As payments providers shore up their security, using tokenization on top of biometrics on top of encryption, will there be a need for merchants to manage fraud on a per-transaction basis?
If not, then companies like Riskified will need to adapt.
"Payment technologies like Bitcoin and Apple Pay, they are very secure," said Eido Gal, co-founder and CEO of Riskified, an Israeli machine-learning fraud detection software provider. "These unique offerings will continue to gain traction."
The card networks envision Apple Pay as a catalyst for their own tokenization efforts, and have vowed to apply the same security to other emerging payment systems, such as the MasterPass digital wallet. Biometric authentication is getting a boost both from Apple's TouchID and the new FIDO Alliance standards. And the point of sale is enabling more secure payments through the addition of EMV-chip card readers.
But even given all that is happening in online, mobile and in-store payments, the financial services industry is still very much in the early stages of improving its security, warned Julie Conroy, a senior analyst at Aite Group.
Because there is so much data floating around already, "even if tokenization were to become ubiquitous tomorrow, you still have account takeover risk," Conroy said. "There are so many vectors bad guys can come at you from."
And financial and payments data is a huge business for fraudsters; they're not just going to walk away from it, she said.
One way that third-party fraud management vendors can eliminate the need for merchants to do per-transaction risk assessments is to take over the process and provide a guarantee, Conroy said. Riskified, Klarna and Trustwave offer guarantees for their services, typically on the condition that clients turn over some degree of control over their risk management process to the vendor.
Machine-learning fraud detection software analyzes activity in real-time and makes decisions based on a number of factors, including device fingerprinting, behavioral analytics and biometrics. Machine-learning has become a popular way to analyze transactions, but some merchants still want the control a rules-based fraud system elicits.
Industry experts worry about smaller merchants in the U.S. that have less advanced security systems, particularly as the country migrates to EMV.
But ironically, Gal said, "The enterprise guys have the most outdated technology currently probably because of the time it takes to deploy."
With the huge advancements in security technology in recent years, it's easier for small- to medium-sized businesses to adopt these systems, he said.
Most of Riskified's 2,000 merchant clients are based in the U.S., including Burton Snowboards, Leica Camera and giftcards.com.
Historically, fraud detection providers would calculate a risk score for transactions and allow the merchant to make its own decision about whether to approve or deny the sale. The idea that merchants shouldn't make their own risk decision is a recurring theme among third-party fraud management platforms today.
"Because the merchant isn't an expert, they'd usually take a more conservative approach and throw a few legit transactions under the bus," said Liron Damri, chief operating officer at Forter, another Israeli fraud prevention platform.
Merchants today look at risk as part of a more holistic view of the company's operations, said Gal.
"Once there was someone in charge of marketing, someone in charge of payments, someone for risk and someone for fulfillment and companies didn't look at the picture together," he said. "But to understand bottlenecks you need to look at them together."
For example, when a merchant wants to start selling to Brazil, the marketing department might spend several thousand dollars to introduce localized campaigns and the gateway team could spend time and money to offer Brazilians their preferred payment method. But then the risk manager would deny many transactions originating from Brazil because of their risk profile.
It wouldn't make sense to spend resources marketing and establishing partnerships if the risk team was then going to prohibit those transactions, Gal said. When these groups work together, the company is able to decrease risk but also increase sales, he said.
"Electronic payments are evolving in ways that blur the line between transaction methods at brick-and-mortar retailers and those with online merchants," said a security report and roadmap released Dec. 11 by the Payments Security Taskforce, a group that includes the top four card networks, large merchant services businesses and several leading merchants. "It is imperative that security innovation keeps pace with the continuously evolving convergence of consumer buying experiences."
Another way to improve security is through the use of the technology underlying digital currencies such as Bitcoin. Because there isn't a chargeback mechanism built into the Bitcoin protocol, many digital-currency enthusiasts characterize it as being merchant-friendly. However, this quality makes the system more risky for consumers, Gal said.
And Bitcoin is far from mainstream.
"The future of payments is always going to be what the consumer wants to use," Gal said. The reason merchants accept credit cards is not because they love those financial instruments, "but consumers are voting with their pockets."