Voices In Payments - By PaymentGenes

SCA education for Merchants, Fraud rate optimization & The Impact of COVID-19 ❖ Spencer McLain - Ekata

Episode Summary

In this episode, Diederik Klopper discusses SCA education for Merchants, Fraud rate optimization & The Impact of COVID-19 with Spencer McLain, Vice President & General Manager, EMEA from Ekata.

Episode Notes

Ekata is the new standard in global identity verification, providing businesses worldwide the ability to link any digital transaction to the human behind it. Ekata helps cross-border digital commerce companies grow their revenue by maximizing predictability using our global identity verification product suite.

Listen to the podcast to find out:

If you’re curious to find out more about how Ekata can grow your revenue through their global identity verification product, please reach out to Spencer McLain (Ekata) for a conversation.

About PaymentGenes's "Voices In Payments" - The Future of Payments podcast:

The “Voices in Payments” Podcast is an initiative launched by PaymentGenes to positively impact the payments community by educating and connecting the market with vertical-specific industry expertise.

PaymentGenes Empowers Business growth by providing expertise-driven Recruitment, Contracting, Business Strategy Consult, and Data Strategy Services. These services all resolve and intersect around payments. Learn more about how we can help your business here.

Episode Transcription

Hi everybody. Welcome to the PaymentGenes podcast series Voices in Payments. I'm your host, Diederik Klopper. In this podcast series, we will talk about the recent developments in the payment industry. Hi everybody. Welcome today to this PaymentGenes podcast. The first one we recorded live here at the Ekata office in Amsterdam. Today we have with us Spencer McLain. Spencer, a warm welcome to the show. Thank you, Diederik. Hey Spencer, I always start with the same question. Nobody woke up one day and said, I'm going to be in payments. How did you stumble into payments? That's a great question. I'm vice president and general manager of EMEA for Ekata. Ekata is a global identity verification provider focusing on helping acquirers, issuers, and eCommerce companies understand the risks behind phones, addresses, emails, and IPs.

00:57

I've been at the company for five and a half years now. I started as an inside salesperson and climbed my way up from there during my time with Ekata. When I was living in the United States, I moved to Amsterdam about a year and a half ago, but when I was in the US I was working with Visa, and through Visa I was actually working directly with CardinalCommerce, and I learned a lot about 3D Secure, specifically the 3D Secure 2 protocol. Mind you, this was three and a half years ago, and here we are, 3D Secure 2 still isn't really out yet. No. We had this great project going on with Cardinal to help them build an access control server for Visa. Through that process, I learned a ton about payments.

01:43

We ended up winning a deal with Cardinal, but it was a lot smaller than it should have been because 3D Secure 2 still isn't at scale in the market. We learned a lot about the data that the merchant's passing down through their MPI, which then goes to the directory server, to the access control server. Visa, through Cardinal, only makes a recommendation that small and medium-sized issuers can take to make a decision: should they authenticate or not? Yeah, from there, I moved to Europe, and then we started talking about PSD2 and we started working more and more in payments. I like to think that I am fairly knowledgeable about payments, but it's the space where you learn more and more every single day. I mean, there's not a day that goes by that I don't learn something new about payments.

02:27

I'm excited to see what happens in Europe and, in the rest of the world over the coming years now. Exactly. That not as gathering that we as well, that night to Tinder, to amongst others, this podcast series, we see that there's a good general basic notice within the payment value chain, but the real expertise is vocalized in each niche. I think that everybody benefits by discussing the hot topics that are currently around such as three such ESPYs to of course, the PC too, is the buzzword. It has been already for a few years. 


 


 

03:00

I should just be focused a bit more on 3D Secure and strong customer authentication. Can you just, in layman's terms, what is it about and how does it work?

03:10


 


 

Yeah, so strong customer authentication is effectively a way for consumers to prove they are who they say they are, and it involves three components: something the customer knows, like a password or PIN; something the customer has, like a phone or a hardware token; and something the customer is, like a fingerprint or face recognition. Strong customer authentication requires that the consumer does two of those three things. You can use a password and a Face ID through your iPhone, for example, and there's lots of different forms to do this. At some level 3D Secure is just a way to satisfy the requirements for strong customer authentication.

03:51

There will be more ways in the future, and there are more ways now, but 3D secure is the one that pretty much every merchant out there is planning on using at scale when PSD2 starts getting enforced at the end of the year. 


 


 

04:02

If we're looking at more recent developments, what are alternatives to 3DS?

04:07

Well, there's a lot of developments around delegated authentication, which is a mechanism in the 3D, sorry, in the PSD2 protocol that allows for the SCA to be taken over by the merchant. I've seen some interesting things through copy of top where they're developing mobile apps for merchants that take care of the authentication natively as part of that application, which is really interesting. Definitely as an alternative for a low-friction authentication method versus 3D Secure, which inherently has some challenges with step-ups and needing to know your passwords.

