In Europe, the 2016 figures triggered the introduction and mandating of strong customer authentication (SCA) under PSD2. SCA is a security measure that helps reduce fraud and makes online payments more secure by adding an additional layer of authentication.
In Australia, things are also starting to move, with the introduction of AusPayNet’s CNP Fraud Mitigation Framework strategy. This outlines two approaches to reducing online payments fraud loss: risk-based authentication and/or deploying SCA.
Understanding the new AusPayNet framework
Both issuers and merchants are – understandably – asking themselves how they can work within the new AusPayNet framework, while also ensuring they deliver a positive customer experience and engender customer loyalty. To understand their challenge, it’s worth considering what SCA and risk-based authentication are, and how they might best be combined to achieve these desired goals.
SCA is essentially two-factor authentication. The SCA check requires authentication using two of the following three factors:
- Something the customer has, e.g., a card, token or phone
- Something the customer knows, e.g., a PIN or password
- Something the customer is, e.g., biometrics – fingerprint or face recognition
Under Australia’s CNP Fraud Mitigation Framework, SCA does not have to be used for all online payment transactions; it is only universally applicable to those issuers and merchants whose fraud numbers exceed certain levels each quarter. It is under these conditions that friction could occur, as customers will be required to provide two-factor authentication at the point of checkout, which may lead them to abandon their online transactions.
Risk-based authentication essentially involves analyzing various parameters relating to each transaction and buyer against a large dataset of similar transactions – determining whether or not further authentication is necessary. Such parameters include:
- Transaction value
- Buyer’s transaction history
- Whether the buyer is a new or returning customer
- Information about the buyer’s location
Risk-based authentication has the potential to ensure a streamlined customer journey with fewer friction points, while still minimizing fraud.
Given the respective strengths of SCA and risk-based authentication, the best way to optimize the online customer experience, while remaining below the CNP Fraud Mitigation Framework thresholds, is to combine them. This approach is especially advantageous if a best-in-class, risk-based authentication solution is available.
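The combination described above, as an added example that is not part of the original article or of any vendor's product: a risk score built from the four parameters listed earlier decides whether to step up, and the SCA check requires two different factor categories rather than two factors of the same kind. The weights, the 500 amount cut-off, the threshold of 50 and all names are constructed assumptions, not values from the AusPayNet framework.

```python
from dataclasses import dataclass

# Factor categories from the article: something the customer has / knows / is.
FACTOR_CATEGORY = {
    "card": "has", "token": "has", "phone": "has",
    "pin": "knows", "password": "knows",
    "fingerprint": "is", "face": "is",
}

@dataclass
class Transaction:
    amount: float             # transaction value
    avg_past_amount: float    # buyer's transaction history (0 if none)
    returning_customer: bool  # new or returning customer
    country: str              # location seen on this transaction
    usual_country: str        # location seen on earlier transactions

def risk_score(tx: Transaction) -> int:
    """Additive score in [0, 100]; the weights are illustrative only."""
    score = 0
    if tx.amount > 500:
        score += 30
    # Only compare against history when the buyer has one.
    if tx.avg_past_amount and tx.amount > 3 * tx.avg_past_amount:
        score += 25
    if not tx.returning_customer:
        score += 20
    if tx.country != tx.usual_country:
        score += 25
    return score

def sca_satisfied(presented) -> bool:
    """True only if the factors span at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in presented if f in FACTOR_CATEGORY}
    return len(categories) >= 2

def authorize(tx: Transaction, presented=(), threshold: int = 50) -> str:
    """Frictionless below the threshold, SCA step-up at or above it."""
    if risk_score(tx) < threshold:
        return "approve_frictionless"
    if not presented:
        return "challenge_sca"
    return "approve_after_sca" if sca_satisfied(presented) else "sca_failed"
```

A password plus a PIN fails the check because both are knowledge factors, which is the case a naive "count the factors" implementation gets wrong.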
Optimizing risk-based authentication performance
What defines a best-in-class, risk-based authentication solution? One key component is a very large database of transaction samples, drawn from across multiple business sectors (sometimes referred to as “consortium data”). To stay abreast of the latest fraud techniques, this database should also be updated in near real time.
A further advantage of a very large database of this type is that it is ideally suited for machine learning (ML) techniques. The challenges faced in fighting CNP fraud make it a space where ML presents abundant opportunity.
In practice, best-in-class, risk-based authentication will probably apply a multi-dimensional approach when analyzing data, incorporating ML, complex rules, shared consortium data and customer profiling. Assuming that data is sufficiently rich (i.e., includes multiple data points for each transaction, buyer and seller, as well as broad-based comparative samples across multiple business sectors), risk-based authentication will be able to provide a low-friction eCommerce experience, while simultaneously minimizing CNP fraud.
However, risk-based authentication cannot be optimized with just a generic solution; it must also be customizable so that merchants can tailor it to the specific needs of their organization. A key part of achieving this is a risk-based authentication solution that gives users convenient access to their own historic transaction and benchmark data (either online or by download) for analysis. Doing this analysis in collaboration with a solution provider’s in-house fraud analysts allows for the best possible fine-tuning of risk-based authentication.
Best of both worlds for holistic fraud prevention strategy
In short, for those merchants and acquirers anxiously eyeing the fraud thresholds in AusPayNet’s CNP Fraud Mitigation Framework, risk-based authentication coupled with automated SCA (where risk-justified) offers a painless and solid means of compliance. The obvious advantage of this holistic approach is one of the reasons why ACI has put it at the core of its own solution.