The Green Sheet, Inc


Tuesday, June 19, 2018

Collaborations reduce chargebacks, study finds

A Javelin Strategy & Research study, underwritten by Verifi and published in May 2018, cites communication gaps as a leading cause of disputes and chargebacks. The 36-page report, titled The Chargeback Triangle, examines chargeback costs and impacts while demonstrating how to prevent chargebacks by resolving open issues.

In 2017, chargeback volumes reached $31 billion, including $19 billion in merchant losses and $12 billion in issuer losses, researchers found. Matthew Katz, CEO at Verifi, said improved collaboration among industry stakeholders would dramatically reduce these numbers.

"The report clearly indicates that collaboration between issuers, merchants and consumers is critical to resolve disputes effectively and avoid the direct and extended costs that chargebacks and consumer-initiated 'friendly fraud' cause for merchants and issuers alike," he stated. "In the end, the consumer pays the price in the form of higher purchase prices, as well."

In an interview with The Green Sheet, Katz called for industrywide changes in risk mitigation and chargeback management. "When you consider the sheer size of the card brands and major card issuers like Capital One and Wells Fargo, it's hard for enterprises that are so large with so much investment in technology to keep up with the times," he said. "We rely on each other to make changes across the board ‒ from cardholders all the way through to the merchant."

Sunk costs, attrition

Researchers found the costs of managing the chargeback process frequently exceed the value of a disputed product or service. "For every dollar in disputed transactions, an additional $1.50 is spent [by merchants and issuers] on fees, management expenses ‒ including technology and outsourcing ‒ and personnel," they wrote.

Following are additional report highlights:

Card brand mandates

The report references the Visa Claim Resolution (VCR) process, a newly launched initiative by Visa designed to simplify disputes. Katz expects banks to make additional investments in the program. "The benefit of being a card brand is having the ability to mandate a change," he said. "Visa set an effective date of April 14, 2018, for VCR, and Mastercard will be introducing a similar program in the near term. There has been a learning curve in the two months following VCR's effective date in terms of what works, what doesn't and how to improve."

Katz said at first glance, VCR may appear to oversimplify chargebacks, but it hasn't done away with former reason codes. Instead, it aggregates 22 original reason codes into 20 categories, which are then organized into four distinct themes, he noted. This is meant to bring clarity to the chargeback system, while maintaining a consistent experience across all channels.

"In retail, the buying experience is consistent across all channels, whether you are buying a shirt in a store, online or by using a mobile app," Katz said. "What is different are the risks involved in each channel and how merchants, acquirers and issuers monitor and view these risks. These channels are predicated on the same concept of buying a shirt."

Differentiate CNP merchants

Noting that most card not present (CNP) merchants are held accountable to the same risk thresholds, Katz said he would like to see more differentiation across CNP channels. "Internet, mobile, retail and IoT [Internet of Things] commerce need to be viewed differently by the card brands and monitored differently than they are now," he said. "The card brands need to set lower risk tolerances in channels that have a higher propensity for risk."

The IoT is a uniquely different CNP channel, Katz said, because unlike retail, online and mobile transactions, where consumers can make additional impulse purchases, the IoT facilitates targeted micro transactions. "The proliferation of commerce-enabled appliances raises the potential for curious children and inattentive consumers to inadvertently place orders," he said. "We may have to monitor our phones, appliances and wearables with the same vigilance as we currently monitor our networks and primary connected devices and networks."

Srii Srinivasan, CEO at Dallas-based Chargeback Gurus Inc., said CNP merchants that offer stellar customer service and lenient refund policies generally have reduced chargeback volumes. She recommended the following additional CNP best practices:

Pan-European digital bank to launch
Monday, June 18, 2018

Alior Bank developed a new digital platform with the intent to establish a bank that bundles best-in-class financial services from different fintechs and financial institutions. Four distinct enterprises have now joined forces to create such a bank. Set to launch in the fourth quarter of 2018, the pan-European digital bank is a collaboration between Alior Bank, solarisBank, Mastercard and Raisin.

