Register today for this webinar that summarizes Aite Group’s PSD2 Research Report, commissioned by iovation, a TransUnion Company, providing an in-depth analysis of how those in the payment services and e-commerce market should prepare to handle the new strong customer authentication (SCA) requirements under the second Payment Services Directive (PSD2).
Join Angie White, Product Marketing Manager and PSD2 expert at iovation, a TransUnion Company, and Ron Van Wezel, Senior Analyst at Aite Group's Retail Banking and Payments Practice, as they analyze the results of the actual market status in Europe regarding the main changes that PSD2 will bring to the online payments market. Learn what Aite Group concluded after interviewing 20 payments executives from European banks, other PSPs, merchants, payment networks and industry experts.
Key takeaways:
The impact of PSD2, highlighting the priorities that organizations have yet to manage in the transition to the new world after PSD2.
How organizations seek to implement the requirements for secure customer authentication (SCA) and minimize the impact on customer experience.
An analysis of the potential of payment innovation and open banking as a result of PSD2.
If you haven’t already, register for this complimentary research report, PSD2: Advent of the New Payments Market in Europe.
Read the overview of the implications of PSD2 for the payment space in relation to fraud prevention and authentication, including recommendations for banks and other players on how to comply while minimizing friction during the payment process.
Ron Van Wezel, Senior Analyst, Aite Group
Angie White, Product Marketing Manager, iovation
Contents
Brief introduction to the PSD2
The impact of SCA
The arrival of open banking
Maximize SCA exemptions and reduce friction
Conclusions
5.9 billion devices seen by our network
42 billion transactions protected
26 million transactions protected per day
35,000 websites and apps protected
16 million daily logins protected
66 million fraud reports placed by our cybercrime network
“Baymard estimates that 28% of carts were abandoned because of a checkout process that was too long/complicated”
Frictionless Strong Customer Authentication: meet the SCA requirements of PSD2
Lower fraud rates to maximize exemptions
Machine learning: predict the trustworthiness of a transaction
Authenticate: use two or more independent elements: (1) knowledge, (2) possession, (3) inherence
Authorize: dynamic linking of the transaction to the specific payee and amount, with push authorization
Transaction Risk Analysis: Requirements
To be allowed the exemption based on transaction risk analysis, the solution must be operating in real-time and must verify a transaction against anomalies in user behavior. Check points shall include the following:
• Previous spending patterns of the payer
• Payment transaction history of the payer
• Location of the payer and the payee at the time of the payment
• Previous use of the access device or the software provided to the payment service user for SCA
Transaction Risk Analysis: Remote Card-based Payments
Exemption threshold value | Reference fraud rate %
€500                      | <0.01
€250                      | 0.01 - 0.06
€100                      | 0.06 - 0.13
0 - €30                   | Default
Competitive Advantages: Transaction Risk Analysis Exemptions
One click shopping: being able to expedite payment processing for a higher volume of transactions.
Cost savings: reduce the overall number of transactions subject to higher cost SCA checks.
Reduced friction: only step-up transactions above the exemption threshold or with risk signals to SCA.
Strong Customer Authentication (SCA) requires:
Two or more independent factors of: knowledge, possession, inherence
Out-of-band: elements are independent, so the breach of one does not compromise the reliability of the others
Dynamic linking: tie the transaction to a specific amount and a specific payee with a unique authentication code
Do you need this much assurance? Or this much assurance?
Risk mitigation by authentication challenges = (Probability of compromise) x (impact)
LaunchKey: unified, simplified, and personalized multifactor authentication
“How can I provide strong, unified authentication for security-conscious customers?”
Through any channel, digital or physical
Thank you Matt. I’m very excited to get the opportunity to speak to everyone today about how you can improve your customer’s experience while also moving towards GDPR compliance. GDPR and Data Privacy rights are a topic I’m very passionate about and I know my colleague Mark Weston shares that enthusiasm, so let’s jump right in.
No one has deeper experience than iovation in recognizing devices, finding bad actors through those devices, catching fraud, and expediting secure experiences for the known-good devices that belong to your good customers.
Of all these numbers, the ones that matter to us the most are the customers we continually keep happy, with a 97% retention rate year over year.
Consumers are very sensitive to any added friction, and are voting with their feet. Baymard estimates that 28% of carts were abandoned because of a checkout process that was too long/complicated. Your challenge: comply with PSD2 while balancing customer experience.
Competitive advantages will arise for lower fraud rates as they will require less friction for higher exemption amounts.
To be allowed the exemption based on transaction risk analysis, the solution must be operating in real-time and must verify a transaction against anomalies in user behavior. Check points shall include the following:
Previous spending patterns of the payer
Payment transaction history of the payer
Location of the payer and the payee at the time of the payment
Previous use of the access device or the software provided to the payment service user for SCA
To retain control over the buyer’s journey merchants will need to work cooperatively with payment processors in order to reach the highest exemption thresholds, but this could provide a major competitive advantage on a number of fronts:
One click shopping: Being able to expedite payment processing for a higher volume of transactions, i.e. all transactions below €500 vs. only transactions below €30
Cost savings: Reduce the overall number of transactions subject to higher cost SCA checks
Reduced friction: Only step-up transactions above the exemption threshold or with risk signals to SCA
Calculation of the Reference Fraud Rate % = Total value of successful fraudulent transactions ÷ Total value of all successful transactions (including SCA and exempted)
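An added example, not code from the webinar or from iovation or Aite Group: it computes the reference fraud rate exactly as defined above (value-based, in %), maps it onto the remote card-based payment tiers from the slide table, and then decides per transaction whether the TRA exemption applies or SCA must be stepped up. The risk-signal names and the sample history are constructed for illustration.

```python
from dataclasses import dataclass

# TRA tiers for remote card-based payments, taken from the slide table:
# (fraud rate must be below this %, exemption threshold in EUR). A rate of
# 0.13 % or more earns no TRA exemption and falls back to the €30 default.
TRA_TIERS = [(0.01, 500), (0.06, 250), (0.13, 100)]
DEFAULT_THRESHOLD_EUR = 30

# Anomaly check points named on the slides; the signal names are assumed here.
RISK_SIGNALS = {"spending_anomaly", "history_anomaly", "location_mismatch", "new_device"}


@dataclass(frozen=True)
class Txn:
    amount_eur: float
    fraudulent: bool = False  # confirmed after the fact (chargeback or fraud report)


def reference_fraud_rate(history):
    """Value-based rate in %: fraudulent value / total successful value."""
    total = sum(t.amount_eur for t in history)
    fraud = sum(t.amount_eur for t in history if t.fraudulent)
    return 0.0 if total == 0 else 100.0 * fraud / total


def exemption_threshold(fraud_rate_pct):
    """Highest TRA threshold the PSP's reference fraud rate qualifies for."""
    for max_rate, threshold in TRA_TIERS:
        if fraud_rate_pct < max_rate:
            return threshold
    return DEFAULT_THRESHOLD_EUR


def requires_sca(amount_eur, threshold_eur, signals):
    """Exempt only at or below the earned threshold with no anomaly; otherwise step up."""
    return amount_eur > threshold_eur or bool(RISK_SIGNALS & set(signals))


# Constructed history: 10,000 transactions of €100, four of them confirmed fraud,
# i.e. €400 / €1,000,000 = 0.04 %, which earns the €250 tier.
SAMPLE_HISTORY = [Txn(100.0) for _ in range(9996)] + [Txn(100.0, True) for _ in range(4)]


def decide(amount_eur, signals, history=SAMPLE_HISTORY):
    """Return (earned threshold, sca_required) for one incoming transaction."""
    threshold = exemption_threshold(reference_fraud_rate(history))
    return threshold, requires_sca(amount_eur, threshold, signals)


if __name__ == "__main__":
    for amount, signals in [(120.0, []), (120.0, ["new_device"]), (600.0, [])]:
        threshold, sca = decide(amount, signals)
        print(f"€{amount:.2f} {signals or 'no signals'} -> €{threshold} tier, "
              f"{'SCA required' if sca else 'TRA exempt'}")
```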
Stats are inclusive of all financial services, February 26, 2018 – February 26, 2019.
Article 4 of the PSD2 (Directive (EU) 2015/2366) defines “Strong Customer Authentication” as authentication based on the use of two or more elements categorised as:
Knowledge – something only the user knows
Possession – something only the user possesses
Inherence – something the user is
Independent factors means that the two authentication factors have to be out-of-band, so that the breach of one doesn’t compromise the other. That’s why you have to have at least two of the three independent factors.
SCA also requires dynamic linking – being able to tie a transaction to a specific amount and payee with a unique authentication code.
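An added example, not from the webinar or from iovation, of the dynamic linking just described: the authentication code is an HMAC computed on the enrolled device (the possession factor) over the exact amount and payee the user approved plus a one-time nonce from the PSP, so a code issued for one amount or payee fails verification for any other. The device key, payee and amounts are constructed values.

```python
import hashlib
import hmac
import secrets


def _canonical(amount_cents: int, payee: str, nonce: bytes) -> bytes:
    """Length-prefix each field so amount/payee boundaries cannot be shifted."""
    out = b""
    for field in (str(amount_cents).encode(), payee.encode("utf-8"), nonce):
        out += len(field).to_bytes(4, "big") + field
    return out


def auth_code(device_key: bytes, amount_cents: int, payee: str, nonce: bytes) -> str:
    """Device side: code bound to the amount and payee shown to the user."""
    return hmac.new(device_key, _canonical(amount_cents, payee, nonce), hashlib.sha256).hexdigest()


def verify_auth_code(device_key, amount_cents, payee, nonce, code) -> bool:
    """PSP side: recompute over the amount/payee it is about to execute."""
    expected = auth_code(device_key, amount_cents, payee, nonce)
    return hmac.compare_digest(expected, code)


# Constructed key for illustration; a real deployment provisions it at device
# enrolment and unlocks it with the second factor (PIN or biometric).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def purchase_flow(amount_cents: int, payee: str, tampered_amount_cents=None) -> bool:
    """PSP issues a nonce, the device signs what the user approved, and the PSP
    verifies against the amount it will execute. True only when they match."""
    nonce = secrets.token_bytes(16)  # one-time challenge, so a code cannot be replayed
    code = auth_code(DEVICE_KEY, amount_cents, payee, nonce)  # user approved this amount/payee
    executed = tampered_amount_cents if tampered_amount_cents is not None else amount_cents
    return verify_auth_code(DEVICE_KEY, executed, payee, nonce, code)


if __name__ == "__main__":
    print("honest purchase:", purchase_flow(100000, "ACME Shop"))               # True
    print("amount altered in transit:", purchase_flow(100000, "ACME Shop", 250000))  # False
```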
In a well-designed system you can incorporate risk signals to tailor the level of authentication to the riskiness of the transaction. So for instance, if a customer is logging in from a known device and just wants to view their account, that’s a low risk transaction. But if the same customer logs in from a new, unknown device and makes a €1,000 purchase, that’s a much riskier transaction. This is why risk insight is so important. Not only will it allow you to apply the right level of authentication based on risk insight, it’ll also help you create a better user experience.
Device based authentication isn’t reliant on personal data that has likely been breached, and is very low friction for customers.
Refer back to case study
We’re still missing a piece with all of this, the customer. So how can we make this all easier on the customer?
Omnichannel flexibility: Today, authentication varies by the channel. On the web, customers enter their username and password. They enter the same credentials on your mobile app, but with a tiny, typo-prone keyboard. Imagine a time when every channel will use the same simple authentication method: the user’s device. Across the web, mobile app, streaming service, call center, and even in store.
Let’s look at this through the lens of a Merchant securing the online customer journey. The numbers vary widely by study but most figures put cart abandonment at around 75%. Hence why guest checkout is so incredibly important for Retailers. Even a small increase in friction can mean an increase in abandonment rates, and therefore a decrease in revenue.
Some of the common issues we see here include: promotions abuse, CNP fraud, Shipping fraud and chargebacks.
By integrating FraudForce at guest checkout we can identify when disparate devices are used to access the same account or when the same device accesses many different accounts. Specify a transaction velocity for an account, device, or IP address to stop high-volume transactions, a common symptom of a fraud ring. Effectively stopping fraud.
As more online merchants are launching their own apps and moving towards persistent accounts, ATO is on the rise. Implementing ClearKey at login is a very effective way to curtail account takeover without adding friction.
Customers select devices to pair with the merchant and then at subsequent logins ClearKey will check the device pairing, assess risk factors indicative of ATO attacks such as: device anomalies, spoofing, and evasion. All of this is done in the background, creating a frictionless customer experience, while providing a higher level of assurance.
Another common way that fraudsters attempt to take over accounts is either when changing account details or through the call center.
So, say a fraudster gets shut down when trying to take over an account online and instead tries going through the call center. They gather data about customers (often through social media) and then combine high-pressure tactics with spoofing technology to socially engineer agents and take over a good customer’s account. With LaunchKey, the call agent could simply push an authentication request to the user’s device, allowing them to authenticate before proceeding with the call.
At purchase the Merchant can transparently authenticate using ClearKey and add a FraudForce check to stop the same types of fraud that you see at guest checkout. Especially hard to shut down is Friendly Fraud, where a customer purchases goods online and then disputes that they placed the order, uses the item and then returns it (think high end retail), or claims to have never received the item. This is another use case where our reputation report database is invaluable, allowing merchants to share confirmed friendly fraud reports with each other.
Many fraudsters target higher end items on e-commerce sites because they’re easier to convert to cash. For highly targeted items, or items over a certain dollar amount, merchants can add a step-up using LaunchKey or use the built-in authorization. This allows Customers to respond in real-time to a specific request, like “Approve purchase of new iPhone X?” Or even, “Do you grant permission for this package to be delivered without signature?” The customer could then authorize using, say, a PIN or thumbprint, or deny if the transaction is fraudulent.
By combining ClearKey, LaunchKey and FraudForce, we can help Credit Card Issuers protect customers throughout the entire buyer’s journey, providing confidence and convenience.