Open-loop EMV Standard Fleet and Mobility Payments – Convenience, Security and the Road Ahead
By Jonathan Hancock
View it in Finextra: https://www.finextra.com/blogposting/26104/open-loop-emv-standard-fleet-and-mobility-payments--convenience-security-and-the-road-ahead
The fleet and mobility payments industry is undergoing a significant transformation driven by technological advancements and the collaboration of major payment providers like Mastercard and Visa. This collaboration brings together the best practices, expertise and technologies from the retail fuel market and the world of fleet and fuel card management.
One of the central aspects of this transformation is the rise of open-loop fleet systems. These systems allow cards to be used at any merchant accepting the card's brand (for example, Visa or Mastercard), much like a personal credit or debit card. This gives fleet operators significantly greater flexibility to use their card system for a broader range of payments beyond fuel, and gives drivers flexibility to use their fleet cards for accommodation, vehicle repairs, or toll payments.
However, whilst open-loop payments using EMV standards offer enhanced convenience for fleet managers and drivers, they also introduce new security challenges. The ease of access inherent in open-loop systems is similar to what we see with credit cards, debit cards, and mobile wallets. This necessitates a closer look at the potential vulnerabilities and the robust security measures that are required to mitigate them.
Combating Fraud in a Changing Landscape
Open-loop fleet and mobility solutions face threats similar to traditional open-loop EMV card payment systems. These threats include:
- Account Takeover (ACTO): Fraudsters may hijack user accounts through phishing scams, social engineering tactics, or malware attacks. Once they are in control, they can make unauthorised purchases.
- Card-Not-Present (CNP) Fraud: Transactions occur without the physical card being present, increasing the risk of fraud using stolen card details.
- Data Breaches: Hackers can exploit vulnerabilities in systems that store sensitive data, like card details, potentially leading to large-scale theft.
- Fuel Theft: Open-loop payments can create new opportunities for siphoning fuel from vehicles if security measures are not strong enough.
Building a Secure Future: A Multi-Layered Approach
The industry is actively addressing these challenges by implementing a multi-layered security approach that includes:
- Multi-Factor Authentication (MFA): This adds an extra layer of security during transactions by requiring users to verify their identity using two or more factors, particularly when securing card-not-present (online) transactions. Factors could include passwords, biometrics like fingerprints or facial recognition, or one-time tokens. MFA significantly reduces the risk of unauthorised access, even if hackers manage to obtain usernames and passwords. EMV 3-D Secure clearly has a beneficial use case here.
- Advanced Fraud Detection: Machine learning (ML), artificial intelligence (AI), and behavioural analytics are valuable tools for identifying anomalies and patterns that could indicate fraudulent activity. These systems analyse vast amounts of real-time data on user behaviour, including transaction history, spending patterns, location and odometer values. Deviations from expected behaviour can trigger alerts for further investigation, potentially catching fraudulent activity before it occurs.
- Data Encryption and Tokenisation: Sensitive data, such as card details, is encrypted in transit and at rest. This ensures that unauthorised parties cannot read the data even if intercepted. Additionally, tokenisation replaces actual card numbers with unique tokens used for transactions, so even if a token is compromised, the actual card details remain secure.
- Continuous Monitoring and User Alerts: Robust fraud management systems continuously monitor transactions for suspicious activity. Any red flags trigger immediate alerts to fleet managers and end-users, allowing swift intervention to prevent further damage. User notifications for every transaction also empower them to identify and report unauthorised charges quickly. These notifications may be bi-directional and integrated into fraud detection systems that can automatically block further transactions should the end customer confirm that fraudulent activity has taken place.
- User and Employee Education: Educating both drivers and fleet managers about common fraud tactics is essential. Awareness training on phishing scams, social engineering techniques, and account takeover attempts equips everyone involved to recognise and avoid these threats.
- Industry Collaboration and Regulation: Open communication and collaboration between payment providers are vital in the fight against fraud. Sharing threat intelligence and best practices helps strengthen overall defences. Additionally, adhering to industry regulations like PCI DSS and GDPR ensures a baseline level of security by setting clear guidelines for secure payment processing.
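The deviation checks described under Advanced Fraud Detection (location and odometer values compared against expected behaviour), sketched as an added example that is not part of the original article. It uses fixed rules rather than ML; the `Txn` fields, the thresholds and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed vehicle profile and thresholds (illustrative, not from the article).
L_PER_100KM, TOLERANCE, MAX_KMH = 9.0, 1.5, 130.0

@dataclass
class Txn:
    vehicle: str
    when: datetime
    lat: float
    lon: float
    odometer_km: int
    litres: float

def km_between(a, b):
    """Great-circle (haversine) distance between two transaction locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flags(prev, cur):
    """Reasons `cur` deviates from what the vehicle's previous transaction allows."""
    out = []
    driven = cur.odometer_km - prev.odometer_km
    if driven < 0:
        out.append("odometer_regression")
    elif cur.litres > driven / 100 * L_PER_100KM * TOLERANCE:
        out.append("fuel_exceeds_distance")  # more fuel than the distance driven explains
    hours = (cur.when - prev.when).total_seconds() / 3600
    if km_between(prev, cur) > MAX_KMH * hours:
        out.append("impossible_travel")  # merchants too far apart for the elapsed time
    return out

def review(txns):
    """Map index (in time order) -> flags, comparing each txn to the vehicle's previous one."""
    last, alerts = {}, {}
    for i, t in enumerate(sorted(txns, key=lambda t: t.when)):
        if t.vehicle in last and (found := flags(last[t.vehicle], t)):
            alerts[i] = found
        last[t.vehicle] = t
    return alerts

SAMPLE = [  # constructed transactions for one hypothetical vehicle
    Txn("VAN-1", datetime(2024, 5, 1, 8, 0), 51.5074, -0.1278, 40000, 60.0),
    Txn("VAN-1", datetime(2024, 5, 3, 8, 0), 51.4545, -2.5879, 40600, 55.0),
    Txn("VAN-1", datetime(2024, 5, 3, 9, 0), 55.9533, -3.1883, 40650, 50.0),
    Txn("VAN-1", datetime(2024, 5, 5, 9, 0), 55.9533, -3.1883, 40500, 40.0),
]
```

In a deployment these flags would feed the alerting and blocking flow described under Continuous Monitoring rather than decline a transaction on their own.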
The transition to EMV-based open-loop payments in fleet and mobility offers significant convenience and increased benefits for the end user and the issuer. However, it is critical to acknowledge and address the associated security risks. Fleet and mobility companies can build a secure and robust payment ecosystem by implementing a multi-layered approach that combines advanced authentication, fraud detection techniques, data security measures, user education, and industry collaboration. By prioritising security alongside convenience, the industry can ensure a smooth and trustworthy journey for all stakeholders, paving the way for further innovation.