The regulatory implications of payments and technology
As mobile payments and contactless card payments increase in popularity, the security of transaction technologies is thrust into sharp focus. According to UK Finance, nearly a third of adults are registered to use mobile payments – a figure that rises to more than 60% of Americans, according to separate research from YouGov.
This increased adoption places a burden of obligation and responsibility on payment service providers and processors. So, what should we be looking out for around the security of transaction technologies?
What regulatory implications currently exist?
As you would expect from a heavily regulated industry like finance and payments, there are certain regulatory minima that payments companies must follow.
“Payments have always been a trade-off between security, cost, and ease of use,” explains Andrew Neeson, Managing Editor and Research Director at regulatory intelligence firm VIXIO. “This trinity can often feel like a fine balancing act, with the exertion of one typically being at the expense of the other. For example, it is possible to add so many layers of security that a payment could be made virtually impenetrable to fraudsters. However, in doing so, it could also mean prohibitively high costs and a level of complexity that would frustrate users.
“Contactless is a great example of how this can work in practice. While it makes payments easier for both consumers and merchants, there is a trade-off in terms of a cost to security (no PIN authentication), which is balanced by maximum spend limits to minimise risks. This can be adjusted as risk becomes better understood or for public policy reasons, such as the increase in contactless limits during COVID-19 in many parts of the world. Regulators often deal with this trade-off.
“In terms of transactional security, one of the big pieces of regulatory intervention in the EU and UK was the introduction of Secure Customer Authentication. With some notable exemptions, banks require two forms of identification at checkout, in the form of something the user knows, something the user has and something the user is.
“When introduced, this was controversial – and it still is – resulting in a heated consultation. The big issue for some payment firms and merchants was they feared that the introduction of additional friction (security) would cause shoppers to abandon their baskets and loss of sales would outweigh any fraud prevention benefits. The regulator had a difficult job in trying to balance concerns, ensuring a level playing field as well as adequately protecting users from fraud. Acknowledging this challenge, the European Banking Authority’s chief recently noted that it was their job to make everyone equally unhappy with the rules and guidance that it oversees.”
Does contactless boom risk card security?
One of the most pressing security concerns emerging out of the pandemic is the prevalence of contactless payments. UK Finance’s figures show that nearly 70% of debit card transactions are now contactless, representing a multi-billion-dollar industry. Their popularity only increased during the pandemic, as wary consumers and business owners tried to reduce contact and observe social distancing as best they could.
Andrew Novoselsky, CPO at Sumsub, says: “Contactless payments have seen a significant rise in popularity, and we see new features being actively launched; for instance, Apple just announced Apple Pay Later, allowing users to split purchases from $50-1,000 in four payments. However, evolving so rapidly, the payments industry is not without its weak spots, and it is crucial to identify and address them to ensure the security and efficiency of the payment system.
“One significant weak spot is bank card fraud in contactless payments. Recent reports suggest that hackers are using stolen credit card data to conduct fraudulent transactions using Apple, Samsung, and Google Pay. This highlights a significant issue in the financial industry, as many businesses rely on mobile payments to accept transactions. The fraudulent purchases made contactlessly are challenging to detect, which makes it easier for fraudsters to get away with their criminal activities.
“To combat this, it is crucial for financial institutions to invest in robust security measures to prevent such frauds. One of the possible ways to tackle this rising type of payment fraud is transaction monitoring. Financial institutions must employ cutting-edge technology to monitor transactions to detect suspicious activities proactively. AI-powered transaction monitoring solutions are able to identify and prevent fraudulent transactions by immediately freezing accounts and reporting such activities to relevant authorities. Furthermore, it is essential to educate users about the dangers of storing sensitive data on mobile devices and educate them on best practices for safe mobile payment transactions.”
What will the future of payments regulation look like?
As new technologies come online, it is likely we will need greater regulatory safeguards to protect consumers against abuse or fraud. In 20 years’ time, it is entirely plausible that we will be paying for parking from inside our car, or ordering groceries through smart refrigerators. Who knows, maybe our smart doorbells will even use machine learning to let delivery drivers into our homes to put the delivery into our cupboards? As always, these technical opportunities present regulatory challenges.
VIXIO’s Andrew Neeson says that, although the channel may change, the underlying technology behind it will still be similar to the card payments we make today – though that is not always a good thing.
“The payments infrastructure designed for one channel does not necessarily translate well to others,” Neeson says, “and fraudsters are adept at switching targets as new opportunities open up. In the same way chip-and-PIN did not protect card users from online payment fraud, a shift in channel can open up new potential weak spots where existing protections (including regulatory requirements) are not adequate.
“Regulators are constantly battling with fast-changing technologies and consumer habits. In reality, regulators tend to be behind the curve on this and only tend to intervene when a particular market starts to mature and potential detriment can be identified.
“Buy-now-pay-later is probably a good example of this: in many countries, it sits outside of existing consumer credit regulations. As the market has matured, several countries have begun to bring it into regulatory scope.”