Who decides which transactions require authentication

A

ardmacha

Registered User
Messages
260
I have been having problems with authentication. I have two BOI customer numbers and if I haven't selected one or other of these before the authentication then I seem to end up in mid air, even if I select the correct one afterwards. In renewing my car insurance, I did not receive the authentication message and then ended up having to go through the whole process again, as there was no resend option. In the customer feedback form to Allianz I noted this, although the fault mainly lies with BOI. Allianz said that they did not decide who required authentication, the bank did.

Today I wanted to pay my Panda domestic bin bill and had a similar problems. I ended up paying with Revolut.

My question is how is it decided that authentication is needed. Renewing car insurance on the same car at the same address as is on the card is not a suspicious transaction and even if it were the insurance company could just cancel the insurance. Likewise who is going defraud Panda by using a dud card for bin charges, after all they know where you live! In the past I was asked to authenticate an annual car park subscription to my employer, who both knows where I live, where I work and what my car number is.
Buying resaleable goods online might well have opportunity for fraud. Subscription to services which can be cancelled does not seem to me to be major cause of fraud.

The point is that these authenticators are increasingly time consuming, but it also seems that they are used unnecessarily. Who makes this decision?
 
It's becoming a right nuisance recently. I was attempting to book Munster rugby tickets on Ticket master at the time they became publicly available and had got my 2 preferred tickets only to lose them due to verification process as I did not have my mobile phone beside me. When I tried again a few minutes later I ended up with less preferred tickets
 
I booked Ryanair flights with my EBS debit card last week, no problem. Today I am trying to book a hotel. I cannot do this because I have not downloaded their security App. I thought that I could phone them and they could override this requirement. No. I must download their App.

Tried to download their App and it will not let me. Problems with customer ID or something.

I was on to EBS during the week about something different. 30 minutes waiting for someone to answer their phone.

Today I was 45 minutes waiting for their phone to answer.
 
Algorithims will decide normally what does and doesn't get flagged for MFA. Whilst the rules will generally be different between banks, the norm would be
  • First transactions with a person/business
  • Transactions over a certain amount
  • Transactions where a previous transaction was some time ago
  • Transactions after you have changed your card
  • transactions "not the norm". If for example, the system suddenly saw transactions to a bank in the Caribbean that were not the norm for you.
  • transactions where potentially what you are buying could be easily resold.
should be said no alogrithim is perfect, banks are really trying to minimise risk.

Note it would also be quite common for fraudsters to carry out low value transactions on "normal" sites to see if a credit card has been blocked or not. I recall a while back looking at a merchant sales report where the person was changing the last digit in a card number (so they had 15 of the 16 and probably the CSV and date) and we were rejecting it. Once they got one through eventually, they disappeared and we've not seen them since (and have blocked the card)
 
Peanuts

That is very interesting and makes sense.

I had thought that the ID of the merchant would be key.

Paying a big Irish retailer would be flagged less often that a small foreign retailer?

Brendan
 
I pay for groceries online weekly with a major retailer. I havent analysed it in detail but I think the authentification kicks in for transactions above ~€100
 
The authentication limits gradually changed since sca came in last April.

I think it's now at the final plan of every transaction over €100 and random under €100.
 
Bear in mind that some level of authentication is almost always happening in the background, which the card holder may not even be aware of.

The payment providers (so Stripe would be an example) can request exemptions to SCA for low risk transactions. Think when you are shopping using contactless cards in a shop. Most times, if the value is under the threshold limit then you won't be asked for a PIN to be keyed but on occassions you will be. That decisions can be based on the number of previous transactions which did not require a PIN (often set at 5) or once the overall value of transactions since the previous time you keyed your PIN hit a certain value. Same principle applies to online shopping.

Likewise, once the merchant has you down as a "saved card" and you have authenticated once, most of your transactions should not require subsequent authentication, but it all depends on the banks and payment providers risk appetite.
 
Peanuts20 said:
Algorithims will decide normally what does and doesn't get flagged for MFA. Whilst the rules will generally be different between banks, the norm would be
  • First transactions with a person/business
  • Transactions over a certain amount
  • Transactions where a previous transaction was some time ago
  • Transactions after you have changed your card
  • transactions "not the norm". If for example, the system suddenly saw transactions to a bank in the Caribbean that were not the norm for you.
  • transactions where potentially what you are buying could be easily resold.
should be said no alogrithim is perfect, banks are really trying to minimise risk.
Click to expand...

I accept banks minimising risk and I have even worked on algorithms at the company level to examine data to identify risk. i fully see the point of the last two items on your list and this has identified real fraud on my card in the past. However, your list does not say anything about the business of the merchant or where it is. Payments to insurance companies or bin collection operators intrinsically are less risky than many other sorts of transaction. A payment once a year to an insurance company may be more than €100, but it there is nothing unusual about it.
Perhaps part of the solution is for the merchant to take part of the risk and not subject every customer to this authentication when the merchant sees nothing of concern about the transaction. There is no reason for an insurance company to seek bank confirmation for an insurance renewal for the same car with same card at the same address which also has house insurance with the same company and where I have lived for almost 30 years (with the same car insurer all along).
Is a hands off data protection type approach causing unneccessary authentications for customers doing regular stuff?
 
ardmacha said:
I accept banks minimising risk and I have even worked on algorithms at the company level to examine data to identify risk. i fully see the point of the last two items on your list and this has identified real fraud on my card in the past. However, your list does not say anything about the business of the merchant or where it is. Payments to insurance companies or bin collection operators intrinsically are less risky than many other sorts of transaction. A payment once a year to an insurance company may be more than €100, but it there is nothing unusual about it.
Perhaps part of the solution is for the merchant to take part of the risk and not subject every customer to this authentication when the merchant sees nothing of concern about the transaction. There is no reason for an insurance company to seek bank confirmation for an insurance renewal for the same car with same card at the same address which also has house insurance with the same company and where I have lived for almost 30 years (with the same car insurer all along).
Is a hands off data protection type approach causing unneccessary authentications for customers doing regular stuff?
Click to expand...
Merchants already accept part of the risk due to the Chargeback process being very loaded in favour of the cardholder. I've suffered chargebacks in the past where we have clearly shown that the cardholder goods were sent out and received and yet the bank has gone in favour of the Cardholder. That's a loss merchants need to write off and those write offs getting added to the pricing the rest of us pay. Loading more risk on the merchant will only drive prices up further and to me, it's worth pressing a couple of buttons to avoid that.

The payment providers already classify businesses, for example, some will be classed as a higher risk of fraud and chargebacks, often based on their past record so what you are suggesting is already in place. Could it be refined further?, I assume it can and will but SCA is realtively new. Having said that, I have seen plenty of examples of the dullest most innocuous business providers providing the most mundane services you can imagine being used by fraudsters to test card numbers to see what will and won't get through. When something does get through, the fraudsters are off to more lucrative sites and the first site holder is left with a write off due to a chargeback
 
You must log in or register to reply here.
Back
Top