04:45

Yeah. It creates friction along the chain. So I can imagine it as well. The merchant itself most likely has the most accurate data about who their customer is as well. Well you have to have log ins. 


 


 

04:57

Yeah, they do. They do. That leads me to a common theme in the ecosystem, Diederik, which is, the merchant has all of this incredibly rich data about the transaction, about the consumer, and the issuer just doesn't. The 3D Secure protocol is supposed to bridge that gap at some level. 3D Secure 1.0.2 only allowed for 11 fields to pass down from the merchant to the issuer. Even then the issuers, they don't have the muscle, they don't have the data science muscle to really make sense of that data, just 11 fields. Now in 3D Secure 2, you're going from 11 fields to over a hundred fields, which sounds great. But that challenge and use it exactly.

05:36

Now these issuers that weren't able to handle 11 fields are expected to handle over a hundred fields, which kind of takes me back to the anecdote I had with CardinalCommerce, which is, Visa, through Cardinal as the access control server, was trying to make a recommendation to the issuer. I think we'll see a lot of that in PSD2, with the transaction risk analysis, the TRA, that I'm sure we'll talk about a lot in detail during this podcast. At a glance 3D Secure and SCA seems to be something that should dramatically reduce fraud across the ecosystem here in Europe. If I implement this correctly and everybody can make use of it. Well, that's the challenge, it's not implemented really at all right now. The deadline for enforcement is December 31st this year for a dozen countries.

06:25

There's probably another dozen countries that haven't announced an enforcement date. You have the UK, which I think is September of 2021. So it'll be a gradual rollout. The fear in the ecosystem is that, for those countries then, for us at the end of the year, and it goes live Jan one, like what's going to happen to these transactions because what we've seen is while the merchants might be ready and the acquirers at some level are ready, the issuers just aren't. Yeah. So will be two declines. That's the, that's theory. The general sense in the ecosystem is that there'll be a sharp increase in authorization, declines, come January 1st. Yeah. 


 


 

07:01

What's Ekata's part in this whole?

07:05

Yeah. Going back to the increased data in 3D Secure 2. In 3D Secure 1, the only field that Ekata could really enhance was the IP address, right? The IP address was passed down as part of the old protocol. That's something that we have good data on, but really our service is maximized, the efficacy we can provide to our customers is maximized, when there's more data. Our APIs and our web interface ingest name, address, phone, email, and IP. All of those are conditionally required as part of 3D Secure 2, unless the merchant doesn't have it. For example, I mean, you look at a marketplace like Delivery Hero. You're not going to be collecting all of those fields all the time.

07:46

More data will be passed down from the merchant to the issuer through the rails, and the issuer just doesn't have the data science resources to really make sense of all of that. We're helping merchants, MPIs, ACSes, and acquirers understand all of this data that's coming down: is this person who they say they are, does this phone number match this name? How old is this email address? Is this IP address risky? So our solutions provide intelligence on the PII that's provided to the merchant.

08:20

 

Yeah. So I think there's all general sentences. Adept neat issuers are not ready for this many expect. I think still that's the deadline will be moved up again. The do you see this happening at all? Or do you say now we've seen it already happened a few times before the ordination 31st December, that's it. And it's not moving.

08:39

I think everyone should prepare for that day. The EBA has come out recently, like in the last two months, and made a statement that they're not moving the deadline again. There are still many industry bodies that are lobbying for them to change their position. I think no matter when the deadline is, no one's going to be completely ready. At some level it's time for the industry to just rip off the band-aid and to feel hurt. It will hurt, but it's going to hurt even if the deadline was a year, if they push it out a year. Yeah. Like, people are going to deprioritize the project and work on other things. We're going to be in the exact same place we are today, a year from now. Everybody's like, oh, we're not ready. Let's push it out again.

09:18

It will go live this year as my expectation. There will be some pain, but the good news is, the largest geography for e-commerce. The UK and Europe is delayed until September. So. 


 


 

09:33

Take the lessons that have been learned from the issuers that have gone live 31st, 2020. 


 


 

09:38

Exactly. What's funny is that the UK is actually the most ready of anybody. Some of our listeners might be aware of the Microsoft studies they've been doing, and in those studies we find that issuers in France and Spain are not ready at all. Like, the conversion drop-off and the authorization drop-off is severe in those geographies. In the UK, the issuers in general are ready, and the drop-off that Microsoft saw there was quite minimal. I think that merchants that have the majority of their business being in the UK should feel really good, even if the deadline was December for the UK, which it's not, but merchants that have the majority of their business outside the UK, like, there's definitely some fear there and there's gotta be some pain.

10:23

Yeah. What is the main difference between the UK and, for instance, Portugal, Spain, France? Is it just clear mindset or has it been regulatory compliance or what's the main positive,

10:35

You know, that's a really good question. I mean, at some level, 


 


 

10:39

Or are they already making use of your services and therefore they're compliant?

