Digital Technology

Electronic signatures and their emerging presence in our Internet-connected world

I had the opportunity to represent Experian at the eSignRecords 2015 conference in New York City last week. The concept of electronic signature, while not new, certainly has an emerging presence in the Internet-connected world — as evidenced by the various attendee companies that were represented, everything from home mortgages to automobiles.

Much of the discussion focused on the legal aspects of accepting an electronic signature in lieu of an in-person physical signature. The implications of accepting this virtual stamp of approval were discussed, as well as the various cases that already have been tried in court. Of course, the outcome of those cases shapes the future of how to properly integrate this new form of authorization into existing business processes.

Attendees discussed the basic concept of simply accepting a signature on an electronic pad as opposed to one written on a piece of paper. That act alone has many legal challenges even though it provides the luxury of in-person authentication through a face-to-face meeting. The complexities and risk increase exponentially when these services are extended over the Internet.

The ability to sign documents virtually opens up a whole new world of business opportunities, and the concept certainly caters to the consumer’s need for convenience. However, the anonymity of the Internet presents the everyday challenge of balancing consumer expectations of greater ease of use with necessary fraud prevention measures. Ultimately, it always comes back to understanding who is actually signing that document.

All of this highlights the need for robust authentication and security measures. As more and more legal documents and contracts are passed around virtually, the opportunity to properly screen and verify who has access to the documents gets more critical.

Many organizations still rely on the tried-and-true method of knowledge-based authentication (KBA), while many others have called for its end. KBA continues to soldier on as an effective way to ensure that people on the other end of the wire are who they say they are by asking questions that — presumably — only they know the answers to. In most cases, KBA is viewed as a “check the box” step in the process to satisfy the lawyers. In certain cases, that’s all you need to do to ensure compliance with legal policy or regulatory requirements.

Where it starts to get tricky is when there’s more on the line than just “check the box” actions. When the liability of first- or third-party fraud becomes greater than simple compliance, it’s time to implement tighter security, while at the same time limiting the amount of friction caused by the process.

Many in attendance discussed the need for layers of authentication based on the type of documents that are being processed and handled. This speaks directly to the point that one size does not fit all. As the industry matures and acceptance of e-signatures increases, so too does the need for more robust, flexible options in authentication.

Another topic — that was quite frankly foreign to everyone we talked to — was the need for security around the concept of account takeover. When discussing this type of fraud, most attendees did not even consider this to be a hole in their strategy.

Consider this fictional scenario. I’m responsible for mergers and acquisitions for my publicly traded company. I often share confidential information via electronic means, leveraging one of the many electronic signature solutions on the market. I become a victim of a phishing attack and unknowingly provide my login credentials to the fraudster. The fraudster now has access to every electronic document that I have shared with various organizations — most of which have been targets for mergers and acquisitions.

Fraudsters are creative. They exploit new technologies — not because they’re trendsetters, but because oftentimes these new technologies fail to consider how fraudsters can benefit from the system.

If you are considering adopting e-signature as a formal process, please consider implementing:

- Flexible levels of authentication based on the risk and liability of the documents that are being presented and what they are protecting
- FraudNet for Account Takeover, which enhances security around access to these critical documents to protect against data breaches
- Not only the needs and experiences of your own business, but customer needs as well to enable the best possible customer interactions

If you haven’t considered implementing e-signature technology into your business process, you should — but be sure to have your fraud team present when considering the implementation.

What the EMV Shift means for you

I recently facilitated a Webinar looking at myths and truths in the market regarding the EMV liability shift and what it means for both merchants and issuers. I found it to be a very beneficial discussion and wanted to take some time to share some highlights from our panel with all of you. Of course, if you prefer to hear it firsthand, you can download the archive recording here.

