybercrime is more sophisticated because AI is enabling the same innovation in attacks that is needed for defence. Therefore, the industry must deliver technology solutions which secure, end to end, sensitive customer and financial data. This approach to cyber-hygiene is growing the globalisation of online commerce.

Multi-layered approach to security

As criminals use sophisticated methods to defraud online retailers, a multi-factor approach offers the best defence

To protect themselves, merchants should ensure their fraud prevention strategy combines these four key elements.

1. Internal data

Many e-retailers are sitting on a vast trove of customer data. It’s a tempting target for cybercriminals, but it’s also one of the keys to preventing fraudulent activity. For example, if a customer suddenly starts making multiple high-value orders, it could be a sign of fraud.

The same goes for the shipping address as a sudden change could be a sign that an item is about to be shipped to a crook rather than a genuine customer.

Custom rules, and increasingly machine-learning tools, can help to flag up suspicious activity and prevent fraud. However, Masha Cilliers, specialist payments partner at iBe TSE, a pan-European financial services advisory firm, sounds a note of caution.

While traditional methods, such as velocity counts, customer history and simple rule-based technologies, still work to a degree, she warns: “They are often circumvented by the growing number of sophisticated fraudsters and, frustratingly, they may lead to creation of false positives, which lead to declining a genuine transaction.”

2. Device fingerprinting

Device fingerprinting is an imperfect tool on its own, but it can be helpful in terms of preventing mass attacks from organised fraudsters.

It essentially enables ecommerce retailers to see whether a device has been used to complete transactions on their site in the past. In some cases the opposite is also true as it can tell you if the device has previously been used for fraudulent purchases, at which point it can be blocked.

Information identifying the device is passed from it to the server each time it’s used to access the retailer’s website. Everything from the device’s operating system to the type of web browser being used and the device’s IP address can help identify it. And if the location of a device doesn’t match the address provided by the customer, for example, it could also be a sign of potential fraudulent activity.

3. Behavioural biometrics

While the previous two fraud prevention methods still have their uses, retailers are increasingly turning to more advanced forms of fraud prevention, such as behavioural biometrics.

“With biometric authentication, we’ve replaced the password with the person,” says Ajay Bhalla, president of cyber and intelligence solutions at Mastercard. He explains that techniques such as fingerprint and facial recognition are far more secure than knowledge-based solutions, such as passwords, PINs and logins. “These ‘explicit’ biometrics can be combined with ‘passive’ biometrics, such as how you type and hold your phone, and device ownership to confirm you are who you say you are,” Mr Bhalla adds.

A fraudster who has someone’s phone and fingerprints, or even similar facial features, like a twin might, will have an extremely difficult time trying to replicate unique mannerisms, says Jason Tooley, chief revenue officer at authentication platform Veridium. “By tapping into the power of behavioural biometrics, businesses can diminish the risk of identity and strengthen authentication in a way that is both transparent and frictionless for the end-user,” he says.

4. User-inputted data

A suspiciously fake-sounding email address or an invalid phone number are still common signs that the 'customer' using your site may be someone who is attempting to defraud you. And then, of course, there’s the obvious red flag of a shipping address that doesn’t match the billing one.

Customer passwords can provide some protection from cybercrooks, but the increasingly sophisticated nature of fraud, and wide availability of stolen data on the dark web, mean it’s far from a secure solution on its own. If some of the details a customer inputs during the checkout process appear suspicious, two-factor authentication can be used to help weed out potential fraudsters.

By successfully implementing this multi-layered strategy, businesses stand to increase security and reduce payment fraud.