There’s not long to go now until the deadline for the Second Payments Directive (PSD2). Like it or not, online sellers are facing the reality of forced authentication on most payments from customers.
This is a complete reversal of the current situation. Now, sellers are only sending the very highest fraud risk payments to authentication, after 14th September they will only be able to avoid authentication on payments with the least risk.
Many online sellers are concerned about the added friction of authentication costing them business. Rightly so… one in five payments authenticated through 3D Secure is lost.
Smooth, sensible authentication is on the horizon
To achieve better security without making a huge dent in the online economy, the method for authentication is getting an upgrade to 3D Secure 2. The newest version will enable exemptions from authentication, allowing you to avoid adding friction for your genuine customers.
But this is still a long way off, and heavily dependent on card issuer actions. At Ravelin, we’re only expecting card issuers to support specific exemptions from late 2019 or maybe even later. Three different versions of 3DS will coexist until the end of 2020 with a wide variation in adoption until then.
So what should you do in the meantime to manage the next 12-18 months of uncertainty?
For now, watch how issuers handle payments
Until you have full access to exemptions, you need a short-term strategy. As the card issuer has the final say on payment authorization, knowing how they’re likely to act will be critical to giving customers a smooth journey.
Immediately after the deadline, card issuers are likely to either put a blanket authentication requirement on everything, or simply carry on as normal. If a card issuer accepts your authorization without authentication, they have given an implicit exemption on that payment.
At first, we’re expecting most issuers to be at either end of the scale.
Exemptions won’t be relevant until later, so the best course of action is to straight authorize and avoid authenticating as many payments as possible.
But - if you try to authorize a payment and the issuer soft-declines and requests authentication, this gives your customer a bad experience, plus it might end up costing you more. How can you make sure you authenticate only the right payments before an issuer forces your hand?
Keep an eye on how individual issuers handle payments and avoid unnecessarily asking genuine customers to authenticate. Closely monitor and report on your authorisation acceptance rates by card issuer so you can stay ahead of their changing behavior trends.
Of course, issuers will gradually move into the middle ground - the grey area between authenticating everything or nothing. When these issuers do start changing how they handle payments, you need to make sure you avoid a rise in soft declines.
2020 and beyond: what’s the future for payment routing?
Over time, things will become less black and white as issuers establish which payments they’ll require authentication for. After the dust settles on PSD2, you want to use the authentication method with the least possible friction every time.
As issuers migrate to a new 3DS version, you need to know as soon as possible so you can start sending all the extra data and using exemptions as soon as you can. Leading businesses will be keeping a close eye on issuers and preparing for the changes early on. To learn more about how we’re collecting issuer intelligence and optimizing payment routes check out Ravelin Accept.
The forced authentication under PSD2 will have a huge effect on the EU’s 300 million online shoppers, and the online businesses that serve them. These tighter controls will also cause a ‘Frexit’: a ripple effect as fraudsters move to the easier targets of less secure payments made by non-European issued cards.
As the deadline approaches, have you done all you can to prepare your business for the change?