Tue, 20 August 2019
For a nanosecond, about seven years ago, I thought the payments industry was entering a steady state where change, while sure to be accelerated by technology, was going to settle down to the familiar sedate pace the payments industry had taken for decades.
Hah! Payment industry evolution has leapt forward since then based on, yes, technology, but also new rules, regulations, business models, and changes in attitude toward how money moves, security, and privacy.
One major trend I didn’t anticipate then was the global phenomenon of faster payments, now in active implementation or operation in some 40 countries around the world. Another, of course, is cryptocurrencies, but I’ll leave that one alone for now.
The emergence of faster payments is a function of new technology with new transaction switching infrastructure and (mostly) a common messaging standard in the form of ISO 20022. But it’s also a function of rules and market response.
Even in the United States, a nation whose payment strategy is largely set by competitive forces, the central bank has had significant influence in launching new settlement capability. (And now, the Fed is planning to build its own version).
Europe and India are standouts when it comes to government guidance and strategy setting for banking and payment systems.
The European Union’s active role in evolving payments policy is recently expressed in the second Payment Services Directive (PSD2).
PSD2 has chosen to address one of the most vexing digital security challenges: strong customer authentication or SCA. Article 4(30) of the directive defines SCA as:
“an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”
For anyone familiar with authentication requirements, this is hardly a novel approach. As far as the payments ecosystem goes, however, this is a sea change.
This is also a necessary change. Faster payment systems, where the sender pushes the payment to the recipient, make the sender’s bank responsible for authenticating its accountholders. The accountholder has to prove to her bank that she has the right to access her own account and to initiate a payment.
Unfortunately, phishing and malware are attacks that make account takeover (ATO) easier than ever. There’s been an uptick in authorized push payment fraud in the UK due to ATO.
Therefore, enforcement of multi-factor authentication is seen as a necessary response.
Point of sale transactions already meet the SCA requirement. The card is something you have; the PIN is something you know. That’s enough to meet the SCA requirement. Oh, right, in the US, we don’t put PINs on credit cards. They do in Europe. We’re going to need biometrics in the US (something you are).
PSD2’s SCA mandate requires that multi-factor authentication be used whenever a user logs into her bank account or makes an e-commerce payment. Whenever payment risk is a possibility, SCA has to be used (there are plenty of exemptions, but that doesn’t change the point).
Every stakeholder—every bank, every e-commerce site—must comply by doing something they have not done before.
That means a lot of work.
In this Payments on Fire® episode (Episode 100!), I speak with Russ Jones, Glenbrook’s partner in charge of our Education work and a preeminently insightful payments consultant. Russ takes us through SCA, its relationship to other standards, and the impact of its now somewhat delayed implementation.
Russ concludes the conversation with the rather chilling observation that history is about to repeat itself. The US will experience in the digital arena what the US experienced at the physical point of sale.
When EMV chip cards were mandated in Europe, card fraud at the POS and the ATM migrated to the US. Reliant on the static data of the mag stripe, the US became a global magnet for magstripe card fraud.
Once SCA becomes broadly implemented in the EU, in 2021 and beyond, online fraudsters will redouble their already considerable attacks on US financial institutions, tech providers, and merchants. While security tools are more common than ever—FIDO-capable smartphones are one example—the US lacks a single entity to mandate and enforce multi-factor authentication in payments.
Thu, 8 August 2019
One of the privileges of using a card to make a payment is the ability to dispute that charge should something go wrong. Maybe you ordered one garden rake but got charged for two. Perhaps you ordered a sweater and, as my colleague Allen Weinberg puts it, “got shipped a box of rocks.” Or you discover a charge that you didn’t make on your card account and believe it’s fraudulent.
In all those cases, the dispute process involves a chargeback.
The cardholder disputes the charge, the issuer credits the customer for the amount of that charge if it’s an obvious mistake or fraud, and, depending upon the chain of liability rules and the type of transaction, one party—the issuer, the acquirer, or the merchant—will have to bear the cost of the chargeback.
For merchants, just getting a chargeback message is a cost in the form of a fee paid to its acquirer. How does $5 and (way) up sound? Chargebacks, as a payments cost, are no financial joke.
The card system also views the chargeback rate—the percentage of transactions that result in a chargeback—as a leading indicator of poor merchant behavior. Once a merchant’s chargeback rate approaches one percent of its transactions, the merchant’s acquirer or PSP is going to put it on notice. If the merchant doesn’t lower that rate pronto, the merchant could lose the ability to accept card payments.
The chargeback process is also a cost to issuers who are generally the party first called by the unhappy customer (issuers will often ask the customer if she or he has called the merchant, too).
In other words, chargebacks are a result of something going wrong and they can be a costly hassle for everyone because, for many stakeholders, chargeback handling is still dealt with manually.
In Episode 99 of Payments on Fire® we talk with Rick Lynch, VP of Business Development at Verifi, about the impact of chargebacks on merchants and issuers. He updates us on rule changes by Visa and Mastercard, and he addresses the process and techniques needed to handle these post-authorization events.
While only mentioned in passing during the episode, Verifi is being acquired by Visa, in another example of expansion by card network operators into adjacent payment ecosystem roles.