If PSD2 were a building, it would be Gaudi’s Sagrada Familia, which has been in the making since 1882 and remains unfinished. With the FCA’s latest six-month extension of the deadline for the Strong Customer Authentication (SCA) element of PSD2, now 14th March 2022, delaying things even further here in the UK, here’s hoping that it will not take centuries to complete PSD2.

Striving to understand the implications of the delay, a recent panel discussion hosted by LexisNexis® Risk Solutions invited some leading experts to assess the potential impact of SCA 3DS, with discussion centred on how remote purchase / Card Not Present (CNP) fraud is being affected by the SCA regulations that are already implemented in Europe and are coming into force in the UK next year.

After the webinar, we caught up with our panellists to gauge their thoughts on what will emerge for CNP fraud into 2022, as the impact of SCA 3DS is felt across the remote purchase ecosystem in the UK. With so many stakeholders, and so much at stake, in creating the right balance between fraud defence and customer experience when it comes to CNP fraud activity, our experts have identified some very interesting opportunities, threats and possibilities for new modes of collaboration, as well as trying to understand where fraudsters will go next as the SCA protocols start to make CNP fraud more difficult to pull off.

Seeking inspiration once again from Gaudi, who said “man does not create…he discovers”, how has the implementation of the latest SCA regulations impacted CNP fraud in 2021 so far? For Leah Evanski, Global Head of Business Development & Strategic Alliances at Outseer™, SCA implementations are driving adoption of 3DS2 and enhancing fraud detection:

“In the EU, the SCA regulation requirements have pushed merchants and card issuers to accelerate their adoption of 3DS2,” said Evanski. “At Outseer, we have seen quarter-on-quarter increases in 3DS2 usage throughout the last year, as well as significant growth in the EU from Q4 2020 to Q1 2021, where the share of 3DS2 transactions doubled. This growth is likely related to SCA enforcement dates (1.1.21 in many EU countries).”

“With this growth, we are also seeing consistent improvement in fraud prevention with 3DS2 usage. In the past two quarters, we’ve seen our global transaction success rates exceed 98%, with fraud rates as low as 0.63%. As fraud detection continues to improve, issuers are expressing more confidence to amend thresholds, enabling more frictionless transactions and driving greater acceptance,” Evanski concluded.

The benefits of SCA are also echoed by Alexander Grebenstein from Targobank AG, who has seen first-hand the real-world impact of SCA implementation since Germany’s SCA regulatory mandate came into effect at the beginning of the year.

“In Germany, the regulatory mandate to perform Strong Customer Authentication went into effect between January 15th and March 15th 2021 in three stages, reducing the amount allowed to be authorized unsecured to 250 € in January, to 150 € in February and to 0 € in March,” said the Risk Manager for the German bank.

“During the same period and beyond, there was a significant reduction of gross CNP fraud losses, especially in the countries affected by PSD2. There was also a small shift to the UK and US but still, the GFL in May 2021 was at around 25% of the monthly average volume they had in the years before,” said Grebenstein. “However, there is still a significant number of authorisations coming in unsecured, due to acquirers using exemptions which are around 70% of the transaction count and 40% of the transaction amount. In addition, many out-of-scope scenarios can still be exploited by fraudsters, but the general business case involving the use of compromised card data without SCA seems to have shrunk – so much so that many fraudsters have turned to different methods of compromise and attack.”

So what types of attack are fraudsters turning to as SCA regulation shuts them down? The method they have chosen is nothing new: confidence tricks have been used in the analogue world for centuries, but in the digital world they have come into their own. You have probably received an SMS warning of a new payee added to your bank account, or inviting you to book a COVID jab. Scams are today endemic the world over, as Targobank’s Grebenstein explained:

“The new 3D Secure protocol presents a problem for the fraudster as it communicates a lot of data to the Issuer that can be used to distinguish the real customer from anyone else. This can be the shipping address or the geolocation of the person initiating the authentication.

“We are seeing the return of a rather old method: the scam. The “Nigerian Prince” scam has been around for decades, so has the “Russian Bride” and other similar, nasty stories that are designed to defraud the victim of their money.”

“Something that is relatively new is the “Fake Broker”, where customers are presented with an investment opportunity (usually involving cryptocurrency) with astonishing returns. These, of course, never reach the customer’s account,” warned Grebenstein.

“The big difference between the scam and the data compromise approach is the fact that the customers are made to do everything themselves. It is their input device, their authentication device, their biometrics. Hence, many of the established detection methods will fail.”

