A little more than a year on from the enforcement of PSD2, Galit Shani-Michel, VP of Payments at Forter, writes on how the landscape for fighting fraud has evolved.
Over that year, every merchant across France, Germany, Italy and Spain — the EEA’s largest digital commerce markets — started complying with PSD2. Here at Forter, we analysed our data to determine what merchants are doing to comply with PSD2, asking, “has it reduced fraud rates?”
Origins of PSD2 and the use of 3DS
A key driver of the PSD2 regulations has been the desire to protect consumers against fraud by securing digital payments for Card Not Present (CNP) transactions with Strong Customer Authentication (SCA). According to the ECB’s 7th Report on Card Fraud, 80% of the value of card fraud in 2019 resulted from CNP transactions, reaching an estimated €1.50 billion in fraud losses.
SCA makes life more difficult for would-be fraudsters by introducing customer identification checks at checkout. While these checks can reduce fraud, they aren’t 100% effective. Sophisticated fraudsters can still find ways to get around two-factor authentication (2FA), which is typically enabled by 3-D Secure (3DS). One way that bad actors bypass 2FA is by spoofing mobile phone numbers to intercept the one-time passcodes (OTPs) needed to verify transactions.
In the same way that not all fraud is blocked by SCA, not all traffic blocked by SCA is fraud. Merchants are correct in their concern over the adoption of SCA because of the significant friction it adds to the shopping journey. This friction is clearly hurting customer conversion rates. Many legitimate customers won’t continue with a transaction if it means physically getting up to answer a 2FA request on their phone. Also, the 2FA challenge presents customers with another opportunity to rethink their purchase.
PSD2 allows many transactions to be exempted from SCA when a merchant’s PSP has an effective risk-analysis tool in place, one that determines when certain transactions are low risk. This allows the merchant to offer their customer a frictionless checkout experience.
The method of identifying low-risk transactions is called Transaction Risk Analysis (TRA) and can be very useful when navigating SCA requirements. TRA can be used on transactions below €500, but only when the Acquirer applying the exemption has a low rate of fraud. For transactions under €100, the fraud rate should be below 13 bps (in other words, fewer than 0.13% of an Acquirer’s transactions can be fraudulent). The larger the transaction value, the lower the allowed fraud rate. Even after the Acquirer flags a transaction as exempt following TRA, the final say on whether to approve a transaction (or not) sits with the Issuer. When it comes to exemptions, having more than one PSP to route different transactions can also significantly impact your overall transaction approval rate.
Those merchants optimising their exemptions by using Transaction Risk Analysis (TRA) and multiple PSPs will be able to more effectively navigate the headwinds that PSD2 has started introducing to their business.
What does compliance look like?
The most common way for merchants to comply with the SCA requirements has been to rely on 3DS with friction for in-scope transactions. 3DS makes the customer validate their identity using: something they know (e.g., password), something they have (e.g., smartphone), or something they are (e.g., fingerprint). The two most common approaches merchants have taken to meet the SCA requirement are sending every transaction to 3DS or attempting to exempt every transaction from 3DS. Either of these strategies will produce suboptimal results.
Sending every transaction to 3DS means adding more friction to the shopping journey than necessary, inviting an increasing number of customers to abandon their purchases, and introducing the possibility of 3DS failure.
Attempting to exempt every transaction wrongly assumes that ineligible transactions will only receive a soft decline from the Issuer, allowing the Acquirer to reroute the transaction through 3DS. This is not the case, and it will increase the number of hard declines received, not just soft declines. Payment friction will lower shopping cart conversion rates and lead to an overall loss in completed transactions and revenue.
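The TRA tiering and the routing choice described above (request the exemption only when eligible, otherwise challenge with 3DS), as an added example that is not Forter's code. The €100 / 13 bps tier is the one stated in the text; the €250 / 6 bps and €500 / 1 bps tiers are the remaining reference fraud rates from the PSD2 RTS (Delegated Regulation 2018/389, Annex), included so the function covers the whole TRA range.

```python
"""PSD2 TRA exemption eligibility and SCA routing (illustrative, not Forter's code)."""

# (exemption threshold value in EUR, maximum acquirer reference fraud rate in bps)
# A higher transaction amount requires a lower acquirer fraud rate.
# EUR 100 / 13 bps is from the text; the other two tiers are from the RTS Annex.
TRA_TIERS = [
    (100.00, 13),   # amount <= EUR 100            -> fraud rate at or below 13 bps
    (250.00, 6),    # EUR 100 < amount <= EUR 250  -> fraud rate at or below 6 bps
    (500.00, 1),    # EUR 250 < amount <= EUR 500  -> fraud rate at or below 1 bps
]


def fraud_rate_bps(fraud_value_eur: float, total_value_eur: float) -> float:
    """Acquirer fraud rate in basis points (1 bps = 0.01%).

    The RTS measures the rate by value: fraudulent remote transaction value
    divided by total remote transaction value over the reference period.
    """
    if total_value_eur <= 0:
        raise ValueError("total value must be positive")
    return 10_000 * fraud_value_eur / total_value_eur


def tra_exemption_allowed(amount_eur: float, acquirer_rate_bps: float) -> bool:
    """True if the acquirer may flag this remote card payment as TRA-exempt."""
    for threshold, max_rate in TRA_TIERS:          # ascending by threshold
        if amount_eur <= threshold:
            return acquirer_rate_bps <= max_rate   # the smallest fitting tier applies
    return False                                   # TRA never applies above EUR 500


def route(amount_eur: float, acquirer_rate_bps: float, low_risk: bool) -> str:
    """Routing decision for an in-scope CNP transaction.

    Request the TRA exemption only when the merchant's risk analysis says
    low risk AND the acquirer is inside the fraud-rate cap; everything else
    goes to a 3DS challenge. Requesting an exemption for an ineligible
    transaction risks a hard decline rather than a soft decline, so it is
    never attempted here. The issuer still has the final say either way.
    """
    if low_risk and tra_exemption_allowed(amount_eur, acquirer_rate_bps):
        return "request_tra_exemption"
    return "3ds_challenge"


if __name__ == "__main__":
    # Constructed sample figures: EUR 1,300 of fraud on EUR 1,000,000 of volume = 13 bps.
    rate = fraud_rate_bps(1_300, 1_000_000)
    for amount in (80.00, 150.00, 400.00, 600.00):
        print(f"{amount:>7.2f} EUR at {rate:.1f} bps -> {route(amount, rate, True)}")
```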
Forter is the only partner that can help merchants recover declined transactions. Forter’s Smart Payments solution recognises returning shoppers and applies 3DS to the transaction if the shopper has failed in their previous transaction. We have seen a 6-7% revenue boost in some instances from overall optimisation efforts.
3DS is a conversion killer, not an anti-fraud tool
Forter’s research shows that some merchants across France, Germany, Italy and Spain are losing almost 40% of their transactions where 3DS is applied. These failed and abandoned transactions will inevitably include attempted fraud that’s been stopped in its tracks, but it raises the question: how many of these transactions are legitimate?
The table below shows the 3DS abandonment rate (where the user does not complete the 3DS challenge and abandons the transaction) and the 3DS failure rate (where the user cannot complete the challenge, sometimes because of a technical failure). You can see that in some instances, merchants are losing 26-39% of transactions where 3DS is applied. Not every customer will try their transaction again, so this could represent a significant loss of revenue to merchants.