Payment security in a world going mobile
If cash is king, we may be in the final days of its reign. According to a recent study, roughly half of American adults no longer worry about carrying cash as they increasingly reach for their smartphones instead of their wallets.
Within the past year, nearly a third of U.S. adults used one or more mobile payment options (like mobile wallets or apps) to make a payment or transfer money. The challenge for businesses accepting these payments is that consumers aren’t the only ones leaning into this payment system – fraudsters are increasingly targeting these transactions as well.
By implementing a multilayered approach to security, businesses can better protect their mobile environment and customer payment data.
Today’s cybercriminals aren’t just looking for credit card information. They’re targeting usernames, passwords, email addresses, social security numbers, bank account information and other sensitive data that can allow them to take over a consumer’s mobile app account. Account takeovers, which can be the basis for one-time fund transfers or ongoing exploitation, are one of the most prevalent forms of fraud in today’s mobile environment.
Hackers often acquire information needed for an account takeover through phishing attacks. They’ll send victims what appears to be a legitimate email or message from a trusted entity; by following the prompts, a user unknowingly gives hackers access to personal information.
The rise of social media has also made this type of fraud more viable. Using bots to scrape social media accounts, fraudsters harvest large amounts of personal information that they use to create fake profiles, answer security questions or build convincing phishing lures. With the right security measures in place, businesses can identify many of these fraudulent attempts.
Protecting your mobile app
The best fraud protection models for mobile apps combine several layers of security controls to prevent a fraudulent transaction from occurring, and to flag it immediately if one does.
A company’s first line of defense against mobile app fraud is stronger authentication: obtaining additional evidence that the customer, and the card being used, are what they claim to be.
One simple but effective check is to enable Address Verification System (AVS) and Card Verification Value (CVV/CVV2) matching with the payment provider or gateway, as businesses typically do for other card-not-present transactions. Note that AVS and CVV verify the card, not the person holding the phone; on their own they are not multi-factor authentication. To verify the user, the app can ask for a PIN or a security question when an order is placed, and newer phones support biometric authentication, such as fingerprint or facial recognition, which adds a factor that is far harder to falsify than a password or a scraped security answer.
The next step to maintaining security and mitigating fraud in your mobile app is through tokenization and encryption.
With tokenization, when a user adds a payment method within your app, the card or bank account number is sent to a hosted enrollment vault and a token is returned. The token is a random surrogate value with no mathematical relationship to the account number, so it can be stored on the device and passed across wireless networks and through your own systems without exposing account data; only the vault (typically your payment provider) can map it back to the real number when a payment is processed. This removes the need to store sensitive payment data on the mobile device or within the business’ payment system, and a stolen token is useless outside the merchant and vault it was issued for. Encryption covers the remaining hop: the account number should travel from the app to the vault only over TLS, and if the vault is operated in-house rather than by a provider, the numbers in it must be encrypted at rest.
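The enrollment flow described above, as an added example that is not part of the original article or any provider’s vault: the `TokenVault` class, its method names and the constructed test card number are assumptions. The merchant-side record keeps only the token and the last four digits; the full number exists solely inside the vault, and the token is random rather than derived from the card, so the same card enrolled twice gets two unrelated tokens.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they are vaulted (Luhn mod-10 check)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical hosted enrollment vault (example only, not a real provider API).

    In production the PAN store would be encrypted at rest and detokenize()
    would be reachable only by the payment processor, never by the app."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def enroll(self, pan: str) -> dict:
        """Vault a card number and return what the merchant is allowed to keep."""
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Random surrogate: no hash or cipher of the PAN, so a leaked token
        # reveals nothing about the card and cannot be reversed offline.
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        # The merchant record: token for charging, last4 for display only.
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Processor-side lookup used only at authorization time."""
        return self._pan_by_token[token]

    def charge(self, token: str, amount_cents: int) -> str:
        """Simulated authorization: resolves the token inside the vault and
        returns a masked confirmation, never the PAN itself."""
        pan = self.detokenize(token)
        return f"approved {amount_cents} cents on card ending {pan[-4:]}"

if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test number (a standard Luhn-valid sample, not a real card)
    record = vault.enroll("4111111111111111")
    print(record)                       # merchant stores only this
    print(vault.charge(record["token"], 2599))
```

The `luhn_valid` check is an input sanity test, not a security control; the protection comes from the merchant never holding the card number after enrollment.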
Rules-driven authorization logic
As the payment is being submitted, a modern fraud detection system runs velocity checks and behavioral analytics in real time to confirm the legitimacy of the payment and its source.
For example, a business could implement rules that flag purchases over a certain amount, or multiple purchases from the same account in the same day. Machine-learning models can adapt to your business patterns to recognize the types of payments that are routine for your business, and flag or reject transactions that fall outside the norm.
Real-time fraud scoring that combines rules-based authorization with machine learning can reduce your app’s overall exposure and cost of fraud without adding noticeable checkout latency, provided the rules are tuned so that false positives do not turn away legitimate customers.
The most robust fraud prevention measures employ predictive modeling through real-time machine learning applied both to a specific business’ payment activity and to other businesses in the same industry segment. Successful implementation depends heavily on continuous data capture and analysis.
For example, geolocation can show where the phone placing an order via your app is located. Through machine learning, this data can be used to build a picture of the customer, and to decide whether there is cause for concern when a U.S.-based customer suddenly places an order from overseas. Geolocation is a signal rather than a verdict: travel, VPNs and carrier routing all produce legitimate location changes, which is why it is scored alongside other data points rather than used to decline on its own.
By scoring each transaction, machine learning platforms continuously learn to provide accurate, up-to-date protection. Feeding these platforms a high volume of transactions and a variety of data points also improves prediction accuracy, which helps detect new threats and emerging patterns of fraudulent behavior.
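The rules-driven screening described in the two sections above (amount thresholds, velocity checks and a geolocation "impossible travel" check, combined into a per-transaction score), as an added example that is not part of the original article or any vendor’s product. The thresholds, rule weights, decision cut-offs and the sample transaction batch are all constructed assumptions; a real deployment tunes them to its own traffic.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Rule parameters (assumed for the example)
HIGH_AMOUNT_USD = 500.0          # single purchase above this is unusual for the sample merchant
MAX_TXNS_PER_24H = 3             # more than this per account in a rolling day trips the velocity rule
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than an airliner between two orders = impossible travel
RULE_WEIGHTS = {"high_amount": 40, "velocity": 30, "impossible_travel": 60}
DECLINE_SCORE, REVIEW_SCORE = 50, 30

@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: float
    ts: datetime
    lat: float
    lon: float

@dataclass
class Verdict:
    flags: list[str] = field(default_factory=list)
    score: int = 0

    @property
    def decision(self) -> str:
        if self.score >= DECLINE_SCORE:
            return "decline"
        if self.score >= REVIEW_SCORE:
            return "review"
        return "approve"

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def screen(txns: list[Txn]) -> dict[str, Verdict]:
    """Run every rule over the batch in time order, keeping per-account history
    so the velocity and travel checks see what came before each transaction."""
    history: dict[str, list[Txn]] = {}
    verdicts: dict[str, Verdict] = {}
    for t in sorted(txns, key=lambda x: x.ts):
        v = Verdict()
        prior = history.setdefault(t.account, [])
        # Rule 1: amount threshold
        if t.amount > HIGH_AMOUNT_USD:
            v.flags.append("high_amount")
        # Rule 2: velocity -- orders from this account in the trailing 24 h, this one included
        window_start = t.ts - timedelta(hours=24)
        recent = [p for p in prior if p.ts > window_start]
        if len(recent) + 1 > MAX_TXNS_PER_24H:
            v.flags.append("velocity")
        # Rule 3: impossible travel relative to the previous order from the same account
        if prior:
            last = prior[-1]
            hours = (t.ts - last.ts).total_seconds() / 3600
            dist = haversine_km(last.lat, last.lon, t.lat, t.lon)
            if dist > 1.0 and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
                v.flags.append("impossible_travel")
        v.score = sum(RULE_WEIGHTS[f] for f in v.flags)
        verdicts[t.txn_id] = v
        prior.append(t)
    return verdicts

# Constructed sample batch (not real transaction data)
NYC = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)
LA = (34.0522, -118.2437)
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE = [
    Txn("a1", "acct-A", 40.0, T0, *NYC),
    Txn("a2", "acct-A", 25.0, T0 + timedelta(minutes=30), *NYC),
    Txn("a3", "acct-A", 30.0, T0 + timedelta(hours=1), *NYC),
    Txn("a4", "acct-A", 20.0, T0 + timedelta(hours=1, minutes=30), *NYC),   # 4th order in 90 min
    Txn("a5", "acct-A", 60.0, T0 + timedelta(hours=2), *LONDON),            # NYC -> London in 30 min
    Txn("b1", "acct-B", 750.0, T0 + timedelta(hours=3), *NYC),              # large single purchase
    Txn("c1", "acct-C", 55.0, T0, *NYC),
    Txn("c2", "acct-C", 45.0, T0 + timedelta(hours=27), *LA),               # NYC -> LA in 27 h, plausible
]

if __name__ == "__main__":
    for txn_id, v in screen(SAMPLE).items():
        print(f"{txn_id}: {v.decision:8s} score={v.score:3d} flags={v.flags}")
```

Each rule contributes a weight rather than an outright decision, so a single weak signal (a fourth order in a day) lands in manual review while two reinforcing signals (velocity plus an impossible location jump) decline automatically; that separation is what keeps friction low for the traveler in `acct-C` while still stopping the `acct-A` pattern.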
In the coming years, card brands are expected to roll out Secure Remote Commerce (SRC), the EMVCo specification for streamlining online checkout. The standard promises a simple, secure and consistent checkout process across websites and card brands, making the online purchase experience easier for consumers.
Once a shopper establishes their SRC credentials, their contact information and payment data are held in a single, secure system that essentially “follows” them around the internet, so they would not need to re-enter payment information on each site where they make a purchase. In effect, SRC bundles the tokenization, authentication and risk tools described above behind one checkout experience designed around the customer. While there is no immediate action for business owners to take on SRC yet, it is a standard worth keeping an eye on.
Between lost merchandise and the costs of investigating and rectifying a data breach, every dollar of fraud creates approximately $3 in total losses for a business, not counting the damage to its reputation. Because no single solution or product can fully secure a business’ environment, businesses should layer anti-fraud measures that are largely invisible to the customer, mitigating risk while still reducing payment friction and cart abandonment. With mobile sales projected to account for 70 percent of the eCommerce market by 2022, it is all the more important that businesses make the payment experience both smooth and secure.
Source: Mobile Payments Today
Author: Brian Borneman
VP, product strategy manager, Bank of America Merchant Services