
PSD2: Merchants must regain checkout control with delegated authentication

By Galit Michel, VP of Payments, Forter

For the past ten years, globalisation and digitalisation have changed the way companies connect with consumers around the world, enabling consumers to shop across borders seamlessly. The COVID-19 pandemic accelerated this change as consumers steadily turned away from bricks-and-mortar shops and towards online brands. 

This has forced merchants to change the way they operate.

Today, merchants stay up to date on eCommerce trends, both from the payment and consumer perspective, optimising the checkout process to meet the needs and expectations of their consumers. They personalise every part of the shopping experience from onboarding to conversion, which brings increased liability.

However, they still do not have full control when it comes to deciding what type of authentication is best suited for their customers. 

PSD2 and its impact on conversions and revenue generation have forced merchants to re-examine the control they have over authentication and increased the urgency to prepare for delegated authentication. 

The struggle for a seamless checkout experience 

Merchants operating within the European Union (EU) and European Economic Area (EEA) must comply with PSD2 and apply a higher standard of Strong Customer Authentication (SCA). This includes requiring their consumers to undergo multi-factor authentication, most frequently executed through 3D Secure (3DS).

The problem with 3DS is two-fold:

  • For consumers, 3DS adds friction to the checkout process, increasing abandonment and negatively impacting the customer experience. 
  • Within the payment ecosystem, 3DS adds an additional verification step, complicating the authorisation journey and increasing the chances of a legitimate transaction being declined. 

The result is a direct negative impact on revenue generation, profitability, and customer satisfaction. 

To reduce the impact of PSD2, and particularly 3DS, on their operations, many merchants have optimised their payment solution suite and integrated payment optimisation products to increase authorisation rates and provide consumers with a better checkout experience. Such products enable merchants to reduce the impact of SCA on their consumers by creating a seamless checkout experience that is still PSD2 compliant. This is most often done through exemptions. 

If a merchant has an exemption engine in place, they can leverage it to override SCA requirements and continue providing their consumers with the seamless checkout experience they have become accustomed to. 

The most common type of exemption, Transaction Risk Analysis (TRA), is based on the transaction’s risk. This is calculated by considering the consumer’s behavioural patterns, the transaction amount, and the merchant’s fraud ratio. 

However, not every transaction is eligible for an exemption. 

When a merchant has transactions that are not eligible for an exemption, consumers must still undergo full SCA verification, which increases the friction they encounter, harms the customer experience, and raises decline rates. This is because the payment ecosystem evaluates each transaction in isolation, whereas the merchant can take behavioural factors into account, such as whether the customer is a repeat customer. Those factors strengthen the merchant’s confidence in the legitimacy of the transaction and its wish to make checkout as seamless as possible for the consumer. 

What will delegated authentication do for merchants? 

Issuers recognise that merchants want to provide their consumers with a seamless checkout experience, even if the transaction is not eligible for an exemption. That is why many card networks, such as Visa and Mastercard, have launched Delegated Authentication programmes. 

Delegated authentication programmes, which are PSD2 compliant, give issuers the ability to ‘delegate authority’ to a third party, such as the merchant or someone acting on their behalf, and let that third party manage SCA. This lets merchants continue offering a seamless checkout experience, since consumers are no longer redirected to complete a 3DS challenge through the issuer’s network, while ensuring the transaction still meets regulatory requirements. 

PSD2 requires all transactions to undergo SCA, a responsibility that falls on the issuer. If delegated authentication is enabled, the merchant, or the party acting on their behalf, can determine what type of authentication to use based on their unique knowledge of the consumer, their behavioural habits, and more. For example, merchants could choose to authenticate transactions themselves for consumers who are logged in to their account and have already completed a form of authentication. This creates a frictionless checkout process that does not rely on 3DS, increasing conversion and optimising customer experience while remaining PSD2 compliant.

It is important to note that when merchants assume responsibility for authenticating transactions, the chargeback liability shifts to them. As a result, it is critical for merchants to ensure they only request delegated authentication for transactions they are confident about, otherwise they risk suffering from increased chargebacks.

That is why merchants that want to be eligible for delegated authentication must do two things: 

1) Ensure their payment ecosystem supports the latest version of 3DS, namely 3DS2.2.

2) Have a strong fraud protection solution in place. 
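As an added example, not code from the author or from Forter, the following Python router puts the decision paths described above (exemptions, delegated authentication, and the 3DS challenge as the fallback) in one place: request a TRA exemption where the amount and the merchant’s fraud ratio allow, otherwise use delegated authentication for a logged-in, already-authenticated repeat customer when the merchant is enrolled and on 3DS2.2, and otherwise send the consumer to the issuer’s 3DS challenge. Anything the merchant’s fraud engine is not confident about goes to the challenge first, because delegated authentication moves chargeback liability to the merchant. The TRA bands, the fraud-score cut-off, the repeat-customer rule and the data classes are all assumptions made for this illustration.

```python
# Added example: an illustrative checkout authentication router for a merchant
# operating under PSD2. Not Forter's code or any card network's specification;
# the routes, thresholds and signals below are assumptions for illustration.
from dataclasses import dataclass
from enum import Enum


class AuthRoute(Enum):
    TRA_EXEMPTION = "tra_exemption"       # request a TRA exemption, no challenge
    DELEGATED_AUTH = "delegated_auth"     # merchant performs SCA; liability shifts to merchant
    THREEDS_CHALLENGE = "3ds_challenge"   # fall back to the issuer's 3DS challenge


# Assumed TRA bands as (maximum amount in EUR, maximum merchant fraud ratio).
# These mirror the reference fraud-rate bands of the PSD2 RTS Annex as the author
# of this example recalls them; confirm the current values with your PSP.
TRA_BANDS = ((100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001))


@dataclass
class Transaction:
    amount_eur: float              # amount already converted to EUR (assumption)


@dataclass
class CustomerSession:
    logged_in: bool
    mfa_completed: bool            # customer passed merchant-side MFA in this session
    device_known: bool             # device seen on earlier successful orders
    prior_successful_orders: int   # behavioural signal: repeat customer


@dataclass
class MerchantProfile:
    fraud_ratio: float             # rolling fraud ratio, e.g. 0.0005 == 0.05%
    threeds_version: tuple         # e.g. (2, 2) for 3DS2.2
    delegated_auth_enrolled: bool  # issuer/network has enrolled the merchant
    max_fraud_score: float = 0.2   # constructed cut-off for the fraud engine's score


def tra_eligible(amount_eur: float, fraud_ratio: float) -> bool:
    """True when the amount falls in a TRA band that the merchant's fraud ratio qualifies for."""
    return any(amount_eur <= max_amount and fraud_ratio <= max_ratio
               for max_amount, max_ratio in TRA_BANDS)


def delegated_auth_ready(session: CustomerSession, merchant: MerchantProfile) -> bool:
    """Only a well-known, already-authenticated customer is worth taking liability for."""
    return (merchant.delegated_auth_enrolled
            and merchant.threeds_version >= (2, 2)
            and session.logged_in
            and session.mfa_completed
            and session.device_known
            and session.prior_successful_orders >= 3)


def route_authentication(txn: Transaction, session: CustomerSession,
                         merchant: MerchantProfile, fraud_score: float) -> AuthRoute:
    """Pick the least-friction route that keeps the transaction PSD2-compliant.

    fraud_score is the merchant's fraud engine output in [0, 1]; higher is riskier.
    """
    # Anything the fraud engine is not confident about goes to the issuer challenge:
    # never take liability for a transaction you are not sure of.
    if fraud_score > merchant.max_fraud_score:
        return AuthRoute.THREEDS_CHALLENGE
    # An exemption is the cheapest frictionless path; 3DS1 cannot carry one.
    if merchant.threeds_version >= (2, 0) and tra_eligible(txn.amount_eur, merchant.fraud_ratio):
        return AuthRoute.TRA_EXEMPTION
    # Not exemptible, but the merchant knows this customer well enough to authenticate.
    if delegated_auth_ready(session, merchant):
        return AuthRoute.DELEGATED_AUTH
    return AuthRoute.THREEDS_CHALLENGE


if __name__ == "__main__":
    # Constructed sample inputs for a quick run.
    merchant = MerchantProfile(fraud_ratio=0.0005, threeds_version=(2, 2), delegated_auth_enrolled=True)
    repeat = CustomerSession(logged_in=True, mfa_completed=True, device_known=True, prior_successful_orders=5)
    guest = CustomerSession(logged_in=False, mfa_completed=False, device_known=False, prior_successful_orders=0)
    for amount, session, score in ((80.0, repeat, 0.05), (300.0, repeat, 0.05),
                                   (300.0, guest, 0.05), (80.0, repeat, 0.9)):
        print(amount, session.logged_in, score, route_authentication(Transaction(amount), session, merchant, score))
```

Ordering matters: the exemption check comes before delegated authentication because an approved exemption costs the merchant nothing extra, whereas delegated authentication is the route on which the merchant carries the chargeback. A merchant still on 3DS2.1 never reaches the delegated route in this model, matching the 3DS2.2 prerequisite above.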

The different versions of 3DS and what they mean for merchants 

The 3D Secure (3DS) protocol has undergone significant changes since its creation. The original version, also known as 3DS1, was created in 1999 by Visa, when the only way to complete digital transactions was via a personal computer. 3DS1 is extremely unfriendly towards users, is not mobile-friendly, and is the least desirable version of 3DS. 3DS1 also does not support exemptions. 

3DS2, on the other hand, is the current version of 3DS, designed to reduce customer friction and meet PSD2 SCA compliance requirements. 3DS2 optimises the customer experience by sending more data to the issuing bank, which enables dynamic 3DS and reduces the friction consumers face.

In the coming months, issuers are expected to roll out the new version of 3DS2, known as 3DS2.2. The new iteration will let merchants request exemptions via the 3DS rails and receive a direct response from the issuer when an exemption is approved. It will also let merchants open the 3DS challenge if a transaction is not approved. This will improve merchants’ ability to leverage TRA exemptions to their benefit and to establish themselves as trusted merchants. 

Another key difference between 3DS2.1 and 3DS2.2 is the ability to support delegated authentication. Under 3DS2.2, issuers can enable delegated authentication and shift authentication to merchants or selected third parties.

Merchants that want delegated authentication to be part of their PSD2 SCA strategy need to ensure that their payment ecosystem is prepared to support 3DS2.2 when it goes into effect. 

The importance of fraud protection with delegated authentication 

If merchants want to take transaction authentication upon themselves or delegate it to a third party of their choice, they must realise that in doing so they, or the third party acting on their behalf, will assume full chargeback liability. This in turn increases the merchant’s risk exposure. 

To mitigate that risk, merchants need to ensure they have a strong fraud protection solution in place. This is particularly crucial when dealing with transactions that are not low value or low risk. If a merchant wants to process high-value transactions, the authentication they need to use must match the risk level of the transaction, and as a result, their need for a powerful fraud prevention solution will increase. 

A strong fraud solution lets merchants take on authentication liability only for transactions that do not pose a financial risk. 

A strong fraud protection solution is also crucial for exemption requests, and as a result, should be part of a merchant’s payment optimisation suite.

Fraud prevention solutions let merchants analyse each transaction in real time and determine the best course of action per consumer. This automatically directs each consumer to the checkout experience best suited to them, reducing risk and liability exposure. 

Many fraud prevention solutions will even be prepared to take liability upon themselves, making it a true win-win for merchants who want to leverage exemptions, reduce risk and utilise delegated authentication. 

The power is in the hands of the merchants

In the past, merchants focused predominantly on customers’ onboarding experience, investing heavily in retargeting, personalised campaigns, email marketing, UI/UX, etc. 

Over the years, merchants have taken a more significant role in the checkout and payment process, recognising that revenue generation and profitability may suffer without optimised checkout. 

The ability to delegate authentication to merchants is part of this ongoing trend that increases merchants’ role in the payment experience and gives them back control of the customer experience throughout the checkout journey. The independence delegated authentication provides merchants is in line with PSD2 and issuers’ role. As a result, it is a great strategy for merchants who put their customer needs and payment expectations as a priority.

Before merchants can take on authentication responsibility, the entire payment ecosystem must shift and issuers must release 3DS2.2 to merchants. Merchants with low risk levels, strong fraud protection and advanced payment infrastructure should contact their PSP or 3DS provider to ensure they are notified when 3DS2.2 is released, whether their payment ecosystem supports it, and whether they will be able to take advantage of delegated authentication. 

Merchants that want to continue providing their customers with a user-friendly, seamless checkout experience must argue for delegated authentication with their issuers.