Vesta: Ghosts In The (Payments) Machine

Halloween isn’t over — not by a long shot — in the payments industry. And three big stats tell you why. 30 percent, 65 percent and 4. Vesta CMO Tom Byrnes explained what those scary statistics tied to eCommerce fraud mean in the latest installment in the PYMNTS Data Drivers series with Karen Webster.

Quick. As you sit in a stupor from eating your kids’ Halloween candy last night at 3 a.m., name the five-letter word that scares the payments industry all the way from the POS to the very back end of the back-end office.

Nope, not ghost. Not Apple. Fraud.

In the latest installment of the Data Drivers series, PYMNTS’ Karen Webster pulled back the curtain on the nightmares that don’t only come in the night but can bedevil firms 24/7/365. In conversation with Tom Byrnes, CMO of Vesta Corp., the pair discussed the latest findings from Vesta’s deep dive into the real costs of fraud. Findings that, when combined with the rate at which fraud attacks directed at online merchants are escalating — some 137 percent year over year, according to the Global Fraud Index — are enough to scare a merchant half to death.

First: 30 percent. That’s the sales decline that comes in the wake of false positives, as Webster noted. “As we’re seeing the fresh data come in from the tail end of the first year of EMV in the States,” said Byrnes, “it’s a bit all over the place. But it’s tough times and about to get tougher,” he claimed, with an eye on the 80 countries that have already adopted EMV and may offer up a roadmap of sorts for the United States. There’s really a three- or four-year phase-in period, said the executive, who added: “I hate to be the harbinger of bad news, but the worst is yet to come.” Simply put, as eCommerce grows, fraud grows right alongside.

At the same time, there are any number of new innovations and attempts to combat fraud going on, and merchants are, in fact, “deploying new techniques that don’t fit,” said Byrnes, who likened the scattershot approach to the old game of Battleship, where everyone is effectively shooting in the dark.

As much as 14.9–22 percent of the total operational budget goes toward fighting fraud, Byrnes maintained, with the slice of sales tied to that coming in at about 7.5 percent. Firms devoting this much of their top line to fraud combat cannot grow as fast as they might otherwise.

Further, said Byrnes, of that 7.5 percent of lost sales, “2.8 percent, a blended rate” of physical and digital sales, are lost due to chargebacks. “That’s long-term repetitional damage to the bank,” said Byrnes.

Another scary stat: 65 percent of merchants still rely on usernames and passwords to authenticate customers using existing accounts. That data point, said Byrnes, stands out as a form of “legacy, if you will.” On one hand, he added, merchants have spent the last decade immersed in this process in attempts to simply drive adoption.

“The challenge here is … in the new reality of post-EMV, with liability slowly moving away form the point of sale … you’ve also got the fact that we have had all of these giant data breaches.” And those data breaches have tapped into historical data that has long been kept on file.

Amid the data thefts, continued Byrnes, merchants are sitting on the sidelines, watching the digital goods market pass them by, to the tune of $100 billion in global spend, because security here relies much more on next-generation fraud tools.

Previously, even with same-day fulfillment, merchants could cross-check data and credentials, and there were still a few hours to catch wrongdoing. “But if you’re in the digital space, now,” said Byrnes, “we’re talking about sub-second decisioning and approval and sub-second fulfillment.” Thus, additional measures of security must be considered, ranging from device ID or geolocation to data analytics, in efforts to stop fraud.

As for the four fraud management tools that most often have been deployed by merchants, which have served them well — or, as Webster noted, “at least, once did” — we find customer identity verification, address and card verification and static knowledge-based authentication. The question remains: What are merchants doing to push that quartet down the list and put other methodologies in place above them?

“I think that varies by the product mix that the merchant is selling,” said Byrnes. “If you’re a pure digital gift player, you’re someone in the gaming industry, selling digital gift cards, eTickets, things like this … you are sort of the canary in the coal mine. You are at risk.” On the flip side, he said, the real story here is that the real risk bearers can be seen to be the hybrid merchants, who sell physical and digital gifts. They require parallel fraud detection systems and authentication technology, said Byrnes.

“We are reaching a fork in the road for a lot of merchants,” added the CMO, with a nod toward device ID technology, where the protection has been around for awhile but only 30 percent of merchants are using it. The new technology is expensive, but a firm also needs a data scientist to be a line of defense. Merchants must figure if they are retailers or in business to fight fraud. In other words, let merchants do what they do best, and solutions providers do what they do best.

There are new threats lurking, said Byrnes, with account takeovers amid the biggest ones. “The level of innovation these fraudsters continue to show is impressive … You are taking a whole identity that is inside the system already.” Another wrinkle has come as wallets have emerged, via white-label banking offerings, said Byrnes, and what fraudsters are doing is taking chip-protected cards (bought online), loading them in the digital wallets, showing up at the POS, working with the near-field reader and buying items.

“What you are seeing here, whether it is in-store or online, is the constant evolution and innovation of new fraudulent concepts,” surmised Byrnes. All is not lost, however, he said, if a proper outsourced provider takes the reins of fraud combat and lets merchants get back to focusing on growing their businesses — which can amount to a happy ending to a scary tale.