10:43

We, I mean, we work with some acquirers, and Checkout.com's a customer, and we certainly help them with this, but Ekata is definitely not the reason why the UK is more ready than other countries. I mean, I think there's a lot that goes into it. One, I think that UK issuers are a bit more sophisticated and data savvy than issuers on the mainland. Two, Brits just work harder than other Europeans, and that's not a stab at other Europeans. I've definitely enjoyed living in the Netherlands and benefiting from the increased work-life balance here. I definitely enjoy the lifestyle, but the Brits are the closest that you get in Europe to Americans, right. They work hard, they work all the time. They don't take month-long holidays in August, like the rest of the continent does.

11:23

I think that a combination of the work ethic and just the data sophistication, savviness of UK issuers is the reason why they're a bit more ready than the rest of the countries in Europe.

11:37

Putting aside the issuers for now for a second, looking at the acquirers and eCommerce companies, what are the main hurdles they still need to overcome before they're fully compliant? Well, the large merchants

11:49

Are in general ready, or they've been doing a lot of testing. They've been working very closely with all of their acquirers to make sure that all of the mechanisms are in place to allow them to do SCA properly with minimum friction. I think the big gap is with the small to medium-sized merchants, where they just don't know what to do. At Ekata we've been talking to a ton of acquirers over the last nine months. We actually did a survey with StratGranat in February where we spoke to 36 leading acquirers in Europe that accounted for about 60% of overall e-commerce in Europe, and not just in one country, but across the entire region. We found that the acquirers in general understood the regulation. Very few of them were treating strong customer authentication as a strategic differentiator, but they knew what they were doing in general.

12:44

We'll go back to that about how they're differentiating and whatnot. The biggest gap that we found in that survey was just the education piece. These acquirers, they weren't proactively educating the small to medium merchants at the level that they should. Now fast forward seven months later from February. Now we're almost at September and that education has ramped up, but the deadline is rapidly approaching. I feel that unfortunately the small to medium merchants are the ones that are going to be hurt the most by this.

13:15

I've already been hurt to Tacoma. This will be an extra headbutt to, yeah, well, depending on what I need done, depending on. 


 


 

13:22

What industry you're in. I mean, the majority of Ekata's customers are in e-commerce and we have a significant portion of customers in travel and hospitality, and those are way down. I mean, we're sitting in a building that the Booking.com fraud team works in a few floors up, and I'm a loyal customer of Booking.com and I've been going on as many trips as I can. In general, their business is way down, and KLM's another customer, their business is down, but our e-commerce customers, their business is way up, especially the ones in electronics as people are setting up home offices and whatnot.

In general, e-commerce has benefited from COVID from a sales standpoint. I mean, COVID certainly led to a lot of other challenges that they've had to overcome.

14:04

The larger eCommerce companies certainly have the resources to overcome a lot of the remote work culture challenges that came up from the pandemic. Yeah, the small eCommerce companies, I mean, they're just getting the short end of the stick here.

14:19

And they had to adjust really quickly. A lot of them have taken this opportunity to migrate to, and to also have an online presence for the field of expertise they don't have internally. What are the main questions they should be asking their payment providers, their prior search that are banks, 


 


 

14:37

They should be asking for just a full roadmap on what PSD2 compliance looks like. What do I need to do? When do I need to start on it to make sure that I can be ready? But at some level, if you're a merchant and you only work with one, two, three different acquirers, it shouldn't be that hard for you to get ready. I think the ones that you mentioned, where a company didn't do e-commerce before and then did e-commerce because of COVID, those are the ones that are in the worst position of anybody, because they just don't have the eCommerce experience in general.

15:05

They don't have the payment processing knowledge in general, but we've really been advocating for the acquirers to take the lead here and hold the hands of the merchants and to teach them exactly what they need to do. Some of them like Adyen have done quite well, but other ones, especially the small to medium size acquirers, they haven't done as well. 


 


 

15:23

That due to a lack of expertise or that their focus hasn't been on it, or I'm trying to figure out why, because it's, it should be their key way of getting business into the door. 


 


 

15:34

I think so. I think it's a resourcing issue. You're a smaller acquirer, you don't have the resources to have a dedicated PSD2 person like Worldpay does with Charles Darwin, who you might know. Charles is great. He's like probably the most knowledgeable person around PSD2 that I've ever met. If you're a small acquirer, you're Payvision here in the Netherlands, like, you don't have that budget and that head count to make that happen. And so you're focusing your resources elsewhere. We speak to a lot of acquirers, a lot of big acquirers, that don't know what they're doing either, frankly, and I'm not gonna call out any names. It is what it is. There is a huge knowledge gap in the ecosystem, not just with merchants, but with acquirers.

16:18

I suspect with issuers too, although that's a part of the ecosystem that we don't interact with directly very often. Yeah. 


