Retail in Asia


Beating fraudsters at their game: employ a multi-layer security strategy

Consumer buying behaviours have changed dramatically over the past few years due to pandemic lockdowns and prolonged movement controls. As online shopping has become mainstream, fraud has correspondingly migrated from traditional face-to-face channels to eCommerce.

Payment authentication is no stranger to retailers and consumers. It is the process of confirming a customer’s identity, and it is a vital tool in preventing credit card fraud. In the early days of internet payments, Visa enlisted the help of a partner to develop a protocol that would act as an additional layer of security for online transactions. The solution was what we now know as 3D Secure. It creates an authentication data connection between digital merchants, payment networks and financial institutions so that they can analyse and share more intelligence about transactions.

As more payments moved online, security threats also evolved, which inspired the creation of the one-time-passcode (OTP) – a service made available only on 3D Secure compliant merchant sites. Backed by a real-time SMS-delivery system, the OTP was designed to challenge a customer on their stated identity, which was initially successful. We might say too successful: over-reliance on a single-verification system has proved dangerous in the face of increasingly prolific and sophisticated fraudsters. The result is millions of dollars lost to scams, an unpleasant user experience and, in some cases, the loss of confidence in the card issuing bank.

In the era of digital commerce, mobile payments and borderless transactions, mitigating payment risks has become more important than ever. Alongside the sector’s growth, the number of cases related to online credit card misuse has also jumped, with the number of complaints received in 2021 being 3.7 times more than in 2020. Recent news reports have cited various examples of stolen personal information, identity fraud and phone scams, and the Hong Kong Monetary Authority reported that complaints related to unauthorised credit card transactions had, as of 8 December 2022, already exceeded the number for 2021.

A rise in fraudulent use cases and card-not-present transactions is alarming. It is critical to adopt best practices in simplifying checkout processes and offering more secure measures to better protect consumers.

From EMV®3-D Secure 1.0 to 2.0 – Why now

EMV®3-D Secure (3DS 1.0) was built at a time when consumers were carrying out online transactions via their desktops. But in today’s mobile-first era, the 3DS 1.0 protocol no longer provides the optimal user experience or the level of security needed to mitigate modern-day credit card fraud. Today’s multiple-party payments model involves end-to-end secure transactions that are encrypted and protected every step of the way. This brings us to the next phase of payment security, EMV®3-D Secure 2.0 (3DS 2.0), which is grounded in risk-based authentication. Better, stronger fraud-detection intelligence, to put it simply.

A risk-based authentication (RBA) process is an intelligent system that uses first-party data to determine the risk level of a transaction and applies authentication accordingly. It is designed to recognize high-risk scenarios and thwart fraudsters by issuing stringent challenges. It also allows issuers to further combine the interrogation of multiple data elements with best-in-class forms of challenge authentication such as biometrics. In all other situations, it carries out authentication in the background, enabling legitimate card users to go about their business effortlessly.

For example, small, regular transactions that a customer makes such as online utility payments using a recognised mobile device would be deemed low-risk and as such pass without the need for an extra layer of authentication. By contrast, an expensive online luxury goods purchase with no precedent would trigger the need for personal verification to complete the process.
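The risk-based decision described above, as an added example (not Visa's or EMVCo's scoring logic): the three signals, their weights and the challenge threshold are assumptions chosen to mirror the two scenarios in the text, and the cardholder history is constructed sample data.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Txn:
    amount: float
    merchant_category: str
    device_id: str

# Illustrative weights and threshold (assumptions, not values from any scheme).
W_NEW_DEVICE, W_NO_PRECEDENT, W_HIGH_AMOUNT = 50, 25, 25
CHALLENGE_THRESHOLD = 50
AMOUNT_MULTIPLIER = 3  # "far above usual" = more than 3x the cardholder's median

def risk_score(txn, history):
    """Score a transaction against the cardholder's own history."""
    if not history:
        return 100, ["no cardholder history"]
    score, reasons = 0, []
    if txn.device_id not in {h.device_id for h in history}:
        score += W_NEW_DEVICE
        reasons.append("unrecognised device")
    same_cat = [h.amount for h in history
                if h.merchant_category == txn.merchant_category]
    if not same_cat:
        score += W_NO_PRECEDENT
        reasons.append("no precedent for merchant category")
    # Compare against spend in this category, or overall spend if none exists.
    baseline = median(same_cat or [h.amount for h in history])
    if txn.amount > AMOUNT_MULTIPLIER * baseline:
        score += W_HIGH_AMOUNT
        reasons.append("amount far above usual spend")
    return score, reasons

def authenticate(txn, history):
    """Return ('frictionless' | 'challenge', score, reasons)."""
    score, reasons = risk_score(txn, history)
    flow = "challenge" if score >= CHALLENGE_THRESHOLD else "frictionless"
    return flow, score, reasons

# Constructed sample history: regular utility payments from one phone.
HISTORY = [Txn(80, "utilities", "phone-A"), Txn(85, "utilities", "phone-A"),
           Txn(78, "utilities", "phone-A"), Txn(40, "groceries", "phone-A")]

if __name__ == "__main__":
    for t in (Txn(82, "utilities", "phone-A"), Txn(12000, "luxury", "phone-A")):
        print(t, "->", authenticate(t, HISTORY))
```

Note that the luxury purchase is challenged even though it comes from the recognised device: no single signal decides the outcome, which is the point of combining multiple data elements.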

Don’t stake your reputation on a single security solution

Trust is hard-won and even harder to regain. Research has shown that nearly 90 percent of cardholders would reduce or even abandon electronic payments after suffering an incident of fraud. We are at the stage where 3DS 2.0 is more than a ‘nice-to-have’. Merchants who delay the adoption of the technology will have to bear the consequences should things go wrong. When a cardholder disputes a fraudulent transaction, the merchant is liable and will have to repay the money in full in the form of a chargeback. A more damaging long-term outcome is the likelihood of losing that customer.

EMV®3-D Secure also supports the Strong Customer Authentication (SCA) requirements described in the European Commission’s Second Payment Services Directive (PSD2) by enabling the use of two-factor authentication. This has proven to be vastly more robust as a safeguard against fraud, capitalizing on the availability of real-time data exchanged across multiple devices to support the evolving security needs of merchants and consumers alike.

However robust a single security system may be, relying on it in isolation is dangerous. Tokenization adds another layer of security in the fight against fraud, offering protection in both transactions and reward schemes. Substituting sensitive data with tokens renders that data unusable in the wrong hands. Used in conjunction with other fraud prevention solutions, it empowers merchants by diversifying their armoury.

Everyone has a role to play

Visa has led global payments security for more than 60 years, and continuous evolution is central to business success. Its service Visa Advanced Authorization alone prevented an estimated USD 26 billion in fraud in 2021. Over the past five years, Visa has spent more than USD 10 billion on technology, including to reduce fraud and increase network security.

In this age of digitalization, every business needs to be guided by the principle of responsible innovation. It’s more critical than ever that the industry continue to invest in new approaches to preventing fraud, while maintaining the speed and convenience customers love about online shopping. EMV®3-D Secure is an important advancement in this effort that will help prevent fraud and accelerate digital commerce with fast, secure authentication for all parties.

About the writer

Pavan Muttireddy is the Head of Risk for Hong Kong and Macau at Visa and is responsible for leading risk initiatives with clients, local regulators and business teams. Pavan has over 17 years of Financial Crime Control experience spanning the banking, technology and payment card industries. He has held various roles across Risk Management, Fraud Prevention and Detection, Card Fraud Analytics, Anti-Money Laundering, Regulatory and Advisory Compliance, Sanctions screening, KYC/CDD and Watch list Management.