PSD2 Optimization: A Better Way to Comply with Payment Regulations

Morgan Ackley | Wednesday, June 19th, 2024 | 7 minutes

To do business within the European Union (EU) and the European Economic Area (EEA), you have to follow the rules laid out in the PSD2 directive. Solutions to help protect consumers and keep you compliant may come with unexpected costs — in fees and loss of sales. However, there is an alternative way to ensure you’re following PSD2 rules that saves you money and boosts your sales.

What is PSD2?

The revised Payment Services Directive (PSD2) is the second iteration of a European Union directive to regulate payment services and payment service providers. It applies to all payments made and received within the EEA.

First introduced in 2007, the directive was designed to make EU payments more efficient, improve competition amongst third-party service providers, enhance protection for EU businesses and consumers, and make payments safer. However, it can present some challenges for banks and merchants.

For example, banks must comply with the following requirements in order to process payments.

  • Offering transaction and device monitoring to identify unusual payment activity.
  • Using an open application programming interface (API) that gives third-party payment service providers access to consumer payment accounts.

Merchants must comply with the following requirement. If you fail to do so, your acquirer may decline your transactions.

  • Implementing Strong Customer Authentication (SCA) tools to ensure that payments are sent and received by the correct parties.

SCA is essentially two-factor authentication. It requires customers to provide two of the following three kinds of identity confirmation:

  • Something they know (a PIN)
  • Something they have (a card)
  • Something they are (biometric identifiers)

What are TRA Exemptions?

Transaction Risk Analysis (TRA) exemptions allow businesses to bypass SCA requirements for transactions that meet certain conditions. Although SCA is generally good for both consumers and businesses, it has some drawbacks. For example, it adds an extra verification step to the payment process, which increases customer friction.

TRA exemptions apply to low-risk transactions below a certain threshold. As a merchant, you can show your acquirer that a transaction meets the requirements for an exemption, but it’s up to the acquirers or issuers to make the request. Exemption amounts are limited by your acquirer’s fraud rate.

Here’s a breakdown of the requirements for a TRA exemption.

Transaction Amount    PSP Fraud Rate
€0 - €100             Up to 0.13%
€0 - €250             Up to 0.06%
€0 - €500             Up to 0.01%

So, for example, if a transaction is less than €100 and the acquirer’s fraud rate is 0.13% or less, SCA will not be enforced. However, if a transaction is more than €500 or the acquirer’s fraud rate is higher than 0.13%, SCA will be enforced.

The European Banking Authority also requires that acquirers use fraud prevention technology to detect high-risk behavior and known patterns of fraud.

Where Does 3DS2 Fit Into the Picture?

3-Domain Secure 2.0 (3DS2) is an authentication protocol that banks and financial institutions use to authenticate online transactions. It is widely used as a solution for SCA that satisfies PSD2 requirements in Europe. Visa and Mastercard created 3DS2 jointly in October 2016 to update 3DS regulations. It can also be used on its own outside of Europe for customer authentication; however, many non-European merchants have yet to adopt the protocol.

How 3DS2 Works

3DS2 allows payment providers to send 150 data points — including device and order history — to a customer’s bank so that the bank can determine if the purchaser is the actual cardholder. The additional data helps the bank passively authenticate the cardholder rather than asking for a password.

For example, if the data provided matches the bank’s requirements, the transaction can continue without additional verification. If the data does not match, customers will need to authenticate themselves using a thumbprint, app-based authentication, or one-time password.

Why 3DS2 is Used

Most businesses located within the EEA send every transaction through 3DS2 to comply with PSD2. And that’s because it reduces fraud and shifts the chargeback liability back to the issuer. For example, if a lost or stolen card is successfully used to complete a transaction, the card issuer is liable for any chargebacks instead of the merchant.

3DS2 is an easy, hassle-free solution that’s been widely adopted by EU merchants. However, it’s not the only way to comply with PSD2 requirements. And it may not be the most efficient, cost-effective method either.

5 Challenges with 3DS2 Authentication

The liability shift is a major benefit of 3DS2; however, it comes with some drawbacks.

1. Cart abandonment.

3DS2 creates customer friction with any transaction that requires step-up authentication. Too much of this friction can discourage customers and lead to cart abandonment — costing you sales and revenue.

2. Limited fraud protection.

3DS2 only protects against fraud at the point of payment. It doesn’t protect against other threats — such as first-party fraud (or friendly fraud), refund or return fraud, or account takeover fraud. Unfortunately, there are fraud risks throughout the customer journey, so you need more than just pre-authorization protection.

3. Restricted liability shift.

The liability shift for 3DS2 is limited to certain instances of fraud and occurs only in the case of fraudulent chargebacks from stolen or counterfeit cards. It does not apply to recurring transactions, so merchants are still responsible for chargebacks that occur due to first-party fraud.

4. Dispute and chargeback risks.

While 3DS2 can prevent some fraud use cases, it doesn’t completely stop customer disputes and chargebacks. You still need to have a separate strategy to manage non-fraud disputes — such as customers claiming items were never delivered or arrived damaged.

5. Additional fees.

3DS2 authentication is not free. Each card issuer has a fee structure for their 3DS2 protocol. Fees are established on a transaction basis or a percentage of a transaction. So each time you send a transaction through 3DS2, you pay a fee to authenticate it. The problem is that you don’t need to do this. There are other ways to fulfill this requirement.

How to Save Sales and Maintain PSD2 Compliance

3DS2 is a great tool. There’s no doubt about it. However, you don’t need to send every single transaction through it in order to be compliant. You can supplement 3DS2 with a fraud prevention tool — giving you better, complete protection and saving you money.

Partner with a fraud prevention solution provider.

Did you know that a fraud solution can fulfill the SCA requirement and reduce the need for further customer authentication protocols? Well, it can. And it comes down to finding the right solution provider — one that can meet all your business needs.

How does a fraud solution fulfill the SCA requirement?

Fraud technology collects and analyzes user data whenever a customer makes a purchase. It then decides if the data provided — such as device, location, address, etc. — matches the cardholder’s data. Through this process, the technology authenticates the necessary elements of SCA requirements.

How does a fraud solution solve the challenges with 3DS2?

There are a variety of ways fraud technology can help solve the challenges that come with 3DS2.

1. It provides complete fraud protection.

Payment fraud isn’t the only threat you’re going to encounter. But 3DS2 only covers you at the point of payment. However, fraud technology — like Kount — can protect you at every stage of the customer journey. From account creation to post-purchase, you can protect your business from unfair chargebacks and disputes.

2. It reduces customer friction and cart abandonment.

3DS2 requires customers to complete a two-factor authentication — such as entering a password and providing a code sent to a phone. This amount of friction could turn away many good customers — costing you legitimate sales. You can bypass this friction for certain orders, but figuring out what orders apply can be complicated and time-consuming.

Fortunately, a fraud solution can simplify the whole process. For example, if the technology marks a transaction as low-risk, you can leverage TRA exemptions and bypass additional authentication steps. In doing so, you can eliminate unnecessary friction applied to good customers and avoid cart abandonment.

3. It cuts costs and unnecessary fees.

Right now, you likely send all your transactions — even ones you highly suspect are fraud — through 3DS2, right? That’s kind of a waste.

For example, say you get hit with a card testing attack. Over 100 transactions are processed, all fraudulent. You have to pay a fee for each transaction to go through 3DS2. If you had a fraud solution in place, you could outright decline those orders because the technology easily identifies them as fraudulent.

Send only necessary transactions through 3DS2.

Implementing a fraud solution is only one half of the equation to better risk management. It’s still a good idea to use 3DS2, but only when necessary.

For example, if an order is flagged as suspicious by a fraud solution — that is, it’s not automatically accepted or declined — you should send it through 3DS2. There may be elements of the order that look legitimate and others that don’t. 3DS2 can help provide extra security in these instances so you aren’t responsible for a potentially fraudulent transaction.

By sending fewer transactions through 3DS2, you wind up only paying for what you truly need, which saves you from a huge drain on revenue. Additionally, when you take care of fraudulent orders upfront, your business looks safer and more secure to banks and card brands. So you can improve your reputation and relationships with issuers and acquirers.
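The following is an added example (not Kount’s code, and not part of the original post) that turns the TRA exemption table from earlier in the article and the routing rule just described into a small merchant-side decision function: obvious fraud is declined without paying a 3DS2 fee, low-risk orders inside a TRA band are flagged for an exemption, and everything else goes to 3DS2. The fraud tool’s "accept"/"review"/"decline" verdict labels, the 0.10% acquirer fraud rate and the per-transaction 3DS2 fee are assumptions; as the article notes, the acquirer or issuer still makes the actual exemption request.

```python
from dataclasses import dataclass

# TRA exemption bands from the article's table: the amount band fixes the
# highest acquirer (PSP) fraud rate at which the exemption can be requested.
TRA_BANDS = [(100.0, 0.13), (250.0, 0.06), (500.0, 0.01)]

def tra_exempt(amount_eur: float, psp_fraud_rate_pct: float) -> bool:
    """True if an order of this amount falls in a TRA band whose fraud-rate
    ceiling (in percent) the acquirer meets. Above EUR 500 SCA always applies."""
    if amount_eur <= 0:
        return False
    for max_amount, max_rate in TRA_BANDS:
        if amount_eur <= max_amount:
            return psp_fraud_rate_pct <= max_rate
    return False

@dataclass
class Order:
    order_id: str
    amount_eur: float
    risk: str  # fraud tool verdict: "accept", "review" or "decline" (assumed labels)

def route_order(order: Order, psp_fraud_rate_pct: float) -> str:
    """Merchant-side routing: decline obvious fraud (no 3DS2 fee), flag low-risk
    in-band orders for a TRA exemption, and send the rest through 3DS2."""
    if order.risk == "decline":
        return "decline"
    if order.risk == "accept" and tra_exempt(order.amount_eur, psp_fraud_rate_pct):
        return "tra_exemption"  # no step-up; acquirer/issuer still makes the request
    return "3ds2"  # "review", or an amount above its band: authenticate, shift liability

def route_batch(orders, psp_fraud_rate_pct):
    return {o.order_id: route_order(o, psp_fraud_rate_pct) for o in orders}

def fees_saved(routes, fee_per_3ds2_eur):
    """3DS2 fees avoided compared with sending every order through 3DS2."""
    return round(sum(fee_per_3ds2_eur for r in routes.values() if r != "3ds2"), 2)

# Constructed sample: a card-testing burst of tiny declined orders plus three
# genuine ones, evaluated against an assumed acquirer fraud rate of 0.10%.
SAMPLE = [Order(f"ct-{i}", 1.00, "decline") for i in range(5)] + [
    Order("legit-80", 80.00, "accept"),    # inside the EUR 100 band at 0.10%
    Order("legit-300", 300.00, "accept"),  # EUR 500 band needs <= 0.01%: 3DS2
    Order("odd-40", 40.00, "review"),      # mixed signals: let 3DS2 decide
]

if __name__ == "__main__":
    routes = route_batch(SAMPLE, 0.10)
    print(routes, "3DS2 fees saved:", fees_saved(routes, 0.05))
```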

Want to Learn More About Your Options?

3DS2 isn’t your only option. It’s great to use, but you can achieve better results by combining 3DS2 with a fraud prevention solution. And Kount can help you find the balance that works best for your business. If you want to learn more about creating a better risk management strategy, contact us. We’d be happy to help.



Morgan Ackley

Content Strategist

Morgan has worked in the tech industry for over 5 years. Her breadth of knowledge and curiosity about technology and all things fraud-related drive her to craft compelling, educational pieces for readers seeking answers.