Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

August 03, 2015


Friendly Fraud: Nothing to Smile About (Part 2)

Last week's post discussed the increasing frequency of friendly fraud and the problems it presents for e-commerce merchants. A transaction that could be classified as friendly fraud might actually be one the customer just forget about, or one involving a family member using the customer's card without permission, or one with the customer actually not receiving the goods. So the merchant really can't just assume the customer is out to commit fraud and take an aggressive approach in dealing with the customer. The merchant would probably then have lost the customer's business altogether. But with the burden of proof on the merchant, the merchant must adopt a number of best practices to help minimize losses.

A company that works with merchants to both prevent chargeback disputes and respond to them has published a detailed guide (the site requires e-mail registration for access to the guide) to help merchants deal with friendly fraud. The following list includes some of the guide's best practices:

  • Promote a clear and fair refund policy that encourages customers to contact the merchant directly instead of the card issuer.
  • Make sure that the name of the business is on all billing statements—clearly, to avoid confusion.
  • Ensure that the customer communication channels—such as a call center or e-mail—are accessible.
  • Be responsive to customer inquiries.
  • Clearly communicate shipping charges and delivery timeframes to avoid misunderstandings about the total cost or delivery date of orders.
  • Always obtain the card security code and use address validation services. For larger-value purchases, consider the use of delivery confirmation and other validation services.
  • With digital goods or services, consider using a secondary verification tool—an activation code or purchase confirmation page—to ascertain that the customer received the goods.
  • When there is a chargeback, make every effort to contact the customer directly to attempt to resolve the matter. While the contact may not resolve this particular situation, it may offer a lesson that might help prevent future chargebacks from other customers.
  • Keep a database of customers who initiate chargebacks that appear fraudulent. Research shows that customers who deliberately defraud merchants and succeed at it are very likely to do it again.

As with all efforts to fight payments fraud, merchants must study their own customer base. They should identify their particular risks and then employ the practices that will help them best mitigate their fraud losses.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 3, 2015 in cards, fraud | Permalink | Comments (0)

July 27, 2015


Friendly Fraud: Nothing to Smile About (Part 1)

Friendly fraud (also referred to as chargeback fraud or first-party fraud) occurs when someone makes an online purchase then later requests a chargeback from the bank. The person has received the goods or services, but claims they were defective or the transaction never authorized. Sometimes this happens because of buyer's remorse—the customer just doesn't want to have to explain his or her regret to the merchant, preferring to initiate a chargeback and let the bank resolve it with the merchant. Sometimes the buyer's remorse comes from a child making purchases, particularly digital goods, using the parent's card, or when a merchant's refund time limit has passed but the cardholder still wants to be reimbursed.

While there certainly can be legitimate disputes, friendly fraud is becoming a growing problem for e-commerce merchants. Not only are the merchants out the cost of the goods or services, but they also incur administrative costs and fees from the card-issuing bank. Companies selling digital goods, office supplies, or electronics—as well as auction sites—seem to be the most frequent targets of friendly fraud, but other types of businesses can also be affected.

One of the main difficulties merchants experience in combating this fraud is predicting or recognizing when it first occurs, since it often occurs on the account of a "good" customer. And with these remote purchases, the merchant is at a disadvantage in determining if a legitimate cardholder made the purchase or the goods were actually received by the cardholder.

Because the burden of proof is on the merchant, the merchant community has started to implement a number of tactics to help reduce this increasing problem. In our next installment on this topic, we will discuss some of those tactics.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 27, 2015 in cards, fraud | Permalink | Comments (0)

July 20, 2015


Unsafe at Any Speed?

If you're a Corvair enthusiast, you likely get the title's reference to Ralph Nader's book that polemically accused manufacturers of resistance to the advancement of automotive safety. Shift your thoughts from automobiles, axles, and bumpers to payments, cyberattacks and data breaches. Then consider this question—if we successfully speed up payments, is payment safety more likely to advance or retreat?

I hear the question often. Since I first blogged about this topic in January, I've attended several conferences set in the context of building a better, faster, more efficient payments system. If the conversation hasn't gone straight to "safety," the topic has surely been broached before closing. The answers that presenters offer, in terms of how we make payments more secure, remain unchanged from earlier this year. The updated summary follows.

  • Innovate. Make full use of such things as biometrics and tokenization. Do not fear but rather make use of the best things coming from the cryptocurrency world.
  • Collaborate and coordinate. Share everything, taking full advantage of groups of all types to facilitate deployment and spread of best practices, among other things.
  • Prevent and plan. In a continuous and ever-improving activity, make use of such things as enhanced threat detection and continue to layer security measures. Also, educate fully, across the spectrum of both providers and users.
  • Track and report. We must do more of this in a frank, transparent way and it must be timelier.

Emphasizing and pursuing all these goals is still right in my view, yet something seems missing. I believe what's missing is a more expansive, easily accessible law enforcement regime—something that more closely parallels what's available for conventional crime fighting.

There has been good news, of late, in that various law enforcement agencies have both apprehended and successfully prosecuted cybercriminals of all sorts. What's important about this is, as law enforcement has more success, there is hope that miscreants will have an increasing expectation of getting caught. Let's assume a drop in crime rates is highly correlated to the likelihood or certainty of being caught. Self-test the theory by thinking of it this way. How often do you exceed the speed limit (answer silently to yourself). Now consider—how often do you speed when a patrol car is in the lane right next to you? It's imperative that law enforcement continue to evolve and improve such that the criminals who contemplate cybercrime increasingly anticipate they'll be caught.

The cliché that faster payments will mean faster fraud if we don't have faster security is somewhat beside the point. The fact is cybercrime has been and remains a material and looming threat. The world is all but fully a digital one and that means our police have to be able to put more—and more effective—digital patrol cars on the digital highway. Until then, to varying extents, payments are likely to be unsafe—at any speed.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

July 20, 2015 in crime, cybercrime, innovation, law enforcement, payments risk | Permalink | Comments (0)

July 13, 2015


Biometrics and Privacy, or Locking Down the Super-Secret Control Room

Consumer privacy has been a topic of concern for many years now, and Take on Payments has contributed its share to the discussions. Rewinding to a post from November 2013, you'll see the focus then was on how robust data collection could affect a consumer's privacy. While biometrics technology—such as fingerprint, voice, and facial recognition for authenticating consumers—is still in a nascent stage, its emergence has begun to take more and more of the spotlight in these consumer privacy conversations. We have all seen the movie and television crime shows that depict one person's fingerprints being planted at the crime scene or severed fingers or lifelike masks being used to fool an access-control system into granting an imposter access to the super-secret control room.

Setting aside the Hollywood dramatics, there certainly are valid privacy concerns about the capture and use of someone's biometric features. The banking industry has a responsibility to educate consumers about how the technology works and how it will be used in providing an enhanced security environment for their financial transaction activities. Understanding how their personal information will be protected will help consumers be likelier to accept it.

As I outlined in a recent working paper, "Improving Customer Authentication," a financial institution should provide the following information about the biometric technology they are looking to employ for their various applications:

  • Template versus image. A system collecting the biometric data elements and processing it through a complex mathematical algorithm creates a mathematical score called a template. The use of a template-based system provides greater privacy than a process that captures an image of the biometric feature and overlays it to the original image captured at enrollment. Image-based systems provide the potential that the biometric elements could be reproduced and used in an unauthorized manner.
  • Open versus closed. In a closed system, the biometric template will not be used for any other purpose than what is stated and will not be shared with any other party without the consumer's prior permission. An open system is one that allows the template to be shared among other groups (including law enforcement) and provides less privacy.
  • User versus institutional ownership. Currently, systems that give the user control and ownership of the biometric data are rare. Without user ownership, it is important to have a complete disclosure and agreement as to how the data can be used and whether the user can request that the template and other information be removed.
  • Retention. Will a user's biometric data be retained indefinitely, or will it be deleted after a certain amount of time or upon a certain event, such as when the user closes the account? Providing this information may soften a consumer's concerns about the data being kept by the financial institution long after the consumer sees no purpose for it.
  • Device versus central database storage. Storing biometric data securely on a device such as a mobile phone provides greater privacy than cloud-based storage system. Of course, the user should use strong security, including setting strong passwords and making sure the phone locks after a period of inactivity.

The more the consumer understands the whys and hows of biometrics authentication technology, I believe the greater their willingness to adopt such technology. Do you agree?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 13, 2015 in biometrics, consumer protection, data security, privacy | Permalink | Comments (0)

Google Search



Recent Posts


August 2015


Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          

Archives


Categories


Powered by TypePad