Forter finds that fraud is still a problem after one year of PSD2 enforcement.
It’s been almost a year since every merchant across France, Germany, Italy and Spain — the EEA’s largest digital commerce markets — started complying with PSD2. Here at Forter, we analysed our data to determine what merchants are doing to comply with PSD2, asking, “has it reduced fraud rates?”
Origins of PSD2 and the use of 3DS
A key driver of PSD2 regulations has been the desire to protect consumers against fraud by securing the digital payments for Card Not Present (CNP) transactions with Strong Customer Authentication (SCA) . According to the ECB’s 7th Report on Card Fraud, 80% of the value of card fraud in 2019 resulted from CNP transactions, reaching an estimated €1.50 billion in fraud losses..
SCA makes life more difficult for would-be fraudsters by introducing customer identification checks at checkout. While these checks can reduce fraud, they aren’t 100% effective. Sophisticated fraudsters can still find ways to get around two factor authentication (2FA), which is typically enabled by 3-D Secure (3DS). One way bad actors bypass 2FA is by spoofing mobile phone numbers to intercept the one-time passcodes (OTPs) needed to verify transactions.
In the same way that not all fraud is blocked by SCA, not all traffic blocked by SCA is fraud. Merchants are correct in their concern over the adoption of SCA because of the significant friction it adds to the shopping journey. This friction is clearly hurting customer conversion rates. Many legitimate customers won’t continue with a transaction if it means physically getting up to answer a 2FA request on their phone. Also, the 2FA challenge presents customers with another opportunity to rethink their purchase.
PSD2 allows many transactions to be exempted from SCA, when a merchant’s PSP has an effective risk-analysis tool in place — one that determines when certain transactions are low risk. This allows the merchant to offer their customer a frictionless checkout experience.
The method of identifying low-risk transactions is called Transaction Risk Analysis (TRA) and can be very useful when navigating SCA requirements. TRA can be used on transactions below €500 but only when the Acquirer applying the exemption has a low rate of fraud. For transactions under €100, the fraud rate should be below 13bps (in other words, fewer than 0.13% of an Acquirer’s transactions can be fraudulent). The larger the transaction value, the lower the allowed fraud rate. Even after the Acquirer flags a transaction as exempt, following TRA, the final say on whether to approve a transaction (or not) sits with the Issuer. When it comes to exemptions, having more than one PSP to route different transactions can also significantly impact your overall transaction approval rate.
Those merchants optimising their exemptions by using Transaction Risk Analysis (TRA) and multiple PSPs will be able to more effectively navigate the headwinds that PSD2 has started introducing to their business.
What does compliance look like?
The most common way for merchants to comply with the SCA requirements has been to rely on 3DS with friction for in-scope transactions. 3DS makes the customer validate their identity using: something they know (e.g., password), something they have (e.g., smartphone), or something they are (e.g., fingerprint).The two most common approaches merchants have taken to meet the SCA requirement are sending every transaction to 3DS or attempting to exempt every transaction from 3DS. Either of these strategies will produce suboptimal results.
Sending every transaction to 3DS means adding more friction to the shopping journey than necessary, inviting an increasing number of customers to abandon their purchases, and introducing the possibility of 3DS failure.
Attempting to exempt every transaction wrongly assumes that ineligible transactions will only receive a soft decline from the Issuer, allowing the Acquirer to reroute the transaction through 3DS. This is not the case, and it will increase the number of hard declines received, not just soft declines. Payment friction will lower shopping cart conversion rates and lead to an overall loss in completed transactions and revenue.
Forter is the only partner that can help merchants recover declined transactions. Forter’s Smart Payments solution recognises returning shoppers and applies 3DS to the transaction if the shopper has failed in their previous transaction. We have seen a 6-7% revenue boost in some instances from overall optimisation efforts.
3DS is a conversion killer, not an anti-fraud tool
Forter’s research shows that some merchants across France, Germany, Italy, and Spain,are losing almost 40% of their transactions where 3DS is applied. These failed and abandoned transactions will inevitably include attempted fraud that’s been stopped in its tracks, but it begs the question: how many of these transactions are legitimate?
The table below shows the 3DS abandonment rate (where the user does not comply with the 3DS challenge and abandons the transaction) and the 3DS failure rate (where the user cannot complete the challenge, which is sometimes due to technical failure). You can see that in some instances, merchants are losing 26-39% of transactions where 3DS is applied. Not every customer will try their transaction again, therefore this could represent a significant loss of revenue to merchants.
3DS Success Rate By Country
Sometimes legitimate shoppers fail the 3DS challenge because of false declines, which can happen because of human and technical errors. For example, a customer might input the wrong passcode or not receive the OTP before it expires, resulting in a false decline. One survey found that 33% of shoppers will never shop with a retailer again after experiencing a false decline. Our research revealed that merchants can lose up to 75x more revenue to false declines than they do to fraud.
The end of fraud?
PSD2 isn’t a silver bullet when it comes to fraud. When bad actors encounter barriers to one type of fraud, they will focus their attention on other fraud. Their incentive or motivation for committing fraud — their fraud pressure — will change.
We compared data from PSD2 pre-enforcement (2020) transactions to post enforcement (2021) transactions and found that alternative payment methods (APMs) such as gift cards have received 60% more fraud pressure from fraudsters year-over-year (YoY). In addition, item not received (INR) returns have seen a 30% increase in fraud pressure.
It’s clear that when one route to fraud is shut down, fraudsters will shift their focus to other vulnerabilities — which means now more than ever, merchants need to examine and protect the whole customer journey.
As fraud pressures move abroad, 3DS follows
As fraud pressures move to non-EEA countries, we are seeing the use of 3DS becoming more common across the rest of the world. Australia, Turkey, Mexico, Thailand, and Singapore have adopted, or are actively considering, SCA regimes. Even in the U.S. 3DS adoption has increased. In Q2 2021, 37% of CNP transactions in the U.S. had 3DS protection, as opposed to only 10% in Q3 2020.
One of the more attractive features of 3DS is that the liability for fraudulent chargebacks shifts from merchants to the card issuer. Chargebacks under 3DS 2.0 require two criteria to be met: (1) that the transaction was successfully authenticated, and (2) that the filed chargeback is fraud-based.
As previously mentioned, if a merchant applies 3DS to all transactions, their conversions will fall, likely resulting in lower revenue and profit. However, the merchant can use technologies, such as Smart 3DS, which applies 3DS only when necessary. Smart 3DS detects cases where 3DS is likely to result in declined authorisation and will recommend not proceeding with an exemption on those transactions. This allows merchants to create a frictionless shopping experience wherever possible.
Has PSD2 reduced fraud?
PSD2’s impact on fraud has been mixed. First, the SCA requirement adds security to CNP payments (and friction to the shopping journey), but it doesn’t prevent all forms of fraud. Second, given the high number of failed and abandoned transactions we’ve seen, merchants have undoubtedly seen scenarios where they’ve lost more money because of failed and abandoned 3DS transactions than fraud. Finally, we have seen fraud pressure move elsewhere — geographically and by vector — but not reduced substantially as a whole.
PSD2 has introduced friction, not a complete solution for fraud.