This is been a big year for cards: new technologies, the EMV liability shift in the US, the cap on interchange fees and PSD2 are just a few examples of developments this year. But how has this affected 2015, and how will things change in 2016? Industry experts comment on what lies ahead for the card payments industry
TJ Horan, vice-president, fraud solutions, FICO
The biggest news this year from a card fraud perspective was, of course, the liability shift in the US and the mass introduction of chip cards there. This was a milestone in reducing the amount of card fraud in a country that has become a global target for fraudsters.
Go deeper with GlobalData
According to The Nilson Report, the US accounted for 48% of global card fraud in 2014, while it accounted for just 21% of card sales. The vulnerability in the US has had global repercussions: 50% of UK counterfeit fraud is in the US, and the US drives high levels of counterfeit fraud for many other countries as well, including Spain (42%), the Netherlands (60%), Mexico (42%), Japan (41%) and Canada (47%).
In May 2015, EMVco, the organisation that develops and administers Europay, Mastercard and Visa (EMV) schemes, reported that just 7.3% of US cards were chip-enabled, compared to 84% in Europe Zone 1, 60% in Canada and Latin America, 50% in Africa and the Middle East, and 25% in Asia-Pacific. Both retailers and consumers struggled to adapt to the use of chip cards.
Despite the liability shift, card fraud remained high. Large-scale data breaches at retailers, credit bureaus and telecommunications firms have exposed millions of cardholders’ account data, which FICO saw turning into card fraud in 2015.
For example, in April FICO reported that card and PIN skimming points of compromise at bank-owned ATMs in the US had increased 174%, comparing the first four months of 2015 to the same period in 2014. Non-bank ATM compromises increased by 317%. This spike appeared to have been part of attempts to ‘get it while the getting is good’ before the EMV liability shift took place and chip cards became more prevalent in the US.
US Tariffs are shifting - will you react or anticipate?
Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.
By GlobalDataFICO also benchmarks card risk and performance in the UK. While we saw continued stability in mature accounts, there were worrying signs for new accounts, as over limit spending and delinquencies both rose.
We also saw the continuance of large unused exposure levels, which warrant reviews of both usage and risk.
Across both the fraud and risk dimensions, we saw an increasing focus on customer experience. This theme has been particularly strong for the past few years since the recession.
Contactless consumer use and mobile banking are part of this trend. I have seen growing interest in communication services that enable issuers to send an interactive SMS to cardholders when a card is blocked, or before, so that the cardholder can instantly validate spending activity.
2016
Next year promises to be a dynamic one on the fraud front, as criminals change tack to make up for the increased protection from chip cards in the US and mobile/frictionless payments strive to exceed customers’ expectations.
Some of the trends we predict for the US are:
- Card-not-present (CNP) fraud will soar. While EMV reduced payment card fraud in the UK, it was accompanied by a spike in CNP losses, and in the years since CNP transactions have grown tremendously. US issuers should prepare for a similar spike, raising CNP fraud above even the level where it is today;
- Counterfeit fraud will decrease – except where issuers have adopted EMV poorly;
- New point-of-sale (POS) processes and changes will lead to opportunities for POS fraud because of the need to train both merchants and consumers on the new terminals;
- Non-chip ATM locations will be targeted;
- EMV is likely to exacerbate tensions with merchants (and consumers) over fraud rates and declines;
- Criminals that had targeted the US may look for other countries where they can exploit weaknesses in defences;
- Criminals will also migrate from card fraud to application fraud, deposit fraud and other areas, and
New payment channels – P2P, mobile payments, and wearables – will present new opportunities for fraud.
Authentication will continue to be a hot topic for card issuers, and will drive innovative new approaches. We are already seeing the push for new standards in this area, with initiatives such as the Mobile Identity Authentication Standard (Midas) Alliance in the UK.
From a risk perspective, I anticipate further regulatory compliance requirements. There is a concern that in the UK, poor-performing new accounts will move into the ‘established’ vintage, and unless issuers improve decisions on the front end, they could end up with a portfolio that contains increasingly bigger numbers of risky accounts. This could lead to a tightening of originations criteria.
