18 August 2017
Ketharaman Swaminathan

Talk of Many Things

Ketharaman Swaminathan - GTM360 Marketing Solutions

86Posts 486,462Views 2,732Comments

Mitigating Fraud Does Not Pay The Bills

20 July 2015  |  5335 views  |  0

Many discussions of security standards emphasize how Chip + PIN and Two Factor Authentication reduce fraud loss and exhort countries using Magstripe / Chip + Signature and Single Factor Authentication (e.g. USA) to immediately migrate to the newer technologies. Take for instance Campaign pushes for US adoption of chip and PIN on Finextra.

All these urgent missives are totally missing one thing that merchants (and banks) know too well: Mitigating fraud does not pay the bills. It's only when a transaction goes through that a merchant makes revenues. And not when some security algorithm blocks a transaction as potentially fraudulent.

I'm not for a moment suggesting that merchants throw caution to the winds but am only imploring them to remember that an obsession with fraud control could hit sales and cause customer dissatisfaction.

This is because virtually every security measure designed to prevent fraud causes collateral damage by way of friction viz. need to remember the PIN in the case of an offline Chip + PIN transaction. Security pundits have been claiming for years that there are ways to implement security without compromising on convenience but there are far too few implementations of such technologies in the mainstream market for merchants to take these claims too seriously as of now.

The amount of incremental friction caused by a security measure needs to be seen in the context of many factors specific to local culture and business practices viz.:

Cards Per Customer

If consumers have only one card, remembering just one PIN is not a big deal. However, if they regularly use multiple cards, the need to remember multiple PINs poses a lot of friction. (Most probably, people belonging to the latter category would write down all their PINs on a piece of paper and keep it inside their wallets, which would defeat the basic purpose of security.)

Recourse Against Fraud

In some countries (e.g. USA), when a cardholder spots a fraudulent charge on their credit card statement, they can report it to their bank and have it reversed, pending chargeback investigation carried out by the bank behind the scenes. So, compared to their ease of seeking recourse against fraud, even a simple PIN might seem like a lot of friction. On the other hand, in some other countries (e.g. India), a cardholder caught in a similar situation gets shunted around between the issuer, acquirer and the merchant, so they might be willing to jump through a few more hoops while making the payment.

The impact of friction is two fold:

  1. Customer abandons the transaction and the business suffers a loss of revenue, or
  2. Customer completes the transaction with an alternative method of payment viz. cash. Let's assume that the merchant suffers no net cost impact in this case since the incremental cost of cash handling could be offset by the savings on credit card processing fees.

So, while steps taken to mitigate fraud could lower fraud loss, they could also stunt revenues. This has to be kept in mind before any new payments security technology can hope to achieve mainstream adoption.

Therefore, any discussion about payment security is complete only when it addresses both

(A) Fraud loss as % of Sales, and

(B) Revenue loss.

In the migration from magstripe / Chip + Signature to Chip + PIN for offline payments, it's too early to predict which of these two metrics will prove decisive. But, in the related case of online card payments, it appears that fraud loss has proven to be not as critical as concerns over revenue loss owing to friction, given how leading merchants like Amazon have still not implemented 2FA (VbV / MSC / OTP) despite the fact that FFIEC issued guidelines for 2FA way back in 2005 and renewed them in 2012.

I'm not alone in advocating a balanced approach towards payment security. "The challenge is friction from a checkout point of view. If merchants are looking for security perfection, then they are going to be turning away good sales.", says George Peabody, a partner at Glenbrook Partners here. "When you are doing checkout out of a merchant's shopping cart − particularly on a mobile device − it is really important to be as friction-free as possible.", he adds.

End of the day, it all boils down to how a business wishes to treat the risk of fraud loss - or any other risk, for that matter. If they follow the advice of Sam Zell, the famous American real estate magnate and private equity investor, they'd analyze the risk unemotionally and take it if they get commensurate returns. Not because the technology thrust on them is new or old.

