Is Striving for a Zero-Fraud Future a Worthwhile Endeavour?
Fraud prevention is serious business
The business consequences for failing to stop fraud and secure customer data are serious. According to 451 research conducted in 2019, 45% of consumers in the EU that were impacted by a data breach in the last 12 months said they were very or somewhat unlikely to return to that business in the future.
Taking steps to mitigate fraud is paramount to avoid monetary losses, reputational damage and erosion of customer loyalty. But while preventing fraud should be a goal for all businesses, two fundamental questions remain: Is it possible to completely stop fraud? And is stopping all fraud actually a good thing?
Considering the consequences of a zero-fraud world
The challenge with fraud isn’t just about keeping bad actors out. It’s keeping them out while still letting legitimate customers in. As a result, merchants and card issuers walk a fine line. They don’t want to suffer losses because of loose fraud controls, but they also don’t want to miss out on revenue (including from merchandise and interchange) from legitimate customers by being hypersensitive to fraud. Consider that according to 451 Research, one in five EU consumers has experienced a declined transaction as a result of hypersensitive fraud models in the past year, and of those more than half expressed some degree of unlikelihood of returning to the same retailer in the future.
First, a zero-fraud world would result in costly and laborious security protocols. In a world with perfect security – which is what it would take for zero fraud – consumers might have to undergo onerous enrolment. For instance, they might be required to go to their bank, in person, and present multiple identity credentials to receive a secure hardware token to be used for every purchase. On top of the secure token, the consumer would almost certainly be required to present additional forms of identification on each device, for every new purchase, even if only slightly outside their normal payment habits, and even when the transaction was for a €3 cup of coffee. Aside from a prohibitive amount of friction that would drive cart abandonment to new heights, each layer of this security would carry operational costs for all stakeholders, including banks and merchants. Meanwhile, any indication of a new type of fraud attack, or even the perception of a new risk, would require an immediate upgrade to existing systems to prevent any possible loss.
Furthermore, payments innovation would be severely restricted. Networks, banks and tech companies would be unable to create new purchase experiences, as risk is not an option in a zero-fraud world. Digital commerce, P2P payments and the Internet of Things (IoT) would remain as fantasies due to the risk associated with entering data into third-party devices. As such, consumers’ only option to transact would be face-to-face, which would throw sand into the gears of global commerce while throttling the market opportunity for cards.
It would also mean there would only be one way to pay. Eliminating fraud means the industry would only be able to offer the optimal, most secure payment method. This means no flexibility, no fall-back, and ultimately, less resilience of the payments ecosystem. When perfect security isn’t viable, then neither are payments.
Finally, in this zero fraud world, card issuance could be significantly dialled back. In a world where we can’t take risks – in case it leads to fraud – we would have to question whether allowing cardholders who are naturally trusting, or susceptible to fraud scams, is secure. Many demographics could be deemed far too risky to serve.
A zero-fraud world could equate to one payment option with a single, in-person form factor that necessitates multiple forms of stringent authentication for each purchase. The consequences of this are many and would limit consumer participation, limit use cases for card payments and ultimately lead to a drastically smaller, far less flexible and far more costly payment system.
Refocusing on risk
Focusing our efforts as an industry solely on eliminating fraud without taking into consideration the customer experience is counterproductive as any savings accrued from a reduction in fraud losses would easily be offset by lost sales and a limited addressable market.
Several developments are helping the industry manage risk without sacrificing the customer experience. These include:
- New regulation and standards - Regulators and legislators are increasingly setting minimum standards to ensure strong fraud management becomes the rule, rather than merely best practice. GDPR and PSD2’s mandate for Strong Customer Authentication (SCA) serve to increase accountability while working to collectively elevate the industry’s focus on fraud prevention and data security. EMV 3D-Secure has emerged as the ideal framework to address SCA, enabling a significant increase in data sharing between merchants and issuers while opening the door for secure, user-friendly authentication technologies like physical biometrics. With EMV 3D-Secure, the overwhelming majority of transactions can be authenticated through a frictionless flow, while only the highest-risk transactions are stepped up for an additional form of authentication.
- Underlying, invisible security and risk technologies - Behavioural biometrics, device fingerprinting and frameworks like EMV 3D-Secure help to assess risk associated with a transaction in the background without interfering with the customer experience unless absolutely necessary. Paired with data security technologies like cryptography and network tokenisation, which strive to fortify the transaction flow, these emerging approaches are helping to transform the risk assessment equation.
- Strengthening data and intelligence - The growth of electronic payments across geographies has created a deep and diverse data pool that can be leveraged to detect emerging fraud patterns globally. Layered with statistical modelling, AI and machine learning, this data can be converted into intelligence to enhance the accuracy of fraud detection systems to address fraud in real-time.
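The three developments above, and the decline trade-off described earlier in the article, come down to one decision: given background risk signals, let a transaction through frictionlessly, step it up, or decline it, and pick the thresholds that minimise total cost rather than fraud alone. The following is an added illustration written for this page, not code from the article, Visa, 451 Research or any EMV 3D-Secure implementation. The signals, weights, merchant margin, challenge abandonment rate and challenge catch rate are constructed assumptions, as is the sample transaction set.

```python
"""Risk-based decisioning with a simple cost model (constructed example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    amount: float          # transaction amount in EUR
    known_device: bool     # device fingerprint previously seen for this cardholder
    country_match: bool    # IP geolocation matches the billing country
    typical_amount: float  # cardholder's usual spend (behavioural baseline)
    is_fraud: bool         # ground truth, used only to evaluate a policy's cost


def risk_score(tx: Transaction) -> float:
    """Combine invisible signals into a 0..1 score. Weights are illustrative."""
    score = 0.0
    if not tx.known_device:
        score += 0.35
    if not tx.country_match:
        score += 0.30
    # Spend far above the cardholder's baseline is treated as a fraud indicator
    ratio = tx.amount / max(tx.typical_amount, 1.0)
    if ratio > 5:
        score += 0.30
    elif ratio > 2:
        score += 0.15
    return min(score, 1.0)


def decide(tx: Transaction, step_up_at: float, decline_at: float) -> str:
    """Frictionless below step_up_at, challenge between, decline at/above decline_at."""
    s = risk_score(tx)
    if s >= decline_at:
        return "decline"
    if s >= step_up_at:
        return "step-up"
    return "frictionless"


def expected_cost(txs, step_up_at, decline_at, *,
                  margin=0.05, challenge_abandon=0.10, challenge_catch=0.90):
    """Policy cost = fraud losses + revenue lost to friction.

    Assumed cost model (constructed): a frictionless fraud costs the full amount;
    a declined legitimate sale loses the merchant's margin; a step-up stops
    challenge_catch of fraud and loses challenge_abandon of legitimate sales.
    """
    cost = 0.0
    for tx in txs:
        d = decide(tx, step_up_at, decline_at)
        if d == "frictionless":
            cost += tx.amount if tx.is_fraud else 0.0
        elif d == "step-up":
            if tx.is_fraud:
                cost += tx.amount * (1 - challenge_catch)
            else:
                cost += tx.amount * margin * challenge_abandon
        else:  # decline: no fraud loss, but a lost legitimate sale costs margin
            cost += 0.0 if tx.is_fraud else tx.amount * margin
    return round(cost, 2)


def decision_mix(txs, step_up_at, decline_at) -> dict:
    """How many transactions land in each outcome under a policy."""
    return dict(Counter(decide(tx, step_up_at, decline_at) for tx in txs))


# Constructed sample: a €3 coffee, a customer on a new phone, a traveller,
# a card tested with a low-value purchase, and two clear frauds.
SAMPLE_TXS = [
    Transaction(3.0, True, True, 40.0, False),     # coffee, nothing unusual
    Transaction(40.0, False, True, 40.0, False),   # new phone, legitimate
    Transaction(900.0, False, False, 40.0, True),  # new device, abroad, huge spend
    Transaction(120.0, True, False, 40.0, False),  # cardholder travelling
    Transaction(60.0, False, True, 40.0, True),    # fraud on a new device, modest amount
    Transaction(500.0, True, True, 400.0, False),  # regular big spender
    Transaction(30.0, True, True, 40.0, True),     # stolen card, looks normal
    Transaction(80.0, True, False, 40.0, False),   # travelling, 2x usual spend
]

# Three policies: approve everything, decline anything with a signal, balanced.
NO_CONTROLS = (1.01, 1.01)
ZERO_TOLERANCE = (0.01, 0.01)
BALANCED = (0.30, 0.80)

if __name__ == "__main__":
    for name, (su, dc) in [("no controls", NO_CONTROLS),
                           ("zero tolerance", ZERO_TOLERANCE),
                           ("balanced", BALANCED)]:
        print(f"{name:15s} cost={expected_cost(SAMPLE_TXS, su, dc):7.2f} "
              f"mix={decision_mix(SAMPLE_TXS, su, dc)}")
```

On this sample the zero-tolerance policy still misses the stolen card that behaves normally, so it does not reach zero fraud, and it costs more than the balanced policy because it throws away three legitimate sales; the balanced policy stops the same two obvious frauds with step-ups and a decline while keeping most legitimate customers on the frictionless path. Real deployments replace the hand-written weights with the statistical and machine-learning models the article mentions, but the cost comparison is the part that decides where the thresholds sit.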
Payments has always been a risk business, and without risk the industry doesn’t exist. Rather than endeavouring to eliminate fraud, our industry’s focus must be on transitioning to a layered approach to fraud and risk management that accounts for the customer experience. Leveraging next-gen approaches like tokenisation, AI/machine learning and behavioural biometrics, while collaborating with industry stakeholders to share intelligence, will help to support this goal while giving the payments industry a balance of security and usability that has not been seen before.
Jordan McKee is a Research Director for Customer Experience & Commerce and also leads 451 Research’s coverage of the payments ecosystem.
Glossary
- Cryptography - Cryptography uses mathematical techniques to protect data. It can be used to scramble the data into a form which can only be unscrambled by the intended recipient. It can also be used to protect the integrity and authenticity of data, allowing the recipient to confirm that it has originated from the expected source, and is unaltered.
- EMV 3D-Secure - 3-D Secure (3DS) is a technology that enables consumer authentication for online payments. It uses payment data – such as the amount, time of day, and location of the payment – to check for fraud and challenge the payee when necessary.
- GDPR - The General Data Protection Regulation (GDPR) is an EU-wide data protection law that regulates all processing of personal data for residents in the European Economic Area (EEA). It applies to companies operating in the EEA and to companies outside the EEA that process data of those living in the EEA.
- Tokenisation - Tokenisation is a process currently used in mobile payments (Apple Pay, Google Pay, Samsung Pay etc.) that replaces sensitive information, such as a 16-digit card number, with a unique digital identifier called a token. The token allows payments to be processed without exposing actual account details.
- P2P payments - Peer-to-peer transactions (also referred to as person-to-person transactions, P2P transactions, or P2P payments) are electronic money transfers made from one person to another through an intermediary.
- PSD2 - The EU has introduced a regulation called the “Second Payment Services Directive” (PSD2). It is designed to increase competitiveness and enhance security across the European payments industry.
- Strong Customer Authentication (SCA) - Part of the EU’s PSD2 regulation, Strong Customer Authentication (SCA) is designed to enhance fraud management for online and contactless payments, and foster innovation. Due to be introduced in September 2019, SCA is stricter about when and how banks and merchants verify a payment is coming from the correct cardholder, rather than from a fraudster.
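The cryptography and tokenisation glossary entries describe two mechanisms that work together: the merchant only ever stores a random token in place of the card number, and each use of that token is accompanied by a message authentication tag so the vault can confirm the request is genuine and unaltered. The following is an added toy illustration written for this page, not code from the article, Visa, or any wallet or network tokenisation service. The vault design, the merchant binding, the use of an HMAC as a stand-in for a real per-transaction cryptogram, and the shared MAC key are all simplifying assumptions.

```python
"""Toy token vault: PAN stays in the vault, merchants hold only tokens (constructed)."""
import hashlib
import hmac
import secrets


def make_cryptogram(key: bytes, token: str, merchant_id: str, amount_cents: int) -> str:
    """Authenticity/integrity tag over the transaction fields.

    Assumption: in this toy the wallet and the vault share `key`; real schemes use
    a per-device key and a scheme-defined cryptogram format instead.
    """
    msg = f"{token}|{merchant_id}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Issues tokens and is the only component that can map a token back to a PAN."""

    def __init__(self, mac_key: bytes):
        self._mac_key = mac_key
        self._entries: dict[str, tuple[str, str]] = {}  # token -> (pan, merchant_id)

    def tokenise(self, pan: str, merchant_id: str) -> str:
        """Return a random 16-digit token bound to one merchant.

        The token is drawn at random, so it carries no information about the PAN.
        """
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if token not in self._entries:
                break
        self._entries[token] = (pan, merchant_id)
        return token

    def authorise(self, token: str, merchant_id: str, amount_cents: int,
                  tag: str) -> tuple[bool, str]:
        """Check the token, its merchant binding and the cryptogram before using the PAN."""
        entry = self._entries.get(token)
        if entry is None:
            return False, "unknown token"
        pan, bound_merchant = entry
        if bound_merchant != merchant_id:
            return False, "token not valid for this merchant"
        expected = make_cryptogram(self._mac_key, token, merchant_id, amount_cents)
        if not hmac.compare_digest(expected, tag):
            return False, "cryptogram mismatch"
        # Only here, inside the vault, is the real card number touched.
        return True, f"authorised on card ending {pan[-4:]}"


def pan_exposed(merchant_records: list[dict], pan: str) -> bool:
    """Would a dump of the merchant's stored records reveal the card number?"""
    return any(pan in str(v) for rec in merchant_records for v in rec.values())


def demo() -> dict:
    """Run one tokenised purchase plus the two failure cases; returns the outcomes."""
    key = secrets.token_bytes(32)
    vault = TokenVault(key)
    pan = "4111111111111111"  # constructed sample card number
    token = vault.tokenise(pan, merchant_id="coffee-shop")

    # The merchant's database holds the token, never the PAN.
    merchant_db = [{"customer": "alice", "card_token": token}]

    good_tag = make_cryptogram(key, token, "coffee-shop", 300)
    ok, _ = vault.authorise(token, "coffee-shop", 300, good_tag)
    # Same token presented by a different merchant: binding check fails.
    other, _ = vault.authorise(token, "other-shop", 300,
                               make_cryptogram(key, token, "other-shop", 300))
    # Amount altered after the tag was computed: integrity check fails.
    tampered, _ = vault.authorise(token, "coffee-shop", 30000, good_tag)

    return {
        "token_is_not_pan": token != pan and len(token) == 16 and token.isdigit(),
        "merchant_dump_exposes_pan": pan_exposed(merchant_db, pan),
        "genuine_purchase": ok,
        "wrong_merchant": other,
        "tampered_amount": tampered,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the two checks is that a token taken from a merchant breach is of little use on its own: it is bound to that merchant, and every use needs a fresh tag that the attacker cannot compute without the key, so the card number itself never leaves the vault.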
All brand names, logos and/or trademarks are the property of their respective owners, are used for identification purposes only, and do not necessarily imply product endorsement or affiliation with Visa.