Controlling exemptions to strong authentication and rethinking its risk analysis within the framework of the PSD2 are becoming imperative.
This article was originally published by Sasha Pons (Dalenys).
Banks, Payment Service Providers (PSPs) and e-merchants are ramping up on PSD2 (Payment Services Directive 2). The requirement for strong authentication for all electronic payments is raising concerns among merchants who fear a deterioration in the customer experience and ultimately a loss of revenue . Rightly so, these upheavals may impact their business if they don't quickly grasp the new rules of the game.
Indeed, the directive provides for authentication exemptions, some of which can be obtained through a thorough and effective real-time risk analysis. A risk analysis that complies with RTS (Regulatory Technical Standards) and is reliable will subsequently ensure a better overall fraud rate and improve the chances of obtaining so-called "frictionless" experiences.
Know the exemptions that are essential to optimize your conversion
It is essential to control the exemption conditions provided by the RTS to limit the impact of two-factor authentication on the purchasing process. Some exemptions are granted only if the acquirer and the issuing bank control their fraud rates. This rule therefore implies a rigorous fraud policy throughout the payment chain. The interdependence of the players is thus established de facto, with each link in the chain being impacted by fraud rates. In order to be prepared, issuers, acquirers and merchants must therefore raise their level of fraud detection today, so that in the medium term they can offer exemptions to as many people as possible.
That is:
A transaction risk analysis (TRA) can be carried out by the payment provider. It will enable the merchant to justify its requests for exemption.
The acquirer and the issuing banks will only be able to accept the merchant's exemption requests if they themselves control their fraud thresholds for their entire cardholder portfolio (0.13% to exempt transactions of less than €100; 0.06% for transactions of less than €250; 0.01% for transactions of less than €500).
Exchanging the right data
Merchants must be actors in the decision of triggering by communicating useful information to issuers so that they can make a decision. Data is useful if it is shared (valued field), of quality (complete e-mail, address valued in the corresponding fields) and representative (public and not private IP address, surname in Latin characters...). Here are some of the data that they will have to integrate into their payment flows and send to the issuers: device from which the transaction is initiated; information about previous transactions; customer authentication on their site, their risk assessment regarding the customer's order and their request for exemption (or not) on the transaction.
Develop your risk analysis
The evolution of the model driven by RTS also entails evolving risk analysis solutions. As these solutions will no longer be able to trigger the authentication request, these solutions will require the ability to transmit their analysis (and recommendation) to issuers based, among other things, on new behavioral data. In order to pre-empt this change, merchants must ensure that their payment service provider is equipped to fulfill this role, or ascertain whether an external solution is required.
Appropriately define exemption requests and forward them to the issuer
Thanks to their risk analysis, merchants will also have the ability to accurately spot transactions that could be waived. However, merchants will need to be careful with this lever, since it directly affects their fraud rate, acceptance rate and liability for non-payment. Indeed, if they request an exemption and the issuing bank follows their recommendation, they will be responsible for the unpaid amount in the event of fraud and will contribute to the increase in the fraud rate.
Issuing banks will therefore respond by issuing further requests for strong authentication to their customers, which can significantly reduce their acceptance rate. The RTS then highlights the necessary relationship of trust between merchants and issuing banks.
The latter are undoubtedly the decision-makers in triggering strong authentication, but they cannot decide without the merchants' assistance. By providing additional information to a fraudster's profile, merchants help issuing banks to make decisions and contribute to triggers that are more efficient. Under these conditions, it is possible to mitigate the possible negative impacts of the strong authentication requirement on the activity of e-merchants, with the result that there are opportunities to accelerate the digitalization and customer loyalty stakes.