MRC London 2019 – it is all about PSD2 readiness…

As the digital commerce landscape innovates at a lightning pace, constantly shifting and presenting new opportunities and challenges alike, The Paypers team joined MRC London 2019 as key media partner in order to discover how the culture and nuances of payments and fraud are adapting to this transformation.

There have been three full days filled with lively and informative discussions. Still, the topic that dominated the event’s agenda by far was getting ready for the 14th of September 2019 deadline, when new requirements for authenticating online payments will be introduced in Europe as part of the second Payment Services Directive (PSD2). There are less than 4 months for issuers and merchants to get ready for the Regulatory Technical Standards (RTS) imposed by PSD2, which demand the application of Strong Customer Authentication (SCA) to all payments, where both the issuer and acquirer are inside the EEA (including the UK).

3D Secure in a nutshell

SCA should apply each time a payer initiates an electronic payment transaction, or carries out any action through a remote channel, which may imply the risk of payment fraud, or other abuse. For online card payments this means 3D Secure.

3D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions, which enables consumers to confirm who they are when buying online. The first version of this protocol was called 3D Secure 1.0 (3DS 1.0), which was not great for user experience. Also, referring strictly to security, it provided a greater surface area for phishing and a shift of liability in the case of fraudulent payments. On top of this, international businesses also faced many challenges with 3DS 1.0 due to the way payments are processed in different markets. As every region has different security requirements and legislation, the adoption of the 3DS 1.0 protocol was inconsistent from bank to bank and country to country.

To handle some of these issues, 3D Secure 2.0 was released in 2016, which - by bringing a new approach to authentication through a wider range of data, biometric authentication and an improved online experience - it is much more than a redirect. With 3DS 2.0 it is possible to share data between banks and merchants silently in the background.

Payment-specific data, such as shipping address, coupled with contextual data, like the customer’s device ID or previous transaction history, are shared with issuing banks to enable better risk decisions for transactions that support the authentication cases and boost the number of payment authorisations. For instance, if the data is enough for the bank to trust that the real cardholder is making the purchase, the authentication is completed without any additional input from the cardholder (“the frictionless experience”). However, if the bank decides it needs further proof, the customer is asked to provide additional input to authenticate the payment (the transaction is sent through the “challenge” flow).

Overall, payments that require SCA will need to go through the “challenge” flow, whereas transactions that can be exempted from SCA can be sent through the “frictionless” flow.

What is a merchant supposed to do (for its customers)?

The ecommerce industry expects that issuing banks will start declining payments that have not been authenticated, starting with September 2019. Therefore, merchants are left with some options: they can either do nothing, which could lead to the decrease of acceptance rates as declines spike; or implement 3D Secure and apply exemptions. And here are the most relevant exemptions for internet businesses:

Payments below EUR 30 – however, banks will need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds EUR 100. As such, the cardholder’s bank will need to track the number of times this exemption has been used and decide whether authentication is necessary.

Low-risk transactions - a payment provider (PSP) will be allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. This may only be possible if the PSP’s or bank’s overall fraud rates for card payments do not exceed the following thresholds:

0.13% to exempt transactions below EUR 100

0.06% to exempt transactions below EUR 250

0.01% to exempt transactions below EUR 500

Fixed-amount subscriptions - This exemption can apply when the customer makes a series of recurring payments for the same amount, to the same merchant. SCA will be required for the customer’s first payment and subsequent charges; however, it may be exempted from SCA.

Whitelists of beneficiaries – When completing authentication for a payment, customers may have the option to whitelist a business they trust to avoid having to authenticate future purchases. These businesses will be included on a list of “trusted beneficiaries” maintained by the customer’s bank or PSP.

Corporate payments - This exemption may cover payments that are made with “lodged” cards (eg, where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).

However, some transactions are completely out of scope of SCA. These are:

One leg out transactions – payments where the issuer or the acquirer are based outside of the EEA.

Merchants initiated transactions – transactions initiated by the payee such as mobile phone payments, and fixed and variable amount subscriptions and instalments, where SCA needs to apply to the first transaction/mandate.

Phone sales - Card details collected over the phone fall outside the scope of SCA and do not require authentication. This type of payment is sometimes referred to as “Mail Order and Telephone Orders” (MOTO).

What happens if an exemption fails?

While exemptions will be very useful, merchants should not forget that it is ultimately the cardholder’s bank (issuer) that will decide whether or not to accept an exemption. Therefore, banks might return new decline codes for payments that failed due to missing authentication. These payments will then have to be resubmitted to the customer with a request for SCA.

How much of the directive can be delivered in September by issuing banks? “Somewhere between something and nothing”

As PSD2 means that 3D Secure is mandatory, some questions remain unanswered. For instance, if merchants can decide not to do anything regarding this directive, issuing banks should be ready to analyse/authorise transactions in September. Therefore, will 3D Secure 2.0 be supported by all banks? If not, when will they be ready? Although the first banks have started supporting 3D Secure 2 for their cardholders, most probably wider implementation will take time and vary by country and region, according to some of the event’s participants.

According to Stripe, in Europe, it is expected that some banks will start upgrading to 3D Secure 2.0 between April and September 2019, with banks in other regions to gradually start supporting 3D Secure 2.0 in late 2019. In addition, 3D Secure 1.0 and 3D Secure 2.0 might coexist until at least 2020.

Another point raised by attendance was regarding customer education towards this topic – do consumers know about PSD2 and how will September deadline impact their shopping experience? Will they get confused when an authentication window pops up? Who should announce/educate them about these changes: merchants, issuers, should there be a collaborative effort on both parts?

One thing is for sure, Helene Oger-Zaher from the Conduct, Payments and Consumer (COPAC) Unit at the European Banking Authority (EBA) and Nilixa Devlukia, Head of Regulatory at Open Banking (ex-UK Financial Conduct Authority and EBA) assured us that the 14th of September deadline won’t be extended as the authorities’ agenda is busy with the 2019 European Parliament elections scheduled for the end of this month and the selection of the next Commission President.

Surely, there have been three full days of positive energy, live debates and productive meetings in sunny London, and we would like to thank the MRC team for having us and for organising such a complex event. And since summer is just around the corner, let’s conclude by quoting one of the merchants I met: “PSD2 can come, but until then, I am busy with my summer sales”.

About Mirela Ciobanu

Mirela Ciobanu is a Senior Editor at The Paypers and has been actively involved in covering digital payments and related topics, especially in the cryptocurrency, online security and fraud prevention space. She is passionate about finding the latest news on data breaches, machine learning, digital identity, blockchain, and she is an active advocate of the need to keep our online data/presence protected. Mirela has a bachelor degree in English language and holds a Master’s degree in Marketing.