Online Payments Archives - Page 2 of 2 - Digital Payments, Payment Security and Lending

Cross Border Payments in India

Krishnan KN / June 10, 2024

What are cross-border payments? Payments or transactions done across borders are part and parcel of international trade. So, playing the role of medium between the vendor and customer, cross-border payment is one of the crucial entities that enables cross-border trade. Any export or import is dependent on cross-border payment, and its growth is crucially dependent on smooth and seamless transactions. Why are cross-border payments significant? The significance of cross-border payments is proportional to the significance of cross-border trade. The size of cross-border payments is significant, with export merchandise alone contributing to about 15% of the total GDP. This alone is enough to look into the cross-border payment facilities that we are enabling our traders with to boost our country’s economic growth. India is looking at becoming a $5 trillion economy, and one of the major contributors can be cross-border trade. However, the fact on the ground is that of the 17 states that share their borders with other countries, only nine of them can actively engage in safe trade. Digital India has thrown the doors to cross-border trade wide open to not just the conglomerates but also MSME in India. Talking of MSME contribution, Livemint.com reports that “In FY 2022–23, MSME products accounted for 43.6% of India’s exports.” What are the major challenges to cross-border payments in India? Charges: With different countries come different rules and different financial charges. Many of the charges are informed only at the time of transactions, which either the vendor has to absorb or charge to the customer, irritating them in the least. Cumbersome process: With most local banks dealing with only a few currency options, time is taken for the standard international payouts, and both time and transparency are lost. SWIFT and international wire transfers come with their own set of challenges with regards to cost and time. Risk of fraud: Digitalization has thrown the door open to not just traders but also to cyber criminals. Cybersecurity has been constant and updated with the ability to come up with new solutions for the threats emerging daily. And yet be cost-effective. Compliance changes: Different borders dictate different laws at different points in time. The law of the land is often tweaked to combat raising threats or cementing the loopholes of existing laws. Currency volatility: With VUCA, is it a surprise that every country has a relatively fluid economy when compared to the currency woes that have been an age-old story? Only the present digitization has removed the buffer that the lag of communication offered earlier. How do we provide a solution to one of the pillars of our economy? Fintech India needs its fintech industry to find a one-stop solution for not just an easy and transparent transaction but also a safe one. A solution that authenticates easily but with foolproof scrutiny. Though many start-ups are working on solving individual issues discussed, most of them are working on their expertise, which is limited to one area. The need of the hour is an aggregator who would collect all this expertise on one platform and provide a holistic solution. The future looks bright with a possible blend or amalgamation of both seamless and secure transactions across borders.

Industry Insights, Product, Reading List

Empowering Digital Transactions: A Comprehensive Guide to Payment Gateways and Wibmo Areion’s Innovation

