Is your payments provider 3DS2 ready?

As the mid-September deadline fast approaches, there has been a lot of talk about the EU Payments Services Directive (PSD2) and how it will impact merchants and shoppers alike. The directive is broad, and one area of interest is how strong customer authentication can reduce fraud without disrupting shoppers’ user-experiences.

While the intention is to improve consumer protection by closing a number of loop-holes currently exploited by fraudsters, the fear is that if shoppers are required to use two-factor authentication by providing something they ‘are’ (facial or fingerprint recognition), something they ‘have’ (a card) and something they ‘know’ (a password) for every transaction, that there will be an increase in cart abandonment, which will cost merchants money.

But this doesn’t have to be the case. 3D Secure 2 (3DS2), the new EmvCo standard for securing ‘card not present’ transactions, introduces “frictionless authentication” as a way to mitigate this risk. By allowing merchants to send more payment-specific data with each transaction (shipping address, device data, transaction history, etc.) and using smart technology like AI and ML, it is possible to create exemptions that will ensure a frictionless payments experience most of the time.

Another key feature offered by the new 3DS2 standard is the seamless user experience. Merchants can now integrate the standard into native Mobile experiences without the fear for drop-offs due to a bad UX. Payment Service Providers (PSPs) must be able to adapt their APIs in order to facilitate this integration. 3DS2 enables you to also be acquirer agnostic. Merchants can authenticate their transactions with one acquirer, through a PSP, while authorising it with another acquirer, using a different PSP.

But as PSPs are preparing to roll out 3DS2 compliant capabilities in line with Strong Consumer Authentication (SCA) rules, it has become apparent that there are still a number of hurdles that need to be overcome. In a recent press release, the European Banking Authority (EBA) confirmed that ‘national competent authorities (CAs) may decide to work with PSPs and stakeholders such as merchants and consumers to provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA... and acquirers to migrate their merchants to solutions that support SCA’.

So, let’s get back to the exemptions that will make sure that consumers are not negatively impacted by all these changes, because they allow a frictionless and seamless experience for the shopper.

Exemption acceptance policies can be applied by the issuer, but this may not be standardised. An easier way for merchants to ensure frictionless shopping for all the consumers, regardless of which issuer they use, is to use an exemption service from their selected payment service provider.

When evaluating a PSP exemption service and payment filtering capabilities, there are a number of factors to consider:

- Is the exemption service cognitive? The use of Machine Learning and AI to process risk analysis requires a large data set, so PSPs need to either hold that data or have access to it, in order to ensure accurate predictive models.
- What payment methods is each acquirer willing to accept? Does the PSP exemption service cover all the nuances between issuers?
- Does the PSP provide a simple way (like and SDK for example) for merchants to collect and store the device data necessary on behalf of the merchant? Needing to do this at a merchant level would be complex and expensive.
- Is the rule base robust? There is a complex list of requirements that must be met in order to ensure that the right payments are qualifying for an exemption.
- Are they providing merchant guides to help keep merchants compliant?

Given that there are only a few months left before PSD2 takes full effect, it is important for merchants to feel confident that they are working with the best possible payments provider to ensure business continuity. And for PSPs, it is important to know that they have covered all their bases and designed and built a platform that can handle the requirements of 3DS2 at scale.