Myth #1: Oct. 1 will change everything

Similar to the hype we heard prior to Y2K, Oct. 1, 2015, came and went without too much fanfare. The date was only the first step in our long and gradual path to EMV adoption. This complex, fragmented U.S. migration includes:

- More than 1 billion payment cards
- More than 12 million POS terminals
- Four credit card networks
- Eighteen debit networks
- More than 12,000 financial institutions

Unlike the shift in the United Kingdom, the U.S. migration does not have government backing and support. This causes additional fragmentation and complexity that we, as the payments industry, are forced to navigate ourselves. Aite Group predicts that by the end of 2015, 70 percent of U.S. credit cards will have EMV capabilities and 40 percent of debit cards will be upgraded. So while Oct. 1 may not have changed everything, it was the start of a long and gradual migration.

Myth #2: Subscription revenues will plummet due to reissuances

According to Aite, EMV reissuance is less impactful to merchant revenues than database breaches, since many EMV cards are being reissued with the same PAN. The impact of EMV on recurring transactions is exaggerated in the market, especially when you look at the Update Issuer provided by the transaction networks.

There still will be an impact on merchants, coming right at the start of the holiday shopping season. The need for consumer education will fall primarily on merchants, given longer lines at checkout and unfamiliar processes for consumers. Merchants should be prepared for charge-back amounts on their statements, which they aren’t used to seeing. Lastly, with a disparate credit and debit user experience, training is needed not just for consumers, but also for frontline cashiers. We do expect to see some merchants decide to wait until after the first of the year to avoid impacting the customer experience during the critical holiday shopping season, preferring to absorb the fraud in the interest of maximizing consumer throughput.

Myth #3: Card fraud will decline dramatically

We can look to countries that already have migrated to see that card fraud will not, as a whole, decline dramatically. While EMV is very effective at bringing down counterfeit card fraud, organized crime rings will not sit idly by while their $3 billion business disappears. With the Canadian shift, we saw a decrease in counterfeit card loss but a substantial increase in Card Not Present (CNP) fraud. In Canada and Australia, we also saw a dramatic, threefold increase in fraudulent applications. When criminals can no longer get counterfeit cards, they use synthetic and stolen identities to gain access to new, legitimate cards.

In the United States, we should plan for increased account-takeover attacks, i.e., criminals using compromised credentials for fraudulent CNP purchases. For merchants that don’t require CVV2, compromised data from recent breaches can be used easily in an online environment. According to Aite, issuers already are reporting an increase in CNP fraud. Fraudsters did not wait until the Oct. 1 shift to adjust their practices.

Myth #4: All liability moves to the issuer

EMV won’t help online merchants at all. Fraud will shift to the CNP channel, and merchants will be completely responsible for the fraud that occurs there. We put together a matrix to illustrate where actual liability shifts and where it does not.

[Figure: Payments liability matrix]

Note: Because of the cost and complexity of replacing POS machines, gas stations are not liable until October 2017.

For more information, or if you’d like to hear the full discussion, click here to view the archive recording, which includes a great panel question-and-answer session.

What will the EMV shift really mean for consumers and businesses here in the U.S.?

Businesses and consumers across the U.S. are still adjusting to their new EMV credit cards. The new credit cards are outfitted with computer chips in addition to the magnetic stripes to help prevent point-of-sale (POS) fraud. The new system, called EMV (which stands for Europay, MasterCard and Visa), requires signatures for all transactions. EMV is a global standard for credit cards. In the wake of the rising flood of large-scale data breaches at major retailers – and higher rates of counterfeit credit card fraud – chip-and-signature, as it is also called, is designed to better authenticate credit card transactions.

Chip-and-signature itself is not new. It has been protecting consumers and businesses in Europe for several years and now the U.S. is finally catching up. But what will the EMV system really mean for consumers and businesses here in the U.S.? There is the potential for businesses that sell both offline and online to see an increase in fraud that takes place online, called Card Not Present (CNP) fraud.

