Many merchants may have thought that the Strong Customer Authentication elements of the European Payment Services Directive 2 (PSD2) would shift fraud liability away from them.
With a deeper understanding of the regulation comes the realization that there are still many things to consider when managing online fraud attacks.
The deadline for implementation of PSD2 into EU national laws was Jan. 13. One aspect of PSD2 is Strong Customer Authentication, or SCA, whereby a customer needs to authenticate themselves in order to be able to transact. Authentication in itself can cause friction, which any merchant tries to avoid in order to maximize revenues and customer satisfaction on their consumer websites and apps.
As a result of this change, merchants should understand and manage their business to minimize both fraud and the amount of customer friction. The introduction of this new regulation will mean that fraud detection will inevitably need to evolve as the fraudsters find new ways to exploit new loopholes.
One important aspect of SCA is that non-EU issuers do not need to comply with this regulation, and therefore liability rules for these cards will remain unchanged. Once SCA is fully enforced in the EU, we expect to see fraudsters target non-EU-issued cards. This means that there could be an increase in the proportion of non-EU-issued cards making up fraud losses, and that number could continue to increase as non-EU cards do not utilize SCA.
Minimizing how often SCA is required is a key objective for many merchants. One way to do that is for a merchant to encourage customers to “whitelist” themselves with their issuer by registering themselves as a trusted beneficiary, so that SCA is not invoked each time they come to pay. However, if fraud is later found on a transaction, the merchant may become liable, so fraud screening tools are still required to mitigate this risk.
Transaction risk analysis (TRA) is another way to exempt a transaction from authentication. Although a merchant cannot apply the TRA exemption themselves, it can conduct pre-authorization risk analysis to ensure minimal fraud attempts are being passed to the acquirer and issuer. This will help keep overall acquirer and issuer fraud rates low and enable a larger number of transactions to be exempted from SCA.
This exemption in itself is likely to mean that the above fraud-rate thresholds will be an influencing factor when determining which acquirers to work with and what alternative payment methods to offer in the future to optimize the level of end-consumer acceptance.
Where there is suspected fraudulent behavior, an issuer will still be able to push liability to other entities in the payment process, including a merchant. Coupled with the fact that non-EU-issued card processes will remain unchanged, this means merchants will still benefit from having an effective dispute and chargeback representment process.
By automating and prioritizing disputes received, merchants will be able to continue to optimize their profitability through an effective dispute management process.
Merchants will continue to have a role to play in effective fraud management processes in the future. Ultimately, it is the issuer who will determine whether a transaction needs to step up for SCA. After all, they are the ones who are required to do so per the regulation and will take the liability if fraud is found. That said, the issuers and merchants have the same objective — to ensure as many customers as possible are allowed to transact.
Merchants will still need to understand and manage their fraud risks and they will need to update their fraud strategies to ensure that their processes are agile enough to be able to adapt to the changing fraud patterns which will evolve in the coming months.