TRANSACT 2022: Key learnings for merchants and payment providers
By Arwen Heredia
12 May 2022
At April’s TRANSACT 2022 conference in Las Vegas—powered by ETA, the Electronic Transactions Association—banking giants like Discover, Visa, and American Express joined fintech startups and merchants across industries to shed light on the trials and triumphs of an evolving global payments ecosystem. Over 100 speakers delivered theories, strategies, and insights over more than 40 sessions, with crucial conversations taking place around account takeover fraud, PSD2 compliance, data breaches, alternative payments, and the technology that helps businesses protect their customers and assets.
Security that can meet the standard of speed required by consumers—and the scalability prized by merchants—is top of mind. Recent reports from Microsoft and other tech pillars center fraud prevention as a strategic objective as news of breaches against alternative payments providers continues to make headlines. Sift’s team of Trust and Safety Architects attended TRANSACT with the goal of sussing out common pain points, cross-industry payment fraud trends, technology blind spots, and future-forward initiatives helping different markets fight financial abuse.
“The scope of our responsibility as fraud fighters has increased dramatically,” said Kevin Lee, VP of Trust and Safety at Sift. “The past couple years have been so full of disruption that predictability isn’t the ace up the sleeve that it once was—accuracy is. Because businesses are starting to recognize that growth at the expense of security isn’t sustainable or even possible anymore, we as trust and safety experts need to be more concerned about how and where fraudsters are spending their own resources, and monitoring merchant vulnerabilities that show up regardless of the vertical.”
Account takeovers are everyone’s problem
Payment fraud rarely happens in a vacuum. Frequent data breaches and universally poor consumer password hygiene have made account takeover (ATO) fraud unignorable in every market as it continues to pave the way for fraudsters to access loyalty points, payment details, and gift card balances—while also allowing them a platform to quietly test stolen credit card information and user credentials.
At TRANSACT, it was clear that the driving force behind increased concern over online abuse has to do with the complexity of the global Fraud Economy—the interconnected network of online abuse vectors, methods, and actors that serve each other symbiotically. Fraudsters buy and sell user account information to infiltrate accounts on merchant sites and masquerade as legitimate consumers.
“Fraudsters have recently evolved the tactics they employ in the Fraud Economy to maximize profits, turning to automation to commit account takeover, multi-level scams, and financial fraud at scale across widespread merchants and verticals,” said Sift Trust and Safety Architect, Jane Lee, in a recent article. “The increased complexity of fraud and bot-based attacks drove attempted payment fraud up 23% across the Sift network from 2020 to 2021.”
Merchants are aware of the problem, but many are drowning in it, leading them to implement friction and reactive security solutions that only address fraud temporarily (and after it’s already caused damage). But for e-commerce as a whole and financial services providers like PSPs, banking on post-fraud mitigation only widens the gap between growth and protection.
“Businesses need to deploy machine learning (ML) solutions that detect ATO and other types of fraud in real-time so the company can take action before there is significant exposure,” said Brittany Allen, Sift Trust and Safety Architect and one of the ETA’s 2022 “Forty Under 40” cohort, representing innovators in the payments industry. “Think about how your company can implement Dynamic Friction to enable the 99% of trusted users on your site or platform to interact with your brand safely and with the least amount of frustration.”
PSD2 pains and rising ransomware
Concerns over PSD2 changes and compliance also dominated talks at TRANSACT 2022. Due to an increase in user challenge rates, coupled with a decrease in acceptance rates post-PSD2 rollout in EMEA, many merchants are both upset and confused as to why some of their transactions—which should qualify for a PSD2 exemption—don’t.
Recent reports found that “users bear 68% of the losses due to fraudulent credit transfers…For card payments it is around 30%.” However, the European Banking Authority states that “this pattern is somewhat at odds with Article 73 of the PSD2, which provides that liability for unauthorized transactions should lie primarily with the Payment Service Providers (PSPs) (unless the user has acted fraudulently).”
Adding to the confusion, the EBA doesn’t indicate anywhere that it will take action to minimize these differences, or to ensure that liability for fraud falls to the PSP. But the bottom line is that merchants cannot manage the outcomes of payment fraud effectively without more integration and transparency across transactions and the platforms that support them, whether or not it’s coded into law.
“Merchants can and should be asking more of their PSPs,” said Kevin Lee. “They’re often the gatekeepers when it comes to order acceptance and decline rates for your business. From fraud tools to acceptance rates to PSD2 exemptions, they should be supplying you with the tools, KPIs, and knowledge to help you run a successful business.”
Ransomware and its roots in the ever-expanding dark web took center stage, too, with multiple stories told of public and private businesses falling victim to rising data breaches, all with increasingly higher price tags. One speaker shared that “the average ransom demand in the first half of 2021 amounted to $5.3 million—a 518% increase compared to 2020. The average ransom payment has also increased by 82% since 2020, reaching a whopping $570,000 in the first half of 2021 alone.”
For trust and safety experts steeped in fraud management, singling out payment abuse is becoming an exercise in futility, leaving businesses vulnerable to sophisticated fraud tactics that leverage ATO, spam, and scams to orchestrate massive, multi-geo attacks. When it comes to the success of ransomware, malware, and account takeovers, payment fraud is the outcome—not the symptom.
Mining the passive user journey
“We recognize that fraud teams are fighting a battle on multiple fronts,” said Lee in his talk, The Dark Web, Account Takeovers, and You. “Siloed organizational structures mean differing KPIs and ways of working, all that make it challenging to influence change company-wide.”
Add increasingly well-armed fraudsters in a sophisticated Fraud Economy, and businesses are faced with new and ever-changing threats. Single-purpose tools mean extra effort for risk teams, as well as recurring budget to update and maintain a fully-functional tech stack. “But customers leave behind a lot of passive data as they make their way around an app or site,” he notes. “Teams can use what’s already there to make better decisions now, even as they work to deal with different types of fraud at scale.”
While these specific challenges continue to create business bottlenecks, fraudsters are turning to automation and proxy servers to scale and grow attacks, gaining an even stronger advantage over companies that have been slow to adapt. This, coupled with a bounty on emerging tools and consumer platforms like digital wallets, deeply threatens the growth of decentralized finances and alternative payments. From 2020 to 2021, Sift Data Scientists saw fraudsters doubling down on fintech, on the hunt amidst skyrocketing 121 percent growth in transaction volumes across financial technology providers in the Sift network.
“Ultimately, it’s up to trust and safety teams to protect their customers and their business,” says Kevin Lee. “And that means addressing fraud proactively, comprehensively, and transparently, from the way ops are run to what integrations are considered and which providers you partner with.”