payments business magazine mar/apr2015

PM40050803

Ma

r/a

pr

201

5

also in this issue:

❱ Bank of Canada Report Is cash still king?

❱ Technology Update Small data – the risks and rewards

Fraud Supplement Reducing, mitigating, combatting – what are the best practices?

BiG Data ReportFrom protecting financial services to driving customer engagement, there is a marked increase in the adoption of analytics.

The Merchant’s Guide to Transactions, Cards & eCommerce

3 March/april 2015 paYMENTSBUSINESS

TaBle oF ConTenTS

4 News 15 acT canada Update

COLUMNS & DEPARTMENTS

FEATURES

6Protecting Financial Services and Preparing for the Future with analyticsThe power of analytics has been widely used to generate timely insights

9Banks Turn to new Technologies to Drive Customer engagementIncreased adoption of new banking methods will be driven mainly by millennials

March/April 2015 Volume 6 Number 2

Editor Karen Treml [email protected]

Publisher Mark Henry [email protected]

Contributors Markus Bergthaler, Karen Cox,

Kevin Deveau, Kristian Gjerding, Andrew Higgins, Catherine Johnston, Anneke Kosse, Stephen Lindsay, Ronen Morecki, David O’Connell, Naeem Siddiqi, Angelika Welte

Creative Direction Jennifer O’Neill [email protected]

Photographer Gary Tannyan

President Steve Lloyd [email protected]

For subscription, circulation and change of address information, contact [email protected]

Publications Mail Agreement No. 40050803

Return undeliverable Canadian addresses to: Circulation Department302-137 Main Street North Markham ON L3P 1Y2 t: 905.201.6600 f: 905.201.6601 [email protected] www.paymentsbusiness.caSubscriptions available for $40.00 year or $60.00 two years.

©2015 Lloydmedia Inc. All rights reserved. The contents of this publication may not be reproduced by any means, in whole or in part, without the prior written consent of the publisher. Printed in Canada. Reprint permission requests to use materials published in Payments Business should be directed to the publisher.

Made possible with the support of the Ontario Media Development Corporation

Next issue…MaY/juNE — Cards, Cards, Cards – We will go into the restaurant industry and explore the payments

landscape. Our technology update will examine POS, NFC, HCE, and RFID.

11not Just analyticsLarge-bank disappointment with Big Data means big opportunities for vendors

13new Data, Big Data:The brave new world of analytics

18Is Cash Still King, and at What Cost?

COLUMNS

29Technology UpdateSmall data – risks and rewards

FRauD suPPleMent

22Reducing Fraud in a Mobile WorldMobile payments have awakened security concerns from consumers and merchants alike…

24Combatting Fraud as the Market evolvesProtecting sensitive information from cyberattack

26airline and Travel Rewards FraudSafeguarding valuable loyalty miles/points transactions


neWS

ottawa reveals improvements to the Code of Conduct for the credit, debit card industryFinance Minister Joe Oliver today released an update to the Code of Conduct for the Credit and Debit Card Industry in Canada, delivering on a commitment made in 2014 to help make life more affordable for Canadians and entrepreneurs. Following consultations with stakeholders, these new changes will make the Code even stronger by addressing unfair business practices and improving transparency for merchants and consumers, including new provisions that apply specifically to mobile payments. Participants in the debit and credit card market will have until 30 days from the issuance of this news release to review and adopt the enhanced Code of Conduct.

The Code was launched in 2010 to promote fair business practices and ensure that merchants and consumers understand the costs and benefits associated with credit and debit cards. Every time merchants accept a credit card payment from a customer, they pay fees. Like any other business cost, these fees are often passed on as costs to consumers in the form of higher prices.

Minister Oliver also released Balancing Oversight and Innovation in the Ways we Pay: A Consultation Paper, seeking the views of Canadians on the best approach to ensure that new electronic payment methods are safe and provide adequate consumer protection, while allowing innovation that benefits Canadians.

The Canadian Federation of Independent Business (CFIB) says that the Code of Conduct for the Credit and Debit Card Industry in Canada “has served merchants extremely well....[It] has done an excellent job in ensuring some fair ground rules and maintaining Canada’s low-cost debit system.”

CFIB adds that “the Code played a big role in saving low-cost debit in Canada and it gave merchants some degree of power in dealing with the payments industry.”

The updated Code of Conduct for the

Credit and Debit Card Industry in Canada includes:

A new requirement that the interchange •rate reductions announced by Visa Canada and MasterCard Canada in November 2014 will be fully passed-through to merchants, or merchants can cancel their contract without penalty;A new complaints handling process •available to merchants with Code-related complaints;Enhanced disclosure requirements that •will require plain language disclosure in information summary boxes in merchant contracts of key contract terms and conditions and merchant fees;Greater flexibility for merchants to exit •their contracts without penalty, including a right to provide notice of non-renewal at any point up to 90 days prior to contract expiry, and limiting automatic renewal of contracts to six-month increments;A new disclosure requirement for credit •card issuers, to inform consumers that apply for premium credit cards that the use of these cards can impose higher merchant fees;New branding requirements for premium •cards, to make these cards more easily identifiable to merchants at the point of sale;New consumer protections for mobile •payment users, to ensure that consumers will have full and unrestricted control of the default settings on their mobile wallets and devices;New protections for merchants who •choose to stop accepting mobile payments.

The Government is releasing Balancing Oversight and Innovation in the Ways we Pay: A Consultation Paper, seeking the views of Canadians on the national payment system, recognizing that:

Every year, Canadians make roughly 24

billion payments, worth more than $44 trillion;

According to the Bank of Canada, •between the early 1990s and 2011, the share of cash used in point-of-sale transactions dropped from more than 80 per cent of the total volume and 50 per cent of the total value, to less than 50 per cent of the volume and less than 20 per cent of the value of these transactions.The Canadian Payments Association •estimates that there were 24 million e-wallet and electronic person-to-person transactions in 2011, worth nearly $10 billion, up from $3 billion in 2008; The Task Force for the Payments System •Review found in its December 2011 final report that a thoroughly modernized payments system could save the Canadian economy as much as 2 per cent of gross domestic product in productivity gains, equal to $32 billion in annual savings for Canada; Core clearing and settlement systems •are currently subject to regulation and oversight for safety, soundness and efficiency purposes. However, this oversight does not fully extend to national payment systems. As a result, the system as a whole is not currently subject to comprehensive and consistent rules that protect consumers and ensure public confidence in the use of electronic payment methods.

“I am pleased to announce major improvements to the Code of Conduct for the Credit and Debit Card Industry in Canada. For merchants, these changes mean more transparency, more flexibility and more choice. Consumers will be getting the exact same—and paying less for the necessities of life. These changes mean more money in Canadians’ pockets and competitive retail markets, benefitting all Canadians,“ said Joe Oliver, Minister of Finance.


BIg DaTa RePoRT

Protecting Financial services and Preparing for the Future with analyticsThe power of analytics has been widely used to generate timely insights

By aNdrew higgiNs

Organizations worldwide are re-evaluating how to drive brand loyalty and

accelerate business growth as they navigate through the new age of the digital consumer.

In this environment, Canadians are progressively moving away from traditional to more electronic and mobile methods of payments and as such, analyzing electronic data can help banking institutions predict economic activity and assess possible revisions to retail information (Bank of Canada Review, 2013).

This era sees leading financial services corporations tapping into big data and analytics in new ways to continuously transform their business.

But we are at an inflection point. The power of analytics has been widely used to generate timely insights. Banks are able to create a single, holistic view of each customer by analyzing transactions, real-time market feeds, customer-service records, correspondence, and social media posts. Analytics has also helped connect people with contextual information. When customers conduct daily transactions like online shopping, analytical systems are able to deliver relevant promotions by email and mobile alerts per the user’s preferences. Here, analytics is embedded within various customer channels, like internet and telephone banking, SMS

alerts, and branch offices, to help banks better understand clientele and reach non-customers.

Now, the challenge is not only about handling the volume and velocity of this information or delivering insights from it; rather, it’s how institutions ensure customer data is secure. Gaining new, deeper, and actionable insights into consumer behaviour can help dramatically reduce financial risks, increase operational efficiencies, enhance brand loyalty, and improve business outcomes.

Securing consumer dataIn a 2014 survey, security and fraud were found to be the centre of consumer focus.


BIg DaTa RePoRT

Concerns for how to better manage risk and security have both been steadily climbing – by more than 40 per cent when compared to the previous year (Kount, Mobile Payments and Fraud Survey: 2014 Report). With the rise in electronic payments, it is even more imperative that banks are better able to spot and mitigate online fraud and manage cyber threats.

We are witnessing huge advances in big data and analytic solutions that can push banking capabilities further to anticipate and avoid risks, provide near-real-time trend analysis, facilitate better planning, implement predictive analytics solutions that foresee

future customer behaviors, and identify potential outcomes.

For instance, effective analysis of big data provides incredible potential for enhancing risk management and avoiding costly losses. Unlocking data captured in operational and financial systems and coupling it with the right cloud and security capabilities can arm banks to identify and interrupt potentially fraudulent transactions. Data is analyzed rapidly and risk models are updated frequently.

