I am in Vegas and I am fascinated by my room key. This is not the usual "insert into the slot, wait for it turn green or hear it chime" key cards; these are 'tap and hold to a door scanner till the door opens' RFID key card. It is befitting the event I am about to attend – Money2020, the largest of its kind bringing together over 2000 mobile money afficionados, strategists and technologists from the world over for a couple of days to talk about how payment modalities are shifting and the impact of these shifts to existing and emerging players. Away from all the excitement of product launches, I hope some will be talking about one of the major barriers for consumer adoption towards alternate payment modalities such as mobile – security and fraud.
I was in Costa Mesa last week and in the process of buying something for my wife with my Citi card, triggered the Citi fraud alert. My card was declined and I had to use a different card to complete my transaction. As I was walking out, my smartphone registered a text alert from Citi — asking me to confirm that it was actually I who attempted the transaction, and if so, respond by texting 1 – if Yes Or 2 – if No. All good and proper up to this point. If someone had stolen my card or my identity, this would have been enough to stop fraud from re-occurring.
In this scenario the payment instrument and the communication device were separate: my plastic Citi card and my Verizon smartphone. In the next couple of years, these two will converge as my payment instrument and my smartphone will become one. At that point, will Citi continue to send me text alerts asking for confirmation? If, instead of my wallet, my phone was stolen, what good will a text alert to that phone be to prevent the re-occurrence of fraud? Further, if one card was shut down, the thief could move to other cards within the wallet if, just as today, there are no frameworks for fraud warnings to permeate across other cards with in the wallet. Also, fraud liability is about to shift to the merchant with the 2013 EMV Mandate.
In recent years there has been significant innovation in payments, to the extent that we have a number of OTT (Over the Top) players, unencumbered by regulation, who have been able to sidestep existing players, issuers and card networks, in positioning mobile as the next stage in the evolution of payments. Google, Paypal, Square, Isis (a carrier consortium formed by Verizon, T-Mobile and AT&T) and a number of others have competing solutions vying for customer mindshare in this emerging space. But when it comes to security, they all revert to a 4 digit PIN, what I call the proverbial "fig leaf" in security. Here we have a device that offers a real-time context — whether it be temporal, social or geo-spatial — all inherently valuable in determining customer intent and fraud, and yet we feel its adequate to stay with the PIN, a relic as old as the payment rails these newer solutions are attempting to displace.
Imagine what could have been in the previous scenario, where instead of reaching for my card, I reach for my mobile wallet. Upon launching it, the wallet, leveraging the device context, determines that it is thousands of miles away from the customer’s home and should score the fraud risk and appropriately ask the customer to answer one or more "out-of-wallet' questions that must be correctly answered. If the customer fails, or prefers not to, the wallet can suggest alternate ways to authenticate – including IVR. Based on the likelihood of fraud, the challenge/response scenario could include questions about open trade lines or simply the color of her car. Will the customer appreciate this level of proactiveness on the issuer’s part to verify the legality of the transaction? Absolutely. Merchants, who so far has been on the sidelines of the mobile payment euphoria, but for whom fraud is a real issue affecting their bottom-line, will also see the value.
The race to mobile payments has been all about quickly shifting spend from plastic to mobile, and incenting that by enabling smartphones to store and deliver loyalty cards and coupons. The focus need to shift, or to include, how smartphones can be leveraged to address and reduce fraud at the point-of-sale – by bringing together context of the device and a real-time channel for multi-factor authentication.
It’s relevant to talk about Google Wallet (in its revised form) and fraud in this context. Issuers have been up in arms privately and publicly in how Google displaces the issuer from the transaction by inserting itself in the middle and settles with the merchant prior to firing off an authorization request to the issuer on the merchant’s behalf. Issuers are worried that this could wreak havoc with their inbuilt fraud measures as the authorization request will be masked by Google and could potentially result in issuer failing to catch fraudulent transactions. Google has been assuaging issuer’s fears on this front, but has yet to offer something substantial – as it clearly does not intend to revert to where it was prior: having no visibility in to the payment transaction (read my post here). This is clearly shaping up to be an interesting showdown. Will issuers start declining transactions where Google is the merchant of record? And how much more risk is Google willing to take to become the entity in the middle?
Cherian is a Mobile Payments Advisor with Experian Global Consulting. He is also an advisor to ModoPayments. As a mobile payments veteran and founder of Drop Labs, Cherian has worked with leading banks, retailers, mobile platform providers and startups in this space. Opinions expressed here are strictly his own, not that of Experian.