The combat against fraud was an important and recurring topic at the recent MPE, and not without reason. Card-not-present (CNP) fraud remains a focal point of attention for merchants and PSPs. For instance, in the single euro payments area (SEPA), CNP fraud is claiming an increasing share of total fraud.
The market has responded with a number of innovations in fraud detection and prevention, according to a joint report between MPE and Aite, such as 3-D Secure, biometrics, risk-based authentication, tokenization of sensitive data, and advanced risk analysis systems using artificial intelligence.
These developments have successfully contributed to containing fraud. According to the ECB, the data suggest that CNP fraud grew at a lower rate than CNP transactions as a whole within SEPA.
Nevertheless, the share of CNP fraud in the total value of fraud amounted to 73% of total card fraud losses in 2016. In that year, the total value of CNP fraud increased by 2.1% compared to the previous year, reaching €1.32 billion.
To combat fraud more effectively, the European Commission decided to strengthen the security requirements for electronic payments with the Secure Customer Authentication (SCA) requirements under PSD2. SCA requires two factor authentication of all electronic transactions, unless these can be considered “low risk,” and exemptions apply.
However, as it stands many think SCA will add more friction to the payment process, particularly for e-commerce. Merchants and their PSPs need to define their strategy to implement the SCA requirements while maintaining a superior user experience for their clients.
SCA: How to minimise conversion risk
The SCA requirements mean that buyers will experience many more stepped-up authentications than they do today. Aite Group estimates that, on average, the number of stepped-up authentications will double.
This may expose merchants to the risk of cart abandonment and loss of sales if the new process is not properly managed. Merchants and acquirers have several tools available to reduce conversion risk as much as possible.
This will involve a multilayered approach with the dual purpose to reduce the number of transactions that require SCA and offer the best user experience for the remaining transactions that require SCA.
Merchants can do the following to minimise conversion risk:
Offer non-regulated payment methods:
The SCA requirements only apply to electronic payments that are initiated by the payer. Merchants can offer their clients payment options that do not fall under the SCA requirements because they are initiated by the payee (merchant), such as direct debits.
Apply transaction risk analysis and other SCA exemptions to filter out low-risk transactions:
PSD2 allows for several exemptions to filter out low-risk transactions that do not require SCA. One of these exemptions is transaction risk analysis (TRA), which was discussed at length during the conference. TRA can be used to spot abnormal spending or behavioral patterns, changes in the user’s device, suspected location of the payer and/or the payee, and other criteria. The application of the TRA exemption depends on the average fraud rate of the acquirer and, ultimately, the issuer. This means that the average fraud rate of the PSP can become a competitive differentiator.
Other exemptions are allowed as well—e.g., for low-value transactions, recurrent transactions for the same amount to the same beneficiary, or the option to whitelist a merchant as a trusted beneficiary. The issue is that the PSPs involved in the transaction choose if and how these exemptions are implemented. The expectation is that many banks will not support some or all of the exemptions by the September deadline, as these are not a mandatory part of the SCA requirements. The new normal post-SCA reality is that merchants will not be able to fully guarantee or control their customers’ checkout experience.
Optimize the user experience for transactions that require SCA:
Even after applying the filters mentioned before, many transactions will still require stepped-up authentication. Fortunately, new tools have become available to offer a smooth user experience, at least for card transactions. EMVCo’s redesign of the 3-D Secure protocol, called 3DS 2.0, will be the primary method to comply with SCA requirements for card payments. It enables issuers to make more informed decisions based on data provided by merchants and acquirers.
A liability shift for 3DS 2.0 comes into force in April, whereby any member that does not support 3DS 2.0 will automatically have liability for that transaction. A central feature of 3DS 2.0 is the ability for merchants to share far more data with issuers, allowing issuers to make more informed authentication decisions. 3DS 2.0 is also capable of seamlessly integrating with mobile apps as well as browser-based environments. This allows for integration with mobile authentication solutions, including issuer-provided solutions and third-party-provided solutions such as Apple Pay.
Is the market ready for SCA?
Major concerns were raised about the ecosystem’s readiness for SCA. Mastercard recently conducted a quantitative survey among European merchants to understand to what extent small and midsize e-commerce merchants are aware of and prepared for PSD2’s SCA requirements.
The results indicate that awareness is low, particularly among small merchants. Only 25% of European online merchants say they are aware of SCA requirements under PSD2. Only 14% of European online merchants already support SCA, and another 28% mention that SCA will be ready in September 2019.
The survey also found that 24% of European online merchants interviewed have no plans (yet) to support it. Issuer support of 3DS 2.0 may also be limited by September 2019. Participants feel that there is a real risk that customers may have completely different checkout experiences with the same merchant depending on the issuer.
They feel that consumers may quickly work out which of their cards supports the best experience and will thus incentivise issuers to move to 3DS 2.0.
The post Fraud & friction: Is the payments market ready for SCA appeared first on Payments Cards & Mobile.