There is no doubt that COVID-19 helped to accelerate digital transformation worldwide. In the MEA region, we also witnessed a massive increase in online purchases.
Research from Ernst & Young (EY) shows that this shift in consumer behavior is particularly visible in the GCC countries, where 92% of consumers in the UAE and Saudi Arabia had changed their shopping habits, with 52% describing the change as significant (Arab News).
Buyers in the region are moving rapidly from in-store purchases to e-commerce. But the speed of change has had no effect on their demands regarding payment security in webshops; it remains the highest priority. Buyers tend to avoid online shops when they are not comfortable with their security, and this behavior directly affects merchants' income. Baymard research from 2019 identified why online buyers abandon purchases during checkout. Most of the reasons are linked to user experience, yet 17% of buyers will abandon the cart when they are not satisfied.
Merchants are therefore forced to continually upgrade their webshops and revise their purchase processes and checkout flows according to consumer feedback in order to satisfy those demands and protect their income.
Even though the revised Payment Services Directive (PSD2) is not mandated outside the EEA, banks in the MEA region are in many ways indirectly affected by some PSD2 requirements and the new business processes they bring. The Directive enabled non-banking and non-financial companies to participate in the payment process, not merely as a service front-end provider, but as a party independent of the bank (without a contract with the bank) that can initiate and carry out payment transactions on behalf of its consumers. This opens additional MEA market segments to integration with banking payments, resulting in additional transactions and revenues for MEA banks.
Since third-party payment providers are not regulated as banks and financial institutions, it was necessary to create business and technical frameworks to ensure a satisfactory security level. Under PSD2's non-discrimination policy, the Directive also affected online card payments and 3D Secure by demanding Strong Customer Authentication (SCA) for all transactions except exempted ones.
PSD2 brought an exemption policy that allows SCA to be skipped, but only under clearly defined rules. This caused a headache for many MEA banks and merchants who were not sure how to apply it to their already established business processes, especially for steps such as payment, where e-commerce merchants are not the owners and responsible parties but rely on third-party service providers. Some banks took the opportunity to widen their MEA payment market segment and enhance the end-user experience.
EMVCo, as the owner of the 3D Secure standard, has recently upgraded the standard to align with PSD2 regulations (EMV 3DS v2.1 and EMV 3DS v2.2), and this directly affected the MEA region. Card schemes established 3D Secure programs for online card payments and applied 3D Secure mandates to the MEA region as well. For instance, the main card schemes, MasterCard and VISA, issued a liability shift for MEA merchants and mandated 3D Secure for MEA issuing banks for April 2020. Full compliance requires effort on both the issuing and the acquiring side. This is the point where issuing banks come onto the stage.
In the 3D Secure process, the major part of the authentication and payment flow is orchestrated by issuing banks. The merchant controls the consumer experience in general, from entering the online shop, browsing and selecting goods and services, to the checkout. Merchants optimize the purchase flow and align it with consumers' expectations. But during the online card payment the merchant is no longer solely responsible for the UX; it lies in the hands of the issuing bank. This phase can harm the overall user experience, increase the abandonment rate, and jeopardize sales.
The most efficient way to speed up the checkout and payment process is to skip SCA and proceed with a frictionless transaction. Issuing banks are more sensitive to the risk than merchants, since it is the issuing banks who take the liability in case of fraud.
Luckily, card schemes understand the merchants' and banks' pains as well. Hence, they regularly issue announcements with technical and business procedures for issuing banks. Their purpose is to balance business processes and security requirements against merchants' business needs, so that merchants can increase their selling rate through a better user experience. Card schemes require issuers to deploy Transaction Risk Analysis and to grant SCA exemptions only when the risk is acceptably low, that is, not zero, but acceptably low.
1. By regulating the Eligible Merchants List, issuing banks directly impact the buyer's user experience at the payment phase.
Lately, the Merchant White List has become a hot topic. It lets buyers nominate a merchant for exemption from SCA, enabling one-click checkout in subsequent purchases. Even though merchants globally promote this method to their customers, the list of eligible merchants is created by issuing banks. If the issuer does not support this type of SCA exemption or does not nominate the merchant for the list, neither buyers nor merchants benefit from the exemption.
MasterCard and VISA, via their regular operational bulletins and announcements, strongly encourage issuers to nominate merchants to an eligible list, with specific processing recommendations and guidance. Additionally, in the MasterCard 2.1+ extension, MasterCard provides the issuer with a merchant fraud score, which should be considered for nomination.
For instance, the issuer can allow a merchant to be excluded from SCA if their fraud rate is:
a) lower than 13 bps for purchases of up to 100 USD,
b) lower than 6 bps for purchases of up to 250 USD,
c) lower than 3 bps for purchases of up to 500 USD.
The merchant is required to send the issuer the minimum data necessary for reliable risk scoring. Issuers should implement proper merchant risk assessment engines that nominate merchants for the eligible list. This requires rule-based risk scoring solutions, though solutions based on AI (Artificial Intelligence) technologies are preferred since they bring the most benefits. This is an additional cost for the issuer, which generally gains no direct business benefit from the MWL, yet card schemes require it. There are ACS solutions available with integrated engines for merchant assessment and flexible parameters to fit the issuer's business model and needs.
Issuers build their eligible lists very slowly, especially in the early stage of 3D Secure adoption, claiming that they do not have enough historical data acquired through the 3DS v2 message protocol. As a result, buyers cannot add merchants to the White List, and nobody benefits from the Merchant White List.
3D Secure v2.2 introduced another way of adding a merchant to the White List: the so-called merchant exemption request. It is a request generated by the merchant during authorization; by triggering it, the merchant nominates itself to the issuer for the eligible merchants' list. Again, card schemes strongly recommend that issuers accept the merchant exemption request if the merchant's fraud rate is within the acceptable ranges mentioned above.
Introducing the White List as an additional exemption from Strong Customer Authentication made the issuer's life even more complicated. Even though the issuer's security goal is to cut risk, its business goal is also to increase the number of transactions. However, updates to standards and regulations, accompanied by card schemes' announcements, often leave issuers unsure how to proceed and which decision, SCA or frictionless, is more appropriate.
One of the major doubts is how to proceed when the merchant is on the buyer's White List, but the issuer's transaction risk analysis indicates medium risk. Should the issuer step in with SCA, or remove the merchant from the White List?
Transactions using the Merchant White List (MWL) are assumed to be low risk because SCA was required to add the merchant to the MWL and the issuer considered the merchant's fraud rate before placing it on the eligible list. Also, cardholders should only add trusted merchants with whom they have made transactions before. However, the issuer should step in with SCA when the transaction monitoring required for MWL transactions finds that the transaction risk is considerable. Such risk can be identified when device data (platform, device model, device name, OS name and version, IP and Wi-Fi, MAC address, screen resolution, time zone, and cardholder shipment address) does not match the data used during the initial SCA.
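As an added example (not Asseco's or TriDES code) of how the decision rules in this section fit together: the merchant fraud-rate tiers listed above, the presumption that MWL transactions are low risk, and the device-data check that sends an MWL transaction back to SCA. The TRA outcome labels, the abbreviated device field names and the sample device records are constructed assumptions.

```python
"""Issuer-side SCA/frictionless decision for a 3D Secure transaction. Added example,
not Asseco/TriDES code; tiers are the article's, TRA labels and sample data constructed."""

# Fraud-rate tiers from the article: (max purchase in USD, max merchant fraud rate in bps).
FRAUD_RATE_TIERS = ((500, 3), (250, 6), (100, 13))

# Device attributes recorded at the SCA that whitelisted the merchant (the article's list,
# abbreviated); a later mismatch is the signal for stepping back in with SCA.
DEVICE_FIELDS = ("platform", "device_model", "os", "ip", "screen", "timezone",
                 "shipping_address")

def exemption_limit_usd(fraud_rate_bps: float) -> int:
    """Largest purchase the issuer may exempt for this merchant fraud rate (0 if none)."""
    for max_amount, max_bps in FRAUD_RATE_TIERS:   # first tier the rate stays under wins
        if fraud_rate_bps < max_bps:
            return max_amount
    return 0

def device_matches(enrolled: dict, current: dict) -> bool:
    """True only if every attribute recorded at enrolment equals the one seen now."""
    return all(enrolled.get(k) == current.get(k) for k in DEVICE_FIELDS)

def decide(amount_usd: float, merchant_fraud_bps: float, tra_risk: str,
           in_mwl: bool, enrolled_device: dict, current_device: dict) -> str:
    """Return 'FRICTIONLESS' or 'SCA'. tra_risk is the Transaction Risk Analysis
    outcome, assumed here to be 'low', 'medium' or 'high'."""
    if tra_risk == "high":
        return "SCA"  # a high-risk result overrides every exemption
    if in_mwl:
        # MWL transactions are presumed low risk, but monitoring is mandatory:
        # a medium TRA result or a device change since enrolment forces SCA.
        if tra_risk == "medium" or not device_matches(enrolled_device, current_device):
            return "SCA"
        return "FRICTIONLESS"
    # Not whitelisted: only the merchant-fraud-rate exemption can apply.
    if tra_risk == "low" and amount_usd <= exemption_limit_usd(merchant_fraud_bps):
        return "FRICTIONLESS"
    return "SCA"

# Constructed sample: device seen at the whitelisting SCA vs. a changed device.
ENROLLED = {"platform": "Android", "device_model": "Pixel 6", "os": "Android 13",
            "ip": "198.51.100.7", "screen": "1080x2400", "timezone": "Asia/Dubai",
            "shipping_address": "PO Box 1, Dubai"}
NEW_DEVICE = dict(ENROLLED, platform="Windows", device_model="PC", os="Windows 11")

if __name__ == "__main__":
    print(decide(80, 10, "low", False, {}, {}))          # FRICTIONLESS (under 13 bps, <= 100 USD)
    print(decide(300, 10, "low", False, {}, {}))         # SCA (10 bps only covers up to 100 USD)
    print(decide(300, 10, "low", True, ENROLLED, ENROLLED))    # FRICTIONLESS (whitelisted, same device)
    print(decide(300, 10, "low", True, ENROLLED, NEW_DEVICE))  # SCA (device changed since enrolment)
```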
Asseco's product portfolio (TriDES) covers all 3D Secure and PSD2 requirements aligned with card scheme programs, making online payments easy and secure. As explained in the previous sections, an optimized balance of security level and user experience is achieved when security and UX mechanisms are balanced and used together by both the issuing and the acquiring side. The TriDES package fully corresponds to the needs of MEA banks. It has recently been updated to 3D Secure v2.2, supporting the Merchant White List and the creation of the Eligible Merchant list, to simplify 3D Secure adoption for all parties involved.