There is no doubt there are big risks posed to consumers and merchants at ‘point of payment’. Simple errors of judgement can lead to real drama. Lost money, stolen identities, and confidence shattered. So, here's one suggestion to tackle the issue...

A tale of risk at point of payment

An article recently published by Yahoo says: “Fraud offences have risen by 24% during the pandemic, according to the Home Office…[three new] charters will see banks, accountancy firms and telecommunications businesses commit to working with the Government to stem the tide.

Plans include a pilot scheme to bring in point of sale bank authorisations for mobile phone contracts; a cross sector plan to protect customers who fall prey to a data breach; and a crackdown on fake text messages that appear to be from legitimate companies.”

There is no doubt there are big fraud risks posed at ‘point of payment’. Simple errors of judgement can lead to real drama for consumers. Money lost, identities stolen, and confidence shattered. 

The story also doesn’t play out well for the banks who lose money because of fraud each day. Or for merchants who can be hit with non-compliance charges.

So, what’s the story and how can things be changed to deliver a happier ending?

Dramatis Personae

There are several key players when it comes to controlling fraud at the point of payment. Here is a cast list, and this is how they will be referred to in the article:

  • People/individuals: Consumers
  • Banks/card providers: The financial institutions
  • Shopkeepers/online retailers: Merchants

Setting the scene

Consumers are issued with payment cards by their bank. Each card has a Visa or MasterCard symbol on it (other brands are available) and the consumer is a customer of the bank. The consumer has their card and can use it online and offline to pay for goods and services quickly and easily.

Between them, the financial institutions (i.e., the bank and Visa/MasterCard etc.) have performed due diligence on the consumer – they now trust them. And they are going to try to protect the consumer from the risk of fraud or identity theft. These financial institutions are also going to decide whether to release the consumer’s money to a merchant as part of a transaction, but they have mechanisms for that in place.

The merchants want to sell consumers their goods and services, and they want to take receipt of the money in the easiest way possible. So, they let consumers pay with bank cards.

Nice and simple so far. It’s all pretty seamless and the money moves around digitally. Everyone is happy.

Different payment types

There are essentially two types of card payment that happen:

  • Customer not present, which means the consumer is not physically with the merchant
  • Customer present, which means the consumer is physically with the merchant

With Customer present payments, the consumer can tap their card, use their watch, pay through their phone etc. They can also put their card in a machine and use a secure PIN to validate payment. 

Being with the card and paying in person is much more secure than taking a Customer not present payment. The reason for this is fairly obvious. The consumer with the merchant can authenticate their transaction in some way e.g., with a PIN or thumbprint on a device.

Getting the card details to the merchant in a Customer not present transaction is where the greatest risk lies. 

  • The consumer is giving the merchant their card details, which could be stored and/or recorded for future illegal use.
  • The merchant has to look after the consumers’ data or risk a fine. 
  • And the financial institutions have to trust no one is doing anything in the transaction that they shouldn’t!

Act 1 – phone payment

There is a particularly common and surprisingly prevalent risk at point of payment and that comes with transactions conducted over the phone. 

Consumers will frequently read their card details out over the phone when asked to do so by a merchant. The merchant is receiving those card details and retyping them into a payment device to send a request to the bank to release the funds. 

Before this phone transaction, the consumer was the only person – other than the financial institution bound to protect them – who knew their card details. After the transaction, the card details have in essence been released to a stranger. 

The consumer has to hope that the merchant is trustworthy. They have swapped security for convenience in order to get the goods and services they wanted from the merchant as quickly and easily as possible.

Despite the consumer having been through a rigorous and detailed KYC process with their bank, they have now released their card details to a merchant that isn’t known to the bank and who could commit a fraud. (Let’s not even delve into the possibility of bad actors having overheard the card details being read on the train/in the office/walking down the street.)

Just the simple difference between one party knowing the card details and multiple parties knowing them creates risk.

Supporting cast

Consumers are frequently told by financial institutions via apps, social media, TV ads and so on not to give their card details to anyone. All consumers know the line that goes - “We will never ask you to read out your card details over the phone”. 

However, when it comes to ordering a Friday night curry, consumers can often throw good sense out of the window. It's all too easy to give their entire set of card details over the phone, including name, long card number, expiry date and security code on the back. 

Much has been done to make web browsers more secure for eCommerce, but the point of payment via phone is still a big issue. 

A happy ending?

When it comes to making digital payments, data has to be submitted. There are no two ways about it. The consumer can’t make a payment to the merchant without providing card data in some way. 

The best solution is for merchants to be in a position where their business doesn't have to actually "take" the card information from the consumer. Effectively it becomes much more like a Customer present transaction (only virtually speaking). The consumer goes into a separate system - or platform - and authenticates their details online.

If the merchant doesn't have any customer data, they don’t have to protect it. They can’t be accused of losing it or stealing it either. And if the merchant doesn’t have to ask for the information, the consumer doesn’t have to compromise their position by reading it out over the phone. 

There is technology that enables consumers to be diverted or transferred onto a secure platform to input their card details when phone payment is required. They don’t then have to read the information aloud and the merchant doesn’t have to store or process it. Companies such as Paytia, for example, provide safe, simple ways to take phone payments and remove risk.

There is, of course, still the risk consumers will be contacted by bad actors and tricked into inputting their card details into a system or platform. And while education and communication (and now three new charters) are designed to tackle these issues, for consumers, financial institutions and merchants, fraud continues to be a drama.