Ravi Battula / January 11, 2024

The dynamic landscape of digital payments has posed challenges and opportunities for stakeholders across the financial ecosystem. From merchants and payment facilitators to issuers and payment gateways, each entity grapples with considerations of customer convenience, operational costs, compliance, security, and value-added services. This comprehensive guide explores the critical decision of selecting the right payment gateway, emphasizing the importance of compliance, security, transparent costing, and value-added services. Additionally, we delve into the innovative features of Wibmo Areion, a cutting-edge payment gateway that redefines the digital payment experience. Understanding the Landscape: The payment ecosystem operates as a connected network of platforms, where the considerations for selecting a payment gateway vary based on the role of the player. The two primary providers of payment gateway services to merchants are acquiring banks or intermediaries such as Payment Aggregators, Payment Facilitators, or PSPs. Table Stakes and Prerequisites: Before embarking on the payment gateway journey, certain prerequisites must be addressed. Compliance with supported payment schemes and robust technological infrastructure, complying with standards like PCI DSS and NPCI for UPI, is crucial for a seamless and secure digital payment experience. Key Business Considerations: Cost per Transaction (MDR): Derived from the Merchant Discount Rate (MDR), transparent costing is complex and varies based on factors like merchant category code, payment limit, and payment instrument type. Transaction Success Rate (SR): Paramount for all stakeholders, payment gateways strive to offer the highest success rate through innovative payment flows and partnerships. Fraud Management: A robust fraud management platform is essential to minimize chargebacks and secure payments, especially in online transactions. Billing, Reporting, and Dashboards: Transparent billing and reporting are crucial for stakeholders to gain clear insights into transactions through simple and informative dashboards. Differentiators and Value-Added Services: Beyond core capabilities, payment gateways seek to differentiate themselves through value-added services: Frictionless Check-Out: Using biometrics for seamless authentication. Loyalty Programs: Allowing customers to earn and redeem loyalty points at checkout. EMI Options: Providing affordable instalment options at checkout. Diverse Payment Methods: Supporting additional payment methods such as wallets, net banking, and local payment methods. Unveiling the Future: Exploring Wibmo Areion Payment Gateway In the rapidly evolving landscape of digital payments, having a robust and versatile payment gateway is crucial for businesses seeking seamless transactions and enhanced customer experiences. Wibmo, a leading player in the fintech industry, introduces its cutting-edge payment gateway — Wibmo Areion. Let’s delve into the features, benefits, and potential impact of this innovative solution. The Rise of Wibmo Areion: Wibmo Areion represents a significant leap forward in the world of payment gateways, offering advanced features and capabilities designed to meet the dynamic needs of modern businesses. From security enhancements to a user-friendly interface, Wibmo Areion aims to redefine the digital payment experience. Key Features: Enhanced Security Protocols: Prioritizing transaction security with state-of-the-art protocols and compliance with PCI DSS standards. Seamless User Experience: Commitment to a smooth and seamless user experience for quick and hassle-free transactions. Adaptive Fraud Management: Employing adaptive fraud management tools to stay ahead of evolving fraud tactics and minimize chargebacks. Multi-Channel Support: Recognizing the diverse nature of modern transactions, Wibmo Areion offers support for various channels, including e-commerce, mobile payments, and in-app transactions. Flexible Integration Options: Providing businesses with flexible integration options through Rest-based APIs, ensuring a hassle-free implementation process. Benefits for Businesses: Enhanced Security: Instilling trust among customers by providing a secure and reliable payment environment. Improved Customer Experience: Contributing to an enhanced customer experience, leading to higher satisfaction and retention rates. Reduced Fraud-related Costs: Minimizing the financial impact of fraudulent activities, reducing operational compliance costs. Scalability and Multi-Channel Reach: Scaling with businesses as they grow and ensuring support for various platforms and channels. Efficient Integration: The flexible integration options make the onboarding process smoother, allowing businesses to quickly adopt and benefit from advanced features. The selection of a payment gateway is a nuanced decision that traverses various dimensions based on the role of the payment player. As stakeholders navigate this landscape, the emphasis on compliance, security, transparent costing, and value-added services will play a pivotal role in shaping the future of digital transactions. Let us work together and ensure that we, as one family, soar to new heights in the coming year. None of this would have been possible without each one of you. Your dedication and hard work have been the driving force behind our success. As we bid farewell to this incredible year, we express our deepest gratitude. We look forward to seeing you grow with us in the coming years. Author: Ravi Battula, Vice President- Merchant Acquiring Business Wibmo A PayU/Naspers FinTech Company Card Payment, Online Payments, Payment Gateway, Payment Processing, Payments Technology

