Fraud patterns are evolving quickly since the coronavirus outbreak. However, the recent introduction of PSD2 and Strong Customer Authentication has meant that the liability changes from merchant to customer for fraudulent transactions and the new payment rules are benefitting businesses in a volatile retail market.
Payment fraud losses have been steadily increasing over the last decade, causing headaches for all of those in the chain including customers, merchants and banks. UK Finance reported that Fraud losses on UK-issued cards totalled £671.4 million in 2018,[i] a 19% increase from £565.4 million in 2017.
The Covid-19 pandemic has also changed the landscape. According to Experian’s Global Insights Report[ii], consumers are engaging with businesses online more than ever before. The study found there has been a 20% increase overall in consumer online transaction activities, including 41% in online grocery shopping and 22% for both ordering food online for delivery or takeout. Merchants that previously only had bricks and mortar locations are now accepting e-commerce and over-the-phone transactions, which means keeping customers’ payment data secure has become a priority.
In addition, the sharp rise in home-working as a result of the government’s coronavirus measures has meant that organisations that deal with payments by credit/debit card have had to review their compliance with Payment Card Industry Data Security Standards (PCI DSS). The PCI council has published updated guidance[iii], to help organisations with remote workers maintain security practices and protect payment card data. From avoiding writing payment details down, to using strong passwords and encryption and secure remote access, the guidelines have been designed to help merchants understand the vulnerabilities and mitigate risks associated with these card-not-present transaction types.
Protecting the customer
Even before the pandemic the focus has always been on protecting the consumer, such that if a fraudulent transaction is reported, the amount stolen is credited back to the customer. In the case of mail order/telephone order (MOTO), it is the merchant’s responsibility to prove that the customer made the transaction. Often this requires tracking back through call histories, recordings and notes made by the agent in the contact centre. With homeworking this potentially presents even more of a challenge – processes and systems need to be clearly in place to ensure customer data is securely managed and stored.
The truth about chargebacks
Research from payment specialists Verifi[iv] has shown that up to 86% of cardholders contact their banks directly when they don’t recognise a charge on their credit or debit card statement and request the transaction be reversed. Merchants are hit with the cost of each challenged transaction, as well as the fines, fees and related operational expenses, and the long-term damage to customer relations.
The payment landscape is changing – Strong Customer Authentication
As a result of the coronavirus outbreak, cybercriminals moved quickly to take advantage of rapid changes to the new payment card data environments, with a 475% increase in malicious reports related to Coronavirus in March 2020[v]. The good news is that the finance industry which is constantly looking to tackle fraud, had introduced Strong Customer Authentication (SCA) legislation in September 2019.
SCA not only protects the customer, it promises benefits for merchants. Part of PSD2 (the EU regulation introduced to provide protection for consumers), SCA adds an extra layer of security for when customers make a payment online. Customers can no longer checkout online using just their credit or debit card details, they also need to provide an additional form of identification. Only when the payer can provide two forms of authentication i.e. a password and a code from a mobile device, are they allowed to complete their payment.
In the case of a fraudulent transaction, the liability has now transferred from the merchant to the card holder to prove the purchase didn’t take place. Ultimately the money is being safeguarded from fraudsters without the merchant having to take on the debt or chargeback, while the financial transaction is being investigated.
New challenges bring fresh opportunities
Of course, introducing new systems to ensure compliance comes at a cost. Regulations, such as GDPR and PCI DSS that impose penalties for non-adherence already place a heavy burden on merchants and payment services providers.
However, there are technologies available that can help to address these compliance issues in cost effective ways. By choosing these options, and partnering with a trusted PCI-DSS compliant payment service provider, merchants can achieve the necessary requirements to ensure that they meet new payment regulations.
Switching to mobile and online payments smooths the way
Implementing technology that enables mobile and online payments is an effective way to mitigate the risks of security and increased charges. By enabling customers to pay for products and services digitally and automating payments, the highest levels of mobile and online security are provided, while creating an engaging customer experience at the same time.
As an example, Encoded’s Customer Engagement Platform and PayByLink have been designed with PCI DSS and GDPR in mind. The PayByLink service offers a method of sending a one-time-use link to a customer’s phone or email address which can then be used to open a simple pre-populated payment form.
Customers can pay with stored card data or new details if required - with no data exposure to the agent high levels of security and PCI DSS compliance are assured.
Customer service is still a priority
Like all regulation, SCA does impact on the commercial marketplace and for merchants and contact centres it brings new challenges. Ultimately shifting liability should not mean avoiding responsibility or have a detrimental effect on delivering a service that engages and retains loyal customers.
With the right strategies and technologies in place, merchants can help reduce fraud and offer secure payments to customers while benefitting from the current opportunities in remote and online retail sales and remain PCI DSS compliant.
[ii] Findings from the Global Insights Report in the Global Decision Analytics Insights blog
[iii] PCI Security Standards Council
[v] BitDefender - Bitdefender 10 IN 10 Study: The Indelible Impact of COVID-19 on Cybersecurity
For more information visit www.encoded.co.uk