Is two-factor authentication effective in preventing payment-related fraud?
By Puja Sharma
Strong Customer Authentication (SCA) is a requirement of the second Payment Services Directive (PSD2) in the UK and the EU. Aimed at securing online payments, it verifies consumers’ identities with two-factor authentication. However, while fraud prevention blocks some avenues of fraud and abuse, those aiming to do your business harm will aim to find another.
Payment SCA will change fraud pressure for businesses. Here are the factors that online merchants must consider in the new world of SCA, and how to address modern eCommerce fraud.
Out-of-scope transactions
SCA doesn’t cover all online payments. Some payments are considered out of the scope of SCA regulation. This means that any payments that qualify as an out-of-scope transaction will not trigger a two-factor authentication check. These out-of-scope transactions include:
- Mail order or telephone order (MOTO) payments
- Merchant-initiated transactions, such as direct debits
- One-leg-out (OLO) transactions
- Recurring transactions of a consistent amount, once the first transaction has been authenticated
Merchants can expect to see fraudsters shift their efforts to these channels as they attempt to cause harm to businesses beyond SCA enforcement. The psychology of the situation is simple: when you make it difficult to commit fraud through one payment channel, fraudsters will find another. Which other channels will they use? Those that are not protected by SCA, of course.
OLO transactions are a classic example. They occur when either the merchant’s acquiring bank or the consumer’s issuing bank is located outside the EU or the UK. A fraudster could purchase international credit card information on the dark web and use it to buy under a foreign identity, as the issuing bank would be outside the remit of SCA. This would be classed as an out-of-scope transaction, and their fraudulent purchase would be exempt from SCA.
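A merchant-side way to act on the list above is to tag every payment that will not trigger a two-factor check, so it can be sent to other fraud screening. The sketch below is an added example, not code from the article; the field names, function names and the abbreviated country set are assumptions, and the sample payments are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative subset of country codes where SCA applies (assumption, not a complete list).
SCA_REGION = {"GB", "DE", "FR", "IE", "NL", "ES", "IT"}

@dataclass(frozen=True)
class Payment:
    channel: str                       # "ecom" or "moto"
    initiator: str                     # "cardholder" or "merchant"
    issuer_country: str
    acquirer_country: str
    amount_minor: int                  # amount in minor units (pence, cents)
    agreement_id: Optional[str] = None # recurring agreement, if any
    authenticated: bool = False        # a two-factor check was completed

def out_of_scope_reason(p, history):
    """Return why `p` skips SCA, or None if a two-factor check is expected."""
    if p.channel == "moto":
        return "MOTO"
    if p.initiator == "merchant":
        return "merchant-initiated"
    # One leg out: either bank sits outside the SCA region.
    if p.issuer_country not in SCA_REGION or p.acquirer_country not in SCA_REGION:
        return "one-leg-out"
    if p.agreement_id is not None:
        prior = [h for h in history if h.agreement_id == p.agreement_id]
        # Only a consistent amount after an authenticated first payment qualifies.
        if prior and prior[0].authenticated and all(
                h.amount_minor == p.amount_minor for h in prior):
            return "recurring-fixed-amount"
    return None

def route(payments):
    """Classify payments in order; a non-None reason means 'screen by other means'."""
    history, reasons = [], []
    for p in payments:
        reasons.append(out_of_scope_reason(p, history))
        history.append(p)
    return reasons

# Constructed sample payments.
SAMPLE = [
    Payment("ecom", "cardholder", "GB", "GB", 999, "sub-1", authenticated=True),
    Payment("ecom", "cardholder", "GB", "GB", 999, "sub-1"),
    Payment("ecom", "cardholder", "GB", "GB", 1499, "sub-1"),
    Payment("ecom", "cardholder", "US", "GB", 5000),
    Payment("moto", "cardholder", "GB", "GB", 2500),
    Payment("ecom", "merchant", "DE", "DE", 1200),
]
```

Note that the third sample payment falls back into scope because the recurring amount changed.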
Liability
PSD2 allows for certain in-scope transactions to be exempt from SCA. Exempting low-value, regular, whitelisted, and low-risk transactions can reduce friction for the customer. These exemptions are decided and applied by issuers and acquirers, but merchants can also play a part in the outcome.
However, if a retailer uses exemptions as part of their SCA strategy, the liability for those exempted transactions will lie with the retailer. When a fraudulent transaction occurs, your business could be losing money. It’s essential to put other fraud detection programs in place to avoid this.
Friendly fraud
Friendly fraud occurs when consumers falsify claims, such as disputing a legitimate charge or reporting that an item hasn’t arrived, and it can cost businesses a significant portion of their revenue. Interestingly, The Consumer Abuse Index states that non-payments fraud has increased five-fold during the COVID-19 pandemic. Worryingly, the index shows just how commonplace abuse is among shoppers. 36 percent of UK shoppers have claimed that a legitimate charge on their account was fraudulent. Meanwhile, 30 percent have falsely claimed that an item hadn’t arrived. Before the pandemic, only 14 percent had said the same, less than half of the current level.
This type of fraud is beyond the reach of SCA: with friendly fraud, a genuine consumer isn’t hiding behind a false identity, so most orders look legitimate when they are made.
Merchants must consider other fraud solutions to avoid friendly fraud. Prevention platforms that use historic shopping data can identify consumers who are more likely to commit friendly fraud, prevent them from doing it again, and remove chargeback liability for merchants.
Transaction risk analysis
Removing the friction caused by SCA will involve creating a seamless authentication strategy. Seeking out exemptions is the best way to remove the need for SCA checks and reduce consumer touchpoints that may lead to cart abandonment.
Transaction risk analysis (TRA) is one effective method carried out by issuers and acquirers that identifies low-risk transactions and exempts them from SCA. Transactions undergo a real-time, dynamic evaluation of various risk factors, verifying the identity of consumers and assessing their fraud risk.
However, to be eligible for TRA, merchants’ fraud rate must remain below a specific threshold. If your fraud rates rise, a PSP’s appetite to authorize an exemption falls – it’s bad news all around. Merchants could even be hit with financial penalties as a result.
To be eligible for exemptions as part of TRA, merchants must adopt an effective fraud prevention strategy that first reduces their fraud rate before accessing more frictionless checkout experiences. The lower your fraud rate, the more opportunities, the easier the checkout, and the better experience your customers will have.
Fraud is changing with SCA regulations. Fraudsters will continually find new ways to harm your business, but proactive merchants are utilizing more effective fraud prevention methods. A solid fraud prevention strategy can help reduce your fraud rates, improve the customer experience, and boost your revenue.