With better risk analysis, organizations like insurance agencies can more effectively analyze years’ worth of structured and

unstructured data – from consumer behaviour to financial transactions – to prevent and detect areas like fraud. Fraud accounts for a significant portion of an insurance company’s losses. These organizations are using analytics solutions for big data to make better and more informed decisions to minimize risk exposure.

A U.S.-based property and casualty insurance company experienced an insurmountable amount of data pouring in from different transaction systems, like policy, claims, and finance. Its challenge was to transform this information into answers for critical business queries.

They implemented reports, scorecards, and dashboards to collect critical information from diverse systems, including underwriting, claims, billing, agency production, and safety management. Then by using analytics to sort through this information, the company was able to manage – among other things – risk selection while finding the right balance between risk and price.

Financial institutions can also incorporate counter fraud management. Analytical fraud models and rules are applied in business processes to help detect potentially fraudulent actions before unnecessary deposits, withdrawals, transfers, or payments take


BIg DaTa RePoRT

place. Insights derived from fraud analysis are applied to specific scenarios to help differentiate between unthreatening and legitimate concerns, while quickly preventing and responding to suspicious patterns and activities. Fraud intelligence can be turned into action as investigation into deep inquires from suspicious activity to support a collection of evidence and provide the thorough examination required to build more compelling cases for threats. Finally, by reviewing historical data, analytic capabilities can be leveraged to help users discover suspicious activity via specific patterns to identify individuals that might be conducting fraudulent activities.

Predictive analytics can help further assess future fraud activity by allowing banks to monitor suspicious transactions and help prevent fraudulent attempts. Content analytics technologies deliver a more complete view of information than what service bureaus or existing solutions can provide. As a result, financial institutions are able to combine information from multiple departments and data sources, where they can easily and more efficiently monitor and analyze areas such as social media, for rumours, deliberate misinformation, and fraudulent impersonations.

The future of banking and the effect on consumer data protectionFinancial organizations require instant awareness of potential threats in addition to extensive insights to help increase fraud

detection. Where businesses once used technology solutions to analyze historical data and identify broad trends based on limited information, the industry is now seeing cutting-edge technologies that enable banks to evaluate much more data from an extensive array of sources at incredible speeds.

Mobility is also revolutionizing the banking landscape. Devices like smartphones and tablets are available now more than ever before and are increasingly becoming significant sources for sharing and transferring data, making them more susceptible than traditional, stationary systems for attacks, loss, infection, or compromise.

With the explosive growth of mobile clients, financial organizations must be able to leverage vast amounts of new data and provide deeper real-time insight for greatest business impact – all while being deployed within a secure and resilient infrastructure, such as cloud.

The speed at which mobile technology is changing has created dangerous gaps in data protection. At the same time, addressing the increasing number and sophistication of cyber threats is becoming more and more challenging. For instance, account takeovers can occur while cybercriminals exploit mobile browsers and applications to access a victim’s account; attacks on mobile applications can arise, where hackers access sensitive information as soon as users download mobile apps, and cross-channel theft can transpire when methods of attack take place through multiple channels – like mobile

device and online websites – to complete fraudulent transactions.

New mobile technologies that are supplemented by big data and analytics can deliver a protective layer of security intelligence for correlating events across businesses while facilitating proactive responses. This will allow financial service companies to help prevent identity theft, reduce the risk of fraud and protect all types of critical data. Based on new insights generated from analytics, organizations can help secure content, applications, and transactions on mobile devices and provide trusted mobile interactions through customized and easily deployed applications that are managed and upgraded by cloud services with greater security.

In fact, we are beginning to see more mobile applications facilitate secure transactions using big data and analytics. These mobile applications can allow financial advisors to access and manage client portfolios, and gain insight from powerful predictive analytics with complete visibility to test recommendations with sophisticated modeling tools to complete secure transactions. Some applications also provide secure authorization to access client profiles and competitive analyses; gather analytics-driven insights to make personalized recommendations; and help complete secure transactions.

A new financial era Today’s financial service consumer is uber-connected and seeks convenient, 24/7

access to financial service sites and applications. This type of digital consumer is not going away. The next generation of banking solutions must be well-equipped to handle the explosive growth of increasingly digital consumers, leverage vast amounts of new data, provide deeper real-time insight at the point for greatest business impact, and protect sensitive transactions to minimize business risk and client exposure.

Combined with the efficiency, accuracy, and deep insight from data and cloud technologies, revolutionary developments like mobile are transforming the banking business in new ways. As such, this raises the potential risks for theft and fraud. Innovative technology capabilities that integrate big data and analytics can help banking corporations assess mobile threats in real time and detect high-risk devices, allowing financial services to strike a balance between risk and opportunity by greatly enhancing decision-making and create a next frontier in banking.

With more than 25 years’ experience in Information Technology consulting and solutions architecture, Andrew Higgins is Associate Partner and Canadian Payments Leader for the Financial Service Sector at IBM. Andrew is responsible for IBM’s go-to market strategy for Payments and the creation of the Payments competency in Canada. He manages the end-to-end delivery of large, complex technology transformation programs and has developed payments strategies, roadmaps and established long term payments transformation programs at multiple Canadian financial institutions.


BIg DaTa RePoRT

Banks turn to new technologies to Drive Customer engagementincreased adoption of new banking methods will be driven mainly by millennials

Canadian banking institutions are constantly faced with external

pressures, such as the rise of financial technology start-ups that are looking to disrupt every aspect of the banking industry. Improving the customer experience has become a central point of focus for Canada’s largest banking institutions. Across retail experiences, customers have come to expect personalized and seamless experiences and the big banks are turning their attention to online and mobile services to achieve this.

Yet while Canadian consumers are increasingly incorporating new technologies into their daily banking habits, non-traditional banking – mobile wallets, alternative payments, and peer to peer lending – has seen relatively slow consumer

adoption. However, recent research shows that swift change is on the horizon and these services will be pushed to the forefront of the banking agenda by a massive cohort of the population – millennials.

Millennials represent both the greatest challenge and the greatest growth potential for banks today. Classified as those born between 1980 and 1994, they are currently seven per cent larger than the baby boomer generation. As a demographic, they are now coming of age in terms of their economic strength and social influence.

The difficulty is that millennials have been characterized as having very little brand loyalty. In a recent survey, Google found that they are 1.5 times more likely to change banks compared with the general population. Many

millennials will switch banks to gain better mobile banking experiences.

Keeping this group ‘digitally happy’ will be a key factor in securing the loyalty of this important customer base. To achieve this, Canada’s banks are turning to sophisticated predictive analytics technology to gain a much richer picture and better understanding of this generation’s unique preferences and behaviour. These insights will allow them to tailor the delivery of new and emerging mobile services and offerings specifically for this group and, in turn, secure their loyalty.

Adoption of non-traditional banking services is on the rise There have already been sizeable investments in mobile and payment technologies, but in

By KeviN deveaU


BIg DaTa RePoRT

the race to own this space, complacency is not an option.

New research released by FICO in January 2015 shows that adoption of non-traditional banking services is on the rise. The survey which asked 908 banking customers in the U.S. about their current and projected use of non-traditional banking services, found that 18 per cent intend to use a mobile wallet in the next year, whereas just five per cent reported that they are currently using this service. Furthermore, 39 per cent expect to use an alternative payment service in the next year. This compares to only 21 per cent that said they currently use alternative payment services.

As we might expect, millennials are embracing alternative banking services in greater numbers than older generations. The FICO survey found that millennial respondents are twice as likely to use mobile wallet services compared with those over 35, and they are 10 times more likely to use peer-to-peer lending than baby boomers. Mobile payment services are no different. Fifty-six per cent of those between the ages of 18 and 24 report using or planning on using mobile payment services.

Canada is seeing similar trends. According to a recent report by the Canadian Bankers Association (CBA), Canadians are projecting that in the next 10 years there is going to be a reduction in the number of people that will be carrying cash. And, in the short term, the CBA projects a

marked increase in the number of Canadians using mobile banking, especially among younger Canadians. Recent data from the CBA has found that 31 per cent of Canadians are currently using mobile banking, an increase of five per cent from 2010.

Using analytics to drive the customer experienceThe knowledge that millennial banking customers are motivated by premium digital experiences in and of itself is not enough. New online and mobile services must now be created and delivered with unmatched levels of precision in order to succeed. By leveraging existing data and using analytics to garner insights, the banks can gain a sophisticated understanding of these customers and in turn create unique personalized experiences for each and every one. Banks, with their robust sets of customer data, are uniquely positioned to use leading-edge predictive analytics to unlock valuable information on customer preferences.

Using this technology, banks will be able to gain insight into the behaviour patterns of their customers and define the way they shop, pay their bills, and manage their finances. It is a matter of using big data and analytics technology to understand a customer’s needs and preferences, and delivering tailored offers and services will improve the overall customer experience. By consistently developing the right data-based interventions, banks will ensure that they

are maximizing their customer relationships.

Furthermore, capturing and analyzing data from the customer relationship will allow banks to make highly refined decisions about how to best allocate available customer exposure. They can use these advanced analytics to identify the best next action. Advanced analytics also prompt and orchestrate interactions to help ensure the bank is reaching out to customers when and how it should: sending notifications to a customer’s current address, for instance, or adjusting the interest rate being charged to existing customers to align with a lower rate being offered on the same product to new customers.

