By Ralf Gladis, CEO, Computop
The digital payment landscape hit a milestone in October. From the middle of the month, leading credit card companies including Visa and Mastercard stopped accepting 3-D Secure (3DS) version 1 transactions across the world. This is the final nail in the coffin for 3DS1, which in the UK was phased out in March, in a global move to improve security and enhance frictionless online and in-store shopping experiences for consumers.
The move to 3DS2, the main method of card authentication used to meet the Strong Customer Authentication (SCA) requirements under the second Payment Services Directive (PSD2), has already seen a 73% decline in online payment fraud, according to a recent report on SCA from Barclaycard. However, the same report found that 28% of businesses are still not fully compliant with the regulation, and Barclaycard's own data shows that £2.07 million in sales are being declined daily because payments are routed through non-secure channels.
Retailers have had a long time to prepare for 3DS2. In May 2021, the Financial Conduct Authority extended its compliance deadline by six months, on top of an earlier six-month extension, owing to the impact of the pandemic. While it said it still expected firms to take robust action to reduce the risk of fraud, it wanted to minimise disruption to customers and merchants.
Why is 3DS2 important?
3DS2 is aimed at improving consumer rights and enhancing online security, and it delivers significant advantages to both retailers and customers. It relies heavily on two-factor authentication for each transaction, based on the use of two or more elements from the following categories: ‘knowledge’, something only the user knows, such as a password; ‘possession’, something only the user has, such as a smartphone; and ‘inherence’, something that is a personal or physical attribute of the user, such as a fingerprint or retina. The elements used must be independent of each other, so that compromising one does not compromise the other.
From a security perspective, a password can be captured in a phishing attack and a smart device can be stolen, but a biometric feature is bound to the person, which is why biometrics make a major contribution to the secure payment process and are vital to 3DS2.
Reasons for compliance
It has clearly been a challenge for many merchants to invest the time and money in the resources that are needed to comply with the protocol, and it is not surprising that so many are still struggling to administer it correctly. What retailers need to consider now is the balance between the perceived inconvenience and cost of 3DS2 and the very real prospect of losing precious sales.
The other issue that non-compliant retailers face is reputational damage. Customers whose payments are refused because a retailer is not compliant will not hesitate to take their business elsewhere, and if they vent their frustration online, the ripple effect could be devastating.
Retailers who are compliant are reporting significant drops in fraud since the rollout, according to the Barclaycard study, and because consumers in the UK have become accustomed to two-factor authentication during transactions, fewer are abandoning online baskets, which, in turn, is increasing sales.
It is important for compliant retailers to supply as much information as possible to enable frictionless checkout. Rather than returning only the basic data points that 3DS2 demands, retailers who include more data in their payment string are rewarded with less frequent authentication challenges. It may require a few further tweaks to their ERP and shop systems, but in the long run, and to encourage more conversions, it is worth it.
Exemptions are few
While 3DS2 itself is not mandatory in the UK, SCA is, and 3DS2 is regarded as the easiest and most effective way to comply with it. For retailers who are still resisting compliance, it is worth knowing which payments are exempt – although these are few. They include: merchant-initiated transactions, which are initiated by the retailer at a later date with the consumer’s consent; low-value payments under £45, but only if the retailer does not ordinarily struggle with fraud, or its payment service provider has demonstrably low levels of fraud on its platform; payments to a site that a consumer uses regularly, for example for a weekly grocery shop, and has ‘whitelisted’ with their bank; corporate payments made between companies, but not those made by individuals or with cards issued to employees; and direct debits, such as subscription payments, which typically require SCA only for the first payment.
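To make the two rule sets above concrete (the independent-category requirement for SCA factors, and the short list of exemptions), the following Python is an added, constructed example and not Computop's code or any scheme's reference logic. It assumes that the merchant already knows whether it or its PSP qualifies as low-fraud (a flag here, a fraud-rate measurement in practice), and it treats an exemption as something the merchant may request, not something the issuer is bound to grant.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import Iterable, Optional, Tuple

# Constructed example: thresholds and rule shapes follow the article's
# summary of UK SCA exemptions. Real decisions are made by the acquirer
# and issuer, and an issuer may still insist on authentication.

LOW_VALUE_LIMIT_GBP = Decimal("45")  # article: low-value payments "under £45"


class Factor(Enum):
    """The three SCA categories; two elements from one category do not count."""
    KNOWLEDGE = "knowledge"    # e.g. a password
    POSSESSION = "possession"  # e.g. a registered smartphone
    INHERENCE = "inherence"    # e.g. a fingerprint


@dataclass
class Transaction:
    amount_gbp: Decimal
    merchant_initiated: bool = False   # MIT, with the consumer's prior consent
    whitelisted_by_consumer: bool = False  # consumer trusted this merchant at their bank
    corporate_card: bool = False       # company-to-company payment, not an employee card
    recurring: bool = False            # subscription / direct debit series
    first_in_series: bool = True       # the first recurring payment still needs SCA
    merchant_low_fraud: bool = False   # assumed input: merchant or PSP is demonstrably low-fraud


def exemption_for(tx: Transaction) -> Optional[str]:
    """Name the exemption the merchant could request, or None if SCA is needed."""
    if tx.merchant_initiated:
        return "merchant_initiated"
    if tx.recurring and not tx.first_in_series:
        return "recurring_subsequent"
    if tx.corporate_card:
        return "corporate_payment"
    if tx.whitelisted_by_consumer:
        return "trusted_beneficiary"
    # The low-value exemption is conditional on the fraud record, not just the amount.
    if tx.amount_gbp < LOW_VALUE_LIMIT_GBP and tx.merchant_low_fraud:
        return "low_value"
    return None


def sca_satisfied(presented: Iterable[Factor]) -> bool:
    """True only if the presented elements span at least two distinct categories."""
    return len(set(presented)) >= 2


def route(tx: Transaction, issuer_soft_declined: bool = False) -> Tuple[str, str]:
    """Decide the first step for a transaction.

    issuer_soft_declined models the case where an exemption was requested and the
    issuer answered that it wants authentication anyway; the right response is to
    re-submit through 3DS2, not to abandon the sale.
    """
    exemption = exemption_for(tx)
    if exemption is not None and not issuer_soft_declined:
        return ("request_exemption", exemption)
    return ("authenticate", "3ds2")


if __name__ == "__main__":
    weekly_shop = Transaction(Decimal("62.10"), whitelisted_by_consumer=True)
    print(route(weekly_shop))                        # ('request_exemption', 'trusted_beneficiary')
    print(route(weekly_shop, issuer_soft_declined=True))  # ('authenticate', '3ds2')
    print(sca_satisfied([Factor.KNOWLEDGE, Factor.KNOWLEDGE]))  # False: same category twice
```

The `sca_satisfied` check is the part most often got wrong in practice: a password plus a security question is still a single knowledge factor, while a one-time code delivered to a registered handset combined with a fingerprint covers two categories.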
Seismic impact on consumer payments
In the broader ecosystem it is not only retailers but also payment service providers and banks that have had to make changes to accommodate and support 3DS2. It is widely acknowledged that this introduction has been as seismic for consumer payments as Chip & PIN was when it arrived in the UK in 2006. That is why there have been delays, and why the FCA has been lenient in forcing all parties to comply. Ultimately, however, 3DS2 is designed to benefit consumers and retailers alike. It promises to drastically reduce fraudulent payments and make shopping a safer experience, so it is vital that the 28% of businesses that are still not fully on board take the final steps before their sales start to plummet and customers begin to question why their payments are being declined.