PSD2 MADE STRONG CUSTOMER AUTHENTICATION MANDATORY – RISK BASED AUTHENTICATION MAKES IT CONVENIENT

Jun 17, 2021 // Roy Prayikulam

Strong Customer Authentication (SCA) is designed to protect banks and customers from fraudulent activity, but it creates high overhead costs and can compromise customer convenience and revenue opportunities. Using risk-based authentication (RBA) can mitigate these hurdles without sacrificing transaction security.

Background

Throughout the entire COVID 19 pandemic, digital payment channels have proven to be a boon. Spurred on in no small part by the e-commerce and online shopping boom, they have enabled customers to access goods and services quickly and conveniently, thereby ensuring the survival of large parts of the economy. In a consumer study conducted by the German E-Commerce and Distance Selling Trade Association (bevh), one in two of those surveyed (54%) said they would generally like to order more online in the future.

This increases the pressure on financial service providers to make digital financial transactions and payment options more widely available and at the same time more secure.

The security of financial transactions must be a top priority. Financial transactions require protection from fraud attempts and payment failures, while retailers and consumers need to safeguard their data, accounts and digital identities. This task is complicated by the fact that it requires new technologies, channels and payment methods to be regularly updated and included in the authentication process.

Making Use of Exemptions

As of January 1, 2021, the Second EU Payment Service Directive (PSD2), which was adopted in the Fall of 2019, makes Strong Customer Authentication mandatory for all European banks and payment service providers. SCA is an authentication process that requires the payments industry to add further security measures to financial transactions. When a transaction is initiated, the authentication process asks for data from two of three possible categories: knowledge (such as a PIN, password, or one-time passcode), possession (such as a smart card or mobile app), or inherence (fingerprint scan, iris scan, or facial recognition).

These specifications increase the security of transactions but require a great deal of effort on the part of financial service providers to implement, and at the same time, impact the end-user experience, convenience and thus sales volumes due to the additional authentication step. Customers do have the option to whitelist selected accounts and merchants at their banks to process their payments faster. If that is the case, a simple authentication would be enough for the bank to approve the transaction. However, this would also override the security mechanisms that make PSD2 so valuable.

There is a more elegant - and at the same time secure - way to reduce the effort and restrictions imposed by SCA.

Under certain highly regulated conditions, PSD2 allows for the waiver (exemption) of additional authentication without loss of security. The payment directive therefore serves as the legal basis for risk-based authentication (RBA).

Financial institutions that can reliably perform transaction risk analysis in real time can approve low-risk transactions in an automated manner without delays caused by additional query steps, thus providing customers with a better shopping experience.

AI support for risk-based authentication.

The data required for RBA is provided by the 3D Secure protocol. In its current version, 3D Secure delivers more than a hundred data elements per transaction to banks, payment service providers and merchants. In addition to basic data such as card number, purchase amount, billing and delivery address, this also includes information about the customer relationship such as past payment behavior. In addition, the transaction can be enriched with further information, such as lists of cards registered with banks or law enforcement agencies.

Critical to the successful implementation of RBA is a hybrid AI approach that integrates data and knowledge-driven processes. On the one hand, learning systems help to detect even complex fraud patterns from data and block them. It is important that the learning procedures work transparently as a white box, i.e., that the conclusions remain traceable for compliance experts. Transparency of decision logic enables financial institutions to gain far-reaching insights into fraud prevention, simulate scenarios in real time, and react quickly to market developments. On the other hand, knowledge-driven methods based on fuzzy logic technology, for example, are needed. These rule-based decision models can be adapted ad hoc. This allows concrete decisions and recommendations for action to be derived even from imprecise data.

An AI-powered system can thus check and evaluate fraud risks in real time based on the evaluated data without compromising the user experience. In doing so, a result is not based solely on individual parameters according to the yes-no principle. Thanks to the use of intelligent algorithms, the analysis of many data elements leads to a fine-granular evaluation (scoring) that can also identify gray areas. This allows automated, risk-based decisions to be made within milliseconds as to whether a transaction is permissible, strong customer authentication must be performed, or the transaction is rejected.

Closing thoughts

The risk-based authentication (RBA) approach helps mitigate fraud risk and reduce customer payment failures due to payment abandonment.

By increasing the level of security and customer convenience in parallel, revenue potential can be better realized, and the security interests of all stakeholders can be better protected.