However, as new technologies and banking methods come into place, customer loyalty can’t be captured by a single low rate or special offer. Rather, customer trust, repeat business, and advocacy arise from the goodwill that banks amass over time. Banks earn it by delivering one excellent customer experience after another, while helping customers achieve financial goals and navigate financial challenges. They secure it by rewarding customer loyalty as the relationship endures and expands.

What this means for customers The millennial generation, as a whole, is quickly advancing towards their peak earning years – with some already in their 30s. Their gravitation to non-traditional banking

is an area to watch as the generation matures and as more new non-traditional products emerge. They are going to drive adoption of this product category in both the U.S. and Canada. For the banking industry to secure and keep customers within this demographic, service delivery and engagement must reach new levels of personalization and sophistication – at a level that can only be achieved by unleashing the value of customer data assets through analytics.

Kevin Deveau is Managing Director of FICO Canada and has held positions with the company since 2010. He has more than 30 years of experience providing information technology solutions to clients in the financial services, insurance, health care, retail and government sectors. Prior to joining FICO, Deveau was the chief operating officer for ICOD Inc., a provider of cloud-based business and technology solutions to the global financial services industry. He was instrumental in growing the small company from less than $500,000 to $15 million in annual revenue. FICO has been operating in Canada for more than 20 years. It is a leading analytics software company, helping businesses in 90+ countries make better decisions that drive higher levels of growth, profitability and customer satisfaction. The company’s ground-breaking use of Big Data and mathematical algorithms to predict consumer behavior has transformed entire industries. FICO provides analytics software and tools used across multiple industries to manage risk, fight fraud, build more profitable customer relationships, optimize operations and meet strict government regulations. Many of our products reach industry-wide adoption. These include the FICO® Score, the standard measure of consumer credit risk in the United States. FICO solutions leverage open-source standards and cloud computing to maximize flexibility, speed deployment and reduce costs. The company also helps millions of people manage their personal credit health. FICO: Make every decision count™. Learn more at www.fico.com.


BIg DaTa RePoRT

not Just analyticslarge-bank disappointment with Big data means big opportunities for vendors

Large banks’ attitudes about Big Data can be summed up in three

words: ambitious, disappointed, and funded. In Big Data, banks see a potential gold mine of insights about factors such as their risk profiles, prospects, customers, their preferences, and price sensitivities. The challenge for banks — and the opportunity for vendors — is in removing bottlenecks so that the banks’ Big Data machines can be fed. These findings are the result of an Aite Group survey of 141 large banking institutions in Q1 2014.

Big banks’ big data ambitions….In its findings, Aite Group sees Big Data broadly embraced by banks. Aite Group’s survey of banks indicates that 62 per cent have either always relied on Big Data in the form of technologies

otherwise named, or have started embracing it at least moderately (Figure 1). Big Data is just now being considered at 35 per cent of banks, and only three per cent stay away from this new analytics technology. Large banks are certainly ripe for the adoption of Big Data, as many of their data sets possess the “three Vs” traditionally used to define Big Data. Volume, variety, and velocity are all present, given banks’ large customer bases, the significant number of transactions completed per day, and the broad variety of ways in which banks interact with customers and complete transactions. Far more importantly, banks stand to make significant insights about their customers, products, exposures, and capital-related decisions by better examining their large and rapidly changing data sets.

… And ambivalenceEmbracing a technology such as Big Data is one thing. Deploying it successfully so that its benefits can be reaped is quite another, especially with a technology as complex as Big Data. Aite Group sees such a gap in the adoption of Big Data, with the result being an ambivalence that should be of concern to vendors. When Aite Group ranks the 52 technologies examined in its survey, its findings with regard to Big Data are interesting. On the one hand, Big Data is the technology for which banks are most likely to have a planned upward direction of spend. On the other hand, Big Data is also the technology most likely to invoke dissatisfaction among bankers. While the location of Big Data in a ‘sweet spot’ defined by high spend and high dissatisfaction may seem like good news to vendors, they

By david O’cONNell

Source: Aite Group’s global survey of banks with more than US$10 billion in assets, Q1 2014

Figure 1: Big Data

Q. Which of these statements do you agree with? (n=133)

My organization is just now considering big-data strategies 35%

30%

21%

11%

3%

My organization is embracing big data moderately

My organization is embracing big data aggressively

My organization has always relied a lot on big data, it was

My organization is staying away from big data


BIg DaTa RePoRT

should proceed with caution informed by the underlying causes of large banks’ Big Data ambivalence.

The Big Data roadmapBig Data isn’t just analytics. Like its predecessors, business intelligence and performance management, Big Data relies on data — and mounds of it — that can paint the whole picture of any given data point by virtue of its being highly governed, equipped with contextual metadata, and stored on hardware that enables calls and queries that can be completed in nanoseconds, not minutes. Unfortunately, such pristine data environments are quite a reach for banks, the vast majority of which are the net result of so many acquisitions and ad-hoc new business introductions. For if they are operationally an agglomeration of separate legal entities and businesses, their data sets are as well. In fact, data is a significant source of dissatisfaction for banks. Multichannel integration, data warehousing, data management, and core integration were all (along with Big Data itself) among the ten technologies most likely to invoke dissatisfaction among senior managers at large banks across the globe.

So, with regard to Big Data and banks, are vendors pitching a technology challenged by too many adoption barriers and for which there isn’t really a market? Hardly. But at banks, and especially within their wholesale operations, the large Big Data wins will be hard to come by, because these

institutions have more small data headaches than they have Big Data opportunities. In the navigation of this tricky set of selling conditions, there is only one route for Big Data vendors: they must first address large banks’ data challenges. For analytics vendors, such a win will not only eliminate a significant pain point for banks, it will also result in coveted incumbent status with banks. Though its evidence is anecdotal only, Aite Group, in its RFP consultations with banks, finds these institutions heavily favour incumbent vendors. In this preference, data is typically the primary driver; the more a vendor has proprietary access to an underlying data set, the more likely they are to win business by analyzing and monetizing that information.

Three Big-Data use casesDespite barriers to its adoption at large banks, Big Data has a number of valuable use cases which — despite the skepticism-inducing hype of Big Data — ought to be pursued. Included among them are:

Borrower next best •action. Banks should combine data from ratings agencies, their own interactions with borrowers, and borrower financial data to more rapidly detect changes — both favourable and unfavourable — in their borrowers’ credit worthiness. Given the nearly infinite amount of sentiment data that is available over the Web, banks’ annual review of their borrowers’ financial conditions based on quarterly financial

statements is looking like a rather blunt way for banks to manage credit risk. We see better risk management and reduced losses in a combination of payment related data, brand sentiment, tweets, and blogs that provides a more granular and more frequently refreshed assessment of each borrower’s financial condition.Customer next best •action. With so many channels for interacting with customers and selling their products, banks are notorious for providing customer-facing staff with only a partial picture of an in-flight transaction when a customer calls. Big Data, by combining the rapidly changing customer interaction records from branches, call centers, and online banking sites, can not only give customer service representatives a full picture of a customer and their in-flight transactions, it can also prompt staff to pitch a product — or merely thank them for their business — when a customer is most likely to be receptive to such an interaction.Small-business banking.• The granting of credit to small businesses has become a thorny issue for banks. In small-business banking, every loan, despite its size, requires almost as much underwriting as a middle-market loan; as a result, the business is extremely hard to scale profitably. But banks choosing not to lend to small businesses risk the perception that

they are not supporting their community, a real PR black eye. In small-business lending we see valuable Big Data opportunity. By using the technology to examine their small borrowers’ credit card receipts banks can, in nanoseconds, update their credit assessments. By combining these findings with Web-based sentiment, more finely grained insights can be achieved. For example, Web based sentiment can, with very little manual research, help a lender determine if a borrower’s drop in revenues is perhaps driven by operational issues, such as a supply-chain disruption, and therefore not a credit issue, or if it is due to deterioration in long-term fundamentals, which can impair credit worthiness.

David O’Connell is a senior analyst with Aite Group’s Wholesale Banking team, where his primary coverage area is analytics technologies, including business intelligence, performance management, and predictive analytics. Also among his areas of focus are analytics-enabling technologies such as data governance and data integration. He is also the author of Aite Group’s rapidly growing body of ROI-related capabilities, including customized ROI calculators, case studies, white papers, and sales force training. O’Connell began his career in commercial lending, holding roles in underwriting and relationship management; he first specialized in large syndicated facilities and later focused on loans to technology companies. Prior to joining Aite Group, he was an analyst at Nucleus Research, where he covered the analytics and workforce management spaces and was the author of a large body of ROI-related content. He has spoken at user events for a variety of vendors. Mr. O’Connell has written or contributed to articles published at Time Magazine, the American Bankers Association, Dow Jones Newswires, and the Global Association of Risk Professionals.


BIg DaTa RePoRT

By NaeeM siddiqi

The art of lending isn’t new – bankers have been using the same principles

of capacity, collateral, condition, and character to gauge credit worthiness for centuries. The idea is that these principles indicate whether a person is willing and able to pay back their loan, and if conditions and collaterals are necessary to help guarantee both of the above. About half a century ago, the advent of computers enabled the use of statistical algorithms to do the same. Since then, banks and other lenders have relied on predictive modeling techniques such as regression and decision trees to analyze repayment behavior and predict how likely a person is to pay back their loan.

In recent years the industry has been affected by two major changes (other than the regulatory changes, which aren’t trivial by any means) – namely

access to new data sources and ‘Big Data’.