In some countries, we expect to see continued implementation of annual fees to counteract drops in interchange fees and to subsidise reward schemes. As margins suffer, the use of optimisation — analytics for determining decision strategies that meet specific portfolio goals — will become more widespread, in pricing, credit limit-setting, credit limit changes and collections.
We also see the expanded use of smartphones as a communications channel for payments, marketing, collections and fraud messages.
I will also have my eyes on how the UK’s Financial Conduct Authority moves forward in spring with its credit card market study — the potential remedies listed would require issuers to change strategies, policies and systems.
Mike Pierides, Marco Santori, and Sarah Atkinson, Pillsbury Law
In the UK, the launch of the new Payment Systems Regulator (PSR) was a development which in of itself indicated the increasing focus on payments as a standalone sector, and is a signal of further changes to come.
The PSR operates independently of the other banking regulators in the UK, and has its own statutory objectives including the promotion of competition in the sector. The PSR’s impact will, of course, take a number of years to be determined; however, opening up access to new market players will be at the centre of much of what it does.
For example, we expect the PSR to take a more prescriptive approach to indirect access terms and services than the sector currently has under Payments UK’s (the sector’s trade body) voluntary code.
Faster Payment transactions continued to grow in 2015, and the PSR announced its support for initiatives which encourage and progress development of technical solutions to facilitate access to payment systems.
In December 2014, Faster Payments published its New Access Model, which set out plans for a technology accreditation programme.
Whilst the PSR has stated that it believes that the industry is best placed to design and develop solutions to facilitate technical access to payment systems and is not prescriptive in its approach, it will nevertheless encourage commercial operators to develop service propositions, therefore we anticipate an increasingly competitive market pursuant to which payment service providers will not require access through ‘traditional’ sponsor banks.
Generally, 2015 saw a continued move towards the opening up of the sector to a larger number of participants. This includes the continued growth of fintech entrants such as Transferwise, and new service intermediaries who overlay the existing payments and banking system.
Apple Pay arrived in the UK, storing bank details on users’ mobile phones and making it easier to pay for goods. Innovations in technology, of course, continue to drive many of the changes in the sector, both in terms of the services being provided and the identity of the providers.
Probably the most disruptive technological development in 2015 has been blockchain technology. Blockchain, once implemented, would in theory remove the requirement that the parties to a transaction use a trusted intermediary. It does so by replacing the intermediary’s central database with a distributed consensus mechanism which would enable all parties on the network to take part in verifying and confirming the transactions that take place on it.
Less than two years ago, banks, securities exchanges and financial services companies looked at Bitcoin with disdain because of its currency use in connection with now-defunct internet dark markets like the Silk Road.
Now, nearly every large bank in the world has begun to dedicate significant financial resources, brainpower and political will to developing the blockchain platform for use within their organisations.
Looking forward
The direction of travel will continue to be towards more entrants and overlay services within the payments sector. This should be influenced by the PSR, which has amongst its central statutory objectives the promotion of competition in the sector.
The terms of sponsor banks for indirect access and the indirect access service provided are coming under increasing scrutiny, by the sector’s trade body as well as the PSR. We can expect a greater emphasis on better and clearer terms of service, and an improvement in the way in which sponsor banks and the non-bank indirect payment service providers engage, as a result of directions issued by the PSR as well as by trade guidance issued by Payments UK.
The move towards greater direct access, in particular to Faster Payments, through accreditation of technology providers will also continue. The support from the PSR for accreditation programmes and its proposals to improve technical access will continue to encourage existing operators and new entrants to develop and progress new service offerings.
The New Access Model white paper was published by the Faster Payments Scheme in December 2014; however, the accreditation programme has been progressing through 2015, on completion of which four technology providers will be accredited: AccessPay, Aevi, Compass Plus and Dovetail.
Increased competition is likely to be seen in the tap-to-pay mobile payments market; in the Next Generation of Payments Attitudes to Payments Research Report 2015 report issued in September, Vocalink commented on the potential opportunity for banks to enter this market, benefitting from the trust customers have in their banks.
In October, US bank Capital One became the first US bank to release a tap-to-pay functionality in its Android app; further banks are expected to follow.