Reading List

Browser Fingerprinting- Part 2

Vaibhav Chandel / June 16, 2023

Are you all set to find out more about browser fingerprinting? We bring you Part 2 of this series. Types of Fingerprinting Techniques: Canvas Fingerprinting: The browser fingerprinting technique uses the HTML5 canvas element to identify variances in a user’s GPU, graphics drivers, or graphics card. Steps- First, the script draws an image, often overlaid with text. Then, the script captures how the user’s web browser has rendered the image and text. Naturally, every device with different hardware and drivers will render the image slightly differently, distorting its colour and shape. A hash is then computed using the rendered image’s data, which serves as the ‘canvas fingerprint.” The scripts used for canvas fingerprinting operate in the background to keep the user from realizing that the fingerprinting is occurring. This fingerprinting technique is accurate and not too processing-intensive, making it one of the most commonly employed script techniques. The visitor’s specific browser and device render images, which can be narrowed down to a pool of fewer than 0.01% of total visitors. WebGL Fingerprinting: WebGL fingerprinting is very similar to Canvas fingerprinting, as they both use the browser to render images off-screen. The WebGL API can be used to render 3D forms in the browser. With the help of the three.js JavaScript library, many 3D forms can be rendered, such as Sphere Cube Precomposed geometric shapes The test is not that reliable because it is too sensitive to changes in the environment, such as the size of the browser window or the use of the browser console. These changes caused the dimensions of the rendering context to be updated, which resulted in different rendering results when the page was reloaded. The methodology is still to use images to distinguish users based on their graphics drivers and device hardware. Media Device Fingerprinting: This technique uncovers a list of all the connected media devices and their respective IDs on a user’s laptop or PC. This includes all internal media components like video cards and audio cards, as well as all connected or linked devices like headphones. Media device fingerprinting is not widely used for fingerprinting functions. This is because it requires the user to grant access to their microphone and camera to get a complete list of connected devices. Audio Fingerprinting: While other fingerprinting techniques force browsers to render a text or image, this technique checks how their devices play sound. The browser vendor and version used impact minute differences in sound waves generated by a digital oscillator and differences in CPU architecture. Clock Skew: Clock skew is a measure that can be used to identify the hardware specifications of a machine by analyzing the uneven arrival of electrical signals from a clock generator at different components. These differences can be affected by temperature variations in the hardware and can be analyzed with sufficient data and numerical analysis. This is considered an extreme measure in the field of fingerprinting. Browser fingerprinting workflow: Utilizing browser fingerprinting for authentication during payments as an additional layer of security and protection against fraud is helpful, but it has to be coupled with a two-factor authentication process. Two-factor authentication involves verifying a user’s identity using two different methods, such as a password and a fingerprint or a code sent to their mobile device. By adding browser fingerprinting as a third factor, Wibmo’s Trident FRM solution uses canvas fingerprinting and creates a more secure and reliable payment authentication process. It is important to ensure that proper privacy protections and data security measures are in place, as browser fingerprinting data is unique to each user and can be used to track and identify individuals across different websites and devices. Additionally, it’s important to comply with data privacy regulations such as GDPR, CCPA, and the upcoming Digital Personal Data Protection Bill when collecting and storing browser fingerprint data. Fingerprinting and Online Fraud Detection: Browser fingerprinting techniques can be useful for identifying and targeting visitors with a pattern of fraudulent behaviour on a website. These techniques can be particularly effective in identifying users who use identity concealing techniques such as disabling cookies, using a VPN, or browsing in incognito mode. 1.In cases of account takeover, where malicious users try to hack a legitimate user’s account, fingerprinting and other user identification technologies can be used to add additional security measures to the login process for suspicious traffic only. 2.To prevent brute force or bot attacks, it is best practice to require users to solve a CAPTCHA after a certain number of failed login attempts and to lock out the user for a set time after a certain number of attempts, as such attacks often rely on automation and thus may not have the unique browser configurations of genuine users. a. Browser fingerprinting can detect bots through their unusual browser configurations. b. Multiple login attempts with the same fingerprint can signal a brute-force attack. c. Bots that either lack a unique fingerprint or use identical fingerprints can be spotted and investigated. d. It can improve CAPTCHA systems by triggering a CAPTCHA when a fingerprint is linked to suspicious activity. 3.For phishing scams, requiring email or two-factor authentication for new fingerprints attempting to log in and blocking repeatedly visited fingerprints can also be effective measures. Conclusion: Limitations and current scenario of browser fingerprinting: Author: Vaibhav Chandel, Product Manager Wibmo A PayU/Naspers FinTech Company BaaS

Industry Insights, Product, Reading List

UPI Fraud Trends and Their Possible Mitigation

Sujit Kumar Mahato / March 16, 2023

With over 2 billion transactions worth over INR 4.5 trillion processed every month, India’s United Payment Interface (UPI) has revolutionized the digital payment ecosystem. UPI has been emerging as the most preferred payment method among Indians. However, at the same time, we are witnessing a rise in fraudulent transactions in recent times. A total of 1,46,495 unified payments interface (UPI) fraudulent activities were reported on the National Cybercrime Reporting Portal (NCRP) during the first and second quarters of 2022, as per the Ministry of Home Affairs (MHA). Up until now, banks and financial institutions have predominantly relied on educating consumers against fraud. But, in cases of fraud, the consumer is at the mercy of the grievance process, which adversely affects the consumer experience and dents customer loyalty. Fraud Trends and Their Possible Mitigation Impersonating Sellers and Customer Care It is more of a habit to google customer care contacts when facing issues with our online purchases. Fraudsters are flooding the internet with fake customer care details to lure in consumers. After gaining the trust of gullible customers over the phone, refund collect requests are shared via QR codes, SMS links, and so on. Financial institutions can integrate with technological solutions that detect and alert the customer in the event that a payment is made over the phone. Spoofed VPA IDs In the name of disaster relief or support, fraudsters created multiple spoofed VPA IDs that are remarkably similar to the original ones. In recent times, we witnessed an unprecedented rise in VPA IDs, similar to the PM Cares Fund. Maintaining a list of suspicious keywords such as support, relief, care, disaster, army, minister,” etc. and running risk rules over transactions being made to VPA IDs containing high-risk keywords have the potential to curb fraudulent transactions. Screen mirroring apps and malware Through malicious links, fraudsters get consumers to download screen-sharing or remote-access apps or malware. Once installed, the fraudster gains access to confidential UPI details, which are then used in combination with other modus operandi, such as SIM-swapping. Payment apps should have the capability to detect potential malicious apps already downloaded on the device and restrict payments from going through. Collect Request Through classified ads, fraudsters initiate conversation with sellers they are impersonating as potential buyers. Creating a sense of urgency, the fraudster intends to make a quick payment without much negotiation and sends a collect request, sometimes in the form of a QR code. The VPA IDs used by fraudsters are generally gibberish and at times have numbers or alphabets in sequence. Banks or financial institutions’ apps should have the capability to detect such patterns on beneficiary VPA handles. UPI has made digital payments more accessible and convenient for millions of people in India, and it is expected to continue to play a significant role in India’s digital payments ecosystem in the coming years. With continued efforts of educating consumers against frauds, banks and financial institutions should leverage the technological advancements against the mushrooming UPI frauds. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company BaaS

