MRC 2011 Annual e-Commerce Payments and Risk Conference
Best practices for Risk Management in Mobile Payments
Elena Krasnoperova, Vice President of Analytics and Risk Management, Zong

Best Practices in Risk Management for Mobile Payments - MRC 2011


Elena Krasnoperova, VP Risk Management at Zong, presents Best Practices for Mobile Payments Risk Management at the 2011 Annual Merchant Risk Council conference in Las Vegas.


Agenda
1. What are mobile payments?
2. How do mobile payments work?
3. How do mobile payments differ from other types of CNP payments?
4. How can mobile payments make transactions more secure?
5. What are the special fraud management challenges of mobile payments?
6. What are the key regional differences in fraud management for mobile payments?
7. What are the best practices from leading Digital Goods merchants?


What are mobile payments?

Mobile payment = payment for goods or services with a mobile device such as a phone or a PDA

Mobile device may be used to do any/all of the steps:
• Initiate transaction (e.g., begin checkout)
• Authenticate transaction
• Settle transaction on the mobile phone bill


What are the main types of mobile payments?

Proximity payments
• Payment is made at the Point of Sale (POS) or in proximity to recipient
• Competes with cash or swiping a plastic debit or credit card
• Similar to a card-present transaction
• Often involves Near Field Communication (NFC)

Remote payments
• Payment is made remotely (e.g., via a web-enabled retailer)
• Competes with PayPal, credit, debit and prepaid cards
• Similar to a card-not-present transaction
• Often involves Premium SMS or direct carrier billing


Source: Adapted from Juniper Research report “Mobile payments for digital & physical goods”.


Examples of mobile payments

Digital goods and services
• Proximity payments: Tickets
• Remote payments: Online gaming; Music, video, publishing; SW downloads and services

Physical goods and services
• Proximity payments: All types of physical goods (similar to POS purchases)
• Remote payments: All types of physical goods (similar to e-commerce)

Cash and credits
• Proximity payments: Social payments (e.g., cost sharing for meals or gifts)
• Remote payments: Money transfers; Remittances (domestic); Remittances (international)


Source: Adapted from Juniper Research report “Mobile payments for digital & physical goods”.


Today we’ll focus on remote mobile payments for digital goods


Transaction initiation

1. User selects Mobile as the payment option

2. User selects the amount of credits to purchase


“Log in”

3. User enters Mobile phone number (pre-populated for previous users of Mobile payments)


Transaction validation

4. User receives and enters a PIN code


Transaction confirmation

5. User receives confirmation of purchase on the Mobile device and on the Web


Transaction settlement

[Figure labels: Phone number, User name, Account number]


Differences from other CNP payments

Mobile payments
• Account creation: None
• Transaction initiation: Enter phone number
• Transaction validation: Enter 1-time PIN code

Credit or debit card
• Account creation: Enter full cc info; Billing address; Username/password; Captcha
• Transaction initiation: Enter full cc info, or log in with username and password
• Transaction validation: None

PayPal (on the web)
• Account creation: Enter email/password; Captcha; Verify email; Add/verify cc or bank
• Transaction initiation: Log in with username and password
• Transaction validation: None

PayPal (on Mobile)
• Account creation: Download PayPal app, wait for install; Enter name, email, phone number, address; Add credit card; Add PIN; Receive and reply to verification SMS
• Transaction initiation: Log in with username and password or with mobile number and PIN
• Transaction validation: None

Mobile payments: much easier, especially for first-time users -> 5-10x higher transaction completion rate


Differences from other CNP payments

Mobile payments
• Transaction settlement: Mobile phone bill, or credit or debit card
• Timing of transaction confirmation: Instant
• Timing of funds availability: For carrier-billing: up to 90 days; for credit or debit card billing: 1 month

Credit or debit card
• Transaction settlement: Credit or debit card
• Timing of transaction confirmation: Instant
• Timing of funds availability: Varies from a few days to 1 month

PayPal (on the web)
• Transaction settlement: Credit or debit card, or bank account, or PayPal balance, or PayPal credit line
• Timing of transaction confirmation: Instant
• Timing of funds availability: Varies, often instant

PayPal (on Mobile)
• Transaction settlement: Credit or debit card, or bank account, or PayPal balance
• Timing of transaction confirmation: Instant
• Timing of funds availability: Varies, often instant

Carrier-billing model -> delayed funds availability


User/device authentication

Frictionless experience for the user, combined with:

Instant risk checks “behind the scenes”, including:
• Positive / Negative lists
• Credit availability (for prepaid phones)
• Type of phone plan (e.g., business vs personal)
• Primary vs. secondary account holder
• Purchase history
• Refund history
• Spending limit
• Velocity checks
• Geolocation match
• Device fingerprint


Transaction authentication

Every transaction is authenticated and opted-into by the user
• PIN code valid for one transaction only
• PIN code expires after a pre-determined amount of time
• Only 3 attempts to enter PIN are allowed to prevent guessing
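The three PIN rules above, as an added sketch that is not part of the original slides. The `PinStore` class, the 6-digit PIN length and the 300-second lifetime are assumptions made for the example; the slide only says the lifetime is "pre-determined".

```python
import hmac
import secrets

PIN_TTL_SECONDS = 300  # assumption: the slide only says "pre-determined"
MAX_ATTEMPTS = 3       # from the slide


class PinStore:
    """In-memory store of one pending PIN per transaction id (hypothetical design)."""

    def __init__(self):
        self._pending = {}  # txn_id -> [pin, issued_at, attempts_left]

    def issue(self, txn_id, now):
        pin = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
        self._pending[txn_id] = [pin, now, MAX_ATTEMPTS]
        return pin  # handed to the SMS gateway, never shown on the web page

    def verify(self, txn_id, candidate, now):
        entry = self._pending.get(txn_id)
        if entry is None:
            return "no_pending_pin"  # never issued, already used, or locked out
        pin, issued_at, attempts_left = entry
        if now - issued_at > PIN_TTL_SECONDS:
            del self._pending[txn_id]
            return "expired"
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(candidate.encode(), pin.encode()):
            del self._pending[txn_id]  # single use: a replay finds nothing
            return "accepted"
        if attempts_left == 1:
            del self._pending[txn_id]  # third miss: user must restart checkout
            return "locked"
        entry[2] = attempts_left - 1
        return "wrong_pin"
```

Because the PIN is keyed by transaction id and deleted on success, expiry or lockout, a PIN that was intercepted or guessed late cannot authorize a second purchase.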


Four unique challenges

1. Consumers expect instant transaction confirmation and delivery of goods
2. Consumers do not tolerate payment friction as purchases are discretionary
3. Most of the fraud is “friendly fraud”
4. Mobile operators control refund policies and processes


1. Instant delivery

Consumers expect instant transaction confirmation and delivery of goods
• Cannot put transaction on hold for hours to do manual agent reviews
• Cannot reverse transaction back on the mobile phone bill if transaction is fraudulent
• Once the digital goods are delivered, cannot take them back if transaction is fraudulent


2. Low tolerance for friction

Consumers do not tolerate payment friction as purchases are discretionary
• Micropayments for digital goods are highly discretionary, impulse-driven purchases
• “No friction” is the core promise of mobile payments, and the main driver of adoption
• Consumers have very little tolerance for any additional payment friction (e.g., 2FA)


3. Friendly fraud

Most of the fraud is “friendly fraud”
• “Friendly fraud” is more difficult to predict than “professional fraud”, as transaction patterns are similar to those of non-fraudulent purchases
• Tools that work for “professional fraud” (e.g., device fingerprinting or IP geolocation) are less effective for “friendly fraud”
• “Friendly fraud” is more difficult to contest with mobile operators


4. Refund policies and processes

Mobile operators control refund policies and processes
• Mobile operators can’t resolve “goods not received” complaints and grant refunds instead
• Some mobile operators have a “no questions asked” refund policy and thus high refund rates
• Most operators do not allow payment processors an opportunity to contest refund requests
• Some operators do not give payment processors visibility into transaction- or user-level refunds


Consequences

Effective risk management in mobile payments has to be:
– Instant / real-time (vs. delayed)
– “Behind the scenes” (vs. user-initiated)
– Effective for “friendly fraud” (vs. for professional fraud)
– Proactive (vs. reactive once refund occurs)
– Based on millions of mobile payment txns


Best practices for risk management

Many data elements are combined…
• Consumer transaction history
• Phone area code
• Geo-location match
• Refund history
• Recent txn velocity
• Consumer time on file
• IP address
• Merchant industry
• Purchase amount
• Time stamp
• Carrier
• Product type
• Country
• Device fingerprint

…to assess risk and rewards…
• Transaction risk level
• Consumer risk level
• Consumer lifetime value

…and to take action
• Block transaction
• Bar user
• Review transaction
• Warn merchant
• Monitor consumer
• Reverse transaction
• Allow transaction
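An added sketch, not from the original slides, of how a few of these data elements (negative list, spending limit, velocity, geo-location match, refund history, time on file) can be combined into a consumer risk level and a transaction risk level and mapped to an instant action. The `Consumer` record, the `decide` function and every weight, threshold and limit are constructed for illustration; consumer lifetime value and the merchant-facing actions are not modelled.

```python
from dataclasses import dataclass, field

# Every threshold and weight here is constructed for illustration.
VELOCITY_WINDOW_S = 3600
MAX_TXNS_PER_WINDOW = 5
MONTHLY_LIMIT_CENTS = {"US": 2500, "FR": 6000}  # stand-in operator spending caps


@dataclass
class Consumer:
    phone: str
    country: str
    days_on_file: int
    purchases: int
    refunds: int
    spent_this_month_cents: int
    recent_txn_times: list = field(default_factory=list)


def consumer_risk(c):
    """0-100 score from refund history and time on file (friendly-fraud signals)."""
    refund_points = 200 * c.refunds // c.purchases if c.purchases else 0
    new_account_points = 30 if c.days_on_file < 7 else 0
    return min(100, refund_points + new_account_points)


def transaction_risk(c, now, ip_country):
    """0-100 score from velocity and geolocation match (professional-fraud signals)."""
    recent = [t for t in c.recent_txn_times if now - t < VELOCITY_WINDOW_S]
    points = 50 if len(recent) >= MAX_TXNS_PER_WINDOW else 0
    if ip_country != c.country:
        points += 30
    return points


def decide(c, amount_cents, now, ip_country, negative_list):
    """Return one action name, computed instantly and without user interaction."""
    if c.phone in negative_list:
        return "block_transaction"
    if c.spent_this_month_cents + amount_cents > MONTHLY_LIMIT_CENTS[c.country]:
        return "block_transaction"  # per-country cap: same spend may pass elsewhere
    c_risk = consumer_risk(c)
    t_risk = transaction_risk(c, now, ip_country)
    if c_risk >= 80:
        return "bar_user"
    if t_risk >= 80:
        return "block_transaction"
    if max(c_risk, t_risk) >= 40:
        return "monitor_consumer"
    return "allow_transaction"
```

A consumer with a heavy refund history is barred even when velocity and geolocation look clean, which is the friendly-fraud case where transaction-level signals alone stay silent.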


Regional differences

1. European and Asian consumers are much more used to Mobile payments than US consumers
2. Refund rates are lower in Europe and Asia than in the US because of differences in Mobile Operator refund policies and consumer habits
3. Operator-mandated spending limits are often much higher in Europe and Asia than in the US
4. Some European countries have very strict regulations affecting Mobile Payments, particularly as they relate to minors (<18 years old)


EU regulations: Example

By law, Spain prohibits processing of premium SMS (i.e., mobile payment) transactions targeting minors (<18 years old) between 11 pm and 8 am CET

Source: Comisión de Supervisión de los Servicios de Tarificación Adicional: Código de Conducta.


Consequences

Risk management policies and tools must be tuned for country/MNO differences
– Must abide by operator-mandated spending limits, consumer notifications, and other rules
– Given differences in refund rates, risk-reward tradeoffs differ by country/operator
– Consumer usage patterns and fraud patterns differ dramatically by country – what’s normal in FR differs from what’s normal in the US


Merchant best practices

1. Be clear about your refund policies
2. Provide end-users with ability to contact you and resolve problems
3. Know thy user (what’s normal vs. not)
4. Share risk-related data with your payment provider (e.g., TOF, unique account identifier, device fingerprints, negative lists)
5. Take prompt action on fraudsters (restrict their accounts, reclaim unused goods)


Questions?

Elena Krasnoperova
VP, Analytics and Risk Management
408-219-0208