As banks and financial institutions invest money in blockchain technology, there may well be a re-emphasis on cryptocurrency technology. Blockchain, as a database behind cryptocurrencies, can itself be implemented to create a so-called ‘private’ or ‘permissioned’ blockchain that may be used by trusted or semi-trusted members of the general public who are granted access to the network.
There are cases for uses of blockchain without cryptocurrency, in particular in B2B and bank-to-bank transactions, including in the payments arena by replacing settling transactions between networks of semi-trusted financial institutions.
However, a cryptocurrency itself does away with the need for centrally controlled and regulated money supply, and its application in the world of banking and payments could be truly disruptive to existing systems and institutions.
Finally, it’s a fair guess that the cyber resilience of technology solutions and overall corporate organisations to attacks will no doubt come into further focus in 2016.
This is, unfortunately, a topical issue, as global geopolitical issues, in addition to ‘regular’ financial crime, may no doubt lead to greater pressures on banking and payments systems.
John Marsden, fraud and identity expert, Equifax
Need to log onto something? Then, like me, I suspect, you just head for the ‘forgotten password’ link from the outset, as the futile efforts to remember different complex passwords seem fruitless.
The very human condition of forgetting seldom-used passwords or PINs for credit cards is natural. We are told to keep complex and different passwords for every login, to keep PINs different between cards, and never write them down. I suspect that there are some very capable people that can recall 30 different passwords and 15 PINs at will, but unfortunately I – and I’m sure many others – can’t.
This gives a rise to particular problems, for example those unused cards at the back of my wallet. They simply don’t get used either at point of sale or with 3-D Secure, despite the password reset function on 3-D Secure being as simple as the issuers can make it.
After four to five password resets I become lost in a lake of special characters, destined never again to remember the password I seek. Card issuers therefore need to make cards easier to use to get them to the ‘front of the wallet’ if they want to be the card of choice for an individual’s spending.
Despite the various opinions about the use of adaptive authentication with certain cards within 3-D Secure, these cards rarely prompt for a password, and therefore relatively quickly became front-of-wallet. This goes some way to demonstrating that reducing password fatigue massively changes cardholder behaviour.
A debit card empowered by this adaptive technology is by far my most used card and, probably more significantly, has prevented me from switching my bank. I have actually opened another account, tempted by the cashback offers, but the new account goes largely unused – it has just too much friction to deal with.
So what implications does this have for biometrics – the use of technology to digitally assimilate a particular biological pattern and recognise it again – authenticating against something the typical Joe Bloggs can’t forget? Be it fingerprints, iris, facial, voice, heartbeats, vein patterns, ear shapes or even just how you use your device – they are considered unique, can’t be forgotten and can be produced on demand. In combination, two factors of biometric authentication can be extremely robust.
Following the biometric authentication already seen with Apple Pay and contactless payments, MasterCard’s initiative with Zwipe to issue fingerprint -enabled cards, for example, is significant with the PIN requirement dropped and replaced with a fingerprint scanner embedded into the card itself. With no need for any external technology, such as a smartphone, this is a card that would fast become a front-of-wallet choice for me.
As yet, I have not been offered this choice, I suspect due to the cost of the card itself, which is unfortunate as the announcement of this technology was made more than a year ago.
But even though this new technology is harnessing biometrics and creating a frictionless experience for the consumer, how does fraud continue to creep into such an ecosystem, where personal traits are recorded and replayed to both enrol and operate within a trusted framework?
First, we need to consider what an identity is, otherwise we could be enrolling the account holder to an identity which does not belong to them. In simple terms, impersonation may start before a facility is opened. Without some underlying ‘absolute truth’, the system will always have the ability to be compromised.
I suspect that the fraudsters’ attacks may focus on the compromise of the electronic signalling that constitutes the biometric; if a signal can be intercepted, it can be replayed. We only need look at the compromises of PIN cards, despite this chip vulnerability being fixed. Basing our trust on the PIN card chip enabled the attack by introducing an additional layer which changed messages between the chip and the point-of-sale terminal.
