• Platform
    Arrow
  • Industries
    Arrow
  • Resources
    Arrow
  • Company
    Arrow
Make an enquiry
Back
Back

Platform

Interact Application Suite

A suite of pre-built pre integrated easy to configure services that work alongside your system.

Back
Back
Industries

We provide financial services providers, including banks and building societies with the option to greatly enhance their customer-facing digital platforms in an efficient, cost-effective manner.

Back
Back
Resource Centre

Stay in touch with news, views and articles across industry with a technical perspective on digital transformation 

Back
Back
About us

Discover the story behind delivering solutions for the biggest names in financial services for 25 years.

Search the site

Search

Close

Is transaction risk analysis important to anyone except fraud rate geeks?

Without careful oversight, transaction risk analysis, or TRA, could be a get-out clause for the providers, says Clayton Locke.

Without careful oversight, transaction risk analysis, or TRA, could be a get-out clause for the providers, says Clayton Locke.

Paying a restaurant bill with a smartphone

Archive

Date

25th June 2019

Clayton Locke


Strong Customer Authentication (SCA) forms part of the European regulation known as the second Payment Services Directive (PSD2). SCA helps to reduce fraud and make online payments more secure by taking a risk-based approach to authentication before a transaction can be processed. The waters of regulation cloud over a little when it comes to transaction risk analysis (TRA), but let’s tackle what we call progressive security first.

The concept of progressive security is demonstrated best by looking at transaction risk. For instance, buying a coffee requires a low level of authentication, whereas buying a car requires a much higher level of authentication. The updated PSD2 regulation mandates that Strong Customer Authentication is required for “customer-initiated” online payments within Europe, so transaction security is being increased to counter fraud. This means methods of authentication need to be simple to use, fast to implement and incredibly secure.

For instance, here at ieDigital, we adhere to SCA standards for high levels of secure data transfer and customer authentication, and progressive security is a principle that’s built into our digital banking engagement platform, Interact. You can, for example, see your account balance without logging in at all. If you have the app running on your phone and you’ve agreed that you’d like to see the balance before login, this is the lowest level of security. It’s still secure, but the security is absent. Behind the scenes, the app is securely connecting to a server, with all data being encrypted. More detailed transactions require a passcode. If you want to make a payment, you have to provide a passcode and perhaps answer a question, and eventually you progress to a strong credential, which would be a biometric or a one-time password.

So, what’s transaction risk analysis?

With SCA mandated as part of European regulation, the requirement is for more robust measures to counter fraud. An interesting but little-known fact (apart from us geeks, of course) about SCA and PSD2 is that the regulation gives the payment providers a fair amount of leeway on when SCA must be applied. In the regulation, this is called transaction risk analysis (TRA – sorry for yet another acronym). Basically, this is a form of real-time progressive security whereby the system is allowed to compute the risk of a transaction based on a number of factors. The computation combines these risk-based factors to determine if SCA is required.

This is interesting because the whole point of SCA in the regulation is to mandate strong authentication to protect the end consumer from fraud. Without careful oversight, TRA could be a get-out clause for the providers.

One would think that payment providers would want to eliminate fraud even more than end users, but while this may be the ethical stance of most providers, the fact is that the more payments they take, the more money they make. The cost of fraud is significant, but the cost of difficult security mechanisms that result in a reduction in payment transaction volume is higher. People gravitate to easier ways of making a payment. If the security makes it difficult (“I forgot my password”), then the payment isn’t taken, resulting in lost revenue to the payment service provider.

The open question is whether this part of the regulation will create a perverse incentive for a payment provider to use a TRA algorithm that results in more payment transactions, but fewer SCA challenges – and whether that also results in a higher fraud rate. I’m sure fraud rate geeks will enjoy doing the future statistics required to answer this question!


Related Content

You might be interested in...