Card payment fraud on online transactions generates significant hidden costs, so merchants need to define a clear strategy to maximize sales while keeping fraud under control, says Gabriel Lucas, associate director at Redbridge.
While they are the preferred method of payment for European consumers, cards also involve the biggest challenges when it comes to security and fraud, especially when they are used for e-commerce transactions. In a 2018 report, the European Central Bank highlighted that 70% of total credit card fraud originated from remote payments (Card Not Present – CNP transactions)*.
There have been considerable efforts made over the years to make payments more secure, with issuers, retailers and businesses deploying cardholder authentication solutions such as 3D-Secure, as well as risk analysis and transaction scoring tools. These have paid off to a certain extent, but the fraud rate for online transactions is still 17 times higher than for face-to-face payments**. In July, Signifyd reported on changing purchasing habits in Europe, pointing to an increase in online sales since March that continued even after the lockdown ended. In fact, online sales are up 32% compared to the same period in 2019***.
In a bid to reduce fraud on online payments, the second Payment Services Directive (PSD2) will enforce Strong Customer Authentication (SCA) by default for all CNP payments after 31st December 2020 in the EEA, 31st March in France and 14th September in the UK and Switzerland. The issuing bank now has the last word on the application of exemptions, whereas previously the triggering of 3D-Secure authentication depended solely on the merchant and its acquiring bank. To streamline the customer experience, the directive will allow merchants to request exemptions from SCA when certain criteria are met. It is therefore essential for merchants to analyze the risk of each transaction effectively and to send the issuing bank sufficient data for it to accept the exemptions. Meanwhile, mobile payments require special attention in the anti-fraud strategy. It is important that payments be made in native applications (software completely integrated with mobile operating systems) to minimize security breaches and to make the most of these devices’ data collection capabilities to optimize fraud management.
The main types of payment fraud
There are three main types of fraud linked to card payments: criminal fraud, social engineering fraud and fraud resulting from dishonest consumer behavior (commonly referred to as “friendly fraud”).
Criminal fraud involves using computers to retrieve card data for future use or to access a customer’s account in order to give the merchant the impression that a purchase is legitimate. Social engineering fraud involves enticing victims to disclose confidential information and part with their money. Friendly fraud is more difficult to analyze, because this category encompasses several different situations: customer error, chargeback abuse, merchant error, excessive repayment time, or sharing a single card (for example within a family or business circle). According to the European Central Bank, friendly fraud involves amounts twice as large as social engineering fraud and four times as large as criminal fraud.
Fraud is a major source of hidden costs
Some of the direct costs of fraud include loss of merchandise, unpaid receivables costs, the cost of delivering goods, credit card network penalties, higher processing and acquisition costs, operating costs, and the risk of service termination in the event of excessive rates of disputes, based on the thresholds set by card networks.
But fraud also involves many indirect costs that are often less obvious and can have a significant impact on a company’s results. These include the time spent on fraud analysis or on overcoming challenges linked to unpaid receivables, losses related to false positives (legitimate customers blocked by anti-fraud rules), losses resulting from anti-fraud rules that are too strict and the loss of existing customers when the payment path is too complicated.
Defining an anti-fraud strategy
The acquisition of new customers and the retention of existing customers are key issues for any company, justifying the allocation of a significant budget to these issues. On the other hand, less attention is generally paid to the conversion of payments and to analyzing the reasons for refusal.
Many studies conducted by payment service providers (PSPs) have shown that more than one in five customers who experience a refused payment are legitimate customers with enough money in their account to settle the transaction. And of those customers who have been refused (false positives) more than one in two leave for the competition.
This means that implementing an anti-fraud strategy that provides a smooth experience is a priority for all merchants. Defining this strategy requires thorough analysis of the different stages of the customer journey. Some of the most important considerations include reducing the time required to make the payment, reducing the number of clicks, automatically verifying the data entered in order to reduce errors and proposing a means of payment based on the location of the customer.
A key feature in optimizing the client experience is tokenization, by which we mean recording card information after making a payment with the 3D-Secure authentication system, so that the customer no longer has to re-enter their payment information for subsequent purchases. Classic tokenization, known as “PCI tokenization” (after PCI-DSS, the Payment Card Industry Data Security Standard), is managed at the PSP level. But it has two limitations: the CVV (Card Verification Value) must be entered for each payment in order for the merchant to obtain the liability shift, and the card data must be updated in the event of expiration or loss.
In order to overcome these limitations, Visa and Mastercard have developed “network tokenization”, which involves registering the credit card token directly at the scheme level. This enhances security and offers a smooth payment path, free of the barriers that traditional tokenization processes involve. According to Visa, network tokenization improves the acceptance rate (the proportion of successful payments out of the total of attempts) by an average of 300 basis points. This is not a negligible amount.
It is also important to propose alternatives to the consumer in the event of payment failure in order to maximize the chances of them finalizing their payment. These could include providing other means of payment, the option to pay in several installments, or face-to-face payment. The implementation of payment solutions based on SCT Inst could greatly contribute to this objective thanks to the instantaneous and binding nature of this payment method.
Last but not least, fraud management is key when defining a revenue-maximization strategy. It can be summarized in three main areas: preventing fraudulent transactions by blocking them before they are approved, identifying risky transactions before the issuing bank considers them as chargebacks, and representing and winning as many disputes as possible, with effective procedures and tools that automate most of the tasks.
Gabriel Lucas
* Fifth report on card fraud, September 2018, European Central Bank
** Annual Report of the French Observatory for the Security of Payment Means – Fiscal Year 2018, Banque de France
*** Ecommerce continues to be a bright spot for retailers across Europe, July 01, 2020, Signifyd Blog