Banks and merchants absorb billions of dollars in payment card fraud annually, but it’s not for a lack of tools designed to stifle that fraud. It’s becoming increasingly apparent that those tools simply aren’t being used to their fullest capabilities.
The arsenal of fraud prevention measures continues to grow, including EMV chip cards, dynamic CVV codes, 3-D Secure for e-commerce, biometric authentication, and artificial intelligence and machine learning for all types of payment and money transfer situations.
Most recently, the Secure Remote Commerce project has taken aim at guest checkouts, which is being implemented as a universal buy button that replaces the need to type in account numbers for guest checkouts. And more widely, the General Data Protection Regulation in Europe reminds everyone that some of the tricks of the payments trade, particularly encryption and tokenization processes, can go a long way toward making things more difficult for a fraudster.
Many of these fraud prevention tools are still developing and being adopted, and they require an effort on the part of card networks, acquirers, security vendors and banks to educate customers about how they work and why they should be used. And in many cases, they call for a change in consumer habits.
Education vs. exhaustion
“If you sit down with someone and explain these measures, there would be a better chance for adoption,” said Patrick Davie, vice president of risk management and card services solutions at Fiserv. “But the problem is, there are so many issuers and so many consumers and so many cards on the market that to get anyone to pay attention to changing their behavior is a real challenge.”
That, in part, explains why merchants have been so reluctant to deploy 3-D Secure 2.0 as an e-commerce security measure provided through the card networks. Merchants can’t get over the earliest edition of 3-D Secure — which was implemented widely as an extra password prompt during checkout — that caused so much friction resulting in either false positives or cart abandonment. Even though 3-D Secure 2.0 addressed that pain point, merchants also shy away from the costs of incorporating the fraud protection measure.
Fiserv estimates that less than one half of one percent of all e-commerce transactions are moving through 3-D Secure.
“We need to continue to advance in the fundamentals of fraud prevention with the tools we have had for years and years,” Davie said. “We have to get better and smarter in the use and application of them.”
It’s a frustrating environment for those who either provide the security tools or research the trends as fraudsters themselves seem to have no problem deploying new technology and putting it into widespread use against any number of sectors above and beyond payments and financial services.
Not using tools to fullest
Those in the payments industry know that security tools have advanced in such a way that, given a chance to operate to the fullest, they can create safety measures that weren’t available just a few years ago.
The lack of adoption of modern tools “makes me kind of mad, but it really comes down to a question of bandwidth,” said Avivah Litan, a vice president and distinguished analyst at Gartner Inc., a Stamford, Conn.-based market research company. “If a company has only one person to oversee the fraud operation, they don’t really think too much about the latest and greatest features.”
Merchants lacking manpower might also be reluctant to spend the money to have an outside vendor not only manage a fraud prevention system, but also handle its day-to-day operations, Litan said.
“The result is that a business may have a fraud system, but they don’t have a lot of the features turned on,” she added. “They would just be lax about that.”
Generally, the larger banks and merchants have the top fraud prevention tools, rules and ongoing monitoring in place. The smaller and midsize operations likely do not.
And the payments industry isn’t as bad off as some others, Litan said.
“When you think of some areas of fraud, they are much worse off than in payments,” Litan added. “When the victim is the consumer, and not the bank or the merchant, those are areas that are neglected the most, like identity fraud, health care fraud and voting fraud.”
Fear of false declines
While the push for advanced fraud protection continues, many security providers are also seeking ways to minimize the false declines that come about in the interests of protection. False declines represent a troubling trend in which associated lost revenue climbs to hundreds of billions of dollars annually.
Fiserv’s Risk Office has reported the lost revenue from false declines grew from $235 billion in 2015 to $331 billion in 2018. Losses from card fraud were $7.5 billion in 2015, compared with $9.1 billion in 2018.
“There are very sophisticated techniques through machine learning to drive down false declines,” Davie said.
Fiserv plans to launch a new False Decline Defense tool this year that may “increase fraud a little, but still in acceptable tolerance ranges” while addressing a problem that has plagued the market for a long time, he said.
It’s not likely the payments industry, or any others, will see a government-mandated change that would force security adoption beyond what the card networks already seek to do with liability shifts tied into EMV acceptance. In the same vein, it also seems highly unlikely that U.S. consumers would suddenly be forced to accept more of the liability when things go bad with their payment cards.
“The technology is there that allows consumers to get more engaged in fraud control through notifications and alerts,” Davie said. “More solutions like this will come, and the banks and credit unions have to convince their customers that we are in this together.”
If anything, card issuers are likely to develop more incentives for consumers to use available fraud control tools, Davie added. “I see it as much more carrot-based, rather than imposing penalties for not participating.”
Proving the cost benefits
Ultimately, it may come down to a fuller understanding of what all stakeholders can do to help decrease fraud and false decline losses — and understand the potential cost benefits.
“I’d argue there are more than enough tools to mitigate fraud of any type,” said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research. “That said, it is not always cost-effective for a financial institution, issuer, network or merchant to make those investments.”
Establishing fraud prevention measures is “all about incentives, risk and perceived responsibility,” Pascual added. “Establishing return on investment is one of the biggest challenges facing anyone in a fraud leadership position, and the worst part is that many organizations don’t accurately measure fraud.”
That means when company leaders and security teams or individuals are forming a strategy, “they cannot adequately establish the true cost-benefit of their decisions,” Pascual said.