A PSD2 Refresher
In September of 2019, the European Commission put the second Payment Services Directive (PSD2) into effect. However, the lack of market readiness for Strong Customer Authentication (SCA) – to better protect online customer data and to reduce online transaction fraud – has led to the enforcement being pushed to December 31, 2020 (2021 in the UK & France).
SCA is a PSD2 requirement that applies to all online payments within the European Economic Area (EEA) – unless a relevant exclusion or exemption applies. SCA requires that businesses use two (out of three) independent authentication elements to verify payments:
- Knowledge – Something only the unique user would know (e.g. password)
- Possession – Something to which only the user has access (e.g. mobile phone)
- Inherence – Something the user “is” (e.g. fingerprint)
3-D Secure (3DS), the protocol developed by EMVCo, is currently the standard protocol for complying with PSD2’s SCA requirements. If 3DS authentication is enabled and successful, liability for fraud shifts from the merchant to the issuing bank.
Ensuring the market is ready for the new PSD2 enforcement deadline requires preparation by merchants, customers, and payment service providers, including the issuing and acquiring banks. For merchants in particular, readiness is important in order to minimize revenue loss during the transition.
Less Than 100 Days Away…Are You Prepared?
With the December 31st enforcement date quickly approaching, merchants must have their PSD2 strategy in place. The following are questions merchants need to ask before PSD2 goes live:
1. Are you going to put all of your transactions through 3DS?
Not all of your transactions should go through 3DS. Up to 30% of all 3DS transactions are lost in Europe. 3DS adds friction to the customer experience, and not every customer (or every transaction) should be subjected to 3DS authentication. Some merchants may be preparing to apply 3DS to all transactions because it gives them a liability shift. However, this translates into a massive drop in conversions, which hurts their bottom line, harms the customer experience, and reduces potential lifetime value. 3DS is still new in some jurisdictions, and the added verification steps are likely to increase cart abandonment rates. Merchants should therefore not treat all transactions equally.
2. How are you going to leverage PSD2 exclusions (when transactions are “out-of-scope”)?
To ensure that 3DS is only applied to transactions when absolutely necessary, it is recommended that merchants ensure they can detect transactions that can be excluded from PSD2. It is important to note that merchants will be liable for fraud on all excluded transactions, so merchants should have a strong fraud solution in place and consider using a provider who offers a liability shift. It is essential that merchants are able to correctly identify and flag “out-of-scope” transactions so that they may flow through the path of least possible friction to improve customer experience and capture the most potential revenue.
3. Do you have a mechanism for handling PSD2 exemptions?
Merchants should have an accurate fraud prevention solution that can apply an exemption mechanism, with a focus on Transaction Risk Analysis (TRA) exemptions, in order to avoid 3DS when possible. Merchants should aim to demonstrate to their acquirers that they are capable of making the right decision when asking for exemptions, which means keeping their fraud rates as low as possible and requesting a TRA exemption only in cases where the risk level is indeed low. This will:
- Ensure that exemptions are supported by the acquirer
- Ensure that payment authorization rates remain high
- Make sure the merchant is not left liable for the financial cost of fraud on transactions that meet exemption requirements
Without the proper exemption mechanisms in place, merchants will see more declines and more chargebacks. Acquirers will block a merchant’s ability to request exemptions if transactions that were exempted later result in chargebacks. Additionally, a merchant’s effectiveness at conducting TRA will directly affect its customers’ experience and overall conversion rates.
4. Are you able to comply with Transaction Risk Analysis (TRA) requirements to avoid SCA?
Keeping fraud rates low will allow merchants to maximize their ability to avoid SCA on eligible transactions. This means that merchants will need to have an accurate and comprehensive fraud prevention system in place to qualify for TRA. To streamline fraud prevention and ensure compliance with the six fraud screening elements required by the PSD2 regulations for TRA eligibility, merchants need to partner with a provider that is knowledgeable and proven at executing these aspects across Europe.
5. How are you going to handle failed transactions to ensure the highest conversion rates while minimizing cart abandonment and unsuccessful authentication?
When transactions are declined because an issuer or acquirer refuses the exemption request, merchants should always attempt to authenticate via 3DS and re-process the transaction. In addition, it is very important to have a decline recovery mechanism that salvages legitimate transactions and so raises approval rates. Examples of decline recovery include offering a local payment method, such as online bank transfer, which is very popular in many European countries, or referring the consumer to a call center where they can complete the payment.
Even with an excellent exemption strategy in place, it is inevitable that some transactions will be required to go through SCA. The added friction that accompanies this process means that some customers will abandon their carts and may even be less likely to return to the merchant’s site. Additionally, poor or inaccurate authentication processes can lead to lost transactions. The resulting lost revenue can be quite costly to merchants. As such, merchants should have a decline recovery strategy. Forter offers a decline recovery product which ensures that all legitimate transactions are successfully authenticated.
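The routing logic described in questions 2 through 5 (fraud screen, then exclusion check, then TRA exemption, then 3DS step-up with a retry after a refused exemption), as an added illustration that is not Forter’s code or part of the original post. The EEA list and the TRA amount/fraud-rate bands come from the RTS on SCA rather than from this page; the risk score, its thresholds and the acquirer fraud rate are assumed inputs supplied by a fraud engine.

```python
from dataclasses import dataclass
from enum import Enum

# EEA member states (EU27 plus IS, LI, NO); the UK is handled under its own regime.
EEA = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
          "PL PT RO SK SI ES SE IS LI NO".split())
# TRA bands from the RTS on SCA (Art. 18), not listed on this page:
# (max amount in EUR, ceiling on the acquirer's reference fraud rate).
TRA_BANDS = [(100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001)]

class Route(Enum):
    DECLINE = "decline: fraud engine rates the transaction high risk"
    OUT_OF_SCOPE = "out of scope: no SCA, merchant carries fraud liability"
    TRA_EXEMPTION = "request TRA exemption: no 3DS, merchant carries liability"
    THREE_DS = "3DS authentication: liability shifts to the issuer"

@dataclass
class Transaction:
    amount_eur: float
    issuer_country: str        # ISO 3166-1 alpha-2 of the card issuer
    acquirer_country: str      # ISO 3166-1 alpha-2 of the merchant's acquirer
    risk_score: float          # 0..1 from a fraud engine (assumed input)
    exemption_refused: bool = False  # set after an issuer soft-declines the exemption

def tra_allowed(amount_eur: float, acquirer_fraud_rate: float) -> bool:
    # The amount picks the band; the acquirer's fraud rate must sit under its ceiling.
    for limit, ceiling in TRA_BANDS:
        if amount_eur <= limit:
            return acquirer_fraud_rate <= ceiling
    return False  # above EUR 500 TRA is never available

def route(tx: Transaction, acquirer_fraud_rate: float,
          decline_at: float = 0.8, exempt_below: float = 0.2) -> Route:
    # 0. Fraud screen first: the merchant is liable on the excluded and exempted paths.
    if tx.risk_score >= decline_at:
        return Route.DECLINE
    # 1. Exclusion: one-leg-out (issuer or acquirer outside the EEA) is out of scope.
    if tx.issuer_country not in EEA or tx.acquirer_country not in EEA:
        return Route.OUT_OF_SCOPE
    # 2. Exemption: ask for TRA only if the band allows it, risk is low, and not yet refused.
    if (not tx.exemption_refused and tra_allowed(tx.amount_eur, acquirer_fraud_rate)
            and tx.risk_score < exempt_below):
        return Route.TRA_EXEMPTION
    # 3. Everything else steps up to 3DS.
    return Route.THREE_DS

def retry_after_soft_decline(tx: Transaction, acquirer_fraud_rate: float) -> Route:
    # Issuer refused the exemption: record it and re-route, which lands on 3DS.
    tx.exemption_refused = True
    return route(tx, acquirer_fraud_rate)
```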
6. How are you planning to monitor your performance?
Data is critical for payments. Merchants must understand how their various processors handle different requests, what their 3DS abandonment rate is, etc. Merchants also still need to track chargeback rates – merchants can still receive fines for excessive chargebacks, even if they leverage 3DS. Merchant payments teams should be tracking performance for approval rate by processor, by region, etc., and much in the same vein, should also prepare now to analyze 3DS performance as well.
Forter’s Recommendations for PSD2 Prep
While merchants prepare their businesses for PSD2 enforcement from a regulatory and compliance perspective, they must also ensure that the regulation does not hurt their business through a lower approval ratio and lost revenue. Merchants should partner with a fraud prevention provider that protects their transactions without adding friction to the process and that can help them maximize TRA exemptions. Online retailers can integrate Forter’s PSD2 Solution for Merchants, thereby streamlining these requirements and ensuring that transactions which need to undergo SCA are dynamically routed accordingly. Forter automatically evaluates the risk of each transaction and routes it through the path of least possible friction. Merchants will be able to protect their approval rates (and revenue), reduce drop-off rates, and minimize fraud, all through a single integrated platform.
Reach out to us at [email protected] for more details about how Forter’s PSD2 Solution for Merchants can help your business.
Subscribe to Forter’s fortnightly newsletter to receive updates on PSD2 insights and strategies.