Biometrics offer significant advantages to the consumer, enabling security and convenience, as well as delivering competitive advantage for card operators. The fear of being biometrically profiled seems to have disappeared for individuals. In a USAA case study, for example, when financial services customers were offered enrolment to a face-and-voice-verification service, adoption by over 50s was as quick as for the younger generations.
Biometrics offer convenience, far from a new battleground as providing convenience is why card systems exist. The functionality offers a solution to the friction needed to increase trust within the system, and a solution to the password fatigue and PIN overload we as consumers suffer in today’s world.
Philip King, founder and CEO, myPINpad
Overall, I would be surprised if there were any major new trends in 2016.
Rather, I would expect to see the continuation and consolidation of what we saw in 2015:
Biometrics: vendors will continue to push their wares while they have the chance and banks will adopt almost all of them in order to look progressive and stay competitive in the face of the far more nimble ‘challenger’ banks.
Regulation: PSD2 will open the doors to ‘money’ managers. With the ability to centralise every aspect of a person’s financial record into a single app, brand new services – for the EU market anyway – like instalment payments, instant credit, loyalty / reward consolidation and so on will begin to replace individual banking apps.
Banks will struggle to keep up: Leading on from this point, banks will struggle to keep pace with innovation. Will they be able to take on challenger banks? More to the point, will they want to?
The progress of the "Pays": GooglePay, ApplePay, PayPal and Samsung Pay will continue to disintermediate and will gain footholds, having achieved access to bank account information, enabling all sorts of propositions such as up-selling.
Consolidation: With such a diverse and huge market of propositions and solutions, the consolidation of large-scale or strategic domestic operators to produce a number of pan-European processors is inevitable.
Identity Assurance: Authentication will continue its decentralisation down to the mobile device, and will slowly be seen as an important step in the right direction toward proper identity assurance. There will be a proliferation of services similar to miiCard.
Software PIN will be implemented, representing a major threat to hardware manufacturers and a huge opportunity for every other ecosystem player and the terminal manufacturers if they grasp the need to build alternative business models.
There could be a race to be first in market, but it will be a marathon not a sprint, and new use cases will emerge, some of which will assist PSD2 compliance.
Authentication will slowly be recognised as key to the ‘glue’ that holds all together.
Identity and, in particular, federated identity will continue to be debated and sought at length, but no single solution is possible so it will not emerge, but debate will be consistent and building.
Privacy Concerns: The vast increase in mobile device functionality naturally involves a vast increase in the requirement for identity assurance, which has an equal and direct negative impact on privacy. The more functionality you want, the more of your privacy you have to be willing to surrender.
Security: Both handset and mobile application development have primarily focused on either aesthetics or functionality. The continuing decentralisation of authentication and payment functionality will demand stricter standards for security. Regulatory compliance will be far behind, but it is coming.
Christoph Tutsh, founder and CEO, Onpex
If one thing is certain in the world of payments, it is that it is fast-moving and ever-changing. This means that predictions are difficult, but critical.
As an industry, we are still searching for unifying standards in payments, in security and in authentication.
This means that the pressures and challenges that one company might face will be the same for many others.
What we saw in 2015
Bitcoin and cryptocurrency: At the beginning of 2015, cryptocurrencies started moving into the mainstream. It was in the latter half of the year that the legal status of bitcoin and other cryptocurrencies was confirmed, and more and more payment providers are accepting cryptocurrency payments;
Mobile payments: Mobile commerce is booming. Figures from earlier this year suggested a 77.8% growth in mobile commerce on 2014. To put this into perspective, retail from desktop computers grew by only 2%, according to MyCustomer.com. Mobile is now the consumer platform of choice;
EMV liability shift: 1 October saw the EMV liability shift in the US, and this, ironically, was one prediction that many might have either got wrong, or certainly mistimed. The predicted wave of CNP fraud has yet to materialise, and this is largely because despite the fanfare of publicity, the US was not ready for the liability shift. It could be years before the US is fully EMV-compliant;
Fraud prevention: 2015 saw data breaches like never before. High-profile data breaches, some by hackers, others, it would seem, by governments, focused the minds of the industry and consumers in general on security and fraud prevention. What went from being something we took for granted in our financial technology became something that new technology is being built around, and
Markets of interest (China and Brazil): For Onpex, we put focus on China and Brazil this year. China is, of course, a booming market; indeed, it is the booming market for payments. Yet, at the other side of the world, so are Brazil and the wider Latin America.
