Cart abandonment rate is a common KPI for measuring the performance of your web store. It indicates how many customers added an item to your web store shopping cart but never finalized the purchase.
In other words, it showcases the rate of customers who showed interest in a particular product/service by adding it to the cart but left without making the purchase compared to the total number of completed transactions.
Industry benchmarks based on a number of studies put the average cart abandonment rate at 69.80%. An abandonment rate greater than the industry benchmark can be induced by a variety of reasons, some of them being shipping costs, required sign-up, limited payment options, or checkout processes that are hard to follow.
By tracking their cart abandonment rates, merchants can better understand how their customers behave during their online shopping experience. Also, it is a helpful tool for determining why visitors are not converting into customers.
Security threats in the online payments environment are as real as they get, but the simple truth is that most cardholders have never encountered such an unpleasant situation. From their perspective, additional security layers are seen as an inconvenience during the checkout process, making the cardholder abandon the purchase because of long checkout times or unfamiliarity with the screens presented. The first version of the 3D Secure protocol provided sufficient security. Still, it did not consider the user experience, especially on mobile versions of web stores, because the protocol was introduced long before such eCommerce channels appeared.
This resulted in a spike in cart abandonment rates because cardholders had to deal with more friction in order to process a single payment, even though that meant a more secure transaction. From the cardholder's perspective, heightened security measures were seen as irritating rather than reassuring.
Luckily, the newest version of the protocol, 3D Secure 2, introduced Risk-Based Authentication, enabling frictionless transactions while further improving the payment's security.
Risk-Based Authentication calculates the level of risk for a particular transaction. Upon scoring the transaction as either high, medium, or low risk, the cardholder is challenged with additional authentication steps if needed. It is a dynamic, parameter-driven system that appoints an appropriate authentication method according to an individual transaction's risk score.
Some of the mentioned parameters include the device, location, network, transaction amount, number of transactions, delivery address, behavioral history, new or existing customer, and more.
To better understand how Risk-Based Authentication works, let's use a real-life example. Suppose a new customer is processing a purchase. In that case, the system detects that there is no previous transaction history connected to the card being used, and the cardholder will likely be challenged with an additional authentication method. However, suppose an existing customer is processing a transaction from a known device, for example, and the transaction amount is within that customer's average. In that case, the cardholder won't be asked for any additional authentication, and a frictionless transaction will be processed.
Risk-Based Authentication promotes the so-called frictionless transactions, i.e., a transaction that does not require additional authentication on the cardholder side because the transaction is deemed low risk. It allows issuers to approve a transaction without interacting with the cardholder. By eliminating friction, the user experience is automatically improved.
A complete flow, enabled because of Risk-Based Authentication, is the following:
Benefits for the cardholders are obvious, a secured transaction with minimum effort regarding authenticating themselves. But the business benefit for merchants lies in reduced cart abandonment rates caused by reduced friction during the processing of online payments. It allows merchants to protect themselves and their customers from fraud while increasing revenue and customer satisfaction due to the frictionless experience enabled by Risk-Based Authentication.
As of right now, issuers are not confident in granting frictionless transactions, i.e., transactions that do not require additional authentication. The reason is that the issuing banks are the ones who take the liability in case of a fraud attempt. However, risk scoring services are acquiring more and more data by the minute and working on enhanced AI data analytics that are applied to that same data in order to create and analyze customer profiles. This will result in detecting even the smallest deviations from the standard profile, and the issuer can step in with SCA to confirm the authenticity of the cardholder.
The definition of authentication can be explained as a process of identifying a user requesting access to a particular service. Until recently, simple credentials in the form of a username and password would suffice, but with today's security standards, we need something much stronger.
Different business requirements demand different security levels, achieved by carefully choosing or combining various authentication methods available. When it comes to user experience, it plays a significant role in user satisfaction during online payment processing. Therefore, the authentication method applied must provide convenience and security at the same time. If the authentication process does not offer convenience and runs smoothly, it causes high cart abandonment rates. On the other hand, if the authentication does not provide appropriate security measures, the threat of fraudulent activities involving payment cards rises and results in chargeback costs.
Balancing between security and user experience is a challenge, but we at ASEE know how to approach this issue. The answer lies in Strong Customer Authentication (SCA) that enables various authentication methods tailored to the user's needs.
As a part of the PSD2 regulation from September 2019, Strong Customer Authentication (SCA) requirement was launched. SCA presents an additional layer of security in online payments and is based on at least two authentication factors from the following categories:
This means that stakeholders needed to get creative and adopt a variety of authentication methods available for the end-user in order to be able to process a seamless and secure online payment.
We prepared a comprehensive list of authentication methods that provide both security and convenience during the processing of an online payment. Let's dig in!
Biometric authentication relies on the unique biological traits of a user in order to verify their identity. This makes biometrics one of the most secure authentication methods as of today. Additionally, it causes less friction during the authentication process in comparison to previously mentioned methods, making for a great user experience. Most common identifiers include fingerprint scans, facial recognition, and voice-based identification.
Hard to spoof – biometric identifiers such as fingerprint and retina are unique by definition for each individual. Also, when combined with Dynamic linking (i.e., adding additional transaction data in authentication data), spoofing is almost not feasible.
Simple to use – does not require memorizing various PINs and passwords, a straightforward authentication process.
Fast and reliable – biometric authentication provides more security and is less time-consuming.
Privacy concerns – one of the major issues users have with this method is privacy concerns. Even though this feeling is very subjective, it prevents a significant number of cardholders from using it. Biometric data are stored in a trusted environment, encrypted and inaccessible to regular operating systems.
Possible errors – errors including false acceptance and false rejection of an authentication attempt.
QR code authentication is typically used for user authentication and transaction validation. A typical flow for transaction verification starts with the user logging into their internet banking web application and opening a payment order. The internet banking application offers the user the option to process this payment using a QR code presented on the screen. To process the payment, the user needs to scan the QR code with their smartphone using authenticator software (which can be a part of their mobile banking application). To finalize the payment, the user is presented with the transaction details and, upon inspecting the validity of the showcased data, additionally confirms the online payment.
Simple to use – authentication process is straightforward.
2FA proof – easily combines with other authentication factors for increased security.
No additional hardware – independent from third-party hardware.
Lack of familiarity – the general public is not widely familiar with this particular authentication method, resulting in a possible poor customer experience.
Device dependence – requires the use of smartphones alongside correct reader software capable of scanning the QR code.
This simple yet effective authentication method involves sending an SMS message to the user's mobile phone, containing a one-time-password used for finalizing the authentication of online payments.
Simple to use – the authentication process is straightforward.
Access – in case of suspicious activity, only the user who has the device in their possession can verify the transaction's validity by entering the received OTP.
Familiarity – SMS OTP is one of the oldest forms of two-factor authentication, making it widely accepted by both users and security protocols.
Data network requirement – if a user is unable to use their phone network (e.g., the connection is down), they won't be able to receive the OTP. Also, SMS OTP delivery might not happen in real-time, causing a delay, and the authentication time could run out.
Compliance – SMS OTP authentication is not PSD2 compliant, e.g., if a mobile phone is not in possession of its rightful owner, the fraudster can easily receive SMS OTP on the stolen device and process a transaction.
A push-based authentication system sends a notification to an app on a user's device, informing them about an authentication attempt. The user is able to inspect the details of the authentication attempt and, based on what they know about, e.g., the transaction taking place, either confirm or deny the verification request.
Simple to use – if the authentication details do not raise any suspicion, the user simply confirms the authentication request.
Efficient fraud protection – push-based authentication enables simple implementation of Dynamic linking, which proves to be efficient in preventing phishing and MITM (man-in-the-middle) attacks.
Low cost – this method leverages user's existing mobile phones, eliminating additional hardware costs and maintenance costs.
Data access – notifications are sent through data networks, so in order for this method to be applied, the user must have data access.
Security issues – the user might accidentally approve a fraudulent transaction because of the habit of automatically approving incoming notifications.
Dependency – Push notification authentication demands having an appropriate mToken application installed on a user's device, as well as mToken activation, i.e., it requires certain actions to be undertaken in order for the authentication method to be available to the cardholder.
Behavioral authentication verifies a user's identity based on unique patterns recorded during interaction with devices (e.g., smartphone, tablet, computer). Identification factors include everything from the angle at which the user is holding their phone to pressure applied while typing. This type of authentication method allows for a genuinely frictionless experience without having to worry about the level of security it is providing the user with.
Simple to use – straightforward authentication process.
Hard to spoof – just like the fingerprint and retina are unique by definition for each individual, the same applies to the way a user interacts with their device.
Great user experience – the authentication process is passive, and friction is out of the equation.
Case sensitive – can be affected by the user's physical state and emotional behavior.
Invasion of privacy – the major issue users have with this method is privacy concerns. What disturbs users the most is not knowing what data is actually collected, who has access to it, and how it is going to be used in the future. How far is too far?
Biometrics are physical or behavioral traits that, by default, uniquely identify a user. That makes biometrics one of the most secure means of authentication in online payments.
Physical biometrics commonly include factors such as fingerprint, iris scan, or face and voice recognition. Behavioral biometrics took it up a notch and observed the way users interact with the device being used to authenticate themselves. These factors range from the angle at which a user typically holds their smartphone to the speed of typing on the keyboard.
Both physical and behavioral traits are extremely hard to spoof, making biometric authentication the most secure and reliable way of validating someone's identity.
As the Second Payment Services Directive (PSD2) required Strong Customer Authentication (SCA) to become a standard, biometrics were of major importance. SCA is making sure that online payments are processed using multi-factor authentication, meaning that the user must verify their identity using two out of three factors from the following categories: knowledge, possession, and inherence. The inherence part represents ''something that the user is'', and therefore, relies on biometrics.
3D Secure 2, enhanced with SCA requirement, adopted biometric authentication as one of the standard methods for authenticating cardholders. This update brought improved customer experience and satisfaction because of less friction during online payment processing. Merchants and issuers thrive on biometric authentication because of reduced chargeback costs and cart abandonment rates. All thanks to heightened security measures and a straightforward authentication process enabled by biometrics.
There are many benefits biometric authentication provides to its stakeholders.
Biometrics provide unmatched protection against fraudulent activities taking place in the online payments environment. Even if a fraudster gets a hold of the cardholder's pin or password, multi-factor authentication involving biometrics makes it hard, if not impossible, for the perpetrator to fake a fingerprint scan in order to process a fraudulent payment.
Although the technical backend responsible for successful biometric authentication is complex, the user's point of view is simple and convenient. Biometrics are quicker than standard authentication methods involving PINs and passwords containing special characters and uppercase letters. Also, users oftentimes can't keep track of their credentials due to the extensive number of accounts an average person owns. Passwords can be forgotten. Fingerprints, on the other hand, are not likely to be.
PINs and passwords are often shared. Sometimes to a trusted party, other times to a fraudster with bad intentions. Biometrics are non-transferable, meaning that the rightful cardholder has to be present upon authentication in order for it to be successful.
Biometric authentication relies on physical traits that are unique by default, meaning that there is no other person who shares that same feature. Additionally, physical factors such as face patterns and iris scans are extremely hard to replicate with today's technology.
Alongside existing biometric factors, others are waiting to be researched and implemented, becoming the standard trait used for biometric authentication.
One of those fresh features is vein-patterning. A blood vessel pattern on a person's hand is also a unique trait and can be used for authentication. Veins on a person's hand are mapped using infrared light. It is considered one of today's most advanced identification methods, even more precise than iris scans.
Gait recognition is based on a person's locomotive system. Supposedly, we all walk a bit differently and use different hand movements while doing it. Based on that fact, the idea of gait recognition came to life and might become a standard authentication method in the biometrics category.
We are excited to be a part of future development by implementing biometrics in our solutions!
The latest upgrade of the 3D Secure 2 protocol includes multiple new features, one of them being Decoupled Authentication, an authentication method that allows cardholder authentication to be performed separately from the payment workflow/process and without the customer interacting with the online merchant. Authentication responsibility is shifted to the Issuing Bank, enabling cardholder authentication to be executed even when the cardholder is offline.
Standard 3D Secure authentication, whether browser or in-app, takes place in real time, meaning that the authentication is performed during the payment process. The challenge screen is displayed to the cardholder while the checkout is taking place, giving them a predefined timeframe to complete the given challenge.
Alternatively, decoupled customer authentication is performed without interacting with the online merchant's webshop or app. This type of authentication verifies the transaction by using a different channel (e.g., push notification, email). The timeframe in which decoupled authentication may take place is set by the merchant, ranging from just a few days up to a week.
Decoupled Authentication is introduced in 3D Secure protocol version 2.2 and is a natural progression from Out-of-Band Authentication (OOB). With OOB, the Issuer sends a Push Notification to a mobile or banking application, which prompts the cardholder to complete the authentication process. Decoupled Authentication allows the cardholder several days to complete the authentication process. It is ideal when the cardholder is not immediately available for authentication, but authentication is required. Therefore, decoupled authentication is a type of Merchant-Initiated Transaction (MIT), and it is applicable to all device channels: browser, app, and 3RI.
Decoupled authentication flow enables customer authorization at a time different from when the transaction took place and on a different device (e.g., smartphone, desktop, tablet).
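As an added example (not code from the original page or from ASEE's products), the following Python sketch models the issuer-side bookkeeping the decoupled flow described above requires: the merchant sets a completion window, the issuer sends the required data elements over an out-of-band channel, and the cardholder approves or declines later, on a different device. Names such as `DecoupledAuthStore`, the one-to-seven-day bounds and the sample transactions are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict

# Assumed bounds for the merchant-set window: the text says "a few days up to a week".
MIN_DAYS, MAX_DAYS = 1, 7


@dataclass
class PendingAuth:
    tx_id: str
    merchant_name: str
    amount: str
    reason: str
    expires_at: datetime
    status: str = "pending"   # pending -> authenticated | declined | expired


class DecoupledAuthStore:
    """Issuer-side record of authentications opened outside the checkout flow (hypothetical)."""

    def __init__(self) -> None:
        self._pending: Dict[str, PendingAuth] = {}

    def open(self, tx_id: str, merchant_name: str, amount: str, reason: str,
             now: datetime, merchant_days: int) -> dict:
        """Register a decoupled authentication and build the out-of-band payload."""
        days = min(max(merchant_days, MIN_DAYS), MAX_DAYS)   # clamp to the allowed window
        auth = PendingAuth(tx_id, merchant_name, amount, reason, now + timedelta(days=days))
        self._pending[tx_id] = auth
        # The data elements the cardholder needs to judge the request: merchant name,
        # amount, reason for the additional authentication, and the deadline.
        return {"tx_id": tx_id, "merchant": merchant_name, "amount": amount,
                "reason": reason, "complete_by": auth.expires_at.isoformat()}

    def complete(self, tx_id: str, now: datetime, approved: bool) -> str:
        """Cardholder answers later, from any device; late answers are rejected as expired."""
        auth = self._pending.get(tx_id)
        if auth is None:
            return "unknown"
        if auth.status != "pending":
            return auth.status            # already decided; answering twice changes nothing
        if now > auth.expires_at:
            auth.status = "expired"
        else:
            auth.status = "authenticated" if approved else "declined"
        return auth.status


if __name__ == "__main__":
    # Constructed sample: a three-day window, answered two days later.
    t0 = datetime(2021, 3, 1, 10, 0)
    store = DecoupledAuthStore()
    print(store.open("tx-1", "Example Webshop", "120.00 EUR", "unknown device", t0, 3))
    print(store.complete("tx-1", t0 + timedelta(days=2), approved=True))
```

The store is deliberately separate from the checkout: the merchant learns the result through the normal 3DS result messages, never by talking to the cardholder.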
The standard decoupled authentication method applies the following flow:
For the authentication process to run smoothly, it is vital that the cardholder is provided with all necessary data elements, such as merchant name, incremental transaction amount, and the reason for additional authentication, thereby making the user experience as seamless as possible.
If the Issuing Bank wants to authenticate their cardholder outside of the standard 3D Secure authentication flow, decoupled authentication may be applied.
Use cases are the following:
Our research shows that within the MEA region, the majority of transactions are done using the 3DS1 protocol with SMS OTP authentication methods, which do not protect buyers to the same extent as the new authentication methods supported by 3DS2. We found that more than 60% of issuing banks have not yet migrated their cards to 3DS2.
The 3DS2 protocol is able to acquire ten times more data during the message flow, approximately 300 data elements. This data is primarily obtained from the merchant's site and the buyer's devices. It is further used to evaluate the risk level of the transaction taking place. Based on this risk evaluation, Strong Customer Authentication will be required, or a Frictionless Transaction will take place. This data enables the financial institution, bank, or card issuer to get to know their customers and potentially release them from additional authentication steps through the frictionless transaction process.
Frictionless Transaction is the second big deal when it comes to 3DS2 over the original 3DS protocol. It is aligned with the PSD2 requirement and exempts SCA when the transaction is evaluated low risk.
As mentioned above, to evaluate the risk, banks perform behavioral analysis on the transaction data acquired from their customers and identify deviations from regular transactions and buyer behavior. A frictionless transaction can also take place for low-amount payments, i.e., under 30 EUR as defined in PSD2; these are exempted from further evaluation and processed frictionlessly.
3DS2 supports technology to smoothly integrate 3D Secure flow with mobile in-app payment services and avoid HTTP redirections for authentication on mobile devices. One of the reasons many card issuers or banks had for abandoning 3DS transactions on mobile devices was HTTP redirection.
Static passwords are very weak in assuring authentication and not particularly user-friendly. In cases where they are not often used, static passwords often get forgotten, and in this case, additional friction in the transaction process is required. Strong Customer Authentication (SCA) requires that two out of three secure elements – inherence, possession, and knowledge – be used as a part of the authentication process. Inherence elements are something the buyer presents to, say, a mobile device, i.e. a fingerprint scan, face or voice recognition, or other biometric or behavioral data. Possession elements are what the buyer owns, such as a HW token or a mobile phone containing a mobile token for generating a One Time Password. It should also be noted that the card also counts as a possession element, but only if it has been verified by a card reader, not by readable data printed on the card itself. Finally, the knowledge element is something that the user knows by heart, i.e. a PIN, password, or a security question.
3DS2 relies on Strong Customer Authentication (SCA) methods. The most acceptable method is push with biometry, which combines a top-notch user experience with the highest level of security using strong authentication methods. The push method exchanges transaction data from an eCommerce website to the buyer's mobile phone as well as the banking authentication application. This ensures the so-called Dynamic Linking and prevents man-in-the-middle attacks as well as potential changes to the payee's account and/or charge amount, by signing the critical data. Biometry will be used to associate the buyer with ''something that they are'', on a device they use, which is ''something they own''.
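Dynamic Linking comes up several times on this page (the biometrics pros, the push-based pros, and the paragraph above). As an added example that is not code from the original page or from ASEE's products, the Python below shows the core of it: the cardholder's app computes an authentication code over the exact payee and amount it displayed, and the issuer recomputes that code over the transaction it is about to authorize, so a changed amount or payee, or a replayed approval, fails verification. The device key, the `challenge_id` field and the `IssuerVerifier` class are assumptions; a real deployment keeps the key in the phone's secure hardware and releases it only after the biometric check.

```python
import hashlib
import hmac
import json

# Constructed placeholder: in practice a per-device secret established during mToken
# activation and stored in the phone's trusted environment, never a fixed constant.
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def canonical(tx: dict) -> bytes:
    # Deterministic encoding so the app and the issuer sign exactly the same bytes.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(device_key: bytes, tx: dict) -> str:
    """Cardholder side: the push screen shows payee and amount; once the user approves
    (e.g. fingerprint unlocks the key), the app returns a code bound to those values."""
    return hmac.new(device_key, canonical(tx), hashlib.sha256).hexdigest()


class IssuerVerifier:
    """Issuer side (hypothetical): recompute the code over the transaction about to be
    authorized and refuse codes that were already accepted once."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key
        self._used_challenges = set()

    def verify(self, tx: dict, code: str) -> bool:
        expected = sign_transaction(self._key, tx)
        if not hmac.compare_digest(expected, code):
            return False   # amount, payee or challenge id differ from what the user approved
        if tx["challenge_id"] in self._used_challenges:
            return False   # the same approval presented a second time
        self._used_challenges.add(tx["challenge_id"])
        return True


def demo() -> dict:
    # Constructed transaction as displayed to the cardholder. challenge_id is assumed to be
    # issued by the issuer per authentication attempt, which makes each approval single-use.
    approved = {"challenge_id": "c-7f3a", "payee": "Example Webshop",
                "amount": "49.90", "currency": "EUR"}
    code = sign_transaction(DEVICE_KEY, approved)
    verifier = IssuerVerifier(DEVICE_KEY)
    results = {"genuine": verifier.verify(approved, code)}
    # Anything altered in transit after approval no longer matches the signed data.
    results["amount_changed"] = verifier.verify(dict(approved, amount="4990.00"), code)
    results["payee_changed"] = verifier.verify(dict(approved, payee="Other Shop"), code)
    # Presenting the genuine approval again is refused as well.
    results["replayed"] = verifier.verify(approved, code)
    return results


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this is that the security comes from what is signed, not from the channel: if the app signed only a session id, a changed amount would still verify.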
QR codes with biometry can provide a similar user experience to push with biometry and can be combined with either biometry, fingerprint, or face recognition. However, face recognition is not as widely accepted as the fingerprint method.
For buyers who don't have mobile devices with fingerprint readers, PIN numbers or passwords can be used for buyer authentication, but to ensure SCA, it must be combined with OTP.
One of the widespread old authentication methods is HW and SW tokens used for generating OTP transaction signatures. However, nowadays, buyers demand a smooth, fast and frictionless user experience. This method requires transaction data to be entered manually into an HW/SW token and the calculated OTP to be retyped into the webshop. This may cause prolonged checkout time and possible errors during the re-typing stages. Thus, this method should only be used as a fallback method when push/QR code/biometry cannot be completed due to technical restrictions.
Risk-Based Authentication is a dynamic, parameter-driven system that determines the risk level of an individual transaction and appoints an appropriate customer authentication method accordingly. By applying such an approach, RBA helps prevent various types of attacks present during the processing of online payments.
To score a transaction, data about typical user behavior is necessary. RBA collects and analyzes parameters such as:
Based on mentioned parameters, a transaction is deemed either low, medium, or high risk.
In case of a low-risk transaction, the customer is able to process a payment without applying further authentication.
In case of a medium risk transaction (e.g., unknown device), the customer is asked to provide additional information in order to process a payment.
In case of a high-risk transaction (e.g., unusually high transaction amount, unfamiliar location), the user is automatically denied access and cannot process the payment.
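As an added example that is not code from the original page or from any ASEE product, the Python below reproduces the three outcomes just listed (and the new-customer versus known-device scenario from the Risk-Based Authentication section earlier on the page) with a small parameter-driven scorer. The weights, thresholds, `CardProfile`/`Transaction` types and sample profiles are all assumptions; a real issuer tunes these on its own fraud data and uses far more of the roughly 300 data elements the page mentions.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Set, Tuple


@dataclass
class CardProfile:
    """What the issuer's risk engine has learned about a card (constructed)."""
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    past_amounts: List[float] = field(default_factory=list)   # empty for a new customer


@dataclass
class Transaction:
    amount: float
    device_id: str
    country: str
    new_delivery_address: bool = False


# Assumed weights and thresholds, chosen so the text's three outcomes are reproducible.
W_NEW_CUSTOMER = 20
W_UNKNOWN_DEVICE = 20
W_UNUSUAL_AMOUNT = 30
W_UNFAMILIAR_LOCATION = 30
W_NEW_DELIVERY_ADDRESS = 10
MEDIUM_FROM = 20
HIGH_FROM = 60


def risk_score(profile: CardProfile, tx: Transaction) -> int:
    score = 0
    if not profile.past_amounts:
        score += W_NEW_CUSTOMER                  # no transaction history for this card
    elif tx.amount > 3 * mean(profile.past_amounts):
        score += W_UNUSUAL_AMOUNT                # far above this cardholder's usual spend
    if tx.device_id not in profile.known_devices:
        score += W_UNKNOWN_DEVICE
    if profile.usual_countries and tx.country not in profile.usual_countries:
        score += W_UNFAMILIAR_LOCATION
    if tx.new_delivery_address:
        score += W_NEW_DELIVERY_ADDRESS
    return score


def risk_level(score: int) -> str:
    if score >= HIGH_FROM:
        return "high"
    if score >= MEDIUM_FROM:
        return "medium"
    return "low"


def decide(profile: CardProfile, tx: Transaction) -> Tuple[str, str, int]:
    """Map the score to the action the text describes: frictionless, challenge, or deny."""
    score = risk_score(profile, tx)
    level = risk_level(score)
    action = {"low": "frictionless", "medium": "challenge", "high": "deny"}[level]
    return action, level, score


# Constructed sample profiles and transactions.
RETURNING = CardProfile(known_devices={"dev-A"}, usual_countries={"HR"}, past_amounts=[40.0, 55.0, 60.0])
NEW_CUSTOMER = CardProfile()

if __name__ == "__main__":
    print(decide(RETURNING, Transaction(52.0, "dev-A", "HR")))      # frictionless
    print(decide(RETURNING, Transaction(52.0, "dev-B", "HR")))      # challenge: unknown device
    print(decide(NEW_CUSTOMER, Transaction(52.0, "dev-X", "HR")))   # challenge: no history
    print(decide(RETURNING, Transaction(900.0, "dev-A", "BR")))     # deny: amount and location
```

Note that a location check is skipped for a brand-new card, since there is no "usual" country yet; treating missing history as an unfamiliar location would push every first purchase into the deny bucket.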
Risk-Based Authentication does not only help prevent unauthorized processing of transactions but also significantly improves the customer experience by eliminating user friction. In other words, RBA promotes a smooth user experience for legitimate customers while making things difficult for fraudsters.
The end goal regarding the user experience is to determine the level of risk for each individual transaction in order to avoid unnecessary authentication steps for low-risk transactions. By doing so, user friction is removed from the equation, making the processing of a transaction both secure and enjoyable for the customer.
With better customer experience comes customer loyalty. Studies have shown that banks that approached digital transformation by implementing RBA enabled quality engagement with their customers making them less likely to switch.
RBA is responsible for cutting fraud-related losses. By implementing Risk-Based Authentication, banks are able to detect and prevent fraudulent activities, resulting in a decrease of chargeback costs.
Strong Customer Authentication required by the PSD2 directive implies verification by selecting two out of three authentication elements: something you know (e.g., PIN, password), something you own (e.g., smartphone, HW token), and something you are (e.g., fingerprint, face recognition).
Thanks to RBA, not all 3D Secure payments demand SCA. SCA exemptions are based on Risk-Based Analysis, enabling less friction without compromising on security. In other words, RBA allows the customer to avoid an authentication step while keeping the transaction secure.
SCA exempted scenarios relying on RBA are the following:
Low-value payment – Transactions below 30 euros are considered low value and do not require an additional authentication step during the processing of a transaction. However, if a customer initiates more than five such transactions or the cumulative value of the transaction exceeds 100 euros, SCA will be applied.
Merchant whitelist / Trusted beneficiary - A cardholder is enabled to flag individual online merchants as ''trusted'' with their issuing bank in order to avoid SCA during the checkout process.
Transaction Risk Analysis exemption – The most sophisticated exemption involving several different factors that need to be taken into account (e.g., overall fraud rate for that particular type of transaction).
Secure Corporate Payment exemption – A transaction initiated by a legal person rather than a customer that does not require an additional authentication step.
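The exemption rules above are decision logic, so as an added example (not code from the original page or from ASEE) the Python below applies them per card: the low-value exemption with the 30 euro, five-transaction and 100 euro limits stated in the text, the trusted-beneficiary list, the corporate flag, and Transaction Risk Analysis. The TRA amount ceilings keyed to the acquirer's reference fraud rate come from the PSD2 Regulatory Technical Standards (Article 18), not from this page; the `CardState`/`Payment` types, field names and sample payments are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Limits stated on the page for the low-value exemption.
LOW_VALUE_LIMIT = 30.0            # per-transaction ceiling in EUR
LOW_VALUE_MAX_COUNT = 5           # exempted transactions allowed since the last SCA
LOW_VALUE_MAX_CUMULATIVE = 100.0  # exempted amount allowed since the last SCA

# TRA ceilings from the PSD2 RTS (Article 18): (max reference fraud rate, max amount in EUR).
TRA_CEILINGS = [(0.0001, 500.0), (0.0006, 250.0), (0.0013, 100.0)]


@dataclass
class CardState:
    """Per-card counters the issuer must keep for the low-value exemption (constructed)."""
    count_since_sca: int = 0
    amount_since_sca: float = 0.0
    trusted_merchants: Set[str] = field(default_factory=set)


@dataclass
class Payment:
    merchant: str
    amount: float
    corporate: bool = False                    # initiated by a legal person
    acquirer_fraud_rate: Optional[float] = None  # acquirer's reference fraud rate, if known


def tra_ceiling(fraud_rate: float) -> float:
    """Largest amount TRA may exempt for a given reference fraud rate (0 if rate too high)."""
    for max_rate, ceiling in TRA_CEILINGS:
        if fraud_rate <= max_rate:
            return ceiling
    return 0.0


def sca_decision(state: CardState, p: Payment) -> Tuple[bool, str]:
    """Return (sca_required, reason) and update the card's counters accordingly."""

    def exempt(reason: str) -> Tuple[bool, str]:
        # Every exempted transaction counts toward the low-value limits until SCA is next applied.
        state.count_since_sca += 1
        state.amount_since_sca += p.amount
        return False, reason

    def require() -> Tuple[bool, str]:
        state.count_since_sca = 0          # applying SCA resets both counters
        state.amount_since_sca = 0.0
        return True, "sca_required"

    if p.merchant in state.trusted_merchants:
        return exempt("trusted_beneficiary")
    if p.corporate:
        return exempt("secure_corporate_payment")
    if (p.amount <= LOW_VALUE_LIMIT
            and state.count_since_sca < LOW_VALUE_MAX_COUNT
            and state.amount_since_sca + p.amount <= LOW_VALUE_MAX_CUMULATIVE):
        return exempt("low_value")
    if p.acquirer_fraud_rate is not None and p.amount <= tra_ceiling(p.acquirer_fraud_rate):
        return exempt("transaction_risk_analysis")
    return require()


def run_sequence(state: CardState, payments: List[Payment]) -> List[Tuple[bool, str]]:
    return [sca_decision(state, p) for p in payments]


if __name__ == "__main__":
    # Constructed sample: six 20 EUR purchases; the sixth exceeds both the count and the cumulative limit.
    card = CardState(trusted_merchants={"Trusted Shop"})
    for outcome in run_sequence(card, [Payment("Shop A", 20.0)] * 6):
        print(outcome)
```

Keeping the counters on the issuer side matters: the merchant can request an exemption, but only the issuer knows how many exempted transactions this card has made since it last challenged the cardholder.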
Over the years, eCommerce became an efficient and effective way for consumers to shop for goods and services from the comfort of their own homes. Online shopping provides a convenient way of purchasing for cardholders due to the wide offering in all market segments, 24/7 availability, delivery tracking, and the convenience of online card payments.
Increased number of online transactions also opened doors for less wanted activities, one of them being fraudulent use of payment cards. To tackle this challenge, Visa introduced the 3D Secure 1 protocol through its Verified by Visa program in 2001. Other credit card schemes were quick to adopt the protocol as well, in order to secure online payments.
Nowadays, consumers have more ways to pay than ever before, whether through a browser, mobile app, or a connected device. Another trend is that online shopping is moving from the desktop to the smartphone, which results in the fact that today more than 45% of eCommerce traffic is mobile.
The original protocol from 2001 could not predict this trend, and it was never designed with the proliferation of mobile in mind. This caused poor user experience on mobile devices and hampered the use of the latest trends in authentication methods.
It was evident that 3D Secure needed an upgrade. 3D Secure 2 protocol was developed to provide the best possible user experience in online shopping while having online payment security in mind. The end goal was to make online transactions both more secure and friction-free while making the authentication experience as smooth as possible.
EMV 3D Secure is a messaging protocol that promotes easy consumer authentication while making card-not-present eCommerce purchases. It enables consumers to actively authenticate themselves with their card issuer if cardholder verification is required.
3D Secure stands for ''Three Domain Secure'' and involves the following domains:
After the customer enters their payment information during checkout, they are redirected to their credit or debit card issuer's 3D Secure web page. Here they are required to provide one of the following:
In case of a frictionless transaction, the customer won't have to provide any further information: the payment is approved by the card issuer on the basis of a behavioral analysis of the buyer that confirms their authenticity. Otherwise, once the correct data is entered, the card issuer approves the payment.
Finally the customer is redirected to the initial website containing an order confirmation notification. It's that easy!
Since 3D Secure has many parties involved, we are going to summarize benefits for each participant. We already mentioned ultimate security and smooth user experience, but there are many more to discuss when talking about 3D Secure.
Regardless if a purchase is being processed online or in a physical store using a payment card, payment systems operate digitally, making both merchants and consumers vulnerable to third party attacks.
However, in-store purchases are still considered more secure because of visible proof of card possession as well as chip-and-PIN authentication. E-commerce is considered more vulnerable to third party attacks since it lacks face-to-face interaction. The additional rise in online traffic caused by the Covid-19 pandemic makes eCommerce a greenfield for fraudsters.
According to the American Express Digital Payments Survey in 2019, 27% of online sales are classified as fraudulent online transactions, making merchants eagerly search for a solution that provides both security and a seamless checkout experience for consumers. The survey also indicates that as many as 82% of merchants feel vulnerable when it comes to mobile transactions and 79% state that they feel the same way about website payments.
Like merchants, cardholders are exposed to payment card fraud, which is confirmed by 42% of respondents who state that they have been victims of attacks directed to the theft of their credit/debit card information. These statistics explain why cardholder confidence in online payments is decreasing, thus causing a spike in cart abandonment rates. At the same time, cardholders are not satisfied with the online checkout processes involving various passwords and PINs, stating that they are oftentimes confusing and cause them to abandon their purchase.
It is evident that major security measures need to be undertaken in order to protect both merchants and cardholders from fraudulent activities. The solution lies in 3D Secure authentication, implementing Strong Customer Authentication (SCA), enabling maximum security accompanied by a smooth user experience. This protocol provides benefits to all of its stakeholders, making it a universal solution that addresses all pain-points present in the online payment ecosystem.
Payment card fraud is a term used for fraud committed using a credit/debit card without the authorization of its genuine owner, the cardholder. Motives behind such activities vary from obtaining goods or services to making payments to other accounts without the cardholder's consent.
Such actions cause tremendous losses, which is confirmed by the data published on merchantsavvy.co.uk. The latest statistics state that fraud losses in 2019 reached $30.07 billion, and the projected loss for 2027 amounts to $40.67 billion. These losses need to be accounted for, putting issuers and merchants in an unenviable position.
Now that we have the numbers and understand the severity of this trend, let's examine common types of online payment card fraud.
Card-Not-Present (CNP) Fraud is a type of online payment fraud that typically occurs when making either online or telephone transactions. In order to commit such a scam, the fraudster needs to obtain the following details: cardholder's name, billing address, card number, three-digit security code (CVV), and card expiration date. What makes CNP fraud even more alarming is the fact that some processors do not even check the CVV number.
The most common way of obtaining this data is through phishing, i.e., creating a replica of an original webpage, a personalized email, or a text message so that the cardholder thinks they are interacting with a legitimate business. That way, the cardholder is confident that they are giving their personal information, such as an account number or a username and password, to a trusted party. With that information, the fraudster can easily process online payments without the cardholder's knowledge. Another method is hacking, a direct attack on a system that legitimately stores financial information, e.g., the computer system of a hotel. Stolen payment card information is usually sold online for further fraudulent use.
In the case of CNP Fraud, the merchant is liable for the loss, which leads to decreased revenue.
Account Takeover (ATO) Fraud involves a hacker who acquires access to an account that does not belong to them, with the end goal of making a profit using the account's value. Account takeover is done in a very sophisticated manner so that the rightful owner of the account does not notice any suspicious activity. These activities range from changing a password or updating a shipping address to processing unauthorized online payments or money transfers.
Fraudulent account takeover activities result in increased chargebacks and customer disputes, loss of customer trust, and a damaged brand image. Oftentimes, an eCommerce company is just as unaware of the fraud being committed as the unsuspecting owner of the account, making the scam extremely hard to detect and the chargeback costs hard to prevent.
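The sequence described above (a sensitive account change followed shortly by a purchase) is exactly the kind of pattern a merchant's fraud team can look for in its own event logs. The following is an added example, not code from the original article or from any 3D Secure vendor: it runs a simple correlation rule over a constructed set of account events and flags purchases that were preceded, within an assumed 24-hour window, by a password change or a shipping address update. The event format, account identifiers and the window are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (ISO timestamp, account id, event type, detail).
SAMPLE_EVENTS = [
    ("2021-03-01T10:00:00", "acct-1001", "login", "ip=198.51.100.7"),
    ("2021-03-01T10:02:00", "acct-1001", "password_change", ""),
    ("2021-03-01T10:05:00", "acct-1001", "shipping_address_update", "new address"),
    ("2021-03-01T10:20:00", "acct-1001", "purchase", "amount=480.00"),
    ("2021-03-02T09:00:00", "acct-2002", "login", "ip=203.0.113.9"),
    ("2021-03-02T09:30:00", "acct-2002", "purchase", "amount=25.00"),
    ("2021-02-20T08:00:00", "acct-3003", "shipping_address_update", "moved house"),
    ("2021-03-03T12:00:00", "acct-3003", "purchase", "amount=60.00"),
]

# Account changes that, shortly before a purchase, are typical of a takeover.
SENSITIVE_CHANGES = {"password_change", "shipping_address_update"}
# Assumed look-back window; a real deployment tunes this against its own history.
WINDOW = timedelta(hours=24)


def find_ato_candidates(events, window=WINDOW):
    """Return {account: [(purchase_time, [preceding sensitive changes]), ...]}
    for every purchase that has at least one sensitive change within `window` before it."""
    by_account = defaultdict(list)
    for ts, account, event_type, detail in events:
        by_account[account].append((datetime.fromisoformat(ts), event_type, detail))

    flagged = {}
    for account, account_events in by_account.items():
        account_events.sort()  # chronological order
        for when, event_type, _ in account_events:
            if event_type != "purchase":
                continue
            preceding = sorted(
                {etype for (t, etype, _) in account_events
                 if etype in SENSITIVE_CHANGES and when - window <= t <= when}
            )
            if preceding:
                flagged.setdefault(account, []).append((when.isoformat(), preceding))
    return flagged


if __name__ == "__main__":
    for account, hits in find_ato_candidates(SAMPLE_EVENTS).items():
        for purchase_time, changes in hits:
            print(f"{account}: purchase at {purchase_time} preceded by {', '.join(changes)}")
```

Only acct-1001 is flagged: acct-2002 made no sensitive change, and acct-3003 updated its address eleven days before buying, well outside the window. A hit is a signal to step up authentication (for example, to request a 3D Secure challenge) rather than proof of fraud.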
Friendly Fraud might sound harmless, but the truth is, it is as damaging as all other types of payment card fraud.
The main difference between friendly fraud and other types of fraud is the identity of the perpetrator. Commonly, the fraudster uses a stolen identity in order to profit from the committed fraud. However, friendly fraud is conducted by the actual cardholder, a person originally authorized to use the payment card. There are a few common types of friendly fraud nowadays, and we are going to describe each of them using a simple scenario.
This type of fraud involves an online purchase made by a family member without the authorization of the rightful cardholder. Another possible scenario is that the cardholder genuinely does not remember purchasing certain goods and opens a customer dispute demanding a refund.
In this scenario, the cardholder initiates a customer dispute regarding a store policy (e.g., the merchant offers credits for future purchases instead of refunds) or because they simply regret their purchase while demanding a full refund.
The goal of Malicious Friendly Fraud is to gain an item without paying for it. This is often done by opening a customer dispute, claiming that the ordered product was never delivered to the cardholder's address, demanding a full refund.
Loyalty program fraud, or reward points fraud, refers to exploiting a loyalty program for personal gain. Since loyalty fraud is often a part of ATO fraud, involving a perpetrator logging into a cardholder's account using legitimate credentials, it is extremely hard to detect and prevent. But this is not the only way to game the system. Loyalty fraud comes in different shapes and forms, and to explain them, we need to take a look at the main actors involved in reward points fraud.
In this scenario, the fraudster is an outsider that has nothing to do with the organization which offers a loyalty program. Hackers exploit loyalty program systems by finding their weak spots or simply taking advantage of weak customer passwords. That way, the fraudsters are able to access the account containing reward points and use them for their own benefit (e.g., claim free products, get discount codes, resell the points on the ''hacker bazaar'').
Oftentimes the fraudster is an employee of the business offering the loyalty program. A common scenario is a situation in which a customer does not use their loyalty card (they did not sign up for the loyalty program, or they simply forgot the card), and a staff member credits the purchase to their own account for personal gain.
Customers who signed up for a loyalty program tend to ''game the system'' in various ways. One way to claim rewards is by buying an expensive item that generates a lot of points, only to cancel the purchase after the prize is redeemed. Furthermore, customers are no strangers to selling their points since most loyalty programs allow gifting points to other customers. This opens an opportunity for a customer to sell their points, which is usually strictly prohibited.
All of the previously mentioned types of payment card fraud have one thing in common: they result in chargebacks. A chargeback is the amount returned to the cardholder after they successfully file a customer dispute regarding a product or a service. Chargeback costs should not be taken lightly, since the merchant (or issuing bank) is obliged to refund the amount of the disputed purchase to the account owner without ever getting the product back. Another threat lies in the fact that if the chargeback rate is higher than acceptable, processing companies might raise the fees for each transaction. These costs can have detrimental effects on a business, especially in the case of SMEs and start-ups.
We can't wipe out fraud from the equation, but what we can do is heighten the security measures and protect merchants and issuing banks from chargebacks. The new generation of 3D Secure enables ultimate security accompanied by a smooth user experience, resulting in consumer confidence in online payments and reduced chargeback rates. By implementing Strong Customer Authentication required by PSD2, online payments are enriched with another layer of security while ensuring a seamless customer experience during the processing of online payments.
3D Secure can successfully fight common CNP, ATO, and friendly fraud. However, since 3D Secure can be implemented in non-payment environments and transactions, it can also prevent loyalty fraud by protecting loyalty cards and cardholder authenticity.
The latest PSD2 regulation (the second Payment Services Directive by the European Union) required the implementation of Strong Customer Authentication (SCA) as a means of heightened security measures during the processing of online payments. Luckily, 3D Secure 2 is fully aligned with the PSD2 directive and includes SCA as a key feature that promotes safer-than-ever online payments.
As part of the PSD2 regulation launched in September 2019, the Strong Customer Authentication (SCA) requirement came into force. The regulation covers the types of payments that are impacted by SCA, as well as exempted payment scenarios that are not subject to the new requirement. To learn more about this topic, we prepared a short read covering the definition of SCA, how it works, and online payment scenarios in which SCA is not necessary.
Strong Customer Authentication (SCA) is defined as an additional layer of security for online payments. To make this definition more precise, we have to mention that the SCA is based on at least two pieces of information from the following categories:
In practical terms, this means that consumers will perform additional checks in order to verify their identity.
SCA is additionally enhanced with Dynamic Linking, which aims to prevent social engineering attacks such as the ''man-in-the-middle'' attack.
To ease the online payment process for both cardholders and merchants, PSD2 includes SCA exemptions, online payment scenarios that are not subject to the new requirement. It is important to emphasize that not all transactions that qualify for an SCA exemption will automatically be exempted. The issuing bank has the last word on whether the exemption is granted or not. In other words, even if the transaction meets all the criteria to be classified as an SCA exemption, the cardholder might still be obligated to authenticate themselves using the standard SCA method if the issuing bank requires such an approach.
The following transactions are classified as SCA exemptions:
Low-value transactions – online payments under 30 euros (limited by a certain number of possible low-value transactions in a day or by a cumulative value spent in a predefined time period).
Subscriptions and recurring payments – transactions whose value is the same each time a payment is being processed.
Transaction risk analysis – transactions that are deemed low risk based on predefined technical criteria rather than the transaction's value.
Whitelisting – a cardholder is enabled to flag individual online merchants as ''trusted'' with their issuing bank in order to avoid SCA during the checkout process.
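The four exemptions above, together with the rule that the issuer always has the final say, amount to a small decision procedure. The following is an added example, not code from the original article or from any 3D Secure implementation: it evaluates a transaction against the listed exemption criteria and then lets a hypothetical issuer callback accept or refuse each candidate exemption. The 30-euro limit comes from the text; the per-day count and cumulative-value limits on low-value transactions, the transaction risk analysis score and its threshold, and the counter reset after a completed challenge are assumed parameters chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

LOW_VALUE_LIMIT_EUR = 30.00            # from the text: online payments under 30 euros
# Assumed limits on how often the low-value exemption may be used before a challenge is forced;
# the text says such limits exist but does not give figures, so these are constructed values.
MAX_LOW_VALUE_COUNT = 5
MAX_LOW_VALUE_CUMULATIVE_EUR = 100.00
# Assumed cut-off for "low risk" under transaction risk analysis (score 0 = safest, 1 = riskiest).
TRA_LOW_RISK_THRESHOLD = 0.2


@dataclass
class CardState:
    """Per-card state the issuer keeps between transactions (constructed model)."""
    low_value_count: int = 0
    low_value_cumulative: float = 0.0
    trusted_merchants: Set[str] = field(default_factory=set)       # whitelisted by the cardholder
    recurring_mandates: Dict[str, float] = field(default_factory=dict)  # merchant -> fixed amount


@dataclass
class Transaction:
    merchant: str
    amount: float
    risk_score: float          # hypothetical output of a fraud-scoring engine
    recurring: bool = False


def candidate_exemptions(txn: Transaction, card: CardState) -> List[str]:
    """Exemptions the transaction qualifies for, in the order they are offered to the issuer."""
    reasons = []
    if (txn.amount < LOW_VALUE_LIMIT_EUR
            and card.low_value_count < MAX_LOW_VALUE_COUNT
            and card.low_value_cumulative + txn.amount <= MAX_LOW_VALUE_CUMULATIVE_EUR):
        reasons.append("low_value")
    # Recurring payments qualify only while the amount matches the agreed fixed amount.
    if txn.recurring and card.recurring_mandates.get(txn.merchant) == txn.amount:
        reasons.append("recurring")
    if txn.risk_score <= TRA_LOW_RISK_THRESHOLD:
        reasons.append("transaction_risk_analysis")
    if txn.merchant in card.trusted_merchants:
        reasons.append("whitelisting")
    return reasons


def decide(txn: Transaction, card: CardState,
           issuer_accepts: Callable[[str, Transaction], bool]) -> Tuple[str, Optional[str]]:
    """Return ("frictionless", reason) if the issuer grants an exemption, else ("challenge", None).
    `issuer_accepts` models the issuing bank's final say on each candidate exemption."""
    for reason in candidate_exemptions(txn, card):
        if issuer_accepts(reason, txn):
            if reason == "low_value":
                card.low_value_count += 1
                card.low_value_cumulative += txn.amount
            return ("frictionless", reason)
    # No exemption granted: the cardholder completes the SCA challenge. Assumed here:
    # a completed challenge resets the low-value counters.
    card.low_value_count = 0
    card.low_value_cumulative = 0.0
    return ("challenge", None)


if __name__ == "__main__":
    card = CardState(trusted_merchants={"trusted-shop"})
    accept_all = lambda reason, txn: True
    print(decide(Transaction("shop-a", 12.00, 0.5), card, accept_all))      # frictionless, low_value
    print(decide(Transaction("shop-a", 45.00, 0.5), card, accept_all))      # challenge
    print(decide(Transaction("trusted-shop", 250.00, 0.9), card, accept_all))  # frictionless, whitelisting
    # Same low-value purchase, but this issuer declines every exemption: the cardholder is challenged.
    print(decide(Transaction("shop-a", 12.00, 0.5), card, lambda r, t: False))
```

The last call is the point the text makes: qualifying for an exemption is a request from the merchant's side, and the issuer can still send the cardholder through the full SCA flow.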
Luckily for merchants and issuing banks, 3D Secure 2 is fully aligned with the PSD2 directive and includes SCA as a key feature that promotes safer-than-ever online payments.
Security concerns are not the only ones being taken care of by implementing the new 3D Secure 2 protocol. This upgrade solves the issue of high cart abandonment rates, promotes ''frictionless authentication'' and does not interfere with user experience during the online checkout process.
With PSD2 came Strong Customer Authentication, and with SCA came Dynamic Linking, a key component designed to prevent social engineering attacks during the processing of a transaction. It enhances SCA and is covered by the latest 3D Secure 2 upgrade.
SCA is an additional layer of security, based on at least two elements from the following categories: knowledge (something the cardholder knows, e.g., PIN, password), possession (something the cardholder owns, e.g., smartphone, token), and inherence (something the cardholder is, e.g., fingerprint, facial recognition, voice pattern).
Dynamic Linking aims to bind each transaction to its amount and to the recipient of the payment. The end goal is to prevent social engineering attacks such as the ''man-in-the-middle'' attack, where the fraudster attempts to interpose themselves in the connection between the payer and the payee and hijack the authentication code in order to authorize fraudulent transactions. If Dynamic Linking is applied, a ''man-in-the-middle'' attack won't succeed, because the authentication code is specific to the transaction details and automatically fails if either of them, the transaction amount or the payee, has been altered.
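The property described above, an authentication code that is only valid for one specific amount and payee, is easiest to see in code. The following is an added example, not code from the original article and not the scheme any particular 3D Secure access control server uses: it models the issuer deriving the code as an HMAC over the transaction identifier, amount and payee with an issuer-held key, and then checks what happens when a verifier is presented with the same code but a changed amount or a changed payee. The key, transaction identifier and payee names are constructed for illustration; real implementations also display the amount and payee to the cardholder before they approve.

```python
import hashlib
import hmac
import json
import secrets


def issue_auth_code(issuer_key: bytes, txn_id: str, amount: str, payee: str) -> str:
    """Issuer side: derive an authentication code that is bound to this transaction's
    amount and payee. Canonical JSON keeps the encoding unambiguous for both sides."""
    message = json.dumps(
        {"txn_id": txn_id, "amount": amount, "payee": payee}, sort_keys=True
    ).encode("utf-8")
    # Truncated to a display-friendly length; the full digest would be used in practice.
    return hmac.new(issuer_key, message, hashlib.sha256).hexdigest()[:16]


def verify_auth_code(issuer_key: bytes, txn_id: str, amount: str, payee: str, code: str) -> bool:
    """Issuer side, at authorization time: recompute the code from the details that are
    actually being authorized and compare in constant time."""
    expected = issue_auth_code(issuer_key, txn_id, amount, payee)
    return hmac.compare_digest(expected, code)


def demo():
    """Returns (genuine_ok, amount_tampered_ok, payee_tampered_ok)."""
    issuer_key = secrets.token_bytes(32)          # constructed per-run key
    txn_id, amount, payee = "txn-0001", "49.90", "Example Store Ltd"
    code = issue_auth_code(issuer_key, txn_id, amount, payee)

    genuine = verify_auth_code(issuer_key, txn_id, amount, payee, code)
    # An interposed party replays the cardholder's code against altered details:
    amount_tampered = verify_auth_code(issuer_key, txn_id, "4990.00", payee, code)
    payee_tampered = verify_auth_code(issuer_key, txn_id, amount, "Some Other Payee", code)
    return genuine, amount_tampered, payee_tampered


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Because the amount and payee are inputs to the code rather than merely shown next to it, the verifier needs no list of "known bad" modifications: any change to either field produces a different expected value, and the replayed code is rejected.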
Article 5 of the Regulatory Technical Standards (RTS) specifies the requirements for Dynamic Linking. Four main requirements need to be taken into account when discussing Dynamic Linking, and those are the following:
Implementation of SCA enhanced with Dynamic Linking impacts many participants involved in the online payment chain. To conclude, the main goals of these heightened security measures affecting the payment chain can be summarized as follows: