Ravelin has released an update to its Global Payment Regulation & Authentication Report, with analysis of billions of transactions during Q1 2020.
In the run-up to the original PSD2 deadline for implementing Strong Customer Authentication (SCA) in September 2019, many merchants were not using authentication on a large proportion of their transactions.
In fact, most merchants were only sending the most risky transactions to 3D Secure (3DS) due to the well-known negative customer experience and dropout associated with 3DS1.
Fast forward to Q1 2020, and the original September 2019 deadline for SCA has been extended. Many merchants had already put in a significant amount of work to get ready to use 3DS2, and despite the delay, many of the merchants in the analysis are already sending a larger proportion of their traffic to 3DS, including many more genuine customers.
This can partially explain why more transactions are being authenticated successfully.
3DS2 could be as good as it’s promised to be
Many of the merchants in the analysis are using 3DS2 when the issuer can support this, and only reverting to 3DS1 as a last resort. Although a lot of transactions were still authenticated using 3DS1, we know that a greater proportion of transactions analysed in Q1 2020 were authenticated using 3DS2.
In contrast, almost no transactions were authenticated using 3DS2 in Q2 2019, except when some forward-thinking challenger banks were using 3DS2-style authentication methods. We can expect the move to 3DS2 to continue.
On the surface, it looks like 3DS2 could help deliver an improved user experience. Globally, the average time to authenticate has reduced from 42 seconds to 37 seconds, with the majority of the EEA countries seeing an even more dramatic improvement. Interestingly, the assumed percentage of frictionless payments (which take five seconds or less to authenticate) has also increased across many European countries.
This evidence of a better experience with 3DS2 is really encouraging for merchants who are currently sending or plan to send more transactions to authentication.
Consumers are more used to authentication
It’s also very likely that consumers are getting used to authenticating online more often, and have got better at doing it. This is supported by the widespread communications campaigns from issuing banks and merchants to consumers. The report also noted coverage of PSD2 in the mainstream media at the end of 2019 during the peak shopping period around Christmas.
The current situation with the COVID-19 outbreak has also led to more people staying at home and a rise in e-commerce transactions. This could also mean consumers are getting more experience using different authentication methods.
High demand and limited supply in some markets may also mean consumers are more invested in a purchase if they do not have the option to buy it in store or on another website, which can also improve authentication success.
What does this mean for merchants?
The improvement in 3DS acceptance is great news for merchants, especially those operating in Europe who have started the transition, or who have a solid strategy to move to 3DS2.
The acceptance rate for Australian-issued cards has also improved, likely as a result of the similar regulation changes. Interestingly, the 3DS acceptance rate for US-issued cards has decreased from 71% to 58%, meaning over two-fifths of payments sent to 3DS fail.
This could be a result of the tightened measures elsewhere leading fraudsters to focus on the less secure US market. It’s important to keep in mind that although the acceptance rates have improved, they are not at 100%. The global average acceptance rate of 87% means 13% (or 1 in 7) of payments sent to 3DS are lost.
Of course this will include some fraud, but a number of factors other than fraud could also be behind this, such as customer drop-off, server errors, or the 3DS1 experience. The ultimate goal is to get as close to 100% acceptance as possible.
Even if it is a vast improvement, 3DS still carries a cost and applying it on every transaction will add up fast. Even with the improvements noted in the report, leading merchants will benefit from using exemptions from authentication.
Next steps – keep tabs on issuers and prepare for exemptions
Issuing banks are going to be ready with the 3DS versions at different stages, and it’s critical to know what the issuer can support when sending the authentication request. For example, if you have enough data to prove a transaction is low-risk and the issuer is offering 3DS2, it’s far better to use an exemption and avoid authenticating.
Likewise, if the issuer has a history of rejecting low-risk exemption requests, sending the transaction to 3DS will save you from incurring a soft-decline and speed up the checkout process. It’s likely that exemptions will be the next big focus for leading merchants who want to optimise their authentication and derive the most benefit.
It’s now common for card schemes to ask a consumer if they want to whitelist specific merchants after transactions – we expect to see more activity like this.