Will credit card fraud ever really be wiped out? Can we all stop worrying that large-scale point-of-sale breaches will happen again? Will the EMV shift affect holiday shopping and should retailers be concerned? Join us as we explore these questions and more on an upcoming Webinar, Chipping Away at EMV Myths.

Our panel of experts includes:

- David Britton, Vice President, Industry Solutions, Experian
- Julie Conroy, Research Director, Aite Group
- Mike Klumpp, Director of Fraud Prevention, Citibank

Moderated by: Keir Breitenfeld, Vice President, Product Management, Experian

Commerce: A conversation between merchants and consumers

Last week I joined Sherri Haymond of MasterCard and Bharathi Ramavarjula of Facebook on a panel moderated by Paul Moreton, for a CapitalOne summit on Payments. When asked what was more important for the future of commerce – Sherri spoke of how security and trust is key, and I talked about how messaging has intersected with payments, (and in WeChat’s case) now intersecting with lending – with Bharathi eloquently summing it up as – “Facebook sees Commerce as a conversation”.

If Commerce is a conversation between a merchant and a consumer (however loosely defined those terms have now come to be), then it has become contorted and clustered around payments and point of sale. Till not too long ago, there also existed a high barrier for entry to become a merchant, to accept payments, to promote and sell online, and to find cheap capital for growth. All these things are different now – and unsurprisingly, little of this progress can be attributed to banks or other current payment stakeholders.

For example:

- I didn’t know I could be a merchant till Square showed me how easy it is to accept credit cards, and set up a small business.
- I didn’t know that I could become a driver in my spare time – till Uber showed me how easy it is to become one.
- I didn’t know that I could become a landlord till Airbnb showed me how easy it is to find people to rent it to.

I know I am oversimplifying. These three and others like them chose to use technology and smartphones to exponentially scale the size of existing two-sided markets as well as create new ones. When another billion people on the planet stand to be connected over the next five years – entirely via cheap smartphones – it is hard to view commerce as a zero sum opportunity. Being wired for commerce may come to mean something entirely different for those billion, and messaging apps and social networks will replace point of sale for discovery, acquisition and engagement.

This is why I believe changes in payments today are largely incremental and localized to the developed world. The platform driven efforts – such as tokenization – do go beyond any specific modality (card, mobile, connected things) to further the notion and benefit of trust entirely within the network. But that is as far as it goes. Issuers and networks may have little role to play in discovery, consumer loyalty and now more so than ever – identity.

Case in point: Through Relay, Stripe enables a retailer to push a button and start selling through new channels while taking comfort in that his pricing and inventory will remain real-time. Through Messenger and Shopping – Facebook will encapsulate product discovery, guide the intent to purchase, host the informed pre-purchase debate and even payment – flattening it and never letting it out of sight.

It is no accident that each of the four horsemen of the Internet has heavily invested in voice assistants – (Apple/Siri, Google/Now, Facebook/M, Amazon/Echo, Microsoft/Cortana) – especially as we confront old habits in interaction design that are failing on mobile, to continue to shorten the distance between intent and action through things like 3D Touch, the Amazon Dash button, and intelligent agents. Everything that is interesting in commerce: product discovery, search, interface and interaction design are all being done – with the sole exception of Amazon – by an entity that is neither a retailer nor a bank.

Conversational commerce does not end with payments being swallowed up by messaging apps. It is a prerequisite, but hardly even a waypoint in that journey.

Originally posted on: Droplabs.co

A recent Experian survey found that while consumers are getting better about protecting their information on a regular basis, many do not take the same precautions when traveling. According to the survey, 1 in 5 consumers has had an item with sensitive information lost or stolen while traveling, and 39% have experienced identity theft while traveling or know someone who has. Organizations can protect themselves and customers by using innovative fraud-detection tools designed to reduce potential losses while preserving the customer experience. >> Video: The reputational impact of fraud and identity theft

Apple eschewed banks for a retailer focus onstage at their Worldwide Developers Conference (WWDC) when it spoke to payments. I sense this is an intentional shift – now that stateside, you have support from all four networks and all the major issuers – Apple understands that it needs to shift the focus on signing up more merchants, and everything we heard drove home that note. That includes Square’s support for NFC, as well as the announcements around Kohl’s, JCPenney and BJ’s. MasterCard's Digital Enablement Service (MDES) - opposite Visa’s Token Service - is the tokenization service that has enabled these partnerships specifically through MasterCard’s partners such as Synchrony (formerly GE Capital) which brought on JCPenney, Alliance Data which brought on BJ’s, and CapitalOne which enabled Kohl’s.

