Many are trying to predict which card payment trends will be huge in 2019. One thing that everyone agrees on is that security will remain crucial. Briony Richter speaks to experts in the sector on how security can, and needs to, do better.
Benjamin Hosack, Chief Commercial Officer, Foregenix
Businesses will be more proactive in their cybersecurity strategies in the next 12 months. New legislation such as GDPR, and continuing high-profile hacks and their consequences – including resignations at board level – are starting to change minds.
Increasingly, the board – rather than just IT or operations departments – is realising that it has a responsibility to understand cybersecurity and ensure comprehensive procedures are followed. The trend is moving away from viewing issues such as compliance as a tick-box exercise and towards a procedural framework that improves security. After all, what is the point in just trying to get through a sign-off process if the breach happens and the results are costly?
Many businesses appreciate that it might be a matter of time before they experience a major incident, so a more proactive approach to cybersecurity is necessary. One result will be more investment in solutions that want to cut through the data, and see alerts that really matter so action can be taken quickly. We will also see a switch to managed detection and response (MDR) services. Continuing skills shortages will mean businesses that lose cybersecurity expertise will be left facing the challenge of operating security systems and determining the real threats within all the noise of day-to-day business-as-usual alerts. The solution could be greater use of specialist MDR services for many businesses. SMEs that are unable to afford or warrant a full-time cybersecurity professional will see MDR services as critical to monitoring assets and detecting threats early in the breach cycle – before data assets are stolen.
Old vulnerabilities will remain an issue. While cybercrime is constantly evolving, many criminals continue to exploit old and tested vulnerabilities. Research we conducted in October on over 170,000 Magento websites worldwide found that no region registered less than 78% of its sites being at less than high risk from hackers for the failure to update security patches – a very simple oversight. There is no reason to see this changing in 2019 until there is a shift in the effectiveness of vulnerability management governance.
Companies will start to focus on the broader enterprise, as opposed to just the sensitive data environment. There has been a shocking lack of investment and interest in the greater environment, and very often that less-protected environment is used as a beachhead to gain access to the sensitive areas. The growth in the Internet of Things and the media attention it will gain in relation to security will bring this issue to the fore. While many businesses are starting to move in the right direction regarding preparation and responses to cybercriminals, the threats constantly evolve. Boards need to take necessary steps to keep the risks as low as possible.
Ralf Gladis, CEO, Computop
In 2018 we have seen innovations – but perhaps not as many as we hoped for. The PSD2 directive kicked off in January, and while instant payments were a key part of this, they still had a tough start. Banks introduced Instant Payments only for online banking, but the European retail industry is still waiting on APIs for retail payments and two-factor authentication (2FA).
For the first time in the UK, debit card transactions overtook cash as the most popular form of payment. According to research, when it comes to cashless payments, both Canada and Sweden are ahead of the pack, but this change in the UK is a significant indicator of the general trend towards electronic payment solutions and away from cash.
So, it was no surprise that Google took another step at getting involved with the launch of Google Pay – formerly known as Android Pay and Pay with Google – or that Apple Pay announced its release in the largest EU market, Germany. NFC payments rule! Of course, this activity in the mobile payments sphere prompts interest in other areas, and this year we have seen European banks responding with proprietary apps to try and take their piece of NFC action.
However, at Computop, we have not seen many new and relevant payment methods emerging. Instead, our merchants are focusing on implementing the infrastructure that will allow omnichannel payments on an international scale. Good examples of this are international car-rental firm Sixt, which now has highly encrypted P2PE terminals in its locations in Europe and the US, and German fashion company s.Oliver, with click-and-collect and ship-from-store solutions and many other advanced services.
In 2019, 2FA will start with PSD2 retail technical standards stepping into power in September. Merchants should start to find ways now to convince customers to put them on the 2FA whitelists in order to avoid repeated authentication every time customers pay for an order.
Card payment trends in 2019: avoiding 2FA friction
One solution to avoid 2FA friction is SEPA direct debit in Germany, Austria and Switzerland. Given the friction involved with 2FA, we will see a huge take-up of biometrics by consumers, banks and merchants – not only for payments but also for all other use cases where biometrics can replace passwords.
The rise of NFC payments with biometric authentication is the beginning of the demise of POS terminals. As IoT gains momentum, NFC allows ‘things’ to be transactional and run payments. An NFC signal will be good enough to process payments with Google Pay, Apple Pay or other banking apps; POS terminals will no longer be needed. Sales for terminals will peak in three years and slowly decline afterwards.
However, payment is a serious subject and consumers do not jump on payment trends. Adoption will be slow, so we should not expect rapid changes, but we will gradually see payments becoming more and more invisible. We are entering the world of the ‘Silent Payment’ and NFC payments.
Russell Robinson, MD – Customer Communications Services, EMEA, FICO
2019 will be a challenging year for payments and compliance. With less than 12 months to go until EU banks implement their Strong Customer Authentication (SCA) solutions, project teams are facing tough decisions about the most important aspect of the business – customers making payments.
I meet many banks that are in the process of compiling their requirements and vendor selection, and know some of these final designs are either non-compliant or will create an unacceptable customer experience.
Some banks believe they can achieve SCA compliance by relying too heavily on sending one-time passcodes. While this will suit many consumers, based on consumer research across the EU (October 2018), 60% of consumers do not want a one-time passcode by SMS. In addition, 30% of consumers said in a recent survey that they would complain if they are unable to select their preferred channel to enable SCA — for example, not with an SMS.
