The risk of moving money.

Once, there was cash, and then there were cheques, and then there were charge cards and credit cards. Cash has always provided the ability to transfer value in real-time, cheques provide a means of transferring value in near real-time whilst avoiding the need to carry cash. In both cases, the value is transferred from the buyer to the seller directly. Charge cards and credit cards introduced the notion of authorisation and settlement to retail transactions, adding an intermediary and disassociating purchase from payment.

Now that we are living at the dawning of the age of the real-time account-to-account value transfer, do we think that we have come full circle? Is the global real-time payment grail, holy? Or is this just another example of doing stuff simply because stuff can be done?

The financial advantage to merchants of receiving payments in real-time rather than a day or so later in the settlement is essentially a one-time benefit. Large organisations with high turnovers may be able to maximise the impact, but even this is questionable since many acquirers already provide large merchants with early settlement. Ironically, the merchants most likely to benefit from real-time payments are those who are currently considered to be of a higher risk, where acquirers tend to hold on to settlements for an extended period in order to reduce their exposure. If these high-risk merchants were to benefit from real-time payments, would that benefit not be derived from the transaction risk being passed from the acquiring bank to the consumer?

The global expansion of cards and card payments brought with it a global acceptance of card payment principles that ultimately served to protect the cardholder. The reality is that consumers making payments by card are generally protected.

How much consumer protection exists in the world of account to account transfers? Card fraud may be the criminals first choice but the industry picks up the tab, which is usually passed to the merchant, or to the acquirer or the issuing bank. Again, the reality is that card transactions were never designed for the internet. [There is, I believe, a solution but that is the subject of another discussion.]

So, whilst the fraud is easy, the cardholder is rarely at risk. We should be asking the question: will consumer rights be maintained in an Open Banking environment where the money has already moved, and where there are no mechanisms for moving it back?

The future consumer value for real-time payments lies in the ability to move it back.

The Problem with Fraud

There is a misconception about the challenges we are facing in payments. Whilst it is well recognised that there is a significant global fraud problem across the payments landscape, payment fraud is not equally distributed. Payment card fraud has migrated to the internet.

Not long after squashing the millennium bug, the UK sailed away into the uncharted waters of Chip and PIN. Whilst it was certainly and exciting time in the evolution of payments – for some of us at least – the adoption of EMV went a long way towards solving the growing problem of face-to-face plastic card fraud. As a result of chips and PINs, plastic card fraud in the UK plummeted and this effect was subsequently replicated abroad. Payments on the internet at that time, compared to current transaction volumes, were few and far between. The cost of internet fraud was very low and therefore not considered worthy of any particular attention.

The problem was, and is, that the 16-digit PAN and the 3-digit CVC (when it is used) is not fit for the transaction processing world of the 21st Century.

Underlying payment fraud problems relate primarily to the weakness of the e-commerce payments transaction structure, and whilst many of the so-called clever, alternative solutions may indeed look clever and alternative at the front-end, they generally rely on the same old “card on file” processes at the back-end. Ultimately, this is all smoke and mirrors … tweaking the front-end does not make the underlying problem go away!

Card payments and card technologies are not going anywhere, anytime soon, so the problem needs to be addressed. The solution to rising card fraud needs to focus on the card fraud problem directly, and not simply obscure it by introducing alternative payment options to the consumer and the merchant.

In the late 20th Century, the growing card fraud challenges in the bricks and mortar world were limited by the introduction of EMV, and it works everywhere – nearly! In the 21st Century the same growing fraud
challenges in the digital world could be resolved using that same tried and tested approach.

It’s time to introduce the power of EMV into the world of e-commerce. The technology exists to support this and history has shown that it works.

I have a plan!

Card fraud lowest for 13 years

And the good news is that card fraud losses at terminals in the EU are at their lowest level since 2005.  It looks like much of it is down to EMV, which limits the effectiveness of card skimming strategies, although the excitable clever people are telling us that it’s down to geo-blocking, fraud monitoring and fraud detection.  I am not sure how true this is as I would think that these techniques are more suited to preventing fraud on non-EMV transactions.  

Since the ability to clone and create a usable EMV card is non-existent, the opportunities for fraud using EMV cards are seriously limited.  It is well established that there can be no duplicate EMV cards.  If this is the case, then an EMV card must either be in the hands of its rightful owner, or it must be lost or stolen.  If it is in the hands of its rightful owner, then there is no fraud, and if it is lost or stolen, there is essentially a four hour window of opportunity for any would-be criminal.  Adding geo-blocking, fraud monitoring and fraud detection is not going to identify lost and stolen EMV chip cards.      

Geo-blocking, fraud monitoring and fraud detection are more suited to payment ecosystems that rely more on mag stripe, and can be effective in the e-commerce world.  The reduction in fraud that we have seen over the years is due primarily to the introduction of EMV – in the UK – back in the early part of this century.  It is now spreading out and we are reaping the benefits.  If you want to see how much benefit we are reaping, look at the card fraud levels in the US.  

The impact of reducing the opportunity for fraud in one sector is to increase  its presence in others.  We are inevitably going to be seeing a growing number of social engineering attacks, as the vulnerability of people is now greater than the vulnerability of the card payment systems.  We need to be looking at finding ways of preventing the growing financial losses associated with current accounts.