Since it was published in 2015, the Second Payment Services Directive (PSD2) — an industry-wide regulation for EU member states and the UK, that was introduced to make online transactions more secure — continues to prove a headache for online merchants.
According to a recent study commissioned by Riskified, a fraud management platform enabling frictionless eCommerce, and conducted by Forrester Consulting, entitled, “E-Commerce Fraud Prevention: What Is The Post-PSD2 State Of Play?”, nearly half (45%) of online retailers are either still resolving issues related to PSD2’s rollout or are only just managing to follow its minimum requirements. This is in part because many businesses did not take advantage of the time given to implement the necessary changes in the most effective way.
But this is just the tip of the iceberg, says Roman Korobkov, Product Marketing Manager at Riskified. Ecommerce merchants are struggling with a lack of data on PSD2 market performance and trends, meaning they don’t always know where to expand their efforts. 3D Secure (3DS), an industry standard for meeting the SCA (Strong Customer Authentication) requirements, is not as fraud-proof as anticipated. And online retailers also feel limited in choosing the partners that can help them optimise their payments under PSD2.
It’s well-known that fraud rates across the EU and the UK are decreasing despite some of these issues. Many online merchants who have a handle on PSD2 have reduced fraud and gained happier customers in the process. However, the overall landscape for PSD2 is mixed. To get the lowdown on PSD2 in 2022, we asked Korobkov to share his take on the findings in Riskified’s new Forrester study.
Why are businesses struggling with PSD2?
A key part of the puzzle lies with the rollout of PSD2. The regulation was published in December 2015, followed by a long process of defining the standards and requirements necessary for its implementation. Later in March 2018, the regulatory technical standards (RTS) for strong customer authentication (SCA) were released, to allow EU and UK merchants and other players within the payments ecosystem time to adopt the new regulation, both from a business and technical perspective. Although ‘true’ compliance wasn’t required until December 2020 for EEA states, with the UK joining the PSD2 family in March 2022, Korobkov says the run-up period was not used wisely enough.
“PSD2’s launch was rough, and for some countries and merchants this continues today,” says Korobkov. “A recent workshop run by the EPIF [European Payment Institutions Federation] on the RTS on SCA had some interesting insights. In Italy, some merchants are seeing cart abandonment rates reach 50%, and for less advanced banks this rate jumps to 60%. In Portugal, the challenge rate can reach 80%, with a cart abandonment rate of 50% or more.
“It’s unfortunate, but many businesses opted for a wait-and-see, reactive approach to PSD2 regulation when they could have been proactive.”
Another key issue is how many online merchants are using 3D Secure (3DS), a protocol designed to be an additional security layer for CNP (Card-Not-Present) transactions, as their sole solution for fraud prevention. Korobkov says it’s now clear that 3DS alone is not enough to ensure a comprehensive fraud prevention strategy.
“For some, 3DS works well and is the right option,” he says, “but it’s not a one-size-fits-all solution. 3DS must be used wisely. It should be used in a way that is right for your business, your customer base, your fraud rate, your average order volume, and for your buyers’ behaviour. All these things must be considered when implementing your strategy for PSD2.”
Riskified’s Forrester study also found that many online merchants are facing limitations when attempting to optimise their payment strategies under PSD2. Almost one-third (31%) said they had been feeling locked into specific tools offered by payment partners and it’s making it difficult to leverage solutions available in the market that could boost their performance.
“3DS solutions and exemption engines are often offered by PSPs as part of a packaged offering, and for some e-commerce merchants these are the only options,” Roman says. “If a PSP is not ready to open their ecosystem up and collaborate with other solution providers, having a multi-focused PSP strategy can be a great way to optimise the payment processes. This also allows merchants to use PSP-agnostic tools, bringing value regardless of who the main payment partner is. Together with gaining more flexibility, optimising costs, improving authorization rates, and getting more orders exempted from SCA, eCommerce merchants can have access to more data and independently choose partners and solutions tailored to their specific needs.”
Despite the expectation that PSD2 would reduce fraud, merchants instead say that fraud remains prevalent. In the study commissioned by Riskified, merchants reported that PSD2 is making fraud prevention more expensive while not 100% effective at reducing fraud. 57% of merchants who reported increasing their fraud prevention costs say costs are up between 25% to 100% when compared to pre-PSD2 spending.
Additionally, according to the study, more than a third (39%) say that — alongside increased friction and cart abandonment — they are seeing more fraudulent chargebacks on 3DS-authenticated transactions, which negatively affects their overall fraud rate.
“Fraudsters are becoming increasingly sophisticated,” says Korobkov. “Once 3DS became the industry standard for customer authentication, fraudsters immediately started looking for ways to bypass it. Criminals are sharing knowledge on the dark web, including online courses, explainers on how to use bots and how to make use of malware, as well as social engineering scenarios, and other ways to take over the authentication process.”
In its aim to make online purchases easier, frictionless authentication is also making fraud easier in some cases. On occasions when payment authentication services know enough details about a particular customer and transaction, they may choose to skip the challenge. Fraudsters know this and are building up the knowledge and skills to attack these soft spots in the payment ecosystem.
Advice for businesses
Ecommerce merchants should look closer at their data and collaborate with their PSPs on possible areas for optimisation.
“To optimise payments under PSD2, merchants must look to performance-based indicators and not just take the word of their provider,” says Korobkov. “If your current partners are not ready to share the bigger picture with you, make sure to talk openly about your needs and more flexibility.”
Korobkov reiterates that 3DS should not be taken as a standalone solution. PSD2 requires a full-scale holistic approach that combines payment optimisation and fraud prevention. This is primarily because it makes the online buying experience safe and convenient, and combines the best elements of both worlds.
Another finding from the study was that 65% of respondents surveyed said that more data is needed around payment processing fees, regular updates on market performance, and reviews of available solutions to help businesses advance their PSD2-related strategy. Improvement in data transparency is needed so that merchants can make better judgements on their payment strategies.
“Instead of chasing down your partners for better and more detailed information, you should be looking for a provider that speaks to you and helps establish transparency across your payment flows,” says Korobkov. “Knowing why an authentication request or an exemption has been declined and what can be done to change this in the future will help to streamline the process. Helping merchants get to the root of these issues is key.”
Reaping the rewards of PSD2
PSD2 optimization helps online merchants stand out from the crowd. More than half of respondents (53%) in Riskified’s Forrester study reported that they hope PSD2 optimization results in improved customer experience, and half said they hope it results in higher conversion rates and increased customer retention.
“Merchants are seeing it as an opportunity to gain a competitive advantage by building trust with their customers. They understand when they provide a safe, secure, and frictionless checkout environment for the end-users, that they will gain more customers in return,” says Korobkov.
“I hope in the future we will see a payments ecosystem that is more open, with the freedom to choose partnerships based on your payment needs, and where access to data is easier so that businesses can make better-informed decisions. The fastest way to achieve this potential reality, in my opinion, is for eCommerce merchants to establish more transparent relationships with payment providers and invest in new solutions. It’s really about openness, collaboration, and building on your existing knowledge while being able to share it with the others.”
To find out more about the current state of PSD2 for online merchants, download the study below