For both originations and ongoing behavior scoring, most lenders have traditionally used data such as demographics, credit bureau information, payments and purchases with credit cards, and debit/credit transactions from checking/savings accounts to gauge credit risk. More recently, there has been keen interest in using social network data to do the same. Companies feel that the quality of people you know, the number of people you are connected to, and the professional affiliations you have are all indicative of your character, and hence your willingness to service your loans. In Canada, SAS Institute, in partnership with Transunion, has used Social Network Analysis to predict various types of fraud.

In addition to who you know, your character is also reflected by the tweets you send and

the comments you make in social forums like Facebook, for example. In one extreme case, an Asian lender even threatens to tell your friends if you miss your debt payments. In North America and most of Europe however, this is a path that mainstream lenders are treading with great care. In the U.S., using social media data is almost certain to run afoul of the Equal Credit Opportunity Act. In other countries, consumer protection laws, privacy acts, and reputational risk considerations usually stop the larger institutions from going down this path.

One alternate data source that does show promise is unstructured internal bank data such as collector or adjudicator notes. Text mining on such data can be used for several things including:

Better classifying override •reasons from adjudicator

BIG DATA BIG DATA

new Data, Big Data:The brave new world of analytics


BIg DaTa RePoRT

notes. Monitoring performance by reason can then be used to determine which ones are useful. Classifying occupations from •freeform text entered in the ‘other’ category (due to the limited pre-defined choices available for occupation on most banks’ application forms, between 60-80 per cent end up under the ‘other’ category).Identifying address •characteristics for potential fraud.Using collector notes to •build better collections models to predict who is most likely to repay their loan, or most likely to respond to a particular collections treatment.Using customer service •and collector notes to build models that will help in deciding whether a credit card holder should be allowed to go above their credit limit, or make purchases after they have missed payments.Building better rules and •models for fraud through analyzing lost/stolen credit card reports.

For the majority of lenders, the use of traditional structured data has produced adequate models thus far. But a bank looking for a competitive advantage should consider new untapped data sources. For collections, for example, this could mean the notes collectors make when talking to debtors. In the past, these notes have been inaccessible because of technology limitations and practical issues. The notes are freeform and contain many abbreviations,

code words, and internal jargon that require higher intelligence to decipher. However, technology has since improved to the point where text mining algorithms in software such as SAS Enterprise Miner can easily recognize the presence of certain words, and use the number of times they occur to better predict repayment behavior.

The algorithms work by first pre-processing text data into its constituent parts. This means separating out articles, prepositions and conjunctions, determining if a word is a common noun, adjective, adverb etc., identifying specific names of places, holidays products etc. and consolidating synonyms. It then uses different algorithms to determine how many times a certain word occurs and whether that has any relationship to increased likelihoods of events such as fraud or missed payments occurring. This data can then be combined with traditional structured data to build better models.

Each time you use your credit card, make a cell phone call, or click on a website, data is generated. Given the millions (and in some cases, billions) of such transactions, it’s easy to understand how banks, retailers, and phone companies end up with massive databases. This should help in two ways – the amount and depth of data collected should enable better models and analytics; and increased computing power should enable more frequent uses of such models.

A major caveat here is of

course, data quality. Data quality has a far bigger impact on model development and analytics than any other factor. Collecting large amounts of bad data only stretches the phrase ‘garbage in, garbage out’ to ‘big garbage in, big garbage out’.

Another consideration for the industry as a whole is the benefit of more processing power. In the past, collections scores were obtained monthly or bi-weekly at best. Monthly billing cycles for credit products led to credit scoring information being updated once a month. Due to a lack of computing power, banks were unable to score their entire customer base in one night, so the job was split up over a number of nights, so the scoring cycle took an entire month. With the advances in software and hardware technology around Big Data, these scores can now be produced en masse on a daily basis. There is no longer any reason for a bank to use month- or weeks-old intelligence when technology allows them to generate predictions in near real time. Better, more recent collections scores will allow collections strategies to be updated more frequently which should generate higher returns through better targeting of debtors with the appropriate collections strategy.

The same holds true for ongoing behavior scorecards for products such as credit cards. While many banks still use outdated behavior scores for their credit card authorizations and credit limit increase strategies, some banks now score their credit card

customers on a daily basis. Each customer’s score can change based on the purchases made on that particular day. Big Data also allows for such models to go further than previously possible. Retailers can use information on what customers are buying to gauge ongoing credit risk. Similarly, banks can use data on where their card holders are shopping. Information such as the types of merchants, geographical variety, and the frequency of shopping can increase the predictive power of behavior scorecards. Again, caveats similar to the case of using social network data apply here. While using where you shop in models may be considered acceptable, using what you buy may be far more controversial. Given the increased scrutiny over the loss of privacy and what may be seen as too much intrusion, lenders would be advised to consider these new techniques with caution. The idea that ‘correlation doesn’t necessarily mean causation’ would apply.

Technology has enabled us to become more efficient, but we would do well to remember what this is about – capacity, collateral, conditions, and character. While new sources of data and increased computing power has undoubtedly changed how we do things, it should not change what we do.

Naeem Siddiqi is the author of ‘Credit Risk Scorecards: Developing and Implementing Intelligent Credit Scoring’ (Wiley & Son, 2006), and has advised and trained bankers in more than 20 countries on the art and science of credit scoring. He is currently Global Product Lead for Banking Analytics Solutions at SAS Institute.


aSSoCIaTIon UPDaTe

aCt Canada: stakeholders driving payment evolution and digital identity

Are we doing things that affect you and your company? As always

there is a lot of activity. Our Customer Authentication and Mobile Strategic Leadership teams are well into their term mandates and members will soon receive the papers written during the prior term. Those papers will be available to the public six weeks later and will be posted on the www.actcda.com website. We are also about to launch a new Merchant SLT. For more information on the SLTs, please visit http://www.actcda.com/teams/strategic-leadership-teams.

Our annual plan has been written and approved by the board. This year we conducted a member survey and the results were used to ensure that we are focusing on the areas that are of the most value to the them. Mobile and innovation rated as key interests, so our annual Cardware program features both. We are also introducing webinars at their request. As a result of member feedback we have launched monthly bulletins that will include information on discounts we’ve arranged for our members at external conferences and events. It was very encouraging to hear

that members are pleased with the value provided by the association.

Earlier this year we submitted our ESD report to the International Standards Association (ISO). We asked them to review all card and chip standards related to ESD. It is our hope that a change to specifications will prevent other countries from experiencing the problems that occurred in Canada. We also published our Secure ID report and distributed it to governments and key stakeholders. It calls for all levels of government to increase the security of citizen IDs in the same way that financial institutions secured credit and debit cards with chip. This would reduce fraud and savings could be used to increase services and reduce taxes. Our third report, on the impact of contactless certification, has also been published. In each case, ACT Canada brought together stakeholders to advocate for action needed to improve the market.

We are in the planning stages for our fall awards ceremony. Last year we made two changes. We branded the awards as the IVIEs and held the ceremony in the fall. Because it sold out, we

are looking for a larger venue this year.

It has been a busy start to the year in terms of our participation in conferences around the world. We are often asked to speak about lessons learned in Canada related to payment. We are still speaking about EMV implementation and hope to see costly cross border fraud diminish as the US rolls our chip.

Data, big and small, is an area of interest for our members. Securing mobile and internet payment also ranks high. And, as always, driving revenue in this stage of an emerging market is a topic that is high on our list. All of this is on the Cardware 2015 program.

In other words, we are busy building and defending the markets that matter to more than 150 members. To do so, we draw on our 27 years of experience. Could we help you? Give us a call and we can talk about it.

Join our market shaping members to advance your goals.

ACT Canada Insights • Networking • Visibility Since 1989, ACT Canada has been internationally recognized as the stakeholder association that drives payment evolution and digital identity. Stakeholder dialogue drives profitable decisions. Join us. For information, please visit www.actcda.com.

By caTheriNe JOhNsTON

Securing Mobile Life.

Creating Confidence. Giesecke & Devrient offers a comprehensive range of payment products and solutions

based on the latest EMV, contactless and dual interface technologies. Our smart debit, credit and prepaid products are

available on a wide range of platforms based on secure and highly flexible operating systems. Alongside the comprehensive

portfolio of easily configurable card products and card solutions, we offer all services related to electronic payments

including m-commerce and transit. Our services include personalization, system integration, project management and

technical consulting from a single source. For more information, please visit: www.gi-de.com/ca


BanK oF CanaDa RePoRT

is Cash still King, and at What Cost?

By aNNeKe KOsse aNd aNgeliKa welTe

Business owners and consumers have a growing number

of options for completing transactions and each payment method comes with its own advantages, disadvantages, and associated costs. Understanding the evolution of the payment landscape, the reasons that motivate the use of payment methods, and the costs for completing transactions are objectives for several studies undertaken by the Bank of Canada. These research projects include the 2009 and 2013 Methods-of-Payment (MOP) Surveys that show how Canadian consumers are paying. The way consumers pay, however, is influenced by the acceptance of payment methods by retailers. One factor that affects their acceptance is the cost related to each payment method, and this will be explored in the upcoming ‘Retailer Survey’. So what are the key takeaways from this research program and what’s next?

