Strong Customer Authentication
Webinar: Fighting Fraud in Challenging Times
Hello and welcome to the JPMorgan webcast. Before we begin, a few brief announcements. This webcast is being recorded and will be available on demand for one year. Today's event will include interactive polling questions, which are optional for participants. For an enhanced view of the presentation, click the Enlarge Slides button located in the gray bar above the slide window.
We will consolidate questions received in advance or submitted in the question box and address as many of these as possible during the Q&A at the end of the session. I will now hand over to the webcast host, Aimee McLaughlin of JPMorgan.
Good afternoon, everybody. Welcome to our "SCA-- Fighting Fraud In Challenging Times" webinar. My name is Aimee McLaughlin from the JPMorgan Payment Network Office. I will serve as your host and moderator today. We have some great speakers who will be covering various aspects of fraud and fraud management.
Our first speaker is Colm O'Monachain from JPMorgan. Colm is responsible for chargeback fraud strategy and mitigation for JPMorgan. Colm is also heavily involved in our PSD2 implementation project team and is a subject matter expert on strong customer authentication. Colm will discuss the current state of [INAUDIBLE] with the PSD2 regulations and the timelines and potential extensions being discussed in the industry.
We will then be joined by Una Dillon, the Managing Director of the Merchant Risk Council in Europe. Una is also currently the chair of the European Payments Council Card Fraud Prevention Forum. Una will provide an insight into fraud that is currently being seen in the industry, methods of detection, and the challenges merchants are currently facing due to the ongoing COVID-19 crisis.
Finally, we will be joined by Richard Trim from Visa, who is an internationally experienced risk management and compliance professional specializing in client-focused risk assessment and consultancy. Richard will provide insight from Visa as to the best practices for reducing fraud, highlighting some of the specific challenges for e-commerce businesses.
We hope to make this an interactive session. So before we head over to our first speaker Colm O'Monachain, we would like to get your thoughts on two key questions in the form of two polling questions. The first question we have here, please select one answer. The current EBA deadline for SCA is December 2020. If this does not change, will your business be ready? The first answer, we are not ready for a December deadline; the second answer, we will be ready, but only just-- it will be a tight squeeze; and our third answer, our implementation is already complete, and we will be SCA-ready when needed.
So just to repeat that question again, the current EBA deadline for SCA is December 2020. If this does not change, will your business be ready? A, we are not ready for a December deadline; B, we will be ready but only just-- it'll be a tight squeeze; or C, our implementation is already complete, and we will be SCA-ready when needed.
Our second question-- have you taken steps to reduce your fraud rate in advance of SCA? Yes or no. And just to repeat that question, have you taken steps to reduce your fraud rate in advance of SCA? Yes or no.
Thank you so much for your participation. We will share the results at the end of today's webinar. Now, without further ado, I will hand over to our first speaker Colm O'Monachain from JPMorgan.
--very much, Aimee. And thanks, everybody, for coming and joining our webinar. I hope everyone's keeping safe and well. As Aimee mentioned, [INAUDIBLE] take everyone through a brief recap of what the PSD2 is; why fraud is so important to PSD2; give an overview of the regulatory landscape that we're seeing at the moment; and also, what merchants need to do to get ready for PSD2. So to begin, the first is a quick overview of what PSD2 is and in terms of the importance of fraud within PSD2.
So [INAUDIBLE] the [INAUDIBLE] was implemented was initially to reduce e-commerce fraud. And with that, that gave merchants a challenge to reduce or manage fraud but at the same time not negatively impacting the customer experience. So to do that, then, the European Banking Association offered multiple exemptions to PSD2 and SCA, one of which is the transaction risk analysis exemption, which essentially benefits those who have no fraud. Other exemptions you might see there is a recurring exemption, low value exemption, and also trusts and beneficiaries.
And as you can see there, then, two-factor authentication, it's something that you have, something to know or [INAUDIBLE]. So for merchants to facilitate and comply with those regulations, 3DS 2.2 is the industry solution that we're working towards in order to have SCA compliance. So that's really just a brief recap of why PSD2 is here, what the importance of fraud is to PSD2. And ultimately, we're going to focus on TRA exemption, because fraud is such a key part of the SCA.
So when we look at the transaction risk analysis exemption, it's essentially based off the either fraud rate of the acquirer or the issuer. So for any merchants on the call, you know, the merchant's acquirer reference fraud rate is the key rate we need to understand in terms of how you can avail this particular exemption [INAUDIBLE] to get this exemption. At a portfolio level, every single merchant's fraud rates pulled together to essentially get a TRA rate for the acquirer.
And as you can see there on the right-hand side of the screen, the better the acquirer's fraud rate is, the better and higher value you can avail the exemption for TRA. So with that in mind, the key that merchants are working towards the fraud rate as it stands today with a view to getting it down towards acceptable levels by December 2020 for the rest of the European Union.
We'll also touch slightly here on friendly fraud, which Una will discuss further within the deck. But essentially, friendly fraud has been advised by the EBA as being out of scope for the TRA calculations for SCA. However, at the moment there is no systemic way to remove any fraud from the TRA calculations and how people can probably identify friendly fraud. So with that in mind, we're advising merchants to understand what types of friendly fraud they're seeing and try and stop that friendly fraud source, something that Richard and Una will discuss further on within the slides.
So I suppose the key part of my particular brief is to discuss the regulatory landscape and what we're seeing at the moment across Europe in terms of SCA readiness, what the various regulators are saying in terms of what issuers, acquirers, or merchants can do in terms of SCA, and, I suppose, what are the next steps. So to begin with, we'll focus on the SCA's statement around COVID-19 and SCA.
So the SCA have come out for the UK market and have given another six-month extension to the SCA migration date. So that means the new migration date is, of course, now October 2021, which was previously March 2021. So this differs, obviously, from the current [INAUDIBLE] rate [INAUDIBLE] for 2020.
