With the constant flow of customers coming into stores and checking out at merchant websites, how do merchants know that a customer is legit or fraudulent? In the world of e-commerce, credit card issuers are taking steps on behalf of merchants to validate shoppers' payment credentials amid threats of fraud and identity theft.
One step in recent years was the introduction of Europay, Mastercard, and Visa (EMV) chip cards to make credit card processing more secure. But even that's not enough, according to a study called "State of Retail Payments," by the National Retail Federation and Forrester Research. That's because as in-store payments became more secure with chip card payments, identity thieves have moved on to the online payment space to take advantage of vulnerabilities. No surprise, then, that for 55 percent of retailers surveyed by NRF and Forrester, fraud was their top challenge related to payments.
NuData Security, a Mastercard company, helps merchants figure out if the user behind an online transaction is real or fraudulent. Suspicious activity can include an unauthorized user taking over an account, creating a fake login, or aiming to purchase a product online fraudulently. The fraudulent person may have stolen a library of user IDs and passwords, like a collection of accounts from a retailer.
"Retailers, merchants, and issuers, they're all challenged with how to identify whether it's a real user logging in or is it somebody impersonating that user trying to commit fraud," said Don Duncan, NuData's director of business development.
Through the process of validation, NuData can determine if the device is an iOS or Android device and from where the user is connecting. After it collects telemetry from a device like a PC or mobile phone, NuData then synthesizes it and reports back to merchants. Although the merchants don't receive personally identifiable information, they gain business intelligence on the level of risk a shopper brings.
"What we do is we provide to the retailers and the merchants that visibility in the form of a risk score, not just on login and account creation, but all the way to payments," Duncan said.
These data points include information about the customer's device, IP address, and connection. If issuers believe they need more information about the user to decide if the customer's identity is legitimate, they can request a "step-up," Duncan said. "That merchant or retailer can make a determination in the web or mobile application as to how should they engage with that user going forward," Duncan said.
How EMV 3DS Works
When customers make a purchase, credit card issuers can use a specification called EMV 3-D Secure (3DS) to validate the transaction. EMV 3DS provides a messaging protocol for consumers to get authenticated when making an online purchase without a physical card, called "card not present." This process involves authenticating shoppers in real time before a transaction goes through at the point of sale. In 2016 EMVCo introduced EMV 3-D Secure 2.0 (3DS 2.0), which merchants and issuers must enable in Europe starting in April 2019. The 3DS 2.0 protocol lets issuers collect up to 150 data points to evaluate a transaction compared with the 15 data points EMV 3DS used.
One benefit of using EMV 3DS is to avoid false declines, when shoppers are turned down for purchases by mistake, according to a report called "3-D Secure 2.0: Key Considerations for Merchants," from NuData and research firm Aite Group. And false declines lead to shoppers going elsewhere. Of shoppers interviewed for a survey by Riskified, an e-commerce fraud management vendor, 42 percent said they would abandon their shopping cart completely or purchase a product from another company after a declined payment.
The process of validation involves telemetry using an application such as NuData's NuDetect. "When you're using a mobile app, there is telemetry from the application that can be used as a means to validate who you are," Duncan explained. "As you walk into a store, I may not know your name but I recognize the way you walk, the way you talk, and the way you interact."
Duncan continued, "We look at that interaction of the user with the device, and that interaction gives us the ability to determine whether it's really that user or whether it could be somebody impersonating that user in the form of automation."
Biometrics and Behavioral Analytics
Issuers like NuData provide behavioral intelligence to the retailer or merchant in near real time. On the back end, a payment card issuer uses EMV 3DS to validate users and decide whether further validation is necessary, Duncan explained. If a bank notices that something seems different when buyers come back to purchase something, the merchant will request a biometric fingerprint or some other type of validation.
Security experts can also keep track of the cadence of how a user types to see if an automated system is trying to impersonate a user. This is called passive biometrics. Issuers also study behavioral analytics using indicators like surfing speed and how long a user spends on a webpage.
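The typing-cadence check described above can be sketched as follows. This is an added example, not NuData's code or method; the thresholds, function names and sample timestamps are constructed assumptions chosen for illustration.

```python
from statistics import mean, median, pstdev

# Assumed thresholds (illustrative only; a real system tunes these on labelled traffic).
MIN_HUMAN_MEDIAN_MS = 30.0  # median gap below this is faster than sustained human typing
MIN_HUMAN_CV = 0.15         # coefficient of variation below this is suspiciously regular
MIN_KEYS = 8                # fewer keystrokes than this is too little evidence

def cadence_features(key_times_ms):
    """Summarise inter-key gaps as median gap and coefficient of variation."""
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    if any(g < 0 for g in gaps):
        raise ValueError("timestamps must be non-decreasing")
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else 0.0
    return {"median_ms": median(gaps), "cv": cv}

def classify(key_times_ms):
    """Return (verdict, reasons) for one field's keydown timestamps in ms."""
    if len(key_times_ms) < MIN_KEYS:
        return "insufficient-data", []
    f = cadence_features(key_times_ms)
    reasons = []
    if f["median_ms"] < MIN_HUMAN_MEDIAN_MS:
        reasons.append("too-fast")
    if f["cv"] < MIN_HUMAN_CV:
        reasons.append("too-regular")
    return ("likely-automated" if reasons else "likely-human"), reasons

# Constructed sample inputs (not captured from real users).
HUMAN = [0, 142, 251, 460, 548, 731, 905, 1010, 1262, 1390]  # uneven gaps
SCRIPTED = [i * 50 for i in range(10)]                       # fixed 50 ms delay
INJECTED = [0, 2, 4, 5, 7, 9, 10, 12, 14]                    # field filled in ~14 ms
SHORT = [0, 120, 260]                                        # too few keys to judge

if __name__ == "__main__":
    for name, sample in [("human", HUMAN), ("scripted", SCRIPTED),
                         ("injected", INJECTED), ("short", SHORT)]:
        print(name, classify(sample))
```

A verdict like this would be one input to a risk score alongside the device, IP address and connection signals, not a decision on its own.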
"We return that intelligence to merchants or retailers, and then they have the ability to use that as a means to determine, especially when you get to payments, whether there's a chance that somebody's trying to commit fraud or not," Duncan said.
Duncan gave an example of how you can study how a driver operates a car to know if it's really that person driving. It works the same way with shopping transactions. As part of this validation process, once a company has validated a user, it can make the purchasing process involve fewer steps for the consumer to reach the purchase. "The more I understand you, I know what you like, I know what you don't like, and eventually you're going to start making that purchasing process very efficient," Duncan said. "And that's what we're trying to do online."
By doing some prechecking of shoppers before they make purchases, the actual shopping experience can be smoother for consumers and they may not get prompted to enter a code when they check out, according to Duncan. As customers are validated through their device ID, browser, and IP address, they'll have less authentication required the next time they come back to a shopping site and won't have to run and get their credit card to validate the transaction.
Going forward, the key challenge for merchants is to keep the buying experience seamless for legitimate shoppers while "making it frustrating for the fraudsters" at the same time.
"Because right now for many merchants and retailers," Duncan said, "they can't differentiate between a good user and a bad user."