Alior Bank stated it will deliver multicurrency accounts with international transfers and deposits; solarisBank will add the banking infrastructure with its technological, compliance and regulatory framework; Raisin, through its network of partner banks and more than 100,000 customers, is adding various savings and investment possibilities to the offering; and Mastercard’s Benefit Optimization program will be used to offer additional value-added services to customers.

Leveraging open banking

The open API platform will leverage the opportunities of EU directive PSD2 and open banking, Alior Bank added.

"Thanks to this platform, customers will be able to access the best of each collaborator's offer in a fast and efficient way," said Daniel Daszkiewicz, Head of FinTech at Alior Bank. "For example, a customer in Germany, while opening an account with solarisBank, will instantaneously gain access to a multicurrency account with Alior Bank and to Raisin's savings products. Thanks to the cooperation with Mastercard on the other hand, customers will be able to buy additional value-added services that will facilitate clients' global lifestyles. This is our first cross-border collaboration to this extent, and it is a very challenging project at the same time, because it puts a bank in a totally new position."

“The new platform – for which solarisBank will provide the infrastructure for accounts and transactions – is an exciting step to build a digital, financial ecosystem for Europe," said Marko Wenthin, co-founder and CCO at solarisBank. "Moreover, this partnership with such an innovative financial institution proves to us the success of our banking-as-a-platform approach.”

The product will be available for all EU residents with a focus on the German market during the first phase of the project, the partners stated. For further details as they develop, visit

Dixons Carphone under fire for slow reporting of data breach
Friday, June 15, 2018

BBC News confirmed reports of a second major data breach at Dixons Carphone PLC, a publicly held British electronics retailer that operates as Currys PC World and Dixons Travel. The company reportedly found anomalies in its POS network in July 2017 but took nearly a year to disclose the malicious activity. In a June 13, 2018, statement, Dixons Carphone revealed the attack may have compromised 5.9 million credit and debit cards and more than 1 million consumer accounts. Security analysts criticized the delayed disclosure and failure to protect critical infrastructure after suffering an earlier attack in 2015. Lee Munson, security researcher at Comparitech Ltd., said the Dixons Carphone breach highlights how commonplace massive data breaches have become. "What is worrying here is the delay between the breach occurring last year and the disclosure today," he said. "Thankfully, under GDPR, non-disclosure for business reasons is no longer possible as the ICO [the Information Commissioner's Office] must be informed within 72 hours whenever possible."

Munson said he expects the incident to impact Dixons Carphone share prices throughout the remediation process and suggested even a short-term dip could be fatal to the retailer. "Of more concern is the effect this could have on the chain's customers, millions of whom have had their personal or payment card information leaked," he added.

Admit culpability

Munson and other security analysts have criticized Dixons Carphone for underplaying the incident's severity by saying it found "no evidence of fraudulent payments being made with the stolen cards." Tom Miller, senior vice president at Virsec, called the statement a "disturbing refrain we hear over and over." If they were blind to the breach, not seeing evidence is hardly reassuring, he noted.

"Also disturbing is the comment that 'There is no connection to the previous incident' [the 2015 breach of Carphone Warehouse]," Miller said. "Of course there's a connection – the same organization got breached, fined, didn't take adequate steps to change security, and got breached again."

Michael Magrath, director of global regulations and standards at OneSpan Inc., noted the European Union's data protection legislation, such as the GDPR, will impose heavy fines on organizations with lax data security protocols. "Organizations relying on a single shared secret to protect sensitive personal identifiable information has been very lucrative ‒ for hackers," he said. "While no security solution is 100 percent secure, in 2018 organizations not deploying risk-based authentication solutions are hoping they can dance between the raindrops when it comes to security."

Miller expressed hope the newly enforced GDPR will raise the bar for accountability but said it will take more than harsh penalties to stop data breaches. Businesses need to start "seriously rethinking how they secure sensitive customer data," he said.

