Advances in online payment security
Updated: Jan 30
Online purchases have increased rapidly in the past few years, bringing with them an increase in online fraud. To protect users of digital payment services from falling victim to fraud, EU regulators will start enforcing new technical requirements in early 2021. One of the more important pieces of regulation is the Commission Delegated Regulation (EU) 2018/389, more commonly referred to as the “SCA” (Strong Customer Authentication), which is an important part of the EU PSD2 rules. The SCA requires payment service providers to implement additional safeguards at the point of sending or authorising a transaction. Most of us have likely experienced this while making purchases online. In short, the SCA obliges companies to apply additional verification methods at the point of transaction. There are a number of exemptions, related to transaction value, the fraud rate a company has experienced, subscription-based transactions of a recurring nature, and transactions with “whitelisted” recipients. For example, a company that experiences a higher fraud rate will be expected to apply SCA more often. The SCA requirements also take aim at transactions above EUR 30; transactions below that value are seen as low-value transactions and may likewise be exempt from SCA.
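The exemption rules above amount to a small decision procedure that a payment service provider runs before deciding whether to challenge a payment. The following is an added example written for this post, not code from Yoba or from any regulator or PSP. It implements only the exemptions the post names: recurring subscription payments, payees on the payer's whitelist, and low-value transactions below the EUR 30 figure, with a higher observed fraud rate withdrawing the low-value exemption so that SCA is applied more often. The fraud-rate ceiling, the rule that the first payment of a subscription series is always challenged, and all sample transactions are assumptions constructed for illustration, not figures from the regulation.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# From the post: transactions below EUR 30 are low-value and may be exempt.
LOW_VALUE_LIMIT_EUR = Decimal("30.00")

# Assumption (not from the post or the regulation): above this observed fraud
# rate the PSP stops granting the low-value exemption, so a worsening fraud
# rate means SCA is applied more often. 0.13% is an illustrative placeholder.
FRAUD_RATE_CEILING = Decimal("0.0013")


@dataclass
class Transaction:
    amount_eur: Decimal
    payee_id: str
    recurring: bool = False        # part of a subscription-style series
    first_in_series: bool = False  # the payment that sets the series up


@dataclass
class Context:
    psp_fraud_rate: Decimal                            # observed fraud rate as a fraction
    trusted_payees: set = field(default_factory=set)   # payer's "whitelisted" recipients


def sca_required(tx, ctx):
    """Decide whether a transaction must be challenged with SCA.

    Returns (requires_sca, reason). Exemptions are checked in order and a
    transaction that matches none of them is challenged by default, so a
    bug in an exemption branch fails towards more authentication, not less.
    """
    # Assumption: the set-up payment of a subscription is always challenged;
    # only the follow-on recurring payments are exempt.
    if tx.recurring and tx.first_in_series:
        return True, "first_of_series"
    if tx.recurring:
        return False, "recurring"
    if tx.payee_id in ctx.trusted_payees:
        return False, "trusted_payee"
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        if ctx.psp_fraud_rate <= FRAUD_RATE_CEILING:
            return False, "low_value"
        # Low value, but the fraud rate has removed the exemption.
        return True, "fraud_rate"
    return True, "default"


def evaluate_batch(txs, ctx):
    """Run the decision over a list of transactions, preserving order."""
    return [sca_required(tx, ctx) for tx in txs]


# Constructed sample input for illustration only; not real payment data.
SAMPLE_CONTEXT = Context(psp_fraud_rate=Decimal("0.0010"),
                         trusted_payees={"merchant-A"})
SAMPLE_TXS = [
    Transaction(Decimal("12.50"), "merchant-B"),
    Transaction(Decimal("89.00"), "merchant-A"),
    Transaction(Decimal("9.99"), "streaming-svc", recurring=True),
    Transaction(Decimal("9.99"), "streaming-svc", recurring=True,
                first_in_series=True),
    Transaction(Decimal("250.00"), "merchant-C"),
]

if __name__ == "__main__":
    for tx, (needs_sca, why) in zip(SAMPLE_TXS,
                                    evaluate_batch(SAMPLE_TXS, SAMPLE_CONTEXT)):
        print(f"{tx.amount_eur:>8} EUR -> {tx.payee_id:14} SCA={needs_sca} ({why})")
```

Two design points carry over to a real implementation: the default branch challenges the payment, so forgetting a case never silently waives authentication, and every decision returns the reason it was taken, which is what an auditor or a fraud analyst will ask for when reviewing why a particular transaction was or was not challenged.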
The SCA requirements, while very detailed, still leave room for company-specific approaches, as neatly summarised in this 11:FS primer, as long as two of the following three elements are represented in the process:
In effect this means that different online payment processes manage their SCA requirements in a variety of ways, leaving customers confused as to when, and what kind of, verification they will need to perform. On top of this, the industry is developing a wide variety of re-authentication measures, with differing rules for when a transaction must be re-authenticated. Some firms have taken a hard-line approach and require re-authentication for all payments, while others are taking a more flexible approach. For example, NatWest is developing a behavioural biometrics technology that seeks to prevent payment fraud by analysing the unique ways a customer interacts with their device when making an online transaction. That information is then used to confirm the identity of the payee as well as to ensure that the cardholder is the one authorising the payment. While the success of the project remains to be seen, it is developments like these that will ultimately be able to deliver a seamless experience while ensuring a high level of security. At some point it is likely that an industry standard will emerge organically.
The SCA requirements are still in their infancy, and some markets across Europe do not enforce the rules today, as enforcement has been postponed to different dates by each local regulator; in the next few months, however, the rules are likely to be enforced across Europe. At Yoba we are closely monitoring developments in SCA solutions that could provide a seamless customer experience while adequately protecting customers against fraud. It is a balancing act that must also take into account the individual complexities of each customer.