FRAUD SPECIAL

Strong-arm tactics

More than £4 billion was stolen as a result of online card fraud last year, but help is at hand.

AUTHOR – Adam Bernstein

EUROPE has, for some time, been worried about online card fraud. As part of the fight back, from 14 September 2019 a new process known as Strong Customer Authentication (SCA) will be in place. It is made under the Revised Directive on Payment Services (PSD2), which itself came into force in January 2018.

SCA is effectively an extra layer of security designed to prevent payment fraud. It ensures that online card transactions become more secure through ‘multi-factor authentication’ – a second check to demonstrate that both the transaction and card holder are genuine. The aim of SCA is to be the ‘chip and pin’ of the online world, and to be applied to transactions over a certain value – €30.

But while SCA targets the online transaction, Mark Nelsen, Senior Vice President, Risk and Authentication Products at card processor Visa, says that banks and merchants may also need to regularly check that contactless payments are made by the correct cardholder too – by asking for a PIN. “This,” he says, “might occur after a contactless card has been tapped five times in succession, or when €150 has been spent using only contactless taps.”

SCA could mean any one of numerous authentication methods such as an online PIN or password, a device that only the cardholder can authenticate – say a smartphone – or a biometric trait such as a fingerprint or facial recognition that is clearly very personal.

For some retailers, there are worries that this extra layer of protection will add unnecessary complexity which will irritate customers who subsequently abandon their ‘shopping carts’ part way through the buying process – leading to lost sales.

Just as the GDPR revolutionised how data protection is managed and individuals access their information, so SCA is going to change how retail works.

WHAT IS PSD2?

As the name suggests, PSD2 is an update on the original Payment Services Directive (PSD) that was brought into force in 2007. Its stated goal was for a single market for payments with easier and more efficient cross-border payments, so that it mattered not if a payment was made to another party within the same member state or to a party in a different member state.

PSD2 expands on PSD by permitting third-parties to access an individual’s account information via the ‘Open Banking’ protocol; enhancing consumer rights, especially in relation to currency charges; and enhancing card holder security via SCA.

Change was clearly needed as both credit and debit card usage is dramatically on the increase, and with a rising level of card use comes increasing risks of fraud. The European Central Bank, in its Fifth report on card fraud, published September 2018, found that cards issued within Europe saw fraudulent transactions to the tune of €1.8bn in 2016 and that 73 percent of that sum related to card-not-present transactions.

Not everyone is in favour of SCA. In 2016, card processor Visa argued that the new process would risk disrupting online shopping while not necessarily increasing security. The point is well made from its perspective as its fortune naturally depends on transaction volume.

MANDATORY COMPLIANCE

Compliance with the new regime is mandatory. If the online trader doesn’t comply then all transactions will be automatically declined by the cardholder’s bank when they attempt to make a purchase. Further, by not planning ahead and developing authentication processes that offer the least friction to consumers, traders could see huge falls in sales as consumers switch off and vote with their feet.

According to Ecommerce Europe in its European Ecommerce Report 2018 Edition, the European business-to-consumer online economy is worth around €602bn in 2018 (up from €307bn in 2013). If only ten percent of consumers – let alone a potential 25 percent that could walk – abandon a transaction because of complexity or irritation, then firms stand to lose huge sums.

But with new rules comes opportunity – a chance for traders to market themselves to customers as both being secure and trustworthy, as well as having the simplest way possible of complying with the new rules. Of course, consumers want protection, but in today’s modern world, they also want simplicity and they want it now.

The rollout won’t be easy. While the EU demands compliance, every member state will see different interpretations of PSD2. Whether that’s from the banks, card issuers or central bank, there will be differences. On top of this there is the €30 exemption to take into account.

FORWARD PLANNING

The first step for any online trader is to set their systems to recognise when transactions need to abide by SCA (i.e. above the €30 threshold) or when they don’t. Further, recurring payments will also be exempt so that needs noting by the system. Allied to this is the option

The Recognised Standard / www.cicm.com / July/August 2019 / PAGE 24