The new European payment regulation is now fully enforced following the United Kingdom’s March 14 deadline. We talked with Alessandro Bocca, CEO of Axerve, about the long and often arduous PSD2 journey. Axerve is a leading Italy-based payment hub. Its platform processes more than 4 million requests every month and orchestrates payments worldwide.


As a payment orchestration platform, you have a 360° view of the payment ecosystem. What were the most significant challenges you observed once PSD2 came into force?

Starting in 2019 and throughout the following year, we struggled somewhat. The ecosystem really wasn’t ready, at least in Italy. With Strong Customer Authentication (SCA) requirements, the payment process has become increasingly complex in terms of flow and the number of players involved. We needed to take into account many different types of transactions. All use cases were clearly defined in the Regulatory Technical Standards (RTS) and schemes’ specifications, so we had to make sure in advance that we could meet and manage all of them.

We saw a high level of compliance among our merchants, with most of them able to handle two-factor authentication. But we understood that the system wasn’t ready mainly because Italian issuers couldn’t support frictionless payments. In comparison, the British payments industry had a much higher level of maturity and was able to deliver on frictionless authentication. But when you can’t perform this kind of authentication, a 40% drop-off rate is to be expected. And this is exactly what happened!


Which actions did you take to mitigate this abandonment rate and support your merchants?

When the Bank of Italy and other central banks decided there should be a grace period to allow the ecosystem to better prepare, we jumped at the opportunity to ramp up our merchants. Once a week, we would meet with all the players to review the data and seek ways to optimize performance.

Those were three complicated months, but things started to improve once issuers reached 20% of frictionless payments – at least for low-value transactions. Because when you have issuers like in the UK, who can provide a frictionless flow for 60% of transactions, you get a 90% conversion rate. But if you barely reach 6%, as was the case in Italy in the beginning, then you end up with 50% to 60% of lost orders.

We looked at these metrics because it was important for us to be able to explain the reality of the situation to our merchants. When you lose 30% of your orders, it’s concerning, but when you see that the entire system is experiencing a 30-40% drop, then you understand it’s a wider issue. And when you see that adopting exemptions leads to higher conversions, it’s easy to grasp the situation. Showing them the data was the best way to convince them. With data, everything is easier – but you know that better than we.

Aside from the drop-off rate, what were your merchants’ most pressing issues, and how did you help solve them?

Very few merchants had a complete view of the entire payment process, so most weren’t even aware of the issues or where the challenges lay. We began reviewing all the transactions and conducted tests with numerous issuers to pinpoint the blockers.

We also wanted to understand where we could be in terms of fraud rate, because looking at the RTS and the technical requirements, there were some gray areas as to how to calculate it. Yet, being able to determine the fraud rate is a must for requesting exemptions. Finally, we worked closely with the Banking Authority to make sure we were counting the right number of transactions and the right value.

Based on all of that, we were able to activate our full Transaction Risk Analysis (TRA) feature by the end of April – a feature built with Riskified. In our view, that was key for the following months. Because for the acquirer and the issuer, TRA really is what performs the best in terms of authorization rate. And at the moment, we hardly apply the low-value exemption and prefer to review every transaction to make sure it isn’t fraud, no matter the amount.

Can you give us some examples of technical issues with the authentication flow that impacted the customer experience?

The authentication providers that issuers were working with couldn’t achieve a few-second verification process. These timeout issues prevented cardholders from completing the SCA challenge. We saw that foreign cards relying on different third parties were performing faster. If only 1 to 2 seconds are needed to redirect and perform the multifactor authentication, the transaction has a higher probability of completion. But when the process takes 10 or 20 seconds, shoppers see a white window in their browsers and nothing else. They think it doesn’t work, so they try again. But once they do that, they increase the number of users attempting to authenticate and everything collapses.

Let’s talk about the holiday season, the first one under PSD2. What was top of mind for you as you were preparing for this peak season?

First of all, I want to say that Riskified’s team did a great job setting up all our merchants that were interested in using exemptions. We didn’t have to concern ourselves with risk models and arrived at the holiday season prepared. We could focus on performance, making sure transactions were properly routed and that the system was set accordingly. And we didn’t have to be worried about over-declining.

That’s why I’m a big fan of Riskified’s solution because it allows us to focus on managing payments. We don’t need to dedicate internal resources and capabilities to work on fraud prevention or review patterns. Instead, we prefer to have good allies in order to be able to focus on what is crucial for us.

Since we’re talking about our relationship, can you take me back to the day when you understood that Riskified could help on the PSD2 front and what happened to trigger that need?

