Payments Talk: Steve Mott, President of BetterBuyDesign LLC11th January 2018
Steve Mott has worked in and consulted to the electronic payments and security industries for more than two-and-a-half decades. Steve also held the position of Mastercard’s first eCommerce executive, as President of one of the fastest growing internet start-ups (until Google), and as an advisor/analyst/subject-matter-expert on various mobile initiatives involving banks, technology providers, networks, merchants, processors and the Federal Reserve.
We invited Steve to give his insights on fraud in the U.S. market, barriers for merchants to overcome, and what the future holds for the industry.
Why is good fraud data on card payments so difficult to come by?
Unlike in many other countries, in the US there is no regulatory agency or industry body that governs payments. In particular there is no centralized authority that facilitates and coordinates the collection of fraud data in a holistic and uniform manner so that effective responses can be proposed, debated, deployed and monitored. For example, the Financial Fraud Action UK (FFA UK) group provides such a service, and produces annual and topical reports explaining the sources and impacts of fraud, as well as discussing what measures and approaches are being taken to address those sources, and how well they are working.
By contrast, in the U.S. – which is much like the UK market – at least 80% of payment fraud is likely to be coming from credit and debit cards, and yet all the actual data is ferociously protected by the issuing banks and the network brands. As a result, the only consistent assessment of fraud comes from the Nilson Report, which uses annual interviews of a few hundred banks and ‘Kentucky windage’ on the aggregate results. But there are many criticisms of this assessment, not least of which relates to recent changes in methodology that make US fraud look a bit less egregious than in the past.
What efforts have been made to get holistic and reliable data in the U.S.?
Probably the most noteworthy study is the annual LexisNexis report, which attempts to factor in the full costs of fraud (operational requirements, call center/customer service costs, card replacement, notifications, etc.), and typically comes up with estimates that exceed $100bn (mostly from card fraud), which contrasts with Nilson Report’s estimate of $9bn (out of $20bn worldwide).
Consumer surveys are fraught with problems that impact accuracy. One is that participants have poor memories and erratic performance on online survey forms that call for precise information on the circumstances and impacts of fraud. So, the real ‘counting’ needs to come from banks and networks and merchants that experience the fraud. The sooner that happens the quicker a consensus on the urgency and efficacy of solutions can be forged. Yet on at least three occasions in the 2000s, Fed officials proposed more comprehensive and detailed collection of data – from the banks and networks – only to rebuffed by the Fed official in charge of payments at that time. The justification for the rejection: the big banks wouldn’t like it.
Surveys from Oliver Wyman and the Fed continue to validate that security advantage for PIN, but the banks and networks continue to resist revealing the actual numbers for fear of negative consequences for these (and other) lawsuits, and likely regulatory responses that push PIN – which is much less lucrative than signature-debit for these dominating players – as an immediate expedient to combating fraud.
What are the motivations of the key players with the data – big banks and card networks – to not provide it?
It’s always been a bit dicey figuring out who the culprit is in the hiding of fraud data: the big banks or the network brands? Or both? For several of the biggest banks, their ability to deter fraud is considered to be a competitive advantage. As a result, they are loathe to share their insights and approaches with the rest of the banking industry. For the network brands, revealing the actual levels of fraud incurred in their ecosystems leaves them more exposed to lawsuits and regulation. That exposure heightened with the three merchant lawsuits (from Walmart, Home Depot and Kroger) against Visa over restrictions by the network on the use of PIN, when everyone in the universe except the networks acknowledges that signature-debit has historically been five to eight times more fraud-prone than PIN. Surveys from Oliver Wyman and the Fed continue to validate that security advantage for PIN, but the banks and networks continue to resist revealing the actual numbers for fear of negative consequences for these (and other) lawsuits, and likely regulatory responses that push PIN – which is much less lucrative than signature-debit for these dominating players – as an immediate expedient to combating fraud.
What can be done to circumvent this behavior?
The brands advocate replacement forms of authentication, using ‘dynamic data’ instead of ‘static data’ such as PINs. However, they continue to use and incentivize signature-debit (and credit) with card account credentials such as 16-digit PINs and expiration dates: ‘static data’ still flowing largely impeded in the clear! Such self-serving duplicity and disingenuousness not only constitute a rising threat to national security, but also serve to keep bank issuers buried deeper and deeper in fraud and extraneous costs for continuing to support signature.
One promising development, however, is that Mastercard recently came out of Visa’s shadow to declare that the ruse of gathering signatures at the point-of-sale in the fantasy that they provide any sort of cardholder authentication would come to an end by April 2018. Further, the Federal Reserve is on track to gather and collect better and more complete fraud data via a number of initiatives, including support for its faster and secure payments initiatives produced by industry task forces.
What are the consequences of getting full and accurate data?
Availability of complete and actual fraud data would provide both the levels of urgency for improving the most heavily exposed payments environments as well as targeting the best solutions that can be arrayed to make those improvements, fostering a cost-benefit assessment that takes into account impacts on all participants in the payments value chain. Without such data, the US remains burdened with extraneous investments in such self-serving card programs as PCI ($30bn spent so far to protect account credentials passed in-the-clear instead of investing in end-to-end encryption at the outset), and EMV ($15bn spent for a 20-year-old protocol that retains card credentials in the clear, and defers to lowest-common-denominator solutions in the service of interoperability to foster card acceptance over the best security).