Apple Pay has gained momentum quickly, in typical Apple fashion, with 2,000 financial institutions committed to support it, millions of cardholders actively enrolled, and two-thirds of all contactless transactions in December 2014 coming from Apple Pay devices.
But Apple Pay is not without growing pains, including higher-than-expected fraud rates in certain cases. As a result, some participants are learning hard lessons about the risks associated with the move to digital accounts and mobile wallets as they identify best practices in this new area, writes Ben Brown, Senior Consultant, specializing in Credit Card Issuing and Payments Innovation, First Annapolis.
While no issuer has disclosed public figures on Apple Pay fraud levels, our channel checks indicate that some issuers are experiencing higher-than-average rates of fraud, many times higher than the general-purpose industry average of about 0.1%. Apple Pay’s sales volumes are still nominal, so a small denominator likely contributes to a high percentage, and the issue hasn’t translated into enough absolute dollar chargeback volume to raise flags at most big merchants or acquirers.
The fraud associated with Apple Pay comes primarily from criminals with stolen data provisioning compromised card accounts to phones. Apple Pay leverages a range of innovative new security technologies to enhance cardholder authentication at the point of payment and protect against counterfeit cards, but authentication of the cardholder’s identity by issuers at time of registration appears to be a soft spot based on our industry conversations and our own in-house field testing.
When a cardholder registers their card for Apple Pay, a number of checks are performed to ensure the requester is the actual accountholder. These checks may include address verification, account validation, account age/history, and other factors using standard issuer calls and potentially Apple data (e.g., iTunes account information and history). If these checks pass, the card is tokenized and enabled on the phone – what is called the “green path.” If these checks fail, Apple Pay will direct users to contact their bank to authenticate their identity using issuer-specific protocols.
About half of Apple Pay card registrations require additional authentication, based on our research, indicating that it is an important part of the onboarding process — although issuers’ processes for additional authentication vary widely. Some issuers ask cardholders to call customer service, some ask them to log in to the bank’s mobile app, and others use two-factor authentication such as an SMS or email.
Many of these processes revolve around the concept of a “tenured” phone number on file being secure, which is proving to be troublesome. As a result, these processes are not always effective at stopping account spoofing: across approximately 30 tests, our team at First Annapolis was able to load and use several of our colleagues’ cards on one another’s phones.
As should be expected, issuers and other stakeholders face a new learning curve as they participate in mobile wallets and other forms of digital payments. A number of early best practices are starting to emerge. Issuers should not just validate static account data, which could have been compromised in a data breach; it is also useful to leverage mobile authentication services like Payfone, and to look for patterns in the mobile account lifecycle.
Issuers should develop more nuanced approaches to authentication, including perhaps “light touch” and “high risk” workflows, and leverage their channels beyond the call center. For example, if a user locks up their mobile banking app or a caller fails two or more identity questions, the issuer should consider directing them to a branch for in-person authentication. And issuers should closely monitor spending activity across all channels on new digital accounts to identify fraud patterns and quickly suspend suspicious accounts.
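As an added illustration (not code from First Annapolis or any issuer), the sketch below routes a card-provisioning request to the green path, a light-touch step-up, a high-risk workflow, or in-person authentication. The field names, thresholds, lifecycle signals, and the mapping of workflows to channels are assumptions; only the branch rule (app lockout or two or more failed identity questions) is taken from the text above.

```python
from dataclasses import dataclass
from enum import Enum

class Path(Enum):
    GREEN = "green path: tokenize now"
    LIGHT_TOUCH = "light touch: e.g. log in to the bank's mobile app"
    HIGH_RISK = "high risk: agent-led identity questions"
    BRANCH = "in-person authentication at a branch"

@dataclass
class ProvisioningRequest:  # hypothetical field names
    avs_match: bool
    account_valid: bool
    account_age_days: int
    contact_changed_days_ago: int   # phone/email on file last changed
    cards_added_to_device_30d: int  # other cards provisioned to this device
    app_locked_out: bool = False
    failed_identity_questions: int = 0

# Assumed thresholds for illustration; an issuer would tune these.
MIN_ACCOUNT_AGE_DAYS = 90
RECENT_CONTACT_CHANGE_DAYS = 30
MAX_CARDS_PER_DEVICE_30D = 3

def route(req: ProvisioningRequest) -> Path:
    # Stated in the article: app lockout or two or more failed questions -> branch.
    if req.app_locked_out or req.failed_identity_questions >= 2:
        return Path.BRANCH
    # Lifecycle signals first: static data may come from a breach, so passing
    # static checks never overrides a suspicious lifecycle pattern.
    if (req.contact_changed_days_ago < RECENT_CONTACT_CHANGE_DAYS
            or req.cards_added_to_device_30d > MAX_CARDS_PER_DEVICE_30D):
        return Path.HIGH_RISK
    static_ok = (req.avs_match and req.account_valid
                 and req.account_age_days >= MIN_ACCOUNT_AGE_DAYS)
    return Path.GREEN if static_ok else Path.LIGHT_TOUCH

# Constructed sample requests, not real data.
SAMPLES = {
    "long-standing customer": ProvisioningRequest(True, True, 900, 400, 0),
    "address mismatch only": ProvisioningRequest(False, True, 900, 400, 0),
    "contact changed last week": ProvisioningRequest(True, True, 900, 7, 0),
    "device collecting cards": ProvisioningRequest(True, True, 900, 400, 5),
    "failed two questions": ProvisioningRequest(True, True, 900, 400, 0, False, 2),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:28} -> {route(req).name}")
```

The third and fourth samples pass every static check yet are still stepped up, which is the case static validation alone would wave through.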
The digital environment will require a fresh look at many industry practices from cardholder authentication and fraud management to all-digital servicing and tactics to drive top-of-wallet preference. Issuers should expect to experience some pitfalls as they migrate to digital accounts and mobile wallets, but any setbacks should be temporary as the industry develops tools for this important new channel.