With PSD2, Strong Customer Authentication becomes systematic… but not for everyone!

Cyril Blondel
Updated on 23 April 2024 by Cyril Blondel
Reading Time: 4 minutes

Our advice for e-merchants to ensure their compliance, without having to use 3DS on all transactions

PSD2 adds new requirements concerning Strong Customer Authentication (like 3D-Secure), by making it mandatory for all payments!

If it was to be implemented as it stands, this measure would strongly impact the customers’ journey, and it would risk the deterioration of merchants’ conversion rates.

RTS final drafts (Regulatory Technical Standards), which will come into effect by the end of 2019, clarify the implementation modalities of the 2nd Payment Services Directive and plan specific exemption cases.

From a merchant point of view, it is urgent and essential to anticipate the impact of this new regulation, in order to maintain conversion rates and to continue to offer a seamless user experience.

How to get the exemptions planned by the RTS?

Issuers and acquirers are now the only actors able to declare these exemptions

PSD2 is planning that all transactions above €30 are to apply strong customer authentication. Exemptions can nevertheless be granted to only two types of actors, as long as they can prove their capacity to make real-time risk analysis:

  • Cards issuers (like BPCE group for instance, 1st issuer in France with 25% of cards issued and also 1st issuer in Europe for VISA cards)
  • Acquiring institutions (like Dalenys who was recently acquired by Natixis, a subsidiary of BPCE group).

After a real-time risk analysis, acquirers or issuers can declare exemptions, and thus choose to trigger or not a 3DS journey on a transaction.

Actors who are only PSP won’t be able to get exemptions

Simple PSPs (Payment Service Providers) are put aside from this responsibility and won’t be able to assist merchants in this matter! Those who devolve the collection of their transactions to more traditional acquiring banks will be totally dependent of the 3DS processing made by these actors, who are not always agile. In other words, if their acquiring partner doesn’t have real-time risk analysis tools, they will be forced to apply systematic strong authentication and to depend on another arbitration on the issuer side.

The choice of a solution like Dalenys, who is both acquirer and PSP, becomes once again more valuable to optimize merchants’ performance.

A risk-based approach to be compliant, while optimizing merchant’s turnover

A risk-based approach customized for each merchant, as offered by Dalenys, enables to avoid a systematic application of 3DS in e-commerce, and thus guarantees the best ratio between fraud prevention and conversion.

With Dalenys, this approach consists in the implementation of a mechanism called “Smart 3DS”. It means 3DS is triggered only for transactions that were detected as risky by a sophisticated rules engine combining Dalenys’s expertise – in particular data analysis – with the merchant’s experience and business specificities.

To go even further, Dalenys teams have launched a Machine Learning R&D program, which gets impressive results:  -24% of chargebacks, and a 3D Secure trigger volume divided by 4!

What are concretely the exemption cases possible with a risk-based approach?

  • For transactions under €30, strong authentication is optional (as long as the aggregation of previous transactions doesn’t exceed €100 or 5 transactions);
  • For transactions between €30 and €500, strong authentication is optional, provided the fraud rate of the acquiring or issuing bank who makes the risk analysis is under a certain threshold.*

*Tolerated fraud thresholds – source: RTS draft of 11/27/2017

Other exemption cases concern e-commerce:

  • For recurring transactions of the same amount, after a first 3DS transaction succeeded;
  • For payments towards trusted beneficiaries, whitelisted by the cardholder at his own bank (under mechanisms which remain to be further specified).

The choice of an acquirer who is agile and who is a fraud prevention expert like Dalenys becomes all the more critical, to ensure a sharp and appropriate implementation of strong authentication which protects the merchants’ interests.

3DS 2.0 protocol, successor of current 3DS, which will be deployed progressively within banks starting second semester of 2018, will offer more options to customize the authentication process, by generalizing enriched transaction data like device, delivery address… Data that are in fact already collected and used by Dalenys.

You want to know more about our payment cinematics and our fraud prevention tools? Our expert team answers all your questions, contact us: hello@dalenys.com


You are a developer, data scientist, account manager… You want to disrupt financial services with new technologies… You are convinced, like us, that payment is not just a matter of pipes but on the opposite an unlimited marketing data source. So join us! [See all available positions]

Share this article
TwitterFacebookLinkedInCopy Link

Other posts that might
interest you