PSD2 SCA: The Strategic Value of 3DS2 and Phone-Centric Identity

The much-debated PSD2 Strong Customer Authentication (SCA) in the European Union fully came into effect on January 1, 2021*. This implementation comes under extraordinary circumstances caused by the pandemic. Much of Europe has moved into another phase of lockdowns, causing a shift in shopping behavior, i.e., from brick-and-mortar to digital. The change in purchasing habits has also led to the emergence of first-time online shoppers.

Here are the key priorities for merchants, payment processors, and banks:

  1. Compliance with all the strong authentication rules prescribed by the Regulatory Technical Standards (RTS)
  2. Ensuring high transaction success rates while enforcing multi-factor authentication
  3. Keeping fraud levels as low as possible to be eligible for higher SCA exemptions

Widespread apprehensions about SCA implementation are leading to transaction declines and creating friction in the payment experience. A combination of 3DS2 and mobile intelligence-based identity could overcome several of these challenges.

SCA - Challenges and Impact on Participants

The fundamental principle of SCA is to enhance the security of payment transactions through multi-factor authentication (MFA). However, it indirectly hampers a smooth consumer purchase experience. MFA follows the principle of using multiple user inputs to approve sensitive transactions. The inputs are as follows: 

  1. Knowledge: Something that a user knows, e.g., PINs and passwords
  2. Possession: Something that a user has, e.g., a device, a token (could be hardware or software)
  3. Inherence: Something that is intrinsic to a user, e.g., biometrics, behavioral characteristics

SCA mandates the use of at least two of the three factors mentioned above for all online transactions that exceed certain exemption thresholds: transactions of €30 or less are exempt, unless the cumulative total of unauthenticated transactions since the last SCA exceeds €100. In addition, fraud rates for specific transaction categories, as prescribed by the directive’s transaction risk analysis rules, determine the eligibility for higher exemption thresholds of up to €500. The onus of conducting risk analysis lies with issuing and acquiring banks. Given these strict conditions, many digital transactions are likely to breach the exemption threshold and are bound to be challenged with stronger authentication.

Therefore, it is in the interest of banks and payment processors to qualify for higher exemption thresholds and ensure higher approval rates without the need for step-up authentication.

A combination of SMS-based one-time passwords (OTPs) and biometrics is emerging as the most common method of SCA compliance. However, the fact that many consumers do not have their mobile numbers updated in their banking records is likely to complicate SCA implementation. The outcomes are expected to be higher transaction decline rates and an overall erosion of user experience. 

All participants in the payments value chain, including merchants, payment service providers, and issuing and acquiring banks, need to actively mitigate this issue.

An Optimal Solution Using Mobile Intelligence and 3DS2

Organizations mandated with PSD2 compliance must minimize the need for SCA by fully leveraging the directive provisions that allow exemptions. At the same time, transactions that invoke SCA must ensure a frictionless user experience.

Here are two broad paths that banks (acquiring and issuing) and merchants can take to ensure an optimal balance between security and user experience:

  1. Support 3DS2 protocol in their workflows to ensure compliance and yet retain a smooth purchase experience
  2. Reinforce identity authentication using phone-based intelligence to establish and assert identity

3DS2 - Frictionless Payments Coupled with Modern Authentication Experiences

Designed to eliminate friction from the payments flow, the revised 3DS2 protocol collects and transports 10X more data than 3DS1 and supports in-app authentication. The absence of granular data in 3DS1 prompted most issuers to play safe and decline genuine transactions. With far more data available to assess a transaction's authenticity and its initiator, 3DS2 can significantly reduce the volume of false declines.

3DS2 eliminates the need for the pre-registration of consumers’ cards and credentials, a common barrier to clean transaction approvals. 3DS2 is also designed for mobile-first experiences. This means that additional inputs (a one-time password or biometric scan) required from a consumer can be completed within the app without the need for clumsy redirections, as was the case with 3DS1.

In summary, the design of 3DS2 makes the implementation of two types of payment transaction flows possible, both fully compliant with PSD2 SCA norms:

  1. A ‘frictionless’ flow without step-up authentication for transactions not requiring SCA
  2. A ‘challenge’ flow that requires strong authentication while retaining a native in-app experience
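The exemption rules above (low-value limit, cumulative limit, and the transaction risk analysis bands that allow exemptions up to €500) decide which of the two 3DS2 flows a transaction takes. The following Python is an added illustration, not code from the original post or from Prove; it goes slightly beyond the text by using the RTS reference fraud-rate bands (0.13% for €100, 0.06% for €250, 0.01% for €500) and the five-transaction cumulative count, and the `risk_score` input is an assumed output of the issuer's or acquirer's own risk analysis.

```python
from dataclasses import dataclass

# Reference fraud-rate bands from the PSD2 RTS annex: a PSP whose fraud rate is at or
# below the band may exempt remote transactions up to that amount (EUR, rate as a fraction).
TRA_BANDS = [(500.0, 0.0001), (250.0, 0.0006), (100.0, 0.0013)]

LOW_VALUE_LIMIT = 30.0        # low-value exemption: single transaction of 30 EUR or less
LOW_VALUE_CUMULATIVE = 100.0  # cumulative unauthenticated amount since the last SCA
LOW_VALUE_MAX_COUNT = 5       # at most five consecutive exempted transactions


@dataclass
class CardState:
    """Per-card counters the issuer keeps between strong authentications."""
    spent_since_sca: float = 0.0
    count_since_sca: int = 0


def tra_exemption_limit(fraud_rate: float) -> float:
    """Highest amount the PSP may exempt under TRA for its fraud rate (0.0 if none)."""
    for limit, max_rate in TRA_BANDS:
        if fraud_rate <= max_rate:
            return limit
    return 0.0


def choose_flow(amount: float, state: CardState, fraud_rate: float,
                risk_score: float, risk_threshold: float = 0.3) -> str:
    """Return 'frictionless' or 'challenge' for a 3DS2 transaction and update counters.

    risk_score is a hypothetical 0..1 output of the bank's risk model (assumed here).
    """
    low_value_ok = (amount <= LOW_VALUE_LIMIT
                    and state.spent_since_sca + amount <= LOW_VALUE_CUMULATIVE
                    and state.count_since_sca + 1 <= LOW_VALUE_MAX_COUNT)
    tra_ok = amount <= tra_exemption_limit(fraud_rate) and risk_score < risk_threshold
    if low_value_ok or tra_ok:
        state.spent_since_sca += amount
        state.count_since_sca += 1
        return "frictionless"
    # Step-up authentication resets the cumulative counters.
    state.spent_since_sca = 0.0
    state.count_since_sca = 0
    return "challenge"
```

A card that has already spent €90 unauthenticated is challenged for a €20 purchase even though €20 is under the low-value limit, which is the cumulative rule the text refers to.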

Augmenting Authentication Using Phone-Based Intelligence

A recent study by Prove establishes how MFA-protected FinTech transactions carry 2X higher risk than the average risk level across all industry verticals. One of the most significant contributors to this low level of trust is the risk of SIM swap fraud. SIM swap is now a standard modus operandi of fraudsters to steal identity, and it can go undetected despite having step-up authentication in place, because an SMS OTP is delivered to whichever SIM currently holds the number. The eventual outcome is potentially higher fraud levels despite SCA compliance.

Higher fraud rates imply that a higher number of transactions would be subject to step-up authentication. Therefore, banks must have a robust risk-scoring model to ensure stringent fraud assessment while minimizing false declines and maximizing transaction approvals. 

Mobile device and carrier data-related intelligence play a vital role in this reinforcement. This risk-scoring model may analyze behavioral and phone intelligence signals to measure the fraud risk and identity confidence of a potential transaction. Such an approach will thwart SIM swap frauds and other account takeover schemes. It can keep the level of SCA-invoking frauds well below the regulated thresholds, thereby making acquirers and issuers eligible for higher SCA exemptions.

Conclusion

An optimal balance between security and a seamless user experience is the key to successful and non-disruptive compliance with PSD2 SCA. 3DS2, in combination with risk analysis augmented by phone-centric intelligence, has a strategic value that goes beyond compliance for enterprises. It ensures that the purchase experience is frictionless, and the incidence of step-up authentication for payment transactions is kept to a minimum. Merchants can ensure higher transaction approval rates without MFA and thereby reduce cart abandonment. To this end, it is imperative for acquiring and issuing banks to have the best transaction risk analysis infrastructure in place.

Watch this video on how 3DS2 and mobile intelligence are a powerful combination that fulfills SCA requirements.

*With the exception of France and the UK, which have an extended deadline until March 2021 and September 2021, respectively