We’re currently in the middle of the second quarter of the year. The new security standard required by the Second EU Payment Services Directive (PSD2) has been implemented in several countries for some time now, while others have set their own final deadlines up to the end of 2021. With PSD2 comes Strong Customer Authentication, which includes a new version of the 3DS protocol that reshapes the payments ecosystem, and this is the part we’d like to focus on the most. But first, we’ll explain what 3DS 2.0 is, and then we’ll share our thoughts and the concerns and threats we hear about from the industry. There are also bonus commentaries from Straal’s experts: the CCO, the Chief Risk Officer and the VP of Engineering. Enjoy!
A short recap: PSD2 and 3DS 2.0 vs 3DS 1 authentication
The Strong Customer Authentication (SCA) requirement of the revised Directive on payment services (PSD2) has now come into force in most countries; in Germany, for example, all transactions, regardless of amount, should be processed under the PSD2 rules by 15th March at the latest (see below). In order to comply with the requirements, the card schemes have developed a new version of the 3DS process called 3DS 2.0, which all merchants need to use for their transactions. Until PSD2 was enforced, 3DS 1.0 was obligatory (more on this later).
See the most recent enforcement plans below*
Update May 2021: we’ve just received the news regarding UK Strong Customer Authentication for ecommerce payments. The new date for active enforcement is 14th March 2022; it was set by the UK regulator, the FCA (Financial Conduct Authority). Apparently, the delay is due to the exceptional circumstances of the COVID-19 crisis. PSD2’s SCA requirements were originally scheduled to be enforced in the UK on March 14, 2021. Matthijs Pronk, Chief Commercial Officer at Straal, underlines that a postponement of this deadline says something about the complexity of this compliance rule. The complexity is especially felt by merchants, who need to make business rules and decisions on regulatory compliance. The unfortunate “non conformative approach” to implementing SCA across the different countries in Europe adds another layer of complexity for ecommerce merchants. The Internet and card payments are in themselves cross-border technologies; unfortunately, certain elements now tie merchants to domestic circumstances.
But what is 3DS anyway? Let’s start from the beginning!
Generally speaking, the 3DS protocol is a fraud prevention mechanism. It adds an additional layer of verification to ensure the authenticity of online card-based transactions, and it works like this: when a purchase is made, the customer leaves your website and is redirected to their bank’s website, where, in order to complete the transaction, they need to enter a password or a code sent to their phone to verify the payment. This helps protect you (as a merchant) from fraud and makes payments more secure.
3DS 1.0 was designed by Visa, which built it as an additional security layer for online credit card transactions. Visa provided the service to its customers, but the protocol has also been used by other schemes, namely Mastercard, JCB, American Express and Diners Club International, under the service names SecureCode, J/Secure, SafeKey and ProtectBuy.
According to the news, Visa will stop supporting 3DS 1.0 in October 2022, not 2021. Visa has revised its previous announcement to give the market more time to prepare. The official statement says that from the 15th of October 2022 Visa will discontinue support for 3DS 1.0. As a result, from that day on, the fraud liability protection for merchants (provided by Visa) will be removed on all 3DS 1.0 fully authenticated or attempted-authentication transactions.
We wrote more about the implications for merchants in terms of liability shift in Straal’s PSD2 guide.
3DS 2.0 is the newest version of the protocol. It differs from the first version in many ways. For instance, it allows the site owner to customize the page and offers various authentication methods to suit the customer, such as biometrics, text messages or passwords. More on this topic here: How can you comply with PSD2/SCA requirements?
Key benefits of 3DS 2.0
- Smooth payment process
- Fewer payment disruptions
- Smart fraud detection (to reduce card fraud) – more about the security issues later
- Complete integration in web shop and app
We’ve listed all the benefits in a quick and easy guide
In a nutshell, 3DS 2.0 is more customer-oriented than 3DS 1.0 and is designed with mobile devices in mind.
‘According to Visa, the enhanced 3DS protocol (3DS 2.0) will reduce cart abandonment by 70% and checkout times by 85%’.
Read more about cart abandonment and how to avoid it in this entry.
Industry thoughts about the new security standard 3DS 2.0
We’ve worked our way through the basics of the new requirements and the consequences of implementing them, so let’s move to the second part of this guide: the industry voice and Straal’s thoughts.
We wouldn’t be exaggerating if we said we expected a buzz in the media, but it turns out things seem rather quiet around the new regulation. As we are now in the middle of the SCA transition journey, we have to wait a little longer for the first in-depth case studies; nevertheless, we decided to sum up what we’ve learned so far.
Because there are so many different moving parts and players in this case, not everything (or every part/company in the chain) is ready. In some countries the issuers are more ready than in others. According to Finextra: “Not all merchants may be ready yet. Some may have completed the site coding needed to enable SCA, but haven’t necessarily turned it on, or haven’t turned it on permanently. Some issuers in different countries haven’t fully switched on SCA functionalities either. This means even if a merchant has launched SCA on its site, its customers may not be receiving the 3DS 2.0 identification challenges that enable SCA from the issuer”.
The question is… what will the payments industry market look like in 2021 given the dynamic changes related to 3DS?
As stated in Forbes: “In 2021 we will see a growth of interconnectivity, with accounts listed and payments conducted from within our favorite apps. But we will have to wait for PSD3 for universal bank account access to be everyday for the majority of banked people.”
As reported by ThePaypers, there has been a huge risk of market failure since the beginning of 2021: “(…) the transactions authenticated with the new authentication protocol are currently very low. Furthermore, the level of complexity is getting higher with local regulators following different approaches with some proposing or considering soft decline programs and some others fully relying on the EBA timelines.”
3DS concerns: errors
Over the last months there have been several technical errors regarding 3DS2, but the situation is slowly improving. A few terms first:
- MIT – Merchant Initiated Transactions; for example, the collection of subscription payments for a gym membership.
- AAV – Accountholder Authentication Value – a token based on Universal Cardholder Authentication, generated by the issuer and shown to the merchant in the authorization request as proof of a fully authenticated transaction.
- DS TRANS ID – Directory Server transaction ID – the transaction identifier assigned by the Directory Server, a server dedicated to storing and managing data (ID profiles); the data can be used in the authentication and authorization process to grant access to, for example, online services.
Learn more in our simple PSD2 guide.
It’s been said that the volume of 3DS2 transactions has nearly doubled compared to the end of 2020, even though issuer performance varied in January and some technical issues were detected (these are, of course, being fixed as quickly as possible by the different providers within the payment chain). Meanwhile, the UK, Ireland and Sweden are the best-performing markets right now, probably due to their online payments experience and advanced technology.
The last months have shown that errors are mostly related to incorrect flagging at the authorization level (for example, an incorrect SCA exemption), while others are related to the authentication process (merchants sending inaccurate 3DS2 fields, issuers having issues authenticating customers in their mobile apps, etc.). In addition, merchants have absolutely zero control over the issuers’ authentication method.
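An added example (not Straal’s code) of the kind of pre-authorization check a merchant or gateway can run to catch the flagging errors just described, using the glossary terms above (MIT, AAV, DS transaction ID). The field names, the exemption label and the sample values are assumptions; real acquirer APIs name these fields differently, as the article notes later.

```python
"""Pre-authorization consistency checks for 3DS2 fields and SCA flags.
Added illustration, not Straal's code: field names follow the glossary above
(AAV, DS transaction ID, MIT) but are assumptions, real acquirer APIs differ."""
from dataclasses import dataclass
from typing import List, Optional

LOW_VALUE_LIMIT_EUR = 30.00  # PSD2 RTS low-value exemption threshold


@dataclass
class AuthRequest:
    amount_eur: float
    message_version: str = ""              # 3DS protocol version, e.g. "2.2.0"
    trans_status: str = ""                 # "Y" authenticated, "A" attempted
    aav: Optional[str] = None              # Accountholder Authentication Value
    ds_trans_id: Optional[str] = None      # Directory Server transaction ID
    exemption: Optional[str] = None        # exemption claimed, e.g. "low_value"
    merchant_initiated: bool = False       # MIT, e.g. recurring subscription
    initial_sca_ref: Optional[str] = None  # ref to SCA-authenticated first txn


def check_request(req: AuthRequest) -> List[str]:
    """Return the flagging problems found; an empty list means consistent."""
    problems: List[str] = []
    authenticated = req.trans_status in ("Y", "A")
    if authenticated:
        # A 3DS2 result must carry its proof: AAV plus the DS transaction ID.
        if not req.message_version.startswith("2."):
            problems.append("authenticated result but not a 3DS2 message version")
        if not req.aav:
            problems.append("authenticated result without AAV")
        if not req.ds_trans_id:
            problems.append("authenticated result without DS transaction ID")
    if req.exemption and authenticated:
        problems.append("exemption claimed on an already authenticated transaction")
    if req.exemption == "low_value" and req.amount_eur > LOW_VALUE_LIMIT_EUR:
        problems.append("low-value exemption on amount above limit")
    if req.merchant_initiated:
        # Recurring MITs are out of SCA scope only when the card was enrolled
        # with an SCA-authenticated initial transaction (see re-registration below).
        if not req.initial_sca_ref:
            problems.append("MIT without reference to an SCA-authenticated initial transaction")
        if authenticated or req.exemption:
            problems.append("MIT must not carry cardholder authentication or exemption flags")
    if not (authenticated or req.exemption or req.merchant_initiated):
        problems.append("no authentication, exemption or MIT flag: expect a soft decline")
    return problems
```

Running this on each authorization before it leaves the merchant side turns the “incorrect flagging” class of errors into a local validation failure rather than an issuer decline.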
Going forward, according to an entry on The Paypers by Raluca Constantinescu, Secretary General of Ecommerce Europe, transaction failure rates across the EU are increasing and it is highly likely that new cliff-edges will appear in the near future. With the broader implementation of 3DS 2.0, the market will certainly be hit by other growing issues: enrollment, availability challenges, the usability of SCA exemptions and more.
New cliff-edges may come with gradual enforcement if certain issues are not addressed. While the penetration and use of 3D Secure continues to grow, network issues, challenges with enrollment, challenges with the availability and usability of exemptions, and other identified issues continue to impact the market.
“The focus of the next months should be on gathering data on performances, costs of implementation of SCA, and the impact of SCA implementation on fraud, rather than focusing solely on compliance data.” – The Secretary General of Ecommerce Europe
From a broader point of view, merchants will have to continue adapting to the demand for seamless payments, especially with the continued growth of mobile and wearable payments.
Conversion rates can be protected if merchants focus on adopting seamless payments, seamless authentication, data-driven offerings and, most importantly, authorisation through digital identity.
According to the latest updates on PSD2 and 3DS 2.0 implementation from MPE Virtual 2021, each member of the payment chain is going through a transition period. This causes implementation issues and the risk of cart abandonment for merchants.
Let’s look at the recent data showing transactions and success rate per merchant country
But let’s try to look at this matter from a more positive perspective, shall we? Spencer McLain (Ekata) claims the process should be perceived as a strategic opportunity to every part of the payment realm:
“For issuers, it’s about staying front of wallet and monitoring compliance risks, for merchants it’s about minimizing friction and maximizing conversion, while acquirers have a big role to play, as they are facilitating exemptions on behalf of the merchants, which means developing new capabilities and differentiating themselves from their competition in an increasingly commoditized space. And all these strategies are enabled with the use of rich data, and real-time fraud prevention” – Spencer McLain (Ekata)
On the other hand, there is still work to do in “the consumers field”. Consumers may still be unaware of the new requirements and may not really understand the process. They’ll only see another “step” added to the customer journey and may find it off-putting. More education in this area is required.
A recent survey by Netcetera shows that almost 30% of users still don’t understand rules and regulations when it comes to PSD2 and Strong Customer Authentication requirements.
3DS threats: security
Ironically (given that the main aim of SCA is to strengthen the payment network and reduce the risk of fraud for all electronic payments), the biggest risk of PSD2/SCA is that stricter regulation may result in increased fraud outside the EU. Fraudsters will target less secure non-EEA cards, for which SCA is not triggered, so payment providers (and merchants) outside the EEA will be at greater risk. (Need more information about SCA and the exemptions? Check the PSD2 guide here.)
According to researchers, in 2021 cyber-criminals remain active and share tips and advice on how to bypass the 3D Secure (3DS) protocol to commit payment fraud. Discussions have been detected on the dark web about ways to get past the security measures for card payments. The most common approach is a combination of phishing (to circumvent 3DS) and social engineering: instead of a direct attack, cybercriminals slowly work their way around the control by crafting the right kind of social engineering campaign.
On the other hand, experts from Gemini point out that 3DS 2.0 is more resistant to fraud thanks to the more than one hundred key data points (plus the merchant’s contextual data) that are used to validate the nature of the transaction.
Straal vs 3DS: our thoughts
As expected, it looks like there are already significant variations between countries when it comes to 3D Secure adoption rate and success. At Straal, we did everything we could (and continue to do so) to be prepared and we’ll operate in the new SCA reality.
Stephen Buechner, our Chief Risk Officer & Managing Director of UAB Straal Financial Services, comments: “We therefore offered a user-friendly training and awareness solution, and within the CS team we shared feedback and challenges shared by individual clients to build inclusive SOPs. This of course required ‘real-time’ support, which is of course a key component of the eCommerce industry we are in.
Our commitments to our service partners and our client base resulted in a smooth transition into the new environment defined by PSD2; however, we recognise that the ongoing evolution to secure the payments environment has only one constant: change. And the growing base of transaction solutions & channels, the expectations of the next generation of shoppers, as well as the innovation in fraud and fraud prevention solutions will continue to keep us on our feet.”
According to Tomasz Boboli, VP of Engineering at Straal, in 2020 Straal’s technical team worked on implementing full 3DSv2 support. It was necessary to extend the Straal API with the additional parameters required to perform 3DSv2 authorization and to update the integrations with acquiring banks. Straal enables processing of transactions through many acquiring banks and gateways, and each of them implemented 3DSv2 in its API in a slightly different way, so each of our integrations had to be updated separately.
“Changes on the merchants’ side were also required, so we had to have our implementation done in advance and be ready to support our customers. We conducted an information campaign among our partner merchants about 3DSv2 itself and the changes necessary in their integrations with Straal” says Tomasz.
Tomasz adds that one of the main problems was the lack of a clear answer to the question of whether cards registered before 3DSv2 came into force could continue to be charged in recurring payments without the need to re-register them. As the first weeks of 2021 showed, the vast majority of transactions did not require re-registration of cards; however, over time, some banks began to reject transactions and started requiring re-registration of cards with 3DSv2.
“The whole transition period went rather smoothly. We are monitoring authorization levels and current rates are comparable to those observed in Q4’2020 but we are ready to act if needed.” sums up the VP of Engineering at Straal.
Will we observe “the blame game” in the upcoming months/years? More competitiveness across ACQ/Issuers/Merchants? What about the out of scope transactions and failed authorizations? It’ll probably take a good few years until we start seeing real implications of PSD2 and 3DS in the payments landscape. One of the problems with PSD2 and 3DS in general, is that so much of it is ambiguous and open to interpretation.
That’s it for our summary of the key 3DS insights we’ve seen over the last months. We’d like to know whether this is in line with what you’re seeing, or whether there are other aspects we should look at for the next update. Please feel free to reach us via LinkedIn or email to share your feedback!
Are you interested in smart payment gateway services? Feel free to reach out to our Sales Team
More food for thought:
- Want to learn more about payments? Check the basics:
In Search of an International Payment Gateway
How to Prepare Your Website for Online Payments
3 Tips to Grow Your Online Business