Social engineering is a vital component of the fraudster’s toolkit in their efforts to evade SCA, with Stephen Topliss highlighting how fraudsters are using social engineering to not avoid, but complete, step-up authentication in some cases:

“One example we’re seeing is where fraudsters are making eCommerce purchases using stolen credit card data. The fraudsters then convince the real card holders to share one-time passwords with them to complete step-up authentication and confirm the purchase,” said the Vice President, Fraud & Identity, at LexisNexis® Risk Solutions.

Of course, fraudsters will always shift and evolve attacks in response to new approaches to fraud prevention and regulatory reform, and it is positive that so many in financial services have welcomed the six-month extension of the deadline to implement SCA for ecommerce transactions. According to a recent poll conducted by LexisNexis® Risk Solutions, 42% of financial services professionals plan to use the extra time to improve and enhance the sophistication of their SCA roll-out plans. As Thomas Jefferson once said, “delay is preferable to error”.

These extra six months offer a golden opportunity to tap into the unexploited opportunities within the latest SCA regulations to enhance CNP fraud controls of the future.

“There is a fair amount of focus already on enhancing fraud controls by taking advantage of the significantly larger set of data fields passed on by the merchant through 3DS 2.x,” said Stephen Topliss. “I actually think the less explored opportunities right now lie in the delegated authentication options that could enable issuers to delegate authentication to suitably enabled merchants, resulting in a better user experience and lower abandonment rates.”

For Leah Evanski, SCA exemptions will be vital moving forward:

“Although driven by the PSD2 regulatory security requirements, employing SCA has the potential to provide important benefits and supports strategies for multiple layers of protection. The challenge, however, is that SCA is generally known to introduce greater time and friction into the checkout process, so a key opportunity is to make use of SCA exemptions.

“Issuers can differentiate themselves by balancing risk and user experience with 3DS2 solutions that enable strong, more dynamic authentication methods that meet SCA requirements. With greater precision detection, issuers can meet lower fraud rate requirements as defined by the “Transaction Risk Analysis (TRA),” that in turn allow them to employ SCA exemptions and further promote a more seamless user experience.

“For merchants using 3DS2, they too can benefit from SCA exemptions for small ticket and micro-payment transactions, subscriptions and other recurring payments. Merchants can also take advantage of the whitelisting capabilities available with 3DS2,” said Evanski.

A huge part of the success of PSD2 will ride on effective collaboration – and that is not something which has developed seamlessly, as Outseer’s Leah Evanski pointed out:

“The dialogue and even the alignment between merchants and issuers in the payments ecosystem has been slow to develop. Both sides have been fighting the same war, but with little to no coordination.

“The construct and the promise of 3DS2 provides an opportunity to bring merchants and banks together to stop payment fraud. They each have a role to play and they each benefit from mutual success.

“With greater adoption of 3DS2 in particular, and as merchants submit the broader set of new data elements identified in the protocol, issuers will be able to perform more accurate risk assessment for CNP transactions and confidently accept more transactions. Better information also results in fewer interventions for genuine users, enabling a better cardholder experience. This in turn will also drive more payment acceptance and revenue for the merchants.

“While the promise of 3DS2 is clear and ultimately may be self-reinforcing, merchants and banks today remain divided. This poses an interesting opportunity to fraud solution providers who serve both stakeholders to build the bridge between constituents and deliver solutions that drive greater confidence and value on both sides of the 3DS2 equation.”

Although seamless collaboration between merchants, issuers and banks has not yet been achieved, shared intelligence could provide the answer to alignment between the three big players involved in 3DS2.

“There is a significant opportunity today in a real-time consortium approach to share intelligence to prevent scams,” explained Stephen Topliss. “We’re seeing examples of this already, but increased participation would improve results.”

When it comes to PSD2 and SCA, the road ahead is long, but we are already seeing gains, with CNP fraud dropping where SCA has already been implemented. Yes, fraudsters will evolve and tweak attacks to bypass SCA, with scams currently the most effective tool in their arsenal. This is set against a landscape where banks and merchants are divided, a gap that can only be bridged with effective cross-industry collaboration and intelligence sharing, as Targobank’s Alexander Grebenstein concludes:

“Fortunately, the human factor has not only once again become the weakest link in the attack scenario but also the greatest strength in the defense against the attack.

“We still have to discover a lot of useful data points for our monitoring system and there is a lot of room for improvement as far as the current 3DS data quality from the merchants is concerned, but once a taskforce of dedicated and competent analysts have the chance to investigate, they will almost always be able to differentiate the genuine from the fraudulent.

“It’s a good thing then, that we take each and every attack on us very personally.”

Gaudi’s Sagrada Familia was slated for completion by 2026, the centenary of the architect’s death, but that date has since been pushed back because of the global pandemic. PSD2, meanwhile, first floated as a concept in March 2000 at the Lisbon Agenda, is in its 21st year, which raises the question: what will be completed first?

PSD2 or La Sagrada Familia?
