As PSD2 Gets Off the Ground, Fraudsters Gear Up

Criminals are always on the hunt for new opportunity. As companies settle into a world governed by Europe’s second Payment Services Directive (PSD2), and as financial institutions (FIs) and FinTech companies explore the possibilities of faster payments and unbundled banking, attention to how to secure those activities is increasing. How exactly fraud attacks and fraud prevention will change in the post-PSD2 world remains unclear, but change is certain, according to observers.

“Although PSD2 has been designed to enhance the overall security of digital payments, it does also bring with it some risk of specific kinds of fraud,” said Dr. Stephen Topliss, vice president of product strategy at ThreatMetrix, in a recent essay.

Call Center Threat

Call centers will likely experience increased activity in the coming months and years, as PSD2 rules calling for “increased demands on consumer authentication could result in higher demand on call centers from blocked payments and/or increased customer friction, as well as [have] an impact on the efficiency of automated monitoring systems, which are not tuned and calibrated to the new payment schemes and fraud scenarios,” he wrote.

In fact, call center fraud already costs companies $0.58 per call, netting major losses as the number of fraudulent calls piles up, according to a recent review of the topic from PYMNTS, which released a Call Center Commerce Tracker report earlier this month. The report covers ways in which call center operations are fighting fraud — including in Europe, the home of PSD2.

In the emerging PSD2 world, fraud prevention experts are finding themselves with an increased sense of job security. The drive to open up APIs and make payment-related data more available to third parties will bring in “more players to the ecosystem,” which, in turn, will drive “a need for a 24/7 operation of fraud investigation teams, along with implementing real-time fraud transaction monitoring systems,” according to Topliss.

Increased Risk

None of what Topliss wrote — and it echoes other recent warnings from payments experts — is exactly new. But these warnings are taking on more heft, given that PSD2 came into effect in Europe earlier this year, with a September 2019 deadline looming for payment service providers to adhere to regulatory technical standards regarding security and functionality.

PSD2, along with the European Union’s (EU) newly enacted General Data Protection Regulation (GDPR), which covers online privacy and security, promises to slowly influence the global digital economy in ways that will take time to be seen clearly. Both could provide what amounts to silver linings for criminals, according to recent GDPR and PSD2 analysis that appeared in PYMNTS.

It is still too early to describe the specific ways that criminals and hackers are taking advantage of PSD2 and unbundled banking, but the risk is increasing, argued Sundeep Tengur, a financial crime specialist with SAS.

“Traditional financial organizations have so far enjoyed a bilateral relationship with their customers. Things will soon change … when the TPPs [third-party providers] enter the market with new services,” he said. PSD2 is bringing higher transaction volume for banks, and more demand from consumers for mobile payments and quicker transactions. Those increases result in more pressure being put on fraud detection systems — which, in turn, provide obvious opportunity for businesses that sell fraud prevention technology.

“The window for investigations will be significantly reduced and banks will need to rely on automation and advanced analytics to mitigate the increased fraud risk,” Tengur said.

Biometric Promise

In these early days of PSD2, biometrics — including behavioral biometrics — are popping up frequently in discussions about increased security and fraud prevention. The fuel that the payments directive might provide to new biometrics efforts was recently demonstrated by the announcement from Mastercard that it will test its fingerprint-scanning cards in the U.K. The product combines chip technology with a fingerprint scanner to verify the cardholder’s identity when making purchases in-store or online.

However, biometrics might provide banks another way to secure themselves and still keep up with PSD2. Patterns of typing or computer mouse movements — an area generally known as behavioral biometrics — can help FIs keep guard against account takeovers, new account fraud and other sorts of criminal activity expected to follow the flood of TPPs into the payments world.

Fraud prevention is certainly getting more sophisticated. A PYMNTS webinar on Thursday (July 19), for instance, will discuss how robots and AI can provide defenses against criminals. But every new technological advance or major regulatory change provides new pathways for criminals, and PSD2 will be no different.