So with that in mind, UK Finance has been tasked by the SCA to try and look at a new road map for SCA implementation within the UK domestic market. And they're looking at a ramp-up plan from March 2021 all the way out to October 2021 for the new migration date for SCA.
So with that in mind, JPMorgan, we're a member of the UK Finance Business Working Group, and we're working hard on a new migration path and a new ramp-up plan for the UK market, which essentially will begin in March 2021 with a full rollout to SCA migration by October 2021. So from a merchant perspective, while you may be selling-- and you feel that you may have until October 2021 to be SCA-ready and to avail exemptions, there is a plan to have a ramp-up from March 2021 out to October 2021.
So if you're looking at your 3D Secure solutions to have in place for the UK, it's best to aim for a March 2021 date, with a view to a full [INAUDIBLE] by October 2021. But here we come to the divergence between the UK and the rest of the European [INAUDIBLE].
So as it stands at the moment, the EEA migration date is still December 2020 and as it stands, the EBA have stated that they have no plans to change that particular migration date at all, and that any particular change to SCA migration date will have to be done through legislative change by the European Commission. So with that in mind, that obviously has far greater implications to rest of merchants who deal in e-commerce, because e-commerce is a global cross-border business. So while you may have the UK rolling it out to October 2020, merchants, acquirers, and issuers alike are working towards the earliest implementation date of December 2020.
So from a JPMorgan perspective, we're working very hard with our merchants to get them ready for the migration date of December 2020. And with that-- that includes getting the 3DS confirmed, 3DS ready, working very hard with our merchants in terms of helping to reduce their overall fraud rates so they can avail the TRA exemption and other exemptions by December 2020. So we continue to monitor the regulatory landscape in terms of how we can see any further divergence.
The EBA, as we stated, has come out explicitly and said they're not in favor of an extension. That then leads us to work towards the December 2020 time frame for the SCA implementation. Where that is difficult for merchants, particularly in the current environment, is that resources are stretched. You know, restrictions have a heavy resource pressure on various merchants to get the development resources in place, and also to work on the fraud solutions.
So work with your acquirers and any other partners you have to try and understand what the effort involved to getting your fraud solutions in place, what are the tweaks you can make now to try and reduce your fraud before December 2020 and to better that TRA ratio, and work and reach out with your acquirer to understand what they need to do to help you essentially become SCA-ready.
So with that in mind, and I'll pass over to Una in the MRC who can give a greater understanding of what we're seeing in the fraud environment at the moment.
So thank you, Colm. Before we introduce our next speaker, we'd just like to go through a few more polling questions for the audience here. So our first question here is, have you approached your acquirer about their fraud rate? Yes or no. And just to repeat that, have you approached your acquirer about their fraud rate? Yes or no.
And then onto our last polling question-- how will you manage transactions from outside of the EEA? A, multifactor authentication will be applicable to all our customers, regardless of geography; B, we will differentiate between customers' locations and only require SCA for EEA customers; or C, we haven't yet considered it. Just to repeat that question again-- how will you manage transactions from outside of the EEA? A, multifactor authentication will be applicable to all our customers, regardless of geography; B, we will differentiate between customers' locations and only require SCA for EEA customers; or C, we haven't yet considered it.
Thank you so much for your participation in those polling questions. As I mentioned previously, we will go through the answers at the end of the webinar today. So on that note, I will pass on to our next speaker, which is Una Dillon from the Merchant Risk Council. Thanks, Una.
Thanks. Thank you, Aimee and [INAUDIBLE] Colm. Hi, there. It's lovely to speak with you today. And thank you to JPMorgan for inviting me to join you. You can understand with all of the acronyms being used, all of these deadlines changing that things can be confusing. So Colm asked me to talk to you a little bit about the MRC and the resource that we can provide to you.
So the MRC is a membership organization. We were set up originally for merchants or for e-commerce merchants. And JPMorgan is actually an elite member of the MRC and is represented on our global board of directors. So delighted to have them there and to be here.
And so within the MRC, we have various communities, the retailer communities in particular. And within the retailer communities, we have other players within the payment cycle. So you have issuers, acquirers, processors, solution providers, law enforcement, and so on.
Within those communities, we have those split up into different sectors. So if you're in gaming, or if you're in travel, or whatever sector you might be, we have a specific community for you. And people go onto those communities and talk about things like SCA and PSD2, and GDPR, and, you know, things like chargebacks. And people will ask questions every day. You know, it's open 24/7/365 where you can ask questions and people will answer those questions.
And it could be something as simple as, what's a chargeback? Or, what does GDPR mean for my company or my organization? And I think we're all well and truly versed in GDPR, so SCA is obviously that the latest piece of interest.
So within the MRC community, we have various things that you can access. So as a member, we have almost like a phone book where you can access people in other organizations, similar organizations. So if you want to talk to the head of Gold or [INAUDIBLE] another similar organization or retailer, really in most cases within the world-- certainly around the US and Europe-- you can contact them through that portal.
We obviously have our conferences in the normal world when things are working out OK. And then we have things like Women on Payments and Fraud Program, where we help women and their careers and progression. And we have a mentor program where we push together people who want to learn more about the business or about career progression with people who are, you know, quite senior in the industry.
So it's quite a lot of areas where you can connect with us. We have Wednesday Webinar every week where we talk about all sorts of topics. And really, anyone can join. You don't need to be a member to do some of these things.
