Following the region’s reliance on eCommerce during the COVID-19 pandemic, fraudsters are targeting vulnerabilities in payment security systems.
As more businesses gravitate towards digital channels for eCommerce, fraud is expected to follow.
A recent Juniper Research study found that global losses due to eCommerce fraud will rise to over US$20 billion in 2021 as fraudsters target vulnerabilities in security systems.
In light of this, the recent Asia Pacific Visa Security Summit delved into the need for robust payment experiences. Risk professionals discussed key trends in the ways consumers shop and transact, and shared some solutions leading the way in fortifying fraud defenses for businesses.
On the heels of the security summit, CybersecAsia caught up with Joe Cunningham, Regional Risk Officer for Asia Pacific at Visa, for further insights:
A recent study found that global losses from eCommerce fraud could exceed US$20 billion this year. What is the best way to mitigate this risk?
Cunningham: As consumers move from traditional face-to-face shopping to eCommerce due to lockdowns and movement controls, fraud has also moved in the same direction. One of the most prevalent forms of eCommerce payment fraud today, which affects issuers, merchants, and acquirers globally, is enumeration attacks.
Cybercriminals are using big data and artificial intelligence (AI) to systematically submit transactions with enumerated values, hoping to find legitimate account details or initiate 1-2 low-dollar transactions to verify if an account is active in order to take it over. Once valid payment information is obtained, it is then sold on cybercrime websites.
At Visa, we take enumeration very seriously. That is why we are investing in technology to inform, block and identify these attacks in flight. An example of this is Visa’s Risk Operations Center (ROC). This is a 24/7, real-time fraud detection and mitigation system operated by our team of fraud and security experts.
ROC analyzes millions of transactions every day for known and emerging fraud threats. ROC’s capabilities are integrated with advanced Visa Account Attack Intelligence (VAAI) to quickly identify and report enumeration. However, we cannot prevent fraud attacks alone. To ensure that our ecosystem is secure, we need all players to employ anti-enumeration and account testing best practices, upgrade their infrastructure, and keep investing in fraud management.
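A minimal velocity check for the enumeration pattern described in the answer above, added here as an illustration; it is not part of the interview and does not represent Visa's ROC or VAAI logic. The record fields, the source key, and all thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Auth:
    ts: int         # seconds since start of capture
    source: str     # hypothetical key: merchant ID + client IP
    card_ref: str   # tokenized/hashed card reference, never the raw card number
    bin6: str       # issuer prefix of the card
    amount: float
    approved: bool

# Assumed thresholds; tune against real traffic before use.
WINDOW_S, MIN_ATTEMPTS, MIN_DISTINCT_CARDS = 300, 8, 6
MIN_DECLINE_RATIO, LOW_AMOUNT = 0.7, 2.00

def detect_enumeration(events):
    """Return {source: reason} for sources whose recent traffic looks like
    account testing: many distinct cards, mostly declined, in a short window."""
    windows, flagged = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e.ts):
        win = windows[ev.source]
        win.append(ev)
        while ev.ts - win[0].ts > WINDOW_S:   # slide the window forward
            win.popleft()
        if ev.source in flagged or len(win) < MIN_ATTEMPTS:
            continue
        cards = {e.card_ref for e in win}
        declined = sum(not e.approved for e in win) / len(win)
        low = sum(e.amount <= LOW_AMOUNT for e in win) / len(win)
        if len(cards) >= MIN_DISTINCT_CARDS and declined >= MIN_DECLINE_RATIO:
            kind = "single-BIN" if len({e.bin6 for e in win}) == 1 else "multi-BIN"
            flagged[ev.source] = (f"{kind} sweep: {len(cards)} cards, "
                                  f"{declined:.0%} declined, {low:.0%} low-value")
    return flagged

def sample_events():
    # Constructed data: one source probing ten cards in 50 seconds with
    # low-value attempts, and one ordinary shopper source.
    probing = [Auth(i * 5, "shop-17|198.51.100.7", f"card-{i:03d}", "400000",
                    1.00, i == 9) for i in range(10)]
    normal = [Auth(i * 400, "shop-17|203.0.113.20", f"cust-{i % 2}", "411111",
                   35.0 + i, True) for i in range(10)]
    return probing + normal

if __name__ == "__main__":
    for source, reason in detect_enumeration(sample_events()).items():
        print(source, "->", reason)
```

A high-volume source with many distinct cards is not flagged on volume alone; the decline ratio is what separates account testing from a busy checkout.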
How should merchants go about enhancing their existing infrastructure with reliable fraud management?
Cunningham: Due to the pandemic, many businesses had to pivot online and become digital merchants overnight. Similarly, many consumers have experienced digital commerce for the first time. In the last three quarters, we have seen more than 30% growth in eCommerce payment volumes in markets like the US, Canada, Italy, Germany and Singapore.
We believe eCommerce is here to stay, and many first-time digital consumers will decide where to shop based on whether they trust the seller or not. As digital commerce becomes mainstream, payment security is a fundamental driver of trust, so the industry must deliver on consumers’ expectations of safe, convenient, and fast payment experiences.
One of the hardest things to get right in payments is fraud management. If merchants don’t have the right tools to decide if a transaction is genuine or not, they could end up blocking all payments and be left with no sales. But if they approve all transactions, including suspicious ones, fraud is bound to impact them. Therefore, merchants need to rethink their infrastructure in order to strike a balance between delivering convenience for their customers and ensuring that their high expectations of secure payments are met.
To help merchants deal with eCommerce fraud, Visa has introduced solutions based on industry standards such as Visa Secure and Visa Token Service. Visa Secure uses the latest standards of the EMV® 3-D Secure protocol to assure merchants and banks that transactions are genuine. This potentially reduces lost sales for sellers because of declined payments and improves the overall customer shopping experience.
Visa Token Service (VTS) turns sensitive payment data like card numbers and account details into randomized tokens, thus devaluing data and rendering it useless for fraudsters, even if stolen. This means merchants don’t have to store payment data on-premise. VTS is also one of the largest payment security platforms offering data protection while reducing unnecessary form filling steps for consumers. Data for the US shows that tokens can reduce fraud by 26% on average compared to online card transactions, where consumers enter their card details for making payments.
As eCommerce continues to grow, merchants and the rest of the industry all need to lift their security standards in order to capture digital commerce opportunities.
What are some key trends in Asia Pacific consumer patterns when shopping and transacting, and how should businesses cater to them?
Cunningham: The COVID-19 pandemic has changed the way we live and work. At the same time, the pandemic has also had a massive impact on how people buy and sell goods. Visa has charted consumer behavior changes along three trends pervasive in Asia Pacific.
First, as consumers prioritize health and safety, the spotlight is on contactless payments and tap-to-pay infrastructure. In Asia Pacific, one in two face-to-face Visa transactions are now contactless. We expect contactless payments to replace cash and become the preferred payment method for businesses and consumers.
Second, on-demand eCommerce experiences have become essential services. Shoppers expect products and services to be available when they want and where they want. This will require merchants to create a faster, smoother, and more convenient buying and payment experience for their customers.
Third, the lines between eCommerce and physical buying have blurred. Visa data shows that, excluding travel, global eCommerce payment volumes grew by over 20% in the last quarter versus last year. This shift is likely to persist as eCommerce growth continues to be robust, even as consumers begin to return to stores.
As we think about the future of commerce, we need to ensure that all stakeholders innovate responsibly. Consumer buying behaviors have permanently changed. This means businesses need to keep pace by adopting global security standards to ensure that they meet their demands for fast, convenient, and secure payments.
Please share some payment security tips and strategies for businesses in Asia Pacific to help prevent and mitigate fraud.
Cunningham: Consumer buying behaviors have changed dramatically over the past 16 months. At physical stores, customers prefer to use digital payments instead of handling cash. For eCommerce retailers, customers want a remote payment solution that is fast, convenient, and secure. And to add to the complexity, businesses also have to deal with the issue of the increasing risk of fraud, especially in eCommerce channels.
The good news is there are some basic security best practices that businesses of all sizes can put in place to safeguard themselves.
One, don’t store customers’ payment data. This includes the name of the customer, card account numbers, card expiry dates and others. Storing payment data makes businesses a target for fraudsters. If businesses don’t hold on to valuable data, there is nothing for fraudsters to steal. If businesses must store payment data, they need to make sure it is encrypted according to industry-based security standards.
Two, businesses need to make sure they are running the latest versions of any software that they use to process payments. Patches from service providers usually contain the most current security updates so businesses can protect themselves against the latest types of cyber threats.
Three, people continue to be the weakest link in the payment security chain. Therefore, it is very important that businesses educate their employees on safe online practices. Phishing emails are one of the most common ways hackers gain access to sensitive or confidential information. Install anti-phishing software and teach employees to spot and avoid suspicious emails.