In Payments Security, Hunting For The Goldilocks Effect

Think Goldilocks is just about getting the porridge and the beds and the chairs just right, and avoiding the three bears? Think again.

Goldilocks is also about payments.

To put it another way, the theme of the fairy tale applies to the transactional world in which we live — getting it all just right and in balance, a crucial concept when it comes to the consumer experience and security in card-not-present (CNP) transactions.

So opened a May webinar moderated by PYMNTS’ Karen Webster and featuring CA Technologies’ Vice President of Payment Security Strategy, James Rendell, and Vice President of Data Science, Paul Dulany.

“Consumers want to be Goldilocks,” said Webster, “getting the experience that they want, not too hard and friction-free.” Issuers and merchants are tasked with finding a way to do that: not so hard that they have to decline good customers, nor so easy that the fraudsters have a wide berth.

Against that backdrop, the two CA Technologies executives discussed the evolution of CA Technologies’ own Transaction Manager and Risk Analytics Network and its 3D Secure protocol engine.

It’s no secret that eCommerce is growing rapidly. The industry is slated to be at $3.6 trillion by 2019, noted James Rendell. There will be 2.9 billion smartphones by 2020, when 50 percent of transactions will be done via mobile.

Amid all this embrace of mobile commerce, half of all chargebacks come from the online channel, and the cost for online retailers tied to fraud is 8.6 percent of revenues. The key is to harness those mobile trends, Rendell said, offering up the 3D Secure 2.0 protocol as a way to promote more eCommerce-specific data than might be typical in the payment authorization and cardholder authentication processes.

At a high level, the information conveyed includes the user, the merchant, the goods description and the device being used for the transaction. Recognizing the device and patterns of usage, he said, turns out to be a useful tool and an effective predictor of potential fraud in an eCommerce environment.

Against this backdrop, there is a balancing act between customer acceptance, fraud prevention and operational costs. Balance is the only way to boost card revenue.

“You have the option to challenge the cardholder,” said Rendell, if it is suspected that the transaction might be an unusual one for that consumer. This may result, for example, in sending a one-time use code that must be presented by the would-be consumer.

Challenging every transaction, or even challenging transactions frequently, of course tips the balance toward caution. But given the insight into devices and the global consortium of issuer networks, it isn’t necessary to challenge every transaction, and so the focus can lean toward making the shopping experience optimal for consumers.

The 3D protocol’s evolution is one that began in 2001 and sought to establish that the person trying to transact really was the legitimate owner of a card. “That was as far as it went in those days,” said Rendell. Merchants remained wary of the process, as it seemed like it would add friction and disrupt checkout flow.

The evolution since then has been one marked by machine learning and predictive models that can operate in real time. The initial iterations of 3D Secure, said Paul Dulany, did not have all the fields that might have been desired to combat fraud. Now, “one of the nice things about 3D Secure 2.0” is that it has indeed been built with fraud detection and prevention in mind, with analytics on top.

“The data has always been available, but the harnessing of the data to improve the user experience has been a key development,” said Rendell, noting that his firm provides strong, mobile-based authentication options. The Risk Analytics predictive model, he said, leverages the global consortium’s historical data across billions of transactions.

The model spots fraud in ways that “may not be possible if you are looking through the lens of just one issuer in the network.” In one example offered by Rendell: When would-be fraudsters try to use stolen card data at two banks in rapid succession, the predictive model can head off suspicious transactions that are tied to a certain device.

“We each have our own unique behaviors, and [the model] measures those by how frequently you transact, what merchants you go to, what kinds of amounts you normally [spend]. And when I say, ‘you,’ it’s an anonymized version of you,” said Dulany, adding that the company (and the model) does not know the identity of the consumer, “but I do know whether it is the same device or the same card.”

Offering up some illustration of a single year’s worth of data, Dulany said the Risk Analytics Network gathers information from 500 million transactions across 30 million cards and 90 million devices. With all that data, the company creates more than 110,000 variables, with the model constantly learning new behavior of individuals and devices. Scoring goes from 1 (very unlikely to be fraud) to 999 (quite likely to be fraudulent).

The end result is that risk control and user experience in CNP transactions find common ground right in the middle with the Risk Analytics network model — a.k.a. Goldilocks territory, said Dulany: “By being able to understand the device context as well as the card context, you can reduce the losses — those that get through the model by 25 percent. Or we can reduce those legitimate people who get impacted by the model by 35 percent. Most institutions will choose between those two, a balance of the two to get it just right.”