Effective fraud prevention requires protection at multiple layers

The revised Payments Service Directive (PSD2) is set to revolutionize the European payments industry by opening up access to third party payment providers and to ensure that all payment services offered electronically are carried out in a secure manner, to guarantee the safe authentication of the user and to reduce the risk of fraud to the maximum extent possible.

Some of the requirements of strong customer authentication (SCA), such as the call for tighter authentication for all transactions over EUR 10, have raised concern among many in the payments industry.  

What is your take on Chapter 1 of the Regulatory Standard Techniques (RTS) draft proposing that an authentication code must be generated “each time that the payer … initiates an electronic transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses”?

RSA agrees in general with the EBA’s reasoning around the requirements of strong customer authentication, particularly the mechanisms that should be included. Configurable policies, malware detection, transaction history, device identification and payer and device risk profiles complement unique authentication codes and RSA strongly supports their use to help identify high-risk payments. However, we do not agree with the approach that this type of authentication be prompted each time a user initiates an electronic transaction over a fixed transaction value, as it disregards industry-wide acceptance of risk-based authentication which a majority of consumers have become familiar with. RSA is a strong proponent of SCA technologies such as mobile OTP, biometrics and transaction signing that can provide a payer with transaction details, but applying it to every transaction will only create more friction for users.

What kind of approach would RSA recommend and how would this approach reduce fraud to the maximum extent possible?

RSA has been advocating risk-based authentication for over a decade. The overall flexibility of risk-based authentication is part of what makes it so appealing to many organizations within the financial industry. This approach allows organizations to set their own custom policies that align with the business and end user needs, and the risk policy can be adjusted on the fly in case of extenuating events. For example, an outbreak of phishing or malware attacks targeting users in a specific region might call for a temporary modification of policy. This is critical to help organizations quickly address emerging fraud threats.

Even more important than the benefits to the organization is the greater benefit to the end user – transparency. Today, organizations using RSA’s risk-based authentication are seeing average fraud detection rates around 92 – 93%, and those rates are being achieved by challenging less than 5% of users. Fraud could be reduced a little bit more if every transaction was challenged. But then user adoption would never take off, innovation would be restricted, and it would defeat the entire purpose of moving services to digital channels.

The EBA draft regulatory technical standards recommended the obligation for payment services providers to apply strong customer authentication for all electronic payments over EUR 10. The industry has not been very receptive to this proposal as evidenced by the record response received by the EBA. Is this response surprising to you?

The overwhelming response from the industry is no surprise at all. The proposed “challenge all” approach would force the industry to take a step back. For years, organizations have been moving towards creating a frictionless online environment for customers. Requiring authentication to be applied to every payment over EUR 10 would have a detrimental effect and lead to a major increase in abandoned transactions.

The EBA only needs to look to 3D Secure as an example as to why this approach is not a good idea. The original password-based 3D Secure protocol added too much friction into the transaction and consequently suffered from a lack of user adoption. This, plus the prevalence of new payment methods like mobile and eWallets, has forced the industry to call for an updated 3D Secure protocol. Led by EMVCo, industry leaders and security vendors came together to develop a new protocol which eliminates the “challenge all” approach via static passwords and recommends a risk-based approach for card-not-present transactions.

As we await the final PSD2 guidance to be published, do you have any final thoughts?

Fraudsters are not going to stop. Aside from the negative impacts to the customer experience, the current proposal will only cause cybercriminals to adapt their strategies. Effective fraud prevention requires protection at multiple layers. We must look at the bigger picture, and not just the transaction in isolation. Don’t penalise the banks, PSPs, issuers, the merchants, the card schemes, the acquirers – and most importantly, customers – by introducing unnecessary friction that will do very little to improve the fraud detection rate.

About Nathan Close

Nathan Close is a senior advisor and head of pre-sales engineering for RSA’s Fraud & Risk Intelligence solutions in EMEA where he works closely with organizations to define fraud prevention strategies across consumer digital channels. With over 15 years of experience in the IT security industry, Nathan is a seasoned expert with extensive experience in fraud and risk management, security solution architecture, security assessments and security solution engineering. Nathan is a frequent speaker at industry and media events on cybercrime and other fraud-related topics.

About RSA

RSA helps more than 30,000 customers around the world take command of their security posture by partnering to build and implement business-driven security strategies. With RSAs award-winning cybersecurity solutions, organizations can effectively detect and respond to advanced attacks; manage user identities and access; and reduce business risk, fraud and cybercrime.