Thales Blog

In-app Payments: Who Foots The Fraud Bill?

May 17, 2016

Thales | Cloud Protection & Licensing Solutions

Ticketmaster has just begun selling event tickets directly on Facebook. While this is a great perk for both users making a convenient in-app purchase and advertisers wanting to link social campaigns directly to revenue (rather than just 'likes' and followers), there’s a huge security and trust issue that’s being overlooked: authentication.

Log-in credentials are nearly always cached, and users are notorious for creating weak passwords. Yet, these same credentials that formerly just gave access to a social media site might now enable payment. This adds a layer of complexity to the risk and liability for fraud and chargebacks. These are considered 'card-not-present' (CNP) transactions, so the risk must fall with the merchant. But who is the merchant – the social media site or the retailer?

This is a critical question, since retailers in the U.S. are responsible for 70 to 100 percent of fraud losses. It’s clear that CNP is the next frontier and that we will continue to see a growing trend of social media sites offering in-app purchases. This capability engages and monetizes customers. But for this to work, both consumers and merchants have to be certain that these transactions are safe. Merchants have a vested interest in protecting CNP transactions and are making significant investments in security measures. That means the proper security layers have to be in place to authenticate users and protect personal information and card data.

One of these layers must be point-to-point encryption (P2PE), which protects sensitive payment data within mobile payment offerings. Encryption turns card data into unreadable and therefore useless gibberish; even if cyber criminals are able to get their hands on it, the data is worthless to them and they can’t commit fraud.

It will be interesting to see how CNP is defined as in-app payments increase in popularity, as well as what the definition of “merchant” turns out to be. However, until these questions are resolved, the best bet is to do everything possible to reduce the chances of fraud with a layered security strategy that includes P2PE.