You might have a great burglar alarm, but that doesn’t mean you’re going to leave your front door unlocked.
The same goes for fraud detection—criminals are not known for giving up, so improving one aspect of your security measures shouldn’t be an excuse to leave the door open for them elsewhere.
Since the revised Payment Services Directive (PSD2) came into operation in January, with its requirement for strong customer authentication (SCA) from September next year, merchants often ask us if they’ll be able to ease up on their fraud detection programs. After all, this enhanced authentication will keep the fraudsters away, right? Well, not quite. Here are four good reasons not to make that assumption:
1. Out of scope transactions
What SCA delivers is a much tighter framework for customer authentication than we’ve seen to date. It requires the consumer to present two or more of the following when making an electronic payment transaction:
- Something they know, such as a one-time password or PIN
- Something they have, such as a token generator, mobile device or plastic card
- Something they are, such as their thumbprint or a voice match
It doesn’t cover every type of transaction, however. The following are outside the scope of the legislation:
- Transactions in the mail order / telephone order (MOTO) channel
- Merchant-initiated transactions, such as direct debits
- One-leg-out (OLO) transactions
- Recurring transactions of a consistent amount, once the first transaction has been authenticated
When you make it more difficult for fraudsters in one channel, they’ll try another—possibly one that isn’t protected by SCA. So that’s the first reason not to dial back on the fraud detection.
2. Exemptions
PSD2 allows for certain in-scope transactions to be exempt from SCA. Exempting low-value, regular, white-listed and low-risk transactions can reduce friction for the customer. These exemptions are applied by issuers and acquirers, but can be influenced by merchants.
If you agree to an exemption strategy with your acquirer, you may take on the liability for those exempted transactions. So you’ll want to be confident you have a robust fraud detection program in place—things could get costly otherwise.
3. Transaction risk analysis
Transaction risk analysis (TRA) is carried out by issuers and acquirers to exempt low-risk transactions based on a dynamic evaluation of various risk factors. To be able to carry out TRA effectively, however, their fraud rates need to remain below a specific threshold. If your fraud rates rise, so do theirs; and that’s bad for everyone—you could even find yourself being hit with financial penalties.
4. Your brand
Even if you can absorb the financial impact of an increase in your fraud rates, perhaps the most compelling reason not to take that risk is the impact it could have on your brand. If customers don’t see you as being safe and easy to deal with, they may take their business elsewhere. And just one high-profile fraud incident could be very difficult to recover from.
SCA—a step in the right direction, but not a panacea
Of course, some issuers and acquirers are already offering two-factor authentication, but for the rest, SCA offers the chance to beef up the authentication stage of online transactions, and takes away much of the ambiguity around when to exempt or not. It’s not a cure-all for fraud though. It’s important to leverage all the power of SCA not on its own, but as part of a comprehensive, multi-layered, cross-channel fraud detection program.
If you want to know more about how PSD2 SCA will impact your business, please get in touch with us.