And then we have things like that the issuer-merchants community, where we get issuers and merchants together in a room to talk about things like false claims, first-party fraud, chargebacks, you know, that sort of thing. And really, the aim for us-- we're a non-profit organization-- is to get you together, to get people within the payments community together, to talk about the industry, to make it a better place, really, without meaning to [INAUDIBLE]
So our members are predominately in the US. The company was set up to 20 years ago in the US. So 2/3 of-- just over 2/3 of our organizations are based in the US. I say they're based in the US. We might have a company like Uber, for example, that has their membership in the US, but obviously there were a lot of people around Europe, and we engage with them as well.
So over a third of our customers are based in Europe. And we engage them on a daily basis, again, through our communities. And again, when we're all allowed to move and travel, we have Connect events, what we call Connect events, where people gather in a European city. Actually, the last one we had was in Amsterdam at the end of February, the 1st-- just before the March [INAUDIBLE] before the craziness happened.
We have around 570 companies in the organization at the moment. And that includes 85% of the top e-commerce merchants. So a lot of people listening today will probably be members already. And so within the membership, as I said, we aim to have everyone within the payment sector as part of the discussion. So it makes sense, not necessarily just to have merchants speaking, but to have other organizations that are part of the payments process. So solution providers are there.
And we have law enforcement agencies involved. So law enforcement agencies includes the likes of Europol, for example. We have an MOU with Europol, where we do a lot of work getting the private sector of merchants like yourselves involved with local law enforcement agencies that know about e-commerce fraud, know about the kinds of issues that you're facing. And we aim to help them through training exercises and workshops to look at case studies. There's quite a lot going on there, and we have a law enforcement community for that.
Ancillary services would be the likes of consultancy firms, so the likes of [INAUDIBLE]. We have several of those. And then the card issuers. So the issuers are very much increasing in numbers at the moment, especially around that issuer merchants community.
And so the top business [INAUDIBLE] we have at the moment would be companies selling digital goods, so like the gaming companies and so on. Travel and tourism were obviously all suffering at the moment in the current climate, although we are seeing a turnaround already, looking into it a little bit more [INAUDIBLE].
So we have all of these merchants available and solution providers who are really there as a resource for members, and in some cases for nonmembers as well. So if you're looking for a particular topic like SCA, there's just a huge amount of information within our resource.
And then in terms of the kind of members that we have, this is just a sample of the MRC members, including JPMorgan obviously. You see several very well-known brands there. So when we say we have a member like Netflix-- for example, Netflix is a member, but we may have hundreds of subscribers from Netflix. So we have one particular large merchant, [INAUDIBLE] marketplace merchant, and we have something like 2,000 subscribers from that merchant.
So if you are a member of the MRC, everyone within your organization has access to our resource, which is just hugely important, I think. We run a survey every year, a fraud survey, just to look at the issues that people are facing. And it really enables merchants to benchmark against that survey. And I'll go into some of the details next in relation to the results from that survey.
So one of the first things that we found when we ran the survey-- and again, this was amongst our merchants members e-commerce only. And so all of our members are e-commerce. So what we found-- what we asked them was, what is your biggest fraud issue at the moment?
These are the main types that came back. These are ranked number one, number two, and number three. So if you can see the percentages there, the highest there was clean fraud. This might be a new phrase to some of you. Clean fraud is described as e-commerce fraud but where it appears as if the persons who carried out the transaction had all of the information they needed.
So they might have had a CDB number. They may have fudged, you know, the 3D Secure. They had the correct address. So they seemed to have quite a lot of information that could show that they were the bona fide customer, but it turns out that they weren't. So it's-- certainly, we're seeing-- merchants are seeing that in greater numbers, where transactions are going through but turn out to be fraud but where they have pushed a lot of tools in place to make sure the transaction was valid and it wasn't. So that's called clean fraud.
Again, you'll be familiar with phishing. Phishing fraud is obviously where you can get your emails, you know, people phishing for information. You know, they're hoping that you click on an email and give away your information. You'd be surprised how many people still do that. And unfortunately, merchants are still seeing fraud as a result of that.
Pharming is similar to phishing, but where criminals will set up a fake website. So they'll send you a link in an email to a website that looks as if it is a valid merchant website, but it's actually a fake, a copy of the genuine website. And then they'll dupe you into purchasing goods and so on.
Whaling is similar to phishing, but it's where the criminals will target usually the head of the company-- the CEO, the managing director-- and so they send a phishing email right to the top. And usually, that would be looking for their details or account details, or looking for credit transfers and so on. So merchants are seeing that still as a major issue.
Money laundering, not necessarily related to payment fraud as such. Money laundering is still a big issue where merchants are seeing people, you know, criminals logging money through their organizations. Account takeover you're familiar with. Again, 11%, it's still quite high. This is where you might have a regular customer but someone actually-- they might not even be your regular customer. You just have a genuine cardholder whose account details are taken over by a criminal, and they're used to carry out transactions and then subsequently charged back.
Identity theft is similar to account takeover, but where the criminals will actually take over the identity of an individual. So, you know, in the old days, they used to do bin raiding, where they would go through bins, pull out credit cards, invoices, or receipts, or utility bills so they could actually set up an account, set up a bank account with valid information but with their false information. And that's where someone would usually take over the identity of an individual.
Unfortunately, we still see that is an issue. I know certainly in the UK and Ireland, we saw an issue where criminals were targeting-- it's awful, really, but they're targeting graveyards. And usually, in the UK and Ireland certainly, births and deaths are not necessarily recorded together. So you would have criminals seeking out, you know, small children, maybe, who've passed away, and they'll actually create an identity for them.
So someone who would be over 18 now, and they would, basically, set up an account, get card details in some cases. They would even get loans and mortgages. And when they get a card detail, they'll spend away on the card for 30 days, and then the genuine individual, their family usually receives a credit card bill after 30 days. And that's when the merchant sees the bullet coming through.
