PSD2, risk analysis, SCA, and 3D Secure

01 Feb

How to apply them to stay safe 24/7?

PSD2 – Revised Payment Services Directive was published in 2017. It is a body of law in force with payment services in the European Union and the European Economic Area. The document came into full force in 2019.

As a result, the European banking market has received a mandatory standard, which defines the mechanisms for user authentication in remote account management systems for the next few years. Moreover, not only for banks but also for new players in the payment market: operators of information services (Account Information Service Provider – AISP) and operators of initialization of payments (Payment Initiation Service Provider – PISP), which significantly increased the opportunities for new players in the banking market.

The reason for the creation

The first regulatory document was published in 2007 under the name PSD 1. There was a variety of situations after that, which forced the government to create a package of rules that could further secure the developing market.

Let’s take a closer look at some of these situations.

High growth rates of fraud

The European Central Bank recorded a 66% increase in online payment fraud between 2011 and 2016. Statistics from the British financial regulator show that cybercrime increased by 187% in 2018. Therefore, it became necessary to strengthen the security of online payments.

New business models

Since PSD 1 was created, the development of the digital market caused a sharp jump in the appearance of various companies. PSD 1 did not allow regulating financial relations with them on an ongoing basis. Now, this market has a standard to replace one-off requests, allowing new companies to access their customers’ bank accounts.

Development and growth of the API economy

APIs are application programming interfaces. Such giants as Amazon, Google, Uber, and others owe their success to them. These interfaces enable different systems to interact with each other. This, in turn, led to the development of new business models. Also, such interfaces make banking operations and any payments more open.

Main purposes of PSD 2

Stimulation of innovation and competition in the financial sector
Improvement of the European payment market, making it more efficient and convenient for payment service providers
Improvement of the security level of all payments
Protection from fraudulent activity

The directive gives third-party companies that specialize in financial technology and provide their services to banks and clients, access to user data for their analysis and financial advice, equal to banks

PSD 2 is part of a broader legal framework, but in this article, we will take a look only at the changes in online payments and how this affects consumers, payment service providers, and merchants.

What are the modifications for merchants and payment service providers?

Strong authentication

Most online payments in the European Economic Area now require authentication. This, in turn, increases the level of security.

Licensing

Now, to provide payment services to the European Union, the company will need to get a payment license, authorize, and also register by the EBA

Opening bank data to third parties

It is necessary to enable new players to work, including two new types of TPP suppliers. The directive introduces the principles of open banking, which deprives banks of a monopoly on user data. Banks are obliged to open their APIs and, with the consent of the account holders, share customer data with third parties.

SCA Spheres of influence

All transactions initiated by the payer are subject to authentication if both the card issuer and the acquirer are located in the EEA. If one of them is outside of it, then authentication is not required. It means that businesses that work in the United States with a local bank are not required to use strong authentication. This type of transaction is called “one leg out”.

Direct influence

Since the document covers all countries of the European Economic Area, it will affect 300 million buyers. It also operates in the UK despite Brexit as it was created before it. This caused waves of discontent in the financial community, as many consider the document not very expedient, fearing that the data could go to fraudsters. In general, the question is twofold.

Indirect influence

The document will also apply indirectly to companies that are not part of the EEA but have branches and subsidiaries in its territory.

What happens if not following the rules of the PSD 2?

Companies that fail to meet the requirements may see a drop in conversion rates as banks reject unauthenticated payments. That is, non-compliance threatens to lose many transactions. For payment providers, things are much worse, as they may get fines and may even lose the license.

What is Strong Authentication?

According to the PSD 2 requirements, authentication must include at least two of the three components (three are recommended):

Something you are…

Biometric factor − what is inherent in the user from birth (fingerprint, iris pattern, face)

Something you have…

Ownership factor − something that only the user has (smart card ID, for example, electronic identity card), payment card, token)

Something you know…

Knowledge factor − what the only user can know (password, PIN-code)

What does the biometric factor mean?

Who the client is. This includes the following 8 aspects:

It is important to keep in mind that information that is transmitted via 3D Secure 2 (or EMV 3DS) is not considered SCA compliant. But this may change in the future. But, this information is important as the need for analyzing the risks of (TRA) transactions and providing exceptions.

What does the ownership factor mean?

It’s not necessarily physical, as long as the client can prove ownership. This happens by entering a one-time password or push notification, as well as a QR code.

It is important to distinguish that, for example, printed card details are not considered as ownership, but dynamic security codes can. If they are constantly changing and are not present on the card itself. It also works with some virtual cards.

