Following the “PSD2 as seen by an acquirer and an issuer” webinar on 11 February, this article presents the highlights from the session. Find out key figures and practical advice for optimising your conversion with our two experts: Sasha Pons, Chief Product Officer at Dalenys, and Thomas Roth, Head of Fraud and Risk Management at Natixis Payments.
NB: the dates have been updated since the webinar in order to take account of the Payment Method Security Observatory calendar, which indicates new levels of soft declines in France.
Stepping up efforts to tackle fraud: PSD2 matters and timetable
Amid a rise in e-commerce, authorities have had to scale up their fight against fraud. The PSD2 brings two major developments:
- First, we are shifting from an obligation of means to an obligation of results, being required to comply with fraud rate thresholds.
- Second, it is no longer the merchants who are in control, but the issuers who decide to apply strong authentication.
Fraud rate thresholds to comply with
With the publication of this new PSD2 regulation, the idea of strong authentication has evolved with the new 3DSv2.1 protocol, and the fraud thresholds are now as follows:
Migration to Strong Authentication: Deployment of soft decline in France
Focus on soft declines of transactions
With the increasing implementation of soft declines, some acceptance platforms have reacted and are now offering “retries”, whereby the rejected transaction is resubmitted while directly including 3D Secure authentication. But not all of them do, far from it: out of 100 soft declines, only 18 undergo retries (Natixis data, January 2021). Of the remaining 82%, customer journeys are therefore random, with inevitably complex workarounds needed to finalise and approve the transaction.
“At Dalenys, 100% of soft declines are retried. Thanks to this mechanism, the acceptance rate remains positive: at 81.49%”, Sasha Pons announced.
To find out more about Dalenys’ soft retry mechanism, read this article.
Practical tips for optimising the relationship between fraud prevention and conversion
Positions to adopt depending on the transaction
Merchants may choose to notify the issuer of their preference for each transaction they receive, based on their fraud analysis. There are three possible positions:
- “no preference”: I let the issuer decide
- “challenge”: I want the transaction to be challenged with strong authentication
- “frictionless”: I would like a frictionless transaction
Merchants’ choice in January 2021
Today (editor’s note: January 2021), 67% of transactions are subject to a “no preference” position. It is in the merchant’s interest to indicate “no preference” when they have no opinion, and “challenge” where they have doubts as to the customer’s legitimacy. The merchant will only be liable for fraud if they ask for “frictionless” and if this is granted by the issuer.
“No preference” on the other hand means the issuer is doubly penalised: you ask it for an exemption, and ask it to take financial responsibility for the transaction”, Thomas Roth pointed out, speaking from his perspective as an issuer.
As the fight against fraud becomes tougher, it is logical to expect a migration of fraud patterns, to which close attention must be paid. There will be more “friendly fraud” and more fraud carried out with non-European cards (since PSD2 is for European cards). To find out more about friendly fraud, read our article.
- The cost
Authentication has a cost for both the issuer and the merchant. Costs of authentication through card networks are increasing, and fees on 3DSv1 have been raised, which serves as an incentive to move to V2.
There are several levers to optimise seamless authentication:
- Make sure you benefit from a retry in the event of a soft decline
- Give your preference (frictionless/challenge/no preference)
- Enrich the data exchanged with your PSP
- Properly label your transactions to benefit from the exemptions associated with transactions outside the scope of PSD2 (MIT – Merchant initiated transaction, or MO/TO – Mail Order/Telephone Order).
To optimise conversion, frictionless is key: the authentication channel is used, but the cardholder is not challenged. Here we’re talking about the TRA (Transaction Risk Analysis) lever: this is the final lever to be enabled once the others have been used.
Innovations at the service of PSD2: Machine Learning and frictionless guaranteed
Natixis is equipped with Machine Learning, carrying out cluster-by-cluster analyses so as not to erroneously reject transactions. This work is carried out with the “Data X-HEC Business Analytics for Future Banking” chair, as part of a case-study challenge involving 50 students.
“The work on machine learning authorisation allows us to project ourselves in this authentication loop, with impressively accurate results. There is still a way to go on this challenge, but we are well underway”, Thomas Roth said enthusiastically.
Natixis Payments handles more than 2 billion transactions each year, all of which are subject to the real-time Machine Learning system.
The links between the Groupe BPCE and Dalenys create an interesting position.
“This allows us to be more creative in helping merchants ensure this rate of frictionless and, in turn, their conversion. Innovative projects are being set up to exchange data between the merchant and issuer (cardholder and payment context information)”, stated Sasha Pons.
The teams are currently testing kinematics to avoid the 3DS flow, which would be exchanged directly with the issuer, rather than via traditional protocol channels.
“Guaranteed frictionless is made possible thanks to this two-fold analysis of the transmission platform and acceptance platform”, Thomas Roth summarised.
Thanks to its control over the entire payment value chain, the TRA analysis carried out on the merchant side is given an immediate response from the issuer, enabling it to offer the highest number of frictionless payments.
“All of our work ultimately focuses on conversion, with a view to identifying all possible blocks from issuers. We believe that the TRA initiatives – with the support of Data – will enable us to ensure simple and secure payments for our customers in the vast majority of cases in the future. Amid a new regulatory framework, our challenge is to optimise the Fraud / Customer Journey / Transformation triangle for the merchant”, Thomas Roth concluded.
Lastly, below is a check-list for merchants to be proactive in their fight against fraud:
- Decide whether the risk analysis will be internal or external (PSP, Technical Acceptance Provider (TAP), other stakeholders, etc.)
- Gradually migrate to 3DS v2
- Start collecting data in 3DS v2 mode
- Ensure that your PSP/TAP integrates the new 3DS v2 fields
- Gradually send transactions through these new flows.
- Follow the evolution of soft declines and their impact on the acceptance rate.
- Identify applicable exemptions.
See also our PSD2 dedicated webpage: http://dalenys.annarenaudin.net/fraud-management/fraud-and-psd2/