The growth of in-app and social media payments may please consumers, but merchants are worried that these new forms of card-not-present payments will expose them to more fraud liability.
As it is, in-app payments and those made through social networks operate like e-commerce sales, despite the security tools built into smartphones making them more like card-present transactions.
This is particularly troubling for merchants and security vendors that see more commerce taking place in platforms such as Facebook Messenger, which works with Uber and Ticketmaster to enable purchasing from within chats. This scenario highlights another element of the growing in-app trend — for a ticket sale made this way, is Facebook or Ticketmaster responsible for chargebacks?
"Any question about the uncertainty of who the merchant of record is for social media payments is spot on, given that merchants bear anywhere from 70% to 100% of card-not-present fraud losses in the U.S.," said Liz Garner, vice president of the Merchant Advisory Group.
Despite ongoing investments from merchants to make online payments more secure, the amount and share of merchant card-not-present losses are poised to grow as more transactions are classified as CNP through mobile payments, Garner said.
"Given the fraud loss dynamics dictated by Visa and MasterCard, merchants have tremendous incentives to protect CNP transactions, and many have invested heavily in app security," Garner added. "In-app transactions that are owned and managed by merchants are highly secure and efficient."
Determining how to categorize a transaction initiated through a mobile device becomes more complex when Apple Pay transactions in a store are considered "cardholder present" at lower interchange fees, yet Apple Pay in-app transactions are categorized as card not present, said Jose Diaz, director of payment strategy for Thales e-Security.
"We all recognize that CNP is the next frontier, but it is partly being addressed with apps being available on mobile phones," Diaz said. "If I use Apple Pay in-app, it is using the same biometrics and payment tokens, so why is it not cardholder present?"
The quick-service restaurant industry provides a prime example of the ramifications of mobile payment advancements, given the recent trend of allowing patrons to pre-order food from the store's mobile app.
That industry often uses a franchisee model, which used to be simple: The franchisee generally worked through its own acquirer for payment acceptance and handled all chargebacks. Now it has become a gray area involving the franchisor's mobile payment app. The corporation is the merchant of record for in-app sales, accepting all of the fraud liability, while the franchisee or operator of a specific store handles the risk for in-store transactions.
Things don't become any less complicated when a business extends its customer engagement into social media platforms with niche apps that can lure sales with easy payment options.
"We will continue to see a growing trend of social media sites or those using payment apps or buttons, as the providers want to keep the customer engaged on those sites," said Peter Galvin, vice president of strategy and marketing for Thales e-Security.
"They are looking for ways to monetize that customer and be the face of that portal to purchase products."
But to do that, consumers and merchants have to be sure that the proper security layers are in place to protect personal information and card data, Galvin added.
As Facebook Messenger advances its technology and interaction capabilities, such as using bots, it is more likely to create new payment avenues.
It's becoming obvious that in-app payments, particularly arrangements like the one between Facebook and Ticketmaster, raise "some very murky questions," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
There are different scenarios with payments via Facebook Messenger in which Facebook operates as lead generator and engagement platform, and others in which the transaction takes place within Messenger, making Facebook the merchant of record, Conroy said.
A company like Ticketmaster would still benefit from its existing fraud prevention methods, but not every merchant has the luxury of requiring the customer to log in to retrieve goods, she said.
"Unless Facebook is the merchant of record and bearing the risk, the merchant will need to have some pretty strong assurances about Facebook's fraud prevention capabilities," Conroy said.
Consumers are already drawn to social media and are likely to want to make purchases within the apps they already use, Thales' Diaz said.
"The big question has to be whether the card data is secure," Diaz added. A service like Facebook Messenger may indicate it has several layers of security, but it is rarely specific as to what that means, Diaz said.
Apple Pay and others have incorporated biometric authorization and the use of payment tokens as part of their security systems, but not all in-app payment methods use this technology, Diaz added.
"If they used tokenization, I am sure they would talk about it," he said.
However, mobile devices introduce the opportunity for multi-factor authentication by incorporating biometrics, passwords and device fingerprints. Multi-factor authentication is becoming a requirement in many facets of Payment Card Industry security standard compliance.
"The flexibility of options that a mobile device offers makes it simpler and if you are making a lot of purchases online, it is a method of validating that it is you," Diaz said.