As stated by the official summary of the PSD2 directive, the main goal of the regulation is to provide a legal foundation for the further development of electronic payments within the EU. It is a comprehensive set of rules aiming to make payments within the EU simple, efficient, and secure. Motivated by offering a broader set of choices and better prices for consumers, PSD2 advocates opening up payment markets to new participants in order to create more competition, leading to greater efficiency and strengthening consumers' trust.
The directive strives to enhance the existing set of EU rules regarding electronic payments, emphasizing innovative and emerging payment services, such as internet and mobile payments. Rules stated in the directive concern security requirements, i.e., safeguarding consumers' financial data, promising secure authentication, and reducing online payment fraud rates. Transparency is another key point that PSD2 advocates in order to provide accurate and timely information about the requirements regarding payment services. PSD2 establishes the rights and obligations of the participants involved in the online payment environment, the users as well as the providers of payment services.
Several notable suggestions regarding leveling the payments playing field are pointed out, and those are the following:
The first payment services directive dates from 2007, and while it set out good practices and regulated guidance on rules regarding payment services, as of today, it is obsolete. With the rapid evolution of ''all things digital'', new e-commerce trends, authentication methods, and the overall innovative approach to payment markets, PSD was outdated and needed an upgrade. Now that we've had a brief history lesson, let's get back to our main topic.
With new regulation came new terminology, and below are the ones concerning PSD2:
AISPs (Account Information Service Providers) – Providers that can ask for permission to connect to a bank account using an API and use that bank account information in order to provide a service. Having access to such data implies a ''read-only'' approach, i.e., they can't move funds from the account.
ASPSPs (Account Servicing Payment Service Providers) – A customer's issuing bank that provides and maintains payment accounts. They publish APIs so that the customers are able to share their account data with TPPs in case they want them to initiate payments on their behalf.
PISPs (Payment Initiation Service Providers) – Authorised PISPs are able to move funds on the customer's behalf upon connecting to the bank account. An example of a practical use case is the automatic transfer of funds to a customer's savings account.
TPPs (Third-Party Providers) – Third-Party Providers are Payment Initiation Service Providers (PISPs), Account Information Service Providers (AISPs), or both.
PSUs (Payment Service Users) – Users of any of the above-mentioned service providers.
As mentioned above, PSD couldn't foresee trends in the payment industry ten years in advance, and that is why PSD2 steps in. It brings a fresh set of rules in an effort to enable modern, innovative payment services for users and provide them with the highest level of security against online payment fraud, which is constantly present. A comprehensive list of the most important payment threats published by the European Payments Council makes you think twice before entering your card data to process an online payment, and it should. Take a look.
The 2019 Payment Threats and Fraud Trends Report provides an overview of the most important threats in the payments landscape, including:
In order to combat fraud, PSD2 introduced Strong Customer Authentication (SCA). PSD2's weapon of choice protects customers by requiring them to authenticate with two out of three authentication elements, namely:
Initially, this put pressure on issuers and merchants because they were wary of the effect it would have on overall traffic: added authentication steps could potentially drive customers away from completing their purchase. But there is a cure for this disease, and it comes in the form of SCA exemptions within the scope of the SCA mandate.
SCA exemptions include various scenarios where SCA is not necessary, and the customer is not asked for an additional authentication step during the processing of a payment. SCA exemptions are the following:
There are other scenarios that are out of the scope of the SCA requirement but are not classified as SCA exemptions.
3D Secure is a protocol that enables Strong Customer Authentication and protects online payments by adding an additional layer of security. It is the main determinant for PSD2 compliance and enables both payment service providers and merchants to achieve alignment. You can get more insight on the latest version of the 3D Secure protocol in our blog post.
If you're a merchant or a PSP, the main question of the day is: Am I PSD2 compliant? If not, how do I become PSD2 compliant?
Merchants need to decide between two options. One option suggests that they pick a PSD2 compliant PSP. This relieves them from all the administrative aspects of compliance and enables them to focus on their primary business. The second option advises merchants to integrate authentication into their checkout process. This requires more effort financially and time-wise but enables them to be PSD2 compliant and in charge of the customer's checkout experience.
If you're an issuing or an account-holding institution, you should take the following steps: create APIs in order to enable transactional payment data access, provide account access to TPPs, make sure you have a Consumer Identity and Access Management solution in place, and finally implement the network and API security infrastructure.
Lastly, Third-Party Providers must take care of their PISP or AISP license, establish a trust framework with banks and financial institutions, develop secure apps including user consent and fraud monitoring, and implement a consumer IAM solution.
Although PSD2 is causing a stir in the online payments industry by demanding fast onboarding and regulatory compliance, it brings an array of new opportunities for new players in the payments environment. Increased competition most definitely increases efficiency and boosts customer trust. By introducing innovative approaches in regards to online payment security, it reduces payment card fraud, as well as opens doors for further improvement in the risk assessment department enabled by extensive data sharing. Even though PSD2 enforces strict rules and binds the participants to comply, it is done in an effort to assure more quality services that do not compromise on security.
False declines are legitimate transaction attempts that are declined because of suspected fraud. They are the so-called ''false positives'', fully valid transactions classified as invalid, and rejected by the Access Control Server (ACS).
Picture this - you're determined to purchase something online, let's say a new smartwatch. You spend some time researching all of the functionalities, as well as the best deals offered to you from various merchants. That's it! After hours, maybe even days of researching online, you are finally ready to make a purchase and treat yourself to a brand new gadget. You enter all of the required details necessary to finalize your purchase, and – your order is declined. Frustrating would be an understatement for this situation. Now let's examine the next steps. The cardholder will most likely turn to the competition or use a different credit card in order to process their order successfully. Either way, there will be a loser at the end of this story. The cardholder will keep this unpleasant situation in their mind, and chances of them using the same declined credit card or returning to the ''problematic'' merchant are slim to none.
And there it is; a missed sale, reduced revenue, and an unhappy customer - the three horsemen of false declines.
The occurrence of false declines is closely connected to the anti-fraud solution used by the merchant, issuer, or acquirer. The cardholder is usually presented with a generic message such as ''transaction refused'', which offers no additional information that explains the decline or guides the cardholder to take the next step.
Common reasons for false declines involve the following:
Also, anti-fraud solutions based on behavioral analysis might classify a transaction as fraudulent, while it is, in fact, a valid one. Let's say that the cardholder has a pattern of purchasing low-value items online, not more than 10 EUR per transaction. All of a sudden, that same cardholder decides to book an all-inclusive trip online. Regardless of sufficient funds and correct card information provided during checkout, the transaction might be blocked because the pattern is unusual, and the system flags it as suspicious or fraudulent activity.
There is a fine line when it comes to configuring the ACS solution in order to identify suspicious transactions correctly. False negatives represent transactions that are fraudulent but were granted by the system. On the other hand, we have false positives, which represent valid, honest transactions that are rejected. Configure the system ''too loosely'', you're going to end up with false negatives. Set it up ''too strictly'', you are risking a high number of false positives, i.e., false declines.
If we examine the end impact of fraudulent transactions, we need to keep in mind that the loss is not equal to the amount of the processed fraudulent transaction. It can be anywhere from 100% (gold) to 0% (digital goods) of the amount displayed in the web store. If we take sneakers as an example, the total cost of loss will be equal to the manufacturing cost, usually as low as 5% of the displayed price.
When talking about false declines, the end impact is much more significant. After receiving a notification about a rejected transaction, the cardholder is left on their own, without any guidance on the next steps. They will most likely use a different credit card or look for the same product/service in the neighbor's yard, the competition. Either way, they are leaving with an unpleasant experience with the overall service, and it is not likely that they will use the same rejected credit card or revisit the same merchant.
Riskified surveyed 5000 US-based consumers in order to find out more about their online shopping experiences and fraud. Regarding our topic, the survey discovered that almost one-third of shoppers in every segment were wrongfully rejected during a purchase, resulting in a false decline. After being rejected, 42% of shoppers abandon their cart immediately and move on to the next best thing. If we look at the big picture, that means that all acquisition costs and efforts went out the window because of a ''single'' false decline.
False positives are extremely expensive. The Global Fraud Survey published by the Merchant Risk Council states that the average online store rejects 2.6% of all transactions under the claim that they might be fraudulent. The pricing pattern says that the higher the price, the higher the percentage of declines (e.g., merchants decline around 3.1% of orders over $100).
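To make the ''too loosely'' versus ''too strictly'' trade-off concrete, here is an added example (not code from the original post or any ACS vendor) that sweeps a decline threshold over a constructed, labelled set of ACS risk scores, counts false declines and missed fraud at each setting, and prices them with the loss fractions the text gives (100% for gold, 5% for sneakers, 0% for digital goods). The scores, amounts, fraud labels and the assumption that a false decline costs the whole sale are all illustrative.

```python
from dataclasses import dataclass

# Share of the displayed price a merchant actually loses on a fraudulent order,
# per the text: 100% for gold, about 5% for sneakers, 0% for digital goods.
LOSS_FRACTION = {"gold": 1.0, "sneakers": 0.05, "digital": 0.0}


@dataclass
class ScoredTx:
    score: int       # ACS risk score, 0-100, higher is riskier
    amount: float    # displayed price in EUR
    category: str
    is_fraud: bool   # constructed ground-truth label (e.g. from later chargebacks)


# Constructed sample: six honest orders (one unusual but legitimate) and four frauds.
TXS = [
    ScoredTx(5, 120.0, "sneakers", False),
    ScoredTx(12, 20.0, "digital", False),
    ScoredTx(25, 900.0, "gold", False),
    ScoredTx(40, 150.0, "sneakers", False),
    ScoredTx(55, 60.0, "digital", False),
    ScoredTx(65, 300.0, "sneakers", False),   # honest cardholder on an unusual purchase
    ScoredTx(45, 40.0, "sneakers", True),
    ScoredTx(70, 800.0, "gold", True),
    ScoredTx(85, 200.0, "sneakers", True),
    ScoredTx(95, 1500.0, "gold", True),
]


def classify(threshold: int, txs: list) -> tuple:
    """Decline when score >= threshold; return (false positives, false negatives)."""
    fp = fn = 0
    for t in txs:
        declined = t.score >= threshold
        if declined and not t.is_fraud:
            fp += 1      # false decline: honest order rejected
        elif not declined and t.is_fraud:
            fn += 1      # fraud let through
    return fp, fn


def false_decline_rate(threshold: int, txs: list) -> float:
    """Share of honest orders declined (the figure the MRC survey reports as 2.6%)."""
    honest = [t for t in txs if not t.is_fraud]
    return classify(threshold, txs)[0] / len(honest)


def expected_cost(threshold: int, txs: list) -> float:
    """Assumed cost model: a false decline loses the whole sale (the text argues the
    real impact is larger); a missed fraud loses only LOSS_FRACTION of the price."""
    cost = 0.0
    for t in txs:
        declined = t.score >= threshold
        if declined and not t.is_fraud:
            cost += t.amount
        elif not declined and t.is_fraud:
            cost += t.amount * LOSS_FRACTION[t.category]
    return cost


def sweep(txs: list, step: int = 10) -> dict:
    """Cost of every candidate threshold from 0 (decline everything) upwards."""
    return {th: expected_cost(th, txs) for th in range(0, 101, step)}


def best_threshold(txs: list) -> int:
    costs = sweep(txs)
    return min(costs, key=costs.get)


if __name__ == "__main__":
    for th, cost in sweep(TXS).items():
        fp, fn = classify(th, TXS)
        print(f"threshold {th:3d}: false declines={fp} missed fraud={fn} cost={cost:8.2f} EUR")
    print("cheapest threshold:", best_threshold(TXS))
```

Lowering the threshold drives missed fraud to zero but declines half of the honest orders; raising it does the opposite, and the cheapest setting depends on what each kind of error actually costs.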
3D Secure 2 enables issuers to access ten times more transaction data than before, which results in more precise risk analysis and cardholder profile creation. The end result? Fewer false declines, among other benefits, of course. Both merchants and issuers are able to increase profits and keep their customers satisfied and returning to use their service.
This will cause two additional years of possible headaches for issuing banks, given that the two protocols coexist independently and demand separate infrastructures. Most Access Control Server (ACS) software providers have built a new ACS compatible with 3DS2, so issuing banks are mostly turning to two ACSs for the next two years.
Running two ACSs is not the most critical point, even though it makes additional operational costs for issuers. One card can be enrolled (in fact, it should be enrolled according to MC/VISA suggestions) on both 3DS platforms. This is necessary for supporting authentication on the merchant side in cases when the merchant has not upgraded to 3DS2. Statistics show that most non-EU merchants did not upgrade to 3DS2.
3DS2 offers a much broader set of functionalities and authentication methods (e.g., push notification, Risk-Based Authentication, frictionless authentication, Merchant Whitelist, etc.), which is the result of efforts put into providing the cardholder with the best User Experience possible. None of the mentioned features were supported in 3D Secure v1, which means that buyers might encounter a very different user experience when purchasing from different merchants (the ones which upgraded to 3DS2, and those that did not).
3D Secure solutions with a modular architecture (ACS core, Authentication Service, and Risk Scoring Service built as separate but interoperable modules) enable integration of those modules with the 3DS1 platform as well, i.e., an ACS that runs 3D Secure v1. This architecture brings two significant enhancements for buyers:
Knowing that 3DS1 was not well received by cardholders because of its poor User Experience, during the following two years of the transition period cardholders will be able to process more frictionless transactions, and thus transaction abandonment rates will be reduced.
As mentioned above, the most notable User Experience benefit of 3D Secure v2 is Risk-Based Authentication and the frictionless flow enabled by transaction risk analysis. Transaction risk assessment is based on the cardholder's transaction history and a previously created behavioral profile. In case of any deviations which are not aligned with the cardholder profile, the issuer will require Strong Customer Authentication in order to be sure of the cardholder's authenticity.
Separation of 3DS1 and 3DS2 transactions, in situations where a significant number of transactions is still in 3DS1, means that the customer profile in 3DS2 is not complete, because the behavioral data from 3DS1 is not yet evaluated. To overcome this issue, issuers can deploy a single risk scoring service for both ACS1 and ACS2 to complete the buyers' profile and make a more precise risk assessment.
Having two coexisting 3D Secure protocols is not an easy task to handle on the issuer side, but there are solutions that help overcome this challenge. Technical issues are being handled with a modular architecture, allowing issuers to adapt to any protocol being used to successfully process a given transaction, whether it is protected with 3DS1 or 3DS2. The most notable challenge is to ensure a smooth and uniform user experience in both cases, making the cardholders confident in the security of their online purchases. Different experiences during checkout might make the buyers wary during the processing of online payments, possibly causing cart abandonment rates to soar.
Online payments have been around for quite a while, but the last year, marked by the ongoing Covid-19 pandemic, caused a big spike in the number of stakeholders who went online as well as in revenue obtained by selling online. For reference, the Office for National Statistics states that online sales in the UK accounted for 35.2% of all retail in January 2021.
A 2021 report from Retail Economics and NatWest states that 46% of UK consumers bought goods and services online that, prior to the pandemic, they had only ever purchased in store. What makes this a new trend is the fact that 32% of consumers state that they plan to continue with their new shopping habits in the future.
Such numbers pose new opportunities as well as threats. As more and more people turn online to purchase goods and services in the comfort of their homes, those with ill intentions do not waste time. Security questions regarding online payments have popped up, and that is where 3D Secure steps in. In order to provide ultimate security in the online payments ecosystem, EMVCo's specification reflected on current and future market trends to support security, performance, and user experience.
Issuers are still on the fence when it comes to adopting new 3D Secure versions, but there is no doubt about the benefits they bring to the table. From security matters to user experience improvements, 3D Secure ties it all together. Key benefits the protocol provides are the following:
Since the previous 3D Secure v1.0, there have been a lot of changes in the online payments industry, demanding more significant improvements. One of those major changes was extending to mobile apps and securing mobile payments, impacting both security and user experience positively. Secondly, since mobile emerged as one of the alternative online payment channels, alternative authentication methods, which are becoming today's standard, were introduced. We're talking about supported biometric authentication, which provides a high level of security without tampering with the user experience during the checkout process. Furthermore, 3D Secure v2.1 collects ten times more data than the previous version, allowing issuers to conduct a more precise risk analysis, resulting in fewer step-ups and false declines. A new feature introduced in this version enables Merchant-Initiated Transactions, such as subscriptions. The first payment requires SCA, but the following identical payments do not. One of the most essential upgrades revolves around the PSD2 SCA requirement, making 3D Secure v2.1 a fully compliant solution.
3D Secure v2.2 includes all features provided in the v2.1 upgrade, plus some extra benefits which make the solution even more adaptable. Supported SCA exemption flags allow for a more flexible approach, thanks to enhanced risk analysis, which resulted in low-value payment exemptions as well as merchant whitelisting. The cardholder is in control when it comes to choosing the authentication method they want to apply during checkout, making the solution more user-friendly and the authentication process straightforward. Moreover, decoupled authentication introduced in this version allows authenticating the transaction at a time different from when the transaction occurred, which comes in handy in scenarios such as recurring payments or split shipments. Another feature included in v2.2 is delegated authentication, which means that issuers can enable third parties (merchants, acquirers, etc.) to conduct the authentication on their end. This method eliminates unnecessary friction and provides a better customer experience.
A considerable leap happened between 3D Secure 1 and 3D Secure 2, influenced by the fast-moving global digitalization, demanding more security and less friction. New versions of the 3D Secure protocol successfully overcame all of the obstacles 3D Secure 1 encountered, making the solution compliant, flexible, secure, and user-friendly.
Yes, PSD2 advocates Strong Customer Authentication, but what does that really mean for the stakeholders? SCA demands authorization which involves two out of three secure elements, namely: possession, knowledge, and inherence. Regardless of the methods chosen, PSD2 brought another tool to increase security measures as well as improve the end-user experience: Risk-Based Authentication. PSD2 makes it clear that the strength of authentication should correspond to the level of risk for a given transaction.
Having this in mind, PSD2 and corresponding Regulatory Technical Standards on Strong Customer Authentication specified that SCA exemptions can be applied. The prerequisite to apply any of the exempted scenarios is to conduct transaction risk analysis, deeming a transaction either high, medium, or low risk. Such analysis can be as simple as a Low-Value Payment which presumes that transactions below 30 EUR, even in cases of fraud, pose a low risk and low financial impact.
For non-low-value payment transactions, more sophisticated risk scoring needs to be done on the issuer side. This risk analysis should consider the usual end-user behavior, their habits, the channels and devices they use, common geolocation, known delivery addresses, and more. On the other hand, issuers also need to track the relevant merchants, meaning their fraud rate, blacklists, risky currencies, etc. As expected, sophisticated risk analysis requires advanced risk scoring solutions.
The issuer's main concerns are fraud costs and chargeback liability. With 3D Secure 2, acquirers and merchants were granted a liability shift to the issuer side. Therefore, issuing banks favor SCA for apparent reasons. It protects them and the cardholders from a wide range of fraudulent online payment activities.
Since merchants are much more fond of frictionless transactions than issuers, PSD2 and the recent 3D Secure protocol enable merchants and acquirers to communicate their authentication preferences in the 3DS transaction flow. However, this does not mean that the user is not authenticated. Merchants who opt for this approach consider the buyer trustworthy if they sign in to the merchant's web or mobile shop, i.e., the buyer is authenticated during login to the web or mobile shop. This is not considered Strong Customer Authentication. Still, taking into account the transaction amount, common delivery address, type of purchased goods or services, and the card data used (which is usually stored in the webshop, hopefully following the PCI DSS rules), merchants can be quite sure that the buyer is known and can be trusted. Additional authentication demanded by the issuer usually leaves end-users irritated and unsatisfied with the lengthy transaction authentication process.
Additionally, if the issuer approves a transaction based on the merchant exemption, in case of fraud the merchant is the one that takes the liability for chargeback costs.
Different regions, merchants, and goods and services result in different buyer preferences when it comes to SCA or SCA exemption. The best option is to let the buyers decide for themselves. With the introduction of Merchant Whitelist in 3D Secure 2.1, which is additionally enhanced in 3D Secure 2.2, buyers are able to choose trusted merchants in order to avoid SCA. Previously, the issuing bank analyzed eligible merchants and listed them to be included in the SCA exemption. Unlike the merchant exemption preference, the liability for fraud costs and chargebacks is moved to the issuer side. To minimize this risk, Merchant Whitelist candidates also need to be assessed from the risk perspective, using advanced risk scoring solutions that take the merchant fraud rate into account.
Biometry is the most applicable, most user-friendly, and most secure authentication method when talking about 3D Secure authentication in online payments. This is recognized by the card schemes, as MC and VISA introduced KPIs for issuers to measure biometry authentication rates. As Juniper Research states, already in 2019 facial recognition software was deployed on around 96 million mobiles, and it forecasts that biometric facial recognition will be present in 90% of smartphones by 2024, making biometric authentication widely applicable. Implementation of biometry also satisfies the dynamic linking requirement of PSD2. In the end, applying biometrics is extremely fast and straightforward when combined with push notification during online payment authentication.
Cart abandonment rate is a common KPI for measuring the performance of your web store. It indicates how many customers added an item to your web store shopping cart but never finalized the purchase.
In other words, it showcases the rate of customers who showed interest in a particular product/service by adding it to the cart but left without making the purchase compared to the total number of completed transactions.
The industry benchmark, based on a number of studies, states that the average cart abandonment rate is 69.80%. An abandonment rate greater than the industry benchmark can be induced by a variety of reasons, some of them being shipping costs, required sign-up, limited payment options, or checkout processes that are hard to follow.
By tracking their cart abandonment rates, merchants can better understand how their customers behave during their online shopping experience. Also, it is a helpful tool for determining why visitors are not converting into customers.
Security threats in the online payments environment are as real as they get, but the simple truth is that most cardholders have not encountered such unpleasant situations. From their perspective, additional security layers are seen as an inconvenience during the checkout process, making the cardholder abandon the purchase because of long checkout time or unfamiliarity with the screens presented. The first version of the 3D Secure protocol provided sufficient security. Still, it did not consider the user experience, especially on mobile versions of web stores, because the protocol was introduced long before such eCommerce channels stepped onto the scene.
This resulted in a spike in cart abandonment rates because cardholders had to deal with more friction in order to process a single payment, even though that meant a more secure transaction. From the cardholder's perspective, heightened security measures were seen as irritating rather than viewed positively.
Luckily, the newest version of the protocol, 3D Secure 2, introduced Risk-Based Authentication, enabling frictionless transactions while further improving payment security.
Risk-Based Authentication calculates the level of risk for a particular transaction. Upon scoring the transaction as either high, medium, or low risk, the cardholder is challenged with additional authentication steps if needed. It is a dynamic, parameter-driven system that appoints an appropriate authentication method according to an individual transaction's risk score.
Some of the mentioned parameters include the device, location, network, transaction amount, number of transactions, delivery address, behavioral history, new or existing customer, and more.
To better understand how Risk-Based Authentication works, let's use a real-life example. Suppose a new customer is processing a purchase. In that case, the system detects that there is no previous transaction history connected to the card being used, and the cardholder will likely be challenged with an additional authentication method. However, suppose an existing customer is processing a transaction with, e.g., a known device, and the transaction is within their average transaction amount. In that case, the cardholder won't be asked for any additional authentication, and a frictionless transaction will be processed.
Risk-Based Authentication promotes the so-called frictionless transactions, i.e., a transaction that does not require additional authentication on the cardholder side because the transaction is deemed low risk. It allows issuers to approve a transaction without interacting with the cardholder. By eliminating friction, the user experience is automatically improved.
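The decision described above, with the low-value exemption from the SCA discussion folded in, as an added example that is not code from the original post or any ACS product: it scores a transaction against the cardholder's behavioral profile using the parameters the text lists (device, geolocation, delivery address, amount versus history, new versus existing customer), maps the score to low, medium or high risk, and returns either a frictionless flow or an SCA challenge. The weights, thresholds, the 30 EUR limit's handling and the sample history are all illustrative assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# PSD2 low-value payment exemption threshold quoted in the text (EUR).
LOW_VALUE_LIMIT_EUR = 30.0


@dataclass
class Transaction:
    amount_eur: float
    device_id: str
    country: str
    delivery_address: str


@dataclass
class CardholderProfile:
    history: list = field(default_factory=list)  # past Transaction objects

    def is_new(self) -> bool:
        return not self.history


def risk_score(tx: Transaction, profile: CardholderProfile) -> int:
    """0-100 risk score from the profile parameters the text lists.

    Weights and thresholds are illustrative assumptions, not any ACS's defaults.
    """
    if profile.is_new():
        return 90  # no history to compare against: treat as high risk
    score = 0
    if tx.device_id not in {t.device_id for t in profile.history}:
        score += 30  # unknown device
    if tx.country not in {t.country for t in profile.history}:
        score += 25  # unusual geolocation
    if tx.delivery_address not in {t.delivery_address for t in profile.history}:
        score += 20  # unknown delivery address
    amounts = [t.amount_eur for t in profile.history]
    # Amount far outside the usual spending pattern (the "all-inclusive trip" case).
    if tx.amount_eur > mean(amounts) + 3 * max(pstdev(amounts), 1.0):
        score += 35
    return min(score, 100)


def risk_level(score: int) -> str:
    if score < 30:
        return "low"
    return "medium" if score < 60 else "high"


def decide(tx: Transaction, profile: CardholderProfile) -> dict:
    """Frictionless flow or SCA challenge for one transaction."""
    score = risk_score(tx, profile)
    level = risk_level(score)
    low_value = tx.amount_eur < LOW_VALUE_LIMIT_EUR
    # Assumption: low risk is frictionless; the low-value exemption also skips the
    # challenge unless the score is high (e.g. a card with no history at all).
    if level == "low" or (low_value and level != "high"):
        action = "frictionless"
    else:
        action = "challenge"  # step-up: two of possession, knowledge, inherence
    return {"score": score, "level": level, "low_value_exemption": low_value,
            "action": action}


# Constructed sample history: an existing customer buying small items from one device.
EXISTING = CardholderProfile([
    Transaction(9.0, "dev-A", "HR", "home"),
    Transaction(7.5, "dev-A", "HR", "home"),
    Transaction(10.0, "dev-A", "HR", "home"),
    Transaction(8.0, "dev-A", "HR", "home"),
])
NEW_CUSTOMER = CardholderProfile()

if __name__ == "__main__":
    cases = [
        ("usual purchase", Transaction(9.5, "dev-A", "HR", "home"), EXISTING),
        ("unusual amount", Transaction(1800.0, "dev-A", "HR", "home"), EXISTING),
        ("first purchase", Transaction(9.5, "dev-Z", "HR", "home"), NEW_CUSTOMER),
    ]
    for name, tx, profile in cases:
        print(f"{name}: {decide(tx, profile)}")
```

The usual purchase scores 0 and goes through frictionless, the 1800 EUR booking from the same device is flagged medium and challenged, and the first purchase on a card with no history is challenged even though it is below the low-value limit.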
A complete flow, enabled because of Risk-Based Authentication, is the following:
Benefits for the cardholders are obvious, a secured transaction with minimum effort regarding authenticating themselves. But the business benefit for merchants lies in reduced cart abandonment rates caused by reduced friction during the processing of online payments. It allows merchants to protect themselves and their customers from fraud while increasing revenue and customer satisfaction due to the frictionless experience enabled by Risk-Based Authentication.
As of right now, issuers are not confident in granting frictionless transactions, i.e., transactions that do not require additional authentication. The reason is that the issuing banks are the ones who take the liability in case of a fraud attempt. However, risk scoring services are acquiring more and more data by the minute and working on enhanced AI data analytics applied to that same data in order to create and analyze customer profiles. This will result in detecting even the smallest deviations from the standard profile, so the issuer can step in with SCA to confirm the authenticity of the cardholder.