By Ian Newns, Senior Business Solutions Architect EMEA, RSA and Nathan Close, Head of Solutions Engineering EMEA, RSA.
The European Banking Authority recently drafted the latest technical standards for the Payment Services Directive II (PSD2), which serves as the legal foundation for a new cross-EU payments market. In 2016, European e-commerce sales are expected to increase 17% to €183 billion and the use of payment service providers (PSPs) is increasing significantly. Couple this with the changing attitudes around Internet banking and online payments, it is no surprise that the directive is coming out at this time, as the payments market is changing at such a rapid pace.
A new standard is being defined for the market. But does PSD2 take Card Not Present (CNP) payments in the right direction? Within the latest draft, one of the key elements is the requirement for strong customer authentication for all transactions except those under a certain monetary threshold. However, strong customer authentication is most often to the detriment of the convenience for customers.
The inclusion of CNP transactions
The original password-based 3D Secure protocol (v1.x) added too much friction into the transaction and consequently suffered from a lack of user adoption. This, plus the prevalence of new payment methods like mobile and eWallet, have led the industry to call for an updated protocol. Led by EMVCo, industry leaders and security vendors came together to develop the long-awaited, and recently released 3D Secure 2.0 protocol which eliminates static passwords and recommends a risk-based approach for card-not-present transactions (and several other new enhancements).
With a risk-based approach, every transaction is still evaluated to ascertain if it should be flagged as suspicious or potentially fraudulent. For most issuers, a typical fraud rate is <1-2%, so it is imperative to be able to identify only the highest risk transactions to challenge for further authentication.
The impact of customer authentication for card issuers
A major UK bank, found that when it moved away from mandatory password-based authentication for all transactions, it realised a 4% increase in transaction success rate as a result of improved customer experience. This translates to a 4% growth in transaction volumes, not only for issuers, but also for the merchants, the card schemes and the acquirers, and most importantly the customers. However, if friction to the end user experience is added, it’s possible to lose 4% of sales. That is not a figure any provider in the e-commerce ecosystem wants to be reporting to their key stakeholders.
Experience from the field
What about the increased fraud? We’ve found that risk-based authentication can improve fraud detection rates when compared to 100% authentication. Issuers, merchants, acquirers, card schemes and, especially, cardholders benefit tremendously from a risk-based approach. Less fraud and less friction is a win-win combination.
Despite the successes from this approach, there’s always room for even higher fraud prevention rates with improved omni-channel visibility. For example, when looking at card-issuing banks in the UK, the bank’s view of a digital footprint starts at application for the new card account, and is reinforced through every interaction the customer has with them. This includes every time a user logs into online banking and every time a CNP transaction is carried out online. In isolation, an expensive watch being purchased online may look like a high-risk transaction. However, when cross-referenced, the bank will see it’s the same device from the same location that was used to open the credit-card account giving them much greater confidence that the transaction is being performed by the legitimate cardholder. Is it necessary for the user to get up and go find the hardware token to authorize a low risk transaction?
What the future holds
The EBA is being overwhelmed by the amount of responses to the technical standards consultation. The industry is saying that the proposed technical standards are counterproductive to the goals of the PSD2 and even the 3D Secure 2.0 protocol – to provide strong customer authentication and a friction-less customer experience. In the card not present space it took more than ten years, but issuers and merchants learned that a challenge all approach did not work and thus a major change was necessary.
Such is the nature of the technology required to address the ever-changing fraud threat, organisations must incorporate layered fraud prevention using a number of technologies. Vendors will need to do much more to provide components that fit neatly into the organisation’s architecture to address a specific problem.
To challenge the EBA, it’s necessary to look at the bigger picture, and not just the transaction in isolation. Of course, they will cite the fact that not all PSPs are equipped with the resources and the data available to big banks. This may be true, but the directive needs to be flexible enough to adapt to that. Don’t penalise the issuers, the merchants, the card schemes, the acquirers – and most importantly, customers – by introducing unnecessary friction that won’t do anything to improve the fraud prevention rate.