Do merchants have anything to fear from 3DS 2.0?
The new industry standard for authorising card payments to comply with Strong Customer Authentication requirements is going to have a significant impact on merchants. So should they be concerned?
As we mentioned in our previous article, 3DS 2.0 is set to launch in April to ensure that all merchants are able to integrate by September 2019 to meet their obligations under the Payment Services Regulation. One of the biggest changes is the new, more stringent requirements for Strong Customer Authentication (SCA) which are a concern for many merchants, who fear increased cart abandonment due the friction that SCA could introduce.
We believe there are reasons to be optimistic as not only does the introduction of 3DS 2.0 help merchants meet the regulatory obligation and help reduce fraud, but it also has some very clear enhancements to promote a friction free customer experience.
Designed with mCommerce in mind
Rather than being a burden, 3DS 2.0 has been designed to fit more easily into merchants’ day-to-day operations. Crucially, it has been built specifically with eCommerce and mCommerce in mind.
For a start, the improved passive data sharing between merchant and issuer under the new rules enhance security without adding unnecessary layers of authentication to the payment process. This helps to minimise payment friction for consumers, reducing the risk of cart abandonment, all while protecting merchant and customer from the repercussions of payment fraud.
In addition, the new requirements introduce multi-factor authentication for both eCommerce and mCommerce. This means that, while passwords – a factor called “what you know” – are still acceptable, issuers can also implement other factors, such as “what you have” (an iPhone or a tablet for example) and “who you are” (fingerprints and other biometrics).
Implementing these last two factors can allow the removal of passwords entirely, enhancing security while streamlining the payment process for consumers. This is an enormous boon to merchants with mobile retail channels in particular – everyone has experienced the difficulty of trying to type in passwords on a mobile keypad. With biometrics in place of passwords, all consumers will need to do is scan their fingerprint on their own smart device to purchase something.
Exemptions take the pain out of compliance
Further enhancing the experience of 3DS 2.0 is the leveraging of exemptions and out of scope transactions. Taking these into account, it is expected that only a fraction of transactions, maybe as a low as 5%, will be subject to authentication requirements under 3DS 2.0.
So how can merchants tell which transactions are not subject to Strong Customer Authentication? The following are the categories of payments that are either ‘out-of-scope’ or exempted from enforcement through the SCA regulatory technical standards:
- Out-of-scope A few key types of transaction are considered “beyond the scope” of the requirements laid out by the strong customer authentication regulatory technical standards. Hot off the press is the confirmation by the European Commission’s Directorate General for Financial Stability, Financial services and Capital Markets Union that out of scope includes “merchant-initiated payments”. This is where a merchant submits a transaction using previously stored details without the cardholder's participation. Also included in this category are: purchases by anonymous prepaid cards; mail order and telephone order transactions; and “one leg” transactions where the payer’s or the recipient’s PSP is based outside of the EEA. Non-card payments, such as Direct Debits, are also beyond the scope, as are payee-initiated transactions. It is worth noting that the first transaction mandating subsequent merchant-initiated transactions will be subject to Strong Customer Authentication requirements, although existing payments can be ‘grandfathered’ in.
- Exemptions There are transaction types that don’t need authentication, regardless of who the merchant’s payment partner is. These include: secure corporate payments; recurring transactions; and low-value transactions of under €30 if there is a counter limitation. White lists of trusted beneficiaries are also exempt for all PSPs; the issuer manages this list on behalf of the customer but as an acquirer it is possible to see if the merchant is registered to allow the merchant to pro-actively ask the customer to register them.
Finally, low-value purchases up to €30, as well as contactless payments up to €50, are also largely exempt – only needing explicit customer authorisation for one in every five transactions or once the total value of the transactions reaches €100 (this total is €150 for the €50 contactless limit). As a result, the bulk of these transactions will flow smoothly and without friction for consumers. The value limit for a purchase that is exempt from SCA is higher for low fraud PSPs, and can be as high as €500 depending on the PSP’s basis points.
Time to prepare
3DS 2.0 is still in its early days, and the card schemes have yet to release a lot of their guidance to the payments industry to help it implement the new requirements.
Nevertheless, even at this stage, it is clear that 3DS 2.0 has a lot to offer merchants. The SCA exemptions, for instance, will go a long way towards helping to enable the most frictionless customer user experience for merchants whilst improving transaction security. More, the burden of managing the fraud risk needed to qualify for exemptions is being taken by PSPs – the people with the most expertise in this area – helping merchants to concentrate on the rest of their business.
PSPs like Paysafe are still exploring the ins and outs of the new protocol, analysing clarifications and guidance as they are published. As such they are best placed to provide merchants with the advice they need to comply with 3DS 2.0. By talking to PSPs, merchants can be confident they are able to protect themselves and their customers from fraud while offering the best possible payment experience in the future.