Improve protections

Magrath stressed the need for organizations to adopt "multiple, layered authentication technologies," by combining PINs and passwords with biometrics and "analyzing context based on location and device characteristics."

Robert Capps, vice president of business development, NuData Security, a Mastercard company, said bad actors exploit the smallest security gaps to steal customer data. "As we all know, credit card information, combined with other user data from other breaches and social media, can build a complete profile," he said. "In the hands of fraudsters and criminals, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the internet and in the physical world."

Capps said advanced techniques and technologies can protect consumers. "Multilayered technology that thwarts fraud exists right now," he stated. "Passive biometrics and behavioral analytics technology are making stolen data valueless by verifying users based on their inherent behavior instead of relying on their data, such as credit card information. This makes it impossible for bad actors to use stolen data, as they can't replicate the customer's inherent behavior attached to that data."

Apple Pay, Google Pay lose ground at stores
Thursday, June 14, 2018

According to an annual survey of merchants, two major mobile wallet providers lost traction over the past year. Merchants accepting Apple Pay slipped from 48 percent to 35 percent in 2018, while Google Pay dropped from 38 percent to 25 percent year-over-year. Support for PayPal, however, surged from 48 percent to 64 percent. Looking at the overall picture, mobile wallet support grew from 22 percent to 29 percent.

Pain points cited by merchants in the 2018 Mobile Payments & Fraud Survey, conducted by Kount Inc. and The Fraud Practice, included maintaining ease of use for consumers, named by 60 percent of those surveyed. The ability to detect fraudulent order attempts was a challenge for 52 percent. Even with these challenges, nearly one-third of merchants were optimistic that the mobile channel will represent at least half their total revenue by 2020.

Support across the board was up for near field communication at the POS, which grew from 29 percent to 37 percent year-over-year. Twenty-six percent of merchants surveyed indicated they plan to increase or add support for social commerce through social media channels.

The survey also found that while merchant awareness of mobile fraud risks continues to improve, the percentage of merchants that track mobile fraud to understand fraud attempt patterns remains relatively low, representing 35 percent of merchants surveyed.

"For the third consecutive year, merchants are showing signs of complacency and even regression in terms of managing mobile fraud risk," said Don Bush, Vice President of Marketing at Kount.

Merchant perceptions may be driving mobile risk tolerance to some degree. About half of those surveyed viewed traditional ecommerce via desktop browsers as their highest risk channel, compared with mobile web browser transactions (21 percent) and mobile app payments (18 percent). Overall, 38 percent viewed the mobile channel as high risk.

Mobile fraud cannot be ignored

Merchant pullback in mobile fraud monitoring comes at an inauspicious time, since more than 75 percent of financial institution, lender, and food and beverage businesses surveyed have noted increases in mobile channel fraud attempts over the last year.

"Despite the increase in mobile fraud and the evolution of tactics carried out by criminals to commit fraud in this channel, the number of merchants implementing specialized tools has decreased, demonstrating that merchants struggle to properly address fraud in the mobile channel including both apps and mobile browsers," Bush said.

Less than 20 percent of those surveyed have adopted artificial intelligence/machine learning, considered one of the most effective fraud detection tools available. The risk management tools most often used for detecting mobile channel fraud were card verification value check (62 percent), fraud scoring (43 percent), and address verification services (39 percent). Over 83 percent use two or more fraud prevention tools or techniques.

Both companies involved in the survey recommend a dedicated fraud strategy for the mobile channel to coincide with other channels. "Although mobile fraud attempts increased for 60 percent of merchants last year, just 17 percent employ a separate risk management strategy for the mobile channel," said Justin McDonald, Senior Risk Management Consultant at The Fraud Practice.

An area where progress is being made is the ability to detect transactions from mobile devices separately from other channels, which over the past five years, has grown from 16 percent to 46 percent among the merchants surveyed. The survey also found that 52 percent of merchants can tell which mobile operating system is in use.

