Conquering the complexities of 3DS

We caught up with three experts at the coalface of change to explore the impact that PSD2 and a post-3DS world will have on the European payments industry

In order for payments services providers to meet SCA regulation, card schemes have recommended they use an updated 3D Secure (3DS) protocol. The protocol, managed by EMVCo and known as EMV 3DS (also referred to as 3DS2), is optimised for mobile use, it is designed as an additional security layer for online card transactions but with less interruption in the customer journey, particularly with mobile transactions, than previous iterations. The 3DS references the three domains that interact in using the protocol: the merchant/acquirer domain, there is, then, some understandable nervousness about how best to comply when SCA becomes mandatory. For instance, should all payments be submitted under the EMV 3DS protocol by default if some fall within exemption rules for SCA laid down by PSD2, such as those of low value (under €30), or those deemed that are deemed low-risk?

It’s a complicated area, so we invited Caroline Birchinall, head of authentication at Visa in Europe; Noam Grinberg, VP of risk management at payment processor Nuvei; and Galit Michel, VP of payments, with Forter, a specialist in e-commerce fraud protection, to gauge the industry’s direction of travel.

the issuer domain and the interoperability domain. 3DS allows customers to self-authenticate payments, so that transactions can be processed securely without an increased risk of fraud liability resting on the card issuer.

EMV 3DS allows businesses and their payment providers to send more data on each transaction to the cardholder’s bank, in order to carry out a risk-based authentication (RBA). Those payments considered higher risk will automatically generate a request for the customer to provide two out of three pieces of information to complete their transaction. Those are something the user is (e.g. a biometrically-collected fingerprint), something the user has (e.g. a mobile phone), and something the user knows (e.g. a password). What and how those pieces of information are conveyed depends on which version of the protocol is employed – 3DS2.2, for example, is a significant improvement on the user experience delivered by 3DS2.1, where merchants have found that shortcomings in user experience design resulted in consumer confusion and high levels of checkout abandonment. Given all this,

CAROLINE BIRCHINALL: There are many different parties that need to come together. Trying to make change happen, relatively quickly, is challenging. Everybody wants to make sure things

Despite short-term challenges, EMV 3DS points a way forward

happen smoothly, without teething problems but we never anticipated we would have this to deal with in the middle of a global pandemic.

That said, at Visa we’re making excellent progress. We have more than 90 per cent of all e-commerce enabled for EMV 3DS, so that’s fantastic and it brings some significant benefits to the ecosystem. It enables the use of mobile and other devices, for example, and there’s lots of data that can be used for risk-based decisioning. We’re trying to provide the support, insight and infrastructure that the whole ecosystem needs.

GALIT MICHEL: Our main focus at the moment is to understand what is the right thing to do with every transaction – whether to submit to EMV 3DS or do an exemption, just to ensure that PSD2 is not harming the conversion for our merchants. times, there has to be a certain amount of friction in the purchase flow for transactions deemed to be potentially high risk, or where the regulation identifies that they need to happen.

But you’re right. In Europe, we’ve seen the proportion of merchants selling online for the first time increase from 27 per cent to 43 per cent since June 2020, so there’s been a huge increase in new merchants entering the digital payments arena. And they’re entering at a time when lots of disruption and change is happening, so we’ve been doing a lot to raise awareness among merchants of exactly what they need to do.

Based on our modelling, we believe levels of 3DS usage shouldn’t increase enormously. Because if, as a merchant, you can take advantage of the exemptions, and flag out-of-scope transactions for EMV 3DS correctly, you’re left with transactions you probably would have put through 3DS anyway. So, the system works well.

Some big digital merchants are opting to use EMV 3DS in the UK before they have to, from a regulatory point of view, and we’re seeing abandonment rates below two per cent.

The way 3DS works in the mobile apps causes a lot of failures still; often, I think, it’s just the consumer thinking they’ve finished the purchase process and missing the authentication window, or just not seeing it properly on their device.

Generally, we’re seeing a 20-30 per cent failure rate when sending transactions to 3DS. This varies by market. In the Nordic countries, for example, it’s working well, while, in Italy, it’s creating a negative effect. But I think, as time goes by, consumers will get better at it, issuers will get better, and the mobile products themselves will improve.

CB: SCA is designed to reduce fraud and, in order to do so, at

NOAM GRINBERG: For the long term, I’m optimistic; for the short term, it’s a challenge. Authentication is currently reducing some of the conversion rates, but we’re really enthused by EMV 3DS, which will make things more widespread and we’ll be able to start whitelisting with issuers and merchants. This will have a huge impact on merchants’ repeat users, doing multiple transactions, and help to remove more friction.

We’re also working on ways to keep conversion rates high – for example, we’re exploring technical problems across different sites. If we see that EMV 3DS is failing due to a technical glitch, we are automatically downgrading to 3DS to smooth the process in the short term. We are doing the maximum to make sure that we’re not missing any transactions that are out of scope, and that everything is being flagged correctly as SCA evolves.

GM: I do think, in general, EMV 3DS works better [than 3DS], and will improve further, as Noam says, when whitelisting is optimised. I think it will allow us to pass an exemption when we believe it’s the right thing to do, and will create a more comprehensive view of the transaction for all parties.

We still see a lot of merchants that think PSD2 is simply about sending everything through 3DS. They don’t understand the important relationship between having a very good fraud vendor and avoiding 3DS when it’s a good idea to do so, for example, when the transactions are low risk, and allowing good repeat users not to have to go through authentication every time.

CB: Consumers are creatures of habit and, generally, if you’re shopping at a merchant frequently, particularly a merchant that’s low risk, there’s no reason why your bank shouldn’t be happy to put that merchant onto a trusted beneficiary list. So that’s an interesting development. It’s not been rolled out widely just yet,

because initially the push from everybody was to get the exemption flagging, the out-of-scope flagging, over the line. That’s been the priority. But I think, from now on, you’ll start to see a lot more of those trusted beneficiary solutions rolling out.

NG: At the end of the day, if a cardholder wants to make a purchase that’s important to them, they will complete it. But I would advise merchants to choose a provider that has a really flexible solution, one capable of doing the transaction risk analysis and optimising the interplay between 3DS, EMV 3DS and SCA.