How Transaction Risk Analysis Can Decrease Friction & Elevate Your ROI
The EU’s revised Payment Services Directive (PSD2) was intended to improve payment security and streamline the payment experience for merchants and consumers.
PSD2 compliance does have an impact on criminal fraud. Does that mean it really pays off in the end, though? Well, as we explained in our main article on the topic, the answer is both “yes” and “no.”
The strong customer authorization guidelines built into the PSD2 mainframe are a necessary measure in many respects. However, they also lead to increased friction and a higher overall rate of false declines for many merchants.
The upshot is that SCA requirements don’t apply to every transaction. There are a number of exceptions that may apply, which is where transaction risk analysis comes into play.
Recommended reading
- Verified by Visa: How Much Protection Does It Really Offer?
- The Top 10 Fraud Detection Tools You Need to Have in 2024
- ECI Indicators: How to Understand 3DS Response Codes
- Proxy Piercing: How Merchants Can Use it to Prevent Fraud
- Card Verification Values: What Are CVVs & How Do They Work?
- Payment Authentication: How to Verify Buyers Before a Sale
What is Transaction Risk Analysis (TRA)?
- Transaction Risk Analysis
Transaction risk analysis, or TRA, is the process of analyzing issuer, acquirer, and merchant risk scores (and other factors) concerning location, time, spending habits, and other behavioral patterns. If a transaction relays any information outside of the historical norm for these factors, an alert system will be triggered, and further authentication will be required.
[noun]/tran • zak • SHən • risk • ə • nal • ə • səs/We outlined a full list of SCA exemptions in our main article on the topic. In effect, any transaction for which one of these exemptions doesn't apply needs to be subject to strong customer authentication standards.
Using transaction risk analysis (TRA) counts as an exemption. If TRA is deployed, you’re allowed to bypass higher-friction security mechanisms like 3-D Secure. These checks are required under SCA, but can be exempted if TRA shows that the transaction poses little fraud risk.
With TRA, a set of “up-or-down” fraud screening practices are deployed during the transaction process. Based on how the transaction goes, it may be marked as “low risk.” Then, if a transaction is marked “low risk,” an exemption may be requested by the acquirer or payment processor on behalf of the merchant in order to exempt that transaction from SCA.
Can Merchants Deploy TRA?
No. At least, not on their own.
Transaction risk analysis exemptions are applied at the banking level. Whether TRA is allowed to be used is based on the overall transaction amount and the acquirer’s fraud rate, not the merchant's. In other words, merchants need to work with banks that can deploy TRA.
| Issuer/Merchant Fraud Rate | Transaction Exemption Amount |
| Fraud rate below 0.13% | €0–€100 transactions are eligible for SCA exemption |
| Fraud rate below 0.06% | €0–€250 are eligible for SCA exemption |
| Fraud rate below 0.01% | €0–€500 transactions are eligible for SCA exemption |
Acquirers must be able to prove that they conduct regular fraud audits concerning users and transactional data and maintain the ability to report irregularities in real-time. Acquirers are to report their overall fraud scores on a quarterly basis and adhere to regulation standards laid out in the PSD2 guidelines.
Merchants can request transaction risk analysis exemptions for transactions deemed “low risk” by the banks involved. Of course, they would need some internal mechanism to sort these lower-risk transactions from the higher-risk denials. That’s where merchant practices become a factor.
What Qualifies as Transaction Risk Analysis & How Do TRA Exemptions Work?
Remember: only transactions that are both valued at less than €500 and which register as “low risk” in real-time analysis can be exempted (given issuer approval).
The point of all of this is to weed out transactions that are at high risk for fraud in favor of safer, lower-risk transactions. To accomplish this, banks use software to analyze key indicators collected by the merchant during the transaction process. These include:
These are just a few examples of potential fraud red flags. If any of these are tripped during the authentication process, TRA exemptions should not be requested or granted by your acquiring bank.
