Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Wednesday, 1 February, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

PSD2 and the e-commerce system

by The Gurus
March 6, 2017
in This Week's Gurus
Share on FacebookShare on Twitter

By Ian Newns, Senior Business Solutions Architect EMEA, RSA and Nathan Close, Head of Solutions Engineering EMEA, RSA.
The European Banking Authority recently drafted the latest technical standards for the Payment Services Directive II (PSD2), which serves as the legal foundation for a new cross-EU payments market. In 2016, European e-commerce sales are expected to increase 17% to €183 billion and the use of payment service providers (PSPs) is increasing significantly. Couple this with the changing attitudes around Internet banking and online payments, it is no surprise that the directive is coming out at this time, as the payments market is changing at such a rapid pace.
A new standard is being defined for the market. But does PSD2 take Card Not Present (CNP) payments in the right direction? Within the latest draft, one of the key elements is the requirement for strong customer authentication for all transactions except those under a certain monetary threshold. However, strong customer authentication is most often to the detriment of the convenience for customers.
The inclusion of CNP transactions
The original password-based 3D Secure protocol (v1.x) added too much friction into the transaction and consequently suffered from a lack of user adoption. This, plus the prevalence of new payment methods like mobile and eWallet, have led the industry to call for an updated protocol.  Led by EMVCo, industry leaders and security vendors came together to develop the long-awaited, and recently released 3D Secure 2.0 protocol which eliminates static passwords and recommends a risk-based approach for card-not-present transactions (and several other new enhancements).
With a risk-based approach, every transaction is still evaluated to ascertain if it should be flagged as suspicious or potentially fraudulent. For most issuers, a typical fraud rate is <1-2%, so it is imperative to be able to identify only the highest risk transactions to challenge for further authentication.
The impact of customer authentication for card issuers
A major UK bank, found that when it moved away from mandatory password-based authentication for all transactions, it realised a 4% increase in transaction success rate as a result of improved customer experience. This translates to a 4% growth in transaction volumes, not only for issuers, but also for the merchants, the card schemes and the acquirers, and most importantly the customers. However, if friction to the end user experience is added, it’s possible to lose 4% of sales. That is not a figure any provider in the e-commerce ecosystem wants to be reporting to their key stakeholders.
Experience from the field
What about the increased fraud? We’ve found that risk-based authentication can improve fraud detection rates when compared to 100% authentication. Issuers, merchants, acquirers, card schemes and, especially, cardholders benefit tremendously from a risk-based approach. Less fraud and less friction is a win-win combination.
Despite the successes from this approach, there’s always room for even higher fraud prevention rates with improved omni-channel visibility. For example, when looking at card-issuing banks in the UK, the bank’s view of a digital footprint starts at application for the new card account, and is reinforced through every interaction the customer has with them. This includes every time a user logs into online banking and every time a CNP transaction is carried out online. In isolation, an expensive watch being purchased online may look like a high-risk transaction. However, when cross-referenced, the bank will see it’s the same device from the same location that was used to open the credit-card account giving them much greater confidence that the transaction is being performed by the legitimate cardholder. Is it necessary for the user to get up and go find the hardware token to authorize a low risk transaction?
What the future holds
The EBA is being overwhelmed by the amount of responses to the technical standards consultation. The industry is saying that the proposed technical standards are counterproductive to the goals of the PSD2 and even the 3D Secure 2.0 protocol – to provide strong customer authentication and a friction-less customer experience. In the card not present space it took more than ten years, but issuers and merchants learned that a challenge all approach did not work and thus a major change was necessary.
Such is the nature of the technology required to address the ever-changing fraud threat, organisations must incorporate layered fraud prevention using a number of technologies. Vendors will need to do much more to provide components that fit neatly into the organisation’s architecture to address a specific problem.
To challenge the EBA, it’s necessary to look at the bigger picture, and not just the transaction in isolation. Of course, they will cite the fact that not all PSPs are equipped with the resources and the data available to big banks. This may be true, but the directive needs to be flexible enough to adapt to that. Don’t penalise the issuers, the merchants, the card schemes, the acquirers – and most importantly, customers – by introducing unnecessary friction that won’t do anything to improve the fraud prevention rate.

FacebookTweetLinkedIn
ShareTweetShare
Previous Post

Are you paying attention to your threat intelligence’s shelf life?

Next Post

Understanding the threat from non-malware attacks

Recent News

JD Sports admits data breach

JD Sports admits data breach

January 31, 2023
Acronis seals cyber protection partnership with Fulham FC

Acronis seals cyber protection partnership with Fulham FC

January 30, 2023
Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information