What does the knowledge factor mean?

List of main elements in the table

Are there any extra requirements for these elements?

Yes, it is important to remember the following points

Dynamic linking

In the case of a payment transaction, the generated confirmation code must be unambiguously associated with at least the following data: the transaction amount and the payee.

This means that any change to these transaction parameters must change the value of the generated confirmation code.

Independence

In the first version, it was proposed as a prerequisite that the device initiating the transaction and the device confirming the transaction must be different, independent of each other. The newest version assumes that the creation of a transaction and the creation of a transaction confirmation code can occur within a single device, using two independent applications, or even one application.

Right to use a card reader

In this case, the script can contain 2 elements. For example, you can first enter a pin code to access the device, then create an OTP.

Reusing elements

The same item can be used two times during one session. For example, initiate a payment and access your account. Another example is that a user can access their account using a statistical password and OTP and then immediately initiate a payment.

Exemptions

After the first proposal about the document, EBA got a lot of outrage. However, all reviews have been reviewed and a list of certain exceptions has been posted. Let’s consider them in more detail.

An online merchant cannot apply for an exception, but a payment service provider can do so on his behalf.

It is important to remember that the cardholder’s bank decides whether to grant these exceptions.

List of verified sellers

The buyer can create a “whitelist”. He can add sellers he trusts there. In such case, authentication will not be needed. The convenient solution here all depends on the seller. If it wants to be on such a list, he must do several actions, to cause the buyer’s trust, so that the seller wants to add him there.

Regular payments

Here we are talking about subscriptions or recurring billing for the same amount from the same seller. In this case, authentication should only be performed at the first payment. This is very convenient for such giants as, for example, Netflix. But, if the recurring payments differ in their amount, the system will require authentication.

Payments up to € 30

On the one hand, it seems convenient, but, implementation difficulties arise. The bank needs to choose how it requests authentication: at every sixth payment up to 30 euros, or after that, the number of such payments will exceed 100 euros.

The difficulty is that only the bank determines this limit. It is hard to predict whether the bank will impose any restrictions. That is, these points will need to be clarified with the bank. Because you may unexpectedly run into a lawsuit after 5 payments of 10 euros, or you will need to make 10 payments before you are required to authenticate.

This exception does not work if an order is made for more than 30 euros.

Making payments with a low level of risk

If payment providers have confirmed low fraud on their platform, they can conduct a real-time transaction risk analysis and then apply for an exemption on behalf of their merchants. it is important to note that the exemption can be up to € 500. If the payment is more than 500 euros, this exception does not work.

What methods are used to analyze risks in real-time?

There are regulatory technical standards that explain what should be considered in a risk analysis.

This includes:

Previous customer expense model;
Payment history;
Location of the payer and recipient if they are at a high level of risk;
Strange and suspicious payment schemes;
Unusual behavior;
Suspicious information about access to a device or software;
Infection with malware at any stage of authentication;
All commonly known scenarios of committing fraud;

All these aspects should be collected in one document and, based on the passage from all these stages, a risk assessment is formed.

Fraud rate limits

Once every 3 months, each company is required to provide the national regulatory authority with a list of evidence of the level of risk and fraud. Depending on the percentage, a decision is made on restrictions or permissions

What depends on a rate?

From 0.13% to 0.06%, all low-risk payments up to € 100 can be exempted.
From 0.06% to 0.01%, all low-risk payments up to € 250 can be exempted from tax.
Below 0.01%, all low-risk payments up to € 500 can be exempted (this will be very rare)

It is important to understand that if a payment provider is wise to invest in an anti-fraud system, it increases the level of eligibility for its customers. However, it is important to be aware that in such cases, the responsibility for security and fraud is again placed on the shoulders of the payment provider. On the one hand, this can bring new clients, still, it can be a serious investment.

Exception for online sellers

An online seller can contract with a payment provider that they take the risk of using an exception and will use their own risk management systems. It also means that companies that have invested in fraud protection heavily have an advantage in negotiations with payment providers. This is beneficial for both of them.

What does an online merchant require from a payment provider under the PSD 2?

High rates of payment acceptance

Likewise, an internet merchant wants to avoid SCA too.

Low fraud rate

A low rating allows the payment provider to request an SCA exemption

Opportunity to get support

Online sellers will look to payment providers for PSD2 expertise and help to manage the changes ahead

The significance of issuer knowledge

One way or another, a payment provider can handle more transactions than any of the merchants who work with it. This means that it has a lot of information about how issuing banks can respond to various requests. It also knows which versions of 3D Secure work in a particular bank.

