Security in a new recovery landscape: how to protect customer data
COVID-19 demonstrated to merchants and financial institutions the importance of having services and solutions that can quickly adapt to shifts in customer preferences, particularly as consumers have shifted more to digital channels for commerce. In fact, digital technology has been a major factor in providing businesses a lifeline to keep engaging and serving customers during the past year. Visa data on performance trends demonstrates the importance of these digital services to businesses.
Fraud Rate Declines as Spending Trends Evolve
Digital payment volumes have consistently increased since the first lockdowns began in March 2020 with volume levels stabilizing much higher than historical averages. From early March to the end of May 2020, Card Present (CP) volume declined by ~20 perecent while Card-Not-Present (CNP) volume increased by 20 perecent. If travel is excluded, CNP volume actually increased by 40 perecent.
One year later, CP spend was growing at 4 perecent while CNP volume excluding travel continued to grow over 30 perecent in the second quarter of 2021 (VisaNet). Improving card-present spending did not slow e-commerce, indicating that the e-commerce trend is likely to continue even as card-present spend recovers. While these figures are specific to the U.S. market, we have observed similar trends globally across both mature and emerging markets.
The sprint to digitizing everyday consumer interactions and experiences, along with volatile spend patterns and the emergence of highly motivated and creative fraud rings, created expectations for a significant increase in fraud. While there were spikes in certain segments, such as government disbursements, Visa data shows that the overall global fraud rate in CY2020 actually decreased by 4 percent while payment volume remained flat year-over-year.
This reduction in fraud is partly due to the proper management and transition to digital-first channels by adopting secure technologies like tokenization and contactless. In addition, the shift towards domestic transactions which generally have lower fraud rates than cross-border transactions played a major role in the fraud reduction. In fact, estimates prior to COVID-19 assumed the fraud rate would have increased by 5 percent over the past year based on domestic/cross-border channel mix before the pandemic.
The industry needs to be vigilant to continue to protect the payments ecosystem as recovery efforts continue and commerce grows and expands, both domestically and across borders. Below, Visa offers a look at new threats presented by fraudsters and areas of continued investment for ongoing safety and security of payments, and ultimately a smooth recovery for all involved.
The Evolving Threat Landscape
Visa has identified several key areas where fraudsters are focused across every phase of the transaction lifecycle. Read below to understand where they are targeted and how you can adapt strategies to keep your organization and your customers protected.
Account Onboarding & Management: Verifying consumer identity became a major challenge given the nature of the pandemic, creating opportunities to engage in application fraud and synthetic identity fraud. Visa observed fraudsters obtaining personally identifiable information (PII), which generally contain the victim’s full name, address, date of birth, social security number, driver’s license, and payment account information. They then use the PII data to fraudulently apply for accounts that are monetized, both domestically and cross-border, through purchases of cryptocurrency, gift cards, electronics, and of person-to-person (P2P) transfers through mobile payment applications.
- Leveraging AI to detect irregular use of identity elements during the application process to approve the right applications while detecting fraudulent behavior.
- Providing the ability to set card restrictions and alerts to identify unauthorized charges once the consumer is on-boarded.
Authentication: Impersonation attacks have been popularized, taking advantage of the virtual nature of consumer interactions today. Visa has seen examples of issuers who report that their legitimate customers receive One-Time Passwords (OTP) for 3DS transactions they did not initiate, which were later validated by fraudsters and approved, resulting in multi-million-dollar fraud losses. Threat actors are purchasing, or compromising, payment accounts and other PII, including e-mail and e-mail password, which allow them to enter a legitimate OTP during checkout. Consumers are also being “phished’ with criminals calling them on the phone pretending to be from their financial institution asking for their personal information. Criminals have gotten so sophisticated that they will do their research to make sure they know who a consumer banks with, and manipulate the caller ID to reflect the name of that bank.
- Enabling data-led authentication to confirm the customer’s identity through behavioral analytics, device data, etc. while providing access to sophisticated, secure authentication methods such as Biometrics.
- Focus on educating consumers about the latest fraud schemes and ways they can proactively protect themselves.
- Protect Acquirer and Merchant web assets (including APIs) from unauthorized use by bots.
Authorization: Throughout the second half of 2020, enumeration, which is the scalable and automated testing of common payment fields via ecommerce transactions to effectively guess the full payment account number, CVV2, and/or expiration date, remained a leading threat to the payments ecosystem. In fourth quarter of 2020, the number of enumerated accounts identified was up 9 perecent quarter-over-quarter, while the CNP fraud associated with the enumerated accounts has remained flat over the same period, implying a low success rate in fraudulent activity on enumerated accounts. Regardless of their low efficiency, these attacks impose significant operational costs on issuers and merchants. For instance, Visa data shows that the approval rate for a merchant that suffers an enumeration attack does not revert to its normal average until 2 months post-attack, resulting in lost legitimate sales.
- Utilizing fraud-detection systems that support device fingerprinting and botnet detection.
