Ravelin’s mission is to secure the future of e-commerce by helping merchants and payments providers stay ahead in the battle against fraudsters. Alongside fraud detection there are a number of imminent industry initiatives which warrant careful consideration.
In this short series of guides we will distill the most salient pieces of information for anyone in the industry to build a comprehensive payments and fraud strategy in this new landscape.
The Second Payment Services Directive (PSD2) certainly covers a lot of ground, but one important requirement is that:
"strong customer authentication […] should be applied each time a payer […] initiates an electronic payment transaction"
Where Strong Customer Authentication (SCA) is defined as:
"authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others
Prima facie, this means that all payments initiated by European Customers in Europe now need to use Authentication, which in practise for online card payments means 3D Secure - a technology so notoriously poor for conversion that most sophisticated merchants deploy it selectively for only the riskiest of transactions.
| Explanation | Example | Something you can... | |
|---|---|---|---|
| Knowledge | Something only the user knows | Password, Card CVV2 | Forget |
| Possession | Something only the user has | One-time code or device | Lose |
| Inherence | Something the user is | Fingerprint or retina scan | Have chopped off |
When this requirement was first floated by the European Banking Association (EBA), they got more than they bargained for when the Payments Industry strenuously objected to this regressive and unnecessary stance.
The outcry prompted a concession from the regulators: Exemptions.
Thankfully, there are three* exemptions defined by the European Banking Association (EBA) which are currently relevant to online card payments.
If a transaction is under €30, the Acquirer may seek an exemption from SCA from the Issuer on the grounds that the transaction is of Low Value. On the face of it this seems great news, but there are a few catches within.
First are the caveats given by the EBA in Article 16 of the Regulatory Technical Standards (RTS):
Payment service providers shall be allowed not to apply strong customer authentication, where the payer initiates a remote electronic payment transaction provided that the following conditions are met:
Crucially, these running counters for cumulative amount and number of previous transactions are held by the Issuer of the payment instrument. This is a major problem as the Merchant has no idea for a given transaction whether or not the transaction will qualify for the Low Value exemption.
The second problem is that Low Value Transactions are not necessarily Low Risk. Fraudsters do not make exclusively high value purchases online, and since other SCA exemptions rely on having low fraud rates across the board neither Merchants nor Acquirers can risk hoping that all transactions under €30 will be fraud free.
Verdict: When the fraud risk and eligibility uncertainty of the Low Value Transaction exemption are combined it looks increasingly unattractive.
When a series of recurring transactions of constant value (for example, a Netflix subscription paid on card) is first set up, SCA is required but each subsequent billing attempt is exempt.
Verdict: Given the lack of cardholder in the loop for recurring billing attempts this is a no-brainer as long as the transaction is the same value each time.
There's still fraud risk on recurring transactions so best practise is to enforce SCA on the initial setup
Transactions that pose a low level of risk may be exempt from Strong Customer Authentication provided the Acquirer's aggregate portfolio fraud rate is below defined thresholds and the Transaction Risk Analysis employed complies with defined factors.
For a particular transaction value, the fraud rate of the Acquirer's whole portfolio must be at or below the Reference Fraud Rate:
| Exemption Threshold Value | Reference Fraud Rate (%) for remote electronic card-based payments |
|---|---|
| 100 EUR | 0.13% |
| 250 EUR | 0.06% |
| 500 EUR | 0.01% |
| > 500 EUR | No exemptions |
The Regulatory Technical Standards (RTS) define payments as posing a low level of risk where:
[…] payment service providers as a result of performing a real time risk analysis have not identified any of the following:
[…] shall take into account at a minimum, the following risk-based factors:
The assessment made by a payment service provider shall combine all those risk-based factors into a risk scoring for each individual transaction to determine whether a specific payment should be allowed without strong customer authentication.
Verdict: The Reference Fraud Rates are very ambitious and the minimum set of analysis criteria extensive, but the Transaction Risk Analysis exemption offers a sensible and achievable method for online businesses to preserve the smooth user experience expected by cardholders whilst remaining compliant with PSD2's bold security objectives
PSD2 applies to 'regulated payment service providers' which in online card payments means Issuing and Acquiring Banks. The legislation is clear that whomever requests or triggers an exemption is liable for any resulting fraud.
The most likely party to request an exemption is the Acquiring Bank since they represent the Merchant and it's the Merchants who want to avoid SCA. So, if a SCA-exempted transaction turned out to be fraudulent then the Issuer would pass the cost of that fraud back to the Acquirer.
The EBA have been very clear that the ability to trigger exemptions by Acquirers is tied to the fraud rate of the whole portfolio:
"The fraud rate […] is calculated for all credit transfer transactions and all card payment transactions and cannot be defined per individual payee (e.g. merchant) or per channel (whether app or web interface). The fraud rate that determines whether or not a PSP qualifies for the SCA exemption cannot be calculated for specific merchants only, i.e. where the payer wants to make a payment to a specific merchant and this specific merchant has a fraud risk that is below the threshold."
This means that Acquirers must work hard to attract and retain low risk Merchants in their portfolio so their aggregate fraud rate is below as many of the fraud rate thresholds as possible.
The European Banking Association (EBA) has made it clear that:
"Acquirers may contractually agree to ‘outsource’ transaction risk analysis monitoring to a given Merchant, or allow only certain predefined Merchants to benefit from their exemption eligibility."
Given the new importance to the Acquirer of maintaining a low portfolio fraud rate, this outsourcing agreement will likely be based on a contractually agreed low fraud rate and only available to Merchants able to demonstrate historically low and well managed fraud rates and compliant Transaction Risk Analysis (TRA) techniques.
This outsourcing ability is only available provided the Acquirer's aggregate portfolio fraud rate is below the required threshold; even if the Merchant's transactions are low risk, the exemptions are only valid if the whole portfolio is below the threshold rate.
Merchants with large transaction volumes exhibiting historically low and well managed fraud rates will be in increasingly high demand by Acquirers seeking to maintain the low-risk portfolio they'll need to offer SCA exemptions.
These Merchants will have a strategic advantage with their Acquirers in contract and relationship negotiations, a condition of which may well be the ability for the Merchant to employ their own Transaction Risk Analysis.
Acquirers that can technically and contractually offer both SCA exemptions and TRA outsourcing are therefore at a significant advantage in the modern competitive market of European Acquiring.