Many online merchants fear that strong customer authentication leads to purchase cancellations and lower conversion rates. At the same time, more than 80 percent of credit card misuse is attributable to card-not-present transactions (especially in e-commerce). The need for action seems more than obvious. The challenge for online merchants and their acquirers is now to find the right strategy for dealing with PSD2 and its exemptions, and to ensure the highest possible acceptance rate for card payments while keeping the fraud rate low.
Which exemptions are possible for acquirers?
In order to process as many transactions as possible without strong customer authentication, acquirers can use the following exemptions: low value transactions, transaction risk analysis and recurring transactions.
Low value transactions are payments with a value of less than 30 euros. At the same time, the total value of all transactions since the last strong customer authentication must not exceed EUR 100 and no more than five transactions in total may have taken place since the last authentication. The problem is that acquirers cannot correctly track the total number of transactions and the cumulative value for a card. Only the card issuer has the necessary data.
In the transaction risk analysis, the exemption rule depends on the acquirer's abuse rate in combination with certain transaction values. For transactions of more than 500 euros, the transaction risk analysis exemption no longer applies. For transaction values between 250 and 500 euros, the acquirer must prove an abuse rate of no more than 0.01 percent in order to be allowed to process a transaction without strong customer authentication. For lower transaction values, slightly higher abuse rates are tolerated (up to a maximum of 0.13 percent).
Only transactions in which the amount and the payment recipient match the first transaction are recognized as recurring transactions. The problem here lies in the very complex implementation requirements.
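The three exemption rules above can be written down as an acquirer-side check. The following is an added example, not code from the article and not the logic of any Netcetera product; the names `Txn`, `advise` and `TRA_BANDS`, the order in which exemptions are tried, and the 100/250 euro band edges with the 0.06 percent value (taken from the RTS annex for card payments, not from this article) are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# TRA bands as (max amount in EUR, max acquirer abuse rate in percent).
# The article gives 500 EUR / 0.01 and the 0.13 ceiling; the 100 and 250 EUR
# band edges and the 0.06 value are assumptions taken from the RTS annex.
TRA_BANDS = [(Decimal("100"), Decimal("0.13")),
             (Decimal("250"), Decimal("0.06")),
             (Decimal("500"), Decimal("0.01"))]

@dataclass
class Txn:
    amount: Decimal
    payee: str
    first_amount: Optional[Decimal] = None  # first payment of a recurring series
    first_payee: Optional[str] = None
    # Counters since the last SCA. Only the issuer holds them reliably,
    # so an acquirer will usually have to leave them as None.
    prior_count: Optional[int] = None
    prior_total: Optional[Decimal] = None

def advise(txn: Txn, abuse_rate_pct: Decimal):
    """Return (exemption, verified); verified is False when the result
    depends on issuer-side counters the acquirer could not check."""
    # Recurring: amount and payee must match the first transaction.
    if txn.first_amount is not None and (txn.amount, txn.payee) == (
            txn.first_amount, txn.first_payee):
        return ("recurring", True)
    # TRA: the first band whose ceiling covers the amount decides.
    for ceiling, max_rate in TRA_BANDS:
        if txn.amount <= ceiling:
            if abuse_rate_pct <= max_rate:
                return ("tra", True)
            break  # higher bands are stricter, so stop here
    # Low value: below 30 EUR, at most 5 transactions and 100 EUR since SCA.
    if txn.amount < 30:
        if txn.prior_count is None or txn.prior_total is None:
            return ("low_value", False)  # issuer may still demand SCA
        if txn.prior_count <= 5 and txn.prior_total <= 100:
            return ("low_value", True)
    return ("sca_required", True)
```

An unverified `low_value` result is the case the article warns about: the acquirer requests the exemption without knowing the card's counters, and the issuer may still ask for authentication.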
If an acquirer uses these exemptions, the elimination of strong customer authentication will certainly reduce the number of abandoned purchases and improve conversion. In most cases, however, the liability then lies with the acquirer. Acquirers therefore have to find the right balance between security and profitability based on their risk assessment and the possibilities of the exemptions. This requires a continuous analysis of transaction and abuse data as well as a continuous improvement of risk management.
Netcetera has developed the Netcetera eCom Exemption Advisor for acquirers and payment service providers as a new solution. Based on various customer-specific parameters, this solution supports the decision whether a transaction can benefit from one of the exemptions or whether strong customer authentication is needed.
Delegated authentication offers a fundamentally different approach, in which the merchant itself carries out strong customer authentication. This enables an even better customer experience, where a PSD2- and SCA-compliant one-click checkout is possible. Kurt Schmid: "I see delegated authentication as one of the best ways to provide a seamless user experience for customers. This can be used by merchants of all sizes and it greatly simplifies transaction processing."