- Monitoring the velocity of small and large transactions and using velocity checks for low amounts or authorization-only transactions.
- Providing the ability to link authentication data to the authorization method for smarter decisioning.
- Refining authorization strategies through tailored rules engines and optimized rules strategies.
Dispute Resolution: First party misuse is a significant challenge for the industry, resulting in as much as $50B each year in costsi, and the current economic conditions are exacerbating the trend. So Visa is looking at solutions both in the near- and long-term, by leveraging chargeback management tools to facilitate the greater exchange of data between merchants and issuers as well as evaluating potential rules to curb first party misuse transactions.
- Facilitating greater communication between Issuers and Merchants/Acquirers to help reduce friendly fraud and keep accounts active thereby avoiding dispute processing & management costs.
- Expedited path for dispute resolution and automated, self-service options for clients.
- Workflow-based dispute processing platform and supporting service for clients to achieve improve dispute recovery rates.
Performance Optimization: Lastly, due to the rush to digitization, a majority of firms have not had the time to stand up their own integrated data infrastructures to maximize their insights into consumer behaviour. The shift from cash to digital payments will require business to rethink their risk models across their consumer touchpoints, and rethink how to optimize the delivery of their services through digital channels to deal with the fraud vectors discussed.
- Optimizing performance through peer data benchmarking and data driven insights.
- Developing and implementing security strategies tailored to business objectives and deploying custom developed optimization strategies.
Investment Priorities for Recovery
The acceleration and persistence of new digital behaviors, along with the increasing sophistication of fraudsters targeting vulnerabilities in these digital interactions, have resulted in firms feeling unprepared to deal with the challenges of a rapidly evolving security landscape. Only 35 perecent of firms feel prepared to keep up or stay ahead of emerging risks, despite 74 perecent of firms believing that to be a critically important priority, in a study that we conducted with Forrester on the future of risk management in the digital age.ii
Successfully navigating the post-COVID-19 security landscape requires holistic investment in risk management. Visa recommends focusing resources and future investments in three priority areas.
- People – Holistic risk management requires identification, assessment, mitigation, and risk reporting across all business units. Successful companies need employees who can effectively manage these various risk components. Moreover, we cannot rely solely on technology to solve the risk challenges that come with digital transformation. Careful alignment between business and risk teams is critical for secure growth. For example, Visa is investing heavily in risk managers who partner with clients to help troubleshoot issues and provide a comprehensive suite of benchmarking on fraud, authentication and other risk metrics, including insights on actionable areas of opportunity to maximize legitimate transactions and minimize fraudulent ones. Risk managers also provide support in case of ecosystem data breaches and other adverse events, focusing on quick event response and resolution.
- Processes – The pandemic demonstrated the dynamic nature of the payments ecosystem, with new participants, new form factors, new payment flows, and new threats coming to the forefront. As payment players navigate these threats, their solutions fall into two broad categories: Operational and Next Generation. Operational solutions focus on proven methods of understanding current ecosystem dynamics, performance and known threats. Next Generation solutions focus on capabilities that are at the forefront of existing risk management tools, looking beyond the borders of our current environment into new or unknown threats, and solving for risks that are currently outside our historical payment risk but are expected to be a driving force in the evolution of payment security. Taking a thorough approach focused on both operational and next generation processes can drive real outcomes for enhancing security. For example, through its established processes and programs aimed at protecting clients, Visa has been able to save its clients $3.3B in across 5.1 million fraudulent transactions since the beginning of 2021 through proactive detection and mitigation or blocking without significantly impacting legitimate transactions.
- Capabilities – Capturing risk data across an organization is important, but we must be able to take that data further and turn it into valuable business insight. Better integration of data across the organization and augmenting it with 3rd party data will be key to quickly identifying known problematic trends, as well as monitoring for emerging trends that have high negative impact potential. Adopting more sophisticated analytics capabilities, including leveraging machine learning, will play a critical role in bringing risk insights into broader business discussions. Embedding Artificial Intelligence capabilities into business applications and processes will also drive efficiency and reduce manual error.
The immediate response to the pandemic was focused on maintaining business continuity and mitigating client impact. Now the focus needs to shift towards developing risk strategies that promote payment security and strengthen the trust foundation necessary for long-term recovery and growth. Prioritizing security will determine the success of digital transformation efforts, separating businesses who merely survive this period from those that use it as a foundation for long-term growth and differentiation. Fighting fraud will be more complicated than ever, but with the right approach and the right technologies, payment players can stop threat actors from damaging the ecosystem, maintain trust in digital payments, and provide a great payment experience for customers.
Stay current with the latest payments insights from Visa Navigate North America – subscribe today.
i Mercator Advisory Group, “Merchant Chargebacks Are on the Rise Due to Friendly Fraud,” December 2019.
ii Managing Risk in the Age of Digital Transformation, a commissioned study conducted by Forrester Consulting on behalf of Visa, May 2020.