Industry Insights, Product, Reading List

Regulator asking your bank to migrate from SMS-based OTPs to more secure authentication options? Use the opportunity to derive multiple benefits

Edward Chien / November 21, 2022

Central Banks are proactively taking steps to reduce the risk of banking/financial fraud The phrase “two sides of the same coin” applies to the world of digital banking and financial services as well. Internet/mobile based banking capabilities have undoubtedly enabled convenience and speed for consumers and reduced costs for service providers. Simultaneously, however, there has also been a steady rise in digital frauds and scams around the world. New ways of scamming consumers are constantly emerging because omni-channel digital first banking has given perpetrators more options based on how banking transactions are authenticated. Central banks around the world have regularly been raising the bar for digital security within their jurisdictions, given their responsibility for orderly conduct of a country’s banking and financial services system and ensuring the highest levels of consumer safety and protection. Individual banks and fintech players are proactively integrating new technologies and protocols to provide customers with the additional security of multi-factor authentication. About a month ago, Bank Negara Malaysia (BNM, the Malaysian central bank) announced that banks operating in that country needed to adopt authentication methods for online activities (opening accounts, making payments and other transactions) that go beyond SMS-based OTPs (One Time Passwords). BNM’s new measures also cover changes to default customer account settings, cooling off periods for new accounts, using just one device for authentication, etc. The rules pertaining to the detection of scams/frauds and the triggering of blocking actions are also being tightened. While many of the steps will kick in after suspicious transactions are detected, what is essential for banks is to strengthen measures that can minimize the occurrence of frauds and scams through superior digital authentication and the detection of risky transactions. OTPs and two-factor authentication are no longer adequate Over the past years, OTPs have become ubiquitous and deeply embedded in our lives as the primary means to authenticate all banking (and many other) transactions. But the two-factor authentication provided by OTPs is no longer enough to provide customers with the desired levels of safety and protection. Authentication is based on entering the 4 or 6 digits sent by the service provider to the customer’s mobile number. It does not verify the identity of the person who has entered the OTP. This means anyone with access to the OTP can easily impersonate a customer and complete transactions without the genuine customer being aware until it is too late. Think about three commonplace scenarios that customers might routinely face: a lost or stolen mobile phone, an unlocked phone on their office desk while they briefly step out, or a phone given for repairs (where unscrupulous staff members have the chance to copy/access personal data). In each of these situations, unauthorized persons can easily access OTPs and other transaction-related messages sent by banks to the phone and essentially “authenticate” transactions that will go through as legitimate transactions initiated/approved by you. If such impersonation risks are not bad enough, think about phishing frauds and scams where users are induced to click on links that they believe have come from their bank or other service providers via SMS. A world of non-banking digital payment apps and platforms gives fraudsters even more opportunities to scam customers by voluntarily giving out information that is needed to complete unauthorized financial transactions. In such a high-risk environment, online authentication must necessarily be made a more rigorous and fool-proof process that is inherently harder to circumvent. Rather than relying on an OTP that can be entered by anyone (and not just the genuine customer), banks must adopt authentication protocols that use multiple data points that can be collectively used to establish customer identity and authenticity of transactions. Multi-factor authentication can make a big difference to the reliability of your authentication and hence customer experience Banks need to balance secure and reliable authentication with the associated costs and impact on customer experience. Working even when there is mobile network latency (or lack of network coverage) is another requirement. Compliance with the bank’s own security norms and complete adherence to prevailing regulatory requirements also needs to be considered. The solution must be such that it can be used seamlessly with mobile banking as well as internet banking. Multi-factor authentication (MFA) solutions tick all these boxes. A robust MFA solution uses a combination of three distinct sets of data points for authentication: · Knowledge- what the customer knows (e.g., password, security question); · Ownership/access- what the user has (e.g., mobile device, USB token); and · Inherence- something that is inherent to the customer (e.g., fingerprint or other biometrics) A world-class MFA solution must provide banks (and other organizations) the option to authenticate customers and transactions based on a variety of authentication touchpoints that cater to customer preferences and risk profiles. It must be used either on a standalone basis or be capable of easily being integrated with a bank’s existing assets. It must support Out of Band (OOB) authentication- which means that the channel used for authentication must be distinct from the one used to sign in or perform a transaction. Ideally, the OOB authentication element must reside in the customer’s registered mobile phone, making it easier to leverage ownership- and inherence-based data points as well for authentication. The MFA solution must be compatible with EMV 3-D Secure and 3-D Secure 1.0 protocols and support CNP transactions as well. Wibmo’s Tridentity is an MFA solution that is designed to address the above needs and deliver the above capabilities. It supports authentication based on Push notifications, Offline OTP, and Biometrics. It is available as a simple SDK or downloadable as an Android/iOS app. Tridentity is compliant with the EU’s PSD2 initiative. Please click on https://www.wibmo.com/tridentity/ for more information on Wibmo’s Tridentity solution and how it can help your bank in Malaysia or elsewhere. If you have specific questions and would like to speak to one of our experts, write to us at [email protected]. Author: Edward Chien, Director- Sales, South-East Asia Wibmo A PayU/Naspers FinTech Company Authentication, Multi-Factor Authentication, Online Payments, Out of

