For issuers and acquirers, PSD2’s impact will be felt differently

The exponential increase in non-cash transaction volumes and the ever-rising valuation and buyouts of payments groups reflect the incredible growth in cross-border and cross-channel commerce. Instant connectivity is redefining marketplace dynamics and its effect on the relationship between banks and merchants is undeniable.

In this evolution, the spotlight on security mechanisms grows brighter. “Faster payments means faster fraud” is hardly a hermeneutic observation; nobody in 2019 is surprised that criminals are using these channels to perpetrate fraud as much as genuine customers use them for convenience. The challenge becomes how we allow the good in and keep the bad out.

Today’s regulatory efforts are evidence of the size of this challenge and the entire industry is going to be influenced; however, PSD2 and its emphasis on Strong Customer Authentication (SCA) have a few different implications for issuers and acquirers:

Acquirers

For acquiring banks, SCA’s introduction of 3-D Secure 2.0 (or 3DS 2.0, which is an updated version of two-factor authentication intended to authenticate CNP transactions) enables merchants to protect themselves from negative transactions.

Following the enactment of PSD2, SCA will be required for all transactions above €30 (for certain merchants), placing more scrutiny on an organization’s ability to detect and prevent fraud and protect customers at the point of purchase. Two of three proof points will need to be authenticated: something the user is, something the user possesses and something the user knows. This step-up authentication takes more time and costs more money though, making the ability to identify transactions that are exempt from SCA pivotal.

To do this, acquirers need real-time transaction monitoring and risk analysis that factors in various pre-determined risk signals such as abnormal spending or behavioral patterns, information on the customer’s device, malware detection across the session and the location of the customer. This information builds profiles of API-based payments and alternative payment types, as well as traditional plastic/non-plastic transactions in a single system. Combined with advanced data science models and adaptive behavioral analytics, an acquirer will lower fraud rates and reduce customer friction, ultimately increasing merchants’ conversions and removing pressure from fraud teams.

Issuers

Issuers face a bigger friction concern. For example, if implementing SCA by way of a one-time password, an issuer’s customer would need a mobile device and be within range of a cellular network. Without this, it wouldn’t be possible to authenticate the customer.

Banks that implement APIs are also a concern for issuers – some of which are already incurring significant fraud losses – as this potentially provides criminals with opportunities to execute social engineering attacks. And the commoditization of fraud is only fueling the arms race between issuers and banks.

There are two essential components of the PSD2 regulations: SCA controls and transaction monitoring, and the challenge for issuers is integrating these within their existing fraud and risk management strategies. This will yield business-wide benefits, satisfying PSD2 requirements and reducing customer friction and exposure to money laundering. Using adaptive behavioral analytics and adaptive behavioral biometrics to detect and prevent fraud in real time is essential, as is issuers’ ability to understand their overall risk thresholds.

When strategically approached, PSD2 can provide opportunities for issuers to evaluate their overall fraud and risk management schemes, bolstering the ability to remain compliant and establish an unparalleled competitive edge.

A post-PSD2 world

Remember how counterfeit and stolen fraud dramatically fell following the rollout of EMV? Well, while those fraud types remain low, we saw an uptick in CNP fraud. We expect to see a similar effect following PSD2. Criminals will once again target transactions and channels that are less protected; we could potentially see an increase in the number of attacks on low-value purchases or on merchants and acquirers with exemptions.

In addition, there’s a concern that the mandatory nature of 3DS 2.0 will drive fraud and genuine transaction volumes to non-EU countries, which offer less friction, especially with the purchase amount threshold being lowered to €30. Finally, we could potentially see fraud migrate toward alternative payment types, where no formal or standardized set of controls has been established.

Make no mistake, PSD2 and its accompanying rules were designed to reduce fraud and they will. However, substantial changes to processes and technology must be made across the board: issuers, acquirers, retailers and banks. Not to mention the cooperation from tens of millions of consumers, most of whom remain largely unaware of the imminent changes… but that’s another challenge for another day.
