CyberSource appreciates the opportunity to provide comments to the European Banking Authority’s Consultation Paper on the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under the PSD2.
CyberSource is active in the area of payments management and offers technology solutions to support online payments, streamline fraud management, and simplify payment security, without entering into possession of funds or otherwise providing any payment services (we do not offer payment initiation or account information services).
CyberSource, a wholly-owned subsidiary of Visa Inc. (Visa), was founded in 1994 and was acquired by Visa Inc. in 2010. Visa Inc. is a public company, which acquired Visa Europe earlier this year. Visa has submitted a separate response to the Consultation Paper providing the company’s overarching comments to the draft RTS. The purpose of this response is to specifically focus on how different participants in the payments ecosystem are working together in an integrated way to both grow electronic payments, as well as to manage the security challenges of the digital age. CyberSource believes the ultimate success of the EBA’s objectives underlying the draft RTS are best realized by building on the achievements already achieved in the marketplace.
In general, CyberSource agrees with the principles underlying the Second Payment Services Directive (PSD2), as mentioned in recitals 95 and 96, to promote electronic payments and reduce fraud, where “security measures should be compatible with the level of risk involved in the payment system.” CyberSource further shares the EBA’s objectives, as set forth in PSD2, in ensuring a high level of security and safety in the payments system, and agrees that the EBA’s standards should strike an appropriate balance between security and safety and user-friendliness through a technological and business-model-neutral approach.
However, we are concerned that the EBA’s proposed standards on strong customer authentication do not sufficiently take into account alternative authentication methods which may have the unintended consequence of restricting innovative forms of payment and the growth of electronic commerce in the future. These concerns are further addressed in our responses to the EBA’s questions below.
In general, CyberSource agrees with the reasoning provided by the EBA on the requirements for strong customer authentication as articulated in PSD2. CyberSource is satisfied that the RTS have been developed at a high, rather than granular level, since this will allow all participants in a transaction to flexibly adapt to the ever-changing nature of fraud risk.
However, CyberSource disagrees with the resultant provisions that have been proposed in the draft RTS based on the EBA’s interpretation of PSD2 requirements, especially on the RTS’ limitations on the use of alternative authentication methods. As detailed below, Cybersource believes that the EBA should take a holistic approach to security by leveraging all of the information, tools and technology that exist within the larger payments ecosystem. This comprehensive approach is particularly critical as new participants enter this market, and is certainly consistent with the EBA’s goal of fostering innovation in the payments and security arenas.
In addition, CyberSource does not agree with the statement in Paragraph 41, that “exemptions to SCA as defined in the RTS under consultation constitute a part of the authentication procedures performed by the payer’s PSP (also referred as ASPSP) and should therefore be applied by the PSP only”. CyberSource strongly encourages the ability of payees to adopt alternative authentication methods, as explained below.
In the opinion of CyberSource, a payee can have more information about a payer than the payer’s PSP, as they can have access to previous purchases, line item detail, device used and other pieces of data that can be used to assess the risk of a particular transaction. Some payees use their own internal systems to assess this risk, while other payees use third parties to process this data.
The use of alternative authentication methods also enables the use by payees of “card-on-file” solutions, which is undoubtedly one of the enablers of electronic commerce in recent years. These solutions enable payers to register their cards with payees, without the need to type them again in future purchases, reducing the time to make a purchase and facilitating payment through smartphones, where introduction of payment details may be limited by screen size.
If the payee determines that a transaction is not risky or decides to utilize other risk mitigation tools, it should be allowed to proceed to request authorisation from the issuer, without the need to request strong customer authentication and thereby unnecessarily introduce friction at checkout which could result in a poor customer experience and lower sales. This is a decision that the payee should make as it is their business’ investment and reputation which is at risk, and which the RTS should not impede. In those cases where the payee has at its discretion opted not to use strong customer authentication, the liability of this transaction should rest with the payee.
The use of tools to assess risk can bring enormous benefits to payees when managing fraud. One of our customers, a major retailer selling across Europe and the rest of the world, was suffering from a 7% fraud to sales ratio when they contacted us. Some months after implementing Decision Manager, the CyberSource tool which allows merchants to analyse transactions and score them for risk, the fraud to sales ratio fell to 0.08%, without implementing strong customer authentication.
In other cases, if the payee determines a particular transaction is risky, they should be able to request that the payer’s PSP authenticate the customer. It should then be up to the PSP to determine the risk of the transaction based on shopping patterns, use of the payment instrument, information about the customer device and any other piece of data that they have available. If the PSP determines this transaction is low risk, then it should be exempt from requesting strong customer authentication, and bear the liability of the transaction. Only if the PSP determines the transaction is risky, should they need to perform strong customer authentication, following the process outlined by the RTS.
