The latest deadline came and went, and the world still wasn’t ready for the new PSD2 Secure Customer Authentication requirement. It’s not like we didn’t have ample time to get ready; we’ve been talking about it for several years. After all, the December 31, 2020 deadline was the second deadline imposed. Now, as we head into our third month of 2021, more time has been granted to allow everyone to meet the SCA requirement: enforcement will be gradual across the European Union throughout the year.
One of the challenges for many is meeting the requirement through 3D Secure 2.0 (3DS2). Since we already support 3DS2 and had prepared for PSD2, we decided to give it a try, turning it on as a soft launch for two weeks in December. In this month’s column, we thought we’d share what we learned and what you as acquirers, processors and merchants can expect when PSD2 is live and we’re all using 3DS2.
PSD2 Principles
In a nutshell, the PSD2 Secure Customer Authentication (SCA) requirement was designed to make payments safer and increase protection while ensuring a level playing field for all players new and old. For any consumer-initiated electronic transactions like new sign-ups and one-click purchases, the SCA requires double authentication. That means two or more elements of something a person knows, like a pin or password, something only they can possess, such as a credit card, and something that can only identify the person, like their fingerprint or voice recognition.
For internet and mobile purchases, an extra element is needed, typically an authentication code. The most recommended way to handle the SCA requirement is through 3DS2. In fact, we dedicated a large portion of our development resources to upgrading our 3D secure integration from 1.0 to 2.0 as well as making the system support the SCA requirement for only those transactions that were impacted by the PSD2 mandate: EU to EU transactions.
As I said earlier, enforcement of the legislation continues to change. First, it was slated for September 2019, then it was pushed to December 31, 2020. Now, since many of the large issuers are still not ready to support PSD2, processors, acquirers and merchants are playing a guessing game on when this will all be officially enforced.
For now, each European country has its own migration plan, which has different levels of SCA enforcement based on the transaction size and date. It’s predicted that full enforcement across the EU will be in place by summer for most countries. The U.K. has targeted September 14.
The Performance Test
When we gave 3D2 a trial run two weeks before the end of December, we monitored the soft declines to see what was needed to meet the requirements of PSD2. We were able to identify a few interesting things. The 3D secure additional pay page fields displaying the full address and phone number caused some issuers to decline. When we sent them through again without the fields on the 3D rails, the bank approved the transaction without an issue.
From this test, we feel there will be some friction from consumers who don’t want to input those fields on a payment page, especially from merchants in our space. This could potentially lead to losing the customer before any payment attempt is initiated. What has become very clear, is that we will need to have a very detailed rollout plan that follows how many of the EU countries will be implementing 3DS2. It also highlighted that as a processor, you’ll need to review your U.S. merchants’ transactions to determine which 3D rails are the best to process the transactions through.
Call in the Data Doctor
To address these issues and keep things moving forward, we dedicated a team to analyzing this transactional data and help to identify any new issuers that are enforcing the PSD2 3D Secure requirement. For now, we’re utilizing both 3D Secure 1.0 and 2.0. We feel it’s important to analyze the impact of the 3D 2.0 rails vs. the 1.0 rails. By doing this, you can ensure you have the maximum approval rates on all transactions.
Creating this flexible configuration will allow you to manage the results that are being generated by the transactional data: for example, if the PSD2 requirement has been implemented by the merchant, country, acquirer and issuer level and by the price point. This is important, because as each country begins enforcing PSD2, you can turn on your own enforcement, which will make all transactions go down the 3D secure 2.0 rails with the additional pay page requirements.
Card schemes are introducing measures to encourage merchants to support 3DS2. Mastercard is planning to decommission 3DS 1.0 in October of 2022 and Visa will remove liability shift in Europe starting this October. If you’re still not ready for PSD2, the best recommendation is to be ready as soon as possible. Keep working at it and do your own trial run before enforcement is in place. If you need help with PSD2 implementations, we can help point you in the right direction.