
Secure and seamless user authentication in online payments

Online payments demand a delicate balance between security and user experience. Consumers crave a smooth, frictionless process, but businesses need to ensure online payment methods and transactions are safe from fraud. 

Feedzai’s James Hunt recently sat down with Tom Pilling, Chief Risk Officer at Trust Payments, a provider of on-demand payments and Banking-as-a-Service (BaaS) solutions for businesses and merchants. In the Q&A, the pair discuss some of the most frequently asked questions about how merchants can scale their businesses online, in-person and in-store, and on mobile channels.

This article offers insight into secure and seamless user authentication, featuring a Q&A with James Hunt, SME Payments at Feedzai, and Tom Pilling, Chief Risk Officer at Trust Payments.

Feedzai is the market leader in fighting financial crime with AI. They’re coding the future of commerce with today’s most advanced risk management platform powered by big data and machine learning.

Trust Payments is a disruptive fintech leader, providing on-demand Payments and Banking-as-a-Service services to help businesses grow and scale online, in-store, and on mobile.

Tom Pilling, Chief Risk Officer, Trust Payments

James Hunt, SME - Payments, Feedzai

Is it possible to have both robust security and a user-friendly experience?

James Hunt (JH), Feedzai: Security shouldn’t equate to unnecessary hurdles during checkout. Instead, it’s about applying the right controls at the right time based on the transaction’s risk level. For example, extra security checks might be unnecessary if you buy a new avatar skin for Fortnite on your usual device from a familiar location. However, for a high-value TV from a new website with a different shipping address, additional security measures like two-factor authentication (2FA) would be appropriate.

It’s important to assess what a consumer may determine as appropriate levels of security depending on what they intend to purchase. For example, popping into a local food market for lunch and being able to “tap and go” using contactless technology would be a go-to choice. However, when buying a season ticket, consumers generally feel more inclined to insert their card into the Point of Sale device and enter their PIN due to the value of the transaction.
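The “right controls at the right time” idea in the answer above can be written down as a small rule set. The following is an added example, not code from Feedzai, Trust Payments or the article: the signals, weights and thresholds are assumptions, and the three transactions are constructed from the avatar-skin and new-TV scenarios (plus one in-between case). Each decision carries its reasons so that, as Tom Pilling suggests later, analysts can review challenged transactions for false positives.

```python
from dataclasses import dataclass

# Constructed illustration, not Feedzai or Trust Payments code. The signals,
# weights and thresholds are assumptions chosen to mirror the two scenarios in
# the answer above; a production rule set would be tuned on real transaction data.

PASSIVE_THRESHOLD = 20   # at or above: run silent checks, no customer prompt
STEP_UP_THRESHOLD = 50   # at or above: require active 2FA (e.g. a 3DS challenge)


@dataclass
class Transaction:
    amount: float               # in the merchant's currency
    known_device: bool          # device fingerprint previously seen for this customer
    usual_location: bool        # IP/geo consistent with the customer's history
    new_shipping_address: bool  # delivery address not previously used on this account
    new_merchant: bool          # customer's first purchase at this merchant


def risk_signals(tx: Transaction):
    """Score a transaction and record why, so each challenge or decline can
    later be reviewed for false positives."""
    score, reasons = 0, []
    if not tx.known_device:
        score += 25
        reasons.append("unrecognised device")
    if not tx.usual_location:
        score += 15
        reasons.append("unusual location")
    if tx.new_shipping_address:
        score += 20
        reasons.append("new shipping address")
    if tx.new_merchant:
        score += 10
        reasons.append("first purchase at merchant")
    # Friction scales with what is at stake: higher value, higher weight.
    if tx.amount >= 500:
        score += 30
        reasons.append("high value")
    elif tx.amount >= 100:
        score += 15
        reasons.append("medium value")
    return score, reasons


def authentication_decision(tx: Transaction) -> str:
    """Return 'frictionless', 'passive' or 'step_up' for the transaction."""
    score, _ = risk_signals(tx)
    if score >= STEP_UP_THRESHOLD:
        return "step_up"       # active 2FA: the customer is asked for something
    if score >= PASSIVE_THRESHOLD:
        return "passive"       # silent device/velocity checks only
    return "frictionless"


# The two scenarios from the answer, as constructed inputs.
AVATAR_SKIN = Transaction(amount=9.99, known_device=True, usual_location=True,
                          new_shipping_address=False, new_merchant=False)
NEW_TV = Transaction(amount=899.00, known_device=True, usual_location=True,
                     new_shipping_address=True, new_merchant=True)
# An in-between case: known device, but a larger basket at a new merchant.
WEEKEND_SHOP = Transaction(amount=150.00, known_device=True, usual_location=True,
                           new_shipping_address=False, new_merchant=True)

if __name__ == "__main__":
    for name, tx in [("avatar skin", AVATAR_SKIN), ("new TV", NEW_TV),
                     ("weekend shop", WEEKEND_SHOP)]:
        score, reasons = risk_signals(tx)
        print(f"{name}: {authentication_decision(tx)} "
              f"(score {score}; {', '.join(reasons) or 'no flags'})")
```

The point of the additive score is that no single signal forces a challenge: a new shipping address on a cheap item stays passive, while the same signal on a high-value order from a new merchant crosses the step-up line.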

Tom Pilling (TP), Trust Payments: It’s impossible to achieve 100% harmony, but there are certainly ways and means to ensure merchants get to a ‘more than happy’ medium using consumer data. The key to merchant success is understanding its transactional data by working alongside your Acquirer or Payment Processor. Good acquirers will have a solid solution in place to better understand their transaction data. 

It’s difficult to see the “wood for the trees” sometimes. Just taking that step back, looking at your transaction data, and spending that time to understand where there could be false positives is a really worthwhile exercise to fully optimise payments.

What security concerns are there around biometric authentication?

JH: The main concern regarding security and biometric authentication that I speak to clients about is data breaches and theft of biometric data. If a consumer’s email and password are compromised in a data breach, these can be easily reset, albeit often inconveniently. Unfortunately, this isn’t the case when it comes to biometric data. Once my fingerprint or iris scan has been compromised, it can be permanently vulnerable.

TP: It is interesting how the “workplace” sees biometrics versus the payments world. Businesses are still reluctant to allow hardware to be authenticated via biometrics.

The trend for supporting these mechanisms continues to grow in the payments world, particularly mobile payments. Through my methods of storing sensitive data, I consistently get warnings that my email address and associated passwords have a possible “compromise” against them. 

Whilst my biometric method of authentication seems to be secure, it remains to be seen what the future holds for biometric security in this AI-driven world.

Is Two-Factor Authentication (2FA) cumbersome?

JH: There are different types of authentication that fall into the 2FA bracket, either Active or Passive. For example, asking the user to input a password or code would be an example of active authentication.

An example of passive authentication could be something as simple as recognising that the device, either laptop or phone, is the same device the consumer always uses. Active authentication is the one that gets bad press for being cumbersome, for example if I forget the password I’ve set up on 3D Secure with my bank or, for some reason, don’t receive the text message containing the code I need to input to complete my transaction.

Another thing to consider is if 2FA is needed at all. Within Europe, where Strong Customer Authentication is mandated, several exemptions can be requested either directly by a merchant or on behalf of the merchant by their Acquirer.  

Whilst the consumer’s bank may not always agree to the exemption request, understanding when exemptions can be requested under the Transaction Risk Analysis (TRA) exemption clauses is a great tool to remove the requirement of 2FA and, therefore, the friction it imposes for lower-risk transactions. 
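To make the exemption logic in the answer above concrete, here is an added example (not code from Trust Payments, Feedzai or the article) that checks whether a transaction could be put forward for a Transaction Risk Analysis exemption request. It goes a little beyond the text by also covering the low-value exemption. The amount and fraud-rate bands are those set out in the PSD2 Regulatory Technical Standards on SCA; the acquirer’s reference fraud rate and the per-card counters are assumed inputs that a real system would take from the acquirer’s fraud reporting and the issuer’s records.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed illustration, not Trust Payments or Feedzai code. The amount and
# fraud-rate bands follow the PSD2 RTS on SCA (Article 18 transaction risk
# analysis, Article 16 low-value); the fraud rate and counters are assumed inputs.

# TRA bands: a transaction up to `max_amount` EUR may be exempted only if the
# requesting PSP's reference fraud rate is at or below `max_rate_bps` basis points.
TRA_BANDS = [
    (100, 13),   # <= EUR 100 at <= 0.13% fraud
    (250, 6),    # <= EUR 250 at <= 0.06% fraud
    (500, 1),    # <= EUR 500 at <= 0.01% fraud
]

# Low-value exemption limits.
LOW_VALUE_MAX_EUR = 30.0
LOW_VALUE_CUMULATIVE_MAX_EUR = 100.0
LOW_VALUE_MAX_COUNT = 5


@dataclass
class ExemptionContext:
    amount_eur: float
    acquirer_fraud_rate_bps: float   # acquirer's remote-card fraud rate, in basis points
    cumulative_since_sca_eur: float  # spend on this card since SCA was last applied
    count_since_sca: int             # transactions on this card since SCA was last applied


def tra_band(amount_eur: float, fraud_rate_bps: float) -> Optional[int]:
    """Return the TRA threshold (100, 250 or 500) the transaction fits, else None.
    Bands run from the most permissive fraud rate to the strictest, so the first
    match is the lowest band that still covers the amount."""
    for max_amount, max_rate_bps in TRA_BANDS:
        if amount_eur <= max_amount and fraud_rate_bps <= max_rate_bps:
            return max_amount
    return None


def low_value_eligible(ctx: ExemptionContext) -> bool:
    """Low-value exemption: amount <= EUR 30 and the card has not run past the
    cumulative-spend or transaction-count limits since its last SCA. The RTS lets
    the issuer apply either counter; this example conservatively requires both."""
    return (ctx.amount_eur <= LOW_VALUE_MAX_EUR
            and ctx.cumulative_since_sca_eur <= LOW_VALUE_CUMULATIVE_MAX_EUR
            and ctx.count_since_sca <= LOW_VALUE_MAX_COUNT)


def requestable_exemption(ctx: ExemptionContext) -> Optional[str]:
    """Which exemption, if any, the merchant or its acquirer could request.
    The issuer may still decline the request and challenge, so the caller must
    always be able to fall back to a 3DS challenge whatever this returns."""
    if tra_band(ctx.amount_eur, ctx.acquirer_fraud_rate_bps) is not None:
        return "tra"
    if low_value_eligible(ctx):
        return "low_value"
    return None


if __name__ == "__main__":
    # Constructed cases: a low-ticket item at a high-fraud acquirer, a mid-value
    # basket at a very clean acquirer, and an amount above every TRA band.
    for ctx in (ExemptionContext(25.0, 20.0, 50.0, 2),
                ExemptionContext(400.0, 0.5, 0.0, 0),
                ExemptionContext(600.0, 0.5, 0.0, 0)):
        print(f"EUR {ctx.amount_eur:.2f} at {ctx.acquirer_fraud_rate_bps} bps -> "
              f"{requestable_exemption(ctx)}")
```

The practical lesson is the one in the answer: the acquirer’s own fraud rate decides how much of the merchant’s traffic can avoid a challenge, so keeping that rate low is what unlocks frictionless checkout for higher-value baskets.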

TP: The original 3DS allowed cardholders to add merchants to a “positive list” to make the process smoother for certain “approved” merchants. But this element of “self-certification” seems to have disappeared. When a purchase is made against a certain merchant, the option to “always allow” these companies for future purchases, without 2FA getting in the way, has gone.

Users should be freer to decide which transactions require more security and which don’t. I believe there needs to be a better balance between the two; at the moment, it’s 2FA or forget the transaction, which is ultimately not good for anyone in the payments ecosystem.

Is 2FA effective in preventing unauthorised access?

JH: Fraud isn’t going away. Card Not Present fraud still represents significant fraud within the UK ecosystem, at £360M. The numbers also show that fraud is migrating to other channels, such as Card ID Theft, which has increased 53% in the last year. 

While 2FA can be a useful tool to prevent fraud, it’s one of many components that should be combined to create an effective fraud strategy, balancing risk mitigation and a positive customer experience.

TP: This is certainly one of the positives of 2FA. People are increasingly concerned about their security, and I feel that after COVID-19, this truly needed a reset. 

People became very confused at the height of the pandemic, with scammers attempting to manipulate the general public, and were generally very confused as to whether their bank or financial institution was communicating with them. Having these additional layers is a vital security step for all consumers.

Achieving a balance between security and user experience can be challenging, but it’s possible. Staying ahead of fraudsters requires continuous vigilance, investment in the right tools, and strong partnerships.


Security statement

Security is our top priority at Trust Payments and we strive to ensure that all data is kept secure at all times. We keep all customer data safe with AES256 encryption, SSL certificates, and a minimum of TLS1.2 between your website and our datacentres.

Our systems are scanned quarterly using the Qualys PCI Platform, an independent Qualified Security Assessor (QSA) and approved vendors – Omnicybersecurity (UK) & Forgenix (US) – to ensure compliance with the security requirements of the card schemes.

We follow a number of rigorous security procedures on a daily basis including, but not limited to, continuous monitoring of our perimeter, dark web monitoring, and internal checks to ensure that the CIA triad is maintained at all times.
