While part of the payment industry is alarmist, assessing an additional 57% of 3DS triggering starting last quarter of 2019, Sophie Rousset is reassuring. Fraud Manager at Dalenys, she shares her thoughts on the fraud rates set by the Regulatory Technical Standards (RTS) within PSD2 and how to respect them. Interview.
The OSMP report published July 9th, 2019, reveals a rise in the fraud rate in 2018 (+0.4 bsp compared to 2017) on French credit cards. How do you explain it?
This increase is to be compared to the evolution in the share of credit card: more traffic on credit cards brings more fraud in terms of volume. On the other hand, despite the steady growth of e-commerce, the fraud rate is only slightly increasing. The fraud remains well controlled.
Moreover, this surge in 2018 is to be replaced in a longer period from 2015 to 2017. Before 2015, the fraud rate increased proportionally to online growth, whereas in 2016-2017, the fraud rate significantly declined. It then went from 0.074% (in 2015) to 0.058% (in 2017). French merchants are becoming increasingly aware of fraud protection benefits.
How does this awareness of French e-merchants, in terms of fraud, materialize in your opinion?
With the precision offered by the current tools, it is now possible to control fraud without impacting conversion. This approach, addressing both challenges of generating revenue and optimizing fight against fraud, has brought the attention of e-merchants. Some merchants now invest or select a payment solution based on its ability to manage fraud.
While being fully autonomous in fighting online fraud remains possible, it requires dedicated resources and coding. E-merchands tend now to be equipped with specialized solution, or a PSP with dedicated tools. At Dalenys, our knowledge of DATA and the combination of cutting-edge tools at the service of a team of experts allow us to work constantly on the optimization of acceptance once fraudulent behavior has been stopped.
What is the method adopted by your team?
Fraud is shifting. Fraudsters adapt to evolution of technology and quickly detect the anti-fraud thresholds to circumvent them. This requires having an agile fight against fraud rule engine to quickly block new fraudulent behavior and have real-time tracking to react quickly. At Dalenys, we have a constant granular management of the data and this. A new delivery address, a new IP address, a new device, these are all criteria helpful to detect fraud. We ask for these meta-data to enrich already identified potentially risky information. Moreover, these fields already intuitively collected by Dalenys will be imposed by the PSD2 to feed the observation of the issuer and help him better detect fraud. For example, we can detect a client account hijacking by observing a new delivery address, registered on a historical customer account and combined by the use of a new device and IP address.
Some data are imposed by the issuer, which are already shared by e-merchants to their PSP. Dalenys capitalizes on DATA since we have already developed more than 60 new non-mandatory fields to foster knowledge of the issuer decision and fuel its decision engine.
How these 60 new fields key within the context of PSD2?
Dalenys has always been a partner of choice for a merchant wanting to control his fraud. We remain confident towards the implementation of this new regulation thanks to our TRA, our experts and, if we go into detail, our approach refined by the data. First, Dalenys is a full-service payment solution, both PSP and Acquirer. Our dataset is enriched by this double positioning. The solution gained experience since 2013 and we’ve identified critical data for each vertical, each market specificity.
With the implementation of RTS on September 14th, 2019, new fields will be imposed and many are already developed and required by our integration. On the development side, the migration from 3DS v1 to 3DS v2 is made easy on Dalenys. The test environment has been available since June. The premium fraud support that we offer also help our merchants being confident. The merchants’ fraud rate is under control and they should not experience an increase of 3DS triggering rate.
Will the market be able to easily reach the fraud thresholds imposed by RTS to request frictionless payments?
The RTS oblige Acquirers and Issuers to respect fraud thresholds in terms of fraud volume. Merchants with high fraud rates should be aware that investing in fight against fraud is necessary. Some merchants already have very good results, including on sectors particularly targeted by fraudsters. The thresholds will be achieved, but the merchants who took action to reduce fraud will undergo a smooth transition, while the others will suffer the decisions of the issuers. When the thresholds are reached, merchants will then be able to benefit from TRA exemptions and offer passive authentication. At Dalenys, we’ve been collaborating with merchants far from the thresholds from the beginning of the year.
The thresholds from 0 to 100 € (0.13% fraud rate) and from 100 to 250 € (0.06%) seem achievable, especially with Premium plan at Dalenys. From 250 to 500 €, the fraud rate threshold stands at 0.01%. This seems more difficult to reach as only a few ad hoc frauds would overcome the rate. It is assumed then that the Challenge flow will be systematic on these transactions.
Which sectors will be most affected by RTS?
Merchants will be more or less affected, not according to the sector, but according to their average basket. If it turns out to be in the range of 250 to 500 €, it may be more affected by the outbreak of 3DS v2. As a result, the Travel or Furniture sectors, which are experiencing transactions in this range, are likely to suffer.
Fortunately, the increase in strong authentication will be temporary. Once all the stakeholders in the industry are ready and the issuers process the additional data and have refined their scoring, the fraud thresholds will be achieved. More passive authentication should then be observed. Issuers will have a 360 vision on the entire payment process indeed, allowing them to authenticate the cardholder without action on his part. Mastercard announces 57% additional SCA triggering, while CB predicts a 19% increase. At Dalenys, we are expected an intermediate value but temporary increase. This optimism also leads us to reassure on the transactions failed after the triggering of the 3DS v1 (failure rate of 11% according to the report of the OSMP): with the 3DS v2, this percentage should decrease and promote authentication passive.
How could fraud evolve as a result of all these changes?
Fraud amounts relating to MOTO / One-leg out / MIT transactions are not included in the calculation of the TRA fraud rates reported to the EBA (European Banking Authority), used as reference by the regulator. This rate determines whether the Acquiring or Issuing PSP is able to request an exemption to avoid challenge authentication. Outside the RTS scope, fraud generated by MOTO transactions does not arouse any expectation from the European Bank. We assume that some merchants will pay less attention, while the fraudsters are already very active on this channel.
Transactions outside Europe are also out of scope of the RTS, while the fraud rate is particularly high on cards issued internationally. While we may expect fraudsters will fall back to this type of card to avoid European anti-fraud measures, Dalenys already increased surveillance so that the merchants remain protected.
Discover our special folder to prepare your company to new European requirements and anticipate the impacts on your turnover.