May 27, 2020
With the current surge in eCommerce, there is a greater need to authenticate the identity of users during transactions and banking activities. The following article takes a deep dive into new regulations for authenticating online payments introduced in September 2019.
3D Secure 2.0 (3DS2) is the globally accepted security protocol designed to protect a cardholder’s credit card against unauthorized use online. It adds a layer of authentication to online credit and debit transactions at checkout. The purpose is to verify cardholder identity prior to authorization, to reduce online fraud, comply with international regulations, and increase cardholder confidence in the safety of their data in digital transactions.
3DS2 meets the Strong Customer Authentication (SCA) requirement under the second Payment Services Directive (PSD2). There is a lot to unpack here – let’s start with PSD2: This is a European directive designed to make payments safer, increase consumer protection, and foster innovation and competition by helping third party financial service companies to scale. A purpose of PSD2 is to foster international ecommerce.
Many businesses are getting up to speed on these new regulations and it is important to note that enforcement on the requirements will take place over the course of 2020 and 2021.
Here is a breakdown of PSD2 and 3DS2 with important details of each, and how they are connected.
What is PSD2?
The second Payment Services Directive (PSD2) is the second iteration of a European Union (EU) directive first introduced in 2007 to regulate payment services and payment service providers (PSPs). It requires stronger fraud prevention checks by merchants and issuers.
PSD2 impacts the merchant, issuer, and consumer differently. Consumers will see benefit around security and data protection. Issuers and merchants will face new challenges by becoming PSD2 SCA compliant and learning to comply with these new regulations in their online business practices.
There are two components of the directive:
- Open APIs
Banks must create open APIs that give new players access to bank accounts with the consent of the consumer. These new players (payment initiation and account information service providers) must be registered, licensed, and regulated. They access the consumer's payment account to make payments on their behalf (via credit transfers) and to provide them an overview of their various payment accounts.
- Strong Customer Authentication (SCA)
PSD2 requires SCA, which in turn requires two independent means of authentication. The goal of SCA is to reduce fraud by requiring merchants and issuers to validate consumers when they use electronic payment methods in the European Economic Area (EEA).
What are the SCA requirements?
SCA requires elements from at least two of the following independent categories for in-scope electronic payments:
- Knowledge: Something you know (e.g., your PIN or password)
- Possession: Something you have (e.g., your card or a registered phone)
- Inherence: Something you are (e.g., a biometric such as a fingerprint)
The two elements must be independent, so that compromising one does not compromise the other. While SCA reduces the risk of fraud and thereby protects customers, it also adds significant customer friction and disrupts the payment process. For that reason the regulation allows certain exemptions.
What are the Transaction Risk Analysis (TRA) Exemptions?
TRA identifies low-risk transactions under PSD2. The TRA exemption allows those transactions to bypass the SCA step, giving a frictionless journey to low-risk customers who would otherwise experience unwarranted friction.
The exemption can be applied by either the issuer (across its card portfolio) or the acquirer (across its merchant portfolio), and it is conditional on that PSP's own reference fraud rate: the PSP must stay below a fraud-rate threshold that is tied to the value of the individual transaction, with lower fraud rates unlocking the exemption for higher-value transactions up to a fixed cap. A PSP whose fraud rate rises above the threshold loses the exemption and must apply SCA.
How does 3DS2 connect with PSD2?
3DS 2.x (3DS2) was developed under EMVCo, whose members include Visa and Mastercard, and published in October 2016 as the successor to the original 3DS protocol; EMVCo owns the specification. EMVCo is owned by six member organizations: American Express, Discover, JCB, Mastercard, UnionPay, and Visa. Each brand adopts the current 3D Secure protocol into its own branded service, for example Verified by Visa, Mastercard SecureCode, and American Express SafeKey.
3DS2 is promoted as a solution for SCA that satisfies the requirements under PSD2 in Europe, but it can also be used on its own outside of Europe to provide customer authentication. Used this way it gives the merchant a PSD2-compliant way to authenticate the buyer: the issuer verifies that the person paying is the cardholder, using two independent elements where a challenge is required, which is what reduces the risk of fraud.
How does 3DS2 work?
3DS2 enables payment providers to send up to around 150 data points to the card issuer, including device details and order history, so that the issuer can judge whether the purchaser is the actual cardholder. The additional data enables the issuer to passively authenticate the cardholder (risk-based authentication) rather than asking for a password every time. If the data satisfies the issuer's risk rules, the transaction continues on the frictionless flow and needs no user input. If the issuer decides a challenge is required, customers have more flexible ways to authenticate than they did with 3DS, such as a fingerprint, app-based authentication, or a one-time password.
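The decision described above, modelled end to end as an added example (this is illustrative code written for this article, not EMVCo's specification, an issuer's real ACS logic, or Kount's product): the 3DS Server sends a small, hypothetical subset of the AReq data to the issuer, the issuer combines a toy risk score with the PSD2 TRA exemption test, and either returns a frictionless result or steps the cardholder up to a challenge that must satisfy two independent SCA categories (knowledge plus possession). The transStatus codes "Y", "C" and "N" are the real EMV 3DS values for authenticated, challenge required and not authenticated; the fraud-rate thresholds are the reference values from the Annex to Commission Delegated Regulation (EU) 2018/389 rather than something stated on this page; the field names, risk weights, cut-off of 50 and the OTP scheme are assumptions made for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Reference fraud-rate thresholds for the PSD2 TRA exemption (Annex to
# Commission Delegated Regulation (EU) 2018/389): exemption threshold value in
# EUR -> maximum reference fraud rate of the PSP claiming the exemption.
TRA_THRESHOLDS_EUR = [(100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001)]

SCA_CATEGORIES = {"knowledge", "possession", "inherence"}


def tra_exemption_applies(amount_eur: float, psp_fraud_rate: float) -> bool:
    """A PSP may skip SCA for an amount only if its reference fraud rate is at or
    below the rate tied to that amount band. Above EUR 500 there is no TRA exemption."""
    for max_amount, max_rate in TRA_THRESHOLDS_EUR:
        if amount_eur <= max_amount:
            return psp_fraud_rate <= max_rate
    return False


@dataclass
class AReq:
    """Hypothetical subset of the 3DS2 authentication request (AReq) sent by the
    3DS Server to the issuer's ACS. The real message carries far more fields."""
    amount_eur: float
    device_id: str              # device/browser fingerprint collected at checkout
    ip_country: str
    shipping_matches_billing: bool


@dataclass
class CardholderProfile:
    """What the issuer already knows about the cardholder (constructed sample)."""
    known_devices: set
    usual_countries: set
    password_sha256: str        # knowledge element
    otp_device_secret: bytes    # possession element: key shared with the registered device


def risk_score(areq: AReq, profile: CardholderProfile) -> int:
    """Toy risk model: points for each signal that deviates from the cardholder's history."""
    score = 0
    if areq.device_id not in profile.known_devices:
        score += 40
    if areq.ip_country not in profile.usual_countries:
        score += 30
    if not areq.shipping_matches_billing:
        score += 20
    return score


def ares_for(areq: AReq, profile: CardholderProfile, issuer_fraud_rate: float) -> dict:
    """Issuer-side decision. "Y" = authenticated on the frictionless flow,
    "C" = challenge required. Frictionless is only offered when the issuer may
    claim the TRA exemption for this amount AND the transaction looks low risk."""
    exempt = tra_exemption_applies(areq.amount_eur, issuer_fraud_rate)
    if exempt and risk_score(areq, profile) < 50:
        return {"transStatus": "Y", "reason": "frictionless (issuer TRA exemption, low risk)"}
    return {"transStatus": "C", "reason": "step-up: SCA challenge required"}


def issue_otp(profile: CardholderProfile, challenge_id: str) -> str:
    """Possession element: 6-digit OTP bound to this challenge and to the registered
    device's secret. A real ACS pushes it to the device; here it is returned for the demo."""
    mac = hmac.new(profile.otp_device_secret, challenge_id.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def complete_challenge(profile: CardholderProfile, challenge_id: str,
                       password: Optional[str], otp: Optional[str]) -> str:
    """Verify the submitted elements and count the distinct SCA categories they cover.
    PSD2 SCA needs at least two independent categories; anything less is "N"."""
    satisfied = set()
    if password is not None and hmac.compare_digest(
            hashlib.sha256(password.encode()).hexdigest(), profile.password_sha256):
        satisfied.add("knowledge")
    if otp is not None and hmac.compare_digest(issue_otp(profile, challenge_id), otp):
        satisfied.add("possession")
    return "Y" if len(satisfied & SCA_CATEGORIES) >= 2 else "N"


# Constructed sample data for the demo.
PROFILE = CardholderProfile(
    known_devices={"fp-a1b2"},
    usual_countries={"DE"},
    password_sha256=hashlib.sha256(b"correct horse").hexdigest(),
    otp_device_secret=b"demo-device-secret",
)
LOW_RISK = AReq(amount_eur=60.0, device_id="fp-a1b2", ip_country="DE", shipping_matches_billing=True)
HIGH_RISK = AReq(amount_eur=300.0, device_id="fp-zz99", ip_country="BR", shipping_matches_billing=False)

if __name__ == "__main__":
    print(ares_for(LOW_RISK, PROFILE, issuer_fraud_rate=0.0005))    # transStatus Y
    print(ares_for(HIGH_RISK, PROFILE, issuer_fraud_rate=0.0005))   # transStatus C
    otp = issue_otp(PROFILE, "chal-1")
    print(complete_challenge(PROFILE, "chal-1", "correct horse", otp))  # Y
    print(complete_challenge(PROFILE, "chal-1", None, otp))             # N: one category only
```

Two things in the model are worth noticing. The EUR 300 transaction is challenged even before its risk score is consulted, because an issuer with a 0.05% fraud rate may only exempt amounts up to EUR 250; and a correct OTP on its own never authenticates, because possession alone is one category, which is exactly the independence requirement SCA imposes.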
An advantage for merchants is that when 3DS2 is used to authenticate a transaction, liability for fraud-related chargebacks shifts from the merchant to the issuer. For example, if a lost or stolen card is used to complete a transaction that was authenticated with 3DS2, the card issuer, not the merchant, bears the chargeback for that transaction.
What are the challenges with 3DS2 authentication?
While there is an upside in using 3DS2 authentication, including compliance with PSD2 and a liability shift for merchants, there are also some limitations to using 3DS2 that merchants should be aware of as they research integrating the technology.
- The biggest limitation is that 3DS2 still creates customer friction: any transaction that requires 3DS2 step-up authentication forces the customer to verify their identity, which can result in cart abandonment by good customers. The average eCommerce abandonment rate is 67.4%. When asked why they abandon, 10% of shoppers cite a lengthy checkout process as the primary reason, most are unwilling to wait longer than three seconds, and 3DS2 authentication isn't instantaneous.
- The second challenge is that while 3DS2 protects against fraud at the point of payment, it does not protect against friendly fraud or policy fraud, nor against fraud elsewhere in the customer journey, such as account takeover and fraudulent new account creation.
- Not only does 3DS2 fail to cover all types of fraud, the liability shift is itself conditional: it applies only to fraud chargebacks arising from stolen or counterfeit cards. Friendly fraud, return abuse, marketing affiliate fraud, promo abuse, and loyalty abuse are not covered by the liability shift.
- Another big limitation is that while 3DS2 can prevent some fraud, it doesn't stop chargebacks and their consequences. Even though liability shifts from the merchant to the issuer, merchants with excessive chargebacks are still penalized and can be placed in high-risk programs that carry fines. This typically happens when a business lacks a fraud prevention solution. Examples of these programs are the Visa Fraud Monitoring Program (VFMP) and Mastercard's Excessive Fraud Merchant (EFM) program. In the worst case, the business can be blocked from processing payments with certain card brands.
- It should also be noted that 3DS2 authentication is not free. Each card issuer has a fee structure for its 3DS2 service, charged either per transaction or as a percentage of the transaction value.
- In addition, while the larger card brands have adopted the 3DS2 protocol, newer fintech payment methods and smaller card brands aren't guaranteed to support it.
Does 3DS2 replace the need for a fraud prevention solution?
While 3DS2 is an improvement over 3DS for securing transactions, and does screen out some fraud, it does not replace the need for a fraud prevention solution. If using 3DS2 to authenticate customers, an effective fraud solution is also recommended to cover the gaps listed above.
An effective fraud prevention solution protects every point of the customer journey and defends merchants against both known and emerging fraud attempts. To avoid liability for the types of fraud the 3DS2 liability shift does not cover, a fraud and risk management solution or chargeback guarantee is needed to reduce fraud and the resulting chargebacks.
How can Kount help?
A layered approach is recommended when using 3DS2 for customer authentication: businesses use Kount to protect against fraud at all points of the customer journey, and 3DS2 to authenticate customers.
Kount acts as the first line of defense in a transaction, preventing fraud before the transaction is approved and helping the merchant avoid placement in high fraud rate programs.
When Kount and 3DS2 are used together, customer friction is reduced: Kount screens for multiple types of fraud before checkout, 3DS2 passively authenticates more customers, and the need for step-up verification drops considerably. The result is lower friction and lower cart abandonment rates.