Despite a sharp drop in fraud following the introduction of these security systems, fraudsters have developed new techniques and entered the field of social engineering. The aim of social engineering is to manipulate a person in order to obtain confidential information that can be used to commit another offence.
In response to these new forms of fraud, the Observatoire de la Sécurité des Moyens de Paiement (OSMP, the French observatory for the security of means of payment) issued a list of 13 recommendations in May 2023. This body, which reports to the Banque de France, drew up the recommendations for all players in the payments market. Payment service providers operating in France are now expected to implement them; they affect the customer experience and require information and alerts to be sent to consumers.
Of these, 10 are addressed directly at payment service providers.
Treezor has grouped these recommendations into several sections and summarized them below.
Section 1: Processing claims for reimbursement of fraudulent transactions
Investigation of a request for reimbursement of a fraudulent transaction must begin as soon as the request is received and be completed within 30 days at most. A refund granted to the consumer may later be followed by a recovery of the funds if further analysis justifies it, provided the recovery takes place within the same 30-day period. The customer must be informed of this possibility in advance.
If reimbursement is refused or funds are recovered, the customer must be told the reasons. Any transaction that was not subject to strong authentication must be reimbursed immediately, unless fraud on the part of the customer is proven. Recovery remains possible after further analysis.
When a customer disputes a transaction, the service provider has one working day to carry out an initial analysis and decide on the refund, based on three categories of parameters: technical parameters (origin of the transaction, terminal used, geographical location); strong authentication parameters (whether there is an earlier authenticated and uncontested transaction, and how recently the authentication method was enrolled); and contextual elements such as the alerts and information sent to the user (detailed later in this article).
Section 2: Securing operations
To make payment transactions even more secure, enrolling an e-wallet on a mobile device must always require strong authentication. Likewise, every login from a new computer or phone must trigger a strong authentication procedure.
Section 3: Binding commitment by service providers to inform their customers of fraud risks
Part of the recommendations issued by the Observatoire de la Sécurité des Moyens de Paiement requires service providers to communicate with their customers and to train them and raise their awareness of fraud risks. During the strong authentication process, end users must be shown, at every stage, the nature, amount and beneficiary of the transaction they are validating.
Users must be able to refuse the validation of a sensitive transaction at any time. Access to payment blocking must be easy, free and available around the clock. In addition, payment service providers must tell their customers whether or not they check that a beneficiary's name matches the IBAN provided.
Beyond these recommendations, a payment service provider that wishes to refuse reimbursement of an order contested on the grounds of fraud must demonstrate "gross negligence" on the part of the customer. Because case law has not yet defined this term precisely, it is essential to inform customers at every stage as soon as a transaction presents a risk of fraud, to alert them to the risk associated with the ongoing transaction, and to obtain their explicit consent, which becomes a key element of the analysis if a reimbursement is later requested.
Let's imagine a concrete situation: you're a customer of a fintech and you receive a call from someone claiming to be a customer advisor or a member of the anti-fraud department. This person tells you that your bank card has been compromised and that several purchases have been made in your name. Stressing the urgency of the situation and suggesting that further fraud is imminent, the caller tries to unsettle you. Without realizing it, you are the victim of a scam: in the minutes that follow, the fraudster will urge you to validate transactions that empty your account. Earlier, another fraudster may have used social engineering by e-mail, SMS or phone to obtain confidential information from you, or a fake advisor may have exploited urgency and fear to get you to click on a fraudulent link. These scenarios underline the importance of remaining vigilant in the face of attempted scams, and of raising customer awareness of the associated risks.
Anticipating rather than curing: the importance of raising awareness
Malicious actors have integrated Strong Customer Authentication (SCA) into their strategies. The challenge is to reach users at the very moment they are most vulnerable to fraud. Fraudsters are now familiar with most of the warning messages issued by banks and come prepared with persuasive arguments to counter objections. It is up to institutions to be innovative and generate relevant alerts, such as: "Only a fraudster would ask you to validate a transaction you didn't initiate... and would assure you that this alert message means nothing." This approach aims to educate users about the tactics fraudsters use and to reinforce their vigilance against such scam attempts.
There are two ways of dealing with these attempts: alerting and blocking.
Users can be alerted via pop-ups, in-app messages, e-mails or, failing that, SMS messages. They must be informed clearly and precisely about the operation they are about to validate, so that they recognize when a request is incoherent or even dangerous. Once an operation has been carried out, it must be confirmed over a second channel, such as e-mail or SMS, so that a user notices any operation he or she did not initiate.
The second way is to give the user the option of blocking the account or cancelling the ongoing transaction, without going through customer support. Fraudsters often strike outside support opening hours, counting on the delay between a fraudulent transaction being carried out and the institution acting to recover the funds. Self-service blocking lets the user stop the first operation and protects against any subsequent attempts if the fraudster has already obtained the ability to initiate operations.
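To make the validation flow from Section 3 and the alert-and-block approach above concrete, here is an added example (not code from Treezor or the OSMP) of a minimal SCA validation step: the prompt states the nature, amount and beneficiary of the operation; contextual warnings are attached when the request looks incoherent (unknown device, new beneficiary, request outside support hours, a recent refusal); the user can refuse or self-block at any time; and an executed operation is confirmed over a second channel. The account, device and beneficiary data, the risk signals, the support hours and the function names are all constructed assumptions for illustration, not OSMP requirements.

```python
"""Added example: a minimal SCA validation flow with contextual alerts,
user refusal, self-service blocking and second-channel confirmation.
All names, risk signals and thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime

SUPPORT_HOURS = range(9, 18)  # assumption: support desk staffed 09:00-17:59, Mon-Fri


@dataclass
class Account:
    known_devices: set
    known_beneficiaries: set
    blocked: bool = False
    refusals_last_hour: int = 0                          # assumption: kept by the caller
    notifications: list = field(default_factory=list)   # (channel, text) sent out of band


@dataclass
class Challenge:
    nature: str
    amount: float
    beneficiary: str
    device_id: str
    created_at: datetime
    alerts: list = field(default_factory=list)
    status: str = "pending"


def risk_alerts(acct, nature, beneficiary, device_id, at):
    """Contextual warnings shown before the user validates anything."""
    alerts = []
    if device_id not in acct.known_devices:
        alerts.append("This device has never been used on your account.")
    if nature == "transfer" and beneficiary not in acct.known_beneficiaries:
        alerts.append("First payment to this beneficiary.")
    if at.weekday() >= 5 or at.hour not in SUPPORT_HOURS:
        alerts.append("Request made outside customer support hours.")
    if acct.refusals_last_hour:
        alerts.append("You already refused a validation in the last hour.")
    if alerts:  # the "educational" message is only useful when something is off
        alerts.append("Only a fraudster would ask you to validate a transaction "
                      "you did not initiate, and would tell you this message means nothing.")
    return alerts


def create_challenge(acct, nature, amount, beneficiary, device_id, at):
    if acct.blocked:  # a blocked account rejects every new operation outright
        raise PermissionError("account blocked: no operation can be initiated")
    ch = Challenge(nature, amount, beneficiary, device_id, at)
    ch.alerts = risk_alerts(acct, nature, beneficiary, device_id, at)
    return ch


def render_prompt(ch):
    """The prompt names exactly what is being approved (nature, amount, beneficiary)."""
    lines = [f"Confirm {ch.nature}: {ch.amount:.2f} EUR to {ch.beneficiary}"]
    lines += [f"WARNING: {a}" for a in ch.alerts]
    lines.append("Options: APPROVE / REFUSE / BLOCK")
    return "\n".join(lines)


def respond(acct, ch, choice):
    """Apply the user's choice; REFUSE and BLOCK are always available."""
    if acct.blocked or ch.status != "pending":
        ch.status = "rejected"
        return ch.status
    if choice == "BLOCK":
        acct.blocked = True
        ch.status = "rejected"
        acct.notifications.append(("email", "Your account has been blocked at your request."))
    elif choice == "REFUSE":
        ch.status = "refused"
        acct.refusals_last_hour += 1
    elif choice == "APPROVE":
        ch.status = "approved"
        # second-channel confirmation so an unnoticed operation is still seen
        acct.notifications.append(("sms", f"{ch.nature} of {ch.amount:.2f} EUR to "
                                   f"{ch.beneficiary} executed. Not you? Block your account in the app."))
    else:
        raise ValueError(f"unknown choice {choice!r}")
    return ch.status


def scenario_fraud_attempt():
    """Constructed data: a 'fake advisor' call on a Saturday evening pushes a
    transfer from a never-seen device to a new beneficiary; the user blocks."""
    acct = Account({"phone-known"}, {"Landlord"})
    ch = create_challenge(acct, "transfer", 1450.0, "Unknown Ltd", "laptop-new",
                          datetime(2024, 6, 1, 22, 30))  # Saturday 22:30
    status = respond(acct, ch, "BLOCK")
    try:  # the fraudster's next attempt is refused before any prompt is shown
        create_challenge(acct, "transfer", 900.0, "Unknown Ltd", "laptop-new",
                         datetime(2024, 6, 1, 22, 35))
        second_blocked = False
    except PermissionError:
        second_blocked = True
    return acct, ch, status, second_blocked


def scenario_legitimate():
    """Constructed data: usual device, known beneficiary, office hours."""
    acct = Account({"phone-known"}, {"Landlord"})
    ch = create_challenge(acct, "transfer", 800.0, "Landlord", "phone-known",
                          datetime(2024, 6, 3, 10, 0))  # Monday 10:00
    return acct, ch, respond(acct, ch, "APPROVE")
```

Running `scenario_fraud_attempt()` produces a prompt carrying four warnings and ends with the account blocked and an e-mail confirmation queued, while `scenario_legitimate()` yields a clean prompt, an approved transfer and an SMS confirmation. The point of the design is that the warning text is generated from the context of the request rather than being a fixed banner the fraudster can talk the victim past, and that blocking never depends on reaching customer support.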
Prevention remains the central element in fraud protection. By incorporating these recommendations and continuing to raise user awareness, the payment services industry can successfully meet the challenge of transaction security and guarantee a reliable user experience in the constantly evolving payments sector.