As merchants gear up for the Revised Payment Services Directive (PSD2), many find themselves wondering if they need a fraud prevention tool in the post-PSD2 world.
PSD2 aims to protect businesses and consumers by adding a layer of security to online transactions. To comply, businesses must add Secure Customer Authentication (SCA) and incorporate 3D-Secure (3DS) as part of the checkout process.
Because of the multi-factor authentication requirement, many merchants believe that PSD2 will eliminate fraud entirely, removing the need for a fraud vendor.
That, however, could not be further from the truth.
Fraudsters Still Exist
Online payment fraud loss is drastically increasing worldwide, particularly in Europe, and the impact of fraud is expected to double by 2023 compared to 2018. A majority of the losses are the result of card-not-present fraud.
In fact, the most recent data revealed that card-not-present fraud “accounted for 66% of the EUR 1.44 billion in fraudulent card transactions” in the European Union alone. This is problematic for eCommerce brands, particularly as the current global pandemic drastically altered consumers’ shopping habits, driving them to purchase online at rates never seen before.
While PSD2 aims to reduce fraud through multi-factor authentication and 3DS, those authentication tools are not fail-proof, certainly not in the eyes of sophisticated fraudsters. As more and more consumers turn to online shopping, attempted fraud is only expected to rise, and 3DS will not deter fraudsters.
This is because 3DS is not a fraud prevention tool.
While 3DS adds a layer of friction to the checkout process, if a criminal has access to a victim’s phone or wallet – as they often do – then they will be able to bypass 3DS with ease. If the 3DS process is frictionless, the criminals won’t have a problem at all.
As the methods of fraudsters continue to evolve, 3DS will not reduce fraud rates. If anything, it will make it harder for merchants to protect themselves from fraudsters without a dedicated fraud protection solution in place.
There is Still a Chargeback Risk
Another common misconception about 3DS is that it eliminates chargeback risk. The reality is that merchants in the European Union (EU) and European Economic Area (EEA) who must comply with the new directive will find themselves increasing their use of 3DS and, as a result, will be exposed to fraud and chargebacks that 3DS cannot prevent.
When a fraudulent transaction occurs, even if the liability falls on the bank, the bank will count the chargeback against the merchant, increasing the merchant's fraud ratio. As the fraud ratio increases, merchants may find themselves paying high fines and transaction fees, or even risk losing their merchant account.
Additionally, 3DS does not protect merchants against other types of fraud, such as policy abuse and account fraud. When consumers claim dissatisfaction with a purchase or claim that they did not receive items ordered, this will lead to a service level chargeback, and that is a chargeback merchants are liable for.
A robust fraud vendor will also offer policy abuse protection and account protection, exposing serial policy abusers, coupon abusers, and ill-behaving resellers and shippers who violate business policies.
Fraud Prevention Enables SCA Exemptions
The use of 3DS significantly increases declines and cart abandonments, impacting roughly 25% of transactions in Europe. Under PSD2, the use of 3DS is expected to rise even more, and as a result, merchants will experience higher decline and abandonment rates.
3DS failure and abandonment occur for a variety of reasons: consumers may regret their purchase over the course of the checkout process as a result of the increased friction, the consumer may not know how to complete the authentication, a technical failure (such as not getting a bank SMS) may prevent completion, and more. Even if a 3DS process is completed successfully, the transaction may still be declined at the authorization stage due to technical issues, insufficient funds, or issuers limiting their financial risk of chargeback liability.
When all transactions are processed using 3DS to comply with PSD2, not only will customers have a poor online shopping experience (reducing their brand loyalty and lifetime value to the merchant), but merchants’ profitability will also decline.
To reduce SCA’s impact and the overall friction consumers encounter, merchants can apply for an exemption. The most common type of exemption is called a Transaction Risk Analysis (TRA) exemption and requires a low fraud-risk ratio.
When requesting a TRA exemption, or even one of the other types of exemptions available under PSD2, merchants must prove that they have a low-risk ratio. Merchants who do not have a fraud vendor and rely solely on 3DS will likely see an increase in their fraud ratio, and as a result, will not be eligible for exemptions.
In addition to needing a low fraud-ratio to be granted an exemption, the liability for exemptions falls on the merchants, making it risky to request them without a fraud prevention tool in place.
Never Process Risky Transactions
Regardless of whether the chargeback liability falls on the issuer or merchant, businesses should never process risky transactions.
This is true both for transactions that go through full SCA with 3DS and for frictionless transactions that do not require 3DS at all. With PSD2 going into effect, merchants must be wary of relying on 3DS, as it was never designed to be a fraud prevention tool and will not protect merchants from fraudsters.
Those merchants that believe 3DS will deter fraudsters will find themselves suffering from increased fraud rates and chargebacks, reduced exemption approvals, and a decline in revenue generation.
On the other hand, merchants that choose to act now and find a fraud prevention vendor before PSD2 goes into effect will discover that they can grow their operations with ease, even with PSD2, without worrying about the risk of fraud.
Are you looking for a fraud protection vendor? Do you want to make sure your existing solution will protect your business under PSD2? Ask them the following questions:
- How does your solution determine when to apply 3DS and which type?
- Which points in the customer journey do you check (e.g., at the point of transaction only, or also at account opening, login, etc.)?
- How will your solution help me increase the number of exemptions under 3DS?
- Can you guarantee me a specific approval ratio?