Heists used to be so much effort — you’d need a gang, machine guns, a getaway car and long, meticulous planning. Nowadays, all you need is a couch, a laptop and some stolen data. When the barrier to entry is so low, it’s no surprise that online fraud is a huge problem. In fact, according to the authoritative annual True Cost of Fraud report from LexisNexis/Javelin Group, fraud losses as a percentage of revenue for retailers grew to 1.32 percent in 2015, nearly doubling from 2014.
To make matters worse, the past year has been a perfect storm for online criminals, which will sharply escalate the rate of e-commerce fraud in the coming years. Hacks of T-Mobile/Experian, Ashley Madison, Chase, Anthem Blue Cross, OPM and many more released huge amounts of sensitive personal data like names, addresses, email addresses, phone numbers and social security numbers onto the dark web.
These PII (personally identifiable information) leaks were compounded by payment data leaks: millions of credit card numbers released in the Target and Home Depot hacks, plus other data raids. Together, fraudsters have more than enough material to paint a full picture of an individual’s financial identity, enabling them to apply for loans, lines of credits and other financial products, as well as order goods online, fraudulently, in someone else’s name.
With all these hacks, it makes sense that financial institutions are bolstering security. The EMV deadline is just that — now that the deadline has passed, brick-and-mortar retailers must have chip-enabled point-of-sale terminals, or be held liable for any fraudulent transactions that happen in their stores. The U.S. EMV liability shift is being hailed as a firewall against fraud; in reality, it’s nothing more than a half-measure taken by credit card companies and banks to protect themselves while leaving retailers holding the bag.
Banks have no incentive to change the status quo for online transactions, as retailers are responsible for any fraud that happens there.
First, most point-of-sale terminals will require chip-and-signature, which is far less secure than chip-and-pin — a security shortcut chosen by the financial industry. And second, EMV will not fix the big growth area in fraud: the Internet. Past switches to EMV in countries like Australia and the U.K. show that fraud will simply migrate online as criminals look to exploit the next weakest target — sending a tidal wave of criminals straight toward unprepared online merchants.
When taken together, the situation for businesses looks bleak. To mitigate losses due to fraud over the long term, merchants and consumers alike need to move en masse to next-generation tokenized payment systems — which, like two-factor authentication to protect passwords, adds an extra barrier to the payment process, keeping sensitive data out of merchants’ fragile systems and safe from hackers.
And these payment systems haven’t been doing too well. Despite big promotion, use of Apple Pay is very low — a recent survey from the Aite Group found that it accounts for just 1 percent of all U.S. retail transactions. That’s still far above Android Pay (the product formerly known as “Google Wallet,” and now on its umpteenth rebranding) and Samsung Pay, which only launched recently.
This begs the question: What will it take to bring Apple Pay (or a similarly secure solution) mainstream, and save online merchants and banks from huge losses due to fraud?
Fix The User Experience
To change consumer behavior, it’s necessary to offer a product that is simpler than the most common option available. While this is something Apple has nailed in the past, they’ve yet to achieve this standard with Apple Pay. The March 2015 study from Phoenix Marketing International found that a whopping two-thirds of consumers who tried to use Apple Pay had issues paying both in-store and online, and only 48 percent decided to use the service again after their first try.
The SDK they’ve offered to developers results in inconsistencies to the user experience when used within third-party apps, leading many consumers to simply give up and stick with the simple practice of entering their card digits instead. The problems are even more severe on computers — Apple Pay is not available in the browser, where the vast majority of online shopping takes place. This means that most e-commerce merchants aren’t benefitting from Apple Pay’s heightened security, leaving them susceptible to losses due to the avalanche of stolen credit card numbers.
These issues wouldn’t be as big of a problem if the incumbent payment methods hadn’t already nailed the simple user experience. Consumers have grown accustomed to the simple card swipe functionality at brick-and-mortar stores and credit card data entry for online purchases. But this process is hopelessly insecure.
Incentivize The Consumer
While wider accessibility and better user experience will certainly improve Apple Pay over time, it will be an uphill battle for the broader industry. Unfortunately, extra security isn’t enough of a selling point for the average consumer because, in most cases, they’re not liable for any fraudulent transactions that happen using their card or identity.
The reality is that consumers do not have a financial incentive to change behavior from the way things have always been done. Further, the banks have no incentive to change the status quo for online transactions as retailers are responsible for any fraud that happens there.
Apple Pay is an incredibly secure system that has serious potential to reduce online fraud — but that won’t matter if no one is using it.
To drive adoption in the near-term, merchants need to incentivize consumers to use more secure payment systems. In addition, Apple should invest in strategies that mimic the popular options available with major credit cards. Options like cash back or rewards points will push consumers to use Apple Pay regularly, which will help drive adoption in the long run.
But this too has a problem. Apple’s margin on an Apple Pay transaction is reportedly 0.15 percent. Even if it rebated all that to consumers, it’s hardly a powerful incentive to switch.
These incentives don’t necessarily need to come from Apple alone. Merchants could offer discounts and rewards to customers who choose to pay with Apple Pay, rewarding them for using a more secure payment system. And Apple will apparently support this in the future. While it may marginally cut into their revenue in the short-term, they’ll see an impact on the bottom line due to lower fraud (and fewer chargebacks from banks).
Getting consumers to adopt secure payment solutions should be a priority for every online merchant in today’s fraud-heavy market. Apple Pay is an incredibly secure system that has serious potential to reduce online fraud — but that won’t matter if no one is using it. To stop the coming surge of fraud, it’s time for all parties to double-down on making secure payment systems work for the consumer.