As to which merchant categories are expected to lead in mobile payment acceptance, merchants selling jewelry (71 percent), electronics and computers (63 percent), health/beauty products (63 percent), and apparel or accessories (56 percent) were the categories most likely to consider the mobile channel very important to their overall strategies in the coming years.

Encryption debated in Washington
Tuesday, June 12, 2018

Security experts are debating the Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act, proposed legislation to create a uniform national encryption policy. Introduced June 7, 2018, by Reps. Ted Lieu, D-Calif., Mike Bishop, R-Mich., Suzan DelBene, D-Wash., and Jim Jordan, R-Ohio, the bill would enable federal agents to access “back doors” into encrypted data. It would also prevent individual states from enacting separate data access policies. ENCRYPT Act supporters call it a necessary protection against counterterrorism; opponents argue it gives too much power to federal law enforcement.

Rep. Lieu believes the bill has received bipartisan support because it addresses conflicting encryption standards for interstate commerce, economic security and cybersecurity. “I can tell you that having 50 different mandatory state-level encryption standards is bad for security, consumers, innovation, and ultimately law enforcement,” he stated. “Encryption exists to protect us from bad actors and can’t be weakened without also putting every American in harm’s way.”

Morgan Reed, president of the App Association, added, “On behalf of app developers and tech innovators across the country and around the world, we can attest to the value of encryption technologies to protect data and prevent crimes. The ENCRYPT Act is a necessary step to ensure Americans can use encrypted technologies to protect themselves and their data, regardless of where they live.”

Reed further noted that encryption protects data from criminal access, but the current patchwork of conflicting state policies creates known vulnerabilities that criminals can exploit. “This legislation establishes national guidelines for the interstate use of encrypted technology and protects the data that drives our local economies and the app economy at large,” he said.

Assigning backdoor keys

Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, is concerned by the ENCRYPT Act’s potential to force technology companies to implement security backdoors. “Undoubtedly any backdoor that is introduced will be available to both law enforcement and bad actors alike, collectively making us less secure,” he said.

Anthony James, chief marketing officer at CipherCloud, also voiced concerns about granting federal law enforcement unilateral access to civilians’ encrypted data. “Despite the noble objective of nationally standardized encryption in support of law enforcement and counter-terrorist activity, the use by government of forced disclosure, whether at the state level or the federal level, can move the control of your data into someone else’s hands,” he said. “‘Back doors,’ or special APIs that access your data at various points of being used within applications, can also easily circumvent basic protection such as ‘at rest’ encryption for your databases.”

James said the only way civilians can maintain control over their confidential data is to implement Zero Trust end-to-end encryption. This level of protection would not allow anyone to use a backdoor into a third-party-provided cloud application to access data without a user’s explicit knowledge and approval, he noted, adding that only “your decision to deliver your data encryption keys to the requesting party will expose the data.”

Details, questions remain

Ruston Miles, chief strategy officer, executive vice president and founder of Bluefin, pointed out that the PCI Security Standard Council's P2PE solution protects merchants and cardholders by encrypting card data immediately upon entry. "Around the world, a growing number of merchants, from multinational enterprises to local businesses, are using PCI point-to-point encryption to protect their customers’ cardholder data,” he said.

Miles observed that more than 1,600 data breaches were reported in 2017, and nearly all involved transmitting and processing unencrypted payment card data. Additional incidents went unreported or undiscovered, he said. He described the ENCRYPT Act as a well-intentioned effort to create a national security policy but suggested that numerous details will have to be solved during implementation.

Willy Leichter, vice president of marketing at Virsec, said having a standardized national encryption policy seems like a positive move, but it falls short of solving the basic collision of interests around encryption. “Law enforcement wants broader access, while privacy experts (and most of the security industry) don’t want to neuter the effectiveness of encryption,” he said. “This group seems to understand that encryption is a fundamental building block of most digital business, and weakening it, for whatever reasons, can be disastrous.”
