Blog

PSD2 SCA Deadline Nears: How to Comply Using 3DS2 and Phone-Centric Identity™

Post by:
Prove
February 17, 2021
PSD2 SCA Deadline Nears: How to Comply Using 3DS2 and Phone-Centric Identity™

As the end of 2020 draws near, banks and payment service providers in the European Union face yet another PSD2 deadline. Full enforcement of the much-debated Strong Customer Authentication (SCA) across the region will begin from January 1, 2021*. This implementation comes under extraordinary circumstances caused by the pandemic. Much of Europe has moved into another phase of lockdowns, causing a shift in shopping behavior from brick-and-mortar to digital. The change in purchasing habits has also brought in several first-time online shoppers.

As the end of 2020 draws near, banks and payment service providers in the European Union face yet another PSD2 deadline. Full enforcement of the much-debated Strong Customer Authentication (SCA) across the region will begin from January 1, 2021*. This implementation comes under extraordinary circumstances caused by the pandemic. Much of Europe has moved into another phase of lockdowns, causing a shift in shopping behavior from brick-and-mortar to digital. The change in purchasing habits has also brought in several first-time online shoppers.

The questions that are top of mind for merchants, payment processors, and banks are:

  1. Are we SCA-compliant?
  2. How can we ensure high transaction success rates while enforcing multi-factor authentication?
  3. Have we done enough to ensure very low fraud levels to be eligible for higher SCA exemptions?

There are widespread concerns about SCA implementation resulting in transaction declines and creating friction in the payment experience. A combination of 3DS2 and mobile-intelligence-based identity resolution could be the solution to several of these challenges.

SCA Compliance Challenges

While SCA’s fundamental principle is to enhance the security of payment transactions through multi-factor authentication (MFA), it indirectly creates barriers to a smooth consumer purchase experience. Multi-factor authentication (MFA) follows the principle of using multiple user inputs to approve sensitive transactions. These factors are:

  1. Knowledge: Something that a user knows, e.g., PINs and passwords
  2. Possession: Something that a user has, e.g., a device, a token (could be hardware or software)
  3. Inherence: Something that the user is, e.g., biometrics, behavioral characteristics

SCA mandates the use of at least two of the three factors above for all online transactions that exceed certain exemption thresholds (less than or equal to €30 or a cumulative total greater than €100 for unauthenticated transactions). In addition, fraud rates for specific transaction categories as prescribed by the directive’s Transaction Risk Analysis rules determine the eligibility for higher exemption thresholds of up to €500. The onus of performing this risk analysis lies with the issuing and acquiring banks. Given these strict conditions, many digital transactions are likely to breach the exemption threshold and are bound to be challenged with stronger authentication.

Suffice to say that it is in banks and payment processors’ interest to qualify for higher exemption thresholds and ensure higher approval rates without the need for step-up authentication.

SMS-based one-time passwords (OTPs) are arguably the most preferred mode of strong authentication, followed by biometrics considering their ubiquity on mobile devices. A combination of the two is emerging as the most common method of SCA compliance. However, the fact that many consumers do not have their mobile numbers updated in their banking records is likely to complicate SCA implementation. The outcomes are expected to be higher transaction decline rates and an overall erosion of user experience.

All participants in the payments value chain, such as merchants, payment service providers, and issuing & acquiring banks, need to mitigate this issue actively.

A slowdown in cross-border commerce within the region and lack of resources forced by the pandemic negatively impacted compliance efforts during most of 2020. In May, representing consumers, merchants, and other participants in the ecosystem, Payments Europe requested the European Banking Association and the National Competent Authorities to extend the deadline, citing unsatisfactory readiness. In Oct, an Amadeus survey concluded that only a third of the travel industry would be able to meet the current deadline.

An Optimal Solution Using Phone-Centric Identity™ and 3DS2

Is there a way to achieve all aspects of SCA compliance without having to sacrifice transaction completion rates and customer experience? The answer lies in how data can be best leveraged to make an effective transaction-level risk assessment.

The main focus of organizations falling under the purview of PSD2 should be to minimize the need for SCA by fully leveraging all provisions in the directive that allow exemptions. At the same time, transactions, where SCA is invoked, must remain frictionless from a user experience perspective.

