Risk Based Authentication (RBA) in eCommerce

Risk based authentication (RBA) in eCommerce payment processes aims to prevent checkout friction and combat fraud.

Patrick Drexler

VP of DACH and Friendly Fraud
Vector

22 December 2021


When eCommerce customers commit to a checkout payment process, both they and merchants want peace of mind that everything can and will run as smoothly as possible. Prevent fraud. Ensure a smooth customer UX. Those are simple goals for a merchant to state, but what mechanisms work in the background to ensure a safe and frictionless transaction? A lot goes on, including the triggering of risk based authentication (RBA) principles, and this is undoubtedly where behavioral biometrics and machine learning (ML) models prove worth their weight in gold.

Risk based authentication - what is it and when is it triggered?

RBA can be interpreted as an extra set of checks that run in the background of 3DS2 (3-D Secure 2.0, the protocol for authenticating card payments). It acts as an exemption mechanism that avoids repeating authentication measures on every transaction: those measures are only triggered if RBA determines that a transaction poses a medium to high risk of fraud. In other words, if the current transaction shows irregular or suspicious activity, or behaviors that differ from those in the user's account payment history, additional verification becomes necessary and multi-factor authentication is required for the transaction to proceed. This is where advanced fraud solutions can keep the process smooth: ML-backed fraud solutions incorporate digital fingerprinting and behavioral biometrics that can effectively perform 3-factor authentication in a non-invasive manner, removing the need for an intrusive authentication step.

With so many rules and regulations in place (the EU's PSD2, the second Payment Services Directive) and payment security protocols being updated in 3DS2 to limit global fraud and protect customer details, it can be difficult for merchants to find a solution that keeps their fraud management systems compliant with every requirement while living up to customer expectations of a quick and easy payment process. But a number of key initiatives are at least heading in the right direction.

The EU’s PSD2 TRA and 3DS2 RBA go hand-in-hand

Both 3DS2's RBA and PSD2's TRA (transaction risk analysis) offer very similar exemptions for transactions that are deemed low-risk. The aim is to prevent frequent customers from having to go through invasive 2FA (two-factor authentication) procedures again and again for low-value goods. Manually verifying every payment would cause unnecessary friction and potential loss of custom through checkout abandonment.

Exemptions from multi-factor authentication (or SCA, strong customer authentication) are offered only when the following criteria are met:

  • The value of the item being purchased is low (usually below $30).
  • The merchant has been flagged as a trusted beneficiary by the cardholder.
  • Shopping behaviors and spending amounts remain similar to previous transactions.
  • The payer's hardware/software has not changed since the last transaction.
  • The user's location is not high risk.
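As an added illustration (not code from the article or any vendor), the following Python sketch turns the criteria above into an RBA decision: it derives risk signals from the cardholder's history, maps them to a low/medium/high level, and only grants the low-value or trusted-beneficiary exemption when the level is low. The signal weights, the outlier factor and the sample profile are assumptions; the article only supplies the criteria and the "usually below $30" figure.

```python
from dataclasses import dataclass

# Assumed thresholds and weights (not from the article).
LOW_VALUE_LIMIT = 30.00           # the article's "usually below $30"
AMOUNT_OUTLIER_FACTOR = 3.0       # spend > 3x the usual amount counts as irregular
SIGNAL_WEIGHTS = {"device_changed": 2, "amount_outlier": 1, "high_risk_location": 3}

@dataclass
class Transaction:
    amount: float
    merchant_id: str
    device_fingerprint: str        # stable hash from a device-fingerprinting library
    country: str

@dataclass
class CardholderProfile:
    trusted_merchants: frozenset   # merchants the cardholder flagged as trusted
    last_device_fingerprint: str
    typical_amount: float          # e.g. median of the cardholder's recent purchases
    high_risk_countries: frozenset # list maintained by the fraud team (assumed input)

def risk_signals(tx: Transaction, profile: CardholderProfile) -> set:
    """Irregularities relative to the cardholder's history (the RBA checks)."""
    signals = set()
    if tx.device_fingerprint != profile.last_device_fingerprint:
        signals.add("device_changed")
    if tx.amount > AMOUNT_OUTLIER_FACTOR * profile.typical_amount:
        signals.add("amount_outlier")
    if tx.country in profile.high_risk_countries:
        signals.add("high_risk_location")
    return signals

def risk_level(signals: set) -> str:
    score = sum(SIGNAL_WEIGHTS[s] for s in signals)
    return "low" if score < 2 else "medium" if score < 4 else "high"

def decide(tx: Transaction, profile: CardholderProfile) -> tuple:
    """Return (decision, level, signals): 'exempt' means a frictionless checkout,
    'challenge' means the 3DS2 challenge / SCA step-up is required."""
    signals = risk_signals(tx, profile)
    level = risk_level(signals)
    if level != "low":
        return "challenge", level, signals   # medium or high risk always steps up
    qualifies = tx.amount < LOW_VALUE_LIMIT or tx.merchant_id in profile.trusted_merchants
    return ("exempt" if qualifies else "challenge"), level, signals

# Constructed sample: a returning customer who trusts "shop-a", pays from device
# fp-1 and usually spends about $20; "ZZ" stands in for a high-risk country.
SAMPLE_PROFILE = CardholderProfile(frozenset({"shop-a"}), "fp-1", 20.0, frozenset({"ZZ"}))
```

Run `decide(Transaction(12.0, "shop-b", "fp-1", "DE"), SAMPLE_PROFILE)` to see a low-value purchase from the usual device pass without a challenge, and swap in `"fp-2"` or `"ZZ"` to watch the same purchase escalate.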

Biometric analysis is effective for multi-factor authentication

What happens under RBA (and TRA) if irregular behaviors are detected? This is where multi-factor authentication will be required. But doesn't this go against the aim of mitigating friction and delivering a frictionless experience? It is at this point that advanced fraud solutions deploying digital fingerprinting and behavioral biometrics, all backed by ML models, help to ensure a frictionless payment process without cutting back on any security measures. Such solutions meet all the requirements for identifying potential fraud risks and can act as a non-invasive form of adaptive authentication, unseen by the customer, without the need to answer time-consuming security questions or complete invasive authentication processes.

Specifically, such solutions perform multi-factor authentication automatically, verifying the user as a person, their device and their behavior, all through digital fingerprinting and behavioral biometrics (meeting the requirements for verifying something the user knows, has and is). Verifying thousands of data points in real time is far more effective than relying on rules-based fraud prevention, which determined cybercriminals can work around. The additional benefit to customers is that they will not have to complete 2FA (including any annoying CAPTCHAs).

We have written extensively about how to best ensure frictionless checkout experiences using the latest Fintech, all of which you can learn more about from our How to reduce SCA checkout friction in eCommerce White Paper and blog post.


If you are interested in how risk based authentication can improve your payment and transactions process, then implementing an advanced fraud solution with frictionless customer UX is the perfect answer. Let us show you how over a call.

Ready to detect fraud just like Azul?

Start measuring fraud attacks today and find out if there are bots attacking your site. Arrange a call to discuss a tailored solution or explore our platform for free.