Back in 2016, when we began our collaboration, I understood that Riskified was the right partner because of your chargeback guarantee model. We believed this would be key in the coming years.

I may look young, but I was there in 2008! At that time, there was a big shift in card-present transactions from chip and signature to chip and PIN. This added level of security pushed fraud online, so the schemes wanted to mandate the adoption of 3DS. We knew that it would cause a drop in conversions and fought against it. Fortunately, it wasn’t adopted then, but the same is happening now: when introducing another step in the checkout process, it leads to lost orders.

But what we also know today is that leveraging exemptions and TRA lifts conversions. However, you need to provide a guarantee for this to work because merchants that adopt exemptions become liable for chargebacks. So for us, Riskified was a good way to add value by first, making the decision to exempt the transaction; and second, by guaranteeing it. Before SCA, we leveraged our partnership to provide fraud analysis with the chargeback guarantee. Now, it also helps make a decision that can increase conversions. If we see that over 90% of orders under Riskified’s TRA enable an exemption, we kept the promise to our merchants.

How did things go during the high-volume holiday season? Can you tell us what your day-to-day operations looked like?

When an authentication involves different providers, it can be a challenge. As we’re connected to different acquirers and third parties, we need to ensure that everything is managed correctly based on the cardholder, merchant, payment provider, authentication method, etc., including messages when a transaction is forwarded to another acquirer. This orchestration model requires a lot of focus and consistency along the entire flow.

Another priority was to provide metrics on performance. When we see that a cross-authentication flow performs worse than direct authentication or that a specific provider converts better than another, we can advise our merchants on where to send their transactions.

In other words, you’re making sure your merchants can have an actual multi-PSP strategy and don’t suffer any limitations. From a technical perspective, you’re ensuring that everything is on the highest, most optimized level?

With PSD1 and now with PSD2, competition in the payment industry is driving excellence. And we view as crucial the ability to orchestrate between the best performing acquirers, payment providers, payment methods, and fraud prevention tools.

Now more than ever, strong authentication, fraud prevention, and transactions are strictly connected. It’s not something that you can add on top or at the end of the payment flow, it’s a fundamental part. It determines if you’ll convert, convert a lot, or not convert at all. Because reviewing transactions effectively means low fraud, low chargebacks, and high thresholds for exemptions. And again, having a partner like Riskified or another TRA provider makes all the difference: it allows us to execute the strategy and not just put it on paper.

What can you tell us about the average loss in conversion rate that you observed?

These days, when a transaction requires SCA, it performs at a 60% to 70% success rate on average, including mobile orders. Even if we look at the biggest eCommerce platforms in the world that share their data with the schemes, this is what we’re seeing. So this is a benchmark. If we want to be better than the benchmark, we need to maximize the use of exemptions. That’s the only way. It means low-value or TRA.

We see that TRA leads to more than 90% conversions in the authorization process. So I would say that at the moment, conducting TRA effectively, including issuer TRA, drives conversions because it doesn’t add friction for the customer.

Do you think merchants have learned valuable lessons after this peak season?

Thanks to the schemes, we were able to show our merchants what was going on in the European market. It helped them understand the situation. For instance, once you show them the number of declined transactions due to improperly set payment flows, or that 20% of customers failed to complete an authentication challenge, they realize the value of a smart solution.

We provide exemptions up to €500, the maximum level. You need to have a very low chargeback rate and rely on a high-performing fraud tool to achieve this. For some merchants, such as luxury brands, exemptions up to €250 may not be enough if they weigh the cost against the conversion rate. But when you go up to €500, then it’s a different story, the ROI goes in a different direction.

We achieved higher revenue this season compared to the 2020 holiday season. Under the full implementation of SCA, revenues were higher because our merchants recognized the value of investing in a solution that can assess whether an exemption is possible and also guarantee the transaction. That was the valuable lesson learned.

PSD2 aims at making online transactions safer. Would you say that 3DS is successful at fulfilling its purpose?

The regulator’s goal was to say that the ability to review transactions and the security of the system cannot only depend on the goodwill of the players. Many were doing a good job at reviewing transactions, but we needed to set a minimum level of security. A minimum level of security means two-factor authentication. If you’re not able to do anything better or smarter, then you have to adopt this tool.

It forced the best fraud prevention solutions, PSPs, and others to evolve and find ways to leverage exemptions. This is why they exist! Do you want higher conversions, a better service? Then you need to be very good at it. Otherwise, the regulator will monitor your fraud rate, and if it’s not that good, they’ll know. I think that we haven’t reached the goal yet but we’re on the right path: setting a minimum level of security, providing excellent players with the possibility to work around it, and keeping the system safer.

