Great article in today’s MRC Journal Moving identity authentication earlier in customer flow/
Short Blog. Summary. US issuers are creeping into identity and eCom data as they seek to build a non-network auth. The only model which will work is where networks are the enablers of identity. From a payments perspective, there are only 2 options for owners of identity and authorization 1) V/MA or 2) Apple/Google.
I was fortunate to go to MRC-Vegas this year. Whereas M2020 is filled with Issuers/Fintechs/Investors MRC is filled with payment operators (merchants), and the companies supporting them (ie Visa/Cybersource, Stripe, Adyen, …).
As I related previously, 3DS 2.2 is not working well in Europe, with over 50% of eCommerce merchants seeking exceptions. While 3DS is a fine standard, the core problem is that Issuers are not investing resources to make the frictionless flow work (95% frictionless target). Given that Issuers own fraud loss in a 3DS/SCA flow, they would prefer to decline the transaction if there is uncertainty. This starts a negative cycle as 3DS volume decreases, fraud/device data flow to issuers decreases, further hampering their ability to risk score transactions. This results in either increase in step-up authentication (think OTP) and a reduction in conversion rates.. Or increased declines.
At the MRC, Stripe presented the successful results of direct issuer integration with Capital One (COF). COF is the top bank globally in terms of both data and tech execution, investing significant resources to create CNP risk models and isolate the 3DS device data which best informs authorization. COF is rumored to be productizing this effort in their own custom ACS server. JPM is rumored to be completing the same. Data flows outside the network are not a positive thing for V/MA.
Future of 3DS and DAF – Identity
V/MA are aware of 3DS shortcomings. I believe both networks and US issuers are INDEPENDENTLY reworking both 3DS and DAF to enable mobile identity as a replacement for device data. For example, a cryptogram exchange within a DAF.
Authorization is core to payment networks. While V/MA seek to minimize issuer effort, US Issuers seek to gain control of authorization (and capture ecom device fraud data) to operate independently of networks (ex new payment instrument).
Whether it is the networks operating within EMVCo Standards, or US Issuers operating independently, both are challenged to gain consensus of Apple and Google, as a cryptogram exchange would require their platforms (and SEs) to sign transactions not initiated on phones, and gain consumer permissions to do so. Of course, US Issuers would rather use their own mobile apps to do this, but these apps can’t gain access to the SE in the Apple world (only ApplePay/wallet).
PAZE – Device Data and Auth – Next 2 Yrs
I don’t anticipate any of this to change in the near term. A key challenge for US issuers in creating their own payment scheme (PAZE) is the ability to construct a value proposition. For the merchant there are 3 primary value levers
- Cost of payments
- Acceptance Rate
- Liability Shift
US issuers have no desire to provide a discount for PAZE (in fact they would like a premium.. ). Thus acceptance rate and liability shift are their only prospects. Either of these require fraud data with improved authorization. Merchants and their partners hold all the eCom fraud data because they are the entities that manage it. Thus the first phase of any PAZE value proposition has to be collecting enhanced CNP data (ex device data) as COF has done with Stripe above.
Assuming COF and JPM have done so, it would be logical for US issuers to place these innovations with other bank data assets in Early Warning.
The challenge remains the starting point. Few merchants will accept the PAZE wallet with no value proposition, no data on improved acceptance rates, and request for increased device data to flow into issuers. Particularly when US issuers are the group that has been the roadblock for 3DS implementation and liability shift.. Now they want to be friends?
As I related, a top 3 merchant said there was no way they would use issuer direct services, but rather authorization must come through the network. Why? “Visa and Mastercard are the devil I know, while they may be tilted toward the issuer they have contracts, rules, and standards that can be contractually enforced. If I deal with banks directly, I’m concerned my customers will become addicted to PAZE then banks will change both rules and fees to their benefit. Historically there are many examples”.
With a separate retailer relating an even more positive network view “While I may voice support for FedNow or alternate payment methods, [Retailer] wins with Visa and Mastercard. They are highly efficient and their network fees are justified.. Just don’t tell them I said that”.
The MRC article talks about moving identity upstream. This is a payments perspective, not a retailer’s perspective. While retailers incur payment costs of 1% of sales for payments, they spend 9%+ of revenue/GMV on marketing. Identity is the core of marketing (ie targeting and effectiveness – see Role of Identity in Retail).
Google certainly has the lead here, as Google’s Ads help Marketers target consumers across all Google properties and affiliates, and Google analytics tracks behavior and conversions. Internally, Google’s internal consumer identifier is known as the Gaia, and the advertising ID (mobile) is AdID. Similarly Apple has both an immutable ID and an Advertising ID (IDFA) in mobile both of which consumers manage (see impact of Apple’s privacy on Facebook).
Payments IDs are tough to move upstream beyond their payment use for 5 reasons:
- As deterministic IDs they are PII, and must have consumer permission to share across partners. Merchants are highly sensitive to bringing consumer device data to issuers (as discussed above), and issuers are likewise sensitive to providing deterministic data to retailers outside of the payment transaction.
- They are “owned” by one or more financial institutions, and hence face restrictions on use and mapping. While similar to #1 above, this is much more related to cost and efficacy beyond risk scoring for authorization.
- Advertising requires flow of information across a very broad ecosystem (ie 10,000+) of advertising intermediaries, each adding some value. LiveRamp is a leader here.
- Payment networks provide the only control structure, and governance for use of payment IDs.
- Banks have limited ability to bring value beyond payment because of their inability to influence upstream of payment event. Similarly they are restricted in how their deterministic identity can play in 3rd party marketing.
Thus my view that only Payment Networks or Google/Apple can manage identities through the funnel.
Super interesting post as always Tom. Do you have some examples of the ecom data merchants have that issuers do not that helps with CNP fraud detection?
Issuers also have lots of transaction history for accountholders, are they not able to use this for ecom fraud or is CNP fraud too different its not useful?
re eCom data. The most important rule to remember is that data does not flow without a value proposition under which it is shared. Merchants have 25 yrs of history in managing online fraud. Banks do not have the data, nor do most banks “care” about it. Banks take a “security guard” perspective to managing suspected fraud, requesting “step-up” our OOB/OTP auth. But the 3DS promise was that 95% of volume woudl be the frictionless flow. This required a NEW DATA SET to flow from merchant to issuer: Device Data (OS, OS version, browser, browser version, screen resolution, language setting, time zone, …etc) there are 100+ attributes. Merchants have always used this data to risk score, in addition to the ITEM being purchased (ie SKU). Issuers have never had this data… 3DS 2.2 provided the structure for device data to be exchanged AND THE ECONOMIC INCENTIVE in the form of liability shift and in UK a rate reduction prior to IFR.
50% of EU merhants seek exceptions to the process because banks have not invested to build the fraud models around device data that would allow them to perform the 95% frictionless flow. They just don’t care. Thus both approval rates are lower than if merchants managed the process AND conversions are lower because banks want to perform a step-up authentication (because their fraud models are inadequate).
Michael, you should really spend time with merchant fraud teams, its a very important side of payments to understand, and a key reason why cards will not be displaced. The economic infrastructure investment by all parties is substantial.
Thanks Tom. The merchant side is things is definitely a gap in my knowledge I am looking to close!