PSD2: next generation of payments and…fraud

Moreover, the discussion focused on understanding the new requirements under PSD2, and why responsibility in fraud prevention for merchants PSPs is changing. But first…

Could you introduce Ravelin to our readers?

Ravelin is an award-winning fraud detection and prevention platform for online merchants and the payments industry. We use many different technologies in the pursuit of fraud, but primarily combine machine learning and link analysis with the client’s expertise and ours. Our team balances reducing fraud risk with removing friction for trusted customers.

Why do you think PDS2 is so transformational for the payments industry?

What I like most about PSD2 is the fact that it is so focused on consumers. In this industry, we often lose a bit of perspective by getting too caught up in the numbers. We need to make sure we understand what drives the consumer and continue to serve their needs as they evolve.

PSD2 also gives us a new kind of focus on the security aspects of online payments, similarly to GDPR and the increased focus on data protection. While this presents some significant challenges for the payments industry, it will create major benefits for consumers.

Even though the open banking aspect of PSD2 gets the most attention, the impact on security and authentication for other industry players is perhaps the most transformational.

What has changed for PSPs from a fraud detection and prevention perspective?

At the heart of PSD2 is a drive to tackle the fraud problem in online payments. In practice, this will mean requiring strong customer authentication (SCA) for the majority of online transactions. For example, every time I use my card or another payment instrument to pay online, I will need to be able to authenticate before I authorise the payment to prove that it is indeed myself, the actual Martin Sweeney, who is really making the payment.

Although experiences vary, the ecommerce industry dislikes SCA, especially in its current guise of 3D Secure. The feeling (with much data to support it) is that it causes a significant drop-off in conversion. Until now, smarter merchants have sidestepped the issue by only requesting 3D Secure for the riskiest orders, and assuming liability for everything else. For payments under PSD2, merchants will no longer be liable for unauthorised transactions, but will also no longer have the choice to accept low-risk transactions without SCA.

So will this mean SCA for every transaction?

This is where things get interesting - and complicated. PSD2 already contains an exemption for transactions under EUR 30, as with offline contactless payments. There is also an exemption for transactions determined to be low-risk, which means if you have exceptionally low fraud rates, you will be able to exempt a significant number of transactions from SCA. But it will be up to a regulated PSP (such as an acquirer), not the merchant. Since the ability to accept as many transactions as possible without SCA will help merchants create more frictionless buying experiences and maximise conversion, PSPs with robust and effective fraud controls will be able to add more value to their clients.

You have just launched a product specifically for PSPs, therefore what would you say are the biggest challenges that they face when complying with regulation?

A basic requirement is a really good support for SCA. From next September (when the regulatory technical standards of PSD2 are expected to come into force), a merchant who does not support SCA will see more transactions declined. A PSP who does not support SCA will get into trouble with the regulatory authorities.

Competitive advantages will be gained and lost over the ability to exempt transactions from SCA. Keeping fraud below the aggressive reference fraud rates required to use low-risk exemptions to SCA will be challenging, and only the PSPs with the best transaction risk analysis (TRA) mechanisms will be able to offer their clients the benefit of higher conversion.

Of course, not everything is set in stone here and the requirement to apply fraud rates across a PSPs whole portfolio may fall under pressure from the industry. For instance, we have already seen Stripe start to lobby for enforcing fraud rates on a per-merchant basis. Whether or not these efforts succeed, having the right technology in place to optimise for maximising acceptance while keeping fraud below the required thresholds will be key for all PSPs/Acquirers, and this is precisely what the Ravelin platform is designed to offer.

Auditability also comes into focus here. Helping PSPs develop and demonstrate an effective mechanism for transaction risk analysis is innate in Ravelin anyhow. Interestingly, while regular audits are not be negotiable, the constituent parts of that audit are - even to the extent of defining how fraud rates are determined. Ravelin will work with PSPs to develop best practice here.

From what you have said, as a merchant you have two options: you either comply and do a really good job or offer 3D Secure. Do you see other stronger customer authentication solutions popping up besides 3D Secure?

All European merchants will need to support SCA, and 3D Secure (3DS) is frankly no longer fit for purpose. Over the next three years, we expect SCA requirements to drive a dramatic improvement in authentication methods, from the adoption of 3DS 2.0 for card payments, to a range of authentication protocols for alternative payment methods.

3DS 2.0 will certainly bring much-needed improvements in security and user experience, but will require mass adoption by issuers, merchants and PSPs. Making sure this happens is a big task for all of us.

How will payments look like after PSD2, in your opinion?

It’s incredibly difficult to know, but we will see some big changes. I personally hope to see more open banking-type payments and direct bank-to-bank transfers initiated by payees between banks; this is an interesting part of PSD2 that not enough people are talking about. Right now, this still has some implementation issues that need consideration - perhaps the subject of another interview.

It will also be interesting to see how PSPs work with merchants to achieve the aggressively low fraud rates required for low-risk exemptions to SCA. While acquirers will have the ability to request an exemption, merchants and intermediaries have more data to make an informed decision on risk. The merchants and PSPs who find ways to work closely together to analyse transaction risk will gain a major competitive advantage under PSD2.

My advice to acquirers and other PSPs is to start laying the groundwork for this now to avoid a cliff-edge next September. For merchants, you should ask your PSPs how they will help you through this and if you don’t get a good answer, consider taking your business elsewhere to continue providing the best customer experience possible.

About Martin Sweeney

Martin is the CEO and co-founder at Ravelin. In addition to the usual governance responsibilities of a CEO, Martin has been deeply involved in the product direction and development at Ravelin, a passion going back to his days in consumer apps (and rocket science). Martin is a keen fisherman though with three young children not so much these days.

About Ravelin

Ravelin prevents fraud and protects margins for online businesses. Companies all over the world are accepting more transactions with fewer chargebacks thanks to our unique machine learning-based approach to fraud prevention. By automating standard fraud tasks, fraud teams can spend time focusing on the root causes of fraud instead of day-to-day review of transactions.