Mobile Payments: Tackling Risks
Council Brings Banks, Merchants Together to Fight Fraud
The growth in mobile payment options is increasing global concerns about fraud, says Nicolas Vedrenne, managing director of European operations for the Merchant Risk Council, an international trade association.
"The future is not clear when it comes to security, fraud and payments [in e-commerce]," Vedrenne says in an interview with Information Security Media Group's Tracy Kitten [transcript below].
U.S. merchants face growing pressure to operate abroad, which inevitably raises new payments challenges, Vedrenne explains. "In the U.S., you have a lot of data to rely on. In Europe ... there's a lack of availability of data, and also it's a very payments-diverse environment."
One of the council's new initiatives is to educate international merchants about operating within a global infrastructure.
Merchants also need to improve their breach response preparation, Vedrenne says. "We want our merchants to be ready in case it happens," he says.
Better collaboration will help merchants, as well as card brands, processors and law enforcement, to better understand threats within the e-commerce environment, Vedrenne says.
During the interview, Vedrenne discusses:
- The role the Merchant Risk Council plays in helping merchants, card issuers and others mitigate payments fraud;
- How different global markets address e-commerce, mobile payments and traditional payments; and
- Why cross-border information sharing is increasingly critical.
Vedrenne began his career in France, the United Kingdom, Latin America and Spain with Société Générale, Sema Group and Monext, where he specialized in payment systems, fraud prevention, risk management and credit bureaus. In 1999, Vedrenne oversaw several Experian businesses in Latin America and Spain. Since 2010, he has overseen European operations for the Merchant Risk Council, a global, nonprofit, merchant-led organization focused on managing payments, preventing online fraud and promoting secure e-commerce.
Merchant Risk Council
TRACY KITTEN: Could you give us a little background about the council and the role you play?
NICOLAS VEDRENNE: I come from the banking sector. I used to work for Experian, where I was managing director of Spain and Latin America. I was looking for an interesting challenge in the retail industry, and the Merchant Risk Council really matched my expectations, because the retail sector is a very diverse sector. When it comes to risk, fraud and payments, it's quite diverse.
KITTEN: What about the council? How long has it been around?
VEDRENNE: It's been around for 12 years. It all started in Seattle in 2000, when Microsoft, Amazon and Expedia thought they needed an association to tackle payments and fraud issues. In fact, it focuses exclusively on e-commerce. It's a global organization, but we focus explicitly on payments and fraud. It's a merchant association and it's non-profit.
Enhancing Security Internationally
KITTEN: How are you working with merchants internationally to enhance security?
VEDRENNE: First, we want competitors to speak to each other because we think that payments and fraud are not a competitive issue. We would like an Adidas and a Nike, for example, to exchange, on a regular basis, information about that sector, and this is what we call our networking program.
The second pillar of our activity is education. We want to deliver education when it comes to fraud prevention and payments diversity. We also publish some benchmarking data with our trusted parties of the industry. Sometimes, when it comes to security, what you read in the press is not necessarily true. We gather the data in the industry from our members and publish them widely. Finally, we do a little bit of advocacy. We are not involved in any lobbying, but we bring together all the stakeholders of the industry.
KITTEN: What would you say are the greatest concerns the council now faces where merchant payment security is concerned?
VEDRENNE: The first thing is that there was a massive shift last year in security, because although it's true that the main challenges were observed in the U.S. at first, we observe that it's now moving to Europe. The reason is that you guys in the U.S. prosecute fraudsters and hackers much better than Europe. If you're a fraudster or a hacker, you would prefer to do all your activity in Europe now, because you know that you won't have the FBI or the U.S. Secret Service on your back. The first observation we have is this shift from the U.S. to Europe.
Also, with the implementation of EMV [Europay, MasterCard, Visa standard] as it happened in the U.K., it's more difficult to commit fraud on the POS [point-of-sale] side. People will move their specialty from committing fraud there with skimming of cards to online fraud. The concern now is, depending on what gets hacked, it's very difficult for any company in this world to resist an attack. We know that there are some bad guys out there looking for volume when it comes to the payments data. This is the major trend, shifting from a friendly fraud kind of activity to organized fraud. We know that 80 percent of the fraud committed in the market is actually coming from mafias, from organized fraud rings, and this is a major concern right now.
Bringing Together the Stakeholders
KITTEN: How is the council working with different entities that touch the payments space?
VEDRENNE: We need to bring together all the stakeholders of the industry so they get a better understanding of each other's activities. Traditionally, in other organizations - and I'm not going to name any - you have a lot of retailer associations focusing their activity on lobbying, or on talking about costs with all parties of the ecosystem, and that's not good for dialogue. What the Merchant Risk Council is doing is bringing all the people around the same table. We do have on our board some card issuers, banks, and we also have law enforcement involved in all of our committees, so they can witness the activity and the latest trends of the merchant sector. It's pretty much a friendly advocacy, and I've been in several meetings at conferences where all of those parties have said they must investigate more. They must use this as a laboratory to observe the latest trends. It's pretty much an investigation and solution-finding tool that we're offering.