Reading List, Stories

True Cost of Combating Payment Frauds

Sujit Kumar Mahato / September 14, 2022

A quick recap of major players involved in payment transactions : 1. Customer 2. Issuer Bank — holding the customer’s bank account 3. Payment Networks — Visa, Mastercard, NPCI, etc 4. Merchant 5. Acquirer Bank — holding the merchant’s bank account In simple terms, Payments Fraud is the one where someone made unauthorized payments/purchases. Though the liability of fraud differs(customer/merchant/banks etc) on a case-to-case basis, someone in the payment system has to finally bare the brunt and mark the money as lost in their respective books. Fraud is a global issue that affects not only individuals but also organizations — merchants, banks, insurance companies, and who so ever is dealing with payments. Payments frauds have been crippling every country across the globe and according to recent studies, the epidemic of payment fraud has been growing over the recent years. When it comes to payments, there are 2 major elements – 1. FALSE NEGATIVE — when an act of fraud goes undetected and through the payment system 2. FALSE POSITIVE — when a faulty fraud detection system blocks a legitimate transaction. Anti-fraud solutions and fraudsters are caught in a cat-and-mouse game. Both have been leveraging technological innovations to meet their underlying need and eventually adding to the cost of combating fraud. Whenever we come across the term COST, our first thought is that it’s a mere cumulation of expenses incurred in producing or building a product or service. However, in financial terms, the cost is segregated into — Direct Cost and Indirect Cost. The majority of the time, indirect costs are neglected when it comes to deriving the actual cost of a project due to the difficulty associated with deriving a cost-effective methodology for the assignment of indirect costs. When it comes to defining the cost associated with fraud, organizations generally tend to consider the amount lost in the fraud process. These numbers are a significant percentage of the topline revenue. Moreover, it’s a concerning fact that even less than 20% of businesses are able to fully recover the amount from unauthorized transactions and other fraudulent activities. Apart from the obvious Direct Cost — fraud amount value — associated with the transaction, the Indirect Cost often goes unnoticed. Cost of Combating Fraud: Huge infrastructure and resources — manual as well as technological are deployed by organizations in payment authentication and authorization. The cumulative loss arising from both False Positive and False negative scenarios burn a larger hole in terms of operational efficiency. Cost to Reputation: Businesses incurs huge cost when it comes to building a reputation of trust through the marketing function which employs varied techniques to increase the perceived value of a product or service over time. Undetected frauds and consequent delays in grievance redressal often leave the customer/merchant with a bad experience with their respective banks and also with the payment entities involved in the process. Cost of declining Genuine transactions: High False positive rates can leave the customers/merchants frustrated. Organizations leave no stone unturned through sales and marketing and customer support to acquire and retain a customer. In the era of fierce competition, if one thinks Customer acquisition is hard, think about the retention of a frustrated customer. It is somewhat now possible to measure fraud and error losses but one needs to surely factor in the Indirect Costs in order to make a proper judgment about a proportionate level of investment to be made in reducing them through the deployment of anti-fraud tools. Direct costs associated with fraud are just the tip of the iceberg and give even less than half a picture of the menace lying underneath. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company Anti Fraud Management, Digital Payment, Fraud Detection, Fraud Prevention, Online Payments