Famous Sam Zell Quote For Entrepreneurs TagsCardsRisk & regulation

Comments: (6)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 23 July, 2015, 11:21

I love the way Stripe minces no words in holding 2FA / 3DS responsible for potential loss of revenues: "at Stripe we've so far opted not to support 3D Secure since we believe the costs outweigh the benefits." More at https://support.stripe.com/questions/does-stripe-support-3d-secure-verified-by-visa-mastercard-securecode. Thanks to Adam Nybäck - Anyro - Stockholm for sharing this Stripe link.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 01 August, 2015, 11:42

According to this NYT article, fraud caused by "Stolen Consumer Data Is a Smaller Problem Than It Seems" (http://www.nytimes.com/2015/08/02/business/stolen-consumer-data-is-a-smaller-problem-than-it-seems.html). It also confirms what I've long suspected, namely, "...consumer fears can be stoked by the incentives of the people providing the data. Many of the statistics on identity fraud and online attacks come from security firms that want more people to buy their services. It’s not so different from the soap company that advertises how many different types of bacteria are on a subway pole without mentioning how unlikely it is that any of those bacteria would make you sick."

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 14 August, 2015, 18:02

SQUARE just announced that it'd take over the fraud liability of US merchants who don't move to EMV by the October 1 deadline.

https://squareup.com/news/why-square-sellers-can-rest-easy-about-the-liability-shift

While parties in ROW question why it's hard to remember a PIN, SQUARE actually tells businesses that "It’s all a bit complicated — and scary-sounding" and assures them that it would take over the fraud liability, so "...there’s no cause for alarm."

With a partner like SQUARE, why would a US merchant rush to adopt the more friction-prone EMV technology? Goes to show how local business culture influences mainstream adoption of some technologies like these.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 02 October, 2015, 17:10

http://www.nbcnews.com/business/consumer/chips-dips-tips-5-potential-problems-new-credit-cards-n436511

Early reports of Chip + Signature in USA point out one more cultural factor that poses a hurdle to this technology in USA:

"Some people are experiencing a 20 second wait times with these chips," said Avivah Litan, vice president and analyst at Gartner Research. "We're a more rushed society than anyone else. So me, I'm going to be a little mad when I have to wait longer at checkout. You have to wait until the very end to get your card." 

As I'd predicted in my post, some retailers are expecting customers to prefer cash because of the delay in processing chip cards: 

"Litan says retailers who have met the deadline will likely ... create cash-only lines." 

So, ironically, a security measure that is intended to increase security and make people more comfortable about using cards is actually driving them away from cards and towards cash!

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 15 October, 2015, 16:59

"Netflix is blaming slow US growth on the switch to chip-based credit cards"
http://qz.com/524537/netflix-is-blaming-slow-us-growth-on-the-switch-to-chip-based-credit-cards/

Well, Netflix confirms my fear that "steps taken to mitigate fraud could ... stunt revenues." While Netflix is the first, according to this article, it's not likely to be the last.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 21 October, 2015, 16:51

Good question!

Sam Charbonneau @BMPayments

It's pretty sad how slow #EMV transactions are. When the lost time outweighs cost of fraud...how do they expect major retailers to react?

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Latest posts from Ketharaman

Can Chatbots Replace Humans?

14 August 2017  |  4651 views  |  0 comments | recomends Recommends 0 TagsArtificial IntelligenceRetail banking

How To Fight Credit Card Surcharge And Take CashlessIndia To The Next Level

18 July 2017  |  7319 views  |  0 comments | recomends Recommends 1 TagsCardsPayments

Why Branch And Digital Channels Will Coexist Forever

08 June 2017  |  7785 views  |  0 comments | recomends Recommends 0 TagsRetail bankingStart ups

Why Is Software Still Built From Scratch?

16 May 2017  |  3458 views  |  2 comments | recomends Recommends 0 TagsOpen APIs

Why Does Cash Still Rule Ecommerce In India?

21 April 2017  |  12971 views  |  2 comments | recomends Recommends 2 TagsCardsPayments

Ketharaman's profile

job title Founder & CEO
location Pune
member since 2009
Summary profile See full profile »
As Founder and CEO, S. Ketharaman provides overall direction and leadership toward setting and achievement of GTM360's goals and objectives.

Ketharaman's expertise

Member since 2009
77 posts2,732 comments
What Ketharaman reads

Who's commenting on Ketharaman's posts

Chandrashekar Rao Kuthyar
João Bohner
Charmaine Oak
Chetan Ghadge
Shaju Nair
Ganesh Guruvayur
Ramanuj Banerjee
Sandeep Todi