New PSD2 regulation and strong authentication

Cyril Blondel
Updated on 23 April 2024 by Cyril Blondel

How can you ensure a smooth and secure payment experience in a post-RTS context?

Sasha Pons, Chief Product Officer at Dalenys and Thomas Roth, Head of Fraud and Risk Management at Natixis Payments, share their advice and recommendations for a successful PSD2 migration. They had the opportunity to discuss this topic in the webinar held on 6 April on the initiative of Mercatel and the FEVAD (French commerce organisations). You can catch up with the webinar (in French) using this link.

PSD2 is now coming into full force!

PSD2 (Payment Services Directive 2) is the new European regulation to strengthen the security of online payments and bank transactions. PSD2 is taking full effect in France from 15 May 2021 with the aim of tackling payment fraud as e-commerce continues to expand significantly.

As well as ushering in a paradigm shift, as authentication requests are now initiated by issuers and no longer by merchants, PSD2 will also have key strategic implications.

“It’s time for online merchants to migrate to PSD2 to provide the most seamless customer experience possible”, says Bertrand Pineau, who is responsible for consulting and oversight of e-commerce, m-commerce and electronic payments at the FEVAD.

Challenges and implications of PSD2

The PSD2 implementation texts raise three major issues:

  • The creation of a strong authentication mechanism for all payments
  • 3DS v2 and dual authentication are becoming the norm
  • Authentication using 3DS is taking effect on the initiative of the issuing bank (the cardholders’ bank)

Strong authentication is becoming mandatory for all transactions, with two factors among possession (what the customer has), knowledge (what they know) and inherence (what they are).

“We are now at a turning point because from 15 May, all transactions will undergo strong authentication”, Thomas Roth, Head of Fraud and Risk Management at Natixis Payments.

As an e-commerce player, it’s now time to take into account the three main implications of this change for your business:

  • a sharp increase in the volume of transactions requiring authentication
    “Based on our projections, we are looking at an increase of around 40%”
    Sasha Pons, CPO at Dalenys
  • authentication inevitably makes the customer journey more complex and adds friction
  • SCA (strong customer authentication) can negatively impact your turnover by 10% or even 15%¹

New authentication methods are now required to approve transactions: online banking app tokens, passwords, temporary codes, voice recognition, fingerprints, etc. on various devices (PC, smartphone, tablet, etc.).

“[The new authentication methods] have to be accepted by both customers and merchants. Yet we are currently seeing that this is causing a 10-15% loss of revenue”. Sasha Pons, CPO at Dalenys

The arrival of soft declines

PSD2 gives banks the ability to refuse unauthenticated transactions using two mechanisms: hard declines and soft declines. The soft decline - a less final refusal - has been used as a model to allow merchants to deal with the transition period.

From 15 May 2021, soft decline is becoming the rule for every transaction that has not been subject to strong authentication.

How does the soft decline affect merchants²?

  • In 74% of cases, soft declines result in hard declines; the transaction is then lost
  • For the remaining 26%, the request is submitted again using a “retry” mechanism, this time with 3DS authentication. The transaction is then accepted.
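The retry flow described above, as an added example that is not part of the original article: an unauthenticated attempt that is soft-declined is resubmitted once with 3DS authentication, and a hard decline is never retried. The `authorize` and `authenticate_3ds` callables, the status strings and the stub issuer are hypothetical stand-ins for a PSP integration.

```python
from dataclasses import dataclass, field

APPROVED, SOFT_DECLINE, HARD_DECLINE = "approved", "soft_decline", "hard_decline"

@dataclass
class Payment:
    order_id: str
    amount_cents: int
    attempts: list = field(default_factory=list)  # audit trail of (step, status)

def pay(payment, authorize, authenticate_3ds):
    """Try without 3DS first; on a soft decline, retry once with 3DS.

    authorize(payment, auth_proof) -> status string (hypothetical PSP call)
    authenticate_3ds(payment) -> proof dict, or None when the customer fails
    or abandons the challenge (hypothetical).
    """
    status = authorize(payment, None)
    payment.attempts.append(("no_3ds", status))
    if status != SOFT_DECLINE:
        return status                    # approved or hard decline: final
    proof = authenticate_3ds(payment)
    if proof is None:
        payment.attempts.append(("3ds", "abandoned"))
        return HARD_DECLINE              # the soft decline becomes a lost sale
    # Only accept a proof issued for this exact order and amount.
    expected = (payment.order_id, payment.amount_cents)
    if (proof.get("order_id"), proof.get("amount_cents")) != expected:
        payment.attempts.append(("3ds", "proof_mismatch"))
        return HARD_DECLINE
    status = authorize(payment, proof)
    payment.attempts.append(("retry_3ds", status))
    # One retry only: a second soft decline is treated as final.
    return APPROVED if status == APPROVED else HARD_DECLINE

# Constructed issuer stub: soft-declines anything that arrives without proof.
def demo_issuer(payment, auth_proof):
    return APPROVED if auth_proof else SOFT_DECLINE

# Constructed 3DS stub: the customer always completes the challenge.
def demo_3ds(payment):
    return {"order_id": payment.order_id, "amount_cents": payment.amount_cents}

if __name__ == "__main__":
    p = Payment("order-1", 4999)
    print(pay(p, demo_issuer, demo_3ds), p.attempts)
```
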

3DS v1 and 3DS v2 authentication

3DS authentication is yet to make its mark

According to figures compiled by Natixis Payments, only 0.08% of transactions over €2,000 were subject to 3DS1 authentication.

Transaction breakdown by range

Amount range        Share of transactions
< €100              86.71%
€100 to €250        9.50%
€250 to €500        2.33%
€500 to €1000       1.05%
€1000 to €2000      0.33%
>= €2000            0.08%

Furthermore, since October 2020, “We have seen that the risk of transactions being refused is increasing over time”. Thomas Roth, Head of Fraud and Risk Management at Natixis Payments.

Figure: increased use of soft declines issued by BPCE

Moreover, we can see 3 trends in overall CITs (Customer Initiated Transactions)¹:

  • 68% of transactions are unauthenticated
  • 25% are authenticated with 3DS v1
  • Only 7% are authenticated with 3DS v2

This means that 68% of transactions will have to migrate to the new authentication scheme in order to comply with PSD2.

Migrating to 3DS v2 – a key priority

Authentication using 3DS v1 protocol will end in 2022. It is therefore time to migrate to 3DS v2 which is a solid and efficient system.

There are three questions to take into account:

1. Will it still be possible to perform unauthenticated transactions (without 3DS)?
Yes, but 100% of transactions will be subject to soft declines.

2. How can I get an exemption?
Only 3DS v2 allows you to avoid friction in the customer journey.

3. Will it be more expensive to keep 3DS v1?
Yes, there will be a higher cost premium which is already in place.

“Since 1 January this year, the cost of using v1 is already 3 times higher. This cost is being passed on in the fees paid by merchants”. Sasha Pons, CPO at Dalenys

How to successfully migrate from 3DS v1 to 3DS v2?

As a merchant, now is definitely the time for you to prepare your migration. How can you do this? 

Send the issuer the right data:

  • consumer: billing/shipping address, email, phone number
  • behaviour: type of items in the basket, age of the customer account, etc.
  • device: IP address
  • merchant scoring

The v2 protocol supports an additional 150 data points that can be sent to the issuer. But it is not yet able to fully process them. That’s why at Dalenys we recommend selecting the most efficient and targeted data to send to the issuer.

Sasha Pons
Chief Product Officer @Dalenys

Indicate your preference between:  

  • challenge - you ask for the transaction to be authenticated
  • frictionless - you want the transaction to go through without 3DS authentication
  • “no pref” - you leave it up to the issuer

Of the merchants who are customers of the Dalenys platform²:

  • 43% request challenges
  • 29% state “no pref”
  • 28% ask for frictionless

Another key figure is that when a merchant sends a “no preference” request, 67% of transactions are challenged by the issuer.

Exemptions to PSD2 are possible

In addition to the TRA (Transaction Risk Analysis), which is the main lever for PSD2 exemption adopted by the issuer, there are also other exemption criteria:

  • recurring payments
  • small amounts (i.e. under €30) are exempt from PSD2

For the TRA, it is important to comply with certain fraud rate thresholds which can be found in this article.

PSD2 and strong authentication: best practices to stay on top

So it’s time to get ready. How can you do this?

  • Test and migrate
      1. start collecting data in 3DS v2 and make sure the fields are integrated by your PSP/PAT
      2. test by creating a test account
      3. gradually send transactions through the new flow
  • Monitor and measure the impact on your business

There are several key data points to monitor closely in this respect:

  1. current rate of soft declines with 3DS v1
  2. percentage of frictionless transactions with 3DS v2
  3. merchant fraud rate
  4. acceptance rate
  5. ratio of soft declines to hard declines
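One way to compute these five indicators from a transaction export, as an added example that is not part of the original article. The record layout and sample rows are constructed, and two definitions are assumptions: the fraud rate is taken by value over approved transactions, and the soft-to-hard ratio is a simple count ratio.

```python
# Constructed sample export; field names and values are assumptions.
FIELDS = ("protocol", "flow", "result", "amount", "fraud")
ROWS = [
    ("none", None,           "soft_decline",  40.0, False),
    ("none", None,           "approved",      10.0, False),
    ("3ds1", "challenge",    "approved",     100.0, False),
    ("3ds1", "challenge",    "soft_decline",  50.0, False),
    ("3ds1", "challenge",    "hard_decline",  60.0, False),
    ("3ds1", "challenge",    "approved",      90.0, True),
    ("3ds2", "frictionless", "approved",     200.0, False),
    ("3ds2", "frictionless", "approved",     100.0, False),
    ("3ds2", "challenge",    "approved",     500.0, False),
    ("3ds2", "challenge",    "hard_decline",  75.0, False),
]
TXNS = [dict(zip(FIELDS, row)) for row in ROWS]

def pct(part, whole):
    """Percentage rounded to 2 decimals; None when there is no denominator."""
    return round(100.0 * part / whole, 2) if whole else None

def count(txns, key, value):
    return sum(1 for t in txns if t[key] == value)

def psd2_kpis(txns):
    v1 = [t for t in txns if t["protocol"] == "3ds1"]
    v2 = [t for t in txns if t["protocol"] == "3ds2"]
    approved = [t for t in txns if t["result"] == "approved"]
    soft = count(txns, "result", "soft_decline")
    hard = count(txns, "result", "hard_decline")
    fraud_value = sum(t["amount"] for t in approved if t["fraud"])
    return {
        # 1. soft declines among transactions sent with 3DS v1
        "soft_decline_rate_3ds1_pct": pct(count(v1, "result", "soft_decline"), len(v1)),
        # 2. frictionless share of 3DS v2 transactions
        "frictionless_rate_3ds2_pct": pct(count(v2, "flow", "frictionless"), len(v2)),
        # 3. fraud rate by value (assumed definition)
        "fraud_rate_pct": pct(fraud_value, sum(t["amount"] for t in approved)),
        # 4. approved transactions over all attempts
        "acceptance_rate_pct": pct(len(approved), len(txns)),
        # 5. count of soft declines per hard decline (assumed definition)
        "soft_to_hard_ratio": round(soft / hard, 2) if hard else None,
    }

if __name__ == "__main__":
    for name, value in psd2_kpis(TXNS).items():
        print(f"{name}: {value}")
```
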

Another key to a successful migration: communicate with your customers about the changes relating to PSD2. This will result in better customer engagement and show that you are proactive.

For more information, see also the Practical Guide to PSD2 Migration.

¹ Source: Natixis Payments Data - March 2021
² Source: Dalenys Merchant Data - March 2021
