The Chartered Institute of Credit Management (CICM) hosted a webinar from Key IVR – discussing the real impact of payment fraud and how organizations can combat chargeback fraud by using 3D Secure across online (ECOM) and over-the-phone (MOTO) channels. Presented by Abigail Richardson – Partner Relationship Manager and Aaron Smith – Technical Account Manager.
Key IVR are a PCI compliant payments solutions provider, providing solutions to many businesses across the UK, America, and Europe to take payments over the phone and online in a secure manner. We are a CICM corporate partner and have been for many years. CICM is also a loyal customer of ours; they actually use our phone and web payment solutions in-house themselves. Our solutions are available globally.
Card Payment and Chargeback Fraud
Card payment fraud is where card details from an individual have been leaked to the outside world and are potentially being sold on the black market. They may have been used fraudulently by individuals which have made a purchase online or also many different purchases. I want to be sure that everyone that’s on the webinar today can relate to a scenario that includes themselves or a friend, or they’ve heard in the news where card details have been leaked and used fraudulently by individuals. That’s what we label as a card payment fraud.
Now, chargeback fraud is completely different. Card payment fraud leads to chargebacks from individuals. An example of chargeback fraud: I’m making a purchase online, maybe buying some tickets, booking a holiday, or just purchasing an individual item. I may receive the item, but then I can call my bank or even go on to my online banking, query that transaction and create a chargeback. Essentially, I can get that purchase free of charge, and that’s what we label as chargeback fraud.
Card-Present and Card-not-Present Transactions
There are different types of transactions that can happen when taking card payments. We have card-present transactions, which are usually in-store, face to face with the shop or with a company, and you are presenting your card yourself. It might be used with a chip and PIN machine, where you physically have to enter your card into that terminal and put your PIN in. Contactless payments and mobile payments are also within that category.
Card not present transactions are done where you’re not physically in person with that business. You might be giving your card details over the phone or online. You might be reading them out to an agent or through an automated service, but you’re not putting your PIN number in, so you are not verifying that transaction yourself. That’s the difference between the two. Cardholder not present transactions are associated with the most amount of fraud. However, there are ways to minimize the risks involved with that.
Fraud Increases as Card Usage Rises
To give you a bit of background on the monetary value that’s affecting the UK, especially over the last years, we’ve got some data that we’ve collated from UK Finance.
Cash and check payments are drastically declining across all different sectors, whether it be B2B or B2C, and lots of different sizes of payments are now being processed by card. Cards are becoming the more dominant means of taking payments, including in face to face transactions. You might be at a market, for example, making a purchase, and you can now pay by card where, traditionally, they were more cash-driven. There’s a lot of different types of businesses now which were previously more cash-driven and are now switching over to card. For example, my window cleaner even takes card payments now, we never expected that to happen, but it does.
In terms of figures, we’ve got £671.4 million worth of card transaction turnover that was lost by fraudulent transactions last year. That’s a 19% increase from 2017. Now, as card payments tend to dominate lots of different sectors, you would imagine that the increase of fraud and risk would increase, which is correct. That is going to increase because there are more transactions which are processed in that method. However, there’s lots of different ways in which we can combat that, and things are changing in the industry to bring that down to an absolute minimum.
How chargebacks actually affect businesses
You might think that it’s simply the monetary value that the company has lost, but with chargebacks, there’s also struggles that companies face such as the loss of stock. You might have already sent out the goods before receiving that payment and it’s been charged back, before you know it you’ve lost the payment and you’ve also lost the product that you were selling.
Fees issued by the bank, by your merchant and gateway acquirer, are also contributors. If you get a chargeback, you can be having front fees from these types of businesses too. Obviously, there’s shipping costs as well from sending goods out. You’ve got staff’s time and salary, which you’ve also lost from that chargeback. That’s just a couple of things we can think of, but just to give you an idea that it’s not just the money that you’ve lost that’s being charged back, it’s also the process that’s happening with making that purchase that you’ve lost as well.
How do we protect against chargebacks? In the industry, especially here at Key IVR, we use what’s called 3D Secure for all online transactions. Essentially, this is authentication from your card-issuing bank. For example, Barclays, when you sign up for a bank account with those providers and high street banks, what they will do as part of that enrollment is enroll your application to include 3D Secure.
It’s a 3D secure authentication. The password or authorization code which is submitted by the cardholder is the same as having a PIN, so only the cardholder should have that information. If any online transactions are processed through a 3D Secure page, they can’t be charged back for being fraudulent transactions, because only the cardholder should have that information.
There are different ways in which this can work. The more traditional way is where you’re asked to enter your sixth, seventh and ninth or eighth character of your password. Where we’ve got American Express, they don’t do this, they actually send a text message to my phone and I have to put in an authorization code which is on that text message and is tied to me. If people don’t have a mobile phone, they can simulate an email with that same authorization code.
In some instances, they actually simulate a telephone call to a landline number, where an automatic voice reads out the authorization code. The industry itself has already got processes which they’re going through at the moment to try and combat this, but not everybody is aware that these things exist.
Protecting ECOM Transactions from Chargebacks
How do we secure ECOM transactions and protect them against chargebacks? You’ve got a customer, they’re making a payment on a web payments page. I might be a builder and I might be buying some tools for example. I’m processing my payment online, I get to the card details section where I enter my card details onto the web payments page, but before my payment’s processed, it’s actually going to pop up my little bank’s box where I might put my password in, or they might send me a text with the authorization code on. You put those details into that page which would then be processed. If they matched, that would be successful, and if you got that wrong, for example, that’s where the purchase would be declined because only you would know that particular password for your bank or the authorization code that’s been sent to your phone.
This isn’t just covered by processing payments on a web page, this method of payment can also be accessed through different channels, such as email and SMS campaigns. The customer might receive a text or email with a parameterized link which would then direct them online to take that payment. You’re not having to rely on the customer to actually visit that website off their own back. It could also be done through different methods such as web chat, social messaging, where, again, the customer would be sent a link to then land on a web page, to then go through the 3D Secure process, to find out if their payments been successful or failed.
Protecting MOTO Transactions from Chargebacks
One thing that we were certainly aware of as a company at Key IVR is our core solutions are all payment-driven by phone. We’ve got different options in where we can now combat chargebacks or reports and transactions by putting different rules in place for payments which are taken in a contact center or on an automated payment line.
There are many industries that we work with, and many customers that we have that don’t offer online payments. They have to be on the phone to process that payment. It may be a travel company, or a debt recovery firm, and certain things have to be confirmed through a customer or certain processes have to be in place which means that conversation has to happen.
Traditionally with telephone payments, there’s not a great deal of security that you can put around them, but we’ve got different features that we can put across all our solutions to combat that. There is a mixture of integrations to customer back-end systems, and, also, different options from the gateway/ PSP that you would use. In this particular flow here, we’ve got an option where we’ve got a customer and an agent having a conversation and the customer is verified.
Let’s say, for example, we’re booking a holiday. It’s the first payment I’m going to take and I’ve got my booking reference there. Now what we can do as part of that booking reference is, when we have a successful payment against that booking reference on the first attempt, we can allow that transaction to go through as a normal MOTO transaction where only limited security is checked. But, as a first deposit, what we can do is prompt the agent that the card hasn’t yet been authorized by a 3D Secure and we can allow them to process the payment online.
There are different options that we have where the agent can actually manually send a Click-to-Pay URL via SMS or email. Contained in that notification will be a website link which will take them to a prefilled webpage, containing the associated references and payment amount for that particular payment, and they will then go through our 3D Secure page.
This will allow the business to ensure that the card is safe and they can’t charge that payment back as it’s not someone else’s card. For future transactions, where they might call to pay off part of an installment, balance, or to add additions on to their booking – the organization now knows that if that card is then entered, they can now have that payment processed with the customer and agent engaged throughout the whole process. They don’t have to push them online and keep engaged from start to finish.
Another scenario using exactly the same business logic, is where we have an automated IVR. A lot of our customers come to us traditionally for an automated payment line to increase cash flow and to help with taking payments out of hours. The automated payment line that we provide, is available 24/7, 365 days a year and utilized by a huge number of our clients. We take the same stance with this.
Through an automated process, when the customer identifies themselves, we can trigger a flag. If it’s a brand-new account that’s being used against that reference, we can make it mandatory that the first-ever payment made on that card goes through the most secure means possible. So, for any alternative payments in the future, we then know that if that card is used, it has already been authorized by 3D Secure, and we can allow just a normal MOTO transaction to be processed.
We’ve got an example of an existing customer, Click Energy, where we’ve seen different changes being put in place to overcome fraudulent chargebacks, and obviously, card fraud leaking out to the outside world. Click Energy is an energy company based in Northern Ireland, and they have a self-service payment IVR which their customers or tenants use to top up their gas and electric on their meters. They call in, put their reference number in, and make a card payment.
They had a sudden spike in chargebacks coming through after card fraud was being used on their IVRs. As strange as it sounds, the card numbers which were being used were being leaked from a different organization. It might have been in a contact center or on a website, but card details were being captured by an individual and this individual was actually selling those card numbers in the pub in Northern Ireland to people who use Click Energy. They were selling these card numbers on and the people who were buying them were topping up their gas and electric with the unfortunate people whose card numbers were stolen and getting gas and electric at the cost of somebody else.
We provided Click Energy with an IVR with different rules in place to crack down on that. One thing that we did is, we only allowed a single card number to make one payment per day through the IVR, so it can’t be used across multiple accounts. We also introduced, through Worldpay, what we call an AVS check.
As part of that payment authorization, it’s mandatory that the house number and postcode digits are submitted to ensure that they match where that card is registered to. Fortunately, we’ve completely eradicated chargebacks from fraudulent transactions because for one, the individual who was selling these card numbers has been prosecuted and so if he was ever to appear again, by putting the AVS procedure in place, the customers who were making these payments only had the card number, expiry date and CVC number.
When they were trying to process the payment and we asked for the address everything then failed as an additional fraud check. That’s a little bit of an idea in terms of how we helped one customer already who processes payments predominantly by phone and how we’ve overcome that.
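The phone-payment rules described above (one payment per card per day, an AVS match on the address digits, and 3D Secure on the first payment before later MOTO payments are allowed), sketched as an added example that is not Key IVR's or Worldpay's code. The class and function names, the decision strings, the keyed card fingerprint, keying the 3D Secure record on card plus reference, and the `on_file` address standing in for the gateway's AVS response are all assumptions.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed key for this example; a real system keeps it in a secret store.
FINGERPRINT_KEY = b"example-only-key"


def card_fingerprint(pan: str) -> str:
    """Keyed hash of the card number so rule state never holds the raw PAN."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()


def avs_digits(text: str) -> str:
    """AVS compares only the numeric characters of an address field."""
    return re.sub(r"\D", "", text)


class PaymentRules:
    """Hypothetical rule engine for a phone payment line (assumed design)."""

    def __init__(self):
        self.last_paid = {}         # fingerprint -> day of last payment
        self.authenticated = set()  # (fingerprint, reference) that passed 3DS

    def decide(self, pan, reference, house, postcode, on_file, today):
        fp = card_fingerprint(pan)
        # Rule 1: a card may pay once per day, whatever account it is used on.
        if self.last_paid.get(fp) == today:
            return "DECLINE_VELOCITY"
        # Rule 2: house-number and postcode digits must match the card's
        # registered address. `on_file` stands in for the issuer's record,
        # which a merchant only ever sees as an AVS result from the gateway.
        supplied = (avs_digits(house), avs_digits(postcode))
        registered = (avs_digits(on_file[0]), avs_digits(on_file[1]))
        if supplied != registered:
            return "DECLINE_AVS"
        # Rule 3: the first payment on this card for this reference must go
        # through 3D Secure (e.g. a payment link) before MOTO is allowed.
        if (fp, reference) not in self.authenticated:
            return "SEND_3DS_LINK"
        self.last_paid[fp] = today
        return "ALLOW_MOTO"

    def record_3ds_success(self, pan, reference, today):
        """Call when the cardholder completes 3D Secure on the payment page."""
        fp = card_fingerprint(pan)
        self.authenticated.add((fp, reference))
        self.last_paid[fp] = today


# Constructed sample data: a common test card number and a made-up address.
TEST_PAN = "4111111111111111"
ON_FILE = ("12 High Street", "BT1 1AA")
```

Someone holding only the card number, expiry date and CVC fails at rule 2, and a card reused across several accounts on the same day fails at rule 1.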
You might have heard in the news recently about the big data breach that Ticketmaster experienced. They took a big hit as 40,000 of their customers’ details were affected, and card numbers were stolen. They did, essentially, get fined a hell of a lot of money for that. Because of this, to help in the future, what they did is that all payments now have to go through 3D Secure.
When you’re buying tickets, you have to put your password into the little bank’s box that pops up, but also, as an extra security measure, tickets cannot be delivered to an address that’s different to the billing address on that card. That’s how they’re trying to combat fraud and chargebacks for that business. It’s just one example that might be familiar.
How to reduce Credit Card Fraud?
Key IVR is a company that provides solutions that are level 1 PCI compliant to the highest level. Anything we provide, whether it’s a telephone platform, agent-assisted solution or online payments, is rubber-stamped against PCI compliance which reduces PCI scope for our clients.
This is kind of backwards in terms of, obviously, how card details are leaked to the outside world. Over the past five years that I’ve been with the business, I’ve been into some companies and assessed what their payment processing procedures are. I’ve seen some horror stories in terms of card details being written down and then accounts will type those into a card terminal to process those payments.
We’ve also seen where card details are written down on a piece of paper and processed individually by the agent at a later time and where card details are fully recorded on call recordings which are easily accessible to a lot of people across that particular organization. We’re not saying that the people that work in these organizations are rogue agents or a person that would take those details and sell them to the outside world, but we know it happens.
Unfortunately, there is a risk when these card details have been taken in that manner. The reason why we have solutions in place for our telephone platforms, which are PCI compliant, is it allows the customer to submit card details securely, but the card details remain on the customer’s side of the call. Nothing in terms of card data is spoken when having a conversation with an agent. It’s entered into their telephone keypad, and nothing is externally sent out in any terms of reports by Key IVR. We don’t store that information ourselves and it remains with the card-issuing banks. It’s completely out of our database across all of our solutions.
Unlock Potential Savings with Gateways
In terms of what we have just spoken about, protecting yourselves against chargebacks and also fraud, it’s just something to bear in mind that if you do start taking payments in a more secured manner, or you start putting better security measures in place to protect against chargebacks, you can actually unlock savings with your gateway provider. People like Worldpay, First Data, SagePay, who some of you might be using already, they’re actually partners of ours as well. We also have to work with these particular services in the background to process those card payments.
If you do take payments in a more secure manner, you can unlock potential savings on your gateway fees and your acquiring fees, for doing so in a more secure way. It’s just something to think about, if you’ve not thought about it already, that you can potentially save yourselves some money whilst not only protecting yourselves and your customers.
Upcoming Legislation: PSD2 & SCA
As a company, Key IVR are PSD2 ready, across the gateways and acquirers that we work with and we have constant conversations with our customers to try and prepare for this. Unfortunately, PSD2 has been delayed for the next 18 months, which we had an idea that that was going to happen as we’ve had very minimal correspondence from relevant parties.
Essentially, the reason why this is being put in place is for the reasons we touched on. It will make online card payments a lot more secure as it will be mandatory that all card payments which are processed in an online environment will be processed and authenticated a lot more thoroughly. This will prompt you to verify yourselves, using authorization codes, your fingertips, and you can use recognition as part of this process because, if that was to be leaked to the outside world, the chances are that you wouldn’t then be able to process payments in that means.
This will really crack down on fraud. In terms of the UK Finance stats that we’ve got, it’ll be really interesting to see in 36 months’ time what the difference is once this is in place. I would imagine that there would be a significant reduction in the monetary value of card payments which have been processed fraudulently.
If you would like to find out any more information about chargebacks or how to protect against card payment fraud, contact us today at firstname.lastname@example.org or call +44 (0) 1302 513 000.