Coupon/discount/refund abuse, again, on the increase. And then triangulation schemes are something we see increasingly. So triangulation scheme is where someone will-- a criminal will see an image on a website, like [INAUDIBLE] for example or Etsy. They'll take a copy of the picture and the details, and they'll put that item on another website like eBay for example. And they will pretend to be selling that item.
And so they'll get someone to buy the item from [INAUDIBLE] to pay them for the item. They will then use a stolen credit card to actually buy the item from a genuine seller, and they'll send the item on to the individual. So it's usually a good period of time before the genuine seller realizes that they've received a stolen card detail. So this is a triangulation scheme. And more merchants are seeing that increase.
And so there's a lot going on. You know, we see these trends changing all the time, and it's good to know what you have going on in your organization compared to everybody else. So then, obviously, to stop these fraud. And obviously, as customers of JPMorgan you'll see a lot of these tools that are available to you.
This was just-- you know, we asked the question, what fraud tools are you using? And really, the majority of people are using multiple tools. It's really the only answer for a lot of these frauds. And SCA, again, [INAUDIBLE] talked about multifactor authentication, making sure that you are authenticating the consumer. So there's quite a lot going on here.
So we asked the question, what do you have now, and what are you planning on using or implementing in the next 12 months? And you'll see people are still using CVN-- that's the three digits on the back of the card. They're still using internal negative lists, customer history. So you'll see lower down on this chart, you have proprietary data for customer history. So looking at using machine learning in particular and AI just to examine genuine customer activity versus unusual activity that might come up.
And so there are lots of tools that can be used. And certainly, most of the merchants that we have on board will use all of these tools. And again, it's one of the resources within the MRC around asking other merchants what tools are you using? Are they any good? Are you seeing a reduction in fraud? You know, does this tool help me to be SCA-compliant, for example?
And so there's-- you know, there's quite a lot going there. So I'd recommend you have a look through all of those and see what might be relevant to you. So then, in terms of frauds, actually, in organizations and how people are managing fraud-- it's interesting, because we've asked this across the board, and what we found was that 72% of merchants don't actually outsource fraud at all. You have people who-- they look at your [INAUDIBLE] in the customer services section or the finance section or-- you know, there are various different areas.
We obviously encourage merchants, especially if you're a large merchant, to have a bespoke fraud area, fraud risk area. And one of the key things with fraud department is also just to engage all of the other departments in the organization. I know when I was in banking, the fraud department was sort of in a dark room in the basement with no windows. Fraud people tended to be, you know, kept very much away from the sales people or the operations people.
But things have changed so much now. And fraud is very much around data and criminals looking for data. So it's just hugely important. And one of those things that keeps coming up in our surveys and member feedback is just the need to engage the fraud department or the risk department with all of the other areas from the top down, really, to make sure that they know what's going on, that the fraud department knows what's going on, and just to make sure that everyone is on the same page.
So of the people we asked, 18% of merchants said they outsourced manual review and fraud tool usage. And 14% outsourced their fraud analysis. And 11% outsourced the chargeback investigation.
I would suggest that it's just hugely important to be aware of chargeback and what chargebacks are. And again, JPMorgan will talk to you about that, and about the process, and about how they can help you with any chargeback that you receive. I have spoken to merchants in the past, where I was aware of their fraud levels, when I spoke to them about the fraud levels, it turns out they weren't necessarily aware, because they had been outsourcing their chargeback system. Their third-party provider was actually accepting all of the chargebacks that were coming into this company.
And it turns out that something like 80% of those chargebacks could have been represented. So they could have saved quite a lot of money there, just by knowing within the organization what a chargeback was and how to process it. So look at these things. Look at what is being outsourced and what you can bring in-house and what can save you money in the long run. So it's interesting that 72%, as I said, of people don't outsource fraud at all and do keep it in-house.
So [INAUDIBLE] those surveys then we talked to them about first-party fraud, also known as friendly fraud. [INAUDIBLE] couple of the guys from Visa and Master got together. And they were both ex-army, so they talked to those first-party fraud being friendly fraud, which is what you might hear called that from time to time. But nearly a quarter of total fraud lawsuits are considered to be friendly fraud or first-party fraud.
And we asked merchants, how do they identify if something is friendly fraud? Because it can be difficult to identify, especially if a consumer is adamant they didn't carry out the fraud. So what they said was 57% of merchants looked at prior purchase history. So again, if the customer has purchased-- if they're consistently using a particular merchant, and they've never had an issue with them before, and suddenly they decided that they didn't like a particular transaction, but it's typical for them to be using that merchant, they can identify it that way.
Shipping and delivery information. Again, if a cardholder's address has been verified in the past, and obviously, the card issuer room will have their valid address, they'll check against that. So if the customer, again, consumer is saying that they didn't receive an item, for example, but the merchants provide proof that they did actually receive an answer and to their genuine address, it's likely friendly fraud.
Discussing it with the banks, again, card issuers, through the likes of your acquirer. JPMorgan, just talking to them, they'll have information on the details on the account they can share with you. 6% didn't really know what they just, I guess, felt that it was friendly fraud. And then 27% didn't track at all.
Probably worth noting that as part of the issuer merchants initiative or task force that we have running in the MRC at the moment, our aim is to remove friendly fraud from [INAUDIBLE] fraud counts altogether and to look at solutions for friendly fraud and work together with some of the-- quite a few of the big brand merchants are working with us so on that at the moment just to determine what works and what doesn't. And then our aim is just to spread the word and let everybody know what is working to stop friendly fraud altogether.
Where it can't be stopped, we're looking to redefine it as a dispute, first-party misuse. So keep an eye on that. You can subscribe, actually, to the MRC website. You don't need to be a member. And you can keep abreast of all of that kind of information.
So then we asked, what challenges do you face in your organization? So the top two challenges merchants face, internal resource constraints and fraud tool gaps were kind of the top two, really, that came up. And so one of the things that just keep coming up for us is just the lack of sufficient internal resources.
