PSD2: Regaining Checkout Control Through Delegated Authentication

As the payment sector continues to adjust to the implementation of PSD2, Galit Michel, VP of Payments at Forter, spoke to Payment Expert about how it has evolved the landscape.

Payment Expert: Can you tell us more about the impact PSD2 has had on conversions? 

Galit Michel: For months, the payment ecosystem speculated what impact PSD2 will have on conversions. Many merchants feared that PSD2 would harm their conversion rates and customer checkout experience, leading to a decline in revenue generation and profitability.

While the FCA has recently announced that it is extending the UK deadline for SCA compliance by 6 months, to 14th March 2022, PSD2 has already been enforced throughout Europe’s major ecommerce marketplaces. This has significantly impacted conversion rates, and subsequently, merchants’ bottom lines. 

For example, ecommerce merchants in France and Spain have experienced on average a 25% reduction in conversion rates, a 30% reduction in Germany, and up to 40% of transactions are being lost in Italy, costing merchants millions of Euros per month. Many of these transactions can be exempted or excluded from the scope of PSD2 – Forter has been able to restore approval rates for several large merchants to a level very close to their pre-enforcement baseline, but this involves sophisticated technical solutions that not all merchants can take advantage of.

PSD2 and its impact on conversions and revenue generation have forced merchants to re-examine the control they have over authentication and increased the urgency to prepare for delegated authentication. 

PE: How significant is the friction on the payment journey when it comes to 3DS?

GM: For consumers, 3D-Secure (3DS) adds friction to the checkout process, increasing abandonment and negatively impacting the customer experience. Within the payment ecosystem, 3DS adds an additional verification step, complicating the authorisation journey and increasing the chances of a legitimate transaction being declined. 

Looking further at the negative impact of 3DS on conversions reveals how unprepared the payment ecosystem and the consumers are for the regulation.

In Germany for example, 17-20% of transactions are lost due to customer abandonment during the 3DS process, and another 20-22% of transactions fail 3DS authentication. The high customer abandonment rates and 3DS failure rates show that consumers are not prepared for the new regulation and are not handling the increased friction well. High 3DS authentication declines are the result of technical failure or issuer decline. This indicates that the payment ecosystem is not fully prepared to handle the new regulation.

In other countries, such as France and the UK, 3DS has a higher success rate (80% and 85% respectively), however, even there, merchants are still losing out on transactions and their revenue generation is impacted. The result is a direct negative impact on revenue generation, profitability, and customer satisfaction. 

PE: Can you tell us about some of the key differences between 3DS2.1 and 3DS2.2?

GM: The 3DS protocol has undergone significant changes since its development. The original version of 3DS, also known as 3DS1, was created in 1999 by Visa when the only way to complete digital transactions was via a personal computer. 3DS1 is extremely unfriendly towards users, is not mobile-friendly, and is the least desired version of 3DS. 3DS1 also does not support exemptions. 

3DS2, on the other hand, is the latest version of 3DS that was designed to reduce customer friction and meet PSD2 SCA compliance requirements. The way 3DS optimises customer experience is by sending more data to the issuing bank. This enables dynamic 3DS and reduces friction for consumers.

In the coming months, issuers are expected to roll out the new version of 3DS2, also known as 3DS2.2. The new iteration will enable merchants to request exemptions via the 3DS rails, getting a direct response from the issuer in the event of exemption approval. It will also enable merchants to open the 3DS challenge if a transaction is not approved. This will increase the ability to leverage transaction risk analysis (TRA) exemptions to their benefit as well as to establish themselves as a trusted merchant. 

Another key difference between 3DS2.1 and 3DS2.2 is the ability to support delegated authentication. Under 3DS2.2, issuers can enable delegated authentication and shift authentication to merchants or selected third parties.

Merchants that want delegated authentication to be part of their PSD2 SCA strategy need to ensure that their payment ecosystem is prepared to support 3DS2.2 when it goes into effect. 

PE: Has the importance of fraud protection with delegated authentication increased following the pandemic?

GM: If merchants want to take transaction authentication upon themselves or delegate it to a third-party of their choice, they must realise that in doing so, they, or the third party acting on their behalf, will assume full chargeback liability. This, in turn, will increase a merchant’s risk exposure. 

To mitigate that risk, merchants need to ensure they have a strong fraud protection solution in place. This is particularly crucial when dealing with transactions that are not low value or low risk. If a merchant wants to process high-value transactions, the authentication they need to use must match the risk level of the transaction, and as a result, their need for a powerful fraud prevention solution will increase. 

As more consumers shift to online and merchants continue to expand to new channels, services, and markets, fraudsters have become more innovative, finding new and more efficient ways to commit fraud and abuse, as well as new vulnerabilities in under-protected areas of the buying journey. Merchants need to prepare for more sophisticated and automated forms of fraud, as fraudsters look for vulnerabilities at every point of the customer purchasing journey. 

Having a strong fraud solution will enable merchants to effectively ensure that they take authentication liability upon themselves for transactions that do not pose a financial risk. A strong fraud protection solution is also crucial for exemption requests, and as a result, should be part of a merchant’s payment optimisation suite.

Fraud prevention solutions will enable merchants to analyse each transaction in real time and determine the best course of action per consumer. This will automatically direct each consumer to a checkout experience best suited for them, reducing risk and liability exposure.

Many fraud prevention solutions will even be prepared to take liability upon themselves, making it a true win-win for merchants who want to leverage exemptions, reduce risk and utilise delegated authentication. 

PE: Have we seen merchants take a more heightened role in the checkout process, and why do you think this is?

GM: In the past, many merchants effectively outsourced the payment and checkout part of their business; for example, having a checkout page that was completely hosted by a third-party. But merchants have now realised that a seamless checkout experience is not just a commodity, but can be a competitive differentiator that has a significant impact on revenue generation and profitability. As a result, they are thinking about it much more strategically and investing in the resources to be able to effectively manage it in-house. 

The ability to delegate authentication to merchants is part of this ongoing trend that increases merchants’ role in the payment experience, giving them back control of the customer experience throughout the checkout journey. The independence that delegated authentication provides merchants is in line with PSD2 and issuers’ role. As a result, it is a great strategy for merchants who prioritise their customer needs and payment expectations.

To ensure they are ready to take upon themselves authentication responsibility when delegated authentication is feasible, the entire payment ecosystem must shift, and issuers must release 3DS2.2 to merchants. Merchants that have low-risk levels, strong fraud protection and advanced payment infrastructures should be in touch with their PSP or 3DS provider and ensure they are notified when 3DS2.2 is released, if their payment ecosystem supports it, and if they will be able to take advantage of delegated authentication. 

Merchants that want to continue providing their customers with a user-friendly seamless checkout experience must argue for delegated authentication from their issuers.