Risk-based authentication

Ensuring security & customer-friendliness in online payments

The challenge for online merchants, acquirers, and card issuers is to offer secure and customer-friendly online payments, while meeting all the requirements of local and international payment processes. One possible solution is to implement intelligent end-to-end risk management in real time. By performing appropriate risk analysis at every step of a payment transaction, a system can be established that all parties can trust. Roger Burkhardt, Product Manager at Netcetera, and Markus Navratil, Senior Consultant in the Risk & Fraud Division at INFORM, explain how this works.

A particular challenge poses the European Payment Services Directive PSD2 that requires Strong Customer Authentication (SCA) and only allows waivers in exceptional cases. However, the card organizations now expect card issuers and acquirers to exploit the PSD2 exceptions as far as possible to be able to offer consumers the smoothest possible checkout processes. At the moment, this is made more difficult by the fact that various versions of the 3-D Secure security process are still running in the market, not all of which sufficiently support the use of the exemptions form SCA.

Anyone who wants to make the most of the exemptions cannot get around the Transaction Risk Analysis (TRA) – a regulation that involves a particularly large amount of work. It is based on the current misuse rate at the card issuer or acquirer in question. In addition, each transaction has to be checked for certain risk characteristics, such as conspicuous spending behavior on the part of the customer, unusual information about the customer's terminal device or the software used, or purchases from particularly high-risk merchants.

Complex tasks for merchants, acquirers, and issuers

For merchants, Delegated Authentication offers an attractive new way to authenticate their customers in a PSD2 compliant manner, thus avoiding strong authentication during the payment process. However, this requires customers to be securely registered, for example with the FIDO Alliance (Fast Identity Online) solutions. The challenge here is to convince customers of this procedure.

Acquirers have to solve a whole range of complex tasks. These include coordination between payment service providers, merchants, and their own platform. In addition, acquirers are required to protect both their merchants from fraud and themselves from fraudulent merchants.

Issuers must determine how they will organize risk-based authentication of their cardholders. Another challenge for them is to be able to distinguish between the different acquirer exemptions (e.g. TRA or LVP/ Low Value Payment) during authentication.

Real-time risk management

For real-time risk management, Netcetera's Access Control Server solution (ACS) and INFORM's risk management solution Riskshield are aligned. Every incoming transaction is forwarded from the ACS to Riskshield. There, the risk assessment takes place and the result is reported back to the ACS, where the appropriate further processing of the transaction takes place. The last two steps are important: The ACS sends the results of the authentication to Riskshield, which is then used to further improve risk management as part of an automatic learning process.

The more data available, the better Riskshield's results become. This, in turn, is helped using 3-D Secure in version 2.x, which can process significantly more relevant data than the previous version 1.0. In particular, the combination of transaction data from different purchasing channels (e.g. desktop, mobile, in-app) enables better risk management.

Roger Burkhardt: "An end-to-end approach to risk management allows for a high user experience with the fewest interruptions in the purchasing process, while reducing losses due to misuse. Quite crucial to this is data: The more data available, the more accurate risk management can be."

Roger Burkhardt

Principal Consultant of Secure Digital Payments at Netcetera

More stories

On this topic