
Meeting PSD2 SCA requirements with SEON


by Florian Tanant

The EU’s new SCA requirements (strong customer authentication) can be worrying for businesses. Let’s see how fraud authentication tools can help.

The European Union created the PSD2 regulation to promote competition and innovation within the payments industry, and to make transactions more secure.

We’ll go over what your risk management team should keep an eye on, how the different elements work including 3DS2 and how SEON can support you in ensuring compliance.

What is the Second Payment Service Directive?

The Second Payment Service Directive is the latest payments directive from the European Union. It requires banks to share the user data they collect: if you, as a customer, authorise data sharing, third-party services can use it for a variety of services and financial products.

The directive also pushes for Payment Initiation Services (PIS). These online services can access a user's payment account to initiate a payment directly, as long as authentication is checked and consent is given.

What is the goal of PSD2?

Financial products and services vary greatly across Europe, both in quality and price. The PSD2 directive aims to reduce the number of divergent domestic frameworks and harmonise local regulations. This will help third-party financial services scale across the continent, foster international eCommerce, and attract new ventures wishing to tap into a larger, unified market.

PSD2 also simplifies the current payment chain. PIS will cut down on middlemen by potentially removing bank card companies, acquirers and payment gateways, allowing banks to deal directly with merchants. It will significantly reduce transaction costs.

What Does PSD2 Say About SCA?

All online payments made by customers in the EU need to be secured through the appropriate technology. In PSD2, it is referred to as strong customer authentication (SCA).

Article 2(1) of the PSD2 clearly stipulates that: “payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions”.

The minimum requirements for payment transaction analysis are further explained in Article 2(2). These include:

  • Checks against lists with compromised or stolen authentication elements
  • Checks against known fraud scenarios
  • Detection of malware infection of the authentication device
  • Deviations in the amount of the transaction
  • Analysis of the device/software, when provided by the PSP

How Does 3-D Secure 2.0 Fit Into the Picture?

3-D Secure is the standard designed by EMVCo and the major credit card schemes. 3-D Secure 1.0 usually required a static token (such as a password) to complete a card payment; 3-D Secure 2.0 increases the number of data points checked to improve payment security.

The previous version was notoriously clunky. US merchants reported decreased conversion rates of up to 45% because of the friction it creates for users. So yes, it might reduce chargeback fraud, but it also reduces overall profits.

The 2.0 version enables a more frictionless payment flow through dynamic 2FA, which passes multiple data points from the merchant to the issuer. These data points can reduce fraud for PSD2-based payments while meeting the requirements.

However, contrary to popular belief, 3-D Secure is not mandatory to pass the SCA requirements. Firstly, there are a number of exemptions (low-value or low-risk transactions, subscriptions, whitelisted merchants, etc.).

Secondly, the right fraud authentication tool can help you achieve the same as 3-D Secure, if not more, and meet PSD2 authentication standards without resorting to manual reviews.

Below is our breakdown of the SCA requirements, and how a risk management tool like SEON can meet them.

Checks against lists with compromised or stolen authentication elements.

What does it mean?

Account takeovers must be spotted to ensure neither customer credentials nor other data points have been compromised.

How SEON covers it:

  • User behaviour rules: our Scoring Engine sets up relevant rules to mitigate the risk of account takeovers. User behaviour rules allow fraud and risk managers to alter the classification in case a user is trying to transact with an unknown authentication element (e.g. new ISP, new device, new IP address).
  • SEON’s Proxy API: it generates a risk score associated with a single IP address, revealing anomalies related to IP spoofing/masking. The IP address is also validated by the spam blacklist check process in order to identify prior anomalies from a specific connection.
  • SEON’s Device Fingerprint tool collects insights about devices associated with a user. Account takeovers and various anomalies can easily be avoided by implementing the Device Fingerprinting module.
  • Lastly, our data enrichment process takes the user email address and checks it against a database of known compromises or data breaches.

Checks against known fraud scenarios.

What does it mean?

Known fraud scenarios should be set up in a fraud monitoring tool as pre-set rules. Furthermore, Machine Learning can help define unforeseen fraud scenarios.

How SEON covers it:

  • Fully customisable Scoring Engine: admins can create rules based on any relevant logic. All existing rules are listed on one page with the option to modify or delete them. Known fraud scenarios can easily be defined using the Scoring Engine, and unspotted fraud patterns are flagged by the automatic Machine Learning module. The ML generates complex rule suggestions on its own.

Detection of malware infection of the authentication device

What does it mean?

Malware or botnets attempting to spoof the identity of the customer (account takeover) must be spotted.

How SEON covers it:

  • The Device Fingerprinting module can identify virtual machines, emulators or advanced fraud tools (e.g. AntiDetect, FraudFox, Multiloginapp).
  • Using the proxy analysis tool, the open ports of the IP address are pinged to enhance identification of Proxy, VPN or Tor usage and to see whether the router is communicating with other servers.
  • Machine Learning: automatically generates rules that improve the precision of account takeover detection.

Deviations in the amount of the transaction.

What does it mean?

If the customer is trying to transact in a way that is out of the ordinary, the anomaly has to be spotted.

How SEON covers it:

  • In the Scoring Engine, managers can use rule parameters to compare past and present input field values within a certain time frame. Past fields are linked through a matching data point, which may also be selected.
  • Velocity rules allow fraud managers to set up triggers based on unusual recurring actions measured in a certain timeframe. This means certain deviations in average spending patterns can easily be spotted and classified accordingly.
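The following is an added example, not SEON's code, of how the Article 2(2) minimum checks listed earlier (compromised-element lists, known fraud scenarios, amount deviation, device/IP analysis) and the velocity and past-versus-present comparison rules described in this section can be expressed as a small rule-based scoring engine. The rule weights, thresholds, classification bands, blacklist contents and the sample transactions are all constructed for illustration and are not values from the page.

```python
# Added example (not SEON's code): a small rule-based transaction scorer that
# implements the Article 2(2) minimum checks listed above, plus the amount-deviation
# and velocity rules described in this section. All names, thresholds, list
# contents and sample transactions are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Transaction:
    user: str
    amount: float       # transaction amount in a single currency
    device_id: str      # device fingerprint identifier
    ip: str
    email: str
    ts: datetime


# Constructed "compromised or stolen authentication elements" lists (hypothetical values).
BREACHED_EMAILS = {"breached@example.com"}
BLACKLISTED_IPS = {"203.0.113.7"}

# Hypothetical thresholds; in a real scoring engine these are configurable rule parameters.
VELOCITY_WINDOW = timedelta(minutes=10)   # look-back window for the velocity rule
VELOCITY_MAX = 3                          # prior transactions in the window that trigger it
DEVIATION_FACTOR = 5.0                    # amount > factor x user's average amount triggers


def score_transaction(tx, history):
    """Score one transaction against the user's prior transactions.

    Returns (score, reasons); each triggered rule adds points and a reason string.
    """
    score, reasons = 0, []

    # Check 1: compromised or stolen authentication elements.
    if tx.email in BREACHED_EMAILS:
        score += 40
        reasons.append("email_breached")
    if tx.ip in BLACKLISTED_IPS:
        score += 30
        reasons.append("ip_blacklisted")

    # Only this user's earlier transactions are relevant for the remaining rules.
    past = [h for h in history if h.user == tx.user and h.ts < tx.ts]
    if past:
        # Check 2: known fraud scenario - returning user on an unknown device AND unknown IP.
        if tx.device_id not in {h.device_id for h in past} and tx.ip not in {h.ip for h in past}:
            score += 25
            reasons.append("new_device_and_ip")

        # Check 3: deviation in the amount of the transaction vs. the user's past average.
        avg = mean(h.amount for h in past)
        if tx.amount > DEVIATION_FACTOR * avg:
            score += 30
            reasons.append("amount_deviation")

    # Check 4: velocity - too many transactions from this user inside the window.
    recent = [h for h in past if tx.ts - h.ts <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_MAX:
        score += 20
        reasons.append("velocity")

    return score, reasons


def classify(score):
    """Map a score to an action; the bands are constructed for the example."""
    if score >= 60:
        return "decline"
    if score >= 30:
        return "review"
    return "approve"


# Constructed history for one user: three ordinary purchases from the same device and IP.
T0 = datetime(2020, 1, 1, 12, 0)
SAMPLE_HISTORY = [
    Transaction("alice", 20.0, "dev-A", "198.51.100.10", "alice@example.com", T0),
    Transaction("alice", 25.0, "dev-A", "198.51.100.10", "alice@example.com", T0 + timedelta(days=1)),
    Transaction("alice", 30.0, "dev-A", "198.51.100.10", "alice@example.com", T0 + timedelta(days=2)),
]


def demo():
    """Score a normal purchase and a suspicious one against SAMPLE_HISTORY."""
    normal = Transaction("alice", 22.0, "dev-A", "198.51.100.10", "alice@example.com",
                         T0 + timedelta(days=3))
    suspicious = Transaction("alice", 900.0, "dev-Z", "203.0.113.7", "alice@example.com",
                             T0 + timedelta(days=3, minutes=1))
    results = {}
    for name, tx in (("normal", normal), ("suspicious", suspicious)):
        score, reasons = score_transaction(tx, SAMPLE_HISTORY)
        results[name] = (score, classify(score), reasons)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Each rule is independent and additive, which is what lets a risk manager tune one check (for example the deviation factor or the velocity window) without affecting the others; the suspicious transaction in `demo()` trips the blacklist, new-device-and-IP and amount-deviation rules together and lands in the decline band, while a burst of small purchases from a known device trips only the velocity rule.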

Analysis of the device/software, when provided by the PSP.

What does it mean?

The customer device has to be identified and validated to ensure safe customer authentication and full risk assessment.

How SEON covers it:

  • Our Device Fingerprint tool collects insights about devices associated with a user. Account takeovers and device spoofing anomalies can easily be avoided, as it accurately identifies returning visitors based on their previously used device. Even if the user deletes their browser and reinstalls it, the system still identifies the matching data-points.

Conclusion – PSD2, SCA and Fraud Authentication

PSD2 is a strongly consumer-focused directive from the European Union. Everyone, on paper, should benefit from decreased transaction fees, reduced payment friction, and increased authentication security.

However, this security point may be challenging for Risk Ops teams in the same way the GDPR and fraud detection appear at odds with each other.

It might require you to train fraud managers, who might feel they have to jump through hoops to keep their organisations compliant. Luckily, at SEON, we firmly believe implementing our series of fraud authentication tools can cover all those legal requirements, while future-proofing your business.

Florian Tanant, Communication Specialist