So I think in the current climate, especially, everyone's just desperate for new fraud [INAUDIBLE] risk staff. We see it all over LinkedIn and all over HR companies people looking for fraud and risk staff. Most of them go to school or college to learn about these things. We learn about it on the job. So it's really a learn-on-the-job kind of a topic.
And this is just consistent across the board. A lot of people are finding it difficult. So again, you know, not trying to sell our wares, but we do have a rapid edge here, where we train people on payments fraud and chargebacks. It's a training session you can do online. And again, you don't have to be an MRC member to be able to do that. So if you have new people coming into the organization, and you want them to learn about the fraud issues that are there currently, it's a resource that's there for you.
And gaps in fraud tool functionality is another big issue for a lot of merchants. And what they're finding is the tools I listed earlier on, they may not have all of those in place. There could be cost constraints. You know, they're looking at the benefits of using these tools versus the cost of fraud. And they knew what's out there, but they realize that they don't have all of the fraud tools available.
Identifying and responding to emerging fraud. We know in the industry that every time you come up with a solution to a particular fraud, there's a criminal gang out there coming up with something new to get money from unsuspecting consumers and merchants. So identifying those, the criminals can work very quickly. Unfortunately, the industry can't. And it can take a while to put solutions into place. And so it's keeping up with that emerging growth trend, can be a challenge.
[COUGHS]
Excuse me. International expansion. Again, we have merchants who might want to-- they might be based in UK or in the west of Europe, and they want to expand into Asia or LatAm. And just, you know, not knowing what's going on in those countries. And again, that's something we have available within our resources of finding out what the challenges and barriers are in other sectors and other markets, and knowing what to put into place.
But sometimes, again, it goes back to the importance of having your fraud department talk to your operations, and your sales, and your planning departments around, you know, what they want to do. Because if you have, you know, the business and operations side of the company want to expand rapidly into another market, but your fraud department hasn't been made aware of this and so they haven't been able to push solutions into place in advance, that can become a challenge.
A lack of internal expertise. Again, you'll have people, maybe, from customer services, or the finance department who are basically thrown into the fraud department without any expertise. So it's just hugely important to train staff, or it continues to be an issue.
And then updating fraud/risk models. And so again, that goes back to the lack of understanding and expertise around what models you need to put into place. We actually produced a white paper last year which is available on our website. It's around setting up a relevant fraud department and how to sort of start and finish that, what to look at, what kind of people you need in that department, and what they need to be looking at. And again, another useful resource.
And then, you know, we were talking about SCA, and we were talking about the current climate. What we're seeing in terms of increased risk during the pandemic-- we're seeing reduced capacity across the board. Obviously, there are a lot of industries where people are working from home. You know, a lot of us are working from home at the moment, and people don't have 100% access to the systems and tools that they would normally use. They're not in their office, they're not able to talk to each other.
So we're seeing things like industry like home entertainment delivery services, gaming, and so on, they have basically a flood of new customers. So you're seeing some areas that are really, really busy trying to cope with this new flood of customers. And again, the fraudsters are going to take advantage of that. They know that-- while it looks like a good problem for the merchants, the fraudsters are going to take advantage of the fact they have increased numbers. And they're going to slip in there and really take advantage of the fact that people don't have full access to their tools and so on.
Friendly fraud, we've already discussed. Again, with people staying at home, we'll have a lot of people, especially around things like gaming or gambling, or people just shopping online because there's nothing else to do. And you've got that sort of guilt. This also comes in with people when items arrive, and rather than sending them back and getting a refund, we are seeing that people are looking at disputing those transactions. And we've certainly seen an increase in that.
Account takeover, again, we talked about. Again, it applies to new accounts and dormant accounts. Again, you know, fraudsters are going to take advantage of the fact that people are using-- or have an increased number of customers and they go to slip in with account takeover fraud.
Increased chargeback volumes again. I mean, I have my own case where I had a ticket for an event that's due to happen on this Friday. I just got an email from the ticket provider expecting-- I was expecting it, of course, but it finally came yesterday that the event is going to be rescheduled. But they haven't given a date, so, you know, I might be in for a refund. You know, their email basically says, don't contact us for a refund, because we're too busy.
So as a consumer, as a cardholder, I could go and charge that back for services not rendered, for example. But I know that that merchant is dealing with a lot of refunds. And I would like to get a refund at the end of the day, but a lot of consumers just want their money back right now, especially if it's something like a holiday, and they spent an awful lot of money. So we're going to see an increase in chargebacks. So while people are trying to process refunds and also processing increased chargebacks, they're trying to manage all of that at the same time. So it's a big issue.
And then, notably, higher decline rates. This is the last thing there. So again, you know, the industry overall is seeing less traffic, fewer transactions. You know, obviously the travel industry has been hit a lot, and the ticketing industry has been hit a lot.
But the criminals are still out there. They're still trying to raise funds for more serious crimes. So they're going to-- you know, they're going to keep trying. And so while transaction volume might be down for most merchants, don't expect the frauds to go down.
So these are things to look out for. And then just my last point-- which, again, our next speaker can talk a little bit more on. But just some temporary changes that Visa and MasterCard have put into place to help merchants that are out there. So they reduced the need for monitoring and reporting and so on.
But just to be aware of what the scheme is doing. And again, JPMorgan can provide you with information on any waivers that are happening over the next few months that might help you. So that's me. If there are any questions, we can talk later on.
Brilliant. Thank you so much, Una. That was really great. So just before we move on to our final speaker, I just wanted to encourage our attendees to keep sending in your questions. We're hoping to have some time for a Q&A at the end. So please continue to send in those questions via the Q&A section of the webinar.
So without further ado, I will pass it on to our final speaker, which is Richard Trim from Visa.