Within payments, common sense questions such as: “Why isn’t NFC just another radio that transmits payment info?” or “Why aren’t retailer friendly payment choices using NFC?” have been met with contemptuous stares. As I have written umpteen times (here), payments has been a source of misalignment between merchants and banks. Thus – conversations that hinged on NFC have been a non-starter, for a merchant that views it as more than a radio – and instead, as a Trojan horse for Visa/MA bearing higher costs.

When Android opened up access to NFC through Host Card Emulation (HCE) and networks supported it through tokenization, merchants had a legitimate pathway to getting Private label cards on NFC. So far, very few indeed have done that (Tim Hortons is the best example). But between the top two department store chains (Macy’s and Kohl’s) – we have a thawing of said position, to begin to view technologies pragmatically and without morbid fear.

It must be said that Google is clearly chasing Apple on the retailer front, and Apple is doing all that it can, to dig a wider moat by emphasizing privacy and transparency in its cause. It is proving to be quite effective, and Google will have to “apologize beforehand” prior to any merchant agreement – especially now that retailers have control over which wallets they want to work with – and how. This control inherits from the structures set alongside the Visa and MasterCard tokenization agreements – and retailers with co-brand/private label cards can lean on them through their bank partners. Thus, Google has to focus on two fronts – first to incentivize merchants to partner so that they bring their cards to Android Pay, while trying to navigate through the turbulence Apple has left in its wake, untangling the “customer privacy” knot.

For merchants, at the end of the day, the questions that remain are about operating costs, and control. Does participation in MDES and VEDP tokenization services through bank partners imply a higher cost for play – for private label cards? I doubt if Apple’s 15bps “skim off the top” revenue play translates to Private Label, especially when Apple’s fee is tied to “Fraud Protection” and Fraud in Private Label is non-existent due to its closed loop nature. Still – there could be an acquisitions cost, or Apple may plan a long game. Further, when you look at token issuance and lifecycle management costs, they aren’t trivial when you take into context the size of portfolio for some of these merchants. That said, Kohl’s participation affords some clarity to all.

Second, Merchants want to bring payments inside apps – just like they are able to do so through in-app payments in mobile, or online. Forcing consumers through a Wallet app – is counter to that intent, and undesirable in the long scheme. Loyalty as a construct is tangled up in payments today – and merchants who have achieved a clean separation (very few) or can afford to avoid it (those with large Private label portfolios that are really ‘loyalty programs w/ payments tacked on’) – benefit for now. But soon, they will need to fold in the payment interaction into their app, or Apple must streamline the clunky swap. The auto-prompt of rewards cards in Wallet is a good step, but that feels more like jury-rigging vs the correct approach. Wallet still feels very v1.5 from a merchant integration point of view.

Wallet not Passbook.

Finally, Apple rebranding Passbook to Wallet is a subtle and yet important step. A “bank wallet” or a “Credit Union wallet” is a misnomer. No one bank can hope to build a wallet – because my payment choices aren’t confined to a single bank. And even where banks have promoted “open wallets” and incentivized peers to participate – response has been crickets at best. On the flip side, an ecosystem player that touches more than a device, a handful of experiential services in entertainment and commerce, a million and a half apps – all with an underpinning of identity, can call itself a true wallet – because they are solving for the complete definition of that term vs pieces of what constitutes it. Thus – Google & Apple.