 


 

16:24

You mentioned as well that not a lot of acquirers are using SCA as a differentiator to really use it to their advantage. What are some of the ways that they can use it to their advantage? Yeah. So when you look at PSD2,

16:38

It mandates the use of strong customer authentication on all transactions. Yeah. A few exemptions here and there, but exactly. The differentiation I refer to, it's about maximizing the exemptions. First you look at the fraud rate, right? The fraud rate of the acquirer, not the merchant. This is actually a point where there's a bit of confusion, right? But the ecosystem needs to know that it's the fraud rate of the acquirer, or the reference fraud rate, that defines whether it's low risk or not. Exactly. If it's under 30 euros, it's already low risk and you can apply for an exemption. If it's between 30 euros and a hundred euros, the acquirer's fraud rate has to be below 14 basis points. If it's between a hundred euros and 250, six basis points. Under 500, between 250 and 500, it has to be under one basis point.

17:26

Now, when you think about those numbers, depending on the acquirer's set of merchants, getting to under one basis point is impossible. You shouldn't do it. Like, honestly, don't do that, because what's gonna happen is you're going to be declining a lot of good customers, and then you have a whole separate set of issues on your hands. I've actually been surprised to hear that most acquirers view the six basis point fraud rate as the people. Now you have transaction any transaction under 250 euros, is there exempt from this year? Not necessarily, this is the challenge. If it's under 250 euros, it can be exempt if the acquirer does transaction risk analysis, which, transactional risk analysis, or TRA, is basically a fancy word for run a risk model. Tell me, give a recommendation to the issuer, a binary one or zero or true or false.

18:14

I don't know exactly. I was passed down on the rails on the historical transaction data. Yeah. Based on, yeah, the historical data and all the data you're getting from your merchants. The acquirer now has to invest in their own data science capabilities to be able to tell the issuer, okay, do I think this transaction is good or bad? And if it's good, I need to advocate for my merchant to say, hey, this should be exempt from SCA, which is especially important for the first, say, 12 months once enforcement happens, when 3D Secure 2 still isn't that frictionless promise that we all hope it's going to be someday. It's not there now. Like, it's not. SCA should be avoided at all costs.

18:53

The acquirers that are investing heavily in TRA, both in gathering more data from their merchants, because historically merchants weren't incentivized to provide data to their acquirers. In fact, you have GDPR that came out in May of 2018 that basically said, don't give your data to anybody. Acquirers aren't getting much data at all from their merchants. To look at Checkout.com, for example, they've been proactively working with their merchants for quite some time, at least two, three quarters, to get more data, right.

19:25

To get the phone numbers, the email addresses, to make sure device ID is standardized there too, for them to then be able to, in collaboration with Ekata at some level, build very robust models to make the most accurate recommendation possible, both to protect the acquirer's own fraud rate, to make sure they can remain below that six basis point threshold, but also to minimize friction by maximizing exemptions.

19:51

Yeah. Do you have any insights as to which data points are most valuable in that equation? So if the, you should be gathering any data, what are the most effective ones? Yeah. 


 


 

20:01

Yeah. Resoundingly, BIN number, and that one's actually pretty easy for acquirers because they get that already. Right. BIN number tends to be very predictive in understanding what issuers' behaviors are, because you can derive the issuer from the BIN number, right? Outside of BIN number, device ID tends to be quite predictive. In Ekata's world, email address and phone number, right? Physical address in general is pretty easy for fraudsters to fake, especially in very established markets like the UK and the US, where in the UK, I can go to 192.com and look up someone's address and get it right. Buy their credit card off the dark web. I go to 192.com.

20:42

I look up their address, and then suddenly I have the right address, right? Which, that's something that's defeated AVS checks for years, which is why AVS checks are historically very inaccurate, but emails and phones are a lot harder for a fraudster to fake. For us towards the credit card number, and as you already have, well, we don't key off credit card personally, but the acquirers do, and Adyen does a really good job at this of tying all those data points together in RevenueProtect, which is their own fraud platform that they offer to merchants.

21:09

For Ekata, like tying an email address to a phone number, or tying an email address to a name, or a phone number to an address, those are data elements that can identify synthetic identity fraud, where the fraudster is doing their best to fake the identity, but the data's just not available to them. Acquirers should have been, and if they're not doing it already, they should start doing it now, start working with their merchants in gathering more data and standardizing it, because I can tell you that is a multiyear project. Honestly. I mean, the bigger the acquirer is, the harder it is for them to get standardization across their merchant base.

even for the bigger.

21:44

That are already doing. I still sense that there's a, there they're still on the fence about certain things. Part of the organization, once you gather as much data as possible, but other ones, GDPR regulation is a, okay, let's keep it to a minimum because yeah. We need to adhere to all compliance in that sense. Even for instance, again, I know that part of the organization is not that happy with gathering more and more data. Well I'll just are benefiting it for mainly. 


 


 

22:11

Yeah. GDPR at the end of the day is not that hard to be compliant with. Right. There's a lot of fear in that ecosystem. Depending on your privacy counsel at your company, like, we're fortunate at Ekata that we have a very business-friendly privacy team, but we're on the up and up with GDPR, right? We operate on the legitimate interest carve-out and we only serve fraud prevention use cases. That's one, and two, we have all the proper mechanisms to allow European consumers to exercise their rights either directly with us or through our customers. For example, Checkout.com going to get a data subject access request, and then pass that down to us. We remove the data from our graph and whatever.

