PSD2 won’t solve fraud completely. Here’s why—and what U.S. online merchants should do.
In the United States, e-commerce has surged due to the maturity of companies’ digital platforms, innovative payment models, and the ongoing impact of the pandemic. U.S. e-commerce sales are expected to reach $933.3 billion in 2021, representing 17.9% year-over-year growth and 15.3% of total retail sales.
However, online retail fraud losses are expected to top $20 billion globally in 2021, an increase of 18% over 2020.
Payment Services Directive 2 (PSD2), a European regulation, is designed to reduce online fraud by improving buyer authentication. While PSD2 primarily affects countries in the European Economic Area (EEA), it also governs any U.S. company that has European customers, is expanding into Europe, or has entities in Europe.
The regulation has already come into force in most of the EEA, with the United Kingdom pushing enforcement to March 14, 2022. Many U.S. retailers will be impacted and will need to ensure their European businesses are PSD2-compliant.
A Closer Look
Let’s take a closer look at how PSD2 impacts U.S. e-commerce firms and how it could damage these retailers if they don’t fully understand the impact of this regulation.
On the surface, PSD2 looks like a boon to U.S. retailers. The regulation introduces an obligation for strong customer authentication (SCA) to make online payments more secure. When SCA is applied, liability for fraud passes from the merchant to the card issuer, decreasing losses. But is this completely true?
Fraudsters are constantly evolving their strategies. For example, they can spoof mobile-phone numbers and provide one-time passwords, appearing legitimate to identity-verification systems. If issuers approve these transactions, they’ll issue chargebacks against merchants.
As a result, merchants will still need to shoulder some fraud costs, may be required to enter chargeback-monitoring programs, and could experience lower approval rates from banks if they develop poor risk reputations.
So PSD2 and SCA can strengthen user authentication, but they are not fraud-prevention programs. And U.S. retailers governed by PSD2 may experience other challenges.
To become PSD2-compliant, merchants must build additional identity-authentication measures into their checkout flow. Most are implementing a process called 3D Secure (3DS), a protocol that enhances security by creating a data connection for authentication. As a result, digital merchants, payment networks, and financial institutions can confirm or reject a user’s identity and share intelligence about a transaction.
Process Friction
However, 3DS can add steps for consumers. For example, 3DS may appear as a pop-up window asking consumers for an additional piece of information, and thus may not seem legitimate. Or 3DS authentication can take the form of a one-time passcode via text message that consumers must input.
If all goes well, these transactions are verified and completed. Merchants are then protected from fraud, including chargebacks for these transactions. However, in addition to potential fraud techniques that escape detection, merchants are experiencing added process friction that can result in transaction failure. In our work with global merchants, we’ve noticed that:
- Cart abandonments are increasing. E-commerce cart abandonment is already a major issue, with more than two in three consumers (69.57%) failing to complete transactions. These numbers are growing. Our research has found that 8% of willing buyers in the UK and 24% in France will abandon carts at the point of purchase due to the 3DS challenge.
- 3DS failure rates are growing. If users are unable to complete the 3DS challenge by providing the required information, the transaction will fail. Issuers may also fail these transactions if they perceive that they create undue risk. As a result, Forter has witnessed 3DS failure rates ranging from a low of 7% in France to a high of 18% in both Germany and Italy.
PSD2 is here to stay, and affected merchants must comply. However, there are ways to ensure compliance by creating less friction for the end user—while protecting your online business. Here are three strategies you can use right now to limit cart abandonment, 3DS failures, and declining authorization rates:
- Take advantage of low-value transaction exemptions. Merchants with transactions under €30 are eligible for exemptions. However, multiple orders from the same card without authentication will require SCA, limiting this exemption’s usefulness.
- Conduct low-risk transactions. Payment-service providers (PSPs) may exempt transactions from SCA if they meet regulatory determinations of being low-risk. To meet this requirement, merchants must prescreen transactions for fraud, send PSPs clean transaction traffic, and maintain good standing—a difficult, and ongoing, undertaking.
- Use delegated authentication. Merchants will soon be able to delegate consumer authentication to a third party if the third party is using the latest version of 3DS. These third parties then determine when exemptions are possible and which authentication methods to use in real time, while absorbing financial liability for any fraudulent transactions they approve.
The Options
U.S. merchants should be concerned about what PSD2 will do to their business and whether they’ll be able to evaluate the full impact of lost business, given that transactions cross payment networks. Their options are: adopt 3DS and hope for the best; add transaction screening; or simply delegate authority and responsibility to a third party.
Still, given that e-commerce is growing faster than ever, the best option for most businesses could be to partner with expert solution providers. That way, the business can focus on customer experience while a solution provider handles back-end compliance and processing.
Taking action now removes the risk of disruption for companies that are expanding globally and want to sell profitably in Europe.
—Galit Shani-Michel is vice president of payments at Forter Inc., New York, N.Y.