In this guest post, Louise Ford, Managing Director at Empello, discusses the role of one-time password ‘PIN loops’ in direct carrier billing payment processes and explains why they do not always add the rigorous safety to transactions that regulators and carriers might hope for.
Whenever Empello sees an increase in complaints and non-compliance in a market, one of the actions we often see taken by a carrier or regulator is the introduction of PIN or OTP flows to add more “security” to the payment journey.
It is generally believed that adding a PIN makes any payment process more secure. After all, PIN protection is commonly used in the finance sector to secure payments, from ATMs to cards to online payments. When it comes to direct carrier billing, however, PINs do not work as effectively.
Why? Because the very same piece of malware that is emulating the user’s behaviour and clicking on buttons is also perfectly capable of accessing the messaging inbox on that device, reading the PIN you have just received or viewed, and sending a message with that PIN to authorise a payment.
However, PIN flows do deter consumers, by adding friction to the payment journey with extra steps. One of the great strengths of direct carrier billing should be its ease of use, particularly for low-value purchases. Adding a PIN or OTP flow makes direct carrier billing less easy for consumers to use.
In a world where commerce has shifted to mobile, with sales estimated to hit $3.56 trillion by the end of 2021 (Statista), representing 54% of total eCommerce sales (Big Commerce), and with multiple mobile payment platforms competing for these transactions (Apple Pay, Google Pay, Samsung Pay, Venmo, WePay, PayPal, to name just a few!), making direct carrier billing less easy to use does not make sense, nor does it leave carriers in a good position to benefit from this shift in consumer buying behaviour.
We can see the impact clearly in a market like the UK. In November 2019 the regulator mandated compulsory two-stage verification, which included both SMS and on-screen PIN flows. The result is that in 2021 Empello sees less than 10% of the clicks via the PIN flow route that we saw in 2019, yet we still block roughly the same percentage of clicks for payment fraud. In a nutshell, payment fraud still forms the same share of the pie, but it is now a much smaller pie.
So what is the answer? Rather than adding steps to the payment that can be easily hacked yet discourage users from completing their payment journey, another option is to implement comprehensive fraud protection measures.
Such fraud protection measures should include the ability to check every transaction to determine whether it has been made by a genuine mobile user or auto-generated from the user’s handset without their knowledge, and to verify that transaction to both the carrier and the merchant with a security token.
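The post says every transaction should be checked and then verified to both the carrier and the merchant with a security token, but does not describe the mechanics. As an added illustration (my code, not Empello’s or any carrier’s), the Python sketch below shows one way such a token could work: a screening step gives each payment click a verdict, and an HMAC-signed token binds that verdict to the transaction details so that carrier and merchant can each check it before billing or fulfilling, and a token cannot be reused for a different amount or subscriber. The screening signals, field names, shared key and 300-second lifetime are all assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key. In practice the screening service, the carrier and the
# merchant would each hold a key provisioned out of band (assumption).
SIGNING_KEY = b"constructed-demo-key-do-not-use"
TOKEN_TTL_SECONDS = 300  # assumed lifetime of an approval token

# Constructed sample data: a fictional UK number (Ofcom drama range) and a
# small purchase priced in pence.
SAMPLE_TX = {
    "tx_id": "tx-0001",
    "msisdn": "447700900123",
    "merchant_id": "merchant-demo-01",
    "amount_minor": 499,
    "currency": "GBP",
}
HUMAN_CLICK = {"input_events": 6, "dwell_ms": 4200}   # constructed
BOT_CLICK = {"input_events": 0, "dwell_ms": 40}       # constructed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def screen_click(click: dict) -> str:
    """Return 'genuine' or 'automated' for one payment click.

    The two signals are constructed for this example: a click with no touch or
    key input events on the page, or one arriving a few milliseconds after the
    page rendered, is treated as script-driven. A real system would weigh many
    more signals; this shows the shape of the check, not a production rule set.
    """
    if click.get("input_events", 0) == 0:
        return "automated"
    if click.get("dwell_ms", 0) < 250:
        return "automated"
    return "genuine"


def issue_token(tx: dict, click: dict, key: bytes = SIGNING_KEY, now=None):
    """Screen the click; if genuine, return a signed token binding the verdict
    to the transaction. Returns None when the click is judged automated."""
    verdict = screen_click(click)
    if verdict != "genuine":
        return None
    payload = {
        "tx_id": tx["tx_id"],
        "msisdn": tx["msisdn"],
        "merchant_id": tx["merchant_id"],
        "amount_minor": tx["amount_minor"],
        "currency": tx["currency"],
        "verdict": verdict,
        "iat": int(now if now is not None else time.time()),
    }
    # Canonical JSON so signer and verifiers hash identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(mac)}"


def verify_token(token: str, tx: dict, key: bytes = SIGNING_KEY, now=None):
    """The check run by both the carrier and the merchant. Returns (ok, reason).

    Order matters: authenticate first, then trust the payload's contents."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = _unb64(body_b64)
        mac = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False, "bad signature"
    payload = json.loads(body)
    if payload.get("verdict") != "genuine":
        return False, "not approved"
    # Bind the token to exactly this transaction so it cannot be replayed
    # against a different subscriber, merchant or amount.
    for field in ("tx_id", "msisdn", "merchant_id", "amount_minor", "currency"):
        if payload.get(field) != tx.get(field):
            return False, f"mismatch: {field}"
    current = now if now is not None else time.time()
    if current - payload["iat"] > TOKEN_TTL_SECONDS:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    print("bot click token:", issue_token(SAMPLE_TX, BOT_CLICK))
    tok = issue_token(SAMPLE_TX, HUMAN_CLICK)
    print("carrier check:", verify_token(tok, SAMPLE_TX))
    print("merchant check with altered amount:",
          verify_token(tok, dict(SAMPLE_TX, amount_minor=4999)))
```

The point the token makes is that neither the carrier nor the merchant has to trust the other’s word that a click was screened: each independently verifies the same signed verdict against the transaction it is about to act on, and nothing in this exchange is visible to the subscriber.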
There is no doubt that implementing such protection will also reduce VAS traffic in any given market, as the problematic traffic is identified and weeded out by merchants that cease paying for traffic from fraudulent sources. The critical difference is that such measures are invisible to the mobile user and do not impede their payment journey at any point.
In this way, we can keep carrier payment journeys competitive against mobile payment platforms and fit for purpose in a mobile-first world, whilst ensuring protection for all of the participants in the value chain: consumers, carriers and merchants.