22:50

Yeah, I mean, GDPR and PSD2 kind of do conflict with each other because GDPR says, hey, be careful about who you share your data with. PSD2 says, hey, you should share more data, and they are conflicting forces. In my opinion, the dust is kind of settled on GDPR. I mean, it's what, two and a half years old at this point, everyone kind of knows what they're doing, but really what throws a wrench in that calculation is the Privacy Shield getting struck down, a month ago about. That makes it a lot harder for processors and sub-processors to work together. For the audience, the super high-level GDPR review: you have a controller, which is typically a merchant. You have a processor, which is typically your payment processor. You'll get those two confused. They're two different things.

23:37

Acquirers typically act as processors, where a merchant, the controller, will tell the acquirer, the processor, how to process the data. The processor could work with sub-processors. Now with Privacy Shield going away, it's much more difficult for a processor to work with a sub-processor. Basically the only way that can happen is if everything's siloed off within Europe. Fortunately for us, we have a data center in Germany, so that's fine. But Privacy Shield going away does certainly cause more hesitation than was there even three months ago.

24:08

Yeah. Do you see that as well as a limiting factor to expand to other regions outside of Europe, because of course having a data center in Germany, then you are allowed to serve the European market. How does it work for Asia Pacific Latin America? 


 


 

24:22

The nice thing about GDPR is it's the only consistent privacy regulation globally, right? There's a lot of strict privacy regulations in APAC, Vietnam, Australia. For example, Australia actually models a lot of their policies around the European Union, which makes it a bit more easy. It's a patchwork set of regulations in APAC, but in general, if you look at GDPR as the gold standard for privacy, you're going to be okay overall. The caveat there is, hey, work with local law firms. We partnered with Deloitte, for example, to help us understand all the regulations globally, because if you're a small eCommerce company or a smaller acquirer, like, there's no way you're going to know the regulations everywhere. You've got to rely on external counsel.

25:06

In general, GDPR is the most strict and also the most clear as to how the date to how the data needs to be handled. 


 


 

25:12

Yeah, exactly. We all should also shortly mentioned how you can make use of the exemptions. We talked about the fraud rates. Of course, there are a few other exemptions. Do you see merchants really picking up the gauntlet and say, okay, I'm going to change my business model, change my revenue model in order to make sure to can best make use of those exemptions. 


 


 

25:32

The large merchants will, and the small to medium merchants will over time, but only with the guidance of the acquirers. Those are the ones where they're going to have to feel the pain first, but where they make adjustments. I don't think that, it's not like everyone's going to shift their entire business to mail order telephone order, right? I mean, that's one of the exemptions, right? As an aside, we do at Ekata expect fraud to migrate to that channel, and companies to be ready for that. In general, people are going to continue operating the way they're going to operate. Then, over time 3D Secure will become more frictionless. Exemptions will become easier to get, especially as issuers adopt TRA more broadly. I mean, that's the other thing, it's like,

26:14

But it has it. And everybody can use it. 


 


 

26:16

Well, not just that, but just, even if the acquirer and the merchant do an amazing job and they're like, okay, this is a super low risk transaction. We did an amazing job with TRA and, like, this should be exempt. The issuer can just say no. They can just say no, they're ultimately the ones that decide. My guess is that it will take probably six months for issuers to really adopt things. The pain will be most severe in the first half of next year. The second half of the next year, it should be okay. Especially as the UK goes online in September.

26:50

Trigger to, incentivize the issuers in order to, yeah. To get up to speed. 


 


 

26:57

I mean, there really isn't one. I mean, those triggers are, if you falsely decline a consumer, it's likely that the consumer would put the card in the back of the wallet. Like, these are all risks that the issuers have known. The thing is when you decline someone, either the merchant declines someone, the acquirer declines someone, the issuer declines someone, there's really no way to know if you declined a good customer or not, right. Not every customer is going to call in to their bank being like, why did you decline my transaction? I mean, just last week I was in Corfu in Greece for holiday. And Bank of America declined my transaction. I've switched to my IBM card. I'm like, fine. I'll just use a different card and issue with know that they're never going to know that happens.

27:39

So, because there's a lack of visibility there, you can kind of put your head in the sand and be like, oh, this is normal to decline 14% of eCommerce transactions. That shouldn't be the case. I mean, billions of euros are being left on the table every year. Hundreds of billions of euros being left on the table every year because of false declines. It's what I view as kind of the final frontier of fraud prevention, right? It's not fraud prevention. It's revenue max, like maximizing your revenue, conversion optimization. Yeah.