How Canadians pay at the point of saleAccording to the recent Bank of Canada ‘2013 MOP Survey’, cash is the most popular way to pay at the point of sale in Canada – if your yardstick is the number of transactions. As shown in Figure 1, in 2013, 44 per cent of

all transactions were conducted in cash, followed by credit cards (31 per cent) and debit cards (21 per cent). In terms of transaction

value (Figure 2), the picture is entirely different. Credit cards take the biggest share at 46 per cent in total sales and debit

Source: 2013 Bank of Canada Methods-of-Payment Survey. Note: The table shows the proportion of the total number of transactions by method of payment. The results include transactions made at the point of sale, as well as person-to-person (P2P) and online payments. Recurrent bill payments (e.g., mortgage, rent) are excluded.

Figure 1: Use of payment methods in Canada

(in per cent of total number of transactions)

Figure 2: Use of payment methods in Canada

(in per cent of total sales)

Source: 2013 Bank of Canada Methods-of-Payment Survey. Note: The table shows the proportion of the total value of transactions by method of payment. The results include transactions made at the point of sale, as well as person-to-person (P2P) and online payments. The debit card shares include debit card cashbacks. Recurrent bill payments (e.g., mortgage, rent) are excluded.

2009

2013

0%

Cash

Contactless credit

Debit

Stored-value cards

Contactless debit Credit

Cheque

10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

2009

2013

0%

Cash

Contactless credit

Debit

Stored-value cards

Contactless debit Credit

Cheque

10% 20% 30% 40% 50% 60% 70% 80% 90% 100%


cards claim another 25 per cent, leaving about 23 per cent for cash. This shows that cash is popular for lower-value transactions, whereas cards are more often used for larger purchases.

These latest results represent a shift from 2009 when the Bank first conducted this MOP Survey. Overall, the use of cash in terms of numbers of transactions fell from 54 per cent to 44 per cent, and the number of debit card payments decreased from 26 per cent to 21 per cent. In contrast, credit cards gained further ground. In particular, contactless credit cards climbed from below one per cent in total transactions in 2009 to around six per cent in 2013. Prepaid cards issued by retailers and restaurant chains also doubled between 2009 and 2013 and are now used for three per cent of all purchases.

Payment choices differ by retail sectorThe 2013 MOP Survey confirms that payment choice depends heavily on the transaction location. The popularity of cash in terms of numbers of transactions is mainly driven by its use at grocery stores and restaurants, whereas credit cards are the more common choice in the gasoline segment. At general merchandise stores, cash, debit cards, and credit cards are used with similar frequency. In all industry segments, the value share of cash is considerably smaller than its share of transactions, again confirming consumers’ preferences for using cards for transactions of higher value.

Retailer size also plays an important role The 2013 MOP Survey added a new twist to help the Bank better understand the range of payments received by individual retailers. Survey participants recorded the names of the stores they visited in a three-day shopping diary. This allowed for an analysis of the purchases made at different types of retailers. The results show that consumers tend to use their payment cards more often at larger grocery and general merchandise stores than at their smaller counterparts. On the other hand, at fast food restaurants and coffee shops, cash is still king in the larger businesses, while at smaller establishments, credit cards are most popular. The larger restaurants and coffee shops also differ from their smaller counterparts in that they receive more contactless and prepaid card payments.

What are the costs of different payment methods? And why conduct a retailer cost study?The 2013 MOP Survey points towards interesting differences in payment patterns across industries and business sizes. To further understand these dynamics, the Bank is launching a new study to assess the acceptance and costs of payment methods from the perspective of retailers.

Retailers play an important part in the way consumers pay, since consumers prefer payment methods that are widely accepted. But what drives retailers to accept

a payment method? One reason is the desire to provide greater payment choice, and to attract a broad client base. Yet while retailers benefit from accommodating consumer preferences, they also incur costs for offering such choice. Some of these costs, such as transaction fees, are explicit to the retailer, while others, such as the labour costs associated with handling cash, are less obvious. These costs may affect retailers’ preferences and steer them away from some payment methods.

A retailer survey commissioned by the Bank in 20061 showed that the costs of accepting different payment methods varied by retailer and transaction value. Small stores with lower average transaction values viewed cash as less costly than cards, and therefore preferred cash to electronic payments. Since this survey was conducted, though, the Canadian payment landscape has changed significantly. Innovations such as contactless credit cards and mobile payments have joined the payment scene, adding to consumers’ and retailers’ choices. The adoption of a code of conduct has also changed the payment card industry. Since the effect of these changes on retailers is not known, the Bank is conducting a major study to measure how much it costs Canadian retailers to accept cash and other methods of payments.

Why should retailers participate in the study?The Retailer Cost Study is one part of the Bank’s larger Cost of Payments Study, which will

measure the total costs of cash, debit card, credit card and prepaid card payments in Canada. In 2015, the Bank will also study costs incurred by financial institutions and cash-in-transit companies. The Bank’s own costs for issuing Canadian bank notes will also be taken into account. Results, including those of the Retailer Cost Study, will be published in 2016 on the Bank’s website to encourage discussion on how to improve the cost efficiency of retail payments in Canada.

The Cost of Payments Study will shed light on the cost efficiency of cash in comparison to other payment methods and how the total costs are distributed along the payment chain. Previous central bank studies from Europe and Australia, for example, show credit cards are more costly to society than debit cards and cash. Two of the main reasons are the higher fraud prevention costs and longer tender times of credit card payments. Most of these costs are borne by financial institutions and retailers. These studies also demonstrate that cash is the lowest-cost payment method for low-value transactions, while debit cards are cheapest for transactions of higher values. In the main, this is because higher value cash transactions mean a larger number of bank notes and coins must be exchanged, giving rise to higher cash handling and safeguarding costs. By contrast, most of the costs related to debit cards, such as processing costs, do not depend on the size of the transaction.

The Bank’s Cost of Payments




Study will help determine whether similar conclusions can be drawn for Canada. The results will shed light on where retailers and other participants could potentially reduce their costs, and on how the overall cost efficiency of the Canadian payment system may be improved. Also, advances in technology and new business models are expected to result in continued payment innovations. The results of the Retailer Cost Study and the Cost of Payments Study will help the Bank further understand the acceptance and use of these different payment methods. In particular, the Bank will have a clearer view of the future demand for cash and how to

continue efficiently meeting that demand.

What’s next? Starting in the spring of 2015, the Bank will mail the Retailer Cost Study questionnaire to 1,000 to 1,500 thousands randomly-selected retailers in Canada. The questions relate to costs incurred by retailers, such as fees paid to banks and payment acquirers, HR costs related to transaction processing times, and costs for payment terminals and other equipment. To ensure that the results accurately reflect the costs incurred by the Canadian retail sector, participation by retailers representing a range of business sizes, sectors and regions will be sought.

Therefore, the Bank encourages all contacted retailers to participate, either by filling out the paper questionnaire or by completing it online. The Bank will provide all retailers who complete the questionnaire with the results of the Retailer Cost Study, and, if desired, a more detailed report outlining costs by sector, size and geographic location. These reports will be useful for retailers seeking to reduce costs or to make decisions about accepting particular payment methods. Any retailer who would like to participate can send an e-mail to Anneke Kosse ([email protected]) or Angelika Welte ([email protected]).

Anneke Kosse is a principal researcher at the Bank of Canada and leading the Cost of Payments Study. She has been seconded from the Central Bank of the Netherlands (De Nederlandsche Bank, DNB), where she was responsible for conducting research and providing policy advice in the field of retail payments. Specifically, her research and policy activities focused on better understanding consumers’ and retailers’ payment behaviour and on how the efficiency and safety of retail payments could further be increased.

Angelika Welte has been a member of the Bank of Canada Currency Economic Research and Analysis team since 2011. She holds a doctorate in Mathematics from the University of Ottawa and a Master’s degree in Economics at Carleton University. Her research interests include payments systems, econometrics, industrial organization and monetary policy.

1 Carlos Arango & Varya Taylor, 2008, “Merchants’ Costs of Accepting Means of Payment: Is Cash the Least Costly?,” Bank of Canada Review, Bank of Canada, vol. 2008 (Winter), pages 17-25.

WOMEN IN PAYMENTSTM

SYMPOSIUM 2015

SEPTEMBER 15 & 16

SAVE THE DATES!New this year: Join us at an exciting Awards Dinner on September 15! Award nominations open until June 15

See womeninpayments.org for program and other information

FRaUDS U P P l e M e n T

InS

IDe Reducing Fraud •

in a Mobile World

Combatting Fraud •as the Market evolves

airline and Travel •Rewards Fraud

SPONSORED BY


FRaUD SUPPleMenT

Reducing Fraud in a Mobile WorldMobile payments have awakened security concerns from consumers and merchants alike …

By KareN cOx

Mobile devices are the tools we rely on most to keep pace in a world that is constantly on the move. In addition to keeping

us connected and informed, these devices help manage important aspects of our lives, including everything from our careers and finances to our health. It comes as no surprise that over 62 per cent of Canadians are now reported to own at least one smartphone or tablet.1 Consumer appetite for greater usability has given rise to the mobile payments phenomenon, with many heralding the mobile phone as the next leading transaction platform.

The term ‘mobile payment’ is used interchangeably to refer to consumers using their mobile devices to make a payment (replacing the traditional plastic credit card), or to refer to merchants who use their mobile device to accept a payment (replacing the traditional point-of-sale terminal).

