It’s not hard to find a wide range of merchants and businesses jumping at the opportunity to offer their customers a branded way to pay.
The consumer landscape is flooded with “Pays” — with many businesses hoping to create a closed-loop payment experience that will drive loyalty and capture customer information.
But let’s face it, not everyone can pull off what Starbucks has done.
Nonetheless, as “Pays” continue to hit the market, hoping to grab the attention and downloads of consumers, Ken Allen, SVP of Operations at Socure, said that it’s easy to see the similarities between the increase in digital wallets and the popularity of prepaid not that long ago.
Mostly because digital wallets have given prepaid payments a new lease on life.
That new lease on life, Allen said, can expose consumers and merchants to a whole new set of risks, chiefly whether the card being provisioned to fund these “Pays” is a valid set of credentials belonging to a legitimate consumer.
“Ultimately, you’re connecting to some type of stored value or a pass through that still is a person doing a transaction someplace, but now, you’ve opened it up to a more digital space with more risk for the cardholder and the merchant,” Allen said.
When Going Digital Gets Risky
Allen’s opinion is that these digital wallets come with a unique set of risks, as they’re more open, yet lack the fraud controls that even prepaid cards have.
“It’s a mixed bag of a new version of prepaid, but at the end of the day, I don’t know that it really closes the loop on some of the risks,” he explained.
Traditionally, prepaid cards were physical cards that were bought for a single use by customers shopping at a retail store or kiosk. Now, with digital wallets, that concept is truly digital, taking place typically within a proprietary mobile app downloaded by the consumer.
Of course, the digital enrollment itself can open customers up to security vulnerabilities.
“It’s the provisioning of that wallet that is the risk entry point initially, and that just isn’t understood by all these wallet plays out there,” Allen said.
For example, fast-casual dining chain Tropical Smoothie allows customers to use its mobile app as a way to pay with their phone, but Allen said it’s not clear what verification is being done on the payment credentials being enrolled.
“That scares me as a consumer, knowing that the controls might not be there,” he added. “How do you know you’re dealing with the right person and that they don’t load my credentials on a wallet and put stored value there?”
Unfortunately, many of the wallets out there may not have the necessary security controls and guarantees to keep out fraud.
Allen’s point is that if a merchant doesn’t have a rock-solid way of provisioning an account into the “Pay” of the day, it is potentially opening itself up to fraudulent activity, because it has no way to authenticate that consumer.
While experimenting with new digital capabilities is a good thing, Allen pointed out that many of the stores and businesses putting out wallets don’t have the strong eCommerce background and market sophistication to understand all the risks they are taking on. This means the jump from retail to wallet/quasi-digital is a significant move for many of these players.
Putting Mobile To Work
Though Allen does have concerns about the security of digital wallets, he noted that digital wallets do have one thing prepaid cards do not: powerful information.
After all, with mobile comes access to capabilities like geolocation and biometric authentication, and these can provide more data on which to base security decisions.
“The phone isn’t just an enablement to pay; they need to be checking the geolocation, device and other aspects,” Allen explained, adding that this type of data can serve as the basis for deciding whether to approve a transaction.
If he were tasked with fixing the digital wallet problem, Allen said, he would start with implementing a more authenticated provisioning process and setting up security controls around the device itself.
Why? Because, he explained, a wallet represents four things: a person, with a device, that has loaded some value on it, doing a transaction. There needs to be some form of control on each of those components before the account is enabled, so that it can transact securely.
After all, in today’s payments landscape, especially with the adoption of EMV, there’s no question that fraud is going digital.
It’s not just about eCommerce or mobile commerce, Allen said; it’s now essentially just wallet commerce — a whole new umbrella of opportunity fueled by a diminishing supply of physical card fraud that can be committed.
In this quasi-digital environment, where channels are merging and customer-present, digitally enabled transactions are becoming more commonplace, it’s going to take even more work to authenticate consumers and secure transactions.
“The burden of proof on where [transactions] are going to go through and who’s going to hold the liability when I’m standing in front of a POS with a device that has a wallet stored to it that might not be mine,” Allen explained, “I don’t know how that’s going to get worked out.”