Thank you, Aimee. And good afternoon, everyone. And welcome to my kitchen. That kind of summed things up, really. We're all in very unusual times at the moment. And we've seen a rapid shift from the traditional environment to extensive home working, communicating with our friends and colleagues on a mobile basis, but particularly shopping from home, shopping from mobile devices, et cetera.
And that's really kind of driving where the market is going. So it's probably going to give it a good push in that direction as we go forward. So first slide I've brought up here really is just introductions, kind of sitting at home, again in my kitchen, working through what I perceived as the benefits and some of the challenges as well of operating in the e-commerce world.
And, you know, some of these will be up for discussion, I'm sure. But from Visa's perspective, we obviously-- and particularly my function's responsibility, Visa Risk Services-- we're really keen to be there and working with our clients, our acquirers, and also through then to our merchants on the risk and security and trying to promote the awareness around that. And that's why we're so pleased at what JPMorgan are doing today and more than grateful to want to participate and share some information with you.
Thank you, Aimee. Next couple of slides, really, I've pulled together, again just to kind of give some of the headline issues that we see from a risk perspective. And certainly for those of you organizations that are new, either into business or into accepting cards online and cards not present, it really is a journey. And one of the key things we see is that from the get-go, we really want to make sure that, when we're setting up our businesses, our payments online, that we take into consideration all the risks that are there up front. So that's working on understanding the key rules, the requirements, whether that's regulation, but also around the various different scheme rules as well. And I'm sure that your acquirers can and should be assisting you with those.
We've also got various different security mechanisms in the system to ensure that you keep data safe and get the authorizations through to the transactions. You obviously want to make sure that you're aware of those, how they work, and what they're specifically used for. But also, from your own kind of fraud and risk teams, the responsibility that can be part of [INAUDIBLE] team, it could be an individual person, with your organization, that has that responsibility, making sure that they're aware of the risks of what [INAUDIBLE] can be used for, how it's used, and how it can affect your organizations, and leading on from that ensuring, that that information is shared as part of a training program with your operational staff.
But having the right acquirer or payment service provider goes a long way to achieving this. So if you're starting your journey, then having a process where you're going through and you're considering everything about the acquirer, the experience, the systems that they have, services that they can provide, training-- particularly important [INAUDIBLE] a new merchant level-- but also around aspects of what security they have, what they can do around your hosted payments pages. But quite a key one as well, ensuring that you're made aware of the merchant-related updates that come from the rule changes from the various schemes.
You've moved on, set your business up. You now have your mobile content. You have your website available. There are certain key things you need to understand here. And it's so much better to work on these from the start rather than try to retrofit them through.
Now, one of the key things I find is that, say for smaller merchants, it is so much better to work with a payments page that is hosted for you by your acquirer or a third party that is PCI DSS compliant and duly registered by your acquirer. There are other key things, as well, you need to make sure that you've got built into your website-- so ensuring that there is a data security policy there that is clear for your consumers to be able to obtain and review; all the various details around your products, ensuring that they are clearly described, clearly priced, and accurately represented; fulfillment details and time frames are available; likewise with the shipping policy, they're very easy to understand.
And also then, when things go wrong-- and they do go wrong from time to time-- is ensuring that the returns policy is there and it's clear, not just for your customer, but also for your internal staff as well, making sure that the customer support element of how they can be contacted by your consumers [INAUDIBLE] incredibly clear as well, whether that be via email, live chat, telephone numbers, but making sure they're accessible within your website.
And one area that does drive some problems further down the line when it comes to disputes, sometimes, whether it be billing details, the merchant description or the payers and the cardholders [INAUDIBLE] statement is not necessarily clear and doesn't really explain what the business is. And it's a way of at least helping to ensure that you can reduce the potential impacts of that.
I know that the merchants are obviously making excessive-- extensive use, sorry, of web browsers, they find they're a great way of knowing your consumer when they're returning, and being able to share information with them. But they are a potential risk. And really, as part of that deal process, ensure that there's no secure information like passwords or any other details that could identify your customer externally going into those cookies.
When the consumer has made their commitment, and they're looking to purchase a gift from your site, it's very clear [INAUDIBLE] data entries is very clear. And what that does is it brings a benefit for you in terms of being able to process the transaction, but also making sure that the relevant [INAUDIBLE] take from that information goes forward into the various different risk systems that you may have that enable you to then evaluate whether a transaction is high risk or not. We'll come into those a little bit later.
But in order to mitigate a fraud going forward, there's a lot of key considerations here to be made. And I think, certainly large organizations or smaller organizations that grow, ensure that staff are fully aware of their responsibilities, particularly in a kind of risk-management framework document that kind of explains to them everything that is required. It's part of those kind of growing pains that you have as you're progressing from a very small merchant onto a medium-sized merchant, et cetera. But it's key to have in mind, ensuring that everyone is specifically aware of their responsibilities.
But from a management perspective, always ensure that you have a view on an acceptable level of fraud and loss that you have. There's always going to be risk within business. And we will try and make sure that we mitigate those as best we can. But having a figure that you review against your statistics or your management information on a regular basis ensures that you can then track back and see your systems are working properly.
Una mentioned within her presentation negative files. It is quite surprising how often forces do return. And it's also beneficial when you're tracking your exposure to what I like to call first-party fraud rather than friendly fraud. I don't think any fraud's friendly whether it comes from the [INAUDIBLE]. So from my perspective, it's always first-party fraud.
But ensuring you're evaluating transactions that are coming through against those negative lists, and you're looking for kind of comparisons and similarities across the information that you will receive around certain key areas of concern, maybe like postcodes, high-level concern IP addresses, shipping, mailing addresses, et cetera.
