Preventing Fraud in Online Payments: Punish the Fraudster, Not the Consumer
Imagine that you, the upstanding, law-abiding DisCo blog reader, walk into a supermarket on a Saturday afternoon and are followed around by a security guard and searched on exit. The reason you are being followed is that your bank has a less than perfect record in detecting fraud.
If you went back the next day with a different payment card, issued by a different bank, with a better fraud prevention record, you would not be followed and searched.
This doesn’t make much sense. The risk of fraud or theft relates to the individual. It is better that supermarket staff make a case-by-case risk assessment (buying sweets is different from buying a car) than one based on the track record of the customer’s bank. If a dodgy customer moved to a ‘safe’ bank, they would suddenly escape that scrutiny; this does not make sense either.
The reason for torturing you with the vision, as I did back in 2016 with a story of a plan to turn shopping into a hellish experience, is that new rules for preventing fraud are moving closer to adoption.
The European Banking Authority (EBA)’s new security standards for online payments are now being reviewed by the European Commission. They are soon to be finalised. Having listened to feedback, the proposals are now much better than they were.
But the potential for some surreal outcomes remains. The current proposals mean that when paying for something online (flight ticket, groceries, new dress) whether or not you need to follow extensive security procedures would not be based on your behaviour, or the track record of the shop you are buying from in detecting fraud. The fraud record of the purchaser’s bank is what would count.
Being asked to go through endless procedures to avoid fraud only because your bank has proven to have a poor record will frustrate customers—the law would require that your bank’s failings make your life harder.
When is a Transaction Not a Transaction?
Sometimes when you buy things online, not everything is ready to be sent to you. It may be that some items are in stock and others will be available soon. In such a situation the customer often pays, including going through any necessary security, on ordering, but the payment card is only debited once each item ships.
This may mean multiple small payments being made, but the customer only having to go through the order process once.
Under the new draft rules, each time an item shipped and the customer’s payment card is debited, the customer would have to complete separate security verification for each payment.
This would force you and me back to our computer, mobile phone, or tablet each time an item is ready to ship and a payment must be made. Fail to authenticate each time and there is no payment and no item—unhappy shopper!
All of these extra steps would be necessary even though the order was originally placed by the same person, with the same payment card, the same bank, and the same risk profile.
This is also something that can easily be avoided. Allowing risk-based assessments in such cases, known as ‘dynamic linking’ in the jargon, would allow the appropriate fraud prevention and security measures to be taken once, at the point of order, and once only.
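To make the split-shipment scenario concrete, here is an added illustration (not code from the EBA, the Commission, or any bank or merchant) of how a single authentication at order time can be bound to the merchant and the order total, so that each later per-shipment debit is checked against that binding rather than re-challenging the customer. The merchant ids, order ids, amounts, timestamps, and the issuer-side MAC key are all constructed for the example; a real deployment would keep the key in the issuer’s authentication service and would use whatever challenge mechanism the bank actually offers.

```python
"""Split-shipment captures bound to one customer authentication.

Constructed illustration: the customer authenticates once at checkout; the
result is tied to the merchant and the order total. Each later capture (one
per shipment) is validated against that binding instead of triggering a
fresh security challenge.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical issuer-side MAC key. In practice this lives in the issuer's
# authentication service, never at the merchant.
ISSUER_KEY = secrets.token_bytes(32)


@dataclass
class OrderAuth:
    """Result of the single customer authentication performed at order time."""
    merchant_id: str
    order_id: str
    max_amount_cents: int   # the order total the customer authenticated
    expires_at: int         # unix time after which the binding lapses
    tag: bytes              # MAC over the fields above


def _binding_tag(merchant_id, order_id, max_amount_cents, expires_at):
    """MAC that ties the authentication to merchant, order, amount and expiry."""
    msg = f"{merchant_id}|{order_id}|{max_amount_cents}|{expires_at}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()


def authenticate_order(merchant_id, order_id, max_amount_cents,
                       now=None, validity_s=30 * 86400):
    """One-off authentication at checkout. The challenge itself (app approval,
    one-time code, ...) is assumed to have succeeded; what matters here is that
    the outcome is bound to this merchant and this order total."""
    now = int(time.time()) if now is None else now
    expires_at = now + validity_s
    tag = _binding_tag(merchant_id, order_id, max_amount_cents, expires_at)
    return OrderAuth(merchant_id, order_id, max_amount_cents, expires_at, tag)


@dataclass
class CaptureLedger:
    """Tracks the per-shipment debits made against one authenticated order."""
    auth: OrderAuth
    captured_cents: int = 0
    log: list = field(default_factory=list)

    def capture(self, merchant_id, amount_cents, now=None):
        """Debit one shipment. Returns (accepted, reason).

        A capture is accepted only if the original binding is intact, the
        merchant matches, the authentication has not expired, and the running
        total stays within the amount the customer authenticated."""
        now = int(time.time()) if now is None else now
        a = self.auth
        expected = _binding_tag(a.merchant_id, a.order_id,
                                a.max_amount_cents, a.expires_at)
        if not hmac.compare_digest(expected, a.tag):
            reason = "authentication binding tampered"
        elif merchant_id != a.merchant_id:
            reason = "merchant does not match authenticated order"
        elif now > a.expires_at:
            reason = "authentication expired"
        elif amount_cents <= 0:
            reason = "invalid amount"
        elif self.captured_cents + amount_cents > a.max_amount_cents:
            reason = "capture would exceed authenticated total"
        else:
            self.captured_cents += amount_cents
            self.log.append((amount_cents, "accepted"))
            return True, "accepted"
        self.log.append((amount_cents, reason))
        return False, reason


def run_split_shipment_demo():
    """Constructed scenario: a 120.00 order shipped in three parts, followed by
    two captures that must be refused without bothering the customer again."""
    t0 = 1_700_000_000
    auth = authenticate_order("shop-123", "order-42", 12000, now=t0)
    ledger = CaptureLedger(auth)
    results = [
        ledger.capture("shop-123", 5000, now=t0 + 1 * 86400)[0],   # first item ships
        ledger.capture("shop-123", 4000, now=t0 + 3 * 86400)[0],   # second item ships
        ledger.capture("shop-123", 3000, now=t0 + 7 * 86400)[0],   # last item ships
        ledger.capture("shop-123", 100, now=t0 + 8 * 86400)[0],    # over the total
        ledger.capture("other-shop", 100, now=t0 + 8 * 86400)[0],  # wrong merchant
    ]
    return results, ledger.captured_cents


if __name__ == "__main__":
    print(run_split_shipment_demo())
```

The design choice worth noting is that every check in `capture` is about the transaction and the order the customer actually approved (which merchant, how much in total, for how long), not about which bank issued the card; an attempt to stretch the authentication to a different merchant or beyond the authorised total is refused outright rather than answered with yet another challenge to the shopper.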
The Best of Both Worlds
We don’t need to choose between security and convenience. Allowing merchants to apply modern technology to detecting the risk of fraud is effective. Merchants have unique data points that provide warning signs and prevent fraud, whether based on customer behaviour, purchase history, or browsing patterns. These count towards a key objective of the new payment services legislation—a reduction in fraud rates.
As the New York Times columnist Thomas Friedman commented:
“The future belongs to those who build webs not walls….”
Detecting suspicious behaviour is better than simply building a wall, or indeed asking people to climb a wall just because they are spending a certain amount of money. The draft rules allow for a risk-based approach for lower value transactions, but never for more expensive ones. This penalises airlines and travel agents, for example, who would always need to make even well-heeled customers climb over the security wall in their high-heeled shoes.
These new EBA security standards, and indeed all rules in the Internet age, should recognise Friedman’s maxim. The best outcomes are achieved through cooperation, not blunt instruments.
The necessary flexibility in the final security standards will allow for a secure and smooth shopping experience, not a frustrating one leaving you screaming at the screen. The European Commission should seize the chance to give ‘bureaucrats’ a good name by amending the final security standards to recognize modern good practice in detecting fraud.