The transaction security landscape: new mandates, new challenges

By Ilya Dubinsky, head of CTO, Credorax

25 May 2018

As consumer adoption of mobile and online commerce channels continues to grow, fraud losses are becoming a major pain point for mature markets. To address this security challenge, strong customer authentication will become mandatory in the European Union. Even without regulatory mandates, the problem is significant enough for providers to take proactive steps to improve transaction security. The market trends to monitor will encompass security, stronger customer authentication, PSD2, 3D Secure 2.0, card-not-present fraud, mobile experience issues, and shopping cart abandonment concerns. To give some context around these trends, it is beneficial to review how fraud has affected each area.

PSD2 and a stronger need to reduce fraud

Several trends will affect how online stores secure their checkout process while battling shopping cart abandonment. Besides the explosive growth of mCommerce, measures to reduce fraud in card-present scenarios can increase fraud in the card-not-present environment. The EU PSD2 (Payment Services Directive 2) Strong Customer Authentication regulation mandates a form of authentication for all intra-European payments from September 2019, while providing exemptions for payment providers with low fraud rates. EMV 3-D Secure Protocol, also known as “3D Secure 2.0”, lays a foundation to address these challenges and is likely to be mandated by card schemes.

Mandated strong customer authentication

The Evolution of Card Fraud in Europe 2016 research by the Fair Isaac Corp. reported that card-not-present fraud accounted for 70% of total card fraud in the European Union, reaching €1.231bn in 2016. While the total fraud in the EMEA region grows at 4.4% CAGR, total volumes of card fraud were expected to exceed €2bn by 2019 according to our research.

Regulators responded: as part of PSD2, EU lawmakers mandated that strong customer authentication be part of any remote electronic payment, including all payments processed by a European institution and performed using credit or debit cards.

Card-not-present fraud expected to skyrocket

In Europe, card-not-present fraud is a major driver behind the annual growth of fraud in general. While implementation of EMV has reduced fraud in ATMs and POSs, overall losses from fraud in 2016 are estimated at €1.759bn, having grown with a CAGR of 5% during the last five years, with card-not-present fraud constituting 70% of the volume, growing at a CAGR of 9%. In France alone, the annual losses due to fraud doubled in 10 years, increasing from €252.6m to €548.3m, while in Sweden, annual card-not-present fraud jumped from 94.1m SEK to 142.4m SEK (51% YoY), according to FICO.

Mobile experience issues, abandonment a challenge, security a concern

The number of smartphone users continues to expand rapidly and is expected to reach 2.87 billion globally by 2020 according to eMarketer, with over 55% of total mobile phone users utilizing a smartphone by that time.

The PayPal Mobile Research 2014/2015 Global Snapshot showed the estimated CAGR of mobile commerce in Europe is 42%, in comparison with the eCommerce CAGR of 13%. These figures are even higher in Nordic countries, where the aggregated growth rate of mCommerce is projected to exceed 50%.

While customers express growing interest and genuine intent to shop via their browsers and mobile devices, retaining a customer throughout the checkout process remains a significant challenge. The rate of abandoned shopping carts on desktops is over 70%, and even higher on mobile devices according to Adobe Insights, and about one in three smartphone users will immediately switch to another application or site if they feel their needs are not instantly satisfied.

While it is true that about 25% of consumers cited by PayPal Mobile Research name mobile payment security concerns (and not checkout issues) as a barrier to shopping via mobile device more often, the introduction of additional authentication processes will hardly increase checkout speed or improve consumer experience.

A key solution to address fraud

EMV 3-D Secure can help, if handled with care. Card schemes have offered a solution for improved security of online payments since 1999, in the form of the Verified by Visa program, also known as “3-D Secure 1.0”.

The solution has reduced fraud significantly, with fully authenticated transactions being around three times less likely to be fraudulent. However, it has also contributed to consumer dropout, which, by some estimates, has reached double-digit figures, according to Visa and Cardinal Commerce.

To address these challenges, card schemes have cooperated via the EMVCo standards body to deliver the EMV 3-D Secure standard which became known as “3-D Secure 2.0”. The standard allows a front-end application to retain full control over user experience, outlines rules for risk-based authentication (the so-called ‘frictionless flow’), introduces a number of alternative authentication methods including device biometrics, and is considered by card schemes to be the technological answer to the SCA regulation in Europe.

AI-based fraud prevention

Despite the directive not specifically mentioning machine learning methods, this set of requirements – including the analysis of individual cardholder spending patterns and anomalies – demands analysis of vast arrays of data for each cardholder, with identification of individual behavior patterns.

Unless the processor (or the merchant) only handles recurring transactions with small numbers of customers, no team of analysts can realistically compute the baseline spending pattern function for each cardholder that utilizes payment services. This means that in order to meet this set of rules, deployment of a machine learning solution is unavoidable.

The bottom line

Both sharp increases in rates of card-not-present fraud and the regulatory response to it inhibit growth and can reduce the revenue of online merchants. Fraud causes direct damage to merchants, while government regulations that mandate strict authentication cause an increase in shopping cart abandonment. Existing mechanisms for strong consumer authentication such as Verified by Visa (also known as 3D Secure 1.0) are ill-suited for mobile channels, harm customer experience, and contribute to abandoned orders.

While mobile commerce drives online commerce growth and the ability to prevent fraud contributes to the bottom line, providing better security (but not necessarily stronger authentication) and improving consumer confidence in mobile devices as a shopping channel will, in the end, have a positive impact. The best strategy is to implement an AI-based fraud prevention solution and deploy a full card-on-file solution, including account updater services and provisions for cardholder authentication. In addition, it is recommended to implement 3D Secure 2.0 as soon as possible, combined with an authentication advisor solution.