At Riskified, we know that fraudsters find ways to bypass 3DS. We’re monitoring and collecting information about the post-3DS chargeback rate. What behaviors are you seeing?

Yes, there is fraud after 3DS. The TC40 and SAFE reports support this. Generated by the schemes, they present the acquirer with the transactions that the issuer has considered fraudulent, and we do see some post-SCA. So it’s not entirely fraud-free. But it’s important to say that it’s a good way to prevent fraud for merchants who don’t have any other solution.

SCA does ensure a minimum level of security, but with the low conversion rate that can be expected. So for merchants with a good fraud prevention system and a provider that allows them to benefit from exemptions, I advise using them as much as possible. Otherwise, you’re just losing a lot of money.

With 3DS 2.2, issuers rely on risk-based authentication to ensure a frictionless flow. But it seems only a small percentage of transactions actually undergo this type of flow and merchants still see a 40% drop-off rate, or 45% failures. Do you think that this will change?

For now, we have specific thresholds that don’t work for certain merchants or industries because they exceed them. But I think this will change with delegated SCA. For them, the only solution is to be able to perform the authentication themselves. Like with an Apple Pay transaction, where the wallet provider conducts the authentication, not the issuer.

3DS 2.2 is the first step to getting there. The cooperation between players certified for managing schemes’ tokens, like Axerve, is the next step. Tokens are the first requirement for SCA delegation. Providers and fraud prevention solutions working together to assess the most effective two-factor authentication – whether username and password, voice, or other elements – would be the final step to ensure both security and conversions.

Would you say that overall, the ecosystem is now ready to handle big volumes of orders under PSD2 without negative consequences? And since we’re talking about next steps, what do you think should be done from this point on?

If we count the overall number of transactions in Italy, more than 96% are below €250. So if we’re able to exempt most transactions up to €250, I’d say we’re ready. But again, the players who can’t match the thresholds are forced to apply SCA. So it’s a good way to see who’s performing well and who isn’t.

In other words, it’s a natural selection! How did your merchants’ opinion on exemption strategies evolve during this past year?

First, merchants understood that exemptions are key. For those who sell goods that require merchant-initiated transactions, or other recurring transactions with fixed or variable amounts, we see that now they want more: they want schemes’ tokens.

If you compound the logic of exemptions with the logic of multiple providers, the effect is exponential. As an Italian acquirer, I may be able to convert 90% with authorization. But if I manage transactions in the UK and have an acquirer there that performs at 95%, then by combining my ability to review transactions, my services in terms of schemes’ tokens, plus a local provider, I can achieve an additional 2%, 3%, or 5% in conversions.

It’s an incremental optimization: it starts with exemptions, continues with streamlining SCA even for mobile and different user interfaces, up to the end of the value chain.

Do you think regulations like PSD2 accelerated the ecosystem’s digital transformation rather than inhibiting it? And what about the banks?

It all depends on how you approach it. If you view a regulation as just a compliance issue, you’re in trouble. But if you strive to understand the regulators’ goals, how they’re trying to benefit the consumers and the ecosystem, then in my view, it’s usually an opportunity. What happened with SCA and digital identity is a clear demonstration: A whole new market was created with account aggregation or payment initiation.

For banks, however, it remains challenging. They can either decide to evolve or let new players take business away from them. Simply being compliant while doing business as usual is probably not going to be enough. Akin to the airline industry or the tech sector in the 90s, banks won’t be able to generate revenue from their current activities. They will have to find new ways because everything else will be a commodity – yet many are rising to this challenge.

The technology required to deliver digital identity exists today. Who do you think will lead the charge in establishing a functional cross-border digital identity platform?

Good question! If we’re talking about open banking and the access to accounts, we’re now seeing two approaches: on one hand, pure enablers for all business cases who just provide access and then the product is up to you; and on the other hand, players that provide a full end-to-end service, not only the connection but also the output and the outcome. So the market is growing, with providers that work at different levels. In my view, open banking actors will play a key role in the adoption of digital identity, at least by creating solutions for companies interested in providing this digital identity platform or related services, such as Buy Now Pay Later (BNPL).

Based on your experience and the market feedback, what would be your key takeaways and recommendations today?

When it comes to global payment acceptance solutions, competition is already here in my industry. The players are big, they are good, and they can cover many countries and many regions. What’s still missing is sharing these benefits with the merchants, for them to be able to embrace this excellence that competition drives. Often a merchant is willing to adopt a certain provider but can’t due to effort allocation. So I see facilitating access to this network of excellence as the next trend and Axerve will be at the forefront.