There are two broad paths that banks (both acquiring and issuing) and merchants should take to ensure the optimal balance between security and user experience:

  1. Support 3DS2 protocol in their workflows to ensure compliance and yet retain a smooth purchase experience
  2. Reinforce identity authentication using mobile intelligence to establish identity

3DS2 to Drive Frictionless and Modern Authentication Experiences

The 3DS2 protocol is an upgrade from 3DS1, which has been in existence for the last two decades. Designed to remove friction from the payments flow, 3DS2 collects and transports 10X more data and supports in-app authentication. In the past, the absence of granular data prompted most issuers to err on the side of caution and decline genuine transactions. With far more data available to assess the authenticity of a transaction and its initiator, 3DS2 can reduce the volume of false declines dramatically.

According to VISA, the adoption of 3DS2 can reduce cart abandonment by 70% and reduce checkout time by 85%.

3DS2 also removes consumers’ need to pre-register their cards and credentials, which is a common barrier to clean transaction approvals. 3DS2 is also designed for mobile-first experiences. This means that additional inputs required from the consumer in the form of a one-time password or a biometric scan can be completed in-app without the need for clumsy redirections, as was the case with 3DS1.

In summary, the design of 3DS2 makes the implementation of two types of payment transaction flows possible, both fully compliant with PSD2 SCA norms:

  1. A ‘frictionless’ flow without stepped-up authentication for transactions not requiring an SCA and
  2. A ‘challenge’ flow that requires strong authentication while retaining a native in-app experience

Reinforcing Authentication Using Mobile-Related Parameters

A recent study by Prove establishes how MFA-protected FinTech transactions carry 2X higher risk than the average risk level across all industry verticals. One of the most significant contributors to this low level of trust is the risk of SIM swap-related fraud. SIM swap is now a standard modus operandi of fraudsters to steal identity, and it can go undetected despite having step-up authentication in place. The eventual outcome is potentially higher fraud levels despite SCA compliance.

Higher fraud rates would imply a higher number of transactions being subject to step-up authentication. Therefore, banks must have a robust risk-scoring model to ensure stringent fraud assessment while minimizing false declines and maximizing transaction approvals.

Mobile device and carrier data-related intelligence play a vital role in this reinforcement. This model may analyze behavioral and phone intelligence signals to measure the fraud risk and identity confidence of a potential transaction. Such an approach will thwart SIM swap fraud and other account takeover schemes. It can keep SCA-invoking fraud levels well below the regulated thresholds, thereby making acquirers and issuers eligible for higher SCA exemptions.

Conclusion

Successful and non-disruptive compliance with PSD2 SCA is all about maintaining the optimal balance between security and frictionless user experience. 3DS2, in combination with risk analysis augmented by mobile intelligence, is an optimal solution for compliance. At the same time, it ensures that the purchase experience is frictionless, and the incidence of stepped-up authentication for payment transactions is kept at a minimum. Merchants would like to ensure higher transaction approval rates without stepped-up authentication and thereby lesser purchase abandonment. It is imperative that acquiring and issuing banks have the best transaction risk analysis infrastructure in place to meet the desired objectives of both merchants and consumers.

For more information on fulfilling SCA through 3DS2 and phone-centric identity, click here.

*With the exception of France and the UK, which have an extended deadline until March 2021 and September 2021, respectively.

Create secure frictionless customer experiences using modern identity solutions

Join 1,000+ companies and 500 banks, including 9 of the top 10 US financial institutions, that are already using Prove to accelerate revenue, mitigate fraud, and enhance customer experience. Contact us today.

Accelerate your onboarding

Contact us to learn how leading companies are using Prove Pre-fill to modernize the account creation process by shaving off clicks and keystrokes that kill conversion.

Create frictionless customer experiences

Get in touch to find out how we can help you identify your customers at every stage of their journey and offer them seamless and secure experiences.

Schedule a demo

Let our expert team guide you through our identity verification and authentication solutions. Select a date and time that works for you.

Schedule a demo

Find out how we can help you deliver seamless and secure customer experiences that comply with PSD2/SCA. Select a date and time that works for you.