Voice of the Industry

5 tips for guarding against fraud in the age of SCA

Tuesday 22 June 2021 07:32 CET | Editor: Simona Negru | Voice of the industry

The Strong Customer Authentication (SCA) requirement of PSD2 is designed to improve protection against fraudulent electronic payment transactions in the EEA and UK. Inevitably, fraudsters are doing their best to adapt to SCA and keep business thriving, says Mark Strachan, EMEA Managed Risk Principal at Cybersource.

Like any other business owners, fraudsters invest to keep pace with change and stay profitable. As the payments ecosystem has worked hard to educate consumers and merchants about PSD2 SCA, fraudsters will have used the same information to hone their tools and techniques.

Based on conversations with merchants, and trends in transaction data, we've come up with five tips to help merchants stay ahead of the fraudsters: 

1. Look out for new abnormalities

With transactions below EUR 30 considered 'low value' in SCA terms, some fraudsters are reducing their basket sizes to EUR 29, assuming they won't be stepped up for SCA. Merchants should be aware of this change in behaviour and ensure their fraud screening tool can help flag and manage these transactions and request to step them up as necessary. Merchants whose basket sizes are typically under EUR 30 should also be alert to the potential for increased fraud.

We've also seen more use of non-UK/EEA-issued cards for fraud with UK and EEA merchants, as these one-leg-out (OLO) transactions are considered out of scope for SCA. As well as monitoring BIN mismatches, merchants may want to request to step these transactions up for SCA if they display risky characteristics, or if margins make it worthwhile. Experienced fraud professionals can help guide your strategy here.

2. Re-evaluate promo code usage

Transactions using promo codes have historically been viewed as lower risk — associated with cost-conscious consumers, rather than with fraudsters who don't need discounts. Now, however, we're seeing promo codes being used in more fraudulent transactions — to take the basket size below EUR 30, or in the belief that promo code usage may make the transaction look genuine and so less likely to be stepped up for SCA.

This change in fraudster behaviour underlines why merchants should take a holistic approach to fraud, rather than viewing individual aspects in isolation.
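The signals from tips 1 and 2, combined into one screening rule as an added example (not Cybersource's or Decision Manager's logic). The record's field names, the EUR 3 near-limit band and the two-signal step-up policy are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")  # SCA 'low value' limit named in the article (EUR)
NEAR_LIMIT_BAND = Decimal("3")   # assumption: how close to the limit counts as suspicious
# EEA member states plus the UK (ISO 3166-1 alpha-2); cards issued elsewhere are one-leg-out.
SCA_REGION = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE "
    "IS LI NO GB".split()
)

@dataclass(frozen=True)
class Txn:  # hypothetical record; field names are assumptions
    basket_eur: Decimal     # basket value before any promo code
    discount_eur: Decimal   # value taken off by a promo code
    issuer_country: str     # from the card BIN
    billing_country: str    # supplied by the customer

def screening_signals(t: Txn) -> list[str]:
    """Return the risk signals from tips 1 and 2 that this transaction shows."""
    charged = t.basket_eur - t.discount_eur
    signals = []
    if LOW_VALUE_LIMIT - NEAR_LIMIT_BAND <= charged < LOW_VALUE_LIMIT:
        signals.append("just_under_low_value_limit")
    if t.discount_eur > 0 and charged < LOW_VALUE_LIMIT <= t.basket_eur:
        signals.append("promo_takes_basket_below_limit")
    if t.issuer_country not in SCA_REGION:
        signals.append("one_leg_out")
    if t.issuer_country != t.billing_country:
        signals.append("bin_country_mismatch")
    return signals

def request_step_up(t: Txn, min_signals: int = 2) -> bool:
    """Holistic rule (assumed policy): ask for SCA when several signals coincide."""
    return len(screening_signals(t)) >= min_signals

# Constructed sample transactions, not real data.
SAMPLES = {
    "plain_29": Txn(Decimal("29.00"), Decimal("0"), "GB", "GB"),
    "promo_olo": Txn(Decimal("45.00"), Decimal("16.00"), "US", "DE"),
    "normal_120": Txn(Decimal("120.00"), Decimal("0"), "FR", "FR"),
}

if __name__ == "__main__":
    for name, txn in SAMPLES.items():
        print(name, screening_signals(txn), request_step_up(txn))
```

A merchant whose baskets are typically under EUR 30 would see the near-limit signal fire on genuine orders, so for that case the band and the signal count need tuning against the merchant's own transaction history.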

3. Sharpen your focus on mobile 

Now that EMV 3DS (version 2.x of 3-D Secure) is available, merchants can deliver a better SCA experience on mobile devices, which may accelerate consumers' ongoing transition to mobile. Fraudsters will likely make the same migration as they imitate genuine customer behaviour.

Merchants should therefore ensure their fraud strategy is optimised for mobile traffic, with models and profiles that include mobile-specific:

  • Data points (such as device fingerprinting and geo-location data);

  • Characteristics (such as low chance of multiple identities being associated with one device).

4. Anticipate potential fraud migration

As merchants develop SCA exemption strategies contingent on an agreement with their acquirer, we anticipate a possible increase in account takeover fraud, especially when consumers start adding trusted beneficiaries to their payment accounts. Merchants can mitigate the risk by ensuring they have access to account event metrics or by deploying an account takeover protection solution. 

Fraudsters may also attempt to manipulate alternative payment methods, such as digital wallets and bank transfers, where the association with fraud has historically been lower.

To date, we haven't seen an increase in suspect transactions in the Mail Order Telephone Order (MOTO) channel (out of scope for SCA), but merchants should remain vigilant as MOTO transaction volumes start to go back up as pandemic lockdowns ease. 

Fluctuations in cross-border fraud may also occur as fraudsters target non-EEA/UK websites where SCA doesn't apply. Merchants operating outside the UK/EEA area should monitor trends and adapt their fraud strategies in line with any changes.

5. Talk to acquirers about transaction risk analysis (TRA)

TRA makes low-risk transactions a key SCA exemption. Merchants who want to use TRA must agree in advance with their acquirers, each of whom will have their own exemption threshold that may be below the EUR 500 maximum. 

Once TRA application is agreed with the acquirer, including the extent of the risk analysis, which is also prescribed in the RTS, you can decide how far you want to influence TRA decisions. You can leave issuers and acquirers in charge — but they could be too strict or too generous around risky orders. Or you can use your fraud management tool (such as Decision Manager) and your knowledge of your customers' risk levels to orchestrate when transactions get stepped up.

As our five tips show, merchants can get ahead of the fraudsters by:

  • Optimising the SCA process and their approach to exemptions and out-of-scope transactions;

  • Using all their fraud management tools in harmony;

  • Reaching out to acquirers, payment service providers, and fraud management professionals for help and advice. 

Learn more about Cybersource Decision Manager and other Cybersource capabilities to help you guard against fraud in the age of SCA.

These materials and best practice recommendations are provided for informational purposes only and should not be relied upon for marketing, legal, regulatory or other advice. 

Recommended marketing materials should be independently evaluated in light of your specific business needs and any applicable laws and regulations. Cybersource is not responsible for your use of the marketing materials, best practice recommendations, or other information, including errors of any kind, contained in this document.

About Mark Strachan

Mark is the business owner for the EMEA Managed Risk portfolio at Cybersource and a fraud risk professional with over 12 years’ experience in the card payment and banking industry. His current role as EMEA Managed Risk Principal at Cybersource allows him to work closely with enterprise clients on strategies to reduce risk associated with fraudulent activity and optimise revenue. 


About Cybersource

Cybersource helped kick-start the ecommerce revolution in 1994 and haven’t looked back since. Through global reach, modern capabilities, and commerce insights, we create flexible, creative commerce solutions for everyday life – experiences that delight customers and spur growth globally. All through the ease and simplicity of one digital platform to manage all payment types, fraud strategies, and more. Knowing we are part of Visa and their security-obsessed standards, you can trust that business is well taken care of – wherever it may go.


Keywords: Cybersource, SCA, PSD2, merchants, fraud prevention
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World