How Transaction Risk Analysis Can Decrease Friction & Elevate Your ROI
The EU’s revised Payment Services Directive (PSD2) was intended to improve payment security and streamline the payment experience for merchants and consumers.
PSD2 compliance does have an impact on criminal fraud. Does that mean it really pays off in the end, though? Well, as we explained in our main article on the topic, the answer is both “yes” and “no.”
The strong customer authorization guidelines built into the PSD2 mainframe are a necessary measure in many respects. However, they also lead to increased friction and a higher overall rate of false declines for many merchants.
The upshot is that SCA requirements don’t apply to every transaction. There are a number of exceptions that may apply, which is where transaction risk analysis comes into play.
Recommended reading
- What is 3-D Secure? Fraud Prevention Solution Explained
- What are Velocity Checks? How Do They Stop Fraud Attacks?
- ECI Indicators: How to Understand 3DS Response Codes
- What You Should Know About EMV Fraud Prevention in 2024
- Account Takeover Protection: Best Practices for Businesses
What is Transaction Risk Analysis (TRA)?
- Transaction Risk Analysis
Transaction risk analysis, or TRA, is the process of analyzing issuer, acquirer, and merchant risk scores (and other factors) concerning location, time, spending habits, and other behavioral patterns. If a transaction relays any information outside of the historical norm for these factors, an alert system will be triggered, and further authentication will be required.
[noun]/tran • zak • SHən • risk • ə • nal • ə • səs/
We outlined a full list of SCA exemptions in our main article on the topic. In effect, any transaction for which one of these exemptions doesn't apply needs to be subject to strong customer authentication standards.
Using transaction risk analysis (TRA) counts as an exemption. If TRA is deployed, you’re allowed to bypass higher-friction security mechanisms like 3-D Secure. These checks are required under SCA, but can be exempted if TRA shows that the transaction poses little fraud risk.
With TRA, a set of “up-or-down” fraud screening practices are deployed during the transaction process. Based on how the transaction goes, it may be marked as “low risk.” Then, if a transaction is marked “low risk,” an exemption may be requested by the acquirer or payment processor on behalf of the merchant in order to exempt that transaction from SCA.
Eliminate risk. Accept more orders. Get started today.
Can Merchants Deploy TRA?
No. At least, not on their own.
Transaction risk analysis exemptions are applied at the banking level. Whether TRA is allowed to be used is based on the overall transaction amount and the acquirer’s fraud rate, not the merchant's. In other words, merchants need to work with banks that can deploy TRA.
| Issuer/Merchant Fraud Rate | Transaction Exemption Amount |
| Fraud rate below 0.13% | €0–€100 transactions are eligible for SCA exemption |
| Fraud rate below 0.06% | €0–€250 are eligible for SCA exemption |
| Fraud rate below 0.01% | €0–€500 transactions are eligible for SCA exemption |
Acquirers must be able to prove that they conduct regular fraud audits concerning users and transactional data and maintain the ability to report irregularities in real-time. Acquirers are to report their overall fraud scores on a quarterly basis and adhere to regulation standards laid out in the PSD2 guidelines.
Merchants can request transaction risk analysis exemptions for transactions deemed “low risk” by the banks involved. Of course, they would need some internal mechanism to sort these lower-risk transactions from the higher-risk denials. That’s where merchant practices become a factor.
What Qualifies as Transaction Risk Analysis & How Do TRA Exemptions Work?
Remember: only transactions that are both valued at less than €500 and which register as “low risk” in real-time analysis can be exempted (given issuer approval).
The point of all of this is to weed out transactions that are at high risk for fraud in favor of safer, lower-risk transactions. To accomplish this, banks use software to analyze key indicators collected by the merchant during the transaction process. These include:
Behavioral Analysis
Advanced machine learning software will attempt to identify behavioral patterns and compare them with historical data for individual users and transactions. If a buyer’s behavior has recently changed, or is otherwise unusual, this information can be used to determine a risk value.
Device Fingerprinting
Device fingerprintinglets you track activity based on the device used in a transaction. Has the user shopped from the device in question before? If so, is there anything else about the device that doesn’t align with historical records? Each piece of data helps create a unique picture of the device in question, like the lines of a human fingerprint.
Fraud Scoring
Fraud scoringrefers to matching incoming transactions with historical fraud patterns, and generating a simple numeric score to represent relative risk. You can then decide how to proceed based on that individual’s risk score. You may even use an automated process to automatically reject risky transactions.
Location
Certain localities and regions are riskier than others. You can use tools likegeolocationandaddress verificationto validate your buyer’s location. If the transaction is being initiated by a user well outside of their known region, state, or country, the transaction could be flagged for SCA authentication.
These are just a few examples of potential fraud red flags. If any of these are tripped during the authentication process, TRA exemptions should not be requested or granted by your acquiring bank.
Effect of Transaction Risk Analysis on Conversion: Does it Actually Help?
Deploying transaction risk analysis can have a profound impact on your conversion rate.
