The PSD2 regulation came into force in the UK on 14 March 2022, a full two years after it was implemented in France, Germany, Spain and Italy. Central to the directive is the requirement for merchants to conduct Strong Customer Authentication (SCA) unless an exemption or exclusion can be granted. However, although this, in theory, means less fraud, it introduces excessive friction into the payment journey and can result in losses for the merchant.

The advantage of the UK’s late PSD2 implementation is that considerable data is available on the regulation’s impact on merchants in other European countries. Unfortunately, Forter’s analysis of PSD2’s effect across all EEA countries shows cause for concern. Our projections warn that merchants who apply 3-D Secure (3DS) authentication to all of their UK transactions are likely to lose 8-10% of revenue due to 3DS authentication failure, and authorisation failure.

In an environment where every transaction counts, merchants need to work closely with their Payment Service Provider (PSP) on a PSD2 strategy to find the right balance between frictionless customer experience, protecting revenues, and fraud prevention.

Crossing the data delta

One of the critical issues facing merchants right now is the imbalance of knowledge – and therefore power – between themselves and their PSP. Merchants lack the ability to collect and analyse their own data, which means they are dependent on the information their PSP provides. PSPs tend to struggle with identifying trends outside of payments fraud because they lack visibility into the entire customer journey resulting in poor reporting (generally reliant on account managers for insight) and the inability to cover end-to-end risk.

This can mean unusual patterns, such as account takeover or policy abuse, go undetected. Consequently, in terms of fraud prevention and ecommerce optimisation, merchants end up settling for what may be “good enough,” without understanding what “good” can really look like in terms of potential conversions and revenue.

A case in point is the issue of abandonment. Merchant systems often cannot differentiate between cart abandonment – which can occur for many reasons – and the specific issue of 3DS technical failure or abandonment. This means they have limited visibility of how their PSD2 strategy is truly affecting revenues and consequently cannot intelligently address the problem. Instead, they must rely on the data the PSP provides, and this does not always add up.

For example, if a PSP provides data showing a 20-30% decline rate, the merchant needs to be able to confidently question why declines are so high. To do this, they must benchmark the PSP-provided data against industry-wide information, and also compare it to their own harvested data. This requires merchants to invest in better in-house data capabilities so they can robustly challenge PSPs.

Unfortunately, merchants’ dependence on PSPs means many are being incorrectly advised to tackle PSD2 with an all-or-nothing approach, sending every eligible transaction for exemption. However, when merchants request exemptions on everything, this is a tacit statement to the issuer that they believe every transaction is low risk. When this proves not to be the case and chargebacks result, it is a clear indication that they are failing to detect fraud. Consequently, their PSP may refuse to permit exemptions in the future.

3DS decision is a risk-based decision first. The only way to make a correct decision is to look first into the risk level and ensure that only low-risk transactions will be sent as low risk. This decision relies on the vendor that the merchant trusts to make the fraud decision not on the PSP. However, just understanding what a low-risk transaction is, is not enough, it’s also critical to understand the issuer preference and ensure that if an issuer is not likely to accept exemption, the transaction should be sent to 3DS.

At the other extreme, the additional friction created when every transaction is sent to 3DS has a devastating effect on revenues, reducing them by between 6% - 8%. Clearly, merchants need a more nuanced PSD2 strategy to avoid revenue loss and customer frustration.

The PSD2 questions merchants should ask their PSPs

Understanding where the transaction process is failing means merchants can make targeted improvements. Therefore, a key question to ask PSPs is: how many transactions that were sent to 3DS were successful?

Of the transactions that failed, the merchant should ask how many were the result of authentication errors, authorisation declines or cart abandonment. This is the only way to fully understand and optimise the customer experience.

A second key area is Transaction Risk Analysis (TRA) exemptions. Making effective use of these is vital to reducing customer friction, so merchants must understand the levels of TRA exemptions that their PSP can offer and how they are requesting exemptions on their behalf. This information can help merchants understand whether all exemptions are being handled properly by the PSP and,When merchants ask PSPs to handle exemptions it is important that they can double-check that the PSP has followed the rules requested; if they don’t and instead send transactions to 3DS this can lead to a high rate of soft declines.

Again, this comes down to merchants having independent data to compare with PSP-provided data so they can query any mismatches from a position of authority.

Looking to the future, merchants should ask how PSPs are preparing to approach delegated authentication. This offers a way for merchants to handle authentication more seamlessly by having the user set up strong authentication – such as biometric – during sign-up and requiring 3DS for the first checkout. Subsequent transactions then only require biometric authentication. Merchants should seek to work with PSPs that are up to speed with developments such as delegated authentication to ensure they are ready to take advantage of the customer experience benefits such innovations can deliver.

How to work with PSPs on PSD2 strategy

Ultimately, PSD2 is an effective weapon in the fight against fraud. However, merchants need to be more proactive around managing their PSP relationship to ensure they aren’t losing out due to high rates of 3DS declines and/or over-use of exemption requests. To do this effectively, merchants need a more holistic understanding of their customer ecosystem achieved by greater visibility of key performance data. Furthermore, this should also enable merchants to be able to challenge the PSP and ensure that they see the full picture.

Engaging with a partner that has dedicated fraud expertise can help merchants cross the data delta and gain the objective insight and analysis needed to put them in a position of strength in their PSP relationship. Then they can work together to balance fraud prevention and customer experience by deploying the optimal combination of TRA exemptions, 3DS, and decline recovery tools to ensure that genuine transactions are successful and fraud risk is controlled.