The Impacts of PSD2, SCA, and 3DS on E-commerce

Interview with Galit Shani-Michel, VP Payments at Forter

PSD2, the directive to regulate payment services and providers in the European Union, became mandatory on December 31st, 2020. One of the most relevant changes coming from PSD2 is the Strong Customer Authentication (SCA) requirement. SCA dictates that consumers must authenticate their payments with additional parameters, which is made possible through 3-D Secure. To better understand how regulations and methods can impact merchants, consumers, and financial institutions we spoke with Galit Shani-Michel, VP of Payments at Forter.

Hi, Galit! Can you tell us a little about your background and your journey in the payments industry?

I started my journey in payments in fraud. I managed a fraud department at a gaming operator when online fraud was still very new. I was fascinated by it. For my next role, I joined Safecharge (which is now Nuvei) as their Head of Risk. Then I became head of payments for a large gaming operator. I was really surprised to see how big of an impact you can have on revenue via payment optimization — choosing the right processors, having the right payment options, and routing payments to the right place. When Forter approached me about joining the company, I was excited to have the opportunity to build the products that I wish I would have had at my disposal as a VP Payments.

Having experienced working on the merchant side, especially in the gaming industry, and on the solution provider side, how have you seen the payment industry evolve over the past years?

The payment industry has changed a lot over the past ten years. I think the biggest change ever is PSD2 coming into effect two months ago. But there have been other significant changes. Where in the past credit and debit cards were the only payment methods, there is now an incredibly diverse range of options — Paypal, Google Pay, Apple pay, Amazon Pay, and a whole host of buy now, pay later solutions like Klarna and Openpay. What this means is that merchants must be more flexible than ever — if customers don’t see their preferred payment method, they are more likely to abandon their transactions. This creates more complexity for payments teams to manage, and the best performing merchants are those that realize that payments are no longer just a technical function, but an important revenue and profitability driver, and those who are building professional teams who can help them drive additional profitability from well-designed, well-managed payment flows.

How do you think the pandemic context and acceleration of online shopping reflected on payments fraud this year? Which industries have been more affected?

It doesn’t take a genius to be able to observe that the pandemic has moved everything online, and lots of consumers who never purchased online before are now shopping online. People are getting used to buying products online that they would have always bought in the store, and it is incredibly convenient for them. This influx of new customers that merchants haven’t seen or decisioned before has forced merchants to be much more sophisticated in how they manage fraud, as their systems are 5–7 times more likely to decline a new customer than a returning one. In addition, the higher than usual transaction volumes mean it is no longer scaleable to handle this as a manual review process. Consumers expect rapid delivery, so everything needs to be automated.

Fraud risk is particularly high for merchants where the window between order and collection or delivery is the shortest. We have seen a 55% increase in click and collect fraud. “Item not received” fraud has also increased during the pandemic. We find that merchants are often not well equipped to manage fraud beyond the checkout page, as they often only have tools that support decisioning at the point of transaction, and fraudsters are quick to take advantage of the opportunity this affords.

What are the impacts on checkout experience with the implementation of 3DS?

PSD2 forces transactions to go through 3DS unless a transaction can be successfully flagged for exemption, and the 3DS friction results in 20–30% revenue loss due to failures and abandonment. This is why it is incredibly critical to use exemptions, particularly TRA (Transaction Risk Analysis) exemptions.

Most of the issuers in Europe by now have moved from 3DS1 to 3DS2, and although 3DS2 is a much better product, it still creates friction during the checkout process. The customer who was previously used to just typing in his card number and pressing “buy now” is now required to authenticate himself.

This gives the customer more time to reflect on their transaction and perhaps have second thoughts. Even if the customer decides to proceed, in many cases, the authentication is not completed — perhaps the customer doesn’t receive the SMS, doesn’t know how to complete the authentication, or otherwise fails to successfully respond to the challenge. This results in lost revenue for the merchant, and a terrible experience for the customer, making them less likely to shop with that merchant in the future. Merchants should take into account the loss of the whole lifetime value of a customer when weighing up this cost, not just the basket value from the single failed transaction.

Are issuers and acquirers doing enough to smooth the impact on merchant accounts? What can merchants do to reduce the impact on acceptance rates?

This is a good question and the source of a lot of tense conversation. We are still seeing issuers that are not ready for PSD2 and are instead resorting to stand-in processing, resulting in a lower authorization ratio for merchants. We are also seeing acquirers that recommend to the merchant the application of 3DS on all transactions or others that expect the merchant to know when they should apply 3DS and ask for exemption.

Merchants should make sure that they are avoiding 3DS whenever possible by making use of all relevant exemptions and exclusions. But at the same time, they should know to apply 3DS in cases where the issuer expects to see a 3DS transaction. Partners like Forter can help to automate this process and increase the number of transactions that can be exempted from 3DS.

I cannot emphasize enough how critical it is for merchants to be using effective fraud prevention tools and processes in order to keep their traffic as clean as possible and maximize their ability to avoid 3DS using TRA exemptions, as this will be key to reducing revenue loss.

What regions worldwide have been having more difficulty preventing payment fraud? And which ones, besides Europe, are making efforts towards SCA?

My attention has been very much focussed on Europe recently, with all the changes that are taking place, this gives me more than enough problems to solve! Forter has a global presence and a global merchant network, and we see fraud as a global problem. Some of the highest fraud rates are in APAC, particularly in China, but fraud types and rates vary by country and by industry.

Outside of Europe, I would say we see most efforts towards SCA coming from APAC — and mainly in Australia and New Zealand, where 3DS is becoming more popular. Whether this will lead to global adoption remains to be seen, but it is still early days.

In the European market, is PSD2 compliance enough to tackle the current paradigm of online fraud?

Simply put, no. One of the major misconceptions I see when speaking to merchants is that they believe PSD2 is an effective fraud prevention solution. They think that if they apply 3DS to a transaction, they will not be exposed to fraud. In reality, this is not true at all.

Sophisticated fraudsters can successfully complete a 3DS challenge. Merchants often don’t realize that even if 3DS is applied, even if they don’t have liability, they must avoid processing fraudulent transactions, as this counts towards their fraud rate and can leave them exposed to fines or sanctions. Sending fraudulent transactions through your payment processing account harms your authorization ratio performance and makes it more difficult to obtain TRA exemptions.

You can learn more about the 3DS authorization method in our article: The 3DS V2.2.0 Transition and Why You Should Get On It Now