Identity Verification

Identity theft and fraud are a big deal – everyone knows it. And most companies are super aware, and are even offering identity services as well. Five years ago, it was enough to know who a customer was online. Today, though, visit any industry trade show and the halls are packed with identity verification products. It seems every company wants to get in on the action.

Why now? The public has become very aware of security incidents that have compromised their data and that of others, and it’s making them ask the tough questions: What does identity mean to them? Who are they, who has their documents and data and how are those things being stored and secured?

The industry has responded by spawning countless solutions, and there is eventually going to have to be regulation covering all these different products. Moreover, there must be some sort of gold standard for identity truth and how to confirm it.

Jumio vice president of products Philipp Pointner is among those experts.

Can I See Some ID?

Perhaps counterintuitively, the key to the future may lie in the past, Pointner said. Customers are comfortable being asked to present their government-issued IDs in brick-and-mortar settings. Why not have them do the same with online businesses?

Jumio, the software company that Pointner is president of, can recognize various types of ID from 250 different countries, Pointner explained, including multiple generations of IDs from all 50 U.S. states. The company knows exactly what these government-issued identity documents should look like, from security characteristics to items encoded in the document to how the photo should be held in place (to prevent fake IDs being used).

Where Device Verification Falls Short

Device fingerprinting determines whether the device making a transaction is the same one that the user was on when he created the account, but it cannot account for a device that has been stolen or for fraudsters who are able to make remote web traffic appear to come from a local point of origin.

Similarly, location services can be used to show whether a purchase is being made from within a reasonable radius of the customer’s usual activity, but it runs into the same roadblock if fraudsters are spoofing IP addresses.

Biometrics have made huge leaps forward in recent years, Pointner noted, and they can confirm that a certain human characteristic — such as a fingerprint, eye print, voice print or other identifiers — is present, thus verifying that the same person is conducting the activity.

However, he argues that biometrics fall short at the point of origin: Who is enrolling the fingerprint? Is this person who he or she is claiming to be? Whether it’s the same fingerprint this time and next time becomes irrelevant if the person who enrolled it in the first place is a fraudster. In that case, Pointner said, a real-world identity check does offer some advantage because a merchant or bank teller can hold up a photo ID next to a customer’s face and compare the two.

“The photo is what ties it to the real-world person,” Pointner said. “Jumio does the same thing online, making it a ‘person-present’ transaction.”

From Plastic to Digital Identity

The big question is whether customers would willingly use a method like this, especially since security researchers have cast doubt on the integrity of Apple’s new Face ID authentication method by fooling it with masks. Pointner still thinks the answer is yes — if not today, then tomorrow.

People have grown used to recording videos of themselves, he said, especially younger generations that are taking a hundred selfies a day. Why not leverage what they’re already doing on Snapchat, Instagram, Facebook and elsewhere to keep their data safer?

Pointner believes physical ID cards will one day give way to digital IDs. Many governments are already experimenting with this approach, he explained, and others are using distributed ledger and blockchain technology to create identity systems, an application that makes sense if innovators can make it work.

As digital natives grow up, it seems likely these methods will also make a lot of sense to them — certainly more sense than the paper, plastic and static identifiers that their parents once used.

But, don’t trash that nice leather wallet just yet.

“Digital identities are definitely going to come,” Pointner said, “but the plastic will stay in our wallets for a while longer.”

The Change in Chargebacks

The biggest buzzword in business and credit processing for years has been Chargebacks. The Nilson Report estimates chargebacks costing merchants $31 billion by the year 2020. This is huge for big business and crippling for small merchants. Corporate monsters have cushion in their profit to absorb the impact of fraud, but for a small business a few chargebacks can mean the no more ballet lessons or family vacations.

Visa is attempting to simplify dispute resolution by identifying chargebacks quicker and streamlining the process. Under terms of the Visa Claims Resolution (VCR) rule change, which will take effect in April 2018, there’s a boost to automated processes, with Visa using data in real time through its already extant Visa Resolve Online (VROL) to determine liability through automated checks.

As a merchant, though, a few challenges could emerge. There are dozens of chargeback codes right now that are about to be eliminated – forcing something as simple as a customer not recognizing the merchant’s code to be coded as fraud. The part of the process that is going to change (which could potentially impact merchants most urgently) is the specificity or reasons for the disputes.

One is “do not recognize” (known as a Code 75) – a chargeback code that is being removed, at least in its present incarnation, as a reason for dispute rather than a claim of outright fraud. Fergerson said that the unintended consequence of that move is that consumers who truly don’t recognize a charge will have no choice but to mark the nature of their dispute as fraud. Thus, the standard 22-character descriptor, where there is simply not enough information to jog the customer’s memory of a legitimate purchase, may lead to knotty problems for merchants down the road. Some issuers may choose to keep the “do not recognize” choice live, but will do their own forensics on transactions behind the scenes.

Of course, there are positives in store, said Fergerson. Cardholders will get their disputes answered more quickly, merchants will get data faster and the process will be significantly streamlined. For merchants, the re-presentment process is streamlined too, but in a different way: Now, they will get only one shot to offer up the data that proves a transaction was legitimate. As all claims will be handled through Visa’s new process, merchants have 30 days to respond to a Visa chargeback, compared to the previous 45-day timeframe.

Under the revamped rules, disputes will pass through automated workflow, which checks whether the dispute is centered on 3D-secure authorized transactions, whether the holder disputed the purchase after the allotted timeframe or if a refund has already taken place. Liability is automatically assigned to the merchant, which leaves some firms in a tough spot when, for example, someone’s kid is charging items on their parents’ Amazon account, unbeknownst to them.

Visa’s process seeks to eliminate invalid chargebacks right off the bat – for example, by denying chargeback requests from customers that are past the stated time limits. With fewer disputes in the pipeline (and those that are in the pipeline vetted as legitimate disputes), efficiency should improve. This is good for merchants as consumers have less time to forget what they purchased. When it is a more recent transaction, consumers are more likely to remember what happened and less likely to dispute.

In the case of disputes that do go forward, data is of the essence. To that end, several innovations are being worked on with issuers to implement, including one that allows issuers to look up descriptors and get a copy of the transaction receipt so they can explain to the cardholder what they purchased. Fergerson said the focus is to craft solutions that give issuers and cardholders the information they need so they can better sort out what’s on their statements – and dispute only the charges that truly aren’t theirs.

Looking ahead to this time next year, Fergerson predicted that there will be some early adopters in 2018 who will start to show the full consumer receipt in online statements or on mobile applications, which will drive change. If people can identify what they actually purchased, this will help to identify what they bought and what they didn’t.

American Express Eliminates Signature Requirement

American Express announced that it was dropping signature requirements for American Express-accepting merchants worldwide starting in April 2018.

The move, American Express says, will provide a simplified checkout experience for merchants and card holders everywhere.

“The payments landscape has evolved to the point where we can now eliminate this pain point for our merchants,” said Jaromir Divilek, Executive Vice President, Global Network Business, American Express. “Our fraud capabilities have advanced so that signatures are no longer necessary to fight fraud. In addition, the majority of American Express transactions today already do not require a signature at the point of sale as a result of previous policy changes we made to help our merchants.”

This move away from signature requirement is in conjunction with other card networks who are making similar announcements. Last week, ETA member Discover Global Network also announced it was dropping signature requirements for merchants in the U.S., Canada, Mexico and the Caribbean. In October, Mastercard announced that the signature requirement was going away starting April 2018 for merchants in Canada and the U.S. American Express is the first card network to eliminate the requirement globally, the firm said in its release.