Just as issuers are migrating to the EMV environment, fraud is also on the move – going from offline to online. And since online is where more and more consumers conduct their transactions, using more devices to do so, the fight to keep them safe isn’t going to get any easier. But there may be an answer to be found in the very fact that consumer behavior is changing. MPD CEO Karen Webster recently spoke with Nick Craig, VP of Sales for Digital Payments at CA Technologies, about the assets that customer behavior can provide in helping to protect them against increasingly complex fraudulent activity.
KW: It’s June; there’s a shrinking window to the transition to EMV here in the U.S. What I’d love to talk to you about is your experience in helping issuers migrate to this new environment.
Let’s talk about fraud. I think we all certainly expect that with this migration, offline fraud will decline, but we also know that online fraud is likely to spike.
I’d love to hear about your experiences, as you’ve done this with other issuers around the world. What can we expect in the U.S. – and, more importantly, what can we do about it?
NC: I think it’s well understood that EMV can have a significant impact on card fraud – certainly on card-present fraud. But in the case of online fraud, that could be the reverse; in fact, that’s what a lot of our experience suggests. EMV is a step in the right direction, but it’s not something that’s going to solve the problem for all types of fraud. As with any good fraud prevention strategy, a layered approach is required.
We have an interesting position in looking at the market, having provided CNP (card-not-present) solutions over the last 15 years or so. We’ve obviously seen EMV adoptions across many of those markets, and the statistics really reinforce what you and I are referring to – that significant jump in CNP fraud following an EMV migration.
In the U.K., CNP rose to about 60 percent of the total card fraud following the migration; Australia faced a very similar situation, with CNP rising to about 39 percent of the total. Closer to home, in Canada, CNP increased over 130 percent in just two years.
The trend is there. What’s interesting in the U.S. – where we’re obviously looking at the October deadline for the liability shift coming into effect – is that we’re already starting to see that migration, both in volume from a 3D Secure perspective as well as in the significant uptick of merchants that are moving over to 3D Secure. It’s evident that U.S. merchants are looking for ways to protect themselves in the migration process.
Another thing worth identifying is the fact that the U.S. market, unlike the case for previous EMV migrations, is a very large eCommerce market. It’s also one of the last markets to adopt EMV. In earlier EMV deployments, the fraudster had many other options. Those options may be far less in the United States – which may actually make the problem worse rather than make it better.
Also important to identify is the fact that – even if you took away the EMV migration – just the rate of online shopping growth, compared to traditional brick-and-mortar, is having quite a significant impact on online fraud. Even if the fraud rate stays the same, the actual volume increase is going to have an impact on the fraud policies that are in place today.
KW: I think that’s a really good point. Even if the rate of fraud remains the same, because volumes are growing with the online/offline convergence, that number will get bigger.
But the rate of fraud may not increase. And that’s something worth noting, right?
NC: Yes, but I think the factor of card-not-present is important to recognize. Looking at card fraud on a global basis, the rate of card-not-present fraud can vary enormously. It can range from maybe just a few basis points of fraud up to hundreds of basis points. And that’s a significant thing to try to deal with. If we think about that as a threat, it’s obviously going to have an impact on just how quickly that migration can take place.
KW: Maybe this is a crazy question, but I’m going to ask it anyway, because that’s just what I do:
We talk about the fact that fraud migrates, and I think we all accept that it does. But why? What is it specifically that the cybercriminals are doing – are they using credentials that they’ve stolen previously but now online? Is there some other thing that they’re doing? Why is there that shift?
NC: A lot of it has to do with general trends in the market. Obviously, we’ve been seeing large-scale breaches in the past 18 months to two years, and that has impacted the amount of credentials that are out there. And generally, fraud is becoming much more institutionalized, from the standpoint of being able to lay your hands on a range of tokens to be able to form an attack.
When you start to think about fraud as a whole and making certain vectors more difficult for fraudsters to attack – fraud’s not going to go away. It’s going to move from place to place. There will obviously be an opportunistic element to that. And certainly, card-not-present fraud represents an attractive opportunity for the fraudster because they’re able to work through a significant volume, can operate on a global basis, and do so from the comfort of their own living room. It doesn’t face the same physical barriers that other fraud attacks do.
KW: So it’s not as if they're stockpiling credentials that they may have acquired through physical point of sale hacks; they’re simply shifting the field of play to the digital world, where commerce is accelerating. Is that more or less what’s happening?
NC: Yes, but it’s also the fact that you don’t have a single group of people that is doing the end-to-end fraud attack. When we talk about this becoming more professional, there are groups of people out there that are focused on getting the credentials and monetizing the credentials and selling them elsewhere; there are others that are buying those credentials and trying to use them across a variety of different attack vectors.
KW: Let’s talk about a complexity associated with fraud in a digital environment – I think it speaks to the expertise of the cybercriminal.
My understanding is that close to half of fraud happens across multiple devices, because that’s the way that consumers operate. They sort of multi-home between their laptop, their smartphone and their tablet – and that is with multiple cards. Doesn’t that make the environment for detecting and preventing fraud that much more complicated?
NC: You’re absolutely right. To identify the connection between the devices that are being used and the cards that are being used is really important.
