Digital payment in the banking ecosystem and managing fraud risk

Digital payment in the banking ecosystem

Countries expect enormous growth of digital payment in their banking ecosystems, and many are including plans to boost the digital payment ecosystem in their budget reports. India, for example, plans to offer financial support for the digital payment ecosystem, as set out in the Union Budget 2022-2023. As per a report in Statista, “total transaction value in the Digital Payments segment is projected to reach US$8.50tn in 2022.” The report further highlights that “total transaction value is expected to show an annual growth rate (CAGR 2022-2026) of 13.10% resulting in a projected total amount of US$13.91tn by 2026.”

Let us discuss some of the distinctive features of digital payment globally. Digital payment allows instant money transfer between wallets and different bank accounts in seconds. It makes bill payments easy, both prepaid and post-paid. Users can also manage physical and virtual card operations without any issues. Digital payment services make merchant payments easy using contactless technologies such as NFC and QR code scanners. Digital payment platforms use multiple technologies, including tokenization, passwords, biometrics, security questions, point-to-point encryption, out-of-band authentication, and one-time passwords (OTP) via SMS, to protect digital transactions. A lot is happening on the digital payment platform, which requires strict attention to following the security guidelines.

Background of digital payment

Organizations have seen the challenges associated with maintaining platform security for digital payment. The scope of digital payment is not what it was in the mid-1990s, when Stanford Federal Credit Union became the first organization to offer an online payment system to its clients. Today, digital payment systems provide services in various fields. From money transfer to bill payment and loan origination, the digital payment platform handles multiple services.

Millicent and Ecash were the first companies to launch digital payment, in 1995 and 1996 respectively. They specialized in digital cash, e-money, and token modes of digital payment. The emergence of PayPal in 1998 changed the digital payment trend completely.

Digital payment in the banking ecosystem

The massive technological development of today’s era has led to growth in online shopping, banking, and other services. The digital payment structure has seen significant expansion in the past few years, further accelerated by mobile devices. As per a report in Statista, 950 million users carried out mobile payment transactions globally in 2019, and the projection is a whopping growth to 1.31 billion users by 2023. Amidst all this growth and development, organizations have much to worry about: platform security, performance, functionality, accessibility, and usability. Organizations must establish a strong foundation and control over the digital payment platform if they are to manage the unrelenting growth of digital payment.

To initiate and encourage the growth of digital payment, banks are embedding futuristic technologies like AI, machine learning, IoT, and robotics in their products and solutions. Digital and contactless payments have increased in the recent past, and not just in the major cities: smaller cities are also adopting contactless payments. Users can carry out transactions by simply scanning a QR code or with a single swipe.

Banks are collaborating with multiple digital payment platforms and third-party platforms to extend their services beyond conventional banking systems. Tap-and-go payment options have enabled many vendors and retailers to embed the technology in wearable devices, allowing consumers to purchase products and services using smartwatches, smart rings, and wristbands. The only concern is how secure these devices are. To put all speculation to rest, retailers and vendors are doing enough to ensure the platform’s security by eliminating anomalies and errors from the payment platforms.

There is an increase in e-commerce transactions. Restrictions on movement during the Covid-19 lockdown could be one of the reasons, but not the only one. Banks had made their services available to customers on digital platforms before Covid-19, but we cannot take away the fact that Covid-19 fast-tracked the process, and whatever was brewing beneath the surface has emerged strongly. Digitalization has changed the payment structure. E-commerce sites today have access to users’ bank accounts. Banks are also collaborating with e-commerce sites to provide exclusive offers to consumers. The process has influenced people to rely on e-commerce to purchase groceries, health products and other essentials. The offers from banks and the benefits and advantages of these transactions have surpassed conventional buying and selling behavior. Hence consumers prefer to shop online and access remote commerce and digital payments.

Customers have payment flexibility using QR codes, which are easy to implement and use. Banks have integrated the services and made them available to their customers. QR codes carry out transactions without hassle, saving significant time. Investment banks are adopting cryptocurrency to encourage people to invest in “digital gold”. The financial market has seen a prominent surge in crypto investment, and it is evident that cryptocurrency is here to stay.

Fraud risk in digital payment

The growth of digital payment attracts multiple fraud risks, as hackers try to gain access to customers’ personal and banking details. The following are the types of fraud risk that banks and customers face on a regular basis.

  1. Phishing – Scammers create identical copies of bank websites and send the links to customers. The fake websites are used to capture user IDs and passwords, card numbers, ATM PINs, CVVs, and OTPs and misuse them.
  2. Vishing – A simple method where scammers use Voice over Internet Protocol (VoIP) technology to contact customers and seek personal and financial details over the phone.
  3. Smishing – Using this method, scammers send customers text messages with links to call back, visit websites, or download documents, and with information about job offers, lottery wins, deactivated ATM cards, and more.
  4. Identity Theft – Scammers use different methods to acquire customers’ personal information, such as date of birth, passport number, Aadhaar details, and PAN details, to access customer bank accounts and carry out transactions.
  5. SIM Swap Fraud – Scammers obtain customers’ details through phone calls, messages, and more, and get a new SIM card issued in the customer’s name to carry out illegal transactions.
  6. Social Engineering Fraud – Scammers post fake numbers that resemble the bank’s toll-free number on various digital platforms or caller identification apps to deceive customers.
  7. International Transfer Scams – Scammers create fake stories and trap customers into sharing their personal and bank details. They use this information to withdraw large sums from customers’ bank accounts.
  8. Money Mule – This method entices customers with attractive commissions. Once customers share their bank account details and personal information, money already stolen from another account is transferred into the customer’s account.
  9. Juice Jacking – Scammers install malware in public charging ports. If customers do not have their own charger and happen to charge their mobile devices at one of these public charging ports, scammers can gain easy access to the details stored on the phone.
  10. Cerberus Trojan Threat – Malware that steals customers’ banking details such as credit card numbers, CVVs and more. Cerberus efficiently captures screenshots and gains easy access to SMS texts, contact lists, account credentials, and more.
  11. Covid-19 Phishing Threat – Many scammers have used Covid-19 as an opportunity to steal and manipulate customers’ personal data and financial details, such as bank account and debit/credit card details, CVV numbers and secret passwords, to gain access to customers’ bank accounts.
  12. IDN Homograph Attack – Scammers create and use a domain or website name that resembles an established name to trick customers.
  13. Loan Fraud – Scammers trick customers by publishing fake advertisements for quick and easy loans, offering low interest rates, easy repayment, or no security requirements.
  14. Online scams through classified marketplaces – Scammers create fake profiles with fake social media addresses to contact customers who post advertisements, and trick them into sharing their personal and financial details.
  15. Aadhaar-based Payment System Fraud – Scammers can use gums and glues to replicate customers’ fingerprints and use them to carry out transactions.
  16. Broadband Internet Security Fraud – Scammers may call customers pretending to be from telecommunications or internet service companies and ask for banking and personal details.
  17. SMS Spoofing – Scammers may call or text customers informing them that their KYC process is incomplete, their debit or credit card is blocked or expired, their SIM card has expired, their account has been credited with a significant amount, and more.

Managing fraud risk

Digital payment platforms need a strong fraud detection mechanism. It is critical to have security measures, but it is also crucial to ensure the platform functions without errors. Digital payment platforms must adopt a few security measures to establish a secure connection in a high-speed transaction process. Every secure website must have an SSL certificate, as it creates a foundation of trust. HTTPS is safer than HTTP as it avoids redirection links. It requires a digital certificate to establish the website as safe and secure, and HTTPS websites have security certificates.
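A defensive check that ties together the phishing and IDN homograph entries in the list above and the HTTPS requirement in this paragraph, written as an added example (this code is not from the original article, and the bank host names it allowlists are hypothetical): it reports a payment link that is not served over HTTPS, decodes any punycode (xn--) label, flags host names that mix scripts, and compares a confusable-folded skeleton of the host against the allowlist so that a lookalike of a trusted host is caught.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of the bank's own hosts (hypothetical names, not a real bank).
TRUSTED_HOSTS = {"examplebank.test", "www.examplebank.test", "pay.examplebank.test"}

# Small constructed table of Cyrillic letters that render like Latin ones.
# Production code would use the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def script_of(ch):
    """Coarse script label for a letter, taken from its Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER"


def check_payment_link(url):
    """Return ('trusted', []) or ('suspicious', [reasons]) for a payment link."""
    findings = []
    parts = urlsplit(url.strip())
    # 1. Transport: a payment page must be served over HTTPS.
    if parts.scheme.lower() != "https":
        findings.append("scheme is not https")
    host = (parts.hostname or "").lower()
    # 2. Punycode: decode xn-- labels so lookalike characters can be inspected.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label present")
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            findings.append("punycode label could not be decoded")
    # 3. Mixed scripts inside one host name are a classic homograph signal.
    scripts = {script_of(c) for c in host if c.isalpha()}
    if len(scripts) > 1:
        findings.append("mixed scripts in host: " + ", ".join(sorted(scripts)))
    # 4. Fold confusables and compare the skeleton with the allowlist.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in host)
    if host in TRUSTED_HOSTS:
        pass
    elif skeleton in TRUSTED_HOSTS:
        findings.append(f"host imitates trusted host {skeleton!r}")
    else:
        findings.append("host is not on the allowlist")
    return ("trusted" if not findings else "suspicious", findings)


if __name__ == "__main__":
    # Constructed sample links; the third uses a Cyrillic 'а' (U+0430) in place of Latin 'a'.
    for link in ("https://pay.examplebank.test/checkout",
                 "http://pay.examplebank.test/checkout",
                 "https://pay.exampleb\u0430nk.test/checkout"):
        print(link, check_payment_link(link))
```

The allowlist is the real control; the script and confusable checks only explain why a host was refused, which is what a fraud analyst or a customer-facing warning needs.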

The digital era is all about real-time payments, and the digital payment platform is driven by technology. Considering the amount of fraud in digital payment, fraud checks, authentication, authorization, and data analysis must happen simultaneously. Banks are improving their API ecosystems to integrate their services into third-party platforms and make them available to customers. As in real-time payment the sender and receiver send and receive the amount at the same time, it is crucial to have notifications and alerts for all transactions in place to limit the chances of data manipulation.
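The single-pass screening this paragraph describes, as an added example that is not the article's own code: each transaction goes through the authentication result, a hard authorization limit, a velocity window and a new-payee rule in one call, and every transaction, accepted or not, produces a notification record. The limits, the account and payee names and the sample traffic are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Transaction:
    tx_id: str
    account: str
    payee: str
    amount: float
    ts: int        # seconds since epoch (constructed values below)
    auth_ok: bool  # outcome of the customer authentication step (OTP, biometrics, ...)


class RealTimeScreen:
    """Runs authentication, authorization limits and velocity/anomaly checks on every
    transaction in one pass and emits a notification record for each one."""

    def __init__(self, single_limit=50_000, window_sec=600, max_in_window=3, high_value=25_000):
        self.single_limit = single_limit      # hard authorization limit per transfer
        self.window_sec = window_sec          # velocity window in seconds
        self.max_in_window = max_in_window    # accepted transfers allowed per window
        self.high_value = high_value          # threshold for the first-time-payee rule
        self.recent = defaultdict(deque)      # account -> timestamps of accepted transfers
        self.known_payees = defaultdict(set)  # account -> payees seen before
        self.notifications = []               # one record per transaction, accepted or not

    def screen(self, tx):
        """Return (decision, reasons) where decision is accept, review or decline."""
        hard, soft = [], []
        if not tx.auth_ok:
            hard.append("authentication failed")
        if tx.amount > self.single_limit:
            hard.append("exceeds single-transaction limit")
        window = self.recent[tx.account]
        while window and tx.ts - window[0] > self.window_sec:
            window.popleft()                  # drop transfers outside the window
        if len(window) >= self.max_in_window:
            soft.append("velocity: too many transfers in window")
        if tx.payee not in self.known_payees[tx.account] and tx.amount >= self.high_value:
            soft.append("high value to a first-time payee")
        if hard:
            decision = "decline"
        elif soft:
            decision = "review"               # hold for step-up authentication or analyst review
        else:
            decision = "accept"
            window.append(tx.ts)
            self.known_payees[tx.account].add(tx.payee)
        # Every transaction, whatever the outcome, produces a customer-facing notification.
        self.notifications.append({"tx": tx.tx_id, "account": tx.account,
                                   "decision": decision, "reasons": hard + soft})
        return decision, hard + soft


# Constructed sample traffic (not real data).
SAMPLE = [
    Transaction("t1", "ACC-1", "grocer", 1_200, 1000, True),
    Transaction("t2", "ACC-1", "grocer", 800, 1060, True),
    Transaction("t3", "ACC-1", "new-wallet", 30_000, 1120, True),  # first-time payee, high value
    Transaction("t4", "ACC-1", "grocer", 75_000, 1180, True),      # over the hard limit
    Transaction("t5", "ACC-1", "grocer", 100, 1240, False),        # authentication failed
    Transaction("t6", "ACC-2", "utility", 500, 1300, True),
    Transaction("t7", "ACC-2", "utility", 500, 1310, True),
    Transaction("t8", "ACC-2", "utility", 500, 1320, True),
    Transaction("t9", "ACC-2", "utility", 500, 1330, True),        # fourth transfer in 10 minutes
]


def run_sample():
    """Screen the sample traffic; returns {tx_id: decision}."""
    screen = RealTimeScreen()
    return {tx.tx_id: screen.screen(tx)[0] for tx in SAMPLE}


if __name__ == "__main__":
    for tx_id, decision in run_sample().items():
        print(tx_id, decision)
```

Only accepted transfers count toward the velocity window and the known-payee set, so a held or declined transaction cannot be used to "warm up" an account for a later one.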

The digital payment platform is customer-centric; hence it must be customer friendly. Customers do not want to be pinned down by unnecessary compliance requirements, but digital payment platforms cannot be left open to cyber threats. Hence, the platform must follow the necessary security guidelines without overdoing them. In today’s world, digital payment platforms adopt blockchain technologies and are transparent to the customer. This technology helps in detecting illegal transactions and malicious user behavior. Organizations are investing in technologies to tighten security and prevent monetary losses. Companies will not compromise on external or internal security.

As important as it is to maintain the security of the digital payment platform, it is also critical to test the platform end-to-end for seamless functionalities and error-free performance. Without an adequate testing solution, the platform would miss out on important alerts.

Conclusion

It is crucial to create a tenable cybersecurity framework and it is also important to ensure the integration, performance, accessibility, and usability of this framework. Organizations must adapt to digital channels and platforms to retain their customers. Digitalization is making it easier for organizations to acquire customers and serve them digitally. Accessing funds and payments is becoming more convenient.

Organizations need support to promote and build products with the right features and capabilities. Banks see growth in their ROI when people use these digital platforms, and witness a significant cost reduction in delivery when people use the platform for many years. Digital payment testing is a method to validate the platform’s sustainability and tenacity over many years.

User experience is the most vital point, as users’ attention span is short, and any unsatisfactory design would bring down their interest, leading to a lowering of companies’ investments. The usability and accessibility of digital platforms are the parts organizations must focus on. Testing the platform ensures a good customer experience with the UI design, platform usability, and accessibility. We have seen clients coming back with requests to understand whether their application performance is consistent across multiple devices and operating systems. Banks are slowly moving from mono-channel to multi-channel, meaning that they interact with customers and offer services on multiple channels. Hence, integration, performance, functionality, and security are the most essential areas that require adequate validation.

There is significant growth in API channels; at Yethi, we have witnessed several instances where banks requested upwards of a thousand APIs for their partner networks. Our partners have contacted us to build an infrastructure that could validate these APIs. CIOs may face challenges if somebody releases a patch set in a multiply interconnected network, which could disrupt ongoing processes. Banks need to protect their reputation, as any of these instances could cause heavy damage to their business flow.

Improving core banking implementation with a viable performance test approach

Core Banking

Banks and financial institutions are evolving to be more customer-friendly. They no longer need complicated applications and software, bulky systems, or multiple platforms to store customer and bank data, simply because these no longer serve the purpose. Hence, they opt for core banking solutions, which help them bring all data onto a uniform platform and be more strategic and organized in maintaining it.

Core banking implementation is a transformation journey for financial institutions, but 7 out of 10 banks go through many challenges during the different stages of the implementation project. These challenges include non-functional aspects such as stress, performance, and security penetration testing. Let us look at the consequences of skipping these mandatory checks: on a few specific days, banks may see a sudden spike in traffic, which can put an extreme load on the system and lead to performance failure.

In the past, several incidents were recorded where customers were affected and disappointed by system performance failures. No bank can guarantee to function as usual under a massive surge in digital transaction volumes. Banks have realized the importance of testing the non-functional aspects of their systems, so today it is an essential and integral part of any large-sized and mid-sized transformation project for banks.

We are still some way from fully realizing what performance testing means for a bank or financial institution. This article serves as a reference for improving core banking implementation with appropriate testing methodologies and a test automation approach. I will also explain why it is a critical exercise that cannot be cast aside until the last minute.

The important aspects of non-functional testing

A statistical report published by Gartner reveals that the average cost of IT downtime is around $5,600 per minute, which amounts to about $300,000 per hour on average. The calculation excludes regulatory penalties and reputational damage. This leads organizations to deliberate at length on preventing downtime in production. Load testing helps an organization confirm that its systems are ready to take the usage load, up to capacity, in production.

Knowing the objectives of performance testing

Performance testing measures system behavior and response during peak activity hours. It ensures the consistency of the systems even under high load. Performance testing also ensures that system performance does not deteriorate over time under average load and continuous usage. It determines system sustainability, and any performance bottleneck detected during testing must be reported and documented immediately. Performance testing also validates that the load is uniformly distributed across the different architectural layers of the product. It also ensures that the system allows access by multiple users at the same time and scales to accommodate more users in the same session.

Performance testing scope

Performance testing is an essential process for a core banking implementation project and its production lifecycle. It must cover all types of process activity, including online transaction processing from system interfaces and various channels, same-day uploads, end-of-cycle batches, and data migration from legacy systems.

There are two methodologies for testing core banking implementations: automated load testing and business simulation. In this article we will specifically talk about the first.

Automated load testing

There are four phases of the automated load tests for performance testing.

  1. Designing phase

In the designing phase, the team gathers the requirements and studies them thoroughly to understand the scope and functionality of the application. They understand the performance requirements from a business viewpoint and analyze the matrix of business volumes and historical data. The team finalizes the performance testing goals and objectives based on these requirements and finally defines what counts as acceptable results. The automated load tests are designed, followed by an appropriate action plan.

  2. Building phase

Channel and batch test scripts are prepared for the different business scenarios common to the user interface, and are used to simulate load on the application tiers. An initial sanity check of the application is conducted after the data is migrated and uploaded onto the performance test platform. If any historical data remains to be created, it is injected into the system. During the build phase, the team configures the monitoring tools that gather system performance metrics for the testing window.

  3. Executing and diagnosing

The performance test is executed to validate the environmental configuration and application performance behavior. The executing and diagnosing stage leads to an optimized environment for the final measurement run. Repeated performance testing is conducted to evaluate application performance behavior. There are three possible iterative stages that can be configured, and between each of them the team resets the performance test environment and re-runs the test.

  • Stage 1

System behavior is recorded by executing specific functions at peak load. If any errors or flaws are noticed in the environmental or application configuration, they are immediately reported to the respective stakeholders for upgrade to obtain maximum throughput.

  • Stage 2

In stage two, system behavior is recorded along with the simulation of an integrated business scenario. As in stage one, any errors or flaws in the environmental or application configuration must be reported to the respective stakeholders for upgrade to obtain maximum output.

  • Stage 3

The third stage is a final round of simulation in which all refinements, fine-tuning and fixes from earlier test rounds are applied and validated. Load testing is executed at peak hours to ensure the resilience and stability of the system through volume runs, endurance runs, and stress tests.

  4. Measuring and evaluating

In the final measuring and evaluating phase, the system metrics are captured and measured. System testing is conducted to validate the metrics after the run, and the results are used to prepare the final performance test report.

Improving core banking implementation with Yethi’s testing services

At Yethi, we follow a strategic test objective. We capture non-functional requirements (NFRs), set up a testing environment, script use cases, build scenarios, execute the tests, and prepare performance test (PT) documents based on reporting and analysis. We gather and analyze NFRs, perform a feasibility study, and identify performance test tools. We set up server tier deployment, populate the target database, set up external systems and licenses, and plan the performance test strategy. We develop load test scripts, design load test scenarios, create test data, and identify and build volume, soak, and stress scenarios. We determine and define the injector profile for injector deployment and timelines. We execute sanity, volume, isolation, stress, soak and load balancing tests.

When it comes to reporting and analysis, we collect data samples, determine test outcomes by comparing them with expected performance, and maintain result reports and dashboards for all types of tests. We focus on the following:

  • Baseline Test – Measures the current performance metrics.
  • Load Test – Creates demand on a system and measures its response.
  • Stress Test – Determines the stability of the system by testing beyond normal operational capacity.
  • Soak Test – Runs at high levels of load for prolonged periods.
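The four test types in this list, and the throughput, response-time and error objectives described under "Knowing the objectives of performance testing", as one added example that is not Yethi's tooling or the article's own code: a small load injector drives a stand-in service with a configurable number of virtual users for a fixed duration, reduces the samples to requests, throughput, p95 latency and error rate, and checks them against an SLO. The service behaviour, the profiles and the SLO values are all constructed for the example; real soak runs last hours, not seconds.

```python
import math
import random
import threading
import time
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    users: int         # concurrent virtual users (the load injectors)
    duration_s: float  # how long the load is sustained


@dataclass
class Slo:
    p95_ms: float          # 95th-percentile response time target
    max_error_rate: float  # allowed fraction of failed requests


def simulated_service(concurrency, rng):
    """Stand-in for the application under test (constructed behaviour): response
    time grows with concurrency, and above about 20 users an increasing share of
    requests fails. Returns True for a successful request."""
    time.sleep(0.002 + 0.0005 * concurrency)
    failure_probability = max(0.0, (concurrency - 20) / 40)
    return rng.random() >= failure_probability


def percentile(values, pct):
    """Nearest-rank percentile; values need not be sorted."""
    ordered = sorted(values)
    rank = max(0, math.ceil(pct / 100 * len(ordered)) - 1)
    return ordered[rank]


def summarize(latencies_ms, ok_flags, elapsed_s):
    """Reduce raw samples to the metrics a performance test report is built from."""
    n = len(latencies_ms)
    return {
        "requests": n,
        "throughput_rps": n / elapsed_s if elapsed_s else 0.0,
        "p95_ms": percentile(latencies_ms, 95) if n else float("inf"),
        "error_rate": 1 - sum(ok_flags) / n if n else 1.0,
    }


def evaluate(summary, slo):
    """Compare a summary with the SLO; returns (passed, reasons)."""
    reasons = []
    if summary["p95_ms"] > slo.p95_ms:
        reasons.append(f"p95 {summary['p95_ms']:.1f} ms exceeds {slo.p95_ms} ms")
    if summary["error_rate"] > slo.max_error_rate:
        reasons.append(f"error rate {summary['error_rate']:.2%} exceeds {slo.max_error_rate:.2%}")
    return (not reasons, reasons)


def run_profile(profile, seed=0):
    """Drive the simulated service with profile.users threads until the profile's
    duration elapses, recording latency and success for every request."""
    latencies, oks, lock = [], [], threading.Lock()
    deadline = time.monotonic() + profile.duration_s

    def virtual_user(user_id):
        rng = random.Random(seed + user_id)
        while time.monotonic() < deadline:
            t0 = time.monotonic()
            ok = simulated_service(profile.users, rng)
            dt_ms = (time.monotonic() - t0) * 1000
            with lock:
                latencies.append(dt_ms)
                oks.append(ok)

    threads = [threading.Thread(target=virtual_user, args=(i,)) for i in range(profile.users)]
    start = time.monotonic()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return summarize(latencies, oks, time.monotonic() - start)


# Baseline (one user), load (expected peak), stress (beyond capacity) and soak
# (peak load held for a long time; shortened here so the demo finishes quickly).
PROFILES = [Profile("baseline", 1, 1.0), Profile("load", 10, 2.0),
            Profile("stress", 40, 2.0), Profile("soak", 10, 10.0)]

if __name__ == "__main__":
    slo = Slo(p95_ms=25.0, max_error_rate=0.01)
    for profile in PROFILES:
        summary = run_profile(profile)
        passed, reasons = evaluate(summary, slo)
        verdict = "PASS" if passed else "FAIL: " + "; ".join(reasons)
        print(f"{profile.name:9} {summary['requests']:5d} req "
              f"{summary['throughput_rps']:7.1f} rps p95={summary['p95_ms']:.1f} ms "
              f"err={summary['error_rate']:.1%} -> {verdict}")
```

Running the four profiles in order shows the progression the article describes: the baseline establishes the reference numbers, the load profile should still meet the SLO, the stress profile is expected to breach it and reveals where the system degrades first (latency or errors), and the soak profile catches drift that only appears when the load is held.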

Our performance test management is based on test execution and analysis, and on transaction capture and analysis. We capture and analyze transactions from the application under test (AUT) by pulling data from the web server, app server, and database server, and execute tests and analyses across the various server systems through load injection and KPI monitoring. Our test management module focuses on creating and executing performance test scenarios, and on creating scenarios for different end-user activities against the AUT.

We offer load injection and KPI monitoring as dedicated services to generate requests against the AUT, simulating concurrent virtual users executing the specified use cases. Through load injection and KPI monitoring, we collect performance metrics from all metrics collection agents and store them in the performance metrics repository. Load test results collected by the controller are stored in the result repository database. We execute performance testing for the application under test and its components.