Australia is currently in a period of immense change as far as payments go, with initiatives like PIN@POS due in August and real-time settlements already taking shape for a 2016 go-live date. In the context of this change, criminals are already looking at how best to capitalize on it and exploit any and all loopholes left open.
Against this backdrop, I was very interested to see the results of the Australian Payments Clearing Association’s annual fraud report, which came out recently. Most notably covered was the rise in Card-Not-Present (CNP) fraud losses in 2013, after an admirable reversal in the trend in 2012. What wasn’t that surprising was how, in Australia, the growth in CNP fraud and its relationship to skimming and counterfeit fraud is following the same path as it did in the UK over the past 5 years. Given that the UK has implemented many of the changes we are working on here in Australia, it would be smart to look at, and learn from, how they are managing this issue.
The other interesting trend I noticed was the comparison between overall fraud value and the volume of fraud. According to the report, the overall value of fraud has nearly doubled since 2008 (AU$161 million in 2008 to AU$304 million in 2013). Yet the average value per fraudulent transaction has dropped from AU$358 in 2008 to AU$197 in 2013. This means we are seeing a higher volume of fraudulent transactions (more than triple over 5 years) than ever before.
Financial institutions all over the country have worked to implement prevention measures to help mitigate risks and decrease these losses, including verification codes of 3 or 4 digits to prove genuine cardholder identity; stronger card authentication from tools like 3DSecure; fraud detection tools used by merchants, schemes and issuers; and enforcement of PCI compliance. While all of these initiatives are admirable, they don’t go far enough towards mitigating the growing threat. The staggering growth rate in CNP fraud losses should be enough proof that the status quo isn’t sufficient. So what should we do?
- Explore behavior analytics and dynamic authentication. Verification codes are a good layer in the security mechanism, but many next-generation tools, including behavior analytics and dynamic authentication, take this concept to a higher level.
- Expand 3DSecure adoption. 3DSecure is currently underrepresented in the Australian merchant community, with less than 25 percent of CNP payments being routed through the stronger authentication solution. Merchants with higher than normal fraud losses should seriously consider the adoption of 3DSecure.
- Employ a frictionless authentication strategy. Tools and technology will only be as effective as the business case needed to implement them. Many merchants see fraud losses as a “cost of doing business”. For such businesses, implementing additional fraud prevention tools only adds friction, which leads to customer abandonment, which isn’t good for anyone. If tools are to be adopted, they need to be transparent to consumers, create confidence, and prove that security can be an enabler, not a hindrance.
- Security has to go beyond PCI Compliance. PCI compliance is a good step, but it provides a false sense of security for many in the payments industry. A number of high-profile data breaches have occurred in recent years, with millions of cards being compromised despite PCI compliance. Compliance is the minimum, but strategies like tokenization of card data help to reduce the size of a PCI scope.
The great news for Australia is that all of the above suggestions have been implemented with success in other geographies. While there are certain elements of the fraud challenge that are unique to the region, there are a lot of overlaps in lessons that can be learned from Europe and North America. Ensuring the best balance between security and a great customer experience can be tricky, but by using a combination of smart people, processes and technology, security can be a huge enabler for innovation while reducing risk.