What is RBA (Risk Based Authentication) in payments?

June 29, 2023

Risk-based authentication (RBA) is an essential element of the 3D Secure 2 (3DS2) protocol, which helps merchants differentiate between legitimate and illegitimate transactions while continuing to provide an excellent customer experience.

Merchants don’t have complete control over whether or not RBA is followed, but they can determine rules for how transactions are routed, the conditions that require customers to complete additional authentication steps, and the types of authentication used to verify customer identities.

That’s why, to build a powerful and comprehensive risk strategy, it’s vital to understand what RBA is and how it can be successfully incorporated into your fraud prevention measures.

In this article, we explain how RBA works, why it’s important, and how you can implement it with Checkout.com.

What is risk-based authentication in payments?

Also known as adaptive authentication and step-up authentication, RBA assesses how risky a transaction is to determine an appropriate level of customer authentication. This helps prevent common types of fraud, including account takeover and mobile attacks. RBA is a key component of 3DS2, a security protocol introduced to address the limitations of its predecessor, 3DS1.

With the original 3D Secure protocol, merchants relied on simple forms of authentication like passwords and usernames, which criminals could easily exploit, and customers were challenged to provide additional verification regardless of their level of risk. RBA has vastly improved the authentication process because, after taking into account contextual information about the user and the payment, it can precisely match the level of security to an individual transaction. This means less disruption for the customer, and lower cart abandonment and improved sales for the merchant.

How does RBA work?

RBA takes a holistic view of the context behind each transaction to assess whether there is anything suspicious or unusual about it that should prompt further authentication.

RBA can analyze hundreds, or even thousands, of real-time data points to determine a risk score for each transaction. These data points can include the value of the transaction, the location of the customer, their transaction history, their history of security incidents, the number of login attempts, their IP address and time zone, as well as detailed information about the device being used for the transaction. This wealth of data significantly increases the chance that a fraudster - who could easily beat one data point - will be spotted.

A transaction can be deemed high risk for a variety of reasons. For example, a new card is being used by a customer with no transactional history; a familiar customer is using a new device; the customer made multiple login attempts to get into the system; or there are inconsistencies in their location, IP address, or time zone. In contrast, an existing customer using a familiar device from a familiar location is likely to be deemed low risk.

Based on the transaction’s risk score, the customer will either be able to continue with the transaction or be prompted to complete a further authentication step. This could be two-factor authentication (2FA), which asks for additional identity verification beyond their username and password - such as a one-time password (OTP) - or biometrics like a fingerprint, facial scan or voice analysis. The more authentication methods used, the more secure the transaction.
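The scoring and routing decision described in this section, sketched as an added example (not code from Checkout.com or the 3DS2 specification). The signal names, weights, thresholds and `Transaction` fields are assumptions chosen to mirror the risk factors listed above.

```python
from dataclasses import dataclass

# Illustrative weights and thresholds: assumptions, not values from 3DS2 or any issuer.
WEIGHTS = {"new_card_no_history": 35, "new_device": 25,
           "repeated_login_attempts": 20, "geo_mismatch": 30, "high_value": 15}
CHALLENGE_THRESHOLD = 40

@dataclass
class Transaction:
    amount: float
    prior_purchases: int       # completed purchases on this account
    card_seen_before: bool
    device_id: str
    known_devices: frozenset   # devices previously used by this customer
    login_attempts: int
    ip_country: str            # country resolved from the IP address
    billing_country: str
    device_utc_offset: int     # hours, as reported by the device
    ip_utc_offset: int         # hours, expected for the IP location

def risk_signals(tx: Transaction) -> list[str]:
    """Return the names of the risk signals that fire for this transaction."""
    signals = []
    if not tx.card_seen_before and tx.prior_purchases == 0:
        signals.append("new_card_no_history")
    if tx.device_id not in tx.known_devices:
        signals.append("new_device")
    if tx.login_attempts >= 3:
        signals.append("repeated_login_attempts")
    if tx.ip_country != tx.billing_country or tx.device_utc_offset != tx.ip_utc_offset:
        signals.append("geo_mismatch")
    if tx.amount >= 500:
        signals.append("high_value")
    return signals

def route(tx: Transaction) -> tuple[str, int, list[str]]:
    """Score the transaction and choose frictionless or challenge flow."""
    signals = risk_signals(tx)
    score = sum(WEIGHTS[s] for s in signals)
    flow = "challenge" if score >= CHALLENGE_THRESHOLD else "frictionless"
    return flow, score, signals

# Constructed samples: a returning customer, then the same customer on an
# unknown device, after four login attempts, from another country.
FAMILIAR = Transaction(42.0, 12, True, "dev-a", frozenset({"dev-a"}), 1, "GB", "GB", 0, 0)
ODD = Transaction(42.0, 12, True, "dev-z", frozenset({"dev-a"}), 4, "BR", "GB", -3, -3)
```

Returning the fired signals alongside the score keeps each routing decision explainable, which is what makes later review of false positives and false negatives possible.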

Why is RBA important?

Fighting fraud is a constant struggle for merchants, and failure to prevent it can have severe negative consequences, including lost revenue, lost customers, and a damaged reputation. It's particularly important for ecommerce merchants, where secure online payment processing is the first line of defense against bogus transactions.

RBA is a crucial tool in fraud prevention. It helps to prevent theft of data and funds while improving user experience and making digital payments easier and more secure for legitimate customers. By determining the exact level of risk and applying appropriate authentication measures, RBA avoids unnecessary security steps and allows merchants to give their customers a pleasant checkout experience.

An example of this is frictionless flow, the process that determines whether a cardholder needs to provide further verification or not according to data captured by RBA. If no further action is required, the customer can proceed with their transaction, in many cases without even knowing an authentication step took place. If further authentication is required (known as challenge flow), the cardholder is able to verify their identity using advanced measures like biometrics without leaving the app or browser window.

The result of this is improved security, higher acceptance rates, higher sales, and a faster, more effortless checkout experience that can lead to significantly reduced cart abandonment. In fact, according to data from Visa, transaction time has been cut by 85% and cart abandonment by 70% with 3DS2.

How to implement RBA with Checkout.com

With Checkout.com’s integrated 3DS2 solution, you can decide what level of authentication to request from your customers for risky transactions. For example, you can segment customers, products, and regions by risk level to determine whether someone from a particular region experiences challenge or frictionless flow based on RBA.

You also get a centralized view of all flagged transactions, including the contextual data used by RBA to decide how each transaction is routed. This data allows you to analyze the causes of false negatives and positives, refine your approach and finely calibrate your risk strategy to minimize false declines and maximize acceptance rates.

RBA is a fantastic tool and should be part of a multilayered fraud prevention strategy. With Checkout.com’s integrated Fraud Detection solution, you can employ all the tools you need - including machine learning and flexible rules - to fight fraud while growing your business.
