PSD2 exemptions and data

Why merchants should focus on data to reduce SCA friction

There has been a lot of discussion around PSD2 in recent years, and much attention has been paid to the best ways to minimize friction and the number of challenges presented to cardholders in order to complete payments.

One of the biggest fears is that the introduction of stricter requirements related to Strong Customer Authentication (SCA) will increase cart abandonment and negatively impact conversion rates, as has been experienced historically in some specific European markets such as Germany, Spain or Italy.

To support compliance with PSD2 Strong Customer Authentication requirements, EMVCo came up with 3DS2, considered the new authentication protocol answering the regulation. One of its key aspects is the considerably increased number of data points shared through the payment authentication chain, which allows issuers to recognize normal and trusted customer behavior more easily without requesting cardholder intervention to authenticate transactions.

With this improvement, better risk management allows both issuers and acquirers to request PSD2 exemptions in scenarios where the transaction risk is identified as low and the transaction amount is not higher than 500 Euro. This Low Value Exemption is applicable based on issuer/acquirer fraud rates (up to 100 Euro if fraud is below 13 bps, up to 250 Euro if fraud is below 6 bps, up to 500 Euro if fraud is below 1 bps). This is a very important topic for merchants looking to reduce SCA friction and improve their acceptance rates.

PSD2 offers different exemption possibilities such as Transaction Risk Analysis (TRA) and Low-Value Payments (LVP).

When issuers apply Risk Based Authentication, the liability shift remains on their side, as the customers are authenticated through data pattern recognition. For this to work, the quantity and quality of data are fundamental, and some essential data points can help increase the number of transactions authenticated without SCA. Data points that can help issuers achieve a better risk assessment include ‘billing address’ and ‘shipping address’ information, cardholder information such as ‘phone number’ or ‘account password changes’, and counter data points such as ‘count of transactions’ within the last 24 hours or the last year. Additional data such as ‘email address’, ‘cardholder name’ and ‘device fingerprint’ are already available with 3DS2 transactions as required data points.

It is worth mentioning that card schemes are implementing several monitoring programs for issuers to ensure good 3DS2 performance and push for more data-authenticated transactions (for example, a Visa program that monitors the cardholder abandonment rate, which is to be kept below 5%).

To implement the best PSD2 exemption strategy, issuer behavior is a key point to consider in the TRA models. The models should take into account how risk-based authentication is applied at issuer and BIN level, as it would not make much sense to request Acquirer TRA exemptions if issuers are already prone to apply an exemption on their side. Proper monitoring and data analysis are fundamental in those cases. Choosing the right provider to do this is also a key point.
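One way to encode the strategy described above, as an added example (not code from the article or from any provider): it applies the fraud-rate bands quoted earlier and skips the acquirer request when a BIN's issuer already authenticates most traffic without a challenge. The 80% cutoff, the outcome labels, the function names and the sample history are assumptions constructed for illustration.

```python
from collections import defaultdict

# Bands quoted in the article: (fraud rate must be below N bps, max amount in EUR).
BANDS = [(1, 500), (6, 250), (13, 100)]
# Assumption: above this per-BIN frictionless share, the issuer is treated as
# "already prone to apply an exemption on their side".
ISSUER_FRICTIONLESS_CUTOFF = 0.80

def max_exempt_amount(fraud_bps):
    """Highest amount (EUR) the bands allow for a given fraud rate; 0 if none."""
    for below_bps, cap_eur in BANDS:
        if fraud_bps < below_bps:
            return cap_eur
    return 0

def frictionless_rate_by_bin(history):
    """history: iterable of (bin, outcome), outcome 'frictionless' or 'challenge'."""
    counts = defaultdict(lambda: [0, 0])  # bin -> [frictionless, total]
    for bin_, outcome in history:
        counts[bin_][0] += outcome == "frictionless"
        counts[bin_][1] += 1
    return {b: f / n for b, (f, n) in counts.items()}

def decide(amount_eur, bin_, acquirer_fraud_bps, rates):
    """Return one of three hypothetical routing labels for a transaction."""
    if amount_eur > max_exempt_amount(acquirer_fraud_bps):
        return "no_request_over_limit"       # outside the acquirer's band
    if rates.get(bin_, 0.0) >= ISSUER_FRICTIONLESS_CUTOFF:
        return "no_request_issuer_exempts"   # send rich 3DS2 data, let issuer decide
    return "request_acquirer_exemption"

# Constructed sample of past 3DS2 outcomes per BIN (not real data).
HISTORY = (
    [("400000", "frictionless")] * 9 + [("400000", "challenge")] * 1
    + [("510000", "frictionless")] * 3 + [("510000", "challenge")] * 7
)
RATES = frictionless_rate_by_bin(HISTORY)

if __name__ == "__main__":
    for amount, bin_, bps in [(80, "400000", 5), (80, "510000", 5), (300, "510000", 5)]:
        print(amount, bin_, bps, "->", decide(amount, bin_, bps, RATES))
```

A BIN with no history falls through to the acquirer request here; a production model would also want a minimum sample size per BIN before trusting its rate.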

