Almost a month has passed since the September 14 PSD2 deadline. But as we know, a lack of market readiness has meant that the new legislation may not be enforced consistently across Europe until December 2020. In this post, I will go through some of the key steps online businesses should be taking to ensure continued eCommerce growth and control over customer experience once PSD2 is in force.

1. Don’t let PSD2 enforcement delays catch you off-guard

While many European merchants are pleased about the delay in PSD2’s enforcement, the resulting lack of alignment between banks might impact customer experience for the worse. Specifically, it could lead to friction and a spike in declined transactions. You need to take into consideration that even if you are based in a country where enforcement has been officially delayed, unless you intend to restrict sales to domestic customers only, you must keep track of PSD2’s status across European markets. It’s also important to note that issuers may choose to enforce PSD2, even if their country doesn’t.

This period of uncertainty has led to a dilemma for eCommerce merchants – they want to comply with the regulation, but don’t want to unnecessarily expose all their orders to friction by sending them to Strong Customer Authentication (SCA) if the issuer has not yet implemented it. Some merchants have adopted a strategy of experimentation – turning 3DS on for some orders and tracking the results to establish when an issuer has started enforcing the directive. While this approach has its benefits, it can, however, leave merchants open to the risk of non-compliance.

2. Take advantage of SCA exemptions

So once PSD2 is live, how can you reduce customer friction? Merchants should strive to receive as many SCA exemptions as possible. Particularly beneficial, given their wide scope, are exemptions designed for ‘low risk’ transactions between €30 and €500. 

But there’s been some conjecture regarding the use of exemptions as a means for maximising frictionless transaction risk analysis (TRA). Will acquiring banks be willing to push for them? Can fraud exemption thresholds realistically be met? Are issuers even going to grant them? Should merchants let their gateways take control of the exemption process?   

Will issuers grant exemptions and will acquirers be willing to push for them? To begin with, given that issuers are liable for chargebacks on orders that go through SCA, it seems logical that approving exemption requests will be in their best interests. Every exemption request issuers approve shifts liability away from them, and less friction for shoppers will keep their payment method ‘top of wallet’.  Acquirers also stand to gain from pushing exemptions through, as they want to capture as many transactions as possible and remain appealing to their merchants. If you haven’t done so already, speak with your acquiring banks to familiarise yourself with their intentions regarding SCA exemptions. 

Can fraud exemption thresholds be met? The regulation requires that acquirers meet certain fraud thresholds in order to request low-risk SCA exemptions. Acquirers therefore won’t want to put their fraud ratings in jeopardy. Because these rates are aggregated across merchants, maintaining very low fraud rates over the next 12 months will help your acquirers lower their rates and increase chances of obtaining exemptions once PSD2 is in force.

Should merchants let their gateway manage exemption requests? Because merchants have an established relationship with their gateways, relying on them to manage exemptions may be tempting. However, accurate fraud detection isn’t a core focus of most payment gateways. The majority also won’t assume liability for orders that are exempt, leaving merchants in a situation where they risk losing revenue to friction and/or chargebacks. 

View the Forrester Report: E-Commerce Fraud Prevention to learn insights on how merchants are seeking to optimize their PSD2 payment flows to overcome obstacles and gain a competitive advantage.

3. Adopt a holistic approach to CNP fraud prevention

The availability of exemptions is an acknowledgement of the friction that comes with SCA, and there have certainly been grim predictions regarding the potential drop-off associated with this type of authentication. But there ‘s also optimism regarding SCA’s benefits, namely that it’s multi-prong approach will prove to be an effective way to prevent online fraud.

The truth lies somewhere in the middle: SCA may yield positive results, but there are limitations to the extent to which it can ultimately prevent fraud on its own. While many merchants are putting their fraud prevention strategies “on hold”, waiting patiently to see what PSD2 will bring, fraudsters are busy finding ways around new safeguards. A brief skim of the Dark Web demonstrates just how astute they are:  

Screen Shot 2019 08 18 at 17.02.35

Fraudsters have proven themselves to be resourceful and adaptive, and with PSD2 potentially making their lives harder, they will continue to attack wherever they perceive the weakest link. One such weak point is the account login stage of the online shopping journey. An account takeover (ATO) attack occurs when credentials are stolen by a bad actor who logs into a good customer’s account, with the goal of committing CNP fraud.

Screen Shot 2019 08 18 at 17.23.08

So why could ATO attacks become more prevalent under PSD2?
Firstly, a lot of damage can be done before SCA even enters the flow at checkout – for instance fraudsters can steal the account holder’s PII (personally identifiable information).  Another example of vulnerability might also result from whitelisting. If a fraudster gains access to a customer’s account, they could purchase goods from the whitelisted merchant. It’s also important to keep in mind that one of PSD2’s aims as we head into the future is to regulate innovation in payments. A large part of this is encouraging open banking, which means more players will have the freedom and flexibility to provide payments. Non-traditional methods of payment are therefore set to become far more common over the next few years, and many of these are vulnerable to ATO attacks.    

Unfortunately, not only are ATO attacks tough to spot, they can also cause a lot of harm beyond stolen goods and chargebacks. Customers hold merchants responsible for failing to protect their online accounts  – regardless of who’s at fault, meaning that ATO attacks not only lead to backlash from upset shoppers, but have the potential to seriously impact brand reputation.

The best way to prevent ATO attacks isn’t to decline the order at checkout – it’s by blocking the fraudster’s attempt to login to the account. It’s also critical to detect bots, which fraudsters use to test credentials before a heist. Moreover, by blocking the attack at login, merchants can weed out the fraud before the order is even sent to the banks, which improves their reputation and will ultimately result in increased SCA exemptions. To learn more about how to identify and effectively prevent ATO attacks, download our comprehensive guide. 

Riskified & PSD2 Optimization

Riskified uses powerful machine-learning algorithms to recognize legitimate customers and help them complete their purchases. Our suite of products lets merchants safely approve more orders, expand internationally, and offer omnichannel flows while providing a frictionless customer experience. 

PSD2 Optimization is an integral part of this suite.  It works by conducting TRA on every single transaction. Our AI platform identifies good orders instantly and recommends these for SCA exemption, minimizing drop-off and filtering out fraudulent orders before payment authorization. Merchants can also use our risk assessment to reclaim revenue from good customers who fail SCA. Finally, because we gain issuer insights across our merchant network, Riskified is able to guide merchants through this period of uncertainty. To learn more about our PSD2 product, contact [email protected].