Unless you are lucky enough to be spending a two-year sabbatical on a tropical island, you will have noticed that online security, from emails to personal data, is a hot topic. By now, you also know that the essentials of cybersecurity require cooperation between businesses and users, systems must be kept up to date and suspicious links should never be clicked on. Preventing fraud is an important challenge on and offline, whether for merchants, banks, or, most importantly for the average citizen.
We all know that no system is infallible when we human beings are involved. Nobody likes to be told that it is a job for all of us to keep ourselves safe, but it is a job for all of us to keep ourselves safe.
Loyal DisCo blog readers will have seen our recent pieces (e.g., 1, 2) on fraud prevention. These articles lament new European rules that require a particular technique called “Strong Customer Authentication” be used to fight against fraud in online transactions. These rules are close to being finalized and have been scrutinized by the European Banking Authority and sent back to the European Commission for final approval. In autumn they will be sent to the European Parliament and the Council for approval (are you still following?).
The problem is that none of these organisations has apparently yet noticed the new mantra: “Fraud-prevention-is-everyone’s-responsibility.”
Currently, the draft rules require merchants (think online shops, travel agents, etc.) to always use a bank’s Strong Customer Authentication to approve a transaction –regardless of the merchant’s past relationship with the customer, the merchant’s internal fraud prevention efforts and internal authentication methods. Strong Customer Authentication is only one tool in the fraud prevention toolbox and in itself it is not enough to prevent fraud.
A better alternative would be for banks, payment card providers, consumers and merchants to work together in the fight against fraud.
By passing the rules as they currently stand, two things will happen. First, Strong Customer Authentication will be the only technique to fight fraud. Second, since payment service providers and banks are the only ones that decide on Strong Customer Authentication triggers, merchants will have little or no incentive to keep investing in fraud prevention measures.
Relying on a single technique, like Strong Customer Authentication, makes the whole payments ecosystem more fragile. It will encourage fraudsters to focus on overcoming Strong Customer Authentication to figure out how to game the system. And they will figure it out. It would be much better to have multiple fraud prevention systems working together to prevent fraud, some of them devised by merchants with data that only merchants have available.
There is still time for the draft rules to be improved before they are voted on by the European Parliament and the Council. Focus should be placed on allowing merchants with excellent fraud prevention records and systems to use their systems against fraudsters without unnecessarily impacting the customer. This collaboration would stand a greater chance of preventing fraud and allow the best merchants to offer the kind of seamless shopping experience people expect.