28:10

I always make the analogy that if you're going to a bar and there's no bouncer and everybody can get in. Sure. If I could break out somewhere at three in Gacaca and at night, but if you walk up to a bar and there are 15 bouncers and everybody's checking your ID before you come in, you won't even get into the bar. There's somewhere, there's a balance of having a good party inside where everybody feels safe and making sure and having all the false declines of a party, people that just won't have a good time. But yeah. How do you find that balance in an eCommerce as an, as a merchant?

28:44

Well, only apply SCA when you have to per the regulation, but then furthermore, one thing that I've seen merchants do really well and I've encouraged merchants to do this sooner rather than later, because if everyone starts doing it in November, people are going to get fatigued and not look at it. Maybe six months ago, I got an email from one of each travel, these online travel agencies in the UK, where I've used them a handful of times to book flights. The email was explaining what 3D Secure is, what SCA is at a very high level for consumers and educating me on, Hey, this is what the experience is.

29:21

Basically to ready. You said, next time you're going to make a purchase, expect a SCA to be applied so that you have one extra step in the process, or, 


 


 


29:29

Yeah. So, and so merchants should start educating consumers now to minimize the drop off. Also when you're doing that, and if you do it now, before you get lost in the noise, because I expect everyone to do this in, like, November, if you do it now, before you get lost in the noise, you can also advocate for the consumer to whitelist you, right. Which is another way to get around SCA. If the consumer whitelists you as a merchant with their issuer, then there is no SCA. Then you're good to go. I mean, there's some exceptions to that. Of course, based on recurring transactions and whatnot, it gets quite complicated, but both merchant education from the acquirers and consumer education from the merchants is of paramount importance.

30:08

Like that's how, that's the best way for a merchant to take control of their own day. 


 


 


30:12

You mentioned a few times to only apply SCA if you really have to. Do you see a future where SCA can be an advantage?

30:21

Well, I think so. I mean, getting liability shift is very attractive to merchants. Also just the fact that you're sharing more data with the issuer, going back to the final frontier, which is the false declines, 86% of card not present transactions are authorized. Where SCA is beneficial is if the issuers adopt all of that additional data that's coming down, in theory, the authorization rate should improve, right? That is the benefit really. Like, it's not, to me, it's less about fraud prevention and it's more about accepting good customers. I suspect it's going to take a year and a half for that to really sink in. Because again, we'll see a decline in authorization rates. We just will, at the end of the year, it's gonna happen. There's no avoiding it. We'll see how severe it is. Some merchants are in panic mode.

31:07

Other ones think it's going to be okay, no one knows exactly what's going to happen. Over time, authorization rates will stabilize and then end up being higher than they were.

31:16

Yeah. Because you have more data points to figure out if you need, this is the right customer. 


 


 


31:22

Yeah. Again, it requires that the issuers are ready for it and they have the data science acumen to make sense of it. All right.

31:29

Yeah. It's interesting to see if there are in timing, scaling up those capabilities or not. Well they're not, but how long it will take them to. 


 


 


31:37

Really figure it out. Some are, which is refreshing to see. But most of them. 


 


 


31:41

Alright, then be sure to use, we've talked about consumers being forced online because of COVID, but what other developments have you seen due to COVID in the industry in general?

31:54

Well, what's interesting. This is something that one of my friends at GB Group coined, so I'll give him a shout-out here. Matthew Ferno, he calls it generation zoom, which is like this older population that's never bought online before. Right. I mean, that's the thing. It's not like everyone is basically being forced to do e-commerce they haven't done e-commerce before. These people will continue doing e-commerce at some level after the pandemic's over. The increase in volume we're seeing across most of our eCommerce segments will continue at some level, even when COVID is done. Because these people have now experienced the convenience and ease of online shopping and just availability of different products.

32:39

Besides that, I mean, one thing I've been surprised at is just how productive people can be working remotely. Ekata is the type of company where everyone comes into the office, that's just our culture. Now our office in Seattle is still closed. I'm lucky to be here in Amsterdam, where I work from the office two to three days a week. We don't require anyone to come in, but we do like that sense of cohesion. There's going to be a big shift just globally around, okay, well, do I need an expensive office in zone? Maybe not. Do I need an expensive office in New York City? Can I just have my employees be remote in the Midwest, in the U.S., where labor is cheap,

33:21

The huge shift in that as well, that needs location is becoming far less important in hybrid process than it did before. 


 


 


33:27

Yeah, I think a lot of companies will want to return to the office when this is all behind us. Yeah.

33:33

Some way shape or form, but as well, I do feel that working from home will stay an integral part of, working, after COVID just for specific tasks, it just works better if you're asphalt, if you have to the workplace that allows for that to reading meaningful focus mode and not be bothered by colleagues or phones or visitors or whatever. I think that a part of that will stay but need, it will be a more, cohesive mix of working remote and working from office. 


 


 


34:06

It'll be interesting to see how it plays out and I, for one, and I'm sure every listener on here agrees with me on this, hope that we see that sooner rather than later, a return to some semblance of normal. I mean, even here in the Netherlands cases are going back up, which is disheartening, but it is what it is, outside of our control.

