MRC Barcelona 2023: The Success of PSD2 and the Cost of Safety

The impact of PSD2 regulation on eCommerce in Europe was the most prominent topic at the MRC Barcelona conference that took place at the end of May.

The verdict: the Revised Payment Services Directive (PSD2) significantly reduced online payments fraud in European (including the U.K.) markets but at a huge cost in terms of implementation and in sales lost to increased customer friction due to the strong customer authentication (SCA) requirement of the regulation.

PSD2 Summarized

PSD2, in a nutshell, is a European Union directive designed to foster innovation and competition in financial services by opening access to payment systems and customer account data, while also enhancing the security of online transactions.

A key facet of PSD2 discussed at MRC Barcelona 2023 was the requirement of Strong Customer Authentication (SCA), a protocol that mandates at least two-factor authentication for online transactions. SCA has been instrumental in enhancing online transaction security, subsequently reducing e-commerce fraud across Europe. However, this added layer of security has come with its own set of challenges and costs.

Merchants Flocking to SCA Exemptions

The cost of implementing PSD2 across the financial ecosystem has been substantial. Estimates suggest the financial industry has spent billions of euros on compliance, with significant resources dedicated to technology development, system integration, regulatory compliance processes, and staff training.

Merchants, in particular, have been hard-pressed to strike a balance between enhanced security measures and a seamless customer experience. It's a tightrope walk, and any misstep could lead to abandoned carts and lost sales. To mitigate these concerns, many have turned to SCA exemptions, a provision within PSD2 that allows certain low-risk transactions to bypass two-factor authentication. According to the MRC’s 2023 Global Fraud and Payments Report, there has been a significant increase in merchant use of SCA exemptions in Europe as a means of reducing the cost of PSD2 over the past year or two.

These exemptions are based on various criteria such as low-value transactions (under EUR 30), recurring transactions, and transactions deemed low-risk based on real-time risk analysis. While these exemptions are a lifeline for merchants, they are not without their own complexities. Implementing them requires a deep understanding of the directive, a robust risk assessment mechanism, and close cooperation with acquirers and payment service providers.

The Impact of 3DS 2.1 Implementation Problems

For merchants, the costs have been particularly high. Aside from the direct costs associated with updating payment systems and processes, there are indirect costs that are often unaccounted for. These include the potential loss of business due to increased transaction friction, investments in understanding and applying SCA exemptions, and the expense of dealing with increased chargebacks due to failed or disputed SCA attempts.

"In terms of transaction friction, the 3DS 2.0 authentication solution widely used to meet the conditions of the SCA mandate takes on average 60 seconds from identity challenge to completed authentication"

said Renan Renner, Product Lead of Authentication at Adyen.

Of course, if true, that is an awful lot of friction to add to the customer’s checkout experience!

Part of the pain merchants are feeling when it comes to PSD2 compliance may be directly tied to failures or weak spots in the implementation of 3DS 2.0. Mastercard acknowledged at the conference in a session titled “Leveraging the PSD2 Momentum for Better Performance” that 3DS 2.0 was meant to provide better data sharing between issuers and merchants, but that has  not happened yet. The card network said that merchants are not sharing all the data they could through 3DS 2.0 and that this reduces the effectiveness of the solution.

According to Mastercard, even in cases where the card issuer is incapable of digesting the additional transaction data provided by the merchant, Mastercard itself uses the additional data to provider issuers with a risk score, impacting authorization rates. The card network also said that the new version of 3DS 2.2, as opposed to 3DS 2.1, will address friction points to increase authorization rates.

However, the costs of PSD2 must be weighed against the benefits. While the transition has been challenging, PSD2 and SCA have played a significant role in reducing e-commerce fraud, providing a safer transaction environment for consumers and fostering trust in online commerce. PSD2 and its SCA requirement have led fraud rates in Europe to drop 40% following implementation, said Rohan Jain, senior product manager for payment optimization at Worldpay from FIS, at the conference.

What does the Future of PSD2 look like?

Looking to the future, the successor to PSD2, aptly dubbed PSD3, is already on the horizon. While specifics remain hazy, the next iteration is expected to continue the trend towards increased security, open banking, and innovation.

For online merchants serving the European market, PSD3 will likely present both challenges and opportunities. On one hand, they may face increasing complexity and regulatory scrutiny. On the other hand, they stand to benefit from an evolving ecosystem that promotes innovation and consumer trust.

Moreover, as machine learning and artificial intelligence continue to advance, PSD3 might incorporate these technologies to further refine risk assessments and fraud detection. This could potentially streamline SCA exemptions, reducing friction for consumers while maintaining security.

The journey from PSD2 to PSD3 will undoubtedly require further investment and adaptation from all stakeholders. However, the ultimate goal remains constant: creating a more secure, efficient, and competitive payments ecosystem that benefits consumers, merchants, and financial institutions alike.