KITTEN: How large is the council?
VEDRENNE: Out of the 500 top e-commerce players in the market, because we focus only on large companies, we have 350. It goes from the travel sector, with Expedia, Travelocity and Orbitz; to the physical sector, retailers like Walmart, for example; to the digital-content download sector, such as Spotify; and, finally, to the gaming sector. When gambling is authorized in Europe, we also need to incorporate that sector. And one would think that speaking with merchants from their own sector would solve a lot of problems, but, in fact, 85 percent of the issues we observe are cross-sector. That's very convenient for us, because when the airline companies speak with the gaming companies, they can swap a lot of expertise and experience, but they're not competitors, so they can really have an open conversation. This is what has benefited the industry most over the last year - the swapping of information.
Card Brands and Payments Processors
KITTEN: What role, if any, do the card brands play, as well as payments processors, on the council?
VEDRENNE: All of them are members of the MRC. Some of them can witness the conversation we have and then help merchants keep up with the development of a new product. It's not our intention to be very aggressive with card brands, but we have to drive them quite a lot. Because at the end of the day, when you have the top 350 players of the market reporting an issue, the card brands usually react. We're very satisfied that those card brands are using us as a laboratory by organizing focus groups with our key members for new product developments.
The second trend we observe is that traditionally there is no relationship between card issuers and the merchant. The merchant stays on with the acquiring side, and the [card] brands are the single point of contact between the issuers and the merchants. We're working to develop direct relationships, and there's a lot to learn.
Addressing Payments Security
KITTEN: How is the council working with card issuers to address payments security concerns?
VEDRENNE: On the issuer side, for example, a French issuer will always reject transactions coming from Romania; you can read in the press that Romanians are committing fraud. In fact, it's a wrong decision to reject those transactions, because while it's true that you have some Romanian mafias, they usually operate out of London or Barcelona. In Romania, you actually have a lot of very good consumers. The highest fraud rate we observe in e-commerce for physical goods in Europe is from France, not from Romania. This kind of dialogue allows us to correct the way the issuer would authorize, or not, a transaction.
... You read a lot about mobile payments; but there's something that did not happen yet, and that is consumer adoption of the technology. You will have a lot of options in the market, too many, I would say. If you take the U.K., for example, in 2012 you had something like 18 new companies dedicated to mobile payments that were launched. There's confusion both on the merchant side and the consumer side. What the merchants must consider is inviting all the players to first focus on security. We must embrace the most secure technology.
We're also observing what the big players will do, because, so far, Visa, MasterCard, Amazon and even Google haven't been completely serious about launching their [mobile] solutions massively. This will happen. But I do not foresee an environment where each consumer will deal with 30 or 50 mobile payments solutions. They will have one, two or three, at the maximum. The consumer in Europe has an average of three credit cards. I think it's seven in the U.S. This will be the same for mobile payments. Right now, it's a big issue for mobile payments: What will be the adopted technology in the future? And when I speak about adoption, I mean by the consumer.
KITTEN: Are you working with the Payment Card Industry Security Standards Council?
VEDRENNE: The PCI Council is speaking at our conference. We speak on a monthly basis. So yes, there's a big exchange of information. We also support a lot of their work. You can hear a lot of complaints about PCI being a pain, but it's really necessary. Of course, I cannot name any company, but a lot of data breaches are happening and those companies have not been PCI compliant. When it comes to big merchants, 100 percent are PCI compliant.
There's still a little bit of work to do for the third-party providers of those companies, but they're compliant. I think the issue in the future will be for smaller companies, where it's very hard to be PCI compliant. In that case, they have to choose providers that are PCI compliant. I would say we relay the message of the PCI Council and also we're very keen to investigate their activity, like they do right now with third-party supplier compliance, for example.
Global Security Initiatives
KITTEN: What would you say are the council's top global security initiatives for e-commerce in 2013?
VEDRENNE: The future is not clear when it comes to security, fraud and payments. We have three main focuses for the next year's commitments. First, because of the [economic] crisis, a lot of merchants are asking to go abroad very quickly and expand their business. I met yesterday a lot of the key players in the U.S. who do not have activity yet in Europe, and they're asking to expand to raise their sales. But this is not an easy task when it comes to payments and fraud. In the U.S., you have a lot of data to rely on. In Europe, that data is an issue. There's a lack of availability of data and also it's a very payments-diverse environment. Every country has their own national schemes, so the first pillar of our activities is trying to explain better what the specifics are when you have to move to cross-border activity.
The second thing is that we know that data breaches happen and it's difficult to prevent them. We want our merchants to be ready in case it happens, and to spot it and detect it in the next half hour after it happens in order to react and protect their consumers.
Finally, we do work more and more with law enforcement. They do have to deal with a lot of queries of investigation and so on; but sometimes they're under-resourced. The solution to that is for them to be able to do the link between all the fraud cases and to detect who the top-10 mafias are acting in the market. By helping them understand better the environment and providing them with some data for their investigations, I'm sure we can improve the environment we deal with.