34:23

Yeah, exactly. Yeah. We'll have to wait and see how that works out. I'm partly scared, partly positive, but,

34:30

We'll see how it works in general. Like I'm optimistic. 


 


 


34:34

Touching back on those merchants, and I think this also goes for acquirers, which makes it interesting: e-commerce has seen massive growth. Part of the analysis that you have to do is to benchmark your data, to head towards what it should be. What are some of the key data sources that they can use in order to accurately benchmark their performance?

34:57

Can you elaborate on what you mean by benchmark? 


 


 


34:59

Yeah. If, say, I'm new to e-commerce, to the eCommerce landscape, I'm a small Dom shop here in Amsterdam and I'm selling online and I see that my fraud rates are 14%, that the chargeback rates are X, Y, Z. How do I know whether I'm performing up to industry standards, right? Should I be doing better, should I be doing worse?

35:23

Well, the first thing is educating yourself on what industry standards are. I would encourage every merchant in Europe to join the Merchant Risk Council. It is by far the best forum for eCommerce companies to collaborate with their peers. They have a great forum. During COVID they're doing virtual events, and then once COVID is over, they have amazing conferences, two a year in Europe, one typically in London or Paris and another one kind of rotates around, for platinum members. The MRC is a great place to figure out, okay, well, am I on the right track? Am I in the ballpark of what I should be? But then too, if you're a small merchant, you should be working with a fraud platform, if you're not already. Adyen's RevenueProtect, CyberSource and the certify are good options.

36:09

Step science work with somebody that has expertise that you don't have because you're a small merchant. Like, you getting that expertise internally is going to be really challenging, right? CyberSource has a merchant risk analyst program where you can basically pay a retainer to get access to an external fraud manager that can optimize your KPIs. As you get larger, as you go up the scale of merchant size, the large merchants have a lot more control over their KPIs. I mean, look, they'll have in-house teams. I mean, Booking.com here in this building has dozens of fraud professionals that work on various things. You would need to track your KPIs and not just fraud. You also track acceptances, right? And manual reviews, for example, and make sure that you're optimizing all of those. Don't reduce your fraud rate and sacrifice your acceptance rate.

37:02

Going back to false positives, there are ways to track those. Honestly people just don't do it, or they don't know it's possible. One, not every customer will call in to the call center. Sure. When they do call in, definitely note that and feed that data back to your fraud team, to make sure they know that, Hey, this is a false positive. That's the most basic feedback loop that you can get and it's often overlooked. Yeah.

37:25

Or there's just like, it's hard to make that feedback loop, but it's worth it because then you have something, right? Two, if you do have a manual review team, you can task your more senior agents to look at the rejected transactions to try to see, Hey, are there any good customers in here? And three, if you have the appetite for it, which most merchants don't, you can do what's called a control group where you can take a small subset of your rejects and you can just approve those and see what happens and then extrapolate out the results from the control group to have proper labels.

37:58

I think that was a roundabout way of saying, Hey, unless you have proper labels that, it's actually good or bad would, you will know if you're not tracking false positives, then it's really hard for you to optimize your KPIs. If you're too small to come up with all this stuff internally, there are great resources out there, through the MRC or through a fraud platform, where you can leverage someone else's expertise to really come up that curve.

38:20

Yeah. Very interesting. I think a lot of our viewers or listeners want to know that yet, but, thanks for that course. Looking towards the future, we've already talked a bit about when it will be implemented, but as well, there are alternatives on the way. How do you see SCA or identity authentication in five minutes, 


 


 


38:41

10 years? Well, I think then most people will be authenticating entirely on their device, right through mobile applications, 


 


 


38:49

Facial recognition, fingerprint. 


 


 


38:51

I mean, just looking at an iPhone, that satisfies SCA at some level, right. When I pay with Apple Pay, that satisfies SCA entirely, but there's a click of a button, right. Which is amazing, which is why I use Apple Pay here in the Netherlands instead of American cards all the time, because like, I don't have to sign anymore.

39:08

Frustrated when I'm at the cashier's and somebody pulls out a wallet and has to put the card into the machine and tap their PIN, whatever. I use that.

39:18

Yeah. I think that, five to 10 years from now, there will be truly frictionless authentication methods, frictionless a hundred percent of the time. That's what we're building towards. It'll take us a long time to get there. Because even Apple Pay doesn't have the adoption it needs to be used broadly across the entire ecosystem, but it'll get there. I think wallets are probably one of the most promising things. You see a lot happening in blockchain, which I think is interesting. Honestly, I'm not an expert on blockchain, but you see a lot of very interesting identity verification solutions coming out that leverage blockchain technology. I think that will be picked up more in the ecosystem. Yeah, I mean, I think at the end of the day though, no matter what happens with authentication, fraud's not going to go away.