GF Solutions team collects this information for every transaction. It helps us understand which method of accepting payments is the best for a particular transaction. We carry out this analysis based on the level of payment risk as well as past behavior of banks.

The more difficult it is for the client, the less successful transactions you get

Everything is simple, the more steps the client needs to go through to complete the operation, the more time and nerves it takes from him. It suggests that most likely he won’t complete the transaction. He may think that it is difficult for him, or it takes a very long time, or even strange.

3D Secure 1

This is an extra layer of security that almost all of us face. The most famous are Visa, Mastercard SecureCode, and American Express SafeKey. The mechanics are quite simple: at the end of the transaction, you are simply asked for an additional password in order to authorize the payment by the bank.

A payment with this protection system is considered safe. However, there are strange statistics: although this is a very good tool for protecting against fraud, some sellers use it only in very, very risky cases. There is a reason for this too – loss of conversion.

3D Secure 1 problems

Undeveloped interface

The tool has existed since 1999 and is absolutely not adapted for mobile devices. As we know, according to statistics for 2020, almost half of the purchases made online occur from a mobile phone. The weird user interface alienates shoppers because it seems suspicious to them.

The problem with remembering the password

As mentioned above, many companies use such authentication very rarely and only for very risky payments. Because of this, clients simply forget their passwords. The password recovery procedure takes a lot of time, which forces almost a quarter of buyers not to complete the transaction.

The real influence of 3D Secure on online payments

According to the statistics of the first half of the year 2019, we can see the following:

Almost a quarter of payments are not completed and are lost;
Authentication takes about 40 seconds;
Almost 100% of payments cause friction and require an extra 5 seconds for authentication;
The volume is from 68 to 92%;

If we talk about 2020, then the first quarter showed that admission rates improved significantly

What caused this?

In 2020, most merchants request payments through authentication, and customers are already getting used to it.

The tool can really be effective

The influence of PSD 2 is big, and this request the level of security. Also, the authentication time has decreased 42 seconds by 37. A large number of merchants are beginning to understand that such authentication helps security, so they are starting to use it more and more often.

Covid-19 affected customer loyalty

During a pandemic, many people do shopping from home, so they have no choice since many sellers have put up the requirement to pass such authentication.

3DS 1 and sellers

The intake rates improved, but still not 100%. They remain at 87%. Again, this does not mean that this is necessarily a fraud. This may be a client error or failure, a server error, or insufficient experience with such software. But still not 100%.

Again, this is very expensive. Thus, many players benefit from getting exceptions.

Be aware of the transition to exceptions

Exceptions help many companies win, so you need to be prepared for them. Future Solution team has a finger on the pulse and closely monitors issuing banks, and we provide the most comprehensive information to our clients.

The difference in 3D Secure 2

More data and fewer disputes

This tool enables vendors to provide more risk analysis data to the bank-client to avoid long client authentication.

Providing more distinction in authentication methods

Now you can choose the type of authentication that suits you specifically: one-time password or, for example, face scanning. It all depends on what the cardholder’s bank offers.

Optimization for a better user experience

Now you can download the application to your phone for ease of use. If the initial version of the standard required a hardware implementation of a trusted execution environment in a mobile device, then its final version allows the use of a secure execution environment, which is implemented in the most popular Android and iOS operating systems using software mechanisms.

What problems can occur?

Usage problems can be on older phone models, which may not support the application itself. Also, the problem may be in regions with a low signal level.

What is authentication enrichment?

This is adding merchant and fraud level details to an Authentication Request (AReq). Simply put, this is a message to the issuer requesting authentication. It can also be used to exchange data with the issuer to enable it to make a more balanced decision.

The reason to do

This thing provides the convenience of ordering. In simple terms, you give more information to your issuer so that it can provide exceptions. If this is not done, then the issuer does not receive enough information. This means it will use 3 DS authentication.

How to send AReq message?

Data received by issuers in the framework of 3DS 2

Cardholder Account Information
Merchant Risk Indicator
3DS Requestor Information
3DS Requestor Prior Transaction Authentication Information

Also, the classification of this data can be different for different companies. For example, Visa requires ‘3DS Requester Challenge Indicator’, but for EMVCo and Mastercard it is optional.

Why does the issuer gain confidence when using AReq?

Since the issuer itself is not able to get all the information about the client, if you provide it, it makes it possible to benefit. Primarily for you, as you can simplify the authentication process.

Our company enables you to share such information. This shows that you are using a huge risk analysis system for your issuer. And it increases the confidence of the bank.