Taking the information that you get from your transactions, just a general list I've got here in terms of how we should be evaluating them. But we should have value thresholds that you're expecting from a certain transaction. Velocity of transactions coming from various different demographics to look at gives you a good idea of if you're getting a hotspot that could be occurring, whether that's at a micro level on a card, or an address, or on a slightly wider area.
But also [INAUDIBLE] looking for kind of commonality of emails, addresses, telephone numbers, IP addresses, et cetera, but particularly the mismatches when they're coming through, where you've had transactions that have come through that you've approved [INAUDIBLE] specific IP addresses, but a card number or billing address has changed, maybe the country doesn't conform to the IP address, it's only different interactions of data there. But it's key to have a viewpoint that when you've got these mismatches, that you identify them as quickly as you can.
We've mentioned PCI DSS. That really is-- for me, that is the baseline from a security perspective that [AUDIO OUT] but not just merchants, all organizations that store, process, or transmit data must [INAUDIBLE]. So it's incredibly important that we follow that through. But as a merchant, you can help yourself by reducing the scope. And that is where using a hosted third payments provider that is PCI DSS compliant, registered with the schemes in their various agent compliance programs, that is a way that you can [INAUDIBLE] down to a mere fraction of being having to actually devote whole environment, your own payments page, and your processing and storing the data yourself. So it makes a huge, huge difference.
But from a security perspective, one of the biggest things you can do is ensure that your staff are fully aware of the risks when it comes down to phishing. We see it regularly that organizations are being contacted by various fraudsters trying to phish for these [INAUDIBLE]. We've seen this over the COVID-19 period. And that's just a slight variational thing. But it's always there.
The quality of the phishing has obviously improved and the language that has been used. They're something to be very, very careful [INAUDIBLE] organization is going to be asking you for your password, details, or will be delving deeply into your network setup to be able to get information that could allow them to break into your systems.
One of the key things that we are seeing at the moment, which is causing me some headaches, we've seen an increase in account testing attacks. This is where sometimes a collusive, but more often than not an unsuspecting merchant, is being used by a fraud gang that has gained access to the system to test-- basically, it's almost like a reconnaissance mission-- to be out to test the cards to see which ones are valid and which ones have got enough information to be able to use. So ensuring that you've got some controls in place here, particularly around CAPTCHA-type tools to protect against botnets, because these attacks are becoming more sophisticated and targeted using multiple devices, but also just some fairly basic generic velocity checks-- maybe specific to things to see whether a specific issue is being targeted.
Next page, please, Aimee. Thank you. Cool. So a lot of this slide we have already effectively discussed. But some kind of running short of time. So I'm going to try and wrap up relatively quickly. The key notes here which I want to pick up on certain key topics,
The scheme rules are really important, not just for acquirers and issuers, but also when it comes down to merchants. And I know that there are restrictions-- and they do vary a little bit by product by product. But always ensure that when you're processing a transaction, you have a valid authorization that has come through. Now, if you're working for a fulfillment process to fulfill that order, if you exceed the time limit, which currently is seven days, you would probably need to get [INAUDIBLE] new authorization through.
But that shouldn't necessarily be a problem. Ensure your systems are set up so that you're working closely with your customer, and you're informing them and ensuring that those details are exchanged via emails and the correct mechanism that's been agreed so that the customer is aware. And that will help in reducing the amount of chargebacks that you're likely to suffer.
But so yeah. Going on from there, I think we obviously know that from time to time issues will crop up. There will be disputes. Some of the key things here is to ensure that your customer queries and complaints are acted upon promptly. So if you have got clear communication program for your customers to connect with you, then as long as those complaints and concerns are addressed quickly, then it makes it more likely that you will be able to resolve the issue, whether it's the product itself or potentially looking at a refund to the customer rather than going through the chargeback routes.
Make sure that those communications are formal and traceable so you can show that you are communicating with your consumer. Because if it does go down to the chargeback route, and you've shown that you've tried to provide the necessary mechanisms to get recompense for a transaction that's not got correctly, then that helps you in terms of your-- potentially in terms of your defenses. OK?
Right. Next page, Aimee. Cool. OK. Sorry, I think we've gone a bit too far. I'm struggling to see, I'm afraid, the slides on the screen. So go back to the--
[INAUDIBLE] to the fraud monitoring program slide there for you, Richard?
Yeah, that's it. Yeah, I'll finish off on that one very quickly. Just to let you know that we are aware that issues can arise from time to time. However, we want to ensure that the performance of merchants remain at a certain level. So we have a dispute monitoring program which is volume based. And we have an excessive threshold there. The standard threshold is 100 disputes per calendar month, and a dispute sales count of 0.9% and an excessive threshold of a 1,000 disputes with a dispute sales count of 0.8%.
In those situations, in the excessive count, 1,000 disputes count, there is a fee of [INAUDIBLE] for a dispute from there. That is why it's incredibly important that you work with your acquirers. So if you are progressing towards that, Visa's aware of that. We do have a kind of an early warning program, where we notify acquirers of merchants that are approaching that threshold.
And likewise with the fraud monitoring program, this is a value based program, where the standard notifications will be advised if a merchant has exceeded $75,000 US in a calendar month of fraud and the ratio is 0.9% and above and, for the excessive threshold, if they exceeded $250,000 US in a calendar month and the fault sales ratio is 1.8%. So again, we have a program in place where if a merchant is approaching that, then we will notify the acquirers as well. And it's very important, then, that the acquirers work directly with their merchants.
So I've taken a little bit longer than I anticipated. And thank you very much for your time. And best wishes to everyone and stay safe.
Brilliant. Thank you so much for your time, Richard, there. That was really helpful. So we're just going to quickly go through some of our polling questions that we had earlier in the session. So we will move on to these now.
