An Analyst’s Perspective: Why the Two Most Common Approaches to PSD2 Compliance Don’t Work
- Nir Maayan, Head of EMEA Analytics at Forter
- 30.05.2022 03:15 pm #compliance
It’s been two months since PSD2 enforcement started in the UK, and we have taken a look at data from merchants to see what patterns are emerging and what we can learn.
As expected, the data shows that the use of 3D Secure (3DS) for strong customer authentication (SCA) has had a significant impact on conversions. Digging a little deeper, we can see that the most common approaches merchants are using for compliance are: (A) using SCA on every transaction (and sending them to 3DS) or (B) attempting to flag every transaction as exempt and only sending to 3DS those transactions that get a “soft decline” from the issuer. Both of these approaches leave much to be desired and, in particular, are reducing revenue.
What happens when Merchants send every transaction to 3DS?
There are definite benefits to be earned by using 3DS on transactions, namely added security for Card-Not-Present (CNP) transactions, the liability shift of any fraud chargebacks away from the merchant to the card issuer, and being compliant with PSD2 regulations.
Surely this is the best approach, right? Sadly not. For all the benefits, merchants using this approach are going to potentially miss out on legitimate transactions worth up to 10% of their revenue.
Why does this happen?
Under PSD2 the use of 3DS, despite improvements in version 2, still gives legitimate customers a poor experience by applying friction at the checkout. Applying friction leads to shopping cart abandonment, whereby customers give up on their transaction to go elsewhere, and 3DS failures, whereby legitimate customers fail to complete the 3DS challenge. We often see these occur in equal measure.
Transaction completion rate potentially dropping by 10%
What happens when Merchants attempt to exempt every transaction under PSD2?
Okay, so sending all transactions to 3DS negatively impacts conversion—but what are other merchants doing?
Some merchants, clued up on what 3DS friction will do to their conversions, flag every transaction for exemption under PSD2. Sadly, this still relies too much on external factors outside the merchant’s control. The two main setbacks to this approach are issuer behaviour and the fact that fraud and 3DS under PSD2 are not separate issues:
Issuer behaviour
When issuers decline a transaction, it isn’t always a “soft decline”, which would allow the merchant to save the transaction by reprocessing it with 3DS. Of these non-soft declines, Forter estimates that up to 65% could be recoverable if they had been sent to 3DS from the get-go.
Compared to a soft decline, hard declines usually can’t be pushed through with a retry, as the decline isn’t temporary. Issuers are continually changing their policies with regard to 3DS and PSD2 exemption acceptance. By having a fixed approach across all transactions, merchants are not optimising revenue and conversion.
The data we see shows some card issuers have more stringent 3DS usage than others
Fraud and 3DS under PSD2 are not separate issues
When an exempt-all approach is combined with inadequate fraud screening, inevitably, high-risk and potentially fraudulent transactions may be sent for processing, which could bring about two issues. Either the liability doesn’t shift to the card issuer for exempted traffic and the merchant will foot the bill for the fraud chargebacks, or the payment service provider’s (PSP) fraud rate could be negatively affected by riskier transactions, which lowers the likelihood that future transactions will get flagged for exemption.
On the other hand, by using an overly aggressive pre-authorisation fraud tool, merchants can avoid potential chargebacks but could cause significant conversion issues for themselves. Some PSPs allow an exempt-all approach under the condition that merchants deploy a pre-authorisation fraud tool. Unfortunately, these tools are often rule-based, which means that perfectly legitimate transactions end up in the crosshairs as well.
It's not only shoppers that are affected negatively by false declines. Even when using a “good” fraud engine, if said engine doesn’t have control over what gets sent to 3DS, merchants will likely lose conversions. Merchants can lose up to 75x more revenue to false declines than they do to fraud. Not all fraud declines are created equal: some can be salvaged by 3DS authentication. Ignoring that, and preventing the fraud provider from supplying 3DS decisions, would cause conversion loss on borderline declines.
If pre-authorisation fraud checks don’t inform what gets exempted, expect to decline traffic that could have been legitimate
Considering all the above points, we can confidently say that merchants who approach PSD2 compliance by exempting every transaction will miss out on legitimate transactions worth a minimum of 2-3% of their revenue.
What can merchants do?
Having discussed the drawbacks of the two most common approaches to PSD2 compliance, the burning question remains: what is the best approach to being PSD2 compliant?
Know the issuers
By using a dynamic engine, a merchant can react much faster to any changes in card issuer behaviour than if they were merely following expected behaviour using rules. A truly dynamic engine will employ automation and machine learning to constantly monitor and react to changes in issuer behaviour with every transaction.
Know your customers
Understanding the customer who is visiting the merchant site is vital to optimising payments. By knowing the customer, the risk of each and every transaction is much better quantified. We are not referring merely to the risk of fraud but also the risk of a customer abandoning or failing to complete a 3DS challenge.
Tie risk and payments together
The best way to do this is to conduct a pre-authorisation fraud check and have that same provider choose which transactions get sent to 3DS or exempted. The best systems make nuanced decisions based on an individual’s likelihood of completing a 3DS challenge, the card issuer’s likelihood of accepting an exemption, and the actual transaction risk itself.
By understanding the full picture, merchants are able to choose when to apply 3DS friction and when to apply for an exemption on a transaction-by-transaction basis, thus boosting their overall conversion.
Using pre-authorisation fraud check engines to choose 3DS or exemptions allows for better-informed decisions
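An added illustration of the transaction-by-transaction choice described above (not Forter's code or model): it compares the expected revenue of sending a payment to 3DS against requesting an exemption, using the three inputs the article names. The probabilities, the sample batch and the simplifications (a fraudulent exempted payment costs the merchant the order value, a soft decline is retried through 3DS, a hard decline is lost, and only legitimate revenue is counted on the 3DS route) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    amount: float          # order value
    p_fraud: float         # pre-authorisation fraud risk, as a probability
    p_complete_3ds: float  # chance a legitimate customer finishes the challenge
    p_exempt_ok: float     # chance this issuer accepts the exemption
    p_soft: float          # if refused, chance the refusal is a soft decline

def ev_3ds(t: Txn) -> float:
    # Liability shifts to the issuer, so only legitimate revenue is counted;
    # abandonment and challenge failures are folded into p_complete_3ds.
    return (1 - t.p_fraud) * t.p_complete_3ds * t.amount

def ev_exempt(t: Txn) -> float:
    # Accepted exemption: no friction, but the merchant carries the chargeback.
    accepted = (1 - t.p_fraud) * t.amount - t.p_fraud * t.amount
    # Refused exemption: only a soft decline can be retried through 3DS.
    refused = t.p_soft * ev_3ds(t)
    return t.p_exempt_ok * accepted + (1 - t.p_exempt_ok) * refused

def route(t: Txn) -> str:
    return "exempt" if ev_exempt(t) > ev_3ds(t) else "3ds"

def expected_revenue(batch, strategy: str) -> float:
    # strategy is "3ds", "exempt" (the two fixed approaches) or "dynamic".
    total = 0.0
    for t in batch:
        choice = route(t) if strategy == "dynamic" else strategy
        total += ev_exempt(t) if choice == "exempt" else ev_3ds(t)
    return total

# Constructed sample transactions, not real merchant data.
BATCH = [
    Txn(100, 0.01, 0.85, 0.9, 0.5),  # low risk, lenient issuer
    Txn(100, 0.30, 0.90, 0.9, 0.5),  # borderline risk
    Txn(100, 0.01, 0.95, 0.3, 0.5),  # low risk, issuer rarely accepts exemptions
]

if __name__ == "__main__":
    for t in BATCH:
        print(route(t), round(ev_3ds(t), 2), round(ev_exempt(t), 2))
    for s in ("3ds", "exempt", "dynamic"):
        print(s, round(expected_revenue(BATCH, s), 2))
```

On this batch the per-transaction choice beats both fixed approaches because it exempts only the payment where low risk and a lenient issuer coincide.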
It’s no secret that false declines can be damaging to businesses across the board. In an effort to prevent fraud, many businesses have actually managed to create an equally, if not more detrimental problem in the process.
However, by staying informed and partnering with the right fraud prevention provider to help minimise the occurrences of false declines, businesses can stay ahead of this problem and ensure they are able to approve more good customers.