Here are some details about the security standard required by the Second EU Payment Services Directive (PSD2).
Implemented across several countries, PSD2 brings an updated Strong Customer Authentication requirement, delivered in practice through the 3DS 2.0 protocol, which reshapes the payments ecosystem.
Let’s discuss what 3DS 2.0 is. This piece also covers trends and industry concerns about the new protocol, with bonus commentary from Straal’s CCO, Chief Risk Officer and VP of Engineering. Enjoy!
A short recap of PSD2 and 3DS 2.0 vs 3DS 1 authentication
The Strong Customer Authentication (SCA) requirement has come into force in most European countries. Under the Directive, all transactions, regardless of amount, were to be processed under the PSD2 rules by 15th March.
Card schemes have developed a new version of the 3DS process called 3DS 2.0, which all merchants will use for transactions moving forward. 3DS 1.0 was an obligatory requirement on payment providers until PSD2 was fully enforced.
See the most recent enforcement plans below*
The UK Strong Customer Authentication for eCommerce payments was implemented on March 14 2022 by the FCA (Financial Conduct Authority).
But what is 3DS 2.0 anyway? Let’s start from the beginning.
Generally speaking, the 3DS protocol is a fraud prevention mechanism. It adds a layer of verification to confirm the authenticity of online card-based transactions. In practice it works like this: when a customer makes a purchase, they are redirected from your website to their bank’s authentication page, where they must enter a password or a code sent to their phone to complete the payment. This process helps protect you (as a merchant) from fraud and makes payments more secure.
3DS 1.0 (designed by Visa) was created as an additional security layer for online credit card transactions. Visa provided the service to its own customers, but Mastercard, JCB, American Express and Diners Club International have also adopted the protocol under the names SecureCode, J/Secure, SafeKey and ProtectBuy respectively.
According to the news, Visa will stop supporting 3DS 1.0 in October 2022, not 2021. Visa revised its previous announcement to give the market more time to prepare. The official statement says that from the 15th of October 2022, Visa will discontinue support of 3DS 1.0. As a result, from that day on, the fraud liability protection for merchants (provided by Visa) will be removed on all 3DS 1.0 fully authenticated or attempted-authentication transactions.
We wrote more about the implications for merchants regarding liability shift in Straal’s PSD2 guide.
3DS 2.0 is the newest version of the protocol. It differs from the first version in many ways. For one, it lets the site owner customise the authentication page and offers authentication methods that suit the customer, such as biometrics, text messages or passwords.
More on this topic: How can you comply with PSD2/SCA requirements?
Key benefits of 3DS 2.0
- Smooth payment process
- Fewer payment disruptions
- Smart fraud detection (to reduce card fraud) – more about the security issues later
- Complete integration in webshop and app
We’ve listed all the benefits in a quick and easy guide
In a nutshell, 3DS 2.0 is more customer-oriented and designed with mobile devices in mind (compared to 3DS 1.0).
‘According to Visa, the enhanced 3DS protocol (3DS 2.0) will reduce cart abandonment by 70% and checkout times by 85%’.
Read more about cart abandonment and how to avoid it in this entry.
Industry thoughts about the new security standard 3DS 2.0
Let’s move to the second part of this guide: the industry voice and Straal’s thoughts.
We wouldn’t be exaggerating if we said we expected a buzz in the media, but it turns out things are relatively quiet around the new regulation. As we are now in the middle of the SCA transition journey, we have to wait a little longer for the first serious case studies. Nevertheless, we decided to sum up what we’ve learned so far. Since there were so many moving parts and players involved, not every company in the chain was ready.
In some countries, the issuers are more prepared than in others. According to Finextra, “Not all merchants may be ready yet. Some may have completed the site coding needed to enable SCA but haven’t necessarily turned it on or haven’t turned it on permanently. Some issuers in different countries haven’t fully switched on SCA functionalities either. As a result, even if the merchant has launched SCA on its site, its customers may not be receiving the 3DS 2.0 identification challenges that enable SCA from the issuer”.
What will the payments market look like in 2021, given the dynamic changes related to 3DS?
As stated in Forbes: “In 2021, we will see a growth of interconnectivity, with accounts listed and payments conducted from within our favourite apps. But we will have to wait for PSD3 for universal bank account access to be every day for most banked people.”
As reported by ThePaypers, there has been a considerable risk of market failure since the beginning of 2021. “(…) the transactions authenticated with the new authentication protocol are currently very low. Furthermore, the level of complexity is getting higher with local regulators following different approaches with some proposing or considering soft decline programs and others relying on the EBA timelines.”
3DS 2.0 concerns: errors
Over the last months, there have been several technical errors around 3DS 2.0, but the situation is slowly improving. The terms that come up most often in these error reports are:
MIT – Merchant Initiated Transactions, for example the collection of subscription payments for a gym membership.
AAV – Accountholder Authentication Value – a transaction-specific token produced during authentication and passed to the issuer through the Universal Cardholder Authentication Field.
DS TRANS ID – the Directory Server transaction ID, an identifier that links the data used for authentication with the subsequent authorisation.
Learn more in our simple PSD2 guide.
3DS 2.0 transactions
The volume of 3DS2 transactions nearly doubled in 2021 compared to 2020.
To date the UK, Ireland and Sweden are the best-performing markets. This is due to their ‘online payments’ experience and advanced technology.
The last months have shown that errors mostly relate to incorrect flagging at the authorization level (for example, an incorrect SCA exemption). Other errors relate to the authentication process itself (merchants sending inaccurate 3DS2 fields, issuers having issues while authenticating customers in mobile apps, etc.). In addition, merchants have zero control over the issuers’ authentication method.
Looking ahead, according to Raluca Constantinescu, Secretary-General of Ecommerce Europe, writing on The Paypers, transaction failure rates across the EU are increasing, and new cliff-edges will likely appear in the near future. Furthermore, with the broader implementation of 3DS 2.0, the market will be hit by other growing issues: enrollment, availability challenges, SCA exemptions and usability.
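The two error classes named above (wrong SCA flagging at authorization, and inaccurate 3DS2 fields) are exactly the things a merchant integration can check before a request leaves the system, and the terms from the glossary (MIT, AAV, DS Trans ID) are the fields involved. The following is an added example written for this article, not Straal’s API or any scheme’s reference code. It models the authentication result with EMV 3DS 2.x field names (transStatus, eci, authenticationValue, dsTransID, messageVersion) and then checks that the authorization is flagged consistently: a merchant-initiated subscription charge must reference the original SCA-authenticated transaction and carry no exemption, a customer-initiated charge needs either a usable 3DS result or a valid exemption, and the ECI and AAV must agree with the transaction status. The scheme ECI values, the 20-byte AAV length, the EUR 30 low-value ceiling and all sample identifiers are assumptions for the example, marked in the code.

```python
"""Added example: consistency checks on 3DS 2 data and SCA flagging before an
authorization request is built.  Not Straal's API; field names follow EMV 3DS
2.x naming, the ECI values, AAV length and EUR 30 ceiling are assumptions."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# DS Transaction ID is a UUID in EMV 3DS 2.x.
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# ECI values commonly used for authenticated / attempted / not authenticated
# (assumption): Visa 05 / 06 / 07, Mastercard 02 / 01 / 00.
ECI = {
    "visa": {"authenticated": "05", "attempted": "06", "none": "07"},
    "mastercard": {"authenticated": "02", "attempted": "01", "none": "00"},
}
LOW_VALUE_LIMIT_CENTS = 3000  # PSD2 RTS low-value exemption ceiling, EUR 30.00


@dataclass
class AuthResult:  # what the 3DS Server hands back (constructed model)
    trans_status: str                    # Y, A, N, U, R, or C (challenge pending)
    eci: str
    authentication_value: Optional[str]  # AAV (Mastercard) / CAVV (Visa), Base64
    ds_trans_id: str                     # DS Transaction ID
    message_version: str                 # e.g. "2.2.0"


@dataclass
class Authorization:  # the request the merchant is about to send (constructed)
    amount_cents: int                    # EUR cents
    initiator: str                       # "cit" (cardholder present) or "mit"
    exemption: Optional[str]             # e.g. "low_value", "tra", or None
    initial_trans_ref: Optional[str]     # the SCA'd CIT that set up a MIT series
    three_ds: Optional[AuthResult]


def _valid_aav(value: Optional[str]) -> bool:
    # Visa CAVV and Mastercard AAV are usually 20 bytes, Base64-encoded (assumption).
    if not value:
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 20
    except ValueError:
        return False


def validate_auth_result(res: AuthResult, scheme: str) -> List[str]:
    """Return the problems found in the 3DS data; an empty list means it is usable."""
    issues: List[str] = []
    eci = ECI[scheme]
    if not res.message_version.startswith("2."):
        issues.append("not a 3DS 2 result")
    if not UUID_RE.match(res.ds_trans_id):
        issues.append("dsTransID is not a UUID")
    if res.trans_status == "C":
        issues.append("challenge still pending; wait for the final result")
    elif res.trans_status in ("Y", "A"):
        outcome = "authenticated" if res.trans_status == "Y" else "attempted"
        if res.eci != eci[outcome]:
            issues.append(f"ECI {res.eci} does not match transStatus {res.trans_status}")
        if not _valid_aav(res.authentication_value):
            issues.append("authentication value (AAV/CAVV) missing or malformed")
    elif res.trans_status in ("N", "U", "R"):
        if res.eci != eci["none"]:
            issues.append(f"ECI {res.eci} claims authentication but transStatus is {res.trans_status}")
        if res.authentication_value:
            issues.append("authentication value present although not authenticated")
    else:
        issues.append(f"unknown transStatus {res.trans_status!r}")
    return issues


def validate_authorization(auth: Authorization, scheme: str) -> List[str]:
    """Check that SCA flagging (CIT vs MIT, exemption, 3DS data) is consistent."""
    issues: List[str] = []
    if auth.initiator == "mit":
        # Merchant-initiated (e.g. a gym subscription) is out of SCA scope: it needs
        # the reference to the original SCA'd transaction, not fresh 3DS data.
        if not auth.initial_trans_ref:
            issues.append("MIT must reference the original customer-initiated transaction")
        if auth.exemption:
            issues.append("MIT is out of SCA scope; do not flag an exemption")
        if auth.three_ds is not None:
            issues.append("MIT carries 3DS data although no cardholder is present")
        return issues
    if auth.three_ds is None and auth.exemption is None:
        issues.append("CIT without SCA result or exemption; expect a soft decline")
    if auth.exemption == "low_value" and auth.amount_cents > LOW_VALUE_LIMIT_CENTS:
        issues.append("low-value exemption flagged above the EUR 30 ceiling")
    if auth.three_ds is not None:
        problems = validate_auth_result(auth.three_ds, scheme)
        issues.extend(problems)
        if not problems and auth.three_ds.trans_status in ("N", "U", "R"):
            issues.append("authentication did not succeed; do not authorize")
    return issues


# Constructed sample data: the UUID and the AAV bytes are made up.
SAMPLE_DS_TRANS_ID = "3f2504e0-4f89-41d3-9a0c-0305e82c3301"
SAMPLE_AAV = base64.b64encode(bytes(range(20))).decode()
OK_RESULT = AuthResult("Y", "05", SAMPLE_AAV, SAMPLE_DS_TRANS_ID, "2.2.0")
WRONG_ECI = AuthResult("Y", "07", SAMPLE_AAV, SAMPLE_DS_TRANS_ID, "2.2.0")
SUBSCRIPTION_MISFLAGGED = Authorization(2999, "mit", "low_value", None, None)
LOW_VALUE_TOO_HIGH = Authorization(5000, "cit", "low_value", None, None)
```

Run `validate_authorization(SUBSCRIPTION_MISFLAGGED, "visa")` to see the two flagging mistakes (a subscription charge sent as an exemption rather than as a MIT with its original reference), and `validate_auth_result(WRONG_ECI, "visa")` to see an ECI that contradicts the authentication status; both are the kind of mismatch issuers reject at authorization. Real integrations would take the threshold and ECI tables from the acquirer’s documentation rather than the constants used here.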
While the penetration and use of 3D Secure continue to grow, network issues, enrollment challenges, availability and usability of exemptions, continue to impact the market.
“The focus of the next months should be on gathering data on performances, costs of implementation of SCA, and the impact of SCA implementation on fraud, rather than focusing solely on compliance data.” – The Secretary General of Ecommerce Europe
Global view of 3DS 2.0
From a broader point of view, merchants will have to continue adapting to the demand for seamless payments, especially with the continued growth of mobile and wearable payments.
Conversion rates can be protected if merchants focus on seamless payments and authentication, data-driven offerings and, most importantly, authorisation through digital identity.
According to the latest updates on PSD2 and 3DS 2.0 implementation notes from MPE Virtual 2021, each member of the payment chain is going through a transition period. As a result, it causes implementation issues and the risk of cart abandonment for merchants.
Let’s look at the recent data showing transactions and success rates per merchant country.
But let’s try to look at this matter from a more positive perspective, shall we? Spencer McLain (Ekata) claims the process should be perceived as a strategic opportunity for every part of the payment realm. He adds:
“For issuers, it’s about staying front of wallet and monitoring compliance risks, for merchants it’s about minimizing friction and maximizing conversion, while acquirers have a big role to play, as they are facilitating exemptions on behalf of the merchants, which means developing new capabilities and differentiating themselves from their competition in an increasingly commoditized space. And all these strategies are enabled with the use of rich data, and real-time fraud prevention” – Spencer McLain (Ekata)
On the other hand, there is still work in “the consumer’s field”. They may still be unaware of the new requirements and don’t understand the process. They’ll only see another “step” added to the customer journey and may find it disturbing.
A recent survey by Netcetera shows that almost 30% of users still don’t understand rules and regulations regarding PSD2 and Strong Customer Authentication requirements.
3DS threats: security
The most significant risk of PSD2/SCA is that stricter regulations may result in increased fraud outside of the EU, as fraudsters target less secure non-EEA cards. Need more information about SCA and the exemptions? Check our PSD2 guide here. Payment providers (and merchants) outside the EEA will be at greater risk.
According to researchers, in 2021, cyber-criminals will remain active and share tips and advice on bypassing the 3D Secure (3DS) protocol to commit payment fraud. Discussions on the dark web concern ways to break through security measures for card payments. Usually, the most common methods include a clever combination of a phishing attack (to circumvent the 3DS) and social engineering. Instead of a direct attack, cybercriminals slowly make their way around and craft the right kind of social engineering campaign.
Straal vs 3DS: our thoughts
As expected, there are already significant variations between countries when it comes to 3D Secure adoption rate and success. At Straal, we did everything we could to prepare, and we’ll operate in the new SCA reality.
Stephen Buechner, our Chief Risk Officer & Managing Director of UAB Straal Financial Services, comments: “We, therefore, offered a user-friendly training and awareness solution, and within the CS team, we shared feedback and challenges shared by individual clients to build inclusive SOPs. Of course, this required ‘real-time’ support, which is a crucial component of the eCommerce industry we are in.
Our commitments to our service partners and our client base resulted in a smooth transition into the new environment defined by PSD2; however, we recognise that the ongoing evolution to secure the payment environment has only one constant: change. The growing base of transaction solutions & channels, the expectations of the next generation of shoppers, and the innovation in fraud and fraud prevention solutions will continue to keep us on our feet.”
Straal Engineering on Implementing 3DS V2.0
According to Tomasz Boboli, VP of Engineering at Straal, in 2020 Straal’s Technical Team worked on implementing full 3DSv2 support. It was necessary to extend the Straal API with the additional parameters required to perform 3DSv2 authorization and to update the integrations with acquiring banks. Straal processes transactions through many acquiring banks and gateways, and each of them implemented 3DSv2 in its API in a slightly different way, so each of our integrations had to be updated separately.
“Changes on the merchants’ side were also required. So we had to have our implementation done in advance and be ready to support our customers. Therefore, we conducted an information campaign among our partner merchants about 3DSv2 itself and the changes necessary in their integrations with Straal,” says Tomasz.
Tomasz adds that one problem was the lack of clarity as to whether cards registered before 3DSv2 came into force could still be charged in recurring payments. This raised the question of whether cards would need to be re-registered. As the first weeks of 2021 showed, most transactions did not require re-registration of cards. However, over time some banks began to reject transactions and started requiring cards to be re-registered with 3DSv2.
“The whole transition period went rather smoothly. We monitor authorisation levels. Current rates are comparable to those observed in Q4’2020, but we are ready to act if needed,” sums up the VP of Engineering at Straal.
Will we observe “the blame game” in the upcoming months and years? More competitiveness across acquirers, issuers and merchants? What about out-of-scope transactions and failed authorizations? It’ll probably take a good few years to see the real implications of PSD2 and 3DS in the payments landscape. One of the problems with PSD2 and 3DS in general is that they are ambiguous and open to interpretation.
Feel free to reach out to our Sales Team to learn all about Straal!
Food for thought:
Want to learn more about payments? Check out the basics:
- In Search of an International Payment Gateway
- How to Prepare Your Website for Online Payments
- 3 Tips to Grow Your Online Business