A year ago this month, the second Payment Services Directive (PSD2) of the European Commission went into effect. Lack of market readiness for Strong Customer Authentication (SCA), however, led to enforcement being pushed to December 31, 2020 (2021 in France & the UK). This is the final stretch to prepare for implementation to minimize revenue loss during the transition.
Whether a market is ready for PSD2 enforcement depends on three actors: the payment service providers, including the issuing and acquiring banks; the merchants; and the customers. Issuing banks govern the authentication request process, and according to industry standards are considered to be prepared when they have migrated to 3D Secure 2 (3DS2). According to an Amazon study, 86% of issuers in the UK and 84% in France have migrated to 3DS2. In many other markets, however – including Sweden, Spain, Portugal, and Poland – issuers are still far behind.
Customer preparedness, in turn, is inversely related to authentication abandonment rate – the percentage of customers who, when challenged with 3DS, drop off and abandon their purchase. While 5% is considered the target abandonment rate, a Microsoft study found that the reality across Europe is 2-7X higher, from 13% in the UK and 14% in France, up to 34% in Germany and 35% in Greece.
The payments ecosystem is dependent upon the preparedness of all three actors for a smooth transition. And while trends over time indicate that both issuer and customer readiness is expected to improve, merchants must have a PSD2 strategy in place to secure their revenue. That’s why we put together this list:
The 7 Questions Merchants Should Answer Before the End of 2020
1: Are you correctly flagging ‘out-of-scope’ transactions to benefit from a frictionless flow?
Some transactions are out-of-scope of the PSD2 mandate and exempt from SCA. Rather than automatically challenging all customers, adding friction to the checkout, it is best to have a strategy in place to recognize out-of-scope orders and avoid routing them to authentication. Check that your out-of-scope transactions (such as MOTO, MIT, etc.) are correctly flagged and routed directly to authorization.
2: Are you tracking authorization response codes, and have you set out a specific operational flow for ‘soft declines’?
Soft declines happen when a merchant sends a transaction without going through authentication (3DS), but the issuer determines that it is required. These soft declines have new, unique response codes that differ from scheme to scheme (e.g. A1 for Visa, 65 for MasterCard). Following a soft decline, a merchant is allowed to send the transaction back for authentication and then resubmit it for authorization. If the merchant doesn’t recognize soft declines, they may be mistaken for hard declines (and those transactions will be lost). Make sure your systems recognize these response codes and that you have a flow set up to have them resubmitted.
3: Are you testing and monitoring the impact on your 3DS outcomes?
UK Finance reported that transactions sent to 3DS2 currently experience higher challenge rates than 3DS1. Inconsistencies in data collection have caused issuers to falsely identify these transactions as high risk for fraud. According to MasterCard, it takes 3 to 5 months to detect and fix issues with 3DS2. Therefore, it is suggested that you review how effectively you currently capture and submit the data required for 3DS2, and take the steps to resolve and monitor any issues as soon as possible.
4: Have you adjusted risk thresholds to achieve a consistently low fraud rate in order to apply for exemptions?
Merchants will benefit from their acquirers pushing for maximum SCA exemptions, as it will allow them to deliver a fast, frictionless checkout experience. For this to happen, fraud rates must be kept as low as possible. Fraud prevention is an ongoing effort, so to make sure that you are well-positioned to capitalize on exemptions once PSD2 enforcement takes full effect, the time to act is now.
5: Does your risk analysis comply with the six Transaction Risk Analysis (TRA) requirements?
In order to avoid SCA on eligible transactions, merchants must be able to conduct robust fraud screening in order to qualify for the friction-free alternative, Transaction Risk Analysis (TRA). According to PSD2, six fraud screening elements are necessary to qualify for TRA, including information about the spending and behavioral patterns of customers and their location. To conduct the fraud screening, merchants must decide whether to build an in-house solution or engage with a third party vendor, either a payment gateway or fraud prevention provider. When partnering with a vendor, it’s important to cut through the buzzwords: make sure your vendor addresses each of the six regulatory elements, and has sufficient experience analyzing CNP orders, particularly across Europe.
6: Did you engage with your acquirers to test for exemptions?
By now, forward-looking merchants have already set out their plans for a robust and holistic exemption strategy. Make sure you have mapped available exemptions. Decide with your PSP on who initiates exemptions, and test them well before the enforcement deadline. Merchants able to maximize exemptions will gain a competitive advantage.
7: Do you have a plan in place to address the drop-off due to abandonment or unsuccessful authentication?
Even with the best exemption strategy, some orders will ultimately go through SCA. As a result, some customers will drop off due to the friction or fail authentication. The potential for revenue loss is steep; merchants should have a solution in place to reclaim these orders, particularly given that many of them could be over €500.
For more information on third-party solutions, check out our PSD2 Solution Buyer’s Guide.
A market’s preparedness for PSD2 enforcement depends on the banks, the merchants, and the customers. During the transition, it is important not to lose sight of the fraudsters who are already hard at work looking for loopholes in the authentication and payment processes. The below screenshot of a dark web forum shows fraudsters discussing methods of bypassing 3DS. Others are focused on maximizing the fraudulent potential of out-of-scope transactions or even more sophisticated fraud MOs like Account Takeover (ATO). In the end, SCA may yield positive results in terms of fraud management, but there are limitations to the extent to which it can prevent fraud on its own.
Riskified’s PSD2 Optimization is the latest in our suite of AI-based products designed to provide merchants with holistic fraud prevention. To hear more about how it can help you comply with PSD2, while keeping legitimate customers moving along the path to purchase, contact us at email@example.com.