So the re-branding while being inevitable, finds a firm footing in payments, looks toward loyalty and what lies beyond. Solving for those challenges has less to do with getting there first, but putting the right pieces in play. And Apple’s emphasis (or posturing – depending on who you listen to) on privacy has its roots in what Apple wants to become, and access, and store on our behalf. Being the custodian of a bank issued identity is one thing. Being a responsible custodian for consumer’s digital health, behavior and identity trifecta has never been entirely attempted. It requires pushing on all fronts, and a careful articulation of Apple’s purpose to the public must be preceded by the conviction found in such emphasis/posturing.

Make sure to read our perspective paper to see why emerging channels call for advanced fraud identification techniques.

With more than one-third of customers interacting with a single business in five or more channels and more than 85 percent of consumers using online or mobile to conduct business, omnichannel fraud prevention has become a necessity. Implementing a layered approach to authentication and integrating device intelligence into the process to associate a consumer with a known device are critical components of a fraud mitigation strategy. In addition to providing another layer of validation, verifying a customer through his or her device makes it easier for the customer to interact with the business and is a huge benefit to the overall customer experience. Perspective paper: Protecting the customer experience - The impact of fraud on the customer relationship

Gift cards are the most requested gift item and have been for the last eight years. Merchants love gift cards because they take up very little space and the recipient often ends up spending more than the value of the gift card.

Apple Pay fraud solution

Apple Pay is here and so are increased fraud exposures, confirmed losses, and customer experience challenges among card issuers. The exposure associated with the provisioning of credit and debit cards to the Apple Pay application was expected in time, as fraudsters are the first group to find weaknesses. Evidence from issuers and analyst reports points to fraud as the result of established credit/debit cards compromised through data breaches or other means that are being enrolled into Apple Pay accounts – and being used to make large value purchases at large merchants.

Keir Breitenfeld, our vice president of Fraud and Identity solutions, said as much in a recent PYMNTS.com story where he was quoted about whether the Apple Watch will help grow Apple Pay.

The challenge is that card issuers have no real controls over the provisioning or enrollment process, so they currently only have an opportunity to authenticate their cardholder, but not the provisioning device. Fraud exposure can lie within call centers and online existing customer treatment channels due to:

- Identity theft and account takeover based on breach activity.
- Use of counterfeit or breached card data.
- Call center authentication process inadequacies.
- Capacity and customer experience pressures driving human error or subjectively lax due diligence.
- Existing customer/account authentication practices not tuned to this emerging scheme and level of risk.

The good news is that positive improvements have been proven by bolstering risk-based authentication at the card provisioning process points, comparing the inbound provisioning device to the device that is on file for the cardholder account. This, in combination with traditional identity risk analytics, verifications, knowledge-based authentication, and holistic decisioning policies, vastly improves the view afforded to card issuers for layered process point decisioning.

Learn more on why emerging channels, like mobile payments, call for advanced fraud identification techniques.

The experience of being a victim of data breaches has created a shift in consumer behavior and attitude over the past year. A recent Ponemon Institute study found that more than one-third of consumers ignored data breach notification letters, taking no action to protect themselves against fraud. To combat data breach fatigue, companies should communicate with customers sincerely and avoid treating the notification process as a compliance issue. Notification letters should include an apology, a clear explanation of what happened and why, and steps consumers can take to protect themselves from fraud. 2015 Data Breach Industry Forecast

While marketers typically spend vast amounts of money to increase customer acquisitions, fraud prevention can undercut those efforts. According to a recent 41st Parameter® study, average card-not-present declines represent 15 percent of all transactions; however, one to three percent of those declined transactions turn out to be false positives, equating to 1.2 billion dollars in lost revenue annually. Marketers can avoid unnecessary declines and create a seamless customer experience by communicating campaign plans to the fraud-risk team early on and coordinating marketing and fraud-prevention efforts. Download Experian’s latest fraud prevention report. Report: Holiday Marketing & Fraud

By: Maria Moynihan

Mobile devices are everywhere, and landlines and computer desktops are becoming things of the past. A recent American Marketing Association post mentioned that there already are more than 1 billion smartphones and more than 150 million tablets worldwide. As growth in mobile devices continues, so do expectations around convenience, access to mobile-friendly sites and apps, and security.

What is your agency doing to get ahead of this trend? Allocating resources toward mobile device access and improved customer service is inevitable, and, arguably, investment and shifts in one of these areas ultimately will affect the other. As ease of information and services improves online or via mobile app, secure logons, identity theft safeguards and authentication measures must all follow suit.

Industry best practices in network security call for advancements in:

- Authenticating users and their devices at the point of entry
- Detecting new and emerging fraud schemes in processes
- Developing seamless cross-checks of individuals across channels

Click here to see what leading information service providers like Experian are doing to help address fraud across devices. There is a way to confidently authenticate individuals without affecting their overall user experience. Embrace the change.

According to a recent 41st Parameter® study, 85 percent of consumers use online or mobile channels to conduct business.

Cherian Abraham, our mobile commerce and payments consultant, recently wrote about the future of mobile banking with regard to the Apple Pay news out this week. The below article originally appeared in American Banker and is an edited version of his blog post.

Editor's note: A version of this post originally appeared on Drop Labs.

Depending on who you ask, the launch of Apple Pay was either exciting or uninspiring. The truth is far more complicated — particularly in terms of how it will impact the dynamics of Apple's relationship with banks. I would venture that most of the financial institutions on stage at the launch of Apple Pay earlier this week have mixed feelings about their partnership. They have had to sacrifice a lot of the room for negotiation that banks have retained with other wallet players such as Google Wallet and Softcard (the company formerly known as Isis).

If you are an Apple Pay launch partner, having your credential or token on Apple Pay does not mean that you get to extend that credential into your own mobile banking app or wallet. For example, Bank A, with its credentials stored on Apple Pay, cannot leverage those credentials so that its own mobile banking app can use them to enable direct payments. Banks will have to accept that their credentials will be indefinitely locked to Apple Pay till deletion.

No bank wants its brand to be overshadowed by Apple, nor do banks want smartphone users to close their app and open up a different wallet to make a payment. But this was not up for debate with Apple, which wants to tightly control the payment experience. This should be a cause of concern for Apple Pay partner banks, for whom enabling payments outside of Apple Pay in iOS is now off the table.

Banks' only hope of having an integrated payment experience is to focus on Android, which supports host card emulation technology. HCE uses software to emulate a contactless smart card and communicate with near-field communication readers. I would expect a lot of banks to revisit Android and HCE in upcoming months. That goes double for the institutions that were not chosen to partner with Apple, along with retailers who have not rejected contactless payments as a modality in stores.

Given that Apple will reportedly collect fees from its partner banks when customers execute transactions on the mobile wallet, all banks should be thinking about ways that they can make their presence on other Apple offerings more lucrative. If I were them, I would begin segmenting customers who hold one of iTunes' 500 million active accounts to see which ones are affluent spenders and which cards have higher interest rates, then implement targeted customer incentive strategies to move Apple users to higher-rate cards. I would use the same tactic to convince customers to replace debit cards on file with iTunes with credit cards.

But the big takeaway is that from here on out, banks can only gain incremental value from iOS. If they want to create a unified payment system that customers can use as part of their existing banking relationships, they'll have to focus on Android. Should that happen, I doubt that Apple could prevent such moves from diluting its merchant value proposition. But such moves on the part of issuers are hardly long-term strategies to incentivize frequent usage, merchant participation and overall customer value.

To learn more about how Experian can help you with your mobile banking needs, please visit: http://ex.pn/1t3zCSJ?INTCMP=DA_Blog_Post091214

As data breaches continue to attract publicity, consumers are expecting more from impacted organizations.