PSD2: Enabled but not yet excelling

PSD2 is a hot topic for the UK market. How can we tackle it?

We take a look at challenges and solutions for the UK payment ecosystem in complying with PSD2 requirements.

With PSD2 now live in most European countries, being 5 months past the December 31, 2020 deadline, the UK is next, as the deadline for March 2022 is approaching. In order for the cardholder and merchant to properly adopt additional authentication without abandoning the transaction, the main focus is eliminating as much friction as possible. Testing data¹ from merchants such as Amazon, Google and Microsoft has shown that although Strong Customer Authentication has been enabled for most of the UK ecosystem, it is still grappling with several issues. Examples of this are relying on Risk Based Authentication for lower challenge rates, issuer readiness on latest protocols, issuer latency and lastly confusion on what exemptions to properly utilize.

Issuer readiness and stability

In order for a transaction to be compliant and successful the Issuer and Acquirer domain both need to enable SCA and apply the 3DS2 protocol. Due to the mandated adoption of 3DS 2, UK issuers have seen an increase in 3DS 2 transactions into their platform. This is adding challenges when it comes to response times, scalability and stability. The data on Netcetera’s platform is in line with the schemes reporting an increasing number of 3DS2 transactions and this will only increase once the UK goes fully live. This is likely to put additional strain on Access Control Server (ACS) providers and lead to potential outages.

A reason for these outages can be attributed to some ACSs lacking major overhaul and scalability since 3DS was introduced in 2000. Changes made in the last 21 years to the protocol have been added onto what are now archaic systems lacking flexibility. As a result of these outages large merchants have reported looking to the schemes stand-in service as alternatives to ensure transactions are not affected. This however comes at additional cost and is not widely implemented, therefor this can merely be a temporary workaround that lacks sustainability.

Navigating the exemption jungle

Up until now merchants have benefitted from the UK ecosystem using sophisticated Risk Based Authentication which allowed them to keep challenge rates to cardholders low. With the pending deadline this is not an option anymore as bypassing SCA will lead to higher declines on transactions from issuers.

Now that the increasing volumes have brought the first issues to light, it would benefit merchants and acquirers to look at SCA exemptions based on their portfolio of cardholders and customers to eliminate friction to the cardholder where it is not needed.

SCA exemptions are defined based on the level of risk, amount, recurrence and the payment channel used for the execution of the payment. These exemptions allow PSPs to achieve the right balance between convenience of the payment experience and fraud reduction.

Data from Netcetera on SCA exemptions so far show that Transaction Risk Analysis and Low Value Payments are the most adopted² (87% for TRA and 11% on Low Value according to Netcetera figures) and it will be interesting to see the impact of further exemptions introduced in version 3DS 2.2 such as recurring transactions, merchant whitelisting and delegated authentication.

The road ahead

With Brexit in the rear-view mirror and the world looking to get back to normal there is an added incentive to ensure issuers, acquirers and merchants are ready come September. Sectors that rely heavily on ecommerce such as travel and hospitality will also look to benefit from 3DS 2.x. The key differentiator in readiness is defined as having the motor running or to have it finely tuned for maximum performance. A prime example of this would be exemptions being enabled on the issuer and acquirer side to see proper results in successful transactions.

Now more than ever, the results in testing have exposed a need for 3DS solutions to be flexible and modular in order to fit into a hierarchy of existing fraud strategy and authentication providers. Initially this would be an investment but is more sustainable than dealing with fraud, scheme fines or an abnormal rate of declines.

References

1 D. Jordaan, SCA Performance - April 2021, Available at: https://www.linkedin.com/pulse/sca-performance-april-2021-dean-jordaan?trk=public_profile_article_view

2 Netcetera (2021), Webinar: PSD2 SCA being effective - First results,observations and recommendations, Available at: https://pnt.netcetera.com/20210324_PSD2_results

About our experts

Jeffrey Reinders

Jeffrey Reinders has been working in the payments industry for the last 6 years and currently responsible for the UK & Ireland division of Netcetera’s Digital Payments Division. He previously worked in the acquiring space at FiServ-EMS and was involved in consulting merchants on growing their business by simplifying their payments stream.  Jeffrey joined Netcetera in 2020, spearheading UK sales. He is responsible for helping financial institutions, payment players, issuers, processors, banks and fraud providers with their 3DS challenges.

https://www.linkedin.com/in/jeffreyreinders/

Christian Huesch

Christian Huesch is a seasoned payment security expert, with 20 years of experience in authentication and payment security. His passion for client-focused problem solving helped solution providers and vendors like SafeNet, Arcot, Pointsec and Sectigo as well as Visa and Mastercard, to sell, innovate and develop products and roll out propositions Christian has recently joined the pre-sales consulting team of the Secure Digital Payments division at Netcetera, looking after customers in the UK and Ireland.

https://www.linkedin.com/in/chuesch/

More stories

On this topic