Like any new payment technology, mobile payments have awakened security concerns from consumers and merchants alike. Nearly all new smartphones are being equipped with hardware that facilitates mobile payments, as well as built-in security features, such as the secure element and biometric sensors. Even so, ‘security concerns’ are cited as the number one reason for consumers’ reluctance to embrace the technology in spite of its proven benefits.

In Canada, the ubiquity of EMV chip and PIN (Personal Identification Number) at the physical point-of-sale has greatly reduced rates of in-store fraud. EMV is a global standard that ensures the

interoperability of chip cards in authenticating credit and debit card transactions. The ‘chip’ is actually an integrated circuit that stores sensitive payment data and generates a unique code for each transaction, making it nearly impossible for fraudsters to produce counterfeit cards. The requirement for EMV cardholders to enter a PIN in place of a signature has greatly reduced the incidence of lost/stolen and counterfeit fraud. However, EMV alone does not prevent online and card-not-present fraud, or the security issues that contributed to last year’s highly publicized data breaches.

Payment fraud follows predictable patterns, migrating to new and emerging payment technologies that typically lack stringent security controls. The widespread implementation of EMV within physical environments has redirected the attention of fraudsters to online and mobile payment channels. Mobile commerce is an attractive option simply based on the number of acceptance avenues it opens up and the customer inputs required. Apple Pay has recently come under fire for fraud related to the registration of lost and stolen cards. Failures in any part of the mobile payment process – in this case, card enrollment – is a failure of the entire system.

When consumers use their mobile devices to make purchases online or in-store, payment card information is transmitted via contactless EMV or an identifier that stores their payment information elsewhere and retrieves it to complete the sale. To enhance the security of mobile payments, we need to utilize all of today’s known technology for fraud prevention.


FRaUD SUPPleMenT

NFC in face-to-faceNear Field Communications (NFC) is a wireless communication protocol that sends data between devices in close proximity. It is inherently secure by virtue of its extremely short range and sensitive signals that are difficult to intercept and the use of Contactless EMV technology.

HCE: How to bypass the secure element securelyHCE (host card emulation) leverages highly secure software available on many Android smartphones. Payment credentials are not stored on the phone, rather in a secure remote server. Typically, the phone fetches tokens representing the payment credentials and the HCE software presents these tokens to a contactless-accepting point-of-sale terminal.

Credentials stored in the cloudToday, there are many remote systems that securely store payment credentials in the cloud. Instead of sending sensitive payment information to mobile devices, these cloud storage systems issue tokens that represent a consumer’s account details. A token does not include the original 16-digit credit card number. Furthermore, tokens typically expire after they have been used to make a payment and are invalidated if misused.

BLE: Where will Bluetooth emerge?BLE (Bluetooth low energy) is the technology that drives proximity beacons, otherwise known as in-store beacons. As a mobile device comes into close range of a BLE beacon, applications on that device can be activated (as long as the phone’s owner has explicitly opted-in). For example, a merchant may send a time-limited coupon to shoppers passing by the store’s entrance. While it’s unlikely that BLE will be leveraged to send and receive payment transactions, BLE has the potential to become a formidable marketing tool.

Biometrics: Adding a layer to consumer authenticationBiometric authentication has been used for nearly a decade as a reliable and accurate identification platform in industries such

as healthcare, government, and law enforcement. Mobile biometrics is a technology that measures and analyzes biometric characteristics to authenticate mobile device users prior to the transaction taking place.

The secure elementThe secure element is a special, segregated chip within smart phones that provides a secure storage and execution environment to run payment applications. The data stored on the secure element never makes its way onto the phone’s software. Even if there was an attack on the operating system (software), there would be no way to extract any cardholder information stored on the secure element (hardware).

Secure hardware as the entry pointIn the case of transactions made with smartphones at chip and PIN enabled terminals, there must be a traditionally secured peripheral device to read the card, enter the PIN and transmit encrypted data through the phone application.

End to end encryption End-to-end encryption takes place in the secure hardware at the point of card entry, and locks the data until it arrives safely at the processor for authorization.

TokenizationTokenization eliminates the need to store a card number for any purpose. Instead of transferring payment information with each transaction, tokenization replaces it with a randomly generated number, rendering it a useless target for hackers or fraudsters. The real card number is stored securely in the processor’s systems and translated only once it reaches the payment network. Tokenization is effective against data counterfeiting and data breaches, but does not prevent enrollment fraud as seen with Apple Pay.

Although mobile commerce is growing more rapidly than other payment channels, it still represents only a small fraction of gross retail sales. Consumer response to using mobile devices for in-store purchases has been limited to early adopters, with

stronger uptake in mobile purchases being made while browsing the Internet. In-app mobile purchase is also growing. Apple Pay has given this emerging form of mobile payment a big push and the technology can easily be leveraged by retailers to build iOS applications that accept Apple Pay payments.

Validating consumer identity with existing card brand programs, geo-location, and velocity checking are all best practices that can be used to combat mobile fraud. In addition, we are seeing public announcements from the card brands to invest in incorporating biometrics into their programs.

For mobile payments to be secure, strong authentication measures (binding the mobile device’s owner to payment authorization) must be combined with the protection of sensitive payment data. All parties in the payment chain – issuers, networks, acquirers, and merchants – need to work together to make this happen. A multi-faceted approach to security will foster the higher level of consumer trust needed to drive mainstream adoption of mobile payments, and enable merchants to make the most out of their mobile sales channels.

As Vice-President of Payments and Retail Solutions at Moneris Solutions, Ms. Cox oversees Moneris’ product delivery and end-to-end processing technologies across all merchant segments. Ms. Cox joined Moneris in 2000, following operational roles with the Bank of Montreal. She has held responsibilities for new product introduction and system deliveries for integration into the business. In 2005, Ms. Cox became Moneris’ director of new market solutions and led the delivery of analytics for new market opportunities. As director of POS devices and merchant certification, Ms. Cox brought new POS technologies to market and led consulting initiatives as the payment industry underwent tremendous change. Ms. Cox uses her extensive knowledge of the technical, operational, and regulatory drivers of the industry to introduce optimized solutions and process engineering avenues to clients. Over the course of her 20 year tenure, Ms. Cox played key roles in the development of Moneris’ major brand programs, including EMV, NFC and mobile enablement. She currently sits on the Board of Advisors of Advanced Card Technologies (ACT) Canada and acts as a Technical Associate Member at EMVCo.

1. The Canadian Radio-television and Telecommunications Commission, 2014 Communications Monitoring Report.


FRaUD SUPPleMenT

Combatting Fraud as the Market Evolvesprotecting sensitive information from cyberattack

By rONeN MOrecKi

The evolution of fraudCyberattacks are not a new threat, yet the rise in high-profile hacking cases has merchants rightfully concerned about fraud and their ability to protect their own interests as well as their customers’ sensitive payment information. While no merchant is entirely immune, there are a number of ways merchants of all sizes and verticals can combat fraud and prevent it from impacting their business and customer loyalty. To prepare for and prevent fraud, merchants must be aware of the factors that increase risk, integrate technology capable of detecting anomalous activity, and address the specific problems contributing to fraud within their businesses.

Awareness: pinpoint the problemsAs with most problems, the first step towards a solution is identifying the precise cause of the fraud. The number of vulnerabilities a merchant faces is infinite and constantly evolving, so I will focus on the three threats that I see as most relevant to merchants today – user experience, global reach, and social networking.

User experienceProviding the best user experience is of primary concern to every retailer, but enhancing the security of one’s offering often comes at the expense of a pristine experience. Uber, for instance, has argued that even simple two-factor authentication negatively affects its conversion rate. The more personal details a customer is required to provide at the onset of a payment, the more secure the transaction. However, were retailers to require such time-consuming information input, it would destroy the user experience, drive most shoppers to

abandon before checkout, and discourage return visits to the site.

Global reachThe second major challenge facing retailers today is their global reach. Secure e-commerce is much easier to attain when transacting within one’s own borders, but considering the massive revenue potential of global Internet retailing, merchants are opting to sell abroad despite the risks. Often, merchants are unaware that each country has its own payment methods and banking systems, and that the fraud mitigation methods that work in one’s home nation may not apply to other regions.

Social networkingFinally, retailers are faced with the challenge of protecting consumers who themselves are unwittingly enabling fraudster activity through their social networking behaviors. Today’s consumers are so comfortable sharing personal information over social media that they do not realize that the details they post can be found and maliciously used by fraudsters. An experienced fraudster can scan social media profiles and easily find information like a user’s address, maiden name, living situation, and daily schedule – all details that can be used to commit fraud.

Merchants can hardly expect to control what their customers share about themselves online, but are still burdened with the task of identifying fraudulent activity. Luckily, many technologies have been developed to enable retailers to detect fraud in cases like these. As fraudsters become more sophisticated and the opportunities for fraud more prevalent, retailers must prepare themselves to combat these new challenges by learning about


FRaUD SUPPleMenT

and choosing the right tools to detect and prevent fraud.

Detection: choose the right fraud detectorEvery worthwhile fraud detection tool is based on four detection algorithms that, working together, achieve the best results. Each practice on its own can be effective, but only to a certain degree. The benefit of relying on multiple fraud detection practices is that, by cross-referencing the transactions identified as fraud by each algorithm, the system can more accurately distinguish between true fraud and false positives.

