Reconciling consent in PSD2 and GDPR - Exclusive interview with CA Technologies

Wednesday 23 January 2019 00:55 CET | Interview

James Rendell, CA Technologies: With the PSD2 regulation and new rules from card associations, authentication has become the brightest target on the ecommerce radar

Ecommerce continues to grow at an astounding rate – and so does online fraud. According to Javelin Research, card-not-present (CNP) fraud accounts for 81% of total fraud, representing billions of dollars in losses annually. To address this crisis, the industry is taking a fresh look at transaction authentication.

Why has authentication become such a hot topic?

First, let’s compare Europe and North America because the landscape and the drivers are a bit different. In Europe, PSD2 is making it a legal requirement to apply authentication to any type of remote electronic interaction that carries a risk of fraud. In North America, the focus is more on optimising the customer experience by moving toward the frictionless checkout.

The card associations – Visa, Mastercard, and American Express – are also introducing global rules to make the use of these authentication programmes mandatory. Thus, ecommerce purchase authentication is critical in both geographies.

With the PSD2 regulation and new rules from the card associations, authentication has become the largest, brightest target on the ecommerce radar. And it’s happening just as the 3-D Secure authentication protocol is launching. So the timing of EMV 3DS is spot-on.

Because we co-invented the 3-D Secure protocol, and we’re one of the few providers that have been running the platform for 20 years, we can help get you there in the most efficient way. And I should add that we were the first to authenticate an EMV 3DS transaction.

How is artificial intelligence changing the authentication experience?

AI can evaluate any given transaction, using its unique contextual and transaction data. Whether it’s a log-in event, a shopping transaction, or a new-product application, analytics can make a fine-grain decision about its implied or inherent risk. This is important for both driving out fraud and providing frictionless experiences.

This intelligence, grounded in the ecommerce space, is a uniquely powerful consortium dataset to have. In the end, virtually every online crime, whether an account takeover, identity theft, or a malware compromise, ends up in a fraudulent payment attempt somewhere – often through the use of stolen user credentials such as online banking or card details.

On top of this, competing across multiple digital channels is very important to our customers. By providing a central, omnichannel platform for authentication of card and non-card ecommerce payments, we make it possible to manage these risks and customer experience demands.

What kinds of data do you need for risk analytics?

To be useful across geographies, analytics needs a really good consortium dataset. You need the largest possible pool of globally diverse risk and fraud data to draw on. But there’s a common misconception that this data invades privacy, which is not the case. All the data we use for predictive modelling is anonymised to ensure that consumer privacy is protected. It is the patterns of use over time that are important, and the profiles that accumulate these patterns cannot be tied back to an individual.

Predictive analytics is actually a well-established fraud prevention discipline. It extended into the ecommerce 3-D Secure scene a decade ago, which is when the focus on gathering data to support its development became our core business. We have the longest established dataset in the ecommerce payment fraud field and we believe we have the largest market share of issuers in this space. 

We service more than 13,000 card portfolios and well over a billion transactions a year. Having a globally diverse, large consortium of data for the analytics to chew on, as it were, is really important. Otherwise, you end up with predictive analytics that are trained out of very limited datasets, useful only for point problems.

How do you build an AI engine to fight fraud?

Certainly, the most important factor is that we employ a group of world-class data scientists with, when you add it all up, hundreds of years of experience in payment fraud.

You need this kind of expertise in knowing how to apply the techniques of data science. It’s easy to make mistakes and misapply them, and there are plenty of war stories where a model was being biased the wrong way.

In the end, the more data you have, the more powerful the offerings you can build based on predictive analytics. It’s about how you leverage data to build the advanced machine learning needed to optimise user experience and drive out fraud – while protecting consumer privacy at the same time.

This interview was first published in the Web Fraud Prevention, Identity Verification & Authentication Guide 2018-2019. The Guide covers some of the security challenges encountered in the ecommerce, banking, and financial services ecosystems. Moreover, it provides payment, fraud, and risk management professionals with a series of insightful perspectives on key aspects, such as fraud management, identity verification, online authentication, and regulation.

About James Rendell

James Rendell heads Payment Security Strategy and Product Management for CA Technologies. James is a recognised fraud and security expert, covering topics such as mobility, cryptography, ecommerce, and network and infrastructure security.



About CA Technologies

CA Technologies, a Broadcom company, is an industry leader in payment and identity fraud prevention, with friction-free transaction authentication powered by patented artificial intelligence. As a pioneer in analytics for online fraud, CA delivers a unique 360º view of transactions for issuers, processors, and merchants, across all payment schemes. Learn more at


Keywords: CA Technologies, PSD2, GDPR, James Rendell, authentication, ecommerce
Countries: World