Effect of Transaction Risk Analysis on Conversion: Does it Actually Help?
Deploying transaction risk analysis can have a profound impact on your conversion rate.
False declines are a very real side effect of PSD2 and SCA regulations. For instance, if a customer doesn’t remember their 3-D Secure passcode, they may be unable to complete a purchase. These false declines can be a serious headache, and cause around 20% of failed transactions. Then, there’s the added checkout friction.
Adding that 2-factor authentication step required by SCA introduces more friction for consumers. This inevitably leads to higher rates of cart abandonment.
According to the Merchant Risk Council, the average online store rejects 2.6% of all transactions under the claim they might be fraudulent. Also, the higher the price, the higher the decline rate; merchants decline around 3.1% of orders over $100.
Thankfully, TRA can help resolve these issues.
Mastercard reports a marked correlation between frictionless transactions and conversion rates. The company explains that TRA exemptions could help reduce industry reliance on touchy 3DS authentication responses. TRA reduces authorization processing costs and optimizes existing payment flows.
TRA is a great asset. However, it’s only useful if both the merchant and their acquiring bank have effective fraud prevention systems in place. This means looking at the matter holistically, and taking chargebacks into account.
eCommerce merchants can speed up the exemption process by deploying automated exemption engine software. These programs are able to automatically sort lower-risk transactions from the herd to determine their TRA exemption status.
Exemption engines, like other risk scoring systems, will analyze user profiles and transaction patterns to determine intent. If the transaction scores poorly, it will automatically be subject to SCA guidelines, and 3DS authentication will be deployed. If the transaction is lower-risk, it will automatically pass through TRA analysis.
The beauty of an exemption engine is that the system is designed to prioritize frictionless customer journeys, which limits churn and decreases cart abandonment, saving merchants time and money.
Reducing Overall Fraud Risk: 5 Best Practices
One way to help yourself with respect to transaction risk analysis is to limit your exposure to fraud, whenever and however possible. Acquirers will only grant exemptions to merchants with low fraud rates. This is why it is in your best interest to deploy the right fraud prevention tools at checkout.
The best approach is to craft a multi-layered strategy that helps you fight incoming fraud threats. Your strategy should also target illegitimate chargebacks resulting from first-party fraud.
Of course, this is easier said than done. Most merchants simply don’t know where to start with building out an effective strategy. However, you can simplify the process for yourself by adopting the following best practices:
Ultimately, effective fraud and chargeback management requires you to pay attention to incoming threats and work to resolve disputes in real-time. That’s why most merchants find a much greater ROI in outsourcing key facets of risk management.
Chargebacks911® uses proprietary tools and processes to help merchants identify fraud sources and reduce occurrences, enabling long-term chargeback reduction. Contact us today to learn more.
FAQs
What does TRA mean in payments?
A transaction risk analysis, or TRA, is the process of analyzing issuer, acquirer, and merchant risk scores (and other factors) concerning location, time, spending habits, and other behavioral patterns. If a transaction relays any information outside of the historical norm for these factors, an alert system will be triggered, and further authentication will be required.
What is a TRA exemption?
The strong customer authorization guidelines introduce friction into the checkout process, but SCA requirements don’t apply to every transaction.
If transaction risk analysis (TRA) is deployed, you’re allowed to bypass higher-friction security mechanisms like 3-D Secure. These checks are required under SCA, but can be exempted if TRA shows that the transaction poses little fraud risk.
How does Strong Customer Authentication work?
In simple terms, the rule requires an extra layer of authentication during checkout for all transactions conducted in the European Union or the United Kingdom. Limiting verification to card numbers, billing addresses, and CVV are no longer enough. Merchants must now verify the buyer’s identity according to at least two of the following three factors: knowledge, possession, or inherence.
What are the three factors used for authentication?
According to Strong Customer Authentication requirements, customer identities must be affirmed according to at least two of the following three factors: knowledge, possession, or inherence.
