Guest blog: Preventing fraud in online payments: punish the fraudster, not the consumer


Imagine that you, the upstanding, law-abiding citizen, walk into a supermarket on a Saturday afternoon and are followed around by a security guard and searched on exit. You are followed simply because your bank has a less than perfect record in detecting fraud.

If you went back the next day with a different payment card, issued by a different bank, with a better fraud prevention record, you would not be followed and searched. This doesn’t make much sense.

The risk of fraud or theft relates to the individual. It is better that the supermarket staff make a case-by-case risk assessment (buying sweets is different from buying a car) than rely on the track record of the customer’s bank. If a dodgy customer moved to a ‘safe’ bank, they would suddenly no longer be subject to the same scrutiny; this also does not make sense.

The reason for this tortured vision is that new rules for preventing fraud are moving closer to adoption.

The European Banking Authority’s (EBA) new security standards for online payments are currently being reviewed by the European Commission and are soon to be finalized. After the EBA listened to extensive feedback from the industry, the proposals are now much better than they were.

However, the potential for some surreal outcomes remains. Under the current proposals, when paying for something online (be it flight tickets, groceries or a new dress), whether or not you have to undergo extensive security procedures would not be based on your behavior, or on the fraud-detection track record of the shop you are buying from. It is exclusively the fraud record of the customer’s bank that would eventually count.

Being asked to go through endless procedures to avoid fraud only because your bank has proven to have a poor record will do nothing but frustrate and alienate customers. This law means that your bank’s failure to tackle fraud makes your life harder and less convenient.

When is a Transaction Not a Transaction?

Sometimes when you buy things online, not everything is ready to be sent to you. It may be that some items are in stock and others will be available soon. In such a situation the customer often pays on ordering, going through any necessary security procedures at that point. For the customer’s peace of mind and convenience, the payment card is only debited as each item ships.

While this may mean multiple small payments are being made, the customer will only have to go through the order process once.

Under the new draft rules, the customer would have to complete a separate security verification procedure each time an item ships and the payment card is debited.

This would force you and me back to our computer, mobile phone, or tablet each time an item is ready to ship and a payment must be made. Failure to authenticate each time will result in no payments being made, no item being shipped and eventually unhappy shoppers!

All of these extra steps would become necessary even though the order was originally placed by the same person, with the same payment card, the same bank, and the same risk-profile.

Again, this does not make sense and can easily be avoided. Permitting risk-based assessments in such cases, known in the industry as ‘dynamic linking’, would allow the appropriate fraud prevention and security measures to be taken once, at the point of order, and once only.

The Best of Both Worlds

We don’t need to choose between security and convenience. Allowing merchants, their banks or payment service providers to apply modern technology to detecting the risk of fraud is effective. Merchants have unique data points, whether customer behavior, purchase history or browsing patterns, that provide warning signs and help prevent fraud. All of these factors contribute to a key objective of the new payment services legislation: the reduction of online fraud rates.

As the New York Times columnist Thomas Friedman commented:

“The future belongs to those who build webs not walls….”

Detecting suspicious behavior is better than simply building a wall, or indeed asking people to climb a wall, just because they are spending a certain amount of money. The draft rules allow for a risk-based approach for lower value transactions, but never for more expensive ones. This, for example, penalizes airlines and travel agents who would always need to make even well-heeled customers climb over the security wall in their high-heeled shoes.

These new EBA security standards, and indeed all rules in the digital age, should recognize Friedman’s maxim. The best outcomes are achieved through cooperation, not blunt instruments.

The necessary flexibility in the final security standards will allow for a secure and smooth shopping experience, not a frustrating one that leaves you screaming at the screen. The European Commission should seize the chance to give ‘Brussels bureaucrats’ a good name by amending the final security standards to recognize the modern, good practices online merchants apply in detecting online fraud.


By James Waterworth, Vice-President of CCIA Europe, for ‘The Disruptive Competition Project (DisCo)’.

Ecommerce Europe and CCIA are part of a broad pan-industry coalition of European e-commerce, digital, online payments and FinTech companies and associations highlighting the risks the EBA’s RTS on Strong Customer Authentication pose to the e-commerce sector and the EU’s Digital Single Market.