The Three P’s Of Fighting Credit Card Fraud

by Michael Hallinan 0

The concept of credithas existed for millennia, but the creditcard,as we know it, is far more recent. Beyond convenience, creditcards also offered greater security than cash. The names on creditcards could be matched to photo IDs, as well as signatures to signatures, andthey could be shut down when lost or stolen. Today, just 9 percent of Americansprefer to pay with cash and 80 percent of consumer spending iscashless. The explosion of online and mobile commerce have further fueledthe use of creditcards, since online purchases are not paid for with cash.

However, cashless payments comewith their own security risks. Creditcardfraudis running rampant with card-presentand card-not-presenttransactions alike. Creditcardand debit cardfraudresulted in losses amounting to $16.31 billion during 2014, according to TheNilson Report, and will exceed $35 billion by 2020. That means that for every$100 in volume, $5.65 was fraudulent, and the volume of fraudcontinues to escalate. Security protocols may be getting better, but so do thescammers.

The ThreeP’s

In the face of this rising tide,machine learning is being lauded as a silver bullet of sorts, a solution thatuses Big Data to know when it is you using your creditcardand when it is someone else. There is no doubt that technology has pushed fraudprevention efforts forward by leaps and bounds, but that’s not enough. To trulykeep fraudat bay, and protect consumers and businesses, the best approach is one thatcombines humans and computers with what I refer to as “the threeP’s”: something I know (password), something I have (phone), something I am(physicality).

Password

Since the early days of theinternet, passwords have served as the main pillar of online security. Mostsites and services required user names and passwords, promising to keep yourinformation safe in exchange. However, it’s abundantly clear that passwords areneither safe nor sufficient. People re-use them and they are frequently hacked.

Yahoo recentlyannounced that data “associated with at least 500 million useraccounts” had been stolen in one of the largest cybersecurity breachesever. Amazon, Netflix, Dropbox have alsobeen hacked, releasing login and password information, and that’s just in thepast few months alone. Clearly the password model is broken.

Another security problem isthat creditbureaus are highly regulated and cannot keep pace with Big Data and marketingdata exchanges. Consequently creditbureaus do not offer a full picture into a consumer’s creditworthiness, andthus are slow (at best) or fail (at worst) to identify when something is amiss.In the meantime, a fraudster could cause significant damage to your financesand credit.

Phone

Smartphones represent anunprecedented and powerful opportunity to prevent fraudusing the ThreeP’s. With your phone, you are essentially carrying a creditbureau in your pocket that contains highly detailed, descriptive analytics ofyou.

To start, accessing your phonecan (and should) require a passcode to use at all, meaning if your phone fallsinto the wrong hands, the thief can’t quickly or easily gain access.Furthermore, phones open up a range of new possibilities for verifyingidentity. For example, many financial institutions and ecommerce companies areleveraging biometrics, like a fingerprint touch ID, or even selfies to preventanyone but you from making transactions. In the event of a chargeback, theselfie method provides a handy record of who tried to complete a purchase.

Phones provide a second layer ofidentity verification because a phone number trumps a social security number,in terms of the information or “digital heartbeat” it contains about you. Yourphone history is powerful because it is attached to information like where youlive, as well as who you communicate with. Your social security number is not.

Physicality

The final “P”—physicality—isvaluable for authentication because you can’t be in two places at one time. Aphone is something you have, something you carry, and includes GPS. Itknows where you are, and more importantly, where you are not. Analyticsdescribing what boxes you travel within, also known as geofences and orbits canautomatically flag your cardwhen it has fallen into the wrong hands.

When used together, the ThreeP’s work create a stable identity that can extend across new profiles andaccounts. Smartphones represent a safer and more convenient option forin-person and card-not-presenttransactions alike.

The U.S. is in the midst of theshift to EMV, meaning when you pay with your creditcardat a brick-and-mortar store, you use a Chip and PIN system, as opposed to amagnetic stripe and signature. While EMV is certainly more secure than thelatter approach, it is only as secure as the authorization system that grantsthe tokens and approves purchases. Paying with a physical cardremains far from ideal. Consumers still have to carry around the carditself, and legitimate but unwanted “gray charges” may still go unnoticed, anda signature or PIN may still be required.

In contrast, tokenizationtechnology assures security and prevents fraud.Tokenization hit mainstream awareness last year when Apple unveiled Apple Pay.As the high-profile breaches at Target, Home Depot and Neiman Marcus madeclear, creditcardtransactions are not safe, even when it is you holding your own creditcard.Tokenization is a new way to send sensitive data that works by creating proxyinformation—a randomly generated, unique number known as a “token.” The tokenprotects data when it is at-rest and in-transit, making it more difficult forhackers to steal. Furthermore, tokens on a phone limit losses after carddata breaches. This avoids the need to send a new cardalong.

The most effective way to preventfraudis by combining technology, like machine learning, analytics and tokenization,with the human element—the ThreeP’s. The ideal solution needs to be frictionless for the user, meaning it doesnot require a PIN or signature. At the same time, it needs to be informative,sending “nudges” like push notifications or SMS reminders. Finally, it needs toinclude instant recall if there is a dispute or uncertainty arises around acharge.

Cash is no longer king, and as the shift to digital paymentscontinues, it’s essential for consumers and businesses that there areeffective, easy ways to keep their sensitive financial information safe.