Although the algorithms discussed here can be used by any business, each will define rules differently based on the nature of the business (i.e. whether it only sells over mobile channels or across all channels; whether its transaction amounts are high or low; whether its products are virtual or physical). By customizing these four algorithms, merchants can better meet the unique needs of their business and mitigate fraud without impacting business activities.

Static rulesThe first type of test your detector should rely on is static rules – defined rules that detect and decline fraudulent charges across the board. This can mean automatically flagging large payments from certain countries or major transactions made at specific hours of the day or night. Using these rules, the fraud detection engine can define the degree to which an activity is risky and react accordingly.

Behavioral enginesBehavioral engines are sets of dynamic rules that a detector creates for specific users. Once the fraud detection tool creates the user profile, it can detect when the user displays anomalous behavior. For instance, if a specific user has been buying merchandise for his or her business from a single IP address, but suddenly initiates a transaction from a different IP address or country than usual, the fraud detector will flag the transaction as potentially fraudulent.

Device fingerprintingAnother important parameter leveraged by fraud detection tools is device fingerprinting, a means by which recognized devices associated with previous purchases are used to authenticate user identity and prevent fraud. Once a device proves trustworthy, the fraud detection service will identify the device as reliable in future cases. By the same token, devices regarded as suspicious or which have yet to be used by the specific user will be regarded with caution and flagged as potentially fraudulent.

Cross-network referencingThe last algorithm leveraged by fraud tools is cross-network referencing, which is based on the idea that the fraudulent activity observed in one merchant’s interactions can help protect other businesses using the same anti-fraud technology, even if they offer a completely different service and have an entirely different customer base.

For example, if a fraud detection tool is used by both a fashion retailer and a technology provider, it can use information gleaned from the fashion retailer’s interactions to protect the technology provider. If a particular IP address is associated with fraud for one retailer in the network, for instance, the fraud detector will protect other customers in its network against attacks or requests from that IP address.

Solution: implement prevention strategiesIn addition to integrating the proper technology to ward off fraud, there are simple solutions merchants can implement to address the previously discussed issues of user experience, globalization, and social networking. For instance, while retailers cannot make excessive demands of customers in order to authenticate their identities, they can implement secure multi-factor authentication protocols and further secure these processes with tokenization. Apple Pay, for example, uses tokenization technology to streamline customer authentication and purchasing

without harming the security of the transaction. With tokenization, no credit card information is stored on the device. Instead, the technology generates a single-use, sixteen digit number for each transaction. Since only the credit card network can trace the transaction back to the corresponding account, the sixteen digit code is useless to fraudsters.

Similarly, cross-border merchants can protect their customers by establishing relationships with acquirers and e-wallets in each region where they want to conduct business. This will ensure that they comply with the security features, risks, and payment standards of the regions within which they operate.

Finally, merchants should integrate risk management solutions that mitigate and evaluate risk for suspicious transactions. Companies like Riskified use various algorithms and fraud detection methods (including static rules, behavioral engines, device fingerprinting, and cross-network referencing, among others) to identify questionable orders, provide merchants with recommendations regarding whether to approve or decline each transaction, and cover the chargeback fee for any fraudulent charges they fail to identify.

Adaptability: the ultimate protective measureWhile there is no one security vendor that can solve all the problems retailers face today, awareness about the factors contributing to fraud, the solutions available to protect against it and easily implementable strategies for reducing risk are necessary for securing payment processes for both the retailer and the consumer. Merchants must be not only vigilant, but flexible and willing to evolve with security developments over time in order to provide the utmost protection for themselves and their customers.

Ronen Morecki is CTO and co-founder of Zooz. He has more than 12 years experience in the software industry as a business, operation, and engineering manager. He specializes in enterprise applications and platforms, as well as web security and fraud detection. His experience ranges from startup companies to large enterprise software companies.


FRaUD SUPPleMenT

Airline and Travel Rewards Fraudsafeguarding valuable loyalty miles/points transactions from hackers and online fraudsters

By KrisTiaN gJerdiNg

All too frequently, headlines alert the digital world to yet another hack of a credit card company, a major retailer, or a banking

system with unfortunate but predictable results – consumers’ personal information compromised, tens of millions of dollars in potential losses, and another security lapse at yet another big company.

Add to the growing of potential targets for online fraud – loyalty programs, especially airlines and their billions or trillions of unredeemed passenger miles, and the travel industry’s valuable loyalty points and rewards, all of which are stored in the digital realm. Unscrupulous operators have already proven they know how to commit what’s known as ‘loyalty fraud’, with the Hilton HHonors® rewards program a recent target in early November.

The sheer number and value of loyalty program currencies mean that potentially large sources of revenue – as well as the trust that consumers place in their airline, hotel, and retail loyalty programs – are at risk.

How common is loyalty fraud?Considered a gray area of the broader online fraud landscape, loyalty fraud is a recent and growing phenomenon, according to some surveys, with potentially billions of dollars at stake. According to an Airline Information Survey, 72 per cent of airline loyalty programs have experienced an issue with fraud, and 30 per cent say it is growing rapidly each year. Worldwide, more than 70 frequent flyer programs have about 300 million members, according to ‘Consumer Reports’.

For airlines and other travel rewards programs, the financial consequences are potentially huge. A 2014 IdeaWorks projection shows annual airline revenue from frequent flyer miles at $21.4 billion, meaning airlines’ unredeemed miles are a value-laden asset. In 2011, a Colloquy study identified $16 billion in unredeemed rewards and travel miles each year. By other estimates, up to 24 trillion frequent flyer miles are unredeemed today, representing potentially billions in value.


FRaUD SUPPleMenT

Why are loyalty programs so vulnerable?Passengers’ unused frequent flyer miles and travelers’ loyalty program rewards/points are lucrative targets that can be manipulated digitally and sold for profit. Miles and points can be stolen, acquired, and transferred illegally, purchased for cash, pooled in fictitious accounts and converted into tickets, gift cards, and other currencies that are sold at far below the market value of the ill-gotten miles and rewards.

In November’s Hilton cyber-attack, for example, members’ four-digit PINs were hacked by scammers who sold off the stolen rewards cheaply for gift cards, phones, and electronic devices, hotel stays, airline tickets, even Bitcoins (833,000 hotel points, for example, became $20 in Bitcoins).

The impact to frequent flyers and program members is usually immediate. After spending months and years building up their miles and points for a family vacation, exotic trip, or second honeymoon, they might find a ‘0’ balance the next time they log into their account.

For chief financial officers, revenue managers, and loyalty programs, the consequences are even deeper and potentially more damaging.

If loyalty fraud happened to your airline or loyalty program today:

Are the critical account profiling and •risk analysis solutions in place to detect suspicious financial or rewards transactions in real time? Can internal investigators be alerted •quickly to a potentially major breach?Are step-checks in place that can •temporarily halt questionable transactions until the member/owner confirms it as legitimate?Does the sign-up process require •complex passwords that are less vulnerable to hacks?How can flyers and members be assured •that their points/rewards are safe, and that their online and digital interactions with the program/company are not vulnerable to similar attacks?

Understanding, mitigating loyalty fraudSo how does loyalty fraud occur, and what can airlines and travel rewards programs do to mitigate it? Some common fraud-related scenarios for airline miles and travel rewards programs include:

Criminals hack into members’ accounts to •steal airline miles, create fictitious accounts to accumulate the stolen miles, and then turn the illegally acquired miles into tickets or other merchandise, which they sell for cash at far below market valueNon-members try to access accounts •and redeem miles they do not own Online brokers buy unwanted miles from •members and sell them for cash to other interested buyers, also often at far less than market valueEmployees steal or manipulate miles/•rewards for themselves or othersMembers try to accrue miles/rewards to •which they are not entitled

The retail losses experienced by Target ($450 million in 2013), Home Depot ($2 to 3 billion in 2014) and Sony PlayStation Network ($171 million in 2011) from earlier hacks do not have to happen to airline or travel loyalty programs, especially if executives, managers, IT departments, and mobile payments managers implement the needed digital solutions and checks-balances to identify and halt fraud quickly.

Frequent flyer miles and travel rewards need to be protected and monitored by the same behind-the-scenes platforms and solutions that handle billions of mobile payments and digital transactions each day. This is particularly true as travelers worldwide increasingly use mobile/digital devices – cell phones, smartphones, and tablets – to track, manage, and redeem their travel plans, miles, and rewards.

Checks, balances, profile data, and verificationFinance managers need to implement for loyalty accounts the same kinds of security given to bank accounts, because the value of the points/miles they contain is both substantial and vulnerable.

Typically, fraud mitigation solutions

are built on data derived from both the frequent flyer/rewards program and from the members’ digital-channel behavior or transactions. When stored and combined securely, these data points creating a comprehensive passenger profile and audit trail based on contact info, mobile number, account number and activity, transactions, preferences, and other key metrics.

Technology platforms with built-in rule sets then use the profile to monitor members’ transactions for the kinds of suspicious or questionable activities commonly linked to loyalty fraud, such as change-of-address requests, activity from non-account phone numbers or email addresses, or transactions involving unusually large amounts of miles/points

Once real-time suspicious activity is detected, a series of step-checks can halt or delay transactions until their veracity can be confirmed, including multifactor authentication (one-time passwords) or other verification procedures. Legitimate transactions are allowed to proceed, and those that remain questionable are referred for manual investigation and follow-up.

