Effective Transaction Risk Analysis Requires Machine Learning

August 15, 2019

Sponsored Content

The EU’s revised Payment Services Directive (PSD2) includes several technical requirements by which payment service providers (PSPs) in European markets must soon abide. Many of the technical requirements included in PSD2 aim to reduce payment-related fraud and improve the security of online payments. One of the mandates of PSD2 is that PSPs must apply two-factor authentication (2FA) to remote card-based payment transactions. However, PSPs may forgo 2FA under certain circumstances. One of those circumstances is when a transaction qualifies for a transaction risk analysis (TRA) exemption. Effective transaction risk analysis will be crucial for PSPs as it plays a key role in reducing fraud and applying TRA exemptions to transactions.

When Customers Complain About 2FA

No merchant wants to add more friction to the checkout process, or any part of the customer journey for that matter. Requiring 2FA at payment is a barrier to checkout that will annoy many customers. Seventy-four percent of companies that use 2FA receive complaints about it from users, according to a SecureAuth Corporation 2FA survey. The same survey found that nearly 10 percent of users “hate” 2FA.

Under PSD2, it is up to PSPs to decide when an exemption should be requested for a transaction. Merchants will want PSPs to request TRA exemptions for as many transactions as possible. Qualifying for TRA exemptions means less friction for customers and fewer complaints from customers about 2FA.

TRA Exemptions Included in PSD2

If a PSP maintains low enough fraud rates, it may secure payments through transaction risk analysis instead of 2FA. The fraud rates of merchants are included in the calculations of TRA exemptions, so PSPs must monitor and assess payment transactions submitted by merchants in real time. TRA exemptions are based on the fraud levels and Euro amounts below:


Transaction Value | Fraud Rate for Remote Card-Based Payments
< 500 Euros |
< 250 Euros |
< 100 Euros |
< 30 Euros |



PSPs with robust, machine learning-driven fraud prevention systems may require that a transaction go through 2FA even if it qualifies for a TRA exemption. For example, if a transaction or user is deemed suspicious by the PSP’s fraud detection system, the PSP may require 2FA.

Traditional Fraud Detection Systems

Some industries, such as banking and e-commerce, use traditional fraud detection systems that are rules-based: the system assesses the risk of each transaction by applying a set of rules. For example, the system might include a rule where a transaction is rejected if the cardholder is currently in a high-risk location. Most rules-based systems consist of hundreds, often thousands, of rules. The rules are typically added manually by fraud prevention teams. Fraudsters constantly find new ways to commit fraud—so many ways that it’s difficult, if not impossible, to keep up. Teams must constantly add or update rules to reflect new forms of fraud. Also, rules-based systems analyze accounts on an individual basis. Fraud detection systems must analyze accounts as a whole and identify patterns of fraud among accounts with shared attributes, which requires machine learning.

Machine Learning is Needed

Modern fraud is increasingly complex and coordinated. Rules-based systems are not designed to handle fraud rings that constantly change their tactics. PSPs must ensure that the risk analysis for every transaction is accurate and fast. Machine learning enables a fraud detection system to analyze massive volumes of data quickly and learn to recognize sophisticated patterns of fraudulent behavior. Machine learning also enables the system to detect linkages and shared attributes among accounts, information that could be incorporated into every transaction risk assessment.