And you'll see the contact information for all of our speakers on this slide. So please don't hesitate to reach out if you have any questions. And also, just before we go into the polling questions, this webinar will be available on our Merchant Services website within the next coming days if you want to, obviously, listen to it again, or also share it with any of your team.
So just moving on to our polling questions, the current EBA deadline for SCA is December 2020. If this does not change, will your business be ready? 9.1% say they will not be ready for December deadline. 50% say they will be ready, but it will be a tight squeeze. And 40.9% are in place-- implementation is already complete, and we will be SCA-ready when needed.
And just moving on to our next question. Have you taken steps to reduce your fraud rate in advance of SCA? 76.7% of attendees have said yes. And 23.3% have said no.
I just [INAUDIBLE] put that out to any of our speakers, if you have any kind of additional comments that you want to make on those two questions.
I just think from a--
Una or Colm--
Yeah. So I just think from the second question there, around taking steps to reduce your fraud rate around SCA, I think it is a key one. And it's great to see so many people have already taken to do so. But for those who haven't, whether it's that they feel that their fraud rate's on acceptable levels already, or whether they just haven't started yet, it's a key one to get ready, because issuers are proactively looking at [INAUDIBLE] merchants that are of higher risk.
And they're going to, I suppose, change their risk filters accordingly. So you know, I would look to try and take steps to reduce your fraud, you know, starting from now through to the end of December, just to get ready for the TRA exemptions in December. And also, work with your acquirer and any third-party fraud solution you may have to try and understand where you can, I suppose, look for optimization around your fraud rates.
Brilliant. Thanks, Colm. So just moving onto our third question--
I'm sorry--
--there. Have you approached your acquirer about their fraud rate? Yes, 26.1% and no 73.9%. There's actually quite a difference in there in, I guess, the approach to fraud risk.
Yeah. And I suppose that's a key one. Just because TRA ratio is based on the acquirer's fraud rate, it will be good to understand, if you reach out to your acquirer to understand what their fraud rates are, and what types of exemptions they can offer you in terms of the TRA exemptions. That's something probably most likely you should reach out to your acquirer to understand what their fraud rate is and what they can do to help you with your fraud rate.
Great. Thanks, Colm. And then just moving on to our final question here for our polling questions, how will you manage transactions from outside of the EEA? 12.5% said they have multifactor authentication will be applicable for all our customers, regardless of geography. 54.2% said we will differentiate between customers' locations and only require SCA for EEA customers. And 33.3% have said that they have not yet considered this.
So I think I will hand over to the panel for commentary, but I think it's very important during this period as we ramp up for SCA deadline on December 2020, that this would be looked up for your consumers just to make sure that all of the geography [INAUDIBLE] looked at and that the EEA countries are being addressed for the SCA requirements and to determine if there are other countries that may not need to meet those requirements.
Una or Colm or Richard, have you any comments on that that you'd like to add?
Yeah, I'd say I think that 33% is quite high in terms of not considering it at this stage, which would suggest to me that maybe a lack of information. So all I can say is coming to webinars like this is fantastic. Going to the EBA website just to get all of the [INAUDIBLE] information and getting your information from your acquirer, just being informed is hugely important. And starting at this late stage, there should be decisions made in this regard.
So if we go back to--
[INAUDIBLE]
Yeah, sorry. Going back to some of the questions before-- that's thinking about the-- analyzing the fraud rate, that's absolutely crucial to go back over the fraud rate, confirm those with your acquirer, payment service provider, look at ways where potentially you can improve those rates before we get towards the compliant state. Because there will always be a period of time that you [INAUDIBLE] change your systems, change your processes, target the ones that are most applicable for your business. And then there's always going to be a little bit of lead time into reducing those rates as well.
So very, very important. But also, in terms of this non-EEA customers, making sure you know what your potential risks are, looking at your client profile base and seeing how potentially you will be exposed, because SCA is quite a significant step up in security for all players that will use [INAUDIBLE] through the payment ecosystem. So if you're looking at areas that are currently not within the SCA, you can potentially expect there to be an increase going forward of fraud in those areas, where they think that SCA and step-up may not be used.
Brilliant. Thank you so much, Richard. So we've reached the end of our polling questions there. So I just want to say thank you so much to everyone for joining. We have gone over a little over time. So any of the questions that we've received in the Q&A we will reach out to you and provide response to those questions directly.
But as I mentioned before, this webinar will be available on the Merchant Services website in the next coming days for a year for you to replay. And obviously, do not hesitate to reach out to any of us if we can be of any assistance. But thank you so much for your attendance on our webinar today.
Thank you for joining us today. As a reminder, this webcast will be available on demand and slides JPMorgan Merchant Services [INAUDIBLE] website. And you'll receive a link in the next couple of days. This concludes our webcast. You may now disconnect.
Please Note: The webinar content begins at 00.30
Disclaimer: The information in this presentation is for informational purposes only, does not constitute an offer for products or services and should not be construed as an offer to buy or to sell. There is no warranty, express or implied, for the accuracy, completeness, or correctness of the information contained in this presentation.
The information herein or any document attached hereto does not take into account individual client circumstances, objectives or needs and is not intended as a recommendation of a particular product or strategy to particular clients and any recipient of this document shall make its own independent decision. The information provided herein may not be copied, published, or used, in whole or in part, for any other purpose other than expressly authorised by Chase Paymentech Europe Limited. © 2020, JPMorgan Chase & Co. All rights reserved.
Chase Paymentech Europe Limited, trading as J.P. Morgan, is regulated by the Central Bank of Ireland. Registered Office: J.P. Morgan, 200 Capital Dock, 79 Sir John Rogerson's Quay, Dublin 2, D02 RK57, Ireland. Registered in Ireland with the CRO under the Registration No. 474128. Directors: Catherine Moore (UK), Carin Bryans, Dara Quinn, Steven Beasty (US), Eilish Finan.