by James Hunt
4 minutes • • July 23, 2024

A Guide to Secure, Seamless User Authentication in Payments

Online payments demand a delicate balance between security and user experience. Consumers crave a smooth, frictionless user authentication process. However, merchants must ensure that online payment methods and transactions are safe from fraud.

Feedzai’s James Hunt recently joined Tom Pilling, Chief Risk Officer of Trust Payments. The pair discussed how businesses and merchants can deliver an online payment experience that achieves the delicate balance of security and a seamless user authentication experience.

Read an excerpt from the conversation below. Find the full Q&A here.

Tom Pilling (TP), Trust Payments: Is it possible to have both robust security and a user-friendly experience in online payment checkouts?

James Hunt (JH), Feedzai: Security shouldn’t equate to unnecessary hurdles during checkout. Instead, it’s about applying the right controls at the right time based on the transaction’s risk level.

Extra security checks might be unnecessary if you buy a new Fortnite avatar skin on your usual device from a familiar location. But when buying a TV from a new website and a different shipping address, an additional level of security measure like two-factor authentication (2FA) is appropriate.

TP: It’s impossible to achieve 100% harmony. However, there are certainly ways and means to ensure merchants reach a “more than happy” medium using consumer data. The key to merchant success is understanding its transactional data by working alongside your Acquirer or Payment Processor. Good acquirers will have a solid solution in place to understand their transaction data better.

Sometimes it’s challenging to see the “wood for the trees.” Taking a step back, looking at your transaction data, and spending time to understand where there could be false positives is a really worthwhile exercise to fully optimise payments.

Unlock New Revenue with Fraud Prevention

Secure merchant operations effectively with Value-Added Services(VAS). Fight fraud and open new revenue streams.

Download eBook

TP: Is Two-Factor Authentication (2FA) cumbersome?

JH: Different types of user authentication methods fall into the 2FA bracket, either Active or Passive.  For example, asking the user to input a username and password or code would be an example of active user authentication.

An example of passive user authentication could be something as simple as recognising that the device, either a laptop or phone, is the same device the consumer always uses. Active user authentication is the one that gets bad press for being cumbersome. If I forget the password I’ve set up on 3D Secure with my bank, or for some reason, I don’t receive a text message containing the code I need to input to complete my transaction.

Also, consider if 2FA is necessary. In Europe, where Strong Customer Authentication (SCA) is mandatory, merchants or their acquirers can actively request several exemptions.

While a consumer’s bank might reject a request to remove 2FA, it’s helpful to understand Transaction Risk Analysis (TRA) exemptions. These exemptions eliminate the need for 2FA on low-risk transactions, streamlining the process for such purchases.

TP: The original 3DS allowed cardholders to add merchants to a “positive list” to make the process smoother for certain “approved” merchants. But this element of “self-certification” seems to have disappeared. For instance, if you buy from a trusted store, you might be able to set it up so you don’t need to use 2FA for future purchases.

Users should be more free to decide what transactions require more security and which don’t. I believe there needs to be a better balance between the two. Currently, it’s 2FA or forget the transaction. Ultimately, this is not good for anyone in the payments ecosystem.

The Right Mix of Enhanced Security and Strong User Authentication

JH: According to the latest UK Finance Fraud Report, Remote Purchase Fraud (Card Not Present / CNP Fraud) has continued to fall since the rollout of Strong Customer Authentication in the UK, with losses at their lowest level since 2014.

Unfortunately, fraud isn’t going away. Remote Purchase Fraud still represents a significant value of fraud within the UK ecosystem, at £360M. The numbers also show that fraud is migrating to other channels, such as Card ID Theft, which has increased 53% in the last year.

While 2FA can be a useful tool to prevent fraud, it’s one of many components that should be combined to create an effective fraud strategy that balances risk mitigation and a positive customer experience.

Increased security doesn’t have to mean a bad consumer experience. Instead, it’s about using the right verification methods at the right time, appropriate to the risk involved.

2FA doesn’t have to be cumbersome, but its implementation often depends on it. Again, it is critical to use the right methods at the right time, appropriate to the risk involved.

Whilst 2FA can be effective, it doesn’t spell the end of fraud. Consider the rise of APP fraud (specifically, scams) after SCA debuted.

In summary, 2FA can effectively stop fraud. However, it should be one out of many layers of security to help maximise the consumer experience.

All expertise and insights are from human Feedzians, but we may leverage AI to enhance phrasing or efficiency. Welcome to the future.

Page printed in December 12, 2024. Plase see https://www.feedzai.com/blog/a-guide-to-secure-seamless-user-authentication-in-payments for the latest version.