PayWave and Online Fraud
There are news reported regarding the possibility leakage of card holder information that suffices for online purchase. What is going to happen?
One of the possibility is the credit card holder doesn't know. Card Holder takes the lost, but this case really nothing much to talk about.
The next is, The credit card holder identifies this fraudulent transaction. He calls the card centre (issuer) for dispute with reason unauthorised purchase. Eventually, card holder and card issuer will win the case. That is, credit card holder and issuer doesn’t have to bear the lost, either acquirer or the merchant has to bear the lost. In most T&C, the liability will be borne by the merchant.
Please note that this is an online purchase, most merchants would ship their product within days, while the dispute would happens about 30-60 days - after the credit card holder received the statement. This will eventually result in a double lost. The merchant loses the dispute which means they couldn't receive the money, and they have shipped the product.
This is significant. Consider a merchant selling cameras makes $100 for each $1000 camera sales. A fraudulent transaction would effectively cause him $2000. He needs 20 more deals to balance that, and the problem is...
The good camera seller did nothing wrong.
That drives the good merchant to find a solution to fix this. In short, there are two theories of the solution.
The first is - put more gates to ensure every transaction is good. User registrations, verification, one time PIN, password and 3DS are part of this. Since the users have passed so many difficult gates, the issuer will now take the lost. Merchant is happy.
The second is - Merchant or Acquirer using other ways to identify a fraudulent transaction.
It downs to very complicated topics that could be covered in the future.
In layman'a term, you are using an email service which is really secure. It protects you by asking you a new strong password every 30 days with a history record of 12. It means you need to have 12 difficult passwords in 1 year. When you read an email, you have to type in an one time password sent over SMS.
That's the first theory.
The second is, the email provider identities you are using the same email client and platform, then I don’t have to ask for the password anymore.
That's like a customer always in same shirt at a pub sitting at the same table drinking the same beer talking to the same face but the bar tender doesn't know who is he but knows he is he. That guy can't be bad.
That's the second theory.
I am a big fan of the second, because online payment fraud is still very low in terms of transaction number percentage. With the right tech, it enables business with a lower barrier.
Let me re-cap in Cantonese
最近好多人話會比人隔空偷 PayWave Card 資料之後再上網買野,問題係現實既情況會點?
當然其中一個情況係個咭主係懵既,比人偷左野都唔知。
不過今時今日既人咁醒,好明天會係月結單到睇到呢一單唔係佢做既詐騙交易。之後,佢會打電話比信用咭中心(發咭行)話佢無做過。而一般尼講到最後既結果係,商戶或者收咭中心會輸,信用咭持有人或者發咭行無捐失。
但是,因為以上的是網上購物,大部份的商戶都會準快送貨,但是大部份的詐騙都會在交易三十到六十天後出現-即是當咭持有人收到月結單的時候。對於商戶來說是雙重損失,他們收不到錢又把貨運賠了。
即是說,假設一個商戶賣一台 $1000 的 相機賺 $100,一次詐騙就會令他捐失 $2000,他要多做 20 單生意才能䝶踴彌補損失。
問題是,這家好商戶會尖叫:「我無做錯野呀!」。
而這一家好商戶只好找方法解決問題。大致上有兩方面的方法。
一,就係加多幾把鎖問到個買家死為止。由用家登記,認證,一次性密碼,密碼到 3-D 認證都係同一個方法。如果咁都問唔死個用家既,咁呢一次,發咭行咪頂左佢。
二,就係商戶或者收咭行用其它方法知道個張咭係假既。
兩件事都好煩。
簡單 D 尼講,有一個 Email 公司話佢自己好 Secure,佢會要求每一個寫客戶每三十日用一個記唔到既密碼,而一年入邊又唔可以一樣既密碼咁。再加埋每睇一個 Email 你都要打返個 SMS One Time Password 咁。
呢個係極端既講法。
第二個方法係,你次次都係用呢部電腦 Check Email 咁部電腦又 Lock 左,咁唔洗次次問呀?
再簡單 D 講,即係有個人日日都係同一間 7-11 同同一個呀姐買同一樣既煙,咁個呀姐會認得架 Ma,第一次就問佢身份証咁唔洗次次問呀?
現今既世界鬥服務,好唔好既分別就係咁,如果呀姐次次問個客肯定佢問無咁煩既。網上詐騙其實依然是絕少數,其實收咭行可以利用科技幫商戶做少好多野同減少捐失。
There are news reported regarding the possibility leakage of card holder information that suffices for online purchase. What is going to happen?
