Friction versus Fraud

Project Transaction Insights is supported by our Benefactor, The Chargeback Company

Fraud exists – has always existed.  Whatever the method of payment or the value attached, there is a way to steal.

Our job should be to make it as hard as possible to steal… but at the same time we are pressured to make it easy to pay for things.

From cardholders to merchants to banks, card payments are a fantastic and easy way to make stuff happen, like buying a coffee, booking a dream holiday or ordering that late-night takeaway. Where we need to introduce friction into the buying journey, the industry has been thoughtful and methodical, but not always entirely sensible, in making payments easy. Let’s break this down into card present and card not present:

Card Present Fraud

Magnetic stripe is decades-old technology – a £5 card reader and a little bit of creativity could create a counterfeit card which could spoof the system undetected. As card payments grew, so did the prevalence of this type of fraud. The solution was simple: upgrade to Chip to prove the card is genuine and then enforce PIN to ensure the cardholder is genuine. Pretty expensive at the time and now historic in the UK, but a very live issue in markets like the US.

The fraud migrated to markets which did not enforce Chip – mainly the US or Asia. Moving the liability for this fraud to the least secure party has achieved global Chip roll out and very low fraud rates.

Card Not Present Fraud

As card not present transactions became a mainstream method of payment, fraud ballooned. All a fraudster needed was a card number and an expiry date and the deed was done. So the industry came up with solutions.

First – you can now ensure that the person paying has the card by printing a card verification value (CVV) on the signature panel. This generally works well, but these values are themselves worth something to fraudsters and can be bought, sold and traded, so their value as a fraud prevention tool is diminished. CVV is not terribly disruptive to cardholders, other than having to either remember it or pull their card out of their wallet when paying online.

Secondly, in instances when CVV became less helpful or reliable, the industry came up with 3D Secure – commonly known as Verified by Visa or Mastercard SecureCode. This technology does introduce a disruption in the payment process, as the cardholder has to enter a credential of some kind when paying online. 3D Secure is not well loved: customers hate it (they have to remember a password), merchants hate it (interruption of the checkout flow and the associated drop-out outflanks any chargeback shield they get) and banks don’t especially like it because, despite fraud being low, it costs money to administer and some customers just don’t like it. 3D Secure is evolving in that most issuers are using data to make smart decisions about when to challenge or disrupt the cardholder. With that said, and with online payments becoming easier, the regulator got involved.

The introduction of Strong Customer Authentication (SCA) as a requirement of the updated Payment Services Directive is game-changing. Most transactions will need a two-factor method of authentication – meaning that banks need to demonstrate that the customer really is who they say they are when paying remotely. This could mean disrupting the payment journey with an SMS one-time passcode, a banking app prompt or even a phone call. It can be said with certainty that SCA will subtract a substantial amount of fraud from the payments ecosystem – but at what price? The introduction of a myriad of authentication methods into the transaction process is viewed as confusing for all parties and will mean poorer customer and merchant experiences. The regulator in the UK has recognised that the market is not entirely ready and so the September 2019 deadline for compliance has been relaxed.

This allows for some breathing room for sensible thinking on how to ensure a common experience online (think back to I ♥ PIN), and make transactions even more secure but without making consumers spend more time authenticating than enjoying the experience of buying.

More on SCA to come in our next blog on 23rd July
