Could New eCommerce Fraud Rules Separate the Best from the Rest in 2019?


Last year, PSD2 and GDPR were the two most prominent topics in the conversations around data privacy regulations. Now in 2019, the discussion around the applicable use of consumer information isn't expected to wane - if anything, it is only getting louder.

The mandated adoption of Strong Consumer Authentication (SCA) is coming September 2019 as a part of PSD2, requiring additional layers of authentication to allow specific types of transactions. Facilitating the ability to meet the new mandate will be the adoption of 3D Secure 2.0 (3DS 2.0), which will make it easier to collect SCA information at the time an eCommerce transaction is executed. 

By collecting and sharing information behind the scenes during online transactions, financial institutions and their merchant customers should become increasingly better at spotting and stopping potential fraud.

However, the standard will also measure the quality of merchants' data, and if too much fraudulent activity has occurred, they'll need to add barriers in the payments process to right the ship and provide adequate security for customers. Equally, the new PSD2 regulation has clauses stating that if card issuers don't meet certain fraud rates, some transactions on their cards will have to be authenticated.

Could such requirements establish an even wider divide between the merchants and issuers that can offer frictionless payments and the ones who can't?

3D Secure: New and Improved
The current iteration of 3D Secure (3DS) isn't always user-friendly, hampering retailers' ability to deliver a frictionless payment experience. Some have cited today's 3DS as a contributing factor in increased cart abandonment, and merchants have even gone as far as to propose that losses from cart abandonment over time (due to anti-fraud 3DS measures) could outweigh the losses from fraud. 

The new version of the protocol, 3DS 2.0, will offer multi-factor authentication, which means e-commerce transactions are simple and straightforward for consumers.

Previously, banks and card issuers didn’t always have enough information on the consumer to build a full picture of their behavior, and merchants were unable to contribute any of their own accumulated customer data, seriously impeding the authentication process. This meant some fraud was missed and, at other times, too many transactions required inputting passwords, the bugbear of all online consumers.

With 3DS 2.0, card issuers and merchants will be able to communicate: card issuers will accept a larger number of data points from the merchant and use them in a risk assessment. Some of these data points will be supplied by customers, while others come from the customer’s device and browser data. The issuer's access control server then uses the data points supplied in the authentication request message to decide whether the transaction should be flagged for authentication.

Essentially, this means that if the card issuer thinks the transaction needs closer attention based on the transaction and merchant data, users will have to provide biometric verification, such as a thumbprint or facial scan on their device, or enter a two-factor code received via SMS to prove they are who they say they are.

Fraud History Could Hamper Frictionless Authentication
Part of the data exchange under 3DS 2.0 will also include information about the merchants themselves. The new standard will likely measure the quality of merchants' own data and could trigger additional authentication layers in their payments processes if fraud rates on the part of the merchant or the type of transaction are high enough.

So customers who have had no history of fraud may be asked to complete additional layers of authentication due to their choice of retailer or service provider, disrupting their payment. The primary benefits of 3DS 2.0 are faster and safer payments, but it may be that the merchant or product itself is what creates friction in the system.

Equally, card issuers with a history of fraud within their own systems may not satisfy the new transaction risk analysis, meaning payments of a certain threshold on their cards could require authentication where other card issuers do not. 

We already know that too much transactional friction drives customers away, but could 3DS 2.0 accelerate that behavior? For instance, a large retailer cannot compete fully if, due to its adverse fraud history, it is asking customers to do more than its rivals to complete an online transaction. 

In such a competitive retail environment, it will be interesting to see how the impact on the authentication process influences spending decisions – will 3DS 2.0 lead more customers to abandon their purchases if they are being asked to input more authentication?

The best from the rest
More than a third of UK consumers are using their mobile devices to make payments and that is only going to increase, so we expect 3DS 2.0 to be a powerful driver in the industry's ceaseless efforts to make the payment journey frictionless.

However, to ensure the frictionless experience, everyone in the 3DS 2.0 information supply chain will have to implement smarter anti-fraud strategies. If the transaction risk analysis isn’t satisfied, additional authentication might be triggered, and that risks retailers and card companies losing customers.

In the early part of this century, we all had to manage a new way of transacting using a card with the introduction of Chip & Pin. This new eCommerce mandate is no different – there will be a certain learning curve as we all get used to more authentication, and there may be winners and losers as we all get to grips with the new rules.

By highlighting everyone's respective fraud detection and prevention capabilities in a better way, the mandate will separate the best from the rest when it comes to delivering a superior payment experience going forward.
