Visa takes a strong line against EU regulator’s strong customer authentication
Visa repeats arguments from 2015 position paper
Frictionless 3DS has the same fraud rate as 3DS with customer authentication
3DS fraud is less than 5bp in Europe
Overall CNP fraud is 14bp in Europe
Summary: New regulations in Europe may significantly affect online payments both in terms of source and security. Visa is concerned that a blanket approach to customer authentication requirements will lead to a slowdown in the growth of e-commerce. Better data on the types of CNP fraud may allow this assertion to be verified.
Point of View
PSD2 aims to transform payment services in the EU and increase competition by opening up payments markets, while at the same time aiming to increase payments security, particularly for online transactions. The European Banking Authority (EBA) is tasked with defining the approach that ensures payment service providers meet the regulations. Current EBA requirements state that strong customer authentication (SCA) is needed for almost all payment transactions, only relaxing the requirement online for transactions under €10.
Visa Europe is pushing back against the lack of flexibility for more risk based authentication, largely repeating its arguments set out in a position paper from November 2015. The key point in Visa’s response is that in the use of 3-Domain Secure (3DS) risk based authenticated e-commerce (called frictionless) does not have higher fraud than customer authenticated e-commerce and that requiring all transactions to use SCA will lead to significantly higher drop out rates (using UK and Spain as evidence).
Visa’s paper uses statistics to support individual points, but does not use these from a consistent base. For example, some points use data for authenticated e-commerce transactions from a specific market, while in other cases data from CNP transactions from across Europe are quoted.
Visa is quoted in the Finextra article as saying that fraud for authenticated e-commerce transactions is less than 5 basis points for both frictionless and customer authenticated 3DS transactions, and in its position paper states that all CNP fraud is 14 basis points across Europe. This data is only available by combining different sources at different times.
CNP fraud is growing and represents the majority of card fraud in most markets. Fraud has a wider societal impact than the financial loss and, as industry has not arrested fraud growth, the regulator has felt the need to step in.
As Visa figures show, transactions with the highest fraud rates are not those with authenticated e-commerce. Information is not public as to what types of CNP transactions suffer most fraud. It seems that the regulator has taken a broad brush approach by making almost all transactions require SCA. Perhaps regulators would have been able to make more informed decisions if more granular data was published for the different types of CNP fraud rather than combining all CNP fraud in a single figure. This argument also applies to the Australian market where CNP fraud represents the vast majority of card fraud.
The opinions and views expressed in this publication are those of the authors exclusively and do not purport to reflect the opinions, views or official policy position of AusPayNet or its members.