The move to chip cards in the United States has been touted as the trigger for the movement of fraud from card-present to card-not-present channels. The country’s dominant approach to combating this type of fraud is risk-based authentication. Is this because it has proven to be successful in preventing fraud, or is risk-based authentication’s attractiveness based on other considerations?
Because so few of them use 3-D Secure, US merchants have been bearing the brunt of the increase in e-commerce fraud. This is because they carry all the liability for transactions where 3-D Secure was not used, even if all the provided information matches what the bank has, and even if the bank provided authorization. Historically, issuing banks have not been highly motivated to invest in changes that primarily benefit merchants. So why is risk-based authentication rapidly on the uptake?
Security and ease of use: never the twain shall meet?
Banks that try to craft security strategies that impose less friction on the user often find themselves unable to identify fraudulent transactions accurately. The current high decline rate on e-commerce transactions is a result of banks’ attempts to use only the information available in the back-end message to determine the legitimacy of a transaction, minimizing user input.
If a legitimate customer is declined as a result, however, they are unlikely to attempt the same transaction again with the same card, which places that particular issuer at the risk of losing their “top of wallet” status. To reduce false declines, banks need more information – such as device and behavioral data – to enable better risk decision-making.
Then there is the fact that banks cannot get the additional detail they want, in order for their risk engines to make more accurate decisions, from e-commerce transactions unless the merchants open up a channel that allows them to do so. Banks are realizing that they may need to help enable low-friction user authentication by accepting some of the liability, as an incentive to merchants to gather and transmit more user data for risk assessment.
In a world where user experience is becoming more essential to success in digital services, banks that were not willing or able to pursue a frictionless e-commerce user experience now hope that partnering with merchants on risk-based authentication will be an answer. Time will tell.