False declines are a very real side effect of PSD2 and SCA regulations. For instance, if a customer doesn’t remember their 3-D Secure passcode, they may be unable to complete a purchase. These false declines can be a serious headache, and cause around 20% of failed transactions. Then, there’s the added checkout friction.
Adding that 2-factor authentication step required by SCA introduces more friction for consumers. This inevitably leads to higher rates of cart abandonment.
Customer authentication doesn't have to be a drag on your revenue.
According to the Merchant Risk Council, the average online store rejects 2.6% of all transactions under the claim they might be fraudulent. Also, the higher the price, the higher the decline rate; merchants decline around 3.1% of orders over $100.
Thankfully, TRA can help resolve these issues.
Mastercard reports a marked correlation between frictionless transactions and conversion rates. The company explains that TRA exemptions could help reduce industry reliance on touchy 3DS authentication responses. TRA reduces authorization processing costs and optimizes existing payment flows.
TRA is a great asset. However, it’s only useful if both the merchant and their acquiring bank have effective fraud prevention systems in place. This means looking at the matter holistically, and taking chargebacks into account.
Common QuestionWhat is an Exemption Engine?
eCommerce merchants can speed up the exemption process by deploying automated exemption engine software. These programs are able to automatically sort lower-risk transactions from the herd to determine their TRA exemption status.
Exemption engines, like other risk scoring systems, will analyze user profiles and transaction patterns to determine intent. If the transaction scores poorly, it will automatically be subject to SCA guidelines, and 3DS authentication will be deployed. If the transaction is lower-risk, it will automatically pass through TRA analysis.
The beauty of an exemption engine is that the system is designed to prioritize frictionless customer journeys, which limits churn and decreases cart abandonment, saving merchants time and money.
Reducing Overall Fraud Risk: 5 Best Practices
One way to help yourself with respect to transaction risk analysis is to limit your exposure to fraud, whenever and however possible. Acquirers will only grant exemptions to merchants with low fraud rates. This is why it is in your best interest to deploy the right fraud prevention tools at checkout.
The best approach is to craft a multi-layered strategy that helps you fight incoming fraud threats. Your strategy should also target illegitimate chargebacks resulting from first-party fraud.
Of course, this is easier said than done. Most merchants simply don’t know where to start with building out an effective strategy. However, you can simplify the process for yourself by adopting the following best practices:
Combine Fraud Tools
It’s important to recognize that fraud is not a static problem. It is constantly evolving and becoming more sophisticated every day. To get the most out of your fraud solutions (AVS, CVV, geolocation, fraud scoring, etc.), try deploying multiple tools in tandem. Fraudsters are often prepared to overcome one fraud detection source.. not multiple tools at once.
Conduct Manual Reviews
Some orders may need more in-depth screening to verify the buyer’s identity. Machine learning software and other automated fraud detection platforms lack the ability to review questionable transactions. First-party fraud, for example, often requires human oversight to identify and resolve.
Update Your Software
Outdated fraud prevention solutions may fail to intercept new threats. They may even be exploited by fraudsters and become an asset intheirarsenal, instead of yours. Keep up with all software updates and patches, and implement them as soon as possible.
Conduct Regular Audits
Regular audits of all internal operations help ensure they’re running at peak performance. This might include staying up-to-date on tech changes and ensuring employees abide by fraud prevention protocols. Ongoing training might be the key to stopping new and developing threats.
Learn to Recognize Fraud “Red Flags”
Fraudsters are too smart to leave a “smoking gun.” They are skilled at covering any evidence that would indicate a problem. That’s why you should give extra oversight to any transaction that is larger than normal, comes from an unfamiliar customer, ships to an address that can’t be verified using AVS, or raises other fraud red flags.
Ultimately, effective fraud and chargeback management requires you to pay attention to incoming threats and work to resolve disputes in real-time. That’s why most merchants find a much greater ROI in outsourcing key facets of risk management.
Chargebacks911® uses proprietary tools and processes to help merchants identify fraud sources and reduce occurrences, enabling long-term chargeback reduction. Contact us today to learn more.
FAQs
What does TRA mean in payments?
A transaction risk analysis, or TRA, is the process of analyzing issuer, acquirer, and merchant risk scores (and other factors) concerning location, time, spending habits, and other behavioral patterns. If a transaction relays any information outside of the historical norm for these factors, an alert system will be triggered, and further authentication will be required.
What is a TRA exemption?
The strong customer authorization guidelines introduce friction into the checkout process, but SCA requirements don’t apply to every transaction.
If transaction risk analysis (TRA) is deployed, you’re allowed to bypass higher-friction security mechanisms like 3-D Secure. These checks are required under SCA, but can be exempted if TRA shows that the transaction poses little fraud risk.
How does Strong Customer Authentication work?
In simple terms, the rule requires an extra layer of authentication during checkout for all transactions conducted in the European Union or the United Kingdom. Limiting verification to card numbers, billing addresses, and CVV are no longer enough. Merchants must now verify the buyer’s identity according to at least two of the following three factors: knowledge, possession, or inherence.
What are the three factors used for authentication?
According to Strong Customer Authentication requirements, customer identities must be affirmed according to at least two of the following three factors: knowledge, possession, or inherence.
