Over the past few years, the evolution of standards such as 3D Secure 2 (3DS2) and regulations such as the Strong Customer Authentication requirements in Europe’s Payment Services Directive 2 has helped to contain the growth of card-not-present (CNP) fraud. Yet with online transactions growing at a rapid rate, the payments sector can’t afford to be complacent.
According to the Nilson Report, payment card fraud losses worldwide exceeded $32 billion in 2021, with the industry projected to lose an accumulated $397 billion worldwide over the next 10 years. Continued growth in CNP losses as transactions on apps and websites rise is one of the factors fuelling the growth in payments fraud losses, according to Nilson.
In addition to the financial and reputational impact of fraud on merchants and issuers, there is also the cost associated with high levels of false declines. Declining a legitimate transaction not only costs the merchant an immediate lost sale; it also hurts its long-term relationship with the customer. False declines also harm consumers’ perceptions of and relationship with issuers.
Recognising that there is a need to tighten the security of CNP transactions without introducing further friction for customers, Visa and Mastercard have both introduced new authentication programmes to streamline the processing of 3D Secure transactions. What these programmes have in common is that they move much of the responsibility for authentication from issuers to merchants.
In both instances, the goal is to remove some of the friction consumers experience when a transaction is submitted to 3D Secure for authentication. This, in turn, will help merchants to reduce sales lost after a false decline. Importantly, the aim is to protect consumers and merchants alike from financial losses while eliminating much of the inconvenience associated with authentication.
Visa’s Digital Authentication Framework
Visa introduced the Digital Authentication Framework (DAF) from April 2023 in an effort to incentivise issuer identification and verification (ID&V) and token-to-device binding across all token types. DAF offers a set of authentication and fraud performance requirements to improve security performance of CNP transactions across the payments ecosystem.
With DAF, the issuer may only require authentication — such as an emailed or texted PIN — upon the first use of the payment credential at the merchant. Thereafter, the issuer may not challenge any transactions using the same merchant, customer and payment account information, provided the merchant and token requestor (TR) meet the DAF’s requirements.
These requirements include presenting a device-bound token generated during ID&V; performing risk-based cardholder verification at the time of purchase, including data such as token cryptogram, merchant or TR information or device information to support issuers’ decision-making; and maintaining fraud rates at or below minimum thresholds. Importantly, liability is not shifted to the merchant.
Because issuers are expected to provide fraud dispute protection and optimised approval rates for DAF transactions, it is imperative for them to review and strengthen ID&V practices to mitigate fraud from transactions using fraudulently provisioned tokens. Implementation varies between markets, with DAF mandatory for merchants and issuers in some countries such as South Africa.
Mastercard’s Token Authentication Framework
Mastercard is expected to roll out its Token Authentication Framework (TAF) in 2024. There are few details, as yet, about the implementation plans for TAF. However, Mastercard says the framework will increase security and reduce friction via tokenisation of payment credentials stored on file with a merchant or digital wallet and authentication of cardholders in the acquiring domain.
In some markets, merchants may be liable for fraud and in others they may benefit from fraud liability protection. According to Mastercard, TAF is based on three pillars:
- An ID&V process performed with issuer authentication to verify tokens before using them in a transaction.
- Authentication of tokens during a transaction using a Mastercard-qualified multi-factor authentication (MFA) method.
- Securing transactions with a Digital Secure Remote Payments (DSRP) cryptogram, returned as part of the Checkout response.
Towards more secure payments with less friction
DAF and TAF represent the latest steps in the digital payments journey towards enhancing the customer experience, and are intended to make payments more seamless and secure for merchants and customers alike. DAF and TAF require issuers and merchants alike to reduce friction in card tokenisation. Issuers will be liable for fraud when they issue a token, meaning they need to ensure that the request is legitimate.
Keeping up with this fast-moving landscape can be challenging for payments companies and issuers who still have a significant investment in legacy technologies. Platforms such as Stanchion’s Verto solution accelerate agile change and rapid integration in fast-changing payment environments. Verto is payment environment agnostic, which enables it to implement new functionality to complement existing payment capabilities.
Verto facilitates an issuer’s interactions with the token service provider (TSP) and any events on the issuer card management system that need to be actioned with the TSP. The Verto platform is built to be efficient at integration and rapid development, mitigating integration risks and the management of unforeseen requirements across the token life cycle, from checking if the card is eligible for tokenisation onwards.
Through Verto, customers can avoid or minimise any impact on existing systems. The Verto platform combines frameworks, toolkits, building blocks and accelerators to specifically meet future-facing companies’ needs. It modernises and extends the life and value of existing core systems, while enabling companies to adapt to changes such as DAF and TAF.
Get in touch to find out how Verto mitigates the risk associated with changes in your payments landscape.