In addition to urging that the EBA permit the use of alternative authentication measures, CyberSource does not agree with the interpretation in Paragraph 19b that Article 74 (2) of PSD2 (which allows the option to not accept SCA) only applies during the transitional period until the application date of the RTS (October 2018 at the earliest). The application of Article 74 (2) of PSD2 should not be limited to the transitional period between the application date of PSD2 and the application date of the RTS under consultation. This is what card schemes’ rules and related contracts between card scheme participants already provide: the allocation of liability between the different parties in a transaction (issuer, acquirer or merchant). The RTS should therefore include sufficient flexibility to allow merchants to bear the risk of the transaction, without any impact on the payer’s rights in the event that the transaction turns out to be fraudulent, and not limited to a transitional period.
CyberSource recommends that the RTS reflect that application of Article 74 (2) is definitive and not only through a transitional period. CyberSource also recommends that the RTS take into consideration paragraph 7.5 of the “Final Guidelines on the Security of Internet Payments”, “PSPs offering acquiring services should require their e-merchant to support solutions allowing the issuer to perform strong authentication of the cardholder for card transactions via the internet. The use of alternative authentication measures could be considered for pre-identified categories of low-risk transactions, e.g. based on a transaction risk analysis, or involving low-value payments, as referred to in the PSD” and specifically allow for payees to have the ability to perform risk assessment as an alternative to SCA.
In addition to the comments contained in Visa’s response, Cybersource believes that “dynamic linking” should only take place when strong customer authentication is performed by the PSP, and not when a payee performs risk assessment or when a PSP performs risk based authentication.
The payee of the transaction can perform an assessment of the risk of the transaction through the use of additional information about it, like the device being used, line item details, previous orders, etc. This information should be able to be used to determine whether it is necessary to pass the transaction to the PSP to request strong customer authentication. These transactions would not be subject to “dynamic linking”.
The main threat that CyberSource is aware of is the attempts by fraudsters to gain access to personal customer data through social engineering attacks or other phishing attempts. A tool that has the potential to be more effective than strong customer authentication in protecting consumers (ie. payers) from these attacks are the current models that some payees use, which leverage on data analytics to understand customer behaviour, and also PSP risk-based authentication models, because, while credentials or other information can be compromised through social engineering attacks or other phishing attempts, purchasing behaviour cannot be easily replicated.
Although Cybersource appreciates the difficulty of the balance that the EBA is attempting to strike between security and convenience in payments, we believe the current draft’s exemptions from strong customer authentication are too restrictive and may end up harming the Digital Agenda of the European Commission, by making it difficult to conduct online purchases through current processes such as one-click shopping and preventing payees from making an assessment of the risk of a transaction to facilitate business.
The risk of a transaction is not only limited to its amount. In the age of big data, payees gather information from multiple data points, within the boundaries of data protection, and assess each piece of information individually and also collectively to determine the risk of the transaction. For example, a particular customer, with a specific delivery address and email, may be a loyal customer to merchant X, having made many previous purchases without initiating a chargeback in any of them. If this customer, with the same delivery address and email, then made a new purchase, be it for €5 or €200, the merchant should be able to decide to bear the risk of the transaction, instead of risking losing them because of friction at checkout. If, however, some of the customer details changed, like a new delivery address, or a new device, the merchant may then decide to step up authentication.
The authentication elements included in a transaction should be proportional to the risk involved, as mentioned in recital 96 of the PSD2. The two parties that are better positioned to assess the level of risk involved are the payee and the payer’s PSP. Both the payee and the PSP can assess risk by leveraging the information collected about the payer, within the boundaries of data privacy.
As discussed above, CyberSource believes that the payee should be able to first conduct an assessment of the risk of the transaction through the information available from the customer. If the payee determines the transaction is risky, this assessment should be then performed by the PSP, through risk based authentication – at least in the first instance. Card issuers in Europe have invested large amounts of money in these risk based authentication methods, which allow faster checkout times and less cart abandonment at checkout, while at the same time keeping low fraud rates . Further details on risk based authentication can be found in Visa’s response to this Consultation Paper.
There should be close monitoring of both payee performance in conducting risk assessments and PSP performance in conducting risk based authentication, so that there are benchmarks and compliance programmes that allow all participants to reach certain standards. There are currently compliance programmes conducted by the card schemes which establish remediation periods for poor performers.
CyberSource recommends that the RTS should take into consideration paragraph 7.5 of the “Final Guidelines on the Security of Internet Payments”, “PSPs offering acquiring services should require their e-merchant to support solutions allowing the issuer to perform strong authentication of the cardholder for card transactions via the internet. The use of alternative authentication measures could be considered for pre-identified categories of low-risk transactions, e.g. based on a transaction risk analysis, or involving low-value payments, as referred to in the PSD”. There should be specific mention within the RTS to allow PSPs to perform risk based authentication to payers and to allow payees have the ability to perform risk assessment as an alternative to SCA.
CyberSource is concerned that the current list of exemptions is too restrictive. CyberSource believes it should be up to the payee first, and then to the PSP, to decide whether to implement SCA on transactions.