Considering the rapid evolution of consumer behaviour and the surge in payments made through digital channels such as tablets, mobile phones and Internet of Things devices in recent years, together with the increase in fraud observed since the first Payment Services Directive (PSD1) came into force in 2009, the European Union has adopted a revised directive, known as PSD2. The new directive requires banks to open their customers' account data to licensed third parties and adds new security requirements. In parallel, EMVCo has released an enhanced version of the 3-D Secure protocol, 3-D Secure 2.0 (3DS 2.0). PSD2 mandates Strong Customer Authentication (SCA) for electronic payments, with exemptions based on Transaction Risk Analysis (TRA), while 3DS 2.0 gives issuers the data they need to perform Risk-Based Authentication (RBA).
3DS 1.0 vs. 3DS 2.0
Most shoppers have experienced, at least once, the limitations of the 3DS 1.0 protocol outside a desktop browser: paying on a mobile device or in-app can be a frustrating and far from user-friendly experience.
The 3DS 2.0 protocol – created, owned and managed by EMVCo and its six member organisations, American Express, Discover, JCB, Mastercard, UnionPay and Visa – was developed to improve the overall performance of the 3DS programme and to support the payments industry in delivering a global, interoperable and consistent user experience across all e-commerce channels and connected devices.
The biggest changes brought by PSD2 and the new protocol include the shift of fraud liability away from the merchant for authenticated transactions, reduced interchange fees and authentication upgrades – all of which can result in benefits such as higher approval rates and reduced friction, thanks to improved risk-based authentication and a richer exchange of data.
Understandably, businesses may initially be concerned that more authentication elements inevitably mean more friction points, hurting the customer experience and therefore conversion rates. In practice the opposite is likely: while drafting PSD2, regulators kept these concerns as central considerations and included a number of provisions that allow merchants to maintain, and even improve, speed and user-friendliness.
With the increased usage and popularity of these types of transactions, the new version of the 3DS specification is designed to integrate better with the merchant's checkout, removing the limitations of 3DS 1.0, curbing cart abandonment and improving the user experience, all without compromising security. Let's break down some of the key changes in 3DS 2.0 and what they mean for your business.
What is Strong Customer Authentication (SCA)?
PSD2 introduces Strong Customer Authentication (SCA), an upgraded security measure for authenticating online payments. It requires at least two independent elements from two of the following three categories, so that compromising one does not compromise the other:
- Something the consumer knows: a PIN, a password or the answer to a security question. Static card details printed on the card do not count as a knowledge element.
- Something the consumer has: the card itself, a key fob or hardware token, a registered mobile device or a wearable. A one-time code delivered by SMS or generated on the device proves possession of that device and therefore belongs in this category, not in the knowledge category.
- Something the consumer is: a biometric such as a fingerprint, an iris scan, or face or voice recognition.
However, in a number of cases the transaction can be exempted from SCA. An exemption is applied by a payment service provider, either the card issuer or the acquirer (the merchant requests it through its acquirer), and the issuer always retains the right to decline the exemption and challenge the cardholder anyway. A transaction exempted at the acquirer's request is not covered by the fraud liability shift; only an authenticated transaction is. Here are the main SCA exemptions:
1. Low-value transactions
Transactions of €30.00 or less are exempt unless one of the following limits, counted since the issuer last applied SCA to that card, has been reached:
- The cumulative value of transactions made without SCA exceeds €100.00
- More than five consecutive transactions have been made without SCA.
Once either limit is reached the issuer must apply SCA, which resets both counters.
2. Low-risk transactions
Low-risk transactions may also be exempt from SCA under the Transaction Risk Analysis (TRA) exemption. Whether a transaction qualifies depends on the reference fraud rate for remote card payments of the payment service provider applying the exemption (the card issuer or the acquirer), calculated per quarter as the value of fraudulent remote card transactions divided by the value of all remote card transactions, combined with the transaction amount. This exemption is independent of the low-value counters listed above:
- The fraud rate is 0.13% or below and the transaction value does not exceed €100.00
- The fraud rate is 0.06% or below and the transaction value does not exceed €250.00
- The fraud rate is 0.01% or below and the transaction value does not exceed €500.00
Exemptions should not be confused with transactions that are out of scope of SCA altogether, such as merchant-initiated transactions where the cardholder is not present. Neither an exempted nor an out-of-scope transaction is covered by the fraud liability shift, because no authentication took place.
3. Recurring plans and subscriptions
When a cardholder sets up a recurring payment with a merchant, only the first transaction has to be authenticated under SCA; subsequent payments of the same amount to the same payee are exempt. If the amount changes, that exemption no longer applies. Merchant-initiated transactions, where the cardholder is not present when the charge is made and the amount may depend on usage, such as a minibar bill or a parking fee, are out of scope of SCA altogether, provided the cardholder was authenticated when the agreement was set up.
What is Risk-Based Authentication (RBA)?
An important advantage of 3DS 2.0 is that it facilitates a richer exchange of data between the merchant, the cardholder's device and the issuer, enabling the issuer to perform Risk-Based Authentication (RBA). 3DS 2.0 allows more than 100 data elements to be exchanged on each transaction, including the shipping and billing addresses, device and browser information, account age and previous transaction history, so that the issuer can assess the risk of each transaction. Depending on the issuer's decision, the authentication then follows either the frictionless flow, when the transaction is judged low risk, or the challenge flow, where the cardholder is prompted for further verification.
According to Mastercard, through this data validation measure, it is expected that 90% of all transactions will not require a challenge to authenticate the user thus reducing overall friction and cart abandonment rates. Even better, users will not need to provide a password or SMS in order for the merchants to benefit from the liability shift.
With 3DS 1.0, even when the issuer decides that no authentication is needed, the cardholder is redirected to a bank page that merely confirms this, an unnecessary friction point. With 3DS 2.0 the frictionless flow is completed in the background between the merchant's 3DS Server and the issuer's Access Control Server (ACS); no redirect or bank page is displayed, which creates a smoother, faster path to checkout completion.
What is the user experience when there is a challenge?
The new protocol encourages frictionless authentication where possible and delivers a better use of dynamic one-time passcodes when it is required.
For example, the new protocol allows merchants to embed the challenge window in their own checkout flow rather than redirecting to the bank page, resolving the clunky user experience that 3DS 1.0 sometimes delivers.
With a growing number of cardholders using their bank's mobile app, the challenge can also be completed out-of-band: the issuer notifies the app and the cardholder approves the transaction there, for example with a fingerprint, instead of typing a code into the merchant page.
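The frictionless and challenge flows described above, as an added example that is not part of the original article or of Checkout.com's code. Message and field names (AReq, ARes, CReq, CRes, RReq, transStatus, acsTransID, authenticationValue, chAccAgeInd, deviceChannel) follow the EMV 3DS specification; the ACS scoring weights, the 50-point cut-off, the HMAC stand-in for the scheme's authentication value, the sample addresses and IP addresses and the out-of-band OTP delivery are all constructed for illustration. The merchant side plays the 3DS Server, the issuer side the ACS:

```python
import base64
import hashlib
import hmac
import secrets
import uuid

# Constructed demo key: a real ACS derives the CAVV/AAV with scheme keys in an HSM.
ACS_KEY = b"demo-acs-key-not-for-production"
FRICTIONLESS_MAX_SCORE = 50   # illustrative cut-off of the ACS risk engine
MAX_OTP_ATTEMPTS = 3


def build_areq(amount_cents, ship_addr, bill_addr, browser_ip, new_account):
    """Merchant 3DS Server: an AReq carrying a few of the 3DS 2 data elements."""
    return {
        "messageType": "AReq",
        "messageVersion": "2.2.0",
        "threeDSServerTransID": str(uuid.uuid4()),
        "deviceChannel": "02",            # 01 = app, 02 = browser, 03 = merchant-initiated (3RI)
        "purchaseAmount": str(amount_cents),
        "purchaseExponent": "2",
        "purchaseCurrency": "978",        # EUR
        "shipAddrLine1": ship_addr,
        "billAddrLine1": bill_addr,
        "browserIP": browser_ip,
        # chAccAgeInd: 02 = account created during this transaction, 05 = older than 60 days
        "acctInfo": {"chAccAgeInd": "02" if new_account else "05"},
    }


class AccessControlServer:
    """Issuer-side ACS. Scoring weights and the OOB delivery of the OTP are illustrative."""
    def __init__(self, known_ips):
        self.known_ips = set(known_ips)
        self.pending = {}   # acsTransID -> open challenge

    def _auth_value(self, three_ds_trans_id, amount):
        msg = f"{three_ds_trans_id}|{amount}".encode()
        return base64.b64encode(hmac.new(ACS_KEY, msg, hashlib.sha256).digest()).decode()

    def verify_auth_value(self, three_ds_trans_id, amount, value):
        """Checked by the issuer at authorisation: the value must come from this ACS."""
        return hmac.compare_digest(self._auth_value(three_ds_trans_id, amount), value)

    def risk_score(self, areq):
        score = 0
        if areq["shipAddrLine1"] != areq["billAddrLine1"]:
            score += 30
        if areq["acctInfo"]["chAccAgeInd"] in ("01", "02", "03"):   # guest or young account
            score += 25
        if int(areq["purchaseAmount"]) > 500_00:
            score += 20
        if areq["browserIP"] not in self.known_ips:
            score += 20
        return score

    def handle_areq(self, areq):
        """ARes: frictionless (transStatus Y, with authentication value) or challenge (C)."""
        tid = areq["threeDSServerTransID"]
        if self.risk_score(areq) < FRICTIONLESS_MAX_SCORE:
            return {"messageType": "ARes", "threeDSServerTransID": tid, "transStatus": "Y",
                    "eci": "05",   # ECI values are scheme-specific; 05 = fully authenticated here
                    "authenticationValue": self._auth_value(tid, areq["purchaseAmount"])}
        acs_tid = str(uuid.uuid4())
        otp = f"{secrets.randbelow(10**6):06d}"   # delivered out-of-band, e.g. via the banking app
        self.pending[acs_tid] = {"areq": areq, "otp": otp, "attempts": 0}
        return {"messageType": "ARes", "threeDSServerTransID": tid, "transStatus": "C",
                "acsTransID": acs_tid, "acsChallengeMandated": "Y"}

    def handle_creq(self, creq):
        """Challenge step: verify the OTP; return the CRes and, when final, the RReq result."""
        state = self.pending.get(creq["acsTransID"])
        if state is None:
            return {"transStatus": "U"}, {"transStatus": "U"}   # unknown or expired challenge
        state["attempts"] += 1
        if hmac.compare_digest(creq["challengeDataEntry"], state["otp"]):
            areq = self.pending.pop(creq["acsTransID"])["areq"]
            tid = areq["threeDSServerTransID"]
            rreq = {"messageType": "RReq", "threeDSServerTransID": tid, "transStatus": "Y",
                    "eci": "05", "authenticationValue": self._auth_value(tid, areq["purchaseAmount"])}
            return {"transStatus": "Y", "challengeCompletionInd": "Y"}, rreq
        if state["attempts"] >= MAX_OTP_ATTEMPTS:
            self.pending.pop(creq["acsTransID"])
            return {"transStatus": "N", "challengeCompletionInd": "Y"}, {"transStatus": "N"}
        return {"transStatus": "C", "challengeCompletionInd": "N"}, None   # another try allowed


def authenticate(acs, areq, read_otp):
    """Merchant flow. read_otp() stands in for the cardholder entering the code from the bank app."""
    final = acs.handle_areq(areq)
    while final["transStatus"] == "C":
        creq = {"messageType": "CReq", "threeDSServerTransID": areq["threeDSServerTransID"],
                "acsTransID": final["acsTransID"], "challengeDataEntry": read_otp()}
        _cres, result = acs.handle_creq(creq)
        if result is not None:
            final = result
    shifted = final["transStatus"] in ("Y", "A") and "authenticationValue" in final  # liability shift
    return final["transStatus"], shifted, final.get("authenticationValue")
```

A low-risk AReq (matching addresses, established account, known IP) comes back as transStatus Y with an authentication value and the cardholder never sees the issuer; a high-risk one returns C, and the merchant then runs the CReq/CRes challenge until the ACS issues a final result. Note that the liability shift hinges on receiving the authentication value, not merely on having attempted 3DS, and that the value is later verified by the issuer at authorisation.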
What is Transaction Risk Analysis (TRA)?
Last but not least, the PSD2 regulatory technical standards introduce Transaction Risk Analysis (TRA), the real-time fraud analysis that issuers and acquirers apply to each transaction in order to claim the low-risk exemption described above. It is based on the provider's own algorithms, built to model the cardholder's spending and behavioural patterns. Other risk factors analysed include cardholder location, merchant location, the transaction amount against the monetary thresholds, and the provider's real-time fraud rate for e-commerce transactions, which determines the highest amount it is allowed to exempt.
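The exemption rules listed under "What is Strong Customer Authentication (SCA)?" and the TRA thresholds just described, as an added example that is not part of the original article or of Checkout.com's code: a small decision routine that applies the low-value, TRA and recurring exemptions and the merchant-initiated out-of-scope case against a card's running counters. The threshold figures are those quoted above; the dataclass and function names, the per-card counters and the choice to count TRA-exempted transactions toward the low-value limits are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

# Thresholds as quoted in the article (PSD2 RTS, Articles 14, 16 and 18).
# Amounts are integer euro cents so no float rounding creeps into the limit checks.
LOW_VALUE_MAX = 30_00
LOW_VALUE_CUMULATIVE_MAX = 100_00
LOW_VALUE_COUNT_MAX = 5
# TRA bands: (ceiling on the PSP's reference fraud rate as a fraction, maximum amount)
TRA_BANDS = [(0.0013, 100_00), (0.0006, 250_00), (0.0001, 500_00)]


class Decision(Enum):
    OUT_OF_SCOPE = "out of scope: merchant-initiated, payer not present"
    EXEMPT_RECURRING = "exempt: recurring, same amount and same payee"
    EXEMPT_TRA = "exempt: transaction risk analysis"
    EXEMPT_LOW_VALUE = "exempt: low value"
    SCA_REQUIRED = "SCA required"


@dataclass
class CardCounters:
    """Issuer-side counters for one card, reset whenever SCA is applied (assumed model)."""
    cumulative_cents: int = 0   # value of payer-initiated transactions done without SCA
    count: int = 0              # number of such transactions


@dataclass
class Transaction:
    amount_cents: int
    psp_fraud_rate: float                # reference fraud rate of the PSP claiming TRA
    merchant_initiated: bool = False     # cardholder not present when the charge is made
    recurring_same_amount: bool = False  # later payment of a series the payer authenticated


def fraud_rate(fraud_value_cents: int, total_value_cents: int) -> float:
    """Reference fraud rate: value of fraudulent remote card transactions divided by the
    value of all remote card transactions of the PSP over the reference period."""
    return 0.0 if total_value_cents == 0 else fraud_value_cents / total_value_cents


def decide(tx: Transaction, counters: CardCounters) -> Decision:
    if tx.merchant_initiated:
        return Decision.OUT_OF_SCOPE
    if tx.recurring_same_amount:
        return Decision.EXEMPT_RECURRING
    # TRA: the lower the PSP's fraud rate, the larger the amount it may exempt.
    # This exemption does not depend on the low-value counters.
    for rate_ceiling, amount_max in TRA_BANDS:
        if tx.psp_fraud_rate <= rate_ceiling and tx.amount_cents <= amount_max:
            return Decision.EXEMPT_TRA
    # Low value: 30 EUR or less, and neither limit since the last SCA would be crossed.
    if (tx.amount_cents <= LOW_VALUE_MAX
            and counters.cumulative_cents + tx.amount_cents <= LOW_VALUE_CUMULATIVE_MAX
            and counters.count + 1 <= LOW_VALUE_COUNT_MAX):
        return Decision.EXEMPT_LOW_VALUE
    return Decision.SCA_REQUIRED


def process(tx: Transaction, counters: CardCounters) -> Decision:
    """Decide, then update the counters: every payer-initiated transaction done without
    SCA adds to them, and applying SCA resets them."""
    decision = decide(tx, counters)
    if decision in (Decision.EXEMPT_LOW_VALUE, Decision.EXEMPT_TRA):
        counters.cumulative_cents += tx.amount_cents
        counters.count += 1
    elif decision is Decision.SCA_REQUIRED:
        counters.cumulative_cents = 0
        counters.count = 0
    return decision


if __name__ == "__main__":
    counters = CardCounters()
    rate = fraud_rate(fraud_value_cents=50_000_00, total_value_cents=10_000_000_00)  # 0.5%
    for amount in (25_00, 25_00, 25_00, 25_00, 25_00):   # the fifth one crosses the 100 EUR limit
        print(amount, process(Transaction(amount, psp_fraud_rate=rate), counters).value, counters)
```

`decide` only reports whether an exemption is available on paper; the issuer may still choose to challenge, and, as noted above, a transaction exempted at the acquirer's request carries no liability shift.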
3DS 1.0 and 3DS 2.0 will continue to coexist for some time. Merchants will have to support both until the mandate rolls out in all regions in order to remain protected under the fraud liability shift. The challenge for merchants is to apply both protocols efficiently, in a way that optimises security, conversion and liability shift.
To simplify: use 3DS 1.0 only when the issuer does not support 3DS 2.0. Otherwise use 3DS 2.0 and provide the issuer with as much data as possible for RBA, even when not required, in order to obtain higher approval rates, higher conversion rates and reduced interchange. If a challenge is expected that may hurt the conversion rate, an exemption can be requested, keeping in mind that an exempted transaction does not carry the liability shift.
For out-of-scope transactions, it is best to combine Checkout.com's built-in risk settings with a considered choice between 3DS 1.0 and 3DS 2.0 to get the transaction approved, ideally running 3DS 2.0 even when it is not required, to increase the likelihood of a successful transaction.
To make it easier to navigate these new and evolving regulations, working with a payment processor such as Checkout.com, which can manage both protocols and handle exemptions and out-of-scope transactions, simplifies compliance and operations while improving overall performance, security and conversion rates.
Key dates to know:
April 2019 - Issuing banks are encouraged by schemes to get 3DS 2.0 ready. Early merchant adopters may take advantage of 3DS 2.0 and get a liability shift in any case.
September 14, 2019 - SCA goes into effect for all European e-commerce transactions under PSD2.
October 11, 2019 - EMV 3DS 2.0 Scheme mandate for Europe goes into effect.