Why online merchants must implement 3DS2 now
Feb 26, 2020
The deadline for compliance with Strong Customer Authentication isn't until the end of 2020, but issuers will ramp up card declines for transactions that are not 3DS2-authenticated in the near future.
In late 2019 the European Banking Authority (EBA) announced a delay to the enforcement of Strong Customer Authentication (SCA) for online card transactions as required by PSD2 regulation. The delay allowed the National Competent Authority (NCA) of each country under the jurisdiction of PSD2 to implement a phased roll out of the new systems required to comply with the legislation, up to a final deadline of December 31 2020.
In practice, this means the implementation of 3DS2, the new cross-scheme authentication standard that complies with the regulation.
This has already begun, but to date there has been limited buy-in from merchants, perhaps due to a concern about increased cart abandonment stemming from a change in how payments are authenticated.
However, it is imperative that merchants engage with their payments provider to discuss migrating to 3DS2 as soon as possible, as the reasons for doing so are compelling.
The financial impact of not migrating to 3DS2 immediately
Even though businesses that accept online payments are not specifically required to implement 3DS2 in the new Strong Customer Authentication regulation, compliance still isn’t optional for processing card payments via an online checkout. European payment providers and banks are legally required to enforce SCA for card-not-present payments from December 2020 (and are subject to heavy fines or even having their licence revoked for not doing so). Merchants that resist adopting the 3DS2 requirements are going to suffer a severe loss of transaction volume as their card decline rate for non-3DS2 authenticated payments rapidly increases.
This increase in card declines will culminate at the SCA deadline; at this point a merchant will not be able to process any card transactions without having integrated 3DS2. Issuers will not be adopting a risk-based approach to authorisation from that date; in order to comply with the regulation all online card payments that aren’t Strong Customer Authenticated via 3DS2 will be declined without consideration.
And even though the deadline for compliance with SCA isn’t until the end of this year, its impact is visible already. For merchants, especially those that operate in sectors considered high risk by issuers, there will be noticeable financial implications of not implementing 3DS2 in the very near future.
This is because SCA compliance is being rolled out by the card schemes and issuers on an agreed phased implementation timetable between now and the SCA deadline, to ensure that the deadline is fully met as no further delay will be granted.
For merchants, this means not being able to take a ‘wait and see’ attitude to implementation between now and the deadline without suffering financial loss.
We’re already seeing the volume of card declines increase as a small number of issuers switch to mandatory 3DS2 authentication ahead of the phased implementation deadlines. And while the increase in declines may not be significantly impacting merchants now, this will not be the case for much longer.
The next key date in the phased roll out is March 14 2020. By this date VISA is mandating that all issuers enable their 3DS2.1 solution in Europe, meaning that issuers will be in the position to request Strong Customer Authentication for all card-not-present payments. We are fully expecting the volume of card declines for non-3DS2 authenticated payments to increase significantly from that date, especially for merchants that issuers consider to be high risk, which is why we are strongly encouraging all merchants to adopt 3DS2 by this date.
The Mastercard 3DS2.1+ mandate deadline follows on July 1 2020, and the VISA 3DS2.2 mandate comes into effect September 14 2020, so the longer a merchant waits to migrate to 3DS2, the greater the percentage of its card transactions being declined will be.
There are benefits to merchants
Avoiding a dramatic increase in card declines is a key reason for merchants to integrate a 3DS2 solution into their checkouts, but there are also additional benefits to merchants and consumers that should persuade businesses to implement the new authentication protocol sooner rather than later.
This can broadly be summarised as enabling merchants to offer consumers a more seamless, convenient checkout experience while also significantly increasing the security of their payments. Merchants that upgrade to offering this improved service now will have a competitive advantage over those that elect to wait.
According to our research, 70% of online small-to-medium-sized businesses currently struggle to find a balance between improving security processes and making the online customer journey as quick and easy as possible. 3DS2 makes considerable strides in combatting this for card-not-present payments in a number of ways:
1. Unlike the current 3DS authentication, 3DS2 is optimised across all eCommerce devices including mobile. This is critical as, according to our research, more Millennial (79%) and Gen Z (72%) consumers shop regularly via their smartphone than any other device including a laptop or desktop computer.
2. 3DS2 improves customer experience by giving consumers more choice over how they authenticate payments.
3. Passive sharing of more than 100 data points (10x the current volume) for each transaction enables issuers to perform better risk analysis, which will result in significant improvements in fraud prevention without compromising a consumer’s checkout experience.
4. 3DS2.2 also enables issuers to offer a seamless, secure payment experience by utilising the exemptions list for Strong Customer Authentication as laid out in the regulations, such as trusted beneficiaries. Two further exemptions that merchants should be particularly aware of are ‘one leg out’ transactions, where either the customer’s issuer or the merchant’s acquiring bank is located outside of the European Economic Area, and recurring transactions. For recurring transactions, the initial payment must be authenticated via 3DS2, but subsequent payments need not be, so long as these transactions reference the initial authentication. This is also true for irregular recurring transactions, also known as merchant initiated transactions.
Currently 3DS2 is only being mandated by the card schemes in Europe, in order to comply with the European SCA regulation. But that doesn’t mean that merchants outside of Europe shouldn’t strongly consider migrating to 3DS2 in the near future as well.
The benefits listed above extend beyond Europe, and there is little doubt that 3DS1 will be retired globally in due course. So although there is no direct mandate for merchants in regions such as North America to adopt the new protocols now, this should be on the radar for merchants accepting card-not-present payments that want to upgrade their checkout experience.
Paysafe customers: next steps
We are automatically enrolling all our Paysafe acquiring merchants with the relevant card schemes and our 3DS2 service. Integration guidelines have been published at https://developer.paysafe.com/en/3d-secure-2/api/ to enable you to start integrating. We are of course on hand to provide support where required.
To find out more about preparing for 3DS2, visit our website.