One of the most hotly anticipated parts of the EU’s Second Payment Services Directive (PSD2) is its provisions for Strong Customer Authentication (SCA). After some delays, the deadline of 31st December 2020 came into force in the EU, but the UK delayed its implementation yet again, this time by a further 15 months to March 2022. The irony is that consumers and payments players now need the protections it promises, as well as the flexibility, more than ever.
The good news is that the latest 3D-Secure (3DS 2.2) protocol version is SCA-ready. By rolling it out, merchants can minimise fraud without adding customer friction. But it won’t be as easy as flicking a switch: there’s no time to waste before 14 March 2022.
The past 18 months have witnessed an explosion in e-commerce activity as consumers surged online during the pandemic and businesses built out their digital infrastructure to stay operational. As a result, internet sales grew by a massive 46% in 2020 versus the previous year, according to the ONS. However, fraudsters are never far away from such large-scale changes in human behaviour. They’ve been looking ever since to take advantage not only of novice internet users but also of smaller merchants who perhaps aren’t as clued-up on cybersecurity and fraud protection.
Yet simplified and secure payment interactions are exactly what SCA is designed for. It will require banks to perform additional checks when users pay, designed to root out the scammers, primarily through multi-factor authentication (MFA), as well as through exemptions tailored to particular scenarios and fraud profiles.
Fortunately, 3DS 2.2 can help merchants meet these requirements.
Now 3DS has come a long way from its launch back in 2001. Back then there was little flexibility, and no support for mobile devices or biometrics to improve the customer experience. A lot has changed. Having travelled through a second iteration in 2016, the current version (2.2) features:
Perhaps the most important feature is SCA exemption support. This allows the merchant to waive customer use of SCA in certain circumstances to enhance the user experience — e.g. if the transaction is under €30 or is made with a “trusted beneficiary”. One exemption is particularly relevant to e-commerce and relates to transactions deemed “low risk”: Transaction Risk Analysis (TRA).
In theory, because 3DS 2.2 collects more contextual transaction data from the merchant, it can calculate risk in milliseconds and either allow the transaction without SCA or require the customer to complete additional verification. According to Visa, the latter accounts for only around 5% of transactions.
However, to take advantage of the TRA exemption, merchants need to know their fraud rates and thresholds for PSPs. In other words, they will need a particularly good grasp of their fraud profile and have adequate transaction monitoring in place. And in many cases, they will need to rethink processes relating to their fraud strategies.
Merchant Service Providers (MSPs) have an important role to play here in educating the market and working hand-in-hand with their clients, especially smaller merchants, to ensure they have everything in place for a seamless transition to SCA early next year without adversely affecting the customer experience. 3DS 2.2 in itself will not necessarily give merchants all the benefits it promises if its deployment is not carefully planned and processes modified to take best advantage of the many features it offers. There’s plenty left to do before 14 March 2022. So spend the next nine months wisely.