Reading List, Stories

Account Takeover Frauds- Adaptive Protection Approach

Sujit Kumar Mahato / August 31, 2022

Once a fraudster has gained access to an account, they eventually end with either or combination of the following : – Make fraudulent orders – Reload digital wallets – Use loyalty points – Sell the confirmed account – Extract customer data to sell The process of gaining access to a victim’s login credentials to steal funds or information is referred to as Account Takeover Fraud (ATO). Fraudsters can take over any account type — bank, e-commerce, etc and have multiple ways at their disposal to trick gullible victims. Account takeover fraud is not new, but it is becoming more common. In 2018, account takeover fraud losses totaled around $4 billion. By 2021, this figure had increased by more than 200%. (PaymentsJournal) Fraudsters are finding innovative ways to carry out their trade. Screen-sharing apps are one of the newest additions to their arsenal as more and more individuals adopted digital payments during the pandemic for daily transactions. These screen-sharing apps were developed with the intention to provide tech support using the screen-sharing feature. However, these apps are now being used by fraudsters to access the mobile devices of their targets and make transactions without waiting for victims to share OTPs. Often gullible consumers fall prey to fraudsters pretending as bank officials who create urgency on the pretext of account/card block and ask users to download screen-sharing apps for account retrieval. Once installed, fraudsters have a clear view of not only the account credentials but also the OTP messages received over the phone, and consumers eventually end up with debit messages of their hard-earned money. One of the growing concerns is that ATO frauds are happening through screen-sharing apps despite the constant efforts from government agencies and banks to educate consumers not to share sensitive financial information or download apps from suspicious sources. Apart from the recent Screen Sharing Apps, a few of the other methods deployed by fraudsters to conduct Account Takeover Fraud (ATO) are : – Phishing: Impersonating as representatives of well-known brands/ businesses, the fraudster persuades the individual to click on links that redirect to spoof websites or install malware that does the credential harvesting. – Credential Stuffing ( Brute-Force): Dark web provides bank account/card details at a cost as low as USD 15. Once the fraudster has sourced a list of stolen credentials from the Dark Web, bots are used to run automated scripts to guess the correct account password by making multiple login attempts with a different password each time Account takeovers can significantly damage customer trust and brand reputation. Often, businesses introduce tighter security measures and add verification steps, but too much of either can harm the user experience. The need of offering an experience that is welcoming to consumers and hostile to fraudsters can be addressed through an adaptive protection approach. Billions of transactions take place across the globe generating valuable data points which are utilized in the concept of adaptive protection and the ability to run through layers of controls in real-time — including consumer behaviors and network anomalies — to determine whether a user should be pushed through with no friction, declined or given an alternative experience. Differentiating between good users and fraudsters helps in avoiding account takeover fraud. Wibmo’s TRIDENT FRM, an enterprise fraud, and risk management solution, evaluate diverse data points across channels and devices for the risk associated with each transaction. Learning and adapting to evolving consumer behavior as well as fraud patterns, TRIDENT FRM helps to detect and predict fraud while ensuring a delightful user experience. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company Account Takeover, Fraud Detection, Fraud Prevention, Online Payments

