Ai Editorial: How Amtrak ensured 3D Secure worked in its favour

First Published, 1st April 2016

Ai Editorial: Amtrak took a cautious, slow approach to 3D Secure deployment due to wide industry perception of negative customer impact. Ai’s Ritesh Gupta understands how the company eventually succeeded in its endeavour.

How can one astutely balance the benefits of 3D Secure and at the same time curtail the risk of checkout abandonment?

To understand how Amtrak, the U.S.-based passenger rail service provider with the reputation of carrying more than 30 million passengers for each of the past five years, has gone about embracing 3D Secure, we spoke to Amtrak’s Payment Security Manager, Rick Ziolkowski. He was joined by CardinalCommerce’s VP, Consumer Authentication, Michael Roche for a detailed insight into the journey and experience of handling 3D Secure.

Ai: Can you share the experience of deploying 3-D Secure? What did you discover and learn, and how did you end up having the desired control over the situation?

Rick Ziolkowski: The one thing I learned to appreciate about 3D Secure is that it is unlike other payment fraud prevention solutions. Its code is embedded in the authorization message all the way through settlement. The process transits across multiple parties and servers. It’s imperative to have a vendor with deep experience in overseeing the development, troubleshooting and monitoring of the service and as an advocate between various third parties.

Michael Roche: The data elements retrieved from the authentication are sent across the networks to the Issuer. This allows Issuers to adjust their authorization risk settings and tie the authorization to the authentication. Issuers who have deployed a Risk Based Authentication (RIBA) system will challenge transactions that seem suspect. This allows them to flush out fraudsters and avoid false-positive declines. What this means is that before authorization they can identify risk. Based on the risk level they are then able to challenge the consumer with knowledge based questions or one-time pin numbers sent via SMS.

Fraud isn’t the biggest problem online. Just ask yourself, how many times has your card been stolen to make online purchases? Now, compare that to the times your card was declined incorrectly and maybe even locked while trying to buy online. The fraud problem is causing the false positive problem at astronomical levels. Merchants, Acquirers and Issuers decline far more good transactions than bad. The end-to-end interoperability of 3D Secure eliminates the speculation once associated with CNP commerce.

No industry is affected more by false-positives than the travel industry. High ticket items along with the high potential for fraud result in the highest false-positive averages online. Amtrak was able to lean on this newfound component of the 3D Secure protocols to not only cut fraud but also increase sales. There’s a way to do this, but you need to have the right tools. You can't just go to market with a vanilla 3-D Secure MPI provider and expect it to work.

Ai: So can you talk about Amtrak’s approach?

Rick Ziolkowski: Amtrak took a cautious, slow approach to 3-D Secure deployment due to wide industry perception of negative customer impact. Unlike most fraud service solutions that focus on risk, we focused primarily on the customer impact as our deployment model.

We used the BIN behavior model from CardinalCommerce to identify those issuers who would never challenge (roughly 30% of volume). We expanded to risk-based authentication issuers who rarely challenge (increasing to around 60%). The results were so compelling that we eventually phased in 100% processing after our first year.

Michael Roche: Amtrak was an early adopter of our Cardinal Consumer Authentication (CCA) Services+ system. With a phased approach we slowly introduced Cardinal Consumer Authentication (CCA) and the 3-D Secure protocols to their consumer base. Using advanced analytics we were able to hone in on the optional rule sets which would result in the best possible consumer experience, highest levels of liability shift, and the maximum net/net increase in sales. That increase in sales was a result of increased authorizations at the issuers and fewer declines within their internal risk systems.

We recently hit our goal of complete roll out.

Unfortunately even many of our travel clients are going at a much slower pace because of infrastructure problems within the legacy travel booking systems.

Rick Ziolkowski: The key to full 3D Secure optimization and effectiveness is to take advantage of the liability shift rule and to front load 3D Secure into your risk model.

Michael Roche: Correct. There are vanilla 3D Secure MPI providers out there; they promote a RIBA approach at the merchant. This means they advise their merchants only to send through high-risk traffic they flag to the 3D Secure networks. RIBA is a useful approach with issuers but an ineffective approach with merchants.

Our Cardinal Consumer Authentication (CCA) product runs on a Rules Based Authentication (Merchants) backbone where merchants only send us all their traffic before any fraud screening has been done. We then take each transaction and compare it to a predetermined rule set created by the merchant based on the issuer and what authentication approach is being used.

There is still a massive problem globally with many issuers who have not implemented the RIBA approach being pressured from the networks. Our solution eliminates these from the merchant domain. In essence, what many vanilla MPI providers are doing is only reducing the historical problems with the 3D Secure protocols to a smaller set of high-risk transactions. This is evident in their numbers as their travel merchants get less and less benefit and are sending fewer transactions to the networks.

Our merchants “front-end” load 3D Secure and use its result within their risk engines, to create superior risk assessment because we can ascertain the risk level from a RIBA issuer. This yields the highest amount of benefits minus the historical problems associated with cart abandonment that has plagued the protocols courtesy of less advanced issuers.

