As the world continues to move through COVID, every day can hold a surprise. A few weeks ago US economists were surprised when the Commerce Department reported that retail sales rose by 0.6% in June 2021 — up 18% compared to June last year and now 18% above their pre-pandemic level. As consumers flock back to stores, some may be surprised and delighted to learn that they can use popular person-to-person (P2P) payment apps like Venmo and PayPal at the cash register. What does that mean for fraud professionals? Let’s take a look.
I first became aware of P2P point of sale (POS) options several months ago at — no judging, please — Panda Express, where I (very) occasionally stop for a fast-food fix. It’s pretty easy to use Venmo in-store; after signing up for this feature on the app, you just scan your Venmo QR (Quick Response) code, displayed on the mobile app, at checkout to pay touch-free. At other places the Venmo user scans the store’s QR code. Once I started looking around, I saw that Venmo is accepted at quite a few national retailers.
PayPal made a big push in 2020 to expand its POS presence. It’s currently accepted at 600,000 retail locations, having signed up 29 major retailers last year. A growing list of national restaurant chains is making PayPal an option, too, such as Chick-Fil-A, McDonald’s, Burger King, Taco Bell and, importantly, Panda Express. CVS Pharmacy has gone big on both, offering contactless checkout in all of its 8,200 retail locations using PayPal and Venmo QR codes. Venmo is a PayPal company.
QR Codes and the ‘Wallet Diet’
As you can see, QR codes figure prominently in a growing category of payment methods. (When scanned, the QR code allows the user to access information instantly.) They’re not new technology—QR codes have been around since 1994—and, while not the dominant mechanism for mobile payments in the US, they are often at the forefront in emerging markets.
However, COVID has changed many consumer habits in the US and around the world, including handling cash and cards. A recent survey by the payments platform Adyen found that almost half of US shoppers (41%) say they’d like to see more stores let them scan-and-pay in-store. And almost one quarter (21%) say they don’t really use physical cards anymore, instead relying on their mobile device or digital wallets such as PayPal, Apple Pay, or Google Pay.
The latter point is another iteration of my four-year-long “wallet diet” and the latest statistic supporting the idea that physical payment cards are less and less of a necessity to carry on our person — unlike the payments-making mobile phone, which the average American checks 63 times a day.
QR Codes and Fraud
Of course, any payment method carries inherent fraud risk. What about QR codes? The cybersecurity firm Kaspersky Lab says: “Attackers can embed malicious URLs containing custom malware into a QR code which could then exfiltrate data from a mobile device when scanned. It is also possible to embed a malicious URL into a QR code that directs to a phishing site, where unsuspecting users could disclose personal or financial information.”
That being said, in my view the biggest risk to the consumer isn’t so much being redirected to a phishing site by scanning a payment app QR code or the QR code displayed on a retailer’s POS terminal. (I’ll add, “Never say never.”) For consumers, I believe the best way to prevent QR code fraud is good mobile phone security hygiene, to prevent unauthorized access to the entire device.
Another Dimension of a Holistic Customer View
For banks fighting fraud, P2P payments at point of sale add a new dimension to the holistic view they must have of customer behaviors in order to detect anomalous transactions. Are new P2P transactions consistent with previous customer behaviors? Let’s revisit Behavior Sorted Lists (B-lists), an innovation patented by FICO, which identify cardholder "favorites" — or recurrences — over the transaction streams. These might include favorite grocery stores, drugstores, restaurants and fast food outlets, and preferred stores for online shopping.
B-lists can distinguish between frequently repeated transactions that indicate normal spending (“in-pattern” transaction activity) and infrequent activity that is more likely to be fraudulent (“out-of-pattern” activity). This technology enables faster fraud detection with lower false positive rates—that is, fewer declines on legitimate transactions, such as using a new P2P payment type at a new point of sale — say, if I branched out from Panda Express to try Yo Yo Bento, a popular food truck in my area.
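The in-pattern versus out-of-pattern distinction described above, sketched as an added example: this is a simplified decayed-frequency recurrence list per customer, not FICO's patented B-list algorithm and not code from this post. The decay factor, list size, favorite threshold, three-way label and sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

DECAY = 0.9        # assumed per-transaction decay applied to older recurrences
MAX_ENTRIES = 5    # assumed bound on how many entities a list may hold
MIN_WEIGHT = 1.5   # assumed weight an entry needs to count as a "favorite"


@dataclass
class RecurrenceList:
    """Bounded list of recurring entities, weighted by decayed frequency."""
    weights: dict = field(default_factory=dict)

    def is_favorite(self, key: str) -> bool:
        return self.weights.get(key, 0.0) >= MIN_WEIGHT

    def update(self, key: str) -> None:
        # Age every existing entry, then credit the entity just seen.
        for k in self.weights:
            self.weights[k] *= DECAY
        self.weights[key] = self.weights.get(key, 0.0) + 1.0
        # Keep the list bounded by evicting the weakest entry.
        if len(self.weights) > MAX_ENTRIES:
            del self.weights[min(self.weights, key=self.weights.get)]


@dataclass
class CustomerProfile:
    """One list per dimension: where the customer pays and how they pay."""
    merchants: RecurrenceList = field(default_factory=RecurrenceList)
    channels: RecurrenceList = field(default_factory=RecurrenceList)

    def assess(self, merchant: str, channel: str) -> str:
        """Label a transaction against prior behaviour, then learn from it."""
        known = (self.merchants.is_favorite(merchant),
                 self.channels.is_favorite(channel))
        self.merchants.update(merchant)
        self.channels.update(channel)
        if all(known):
            return "in-pattern"
        return "partially-in-pattern" if any(known) else "out-of-pattern"


def demo() -> list:
    # Constructed history of (merchant, payment channel) pairs.
    history = [("Panda Express", "card")] * 3 + [("CVS Pharmacy", "card")] * 2
    profile = CustomerProfile()
    for merchant, channel in history:
        profile.assess(merchant, channel)
    # New P2P channel at a favorite merchant, then at a never-seen merchant.
    new = [("Panda Express", "venmo_qr"), ("Yo Yo Bento", "venmo_qr")]
    return [profile.assess(m, c) for m, c in new]
```

A label other than "in-pattern" is a feature for a downstream fraud score, not a decline decision on its own; repeated legitimate use moves a new merchant or channel onto the list.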
Broad Data Access Is Essential
Here, unfettered data ingestion is key. The right fraud detection platform should give you the power to access all desired data, internal or external, regardless of the location or format, ingesting it in streaming or batch mode. This enables you to access the right data at the right time for optimal decisioning, as well as reduce costs by purchasing data only when it brings value. Important capabilities include:
- Ingest data without having to move, cleanse, or convert it
- Access data at the point in the decision stream where it makes the most sense (and costs the least)
- Share data and other decision assets across the business units
- Offer a robust set of ready-built third-party data connectors
- Bring together recurring batch, streaming, or one-off event data to make the most of the decision workflow
Behavior sorted lists and flexible data ingestion capabilities are already in place at banks that use the FICO® Falcon® Fraud Manager for fraud management, which comes with built-in functionality for real-time payments, P2P payments, card-not-present transactions, application and identity fraud, mobile wallets, payment cards, account takeover and more. Leading banks worldwide use Falcon to gain a contextual, 360-degree view into customer activity.
Follow me on Twitter @FraudBird for my thoughts on the latest developments in payments and fighting fraud. And, if you see me at Panda Express — or at today's Aite Financial Crime Forum, where I'm participating in the feature panel, Best Practices for Operationalizing Converged Intelligence at 10:30 am ET — say hello.