The Transaction Security Landscape: New Mandates, New Challenges

By Ilya Dubinsky, Head of the CTO at Credorax

As consumer adoption of mobile and online commerce channels continues to grow, fraud losses in this space are becoming a major pain point for mature markets. To address this security challenge, Strong Customer Authentication will become mandatory in the European Union. However, even without regulatory mandates, the problem is significant enough for providers to take proactive steps to improve transaction security. The market trends to monitor will encompass security, stronger customer authentication, PSD2, 3D Secure 2.0, card-not-present fraud, mobile experience issues, and shopping cart abandonment concerns. To give some context around these trends, it is beneficial to review each area with regard to how fraud has had an impact.

PSD2 and a Stronger Need to Reduce Fraud

Several trends will affect how online stores will secure their checkout process while battling shopping cart abandonment. Besides the overall explosive growth of mCommerce, measures to reduce fraud in card-present scenarios cause an increase of fraud in the card-not-present environment. The EU PSD2 Strong Customer Authentication regulation mandates a form of authentication for all intra-European payments from September 2019, while providing exemptions for payment providers with low fraud rates. EMV® 3-D Secure Protocol, also known as “3D Secure 2.0”, lays a foundation to address these challenges and is likely to be mandated by card schemes.

Mandated Strong Customer Authentication

The "Evolution of Card Fraud in Europe 2016" research by Fair Isaac Corp. reported that card-not-present fraud accounted for 70% of total card fraud in the European Union, reaching €1.231 billion in 2016. While the total fraud in the EMEA region grows at 4.4% CAGR, total volumes of card fraud were expected to exceed €2 billion by 2019 according to our research.

What ensued were actions prompted by the regulators, and so, as part of the PSD2 (Payment Services Directive 2), the EU lawmakers mandated Strong Customer Authentication to be part of any remote electronic payment, including all payments processed by a European institution and performed using credit or debit cards.

The details of Strong Customer Authentication are covered by European Banking Authority’s Regulatory Technical Standard, which was officially adopted by the European Commission on March 13th, 2018, to become applicable 18 months later, which means it will be effective from September 14th, 2019.

The changes in regulations will force all payment service providers that operate in the EU to combat fraud by means of enforcing mandatory Strong Customer Authentication on a large share of online transactions, or, alternatively, by implementing substantial fraud monitoring and prevention measures that would entitle providers to further exemptions from the mandate.

Card-Not-Present Fraud Expected to Skyrocket

Payment card fraud dates back to embossed plastic and imprinters, and as making payments has become easier with the evolution of technology, fraud in card payments has become more sophisticated, leading to increased checkout complexity. This was true for card-present, brick-and-mortar transactions and is even more so with card-not-present transactions in eCommerce and especially mCommerce environments. Even Visa/US Chamber of Commerce’s “Cardholder Data Security and Fraud Prevention” reported that 67% of cardholders are not only becoming more cautious about their future credit card use but also acknowledge that raised awareness can’t prevent data breaches. In fact, data breaches are reportedly increasing to 44.7% according to the Identity Theft Resource Center’s “2017 Annual Data Breach Year-End Review”.

As a result, card schemes, concerned about establishing and preserving their brand reputations as reliable methods of payment, have invested in the development and rollout of multiple technological solutions designed to reduce or eliminate fraud, and in particular, the use of counterfeit cards.

In the card-present environment, this was achieved to an extent by implementing EMV ICC technology, with the later addition of EMV Contactless and, further down the line, mobile card tokenization (ApplePay™, SamsungPay™, and others). However, the process of transition to this new fraud-resistant technology is still ongoing in some of the more mature markets such as the United States, where only about half of in-store payments are currently done with EMV according to BI Intelligence.

Furthermore, even after full-grade EMV transactions become the overwhelming majority, payment card fraud will not completely disappear. While counterfeit card-present losses in the USA are expected to decrease from $3.615 billion in 2015 to $1.771 billion in 2018 according to the Aite Group, card-not-present card losses are expected to more than double from $3.1 billion to $6.4 billion in the same timeframe.

In Europe, card-not-present fraud is a major driver behind the annual growth of fraud in general. While implementation of EMV has reduced fraud in ATMs and POSs, overall losses from fraud in 2016 are estimated at €1.759 billion, having grown with a CAGR of 5% during the last five years, with card-not-present fraud constituting 70% of the volume, growing at a CAGR of 9%. (See Figure 1.) In France alone, the annual losses due to fraud doubled in 10 years, increasing from €252.6 million to €548.3 million, while in Sweden, annual card-not-present fraud jumped from 94.1 million SEK to 142.4 million SEK (51% YoY), according to FICO.

Figure 1. European Card-Present and Card-Not-Present Fraud Losses (source: FICO by Fair Isaac, Euromonitor International)

Mobile Experience Issues, Abandonment a Challenge, Security a Concern

The smartphone user base continues to expand rapidly and is expected to reach 2.87 billion global users by 2020 according to eMarketer, with over 55% of total mobile phone users utilizing a smartphone by that time.

This will have a profound impact on consumer shopping habits, while driving the growth of mCommerce in absolute and relative terms as well as being the driver behind the growth of eCommerce as a whole.

The mCommerce market in the United States according to eMarketer is projected to reach $284 billion, or 45% of the total USA eCommerce of $630 billion, by 2020, up from $35.2 billion or 11% in 2014. And during the 2017 holiday season, 36% of USA consumers planned to use a mobile payment app.

At the same time, the PayPal Mobile Research 2014/2015 Global Snapshot showed the estimated CAGR of mobile commerce in Europe is 42%, in comparison with the eCommerce CAGR of 13%. PayPal also showed these figures to be even higher in Nordic countries, where the aggregated growth rate of mCommerce is projected to exceed 50%.

However, while customers express growing interest and genuine intent to shop via their browsers and mobile devices, retaining a customer throughout the checkout process remains a significant challenge. The rate of abandoned shopping carts on desktops is over 70%, and even higher on mobile devices according to Adobe Insights (See Figure 2.), and about 1 in 3 smartphone users will immediately switch to another application or site if they feel their needs are not instantly satisfied.

Figure 2. Shopping Cart Abandonment Rates per Channel

While it is true that about 25% of consumers in the PayPal Mobile Research cite mobile payment security concerns (and not checkout issues) as a barrier to shopping via mobile device more often, the introduction of additional authentication processes will hardly increase checkout speed or improve consumer experience.

A Key Solution to Address Fraud

EMV® 3-D Secure can help, if handled with care. For instance, card schemes have offered a solution for improved security of online payments since 1999, in the form of the Verified by Visa™ program, also known as “3-D Secure 1.0”.

The solution has reduced fraud significantly, with fully authenticated transactions being around three times less likely to be fraudulent. On the other hand, it has contributed to consumer drop-out, which has reached double-digit figures according to Visa and Cardinal Commerce.

To address these challenges, card schemes have cooperated via the EMVCo standards body to deliver the EMV® 3-D Secure standard which became known as “3-D Secure 2.0”. The standard allows a front-end application to retain full control over user experience, outlines rules for risk-based authentication (the so-called ‘frictionless flow’), introduces a number of alternative authentication methods including device biometrics, and, among its other advantages, is considered by card schemes to be the technological answer to the SCA regulation in Europe.

AI-based Fraud Prevention

Despite the directive not specifically mentioning machine learning methods, this set of requirements – including the analysis of individual cardholder spending patterns and anomalies – demands analysis of vast arrays of data for each cardholder, with identification of individual behavior patterns.

Unless the processor (or the merchant) only handles recurring transactions with small numbers of customers, no team of analysts can realistically process and compute the baseline spending pattern function for each cardholder that utilizes payment services. This means that, in reality, in order to meet this set of rules, deployment of a machine learning solution is unavoidable.
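As an added illustration of the per-cardholder baseline described above (not code from this article or from Credorax), the sketch below uses a simple median/MAD statistic as a stand-in for a machine learning model and chooses between a frictionless and a challenge flow for each payment. The thresholds, card identifiers and transaction history are constructed assumptions, not values from the RTS or the EMV 3-D Secure specification.

```python
from statistics import median

MIN_HISTORY = 5    # assumed: fewer past payments means no usable baseline
Z_CHALLENGE = 3.5  # assumed robust z-score cut-off, not a regulatory value


def baseline(amounts):
    """Return (median, MAD) of one cardholder's past payment amounts."""
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts)
    return med, mad


def robust_z(amount, med, mad):
    # 0.6745 scales MAD to a standard deviation for normal data. The floor
    # keeps a flat history (one recurring amount, MAD == 0) from dividing
    # by zero while still flagging a large jump.
    return 0.6745 * (amount - med) / max(mad, 0.01 * max(med, 1.0))


def decide(history, txn):
    """history: list of (amount, country) for one card; txn: (amount, country).

    Returns ("frictionless" | "challenge", [reasons]).
    """
    if len(history) < MIN_HISTORY:
        # No baseline yet: fall back to authenticating the cardholder.
        return "challenge", ["insufficient history"]
    reasons = []
    med, mad = baseline([a for a, _ in history])
    z = robust_z(txn[0], med, mad)
    if z > Z_CHALLENGE:  # one-sided: only unusually large amounts count
        reasons.append(f"amount z={z:.1f}")
    if txn[1] not in {c for _, c in history}:
        reasons.append("new country")
    return ("challenge" if reasons else "frictionless"), reasons


# Constructed sample history, keyed by a made-up card identifier.
HISTORY = {
    "card_A": [(42.0, "DE"), (38.5, "DE"), (51.0, "DE"),
               (45.0, "AT"), (40.0, "DE"), (47.5, "DE")],
    "card_B": [(9.99, "FR")] * 8,             # flat recurring subscription
    "card_C": [(120.0, "IT"), (95.0, "IT")],  # too new for a baseline
}

if __name__ == "__main__":
    for card, txn in [("card_A", (49.0, "DE")), ("card_A", (900.0, "DE")),
                      ("card_A", (44.0, "BR")), ("card_B", (59.99, "FR")),
                      ("card_C", (100.0, "IT"))]:
        print(card, txn, decide(HISTORY[card], txn))
```
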

The Bottom Line

Both sharp increases in rates of card-not-present fraud, and the regulatory response to it, inhibit growth and can reduce the revenue of online merchants. Fraud causes direct damage to merchants, while government regulations that mandate strict authentication cause an increase in shopping cart abandonment. Furthermore, existing mechanisms for strong consumer authentication such as Verified By Visa™ (also known as 3D Secure 1.0) are ill-suited for mobile channels, harm customer experience, and further contribute to abandoned orders.

While mobile commerce drives online commerce growth and the ability to prevent fraud contributes directly to the bottom line, providing better security (but not necessarily stronger authentication) and improving consumer confidence in mobile devices as a shopping channel will, in the end, have a positive impact. The best strategy is to implement an AI-based fraud prevention solution and deploy a full card-on-file solution, including account updater services and provisions for cardholder authentication. In addition, it is recommended to implement 3D Secure 2.0 as soon as possible, combined with an authentication advisor solution.