By Marco Conte
14 September 2019.
This day was supposed to be Payments Armageddon for merchants in Europe. I remember the weeks leading up to that day. There was pure panic in the payments industry.
For those who weren’t working in payments in 2019, the date 14 September was when Strong Customer Authentication (SCA) requirements officially went into effect across Europe. 3-D Secure 2 (3DS2) is the main method for authenticating online card payments in accordance with SCA requirements.
By August 2019, very few large payment service providers (PSPs) had the tech ready to accept 3DS2 or EMV 3-D Secure. That’s why national authorities — e.g. FCA in the United Kingdom and BaFin in Germany — introduced gradual rollouts so everyone in the industry could catch up.
It’s been three years since that original deadline, and merchants across Europe and elsewhere are still learning how to live with the SCA requirements. They’re all exploring different strategies for optimizing payment acceptance rates in a Payment Services Directive (PSD2) SCA environment.
On paper, this sounds easy enough. In reality, that kind of optimization work takes a ton of effort as well as a deep understanding of what a business can and cannot do. Further, card schemes are moving away from the old 3DS1, which will be sunset in October 2022.
Below is an overview of the strategies merchants are deploying to remain compliant with SCA requirements while ensuring payments are optimized.
The latest live version of 3-D Secure (v2.2 now, with v2.3 coming soon) incorporates much more data and introduces different authentication flows.
This means merchants must have a deep understanding of those new data fields on both the request and response sides. There are four specific issues that emerge from this:
Sending a 3-D Secure request does not automatically mean that a cardholder will get an action request from their bank. During a 3DS2 authentication, the issuer uses risk-based authentication, which it can calculate on its own by assessing things like the customer’s behaviors (e.g. the IP address used, the billing and shipping information, frequent purchases from the same merchant).
That’s why it’s important for merchants to send as much information as possible during a 3-D Secure authentication request (or “AReq,” as it’s technically called).
When a transaction can be approved successfully without the customer receiving a challenge (i.e. frictionless authentication), then there is no need to redirect or send the customer to an authentication screen.
The technical implementation of 3DS is important in such a scenario. Often, payment service providers have created a 3DS router to communicate with 3DS servers. When that’s the case, the system might always redirect to an intermediate page, even when doing so is unnecessary.
When a response is received in which a challenge is required, there are hard-to-foresee scenarios that could lead to more failures.
To preempt such failures, merchants should make sure each challenge is presented correctly to customers. This is complicated by the fact that each authentication method presented to the customer could perform differently.
In the latest 3DS protocol, some declines might not be purely related to customer authentication or technical processing. There are some instances in which transactions get declined due to issues such as:
It is important to monitor such declines.
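As an added example (not from the original article or any PSP's code), the Python below routes on the `transStatus` field of the authentication response (ARes) so that frictionless results skip the redirect, and tallies stopped transactions by `transStatusReason` for decline monitoring. The action names, the handling of status `I`, and the sample messages are assumptions made for illustration.

```python
from collections import Counter

# transStatus values from the EMV 3-D Secure 2.2 specification.
# Treating "I" (informational only) as authorizable is a policy assumption.
NO_CHALLENGE = {"Y", "A", "I"}   # authenticated, attempt processed, informational


def next_step(ares: dict) -> str:
    """Map an ARes to a checkout action (action names are hypothetical)."""
    status = ares.get("transStatus")
    if status in NO_CHALLENGE:
        return "authorize"            # no redirect, go straight to authorization
    if status == "C":
        # A browser challenge needs the ACS URL and transaction ID for the CReq.
        if ares.get("acsURL") and ares.get("acsTransID"):
            return "challenge"
        return "stop"                 # challenge requested but cannot be presented
    if status == "D":
        return "await_decoupled"      # cardholder authenticates out of band
    return "stop"                     # N, U, R, or a missing/unknown status


def decline_report(messages: list) -> Counter:
    """Count stopped transactions by (transStatus, transStatusReason)."""
    report = Counter()
    for ares in messages:
        if next_step(ares) == "stop":
            key = (ares.get("transStatus"), ares.get("transStatusReason", "none"))
            report[key] += 1
    return report


# Constructed sample ARes messages, trimmed to the fields used here.
SAMPLES = [
    {"transStatus": "Y", "eci": "05"},
    {"transStatus": "C", "acsURL": "https://acs.example/creq", "acsTransID": "t-1"},
    {"transStatus": "C"},                                  # malformed challenge
    {"transStatus": "N", "transStatusReason": "01"},
    {"transStatus": "R", "transStatusReason": "11"},
    {"transStatus": "N", "transStatusReason": "01"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg.get("transStatus"), "->", next_step(msg))
    print(dict(decline_report(SAMPLES)))
```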
For merchants, SCA exemptions have become the next level of payment optimization strategies in the European market.
PSD2 allows for some transactions to fall outside of the scope of SCA. These include:
Further, exemptions are available for low-value payments (LVP exemptions) below a certain threshold and transaction risk analysis (TRA exemptions) in which no abnormal spending behaviors have been detected.
Here, again, technical challenges emerge:
Payment managers struggle to create their PSD2 SCA exemption strategies because they get bogged down in trying to make sense of the data they receive from their PSPs and other sources.
Additionally, the technologies that shape the SCA environment are evolving. New solutions such as Secure Payment Confirmation, based on FIDO technology, are to be included as part of the 3DS 2.3 protocol.
At Congrify, we have been working with this kind of data for years, and we speak with merchants every day about how to turn that data into business intelligence. Our platform has a dedicated section for 3DS2 and PSD2 to help those merchants.
If you would like to learn about how Congrify can help you get your payment strategy ready for the future, contact us today.