Despite several well-publicized bumps in the road, the U.S. migration to EMV-based chip cards has undeniably reduced payment fraud at the physical point of sale. That’s the good news. On the flipside, increasing fraud rates in the rapidly growing card not present (CNP) channel have the potential to more than offset gains in card present (CP), perpetuating an overall upward trend in card fraud.CNP security, most often associated with e-commerce and online shopping space, poses a particularly thorny set of challenges. The inability to stand face-to-face with a customer or even to confirm possession of a card inevitably adds risk to the equation. Naturally, there is great incentive to solve this conundrum, especially in the United States where one of the world’s highest e-commerce payment fraud rates exists. The next generation of biometric solutions offers a promising remedy.
Compelling examples are cropping up in overseas markets. Let’s look at a few emerging approaches, as well as some hurdles that remain on the road to a fraud-free promised land.
Protect Me, but Don’t Inconvenience Me
One interesting new model being tested in South Africa (by MasterCard) and in Cyprus (by Visa) adds a fingerprint scanner to the plastic debit or credit card, replacing the need for a password or PIN. This will ensure a customer is in rightful possession of the card. And, presumably the validation process will be familiar since it matches the one already used on many smartphones.
The obvious challenge here is cost; U.S. card issuers have recently endured the significant effort and expense of rolling out chip cards. No one knows exactly what this new functionality will add to the production of a debit/credit card, though it is likely to be non-trivial. In addition to the cost of implementing this type of biometric measure for issuers, merchants (online and brick and mortar) and customers will also see impacts associated with enabling these new features at the point of sale.
Here’s where the Catch 22 enters: although everyone hates fraud, merchants are highly reluctant to impose any checkout routines that might conceivably limit sales. Cart abandonment is among the most studied metric in online commerce. New tools will need to perform well to maintain any chance at mass adoption.
Therefore, the best solutions to fraud may be routines taking place in the background outside the customer’s line of sight. Pilots of this sort are underway, gathering info on the timing and pressure of users’ keystrokes, the angles at which phones are held, etc. The Royal Bank of Scotland is combining this info with geo-location data (is the user inclined to log in from a street fair in Jakarta?) to flag exceptions for additional challenge questions, or outright denials.
A challenge with biometric information used to authenticate individuals – finger, voice, retina/iris, others – is it has to be stored and available for query whenever needed. As with all security systems, it is not beyond incursion. It’s only a matter of time before fraudsters hack the database housing these biometric factors.
While passwords can be reset, rebooting with a new set of biometrics isn’t quite so simple.
No financial institution has yet fully converted to biometrics for customer validation. However, the card networks’ activity combined with the increasing value and exposure of e-commerce fraud makes this a space ripe for innovation that banks and credit unions need to watch diligently. After all, the customer experience surrounding fraud events – whether positive or negative – impacts the reputation of the card issuer as well as the merchant. The trick is to protect those reputations without troubling the cardholder in the process, which is no mean feat.