One of the possibility is the credit card holder doesn't know. Card Holder takes the lost, but this case really nothing much to talk about.
The next is, The credit card holder identifies this fraudulent transaction. He calls the card centre (issuer) for dispute with reason unauthorised purchase. Eventually, card holder and card issuer will win the case. That is, credit card holder and issuer doesn’t have to bear the lost, either acquirer or the merchant has to bear the lost. In most T&C, the liability will be borne by the merchant.
Please note that this is an online purchase, most merchants would ship their product within days, while the dispute would happens about 30-60 days - after the credit card holder received the statement. This will eventually result in a double lost. The merchant loses the dispute which means they couldn't receive the money, and they have shipped the product.
This is significant. Consider a merchant selling cameras makes $100 for each $1000 camera sales. A fraudulent transaction would effectively cause him $2000. He needs 20 more deals to balance that, and the problem is...
The good camera seller did nothing wrong.
That drives the good merchant to find a solution to fix this. In short, there are two theories of the solution.
The first is - put more gates to ensure every transaction is good. User registrations, verification, one time PIN, password and 3DS are part of this. Since the users have passed so many difficult gates, the issuer will now take the lost. Merchant is happy.
The second is - Merchant or Acquirer using other ways to identify a fraudulent transaction.
It downs to very complicated topics that could be covered in the future.
In layman'a term, you are using an email service which is really secure. It protects you by asking you a new strong password every 30 days with a history record of 12. It means you need to have 12 difficult passwords in 1 year. When you read an email, you have to type in an one time password sent over SMS.
That's the first theory.
The second is, the email provider identities you are using the same email client and platform, then I don’t have to ask for the password anymore.
That's like a customer always in same shirt at a pub sitting at the same table drinking the same beer talking to the same face but the bar tender doesn't know who is he but knows he is he. That guy can't be bad.
That's the second theory.
I am a big fan of the second, because online payment fraud is still very low in terms of transaction number percentage. With the right tech, it enables business with a lower barrier.
Let me re-cap in Cantonese
最近好多人話會比人隔空偷 PayWave Card 資料之後再上網買野,問題係現實既情況會點?
當然其中一個情況係個咭主係懵既,比人偷左野都唔知。
不過今時今日既人咁醒,好明天會係月結單到睇到呢一單唔係佢做既詐騙交易。之後,佢會打電話比信用咭中心(發咭行)話佢無做過。而一般尼講到最後既結果係,商戶或者收咭中心會輸,信用咭持有人或者發咭行無捐失。
但是,因為以上的是網上購物,大部份的商戶都會準快送貨,但是大部份的詐騙都會在交易三十到六十天後出現-即是當咭持有人收到月結單的時候。對於商戶來說是雙重損失,他們收不到錢又把貨運賠了。
即是說,假設一個商戶賣一台 $1000 的 相機賺 $100,一次詐騙就會令他捐失 $2000,他要多做 20 單生意才能䝶踴彌補損失。
問題是,這家好商戶會尖叫:「我無做錯野呀!」。
而這一家好商戶只好找方法解決問題。大致上有兩方面的方法。
一,就係加多幾把鎖問到個買家死為止。由用家登記,認證,一次性密碼,密碼到 3-D 認證都係同一個方法。如果咁都問唔死個用家既,咁呢一次,發咭行咪頂左佢。
二,就係商戶或者收咭行用其它方法知道個張咭係假既。
兩件事都好煩。
簡單 D 尼講,有一個 Email 公司話佢自己好 Secure,佢會要求每一個寫客戶每三十日用一個記唔到既密碼,而一年入邊又唔可以一樣既密碼咁。再加埋每睇一個 Email 你都要打返個 SMS One Time Password 咁。
呢個係極端既講法。
第二個方法係,你次次都係用呢部電腦 Check Email 咁部電腦又 Lock 左,咁唔洗次次問呀?
再簡單 D 講,即係有個人日日都係同一間 7-11 同同一個呀姐買同一樣既煙,咁個呀姐會認得架 Ma,第一次就問佢身份証咁唔洗次次問呀?
現今既世界鬥服務,好唔好既分別就係咁,如果呀姐次次問個客肯定佢問無咁煩既。網上詐騙其實依然是絕少數,其實收咭行可以利用科技幫商戶做少好多野同減少捐失。