Many discussions of security standards emphasize how Chip + PIN and Two Factor Authentication reduce fraud loss and exhort countries using Magstripe / Chip + Signature and Single Factor Authentication (e.g. USA) to immediately migrate to the newer technologies. Take for instance Campaign pushes for US adoption of chip and PIN on Finextra.
They’re totally missing that mitigating fraud does not pay the bills. For it’s only when a transaction goes through that a merchant makes revenues. And not when some security algorithm blocks a transaction as potentially fraudulent.
I’m not for a moment suggesting that merchants throw caution to the winds but imploring them to remember that an obsession with fraud control could hit sales and cause customer dissatisfaction.
This is because virtually every security measure designed to prevent fraud causes collateral damage by way of friction viz. need to remember the PIN in the case of an offline Chip + PIN transaction. Security pundits have been claiming for years that there are ways to implement security without compromising on convenience but there are far too few implementations of such technologies in the mainstream market for merchants to take these claims too seriously as of now.
The amount of incremental friction caused by a security measure needs to be seen in the context of many factors specific to local culture and business practices viz.:
If consumers have only one card, remembering just one PIN is not a big deal. However, if they regularly use multiple cards, the need to remember multiple PINs poses a lot of friction. (Most probably, people belonging to the latter category would write down all their PINs on a piece of paper and keep it inside their wallets, which would defeat the basic purpose of security.)
Recourse Against Fraud
In some countries (e.g. USA), when a cardholder spots a fraudulent charge on their credit card statement, they can report it to their bank and have it reversed, pending chargeback investigation carried out by the bank behind the scenes. So, compared to their ease of seeking recourse against fraud, any friction during the payment would seem severe. On the other hand, a cardholder caught in a similar situation in some other countries (e.g. India) gets shunted between the issuer, acquirer and the merchant, so they might be willing to tolerate additional friction at the point of payment.
The impact of friction is two fold:
- Customer abandons the transaction and the business suffers a loss of revenue, or
- Customer completes the transaction with an alternative method of payment viz. cash. Let’s assume that there’s no net impact on the merchant in this case since the incremental cost of cash handling could be offset against the savings on credit card processing fees.
So, while steps taken to mitigate fraud could result in lower fraud loss, they could stunt revenues.
Therefore, any discussion about payment security is complete only when it addresses both:
(A) Fraud loss as % of Sales
(B) Revenue loss.
In the migration from magstripe / Chip + Signature to Chip + PIN for offline payments, it’s too early to predict which of these two losses will prove more critical. But, in the related case of online card payments, it appears that concerns about revenue loss owing to friction have far overshadowed those over fraud loss, given how leading merchants like Amazon have still not implemented 2FA (VbV / MSC / OTP) despite FFIEC having issued its 2FA guidelines way back in 2005.
I’m not alone in advocating a balanced approach towards payment security. “The challenge is friction from a checkout point of view. If merchants are looking for security perfection, then they are going to be turning away good sales.”, says George Peabody, a partner at Glenbrook Partners here. “When you are doing checkout out of a merchant’s shopping cart ? particularly on a mobile device ? it is really important to be as friction-free as possible.”, he adds.
End of the day, it all boils down to how a business wishes to treat the risk of fraud loss – or any other risk for that matter. If they follow the advice of Sam Zell, the famous American real estate magnate and private equity investor, they’d analyze the risk unemotionally and take it if they get commensurate returns. Not because the technology is new or old.