The industry is making moves to prepare customers for SCA with requests for current contact details. However, we are seeing signs that prescriptive demands to enable future user access are not being well received. That is evident by the John Lewis article in the Guardian and comments from readers. It is well worth reading some of these comments, if you are in any way involved with SCA.
My prediction is that many banks are going to implement point solutions to achieve compliance, and the programme managers that executed this will move on. Due to these point solutions not meeting consumer acceptance, lack of up-to-date contact details, meeting regulations and many other issues, there will be a significant number of complaints, unacceptable fraud false-positive rates, and consumer payments not completed to a level we have not seen before.
If this happens, the people who inherit the SCA programmes of 2019 are going to have their work cut out unpicking this stuff and looking to replace them with a platform approach to SCA. They will need to enable SCA extensibility and rapid integration to new authentication use cases and channels as demands require or novel fraud attacks appear in the environment.
On a related point, many banks understand phone device profiling, and SIM-swap or call-forwarding solutions are essential. However, many are expecting that SIM-swap services offered by MNOs will have evolved before SCA implementation. I believe this will be true for some MNOs, but suspect alignment will not be in place across all UK MNOs in 2019. Therefore, banks need to plan better around how they secure the SMS channel, and deal with the higher false-positive ratio using traditional methods.
Roland Brandli, Product Manager – TLM Aurora, SmartStream
2018 has seen increases in activity both in the regions of digital payments and instant payments.
The further growth of alternative payment systems such as Apple Pay, Samsung Pay and Alipay has led to institutions looking for ways to enforce stricter control frameworks around these payments and card transactions in general. High volume, low value means organisations are turning to us to increase automation and transactional control over the entire lifecycle, from authorisation to settlement, identifying exceptions and following through on their correction as quickly as possible.
Simple point-to-point reconciliations are no longer enough; they introduce complication running across many departments and lead to delays in resolving customer issues. In order to meet the customer expectation of instant payment/instant resolution, a new approach has to be taken, requiring the monitoring of multiple, complex transaction lifecycles and presenting them in a simple way that users can find, track and resolve exceptions faster.
We see a very similar evolution taking place on the more traditional international payments with the introduction of SWIFT GPI. Here, by providing a unique tracker for payments, SWIFT has enhanced transparency, and customers are looking to manage their exceptions in a more automated and rapid manner.
For next year we see a similar focus, with the paradigm being: yesterday’s challenge was ‘end of day’; today’s challenge is ‘intraday’; tomorrow’s challenge is ‘instant’.
SEPA will be introducing mandatory ISO 20022 Investigation messages in November 2019. Many banks in Europe are looking also to launch SEPA instant payments and in many other countries across the globe we see similar payment initiatives being launched.
With the introduction of TLM Aurora, SmartStream has launched two brand new Solutions: Digital Payments Control and Payment Exception Control. Both Modules are designed to address the initiatives and issues that come with reconciling across the transaction lifecycle and automating the exception management process. Together with our new innovation labs, we will be looking to further improve these new solutions with the introduction of machine learning during the year.
Customer expectations are changing. With the fact that a payment can now be conducted within seconds or minutes – even cross-border – not only do they expect quick payments, they expect issues or exceptions to be resolved in similar timeframes. It is, therefore, important to provide the control framework and the exception management capabilities that allow customers to address these expectations and further improve their turnaround times.
Stan Swearingen, CEO, IDEX Biometrics
In 2014, mobile payments were hailed as the next revolution in payments by major payment providers such as American Express, MasterCard and Visa. However, this payment method has failed to meet its anticipated high expectations, with card prevailing as the firm favourite for UK consumers.
In fact, according to recent Idex research, 65% of respondents said they would not give up their debit card in favour of mobile payments, and a further 78% also admitted to feeling more secure using their debit card in comparison to mobile payments.
This is a trend that we believe will continue into 2019, as security remains a key factor driving consumer payment behaviour. To stay relevant, banks must focus on the clear consumer preference for cards and use it to focus innovation that directly meets the wider demand for greater emphasis on security, but also to comply with Strong Customer Authentication under the Second Payment Services Derivative (PSD2) regulators in order to combat fraud. This will mean everyday transactions – including contactless payments – will become subject to two-factor authentication to combat fraud.
We anticipate that biometric authentication for card payments is set to play a key role in the two-factor authentication process, and will help shift payment authentication methods away from what we know or can remember (PINs), to who we are and what we can physically prove, such as our fingerprints. In turn, this will remove the ability to easily share PINs or have them fraudulently stolen, and deliver greater security to combat fraud.
The desire to ditch the PIN is one that is shared by consumers too. From our recent research, a resounding 56% of those surveyed stated that they would be happy to use biometric methods of authentication to replace PINs, if banks could assure them that their fingerprint biometric data would be safe and not held in a central bank-controlled database. In fact, 52% would feel more confident if their fingerprint biometric data was stored on their payment card, rather than a bank’s central database.
The consumer demand for fingerprint methods of authentication is a reality, with two-thirds (66%) of UK consumers expecting their roll-out to authenticate in-store card transactions by 2019. We are preparing for what we believe is the true tipping point of biometric smart cards.
We predict that by 2019 biometric bank card adoption will go into many millions. When this becomes a reality, payment card adoption is likely to be the springboard to us accepting biometrics more broadly in other areas of our lives.