March 2, 2021

Enhancing 3D Secure with Risk-Based Authentication

To further increase the security of 3D Secure payments, Risk-Based Authentication (RBA) is introduced. Consider the following: a fraudster who has your credit card details wants to make a payment, but the system recognizes that something is off and either terminates the transaction automatically or requires additional authentication. How does this work? Let's explore RBA and find out which benefits it brings.

What is Risk-Based Authentication (RBA)?

Risk-Based Authentication is a dynamic, parameter-driven system that determines the risk level of an individual transaction and assigns an appropriate customer authentication method accordingly. By applying such an approach, RBA helps prevent various types of attacks that occur during the processing of online payments.

To score a transaction, data about the user's typical behavior is necessary. RBA collects and analyzes parameters such as:

  • Device: checks whether the customer is using a known device to make the payment
  • Location: checks the user's geolocation and time zone
  • Network: checks whether the IP address is familiar
  • Transaction amount: checks for deviations from the customer's transaction amount history
  • Number of transactions: checks for deviations from the customer's usual number of transactions
  • Delivery address: checks whether the delivery address is familiar from previous transactions

Based on these parameters, a transaction is deemed low, medium, or high risk.

In case of a low-risk transaction, the customer is able to process a payment without applying further authentication.

In case of a medium-risk transaction (e.g., unknown device), the customer is asked to provide additional authentication in order to process the payment.

In case of a high-risk transaction (e.g., unusually high transaction amount, unfamiliar location), the user is automatically denied and cannot process the payment.
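As an added illustration of the scoring described above (example code written for this article, not part of any RBA product), the snippet below evaluates the six listed parameters against a constructed cardholder profile, weights the flags, and maps the score to the three tiers and their actions. The weights, the "3x the average" deviation thresholds and the tier cut-offs are assumptions chosen so that an unknown device alone lands in the medium tier while an unfamiliar location or an unusually high amount alone lands in the high tier, as in the examples in the text.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed example of "typical user behaviour" for one cardholder (not real data).
@dataclass
class Profile:
    known_devices: set
    known_ips: set
    usual_country: str
    known_delivery_addresses: set
    amount_history: list     # past transaction amounts in EUR
    daily_tx_history: list   # past number of transactions per day

@dataclass
class Transaction:
    device_id: str
    ip: str
    country: str
    delivery_address: str
    amount: float
    tx_today: int            # transactions attempted today, including this one

PROFILE = Profile({"dev-A"}, {"203.0.113.7"}, "HR", {"Ilica 1, Zagreb"},
                  [20.0, 35.0, 50.0, 15.0], [1, 2, 1, 1])

def risk_signals(p: Profile, t: Transaction) -> dict:
    """Evaluate the six parameters listed above; True means the check raised a flag."""
    return {
        "unknown_device": t.device_id not in p.known_devices,
        "unusual_location": t.country != p.usual_country,
        "unknown_network": t.ip not in p.known_ips,
        "amount_deviation": t.amount > 3 * mean(p.amount_history),        # assumed: 3x average
        "velocity_deviation": t.tx_today > 3 * mean(p.daily_tx_history),  # assumed: 3x average
        "unknown_delivery_address": t.delivery_address not in p.known_delivery_addresses,
    }

# Assumed weights: an unfamiliar location or an unusually high amount alone reaches the high
# tier, an unknown device alone stays in the medium tier, matching the examples in the text.
WEIGHTS = {"unknown_device": 2, "unusual_location": 3, "unknown_network": 1,
           "amount_deviation": 3, "velocity_deviation": 2, "unknown_delivery_address": 2}

def assess(p: Profile, t: Transaction) -> tuple:
    """Return (tier, action): low -> frictionless, medium -> step-up challenge, high -> decline."""
    score = sum(WEIGHTS[k] for k, flagged in risk_signals(p, t).items() if flagged)
    if score == 0:
        return "low", "frictionless"
    if score <= 2:           # assumed cut-off between the medium and high tiers
        return "medium", "challenge"
    return "high", "decline"
```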

Benefits of implementing RBA

Risk-Based Authentication not only helps prevent unauthorized transactions but also significantly improves the customer experience by eliminating user friction. In other words, RBA promotes a smooth user experience for legitimate customers while making things difficult for fraudsters.

The end goal regarding the user experience is to determine the level of risk of each individual transaction in order to avoid unnecessary authentication steps for low-risk transactions. By doing so, user friction is removed from the equation, making the processing of a transaction both secure and pleasant for the customer.

With a better customer experience comes customer loyalty. Studies have shown that banks that approached digital transformation by implementing RBA achieved higher-quality engagement with their customers, making them less likely to switch.

RBA also cuts fraud-related losses. By implementing Risk-Based Authentication, banks are able to detect and prevent fraudulent activity, resulting in lower chargeback costs.

RBA as a stepping stone for SCA exemptions

Strong Customer Authentication, required by the PSD2 directive, means verification using two of three authentication elements: something you know (e.g., PIN, password), something you have (e.g., smartphone, hardware token), and something you are (e.g., fingerprint, face recognition).

Thanks to RBA, not all 3D Secure payments demand SCA. SCA exemptions are based on risk analysis, enabling less friction without compromising security. In other words, RBA allows the customer to skip an authentication step while keeping the transaction secure.

The SCA-exempt scenarios that rely on RBA are the following:

Low-value payment – Transactions below 30 euros are considered low value and do not require an additional authentication step during processing. However, if a customer initiates more than five such transactions or the cumulative value of such transactions exceeds 100 euros, SCA will be applied.

Merchant whitelist / Trusted beneficiary – A cardholder can flag individual online merchants as "trusted" with their issuing bank in order to avoid SCA during checkout at those merchants.

Transaction Risk Analysis exemption – The most sophisticated exemption, taking several different factors into account (e.g., the overall fraud rate for that particular type of transaction).

Secure Corporate Payment exemption – A transaction initiated by a legal person rather than an individual customer, which does not require an additional authentication step.
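The low-value and trusted-beneficiary rules above are concrete enough to express as issuer-side logic. The following tracker is an added example written for this article, not code from any issuer or from the TriDES2 product: it keeps per-card counters since the last SCA, grants the low-value exemption only while both the 5-transaction and 100-euro limits hold, and lets a whitelisted merchant bypass the counters. That any SCA resets the counters, and that a trusted-merchant payment does not count toward them, are assumptions of this example.

```python
LOW_VALUE_LIMIT_EUR = 30.0          # "below 30 euros" counts as low value
MAX_EXEMPTED_TRANSACTIONS = 5       # a sixth low-value payment triggers SCA
MAX_CUMULATIVE_EUR = 100.0          # exceeding 100 euros cumulatively triggers SCA

class LowValueExemptionTracker:
    """Per-card state an issuer keeps since the cardholder last completed SCA."""

    def __init__(self, trusted_merchants=None):
        # Merchants the cardholder has flagged as "trusted" with the issuing bank.
        self.trusted_merchants = set(trusted_merchants or ())
        self.exempted_count = 0       # low-value payments exempted since the last SCA
        self.exempted_total = 0.0     # their cumulative value in EUR

    def _reset_after_sca(self):
        # Assumption: once SCA has been performed, the counters start over.
        self.exempted_count = 0
        self.exempted_total = 0.0

    def decide(self, amount: float, merchant_id: str) -> str:
        """Return 'exempt' (no SCA challenge) or 'sca' and update the counters."""
        if merchant_id in self.trusted_merchants:
            # Trusted-beneficiary exemption; assumed not to count toward the low-value limits.
            return "exempt"
        if amount >= LOW_VALUE_LIMIT_EUR:
            self._reset_after_sca()          # not low value: SCA is performed
            return "sca"
        over_count = self.exempted_count + 1 > MAX_EXEMPTED_TRANSACTIONS
        over_total = self.exempted_total + amount > MAX_CUMULATIVE_EUR
        if over_count or over_total:
            self._reset_after_sca()          # limit reached: SCA is performed
            return "sca"
        self.exempted_count += 1
        self.exempted_total += amount
        return "exempt"
```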

For more information, contact our team at [email protected] to get a free, zero-obligation consultation or try our DEMO to see 3D Secure in action.

© Asseco South Eastern Europe 2018. All rights reserved