We talked about how eCommerce fraud is a global problem; fraud can migrate very quickly, et cetera. Fundamentally, when you start looking at those transactions – and in particular with the use of programs such as 3D Secure – that insight becomes quite important to shopping habits, the types of devices that are being used, their profiles, their specific characteristics, and their location preference.
When you look at card/device association, it really reinforces what the majority of us might think about the way in which we run our lives and how we operate. Our data science team completed a study recently on millions of transactions, and they found that the majority of them are done on not more than a couple of devices. The interesting thing is that as the number of devices increases per card that is being used, the fraud rate starts to jump. If you go beyond maybe five devices being used on a single card, the fraud rate increases by about 14 times, and continues to grow accordingly.
But that’s just one metric. To look at devices on the whole as a single metric, it can lead to misconceptions and false positives. You really have to take a much broader perspective – both in terms of the types of data that you can collect about that device as well as the wider context of the transaction itself: what products are being purchased, what kind of behavior has the cardholder exhibited before, where in the world is the cardholder connecting from, and so on. The device is a great tool, but that wider context is really important.
The challenge, of course, is how to use that context to improve the customer experience in real time.
KW: You mentioned that you’re seeing an uptick in the number of merchants that are looking to deploy 3D Secure – which had a very mixed reputation in its early days, because it compromised conversion.
It’s come a long way since then. I’m curious to know what your ROI and business case story is to merchants now.
NC: When you think about 3D Secure, the central question is: Can you implement the solution, and is it going to enhance or improve the metrics? If you can’t show that, throw it out the door and move on.
Fundamentally, 3D Secure offers significant opportunities that just aren’t available in other transactions. The difference boils down to three things: Can you identify fraud more effectively? Can you improve the cardholder experience? And can you balance that cardholder experience against the fraud detection?
The thing that the solution really brings is the opportunity to gather those insights and get a much broader perspective – not just at bank level or a merchant level, but across the entire portfolio of transactions. CA operates across 13,000 different portfolios around the world, so that insight is hugely valuable in being able to identify suspicious behaviors and the trends in behaviors.
We’re now in a position where you’re able to implement the 3D Secure solution without affecting the cardholder journey. The idea that you have to implement 3D Secure, and you have to challenge all transactions all of the time, and you have to use a static password – those days are long gone. The opportunity to use the data for far greater levels of intelligence and to be able to really pinpoint suspicious behavior using some of the analytical capabilities that we’ve built into our platform is a tremendous benefit to customers.
To compare our method of using analytics to just taking a one-size-fits-all approach, the experience for some of our customers is that – in addition to having the fraud problem addressed significantly – they have actually seen the shopping frequency rate increase, much more so than they have through more traditional portfolios. One customer saw nearly double the frequency of shopping, and double the shopping cart rate.
The idea that 3D Secure is a bad thing or affects cardholder experience is false. We as an industry have to do a much better job of communicating the value that 3D Secure brings.
KW: You’ve done some “mythbusting” in our conversation. What are some of the other myths that you think we need to break through as we make this journey that is the EMV migration, and as fraud moves from one channel to another?
NC: Ultimately, what most customers are focused on is improving the cardholder and consumer experience. We’re operating in a world that has far greater levels of competition – certainly from a card perspective – than what existed just a few years ago. The opportunity for alternative payments and the range of card products that are available is hugely competitive, and certainly cardholder experience is front and center to everything that we do.
It is very important that we try to change the dimension of how we think about these problems; they need to be addressed purely from the standpoint of the customer.
If you start with the customer and work from there, you’re going to see very different insights. The customer journey itself is a complex one; in many cases, a merchant or a bank may not have full control of it. Typically, what you see is an overreliance on control points or systems that have been effective in the past: “We’re seeing an increase in fraud; therefore, we need to increase the intervention rate.” The challenge, of course, is that when you’re dealing with a mass consumer experience, just a small amount of friction can lead to a very significant impact.
Customers’ expectations are very different than what they once were. The idea of having to use different methods of authentication depending on the channel or engagement point is missing the point entirely – missing the opportunity to reinforce the customer journey.
There are many different types of customers – mass consumers, VIP, commercial portfolio – and they all operate in different ways. It is a complex problem to solve; there is no silver bullet. What matters is understanding what the customer journey is and being able to identify the areas within it that you can tweak, rather than relying on the one or two control points or systems that have been effective in the past.
Ultimately, that comes down to an understanding of the data. If you don’t understand how the transaction flow moves and where you are losing transactions, then it’s very difficult to implement a fraud strategy.
The idea that you have to compromise the cardholder journey for the sake of fraud prevention is really the myth that we have to push back against.
VP of Sales for CA Digital Payments, CA Technologies
With an impressive amount of experience in SaaS and enterprise security software systems, Nick is currently responsible for CA Digital Payments at CA Technologies, working with clients globally to provide innovative solutions to the payment industry. He has in-depth knowledge of current online payment authentication schemes and possesses expertise in using advanced models and dynamic, bank-defined rules to help card issuers fight fraud in real time while providing a frictionless checkout experience for genuine cardholders. Nick has held several management roles in EMEA, including 9 years with IBM with responsibility for IBM software portfolios. He previously ran CA Digital Payments in EMEA at Arcot (acquired by CA Technologies), the leader in securing 3D Secure eCommerce transactions.