March 26, 2017
As we speedily approach 2018, the deadline looms for countries in the EU to implement the EBA’s PSD2 strong customer authentication requirements. Banks, payment providers and merchants are in a heated discussion on which proposals will help or hinder their business.
The EBA has recognized that indiscriminate authentication negatively impacts the user experience as well as the adoption rate of mobile wallets. In response, it has recommended a risk-based approach to authentication and has eliminated the necessity for strong customer authentication for payments up to €30. Payments between €30 and €500 will be subject to meeting fraud thresholds set by the EBA. This will create different risk profiles that will need to be managed by the issuers.
While we applaud the EBA’s new recommendations, we feel that there still remains more to be done.
Strong customer authentication has been applied by banks for many years already and is part of most online banking security controls. Despite these controls, we’ve seen that fraudsters are successful in cashing out. Mobile payments offer weaker security controls: passwords, PIN codes and even biometric authentication can be circumvented more easily, and most devices don’t even have basic defenses such as antivirus and a firewall. Fraudsters always seek the weakest link to infiltrate, and mobile payments have become the next in line. As a result, mobile wallet fraud is on the rise.
The problem is that current mobile payment controls still don’t give banks the visibility they desperately need. In other words, they still don’t know whether the payment device is connected to the consumer using it for that particular transaction. Was the device stolen, and is it now being used by a fraudster? Did the fraudster succeed in onboarding using the customer’s stolen identity? Or did the customer simply take their mobile device abroad and decide to splurge on luxury items in Europe? Currently, banks struggle to differentiate between these scenarios with their existing fraud detection systems and instead rely on cumbersome and costly operations (call centers, one-time passwords (OTP), knowledge-based authentication (KBA)) to contact the consumer directly and validate the transaction.
What banks need is the ability to detect fraud on the mobile device itself in the pre-transaction phase. With better visibility into the payment activity of the user through in-depth behavioral mapping, they can accurately identify fraudulent attempts and trigger authentication only upon these suspicious and risky transactions. This solution is a big improvement compared to current legacy systems which create friction and have a high number of false positives in their fraud detection.
As a leading payment provider, PayPal also recognizes banks’ lack of visibility. Its recommendation to the EBA suggests that factors beyond the value of a transaction, such as the type of device used and the user’s usual pattern of behavior, pose additional risk and should be included in the EBA assessment. The risk presented by the value of the transaction can be mitigated using technologies that analyze all of the information the user provides.
On-device fraud detection is based on acquiring behavioral data from multichannel sources, whether it be mobile, plastic card, web or the device itself. This approach to mobile-based fraud detection combines individual spending activity with advanced machine learning to differentiate between fraudulent purchases and legitimate transactions.
This frees banks from constant worry about whether or not they are meeting the levels of fraud standards the EBA requires of them.
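The decision flow described above (no SCA below €30, a fraud-threshold condition between €30 and €500, and a challenge otherwise only when on-device behavioral signals look risky) can be sketched as a small step-up policy. This is an added example, not code from the original post or from any vendor product; the €30 and €500 amounts are the ones the post cites, while the fraud-rate thresholds, the device profile fields, the anomaly model and its cut-off are constructed placeholders, not EBA figures.

```python
"""Risk-based SCA decision for a mobile wallet payment (added example).

Models the flow the post describes: no strong customer authentication (SCA)
up to EUR 30, a fraud-rate condition for EUR 30-500, and a challenge only when
on-device signals (device binding, spending and PIN-typing behaviour) look
risky. Thresholds, weights and sample data below are constructed placeholders.
"""
import math
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    FRICTIONLESS = "frictionless"  # approve without an SCA challenge
    STEP_UP = "step_up"            # require SCA before approving


LOW_VALUE_LIMIT_EUR = 30.0    # from the post: SCA not required up to this amount
TRA_UPPER_LIMIT_EUR = 500.0   # from the post: fraud-threshold band ends here

# Constructed (band upper limit, max issuer fraud rate) pairs. The post says the
# EBA sets such thresholds but quotes no numbers, so these are placeholders.
FRAUD_RATE_THRESHOLDS = [(100.0, 0.0020), (250.0, 0.0010), (500.0, 0.0005)]


@dataclass(frozen=True)
class DeviceProfile:
    """Baseline the wallet app keeps for its enrolled owner (constructed fields)."""
    device_id: str
    bound_user: str
    home_country: str
    mean_amount_eur: float
    sd_amount_eur: float
    mean_cadence_ms: float   # mean inter-key interval while entering the PIN
    sd_cadence_ms: float


@dataclass(frozen=True)
class Transaction:
    user: str
    device_id: str
    country: str
    amount_eur: float
    observed_cadence_ms: float


def behavioural_anomaly(profile: DeviceProfile, tx: Transaction) -> float:
    """Score in [0, 1): how far this payment sits from the owner's baseline.

    Weighted z-scores squashed by 1 - exp(-x/3). This stands in for the
    machine-learning classifier the post alludes to; weights are constructed.
    """
    z_amount = abs(tx.amount_eur - profile.mean_amount_eur) / max(profile.sd_amount_eur, 1e-6)
    z_cadence = abs(tx.observed_cadence_ms - profile.mean_cadence_ms) / max(profile.sd_cadence_ms, 1e-6)
    abroad = 1.0 if tx.country != profile.home_country else 0.0
    raw = 0.5 * z_amount + 0.3 * z_cadence + 1.5 * abroad
    return 1.0 - math.exp(-raw / 3.0)


def issuer_within_threshold(amount_eur: float, issuer_fraud_rate: float) -> bool:
    """True if the issuer's fraud rate is under the limit for this amount band."""
    for band_limit, max_rate in FRAUD_RATE_THRESHOLDS:
        if amount_eur <= band_limit:
            return issuer_fraud_rate <= max_rate
    return False


def decide(profile: DeviceProfile, tx: Transaction,
           issuer_fraud_rate: float, anomaly_cutoff: float = 0.6) -> Decision:
    # Device or identity not bound to the payer: the stolen-device / stolen-identity cases.
    if tx.device_id != profile.device_id or tx.user != profile.bound_user:
        return Decision.STEP_UP
    # A risky behavioural pattern is challenged even under the EUR 30 exemption.
    if behavioural_anomaly(profile, tx) >= anomaly_cutoff:
        return Decision.STEP_UP
    if tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return Decision.FRICTIONLESS
    if tx.amount_eur <= TRA_UPPER_LIMIT_EUR and issuer_within_threshold(tx.amount_eur, issuer_fraud_rate):
        return Decision.FRICTIONLESS
    return Decision.STEP_UP


# Constructed owner baseline and sample payments.
OWNER = DeviceProfile("dev-A1", "alice", "NL", 40.0, 25.0, 180.0, 40.0)
SAMPLE_TXS = {
    "coffee_at_home": Transaction("alice", "dev-A1", "NL", 12.50, 190.0),   # exempt, normal
    "groceries_80":   Transaction("alice", "dev-A1", "NL", 80.00, 175.0),   # mid band, normal
    "splurge_450":    Transaction("alice", "dev-A1", "NL", 450.00, 185.0),  # far above usual spend
    "stolen_device":  Transaction("alice", "dev-Z9", "NL", 5.00, 180.0),    # unknown device
    "abroad_odd_pin": Transaction("alice", "dev-A1", "ES", 25.00, 360.0),   # abroad, odd typing
}


def run_examples(issuer_fraud_rate: float = 0.0015) -> dict:
    """Decide every sample payment for an issuer with the given fraud rate."""
    return {name: decide(OWNER, tx, issuer_fraud_rate) for name, tx in SAMPLE_TXS.items()}


if __name__ == "__main__":
    for name, outcome in run_examples().items():
        print(f"{name:15s} -> {outcome.value}")
```

Note that the €30 exemption is not the last word: the low-value payment made abroad with an unfamiliar PIN-typing cadence is still challenged, while the €80 purchase passes without friction only as long as the issuer stays under its fraud-rate threshold for that band.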
Mobile wallet payment adoption is growing at a frantic pace. With more than 450 million users today paying with their mobile devices, Gartner has projected a figure of $720 billion in annual global mobile payment transactions by 2017. Mobile payment fraud is currently over six times that of card fraud, according to Droplabs, a leading mobile payments and e-commerce strategy and advisory firm, and that number is expected to rise significantly as mobile payments increase.
In response to the rise in mobile wallets and PSD2, disruptive banks will need to become early adopters of API-enabled payment systems that allow third-party providers to initiate payments from customer accounts. Mitigating the new risk this disruptive approach introduces requires effective on-device security controls to combat the increasing risk of mobile payment fraud.
Banks already use risk-based systems today, and they won’t be taken out of the mobile payment playing field due to PSD2. That’s a relief to banks, retailers and consumers alike, but no single authority alone can stop fraud. It must be a multi-layer approach, and the industry has learned its lesson from its experience in the web banking channel, where fraudsters’ man-in-the-browser (MITB) attacks succeeded in bypassing security solutions that included strong customer authentication.
Banks should decide whether this time they choose to be better prepared in the mobile payments arena.