Secure digital payment

Risk-based authentication

Ensuring security & customer-friendliness in online payments

The challenge for online merchants, acquirers, and card issuers is to offer secure and customer-friendly online payments, while meeting all the requirements of local and international payment processes. One possible solution is to implement intelligent end-to-end risk management in real time. By performing appropriate risk analysis at every step of a payment transaction, a system can be established that all parties can trust. Roger Burkhardt, Product Manager at Netcetera, and Markus Navratil, Senior Consultant in the Risk & Fraud Division at INFORM, explain how this works.

A particular challenge poses the European Payment Services Directive PSD2 that requires Strong Customer Authentication (SCA) and only allows waivers in exceptional cases. However, the card organizations now expect card issuers and acquirers to exploit the PSD2 exceptions as far as possible to be able to offer consumers the smoothest possible checkout processes. At the moment, this is made more difficult by the fact that various versions of the 3-D Secure security process are still running in the market, not all of which sufficiently support the use of the exemptions form SCA.

Anyone who wants to make the most of the exemptions cannot get around the Transaction Risk Analysis (TRA) – a regulation that involves a particularly large amount of work. It is based on the current misuse rate at the card issuer or acquirer in question. In addition, each transaction has to be checked for certain risk characteristics, such as conspicuous spending behavior on the part of the customer, unusual information about the customer's terminal device or the software used, or purchases from particularly high-risk merchants.

Complex tasks for merchants, acquirers, and issuers

For merchants, Delegated Authentication offers an attractive new way to authenticate their customers in a PSD2 compliant manner, thus avoiding strong authentication during the payment process. However, this requires customers to be securely registered, for example with the FIDO Alliance (Fast Identity Online) solutions. The challenge here is to convince customers of this procedure.

Acquirers have to solve a whole range of complex tasks. These include coordination between payment service providers, merchants, and their own platform. In addition, acquirers are required to protect both their merchants from fraud and themselves from fraudulent merchants.

Issuers must determine how they will organize risk-based authentication of their cardholders. Another challenge for them is to be able to distinguish between the different acquirer exemptions (e.g. TRA or LVP/ Low Value Payment) during authentication.

Real-time risk management

For real-time risk management, Netcetera's Access Control Server solution (ACS) and INFORM's risk management solution Riskshield are aligned. Every incoming transaction is forwarded from the ACS to Riskshield. There, the risk assessment takes place and the result is reported back to the ACS, where the appropriate further processing of the transaction takes place. The last two steps are important: The ACS sends the results of the authentication to Riskshield, which is then used to further improve risk management as part of an automatic learning process.

The more data available, the better Riskshield's results become. This, in turn, is helped using 3-D Secure in version 2.x, which can process significantly more relevant data than the previous version 1.0. In particular, the combination of transaction data from different purchasing channels (e.g. desktop, mobile, in-app) enables better risk management.

Roger Burkhardt: "An end-to-end approach to risk management allows for a high user experience with the fewest interruptions in the purchasing process, while reducing losses due to misuse. Quite crucial to this is data: The more data available, the more accurate risk management can be."

Roger Burkhardt

Principal Consultant of Secure Digital Payments at Netcetera
Zürich Secure digital payment
Published on:
Share page:

More stories

On this topic

Introducing the right challenge process

Banks need to rethink their approach to authentication

Improving the online payment process

Deliver a compelling payment experience

3DS certification by eftpos Australia

3DS Server enables access to Australian merchants & commerce

14 June 2023

EMV 3DS 2.3.1 : New opportunities

The latest 3DS version provides new opportunities

Ready for the Visa DAF program

Advancing digital payment for a seamless customer journey

12 May 2023

Netcetera 3DS Server compliant with MADA

Netcetera ready for MADA specifications on EMV® 3-D Secure

04 April 2023

Helping issuers reduce fraud & friction

Helping issuers reduce fraud and friction

04 April 2023

Nurturing optimal customer experience

Certification of 3DS Directory Server for EMVCo 2.1. and 2.2

04 April 2023

MPE 2023 Award for Netcetera

MPE 2023 Award for Netcetera’s 3DS Server and 3DS SDK soluti

04 April 2023

Netcetera and DPG partnering

Partnership aims towards easier customer adoption of PSD

16 March 2023

Zemen Bank and Netcetera partner up

Driving digital payment in Africa

15 March 2023

Introducing biometric reading in MENA

Cooperation for a new era of online payment authentication

27 February 2023

SumUp and Netcetera team up on ACS

Protecting merchants from online fraud

14 February 2023

Safeguarding the online transactions

How to keep consumers safe in times like these

Authentication for secure digital future

How strong authentication will secure the digital economy

Strong partners: DKB and Netcetera

Smooth and convenient online payments with Visa Debit

18 October 2022

Netcetera - Mastercard Engage partner

Digital First partner in the Mastercard Engage program
MORE STORIES