Ai: What would you like to highlight in terms of performance metrics with 3D Secure?  

Rick Ziolkowski: Traditional fraud prevention solutions are evaluated on a balance between fraud reduction, at the cost of customer friction (also known as the insult rate). The fraud department was in a constant battle with the sales department over finding the right balance to the company’s risk tolerance. The more that the fraud solution expanded into overall sales volume, the more that valid customer insults would typically occur.

That all changed in 2012 when the card brands provided full liability protection on fraud chargebacks for successful 3D Secure transactions. As a result, the fraud prevention rate became a known constant at 100%. This allowed us to focus solely on the customer friction area and control this tolerance level.

CardinalCommerce has developed a BIN behavior profile on how issuers react to 3D Secure transactions. They have developed several behavior ranges from “never challenge, no friction” to “new activation, high friction”. Amtrak deployed its 3D Secure service in a phased approach from lowest to highest customer friction.

A key tool to our success was the development of a fraud rule bypass when we received full 3DS authentication. Taking advantage of the full fraud liability protection, we simply ignored all legacy fraud rules. The result was a 99.85% acceptance rate, significantly better than the airline industry 96.3% acceptance rate.

And the fraud prevention results? We are now below one basis point of fraud to sales when using 3D Secure. 

Michael Roche: Essentially Amtrak outsources their fraud screening to issuers and by doing so, they get full liability shift from fraud, higher authorization levels with that issuer, and a superior data set that allows them to reduce the friction they expose to the consumer. All of this results in eliminating the massive false-positive problem. In the US especially there are several antiquated friction-inducing fraud tools like AVS and CVV2 checks. For certain traffic, merchants remove these checks and lean on issuers to screen the transactions. Amtrak did this, and their fraud rates didn't increase, they went down even further. Far below any other travel merchant globally.

Ai: How did Amtrak choose to deploy 3D Secure differently?

Rick Ziolkowski: Front loading 3D Secure into the risk model and creating a fraud rule bypass were the two critical elements of our success. Using the BIN behavior model also allowed us to carefully manage and evaluate the program’s deployment cycle. Additionally, we developed some customized Key Performance Indicators (KPI) reporting to provide more detail into both the chargeback and the customer impact areas.

Ai: So why are many merchants not seeing a certain level of success?

Rick Ziolkowski: Merchants need to recognize that 3D Secure is unlike any other fraud prevention tool in the merchant’s arsenal. They need to fully take advantage of the 100% fraud liability shift and front load it into their overall fraud risk modeling ecosystem. There is no need to apply any additional friction to a fully authenticated 3DS transaction. The benefits realized are a low cost, streamlined and low maintenance process for merchants. Legacy rules and their costs can be greatly reduced or eliminated, adding further value to 3D Secure. Challenge units, analysts and risk model areas can have staff migrate to other areas of fraud prevention.

Merchants also need to ensure that their KPI accurately reflects only 3D Secure service results. There is opportunity for KPI results to become cross pollinated with other fraud screening tools or rules, especially if the service is only being utilized based on risk rules. We take great care to ensure that all risk rules are evaluated independently via A/B testing and detailed reporting.

Ai: How can 3D Secure be applied only to high-risk transactions, based on data customized to the airline?

Rick Ziolkowski: The traditional fraud risk management model was to apply various fraud rules and solutions from the highest risk transactions down to a level of acceptable risk tolerance versus customer friction. These would generally be applied in a waterfall/cascading design from the most effective solutions downward. The assumption being that what might have been missed by the first pass would be detected in preceding ones. At some point, you reach a point of diminishing return in which the rule is less effective and more harmful to card acceptance. 3D Secure turns that traditional concept on its head. Due to the 100% liability shift for merchants, there is no need to incorporate other fraud prevention tools or rules. Also, the expanded customer data provided to issuers during authentication makes many of these legacy tools redundant.

I want to emphasize that if a merchant is only applying 3D Secure to high risk transactions, or applying after other fraud screening tools, they will not see the full benefit of reducing customer impact. In turn, they will never achieve full optimization of 3D Secure because their legacy model will be holding it back from reducing customer friction.

Ai: It is said that 3D Secure is not a complete fraud management program. Your comments on this?

Rick Ziolkowski: Although an e-commerce merchant using a fully optimized 3D Secure will see industry-leading results on both fraud reduction and card acceptance, there is still the need for robust monitoring, detection and prevention. Merchants should always look at fraud risk in a holistic, enterprise-wide view. Criminals will always exploit the weakest link. Where 3D Secure protects transaction fraud and should be considered a cornerstone of any payment security program, a merchant still needs to focus on other aspects of revenue abuse such as refunds, loyalty rewards, coupons, gift certificates, etc.

Learn more about the latest developments in the arena of digital payments at the upcoming 10th Annual Airline & Travel Payments Summit, scheduled to take place in Barcelona, Spain (26-27 April, 2016).
