Authentication update March 2021: rocky start for PSD2 across Europe

Incredibly, it’s now six years since we heard about PSD2 - Europe’s Second Payment Service Directive, and five years on from the release of 3D Secure 2. You might be wondering how so many years have passed so quickly - particularly during the past year of lockdown!

Despite the many (many) delays to the roll-out of Strong Customer Authentication (SCA) across Europe, 1st January 2021 marked the passing of the official European Banking Authority (EBA) recommended SCA enforcement date. However, multiple countries have released their own roll-out plans with a range of final deadlines up to the fourth quarter of 2021.

So what’s really happening with European payments? Have there been any changes yet, and what are the variations between country performance? We’ve collected insights from transaction data, regulators, card schemes, and feedback from merchants during the first two months of the year to share what we’re seeing.

Country variations in 3D Secure adoption and success

As expected, it looks like there are already significant variations between countries when it comes to 3D Secure adoption rate and success. Our recent webinar with Marco Conte, Co-founder of Payment Universe, revealed some of the differences in early January. We also heard from merchants directly about unusual performance from several European countries, so we took a closer look at performance for some of these.

Transaction data

Based on merchant feedback, we looked at our transaction data for January - February 2021 in Denmark, France, Spain and Germany. It’s important to keep in mind that we’re only looking at a subsection of transactions, so we can’t know the full story. We are only reporting on transactions on cards issued by the above four countries where we know:

• If 3DS was attempted

• If 3DS was successful

• If the transaction was successful

Across all four countries, we found:

• 97% of transactions were sent to 3DS for the authentication process to be attempted

• 5% were successfully authenticated through frictionless authentication (no challenge to the cardholder)

• 26% of all 3DS challenges failed authentication

Next, let’s look at the variations between countries on failed transactions.

Failed authorization for selected European country issued cards

There are some significant differences here - and especially worrying performance from Danish-issued cards. What could be behind this?

The Danish Financial Supervisory Authority had previously set the SCA enforcement date for March 2021, and then later announced that it had changed to 11th January at the last minute. It’s likely that this has caused a lot of confusion and disrupted payments for Danish-issued cards, and we’re seeing the consequences in failed transactions.

To learn more about where 3DS was successful but authorization failed, we looked at which 3DS version is failing more to see if there are any lessons here.

Failed authorization rates for 3DS v1.0.2 and 3DS 2.1.0

Surprisingly so far, successfully authenticated 3DS2 payments have failed authorization at a much higher rate than 3DS1. From speaking with merchants, we understand that 3DS is being initiated for transactions paid with alternative payment methods, including ApplePay, which indicates something has gone wrong.

We’ve also been hearing that the implementation work around 3DS2 is causing problems for merchants, with some saying it’s the most confusing they’ve seen in years! This could be behind the failure rate for 3DS2 transactions, with many issuers rushing preparations and mass confusion across the market.

So far, 3DS2 doesn’t look ready to deliver on its promise of improved customer experience and higher authorization rates. This is a reminder that it’s critical to monitor issuer behavior, enable dynamic authentication and avoid 3DS whenever possible to maximize acceptance rates.

Insights from the EBA and local regulators

European Banking Authority call on National Competent Authorities to enforce PSD2

The EBA released an opinion calling on NCAs to take action to ensure banks remove any remaining obstacles that prevent third party providers from accessing payment accounts, which restrict EU consumers’ choice of payment services.

This is in line with the wider goal of PSD2 to contribute to a level playing field across the EU. It calls for consistent application and supervision of PSD2 requirements and EBA Regulatory Technical Standards on SCA and common and secure communication. This could be a sign that the EBA will try to encourage NCAs to enforce PSD2 more evenly moving forwards.

Post-Brexit, will the UK diverge from PSD2?

Although the UK has left the European Economic Area, the UK wrote PSD2 into local law. But the UK can now diverge from PSD2 with the approval of the UK's national competent authority, the Financial Conduct Authority (FCA). The FCA released a paper proposing changes to the SCA-RTS (Strong Customer Authentication - Regulatory Technical Standards).

The FCA’s proposed changes are:

- Adding a new exemption from SCA for when customers access their account information through an account information service provider (AISP)

- Increasing the single and cumulative transaction thresholds for contactless payments from £45 up to £100 (or potentially a maximum of £120), and from £130 to £200

The increase in contactless payment limit was announced in the budget on Wednesday 3 March. Although an increased contactless limit brings speed and convenience benefits, it also raises questions about whether this could open the door to more fraud in the UK. It also raises the question: is this a sign that the UK may choose to diverge from PSD2 even further later?

Card scheme updates

Visa to stop supporting 3D Secure 1 in October 2022, not 2021

Visa previously announced that it would remove merchant fraud liability protection on 3DS1 transactions in October 2020. Now, Visa has revised this to allow the market more time to prepare - perhaps partly due to the problems with 3DS2 above. Effective 15th October 2022, Visa will discontinue support of the original 3D Secure version 1.0.2 and related technology.

Updates to dispute rule language due to pandemic

Visa will be updating dispute rule language and making additional revisions for clarity and consistency, based on client feedback during the Covid-19 pandemic (coming into effect 16th October 2021).

PSD2 SCA update for UK / non-EEA regions

The UK plans to enforce SCA on 14th September 2021. Visa believes that EEA/UK issuers are close to being fully enabled on 3D Secure 2, with approximately 97% of EEA/UK ecommerce payment volume now presented to live 3DS2 account ranges.

Visa shares ATO guidance

Visa released guidance and information on account takeover (ATO). ATO is the second top threat to merchants and the fastest growing form of fraud according to our recent survey of 1000+ merchants.

Summary

That’s our summary of the key payment authentication insights we’ve seen in January and February this year! We’d love to hear if this is in line with what you’re seeing, or if there are other trends we should look at for the next update - please get in touch to share your feedback and suggestions!