The global growth of mobile has democratised e-commerce as never before. So, in markets such as China and Brazil, consumers who might not have the resources to access a laptop or Wi-Fi certainly have the resources to access 3G and a smartphone – putting commerce in the palms of their hands.
What we can expect in 2016
Blockchain: As cryptocurrencies were hyped in 2015, 2016 will see the growth of blockchain technology to regulate and assure cryptocurrencies. More than this, though, the potential of blockchain to work with other payment methods and currencies is significant;
Omni-channel conversion: E-commerce and, latterly, mobile commerce have made consumers more demanding. And rightly so. Part of this means that customers are increasingly demanding to pay on the platform they want, with the payment method they want and in the currency they want. In 2016, more and more merchants will start to offer omni-channel payments as they try to keep up with demand;
Data security, identity and authentication: The fear of data breaches means that there is more demand for secure, identity-based authentication. From ID scanning to biometrics, we will see more development and more products coming to market. But, will they be able to offer the unobtrusive authentication that consumers want?
Banks vs fintech or banks and fintech: Just like 2015, next year will see a vast increase in fintech companies that are popping out of the group. However, the majority of fintech companies see banks as old dinosaurs and their aim is to replace them. However, fintechs fail to realise that they cannot survive without banks;
Fintech faces regulation: As just stated above, fintech startups are increasing rapidly. The majority are not recognising the massive regulations that they have to face. Regulation is simply a must, and
Go east! Asia, Australia and New Zealand will see the focus of Onpex’s activity in 2016. Fertile grounds for fintech and fertile grounds for commerce. We predict great things for these regions.
Tamer El-Emary, SVP & Group Head, Issuing, UK & Ireland, MasterCard
2015 was a seminal year in the way we pay for things. Every year has its milestones but this one is marked by large scale behaviour change among consumers and retailers.
This was the year that electronic payments overtook cash payments for the first time in the UK. We saw 560% year-on-year growth in contactless payments across our network but we experienced growth in many other European markets.
We’re embracing contactless payments like never before. Just look at Transport for London passenger use – and the effect that has in onward use of cards to tap and pay for everyday items – and it represents a seismic shift in confidence and adoption.
This opened the door for the increased £30 payment limit later in the summer and the recent news that London taxis will soon accept contactless. It has also paved the way for all kinds of digital payment forms and applications.
Most notably, contactless is the solution-of-choice for the big mobile payment schemes. Apple Pay landed in July, and we’re seeing increased retailer acceptance of the payment option for transactions above £30 and most card issuers are now on board. As the new entrants arrive next year in the form of Samsung Pay and Android Pay, I expect this to have a multiplier effect on adoption and use of all of the mobile payment schemes, and further use of biometrics in the marketplace.
Fingerprint is already well established as an authenticator but 2016 will be a huge year with more applications and biometric types gaining traction – including our Identity Check product which uses facial recognition, and the Nymi wristband which works off the users’ electro-cardiogram or unique hearth rhythm.
Pay-at-table solutions took off this year, with Wagamama, MasterCard’s lead partner, allowing customers to pay from their phones whenever they chose. More and more restaurants, cinema and stadia have seen the business benefits this has and are starting to adopt the Qkr! app.
This year’s Rugby World Cup was the first to see all of the stadia fully equipped for contactless, but I expect 2016 to see the reduction of queues and payment forms changing in social and cultural scenarios.
And for the owners of SMEs, banks will next year develop more attractive and relevant card products targeting this group that squarely meet their needs, as opposed to the consumer propositions they tend to leverage today.
Lastly, looking ahead at 2016 we can expect banks to make a more aggressive play in the mobile banking space and offer customer much more.
Consumers are surrounded by new payment choices but even in this digital age they continue to trust their banks the most for their financial needs. While we are working closely with digital giants such as Apple, Samsung and Google to roll out their payment services, we’re also working with the banks to create their own payment functionality embedded within their existing hugely popular banking apps.
