By Ian Newns
The European Banking Authority recently drafted the latest Directive on Payment Services II (PSD2), which serves as the legal foundation for a cross-EU payments market. In 2016, European e-commerce sales are expected to increase 17% to €183 billion and the use of payment service providers (PSPs) is increasing significantly. Couple this with the changing attitudes around Internet banking and push payments, it is no surprise that the directive is coming out at this time, as the payments market is changing at such a rapid pace.
A new standard is being defined for the market. But does PSD2 take Card Not Present (CNP) payments in the right direction?
Within the latest draft, one of the key elements is the requirement for strong consumer authentication (i.e., to challenge the customer with further authentication methods) for all transactions except those under a certain monetary threshold. In my experience, strong customer authentication is most often to the detriment of the vast majority of customers.
RSA have been providing a risk-based 3D Secure solution to card issuers for CNP transactions since 2004. The original password-based 3D Secure protocol (v1.x) added much friction into the transaction and consequently suffered greatly from a lack of user adoption. This, plus the prevalence of new payment methods like mobile and eWallet, have led the industry to call for an updated protocol. Led by EMVCo, industry leaders and security vendors came together to develop the long-awaited, and recently released 3D Secure 2.0 protocol which eliminates static passwords and recommends a risk-based approach for card-not-present transactions (and several other new enhancements).
With a risk-based approach, every transaction is still evaluated to ascertain if it should be flagged as suspicious or potentially fraudulent. For most issuers, a typical fraud rate is <1-2%, so it is imperative to be able to identify only the highest risk transactions to challenge for further authentication. In RSA's solution, ~95% of transactions are authenticated without additional end user input. RSA consistently boasts a consistent fraud detection rate between 92-95% at a 3-5% challenge rate with very low false positives.
So, what will strong customer authentication mean for card issuers?
We have seen first-hand at a major UK bank, when we moved away from mandatory password-based authentication for all transactions, we saw a 4% increase in transaction success rate as a result of improved customer experience. This translates to a 4% growth in transaction volumes, not only for issuers, but also for the merchants, the card schemes and the acquirers, and let's not forget - the happy customers! Put another way, if we add friction to the end user experience, we stand to lose 4% of sales. That is not a figure any provider in the e-commerce ecosystem wants to be reporting to their key stakeholders.
But what about the increased fraud, I hear you ask. We actually found that risk-based authentication (focused challenges vs. a challenge all approach) improved fraud detection rates for this bank! Now, a quick point to note - passwords are inherently vulnerable, and are not recommended by the EBA. However, they are arguably less intrusive than other "recommended" authentication methods such as carrying a token with a randomly generated number (great for enterprise use cases, but not conducive for a large consumer-based deployment). I would expect a similar trend for other authentication methods.
Issuers, merchants, acquirers, card schemes and, especially, cardholders benefit tremendously from a risk-based approach. Less fraud and less friction is a win-win combination.
Despite the successes from this approach, there is always room for even higher fraud prevention rates with improved omni-channel visibility. Let's look at a card-issuing bank in the UK. The bank's view of your digital signature starts at application, and is reinforced through every interaction you have with them, every time you log into online banking and every time you carry out a CNP transaction online. In isolation, the new motorbike being purchased may look like a high risk transaction. However, when you cross-reference, you realize that the same iPad was used to open the credit-card account giving you much greater confidence that the transaction is being performed by the legitimate cardholder. Do you really need to require the user to "get something you have" out of his or her pocket to authorize this?
I believe we are heading towards an environment where vendors can't sell products anymore. The proposed recommendations in the latest PSD2 draft being offered by the EBA are counterproductive to the goals of the 3D Secure 2.0 protocol - to provide strong authentication and a friction-less cardholder experience. It took more than ten years, but issuers and merchants learned that a challenge all approach did not work and thus a major change was necessary.
Such is the nature of the technology required to address the ever-changing fraud threat, organisations have to have incorporate layered fraud prevention using a number of different vendors' products. Vendors will need to do much more to provide components that fit neatly into the organisation's architecture to address a specific problem.
My challenge to the EBA is to look at the bigger picture, and not just the transaction in isolation. Of course, they will cite the fact that not all PSPs are equipped with the resources and the data available to big banks. This may be true, but the directive needs to be flexible enough to adapt to that. Don't penalize the issuers, the merchants, the card schemes, the acquirers - and most importantly, customers - by introducing unnecessary friction that won't do anything to improve the fraud prevention rate.
Author: Heidi Bleau
Category: RSA Fundamentals, Blog Post
Keywords: Authentication, Consumer Security, Cybercrime, Cybercrime and Fraud, Fraud