Industry Insights, Reading List

Things you must know about Tokenization — talk of the town

Ravi Battula / July 6, 2022

After the industry requested more time to comply with the latest data security rules, the Reserve Bank of India mandated the implementation of tokenization of card transactions, with a deadline of June 30, 2022, which is further extended to September 30, 2022. So, what exactly is tokenization? And how would it aid in the security of online transactions? Tokenization is a process of replacing sensitive information with non—sensitive information [token]either completely or partially, rendering the token useless for the unintended users. Tokens are irreversible, original data cannot be derived back using a key, unlike the cryptographic process. It follows the principle of ‘pseudonymization’ [Pseudo Anonymization or simply put alias or surrogate] for sensitive data like Aadhar, SSN, Credit Card, Bank ac/c, phone, or DOB. A tokenization system links the original data to a token but does not provide any way to decipher the token and reveal the original data. For e.g. in the case of a card/PAN, Token PAN is generated using the Format Preserving Hash which is irreversible PAN, and Lunch’s check is passed on the same so all the card validations on the token are also successful and follow card network rules. Original PAN: 7654 1111 1111 1111 Token PAN: 6667 2397 1422 2655 [Identical to PAN but of no value for a bad actor as it cannot be used without the valid Token Requestor and Merchant Id combination.] Any token generated for a card will inherit the key attributes of the original card e.g. expiry date, product code, card art, etc. Tokenization is a secure method of storing payment information. In essence, a token (an alias or a Pseudo number) is generated for the stored payment card. As a result, simply possessing the token does not grant you access to the card information without first passing through the tokenization system. When we apply this to the real world, we can see the benefits. Consider a website that sells specific products but also offers recurring deliveries. When a client purchases from the website for the first time, they will enter their credit card information themselves; however, for recurring transactions (such as the delivery of specific cosmetics on the first day of each month, for example), the information must be stored by the website in order for a monthly payment to be made. If card information is not stored securely, unauthorized personnel or even bad actors can gain access, causing a nuisance for the consumer and a serious problem for the merchant resulting in chargebacks. To solve this problem in the simplest way possible, we turn to tokenization. When a client first enters his card details, the payment platform collects the information and sends it to the tokenization system, which returns the token to the website and processes the payment. The token will be stored on the website in conjunction with the information entered during the registration process. For a Standing Instruction when the merchant website needs to charge the client on a recurring basis, it will simply send the amount and the token to the payment platform. The payments platform will then send the token to the tokenization system, which will map the card number against the token and complete the transaction on behalf of the customer. The website does not need to store the actual card details to process recurring payments using this method, and the payment process is limited to the dialogue between the tokenization system and the payment platform, both of which have high levels of security. Tokenization inherently uses a pseudonymization process to replace sensitive data with random data. Card tokens are intent-based which is unique per merchant. Card tokens generated at one merchant cannot be used at other merchants. In case of any data compromise at a particular merchant/entity, it cannot be used for any other purpose. Even if the bad actor wants to use the stolen token at the same merchant, they will also need the cryptographic keys to initiate any transactions which are almost impossible to get access to organization cryptographic keys. Hence tokenization makes the data storage, data transmission, and data usage very secure without worrying about misuse. In this case, the user would simply delete/cancel the token for a particular merchant only as opposed to canceling the card and managing storage at all other locations Because online shopping is becoming more popular by the day, cybercrime has skyrocketed so as data proliferation, both businesses and their customers must now rely on secure online solutions for all types of transactions. This means that more credit card information is being stored and processed, providing more opportunities for cybercriminals. Security solutions such as tokenization are arguably more important than ever before, as they can assure clients that their sensitive data is much more secure, thereby fostering trust and loyalty between businesses and consumers. Benefits of tokenization on your cards : · With rising subscriptions and recurring economy, intent-based unique tokens enable users to manage multiple subscriptions (COF or SI) very securely · Can be used for an online card on file and device-based tap n pay contactless payment on mobile devices · Greater protection against data theft due to higher storage security · Higher customer control to view and manage tokens and set controls · Bring standardization for card storage across the ecosystem rather than every entity implementing their own standards The Wibmo Areion ‘Token Hub,’ built in accordance with EMVCo standards, is the only unified tokenization solution for merchants, acquirers, Issuers, and Fintechs. It ensures that you are in compliance with the latest RBI guidelines while also providing a frictionless payment experience. To find out more, write to: [email protected] Author: Ravi Battula, Vice President, Merchant Acquiring Business Wibmo A PayU/Naspers FinTech Company Card Payment, Card Token, Digital Payment, Online Payments, Tokenization

Tech Bytes

Prediction, Prevention, and Detection of Fraud Attempts, the key to faster payment processing

