Published by D.D.Garbis in PSD2 SCA CSC · 18 January 2019
Tags: #PSD2, #SCA, #CSC, #FraudMonitoring, #Payments
Tags: #PSD2, #SCA, #CSC, #FraudMonitoring, #Payments
One of the new rules introduced by the PSD2 is mandatory transaction monitoring. As defined in the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC), transaction monitoring will become mandatory for all payment services providers.
One of the new rules introduced by the PSD2 is mandatory transaction monitoring. As defined in the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC), transaction monitoring will become mandatory for all payment services providers (PSPs).
Under certain conditions and to allow more friendly operations, the RTS defines cases where specific transactions may be exempted from SCA, provided that proper transaction monitoring is in place and various conditions are met.
Transaction Fraud Monitoring Systems
Transaction Fraud Monitoring is a system designed to identify and prevent fraud. It is controlled and operated by Fraud Analysts. In the past Fraud Monitoring systems were dedicated to a specific transaction channel like transactions from credit cards on eft/pos or e-Commerce sites. As the operations and technology in Banks was siloed so it was Fraud Monitoring.
Today, Fraud Motoring systems trend to be more complex and cover the majority if not all the electronic transaction channels. Contemporary Fraud Motoring systems automate processes, work proactively but have to remain agile and easy to use. Fraud Monitoring systems is not a single tool, but rather a solution integrating different tools and technology that intended to work together.
PSD2 Strong Customer Authentication and Transaction Fraud Monitoring
In the context of the PSD2/RTS and according to Article 2 of the RTS, the term “transaction monitoring” refers to mandatory mechanisms that enable payment service providers (PSPs) to detect and prevent unauthorized or fraudulent payment transactions while, as per Article 97 of PSD2, also applying strong customer authentication.
One of the key elements of PSD2/RTS is the need to perform strong authentication (SCA) of customers using the electronic payment services. There are specific criteria that have to be fulfilled in order the SCA mandate to be achieved and the PSPs to be PSD2 compliant. We can distinguish five (5) key elements:
- Two-factor authentication
- Transaction Monitoring Mechanisms & Transaction Risk Analysis
- Independence of authentication elements
- Dynamic linking
- Replication protection
The second element, Transaction Fraud Monitoring, as defined by PSD2/RTS, is realized by two complementary approaches:
- End Point Assessment and
- Transaction History.
This means that real time mechanisms combining end point assessment and transaction history shall be used during authorization processes to guarantee that the consumer is the legitimate owner of the credentials.
As a consequence, the transaction monitoring mechanisms will to take into account at a minimum, and on a real-time basis:
- The previous spending patterns of the user
- The transactions history of the user
- The location of the payer and of the payee
- The abnormal behavioral payment patterns of the user in relation to the payment transaction history
- A log of the use of access the device or the software provided to the user
In general the transaction monitoring mechanisms should consider several risk-based elements, such as:
- Checks against lists with compromised or stolen authentication elements
- Checks against known fraud scenarios
- Deviations in the amount of the transaction, abnormal spending or abnormal behavioral pattern
- Analysis of the device/software and device/software access when provided by the PSP
- Device Identification
- Device Configuration
- Device Security Level Assessment
- Device Profiling
- Detection of malware infection of the authentication device
- Proxy/TOR Detection
- Bot/Automation Detection
- Detection of the payer and payee locations
- IP Intelligence/Geo Location
- User Behavior
- Behavioral biometrics
- User Reputation
- Mobile Operator Data
- Bank’s Data
The transaction monitoring mechanisms with the use of multi-layered fraud prevention services, taking into account multiple factors to assess the overall risk associated with a particular transaction, will allow PSPs to assess online banking operation risks in real-time and integrated with the transactional risk score will allow PSPs to make the right choice to minimize fraud, to allow a transaction, to block a transaction or to challenge the customer with a step-up authentication.
Related PSD2/RTS Articles
PSD2 generic objectives for the PSPs:
- Having a framework that mitigates risk (PSD2 Art. 91 and 95-1)
- Applying security measures adapted to the level of risk (PSD2 Art. 96 and 98-2)
- Running user friendly means of payment (PSD2 Art. 96)
To reach these objectives, PSPs are required to:
- Have transaction monitoring mechanisms in place that enable them to detect unauthorized or fraudulent payment transactions (RTS Article 2.1)
- The transaction monitoring mechanisms shall be based on the analysis of payment transactions taking into account elements which are typical of the payment service user in the circumstances of a normal use by the payment service user of the personalized security credentials (RTS Article 2.1)
- The transaction monitoring mechanisms enable the payment service provider to perform a real-time risk analysis of the electronic payment transaction which takes into account, at a minimum, the risk factors set out in paragraphs 3 and 4 of Article 2 and to combine them in a detailed risk scoring enabling the payment service provider to assess the level of risk of the payment transaction (RTS Article 16.2.b)
[Link] [Doc] Final draft RTS on SCA and CSC under PSD2 (EBA-RTS-2017-02) [EN]
More information on CubeIQ solutions and services @ www.cubeiq.gr