40:06

There's always going to be a way for fraudsters to get around whatever systems. There's always going to be exemptions out there where there's going to be a vector for fraudsters to go to. I think that, if the European Union rolls out PSD2 well and the issuers adopt it and treat it seriously, then we have an opportunity as a region to get the fraudsters to shift somewhere else, right, back to the US or to LatAm where fraud is easier for them to do. Even then there will still be fraudsters in Europe. I mean, that's not going to go away, but I think the industry will shift almost entirely in Europe from fraud prevention to optimizing acceptance. I think they really will, and that's not five years from now. That's a year, two years from now. Yeah.

40:50

Especially once this is implemented, then in need, you can have a better look at, to the optimization of the acceptance rates. Absolutely. Yeah. You also mentioned you expect a shift towards MOTO. Do you expect other parts of industry to experience more fraud rate?

41:06

Well, I think MOTO's an obvious one. I think the one leg in, one leg out exemption where, if I'm using my American credit card in Europe, I'm exempt from SCA. I think you'll see a lot of that. People buying stolen American credit cards on the dark web and using them with European shops because you can actually get through that. Although as an aside, I've seen a lot of 3D Secure being rolled out on American cards too. It's a pretty easy way for Europeans to get rid of that fraud vector, although Americans are much less willing to deal with friction. Right. It's always this balancing act, but I do think that MOTO and the one leg in, one leg out are gonna be the two most abused.

41:49

Yeah. I think I have to agree on that. Yeah. Alright. Yeah. Is there anything we haven't discussed yet that you think we should definitely touch upon?

42:01

I, I, you know, I don't know. I think in general, like my overall recommendation, and this isn't just because I work for Ekata, it's just, data's really powerful. Let us set aside working with us or not, like, we can help if you need that help, but in general, like, embrace the data you have and really understand it and make sure it's clean. Something that one of my data scientists in Budapest told me once that I found really fascinating was that only about 10% of his job is actually making risk models. The other 90% of his job is cleaning data. Literally 90% of his job is just making sure the data that you're putting into your risks, into the system, is clean because if your data's not clean, it's worthless.

42:43

So, everyone listening to this, if you're an acquirer, if you're a merchant, if you're an issuer, invest in a data strategy, right. Understand the data you're getting in and try to get some level of consistency there from what you're gathering it from, treat it properly because GDPR is serious, right? And you need to give the Europeans their rights to erasure and access and whatever. But really understand your data. It's been surprising to me throughout my career at Ekata. Before, when I worked for a small eCommerce company in Seattle, which I forgot to mention, where it's just the data's so bad and yeah, making clean data is kind of a pain, but it's so worth it. Once you get there, you can do really sophisticated things, but until you have good data, it's really,

43:23

Before you can do sophisticated things, you really need to go back to the drawing board and say, okay, from scratch, where did we start? What data do we collect? How do we bundle it? How do we migrate it into one platform?

43:35

Yeah. How long do you store it for, too, is one thing that people frame it, that you use storage, where you store it, how long you store it. Data minimization is a really core principle of GDPR. Don't store data longer than you need to. We store data for two and a half years personally, which we do because we see that there's lift in our models from having data for two holiday seasons, to look at how it compares year over year. Yeah, there's a lot you need to do, but there's a lot of resources out there to figure that out. Yeah, start working on your data now. Because it's a journey. It takes some time. Yeah.

44:08

Of course. Part of data is looking at the historical data. Of course now with COVID, we've seen so many differences that, yeah, is the data in that sense still valuable, or should it become even more valuable?

44:22

Well, we did analysis of our own scores that we built for our customers. We have a confidence score, which is a zero to 500 score of, Hey, is this a good customer on the left at a zero? Or is it a fraudster on the right at a 500? And then there's a bunch of variations in between. We found that during COVID, because of the increased volume, and that increased volume is primarily good customers, right? We see the same thing as on Black Friday, Cyber Monday: you see this massive spike in volume, but the majority of it's good customers. In fact, do fraudsters, all of a sudden on Black Friday, quadruple in size? No, they don't. Your fraud rate actually goes down organically on Black Friday without doing anything, which I find fascinating, but during COVID, it's the same thing.

45:06

We found that our average score has actually decreased by about 30 to 35 points during COVID because the increase in good customers is greatly outweighing the increase in fraudsters. The reason I'm saying that is because my conclusion is that you've got to take the COVID period and set it aside because that's not good data. That's not good historical data to train your models on. When we do data tests with our customers, we do pre-COVID because the COVID times, it's just, it's not a good trend, right? Ideally again, the ever optimist, we're going to get this behind us. The polluted data is polluted data at some level, but it's still data you need to use right now during these times, because if you don't, then you'll be declining customers.

45:46

Again, it's kind of a balancing act, but in general, treat it as polluted data and look at pre-COVID as the truth, if you will, and make a data strategy. Yeah. All right. I think on that note, research subjects and, I think we've had some interesting conversation and Spencer, thanks a lot for your time. Pleasure having you on this podcast. Likewise. Thanks, Diederik. All right.