Sujit Kumar Mahato / December 29, 2021

The global digital payment market size is expected to grow from USD 89.1 billion in 2021 to USD 180.4 billion by 2026. The promotion of digital payments worldwide and the increasing penetration of smartphones are major contributors. Besides, the pandemic has accelerated the adoption of contactless and wallet payments. India, too, saw exponential growth. Thanks to 1 Billion cards and more than 2 Billion prepaid payment instruments like wallets and other digital payment modes. But, cyberattacks are a major roadblock in the growth of digital payment solutions. These global attacks are the most critical challenges that the payment industry has been facing. New and evolving cyberattacks affect businesses by breaking into payment systems to get cardholders’ data. The evolving frauds include : a) Friendly fraud — Fraudsters make the purchase on a credit card, receive the product or service. Then demand a refund for a lost or short-shipped order, or file a chargeback through their credit card issuing bank. With the intention of receiving a full refund of the purchase amount. b) Affiliate fraud — Refers to any unscrupulous activity conducted to generate commissions from an affiliate marketing program. Newer types of affiliate fraud include using stolen data for lead generation or stolen credit cards to generate sales. c) Botnets- Submit large numbers of transactions to test the viability of stolen payment card credentials. d) Phishing — Fraudulent communications, through email, text, or call, that appear to come from a reputed source. e) Velocity attacks — Multiple monetary authorizations seeking to detect an active account and decipher CVV/Expiry Date values of a set of cards within a BIN range. f) Triangulation — Fraudster is the middleman between a customer and an unsuspecting merchant. The customer places the order through the fraudster (impersonating as a merchant). Then the fraudster uses stolen credit card information to buy those goods from a legitimate merchant. It is estimated that 9 million identities are stolen each year in the US alone, with a new victim of identity theft every two seconds. Since many people do not report identity theft, no true number of victims exists. According to the Central Statistics Office (CSO), by 2021, loss from cyberattacks would rise to US$ 6 trillion from US$ 3 trillion in 2015. The growing number of cyberattacks is a hindrance to the adoption of digital payment services. In a recent study by YouGov and ACI worldwide, consumers are increasingly concerned about digital payments fraud. As a result, exercise greater caution when using digital payments compared to a year ago. 71% of consumers are more concerned about scams and fraud because of Covid-19, compared to 47 percent of consumers last year at the onset of the pandemic. The study also indicates that banks continue to be the preferred first point of contact in event of fraud. Around 60% of respondents would first call their bank to block their account or visit the bank branch to file a written complaint. Though worldwide initiatives towards customer awareness are on the rise, the banks will need to continue to lead the way not only by increasing customer awareness but also by deploying modern and robust enterprise-level fraud management solutions. For a delightful customer experience, banks need to predict, prevent and detect fraud attempts even before the payment processing to pave way for frictionless digital transactions. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company Fraud, Fraud Detection, Fraud Prevention, Global Digital Payments, Online Payments

Industry Insights

What are Pre-Paid Cards and how do they work?

Nsele P. Bokuma / October 2, 2021

By referring to Prepaid Cards, we first need to agree on what do we understand by Prepaid Card, and how do we see it? Do we see it as a closed card program or an open card program? Many get confused in the definition of what exactly is a Prepaid card? A Prepaid Card can be defined as a secured card (a plastic) that enables users to process transactions in order to make purchases of goods and/or services. We can then say that we do have two types of Prepaid Cards: Closed Card Programs. Open Card Programs. A Closed Card Program is usually referred to as a closed-loop, mostly in the form of Gift Cards, used by many stores. On the other hand, an Open Card Program is usually referred to as a debit card, which is linked to a bank account. Both solutions could be referred to as Prepaid Card solutions; however, one does not require the need of having a bank account but for the other, having a bank account is a must. To some extent, some countries around the world are now initiating closed-loop programs, as a debit card, for domestic card transactions. For instance, a country may opt to have a closed-loop domestic card program that can only be utilized in the country, in form of a domestic prepaid card scheme. In today’s world, Financial Institutions (FI) are working hard to promoting Financial Inclusion by providing financial services and/or products to customers at a very affordable cost. However, despite, the efforts and times put together by Financial Institutions, the results for getting everyone inclusive into the Financial Ecosystem is still low. Therefore, FI is constantly improving their products/solutions in order to meet customers satisfaction by positioning solutions such as Prepaid Cards in order to make inclusion attractive. That is why, to meet customer’s satisfaction, Financial Institutions have opened up to the closed/open loop payment program to reach out to all markets and/or segments. These programs have been put in place to solving problems for Consumers, Retailers, Corporates, and Governments. The benefit of those cards is that consumers can make use of the solution to make a purchase, pay bills, transfer funds, and/or withdraw cash from an ATM, Merchant/Retailer stores, or an Agent (Agency Banking), in a very convenient and secure way. Prepaid Cards used by the bank (“the debit card”), can also be offered to customers who do not qualify for credit facilities. By these means, the bank is offering a product to customers which will enable them to transact by using their own funds. On the other hand, Retailers or Merchants are also offering similar solutions to customers in form of Gift Cards, for instance, as previously mentioned. Once a Prepaid Card has been offered to a customer, the Service Provider will immediately issue a card to the customer in order to enable the customer to start transacting from day one. Nevertheless, to make this mechanism fully functional: A plastic card will have to be issued to the customer. Customer will have to load own funds onto the cards. The card will have an Expiring Date, Card Number, and a PIN. Customers can now start transacting. Yet, for Prepaid Card such as Gift Cards, cards can only be used within a network of retailers, and most of the time, the card does not have a PIN number for acceptance of transactions. However, transactions are authorized on a signature basis. So, Prepaid cards could be considered as a fast-growing segment for Retail Banking and Merchant Services Industry despite entries of new innovative payment technologies. Author: Nsele P. Bokuma, Director-Sales, South Africa Wibmo A PayU/Naspers FinTech Company Card Payment, Digital Payment, Online Payments, Prepaid Card