December 3, 2020

One of the most common complaints from Card Fraud Managers at issuing banks is ‘Why can’t I see what the merchant sees on their website to make a fraud decision?’ As we will detail below, the 3DS 2.x specifications take steps to address this challenge. But what if we took it one step further and asked: ‘How do I join my view of customers in e-commerce to what I already know about their online banking activity?’

‘How can I create a holistic online customer view?’

Using LexisNexis® ThreatMetrix® a bank can more confidently link a user’s trusted online banking persona to their online shopping persona.

By leveraging shared intelligence across a single Digital Identity Network®, card issuing banks can bring cross-channel online banking data points into the online card experience, and vice versa, to recognise the bona fide card holder and shut out the fraudster.

Conflicting problems in Card Fraud

The industry has introduced several measures, such as Strong Customer Authentication (SCA), the Card Verification Value (CVV) and tokenisation, to increase the security of e-payments. The lack of user-friendly methods for authenticating a payment has led to confusion, frustration and, ultimately, cart abandonment.

This is not only impacting the relationship between the shopper and the merchant; it is impacting the relationship between the consumer, the merchant and the card issuing bank. To improve the user experience, merchants choose to adopt a risk-based approach to authentication, pleasing their customers and improving their conversion rate. The consequence is that they become a more attractive target for fraudsters.

In the last ECB report on card fraud[1], card-not-present (CNP) fraud accounts for 73% of total card fraud losses. A more recent report from UK Finance[2] corroborates this, with 76% in 2019 (up from 62% in 2010). That report also gives a more detailed view of e-commerce-specific CNP fraud, which amounts to 58% of all UK card fraud losses.

What can be done to anticipate CNP fraud and get merchants to choose a more secure method?

With the PSD2 regulations coming into force, merchants and payment service providers (PSPs) are required to enhance security and introduce strong customer authentication for online payments. There are, of course, exemptions to the rule: the cases in which a PSP may forgo SCA on eligible transactions are

  1. Low-value transactions
  2. Secure corporate payment processes and protocols
  3. Trusted beneficiaries (merchants whitelisted by the card holder)
  4. Merchant-initiated transactions
  5. Transaction risk analysis, if the PSP can demonstrate the capability to assess and score transaction risk and detect unauthorised or fraudulent payments
    • The PSP’s fraud rate must stay below the reference fraud rate defined for the relevant transaction value band

Card issuing banks have had an answer at hand for almost two decades that not only addresses regulatory requirements but mitigates the fraud risk. On a successful authentication it even shifts chargeback liability from the merchant to the issuer, which is a substantial benefit for merchants. 3-D Secure is a protocol designed to provide enhanced security and stronger authentication for consumers when they use their debit or credit cards for online purchases.

The Three-Domain Secure (3DS) protocol was first introduced in 2001 by Visa. As technology evolved, shortcomings in the protocol became apparent:

  • No consistency in the authentication pages, meaning they could easily be mistaken for phishing attacks
  • No native mobile support
  • The additional authentication checks increased drop-out rates, jeopardising merchants’ conversion rates
  • Only limited data, making it difficult for issuers to make good authentication decisions

3DS 2.x was developed by EMVCo to address the 1.x shortcomings, and its developments include:

  • Consistency in the way authentication screens are presented to the card holder
  • A frictionless user authentication journey
  • Mobile-friendly options, including an app-based (SDK) flow
  • Additional data supplied by the merchant to the issuer in the authentication request (AReq)
  • The ability for issuers to gather additional contextualised data themselves

The improvements in the second iteration of the 3DS protocol give card issuers the opportunity to increase the amount of data on which they can base an authentication risk assessment.

As part of the protocol enhancement, merchants are required to share not only data about the purchase amount or billing address; they are also obliged to provide consumer device and browser data where available. A non-exhaustive list of fields captured from the card holder’s browser includes the browser IP address, browser language, screen colour depth, screen height and width, time zone and User-Agent. These enhancements are a step in the right direction and enable an issuer to make a better-informed risk decision. However, the fields provided are still too limited to reliably identify a good returning customer or unmask a fraudster: every one of them is self-reported by the browser and relayed through the merchant, so the issuer has no independent view of the session.

This is where another immensely important, often overlooked development of the new specification fills the void: the 3DS Method. Issuers can gather additional contextual data for each 3DS 2.x transaction to augment the data provided by the merchant. If the issuer registers a 3DS Method URL with the card schemes, the merchant’s 3DS Server is required to invoke it, by loading the issuer’s URL in a hidden iframe in the card holder’s browser, even before making the authentication request.

For the card holder this is fully frictionless: it adds no additional interactions or pop-ups, offering a slicker, uninterrupted authentication flow.
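To make the two data paths concrete, the following is an added Python example (not ThreatMetrix, EMVCo or scheme code) that simulates the 3DS Method exchange and the AReq that follows it, and then shows the issuer combining the merchant-supplied browser fields with what its own ACS observed. The message and field names (threeDSMethodData, threeDSServerTransID, threeDSMethodNotificationURL, threeDSCompInd, the browser* fields) follow the public EMV 3DS 2.x specification; the hidden-iframe transport is replaced by direct function calls so it runs offline. The sample browser values, the notification URL, the transaction id and the "deviceId" key are constructed for illustration and are not spec fields or real data.

```python
"""Simulated EMV 3DS 2.x '3DS Method' exchange followed by an AReq.
Added illustration, not ThreatMetrix or EMVCo code; spec field names,
constructed sample values, no network."""
import base64
import json

THREE_DS_METHOD_TIMEOUT_S = 10  # the 3DS Server waits at most 10 s for the iframe notification

# Constructed sample: browser fields the merchant's 3DS Server copies into the AReq.
SAMPLE_AREQ_BROWSER = {
    "browserIP": "203.0.113.42",
    "browserLanguage": "en-GB",
    "browserColorDepth": "24",
    "browserScreenHeight": "1080",
    "browserScreenWidth": "1920",
    "browserTZ": "0",  # UTC offset in minutes
    "browserUserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/83.0",
}

# Constructed sample: what the issuer's ACS observed itself inside the 3DS Method iframe.
# "deviceId" is a hypothetical key standing in for a device identifier the issuer
# already knows from online banking; it is not a spec field.
SAMPLE_ACS_COLLECTED = {
    "ip": "203.0.113.42",
    "tz": "0",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/83.0",
    "deviceId": "dev-7f3a",
}


def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64url_decode(text: str) -> dict:
    padded = text + "=" * (-len(text) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_three_ds_method_data(trans_id: str, notification_url: str) -> str:
    """3DS Server side: the threeDSMethodData value POSTed into the hidden iframe."""
    return b64url_encode({
        "threeDSServerTransID": trans_id,
        "threeDSMethodNotificationURL": notification_url,
    })


def acs_handle_three_ds_method(method_data: str, collected: dict, acs_store: dict) -> tuple:
    """ACS side: decode the iframe POST, store what it observed about the browser under
    the transaction id, and return (notification URL, body the iframe POSTs back)."""
    data = b64url_decode(method_data)
    trans_id = data["threeDSServerTransID"]
    acs_store[trans_id] = dict(collected)
    notification = b64url_encode({"threeDSServerTransID": trans_id})
    return data["threeDSMethodNotificationURL"], notification


def three_ds_comp_ind(method_url_registered: bool, notification_seconds) -> str:
    """threeDSCompInd for the AReq: U = no 3DS Method URL registered for the card range,
    N = registered but no notification inside the timeout, Y = method completed."""
    if not method_url_registered:
        return "U"
    if notification_seconds is None or notification_seconds > THREE_DS_METHOD_TIMEOUT_S:
        return "N"
    return "Y"


def build_areq(trans_id: str, browser: dict, comp_ind: str) -> dict:
    return {
        "messageType": "AReq",
        "messageVersion": "2.2.0",
        "threeDSServerTransID": trans_id,
        "threeDSCompInd": comp_ind,
        **browser,
    }


def acs_risk_context(areq: dict, acs_store: dict) -> dict:
    """Issuer side: merge the merchant's view (AReq) with the issuer's own view (3DS Method)
    and flag disagreements between the two descriptions of the same browser session."""
    collected = acs_store.get(areq["threeDSServerTransID"])
    flags = []
    if collected is None:
        flags.append("no_3ds_method_data")
    else:
        checks = (("ip", "browserIP"), ("tz", "browserTZ"), ("userAgent", "browserUserAgent"))
        flags.extend(f"{own}_mismatch" for own, theirs in checks if collected[own] != areq[theirs])
    return {"merchant_view": areq, "issuer_view": collected, "flags": flags}


def run_demo(method_url_registered=True, notification_seconds=0.8, acs_collected=SAMPLE_ACS_COLLECTED):
    """One transaction end to end; returns (AReq, issuer risk context)."""
    trans_id = "8a880dc0-d2d2-4067-bcb1-b08d1690b26e"  # constructed, not a real transaction
    acs_store = {}
    if method_url_registered:
        method_data = build_three_ds_method_data(trans_id, "https://3ds-server.example/notify")
        acs_handle_three_ds_method(method_data, acs_collected, acs_store)
    comp_ind = three_ds_comp_ind(method_url_registered, notification_seconds)
    areq = build_areq(trans_id, SAMPLE_AREQ_BROWSER, comp_ind)
    return areq, acs_risk_context(areq, acs_store)


if __name__ == "__main__":
    print(json.dumps(run_demo()[1], indent=2))
```

The point of acs_risk_context is the one the text makes: the AReq fields are only what the merchant relays, whereas the 3DS Method gives the issuer its own observation of the same browser, so a disagreement between the two (or a missing 3DS Method result when the issuer has registered one) is itself a signal worth feeding into the risk decision.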

Our customers use LexisNexis® ThreatMetrix® device and digital identity intelligence to migrate trust, risk and confidence across different end-user devices and channels.

There are multiple options for leveraging LexisNexis® ThreatMetrix® in the CNP risk assessment journey.

  1. ThreatMetrix® digital identity intelligence augmenting the 3DS contextual data: issuers can increase the data points provided by the merchant tenfold or more with the intelligence of the ThreatMetrix® solution. With this vast, combined data set an issuer can make the best-informed risk decision. This includes migrating both trust and risk from their internet banking channel, e.g. recognising whether the card holder is using the same trusted device as for their online banking
  2. Leverage the ThreatMetrix® authentication capabilities:
    • Reduce reliance on traditional, costly methods such as SMS in the challenge journey with a flexible authentication platform offering modern options, including biometrics or device authentication using public-key cryptography, to reduce customer friction and increase security
  3. Create an additional layer of fraud protection based on ThreatMetrix® global shared intelligence:
    • The ThreatMetrix® Digital Identity Intelligence is built from a crowd-sourced network of over 6,000 businesses with a well-established footprint in banks and e-commerce merchants. The shared intelligence provides information, for example, about devices that have previously been associated with CNP fraud, and customers can benefit from machine learning for specific industry use cases.

At LexisNexis® Risk Solutions we work with leading banks and card issuers to utilise the boosted contextualised data and the implementation options above to bring together what belongs together. Banks get a 360º view for improved fraud decisioning, higher detection rates and fewer false positives in fighting CNP fraud.

Migrating trust from online banking to e-commerce improves the card holder’s payment experience and the conversion rates for merchants without sacrificing security.


[1] https://www.ecb.europa.eu/pub/cardfraud/html/ecb.cardfraudreport201809.en.html

[2] https://www.ukfinance.org.uk/policy-and-guidance/reports-publications/fraud-facts-2020