To further increase the security of 3D Secure payments, Risk Based Authentication (RBA) comes into play. Consider the following: a fraudster with your credit card information wants to process a payment, but the system recognizes that something is odd, and the transaction is automatically terminated or additional authentication is required. How so? Let's explore RBA and find out which benefits it brings.
What is Risk Based Authentication (RBA)?
Risk Based Authentication is a dynamic, parameter-driven system that determines the risk level of an individual transaction and assigns an appropriate customer authentication method accordingly. By applying such an approach, RBA helps prevent various types of attack that occur during the processing of online payments.
To score a transaction, data about typical user behavior is necessary. RBA collects and analyzes parameters such as:
- Device: checks if the customer is using a known device to process a payment
- Location: checks the user's geolocation/time zone
- Network: checks if the IP address is familiar
- Transaction amount: checks for deviations from the customer's transaction amount history
- Number of transactions: checks for deviations from the customer's usual number of transactions
- Delivery address: checks if the delivery address is familiar based on previous transactions
Depending on those parameters, a transaction is either low, medium, or high risk.
For a low-risk transaction, the customer is able to process the payment without any further authentication.
For a medium-risk transaction (e.g., unknown device), the customer must provide additional information in order to process the payment.
For a high-risk transaction (e.g., unusually high transaction amount, unfamiliar location), the user is automatically denied and cannot process the payment.
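The following is an added example, not code from the original article or from the Trides2 product, showing how the six parameters listed above can be turned into a low/medium/high decision. The point weights, the tier thresholds, and the "3x the historical mean" and "2x the usual daily count" deviation rules are assumptions chosen for illustration; the customer profile and the three transactions are constructed sample data.

```python
from dataclasses import dataclass

# Risk tiers and the action each one triggers, as the article describes them.
LOW, MEDIUM, HIGH = "low", "medium", "high"
ACTIONS = {LOW: "frictionless", MEDIUM: "step-up", HIGH: "deny"}

# Assumed point weights per signal and assumed tier thresholds; a real issuer tunes these.
WEIGHTS = {"device": 2, "location": 3, "network": 1, "amount": 3, "velocity": 2, "address": 1}
MEDIUM_THRESHOLD = 2     # 2..4 points -> medium risk, step-up authentication
HIGH_THRESHOLD = 5       # 5+ points  -> high risk, payment declined
AMOUNT_MULTIPLIER = 3    # assumed: more than 3x the historical mean is "unusually high"
VELOCITY_MULTIPLIER = 2  # assumed: more than 2x the usual daily count is a deviation

@dataclass
class CustomerProfile:
    """What the issuer knows about the cardholder's usual behaviour."""
    known_devices: set[str]
    known_countries: set[str]
    known_ips: set[str]
    known_delivery_addresses: set[str]
    past_amounts: list[float]    # EUR
    usual_tx_per_day: float

@dataclass
class Transaction:
    device_id: str
    country: str
    ip: str
    delivery_address: str
    amount: float
    tx_already_today: int        # transactions seen on this card today, before this one

def score(tx: Transaction, profile: CustomerProfile) -> tuple[int, list[str]]:
    """Compare the transaction with the profile on the six parameters; return (points, signals)."""
    signals = []
    if tx.device_id not in profile.known_devices:
        signals.append("device")
    if tx.country not in profile.known_countries:
        signals.append("location")
    if tx.ip not in profile.known_ips:
        signals.append("network")
    mean = sum(profile.past_amounts) / len(profile.past_amounts) if profile.past_amounts else 0.0
    if mean and tx.amount > AMOUNT_MULTIPLIER * mean:
        signals.append("amount")
    if tx.tx_already_today + 1 > VELOCITY_MULTIPLIER * profile.usual_tx_per_day:
        signals.append("velocity")
    if tx.delivery_address not in profile.known_delivery_addresses:
        signals.append("address")
    return sum(WEIGHTS[s] for s in signals), signals

def classify(points: int) -> str:
    """Map a point total onto the article's three tiers."""
    if points >= HIGH_THRESHOLD:
        return HIGH
    if points >= MEDIUM_THRESHOLD:
        return MEDIUM
    return LOW

def assess(tx: Transaction, profile: CustomerProfile) -> dict:
    """Full decision: tier, action, and the signals that drove it (worth keeping in audit logs)."""
    points, signals = score(tx, profile)
    tier = classify(points)
    return {"tier": tier, "action": ACTIONS[tier], "points": points, "signals": signals}

# Constructed sample profile for one cardholder.
SAMPLE_PROFILE = CustomerProfile(
    known_devices={"dev-A"},
    known_countries={"NL"},
    known_ips={"203.0.113.10"},
    known_delivery_addresses={"home"},
    past_amounts=[20.0, 35.0, 50.0],   # mean 35 EUR
    usual_tx_per_day=1.0,
)

def sample_cases() -> dict:
    """Three constructed transactions, one for each tier in the article."""
    usual = Transaction("dev-A", "NL", "203.0.113.10", "home", 40.0, 0)
    new_device = Transaction("dev-B", "NL", "203.0.113.10", "home", 40.0, 0)
    suspicious = Transaction("dev-A", "BR", "203.0.113.10", "home", 600.0, 0)
    return {name: assess(tx, SAMPLE_PROFILE) for name, tx in
            [("usual", usual), ("new_device", new_device), ("suspicious", suspicious)]}

if __name__ == "__main__":
    for name, result in sample_cases().items():
        print(f"{name:11s} -> {result['tier']:6s} {result['action']:12s} signals={result['signals']}")
```

Returning the triggered signals alongside the tier matters in practice: it lets the issuer explain a step-up or a decline to the cardholder support team and lets analysts tune the weights against observed fraud, which a bare tier label would not allow.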
Benefits of implementing RBA
Risk Based Authentication does more than help prevent unauthorized transactions. It significantly improves the customer experience by eliminating user friction; i.e., RBA provides a smooth experience for legitimate customers while making things difficult for fraudsters.
From the user-experience point of view, the goal is to determine the level of risk for each individual transaction so that unnecessary authentication steps can be avoided for low-risk transactions. By doing so, user friction is removed from the equation, making the processing of a transaction both secure and pleasant for the customer.
With a better customer experience comes customer loyalty. Studies have shown that banks that implemented RBA as part of their digital transformation enabled quality engagement with their customers, making them less likely to switch.
RBA is responsible for cutting fraud-related losses. By implementing Risk-Based Authentication, banks are able to detect and prevent fraudulent activities, resulting in a decrease of chargeback costs.
RBA as a stepping stone for SCA exemptions
Strong Customer Authentication, required by the PSD2 directive, means verifying the customer with two out of three categories of authentication element: something you know (e.g., PIN, password), something you have (e.g., smartphone, hardware token), and something you are (e.g., fingerprint, face recognition).
Thanks to RBA, not all 3D Secure payments demand SCA. SCA exemptions are based on Risk-Based Analysis, enabling less friction without compromising on security. In other words, RBA allows the customer to avoid an authentication step while keeping the transaction secure.
SCA exempted scenarios relying on RBA are the following:
Low-value payment – Transactions below 30 euros are low value and do not require an additional authentication step. However, if a customer initiates more than five such transactions, or the cumulative value of those transactions exceeds 100 euros, SCA will be applied.
Merchant whitelist / Trusted beneficiary – A cardholder can flag individual online merchants as "trusted" with their issuing bank in order to avoid SCA during the checkout process.
Transaction Risk Analysis exemption – The most sophisticated exemption, involving several different factors that need to be taken into account, e.g., the overall fraud rate for that particular type of transaction.
Secure Corporate Payment exemption – A transaction initiated by a legal person rather than a consumer, which does not require an additional authentication step.
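As an added example (not code from the article or from Trides2), the low-value exemption above can be modelled as a small per-card counter that the issuer keeps between SCA challenges. The 30 euro, five-transaction and 100 euro figures are the ones stated in the article; the representation of the counters, and the assumption that applying SCA resets them, are mine.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT_EUR = 30.0     # per-transaction ceiling stated in the article ("below 30 euros")
MAX_CONSECUTIVE = 5            # more than five such transactions -> SCA
CUMULATIVE_LIMIT_EUR = 100.0   # cumulative value above 100 euros -> SCA

@dataclass
class CardCounters:
    """Per-card state the issuer keeps since the last SCA (assumed representation)."""
    consecutive_low_value: int = 0
    cumulative_eur: float = 0.0

def reset_after_sca(counters: CardCounters) -> None:
    """Assumed: a successful SCA challenge starts a fresh window for the exemption."""
    counters.consecutive_low_value = 0
    counters.cumulative_eur = 0.0

def low_value_exempt(amount: float, counters: CardCounters) -> bool:
    """Return True if this transaction may skip SCA under the low-value exemption.

    The check is done before the counters are updated, so the transaction that would
    become the sixth one, or push the total above 100 euros, is the one that gets SCA.
    """
    if amount >= LOW_VALUE_LIMIT_EUR:
        return False
    if counters.consecutive_low_value + 1 > MAX_CONSECUTIVE:
        return False
    if counters.cumulative_eur + amount > CUMULATIVE_LIMIT_EUR:
        return False
    counters.consecutive_low_value += 1
    counters.cumulative_eur += amount
    return True

def process(amount: float, counters: CardCounters) -> str:
    """Return 'exempt' or 'sca' for one transaction; an SCA challenge resets the window."""
    if low_value_exempt(amount, counters):
        return "exempt"
    reset_after_sca(counters)  # assumed: the challenge succeeds and the payment proceeds
    return "sca"

def simulate(amounts: list[float]) -> list[str]:
    """Run a sequence of transaction amounts (EUR) on one fresh card and return each decision."""
    counters = CardCounters()
    return [process(a, counters) for a in amounts]

if __name__ == "__main__":
    # Constructed sequences: seven 10 EUR payments hit the count limit on the sixth;
    # five 25 EUR payments hit the cumulative limit on the fifth.
    print(simulate([10.0] * 7))
    print(simulate([25.0] * 5))
    print(simulate([30.0, 29.99]))
```

The order of the checks is the part worth getting right: the amount ceiling is tested first because it applies regardless of history, and both counters are tested against the value they would have after this transaction, so the exemption is never granted to the payment that crosses a limit.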
eCommerce Apps Guide: Striking a Balance Between Security and User Experience
As a dedicated guide for eCommerce app owners and merchants, this eBook covers m-commerce security best practices and provides a turnkey solution for in-app payment security.
To find out more about the Trides2 portfolio, contact us or visit our blog section.