The goals of a fraud mitigation program are simple. For airlines and travel programs, fraud prevention provides built-in safeguards that protect a financially valuable part of the business from unscrupulous activity, potentially large financial losses and eroded margins.

And for frequent flyers and loyalty program members, a fraud prevention program helps maintain and bolster the trusted sense that their valuable and aspirational miles and points are safe and will remain so.

None of those assurance can materialize, however, unless the checks and balances involved in loyalty fraud prevention are in place today. Because the next hack might be launching right now… .

Kristian Gjerding is CEO of CellPoint Mobile, a technology solutions firm that enables mobile payments and digital transactions for clients worldwide. Gjerding has shaped the digital payment environment through his work with best-practice and standards groups at airline and trade organizations around the world. Before joining CPM, he served in senior executive roles covering technology, wireless and mobile payments at StorageTek, Sun Microsystems, Amdahl, Network Appliance, and OIS. www.cellpointmobile.com or [email protected]


SeRvICe DIReCToRy

To learn more call Paul DeRosse, Senior Vice President, Sales at 905.530.2351 or visit www.apriva.com.

SECURE DEVICES | RELIABLE SERVICE | EXCEPTIONAL SUPPORTApriva is North America’s Leading Wireless Gateway.

SECURE PAyMENT SOLUTiONSEMV & NFC CONSULTiNG

CARD MANUFACTURES PRiNT & MAiLiNG

iNTEGRATED PAyMENTS SOLUTiONS

Secure Solutions for Payment & Identification

Toll Free: 1-800-387-9794 www.gi-de.com

Since 1852, G&D has been an integral partner that is solutions orientated and trusted by banks, governments and carriers. Our solutions are founded on trust, integrity and the creation of value through Confidence.• Contact, Contactless and Dual-Interface Smart Cards • Mobile Payment • On-line Secure Authentication • Enhanced Card Identification

Integrated PaymentSolutions and Services

www.everlink.caToll Free: 1.866.388.0076

One of the most advanced and reliable payment delivery solutions

in financial services technology.

see youR company name heReContact Mark Henry - [email protected] x 223

905.670.48381.888.503.4528

Guarantee your

liquidity

CMS PRINTING SERVICE.For all your printing needs.

Call 416-755-7761 ext. [email protected]

NEW LOWER PRICING!!!

Talk to Your Target Market.Advertise today contact Mark Henry, [email protected]


TeChnology UPDaTe

small Data – Risks and Rewards“we are perched on the edge of a new phase which will change our lives and the world …”

By caTheriNe JOhNsTON We are on the edge of what future historians will term a new ‘age’

in keeping with the Bronze and Iron Ages. It will be compared to the industrial revolution. I don’t know what they will call it, but for now let’s refer to it as the Digital Age.

It’s fair to say that we have been in it for quite a while, in fact since the advent of computers and even more so with the Internet. But now we are perched on the edge of a new phase which will change our lives and the world. It has to do with the amount of data that will soon be available about us and how that data is used. Some people say that everything about us is already known, but that isn’t true. Very few people know whether I ate dinner last night or how long I slept, but the Internet of Things (IoT) could soon make that information available.

Small data and the internet of ThingsAccording to Wikipedia “The Internet of Things is the

network of physical objects or ‘things’ embedded with electronics, software, sensors, and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator, and/or other connected devices.” Simply put, it is connecting everyday items to the internet, not just computers and phones.

The example that we often hear about is food. How often have you had to throw out food because it spoiled before its ‘best by’ date. Imagine a carton of milk with a smart chip or film that can monitor the milk’s temperature from the time it was put into the carton. When the grocer receives the milk and when you buy it, you can see that it has always been stored at the right temperature and you can safely assume that it will be good for the time you need it. Now, imagine that is true of all the packaged food that you buy. Let’s take it one step further. The chip or film can also monitor weight, not just temperature. This means it knows when an

item is being used up. Because your refrigerator will also be internet enabled, it can read the data and alert you that certain foods are spoiling or running out. Kitchen cupboards could do the same. Your microwave could read instructions from a chip or film on pre-packaged meals so that you don’t have to program the microwave. There are lightbulbs available today that are internet enabled. They are capable of changing hue and reacting to music.

By connecting things to the internet you can remotely turn them on or off or adjust them. This capability is used by many people today.

Cars, buses, and other modes of transportation can offer better service when they provide data about their operations and usage. Imagine the benefits in the healthcare field.

The upside is that we can enjoy countless benefits as an estimated 25 to 50 billion devices become internet enabled between now and 2020. Each device generates small pieces of


TeChnology UPDaTe

data. As with all innovation, care needs to be taken to ensure that the benefits outweigh potential risks.

Risky business?In spite of what some people have posted on their Facebook pages, most of us have a strong desire to protect our privacy. If we look at small data and the Internet of Things, the privacy principle that we need to focus on is inference. Simply put, inference is when you take two or more pieces of information and use them to arrive at an assumption. If someone knows that I have a credit card issued by a local store, they can infer that I shop there. Harmless – right? If someone knows that I go to the liquor store everyday they may infer that I drink – a lot, but what if I go there because I have a part time job taking inventory.

You might ask what this has to do with the small pieces of data that IoT generates. Let’s look at a hypothetical example.

Via the Internet, you can •unlock your door to let in tradespeople and the door records information.Your refrigerator monitors •much of its contents, as well as its own temperature. For that reason, it records when the door is open and how that affects the temperature.Your kitchen garbage pail •monitors the growth of any bacteria. That requires it to monitor temperature and that is affected by the lid being opened.Your light bulbs monitor •the amount of energy used by tracking how long they are on.Your liquor bottles monitor •

temperature to ensure that the product is at its best and also monitor to ensure that no-one has substituted the original contents.Your microwave and your •stove monitor when you use them.Your wearable health •monitor records how well you sleep each night.Your car has many functions •that can be controlled remotely, using IoT data.

Every one of these has distinct benefits and all but one is available today. (I’m sure that someone is working on the garbage pail.) The data generated by each poses little risk to privacy. That is, until you think about what can be inferred from the data when it is aggregated. Let’s continue with the example.

You come home early – 5 •pm instead of your normal 8 pm.You slam the door behind •you.You take nothing out of the •refrigerator, cook nothing in the stove or microwave, and put nothing in the garbage.You have two drinks of •scotch.Your bedroom lights stay on •all night.Your health monitor says •you didn’t go to sleep until 5 am.

One could reasonably infer that you had a very bad night and that the lack of food and sleep when combined with your body weight and two drinks now makes you unfit to drive.

Here is the real story.You came home early •because the school called

to say that your child was ill and being sent home.The door slammed because •you left a window open and a breeze caught it.You brought home a pizza •knowing that you wouldn’t have time to cook and the empty box was left on the countertop.Your child was ill and didn’t •get to sleep until 4 am.You were frazzled and had •two drinks to help you relax so that you could sleep and then you fell asleep with the lights on.

You did have a bad night, but you did eat, are not hung over, and you can safely drive. That’s a good thing because your child needs to go to the hospital. Unfortunately, your car was remotely disabled because it was assumed that you were unfit to drive.

Mitigating risks to reap rewardsWe can have the best of both worlds – data and privacy. I know because I’ve seen it work here in Ontario, Canada. When the 407 toll road opened there was concern that if the government knew where you entered the road, where you exited, and how long you were on it, they could also calculate how fast you were driving. If it was determined that you were speeding, they could send you a ticket. But that didn’t happen, thanks to privacy legislation.

One of the core foundations of privacy legislation around the world is that you cannot use data for unauthorized uses that are secondary to the purpose for which you collected it.

If that rule is clear…•If the rule is consistent •across borders…If the penalties for breaking •the rule are substantive and appropriate…If the rule is seen to be •enforced…

then the country where the violation takes place should have jurisdiction to enforce the rule. Although there has been much debate about jurisdiction related to Internet crime, in the physical world the matter is much clearer and could apply.

Security and ioTIn addition to a focus on privacy, we also need to think about security. When cars, power plants, hospital equipment, doors, and countless other items can be remotely controlled, how much more security will we need? I’m comforted by the fact that this question is being asked in the corner offices of the very companies building these IoT products.

The bottom lineOne thing is frighteningly clear. The amount of data that will be generated will have significant value, making it a target. We cannot afford a wait and see attitude. We need to demand privacy protection and robust security, loudly and persistently. Each of us has both the opportunity and responsibility for ensuring that the Digital Age is golden.

Catherine Johnston is President and CEO of ACT Canada stakeholders driving the evolution of payment and digital identity. Ca/linkedin.com/in/catherinejohnstonact www.actcda.com

Want to know more about your card programs?Do you issue fl eet cards? Manage transactions?

Is it vital to keep on top of technology which affects your mobile solutions?

Sign up NOW for a free subscription to Payments Business magazine.

Visit our website at www.paymentsbusiness.ca and learn more about the magazine

Payments Business is a Lloydmedia, Inc publication. Lloydmedia also publishes Financial Operations magazine, Canadian Treasurer magazine,

Canadian Equipment Finance magazine, Direct Marketing magazine and Contact Management magazine.

payments business magazine mar/apr2015

Documents