Fraud protection and prevention: embracing customer experience with PSD2

Gary McVie, Director of Fraud and ID, Experian.


 

The Second Payment Services Directive (PSD2) has been designed to create better fraud protection for online purchases.

Card Not Present fraud, (e.g. payment cards, remote banking and cheques) totalled an astonishing £768.8m in 2017, up 2% on 2016. This isn’t surprising given the growth of internet users and proliferation of devices. Online spending now accounts for almost one quarter of all retail purchases and has seen a 10 % increase year-on-year.

With more than half of the world’s web traffic comes from a mobile phone, this growth in digital usage is contributing towards a huge rise in online purchases -and a rise in fraud as a result. PSD2 is here to help relieve this threat, but how does it influence the digital journey?

With 85 % of online applications incomplete, and a fair proportion of shopping carts abandoned before finalising the transaction, many businesses already find converting sales a challenge.

PSD2 is set to advise businesses on how to undertake real time fraud assessments, and payment providers how to understand and embrace a whole new framework.

 

What is PSD2?

PSD2 was introduced with a clear objective – to protect the customer. It also advocates innovation and security while encouraging competition.

Strong Customer Authentication (SCA) is one element of PSD2, while another is the fraud risk assessment. PSD2 sets out that an organisation that is taking payments, without the person present, needs to follow a prescribed process to authorise that payment. Put simply, SCA means that a Payment Service Provider (PSP) should now be confident that the Payment Service User (PSU) is who they say they are.

 

Transitioning from 3D secure to Strong Customer Authentication

At present, many businesses have adopted 3D secure. PSD2 dictates that this isn’t robust enough and new processes that are much more embedded into the customer verification process will need to be used.

Payment authentication levels are governed by a range of factors, one of which is the value of a transaction. Outlined in the PSD2 criteria are a series of values that articulate when you need to proceed through additional layers of authentication, and when you don’t.

The criteria bandings are currently: €100, €250 and €500. Therefore, any payment that is more than €100 needs to go through a process flow to assess the authentication level needed.

Here is an example to demonstrate an online purchase post-PSD2:

Tom wants to purchase a bike, costing £800 (€861). The value of the transaction means the payment provider needs to go through checks, to authenticate, and initiate the payment. The ‘journey’ looks a bit like this:

  • The retailer sends the payment request to the payment provider (which we will use as a bank in this example), who manages the process from there
  • At this stage, Tom could be asked to log on to his bank account and confirm the transaction, but to obtain the payment authorisation he needs to have two separate forms of verification. So, Tom needs to authenticate himself using two factors of authentication
  • This is something he knows (e.g. a secure phrase such as a pin number), has (e.g. a security token), or is (e.g. a biometric).

As the value also exceeds the outlined thresholds additional checks need to be undertaken – regardless of passing the authentication processes so far.

This includes validating against the organisation’s overall fraud ratio. If it exceeds a certain level, the organisation is restrained by what value they can complete without strong factor authentication.

In addition, the bank will also need to check 5 external factors:

  • Device – Is this likely to be Tom’s’ phone? Has he made payments before, or are there any configuration concerns with that device?
  • Malware – Is Malware present on Tom’s device?
  • Known fraud – Are they on a fraud database, such as National Hunter and CIFAS databases for example?
  • Location – Are there any concerns with the location of where the payment request is coming from?
  • Fraud patterns – Again, using device monitoring to see whether there are any evident payment patterns that are indicative of fraud? Is the payee initiating multiple payments from a single device?

 

Differentiating single sign-on and integrated biometrics 

If people are transacting online, giving a biometric authentication could prove challenging. Many people currently use single sign-on using their phone, but this isn’t deemed secure under the new legislation. As such, biometrics will need embedding into the bank validation process for them to store and verify against.

Last year Juniper predicted there would be five billion biometric-authenticated payment transactions by 2019, up from less than 130 million in 2015. According to new data from Visa, biometric adoption is certainly on the right track, and can be a convenient method of authentication for a customer. It also has the potential to enhance the customer journey and not cause any unnecessary friction. The question will be how to do it.

 

Integrating PSD2 into the customer journey

There are many elements of PSD2 that will influence the customer purchase journey.

Banks, payment providers and retailers (including ecommerce) need to consider the level of friction involved for their customers when transacting remotely, and what they can do to relieve this as much as possible.

People won’t tolerate disruption to their shopping experience – they will simply look for the easiest route. This is where a competitive threat becomes much more apparent, as those who can create a frictionless, smooth journey will be the ones who reap the rewards of customer engagement.

Businesses need to consider how PSD2 and fraud monitoring will integrate into the customer journey, without compromising the customer experience. How will you formulate all the prescribed criteria to make a decision on the transaction authentication level?

At the moment, dynamic data sharing isn’t being used in a payment context,  but it is common to apply CIFAS known fraud checks at the point of a payment transaction. Could this help businesses with better identification of fraud?

Monitoring devices will be important, particularly in today’s mobile age. Understanding more about the patterns of device usage can help identify any concerns or discrepancies which require further exploration.

Keeping fraud low will be equally essential – and could be the difference between strong and weak customer authentication. Therefore, while new methods and new steps need to be considered for payments, keeping on top of your overall fraud levels should remain a core focus.

 

Guiding customers along the way

It is also important that you think about any customer education programme.

For the past 15-20 years, the focus has been around educating customers on chip and pin – more recently contactless. PSD2 will require the same, if not more intense education.

The biggest barrier to giving data is uncertainty of how it will be used. If customers understand the reason is for their protection, they are more likely to embrace it and not perceive any change as cumbersome and fractious.

Considering the foundations you can develop in order to comply with PSD2 is paramount, as well as considering how you can best serve the needs of your customers.

 

Related reading