This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.
Payment management is becoming strategic for ecommerce. Merchants are striving to streamline the customer journey as much as possible to convert more customer visits into sales. A seamless payment experience is essential to achieve that. At the same time, however, card-not-present (CNP) fraud has been rising at a rate commensurate with the growth in ecommerce as a whole.
Regulators around the world are mandating secure customer authentication (SCA) to protect consumers from online fraud. In Europe, the PSD2 requires payment service providers (which include banks, e-money providers, and payment institutions) to apply SCA for all electronic payments initiated by the payer (such as card payments and credit transfers) above EUR 30, unless the payment qualifies as low risk. So how to balance the demand for a “click and pay” experience with the requirements for secure payments?
Mobile commerce requires a seamless user experience
Fraud prevention techniques often require step-up authentication e.g., via a one-time password, introducing friction in the checkout process. This tension between security and customer experience has been aggravated by the rise of mobile commerce. The mobile customer, while on the move and working on a smaller screen, has even less tolerance for security methods that make the checkout process inconvenient and clunky.
A recent survey that Aite Group and Mobey Forum conducted (see the report: Authentication in M-Commerce: Balancing Risk and Experience, November 2017) confirms that the user experience is considered to be the most important criterion for merchants when they evaluate their approach to payment transactions.
Risk based authentication: best of two worlds
Payment companies have found a solution for the customer experience versus security conundrum in risk based authentication (RBA).
With RBA, the company will test the transaction against a series of parameters in real time—e.g., the device used by the customer, the IP address, the location, and the typical behaviour of the customer. If no anomalies are found, the transaction can be approved without invoking step-up authentication, allowing a smooth payment experience for the majority of legitimate transactions. As it comes to the effectiveness of RBA, almost half of the survey respondents that implemented RBA solutions said that 70% or more of m-commerce payments were approved without requiring a second factor.
Figure 1: Effectiveness of Risk-Based Authentication
Source: Aite Group and Mobey Forum online survey with 76 executives (November 2017)
So RBA works well in practice, but how does it fit in with the PSD2 SCA requirements?
PSD2 allows for RBA exemption
The PSD2 has included an exemption for the application of SCA that allows PSPs to implement RBA (called “transaction risk analysis”) under certain conditions. The amount, or “exemption threshold value (ETV)”, that it applies to depends on the PSP’s fraud rate for remote card-based payments and credit transfers, respectively. The maximum ETV is EUR 500 (see Table 1).
Table 1: SCA Exemption Using Transaction Risk Analysis
The lowest reference fraud rate for remote card-based payments of 0.13% seems achievable for PSPs. In 2016, the UK reported an average ecommerce fraud rate of 0.124%, suspiciously close to the lowest threshold in the EBA’s table (see: Fraud the Facts 2016: The Definitive Overview of Payments Industry Fraud). That would mean that the threshold for (mandatory) multi-factor authentication can be raised to EUR 100, well above the average value of ecommerce transactions (EUR 67).
Online stores selling high value products (such as electronics stores, or travel agents) would still be required to apply multi-factor authentication for a large share of their transactions. But perhaps the issue is a temporary one. Consumers may get used to SCA over time, as all PSPs and merchants will have to apply it. New techniques such as biometric authentication could reduce the burden of SCA, at least for the m-commerce environment.
Respondents to the survey appeared to have mixed opinions on this issue, but only a minority thought that SCA will have high impact on merchant sales.
Conclusion
Merchants are advised to work with the best PSPs to reduce their average fraud rate and make use of the exemptions that the PSD2 provides for RBA. Still, more transactions will require SCA under the PSD2 rules, but as consumer behaviour adjusts to its use, and new techniques such as biometrics reduce the friction, merchants will be able to keep their customers happy with a seamless and secure checkout experience.
About Ron van Wezel
Ron van Wezel is a senior analyst for Aite Group’s Retail Banking & Payments practice. His research covers market and regulatory trends in the payments space, with a focus on Europe.
About Aite Group
Aite Group is an independent research and advisory firm focused on business, technology, and regulatory issues and their impact on the financial services industry. Headquartered in Boston, Aite Group works with its clients as a partner, advisor, and catalyst, challenging their basic assumptions and ensuring they remain at the forefront of industry trends.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now