This article in PaymentSource suggests that PSD2 will drive more use of AI to fight payment fraud, but Mercator argues in its upcoming report “Securing E-Commerce: Competing Technology Crowds The Market” that AI may be less important for reducing fraud than 3D Secure 2.0:
“In recent years, new machine learning algorithms and big data have reduced fraud losses to an extent — however, their impact has been relatively limited, in part because the industry has been reluctant to use them. But the use of such technology is soon likely to become far more widespread in the U.K., and across the EU.
Nearly half of all fraud incidents are made possible by a lack of advanced anti-fraud controls in the businesses targeted, according to a 2018 study conducted by the Association of Certified Fraud Examiners. This problem will likely be addressed by new PSD2 regulations, which come into effect in the second half of 2019 and require all transactions over £30 to have stronger authentication measures.
In particular, all payment providers will now be required to conduct real-time risk analysis on transactions to assess a range of factors including any abnormalities in behavior or spending, previous purchase patterns, and location of the customer and business.
“As this legislation is implemented, it will lead to the roll-out of more sophisticated solutions across organizations on both sides of e-commerce transactions,” said Dave Excell, founder of Featurespace, an analytics company developing anti-fraud solutions for a range of companies including WorldPay.
These regulations are particularly hoping to reduce unauthorized fraud — where the account holder does not provide authorization for a payment and the transaction is carried out by a third party — which increased by 10% last year, according to the latest U.K. Finance data. As a result, numerous surveys have shown that the confidence of customers in e-commerce is steadily eroding, with Paysafe finding that 65% of online consumers now regard payments fraud as an inevitable part of shopping online.”
But if a merchant can shift the liability for fraud to the card issuer, how much extra intelligence does the merchant require? In particular, if the merchant and the issuer have a very high level of confidence that the person initiating the transaction is indeed the account owner, risk is greatly diminished, and what remains is primarily whether the individual has sufficient funds or poses a credit risk. Enter 3D Secure 2.0.
Nailing down the identity of the individual making the transaction will require a combination of tokenization, 3D Secure 2, and perhaps behavioral biometrics (which utilize machine learning).
Payment tokens will increasingly be provisioned into not just smartphones but also browsers, watches and other payment-enabled devices. During the provisioning process significant information will be collected about the device, such as screen size and color depth, manufacturer, unique ID, and other attributes that, while not impossible to spoof, substantially increase the difficulty of impersonating the device. The device information collected during provisioning can then be confirmed when a payment transaction is made using 3D Secure.
The merchant and merchant acquirer will collect the device data and send it to the issuer with the payment authorization request. The issuer compares the data collected by the merchant with the data collected during the provisioning process. Attributes of the token can also be updated in the device and then tested by the issuer to add confidence. Then, if there is any doubt about the transaction, the issuer can test the person making the purchase. The issuer can send a challenge that might be a One Time Password or, better yet, a biometric request via the issuer's banking app.
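The issuer-side comparison described above can be sketched as follows. This is an added example, not code from Mercator, PaymentSource or the 3D Secure specification; the attribute names, weights and cut-off are assumptions chosen for illustration, and the sample profiles are constructed.

```python
from dataclasses import dataclass

# Assumed attribute names and weights (percent of total confidence). The article
# names the kinds of attribute collected but no scoring scheme.
WEIGHTS = {"device_id": 50, "manufacturer": 20, "screen_size": 15, "color_depth": 15}
FRICTIONLESS_MIN = 85  # assumed cut-off, not taken from any specification


@dataclass(frozen=True)
class Decision:
    outcome: str        # "frictionless" or "challenge"
    score: int          # 0-100
    mismatches: tuple   # attributes that failed to match


def assess_device(provisioned: dict, presented: dict) -> Decision:
    """Compare the profile stored at token provisioning with the profile the
    merchant forwarded alongside the authorization request."""
    score, mismatches = 0, []
    for attr, weight in WEIGHTS.items():
        expected, seen = provisioned.get(attr), presented.get(attr)
        # A value missing on either side is a mismatch: absent evidence must
        # never raise confidence.
        if expected is not None and expected == seen:
            score += weight
        else:
            mismatches.append(attr)
    # A different unique ID means a different device, however well the easily
    # copied display attributes line up, so it always forces a challenge.
    if "device_id" in mismatches or score < FRICTIONLESS_MIN:
        outcome = "challenge"  # e.g. one-time password or banking-app biometric
    else:
        outcome = "frictionless"
    return Decision(outcome, score, tuple(mismatches))


# Constructed sample profiles (not real device data).
PROVISIONED = {"device_id": "dev-0001", "manufacturer": "ExampleCo",
               "screen_size": "1170x2532", "color_depth": 24}
CLONED_DISPLAY = {**PROVISIONED, "device_id": "dev-9999"}
PARTIAL = {"device_id": "dev-0001", "manufacturer": "ExampleCo"}

if __name__ == "__main__":
    for label, profile in [("same device", PROVISIONED),
                           ("cloned display attributes", CLONED_DISPLAY),
                           ("partial profile", PARTIAL)]:
        print(f"{label}: {assess_device(PROVISIONED, profile)}")
```

A profile that copies every display attribute but carries a different unique ID still ends in a challenge, and a profile with fields stripped out scores lower rather than passing by omission.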
In the future, 3D Secure may also be capable of collecting behavioral biometrics from the device held by the individual making the purchase. Those can be compared to the original account holder’s biometrics, adding further evidence that the person making the purchase is properly identified and matches the account holder.
3D Secure 2.0 utilizes an entirely new payment infrastructure component, and it better links the user and the user’s device to the merchant to prevent 3D Secure from creating cart abandonment. This is complex technology and a complex process, but all of the networks recognize how important it is to get right, and so, while adjustments may need to be made, I have little doubt the networks will do everything they can to make this work; otherwise we may lose the confidence of consumers and regulators.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group