When discussing PSD2 requirements, most stakeholders will have Strong Customer Authentication (SCA) in mind. SCA involves authentication methods that are more advanced than old-fashioned static PINs and passwords, but this comes at a cost. SCA implementation is much more complex for payment service providers, as well as for the end-user. It requires additional actions on their side, such as downloading a mobile token, having a device that supports biometrics, retyping OTPs, and more.
Yes, PSD2 requirements advocate Strong Customer Authentication, but what does that really mean for the stakeholders? SCA demands authentication that combines two out of three independent factors, namely: possession, knowledge, and inherence. Regardless of the methods chosen, PSD2 brought another tool to increase security as well as improve the end-user experience: Risk-Based Authentication. PSD2 makes it clear that the strength of authentication should correspond to the level of risk of a given transaction.
PSD2 requirements and the corresponding Regulatory Technical Standards on Strong Customer Authentication specify the scenarios in which SCA exemptions apply. The prerequisite for applying any of the exempted scenarios is a transaction risk analysis (TRA). TRA rates a transaction as high, medium, or low risk. Such analysis can be as simple as the Low-Value Payment exemption, which presumes that transactions below 30 EUR pose a low risk and a low financial impact, even in cases of fraud.
For transactions that are not low-value payments, a more sophisticated risk scoring approach is necessary on the issuer side. This risk analysis should consider the end-user's usual behavior: their habits, the channels and devices they use, common geolocation, known delivery addresses, and more. On the other side, issuers also need to track the relevant merchants, meaning their fraud rate, blacklists, risky currencies, etc. As expected, such analysis requires advanced risk scoring solutions.
The issuer's main concerns are fraud costs and chargeback liability. With 3D Secure 2, acquirers and merchants shift liability to the issuer side. Therefore, issuing banks favor SCA for obvious reasons: it protects them and the cardholders from a wide range of fraudulent online payment activities.
Since merchants are much keener on frictionless transactions than issuers are, PSD2 requirements and the recent 3D Secure protocol enable merchants and acquirers to communicate their authentication preferences in the 3DS transaction flow. However, this does not mean that the authentication is invalid. Merchants who opt for this approach trust that the buyer has already authenticated by signing in to the merchant's web or mobile shop; i.e. the buyer authenticates during login to the web or mobile shop. This is not Strong Customer Authentication. Still, taking into account the transaction amount, the usual delivery address, the type of goods or services purchased, and the card data used (which is usually visible in the webshop, hopefully handled according to the PCI DSS rules), merchants can be fairly sure that the buyer is not a fraudster. Demanding additional authentication by the issuer usually leaves end-users irritated and dissatisfied with the lengthy transaction authentication process.
Additionally, if the issuer approves a transaction based on the merchant exemption, the merchant is the one that takes the liability for chargeback costs in case of fraud.
Different regions, merchants, and goods and services result in different buyer preferences when it comes to SCA or an SCA exemption. The best option is to let the buyers decide for themselves. With the introduction of the Merchant Whitelist in 3D Secure 2.1, further enhanced in 3D Secure 2.2, buyers are able to choose trusted merchants in order to avoid SCA. Previously, the issuing bank analyzed eligible merchants and listed them for inclusion in the SCA exemption. Unlike the merchant exemption preference, here the liability for fraud costs and chargebacks shifts to the issuer side. To minimize this risk, Merchant Whitelist candidates also need a risk assessment, done with advanced risk scoring solutions based on the merchant's fraud rate.
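As an added example (not code from the original article or from any issuer's actual risk engine), the following Python sketch ties together the transaction risk analysis described above: the 30 EUR low-value threshold, an additive behavioural and merchant risk score mapped onto high/medium/low, the issuer-side fraud-rate check for Merchant Whitelist candidates, and who carries chargeback liability under each outcome. The weights, the 0.1% whitelist ceiling, the 1% "risky merchant" threshold, the placeholder currency list and all cardholder and merchant data are constructed assumptions; the liability assignment for issuer-applied exemptions (issuer liable) is the usual reading of the rules and is marked as assumed in the code.

```python
from dataclasses import dataclass, field

LOW_VALUE_LIMIT_EUR = 30.0        # low-value payment threshold stated in the article
WHITELIST_MAX_FRAUD_RATE = 0.001  # assumed ceiling (0.1%) for whitelist eligibility
HIGH_MERCHANT_FRAUD_RATE = 0.01   # assumed threshold for the "risky merchant" signal
RISKY_CURRENCIES = {"ZZZ"}        # constructed placeholder for currencies the issuer treats as risky


@dataclass
class CardholderProfile:
    known_devices: set
    usual_countries: set
    known_delivery_addresses: set
    typical_amount_eur: float


@dataclass
class MerchantProfile:
    merchant_id: str
    fraud_rate: float  # share of the merchant's transactions that ended in fraud
    blacklisted: bool = False


@dataclass
class Transaction:
    amount_eur: float
    currency: str
    device_id: str
    country: str
    delivery_address: str
    merchant: MerchantProfile
    merchant_requests_exemption: bool = False  # acquirer/merchant preference carried in the 3DS flow


@dataclass
class Decision:
    action: str        # "frictionless" or "sca"
    exemption: str     # exemption applied, or "none"
    liable_party: str  # who carries chargeback liability if the payment turns out fraudulent
    risk_level: str
    reasons: list = field(default_factory=list)


def risk_score(txn, profile):
    """Additive score over behavioural and merchant signals; weights are constructed."""
    signals = [
        (txn.device_id not in profile.known_devices, 2, "unknown device"),
        (txn.country not in profile.usual_countries, 2, "unusual geolocation"),
        (txn.delivery_address not in profile.known_delivery_addresses, 1, "new delivery address"),
        (txn.amount_eur > 3 * profile.typical_amount_eur, 2, "amount far above usual spend"),
        (txn.merchant.blacklisted, 5, "blacklisted merchant"),
        (not txn.merchant.blacklisted and txn.merchant.fraud_rate > HIGH_MERCHANT_FRAUD_RATE,
         2, "high merchant fraud rate"),
        (txn.currency in RISKY_CURRENCIES, 1, "risky currency"),
    ]
    score = sum(weight for hit, weight, _ in signals if hit)
    reasons = [reason for hit, _, reason in signals if hit]
    return score, reasons


def risk_level(score):
    """Map the score onto the high/medium/low rating that TRA produces (assumed cut-offs)."""
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def whitelist_eligible(merchant):
    """Issuer-side check before honouring a cardholder's trusted-merchant choice."""
    return not merchant.blacklisted and merchant.fraud_rate <= WHITELIST_MAX_FRAUD_RATE


def decide(txn, profile, whitelist):
    """Choose frictionless vs. SCA and record the resulting liability (constructed policy)."""
    score, reasons = risk_score(txn, profile)
    level = risk_level(score)
    if level == "high":
        # High risk always steps up; with 3DS2 the authenticated transaction's liability sits with the issuer.
        return Decision("sca", "none", "issuer", level, reasons)
    if txn.merchant.merchant_id in whitelist and whitelist_eligible(txn.merchant):
        # Cardholder-chosen trusted merchant: the article notes liability moves to the issuer.
        return Decision("frictionless", "merchant_whitelist", "issuer", level, reasons)
    if txn.amount_eur < LOW_VALUE_LIMIT_EUR and level == "low":
        # Issuer-applied exemption; issuer liability is assumed here.
        return Decision("frictionless", "low_value", "issuer", level, reasons)
    if txn.merchant_requests_exemption:
        # Merchant-requested exemption honoured: the merchant takes chargeback liability.
        return Decision("frictionless", "merchant_tra", "merchant", level, reasons)
    if level == "low":
        return Decision("frictionless", "issuer_tra", "issuer", level, reasons)  # issuer liability assumed
    return Decision("sca", "none", "issuer", level, reasons)


if __name__ == "__main__":
    # Constructed sample data, not real cardholder or merchant records.
    profile = CardholderProfile({"dev-A"}, {"HR", "DE"}, {"Home St 1"}, 40.0)
    shop = MerchantProfile("m-shop", fraud_rate=0.0005)
    txn = Transaction(20.0, "EUR", "dev-A", "HR", "Home St 1", shop)
    print(decide(txn, profile, whitelist=set()))
```

The decision order matters: a high-risk rating overrides every exemption, and the whitelist is only honoured after the issuer's own fraud-rate check on the merchant passes, which is exactly the assessment the paragraph above calls for.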
Biometry is the most applicable, most user-friendly, and most secure authentication method when talking about 3D Secure authentication in online payments. This is recognized by the card schemes, as MC and VISA introduced KPIs for issuers to measure biometric authentication rates. As Juniper Research states, facial recognition software was already deployed on around 96 million mobiles in 2019, and it forecasts that biometric facial recognition will be present in 90% of smartphones by 2024, making biometric authentication widely applicable. Implementing biometry also addresses the dynamic linking required by PSD2. In the end, applying biometrics is extremely fast and straightforward when combined with a push notification during online payment authentication.