Global Payment Regulation & Authentication 2020 Update

New data from the first three months of 2020 reveals an improvement in acceptance rates using 3D Secure (3DS) in most of Europe - what could be behind this? We take a look at the new data and the current payments climate. Check out the full results and comparison with 2019 data in the map and download the full report here.

Businesses are using authentication more than last year

In the run up to the original PSD2 deadline for implementing Strong Customer Authentication (SCA) in September 2019, many merchants were not using authentication on a large proportion of their transactions. In fact, most merchants were only sending the most risky transactions to 3DS due to the well known negative customer experience and dropout associated with 3DS1.

Fast forward to Q1 2020, and the original September 2019 deadline for SCA has been extended. Despite the extension, many merchants had already put in a significant amount of work to get ready to use 3DS2. Despite the delay in deadlines, many of the merchants in this analysis are currently already sending a larger proportion of their traffic to 3DS, including many more genuine customers. This can partially explain why more transactions are being authenticated successfully.

3DS2 could be as good as it’s promised to be

Many of the merchants in this analysis are using 3DS2 when the issuer can support this, and only reverting to 3DS1 as a last resort. Although a lot of transactions were still authenticated using 3DS1, we know that a greater proportion of transactions analysed in Q1 2020 were authenticated using 3DS2. In contrast, almost no transactions were authenticated using 3DS2 in Q2 2019, except when some forward-thinking challenger banks were using 3DS2-style authentication methods. We can expect the move to 3DS2 to continue.

On the surface, it looks like 3DS2 could help deliver an improved user experience. Globally, the average time to authenticate has reduced from 42 seconds to 37 seconds, with the majority of the EEA countries seeing an even more dramatic improvement. Interestingly, the assumed percentage of frictionless payments (which take 5 seconds or less to authenticate) has also increased across many European countries.

This evidence of a better experience with 3DS2 is really encouraging for merchants who are currently sending or plan to send more transactions to authentication.

Consumers are more used to authentication

It’s also very likely that consumers are getting used to authenticating online more often, and have got better at doing it. This is supported by the widespread communications campaigns from issuing banks and merchants to consumers. We also saw coverage of PSD2 in the mainstream media at the end of 2019 during the peak shopping period around Christmas.

The current situation with the Covid-19 outbreak has also led to more people staying at home and a rise in ecommerce transactions. This could also mean consumers are getting more experience using different authentication methods. High demand and limited supply in some markets may also mean consumers are more invested in a purchase if they do not have the option to buy it in store or on another website, which can also improve authentication success.

We're also aware that this pressure on demand has led some merchants to restrict orders only allowing orders from low-risk regular customer accounts, and blocking or limiting orders from new accounts. This could also mean that a greater proportion of online transactions being authenticated were low risk - but as the restrictions ease up this is likely to change.

What does this mean for merchants?

The improvement in 3DS acceptance is great news for merchants!

This is especially true for merchants operating in Europe who have started the move or who have a solid strategy to move to 3DS2. It’s important to make sure that you are ready to use the most advanced 3DS2 versions as soon as possible, in order to optimise your payment authentication to get the best possible acceptance rate.

The acceptance rate for Australian-issued cards has also improved, likely as a result of the similar regulation changes. Interestingly, the 3DS acceptance rate for US-issued cards has decreased from 71% to 58%, meaning over two-fifths of payments sent to 3DS fail. This could be a result of the tightened measures elsewhere leading fraudsters to focus on the less secure US market.

It’s important to keep in mind that although the acceptance rates have improved, they are not at 100%. The global average acceptance rate of 87% means 13% (or 1 in 7) payments sent to 3DS are lost. Of course this will include some fraud, but there are also a number of factors which could be behind this other than fraud - such as customer drop off, server error, 3DS1 experience. The ultimate goal is to get as close to 100% acceptance as possible.

Even if it is a vast improvement, 3DS still carries a cost and applying it on every transaction will add up fast. Even with the improvements we’ve seen, leading merchants will benefit from using exemptions from authentication.

Next steps - keep tabs on issuers and prepare for exemptions

Issuing banks are going to be ready with the 3DS versions at different stages, and it’s critical to know what the issuer can support when sending the authentication request. For example, if you have enough data to prove a transaction is low-risk and the issuer is offering 3DS2, it’s far better to use an exemption and avoid authenticating. Likewise, if the issuer has a history of rejecting low-risk exemption requests, sending the transaction to 3DS will save you from incurring a soft-decline and speed up the checkout process.

It’s likely that exemptions will be the next big focus for leading merchants who want to optimise their authentication and derive the most benefit. It’s now common for card schemes to ask a consumer if they want to whitelist specific merchants after transactions - we expect to see more activity like this. At Ravelin, we’re busy collecting valuable issuer intelligence to inform our client’s decisions and support authentication requests with reliable data.

See the interactive map and download the full report here.