Recently a consumer affairs programme on the BBC highlighted complaints raised by small UK retailers about the costs of transactions where card details are reported lost or stolen after the transaction. These customer-not-present transactions are authorised
when the transaction is made but are later recalled by the issuer of the card through a process known as a 'Charge Back'.
The total costs to small businesses are estimated at £22 billion in fraud and lost sales (http://www.discoverretail.co.uk/fraud-costs-uk-small-firms-22bn-a-year).
These issues have been known for over a decade, as shown in this article written in 2003: http://www.out-law.com/page-406.
This article reviews the options available to the UK regulatory bodies to protect both retailers and card holders paying for items or services remotely.
When retailers experience a transaction 'Charge Back' after the card is reported stolen by the issuer to the scheme, the retailer usually has to return the funds and incurs the processing costs as well as the loss of the goods from the sale and potentially
increased fees for payments in the future. 'Card / Customer not present' transactions can be protected from stolen-card chargebacks by e-commerce retailers implementing the card scheme protocols referred to as '3-D Secure' on their e-commerce sites. This protects
some e-commerce retailers but not generally the small retailer.
In the UK, customer-not-present retailers (e-commerce, m-commerce, mail order and telephone order) are further protected by the use of Address / Post Code verification. This is not available for international card transactions or in non-UK markets. Therefore
some retailers and specific transaction types are not protected, as well as being more vulnerable to fraud.
A card payment transaction can be simplified into two processes. The first process is the 'Authorisation', when funds are reserved / marked against the payment account. The second process is the 'Funds transfer', when the funds are moved from the card account
to the retailer's account minus the fees imposed by the payment companies involved. The 'Authorisation' process is usually conducted when the payment details are received by the retailer, and the second process is initiated by the retailer at a later time.
One approach for regulators could be to protect retailers by preventing a 'Charge Back' if the card is reported stolen after a successful online 'Authorisation'. This option is unsuitable as it creates a significant risk of retailers colluding with fraudsters
to accept transactions using cards that are stolen, thus creating another fraud problem rather than resolving the issue.
A different approach would be for regulators to protect retailers by preventing a 'Charge Back' if the card is reported stolen after the 'Funds transfer' process has completed. This would provide an opportunity for card issuers and other parties to review
the transactions and, if necessary, take extra steps to reduce the transaction risks after authorisation but prior to the funds being transferred.
This option appears more suitable for national regulation, and it could be applied to Faster Payment / ACH transaction types as well. Some methods are available for issuers to contact the customer to confirm the transaction was performed by
their card holder.
Regulators could go further and mandate that issuers protect customers by requiring them to verify customer-not-present transactions prior to the funds being transferred. Mandating customer verification of an e-commerce transaction during the authorisation
process was the original model for 3-D Secure. This model proved difficult to implement, with card holders dropping out of transactions and the model not being suitable for all the different customer-not-present channels for transactions. For example, if the transaction
is being performed via a voice telephone call, then asking for authentication data may create a process that would not be acceptable to any of the parties involved.
There are now feasible options that could be implemented by card issuers. Tickvantage has created a process that provides out-of-band transaction notification and optional customer verification prior to the funds transfer process for all GSM mobile devices.
We are also seeing in the US, through Apple Pay in-app purchasing, that the use of fingerprint verification helps with some transaction types but is not suitable for all types of customer-not-present transactions.
The issue facing the payments industry is that without a mandate from regulators the status quo will remain. This is because the card transaction risks and costs for lost or stolen chargebacks are taken by retailers. This is often seen as a cost of doing
business but is in fact a barrier to competition. This barrier is that the retailer market is reduced only to those prepared to take the risk. It also increases the costs of goods and services as these fraud costs have to be factored into the retail costs.
In a similar way, in the UK the use of Faster Payments, Paym and Zapp is currently constrained by the risks associated with the payments. One risk relates to whether the retailer is genuine or the recipient of the funds is correct. Therefore, a process is needed
where the identity of the person being paid is identified, validated and presented back to the person sending the funds.
Tickvantage provides this and could enable the classic payment terminal to be dematerialised in the future for all payments.
The role of regulation in disrupting the status quo of payments cannot be overstated in helping the payment industry innovate and develop further.
I hope to have presented why, if retailers are protected from stolen card details once funds are transferred, issuers are more likely to notify the customer and verify the transaction prior to releasing the funds. Similarly, I hope to have presented how
this type of transaction notification and verification could aid the development of more advanced retail payments in the near future.
In several years we could be looking back wondering why we still have payment terminals and cards when we get a notification for each transaction and verify transactions simply, conveniently and securely over our mobile phones.