Strong customer authentication

Initial results, observations, and recommendations

Strong Customer Authentication (SCA), which the European Payment Services Directive PSD2 requires for card payments in e-commerce, is now mandatory. The last transition periods for implementation have just expired in many European countries. This is a good time for an initial interim assessment. What developments can be observed and what conclusions can be drawn? Netcetera’s Experts Kurt Schmid, Marketing & Innovation Director Secure Digital Payments, and Biljana Kuzeska Ivanoska, Senior Product Manager Secure Digital Payments, provide answers.

Netcetera made evaluations based on the transaction data of the operated 3-D Secure Issuer Services, all figures mentioned refer to these measurements.

The first striking fact is that the approval rate for card transactions (authentication approval rate) processed according to PSD2 rules is 85.5 percent, while it is around 89 percent for transactions not covered by PSD2. This leads to the key question of how online merchants and payment service providers (PSPs) can meet PSD2 requirements while improving conversion.

Transactions and Success Rate per merchant country
Transactions channel and its success rate

Conversion describes the rate of successfully completed purchase transactions from those customers who clicked the checkout button. There are various hurdles to overcome for a successful completion: The customer must correctly enter the data for the selected payment method, this data must be processed correctly, the customer must successfully complete the authentication process, and finally, there must be a positive authorization response. At all these points, an abort can occur - with the corresponding negative impact on conversion.

Purchase transactions are aborted, for example, if the customer finds it too cumbersome to enter the card data, if his card has not yet been approved for e-commerce transactions or if the card validity has expired, if the customer's authentication fails, or if the authorization cannot take place due to an incorrect CVV or a limit being exceeded.

Broad data base

"We can use data from our own Access Control Server (ACS) for such measurements and thus describe the developments from the card issuers' point of view," explains Biljana Kuzeska Ivanoska. From July to December 2020, certain data was considered on a monthly basis, and from January 2021 on a weekly basis. Transactions where one of the parties came from outside Europe were filtered out, as well as test and non-payment transactions. In total, the data set of the sample contained about 2.5 million data records, each with about 50 attributes.

One important result: On average, only 91 percent of the cards are registered for Strong Customer Authentication, whereas for the best issuer only 0.5 percent of the cards were not registered accordingly. At the same time, an average of 2.8 percent of cards are blocked. Unregistered and blocked cards lead to a deterioration in conversion of about 12 percent. This is unsatisfactory for issuers and merchants alike.

Total number of transactions and % challenged

Using the data from the ACS, it is also possible to track the development of the various versions of 3-D Secure. It is noticeable that there has been a significant increase in version 2.1, but that more than 50 percent of transactions are still processed via version 1.0. The use of version 2.2 is still at the beginning of its development of a wide use.

Protocols used by the merchants
The share of the EMV® 3DS transactions is increasing

Another interesting finding is that the number of transactions processed via 3-D Secure has been steadily increasing since the fall of 2020. At the same time, the number of transactions requiring SCA from customers is decreasing. This is due to the fact that one of the exceptions to the SCA is being claimed in more and more transactions. Transaction Risk Analysis (TRA) is used in 87 percent of cases. The exemption for small amounts applies to 11 percent of transactions. Whitelisting, in which customers flag trusted merchants with their card issuer, has yet to play a significant role, although it could strongly contribute to the success rate.

Most of the exempted transactions use TRA
The share of transactions with exemption is increasing
In which amount range the exemptions are applied
% of issuing banks processing all, some or none of the exemptions

Communication and cooperation

Overall, it can be said that card issuers can take action in several places to improve conversion. In particular, this starts with making the onboarding process for strong customer authentication as user-friendly as possible. It is also helpful to consistently take advantage of exceptions to minimize the need for cardholders to confront Strong Customer Authentication. In addition, offering whitelisting can be a relatively simple way to significantly increase conversion.

Kurt Schmid comments: "Such measures work particularly well when card issuers maintain intensive communication with their customers. In addition, 3-D Secure states that three parties (three domains) are involved here. So the cooperation of all parties is required. And finally, as with all new technologies, the key here is to test, test, test."

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

Do you want to learn more about PSD2 SCA first results?

More stories

on this topic