Online Card Not Present payment, which includes payment by credit/debit cards and digital wallets, has become the primary payment method for online shopping. But such methods are fertile ground for fraudsters, resulting in a rise in online payment fraud of 73% in 2019, according to Sift.
Buyer is King
PSD2 and Regulatory Technical Standards (RTS) requirements, which are implemented in EMV 3D Secure, are the best method for significantly reducing unauthorized payments, related fraud, and dispute costs when it comes to E-Commerce and M-Commerce online payments. But even during the early adoption of 3D Secure in the last decade, when online customers were not as demanding as they are today, buyers were not satisfied with the additional authentication steps that took place in the checkout process. Therefore, the critical point is to keep a balance between security and user experience.
All involved parties, such as regulators, card schemes, and banks, are working towards satisfying buyers while also keeping fraud risk at a minimal level. No one expects fraud to be reduced to zero. However, by staying up to date with the newest technology, the PSD2 regulation, and 3D Secure, you can create the best possible experience for your buyers with the minimum fraud risk level.
The rise in the number of smartphone users with fingerprint or even face recognition enabled has made this type of authentication simple and intuitive. Users are not even aware that they are authenticating themselves. In fact, this is strong authentication: something you have – a smartphone, and something you are – your fingerprint.
Regulators and card schemes strongly support biometrics, so banks are adopting it in their online channels to a significant degree. Therefore, for you as a merchant, there is a good chance that your customer will have a simple and intuitive authentication method at your checkout. Indeed, a merchant's checkout UX depends on the buyer's bank, which will credit your account, but the bank, like the merchant, is exposed to online fraud. On the other hand, friction caused by a "wrong" authentication method required by your buyer's bank might cause your clients to abandon checkout.
The merchant whitelist is another tool that can improve merchants' UX, but it is driven by issuing banks. According to card scheme requirements, all issuers must have their 3DS systems compliant with EMV 3DS 2.2 by 14 September 2020, and the acquirer mandate for EMV 3DS 2.2 adoption is 16 October 2020. This new version supports the merchant whitelist, which will enable your buyer to add you to their whitelist as a trusted merchant.
When it is enabled, we can expect that most buyers who favor UX will add their favorite merchants to the whitelist. But this again depends on the issuing banks: first, they have to support the merchant whitelist and, in the end, accept the buyer's suggestion to add this merchant to the whitelist. In this process, issuing banks will rely on their own risk scoring assessments, but also on the card scheme's merchant fraud rate.
What can you do as a merchant to ensure risk mitigation and to reduce friction for your buyer? PSD2 and 3D Secure give you a very powerful tool: Merchant exception.
What is Merchant Exception?
EMV 3DS 2.2 supports Merchant Exception. This means that you, as a merchant or acquiring bank, can ask the issuer to omit SCA (Strong Customer Authentication), which makes the payment faster and frictionless.
Of course, the goal is not to ask for an exception for each transaction. If you are asking for an exception and the issuer accepts it, you, as a merchant or acquirer, will be liable for potential fraud. But, according to the European Payments Council, you most likely will not be able to fight even non-fraud-related chargebacks. They anticipate that "the payer can claim full reimbursement from their PSP (Payment Service Provider) in case of payment if there was no SCA measure in place and if the payer did not act fraudulently."
Therefore, before requesting Merchant Exception in the checkout process, merchants and acquirers must evaluate the risk of that transaction. To ease this process, you can deploy the Risk Assessment Solution, which will enable you to use KYC (Know Your Customer) by building a profile of each customer based on their habits, geolocation, IP address, transaction history, etc. But, most importantly, your credentials as an online merchant will play a huge role. Card schemes analyze fraud rates for each merchant, and through 3D Secure those rates are available to issuers. When a merchant or acquirer requests a Merchant Exception, the issuer's decision is the final one. The issuer will consider your fraud rates and your credentials together with transaction details, customer data, and scored fraud risk to decide whether to grant an exception or not. There was a potential risk that issuers would not accept SCA exceptions in order to reduce fraud risk as much as possible. However, card schemes also encourage banks to allow frictionless transactions by providing their own risk scoring, which can help banks in the final decision. In addition, the VISA/MasterCard goal is to reach up to 80% of frictionless transactions.
The Asseco 3DS Server, which is a necessary component for merchants and acquirers to support the 3D Secure program, can be deployed with the Risk Scoring Engine for smart management of Merchant Exception requests: to evaluate and balance benefits of exceptions, such as increasing the Conversion Rate, versus the potential risk of fraud due to the lack of Strong Customer Authentication.