PSD2: The European Payments Revolution? Part 2a: What is SCA and how is it performing?
The Second Payment Services Directive (PSD2) brought about several changes aimed at modernising and revolutionising payments in Europe.
In our previous blog post, we provided a brief overview of PSD2, outlining its objectives as well as the main areas tackled by the regulation.
We continue our review of PSD2 in this blog with a focus on its safety element: Strong Customer Authentication. This is our second blog in a six-part series intended to provide a review of PSD2, three years on from its entry into force.
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a mandate introduced as part of PSD2 to reduce fraud and make card transactions safer for consumers. In order to comply with the mandate, banks must authenticate their customers for each ‘electronic payment transaction’ using at least two of three elements of identification: knowledge, inherence, and possession. (The mandate also applies when a customer wishes to access their bank account and transfer funds. See Article 97 of Directive (EU) 2015/2366.)
If we abstract beyond the contactless example and turn our attention towards ecommerce, making the checkout process as smooth and frictionless as possible becomes even more important. Ecommerce retailers spend a lot of time and effort crafting smooth checkout experiences to avoid customer cart abandonment. Two-factor authentication adds friction to the checkout, and while it may foil some fraudsters trying to make fraudulent transactions online, it may also cause genuine customers to abandon transactions. Our estimates suggest that failure on transactions requiring SCA is not trivial, with failure rates as high as 45% in certain countries (CMSPI estimate). We will discuss these estimates further on in the blog. Fortunately, the regulation provides for transactions that are either exempt from SCA or out of its scope, allowing certain transactions to avoid the added friction of two-factor authentication. This will be covered in part 4 of our blog series.
What do the metrics tell us?
Since September 2020, we have been analysing SCA testing data from some of the largest retailers in Europe and providing insights into transaction failure rates. We have continued to update these numbers monthly to evaluate performance post-enforcement.
As illustrated in the figure below, failure rates across Europe are extremely high, with the weighted average failure rate across Europe at 30% (CMSPI estimates).
Figure: Transaction Failure Rates (31% in previous report)
Given that our failure rate estimate focuses on challenged transactions, it could be argued that the impact of this could be minimised with low challenge rates and more frictionless flow transactions through 3DS (i.e. exemptions). While this is true, our estimates suggest that challenge rates on 3DS transactions have remained relatively high. The estimated average challenge rate on 3DS transactions across Europe was 79% in April 2021 (CMSPI estimate), suggesting most transactions currently sent through 3DS are challenged. The effect of this can be seen in the graph below which outlines the evolution of failure rates on challenged transactions as well as estimated failure rates on all transactions going through 3DS (taking into account the rate at which 3DS transactions are challenged). Both metrics show high rates of failure and illustrate that as challenge rates have remained consistently high, failure rates estimated by each metric are very close.
Figure: Evolution of Estimated Failure Rate by Metric
Strong Customer Authentication was introduced as part of PSD2 to bring greater levels of security to card payments and reduce fraud. SCA testing data, as well as performance data post-enforcement, illustrates that failure rates on transactions challenged through 3DS are extremely high. What’s more, the vast majority of transactions sent through 3DS are challenged, suggesting high rates of failure on a significant portion of ecommerce transactions in Europe. Retailers and trade associations have reached out to the European Banking Authority and the European Commission highlighting the need for the high rates of failure on 3DS transactions to be addressed as a matter of urgency (source). Indeed, if transaction failure rates remain as high as they currently are, our estimates suggest merchants across Europe could stand to lose €86 billion on an annual basis. This is particularly frustrating for retailers hoping to start their recovery following an extremely tough year as a result of the pandemic.