How to fulfill PSD2 requirements without causing buyers friction during online purchases?

When discussing PSD2 requirements, most stakeholders will have Strong Customer Authentication (SCA) in mind. SCA involves authentication methods that are more advanced than the old-fashioned static PINs and passwords. But this comes with a cost. SCA implementation is much more complex for payment service providers, as well as for the end-user. It requires additional actions on their side, such as a downloaded mobile token, supported biometrics, retyping OTPs, and more.

Yes, PSD2 requirements advocate Strong Customer Authentication, but what does that really mean for the stakeholders? SCA demands authentication based on two out of three independent elements (factors), namely possession, knowledge, and inherence. Regardless of the methods chosen, PSD2 brought another tool that increases security while improving the end-user experience: Risk-Based Authentication. PSD2 makes it clear that the strength of authentication should correspond to the level of risk of a given transaction.

Utilize predefined PSD2 requirements and RTS exemptions

PSD2 requirements and the corresponding Regulatory Technical Standards (RTS) on Strong Customer Authentication specify that SCA exemptions are applicable. The prerequisite for applying any of the exempted scenarios is to conduct a transaction risk analysis (TRA). TRA rates a transaction as high, medium, or low risk. Such analysis can be as simple as the Low-Value Payment exemption, which presumes that transactions below 30 EUR, even in cases of fraud, pose a low risk and low financial impact.

For transactions that are not low-value payments, a more sophisticated risk scoring approach is necessary on the issuer side. This risk analysis should consider the end-user's usual behavior: their habits, the channels and devices they use, common geolocations, known delivery addresses, and more. On the other hand, issuers also need to track the relevant merchants, meaning their fraud rate, blacklists, risky currencies, etc. As expected, sophisticated risk analysis requires advanced risk scoring solutions.

PSD2 requirements move liability to the acquirer and merchant

The issuer's main concerns are fraud costs and chargeback liability. With 3D Secure 2, acquirers and merchants shift liability to the issuer side. Therefore, issuing banks favor SCA for obvious reasons: it protects them and the cardholders from a wide range of fraudulent online payment activities.

Since merchants are much fonder of frictionless transactions than issuers are, PSD2 requirements and the recent 3D Secure protocol enable merchants and acquirers to communicate their authentication preferences in the 3DS transaction flow. This does not mean that the authentication is invalid. Merchants who opt for this approach trust the authentication performed when the buyer signs in to the merchant's web or mobile shop; i.e. the buyer authenticates during login to the web or mobile shop. This is not Strong Customer Authentication. Still, taking into account the transaction amount, the usual delivery address, the type of purchased goods or services, and the card data used (which is usually visible in the webshop, hopefully handled according to the PCI DSS rules), merchants can be quite sure that the buyer is not a fraudster. Demanding additional authentication by the issuer usually leaves end-users irritated and unsatisfied with the lengthy transaction authentication process.

Additionally, if the issuer approves a transaction under the merchant exemption and the transaction turns out to be fraudulent, the merchant is the one that takes the liability for chargeback costs.

Give the buyer a choice

Different regions, merchants, and goods and services result in different buyer preferences when it comes to SCA or SCA exemption. The best option is to let the buyers decide for themselves. With the introduction of Trusted Merchant Listing in 3D Secure 2.1, further enhanced in 3D Secure 2.2, buyers are able to choose trusted merchants in order to avoid SCA. Previously, the issuing bank analyzed eligible merchants and listed them for inclusion in the SCA exemption. Contrary to the merchant exemption preference, the liability for fraud costs and chargebacks moves to the issuer side. To minimize this risk, candidates for the merchant whitelist also need a risk assessment, which is done with advanced risk scoring solutions that evaluate the merchant's fraud rate.

No exemption? Use biometrics

Biometry is the most applicable, most user-friendly, and most secure authentication method when talking about 3D Secure authentication in online payments. This is recognized by the card schemes, as MC and VISA introduced KPIs for issuers to measure biometry authentication rates. As Juniper Research states, facial recognition software was already deployed on around 96 million mobiles in 2019, with a forecast that biometric facial recognition will be present in 90% of smartphones by 2024, making biometric authentication widely applicable. Implementing biometry also addresses the dynamic linking required by PSD2. In the end, applying biometrics is extremely fast and straightforward when combined with a push notification during online payment authentication.

eBook: Leveraging the full potential of payment data

ASEE provides actionable advice on how to confront the high cart abandonment rates for mobile, as well as provides the tools that have the capacity to address other mCommerce challenges.

To find out more about Trides2 portfolio, contact us or visit our blog section.  

Top 7 IoT device security issues: Smart things, smarter fraud

The number of IoT connected devices in 2019 was 7.74 billion. The forecasted figure for 2025 will (more than) double, reaching 16.44 billion devices. We are talking about a heavily used technology, coming in all shapes and sizes, with limited regulation and standards bound to it. Lack of security awareness by both end-users and manufacturers should raise alarm bells.

What are IoT devices?

Let's start by splitting the term ''Internet of Things'' into sections to better understand what we're dealing with. The ''things'' are the IoT devices, and the Internet is – well, the Internet. Since IoT devices come in all shapes and sizes, offering a multitude of individual solutions for specific use cases, commonly up to a few functionalities per device, the IoT environment is as diverse as it gets.

The Internet of Things (IoT) describes the network of physical objects—“things”— embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet. These devices range from ordinary household objects to sophisticated industrial tools. - Oracle 

One of the most familiar examples would be Smart Homes, showcasing the power of IoT and its accessibility. With an application in charge of your Smart Home system, you're able to manage your smart locks, check up on your surveillance system, adjust the temperature in each individual room, and more. There are also portable IoT devices, Smart Watches being the first thing that pops up in pretty much anyone's mind.


By now, you have an idea of how broad the IoT industry is. It includes every piece of software, gadget, sensor, etc., with the capacity to connect to the Internet. Although diversity is a good thing, in this case the lack of standardized security protocols, combined with demand so high that manufacturers focus solely on a faster time to market, means the IoT poses a significant threat to both your physical and informational security.

IoT device security challenges

The IoT movement unveiled new ways of interacting with the Internet. It's no longer just us, humans; devices are using it too, 24/7 to be exact. This means that there is no way to monitor how the device interacts with the Internet unless there is another machine in play. This constant communication between the device and the internet is present because much of the concept designed around a particular IoT device relies on real-time responses, monitoring, and other functionalities.

If a thermostat receives information that the room temperature is lower than the one stated in the custom settings, it will react in real-time and adjust it accordingly. Your Smart Watch is ''watching'' you at all times, reminding you to take a stroll after an hour of sitting in the same spot. Like we said, without constant connection and exchange of data, much (if not all) of the IoT functionalities are useless.

This unsupervised flow of information exchanged by IoT devices is causing trouble for cyber security experts, since the technology is being pushed onto the market with loose security standards. In that respect, the IoT is not yet in its mature stage. Known and emerging challenges need to be resolved, which includes both the secure-by-design principle on the manufacturers' side and building user awareness of the security issues.

The top challenges concerning IoT device security are the following:

Common IoT attacks

An article by ChannelFutures lists some of the most common IoT attacks, and this is the breakdown:

Privilege escalation

Attackers exploit known IoT device bugs, design issues, and OS oversights in order to gain access to data that is normally protected from an application or the user.

Eavesdropping

When the connection between the IoT device and the network is unsecured, network interception is used to steal sensitive information.

Brute-force password attacks

Since most IoT device passwords are weak, brute force attacks are a successful method of gaining access to the device.

Firmware hijacking

If a firmware update coming from an illegitimate source is downloaded to the IoT device, the attacker is able to hijack the device and install malware.

Denial-of-Service attacks

DoS attacks are a popular way for hackers to put an entire company offline or gain access to sensitive information. DoS is notorious because of its presence in IoT related attacks.

Physical tampering

When devices are deployed in an environment where management and physical access to the device are difficult to supervise, physical tampering is a serious threat. For example, company printers can spread malware, endangering the entire company network.

Top 7 IoT device security issues

The IoT industry is only getting bigger, and so is the number of issues that come with it. The key to successful adoption is to understand repercussions and minimize any known IoT device security issues.

1. IoT Users are oblivious, and nobody seems to care

We're used to managing our account passwords and taking care of our email accounts, successfully ignoring phishing attacks and spam. But what about our IoT devices? As we're dealing with emerging technology, we are still unaware of the amount of sensitive and potentially valuable information stored within our gadgets. Social engineering attacks are a popular way for hackers to gain access to that information by targeting the user instead of the device. Doing so through our unexplored, brand new IoT device seems to be a very logical first step.

2. IoT Manufacturers are turning a blind eye to compliance matters

Each day brings a brand new IoT device to the market, which translates to a number of undiscovered IoT device security issues. Lack of compliance caused by manufacturers rushing to launch the next big thing is the primary source of emerging security issues. Furthermore, when implementing the ''secure by design'' principle, they always seem to overlook the ''secure'' part. When developing a new IoT device, manufacturers should avoid bad practices, including weak or hardcoded passwords, lack of security best practices, OS issues, and insecure data storage and transfer.

3. An army of bots

If a single IoT device is infected with malware, the threat lies there, with one user. But when there is a larger number of infected devices, creating an army of bots, entire systems and networks are endangered. Take a quick trip to 2016 and revisit the Mirai botnet incident. Since IoT device security is not at its peak, the devices are an easy target for hackers and are later used as a weapon. An army of bots is able to send out huge amounts of traffic, causing system failures that threaten a large group of individuals.

4. Overlooked IoT device security updates

Who is to blame? Both manufacturers and end-users. A common scenario when purchasing an IoT device is that it comes with the latest software update and never lives to another update – ever. This is because manufacturers allow the use of the IoT device without the latest update. Also, the update process differs from the one on your smartphone – maybe there is no notification or automatic updates. And let's be real, would you remember to check whether your smart lightbulb is up-to-date with the latest version? Yeah, me neither.

5. Eavesdropping and espionage

Taking control over a surveillance system often results in ransom requests. Invading the user's privacy is also followed by theft of sensitive information. But the shivers you would get the moment after walking into your home knowing you had a recent IoT device security incident are probably the most frightening part. To combat this issue, some IoT devices are being banned due to insufficient security measures and the assumption that they might be a threat to a user or a larger group of people. Take the ''Cayla doll'' as a prime example of a seemingly unsuspicious smart toy, presumably recording and storing voiceprints of the entire household at all times.

6. IoT device security issues in healthcare

IoT made great breakthroughs in the healthcare department. Real-time monitoring of your patients with a pacemaker from the comfort of their home is a real success story. On the other hand, tampering with IoT in healthcare could lead to devastating consequences. Imagine the repercussions of an infected IoT device handling insulin shots for a diabetic. The same thing applies to stealing and altering patients' medical records. 

7. Physical protection concerns around IoT device security

IoT devices that can't be stored at a secure location are exposed to physical attacks. For example, a smart surveillance system's memory card is easily accessible. The consequences vary from unauthorized access to sensitive information to blackmail.

IoT device security and consequences

The above-mentioned IoT device security issues and threats are frightening enough on their own, but the most concerning part is the actual consequences. The diverse nature of IoT devices and their presence in both the virtual and physical world generate unpredictable results; sometimes positive, sometimes negative. If we take the industrial use of IoT, consequences range from minor power outages and financial losses to reputational damage. The healthcare industry is no exception to those threats. Smart homes, filled with smart appliances, are proving to pose both physical and informational threats, leaving us with consequences that are extremely hard to get over.

However, IoT devices are not here to raise havoc but to make our everyday tasks easier. As with all emerging technologies, it is our responsibility to design them and use them with caution. This includes implementing security measures and protocols that eliminate any known IoT device security issues; as well as being on the lookout for emerging threats and thinking critically before jumping into our new project.

How does ASEE fit in?

Any IoT device managed through a mobile application is vulnerable to an additional set of threats – mobile app security threats. In order to unlock your smart door, you'd use a designated mobile app to do so. To gain a more in-depth insight of your workout supervised by your smart watch, you'd grab your smartphone and check your workout history in-app.

To combat known and emerging threats, ASEE developed a solution with mobile application security in mind, App Protector. By integrating our solution with your mobile application, you enable the detection and prevention of mobile app security threats in real-time. This includes hooking attacks, jailbreak/root and emulator detection, screen recording and debugging. Make the security of your mobile application and its users a priority, not an afterthought. Find out more about why mobile app security has become imperative in today's mobile-first environment.

eBook: Is your app among prime targets?

Find out which vulnerabilities and threats are typical for gaming, smart home, IoT, healthcare, and fintech industries and how to protect your mobile application with high-level security mechanisms.


To find out more about our App Protector solution, contact us or visit our blog section.  

Mobile app statistics to keep an eye on in 2024

Let's crunch some numbers with the help of buildfire's mobile app stats for 2024. As of today, we have 6.3 billion smartphone users. An average smartphone user has around 80 apps installed on their phone. The fact that more than 60% of those apps remain untouched after the initial login/use makes the following conclusion even more concerning. Now, if we multiply those two numbers, we get the total for the surface on which mobile app attackers can operate. You're curious about the total, right? That's 504 billion opportunities for hackers to harm the end-user, company brand, or developer's reputation. It's time to talk about mobile app security.  

What is mobile app security? 

Mobile app security is a measure for preventing malicious use of mobile applications through various types of attacks. With the ongoing growth of available mobile applications, mobile app security has become imperative in today's mobile-first economy. The average app user might not be showing much concern about the security of their applications. However, developers agree on one thing. The standard smartphone operating system platforms alone do not offer sufficient security.  

To get the point across, let's look at some relevant stats

''Mobile application security must be a proactive measure, not an afterthought.'' 

That is why the focus is shifting toward safeguarding mobile applications in a way that does not disturb the look and feel of the application in question. Being able to both detect and prevent mobile application attacks in real-time is the end goal.  

Importance of mobile app security 

To understand how important mobile application security is today, you need to be aware of the consequences that come with unsecured apps. As we already mentioned, the potential for hackers is vast. There are a number of applications out there offering little to no security when it comes to protecting the end-users and their data.


We're going to take mobile banking applications as a prime example of a potential hacker attack. What's in it for the hacker? Loads of good stuff: client personal data including email, phone number, home address, credit card numbers, and bank account numbers. The attacker can make illicit transfers and tamper with the rightful owner's account in many ways. That is, if we are talking about a targeted attack on an individual. What happens when the target is not the client but the bank itself? Picture this. A hacker is able to bypass the security of an mBanking application. He then gains access to a couple hundred thousand customers' sensitive information. What follows is blackmail, demanding ransom from the bank in order to keep quiet about the bank's security issue. That is just one out of numerous scenarios that happen when mobile app security is insufficient.

And we're not talking about an extreme case here. Attackers commonly target company brand image and developer reputation by using end-user accounts to tamper with the application. This is why mobile app security must be the focus of the entire application development lifecycle, not an afterthought.

Mobile app security threats 

Without implementing any form of mobile app security, your app is vulnerable to reverse engineering attacks and prone to manipulation. Take a look at the most common mobile security threats that you should keep an eye on:

Poor data encryption

If your app is storing sensitive data in a local file without encryption, it's time to switch things up. Encrypt that data and use the Keychain (iOS) or Keystore (Android) for storing the decryption keys.

Vulnerable OSs

Hackers stay up to date with all of the loopholes in operating systems in order to exploit them. Make sure that the operating system is always updated to the latest version.

Reverse engineering 

In simple terms, reverse engineering, in this case, is application development, only backward. Hackers often disassemble apps piece by piece in order to understand the algorithms and workflows, followed by exploiting detected vulnerabilities.  

Mobile app attacks  

Rooting or jailbreaking your device puts your smartphone at high risk. This is because the default OS security measures can be easily removed. Your phone won't be able to recognize if an app from an unsecured source is being installed. Exact copies of an original app developed by hackers, injected with malware, can steal data contained on your phone.  

Furthermore, fraudsters are getting pretty creative throughout the years when coming up with new or transforming old hacker attacks targeting mobile apps. These include the previously mentioned jailbreaking/rooting, debugging, hooking, screen recording, emulator attacks, and others.  

Mobile app security ft. RASP 

RASP, short for Runtime Application Self-Protection, is a technology developed with mobile application security in mind. When the app is up and running, so is RASP. RASP protects mobile applications from various types of malicious attacks in real-time by both detection and prevention. Most RASP-based security systems have the following responses to potential attacks: notifying the user, notifying the server, or terminating the application in use. Depending on the risk level of a detected attack, applications with integrated RASP technology will respond accordingly. Also, by implementing RASP, you are not affecting the design or the performance of the application whatsoever. Everything remains the same, except for the added layer of security provided by RASP technology.  

By collecting data that showcases the ''normal'' behavior of the app and its users, advanced RASP versions are able to develop patterns and decide which ones are out of the ordinary, meaning some type of fraud. This data includes typical information such as IP address, device type, and geolocation, but also takes into consideration advanced data, including whether the device is jailbroken or rooted. RASP has insight into application logic, configuration, and event flows. This makes it highly successful at detecting both known and emerging fraud.

How does App Protector fit in? 

App Protector is a security technology integrated into the application runtime environment, capable of controlling application execution, detecting early intrusion, and preventing real-time attacks. The end goal of App Protector is to protect all of the application's stakeholders; owners, developers, and the app's end-users.  

App Protector detects threats present within the device on which the application is installed, alerts, and neutralizes those threats. If an anomaly is detected, App Protector responds in one out of three ways:  

It comes in two modes: offline and online. Offline mode uses a hardcoded configuration, while online mode comes with a portal that enables configuration customization, i.e. selecting the wanted response for each individual security threat. App Protector is successful at detecting and preventing mobile app threats, including jailbreaking/rooting, debugging, emulator attacks, hooking, and screen recording (for iOS).


eBook: Mobile application security toolkit

Learn more about the mobile security threat landscape and the three key pillars of anti-tampering for mobile: a detailed look at code obfuscation, integrity checking and Runtime Application Self-Protection (RASP).


To find out more about our App Protector solution, contact us or visit our blog section.  

What is debugging and how do hackers use debuggers to compromise your mobile application?

When software behaves in an unexpected manner or crashes without any external factors, it's time to do some debugging. Debugging is the process of revealing and resolving errors and issues, called ''bugs'', within software, systems, mobile applications, and more.

What is debugging? 

It is an exceptionally demanding task, requiring focus and a great amount of patience. In some cases, debugging takes more time than coding a program from scratch. Why is that so? Well, with complex software structures, one component is dependent on another component, or even a couple of them. That means that a bug in a single component indirectly affects numerous other lines of code that need to be revisited and adjusted accordingly. 


To aid them in the debugging process, programmers use debuggers. A debugger is a tool that enables you to view the application code while it is running. You can stop the execution of the program, analyze variable values, execute the program in steps (line after line), set breakpoints on specific lines which stop the execution, and more. This detailed view of the code in its running mode enables you to understand flows and application logic, as well as to detect errors within the code. 

Debugging process 

Upon detecting an issue causing the application to run in an unexpected manner, the debugging process goes as follows: 

  1. Reproduce the bug before making any changes within the code. Always.

Reacting on the basis of a problem description often results in an issue greater than the one you started with. Fixing a single line of code might affect other functionalities that are not obvious at first. Make sure that you are able to reproduce the bug and save yourself from the trouble of revisiting the code all over again.

  2. Collect info for a detailed bug description.

More information means narrowing down the error area, as well as eliminating additional issues arising from the bug fix.

  3. Use a debugger.

Help yourself and use a debugger to aid you in the debugging process.

  4. Bug snapshot.

Capture the program when the bug appears. Make sure to get all of the variable values and states at the spot.

  5. Analyze the snapshot.

Based on the snapshot, analyze the values and try to reveal the cause of the issue.

  6. Fix the bug.

Fix the bug and make sure that your bug fix does not affect any other lines of code, resulting in a new bug.

Debugging approaches 

There are a couple of debugging approaches, and here are the most popular ones adopted by developers: 

Despite its general inefficiency and low success rates, debugging by brute force is the most popular method among programmers. According to O'Reilly, there are at least three categories when discussing the brute force method: debugging with a storage dump, debugging according to the common suggestion to ''scatter print statements throughout your program'', and debugging with automated debugging tools.

This approach is based on deduction. Your starting point is where the program showcases the incorrect result. From there, you build your solution backward in order to reveal which variables are causing the trouble. 

A number of hypotheses are developed in connection to the occurring bug, followed by creating a list of possible causes. This is followed by testing each of the listed possible causes and, finally, the elimination process. Another name for the cause elimination method is the induction and deduction method. 

Program slicing is based on taking a group of program statements and testing conditions at a particular point of interest. It is a simplified and less time-consuming approach to debugging.  

Mobile app debuggers with malicious intentions 

From the above introduction to debugging and debuggers, by now, you should be able to see how there's also room for malicious practices. Debugging and debuggers enable the user to get insight into the application logic. If someone with bad intentions and a sufficient amount of programming knowledge decides to misuse a mobile application, they can easily use debuggers to achieve their goals. 

Debuggers and reverse engineering 

Debuggers come in handy when practicing reverse engineering. In terms of software and cybersecurity, reverse engineering is the process of disassembling a piece of software, followed by a thorough analysis of its functions and logic in order to fully understand its behavior. 

You can see how things can go south when a person with malicious intentions, the right tools, and enough knowledge decides to tamper with an app. Debugging allows you to see the app from the inside and understand application logic and flows. This knowledge assists the attacker with designing an imitation app containing a piece of malicious code. From there, there are a number of possibilities to tamper with the app, from individual attacks to data breaches.

What is also of interest to the attacker are the logging levels. Debuggers provide insight into debug log levels, which contain information necessary for diagnosing issues, troubleshooting, or running an application in a test environment. This is more granular information, the kind you wouldn't need in the usual production environment. By providing detailed diagnostic information about the application flows and logic, the debug log level can prove to be a very useful resource for an attacker.

Debugging detection and prevention 

Although debuggers were originally intended as a safe haven for fixing bugs, their malicious use has been around for quite a while. When talking about mobile application security, App Protector is a safe haven that safeguards your app from various types of threats, including debuggers. By integrating App Protector into your mobile application's runtime environment, you are ensuring detection and prevention of the following threats:

If an anomaly in the application's behavior is detected, App Protector responds in one out of three ways:  

  1. Notifies the app's end-user about a potential threat, suggesting to uninstall the application.
  2. Sends a notification to the server, resulting in immediate application termination.
  3. Generates false values, hindering the attacker from further misuse.

By implementing App Protector, the look and feel of the original mobile application remain intact. However, the security levels are significantly increased, protecting your application and its end-users.  

App Protector Free SDK


App Protector SDK is a mobile security component built into the application's code enabling runtime protection as well as a variety of mobile application hardening techniques, including jailbreak detection.

Try App Protector Free

To find out more about our App Protector solution, contact us or visit our blog section.  

How implementing 3D Secure 2 ensures ultimate security without compromising user experience?

When discussing heightened security measures regarding online payment security, it is very important to take the customer's online shopping journey into account. Making a transaction more secure without interfering with User Experience is a challenge, but 3D Secure 2 ensures exactly that, maximum security alongside smooth user experience.

To provide these features, some actions need to be performed in the issuer domain, such as transaction risk analysis and risk scoring. These are the foundations of the so-called frictionless flow, which grants online payment security without disrupting the user experience. Furthermore, to make the risk assessment even more precise, KYC (Know Your Customer) checks on the merchant side can also apply. To get valuable insight into how 3D Secure tackles this challenge, keep reading.

Transaction authentication flow

When authenticating the buyer, 3D Secure 2 does not rely solely on direct customer authentication with something the buyer owns or has in their possession. A strong focus is on banks knowing their customers, the actual buyers, during the transaction process. The analysis looks at the customer's purchase and payment behavior patterns and identifies deviations from them; a deviation results in additional authentication.


3D Secure 2 introduced the so-called frictionless flow, but the final result depends on the risk score and on the fraud analysis tools used in transaction risk analysis and monitoring. When the issuer-side risk scoring system recognizes the buyer's usual behavior (for example, the buyer is using the same device and the same iOS version as usual, an IP address lookup matches their usual location, and the transaction amount does not exceed their average spending), the issuer does not need to ask the buyer for additional authentication. The issuing bank's risk scoring should also consider merchant information within the transaction, including the merchant's security background and historical fraud rate, to make the risk assessment more precise.

User experience results

For the buyer, the user experience (UX) with 3D Secure 2 will look similar to a transaction without 3D Secure, but with a much higher level of security, preventing fraudsters from making transactions with the cardholder's lost or stolen card details. Banks still hesitate about the benefits of frictionless transactions: as shown by Ravelin, only 10% or less of all transactions are frictionless. For comparison, with a standard authentication challenge the average time to authenticate the buyer is about 37 seconds, whereas the frictionless flow takes about 5 seconds, providing a smooth user experience and reducing the shopping cart abandonment rate thanks to the simplified checkout.

eBook: Leveraging the full potential of payment data

ASEE provides actionable advice on how to confront high cart abandonment rates on mobile, as well as the tools to address other mCommerce challenges.


To find out more about Trides2 portfolio, contact us or visit our blog section.  

Mobile application hooking opening doors for app manipulation 

What is Hooking? 

Hooking covers a wide range of code modification techniques aimed at altering the behavior of the mobile application in question. This is done by intercepting function calls, messages, or events passed between software components. The code used for function interception is called a hook. The same technique can be used to change the behavior of the operating system and of the software components mentioned above.

Legitimate uses of code hooking include extending functionality and debugging. But of course, we are here to talk about the malicious side of code hooking, which has caused headaches on many occasions. Generally speaking, there are two hooking methods to be aware of: source modification and runtime modification.

Both methods have the same end goal, app manipulation. The difference is in the timing. With source modification, the attacker inserts the hook before the application runs, by reverse engineering the application or its libraries and altering their code. Runtime modification, as the name states, inserts the hook while the application is running, without touching the code stored on disk.

Easy access to hooking tools 

What makes code hooking even more attractive is the wide availability of tools for injecting and executing code in a running process. Frida, a free dynamic instrumentation toolkit that lets its user inject and run their own scripts inside otherwise closed software, is the best-known example. Even though the tool's intended use is to aid developers, pen-testers, and security researchers, bad actors use it as well.
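To make the detection side concrete, here is an added example in Python (not code from the original post or from App Protector) of the two checks a hooking detector typically runs on Linux-based systems such as Android: scanning the process memory map for injected instrumentation libraries and scanning the process's threads for the helper threads Frida's runtime spawns. The marker names are well-known public artifacts of Frida, Xposed and Substrate, not an exhaustive list; the `/proc/self/maps` lines and thread names are constructed for the example.

```python
"""Hooking-framework indicators in a running process (added example).

Looks for two classes of artifacts that Frida-style instrumentation leaves
behind: agent libraries mapped into the process and the runtime threads the
agent starts. The marker lists are well-known public names, not exhaustive;
the sample data at the bottom is constructed for this example.
"""
import os
import re
from typing import Dict, Iterable, List

# Substrings that show up in mapped library paths when an agent is injected.
INJECTED_LIBRARY_MARKERS = (
    "frida-agent", "frida-gadget", "libfrida",   # Frida agent / gadget
    "libxposed", "XposedBridge",                 # Xposed framework
    "libsubstrate", "substrate",                 # Cydia Substrate
)

# Thread names (/proc/<pid>/task/<tid>/comm) used by Frida's GLib runtime.
SUSPICIOUS_THREAD_NAMES = ("gmain", "gdbus", "gum-js-loop", "pool-frida")

# One line of /proc/<pid>/maps: range perms offset dev inode [path]
_MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(?P<path>\S.*)$")


def scan_maps(maps_text: str) -> List[str]:
    """Return mapped paths that match a known instrumentation marker."""
    hits: List[str] = []
    for line in maps_text.splitlines():
        match = _MAPS_LINE.match(line.strip())
        if not match:            # anonymous mappings carry no path
            continue
        path = match.group("path").strip()
        if any(marker in path for marker in INJECTED_LIBRARY_MARKERS):
            hits.append(path)
    return hits


def scan_threads(thread_names: Iterable[str]) -> List[str]:
    """Return the thread names that match Frida's runtime threads."""
    return sorted({n.strip() for n in thread_names
                   if n.strip() in SUSPICIOUS_THREAD_NAMES})


def hooking_indicators(maps_text: str, thread_names: Iterable[str]) -> Dict:
    """Combine both checks into one verdict with the evidence that drove it."""
    libs = scan_maps(maps_text)
    threads = scan_threads(thread_names)
    return {"suspicious_libraries": libs,
            "suspicious_threads": threads,
            "hooked": bool(libs or threads)}


def scan_live_process() -> Dict:
    """Run the same checks on this process (Linux /proc only; else a clean verdict)."""
    try:
        with open("/proc/self/maps") as fh:
            maps_text = fh.read()
        names = []
        for tid in os.listdir("/proc/self/task"):
            try:
                with open(f"/proc/self/task/{tid}/comm") as fh:
                    names.append(fh.read().strip())
            except OSError:
                continue
    except OSError:
        return {"suspicious_libraries": [], "suspicious_threads": [], "hooked": False}
    return hooking_indicators(maps_text, names)


# Constructed samples: a clean banking app process, and the same process
# after frida-server has injected its agent.
CLEAN_MAPS = """\
7f1a2b000000-7f1a2b1c5000 r-xp 00000000 fd:01 1052  /system/lib64/libc.so
7f1a2c000000-7f1a2c020000 r--p 00000000 fd:01 2231  /data/app/com.example.bank/lib/arm64/libnative.so
7f1a2c100000-7f1a2c121000 rw-p 00000000 00:00 0
"""
HOOKED_MAPS = CLEAN_MAPS + """\
7f1a2d000000-7f1a2df00000 r-xp 00000000 fd:01 3390  /data/local/tmp/re.frida.server/frida-agent-64.so
"""
CLEAN_THREADS = ["main", "Binder:1234_1", "RenderThread"]
HOOKED_THREADS = CLEAN_THREADS + ["gmain", "gum-js-loop"]

if __name__ == "__main__":
    print("clean :", hooking_indicators(CLEAN_MAPS, CLEAN_THREADS))
    print("hooked:", hooking_indicators(HOOKED_MAPS, HOOKED_THREADS))
    print("self  :", scan_live_process())
```

These checks are heuristics: an attacker can rename libraries or threads, and Frida's gadget can be built with custom names, so a real protector layers several such signals and pairs them with integrity checks rather than relying on any single one. On a host without `/proc`, `scan_live_process()` simply reports a clean verdict.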


Cybercriminals, black hats, and other fraudsters can compromise mobile applications, inject malicious code, and alter the application's behavior and logic to their own ends. By combining Frida with hooking, the bad guys can craft application experiences that have the look and feel of the original application. These attacks usually target applications that have built up a certain level of trust with their users: the trick is to never make the user doubt their next step within the application. That is how a successful mobile application attack is executed.

Consequences of code hooking 

By injecting a malicious piece of code, the attacker alters the application logic and changes its behavior. Hooking is a common building block of Man-in-the-Middle (MitM) attacks, where the fraudster intercepts and alters the communication between the sender and the receiver of a message.

Let's take a look at a simple example to see how hooking can cause damage in a real-life scenario. A MitM attack involves three actors: the communicator, who sends the information; the receiver, to whom the communicator is sending it; and the middleman, who intercepts the communication.

Our good actors are Alice, the communicator, and Bob, the receiver. Alice owes Bob $20 and wants to settle her debt. She logs in to her mBanking app and fills out all the necessary details to transfer the $20 to Bob: first name, last name, account number, and so on. When she presses the send button, Alice is unaware of Frank, the bad actor. Frank has hooked the application and changes the vital details of the transaction in the background, after Alice has reviewed them on screen, so that the $20 is sent to his own account instead. Alice never notices, and Bob is a few bucks short.

Is there a cure?  

App Protector is a security solution built with a mobile-first mindset. It covers various types of mobile application security threats and provides both detection and prevention of attacks in real time, safeguarding your mobile application and its users from malicious practices.

Upon detecting an anomaly or unusual application behavior, App Protector neutralizes the potential attack by either notifying the end-user about the suspected misuse or terminating the application at once. App Protector can detect whether an application is being hooked, whether it is running on an emulator or under a debugger, and whether the device is jailbroken or rooted.

Online mode enables customization of the threat responses and includes an admin portal for tailoring the response to each specific mobile application security threat. Offline mode uses a hardcoded configuration in which the threat responses cannot be selected.

Integrating App Protector with your mobile application changes neither the design of your application nor its application logic. You only add a further level of security, safeguarding your mobile application and its end-users.


Mobile Emulators Fraud: How to protect your applications?

Mobile emulators, beyond their original use cases, have become a tool used by attackers to target mobile applications. By letting an attacker operate many virtual devices and app instances at once, they have proven to be an effective means of bypassing authentication and rule-based security controls. To find out what cybersecurity experts are dealing with at the moment, keep on reading!

What are mobile emulators?  

Mobile emulators are tools for running mobile software on desktop computers, particularly useful for testing mobile applications. They allow developers to simulate and optimize a mobile app's software and hardware behavior without needing many types of physical devices.

A large part of an emulator's utility lies in testing responsive design. Mobile applications need to work well on different mobile operating systems and interfaces, including different screen resolutions. You can emulate any device type, model, manufacturer, screen, location, touch screen tap, and swipe, all without possessing a physical device.



Emulators are a cheaper and more efficient way of developing mobile software because they offer scale: there is no need to test on a cabinet full of physical devices. Their accessibility, time efficiency, and ease of use set developers up for success.

Unfortunately, with mobile emulators within such easy reach, the same technology is also used for illegal practices.

Role of mobile emulators within mobile fraud 

In the hands of an attacker, mobile emulators can cause a great deal of damage. Victims include all of the mobile app stakeholders: app owners, developers, and end-users. The widespread use of mobile emulators among attackers makes a lot of sense, since it lets them run large-scale attacks directly from their desktops.

Here are some common uses of mobile emulators in mobile fraud:

Furthermore, traditional rule-based security platforms are easily bypassed with a mobile emulator. If the device ID of an emulated instance is blacklisted, the attacker simply discards it and creates a new one; device identifiers are cheap to regenerate, so controls that key only on them provide little protection.
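The following Python, added here as an example rather than taken from the original post or from App Protector, shows why scoring device properties beats blacklisting device IDs. It scores a set of Android build properties against well-known public emulator indicators (the `goldfish`/`ranchu` hardware names, `generic` fingerprints, `google_sdk` models, the `ro.kernel.qemu` flag, Genymotion and VirtualBox markers) and then runs three login attempts through both a device-ID blacklist and the property check. All property sets and identifiers are constructed for the example; on a real device the values would be read from `android.os.Build` and system properties.

```python
"""Emulator detection by scoring Android build properties (added example).

The indicators are well-known public markers of the Android SDK emulator,
Genymotion and VirtualBox-based emulators. The property sets and device IDs
at the bottom are constructed; a real check reads android.os.Build and
system properties on the device itself.
"""
from typing import Dict, List, Set

EMULATOR_HARDWARE = {"goldfish", "ranchu", "vbox86"}
EMULATOR_MODEL_MARKERS = ("google_sdk", "emulator", "android sdk built for")
EMULATOR_PRODUCT_MARKERS = ("sdk", "vbox86p", "emulator", "simulator")
EMULATOR_MANUFACTURERS = ("genymotion",)


def emulator_signals(props: Dict[str, str]) -> List[str]:
    """Return the list of emulator indicators present in a property set."""
    p = {k: v.lower() for k, v in props.items()}
    get = lambda key: p.get(key, "")
    found: List[str] = []
    if get("ro.kernel.qemu") == "1":
        found.append("ro.kernel.qemu=1")
    if get("ro.hardware") in EMULATOR_HARDWARE:
        found.append(f"hardware={get('ro.hardware')}")
    fingerprint = get("ro.build.fingerprint")
    if fingerprint.startswith("generic") or "unknown" in fingerprint:
        found.append("generic/unknown fingerprint")
    if any(m in get("ro.product.model") for m in EMULATOR_MODEL_MARKERS):
        found.append(f"model={get('ro.product.model')}")
    if any(m in get("ro.product.name") for m in EMULATOR_PRODUCT_MARKERS):
        found.append(f"product={get('ro.product.name')}")
    if get("ro.product.brand").startswith("generic") and get("ro.product.device").startswith("generic"):
        found.append("generic brand and device")
    if any(m in get("ro.product.manufacturer") for m in EMULATOR_MANUFACTURERS):
        found.append(f"manufacturer={get('ro.product.manufacturer')}")
    return found


def is_emulator(props: Dict[str, str], min_signals: int = 2) -> bool:
    """Require several independent signals so one odd vendor value is not enough."""
    return len(emulator_signals(props)) >= min_signals


def assess_logins(logins: List[Dict], blacklisted_ids: Set[str]) -> Dict[str, Dict[str, bool]]:
    """Compare a device-ID blacklist with property scoring for each login attempt."""
    return {
        login["android_id"]: {
            "blocked_by_blacklist": login["android_id"] in blacklisted_ids,
            "flagged_as_emulator": is_emulator(login["props"]),
        }
        for login in logins
    }


# Constructed property sets (values chosen to resemble, not copy, real devices).
PHYSICAL_PHONE = {
    "ro.kernel.qemu": "0", "ro.hardware": "qcom",
    "ro.build.fingerprint": "acme/phoenix/phoenix:13/TQ3A/123:user/release-keys",
    "ro.product.model": "Phoenix 5", "ro.product.name": "phoenix",
    "ro.product.brand": "acme", "ro.product.device": "phoenix",
    "ro.product.manufacturer": "Acme",
}
SDK_EMULATOR = {
    "ro.kernel.qemu": "1", "ro.hardware": "ranchu",
    "ro.build.fingerprint": "generic/sdk_gphone_x86/generic_x86:11/RSR1/123:user/release-keys",
    "ro.product.model": "Android SDK built for x86", "ro.product.name": "sdk_gphone_x86",
    "ro.product.brand": "generic", "ro.product.device": "generic_x86",
    "ro.product.manufacturer": "Google",
}

# The attacker's first emulated instance was blacklisted; the second carries a
# freshly generated ID but the same emulator fingerprint.
BLACKLIST = {"a1b2c3d4e5f60718"}
LOGINS = [
    {"android_id": "9f8e7d6c5b4a3920", "props": PHYSICAL_PHONE},
    {"android_id": "a1b2c3d4e5f60718", "props": SDK_EMULATOR},
    {"android_id": "0011223344556677", "props": SDK_EMULATOR},
]

if __name__ == "__main__":
    for device_id, verdict in assess_logins(LOGINS, BLACKLIST).items():
        print(device_id, verdict)
```

The blacklist catches only the instance it has already seen, while the property check flags the rotated instance too. Property values can be patched on a rooted emulator, so a real check combines several independent signals (as `is_emulator` does with its threshold) with behavioral analysis of how the instance is actually used.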


As security technology evolves, attackers evolve as well. Their attacks grow more sophisticated by the minute, demanding the full attention of cybersecurity experts. To get an idea of how sophisticated these attackers are nowadays, find out what happens when a group of organized criminals gets hold of 20 emulators.

Mobile emulators went rogue: Evil Mobile Emulator Farms 

We have to mention the infamous fraud operation that used mobile emulators as its weapon of choice to commit fraud on a never-before-seen scale, known as the Evil Mobile Emulator Farms. Researchers from IBM Trusteer detected a fraud operation that used mobile device emulators to drain millions of dollars in just a few days.

A group of organized professionals used about 20 emulators that imitated 16,000 smartphones belonging to end-users of an mBanking application. A separate case brought even more shocking findings: a single emulator imitating 8,100 devices.

To pull off the attack, the attackers had a lot of preparation to do. Their tasks included collecting usernames and passwords, device types and IDs, and parts of SMS messages (the ones containing the OTPs needed to pass 2FA). This points to yet another task: infecting the victims' real mobile devices with malware before the emulator attack, so that their device identifiers and OTPs could be harvested.

With the data needed to bypass authentication in hand, the attackers automated the attack using emulators. Since an emulator's very purpose is to mimic the behavior of a mobile device, they scripted the attack and fed the stolen login data to the mBanking app from spoofed copies of the victims' devices. And that, in short, is how US and EU banks lost millions in a matter of days.

How to fight back? 

ASEE developed a mobile app security solution capable of detecting and preventing attacks in real time: App Protector. By covering a multitude of mobile application threats, including emulators, App Protector is a security powerhouse capable of safeguarding your application and its users.

If an anomaly is detected within the device or the application, App Protector neutralizes the threat by responding in one of three ways:

App Protector allows customization of the responses in online mode. Online mode offers an admin portal for configuration, where the administrator selects the preferred response for each type of detected threat. The offline mode of App Protector comes with a hardcoded configuration in which such customization is not available.

It is important to note that integrating App Protector with your mobile application does not affect the look or feel of the app itself. There is no tampering with the design or performance of the app, only a much-needed additional layer of security for you and your end-users.

 

TOP 5 most reliable and user-friendly authentication methods in online payments

The interdependence of security and user experience is an everlasting topic. A common denominator that ties these two together is the authentication method used during online payment processing. Explore which authentication methods provide a seamless user experience while keeping you secure from fraudulent attacks.

Authentication methods in a nutshell

Authentication is the process of verifying the identity of a user requesting access to a particular service. Until recently, simple credentials in the form of a username and password would suffice, but today's security standards call for something much stronger.

Different business requirements demand different security levels, achieved by carefully choosing or combining the available authentication methods. User experience plays a significant role in user satisfaction during online payment processing, so the authentication method applied must provide convenience and security at the same time. If the authentication process is inconvenient or does not run smoothly, it causes high cart abandonment rates. If, on the other hand, it does not provide appropriate security, the threat of fraud involving payment cards rises and results in chargeback costs.


Balancing between security and user experience is a challenge, but we at ASEE know how to approach this issue. The answer lies in Strong Customer Authentication (SCA) that enables various authentication methods tailored to the user's needs.

PSD2 driving innovation in online payment security

As part of the PSD2 regulation, the Strong Customer Authentication (SCA) requirement has been in force since September 2019. SCA adds a layer of security to online payments and is based on at least two authentication factors from the following categories:

This means that stakeholders needed to get creative and adopt a variety of authentication methods available for the end-user in order to be able to process a seamless and secure online payment.

Our top 5 authentication methods

We prepared a comprehensive list of authentication methods that provide both security and convenience during the processing of an online payment. Let's dig in!

1. Biometric Authentication Methods

Biometric authentication relies on the unique biological traits of a user to verify their identity, which makes biometrics one of the most secure authentication methods available today. It also causes less friction than knowledge-based methods such as PINs and passwords, making for a great user experience. The most common identifiers are fingerprint scans, facial recognition, and voice recognition.

PROS

Hard to spoof – biometric identifiers such as a fingerprint or retina pattern are unique to each individual. When combined with Dynamic Linking (binding the authentication code to the transaction amount and payee), a captured authentication cannot be reused for a different transaction.

Simple to use – no need to memorize various PINs and passwords; the authentication process is straightforward.

Fast and reliable – biometric authentication provides more security while taking less time than typing a password.

CONS

Privacy concerns – one of the major issues users have with this method is privacy. Even though the concern is largely subjective, it keeps a significant number of cardholders from using biometrics. In practice, on current smartphones the biometric templates are stored in a trusted execution environment, encrypted and inaccessible to the regular operating system; the app only receives a yes/no result, not the biometric data itself.

Possible errors – errors including false acceptance and false rejection of an authentication attempt.

2. QR Code

QR code authentication is typically used for user authentication and transaction validation. A typical transaction verification flow starts with the user logging in to their internet banking web application and opening a payment order. The internet banking application offers to process this payment using a QR code presented on the screen. The user scans the QR code with their smartphone using an authenticator application (which can be part of their mobile banking application). The authenticator then displays the transaction details, and after inspecting them for validity the user confirms the online payment on the phone.

PROS

Simple to use – the authentication process is straightforward.

Second factor – easily combines with other authentication factors for increased security.

No additional hardware – independent of dedicated hardware tokens; the user's smartphone is the authenticator.

CONS

Lack of familiarity – the general public is not widely familiar with this particular authentication method, resulting in a possible poor customer experience.

Device dependence – requires the use of smartphones alongside correct reader software capable of scanning the QR code.

3. SMS OTP

This simple yet effective authentication method involves sending an SMS message to the user's mobile phone, containing a one-time password used for finalizing the authentication of online payments.

PROS

Simple to use – the authentication process is straightforward.

Possession check – only the user holding the registered phone receives the OTP, so in case of suspicious activity only they can confirm the transaction's validity by entering it.

Familiarity – SMS OTP is one of the oldest forms of two-factor authentication, making it widely accepted by both users and security protocols.

CONS

Network requirement – if the user has no mobile network coverage, they cannot receive the OTP. SMS delivery is also not guaranteed to be real-time; a delay can cause the authentication window to expire.

Compliance – SMS OTP on its own is a weak fit for PSD2 requirements. If the phone is not in the possession of its rightful owner, the fraudster receives the OTP on the stolen device and processes the transaction, and malware on the device can read incoming SMS messages and forward the OTP to the attacker.

4. Push Notification Authentication Method

A push-based authentication system sends a notification to an app on the user's device, informing them about an authentication attempt. The user inspects the details of the attempt and, based on what they know about, e.g., the transaction taking place, either approves or denies the request.

PROS

Simple to use – if the authentication details do not raise any suspicion, the user simply confirms the authentication request.

Efficient fraud protection – push-based authentication allows a simple implementation of Dynamic Linking, which is effective in preventing phishing and MITM (man-in-the-middle) attacks.

Low cost – this method leverages user's existing mobile phones, eliminating additional hardware costs and maintenance costs.

CONS

Data access – notifications are sent through data networks, so in order for this method to be applied, the user must have data access.

Security issues – the user might approve a fraudulent transaction by accident, out of the habit of reflexively approving incoming notifications.

Dependency – push notification authentication requires an appropriate mToken application installed and activated on the user's device, i.e., the cardholder has to take certain steps before the method is available to them.

5. Behavioral Authentication Method

Behavioral authentication verifies a user's identity based on the unique patterns recorded while they interact with their devices (e.g., smartphone, tablet, computer). Identification factors range from the angle at which the user holds their phone to the pressure applied while typing. This method allows a genuinely frictionless experience while still providing the user with a meaningful level of security.

PROS

Simple to use – straightforward authentication process.

Hard to spoof – just like the fingerprint and retina are unique by definition for each individual, the same applies to the way a user interacts with their device.

Great user experience – the authentication process is passive, and friction is out of the equation.

CONS

Context sensitive – can be affected by the user's physical state and emotional behavior.

Invasion of privacy - major issue users have with this method is privacy concerns. What disturbs users the most is not knowing what data is actually collected, who has access to it, and how it is going to be used in the future. How far is too far?

3DS Mobile SDK Datasheet

Learn about fast and simple onboarding of your mobile application to 3D Secure programs. Unlock frictionless authentication and heighten online payment security at once.

Download 3DS Mobile SDK Datasheet


How App Protector prevents mobile app attacks?

Mobile app security is one of the most important features an app must have. It protects the app from attacks by hackers or malware. In the digital world we live in, it is a necessity to be aware of common app security problems and of the ways to protect your app.

Users engage in various activities on their phones on a daily basis: exchanging messages, personal and financial information, and much more. They expect application owners to test their applications, prevent mobile app attacks, and ensure that end-user information is safe.

Common threats in Mobile App Security 

Most of the time, application owners are rushing to launch on the market, disregarding key aspects of the application's security. Once the application is available for download, anyone, including attackers, has access to the application and its code. If the application is not protected well enough, attackers can scan it and spot vulnerabilities in its code. The application can also be disassembled or decompiled, which allows malicious people or groups to tamper with it, or to insert themselves into the communication between the app and the organization's server to collect valuable information.


Mobile app security threats

If your application is not protected, it is susceptible to reverse engineering and exploitation. To protect your application, here are some of the most common mobile security threats that you should be aware of:

Security best practices against mobile app attacks

Some key parts of mobile app security are:  

What makes App Protector different? 

It would take developers a lot of time to research, implement, and test all possible threats and mitigations on their own. ASEE offers App Protector, which developers can integrate into their application to ensure protection at runtime on both Android and iOS. An additional product component is the App Protector Portal, a web-based portal with two key highlights. The first is a detailed analysis of current threats in a modern UI, with all relevant data clearly presented. The second is dynamic configuration of App Protector, so that the configuration can be changed in response to ongoing attacks; this shortens response time when an urgent configuration change is needed.

App Protector ensures secure communication between the server and the applications, exchanging information about detected threats such as:

If you want to protect your applications and, no less important, their end-users, App Protector should be one of the key components of your apps.


How to reduce Cart Abandonment Rate with Risk-Based Authentication?

When talking about online payments, the first red flag that comes to mind is fraud. But there is another threat that is often overlooked: the cart abandonment rate, which causes headaches for both merchants and issuers. The first version of the 3D Secure protocol fell short in the user experience segment, making cardholders suspicious when processing their payments and leading them to abandon their purchases. Let's see how Risk-Based Authentication tackled this issue and removed the friction that was the leading cause of increased cart abandonment rates.

Cart abandonment rate, a silent threat

Cart abandonment rate is a common KPI for measuring the performance of your web store. It indicates how many customers added an item to their shopping cart but never finalized the purchase.

In other words, it is the share of shopping carts that did not end in a completed purchase: one minus the number of completed transactions divided by the number of carts created.


Industry benchmark based on a number of studies states that the average cart abandonment rate is 69.80%. An abandonment rate greater than the industry benchmark is due to a variety of reasons. Some of them being shipping costs, required sign-up, limited payment options, or checkout processes that are hard to follow.

By tracking their cart abandonment rates, merchants can better understand how their customers behave during their online shopping experience. Also, it is a helpful tool for determining why visitors are not converting into customers.

3D Secure 1 pain points

Security threats in the online payments environment are as real as they get. But the simple truth is that most cardholders have never encountered such an unpleasant situation. From their perspective, additional security layers are an inconvenience during checkout; a long checkout time or unfamiliar screens make the cardholder abandon the purchase. The first version of the 3D Secure protocol provided sufficient security, but it did not consider the user experience, especially on mobile versions of web stores, simply because the protocol was introduced long before such eCommerce channels appeared.

This resulted in a spike in cart abandonment rates. The cardholders had to deal with more friction in order to process a single payment, although that meant a more secured transaction. From the cardholder's perspective, heightened security measures were seen as irritating rather than looked positively upon.

Luckily, the newest version of the protocol, 3D Secure 2, introduced Risk-Based Authentication, enabling frictionless transactions while further improving the payment's security. 

How Risk-Based Authentication helps

Risk-Based Authentication calculates the level of risk for a particular transaction. Upon scoring the transaction as either high, medium, or low risk, the cardholder follows additional authentication steps if needed. It is a dynamic, parameter-driven system that appoints an appropriate authentication method according to an individual transaction's risk score.

Some of the mentioned parameters include the device, location, network, transaction amount, number of transactions, delivery address, behavioral history, new or existing customer, and more.

To better understand how Risk-Based Authentication works, let's use a real-life example. Suppose a new customer is processing a purchase. In that case, the system detects that there is no previous transaction history in connection to the card. The cardholder will likely be challenged in the form of an additional authentication method. However, suppose an existing customer is processing a transaction with an, e.g., known device, and the transaction is within the transaction amount average. In that case, the cardholder is not asked for any additional authentication, and a frictionless transaction will be processed.

Tackling Cart Abandonment Rates with RBA

Risk-Based Authentication promotes the so-called frictionless transactions; i.e., a transaction that does not require additional authentication on the cardholder side because the transaction is low risk. It allows issuers to approve a transaction without interacting with the cardholder. By eliminating friction, the user experience is automatically better.

A complete flow, enabled because of Risk-Based Authentication, is the following:

  1. A customer adds items to their shopping cart and proceeds to confirm the order.
  2. After entering their usual purchase information, a customer proceeds to checkout.
  3. The ACS (Access Control Server) on the issuer side collects and checks the risk-based parameters (e.g., device, network, browser version, delivery address, transaction amount...).
  4. A thorough history review compares the transaction with the customer's behavioral profile.
  5. If the transaction risk score is low, ACS authenticates the cardholder without demanding additional interaction with the cardholder.
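Here is an added example (not ASEE's or any issuer's scoring model) that turns steps 3 to 5 above, and the issuer-side scoring described in the 3D Secure 2 section earlier on this page, into Python: it compares the transaction's device, country, amount and delivery address with the cardholder's behavioral profile, adds the merchant's fraud rate, and maps the total to a low/medium/high risk level that decides between the frictionless flow and a challenge. The weights, thresholds, profile and transactions are all constructed for illustration.

```python
"""Risk-Based Authentication decision for a 3D Secure 2 ACS (added example).

Implements steps 3 to 5 above: collect the risk parameters, compare them with
the cardholder's behavioral profile and the merchant's history, and decide
between the frictionless flow and a challenge. Weights and thresholds are
illustrative assumptions, not any issuer's or ASEE's actual scoring model.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class CardholderProfile:
    """What the issuer has learned about the card's usual use."""
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    known_delivery_addresses: Set[str] = field(default_factory=set)
    transaction_count: int = 0        # 0 means a brand-new cardholder
    average_amount: float = 0.0


@dataclass
class Transaction:
    """Parameters the ACS receives with the authentication request."""
    amount: float
    device_id: str
    country: str                      # from IP geolocation / device data
    delivery_address: Optional[str]
    merchant_fraud_rate: float        # share of the merchant's recent transactions that were fraudulent


def risk_reasons(profile: CardholderProfile, txn: Transaction) -> Dict[str, int]:
    """Assumed weights: each deviation from the profile adds risk points."""
    reasons: Dict[str, int] = {}
    if profile.transaction_count == 0:
        reasons["new cardholder, no history"] = 40
    else:
        if txn.device_id not in profile.known_devices:
            reasons["unknown device"] = 25
        if txn.country not in profile.usual_countries:
            reasons["unusual country"] = 20
        if txn.amount > 2 * profile.average_amount:
            reasons["amount more than twice the average"] = 25
        elif txn.amount > profile.average_amount:
            reasons["amount above average"] = 10
        if txn.delivery_address and txn.delivery_address not in profile.known_delivery_addresses:
            reasons["new delivery address"] = 15
    # Merchant-side information counts regardless of the cardholder's history.
    if txn.merchant_fraud_rate > 0.01:
        reasons["merchant fraud rate above 1%"] = 20
    return reasons


def risk_level(score: int) -> str:
    """Assumed thresholds: low < 30, medium < 60, otherwise high."""
    if score < 30:
        return "low"
    if score < 60:
        return "medium"
    return "high"


def authenticate(profile: CardholderProfile, txn: Transaction) -> Dict:
    """ACS decision: only a low-risk transaction gets the frictionless flow."""
    reasons = risk_reasons(profile, txn)
    score = sum(reasons.values())
    level = risk_level(score)
    return {
        "score": score,
        "risk": level,
        "flow": "frictionless" if level == "low" else "challenge",
        "reasons": sorted(reasons),
    }


# Constructed profile: a cardholder with 40 past purchases averaging 50.
REGULAR = CardholderProfile({"dev-1"}, {"HR"}, {"Ilica 1, Zagreb"}, 40, 50.0)
NEWCOMER = CardholderProfile()

# Constructed transactions (merchant fraud rate 0.1% unless stated).
USUAL_PURCHASE = Transaction(45.0, "dev-1", "HR", "Ilica 1, Zagreb", 0.001)
FIRST_PURCHASE = Transaction(20.0, "dev-9", "HR", None, 0.001)
SUSPICIOUS = Transaction(160.0, "dev-7", "US", None, 0.001)
RISKY_MERCHANT = Transaction(45.0, "dev-1", "HR", None, 0.03)

if __name__ == "__main__":
    cases = [("usual", REGULAR, USUAL_PURCHASE), ("first", NEWCOMER, FIRST_PURCHASE),
             ("suspicious", REGULAR, SUSPICIOUS), ("risky merchant", REGULAR, RISKY_MERCHANT)]
    for name, profile, txn in cases:
        print(f"{name:15}", authenticate(profile, txn))
```

A brand-new cardholder is challenged purely for lack of history, while the regular cardholder's usual purchase goes through frictionless with a score of zero. A high merchant fraud rate alone does not force a challenge with these weights, but it moves the score toward the threshold so that one further deviation does.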

Benefits of implementing RBA

Benefits for the cardholders are obvious, a secured transaction with minimum effort regarding authenticating themselves. But the business benefit for merchants lies in reduced cart abandonment rates caused by reduced friction during the processing of online payments. It allows merchants to protect themselves and their customers from fraud while increasing revenue and customer satisfaction due to the frictionless experience enabled by Risk-Based Authentication.

As of right now, issuers are not confident in granting frictionless transactions, i.e., transactions that do not require additional authentication, because the issuing bank carries the liability in case of a fraud attempt. However, risk scoring services are acquiring more and more data by the minute and applying AI-driven analytics to it in order to build and analyze customer profiles. This makes it possible to detect even the smallest deviations from a cardholder's standard profile, so the issuer can step in with SCA to confirm the cardholder's authenticity.

eBook: Decreasing Cart abandonment Rate on Mobile

Learn how to optimize your mobile app in order to lower cart abandonment, provide your customers with a great user experience and drive more revenue.


To find out more about Trides2 portfolio, contact us or visit our blog section.  

Understanding Dynamic Linking within PSD2

Nowadays, online transactions can be conducted using multiple internet-enabled devices (computers, smartphones, tablets), making the online shopping experience convenient for both cardholders and merchants. But growth in online and mobile payments brought concerns in other areas such as card-not-present fraud. In order to enhance online payment security, Dynamic Linking came into play.

Intro to Dynamic Linking

With PSD2 came Strong Customer Authentication. And with SCA came Dynamic Linking; a key component designed to prevent social engineering attacks during the processing of a transaction. It enhances SCA and is a part of the latest 3D Secure 2 upgrade.

SCA is an additional layer of security, based on at least two elements from the following categories:


Dynamic Linking aims to specifically link each transaction to its amount and to the recipient of the payment. The end goal is to prevent social engineering attacks such as the "man-in-the-middle" attack, in which the fraudster attempts to interrupt the connection established between the payer and the payee and hijacks the authentication code to authorize fraudulent transactions. If Dynamic Linking is applied, a "man-in-the-middle" attack won't be successful, because the authentication code automatically fails if either of the linked transaction details, the transaction amount or the payee, has been altered.
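The property described above, a code that is valid only for one specific amount and payee, is easy to demonstrate with a keyed hash. The block below is an added illustration for this article, not code from the RTS, from 3D Secure or from any Trides2 component: the issuer derives the authentication code as an HMAC over a canonical encoding of the transaction id, amount, currency and payee, and verification recomputes it. The shared secret, field names and sample transaction are constructed for the example; how a real issuer provisions such a secret to the authentication device is out of scope here.

```python
import hashlib
import hmac
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict


def canonical_message(tx_id: str, amount: str, currency: str, payee: str) -> bytes:
    """Canonical encoding of the fields the code is linked to.
    Normalising the amount means "49.99" and "49.990" yield the same code,
    while any real change to amount or payee yields a different one."""
    amt = Decimal(amount).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    return "|".join([tx_id, str(amt), currency.upper(), payee.strip()]).encode("utf-8")


def issue_auth_code(secret: bytes, tx_id: str, amount: str, currency: str, payee: str) -> str:
    """Issuer side: the authentication code is an HMAC-SHA256 over the linked fields."""
    msg = canonical_message(tx_id, amount, currency, payee)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_auth_code(secret: bytes, code: str, tx_id: str, amount: str,
                     currency: str, payee: str) -> bool:
    """Verification recomputes the code for the details actually being authorized.
    compare_digest avoids leaking timing information about where the strings differ."""
    expected = issue_auth_code(secret, tx_id, amount, currency, payee)
    return hmac.compare_digest(expected, code)


def tamper_scenarios() -> Dict[str, bool]:
    """Issue one code for a constructed transaction, then verify it against altered details."""
    secret = b"constructed-per-device-secret"  # constructed for the example only
    tx_id, amount, currency, payee = "tx-0001", "49.99", "EUR", "Shop A"
    code = issue_auth_code(secret, tx_id, amount, currency, payee)
    return {
        "untouched": verify_auth_code(secret, code, tx_id, amount, currency, payee),
        "equivalent_amount_encoding": verify_auth_code(secret, code, tx_id, "49.990", currency, payee),
        "amount_changed": verify_auth_code(secret, code, tx_id, "499.99", currency, payee),
        "payee_changed": verify_auth_code(secret, code, tx_id, amount, currency, "Other Payee Ltd"),
        "replayed_on_other_transaction": verify_auth_code(secret, code, "tx-0002", amount, currency, payee),
    }


if __name__ == "__main__":
    for scenario, ok in tamper_scenarios().items():
        print(f"{scenario:32s} {'accepted' if ok else 'rejected'}")
```

Including the transaction id in the message is what stops a legitimately issued code from being reused for a second payment to the same payee, which is the replay variant of the attack the section describes.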

Dynamic Linking Requirements

Article 5 of the Regulatory Technical Standards (RTS) specifies the requirements for Dynamic Linking. Four main requirements are vital when discussing Dynamic Linking, and those are the following:

Conclusion

Implementation of SCA enhanced with Dynamic Linking impacts many participants involved in the online payment chain. To conclude, the main goals of these heightened security measures affecting the payment chain are available in the summary:

Top Online Payments Security Trends

Learn about the latest approaches when it comes to assessing security risks, and find out more about the latest authentication trends in the online payments industry.


Decoupled Authentication Explained

Merchant Initiated Transactions (MIT), or the so-called 3RI (3D Secure Requestor Initiated) transactions, are not in the scope of PSD2. However, such transactions could also be a source of fraud if left unauthenticated. Before Decoupled Authentication, issuers could only accept these types of transactions without authentication or decline them. Decoupled Authentication enables buyers to authenticate transactions later, even though they were offline at the time the transaction was initiated. Let's see how it works!

3D Secure 2 & Decoupled Authentication

The latest upgrade of the 3D Secure 2 protocol includes multiple new features, one of them being Decoupled Authentication: an authentication method that separates cardholder authentication from the payment workflow and requires no interaction between the customer and the online merchant. Authentication responsibility shifts to the Issuing Bank, enabling cardholder authentication to be executed even though the cardholder is offline.


Decoupled Authentication Flow

Standard 3D Secure authentication, whether in the browser or in-app, is performed in real time, meaning that the authentication takes place during the payment process. The challenge screen is displayed to the cardholder while the checkout is taking place, giving them a predefined timeframe to complete the given challenge.

Alternatively, decoupled customer authentication is performed without interacting with the online merchant's webshop or app. This type of authentication verifies the transaction by using a different channel (e.g., push notification, email). The merchant sets a timeframe in which decoupled authentication takes place. The timespan varies from just a few days up to a week.

Decoupled Authentication is available in 3D Secure protocol version 2.2. It is a natural progression from Out-of-Band Authentication (OOB). With OOB, the Issuer sends a Push Notification to a banking application, which prompts the cardholder to complete the authentication. Decoupled Authentication allows the cardholder several days to complete the authentication process. It is ideal when the cardholder is not immediately available for authentication, but authentication is mandatory. Therefore, decoupled authentication is a type of Merchant-Initiated Transaction (MIT), and it is applicable to all device channels: browser, app, and 3RI.

Authentication flow

DA enables authorization at a time different from when the transaction took place, on a different device (smartphone, tablet).

The standard decoupled authentication method applies the following flow:

For the authentication process to run smoothly, it is vital that the cardholder is provided with all necessary data elements. Those elements include the merchant name, the (incremental) transaction amount, and the reason for the additional authentication, which keeps the user experience as seamless as possible.
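The timing rules in this section, a merchant-set window of a few days, a cardholder who answers later on another device, and a fixed set of data elements that must be shown to them, can be modelled as a small state machine. The following is an added example written for this article and is not part of the 3D Secure 2.2 specification or of any Trides2 product; the status names, the required-element keys and the upper bound of seven days on the merchant's timeframe are my own choices based on the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class DecoupledStatus(Enum):
    PENDING = "pending"
    COMPLETED = "completed"
    DECLINED = "declined"
    EXPIRED = "expired"


# Data elements the cardholder must be shown; key names are assumptions for this example.
REQUIRED_ELEMENTS = ("merchant_name", "amount", "currency", "reason")


@dataclass
class DecoupledAuthRequest:
    tx_id: str
    created_at: datetime
    max_time: timedelta          # merchant-set timeframe in which authentication may happen
    elements: Dict[str, str]     # what the issuer presents to the cardholder
    status: DecoupledStatus = DecoupledStatus.PENDING
    completed_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        missing = [k for k in REQUIRED_ELEMENTS if k not in self.elements]
        if missing:
            raise ValueError(f"missing data elements for the cardholder: {missing}")
        if not timedelta(0) < self.max_time <= timedelta(days=7):
            raise ValueError("decoupled timeframe must be more than 0 and at most 7 days")

    @property
    def expires_at(self) -> datetime:
        return self.created_at + self.max_time

    def status_at(self, now: datetime) -> DecoupledStatus:
        """What the merchant sees when polling: a pending request past its deadline is expired."""
        if self.status is DecoupledStatus.PENDING and now > self.expires_at:
            self.status = DecoupledStatus.EXPIRED
        return self.status

    def cardholder_responds(self, now: datetime, approved: bool) -> DecoupledStatus:
        """Issuer side: the cardholder answers the push notification or e-mail on another device.
        A late answer cannot revive a request that has already expired."""
        if self.status_at(now) is not DecoupledStatus.PENDING:
            return self.status
        self.status = DecoupledStatus.COMPLETED if approved else DecoupledStatus.DECLINED
        self.completed_at = now
        return self.status


def new_request(tx_id: str, created_at: datetime, max_days: int, **elements: str) -> DecoupledAuthRequest:
    return DecoupledAuthRequest(tx_id, created_at, timedelta(days=max_days), elements)


def run_scenarios() -> Dict[str, str]:
    """Constructed scenarios: a merchant allows 5 days; cardholders answer at different times."""
    t0 = datetime(2022, 3, 1, 10, 0, tzinfo=timezone.utc)  # constructed transaction time
    shown = dict(merchant_name="Shop A", amount="120.00", currency="EUR",
                 reason="recurring payment exceeds agreed amount")
    results: Dict[str, str] = {}

    req = new_request("tx-1", t0, 5, **shown)
    results["polled_next_day"] = req.status_at(t0 + timedelta(days=1)).value
    results["approved_after_2_days"] = req.cardholder_responds(t0 + timedelta(days=2), True).value

    req = new_request("tx-2", t0, 5, **shown)
    results["declined_after_1_day"] = req.cardholder_responds(t0 + timedelta(days=1), False).value

    req = new_request("tx-3", t0, 5, **shown)
    results["answered_after_8_days"] = req.cardholder_responds(t0 + timedelta(days=8), True).value

    try:
        new_request("tx-4", t0, 5, merchant_name="Shop A", amount="120.00")
        results["missing_elements"] = "accepted"
    except ValueError:
        results["missing_elements"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} {outcome}")
```

The deadline check lives in one place (status_at) and is consulted both by the merchant's polling and by the cardholder's answer, so the two sides cannot disagree about whether a late approval counts.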

Use Cases

If the Issuing Bank wants to authenticate its cardholder outside of the standard 3D Secure flow, it can use decoupled authentication.

Use cases are the following:


MWC Barcelona 2022 Highlights: 5G, IoT and security

MWC sure came back in style. After 2020 being canceled and 2021 bringing hybrid mode with a limited number of visitors; 2022 attracted over 60 000 attendees with high expectations. And MWC delivered quite an experience.

About MWC Barcelona

The Mobile World Congress, or simply MWC, is one of the biggest conferences dedicated to mobile technologies, traditionally held in Barcelona. From its first event in 2006, MWC Barcelona continued to deliver innovation in the mobile environment and wow the public with its selected exhibitors. The fact that it was an entirely live event, contrary to the previous two years, made the crowd that much more excited.

Major companies and industry leaders presented the latest flagship products in their fields. Also, the latest features and applications on the software side received the spotlight. With over 1500 exhibitors, one could have seen it all. From the latest mobile phone devices, electric vehicles, flying cars, to military-level encryption solutions, software optimizers of 5G signal, AI recommendation engines, low code platforms for digital banking, and much more. With all that technology in one place, there are several trends that have our undivided attention.

Machine Learning and Artificial Intelligence are still a hot topic

Even though Machine learning and Artificial intelligence have been around for quite a while; the duo is still an indispensable part of any major tech conference. From recommendation engines that utilize machine learning so that the system would know better next time, to face recognition and liveness detection, which are one of the key components of the modern digital onboarding process – both ML and AI have much to say and deliver in the technology world of today, as well as the future.

IoT and 5G bringing the WOW factor

Next on the list of our personal favorites is the Internet of Things. Similarly, as with 5G, MWC delivered genuine production-ready implementations of IoT, with smart homes being the stars of the show. Major companies showcased smart door lock solutions, lighting/heating solutions, home video surveillance; all controlled by a mobile application.

Security of everything, and anything

Saving the best for last, our forte – security. With the latest numbers on cybersecurity and a clear trend that the cybercrime is on the rise, security of everything and anything was a major topic; regardless of the industry and the technology on which specific use case scenarios are based. For communication platforms, encryption is almost a mandatory feature. The same, if not more, applies to drones or connected vehicles. If mobile applications are used to control any service or a device; then specific mechanisms need to be implemented to assure that the applications will be protected from mobile-specific threats.

Lastly, it is important to note; other trends may have their peak at some point in the future and could become obsolete at one point in time. However, security as a general topic will never have its peak – it will only have to improve day after day. Technology is here to stay, and so are the threats that uninvitedly come with it.

MWC Barcelona 2022 wrap up

We landed with high expectations, and MWC Barcelona went above and beyond them. For that, ASEE wants to congratulate MWC Barcelona on a successful event and the opportunity to meet innovation in every corner of the room, make valuable connections, and of course, enjoy the show.


For more security-related talk, feel free to contact us. Zero obligation. We'd love to hear you out!

Data Enrichment: How does it fight fraud and reduce friction?

Data enrichment enables turning raw data into valuable sources of information. Along with providing more context, data enrichment ultimately leads to a more accurate risk assessment. Simply put; if you have more data, your fraud prevention and detection decisions will have a higher confidence rate, leaving less room for errors.

What is Data Enrichment?

A "by the book" definition of data enrichment would be the following: "Data enrichment is the process of broadening and enhancing a set of collected data with appropriate context from additional sources relevant to the initial data set." Sounds pretty straightforward, but how exactly do you enrich the initial dataset?


There are countless ways to enhance existing data, and you can get fairly creative with your enrichment. However, when it comes to fraud prevention, common tools are the following:

Along with mentioned enrichment methods, there is more room for growth. The full potential of data enrichment lies in the mobile industry.

Mobile-first Economy Fueling Fresh Data

Nowadays, businesses are living the mobile-first economy trend. The most noticeable switch regarding mobile lies in banking and mCommerce, accessibility and convenience being the main motivator for end-users to switch to mobile. To back this up, techjury brings us some jaw-dropping mCommerce statistics.

This switch brings both threats and opportunities. Threats lie in a new payment channel allowing more ground for fraudsters to operate on. This opens doors for new types of fraud in the mobile payments ecosystem. On a more positive note, mobile enables a fresh perspective on user data and allows for quality data enrichment.

Common data extracted from mobile devices includes the device brand, the operating system, and the installed OS version. But why stop there? With mobile, you can go as far as behavioral factors, i.e., how the user interacts with the device itself. What kind of keyboard is the user using, custom or regular? Is the user connected to their usual Wi-Fi? Are there any unfamiliar Bluetooth devices connected to the smartphone? What about typing speed? The angle at which the user is holding the phone?

These are just a few examples of what information you are able to collect if you take a look at available data for mobile. This information provides so much more context and serves as one of the pillars for online payments fraud prevention and detection.

Benefits of Implementing Data Enrichment

Apart from the obvious benefit consisting of more accurate data that provides a more precise risk assessment, there are more that follow.

Getting to know your customers

By enriching user data, you are contributing to the security of the whole online payments ecosystem. Adding new properties and tuning the risk parameters accordingly significantly reduces fraud and provides a whole new set of insights for future fraud prevention and detection development.

Eliminate friction

A huge part of online payments is the user experience. The end-user wants their online transactions to run smoothly and securely. Added pop-up forms and redirects create unnecessary friction that can easily be avoided by running user checks in the background.

Reduce Cart Abandonment

Added friction in the form of clumsy browser redirects and confusing authentication flows often ends with the purchase being abandoned altogether. By implementing data enrichment, you enable frictionless checkout, thus reducing cart abandonment rates.

How can Trides2 Help with Data Enrichment?

Trides2 is an online payments security portfolio consisting of issuer, acquirer, and merchant solutions to fit their particular need. When discussing data enrichment and online payment security in mCommerce, 3DS Mobile SDK is the star of the show. By implementing 3DS SDK into merchant applications, you are enabling additional data collection resulting in data enrichment, more secure payments, and frictionless transactions for end users. For more information about 3DS SDK, go to our recent blog post: 3D Secure 2 Mobile SDK: In-app purchasing never looked so good.

eBook: Leveraging the full potential of payment data

ASEE provides actionable advice on how to confront the high cart abandonment rates for mobile, as well as provides the tools that have the capacity to address other mCommerce challenges.


Difference between WebView Payment Gateway and Native 3DS SDK

To help you distinguish the difference between WebView Payment Gateway and Native 3DS SDK, we sat down with our development team and provided some answers. See what our software developers Lea Rački and Kristian Stanić have to say about the fundamental difference and appropriate use cases for one and the other.

Warm-up

What are WebView Payment Gateway and Native 3DS SDK used for?

WebView Payment Gateway is a merchant service provided by an eCommerce application service provider that authorizes credit card or direct payments processing.


Native 3DS SDK is software for facilitating cardholder authentication that is embedded in a merchant mobile application. 3D Secure Mobile SDK is the mobile-device-side component of the 3D Secure system. Its role is to secure authentication during mobile-based purchases. When a cardholder initiates an In-App transaction, the 3DS SDK communicates with 3DS core components in order to authenticate the cardholder.

What are the fundamental/most noticeable/most relevant differences between WebView Payment Gateway and Native 3DS SDK from an end-user perspective?

End users would appreciate the user experience offered by Native 3DS SDK more, since it's more user-friendly. During the entire transaction flow, the user stays within the same mobile app without the need to be redirected to an external browser. This makes the payment flow more fluid.

What are the fundamental/most noticeable/most relevant differences between WebView Payment Gateway and Native 3DS SDK from a developer perspective?

The main difference lies in implementation. In the case of WebView Payment Gateway, the implementation process is much easier because the mobile developer does not need to take care of the data flow or manage the screens – it is already implemented within the WebView. The developer's only task is to display the Payment Gateway URL inside the WebView. On the other hand, Native 3DS SDK requires a more complex implementation. The reward? The application flows are far more customizable and adaptable for mobile phone displays – so it's worth it.

| Web 3DS SDK | Native 3DS SDK |
|---|---|
| WebView approach | Native approach |
| Easier to integrate into merchant app | More customizable UI |
| Quicker to integrate into merchant app | More customizable UX |
| Receiving, encrypting, and transmitting transaction data is done in the web | Receiving, encrypting, and transmitting transaction data inside the app |
| | DS certificates and public keys configuration |
| | DS Logo images |
| | Support both native UI screen and WebView UI screen |

Integration

What are the steps necessary to integrate WebView Payment Gateway?

  1. Specify the Payment Gateway URL address to display inside the WebView
  2. Handle responses
  3. Read the documentation

What are the steps necessary to integrate Native 3DS SDK?

  1. Prerequisites
  2. Read the documentation
  3. Study use cases
  4. Provide data necessary for initialization  and SDK workflows
  5. Handle responses from SDK

User Experience

What is the end result of both cases in terms of UX?

WebView is easier to integrate, but it's less customizable, and screens are not adapted for mobile phones.

Which one is more user-friendly and why?

Native 3DS SDK is the winner in this case. This is because all of the buttons, labels, loading indicators, and other UI components are customized and adapted to the screen size appropriately. The user stays within the same mobile application during the entire transaction flow, and there is no redirection to external browsers, making the transaction processing smooth and fluid.

Which of the two allows for a more tailored approach, and how?

As mentioned, the user experience is more tailored in the case of Native 3DS SDK due to the enabled customization and its responsive nature. Also, 3DS mobile SDK returns a more detailed transaction status (completed, canceled, timedout, protocolError, runtimeError) and is able to return a list of detected security warnings, so that the merchant can implement customized reactions to given detections and transaction statuses.

Data acquisition

Which data is additionally collected in the case of Native 3DS SDK integration?

3DS SDK collects data from mobile devices as specified in the official EMVCo documentation. In terms of common data elements, some of them are platform, device model, timezone, IP address, longitude, and latitude. Data collection also takes the OS into consideration, so there are Android-specific (device ID, IMEI, country code, network operator name, phone type...) and iOS-specific (user ID, system font, language, timezone...) data elements. All data is collected in order for the ACS to analyze whether the initiated transaction is risky. In case the ACS flags the transaction as not secure, the 3DS Mobile SDK will demand an additional authentication step.

Business cases

In which case is it acceptable to go with WebView Payment Gateway?

A typical use case involving WebView Payment Gateway would be the one where UI and UX do not play an important role.

Could you provide a use case scenario for Native 3DS SDK?

Well, the opposite – when UX and UI play a significant role. A better user experience enables you to reduce transaction abandonment rates and increase transaction volume. It also applies when a merchant wants to provide their customers with a more customizable UI, such as landscape and dark mode, as well as security checks (securing external communication on its own, DS certificates, and public keys configuration). 3DS Mobile SDK can return a list of detected security warnings, enabling the merchant to implement customized reactions for given detections.

What are the benefits of implementing Native 3DS SDK?

Wrap up

Both approaches offer secure transaction processing, while Native 3DS SDK enables the checkout process to be fluid through user experience improvements. By implementing our Native 3DS SDK, you are provided with an EMVCo certified solution and up to date with the latest regulations. Moreover, you are opening doors for a more tailored approach to in-app purchasing and transaction processing to your customers, which comes with increased transaction volume and lower cart abandonment rates compared to the WebView Payment Gateway approach.

eCommerce Apps Guide: Striking a Balance Between Security and User Experience

As a dedicated guide for eCommerce app owners and merchants this eBook covers m-commerce security best practices and provides turnkey solution for in-app payments security. 


SDK vs. API: Settling the difference for anyone to understand

SDK and API tend to be confusing terms for non-developers when trying to understand their purpose and concept. Some believe that they need to choose between the two when developing an app, which is wrong. Within this article, you'll get an overview of SDKs and APIs and be able to distinguish when to use one or the other.

A common misconception around SDKs and APIs is that you need to decide which one you're going to use for successful app development. Although they heavily overlap, there is a significant difference between the two, and this is our attempt at explaining it.

What is an SDK?

SDK, short for Software Development Kit, is a collection of tools that enables developers to create custom apps that can be added on top of another program. It's important to note that SDKs are platform and operating system specific (iOS SDK, Android SDK...).

By implementing SDKs, you are enhancing an existing app by adding more functionalities. An SDK usually includes documentation, processes, libraries, code samples, and guides that help developers during integration with their own apps. Think of it as a literal toolkit; you are provided with all the components to build a table yourself. Of course, tools and components will vary depending on the manufacturer, but generally, you are equipped with all of the necessary building blocks to assemble your project.


What makes SDKs so great is the time efficiency. There is no need to build functionalities from scratch. Everything is pre-built. You just need to make the new functionalities compatible with the existing system.

In case you're wondering what comes within a good SDK, these are the things to look for:

What is an API?

API, short for Application Programming Interface, enables the connection between multiple programs. It is an intermediary allowing applications to talk to each other. API, in general, is an interface and can be used for multiple purposes and discussed on different levels of abstraction. For the purpose of this article, we will refer to API as a set of functionalities offered by a particular backend service (REST endpoints and message formats).

To better understand the concept and use case for APIs, let's take a common example – weather forecast. Picture this; you own a traveling company, and you have a booking website. You want your customers to see the weather forecast for their destination and selected time period. What you need is a weather forecast display to showcase such information. The problem? You own a traveling company, not a meteorological service. In order to fetch weather data, you'll need to make some calls to a weather service and display information to your website's end-users.


Each weather forecast functionality (temperature, humidity, UV index, and more) can become a part of your website by integrating a specific API in your weather display. This API will then communicate with a server containing the necessary weather data. It will retrieve the data, and with the help of JavaScript, the information will be available on your web page.

To conclude, APIs provide efficiency and faster time to market when developing apps by eliminating the need for creating functionalities from scratch.

Difference between an SDK and API

Since SDKs and APIs overlap in theory, it can be confusing to tell the difference between the two. If you are struggling to make a decision whether to use an SDK or an API, ask yourself the following:

How much functionality do I really need to add on top of an existing app?

As mentioned, the main motivation is time efficiency, but also the trade-off between the complexity of integrating and the impact of the integration on the app itself. Now let's assume that a certain business offers both SDK and API. Which one will you choose?

If you need a small set of functionalities necessary to enrich your app, you can go ahead and choose a set of appropriate APIs to integrate with your app. The complexity of integration is significantly reduced. But remember, each functionality is produced manually by integrating an individual API, making the time efficiency questionable.

On the other hand, if you need to cover a more complex set of APIs for the same service, choose an SDK. SDKs notably simplify the integration process because a single SDK can contain multiple APIs. Conclusion; SDKs reduce the complexity of integration and ultimately bring more business value.


3D Secure Mobile SDK

3DS Mobile SDK offers a more secure and frictionless in-app purchasing experience. It enables fast checkout without browser redirection accompanied by data enrichment allowing for more precise Risk-Based assessment of transactions. By integrating 3DS Mobile SDK, you are providing your customers with a smooth online shopping user experience on mobile while heightening online payment security measures at the same time. To find out more, go to our recent blog post: 3D Secure 2 Mobile SDK: In-app purchasing never looked so good.


If you want to find out more, contact our ASEE 3D Secure Team or download the datasheet.

Payment Gateway Service Providers – Seamless Solution for 3D Secure 2 Transition

A recent announcement from MasterCard regarding the transition of customers to EMV 3DS 2.0 prior to decommissioning 3DS 1.0 calls for a proactive approach from all parties involved; including Payment Gateway Service Providers as well. This transition is causing a stir in the industry. ASEE is here to untangle some questions and make the transition process as seamless as possible.

Back in 2001, VISA introduced 3D Secure to provide issuers and merchants with a way to authenticate cardholders for online payments. The current version of this standard is 3D Secure 2.0 (3DS 2.0).

EMVCo's initial introduction of 3D Secure 2.0 announced that 3D Secure 1.0 is in the phase-out stage and will no longer be supported after 31.12.2020.


This timeline crosses its path with the new PSD2 directive taking place and demanding further upgrades of 3D Secure. The result is 3D Secure 2.0 being fully compliant with PSD2 regulation on eCommerce and mobile payment channels.

A more detailed timeline leading to the current transition is available in our previous blog post. We cover the issuer side of the transition process.

Payment Gateway Service Providers Transition Roadmap

The prolongation of the transition period is causing headaches for payment gateways. Why? Because the Payment Gateway (PGW) initiates 3D Secure transactions, but the initial 3DS access points differ for 3DS1 and 3DS2 authentication. That means the Payment Gateway has to integrate with two APIs and also manage the transaction logic. For example, since the PGW does not initially know whether the card is enrolled in 3DS1 or 3DS2, authentication must first be initiated in 3DS2; if 3DS2 authentication cannot proceed, the PGW must initiate a 3DS1 transaction.

With the Asseco 3DS Server Single Access Point Facade, the Payment Gateway needs to integrate with only one API, using one message protocol, and initiates the 3DS authentication transaction only once. If the card is not enrolled in 3DS2, the facade initiates a 3DS1 transaction towards the dedicated MPI (Merchant Plug-in) and provides the final Authentication Response to the Payment Gateway. The Asseco 3DS Server Single Access Point Facade can be integrated not only with Asseco SEE MPI and Asseco SEE 3DSS, but also with third-party MPI and 3DSS.
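The routing rule described in the last two paragraphs (try 3DS2 first, fall back to 3DS1 through the MPI, hand one Authentication Response back to the gateway) is what a single access point has to encapsulate. The block below is an added illustration written for this article, not the Asseco facade or any Trides2 code: the two backends are simulated against a constructed card-range table, and a switch lets you see what the gateway receives once 3DS1 has been decommissioned. PAN values, version strings and the status letters are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed card-range directory standing in for the DS card-range data (3DS2) and the
# MPI enrollment check (3DS1). Keys are the first six digits of the PAN. Sample data only.
CARD_RANGE_DIRECTORY: Dict[str, Set[str]] = {
    "411111": {"2.1.0", "2.2.0"},  # enrolled in 3DS2
    "422222": {"1.0.2"},           # enrolled in 3DS1 only
    "433333": set(),               # not enrolled in either
}


@dataclass(frozen=True)
class AuthenticationResponse:
    """The single answer the facade returns to the Payment Gateway."""
    protocol: str      # "3DS2", "3DS1" or "none"
    trans_status: str  # "Y" = authenticated, "U" = authentication could not be performed
    masked_pan: str    # never return or log the full PAN


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def threeds2_server_authenticate(pan: str) -> Optional[str]:
    """Simulated 3DS Server: 'Y' when the card range supports a 2.x version, None otherwise."""
    versions = CARD_RANGE_DIRECTORY.get(pan[:6], set())
    return "Y" if any(v.startswith("2.") for v in versions) else None


def mpi_authenticate(pan: str) -> Optional[str]:
    """Simulated MPI: 'Y' when the card is enrolled in 3DS1, None otherwise."""
    versions = CARD_RANGE_DIRECTORY.get(pan[:6], set())
    return "Y" if any(v.startswith("1.") for v in versions) else None


def single_access_point(pan: str, threeds1_enabled: bool = True) -> AuthenticationResponse:
    """One call for the gateway: 3DS2 first, then 3DS1 via the MPI while it is still allowed,
    otherwise a single 'U' response instead of an error the gateway has to interpret."""
    masked = mask_pan(pan)
    status = threeds2_server_authenticate(pan)
    if status is not None:
        return AuthenticationResponse("3DS2", status, masked)
    if threeds1_enabled:
        status = mpi_authenticate(pan)
        if status is not None:
            return AuthenticationResponse("3DS1", status, masked)
    return AuthenticationResponse("none", "U", masked)


if __name__ == "__main__":
    for pan in ("4111111111111111", "4222222222222222", "4333333333333333"):
        print(single_access_point(pan))
    print(single_access_point("4222222222222222", threeds1_enabled=False))
```

Keeping the fallback behind a flag means the gateway integration does not change on the decommissioning date: the facade simply stops trying the MPI and returns "U" for cards that were only ever enrolled in 3DS1.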


How (and why) has mobile app security become imperative?

To follow digitalization trends, you need to protect both end-users and application owners from the unauthorized use of applications. It becomes imperative to make mobile application security one of the key pillars of application development.

When thinking about mobile devices, most people do not perceive them as a real threat factor. In fact, your mobile is constantly at significant risk of being targeted by hackers. The pandemic had an enormous impact on digitalization, and consequently the number of mobile applications also grew. With this growing trend, opportunities for hackers and fraudsters have never been greater. Our product manager Mario Marić will hold a presentation about mobile application security at Technobank on September 23rd. In this article, he shares his view on this topic.

1. As digitalization grows, there is an exponential increment in the utilization of mobile applications. What do you consider to be most important when developing a mobile app? 

Historically speaking, the first 500 mobile applications became available on the Apple App Store in 2008. This was not so long ago. In 2021, the Google Play Store and Apple App Store combined offer over 5.5 million applications. The numbers became fairly significant in a relatively short period. With digitalization, along with some other unexpected events such as the global pandemic, usage of mobile applications continues to grow. For example, research has shown that in 2014 the average consumer spent 2.5 hours on their mobile phone daily. In 2021, however, a consumer spends almost 4 hours on their mobile. Most of that time is spent using applications. This trend, however, is also seen by cybercriminals who want to take advantage of these rising numbers; so in parallel with the growth in usage of mobile phones and applications, growth in malicious attacks is also detected.


When talking about mobile applications, people mostly think about user experience, ease of usage, and functionalities. Appearance is also essential for many people. The mobile application's design needs to be in line with the latest trends and requirements by the market. But one thing most people take for granted is the security of their applications. Today, people can make online purchases with their mobile applications. They can trade with their cryptocurrencies and use company applications to access company VPN when working from home or apply for their birth certificate, which contains all the personal data of an individual. Therefore, these applications need to be secure, as well as information stored in them. So, for this world we live in today, I would say that security is, at least, one of the top 3 most important topics when developing a mobile application.

2. Do you think that mobile app attacks can result in slowing down application growth? 

I don't think that mobile application attacks can result in slowing down applications' growth. The trend we are in has gone too far to be changed by an increased number of mobile application attacks. Increased usage of mobile applications and mobile application development with its features brought a lot of benefits for everyone using them, and that's for sure a good thing. A much bigger potential issue is the fact that these attacks will not stop, quite the opposite.

So the solution needs to be in implementing security mechanisms that will prevent these attacks from causing real damage to application owners or application users. Anyone building a mobile application needs to be aware of the threat and act accordingly, given the world we live in. Some solutions can make mobile applications far more secure once they are implemented. ASEE's solution for this challenge is a product under the name App Protector. It's an SDK (programming code) that is easily integrated into any mobile application and protects the application from the inside.

3. What are steps that one mobile app owner should implement in order to protect it against any malicious intent? 

When talking about the application owner's steps, the key thing is to understand that the threat is real and implement a mechanism that protects the application. The easiest mechanism to implement is an SDK that becomes part of the application and then protects the application at runtime without any additional human intervention. So once the SDK is implemented and the app is built and published, anyone who downloads the application will be protected by this mechanism. App Protector is easy to implement, and it does not affect the application in any way; it protects it from a specific set of attacks. To be more precise, App Protector can detect if the application is running on a jailbroken device or if a device is under a hooking attack (a compromised device in general), and can prevent these attacks with a specific response type for each attack.

4. What can Technobank’s attendees expect from your presentation? 

In my upcoming presentation, I will try to give some historical and statistical information on mobile development as an introduction, since I think it is always important to first present the context of the subject. After the opening, I will go more in-depth into the main trends and challenges the mobile application niche faces, with an obvious emphasis on security as an essential component of mobile application development. App Protector will have a deserved slide or two, as it is a product that I believe can significantly lower the risk of using any mobile application on a compromised device. The plan is to finalize the presentation with some future considerations to better understand what consequences we might see if mobile application security is not a priority.


Stay on the right track while building a secure mobile application with our ultimate mobile application security checklist. Follow our best practices and ensure your mobile apps and their users are well protected.


To find out more about our App Protector solution, contact us or visit our blog section.  

Transitioning to 3D Secure 2 – Risks & Challenges

One of the significant turning points in the banking industry is switching from 3D Secure 1 to 3D Secure 2. To demystify potential risks and challenges regarding this transition, we at ASEE prepared a short read listing and explaining possible concerns regarding transitioning to 3D Secure 2.

What is the best way to approach change when you are a decision-maker in a financial institution considering the implementation of new technologies such as 3D Secure 2?

eBook: Leveraging the full potential of payment data

We summarized the main dilemmas discovered during our research regarding transitioning to 3D Secure 2 and pinpointed three key concerns:

1. An additional step in the online payment process

The revenue streams from eCommerce fees make up 15% of banks' income today. This is significant because the online payment process is a key component of the consumer's eCommerce journey. Both merchants and acquiring banks strive to reduce the online shopping cart abandonment rate to maximize their respective revenue streams. 3D Secure 2 is an additional measure in the transaction for safeguarding both merchants and banks. Although some stakeholders worry about 3D Secure 2 increasing payment drop-out rates, banks and merchants constantly work on improving the consumer's overall customer experience. Still, they must also continue to ensure that online payment security isn't in question.

2. Requirement to change the broadly adopted authentication methods

A vast number of banks rely on SMS OTP authentication methods inherited from 3D Secure 1. This method has various advantages: it does not require special enrolment or a mobile application, it is simple to use, and it works on non-smartphones. However, according to the EBA's opinion, this method is not a Strong Customer Authentication method.

The first reason for this is that it doesn't combine two out of the three SCA authentication factors (something you are – biometrics; something you have – e.g., an HW/SW token; something you know – e.g., a password/OTP). Anyone who possesses the buyer's phone gets access to the OTP and is able to make an online purchase. Another reason is that the OTP is generated on the server side and relies on a private key. The transaction data is not included – there is no Dynamic Linking as required by the PSD2 directive. That means that ''man in the middle'' attacks are a possibility. If an attacker changes the payee account and the payment amount, there is no way to identify the fraud during transaction authentication, because the OTP stays valid for the altered transaction.

3. Bad experiences with 3D Secure 1 card enrolment

When 3D Secure 1 was introduced, the initial adoption did not cause the expected rise in eCommerce and online payments but instead caused an increase in the transaction abandonment rate. Anywhere from 30% to 50% of transactions (depending on the country) were forfeited due to reliance on 3D Secure 1. Later analysis showed that card enrolment, which was a prerequisite for using 3D Secure-enabled cards, caused too much friction for buyers. Also, the pop-up windows that are part of the 3D Secure authentication process are associated with ''man in the middle'' attacks by buyers and trigger them to terminate their online purchase process. Hence, the surge in the cart abandonment rate. The new 3D Secure 2 protocol takes all these shortcomings of the previous version into account and emphasizes a smooth User Experience (UX) alongside a fast and frictionless flow.


ASEE provides actionable advice on how to confront the high cart abandonment rates for mobile, as well as provides the tools that have the capacity to address other mCommerce challenges.


To find out more about Trides2 portfolio, contact us or visit our blog section.  

What is ATO fraud and how to combat it?

ATO (Account Takeover) fraud is a rising threat in today's online business environment. ATO fraud has been around for decades. Despite losses that are already measured in billions of dollars, ATO fraud is yet to reach its peak. The concerning numbers pointed out in this article show how important it is to understand what ATO fraud is and what you can do to prevent it.

ATO fraud 101

ATO fraud happens when a fraudster gets hold of the victim's login credentials and uses the account for their own gain. That includes activities such as making online purchases using the stolen account and saved card data, using loyalty credits, selling the account or the extracted data on the dark web, etc.

A typical ATO attack works as follows:

  1. The fraudster uses stolen credentials and logs into the victim's account.
  2. The attacker changes the account details, email, and phone number, for instance.
  3. The fraudster uses the account for making unauthorized transactions or sells the account data to someone else.

What makes ATO fraud more dangerous than card-not-present fraud is the fact that with a single combination of credentials (e.g., username and password), the fraudster is able to access multiple accounts. The truth is, we are terrible with passwords. We constantly reuse them and put little effort into our online security. Take a look at some interesting stats pointed out in a recent article by DataProt:

The list goes on. This gives us a clear picture of how irresponsibly we behave when it comes to our online presence security. The username and the password have little to no value. But the information behind those credentials is what piques the fraudster's interest.

Obtaining the credentials

There are a few different methods fraudsters use in order to get hold of a user's credentials. More sophisticated methods such as phishing and malware are used to obtain more valuable credentials, enabling the fraudster to take over a victim's bank account, for instance. Less sophisticated methods, such as credential stuffing and brute-force attacks, typically target eCommerce accounts.

1. Phishing attacks

A phishing scam consists of sending a link via email, text message, or even social media that leads to malware or a fake page that collects the victim's credentials. This method usually mimics well-established website interfaces that users trust. And while the interface seems familiar and legitimate, there is a fraudster in the background harvesting your credentials and accessing your account in order to use it to their own advantage.

2. Credential stuffing

Another known method for conducting ATO attacks is purchasing stolen credentials on the dark web in bulk. This information is usually published after a data breach and damages both users and businesses. The most valuable information published after a data breach consists of emails and their corresponding passwords.

For how many accounts do you use your email address and the same password? Think about it. By using automated scripts and bots, the fraudster is able to quickly scan through a multitude of account-based websites. They collect further information such as saved credit card numbers, social security numbers, etc. To see whether your email or phone number is a part of a data breach, check out haveibeenpwned.com.

3. Malware

Malware, or ''malicious software'', is software specifically designed to cause harm and damage or to gain unauthorized access. By downloading content from sketchy sites, you are at risk of unknowingly installing malware on your device. Such malware is able to track everything the user types. Now the fraudster just needs to be patient and wait for you to enter your credentials.

4. Man-in-the-middle attacks

A man-in-the-middle attack is based on intercepting a message and altering it to the fraudster's advantage. By using malware, the fraudster is able to intercept, edit, and resend an altered message sent between the victim's device and the bank's server.

ATO fraud: The consequences

The consequences of an ATO fraud affect both businesses and customers. The fact that the fraudster used legitimate credentials in order to log in to an account makes it that much harder to detect whether it is an unauthorized person behind the username. The fraudsters are getting better and better at mimicking the ''usual'' user behaviour by carefully choosing the amount to be spent, time of login, time of order, and other details visible in the account history.

By the time the rightful owner of the account notices any strange activity, they are probably already locked out of their account because the fraudster rushed to change the vital account recovery details as soon as they gained control of the account. Even if victims manage to retrieve their accounts, their personal information is most probably already compromised.

When talking about businesses whose customers are victims of an account takeover attack, we need to mention great financial and reputational losses. The financial loss is due to incoming chargeback costs accompanied by inventory costs. The data breach itself ruins the company's reputation with clients, while higher chargeback rates cause problems with issuers and card schemes. Customers lose trust in such businesses and tend to turn to the competition, which means that customer loyalty is also at stake. The overall reputation of the business suffers, and the options for damage control are scarce when trying to overturn such an unfortunate course of events.


Concerning Numbers around ATO fraud

A report from Sift on Digital Trust & Safety Index reveals how ATO fraud progressed and caused losses amounting up to $16.9 billion in 2019. The pandemic-ridden year boosted eCommerce, and users turned to shop online. The increased online presence meant prolific ground for fraudsters to operate on. The report states that ATO attacks surged by 282% between Q2 2019 and Q2 2020.

The impact on businesses is detrimental. Customers who are victims of an ATO attack describe their behaviour and next steps. 40% of users continued using the site but decided to change their credentials. 20% of users continued using the service and contacted the support team in order to solve the issue. Nearly one-third of surveyed customers stated that they abandoned the site where an attack took place and turned to a direct competitor. But losing 28% of your customers is not the only issue. If you consider the average customer's lifetime value and customer acquisition costs, the cost of an ATO attack grows even higher.

The research also reveals that fraudsters are getting better and more efficient with their time. The period between Q2 2019 and Q2 2020 recorded well-planned waves of ATO fraud. This means that fraudsters are now using automation and bots. This way they take over as many accounts as possible while burying security teams under alerts and stressed-out customers.

Preventing ATO Fraud: Issuers and Merchants

Static passwords have proved insufficient for online payment security. In order to heighten security measures, implementing MFA (multi-factor authentication) enables your customers to protect their accounts using authentication methods such as biometrics (fingerprint, face scan). Even if the fraudster gets hold of the cardholder's PIN or password, multi-factor authentication involving biometrics makes it hard, if not impossible, for the perpetrator to fake a fingerprint scan in order to process a fraudulent payment. Strong Customer Authentication (SCA) enabled through 3D Secure 2 solves this issue and provides both security and convenience to the end-user.

The next line of defense is continuous monitoring of account activity supported by machine learning. ATO fraud requires detection in the earliest stages of the fraud lifecycle. To detect any anomalies in user behaviour, monitoring is a necessity that needs to be present from the moment a user starts their banking session. By tracking customer behaviour and how they interact with the device, monitoring allows a profile of ''normal'' customer behaviour to be established. If monitoring identifies that customer behaviour shows anomalies and deviations from this ''normal'' behaviour, this might indicate an ATO attack.

Another means of prevention is Dynamic Linking, required by the latest PSD2 directive. Dynamic Linking is successful at preventing social engineering attacks because it links each transaction to its amount and its recipient. The authentication code for a particular transaction is generated from the transaction amount, account number, and other predefined details of the transaction. This means that if any transaction data is altered during interception (e.g., a man-in-the-middle attack), the authentication code will no longer match, and the authorization will be unsuccessful.
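The contrast between an unlinked SMS-style OTP and a dynamically linked authentication code, as an added example in Python (not ASEE's TriDES2 or SxS code): both codes are derived with HMAC-SHA256 from a constructed shared secret and a per-transaction challenge, but only the linked code also covers the amount and payee, so an altered payee or amount fails verification while the unlinked code still validates. The secret, challenge and account strings are constructed demo values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo values: a secret shared between the issuer's authentication
# server and the cardholder's token, and a per-transaction challenge the
# server would issue. Neither is a real key or a real challenge.
TOKEN_SECRET = b"constructed-demo-shared-secret-do-not-reuse"
CHALLENGE = "5f1c9a2e7b3d4c60"


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    currency: str
    payee_account: str
    challenge: str


def canonical_bytes(tx: Transaction) -> bytes:
    """Deterministic encoding so token and server MAC exactly the same bytes."""
    fields = {
        "amount_cents": tx.amount_cents,
        "currency": tx.currency,
        "payee_account": tx.payee_account,
        "challenge": tx.challenge,
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def truncate_to_digits(mac: bytes, digits: int = 8) -> str:
    """HOTP-style dynamic truncation of a MAC into a fixed-length decimal code."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def dynamic_linked_code(secret: bytes, tx: Transaction) -> str:
    """Code bound to amount and payee (the PSD2 dynamic-linking property)."""
    mac = hmac.new(secret, canonical_bytes(tx), hashlib.sha256).digest()
    return truncate_to_digits(mac)


def unlinked_code(secret: bytes, challenge: str) -> str:
    """Challenge-only code, like a server-generated SMS OTP: no transaction data."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return truncate_to_digits(mac)


def server_verifies_linked(secret: bytes, tx_seen_by_server: Transaction,
                           presented_code: str) -> bool:
    expected = dynamic_linked_code(secret, tx_seen_by_server)
    return hmac.compare_digest(expected, presented_code)


def server_verifies_unlinked(secret: bytes, challenge: str,
                             presented_code: str) -> bool:
    expected = unlinked_code(secret, challenge)
    return hmac.compare_digest(expected, presented_code)


def simulate(original: Transaction, tampered: Transaction) -> dict:
    """The user approves `original`; the server receives `tampered` (altered in
    transit). Reports whether each scheme lets the altered transaction through."""
    linked = dynamic_linked_code(TOKEN_SECRET, original)
    unlinked = unlinked_code(TOKEN_SECRET, original.challenge)
    return {
        "linked_accepts_original": server_verifies_linked(TOKEN_SECRET, original, linked),
        "linked_accepts_tampered": server_verifies_linked(TOKEN_SECRET, tampered, linked),
        "unlinked_accepts_tampered": server_verifies_unlinked(
            TOKEN_SECRET, tampered.challenge, unlinked),
    }


if __name__ == "__main__":
    approved = Transaction(4999, "EUR", "DEMO-PAYEE-1", CHALLENGE)
    altered = Transaction(250000, "EUR", "DEMO-PAYEE-2", CHALLENGE)
    print(simulate(approved, altered))
```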

Final Thoughts

Fraud prevention in real time is essential. Determining whether a request to change an email address or phone number is a possible ATO attack is a challenge. The above-mentioned techniques, accompanied by real-time fraud detection, allow for a better risk assessment. This provides a higher level of security, protecting your business and your customers.


To get more insight into how to protect your business and customers, contact our team to get a free, zero-obligation consultation or try our DEMO to see 3D Secure in action.

ASEE achieved EMV® 3D Secure certificate for Android and iOS mobile 3DS SDK

ASEE successfully completed the EMVCo testing and received the EMVCo Letter of Approval for the TriDES2 3D Secure mobile SDK for Android and iOS. The TriDES2 Secure mobile SDK facilitates cardholder authentication embedded in a merchant’s mobile application. This removes 3DS complexity from the mobile application checkout and payment flow.

By certifying the 3DS mobile SDK, ASEE completed the full 3D Secure product portfolio supporting all segments of payment and 3D Secure stakeholders: issuers, acquirers, payment gateway providers, and merchants.

eCommerce Apps Guide: Striking a Balance Between Security and User Experience

Using the 3DS Mobile SDK in mobile purchase applications improves the checkout user experience in the 3D Secure authentication process. Instead of opening a web browser to proceed with the authentication, all steps take place within the mobile purchase application. This ensures the same User Interface, along with a smooth flow. Additionally, by utilizing the 3DS Mobile SDK, more device data is available to the issuing bank. By using such data, the issuing bank is able to provide more reliable risk scoring. This is used for identifying potential fraud and granting more frictionless transactions, which additionally improves User Experience.

A more detailed overview of 3DS Mobile SDK capabilities is available in our recent blog post - 3D Secure 2 Mobile SDK: In-app purchasing never looked so good.


As a dedicated guide for eCommerce app owners and merchants, this eBook covers m-commerce security best practices and provides a turnkey solution for in-app payment security.


To find out more about Trides2 portfolio, contact us or visit our blog section.  

ASEE SxS New Release

ASEE continuously delivers new versions of our Security Access Server, known as SxS. Now we are introducing you to the latest technological and functional features in the field of authentication. See what's in the new SxS release.

The new SxS release (v6.35) came out at the end of October 2020.

The most eye-catching features of this release are:

Full support for Huawei Mobile Services (HMS) push users

As Google services are no longer supported on new Huawei devices, all applications must work within HMS. With this feature, SxS and mToken support our end-users so that they are able to receive push notifications on their latest Huawei devices. Notifications are now routed through either Firebase or Huawei Mobile Services.

Detection of authentication method (PIN or biometry)

This feature detects which authentication method the mobile end-user used for automatic transaction confirmation (how the end-user confirmed the transaction): PIN or biometry. This is an EMV requirement for the 3D Secure ACS use case. Using this feature, it is now possible to propagate the way the end-user authenticated in the mobile application to the client's backend services and use this information where appropriate in other applications, such as Risk-based authentication.


Support for multiple SxS instance connections to Entrust DataCard nCipher HSM device with CodeSafe application

With this feature it is possible to share a single HSM device among multiple SxS instances. This benefits cloud operators or in-house clients who use a complex architecture where multiple SxS nodes are connected to HSM devices, either in single or cluster mode.

Technology update: Java Enterprise Edition 8

This version supports Java EE 8, and newer application servers are supported as well. The list of supported application servers includes JBoss 7.2 and WildFly 19.

To find out more contact our ASEE experts. Zero obligation - we're happy to hear you out!

Accessing sensitive data with a VPN connection?

Nowadays, working from home has suddenly become the new normal, which also requires a new level of security.

In business as usual, a VPN is a convenient feature that enables employees to occasionally work away from the office, but these days it’s the key connection to the company’s data, making it as important as, for instance, securing your financial transactions.

And attacks by hackers don’t stop even in times of a pandemic crisis. There are sophisticated ways to steal identities and data, which can cost companies dearly.

So, what can be done to protect our personal and business data?

Upgrade your existing VPN security with reliable and secure multi-factor authentication for connecting to your VPN – i.e., ASEE SxS authentication

SxS, an authentication server, uses advanced cryptographic algorithms and the highest industry standards to provide security without adding friction and, consequently, without sacrificing user experience. To ensure full protection for your users during authentication or when carrying out online transactions, SxS makes sure they are validated using highly available authentication servers.

Strong authentication is, among other methods, ensured with the use of dynamic passwords, meaning that multi-factor authentication is used. Dynamic passwords validated by SxS can be generated from a variety of sources, from a hardware token or a QR code reader device to a mobile token.

The ASEE authentication server, SxS, can be deployed on the client’s premises or hosted in the cloud. No matter which option you choose, the solution ensures that the right people are accessing your sensitive data.

Stay safe and secure by using SxS as a service anytime, anywhere, and contact us to learn more about our offer.

Why is using IAM always a good option?

IDENTITY AND ACCESS MANAGEMENT BY ASEE

The growing number of applications in modern companies creates challenges for administrating single users in various databases. IT managers are struggling with maintaining the consistency of user identity between different applications. And as businesses evolve, the number of applications will continue to grow. Therefore, companies will feel increased pressure to find a solution that allows them to control and manage access to network resources effectively and effortlessly.

If identity access management processes are not controlled and monitored appropriately, this could result in regulatory non-compliance for the company. That could lead to a situation in which, during the audit process, responsible persons may not be able to prove that company data is not at risk of being misused.

In large organizations, applications are developed and implemented without a common user repository. Each application is usually deployed with its own provisioning and identity-management interfaces, and with its own security systems. Identity information and security policies are distributed across many applications, and repositories are controlled by many internal and external groups. The evolution of client/server applications and the internet has dramatically increased the number of identities that users must remember.

Having all this in mind, it is necessary to consolidate various data, user information, access rights, privacy policies, and user authentication in one system with smooth and seamless administration.

The solution is – IAM by ASEE

Identity and access management is a concept (a framework) that allows for the management of digital identities and access control. Using this technology, IT managers can manage and control user access on different systems and applications in a simple way, based on user roles and their respective rights. Roles can be defined based on responsibility, job title, ownership, and other information related to the organization. This way, it becomes easy to control access to sensitive data.

How does this work?

Identity management manages the identity lifecycle through a combination of processes, organizational structure and technologies. Access Management focuses primarily on authentication – determining who is requesting access – and authorization – determining whether the respective user is authorized to have access. User authentication is covered by a multi-factor authentication solution. The user has to identify himself with the following parameters:

Multi-factor authentication as described above adds an additional layer of security to prevent various cyber-attacks such as MitM or phishing (https://sxs.asseco.com/).

In order to complete a request using IAM, the user must be authorized for it. The permissions for each cluster of users are written in policies. Depending on the predefined permissions, IAM will “decide” whether the respective user’s request will be allowed or denied.

Key components of the ASEE Solution

USER MANAGEMENT containing functions of user account provisioning/de-provisioning

USER REPOSITORY in which all user account identity information is stored

AUTHENTICATION bringing together all of the functions of authentication and session management

AUTHORIZATION for archive/repository of authorization attributes, rules or roles

Business benefits

1. Saves time and money

IAM will improve the efficiency of IT resources because it offers a single place to manage user identity and access rights, which saves valuable time for IT managers that is currently spent on user management.

2. Higher security

The user can be authenticated and authorized from a single point. IAM controls a person's access to multiple applications in one place. Since security for all applications is administered through a single point, IAM eliminates the concern of having different security standards implemented in different applications, which would lower the overall security level of the system.

3. Universal monitoring and auditing

Authentication monitoring and auditing is now done through only one system. Single-point management decreases the possibility of errors compared with management in several different places. Using IAM makes it easy to change, modify, update and process requests and approvals for various users.

4. Improved user experience

Nowadays, users are struggling to remember multiple user accounts and passwords just to log into business applications. With single sign-on (SSO) and unified user identity, users, customers and partners will be able to have access to different applications with only one account.

IAM is not made just for internal use; it can also be used for logging in users outside the organization, e.g., customers, partners, and suppliers, providing access to the organization's network across mobile applications, on-premises apps and software-as-a-service apps without compromising security. This enables better collaboration, enhanced productivity, increased efficiency and reduced operating costs.

All in all, IAM will decrease costs, improve system management and the efficiency of application development by reducing costs across the entire organization. The ASEE Identity and Access Management solution combines all the elements to enable seamless integration with all applications and unified user management.

Security & Fraud prevention in a smarter way!

To be successful, organizations must provide an excellent user experience at each juncture of the customer's journey to gain a competitive advantage.

End-users always have a choice to leave for a different solution, if their experience isn’t up to expectations. To optimize user experience, organizations have to rely on data analytics in order to identify user patterns, trends, and behavior, qualify leads as well as attract and retain more users.

Back in the 90s, we used to develop applications that comprised many different features we thought the user would consider helpful. Did you know that today, according to some research, if an average user spends more than 5 seconds trying to find anything in the app, s/he is likely not to use the app any longer? This brings us to the conclusion that we have to develop apps that serve our users' needs, not the other way around.

Some of us can look back to those times when we used to wait in long lines at the bank just to pay our bills. Thanks to the Internet and hardware tokens, those days are ancient history for most of us. Suddenly, a hardware token became just one of the devices users tend to lose or misplace. Mobile banking and millennials aimed to prove that every hardware item can be replaced with software. We are living in the times when our apps can identify us by our fingerprints, face, or voice, which enables us to complete transactions with only one click.

Following those trends in order to reduce the time spent at the bank, users can now manage their tokens within the application by using ASEE Mobile Token. By giving end-users the option to activate their tokens by themselves, and reactivate them when they change their mobile phones, we relieved branch offices and customer service departments. User experience has been improved by allowing users to manage various tokens and reset them in case of a crash or improper operation.


However, we did all that not only with our end-users in mind, but also considering the needs of our customers. For any organization it is hard to manage different roles, access rights and authorizations in many different applications. Identity and Access Management is a centralized solution developed by ASEE, which manages user identity and also protects applications and user identities against insider threats from one single place. IAM reduces administration time, allows IT to analyze user behavior, and spot fraud attempts better and faster if they occur. Better customer experience and reduced administration time are hereby achieved through one single point of interaction, and, importantly, the customer doesn't have to memorize so many usernames and passwords. IAM supports frameworks such as OAuth 2, OpenID, and SAML in order to make your system PSD2-compliant.


The bottom line is, user experience is neither less nor more important than security. When developing solutions and services, it is important to give equal attention to both customer experience (because we want our services to be used) and to security (because we want to provide our customers with the highest level of security).

5 features that end-users will appreciate in new banking era

During the non-smartphone era, we used hardware tokens to complete online transactions. We still use them, but nowadays SW tokens are being replaced by mobile tokens completely. Both the use case and the idea are perfect. You download it to your smartphone, which is always beside you, and, in case you want to make an online purchase, you can do it right from your phone. When Cloud technology arrived, the token remained stored on the phone; it didn’t move to the cloud. No one could predict that changing a mobile phone every couple of years would become standard practice.

Mobile phone manufacturers release new features every year, in order to create demand for customers who then switch to newer phone versions. New releases of Android and iOS are moving forward exactly as manufacturers dictate. In this new era of quick and frequent changes as well as emerging new trends, we are faced with users who have an incredible ability to adopt new technologies fast.

Communication with banks is becoming more vital than ever, so IT experts and banks are looking for new ways to speed up communication with their customers. Customers don't want to visit a branch, talk to anyone or wait in a long line just to get something done that takes three minutes. Going mobile is the train we need to catch.

An average customer expects every transaction to be finished in a few minutes, which is why mobile tokens were invented in the first place. A software (mobile) token is the best option for confirming online transactions because the phone is literally the one thing that is always with you. The one problem with delivering a seamless user experience through this technology is that the user has had to visit the bank every time they change their phone, in order to get a new token for signing transactions.

Asseco has come up with a solution that does not require a visit to the bank every time a customer has a problem with their mobile token or simply changes their phone. It goes one step further and enables seamless migration when switching to a new phone, changing a PIN, or moving tokens and accounts. Customers migrate all their data themselves using the self-service mobile token SDK.

This solution provides the following:

PIN change

The PIN is a sequence of digits your user sets up and has to remember in order to sign transactions with the mobile token. If a customer suspects that someone has abused their token and tried to make a transaction, they can change the PIN to a new one. The PIN is changed in the application settings: the user enters the old PIN and then sets a new one, without contacting the bank. This blocks anyone who had learned the old PIN from using the token for transaction signing. If the customer suspects that the token itself has been copied, and not only the PIN, the token should be reset instead (see Reset Token below).

Reset Token

Even with today's strong Internet security, there will be intruders who try to steal token credentials in order to make transactions online. If your users have already faced this problem, or you think it could happen to them, advise them to reset their existing tokens. A token is deactivated in the app settings; the user is then taken back to the main screen, where they enter a new activation code issued by their bank.

Migration

With phones being changed so often, token migration is extremely effective if users can do it in a few steps. Mobile users, accustomed to getting everything done in a few taps, expect every application from their old phone to be migrated to the new one automatically.

With this feature implemented in the mobile token application, a user migrates their token in just a few steps. The only thing they need to do is generate a migration code on the old device, which activates the same token on the new device. Having installed the application on the new phone, the user enters the code received from the old phone's application and the token is active there. Activating the token on the new device also retires it on the old one, so the old copy cannot keep signing transactions.

Enrolment

Can I download the app and do everything by myself? The answer is yes, finally. The end user can generate a brand-new token and activate it with the codes received from the issuer or the bank.

A download link together with an activation code must be delivered to the new mobile device. Both are first obtained by the "old" mobile token application and can then be forwarded to the new device using various mechanisms.

Recover token

The user can view the list of all tokens assigned to them and block or enable their other mobile tokens on the server side. A blocked token can be unblocked; an archived token can never be used again. A user can therefore initiate token redistribution to other mobile token devices. This is useful when the user has forgotten their PIN, has had to reset the phone to factory settings, or has deleted the token application.

If the token has been locked, the end-user can recover it at any time.
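The five functions above share one mechanism: a single-use, time-limited activation code that binds a token seed to a device, plus a server-side token status (active, blocked, archived). The following added example, written for this page and not ASEE's SDK, models that lifecycle in plain Python: enrolment, a device-local PIN change, a migration code produced by the old device, reset, and block/unblock. The OTP construction, the PIN-wrapping of the seed, the 300-second code lifetime and every name are assumptions; a real app would keep the seed in the platform keystore, and the seed would reach the device over the activation channel rather than as a return value.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

ACTIVATION_TTL = 300      # assumed policy: seconds an activation code stays valid
OTP_WINDOW = 5            # assumed: how far the server resynchronises the event counter
PBKDF2_ROUNDS = 60_000    # assumed PIN-stretching cost for the device-side wrap


def hotp(seed: bytes, counter: int, tx: bytes = b"") -> str:
    """RFC 4226 style event-based OTP over HMAC-SHA256, with the transaction
    bytes mixed in so the code only verifies for the transaction the user saw."""
    mac = hmac.new(seed, struct.pack(">Q", counter) + tx, hashlib.sha256).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**8:08d}"


class MobileToken:
    """Device side. The seed is kept XOR-wrapped under a PIN-derived key, with a
    MAC to detect a wrong PIN, so a PIN change is purely local (no server call).
    Toy wrapping for illustration; a real app uses the platform keystore."""

    def __init__(self, token_id: str, seed: bytes, pin: str) -> None:
        self.token_id = token_id
        self.counter = 0
        self._wrap(seed, pin)

    def _kdf(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS, 32)

    def _wrap(self, seed: bytes, pin: str) -> None:
        self.salt = secrets.token_bytes(16)
        k = self._kdf(pin)
        self.blob = bytes(a ^ b for a, b in zip(seed, k))
        self.tag = hmac.new(k, self.blob, hashlib.sha256).digest()

    def _unwrap(self, pin: str) -> bytes:
        k = self._kdf(pin)
        if not hmac.compare_digest(self.tag, hmac.new(k, self.blob, hashlib.sha256).digest()):
            raise ValueError("wrong PIN")
        return bytes(a ^ b for a, b in zip(self.blob, k))

    def change_pin(self, old_pin: str, new_pin: str) -> None:
        self._wrap(self._unwrap(old_pin), new_pin)      # offline: the bank is not involved

    def sign(self, pin: str, tx: bytes) -> str:
        seed = self._unwrap(pin)                        # a wrong PIN raises before the counter moves
        self.counter += 1
        return hotp(seed, self.counter, tx)


class TokenServer:
    """Issuer side: token records, single-use activation codes, OTP verification."""

    def __init__(self, now=time.time) -> None:
        self.now = now
        self.tokens = {}        # token_id -> {"user", "seed", "counter", "status"}
        self.activations = {}   # code -> {"user", "replaces", "expires"}

    def issue_activation(self, user: str, replaces: Optional[str] = None) -> str:
        """Single-use, time-limited code. `replaces` names a token that is archived
        the moment the new one activates (migration and reset use this)."""
        code = "-".join(f"{secrets.randbelow(10_000):04d}" for _ in range(3))
        self.activations[code] = {"user": user, "replaces": replaces,
                                  "expires": self.now() + ACTIVATION_TTL}
        return code

    def activate(self, code: str, pin: str) -> Optional[MobileToken]:
        entry = self.activations.pop(code, None)        # pop: a code works exactly once
        if entry is None or entry["expires"] < self.now():
            return None
        token_id, seed = secrets.token_hex(8), secrets.token_bytes(32)
        self.tokens[token_id] = {"user": entry["user"], "seed": seed,
                                 "counter": 0, "status": "active"}
        old = self.tokens.get(entry["replaces"])
        if old is not None:
            old["status"] = "archived"                  # the old device can no longer sign
        return MobileToken(token_id, seed, pin)

    def verify(self, token_id: str, otp: str, tx: bytes) -> bool:
        rec = self.tokens.get(token_id)
        if rec is None or rec["status"] != "active":
            return False
        for c in range(rec["counter"] + 1, rec["counter"] + 1 + OTP_WINDOW):
            if hmac.compare_digest(hotp(rec["seed"], c, tx), otp):
                rec["counter"] = c                      # counters only move forward: no replay
                return True
        return False

    def migrate(self, token_id: str, otp: str) -> Optional[str]:
        """The old device proves it still holds the token (signs a fixed migration
        message), then receives a code that activates the same token on the new device."""
        if not self.verify(token_id, otp, b"migrate"):
            return None
        return self.issue_activation(self.tokens[token_id]["user"], replaces=token_id)

    def reset(self, token_id: str) -> str:
        """Self-service reset: archive the suspect token and issue a fresh code."""
        rec = self.tokens[token_id]
        rec["status"] = "archived"
        return self.issue_activation(rec["user"])

    def set_blocked(self, token_id: str, blocked: bool) -> None:
        """Block/unblock from the token list; an archived token stays archived."""
        rec = self.tokens[token_id]
        if rec["status"] != "archived":
            rec["status"] = "blocked" if blocked else "active"
```

The two properties worth checking in any real implementation are the ones the test below exercises: an activation code is consumed on first use and dies after its lifetime, and activating a migrated token archives the original, so an attacker who cloned the old phone cannot keep signing after the legitimate user moves on.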

Any of the self-management functions above benefits the user: less time spent in lengthy banking processes and more time for activities they enjoy. The user is more independent and does not need to rely on anyone's assistance. A renewed or recovered token is protected just as well as the original. End-user experience improves and every process is accelerated.

ASEE SxS Solution Uses State-of-the-art Authentication Features Based on Biometry for Advanced User Identity Assurance

The ASEE SxS Solution uses biometric two-factor authentication, such as Touch ID, Face ID and fingerprint scanning, for advanced user identity assurance and a seamless customer experience.

Smartphone users are increasingly used to the biometric features of their phones and expect the same seamless experience when approving payments. ASEE has implemented biometric authentication in its own products, SxS and Mobile Token, which are used for payment authorization in more than 120 banks and financial institutions worldwide. Biometric authentication brings stronger identity assurance and a better user experience while keeping fraud to a minimum.

The ASEE SxS Solution lets companies apply strong two-factor authentication in any digital channel to achieve strong user identity assurance. The solution comes with its own Mobile Token authenticator, which provides an excellent user experience, and it also supports a wide range of existing hardware authentication devices. It addresses the PSD2 regulatory requirements for SCA and is very cost effective. A more detailed explanation of the solution's compliance with the regulatory requirements is available in the on-demand webinar "How to Meet New Strong Customer Authentication Requirements under PSD2?".

SxS integrates smoothly into any enterprise infrastructure and with a variety of applications and systems: banking applications, network services, computer logon screens, business applications, online B2B/B2C portals and any mobile, desktop or web application.

For more ASEE related news https://see.asseco.com/news-events/news/

Merchant Whitelisting (MWL) Best Practices pt.1: User Experience

SCA exemptions include a neat feature, merchant whitelisting. Enabling the cardholders to pick and choose merchants whom they trust provides them with control over their online payments user experience. To get more insight into cardholder UX along with best practices regarding managing the merchant whitelist, keep reading.

This article is a part of our Merchant Whitelisting Best Practices series. To round up the story take a look at our post regarding MWL industry best practices, Risk Considerations edition.

MWL Best Practices pt.2: Risk Considerations

What is Merchant Whitelisting?

PSD2 and the RTS allow cardholders to exempt certain merchants from SCA by adding them to a merchant whitelist. 3D Secure 2.2 added protocol support for merchant whitelisting, also known as trusted beneficiaries, one of the SCA exemptions. MWL lets cardholders whitelist trusted beneficiaries in order to avoid the additional authentication step during online payment processing.

This approach leads to a truly frictionless user experience regardless of the transaction amount or the merchant's fraud rate (the issuer may still decide to challenge a transaction it considers risky). MWL applies to one-click payments, including both card-on-file and recurring payments with variable amounts. It is important to mention that not every merchant is eligible for whitelisting; the selection of eligible candidates is under the issuing bank's control. Depending on the merchant's industry, its level of risk and the cardholder's transaction history, the issuer compiles a list of merchants eligible for whitelisting.


The specific conditions under which merchant whitelisting is applicable include the following requirements:

MWL User Experience: Best Practices

The following paragraphs bring a summary of best practices suggested by VISA and MasterCard regarding the UX when it comes to merchant whitelisting.

Adding a merchant to a whitelist

There are two flows for adding a merchant to a whitelist.

The first flow, whitelisting during the checkout challenge, involves the issuing bank's ACS and has less impact on issuers. Merchants are whitelisted one at a time.

Suggested best practices include the following:

  1. Once a merchant is deemed eligible for whitelisting, the payer is offered one of two ways to add it to the whitelist:
     • a checkbox on the payment authentication screen: the downside is that the cardholder may overlook it, the benefit is fewer clicks and a single page;
     • a separate page shown after the payment authentication: this decreases abandonment of the whitelisting step but costs the cardholder an additional click.
  2. Use user-friendly language and make sure the cardholder understands what merchant whitelisting means.
  3. Offer whitelisting only when SCA is actually being performed (a challenge flow), since the act of whitelisting itself must be covered by an SCA.
  4. Because payment and whitelisting happen in the same step, a single SCA is sufficient for both according to the PSD2 RTS.

The second flow, whitelisting through online banking, requires issuers to change their online banking service; in return, the cardholder can whitelist merchants in bulk, which makes the user experience much friendlier.

Suggested best practices include the following:

  1. Recommendations suggest that issuing banks add an MWL management functionality to their online banking service.
  2. A good practice is to offer cardholders their most frequent merchants (e.g. the top 10), on the assumption that those merchants are eligible candidates according to the issuer's risk assessment. Recognizing the cardholder's card-on-file and recurring payment agreements serves as a quality filter for determining their favorite merchants.
  3. Each individual adding of a merchant, or any change within the whitelist, requires SCA.

Editing and preview of a merchant whitelist

Cardholders need to be able to view, add and remove merchants from the whitelist using their online banking service. Every attempt to modify or view the MWL should require SCA, because it gives access to sensitive payment data.

Promoting merchant whitelisting

Relevant stakeholders, issuers and ACSs, are the primary promoters of the new functionality. They should therefore communicate the benefits of merchant whitelisting to the cardholders.

Use the following "selling points" when educating cardholders:

Multiple cards enrollment

It is recommended that whitelisting is applied for one card at a time; the card being used for processing the payment. In case whitelisting is enabled for multiple cards, each card should require a separate SCA.


If you want to find out more, contact our ASEE 3D Secure Team or download the datasheet.

Secondary Site Explained - Proactive Data Recovery

We are excited to announce that ASEE has set up a state-of-the-art Secondary Site, a component for recovering critical systems and data for the ACS and SxS hosting service. With business continuity as a top priority, Asseco now provides a top-notch alternative for when things go south.

What is a Secondary Site?

To improve our 3D Secure and authentication service we've set up a state-of-the-art secondary site in a Tier 3 Datacenter with an active-active data flow.

This means that data from the primary site is replicated to the secondary site in real time, and the secondary site takes over automatically if the primary becomes unavailable. It is not a classic disaster-recovery site that waits to be activated manually once the primary system goes down. Automatic takeover still has to be rehearsed on a schedule, since a failover that has never been exercised is a risk in itself.

The new version of ACS brings notable features and mechanisms which can additionally:

Why do you need it if you're already satisfied with availability of service?

Online payment has become even more important as it continues to grow rapidly.

Ensuring business continuity has become a key element of providing good service in the payment industry, so issuers need to take proactive measures that protect and recover critical systems and data. Although our high-availability setup has proven itself over time, additional resilience for such a critical service is clearly a must-have.

Features:

•The secondary site is located on a different tectonic plate, which keeps it safe during an earthquake at the primary location

•An Internet failure is not a problem either, because the secondary site has an independent Internet link, so an outage of the primary link no longer means downtime

•The risk from other natural disasters such as floods, lightning or fire is mitigated by the secondary site

•If a hardware component on the primary site fails, the secondary site takes over without a technician having to travel to the location and replace the hardware manually

Key Benefits:

•Business continuity and disaster recovery procedures completed in a matter of minutes

•Recovery Time Objective (RTO) and Recovery Point Objective (RPO) reduced to a minimum

•Availability improved to 99.85%

Top Online Payments Security Trends

Learn about the latest approaches when it comes to assessing security risks, and find out more about the latest authentication trends in the online payments industry.


To find out more about Trides2 portfolio, contact us or visit our blog section.  

How 3DS Mobile SDK Enhances In-App Purchase User Experience

Thinking Mobile-first with 3DS Mobile SDK

The projected retail mCommerce sales figure for 2021 is 3.56 trillion USD, which is 22.3% growth compared to 2020. In the same year, 72.9% of total eCommerce sales worldwide were registered as mobile retail eCommerce sales. The mobile payments market is expected to reach 12.06 trillion USD in 2027, at a CAGR (compound annual growth rate) of 30.01% between 2020 and 2027.


These numbers point out that optimizing for mobile is imperative. Ignoring the Mobile-first economy trends will prove to be a critical mistake in terms of future business decisions. Enabling mobile access to payments in the banking sector is standard practice. eCommerce merchants are the ones who need to follow up on this trend. Investing in the development of mCommerce apps is a key element for success. Here are the stats for 2020 to back up these statements regarding user behavior:

Despite the obvious need to provide access and easy checkout within mCommerce, it is still not delivering the desired user experience compared to the desktop variant. This is where 3DS Mobile SDK comes into play. This piece of software embedded in a merchant app does wonders for the in-app user experience by enabling less friction and a seamless checkout process.

State of In-App User Experience: Authentication

AS-IS In-App UX: without 3DS Mobile SDK

As of today, most mCommerce apps still rely on browser redirection during checkout. You stumble upon a great deal in a retailer's app, attempt to purchase the item, and the checkout process is all over the place, which often ends in abandoning the purchase altogether. Payment flows that redirect to a browser disturb the checkout experience and consequently raise cart abandonment rates: switching between the merchant app and the browser, being redirected to screens that look suspicious in a fraud-filled environment, not knowing what the next step is. These are common scenarios for a purchase that could otherwise be final in a matter of seconds.

To-BE In-App UX: with 3DS Mobile SDK

3DS Mobile SDK resolves these issues by eliminating browser redirection and unnecessary friction. It enables frictionless authentication backed by richer data gathered from the mobile device. This data is more contextual than what is gathered for desktop payments and gives you a whole new batch of inputs for additional risk parameters: device type, OS version, geolocation and timezone are only a few examples.

Mobile also enables advanced authentication methods. Biometrics, including fingerprint and face recognition, provide security and convenience at the same time. Push notifications to a registered app are another easy-to-use, possession-based method.

The result of implementing the 3DS Mobile SDK is a fast and easy checkout process, all within the merchant app: no browser redirection, and both authentication and payment processing on a single screen. This naturally has a positive impact on the user experience and lowers cart abandonment rates.

What about security?

The security aspect is strengthened as well. By integrating the 3DS Mobile SDK into your merchant app, you collect data that is far more contextual than for desktop payments. Feeding information about the device used for the mobile payment (and about the user using it) into your risk analysis opens the door to detecting new fraud patterns. In simple terms, you are generating data that yields a much more precise risk-based analysis. One caveat: device data is reported by the device, so it should be treated as a risk signal rather than as proof; a tampered or emulated device can misreport it.
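To make the risk-analysis point concrete, here is an added example (written for this page, not ASEE's risk engine and not the EMVCo device-info schema) of a rule-based scorer that consumes the kind of device context an SDK reports and decides between a frictionless and a challenge flow. The field names, the weights, the 50-point threshold and the sample profile are all assumptions; the one non-obvious rule is the cross-check between the device's reported timezone and its reported longitude, which is exactly the sort of inconsistency a spoofed context tends to show.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set, Tuple

CHALLENGE_THRESHOLD = 50   # assumed: scores at or above this go to a challenge flow


@dataclass
class DeviceContext:
    """Stand-in for the device data a 3DS SDK would report to the ACS."""
    device_id: str
    device_type: str       # "phone" / "tablet"
    os_version: str        # dotted version string
    tz_offset_min: int     # device clock offset from UTC, in minutes
    lat: float
    lon: float


@dataclass
class CardholderProfile:
    known_devices: Set[str]
    last_os: Dict[str, str]        # device_id -> last OS version seen on it
    usual_tz_offset_min: int
    home_lat: float
    home_lon: float
    typical_amount: float


def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance (haversine), Earth radius 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def score(ctx: DeviceContext, prof: CardholderProfile, amount: float) -> Tuple[int, List[str]]:
    """Additive rule score; the weights are assumptions for illustration."""
    s, why = 0, []
    if ctx.device_id not in prof.known_devices:
        s += 30
        why.append("unknown device")
    else:
        prev = prof.last_os.get(ctx.device_id)
        if prev and version_tuple(ctx.os_version) < version_tuple(prev):
            s += 25
            why.append("OS version went backwards (clone/emulator?)")
    # A device's clock zone should roughly agree with where it claims to be:
    # 15 degrees of longitude is about one hour. Allow 2 h of slack for DST and borders.
    if abs(round(ctx.lon / 15) * 60 - ctx.tz_offset_min) > 120:
        s += 20
        why.append("timezone does not match geolocation")
    if ctx.tz_offset_min != prof.usual_tz_offset_min:
        s += 10
        why.append("unusual timezone for this cardholder")
    if km_between(ctx.lat, ctx.lon, prof.home_lat, prof.home_lon) > 500:
        s += 15
        why.append("far from usual location")
    if amount > 3 * prof.typical_amount:
        s += 20
        why.append("amount well above typical")
    return s, why


def decide(ctx: DeviceContext, prof: CardholderProfile, amount: float) -> Tuple[str, int, List[str]]:
    s, why = score(ctx, prof, amount)
    return ("challenge" if s >= CHALLENGE_THRESHOLD else "frictionless"), s, why


def on_authenticated(ctx: DeviceContext, prof: CardholderProfile) -> None:
    """After a successful challenge, learn the device so the next purchase is frictionless."""
    prof.known_devices.add(ctx.device_id)
    prof.last_os[ctx.device_id] = ctx.os_version


# Constructed sample data (not real cardholder records).
SAMPLE_PROFILE = CardholderProfile(
    known_devices={"dev-A"}, last_os={"dev-A": "14.2"}, usual_tz_offset_min=60,
    home_lat=45.81, home_lon=15.98, typical_amount=25.0)
USUAL_PURCHASE = DeviceContext("dev-A", "phone", "14.2", 60, 45.80, 16.00)
SUSPICIOUS = DeviceContext("dev-Z", "phone", "14.2", -300, 45.80, 16.00)
```

`decide(USUAL_PURCHASE, SAMPLE_PROFILE, 20.0)` scores 0 and stays frictionless; `decide(SUSPICIOUS, SAMPLE_PROFILE, 400.0)` scores 80 (unknown device, clock zone five hours off for a device claiming to be in Croatia, unusual zone, large amount) and is challenged. A real engine would learn the weights from labelled fraud data instead of hand-tuning them, but the structure, a list of reasons attached to every score, is what makes the decision auditable.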

For a detailed description of 3DS Mobile SDK benefits go to our recent blog post and get first-hand info from our expert.

eCommerce Apps Guide: Striking a Balance Between Security and User Experience

As a dedicated guide for eCommerce app owners and merchants this eBook covers m-commerce security best practices and provides turnkey solution for in-app payments security. 



My Actions - My Password

Is it good that my phone knows me better than my wife?

All experts engaged in developing applications will tell you one thing: we are all human, and most of us will take convenience over security, even when dealing with banking or shopping apps. As long as it is easy, we will not think about the danger.

However, in business we do care about security, and we do care about our customers, so we are always searching for ways to combine the two.

And that is where biometry and behavior analysis come into play.

Biometric authentication, such as fingerprint scanning, retina scanning, voice recognition and face recognition, is considered among the most effective user identification methods currently available, because it is very difficult to imitate or copy somebody's biological characteristics. It is not impossible, though: presentation attacks (a photo, a recording or a mould presented to the sensor) are a known risk, which is why liveness detection and a fallback method matter.

Biometrics are easy to use because most smartphones have built-in biometric sensors. Biometric authentication provides a completely frictionless purchase process, as the user does not have to remember a username or password to prove their identity.

Can it get even better? Apparently, yes.

In the vast sea of mobile application functionalities, one is emerging that will prove very useful, albeit a little unbelievable at first sight: the ability of the application to memorize how you behave in it.


People use their mobile phones for over 50% of their waking hours. Swiping from left to right, how fast we switch between screens in different apps, how hard we press the screen with our fingers: all of this is rather unique and can identify us more reliably than a traditional password. Being so smooth and unique, user behavior analysis has recently become one of the most popular concepts for proving user identity; it also makes it possible to detect potential fraud in the app automatically, by collecting thousands of pieces of data after each iteration.

Financial institutions

For an online banking system, it is very important to secure user accounts and protect their assets and personal information from malicious hands due to the high sensitivity of the data held inside. There are many existing authentication methods. In general, they are categorized into knowledge-based methods, possession-based methods and biometric-based methods. All of the methods definitely have their own uniqueness (strengths and weaknesses); however, the environment determines which authentication approach is best suited.

The key to the authentication process is the uniqueness of the factors, which fall into three categories: something the user knows (password/PIN), something the user has (token/smart card) or something the user is (biometrics).

Most popular biometric methods “recognize” people by their face, voice or fingerprint, but alternative and less invasive biometrics have emerged recently.

Behavioral biometric authentication goes a step further by identifying a person based on unique behavior they exhibit when they interact with a device. It allows for truly frictionless authentication that is non-invasive and uses existing hardware capabilities avoiding additional sensor costs. Platforms today use one or multiple types of behavioral patterns.

We are more predictable than we think - and that's a good thing

Humans are creatures of habit. The way we walk, the way we type, how we move our cursors around a website’s login or checkout page—these are deeply ingrained rituals that, although we don’t necessarily realize it consciously, are unique to us. Not only can we be identified by the physical details of our various body parts, but we are also defined by how we perform our daily tasks. This is the world of behavioral biometrics, where what you are is verified by what you do.

Behavioral biometrics is an emerging modality in the biometric landscape, with clear applications in enterprise security, online banking, and mobile commerce. In general, a behavioral biometric system will create a profile of a user’s quotidian habits and run in the background of an application—invisible to the user—silently matching the nuances of their actions for verification. When enough of a discrepancy is found between the user and the profile, access can be denied, or an additional verification method can enter into play. For instance: if a user fails to pass the behavioral check for some reason, a request for facial recognition can be triggered.

Benefits of using behavioral authentication

How does this work in practice?

For example, take a person who frequently uses a shopping app to buy products that usually cost under $20. They usually shop in the evening and are left-handed. These are all useful pieces of information that the system memorizes and stores as a unique profile for that person. Each time the user interacts with the app, the system records their behavior and learns from iteration to iteration. With each iteration the system becomes "smarter" and user authentication takes less time.

If the system is not sure about the user based on their behavior, it can additionally ask for a password or PIN. The system then memorizes that intervention as part of the user's behavior profile, but only once the step-up has succeeded; otherwise an impostor would be training the profile.
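The mechanism described in the last few paragraphs (a silent profile that learns from each session, a discrepancy measure, and a step-up when the discrepancy is too large) is shown below in an added example written for this page; it is not ASEE's engine, and the feature names, thresholds and session data are constructed. The profile keeps a running mean and variance per feature (Welford's method), the discrepancy is the mean absolute z-score, and a session that fails the check is only added to the baseline after the extra factor has been passed.

```python
from math import sqrt
from typing import Dict, Optional, Tuple

FEATURES = ("swipe_speed", "tap_pressure", "screen_switch_ms", "session_len_s")
STEP_UP_AT = 3.0     # assumed: mean |z-score| above this triggers a PIN/biometric step-up
MIN_SESSIONS = 5     # assumed: no judgement until the profile has this much history


class BehaviorProfile:
    """Running mean/variance per feature (Welford), updated only from sessions
    that were accepted or that passed a step-up."""

    def __init__(self) -> None:
        self.n = 0
        self.mean = {f: 0.0 for f in FEATURES}
        self.m2 = {f: 0.0 for f in FEATURES}     # running sum of squared deviations

    def update(self, sample: Dict[str, float]) -> None:
        self.n += 1
        for f in FEATURES:
            x = sample[f]
            delta = x - self.mean[f]
            self.mean[f] += delta / self.n
            self.m2[f] += delta * (x - self.mean[f])

    def std(self, f: str) -> float:
        if self.n < 2:
            return float("inf")
        return max(sqrt(self.m2[f] / (self.n - 1)), 1e-9)   # guard against zero variance

    def distance(self, sample: Dict[str, float]) -> float:
        """Mean absolute z-score across features; 0 means 'exactly like usual'."""
        return sum(abs(sample[f] - self.mean[f]) / self.std(f) for f in FEATURES) / len(FEATURES)


def check_session(profile: BehaviorProfile, sample: Dict[str, float]) -> Tuple[str, Optional[float]]:
    """Silent check run in the background of the app.
    Returns ('learn' | 'accept' | 'step_up', distance)."""
    if profile.n < MIN_SESSIONS:
        profile.update(sample)          # still building the baseline
        return "learn", None
    d = profile.distance(sample)
    if d > STEP_UP_AT:
        return "step_up", d             # caller asks for PIN/biometric; profile untouched
    profile.update(sample)
    return "accept", d


def after_step_up(profile: BehaviorProfile, sample: Dict[str, float], passed: bool) -> None:
    """Only a session that passed the extra check becomes part of the baseline."""
    if passed:
        profile.update(sample)


# Constructed sessions for one user (not real telemetry).
TRAINING = [
    {"swipe_speed": 1.1, "tap_pressure": 0.40, "screen_switch_ms": 700, "session_len_s": 100},
    {"swipe_speed": 1.3, "tap_pressure": 0.50, "screen_switch_ms": 900, "session_len_s": 140},
    {"swipe_speed": 1.2, "tap_pressure": 0.45, "screen_switch_ms": 800, "session_len_s": 120},
    {"swipe_speed": 1.0, "tap_pressure": 0.42, "screen_switch_ms": 750, "session_len_s": 110},
    {"swipe_speed": 1.4, "tap_pressure": 0.48, "screen_switch_ms": 850, "session_len_s": 130},
]
USUAL = {"swipe_speed": 1.25, "tap_pressure": 0.46, "screen_switch_ms": 820, "session_len_s": 125}
ODD = {"swipe_speed": 2.0, "tap_pressure": 0.70, "screen_switch_ms": 300, "session_len_s": 40}


def demo() -> Tuple[str, str]:
    """Train on the five sessions, then judge a typical and an atypical one."""
    profile = BehaviorProfile()
    for s in TRAINING:
        check_session(profile, s)
    return check_session(profile, USUAL)[0], check_session(profile, ODD)[0]
```

`demo()` returns `("accept", "step_up")`: the usual session sits well inside the profile, the odd one is more than five standard deviations away on every feature. Two details matter more than the scoring itself: the profile refuses to judge before it has a baseline, and nothing is learned from a session that was challenged and not confirmed.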

To conclude, in order to keep modern customers and meet their expectations while keeping your business safe, behavioral authentication is definitely the route of future online services development. 


How do you benefit as a 3D Secure 2 participant?

3D Secure 2.0 provides fraud protection and online payment security to all of its stakeholders: issuing banks, acquiring banks, merchants and cardholders (the buyers). Implementing 3D Secure adds an authentication step that reduces fraud, including friendly fraud, lost-and-stolen card fraud and middleman fraud. Let's find out who is involved and how each party benefits from the 3D Secure solution.

Fear of fraud is one of the top reasons many Internet users prefer not to shop online, according to ResearchAndMarkets.com. Baymard's research shows similar results: 17% of respondents said they worry about online card data security, which stops many of them from shopping online. This buyers' pain point should encourage banks to implement technology that provides online payment security without disrupting the shopping experience. The additional layer of security provided by 3D Secure makes buyers more confident when deciding to pay by card online. Keep reading for more insight into the 3D Secure ecosystem and its participants.

3D Secure 2 Participants

To get a bird's-eye view of the 3D Secure 2 ecosystem ASEE prepared an infographic showcasing all of its participants and their respective roles.

[Infographic: 3D Secure 2 participants and their roles]

Now that you understand the roles in the 3D Secure process, we want to point out benefits for each of the stakeholders. Let’s see how you profit from the 3D Secure solution.

3D Secure 2 Participant Benefits

By implementing 3D Secure solution, all parties benefit. So take a closer look and see how each 3D Secure 2 participant gets a piece of their cake.

Cardholders:

  • Increased confidence in online payment when purchasing on the web or by mobile applications
  • Easy to use – simple and intuitive, frictionless process and redefined user experience
  • Own control of payment risk parameters
  • Uniform two-factor authentication and user experience across all digital channels

Merchants and Acquirers:

  • Increase of sales
  • Granted liability shift for fraud and disputed transactions
  • Fast and easy integration
  • Progressive security
  • High conversion rate

Issuers:

  • More value to existing products and offerings
  • A decrease in online card fraud and disputed transactions
  • Deep risk analysis of online merchants, clients, and transactions
  • Progressive security


Out of Band Authentication: Practical use cases for online payments within 3DS2

Out-of-band authentication is, by definition, an authentication method that uses a communication path separate from the one used for the initial login to the merchant app or website. It relies on two completely separate communication channels instead of one. This makes for a sophisticated authentication solution with a proven record of raising security. Continue reading for a detailed overview of OOB authentication flows and practical use cases.

What is OOB Authentication?

Out-of-band authentication (OOBA) is a form of two-factor authentication (2FA) that uses two different channels to authorize online payments securely. The first channel is used for making the transaction or purchase, and the second, the authentication channel, is used for verifying the identity of the cardholder. By splitting the process across two channels, for example the cardholder's Internet connection and their mobile network, the chance of compromising the transaction or the account is greatly reduced: an attacker would have to compromise both channels within the short timespan of an online transaction.

OOB authentication is widely used by financial institutions and other organizations with strict security requirements. It is an effective way to raise the bar against known attack methods such as man-in-the-middle attacks, provided the second channel is genuinely independent: an SMS OTP, for instance, can be diverted through SIM swapping or relayed by a real-time phishing page, so an app-based channel with a device-bound key is the stronger choice.

OOB Authentication General Workflow Overview

As mentioned, OOB authentication assumes two completely separate channels for processing a transaction. Since it is a form of 2FA, it combines two of the three factors: something the user knows (password/PIN), something the user has (smartphone, hardware or software token, or the OTP such a token produces) and something the user is (biometrics, e.g. fingerprint or face recognition).


A common example of OOBA is an Internet banking transaction. The cardholder logs in to their Internet banking account on their laptop. After entering the transaction details, the cardholder receives an SMS OTP on their mobile phone to verify the transaction. And there it is: two separate channels, the Internet connection and the mobile network, working together for heightened online payment security.

OOB Authentication and Fraud Prevention

Typically, additional authentication is necessary when an Issuing bank's risk scoring engine detects a transaction that results in a score higher than the set threshold for frictionless transactions. Depending on the risk level, the cardholder needs to apply a more sophisticated means of authentication. This is when out of band authentication comes into play, assuming two different security elements obtained through different channels.

The possession element is the smartphone registered to receive authentication request notifications. It is combined with either a knowledge element (PIN, password) or an inherence element (biometrics). Depending on the cardholder's selection, they complete the chosen authentication challenge.

OOB authentication can be done using a single device (different apps running on the same device), multiple devices (e.g. a laptop and a smartphone), or, if no authentication app is installed, by entering an SMS OTP into a designated field within the merchant's app.

OOB Authentication Flow within 3D Secure 2

Out-of-band authentication is supported by the EMVCo 3D Secure 2 protocol and is proving effective against attacks on online payments. What makes the approach work is the combination of components that make up the 3D Secure environment: the 3DS Requestor, the 3DS Server, the ACS (Access Control Server) and the Directory Server.

To better understand the authentication flow, let's review three possible use case scenarios when it comes to OOBA.

Out of Band authentication - Single Device Flow

OOBA enables authentication outside the merchant's shopping app, using an authentication application installed on the cardholder's device. The out-of-band checkout flow is triggered when such an app on the cardholder's device is identified as the second authentication channel. The application can be any of the following:

In this flow the cardholder switches from the 3DS merchant app to the authentication app and then back to the merchant app, which displays the transaction confirmation screen.

Let's review the entire checkout flow for a single device out of band authentication. This example includes push notification and fingerprint recognition as a means of authenticating the cardholder.

  1. This can be due to Trusted Merchant Listing or card-on-file transactions.
  2. By selecting the ''Confirm order'' option, the 3DS2 flow is triggered.
  3. The 3DS Requestor communicates with the 3DS Server in order to initiate the authentication process. The sent message is received by the ACS, which determines the risk of the transaction based on the received data.
  4. The ACS evaluates the transaction as not low-risk and challenges the cardholder. The 3DS Requestor communicates with the SDK in order to trigger the authentication flow.
  5. The cardholder receives a push notification on the registered device. Push notification is considered a first authentication factor, i.e. possession of a device.
  6. By tapping on the push notification, the cardholder is redirected to the Issuer app presenting the authentication screen.
  7. Upon checking the transaction details, the cardholder either declines or confirms the authentication request.
  8. By selecting confirm, the Issuer app will trigger the fingerprint recognition process. In case the fingerprint is not recognized, a fallback method must be included.
  9. If the second security element (fingerprint) is confirmed, the cardholder is automatically redirected back to the merchant's app to complete the checkout process. By selecting ''Continue'', the cardholder is displayed a checkout confirmation screen indicating a successful transaction.

Out of Band authentication – Multiple device flow

Numerous studies state that the vast majority of online transactions within Europe are initiated from a laptop, PC, or tablet. Research also suggests that this pattern is going to be relevant for the next two to three years. OOB authentication enables cardholders to conduct their online shopping using a laptop, while authentication can be controlled by using their mobile device.

The following flow covers an example of a cardholder purchasing items online on a merchant website (HTML flow). We will review the cardholder activity both on the laptop and on the registered user device.

  1. The cardholder is shopping from within a browser using their laptop. As in the previous example, we will assume that the cardholder is familiar with the merchant and that necessary credentials are automatically filled out.
  2. Upon adding the items to the shopping cart and selecting the ''Confirm order'' option, the 3DS checkout flow is initiated.
  3. The 3DS Requestor communicates with the 3DS Server in order to initiate the authentication flow. The cardholder is presented with a loading screen indicating backend activity in their desktop browser.
  4. The ACS challenges the cardholder and pushes the 3DS challenge screen for multiple device OOB flow.
  5. The 3DS Requestor initiates the challenge flow as the ACS contacts the OOB backend to initiate the authentication flow.
  6. ACS sends a push notification to the cardholder's registered device. This is considered the first factor of authentication.
  7. By selecting the push notification on the device, the cardholder is presented with the app's authentication screen. Upon transaction review, the cardholder selects either decline or confirm option presented on the screen.
  8. By confirming the transaction on the registered device, a second authentication factor needs to apply. In this case, we will again use fingerprint recognition. In case the fingerprint is not recognized, a fallback method must be included.
  9. If the fingerprint is recognized, a confirmation screen will be displayed within the authentication app.
  10. After authentication is completed using the registered device, the transaction confirmation is displayed within the browser.

One Time Passcode via SMS

In the case where the cardholder does not have access to an authentication app, the alternative authentication method is OTP via SMS. We consider OTP (One Time Passcode) as a possession element indicating ownership of a registered device.

The following flow assumes a single device OOB authentication, including a merchant app and an OTP sent via SMS to the cardholder's registered device.

  1. The cardholder adds wanted items to the online shopping cart and proceeds to the checkout page. We will assume that the merchant is familiar with the cardholder from previous purchases. Necessary credentials such as payment card, billing address, and shipping address are already filled out.
  2. Cardholder selects the ''Confirm order'' option.
  3. The 3DS Requestor communicates with the 3DS Server and triggers the authentication flow.
  4. ACS challenges the cardholder with an additional authentication step and pushes the 3DS challenge screen. The screen is specific for OTP via SMS flow, including a field for OTP entry.
  5. The 3DS Requestor communicates with the SDK to initiate the challenge flow.
  6. ACS sends an SMS to the cardholder's registered device containing an OTP.
  7. The cardholder enters the delivered OTP in the designated OTP field.
  8. By selecting the ''Submit'' option, OTP goes to ACS for validation.
  9. SDK validates the entry with ACS, and ACS communicates the authentication result to the 3DS Requestor.
  10. A confirmation page indicating a successful transaction is displayed to the cardholder.
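The three flows above share the same control points: the ACS decides whether to challenge, a possession factor is delivered to the registered device (push notification or SMS OTP), and the second element is verified at the ACS. The following simulation is an added example, not code from the page or from the Trides2 products; the risk threshold, OTP lifetime, attempt limit and transactions are constructed assumptions.

```python
"""Simulated 3D Secure 2 challenge with out-of-band authentication.

Added example; not code from the page or the Trides2 products. Component names
follow the page (3DS Requestor, 3DS Server, ACS); the risk threshold, OTP
lifetime, attempt limit and the sample transactions are constructed assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CHALLENGE_THRESHOLD = 30   # constructed: risk scores at or above this are challenged
OTP_TTL_SECONDS = 120      # constructed: how long an SMS OTP stays valid
MAX_OTP_ATTEMPTS = 3       # constructed: wrong entries before the OTP is invalidated


@dataclass
class Transaction:
    tx_id: str
    amount_eur: float
    risk_score: int        # constructed: 0 (benign) .. 100 (certain fraud)


@dataclass
class AccessControlServer:
    """Issuer-side ACS: risk-scores the transaction and verifies the factors."""
    pending_otps: dict = field(default_factory=dict)  # tx_id -> [otp, expiry, attempts]

    def assess(self, tx):
        """Risk-based authentication: low-risk transactions stay frictionless."""
        return "frictionless" if tx.risk_score < CHALLENGE_THRESHOLD else "challenge"

    def challenge_oob(self, tx, push_acknowledged, fingerprint_ok, fallback_ok):
        """OOB challenge: the push to the registered device is the possession
        factor; fingerprint (inherence) or its fallback is the second element."""
        if not push_acknowledged:          # no device, or the cardholder declined
            return "declined"
        if fingerprint_ok or fallback_ok:  # two distinct elements verified
            return "authenticated"
        return "declined"                  # fingerprint failed and fallback failed

    def issue_sms_otp(self, tx, now=None):
        """Create a 6-digit OTP for the registered device. It is returned here in
        place of the SMS gateway so the flow can be exercised offline."""
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        issued_at = time.time() if now is None else now
        self.pending_otps[tx.tx_id] = [otp, issued_at + OTP_TTL_SECONDS, 0]
        return otp

    def validate_otp(self, tx, submitted, now=None):
        """Validate the entry forwarded by the SDK: expiring, attempt-limited,
        single-use, and compared in constant time."""
        entry = self.pending_otps.get(tx.tx_id)
        if entry is None:
            return "no_pending_otp"
        otp, expiry, _ = entry
        current = time.time() if now is None else now
        if current > expiry:
            del self.pending_otps[tx.tx_id]
            return "expired"
        entry[2] += 1
        if entry[2] > MAX_OTP_ATTEMPTS:
            del self.pending_otps[tx.tx_id]
            return "locked"
        if hmac.compare_digest(otp, submitted):
            del self.pending_otps[tx.tx_id]   # single use
            return "authenticated"
        return "rejected"


def checkout(tx, acs, method="oob", enter_otp=None, **oob_factors):
    """3DS Requestor -> 3DS Server -> ACS, covering the three flows on the page.

    oob_factors: push_acknowledged, fingerprint_ok, fallback_ok (booleans that
    stand in for the cardholder's actions on the registered device).
    enter_otp:   callable simulating the cardholder typing the received OTP.
    """
    if acs.assess(tx) == "frictionless":
        return "authenticated"             # no challenge screen at all
    if method == "oob":
        return acs.challenge_oob(
            tx,
            oob_factors.get("push_acknowledged", False),
            oob_factors.get("fingerprint_ok", False),
            oob_factors.get("fallback_ok", False),
        )
    if method == "sms":
        otp = acs.issue_sms_otp(tx)
        return acs.validate_otp(tx, enter_otp(otp))
    raise ValueError(f"unknown challenge method: {method}")


if __name__ == "__main__":
    acs = AccessControlServer()
    low = Transaction("tx-low", 25.0, 10)       # constructed sample transactions
    high = Transaction("tx-high", 640.0, 75)
    print(checkout(low, acs))                                                # authenticated
    print(checkout(high, acs, push_acknowledged=True, fingerprint_ok=True))  # authenticated
    print(checkout(high, acs, method="sms", enter_otp=lambda otp: otp))      # authenticated
```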

Top Online Payments Security Trends

Learn about the latest approaches when it comes to assessing security risks, and find out more about the latest authentication trends in the online payments industry.

Top Online Payments Security Trends

To find out more about Trides2 portfolio, contact us or visit our blog section.  

What is 3D Secure 2?

The release of 3D Secure 2 was motivated by reducing fraud in card-not-present transactions as well as improving the user experience during cardholder's online checkout process. Find out how 3D Secure 2 improved effectiveness both by introducing new features and bringing the security standards to a higher level without tampering with customer experience.

3D Secure 2

3D Secure 2 is an improved version of the 3D Secure authentication protocol, introduced in 2001 by VISA as an interoperable three-domain solution for online card authentication. As opposed to card transactions that occur in brick-and-mortar retail, which use chip and PIN authentication, there was no solution for eCommerce until 3D Secure stepped in.

3D Secure is an additional process that occurs before a transaction becomes authorized. The three domains are namely:

1. Merchant: The seller that requires payment.
2. Customer: The card owner and purchaser of goods.
3. Interoperability: Card scheme (Visa, MC, Amex, Diners, JCB, etc.)

eCommerce figures to consider

For a number of years, eCommerce and other online payment systems have proven to be lucrative and presented constantly growing business opportunities, accompanied by an ever-present and rising threat regarding online fraud and theft.

Below are some figures (via eMarketer) comparing the share of total retail sales conducted online with all sales, including brick-and-mortar retailers, as well as the annual change within this sector and the growth from 2017 to the projected year 2023.

3D secure ecommerce sales worldwide

The data shows that the global eCommerce market had sales reaching $3.5 trillion by the end of 2019 and represented 14% of the global sales figures. Projections show that eCommerce sales will reach 22% of global retail figures by 2023, with total sales reaching around $6.5 trillion.

Why the upgrade?

Considering the ever-growing trend in eCommerce, security issues need to be taken care of, and significant changes regarding the authentication process are being implemented. Static passwords are untrustworthy and should be replaced by dynamic passwords and biometrics. This resulted in an improved user experience for both merchants and cardholders as well as more secure online payment processes.

Main changes included the following:

Stronger authentication 

Strong Customer Authentication (SCA) came into play as a PSD2 requirement. Its main goal is to reduce fraud and bring online payment security to a higher standard. Static passwords caused a variety of inconveniences for online shoppers, resulting in high cart abandonment rates. Biometric authentication (e.g., face or voice recognition), on the other hand, is not only more secure than conventional static passwords but also contributes to a smooth user experience during online checkout, which cuts down cart abandonment rates. Another method within 3D Secure 2 is risk-based authentication, a stepping stone for frictionless transactions: ''low-risk transactions'' do not require further authentication. This method is based on data from previous transactions and cardholder behavior information.

Improved User Experience

Bringing the security standards to a higher level without tampering with user experience presented a real challenge when it comes to 3D Secure 2. Alongside introducing new authentication methods such as biometrics, this upgrade eliminated pop-up windows and redirects which occurred during online payment, making cardholders more confident in the security of their purchase and consequently causing cart abandonment rates to drop.

Multi-device support

3D Secure 2 enables authentication on a wide variety of devices. 3D Secure transactions are now available in both application- and browser-based solutions.

What after 3D Secure 2?

EMVCo continues to enhance the 3D Secure protocol, aligning it with eCommerce trends and with the buyers' and stakeholders' need for the best UX and ultimate security. 3D Secure v2.1 brought frictionless authentication, which resulted in a faster and more convenient checkout process. The current version, 3DS v2.2, brought new authentication methods such as decoupled authentication, and Trusted Merchant Listing, which gives buyers additional control in managing transaction security.


In-App authentication shouldn't be an option, it's a must-have: 3D Secure 2 Expert Interview

3D Secure 2 is a fully PSD2 compliant solution for ensuring online payment security. It has made quite a leap compared to the previous version of the protocol. The most notable changes concern mobile and In-App purchasing. We sat down with our product manager for the Trides2 portfolio, Dubravko Kovačić, and had a talk concerning the latest 3D Secure version and In-App authentication.

3D Secure 1 was first launched in 2001 by VISA, motivated by achieving payment security in the online ecosystem. The idea was good, but the execution not so much. Since it was not mandated by card schemes and due to poor user experience, the whole project resulted in very low adoption by card issuers and acquirers. Moreover, merchants who were willing to adopt 3DS1 suffered losses caused by increased cart abandonment rates. The reason being, again, bad user experience during online checkout.

In-App Payment Authentication

It was evident that a change was much needed. And that change happened in 2017 when the 3DS2 protocol was published. The primary motivation was to improve the previous version's performance and adapt to the fast-growing mobile commerce market.

1. Hello Dubravko! To kick off our interview, could you share more details on the most notable improvements regarding the shift from 3DS1 to 3DS2? 

Sure. 3D Secure 2 brings us the so-called ''frictionless transactions''. This means that the cardholder is no longer required to go through all of the authentication steps present in the previous version of 3D Secure technology. Thanks to Risk-Based Authentication, additional authentication steps are eliminated if a transaction is assessed as low-risk. A prerequisite for conducting such risk analysis includes collecting both transaction and cardholder data.


Nowadays, consumers are proficient at online shopping, and there is significant growth when it comes to the use of mobile. Smartphones are a big part of the online shopping ecosystem and demand high levels of online payments security. 3D Secure 2 enables support for full In-App authentication experience during an online purchase. By implementing 3DS Mobile SDK, the cardholder is no longer bothered with suspicious web browser redirects and is able to experience a seamless checkout experience.

2. To my understanding, merchants are also greatly benefiting from the new version of 3D Secure. Can you give us a comparison of the previous mobile authentication flow in regards to the upgraded version?

In fact, the first version of 3D Secure did not support mobile applications at all. When 3DS1 was launched, no such thing as a smartphone app existed. We are talking about 2001. Nowadays, the backdoor is redirection to web browsers at the payment step, followed by another redirection at the 3DS authentication step within the checkout.

Such authentication flow, containing multiple redirects, disturbs the cardholder for a number of reasons. Firstly, the end-user needs to maneuver between multiple pop-ups, which tends to make the authentication process confusing, difficult to follow, to say the least. Secondly, with the growing online payment fraud awareness, consumers find such flows suspicious and are likely to abandon the purchase altogether.

With 3D Secure 2 and the 3DS Mobile SDK built into the merchant application, the cardholder is able to pass through all of the mentioned authentication steps without leaving the app. This makes for a streamlined In-App authentication process and contributes to an impeccable user experience compared to the first version of the protocol.

3. Sounds like quite a leap, in a good direction of course. Which components are responsible for enabling such frictionless payments?

There are two main benefits for cardholders and merchants when using 3DS Mobile SDK. As mentioned, the first benefit is a smooth and fast checkout process within the mobile application. Tedious redirects between web browser screens are history. Also, when checkout and In-App authentication are initiated, mobile SDK participates in the collection of various transaction, device, and application data (IP address, device ID, geolocation, etc.). This is necessary for conducting a more precise risk analysis mentioned earlier. All of the mentioned factors participate in assessing the risk of a particular transaction. More data means more accuracy. Therefore, issuing banks, who are responsible for risk scoring, can be more confident in granting frictionless authentication.

4. Talk us through the implementation and onboarding process of 3DS2 Mobile SDK. Is the mobile app able to do business as usual, or are there any delays caused during the integration process?

3DS Mobile SDK is in the hands of mobile app developers. Integration of SDK in their mobile applications is their ''business as usual''. Also, they are able to test the 3DS process using our 3DS test server available to third-party developers and 3DS integrators.

5. Got it. In your opinion, what are the most notable benefits mobile SDK brings, business-wise?

3DS SDK enables a better checkout user experience, which is top of the list when it comes to purchase abandonment reasons. Also, it contributes to a more accurate risk assessment due to the wider set of acquired transaction and device data. More confident risk analysis results in a higher rate of frictionless transactions, again providing a better user experience.

In addition, it is important to mention that 3DS2 generally brought us more advanced authentication methods, including biometrics.

6. SDK sounds like a bundle of perks for both merchants and cardholders. How does Trides2 portfolio fit into this 3D Secure 2 story?

Trides2 portfolio covers all 3D Secure software components needed for all online payments stakeholders. This includes Access Control Server with risk scoring for card issuers, 3DS Server for acquirers and payment service providers, and 3DS SDK for mobile app merchants. We also provide 3DS Test Tool for each of the mentioned components, regardless of independent testing or end-to-end 3D Secure transactions.

ASEE is a pioneer in 3D Secure, dating back to 2004 with 3DS1. This means 17+ years of experience in this area. In the past two years, we have supported 50+ banks, payments processors, and payment gateway providers in migration from 3DS1 to 3DS2, upgrading the authentication methods from signature and SMS OTP to PSD2 compliant methods such as mobile OTP, push notification, and biometrics.

7. I see, Trides2 is truly a one-stop shop for 3D Secure 2. To finish off, we would like to hear how you view the future of online payments and how 3DS2 fits into that future.

All merchants, especially online merchants, are aware that today's buyers are very demanding. Fast and smooth service is at the top of their priorities. Keep in mind that online buyers are mostly millennials and Gen Z, who are notorious for impatience and wanting everything to be over in just a few clicks. That said, In-App authentication will have to rely on efficient risk scoring in order to minimize the buyer's effort. When authentication is truly necessary, it will be based on behavioral authentication and AI analytics, enabling, again, authorization without the buyer's action.

eCommerce Apps Guide: Striking a Balance Between Security and User Experience

As a dedicated guide for eCommerce app owners and merchants this eBook covers m-commerce security best practices and provides turnkey solution for in-app payments security. 

eCommerce Apps Guide: Striking a Balance Between Security and User Experience

To find out more about Trides2 portfolio, contact us or visit our blog section.  

What is Friendly Fraud and how to prevent it?

How can something that sounds so innocent cause so much trouble for merchants and issuers? After all, how can fraud be described as friendly? The name comes from the simple virtue of convincing the merchant that the actual fraudster is the victim of fraud by making plausible and honest-like claims. Imagine the backlash you, as an issuer or merchant, would get if you neglected a legitimate dispute under the claim that you're suspecting it is an attempt of friendly fraud. Now that you understand the complexity of the problem, let's start from the beginning.

Friendly Fraud 101

The first distinction between friendly fraud and conventional fraud in online payments is the fact that the fraudster is not using a stolen credit card or credentials, but their own (or from a friend, family member, etc.). The initial intent of the ''friendly fraudster'' is to receive and retain goods and services while asking for chargeback under the claim they did not make the purchase nor receive goods or services.


A common scenario is the following: a cardholder purchases goods from a merchant and claims they did not make the purchase, did not receive the goods, or received a partial order. This gives the cardholder enough grounds to file a chargeback, demanding a full refund.

It is evident that there is a common denominator when it comes to friendly fraud - chargebacks. That is why friendly fraud is often referred to as chargeback fraud. The cardholders with ''unfriendly'' intentions have figured out how to game the chargeback process. In order to benefit from it, they claim legitimate purchases to be fraudulent.

Chargeback: Returning funds to the cardholder by revoking funds from the merchant based on a reported fraudulent activity.

Friendly Fraud: Any scenario where a cardholder wrongly files a suspicious charge, either by mistake or with malicious intentions.

Now that we have cleared up the difference, it is good to know that 86% of all chargebacks (Paymentsource) are likely to be friendly fraud. A mechanism used for protecting the customer is being abused, and merchants' hands are tied.

Types of Friendly Fraud

The truth is, not all friendly fraud is malicious. There are cases where an honest misunderstanding took place. But that makes things even more complex when it comes to detecting and preventing such fraudulent activities. Let's go through our list and distinguish the ones which are malicious from unintentional ones.

1. Chargeback vs. Refund

An average cardholder neither understands nor cares about the difference between chargebacks and refunds. Instead of contacting the merchant to file for a refund, they go to their issuing bank to reverse the charges. This results in a chargeback, which harms the merchant.

2. Auto-Pilot Mode

Good memory or bad memory, living in today's fast-paced world often results in unintentional fraud reports. Recurring payments and transactions made in a rush tend to fade out from our memory, causing confusion when we take a look at our transaction history. What do we do? File a chargeback dispute.

3. Unfamiliar Descriptors

There are cases where the cardholder is not able to recognize the company name on the billing statement. This can be due to rebranding or the business simply being registered under a name different from its legal business name because of branding. Red flags are automatically raised in the cardholder's head, and the only logical option is to open a dispute.

4. Bad Communicators

In some cases, people share, or even borrow, credit cards from their family, partners, coworkers, etc. Although there are no ill intentions, we fail to inform one another about particular purchases. This results in confusion, suspected fraud, and finally, a chargeback.

5. Malicious Intentions

This one is for the cardholders who tend to abuse the chargeback process. They game the system by falsely reporting transactions made by themselves. Typical claims involve unsuccessful delivery, unapproved authorization, partial delivery of the purchase, all resulting in chargeback processes harming the merchant. 

Who is to blame?

Given all the facts, friendly fraud resulting in chargebacks damages the merchant, leaving the fraudster without consequences and with full pockets. The question of the day is: Why do we tolerate this behaviour?

Banks and card associations have created an environment that puts customers first. If an issuer wants to issue or receive payments from a particular card scheme, they need to comply with the card scheme's rules and regulations. Since the end goal for card schemes is to increase the number of cards used by cardholders, they encourage consumer-first policy and guarantee rights regarding transaction disputes.

By association, issuers are adopting the consumer first policy, favoring customer rights over merchant rights. Unless the merchant has solid proof that the cardholder disputed a chargeback with ill intentions, the chances of coming out victorious are slim to none.

How to Find a Way Around Friendly Fraud?

Fraud can't be eliminated, but it can be influenced. Friendly fraud is a specific genre of online fraudulent activity. No matter the circumstances, if a cardholder with malicious intentions is determined to game the system through the chargeback process, chances are they will manage to do so. But keep in mind that only one out of the five types of friendly fraud listed above involves intentional fraud.

By undertaking specific fraud-prevention actions, you can reduce the likelihood of friendly fraud. Here are a few tips on how to approach this issue:

The Future is Looking Bright

Friendly fraud as such is not in the primary scope of 3D Secure. However, 3D Secure 2 is very much focused on transaction risk scoring. It provides a frictionless user experience by identifying low-risk transactions. Risk scoring services in 3D Secure keep evolving over the years by deploying machine learning, behavior analytics, and artificial intelligence algorithms in risk scoring.

So the answer lies in gaining in-depth data about customers, enabling quality prediction and a better understanding of where threats are coming from.

AI-powered analytics are able to provide insight into unusual behaviour patterns, which is useful for detecting suspicious activities involving friendly fraud as well. More data will provide more knowledge about frequent chargeback and refund abusers, so that they can be blacklisted.

Merchants should be able to set certain parameters such as refund limit per customer or prevent customers from demanding a refund for a specific period.


False declines and why you want to avoid them

False declines are frustrating. Whether you're a cardholder, merchant, or issuer, false declines are never pleasant and you should avoid them at all costs. They result in a missed sale, reduce revenue for both merchants and issuers, and, most notably, send customers packing right into the hands of the competition.

False declines are legitimate transaction attempts that are declined because of suspected fraud. They are the so-called ''false positives'', fully valid transactions classified as invalid, and rejected by the Access Control Server (ACS).


Picture this - you're about to purchase something online, let's say a new smartwatch. You spend some time researching all of the functionalities. You find the best deals offered to you from various merchants. That's it! After hours, maybe even days of researching online, you are finally ready to make a purchase. You enter all of the required details necessary to finalize your purchase, and – your order declines. Frustrating would be an understatement for this situation.

Now let's examine the next steps. The cardholder will most likely turn to the competition or use a different credit card in order to process their order successfully. Either way, there will be a loser at the end of this story. The cardholder will keep this unpleasant situation in their mind. The chances of them using the same declined credit card or returning to the ''problematic'' merchant are slim to none.

And there it is; a missed sale, reduced revenue, and an unhappy customer - the three horsemen of false declines.

Why do false declines happen?

The occurrence of false declines is closely connected to the anti-fraud solution used by the merchant, issuer, or acquirer. The cardholder is usually presented with a generic message such as ''transaction refused''. This offers no additional information that explains the decline or guides the cardholder to take the next step.

Common reasons for false declines involve the following:

  1. Merchant side issue – anti-fraud solution rejected a valid transaction.
  2. Acquirer side issue – anti-fraud solution rejected a valid transaction, e.g., false positive in address verification.
  3. The Risk-management solution configuration is too strict.
  4. The issuing bank is suspecting fraudulent activity.

Also, anti-fraud solutions based on behavioral analysis might classify a transaction as fraudulent, while it is, in fact, a valid one. Let's say that the cardholder has a pattern of purchasing low-value items online, not more than 10 EUR per transaction. All of a sudden, that same cardholder decides to book an all-inclusive trip online. Regardless of sufficient funds and correct card information during checkout, the transaction might be blocked because the pattern is unusual, and the system flags it as suspicious or fraudulent activity.

Balancing between false positives and false negatives

There is a fine line when it comes to configuring the ACS solution so that it identifies suspicious transactions correctly. False negatives are transactions that are fraudulent but which the system accepts as valid. False positives, on the other hand, are valid, honest transactions that the system classifies as fraudulent. Configure the system ''too loosely'' and you will end up with false negatives; set it up ''too strictly'' and you risk a high number of false positives, i.e., false declines.

False declines vs. Fraudulent transactions

If we examine the end impact of fraudulent transactions, we need to keep in mind that the loss is not equal to the amount of the processed fraudulent transaction. It can be anywhere from 100% (gold) to 0% (digital goods) of the amount displayed in the web store. If we take sneakers as an example, the total cost of loss will be equal to the manufacturing cost. It is usually as low as 5% of the displayed price.

When talking about false declines, the end impact is much more significant. After receiving a notification about an invalid transaction, the cardholder doesn't have any guidance on the next steps. They will most likely use a different credit card or look for the same product/service in the neighbor's yard, the competition. Either way, they are leaving with an unpleasant experience with the overall service, and it is not likely that they will use the same rejected credit card or revisit the same merchant.

Riskified surveyed 5000 US-based consumers to find out more about their online shopping experiences and fraud. Regarding our topic, the survey found that almost one-third of shoppers in every segment have been wrongfully rejected during a purchase, resulting in a false decline. After being rejected, 42% of shoppers abandon their cart immediately and move on to the next best thing. Looking at the big picture, that means all acquisition costs and efforts went out the window because of a ''single'' false decline.

False positives are extremely expensive. The Global Fraud Survey published by the Merchant Risk Council states that the average online store rejects 2.6% of all transactions under the claim that they might be fraudulent. The pricing pattern shows that the higher the price, the higher the percentage of declines (e.g., merchants decline around 3.1% of orders over $100).
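The trade-off between false negatives and false declines, together with the cost asymmetry described above (a missed fraud costs only a fraction of the displayed price, a false decline costs the sale and the customer), can be made concrete by sweeping the ACS decline threshold over a labelled sample. This is an added example, not the page's or any vendor's scoring engine; the transactions, the 0.3 decline-cost fraction and the threshold step are constructed, while the 5% and 100% fraud-loss fractions are the sneakers and gold cases from the text.

```python
"""Threshold sweep: false declines vs. missed fraud under an asymmetric cost model.

Added example, not code from the page or from any 3D Secure product. The labelled
transactions, the decline-cost fraction and the threshold grid are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScoredTransaction:
    amount: float      # displayed price in the web store
    risk_score: int    # 0..100 as produced by the issuer's risk scoring
    is_fraud: bool     # ground truth, known only after the fact


# Constructed sample: legitimate purchases cluster at low scores, but one
# high-value legitimate purchase (score 58, 900) breaks the cardholder's usual
# pattern, the "all-inclusive trip" case from the text. Fraud clusters high,
# with one low-scoring fraudulent purchase (score 37) that looks ordinary.
SAMPLE = [
    ScoredTransaction(20.0, 5, False),
    ScoredTransaction(45.0, 12, False),
    ScoredTransaction(9.0, 18, False),
    ScoredTransaction(120.0, 25, False),
    ScoredTransaction(60.0, 33, False),
    ScoredTransaction(350.0, 41, False),
    ScoredTransaction(900.0, 58, False),
    ScoredTransaction(80.0, 37, True),
    ScoredTransaction(400.0, 55, True),
    ScoredTransaction(150.0, 68, True),
    ScoredTransaction(1200.0, 82, True),
    ScoredTransaction(60.0, 95, True),
]


def confusion(txs, threshold):
    """Decline every transaction with risk_score >= threshold.
    Returns (tp, fp, tn, fn): fp are false declines, fn are missed fraud."""
    tp = fp = tn = fn = 0
    for tx in txs:
        declined = tx.risk_score >= threshold
        if declined and tx.is_fraud:
            tp += 1
        elif declined and not tx.is_fraud:
            fp += 1
        elif not declined and tx.is_fraud:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def rates(txs, threshold):
    """False-decline rate (share of honest customers rejected) and fraud miss
    rate (share of fraud approved) at a given threshold."""
    tp, fp, tn, fn = confusion(txs, threshold)
    return {
        "false_decline_rate": fp / (fp + tn) if fp + tn else 0.0,
        "fraud_miss_rate": fn / (fn + tp) if fn + tp else 0.0,
    }


def expected_loss(txs, threshold, fraud_loss_fraction, decline_cost_fraction):
    """Approved fraud costs fraud_loss_fraction of the amount (page: ~5% for
    sneakers, 100% for gold); a declined honest purchase costs
    decline_cost_fraction of the amount (constructed: lost margin plus the
    acquisition effort the page says goes out the window)."""
    loss = 0.0
    for tx in txs:
        declined = tx.risk_score >= threshold
        if tx.is_fraud and not declined:
            loss += fraud_loss_fraction * tx.amount
        elif not tx.is_fraud and declined:
            loss += decline_cost_fraction * tx.amount
    return loss


def best_threshold(txs, fraud_loss_fraction, decline_cost_fraction, step=5):
    """Lowest threshold on the 0..100 grid that minimises expected loss.
    A higher fraud-loss fraction pushes the optimum down (stricter)."""
    best_t, best_cost = None, None
    for t in range(0, 101, step):
        cost = expected_loss(txs, t, fraud_loss_fraction, decline_cost_fraction)
        if best_cost is None or cost < best_cost:
            best_t, best_cost = t, cost
    return best_t


if __name__ == "__main__":
    for name, fraction in (("sneakers (5% loss)", 0.05), ("gold (100% loss)", 1.0)):
        t = best_threshold(SAMPLE, fraction, 0.3)
        print(name, "-> decline at score >=", t, rates(SAMPLE, t))
```

Run on the constructed sample, the sneakers-like store is best served by a looser threshold (60) that approves the low-scoring fraud but never declines the honest 900 purchase, while the gold-like store moves to 45 and accepts that false decline.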

3D Secure 2 and False Declines

3D Secure 2 enables issuers to access ten times more transaction data than before, which results in more precise risk analysis and profile creation for the cardholder. The end result? Fewer false declines, among other benefits, of course. Both merchants and issuers are able to increase profits and keep their customers satisfied and returning to use their service.


eBook: How to choose the right 3D Secure software

This eBook contains all the critical elements you need to consider while making intelligent, well-informed decisions regarding implementing 3D Secure technology.

eBook: How to choose the right 3D Secure software

To find out more about Trides2 portfolio, contact us or visit our blog section.  

PSD2: An Overview of the Second Payment Services Directive

Although there is a lot of talk about PSD2, we understand that the information contained in the directive can be, and indeed is, overwhelming. To understand the primary motivation behind the PSD2 regulation, we covered key points relevant to you and your business on a single page. 

What is PSD2?

As stated by the official summary of the PSD2 directive, the main goal of the regulation is to provide a legal foundation for the further development of electronic payments within the EU. It is a comprehensive set of rules aiming to make payments within the EU simple, efficient, and secure. Motivated by offering a broader set of choices and better prices for consumers, PSD2 advocates opening up payment markets to new participants, to create more competition, leading to greater efficiency and strengthening consumers' trust.


The directive strives to enhance the existing set of EU rules regarding electronic payments. It emphasizes innovative and emerging payment services, such as internet and mobile payments. Rules stated in the directive concern security requirements, i.e., safeguarding consumers' financial data, promising secure authentication, and reducing online payment fraud rates. Transparency is another key point that PSD2 advocates in order to provide accurate and timely information about requirements regarding payment services. PSD2 establishes the rights and obligations of the participants involved in the online payment environment, the users as well as the providers of payment services.

Several notable suggestions regarding leveling the payments playing field are pointed out, and those are the following:

  1. Expanding the EU payments market – PSD2 advocates opening the payment market to new participants in an effort to decrease the monopoly banks have over the customer's accounts and payments services, promising increased efficiency without compromising the security of online payments,
  2. Empowering consumers – consumers have reduced liability for non-authorized payments, unconditional refund rights for a predefined period of time (8 weeks), eliminated surcharges for the use of a consumer credit/debit card,
  3. Restricted interchange fees – PSD2 limits interchange fees between banks for card-based transactions in an effort to reduce merchant costs for accepting credit/debit cards as a means of payment.

What happened to PSD?

The first payment services directive dates from 2007. While it set out good practices and regulated guidance on rules regarding payment services, as of today it is obsolete. With the rapid evolution of "all things digital", new e-commerce trends, authentication methods, and the overall innovative approach to payment markets, PSD was outdated and needed an upgrade. Now that we have had a brief history lesson, let's get back to our main topic.

PSD2 participants

With new regulation came new terminology, and below are the ones concerning PSD2:

AISPs (Account Information Service Providers) – Providers that can ask for permission to connect to a bank account using an API. They use that bank account information in order to provide a service. Having access to such data implies a "read-only" approach, i.e., they can't move funds out of the account.

ASPSPs (Account Servicing Payment Service Providers) – A customer's issuing bank that provides and maintains payment accounts. They publish APIs so that the customers are able to share their account data with TPPs in case they want them to initiate payments on their behalf.

PISPs (Payment Initiation Service Providers) – Authorised PISPs are able to move funds on the customer's behalf upon connecting to the bank account. An example of a practical use case is the automatic transfer of funds to a customer's savings account.

TPPs (Third-Party Providers) – Third-Party Providers are either/both Payment Initiation Service Providers (PISPs) and/or Account Information Service Providers (AISPs).

PSUs (Payment Service Users) – Users of any of the above mentioned service providers.

What changes does PSD2 bring?

PSD couldn't foresee trends in the payment industry ten years in advance, and that is why PSD2 steps in. It brings a fresh set of rules in an effort to enable modern, innovative payment services for users. PSD2 provides them with the highest level of security in terms of online payment fraud, which is constantly present. A comprehensive list of the most important payment threats published by the European Payments Council makes you think twice before entering your card data to process an online payment, and it should. Take a look.

The 2019 Payment Threats and Fraud Trends Report provides an overview of the most important threats in the payments landscape, including:

  1. social engineering,
  2. malware,
  3. advanced persistent threats (i.e. sophisticated targeted malicious attacks aimed at a specific individual, company, system, or software),
  4. mobile device-related attacks,
  5. denial of service attacks,
  6. botnets (i.e. a network of private computers infected with malicious software and controlled as a group),
  7. threats related to cloud services and big data, IoT, virtual currencies

Strong Customer Authentication

In order to combat fraud, PSD2 introduced Strong Customer Authentication (SCA). PSD2's weapon of choice protects customers by demanding them to authenticate with two out of three authentication elements, namely:

  1. Knowledge - something the user knows (PINs and passwords, for instance)
  2. Possession - something the user owns (a token or a mobile phone)
  3. Inherence - something the user is (biometric authentication including fingerprint, face recognition, voice scan)

Initially, this put pressure on issuers and merchants. They were wary of the effects it will have on the overall traffic. The added authentication steps could potentially drive away the customer from their purchase. But there is a cure for this disease, and it comes in the form of SCA exemptions within the scope of the SCA mandate.

SCA exemptions

SCA exemptions include various scenarios where SCA is not necessary. The customer is not asked for an additional authentication step during the processing of a payment. SCA exemptions are the following:

  1. Low-risk transactions – Among other innovative approaches in the payments industry, shared information about the customer's account data enabled risk scoring, the so-called Risk-Based Authentication. It enables risk assessment of an individual transaction, deeming a transaction either high, medium, or low risk. In case a transaction is classified as low risk based on predefined parameters, additional authentication is not needed.
  2. LVP (Low-Value Payment) – transactions less than or equal to 30 EUR are considered low-value transactions and do not require additional authentication. This rule is applicable for up to five consecutive payments equal to or less than 30 EUR and in cases when the cumulative value since the previous SCA is equal to or less than 100 EUR.
  3. Trusted Merchant Listing – The cardholder is able to trust list a merchant (if they are eligible for whitelisting, this is managed by the issuing bank) and avoid additional authentication because they believe that the merchant is known and can be trusted.
  4. Corporate payments – processing payments with a card that belongs to an entity rather than an individual.
  5. Recurring payments – Subscriptions, loans, and similar payments with a fixed amount require SCA only for the first payment. In cases where the amount changes, SCA is mandatory for each individual change.
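The exemption rules listed above (TRA risk level, low-value payment counters, trusted merchant listing, fixed-amount recurring payments) as an issuer-side decision helper. This is an added example, not Trides2 or ASEE code; the thresholds are the figures quoted above, while the data structures, the counter handling and the assumption that SCA always succeeds are constructed for the example.

```python
"""SCA exemption decision helper (constructed example, not Trides2 code).

Rules as described in the text:
  * TRA: a transaction rated "low" risk needs no SCA; "high" always does.
  * Low-Value Payment (LVP): amount <= 30 EUR, at most five consecutive
    exempted payments since the last SCA, cumulative amount since the last
    SCA <= 100 EUR.
  * Trusted merchant listing: merchant trust-listed by the cardholder.
  * Recurring payments with a fixed amount: SCA only for the first payment
    or when the amount changes.
Assumption: every exempted payment counts towards the cumulative amount
"since the previous SCA", and a required SCA is assumed to succeed, which
resets the counters.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, Optional, Set, Tuple

LVP_MAX_AMOUNT = Decimal("30")
LVP_MAX_COUNT = 5
LVP_MAX_CUMULATIVE = Decimal("100")


@dataclass
class CardholderState:
    """Per-card state an issuer keeps between SCA challenges (assumed model)."""
    lvp_count_since_sca: int = 0
    cumulative_since_sca: Decimal = Decimal("0")
    trusted_merchants: Set[str] = field(default_factory=set)
    # recurring mandate id -> amount that was authenticated with SCA
    recurring_agreements: Dict[str, Decimal] = field(default_factory=dict)


@dataclass
class Transaction:
    amount: Decimal
    merchant_id: str
    risk_level: str = "medium"                # "low" | "medium" | "high" from TRA
    recurring_mandate: Optional[str] = None   # set for subscription-style payments


def _require_sca(state: CardholderState, reason: str) -> Tuple[bool, str]:
    # SCA performed: LVP limits are counted "since the previous SCA", so reset.
    state.lvp_count_since_sca = 0
    state.cumulative_since_sca = Decimal("0")
    return True, reason


def _exempt(state: CardholderState, tx: Transaction, reason: str) -> Tuple[bool, str]:
    state.cumulative_since_sca += tx.amount
    return False, reason


def decide_sca(tx: Transaction, state: CardholderState) -> Tuple[bool, str]:
    """Return (sca_required, reason) and update the cardholder counters."""
    if tx.risk_level == "high":
        return _require_sca(state, "high-risk transaction")

    if tx.recurring_mandate is not None:
        agreed = state.recurring_agreements.get(tx.recurring_mandate)
        if agreed == tx.amount:
            return _exempt(state, tx, "recurring payment with unchanged amount")
        # first payment, or the amount changed: SCA, then remember the amount
        state.recurring_agreements[tx.recurring_mandate] = tx.amount
        return _require_sca(state, "first or changed recurring amount")

    if tx.merchant_id in state.trusted_merchants:
        return _exempt(state, tx, "trusted merchant listing")

    if tx.risk_level == "low":
        return _exempt(state, tx, "low risk per transaction risk analysis")

    if tx.amount <= LVP_MAX_AMOUNT:
        within_count = state.lvp_count_since_sca < LVP_MAX_COUNT
        within_total = state.cumulative_since_sca + tx.amount <= LVP_MAX_CUMULATIVE
        if within_count and within_total:
            state.lvp_count_since_sca += 1
            return _exempt(state, tx, "low-value payment")
        return _require_sca(state, "LVP count or cumulative limit exceeded")

    return _require_sca(state, "no exemption applies")
```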

Out of scope - SCA

There are other scenarios that are out of the scope of the SCA requirement but are not classified as SCA exemptions.

  1. Merchant-initiated transactions – payments initiated by the merchant on the customer's behalf based on an agreement.
  2. Mail order/Telephone order – commonly known as MOTO transactions, they are out of the scope of the SCA requirement.
  3. One leg out transactions – Cases where either the card issuer or acquirer (or both) are outside the EEA.
  4. Anonymous transaction – Cases where a gift card is issued to a customer without identifiable cardholder credentials.

3D Secure 2.0

3D Secure is a protocol that enables Strong Customer Authentication and protects online payments by adding an additional layer of security. It is the main determinant for PSD2 compliance and enables both payment service providers and merchants to achieve alignment. You can get more insight on the latest version of the 3D Secure protocol in our blog post. 

How to achieve PSD2 compliance?

If you're a merchant or a PSP, the main question of the day is: Am I PSD2 compliant? If not, how do I become PSD2 compliant?

Merchants need to decide between two options. One option suggests that they pick a PSD2 compliant PSP. This relieves them from all the administrative aspects of compliance and enables them to focus on their primary business. The second option advises merchants to integrate authentication into their checkout process. This requires more effort financially but enables them to be PSD2 compliant and in charge of the customer's checkout experience.

If you're an issuing or an account-holding institution, these are the steps to follow: create APIs in order to enable access to transactional payment data, provide TPPs with access to accounts, make sure you have a Consumer Identity and Access Management solution in place, and finally implement the network and API security infrastructure.

Third-Party Providers, for their part, must take care of their PISP or AISP license. They need to establish a trust framework with banks and financial institutions. Next, they need to develop secure apps including user consent and fraud monitoring. Lastly, TPPs need to implement a consumer IAM solution.

Key takeaways

Although PSD2 is causing a stir in the online payments industry by demanding fast onboarding and regulatory compliance, it brings an array of new opportunities for new players in the payments environment. Increased competition most definitely increases efficiency and boosts customer trust. By introducing innovative approaches in regards to online payment security, it reduces payment card fraud, as well as opens doors for further improvement in the risk assessment department enabled by extensive data sharing. Even though PSD2 enforces strict rules and binds the participants to comply, it is done in an effort to assure more quality services that do not compromise on security.


Feature Overview: 3D Secure 2.1 vs. 2.2

Since the first 3D Secure protocol was launched in 2001 by VISA, the online payments ecosystem has changed substantially, both in terms of regulation and in the channels used for online payments, demanding a better user experience and a more flexible approach. The new versions of the protocol enable SCA in mobile apps, support biometric authentication, and allow exemptions, all in order to provide the stakeholders with a solution that brings benefits to all parties.

Importance of 3D Secure

Online payments have been around for quite a while. However, last year, marked by the Covid-19 pandemic, caused a big spike in the number of stakeholders who went online. For reference, the Office for National Statistics states that online sales in the UK accounted for 35.2% of all retail in January 2021.

A 2021 report from Retail Economics and NatWest reports that 46% of UK consumers bought goods and services online that they, prior to the pandemic, only ever purchased online. What makes this a new trend is the following fact: 32% of consumers state that they plan to continue with their new shopping habits in the future.


Such numbers pose new opportunities as well as threats. As more and more people turn online to purchase goods and services, those with ill intentions do not waste time. Security questions regarding online payments have popped up, and that is where 3D Secure steps in. In order to provide ultimate security in the online payments ecosystem, EMVCo's specification reflected on current and future market trends to support security, performance, and user experience.

Issuers are still on the fence when it comes to adopting new 3D Secure versions. But there is no doubt about the benefits they bring to the table. From security matters to user experience improvements, 3D Secure ties it all together. Key benefits the protocol provides are the following:

3DS v2.1 Overview

Since the previous 3D Secure v1.0, there have been a lot of changes in the online payments industry. One of those major changes was extending to mobile apps and securing mobile payments, impacting both security and user experience positively. Secondly, since mobile emerged as one of the alternative online payment channels, alternative authentication methods, which are becoming today's standard, were introduced. We're talking about supported biometric authentication, which provides a high level of security without compromising the user experience during the checkout process.

Furthermore, 3D Secure v2.1 collects ten times more data than the previous version, allowing issuers to conduct a more precise risk analysis, resulting in fewer step-ups and false declines. A new feature introduced in this version enables Merchant-Initiated Transactions, such as subscriptions. The first payment requires SCA, but the following identical payments do not. One of the essential upgrades revolves around the PSD2 SCA requirement, making 3D Secure v2.1 a fully compliant solution.

3DS v2.2 Overview

3D Secure v2.2 includes all features provided in the v2.1 upgrade, plus some extra benefits. Supported SCA exemption flags allow for a more flexible approach. This is thanks to enhanced risk analysis which resulted in low-value payment exemptions as well as merchant whitelisting. The cardholder is in control when it comes to choosing the authentication method they want to apply during checkout. It makes the solution more user-friendly and the authentication process straightforward. Moreover, decoupled authentication introduced in this version allows authenticating the transaction at a time different from when the transaction occurred, which comes in handy in scenarios such as recurring payments or split shipments. Another feature included in the v2.2 is delegated authentication, which means that issuers can enable third parties (merchants, acquirers, etc.) to conduct the authentication on their end. This method eliminates unnecessary friction and provides a better customer experience.

To sum up

A considerable leap happened between 3D Secure 1 and 3D Secure 2, influenced by the fast-moving global digitalization, demanding more security and less friction. New versions of the 3D Secure protocol successfully overcame all of the obstacles 3D Secure 1 encountered. They are compliant, flexible, secure, and user-friendly.


ASEE certified EMV® 3D Secure Server upgraded to EMV3DS v2.2

Asseco SEE successfully completed the EMVCo testing and received the EMVCo Letter of Approval for the TriDES2 3D Secure Server aligned with the EMV® 3D Secure v2.2 standard. The TriDES2 Secure Server enables merchants and acquiring banks to protect online payments from fraudsters at their web and mobile shops via interoperable 3D Secure authentication.

EMVCo continues the 3D Secure strategy set with EMV3DS v2.0 – having a strong focus on adopting current trends in e-commerce and online payment, fast and smooth transactions, minimal friction and disturbance for the Payee, great User Experience, and ultimate level of transaction security.

Check out most notable 3DS v2.1 and 3DS v2.2 improvements in our recent blog post.

3D Secure Server v2.2 improvements

In 3DS v2.2 there were additional protocol improvements in this direction. These improvements include the following:

VISA and MC have different 3DS 2.2 adoption roadmaps. As one of the main card schemes, VISA has defined a milestone for issuers and acquirers to adopt EMV3DS 2.2 by the end of Q1 this year (2021). Mastercard, however, has not set such a milestone, since MC has adopted some of the features from EMV3DS 2.2 through its MC 2.1+ extensions.

In addition, ASEE provided a comprehensive overview of the extended transition period. Learn more about the efficient management of the extended transition period in our recent blog post.


Holiday Season Fraud: Predicting (un)fortunate events for 2021

This year's holiday shopping season came early. Merchants are not wasting any time and are heavily promoting Black Friday deals and seasonal discounts. All in an effort to attract customers. Naturally, cardholders are rushing to get a good deal and making sure that all of their goodies arrive on time. This results in heightened online shopping activity across both desktop and mobile channels. What makes these jolly moments less enjoyable are fraudsters waiting around the corner to take advantage of the holiday season shopping frenzy.

2021 Holiday season stats to consider

A recent survey by PowerReviews reveals how and when consumers will approach holidays and what influences their purchasing decisions. Nearly 8000 customers provided insight into their shopping habits and intentions for this holiday season. We focused on stats relevant to the online shopping side of the story and filtered the most important findings.

Fraud related findings state the following:

  • Desktop online shopping orders are more likely to be a fraud attempt compared to mobile orders.
  • More than half of overall orders recorded on peak online shopping activity dates such as Black Friday and Cyber Monday are done through mobile.
  • Merchants state that over 10% of their chargebacks from the previous year are a result of ATO attacks.

Fraud expectations and prevention during holidays

These stats tell us that the shopping season started particularly early in 2021, as early as September. This gives the fraudsters more time to operate on busy grounds and take advantage of overlooked billing statements. Although the percentage of consumers who plan on shopping online this year (41%) is lower than the one in 2020 (64%), it still indicates a consistent growth of consumers turning to online shopping. Keep in mind, in 2020, Covid-19 restrictions prevented consumers from shopping in brick-and-mortar stores. It is expected that a portion of that 64% from 2020 will return back to their old habits and enjoy holiday shopping in-store.


Also, data referring to the importance of returns and refund policies indicates that the cardholders are more aware of how to protect their purchases. On the other hand, there is a number of bad guys who use these policies for their own gain and abuse the refund and chargeback system. Merchants need to prepare for increased numbers of chargeback disputes and develop efficient workflows on how to filter cases that are worth fighting for.

Predicting (un)fortunate events

The holiday shopping season is in full force, and so is the fraud that comes with it. We can't talk about exact stats yet, but some things are sure. Following is what financial institutions, merchants, and cardholders can expect in the upcoming days:

  1. The card-not-present channel is targeted by fraudsters more than ever before. That is due to heightened online shopping activity, which leaves them more ground to work on. Overlooked security issues within eCommerce will most certainly arise.
  2. As 3DS1 end of life is around the corner, 3D Secure 2.0 will be in full force. The new version of the protocol promises increased online payment security and liability shift in cases of online payment fraud.  
  3. Merchants are becoming skilled with fraud control. They are now aware that they can adjust the security levels according to their own preferences and needs. That being said, during peak transaction activity season, merchants are ready to compromise security in order to provide a better user experience to their existing, and more importantly, new customers.
  4. Our inboxes will be swamped with deals that you just can't say no to. eCommerce marketing teams will be working hard, but fraudsters will be working harder. If you receive an offer in your inbox that sounds too good to be true, it probably is. Think twice before clicking any links on such deals yourself and warn customers about bogus email deals.
  5. Typical for the holiday season is the increase in chargeback fraud - a malicious trend in the online payments environment. This type of fraud is particularly difficult to detect since the fraudster is the actual cardholder, who is abusing the chargeback system. It is also referred to as friendly fraud. A nail-biting statistic for merchants is that 86% of chargebacks are considered to be friendly fraud/chargeback fraud.

Holiday season fraud prevention best practices

Here are the tips on how to handle the holiday shopping season by mitigating risk and following best practices:

Fraud history review and systematic approach

Review historical data from previous years and find common patterns for fraudulent/damaging transactions. Document these findings, design workflows for approving/declining orders, point out key criteria for determining suspicious orders, and define the next steps after a transaction is flagged as suspicious. Ensure that your teams are up to date with mentioned processes by providing additional education regarding fraud prevention during the holiday season.

Chargeback process flow

An increased number of incoming chargeback disputes is inevitable. This is due to the higher volume of online shopping, which sometimes causes confusion when a cardholder takes a peek at their billing statement. Oftentimes they don't recognize transactions because of bad billing descriptors or because they shopped at the merchant for the first time. Set yourself up for success and take a look at our blog post Merchant Guide: How to win a chargeback dispute?

Review your returns policy

As mentioned, returns and refunds will be flowing in at a higher rate than usual. Adjust your return and refunds policy for the time being. Limit the return date for high-value items, set cutoff dates during the holiday season. While you're at it, take a closer look at your policy and search for potential loopholes that the fraudster might take advantage of.

Watch out for ATO attacks

Account takeover attacks also tend to appear at a higher velocity during the holidays. A swarm of new accounts makes it even more difficult to determine whether the legitimate owner of the account is making a purchase. To minimize risk, enable two-factor authentication for your users, watch out for spoofed versions of your website built to steal user login credentials, and put effort into detecting data breaches.

Shift liability

By implementing 3D Secure 2, merchants are shifting the liability for fraud to the issuing bank. That means that all losses caused by a proven fraudulent transaction will have to be covered by the cardholder's issuing bank.


Buy Now, Pay Later (BNPL) option opening new fraud opportunities

Digital transformation led to innovative financial solutions, one of them being the "Buy Now, Pay Later" option, commonly abbreviated as BNPL. It relieves consumers of financial pressure and acts as a layaway plan, enabling them to spread the amount over a predefined number of payment installments. Despite being favored by the general public and gaining more popularity over time, the average consumer is not the only one showing interest in BNPL options. Fraudsters got themselves another greenfield for their operations. Let's go through everything you need to know about BNPL, advantages and risks included.

How does BNPL work?

The general idea of a BNPL service is to allow consumers to split a purchase into a fixed number of payment installments. Buy now, pay later, quite literally. As a financial instrument that commonly does not charge interest (provided that payments meet the deadline), it is an attractive way of making both online and traditional point-of-sale purchases for many consumers. Some of the most popular BNPL services include Affirm, Afterpay, and Splitit.


It is a favored payment method in underdeveloped markets where consumers do not have access to a great variety of credit options. Another segment that is fond of BNPL is Millennials and Gen-Z. Using such a service, they avoid potentially high interest rates and are not required to pass credit checks to apply for a credit card.

Buy Now, Pay Later (BNPL) flow

By subscribing to a BNPL service, merchants enable their customers to split their purchase into equal payment installments over a predefined period of time. The payment option is triggered at the point of sale, regardless of whether the purchase is made in a physical store or online. In the case of an online store, after adding items to the cart, the customer is able to choose the BNPL option at checkout. They are then redirected to the BNPL service provider, where they authenticate themselves and select the desired number of payment installments.

Specific to BNPL payments is the liability issue. Since the BNPL service provider pays the full amount of the purchase to the merchant, and the customer makes periodic payments to the BNPL provider, liability lies with the service provider. In simpler terms, any form of chargeback won't concern the merchant. This is an additional reason for merchants to offer their customers the Buy Now, Pay Later option.

Stats to consider

As more people turned to online shopping caused by the ongoing Covid-19 pandemic, BNPL services bloomed and are continuing to grow. As demand grows, the market responds. Affirm now offers a virtual credit card enabling consumers to shop at thousands of online and point-of-sale merchants that have Affirm integrated into their checkout.

A study by The Ascent regarding BNPL services showcased insightful stats about consumer's Buy Now, Pay Later habits. Here are some interesting ones to consider:

Types of BNPL fraud

In order to process a BNPL payment, the user must create an account with a particular BNPL payment service provider. The account in question is vulnerable and exposed to various types of fraud already present.

Account Takeover Fraud

Since having an account is one of the main prerequisites for the consumer to process a BNPL payment, ATO fraud is a potential threat. Moreover, since the payment is delayed, the rightful owner might not notice strange activity on their account for up to several weeks.

New Account Abuse

It is fairly easy to set up a BNPL account; in some cases, one might need only a driver's license or current address as proof of identity. Generally, such information is easily accessed after data breaches or obtained through phishing. After setting up the account using fake information, the fraudster has access to the default line of credit offered to all new accounts.

Synthetic Fraud

Following the above-mentioned account abuse, another popular way for fraudsters to create an account is synthetic fraud. The bad guy literally invents a new persona and uses it to create legitimate-looking accounts for their own personal profit.

Friendly Fraud

Another way of making unauthorized BNPL payments is friendly fraud. A family member, e.g. a child, might gain access to the device and process a BNPL payment without the parent knowing about it.

Fraudulent Chargebacks

There are two main types of fraudulent chargebacks. The first one involves a rightful owner who detected an unauthorized purchase on their billing statement and demands chargeback. The second one stages an opportunistic owner who claims that they never made a particular transaction and demands funds to be returned to their account.

Signs of BNPL Fraud

Customer behavior is the main indicator when it comes to detecting suspicious activity. Pay attention to the following tell-tale signs of potential fraud.

Shipping Address

If the shipping address does not match the one in the account information, you might be shipping goods to a fraudster. Keep an eye on this one.

Unfamiliar Devices

Customers tend to stick to the same devices when online shopping. An unfamiliar device is a good sign to dig a little deeper and look out for other suspicious activity tied to the particular account.

Newbies

Be careful with new accounts. If a customer is making their first purchase, make sure that there are no other signs of suspected fraud.

Purchasing Behaviour

Looking back at the user's history record, does this particular purchase fit the profile? Are there any unusual shopping patterns that are not typical for that particular customer?

Transaction Velocity

If you notice that an account is making multiple purchases in a short period of time, it might be a fraudster on the other end who is trying to profit as much as possible before getting discovered.

When looking for threats and potential signs of fraud, make sure to think critically. Don't raise alarm bells if only one out of mentioned indicators is present. False positives can alienate customers from using your service.

How to fight BNPL fraud?

Validate information

Make sure that the information provided during account setup is valid. Simple checks like validating the entered email address, as well as the actual existence of the home address, go a long way. To validate info such as an email address or phone number, the standard practice is to send an OTP.

3D Secure

3D Secure technology is efficient when it comes to reducing chargeback fraud and detecting high-risk transactions. Chargeback liability shifts to the issuing bank, and BNPL service providers can better focus on other, less damaging types of fraud.

Rule-based risk assessment

Use historical data to lay the groundwork for determining chargeback fraud patterns. The crucial part of successful rules is using the right information in order to distinguish fraudulent transactions from legitimate ones. Use our list of signs of BNPL fraud as a starting point. Quality data for assembling rules would be transaction amount, transaction velocity, new/returning user, shipping match/mismatch, etc.
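The signs of BNPL fraud listed above (shipping mismatch, unfamiliar device, new account, atypical purchase, transaction velocity) encoded as rules over account history, alerting only when several indicators fire at once, as the text advises. This is an added example, not Trides2 or ASEE code; the account and order records, the thresholds and the "two indicators" alert level are constructed for the example.

```python
"""Rule-based BNPL fraud indicator scoring (constructed example, not Trides2 code).

One indicator alone never raises an alert (the page warns that false
positives alienate customers); ALERT_MIN_INDICATORS hits do.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Thresholds are assumptions for the example, not values from the page.
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_MAX_ORDERS = 3       # orders in the window, including this one
ATYPICAL_AMOUNT_FACTOR = 3    # order amount vs. average of past orders
ALERT_MIN_INDICATORS = 2


@dataclass
class Order:
    account_id: str
    amount: float
    shipping_address: str
    device_id: str
    timestamp: datetime


@dataclass
class Account:
    account_id: str
    billing_address: str
    known_devices: Set[str] = field(default_factory=set)
    past_orders: List[Order] = field(default_factory=list)


def indicators_for(order: Order, account: Account) -> List[str]:
    """Return the names of the fraud signs that apply to this order."""
    hits: List[str] = []
    if order.shipping_address != account.billing_address:
        hits.append("shipping_mismatch")
    # A brand-new account has no known devices, so only returning
    # customers can trigger the unfamiliar-device rule.
    if account.known_devices and order.device_id not in account.known_devices:
        hits.append("unfamiliar_device")
    if not account.past_orders:
        hits.append("new_account")
    else:
        avg = sum(o.amount for o in account.past_orders) / len(account.past_orders)
        if order.amount > ATYPICAL_AMOUNT_FACTOR * avg:
            hits.append("atypical_amount")
    recent = [o for o in account.past_orders
              if timedelta(0) <= order.timestamp - o.timestamp <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_MAX_ORDERS:
        hits.append("high_velocity")
    return hits


def assess(order: Order, account: Account) -> Dict[str, object]:
    hits = indicators_for(order, account)
    return {"indicators": hits, "alert": len(hits) >= ALERT_MIN_INDICATORS}


# Constructed sample data: a returning customer, a new account and a
# burst of orders from one account.
NOW = datetime(2021, 11, 26, 12, 0)


def sample_accounts() -> Dict[str, Account]:
    returning = Account("a1", "1 Main St", {"dev-A"}, [
        Order("a1", 40.0, "1 Main St", "dev-A", NOW - timedelta(days=30)),
        Order("a1", 60.0, "1 Main St", "dev-A", NOW - timedelta(days=10)),
    ])
    newbie = Account("a2", "5 New Ave")
    burst = Account("a3", "8 Burst Rd", {"dev-B"}, [
        Order("a3", 30.0, "8 Burst Rd", "dev-B", NOW - timedelta(minutes=m))
        for m in (5, 15, 30)
    ])
    return {"a1": returning, "a2": newbie, "a3": burst}


if __name__ == "__main__":
    accts = sample_accounts()
    print(assess(Order("a1", 400.0, "9 Other Rd", "dev-Z", NOW), accts["a1"]))
```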

Machine learning

Same as with rule-based risk assessment, the key to a quality machine learning model is the appropriate data. Types of data to consider include identity data, behavioral biometrics, and device data.


3D Secure 1 vs. 3D Secure 2 – How is it different?

At first glance, one might think that 3D Secure 2.0 is a simple upgrade of 3D Secure 1.0. However, nothing could be further from the truth. The two protocols are not even backward compatible. Outside of the main hub, everything is different. This includes the message flow, the message format, and, most importantly, the end-user look and feel.

Our research shows that within the MEA region the majority of transactions still run over the 3DS1 protocol, typically with SMS OTP authentication, which does not protect buyers to the same extent as the authentication methods supported by 3D Secure 2. We found that more than 60% of issuing banks have not yet migrated their cards to 3DS2.

Enhanced Data Analysis that Allows Banks to Understand Customers

The 3DS2 protocol collects roughly ten times more data during the message flow than 3DS1, circa 300 data elements, obtained mainly from the merchant's site and the buyer's device. The issuer uses this data to evaluate the risk of the transaction; depending on the result, either Strong Customer Authentication is required or a frictionless transaction takes place. This lets the financial institution, bank or card issuer get to know its customers and release them from additional authentication steps when the risk is low. Note that these elements are supplied by the merchant and the device, so the ACS should treat them as untrusted input and corroborate them with its own transaction history rather than rely on them blindly.

Frictionless Transactions Improve the Overall Checkout User Experience (UX)

Frictionless transactions are the second big advantage of 3DS2 over the original 3DS protocol. They align with the PSD2 requirement to exempt low-risk transactions from SCA.

As mentioned above, to evaluate the risk, the bank performs behavioural analysis on the transaction data it has acquired for the customer and identifies deviations from the customer's regular transactions and behaviour. A frictionless transaction can also take place for low-value payments (30 EUR or less), which are exempt from further evaluation, subject to the cumulative limits in the RTS (100 EUR in total, or five consecutive exempted payments, since the last application of SCA).

In-App Purchase Support without an HTTP Redirect

3DS2 supports integrating the 3D Secure flow directly into mobile in-app payment services through the 3DS SDK, avoiding HTTP redirects for authentication on mobile devices. HTTP redirection was one of the main reasons many card issuers and banks had for abandoning 3DS transactions on mobile devices.

Static Passwords vs. Strong Customer Authentication

Static passwords are weak as an authentication factor and not particularly user-friendly; we also tend to forget them, which adds further friction to the transaction process. Strong Customer Authentication (SCA) requires that two out of three independent elements, inherence, possession and knowledge, are part of the authentication process.

Inherence elements are something the payer is, typically captured on a mobile device: a fingerprint scan, face or voice recognition, or other biometric or behavioural data. Possession elements are something the buyer owns, such as a hardware token or a mobile phone carrying a mobile token that generates a One Time Password. Note that the payment card also counts as a possession element, but only if possession is proven dynamically, for example through a card reader, not by retyping data printed on the card itself. Finally, the knowledge element is something only the user knows, e.g. a PIN, a password or the answer to a security question.

3D Secure 2 Authentication Methods

3DS2 relies on Strong Customer Authentication (SCA) methods. The most widely accepted method is push with biometry, which combines a top-notch user experience with the highest level of security. The push method delivers the transaction data from the eCommerce website to the bank's authentication application on the buyer's mobile phone, where the buyer reviews and confirms it with a biometric. This provides the so-called dynamic linking required by PSD2: the authentication code is computed over the critical data (payee account and amount), so a man-in-the-middle cannot alter the payee or the amount without invalidating the code. Biometry ties the buyer ("something they are") to the device they use ("something they own").
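The dynamic-linking exchange just described, as an added example that is not code from the original article or from any 3DS vendor: the ACS pushes the critical data to the app, the app signs exactly those fields after a local biometric check, and the ACS verifies the returned code against the transaction it is about to approve. The per-device key, the HMAC construction and the transaction values are assumptions chosen for the demonstration; a production ACS would use a key provisioned at app enrolment and a scheme-specified signature format. The point shown is that a code bound to the amount and payee fails verification as soon as either is changed in transit.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-device key, standing in for one provisioned at app enrolment (assumption).
DEVICE_KEY = bytes.fromhex("0f" * 32)

def canonical(challenge):
    """Deterministic encoding of the fields the code must be bound to (RTS Art. 5 dynamic linking)."""
    fields = {k: challenge[k] for k in ("acs_trans_id", "amount", "currency", "payee")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def acs_create_challenge(amount, currency, payee):
    """ACS side: the push payload shown to the cardholder. acs_trans_id is a fresh nonce per transaction."""
    return {"acs_trans_id": secrets.token_hex(16),
            "amount": amount, "currency": currency, "payee": payee}

def app_sign(challenge, device_key, biometric_ok):
    """App side: only after the local biometric succeeds, sign the amount and payee the user saw."""
    if not biometric_ok:
        return None
    return hmac.new(device_key, canonical(challenge), hashlib.sha256).hexdigest()

def acs_verify(challenge, code, device_key):
    """ACS side: recompute the code over the transaction it holds and compare in constant time."""
    if code is None:
        return False
    expected = hmac.new(device_key, canonical(challenge), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)

def demo():
    """Genuine approval, then three failure modes: amount tampering, payee tampering, replay."""
    challenge = acs_create_challenge("49.90", "EUR", "Merchant GmbH")
    code = app_sign(challenge, DEVICE_KEY, biometric_ok=True)

    genuine = acs_verify(challenge, code, DEVICE_KEY)
    # A man-in-the-middle rewrites the amount after the cardholder approved 49.90.
    amount_tampered = acs_verify(dict(challenge, amount="4990.00"), code, DEVICE_KEY)
    # The payee account is swapped for the attacker's.
    payee_tampered = acs_verify(dict(challenge, payee="Mule Ltd"), code, DEVICE_KEY)
    # The same code is replayed against a new transaction with identical amount and payee.
    replayed = acs_verify(acs_create_challenge("49.90", "EUR", "Merchant GmbH"), code, DEVICE_KEY)
    # Biometric failed on the device: no code is produced, so nothing can be approved.
    no_biometric = acs_verify(challenge, app_sign(challenge, DEVICE_KEY, biometric_ok=False), DEVICE_KEY)

    return {"genuine": genuine, "amount_tampered": amount_tampered,
            "payee_tampered": payee_tampered, "replayed": replayed, "no_biometric": no_biometric}

if __name__ == "__main__":
    print(demo())
```

The nonce in `acs_trans_id` is what makes the replay case fail; without it, a captured code would remain valid for any later transaction with the same amount and payee.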

QR codes with biometry provide a user experience similar to push with biometry and work with either fingerprint or face recognition; face recognition, however, is not as widely accepted as the fingerprint method.

For buyers whose mobile devices lack a fingerprint reader, a PIN or password can be used for authentication, but to satisfy SCA it must be combined with a possession element such as an OTP.

One of the widespread older authentication methods is hardware or software tokens generating OTP transaction signatures. Nowadays, however, buyers demand a smooth, fast and frictionless user experience. This method requires manually entering the transaction data into the HW/SW token and retyping the calculated OTP into the webshop, which prolongs checkout time and invites errors during retyping. It should therefore only be used as a fallback when push, QR code or biometry cannot be completed due to technical restrictions.

3D Secure testing environments – a cure for 3DS product and service providers

Testing complex solutions built from several different software components has always been a challenge. It demands a deep understanding of the solution, its business and process flows, as well as the appropriate testing solutions.

3D Secure solution

3D Secure is an example of such a solution. The overall 3D Secure environment consists of at least four components (ACS, Directory Server, 3DS Server, Payment Gateway), and up to seven if the Authentication and Risk Scoring services are separate from the ACS. Once a core banking system is integrated with the ACS, the complexity becomes considerable, and things get messier still when in-app purchases and the mobile SDK enter the conversation.

Luckily, 3D Secure software components must be tested and approved by the 3DS protocol owner, EMVCo, and also by the card schemes when deployed on the issuer and acquirer side. Still, even after certification, implementation and integration testing, issues commonly surface.

From our experience, one of the main challenges in successfully testing a 3DS solution is covering all possible scenarios to confirm its functionality. With each new feature, the configuration must stay in line with various protocols and regulations, not to mention client-specific change requests that open further room for error. Additional issues arise from the flexibility allowed in message and data formats. Below we describe two problematic scenarios you may face, both of which caused issues in production.

The missing element in 3DS message

Transactions rejected after the solution has gone live can be traced to a missing element in a message. In one such case, an element was missing from the challenge response sent by a specific bank's authentication service; the message was generated by a proprietary authentication interface module adapted to that issuing bank.

Such a test case is part of EMVCo's certification regression testing for the ACS upgrade to 3DS v2.2, and the ACS passed the EMVCo certification. However, each bank can configure the text its module returns. During EMVCo certification a dummy authentication module is used, which sends sufficient data to pass the test, whereas the bank used its own customised authentication module containing text it had defined itself. This variant was not tested with mobile devices as part of internal regression testing on the test environment. The result: the issue went unnoticed during testing and was spotted only in production.

Unexpected value(s) of the message parameter(s)

Another cause of transaction rejection by the issuing or acquiring domain (ACS or 3DS Server) is incorrect or unexpected values in the message flow.

The 3D Secure environment and its stakeholders are still aligning. Card schemes issue 3DS announcements and updates regularly, and newly introduced values that are not updated correctly, or not supported at all, on one domain can cause unexpected behaviour on the other. This is especially common for flows that do not pass through the card scheme's Directory Server, such as the challenge flow, where the challenge request and response are exchanged directly between the 3DS client and the ACS.

To ensure a robust solution for any of the domains (ACS, 3DS Server), the testing process should include behavioural analysis of such unregulated boundary scenarios as soon as the card scheme announces new fields.

Even correctly adopting newly introduced values can cause issues for non-robust 3DS solutions, because other parties may introduce them before you do.
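Both production scenarios above (a missing element in a CRes, and a value one side does not know yet) are the kind of defect a message validator run in the regression suite, against the bank's real customised module rather than the certification dummy, would catch before go-live. The example below is added here and is not code from the original article or from EMVCo; the schema is a deliberately reduced subset of the 3DS 2.x CRes fields chosen to illustrate the technique (consult the EMV 3DS specification for the full, authoritative schema), and the transaction identifiers in the sample messages are constructed. The version-dependent `transStatus` set shows how a 3DS 2.1 peer rejects values that only 3DS 2.2 introduced.

```python
# Reduced CRes schema for illustration only (assumption); the full element list lives in the EMV 3DS spec.
BASE_TRANS_STATUS = {"Y", "N", "U", "A", "C", "R"}
TRANS_STATUS_BY_VERSION = {
    "2.1.0": BASE_TRANS_STATUS,
    "2.2.0": BASE_TRANS_STATUS | {"D", "I"},   # decoupled / informational, introduced with 3DS 2.2
}

SCHEMA = {
    "CRes": {
        "required": ["messageType", "messageVersion", "threeDSServerTransID",
                     "acsTransID", "challengeCompletionInd"],
        # transStatus is required once the challenge is complete (simplified conditional rule).
        "conditional": lambda m: ["transStatus"] if m.get("challengeCompletionInd") == "Y" else [],
        "enums": {"challengeCompletionInd": {"Y", "N"}},
    },
}

def validate(msg):
    """Return a list of human-readable problems; an empty list means the message passed."""
    errors = []
    schema = SCHEMA.get(msg.get("messageType"))
    if schema is None:
        return [f"unknown messageType: {msg.get('messageType')!r}"]

    version = msg.get("messageVersion")
    if version not in TRANS_STATUS_BY_VERSION:
        errors.append(f"unsupported messageVersion: {version!r}")

    # Scenario 1: a required element is absent or empty (the bank's custom module dropped it).
    for field in list(schema["required"]) + schema["conditional"](msg):
        if msg.get(field) in ("", None):
            errors.append(f"missing required element: {field}")

    # Scenario 2: a value this domain does not accept for the negotiated protocol version.
    for field, allowed in schema["enums"].items():
        if field in msg and msg[field] not in allowed:
            errors.append(f"unexpected value for {field}: {msg[field]!r}")
    if version in TRANS_STATUS_BY_VERSION and "transStatus" in msg:
        if msg["transStatus"] not in TRANS_STATUS_BY_VERSION[version]:
            errors.append(f"unexpected value for transStatus: {msg['transStatus']!r} "
                          f"(messageVersion {version})")
    return errors

# Constructed sample messages; the UUIDs are made up.
GOOD_CRES = {
    "messageType": "CRes",
    "messageVersion": "2.2.0",
    "threeDSServerTransID": "8a880dc0-d2d2-4067-bcb1-b08d1690b26e",
    "acsTransID": "d7c1ee99-9478-44a6-b1f2-391e29c6b340",
    "challengeCompletionInd": "Y",
    "transStatus": "Y",
}
MISSING_ELEMENT = {k: v for k, v in GOOD_CRES.items() if k != "acsTransID"}
NEW_VALUE_OLD_PEER = dict(GOOD_CRES, messageVersion="2.1.0", transStatus="D")

def run_sample():
    """Validate the three constructed messages and return their error lists."""
    return {"good": validate(GOOD_CRES),
            "missing": validate(MISSING_ELEMENT),
            "new_value": validate(NEW_VALUE_OLD_PEER)}

if __name__ == "__main__":
    for name, errs in run_sample().items():
        print(name, errs or "OK")
```

Wire this into the end-to-end profile so every CRes produced by each bank-specific module is validated against the message version actually negotiated in the AReq/ARes for that test, not against the highest version your ACS supports.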

Targeted 3D Secure testing environments

3D Secure service providers continuously work with testing environments to test software updates, interoperability, new business processes, user experience flows, etc. In each case one or more components change, either in configuration or through a software upgrade, and the change affects the overall process and the environment.

The best approach is to test each 3DS component independently first; end-to-end testing must then be done before migrating the upgrade to production.

End-to-end testing poses a particular challenge, since use cases and test cases grow rapidly with new and proprietary business processes. Such test cases should be defined in detail and configured in test tools, which themselves need upgrades to support certain test cases.

Banks and 3D Secure service providers usually use commercially available test tools for testing separate 3DS components. For end-to-end testing, however, they typically develop their own solutions and test environments. Having separate testing solutions in play requires additional (re)configuration when moving from single-application testing to environment testing, which demands extra effort and opens new chances for error.

3D Secure testing wrap up

For 3D Secure, this means that the test solution must be able to simulate the other components besides the device under test. When the ACS is tested, for example, the test tool simulates the 3DS Server, the Directory Server and sometimes even the Payment Gateway. For end-to-end testing the simulators are replaced by configuring the other real 3DS components: URLs, the necessary keys and other parameters. All of these parameters are stored in so-called testing profiles for fast switching between testing modes.

In conclusion, a test solution should be easy to apply to single 3DS components and easy to configure for environment, end-to-end and UX testing. Such a solution reduces the cost of regular 3DS maintenance and upgrades and minimises the possibility of errors.

How to deliver smooth UX through SCA exemptions

By introducing SCA exemptions, PSD2 not only relieved issuers and merchants of the fear of soaring cart abandonment rates; it also enabled customers to enjoy a user experience that is truly frictionless and straightforward. Let's see how to achieve the ultimate user experience while making sure your online transactions are secure.

PSD2 introducing SCA exemptions

The SCA exemptions defined in the PSD2 Regulatory Technical Standards are supported by message fields introduced in the 3D Secure v2.2 upgrade. Exemptions enable cardholders to complete particular types of online transactions without an additional authentication step. The initial introduction of the Strong Customer Authentication (SCA) requirement turned heads: merchants and issuers feared that requiring the cardholder to authenticate with two out of three security elements (knowledge, possession, inherence) would add friction and cause a spike in cart abandonment rates. PSD2 addressed this by defining particular types of online payments that do not require SCA, i.e. SCA exemptions.

SCA exemptions

  1. Low-risk transactions (transaction risk analysis) – data sharing in the payments industry enables transaction evaluation (low, medium or high risk). If a transaction scores as low risk, it does not require additional authentication. Note that this exemption is only available up to an amount threshold (100, 250 or 500 EUR) that depends on the payment service provider's reference fraud rate.
  2. Low-value payment (LVP) – online transactions of 30 EUR or less are low-value payments and do not require SCA, as long as the cumulative amount since the last SCA does not exceed 100 EUR or no more than five consecutive payments have been exempted since then; once a counter is exhausted, SCA is required and the counters reset.
  3. Trusted Merchant Listing – another convenient feature available in our 3D Secure v2.2 upgrade, which lets the cardholder add a merchant to their list of trusted beneficiaries held by the issuer. Only the payment made while enrolling the merchant requires SCA; every future payment to that merchant is frictionless.
  4. Corporate payments – payments made with a card belonging to a legal entity rather than an individual through dedicated corporate payment processes or protocols (often a card shared between colleagues) do not need an additional authentication step, provided the competent authority is satisfied that the process achieves an equivalent level of security.
  5. Recurring payments – series of payments with a fixed amount to the same payee (e.g. loans, subscriptions) only require SCA when the series is set up. Every subsequent transaction is frictionless unless the amount changes; each such change must be authenticated with SCA.

User Experience vs. User Expectations

In 2020 nearly a quarter of the world's population shopped online: 2.05 billion consumers purchased at least one item online and contributed to overall eCommerce growth. To put that into perspective, roughly every fourth person you see passing by bought at least one item online in 2020. Cardholders are active participants in the eCommerce ecosystem, and they have high standards for their online shopping experience.

The main motivator behind this shift in customer behaviour is convenience. Purchasing online offers a broad selection and alternatives, backed by easy access to information about the product or service. But what happens when there is a hiccup during checkout? It is naive to assume that the cardholder goes through a lengthy trial-and-repeat process; they simply move on to the next best thing. The result is a missed sale, soaring cart abandonment rates and customer loyalty at stake.

Concerning numbers

Baymard research lists a too long or complicated checkout process among the top five reasons why customers abandon a purchase and take their business elsewhere. 18% of the 4,329 survey participants gave an issue during checkout as their reason for abandoning a purchase. That is nearly 780 missed sales, 780 customers lost at the last stage of the buyer's journey.

Until recently, eCommerce merchants had little or no influence on what the checkout experience looked like from the cardholder's perspective; they had to rely on the UX designed by the cardholder's issuing bank, which often involved numerous pop-up screens and redirects. Although friction generally means more security, it also raises alarm bells in customers' heads, or simply annoys them.

By implementing the latest 3D Secure technology, including features such as Strong Customer Authentication (SCA) exemptions, cardholders enjoy a smooth, straightforward checkout experience with only the necessary amount of friction, if any.

Leveraging SCA exemptions

SCA exemptions are online transactions that do not demand an additional authentication step because they meet predefined criteria. Aware of cardholders' low tolerance for friction, PSD2 introduced them to relieve merchants and issuers from having to demand SCA for each and every online transaction. With such exemptions in place, end users encounter a checkout experience that is genuinely frictionless.

To apply the above exemptions, data-driven evaluation is necessary. Each exemption type demands its own assessment, and therefore particular data is needed to check whether a transaction meets the exemption criteria. This demands careful setup of the parameters, regardless of whether the risk scoring engine is rule-based or relies on machine learning.

The enhanced data collection of the 3D Secure 2 protocol allows the issuer to conduct a more precise risk analysis. Fraud monitoring is necessary on both exempted and SCA-required transactions, and in the case of merchant whitelisting, risk scoring must cover both the transaction and the merchant. Real-time fraud monitoring raises the level of security without delaying the execution of the transaction: when the criteria for an exemption are met, the cardholder places the order instantly; if the transaction is flagged, an authentication flow is applied instead to prevent possible fraud.
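The issuer-side evaluation described in this section and in the exemption list above, as an added example that is not code from the original article or from any issuer: one function decides, per transaction, which exemption (if any) applies, keeps the low-value-payment counters that the RTS requires, and lets real-time fraud monitoring override every exemption. The fraud-rate threshold table and the 30/100/5 limits are the RTS values; the risk-score cut-offs, the card state and the transaction sequence are constructed assumptions. The RTS lets an issuer satisfy the LVP condition with either the cumulative-amount or the consecutive-count counter; this example applies both conservatively. The corporate payment exemption is not modelled, as it depends on the payment process being used rather than on per-transaction data.

```python
from dataclasses import dataclass, field

@dataclass
class Tx:
    amount: float          # EUR
    merchant: str
    recurring: bool = False

@dataclass
class CardState:
    """Issuer-side state for one card (constructed for the example)."""
    trusted_merchants: set = field(default_factory=set)
    recurring: dict = field(default_factory=dict)   # merchant -> fixed amount set up with SCA
    lvp_count_since_sca: int = 0
    lvp_amount_since_sca: float = 0.0

# RTS limits for the low-value exemption.
LVP_MAX = 30.0
LVP_CUMULATIVE_MAX = 100.0
LVP_MAX_CONSECUTIVE = 5
# Transaction risk analysis: (reference fraud rate, maximum exempted amount) per the RTS annex.
TRA_THRESHOLDS = [(0.0001, 500.0), (0.0006, 250.0), (0.0013, 100.0)]
# Risk score cut-offs are assumptions; calibrate them on your own data.
HIGH_RISK = 0.8
LOW_RISK = 0.3

def tra_limit(fraud_rate):
    """Highest amount the issuer may exempt under TRA at its current reference fraud rate."""
    for max_rate, amount in TRA_THRESHOLDS:
        if fraud_rate <= max_rate:
            return amount
    return 0.0            # fraud rate too high: TRA exemption unavailable

def _sca(state, why):
    """Applying SCA resets the LVP counters."""
    state.lvp_count_since_sca = 0
    state.lvp_amount_since_sca = 0.0
    return "challenge", why

def evaluate(tx, state, issuer_fraud_rate, risk_score):
    """Return (exemption name or 'challenge', reason) and update the card state."""
    # Fraud monitoring runs on every transaction and overrides any exemption.
    if risk_score >= HIGH_RISK:
        return _sca(state, "flagged by real-time fraud monitoring")
    if tx.recurring:
        if state.recurring.get(tx.merchant) == tx.amount:
            return "recurring", "fixed-amount series already authenticated"
        return _sca(state, "recurring amount changed: series must be re-authenticated")
    if tx.merchant in state.trusted_merchants:
        return "trusted_beneficiary", "merchant on the cardholder's trust list"
    if tx.amount <= LVP_MAX:
        if (state.lvp_count_since_sca + 1 <= LVP_MAX_CONSECUTIVE
                and state.lvp_amount_since_sca + tx.amount <= LVP_CUMULATIVE_MAX):
            state.lvp_count_since_sca += 1
            state.lvp_amount_since_sca += tx.amount
            return "low_value", "30 EUR or less, within cumulative limits"
        return _sca(state, "low-value counters exhausted")
    limit = tra_limit(issuer_fraud_rate)
    if risk_score <= LOW_RISK and tx.amount <= limit:
        return "tra", f"low risk and amount within {limit:.0f} EUR threshold"
    return _sca(state, "no exemption applies")

def run_sample():
    """Constructed sequence for one card; the issuer's fraud rate of 0.05% gives a 250 EUR TRA limit."""
    state = CardState(trusted_merchants={"Grocer"}, recurring={"Stream Co": 9.99})
    script = [(Tx(25.0, "Kiosk"), 0.1)] * 5 + [       # fifth payment breaks the 100 EUR cumulative limit
        (Tx(200.0, "Shop"), 0.2),                     # low risk, under the TRA threshold
        (Tx(400.0, "Shop"), 0.2),                     # low risk but above the TRA threshold
        (Tx(80.0, "Grocer"), 0.2),                    # trusted beneficiary
        (Tx(15.0, "Grocer"), 0.9),                    # would be LVP/trusted, but flagged as high risk
        (Tx(9.99, "Stream Co", recurring=True), 0.1), # recurring, unchanged amount
        (Tx(12.99, "Stream Co", recurring=True), 0.1) # recurring, amount changed
    ]
    return [evaluate(tx, state, issuer_fraud_rate=0.0005, risk_score=r) for tx, r in script]

if __name__ == "__main__":
    for decision, reason in run_sample():
        print(f"{decision:20s} {reason}")
```

Keeping the counters in issuer state rather than in the merchant's request is the important design choice: the merchant can only request an exemption, while the issuer remains liable for deciding it, so the data that decides must be the issuer's own.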

Conclusion

Although PSD2 puts pressure on merchants and issuers to apply 2FA in the form of Strong Customer Authentication, SCA exemptions are a convenient way of avoiding additional authentication where the risk does not warrant it. If the parameters are set up correctly, honest cardholders will enjoy a fully frictionless experience. By implementing 3D Secure 2 technology, issuers and merchants give their customers flexible and straightforward online payment authentication.
