Payment Authentication: Balancing Risk Assessment with Customer Convenience
The payment ecosystem has changed significantly over the past 15 years. While it used to be common to pay with cash, debit or credit cards, today there are numerous payment methods to choose from: Twint, Jiffy, iDEAL or payDirect, to name just a few.
What impact do these new payment methods have on the card schemes?
The new payment methods are typically based on technological developments and are very convenient to use.
Many of the examples above are both browser-based and available on mobile devices. You log into your account, enter the payment information, such as the beneficiary and amount, then issue the transaction. These payment systems already provide the possibility of smooth authentication using a smartphone or biometric authentication like fingerprint or facial scan.
These easy and convenient payment methods put increasing pressure on the card schemes. While it is easy to authenticate cards at the POS by chip and PIN, e-commerce transactions are much harder to secure. Card holders typically have to enter the card holder name, primary account number (PAN), expiry date and the card’s security code (CSC or CVV). All of this information is printed on the card itself and can easily be read off and copied. This opened the door to credit card fraud and misuse, and trust in using credit cards for online purchases decreased dramatically.
Therefore, card schemes introduced the 3D Secure protocol to secure online credit card transactions. The idea of the protocol was to authenticate the credit card owner as the legitimate user by requesting a static password for validation. Every bank implemented this “step-up” in security a little differently. As a result, customers experienced friction in their online shopping. Many customers aborted their purchases because they had forgotten their password or because technical obstacles such as pop-up blockers made it impossible to enter it.
Second iteration of 3D Secure
The rise of new technologies and the increasing use of mobile phones, tablets and wearables for e-commerce transactions, combined with the growing availability of easy-to-use payment methods for online transactions, presented significant competition for the card schemes.
In response, EMVCo, an organization made up of six major card networks, released a new version of 3D Secure. The new iteration of the protocol aims to address many of the shortcomings of 3D Secure 1.0 by introducing less disruptive authentication and a better user experience, fully integrating customer authentication into the sales process. It also supports mobile devices, tablets, wearables and in-app functionality.
3D Secure 2.0 did not change the underlying technology much: the Access Control Server (ACS), which triggers the authentication step, is still used, and the merchant plugin, which identifies the account number and queries the card issuer’s servers, also remained unchanged. The most significant change is the number of data fields that can be sent from the merchant plugin to the ACS. While 3D Secure 1.0 supported 11 data fields, 3D Secure 2.0 supports more than one hundred.
How can Issuers Leverage the Benefits associated with 3D Secure 2.0?
More data coming with 3D Secure 2.0 enables a broader view on the e-commerce transaction. Merchants and issuers are in an even better position to use the information from e-commerce transactions to assess the risk of card misuse while at the same time routing as many e-commerce transactions through a frictionless workflow as possible, ensuring a smooth and easy user experience for the card holder.
The use of sophisticated risk engines enables merchants and issuers to request additional authentication only when necessary to keep the risk low. AI-based behavioral analysis and profiling make it easy to recognize similarities to and deviations from a card holder’s usual shopping behavior. Recurring e-commerce transactions that have already been authenticated before can be sent through the frictionless workflow. Profiling on device ID allows predicting the likelihood that the user initiating a payment is the card holder. If that likelihood is high and the transaction is low-risk, no additional authentication is required.
To give an example: a customer orders an airplane ticket online for 200€ using a browser. An intelligent risk engine can base its risk assessment on
• if the merchant or merchant category is known to the customer
• if the amount is a typical amount for the customer
• if the device and installed apps used have been used before
• if time and IP geolocation are in line with previous behavior
Taking all the indicators into account, a merchant or issuer can decide to request an additional step-up, or omit it. The more transactions that can be verified without additional authentication, the better the shopping experience is for the customer.
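As an added illustration (not code from the original article or from any issuer's risk engine), the following scores the four indicators above against a card holder's history and decides between the frictionless workflow and a step-up challenge. The profile shape, the 3D Secure 2.0 field names and the weights are assumptions chosen for the example; a card with no history is treated as a cold start and always challenged.

```python
from dataclasses import dataclass

@dataclass
class CardholderProfile:  # behavioural history the issuer keeps per card (constructed shape)
    merchant_categories: set
    amounts: list          # previously authenticated e-commerce amounts, EUR
    device_ids: set
    countries: set         # IP geolocation countries seen in past transactions
    active_hours: range    # local hours in which the holder usually shops

@dataclass
class Transaction:  # the few 3DS 2.0 data fields this example consumes (field names assumed)
    merchant_category: str
    amount: float
    device_id: str
    ip_country: str
    hour: int

# Illustrative weights: one deviation alone stays below the threshold, two usually cross it.
WEIGHTS = {
    "unknown_merchant_category": 20,
    "atypical_amount": 25,
    "unknown_device": 35,
    "unusual_geolocation": 30,
    "unusual_time": 15,
}
STEP_UP_THRESHOLD = 50

def risk_indicators(tx, profile):
    """Map the four indicators listed in the article onto boolean deviations."""
    return {
        "unknown_merchant_category": tx.merchant_category not in profile.merchant_categories,
        # 'typical amount': not more than 50% above anything the holder has spent before
        "atypical_amount": tx.amount > 1.5 * max(profile.amounts),
        "unknown_device": tx.device_id not in profile.device_ids,
        "unusual_geolocation": tx.ip_country not in profile.countries,
        "unusual_time": tx.hour not in profile.active_hours,
    }

def assess(tx, profile):
    """Return (decision, score): 'frictionless' skips the step-up, 'challenge' requests it."""
    if not profile.amounts:
        # Cold start: with no history nothing is 'recurring', so the card is always stepped up.
        return "challenge", STEP_UP_THRESHOLD
    score = sum(WEIGHTS[name] for name, hit in risk_indicators(tx, profile).items() if hit)
    return ("challenge" if score >= STEP_UP_THRESHOLD else "frictionless"), score

if __name__ == "__main__":
    holder = CardholderProfile({"airline", "grocery"}, [45.0, 180.0, 250.0], {"dev-A"}, {"CH"}, range(7, 23))
    print(assess(Transaction("airline", 200.0, "dev-A", "CH", 14), holder))  # ('frictionless', 0)
```

The 200€ airline ticket from a known device and country at a usual hour scores zero and stays frictionless; the same purchase from an unknown device in an unseen country crosses the threshold and triggers the step-up.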
VISA estimates that 95% of all transactions do not require a step-up if sophisticated risk engines are in place, that transactions can be conducted 85% faster, and that abandonment rates will decrease by 70%.
With 3D Secure 2.0 and risk-based authentication, the balancing act between minimizing risk and increasing convenience for the card user can succeed.
Are you using an intelligent risk engine to leverage the benefits from 3D Secure 2.0?