By Chris Thomas, Managing Director of EMEA, Emailage
The way in which customers interact with businesses online has evolved considerably in recent years, due to the arrival of new regulations, such as Payment Service Directive 2 (PSD2).
However, as new legislation is introduced, to protect consumers as they shop online, many merchants are concerned that rather than enhancing the customer experience, the new requirements are in fact doing the opposite. This could have negative repercussions for merchants, damaging the consumer experience, resulting in lower sales conversions and suppressed profit margins.
With this in mind, merchants need to consider solutions to enable them to successfully verify a customer’s identity, with minimal friction, when opening a new account or making a payment transaction.
Combating CNP fraud
Stronger authentication has been demanded by consumers, businesses and regulators across the world for many years now to tackle the pressing issue of card-not-present (CNP) fraud.
In EMEA, CNP payment fraud losses have been steadily growing for ten years, with no end in sight. The Fifth Report on Card Fraud published by the European Central Bank (ECB)in 2018 revealed CNP fraud accounted for 73 per cent of the €1.8 billion lost to card in 2016[i], an increase of 2.1 per cent on the previous year[ii].
A significant number of fraud cases currently aren’t reported, but the numbers above show that the reported costs alone are staggering – and getting worse.These levels of fraud are becoming increasingly burdensome for merchants and issuers and a grave concern for consumers.
With this in mind, the European Commission has introduced new Strong Customer Authentication (SCA) requirements on payment transactions incorporated into PSD2 with the aim of taking on CNP fraud.
The SCA detail
Under PSD2’s SCA requirements – due to be introduced on 14 September 2019 – eCommerce transactions must be processed via a security mechanism like 3D Secure 2.0.
As such, customers buying items or services worth more than €30 could be required to enter two forms of identification. Known as multi-factor authentication (MFA), this confirms a user’s identity by layering a combination of different components including: something they have (such as a debit or credit card); something they know (a PIN number or password); or something the they are (e.g. a user’s fingerprint or retinal scan).
Combining two or more of these components enhances security and can, in fact, make transactions easier for trusted customers.However, many businesses fear the complexity of such a multi-layered approach to authentication will inevitably turn consumers away from completing online purchases. This basket abandonment will result in a loss of revenue which, in the long run, can put merchants’ businesses in jeopardy.
On the other hand, focusing on seamlessness at the expense of security can hurt customer relationships too. Many customers refuse to make purchases from vendors that they feel aren’t doing their utmost to safeguard their payment information.
Evidently, businesses are caught between the devil and the deep blue sea. If they focus on security, they risk impacting the customer experience. If they pay too much attention to frictionless payments, they could potentially damage security and customer confidence.
A balance needs to be struck between these two extremes, finding a solution that allows low friction customer experiences without compromising on security.
Far too many merchants have security protocols in place that wrongly block good customers while still letting the fraudulent ones. This is an indication that merchant processes still have scope to improve in order to optimise sales conversions. The phenomenon of “one-click” transactions is another issue. These are not just popular with consumers, due to their ease of use, they are favoured by fraudsters too, as they don’t have the security protocols in place capable of preventing CNP fraud.
These two extremes ultimately have repercussions for fraud rates and sales conversions. Careful consideration of the entire customer experience, from the Home page to the payments process, incorporating expert consideration of the potential fraud risk is needed in order to strike an appropriate balance and gain an edge over rivals and fraudsters.
This balance can only be achieved when merchants’ decisions about customer experience and payments are better informed through dynamic, real-time fraud risk analytics and data. It is vital to deploy solutions and a strategy that are effective and compliant with PSD2, without impacting on the customer experience. The key goal for any merchant or PSP is to minimise the need to deploy 3D Secure 2 by reducing fraud as much as possible – having customer information early in the process allows a more effective risk decision to be made at the point of purchase.
A number of innovations in recent years have transformed the way merchants analyse underlying transactional data. Such solutions can play a key role in supporting merchants to ensure their anti-fraud processes are fit for purpose.
One analytical solution that is fast gaining traction in the eCommerce space is “email risk assessment”, which uses a simple and widespread piece of authentication information to gauge whether a purchase is genuine – the email address.While this assessment is not a replacement for SCA, it can help keep fraud levels to acceptable levels allowing merchants to qualify for the “low-fraud” PSP exemption under PSD2.
Under the SCA regulatory technical standards (RTS), payments via PSPs that are considered to have a low fraud risk will not require explicit customer authorisation. These low-risk payments include transactions worth up to €100 if the merchant’s PSP’s fraud rate is less than 13 basis points (abbreviated to “bps”, this is a standard measure of fraud risk, 13bps is 0.13%). Payments worth up to €250 if the PSP’s fraud is less than 6bps, and purchases of up to €500 if the PSP’s fraud rate is less than 1bps, are also exempt.
All online transactions require an email address but, until now, many companies have believed these were only useful for customer receipts, notifications and marketing campaigns. However, email is a unique global identifier, which is already a basic requirement whenever a customer sets up or logs into a digital account.This makes tools like email risk assessment a valuable asset in adding another layer of protection to any eCommerce business.
Alternative forms of identification, such as social security numbers or device IDs are not unique and are rarely transportable globally. More, alternative identifiers can be easily hacked or stolen, with the data accessed by criminals via the dark web and account takeovers growing in popularity. Only an email can definitively be traced to the genuine account holder.
There is a simple reason for this – a staggering 91 per cent of email users keep the same email address for at least three years, and 51 per cent keep the same email address for over 10 years. This represents a vast amount of data that can be analysed and put to great use in the fight against online fraudsters.
Innovative email risk assessment systems, like Emailage’s EmailRisk Score, harness multiple data points and a vast network of historical transactional data associated with an email address to separate fraudsters from genuine customers without impacting on conversion rates or customer experience – making them a practical, “zero-friction” method of preventing fraud.
Having these security protocols in place merchants can optimise their processes to protect customers from fraud, reduce false positives and protect revenue.
Getting the balance right
Achieving the appropriate equilibrium between a frictionless experience and security is a challenge for merchants. With SCA, it will only become more of a minefield.Nevertheless, it is crucial to ensure regulatory compliance while ensuring an enjoyable, smooth and secure customer experience.
With the advice of anti-fraud specialists, it is possible for merchants to have the tools they need to better analyse the fraud risk for every transaction, so they can gauge how to reduce fraud without compromising the consumer experience. As a result, they can protect their business, and ensure it can thrive in the future.
To find out more about how Emailage can support you in balancing SCA requirements with a seamless user experience, visit:www.emailage.com.