Turn PSD2 compliance into better payments performance - how to make strong customer authentication work for your business
Ingenico ePayments, April 2020
Contents
5 Introduction: It’s time to make PSD2 work for you
6 Fighting fraud with strong customer authentication
8 Delivering higher authorization rates for greater customer satisfaction
10 Taking the next step with 3DS V2.2
16 Conclusion: You say regulation, we say innovation
18 Appendix: Data used to authenticate transactions under the latest 3D Secure versions
Introduction: It’s time to make PSD2 work for you
With PSD2, most payment companies talk about what
is ‘required’ and a need to ‘comply’. This year, however,
merchants have an extraordinary opportunity to use PSD2
to better control the data that drives their businesses.
This means they can test new authentication processes
that will enable them to cut their fraud risk, while
continuing to improve the customer’s shopping experience.
EMV 3DS is a game changer for authenticating transactions. It makes it easier
for merchants to authenticate transactions, so they can benefit from transferring
the fraud risk to card issuers, while protecting the customer experience.
It also introduces exemptions that enable merchants to choose, in certain
circumstances, whether to authenticate the transaction.
EMV 3DS Version 2.1 (V2.1) is available today, and supersedes the original 3D
Secure 1.0. By the end of 2020, EMV 3DS V2.2 will have been introduced by
card issuers, bringing new enhancements and including exemptions that will
enable merchants to get the best out of EMV 3DS. Mastercard is also introducing
an intermediate version called EMV 3DS V2.1+, which introduces exemptions
earlier and gives issuers more time to get ready for EMV 3DS V2.2.
By the end of 2020, the second Payment Services Directive (PSD2) will come
into force and merchants will be required to authenticate all transactions,
except where exclusions or exemptions apply. By running pilot projects
now, merchants can gather the data they need to steer their authentication
strategy and optimize their conversion rates. EMV 3DS introduces a number
of opportunities for merchants to optimize their check-out process, including
seamless authentication and mobile app integration.
In this paper, we’ll outline these opportunities, and tell you how you can get
ready to implement and succeed with strong customer authentication, which all
payment card issuers will introduce by the end of 2020.
Fighting fraud with strong customer authentication

The anonymity of online transactions has made ecommerce a target for cybercriminals.

According to Juniper Research, card-not-present fraud is expected to cost retailers $130 billion between 2018 and 2023 [1]. It’s a complex problem, and the solution will require the cooperation of merchants, payment service providers (PSPs), card schemes and card issuers.

During 2020, strong customer authentication (SCA) will become a requirement for most online transactions. There will be a ripple effect, in which PSD2 will mandate that card issuers use strong authentication, and they in turn will require merchants to support it. Ultimately, if merchants are not able to support strong authentication, card issuers will decline transactions.

Transactions will need to be authenticated using two out of three of the following:
• Something the customer knows, such as a password;
• Something the customer has, such as a device or token; and
• Something the customer is, which might be their fingerprint or voiceprint.

Figure 1 shows some examples of authentication elements in each category. The factors need to be independent of each other (as all of these are), so that breaching one factor does not compromise the reliability of the other factor.

Transactions will require strong authentication when the following apply:
• The acquirer (merchant’s bank) and card issuer (customer’s bank) are both in the European Economic Area. If only one party is in the EEA, they are expected to use their best efforts to apply strong customer authentication, but the other party is not obliged to comply.
• The payer initiates an electronic payment. Payments initiated by the merchant are excluded from strong authentication, as long as the payment isn’t taken in response to a specific customer action. Setting up the original payment agreement remotely would require authentication, though. Orders placed using email, phone, fax or interactive voice response (categorized as MOTO – Mail Order/Telephone Orders) will ultimately use decoupled authentication, but issuers are not expecting to have this ready in 2020. MOTO transactions are therefore out of scope until further notice.
• The merchant does not request one of the exemptions that are allowed under PSD2. Exemptions give merchants a powerful tool for optimizing conversion rates, as we explain later in this paper.

Crucially, the approach is shifting from one where the merchant can decide whether to authenticate a transaction, to one where every transaction must be authenticated (unless exemptions or exclusions apply).

In addition, strong authentication will be required when the customer accesses their payment account online, or carries out any other action online that might result in payment fraud, such as adding a payee to a whitelist, or setting up a payment agreement with a merchant.

Figure 1: Examples of authentication elements that meet the requirements for PSD2

Knowledge (“what I know”):
• Password
• PIN
• Knowledge-based challenge questions
• Passphrase
• Memorised swiping path

Possession (“what I have”):
• Device evidenced by an OTP (generated or received) or by a signature generated or through a QR code externally scanned
• App or browser with possession evidenced by device binding
• Card evidenced by a card reader or by a dynamic card security code or through a QR code externally scanned

Inherence (“what I am”):
• Fingerprint scanning
• Retina and iris scanning
• Voice recognition
• Keystroke dynamics
• Vein recognition
• Heart rate or other body movement pattern
• Hand and face geometry
• Angle at which the device is held

[1] Press release: Retailers to Lose $130bn Globally in Card-Not-Present Fraud over the Next 5 Years, Juniper Research, 2 January 2019
Delivering higher authorization rates for greater customer satisfaction
The means through which the industry will meet the requirements of PSD2 is the 3D Secure protocol for authentication. 3D Secure 1.0 was originally created in 2001, but was not widely adopted.

3D Secure 1.0 required merchants to pass the customer over to the bank to authenticate the transaction during check-out, and many merchants decided they would rather keep the fraud liability than risk complicating the check-out process.

Now, EMV 3DS V2.1 is available. It can authenticate most transactions in the background without interrupting the customer, thanks to data provided by the merchant. This approach helps to improve conversion rates while also reducing the merchant’s exposure to fraud. When the consumer is authenticated during a transaction, card issuers will assume the liability for any fraudulent transactions that do slip through. Merchants can expect to experience fewer chargebacks and fraudulent payments, and a lower cost of processing fraudulent transactions.

This year, card issuers are gearing up to introduce EMV 3DS V2.2. It will introduce decoupled authentication for channels such as telephone and email, as well as exemptions that allow merchants to not authenticate certain transactions.

An intermediate version, EMV 3DS V2.1+, will be used by Mastercard to bring some of the benefits and requirements of EMV 3DS V2.2 to market earlier.

Figure 2 shows the current timetable, following an extension of the PSD2 deadline to the end of 2020. We don’t expect these dates to slip, because through our work with issuers and acquirers, we have seen that they are all working to this timeline. All merchants, including those using 3D Secure 1.0, should begin migrating to EMV 3DS now. The sooner merchants start incorporating the latest secure authentication protocols in their payment processes, the longer they will have for testing, and the earlier they can start to reap the rewards. Ingenico recommends that merchants that have not yet adopted 3D Secure skip version 1.0 and go straight to EMV 3DS V2.1.

We recommend that merchants support the highest version of 3D Secure that the card issuers are using at any given time.

If merchants are not ready or willing to incorporate secure authentication in their normal payment workflow, they should be able to “step up” by resubmitting and using 3D Secure to authorize transactions if they are declined. Ingenico, as your payment service provider (PSP), can automatically do this resubmission for you when it detects a soft decline of the transaction. Find out more about Ingenico’s product portfolio for PSD2 here.

Figure 2: The timetable for introducing strong customer authentication

Date | Event
18th October 2019 | Mastercard mandate of EMV 3DS V2.1 for card issuers. Mastercard issuers must now support EMV 3DS V2.1. Mastercard issuers can now reject authorization without 3DS authentication.
14th March 2020 | Visa mandate of EMV 3DS V2.1 for card issuers. Visa card issuers must now support EMV 3DS V2.1. Visa card issuers can now reject authorization without 3DS authentication.
1st July 2020 | Mastercard mandate of EMV 3DS V2.1+ for card issuers. Mastercard now supports exemptions, and Mastercard issuers must now support EMV 3DS V2.1+.
14th September 2020 | Visa mandate of EMV 3DS V2.2 for card issuers. Visa card issuers must now support EMV 3DS V2.2.
31st December 2020 | Current deadline for compliance with PSD2. All online transactions will need to use 3D Secure unless exemptions or exclusions apply.
14th March 2021 | Mastercard mandate of EMV 3DS V2.2 for card issuers. Merchants now need to support EMV 3DS V2.2 for Mastercard transactions.
Taking the next step with 3DS V2.2

EMV 3DS brings a number of opportunities for merchants to streamline their payments workflow, while reducing their exposure to fraud. These include the use of richer data, optional exemptions that help to optimize conversion rates, and better mobile integration.

Sharing data for frictionless authentication

In the past, merchants were able to process transactions using a card number, expiry date and card verification code (CVC). Under EMV 3DS, there are around 100 data points that card issuers can use to authenticate the customer and assess the risk of the transaction. This data can be supplied by the merchant with each payment request.

Providing this data increases the chance of a frictionless flow. Once the TRA (transaction risk analysis) on the issuer side has been determined as ‘low risk’, the payment is authenticated and the card issuer assumes the fraud liability, without the customer needing to take any additional action. If the issuer cannot categorize the transaction as ‘low risk’, due to insufficient data, or if the data indicates that the transaction falls outside the customer’s usual behavior, they may require the customer to provide additional authentication, e.g. a one-time password. While this authentication process is not onerous for customers, a frictionless flow will offer a simpler and faster experience. This is likely to increase customer satisfaction and may increase repeat business and conversion rates.

The appendix shows the data points included under EMV 3DS. Some of this data is mandatory, such as the cardholder name and billing address. Some other fields are easy to complete, such as the shipping address, which merchants engaged in selling physical goods will have on record for delivery purposes.

Some fields might be difficult to complete because merchants are not collecting or calculating the appropriate data yet, such as the number of transactions a year. Merchants may be able to increase the likelihood of frictionless approval by updating their systems to capture these metrics now. By requiring customers to log in to accounts, rather than using a guest checkout process, merchants can increase the amount of data they capture. It is important that this is done in a way that meets the merchant’s obligations under the General Data Protection Regulation (GDPR). Customers must be notified of how their data will be used and give their consent. Merchants that offer checkout without an account are likely to find their customers are more likely to be challenged, and conversion rates may be lower as a result. As an added bonus, customers that create accounts may prove to be more loyal, and will be able to enjoy a faster ordering process because some of their data can be stored in the account.

Information such as the IP address might be difficult for merchants to capture, but payment providers such as Ingenico can help with this. Data points such as this can be used to create a fingerprint for the device that is being used, to help authenticate the customer.

A recurring payment has no agreed end date, so it may be challenging to complete the expiration date field in this case. As 3D Secure is adopted throughout the year and into 2021, there may be refinements in how card issuers request and use data like this.

As well as data quantity, data quality will matter. If existing data will be repurposed for payment authentication you may wish to spend some time checking it is good enough, in particular with regard to its completeness and formatting. Ingenico can help you with this.

Another strategy merchants can use to ensure a frictionless payment flow involves the card issuer lifting key data points directly from the customer’s browser. This is highlighted through the payment process to ensure it is frictionless and doesn’t require additional approvals from the customer. This is included as part of 3D Secure V2.1.

Frictionless authentication in brief

Frictionless authentication brings all the benefits of EMV 3DS, including transfer of fraud liability away from the merchant, without any impact on the customer experience. It presents a fantastic opportunity for those merchants that can capture and communicate more complete information. Merchants have an opportunity to prepare and test their data capture systems now.
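A pre-flight check of the kind the data-quality advice above calls for, added here as an example (not the paper’s or Ingenico’s code): it reports which of the appendix’s mandatory fields are missing or badly formatted and which “required if available” fields are absent before a payment request goes out. The field labels are the appendix’s readable names rather than EMV 3DS message field names, and the format rules are this example’s own assumptions.

```python
"""Pre-flight check of EMV 3DS authentication data before a payment request.

Added example, not Ingenico's code. Field names are the human-readable labels
from this paper's appendix (a subset), not the EMV 3DS message field names.
The format rules are this example's own assumptions, chosen to catch the
completeness and formatting defects the paper says repurposed data may have.
"""
import re
from typing import Dict, List, Tuple

MANDATORY = (  # appendix fields marked (M) or "all Mandatory" (subset)
    "Card/Token Expiry Date", "Cardholder Account Number",
    "Cardholder Email Address", "Cardholder Name",
    "Cardholder Billing Address City", "Cardholder Billing Address Country",
    "Cardholder Billing Address Line 1", "Cardholder Billing Address Postal Code",
    "Merchant Category Code", "Merchant Country Code", "Merchant Name",
    "Purchase Amount", "Purchase Currency", "Purchase Date & Time",
    "Transaction Type",
)
# "Required if available": absence lowers the chance of a frictionless flow.
IF_AVAILABLE = (
    "Cardholder Account Identifier", "Browser IP Address",
    "Cardholder Shipping Address Line 1", "Cardholder Account Age Indicator",
    "Number of Transactions Year", "Recurring Expiry",
)
# Assumed formats: expiry YYMM, ISO 3166-1 numeric country, ISO 4217 alpha
# currency, amount in minor units. Not taken from the EMV 3DS specification.
FORMATS = {
    "Card/Token Expiry Date": re.compile(r"^\d{2}(0[1-9]|1[0-2])$"),
    "Cardholder Billing Address Country": re.compile(r"^\d{3}$"),
    "Merchant Country Code": re.compile(r"^\d{3}$"),
    "Purchase Currency": re.compile(r"^[A-Z]{3}$"),
    "Purchase Amount": re.compile(r"^\d+$"),
    "Cardholder Email Address": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}


def check_3ds_data(data: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (missing mandatory, badly formatted mandatory, missing optional)."""
    missing, badly_formatted, optional_missing = [], [], []
    for field in MANDATORY:
        value = (data.get(field) or "").strip()   # whitespace-only counts as absent
        if not value:
            missing.append(field)
        elif field in FORMATS and not FORMATS[field].match(value):
            badly_formatted.append(field)
    for field in IF_AVAILABLE:
        if not (data.get(field) or "").strip():
            optional_missing.append(field)
    return missing, badly_formatted, optional_missing


def frictionless_readiness(data: Dict[str, str]) -> float:
    """Share of the listed fields that are present and well formed (0.0 to 1.0)."""
    missing, bad, optional = check_3ds_data(data)
    total = len(MANDATORY) + len(IF_AVAILABLE)
    return round((total - len(missing) - len(bad) - len(optional)) / total, 2)


# Constructed sample: a guest checkout for physical goods, carrying the kind
# of defects repurposed data has (YYYYMM expiry, whitespace-only postcode).
SAMPLE_GUEST_CHECKOUT = {
    "Card/Token Expiry Date": "202412",
    "Cardholder Account Number": "4111111111111111",
    "Cardholder Email Address": "shopper@example.com",
    "Cardholder Name": "A Shopper",
    "Cardholder Billing Address City": "Amsterdam",
    "Cardholder Billing Address Country": "528",
    "Cardholder Billing Address Line 1": "Example Street 1",
    "Cardholder Billing Address Postal Code": "   ",
    "Merchant Category Code": "5999",
    "Merchant Country Code": "528",
    "Merchant Name": "Example Shop",
    "Purchase Amount": "4999",
    "Purchase Currency": "EUR",
    "Purchase Date & Time": "20200415103000",
    "Transaction Type": "01",
    "Cardholder Shipping Address Line 1": "Example Street 1",
    "Browser IP Address": "203.0.113.7",
}
```

Running `check_3ds_data(SAMPLE_GUEST_CHECKOUT)` flags the blank postcode as missing and the six-digit expiry as badly formatted, and lists the four account-history fields a guest checkout cannot supply.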
Requesting exemptions

In certain circumstances, merchants can request an exemption to skip the secure customer authentication requirements. While most payments can be approved seamlessly, merchants cannot know in advance whether the bank will require additional authentication. Merchants may prefer to request an exemption, to avoid interrupting the customer’s order process. Merchants will be liable for any resulting fraud on the transaction, but it might help to improve conversion rates. Requesting an exemption is not a guarantee that it will be granted.

Here are the exemptions that may apply:
• Low transaction value: Strong authentication may not be required for transaction values of less than EUR 30. This exemption applies if there have been no more than five payments since the last strong authentication, with a total value of less than EUR 100.
• Corporate payments: Business-to-business transactions do not require strong authentication where there are dedicated payment processes and the reference fraud rate is less than 0.005%. This exemption applies for corporate and lodged cards.
• Recurring payments: Setting up a recurring payment agreement requires strong authentication because the customer is present and it is the only payment initiated by the consumer of the series. Each individual payment under the agreement does not require authentication.
• Whitelisting: Payers can choose to add merchants to a list of trusted payees for whom they do not wish to use secure authentication. Setting up the whitelist or changing it does require authentication, but customers can then shop without authenticating each purchase. Merchants that give customers the option of whitelisting may benefit from greater stickiness, by making it easier for customers to shop with them.
• Transaction Risk Analysis (TRA): If the payment acquirer falls below fraud rates determined by the European Banking Authority (EBA), the transaction may be exempt from authentication. The fraud rates are shown in Figure 3. To use this exemption, the merchant needs to carry out a risk assessment on the transaction before submitting the payment for approval. Ingenico can provide risk assessments so merchants can take advantage of this.
• Delegated authentication: Although not strictly speaking an exemption, delegated authentication has much the same effect. Participating merchants that use strong authentication when customers log in to their accounts may not need to use it when the payment is processed. Merchants will need to work with the card schemes for permission to use delegated authentication, and card schemes will notify issuers that they should not authenticate the merchant’s transactions. Mastercard will consider allowing delegation for merchants that follow the authentication standards of the FIDO Alliance, an industry body dedicated to authentication standards. If you’re interested in delegation, we recommend discussing it with card issuers and your payment service provider today, so you have time to put the necessary measures in place.

Figure 3: Reference fraud rates for card-not-present (CNP) fraud. If the acquirer is below these thresholds, secure customer authentication may be exempt.

Threshold | Reference CNP fraud rate (%)
EUR 500 | 0.01
EUR 250 | 0.06
EUR 100 | 0.13

Exemptions will be supported in EMV 3DS V2.2. In addition, Mastercard’s EMV 3DS V2.1+ will support the exemptions for low value transactions, whitelisting, TRA, and a different implementation of delegated authentication.

American Express (Amex) is not planning to support any exemptions, so it will be particularly important to improve the quality and quantity of data shared to achieve a frictionless payment process for Amex cardholders.

By introducing EMV 3DS now, merchants can take the opportunity to test when it is in their interests to use secure customer authentication and when it is not, so they can see whether exemptions are attractive for them. There is a balance to be struck between conversion rate and fraud risk, and merchants can only reach an informed decision by gathering data that compares authenticated and non-authenticated transactions.

Exemptions in brief

Exemptions enable merchants to request that secure authentication is not used in certain circumstances. Using exemptions reduces the risk of the customer being challenged to authenticate the transaction, which may increase conversion rates. Merchants carry the cost of fraud when an exemption is granted, though, so they should begin testing now to work out the optimum balance between sales conversion and fraud risk.
Improving mobile payment processes

Mobile phones now account for more than half of online transactions globally [2]. 3D Secure 1.0 predated both Android and iOS by several years, and was designed for desktop browsers, so it wasn’t working well for mobile workflows.
With EMV 3DS V2.1, the industry has taken
the opportunity to create a mobile software
development kit (SDK) so that payments can
be integrated within your mobile app. EMV
3DS V2.2 will further enhance the SDK by
integrating with banking apps so they can
be used for authentication.
In most cases, the authentication will be
frictionless and automatic. Where the
customer is challenged to provide additional
authentication information, it will be
possible to do this from within the app,
without having to redirect to a browser.
EMV 3DS V2.1 also introduces support for
other devices such as gaming consoles,
so merchants can take advantage of the
reduced fraud risk of 3D Secure in those
channels too.
Ingenico is working with EMVCo, the industry-
wide technical body responsible for EMV 3DS,
to incorporate EMV 3DS, including exemptions,
in its mobile payment SDK. The SDK helps
merchants to easily build PSD2-compliant
payments within their apps. The SDK abstracts Mobile payment processes in brief
away the complexity, with Ingenico taking
care of how EMV 3DS is implemented, and EMV 3DS gives merchants an opportunity
managing the payments in the background. to improve their mobile conversion rates,
When step up authentication is required, enhance the experience of in-app payments,
Ingenico is able to do that automatically, and reduce their exposure to fraud. Using EMV
and as new features are added to EMV 3DS, 3DS, authentication challenges can be built in
Ingenico will update its processes and systems to the mobile app, and most authentication can
to shield merchants from the complexity as be carried out in the background seamlessly.
much as possible. Ingenico’s mobile SDK is being enhanced to
support EMV 3DS, to make it easier to build
authentication into apps.
2 Worldwide Retail and Ecommerce Sales: eMarketer’s Updated Forecast and
New Mcommerce Estimates for 2016—2021, eMarketer, 29 January 2018
Conclusion: You say regulation, we say innovation
Implementing EMV 3DS as part of PSD2 compliance efforts
presents a number of opportunities for merchants.
They can transfer the liability for fraud to card issuers while enhancing their
customer experience, by enabling frictionless authentication in the background.
Some merchants may choose to absorb the fraud risk and request exemptions
to secure authentication. As the mobile phone is an increasingly important
shopfront, merchants will welcome the opportunity to integrate authentication
tightly with their apps for a better user experience.
To make authentication a better experience for their customers, it’s important
that merchants can make an informed decision. Beginning pilot projects now will
enable them to gather the data they need before authentication is a mandatory
requirement.
EMV 3DS is a huge transformation for the payments industry – and the potential
rewards are there for merchants that can see them. By working with Ingenico,
you can abstract away much of the complexity of implementing 3D Secure, and
benefit from expert insight into how your data can be used to streamline your
authentication processes.
Contact us
Appendix: Data used to authenticate transactions under the latest 3D Secure versions
Providing these data items can help the card issuer to identify a transaction as low risk, so it can be authenticated seamlessly. (M) marks a mandatory field.

Card Information
• Card/Token Expiry Date (M)
• Cardholder Account Identifier (Required if available)
• Cardholder Account Number (M)

Cardholder information
• Cardholder Email Address (M)
• Cardholder Home Phone Number
• Cardholder Mobile Phone Number
• Cardholder Work Phone Number (Required if available)
• Cardholder Name (M)

Cardholder Billing Address (all Mandatory)
• Cardholder Billing Address City
• Cardholder Billing Address Country
• Cardholder Billing Address Line 1
• Cardholder Billing Address Line 2
• Cardholder Billing Address Line 3
• Cardholder Billing Address Postal Code
• Cardholder Billing Address State

Shipping Address (all required if available)
• Cardholder Shipping Address City
• Cardholder Address Country
• Cardholder Shipping Address Line 1
• Cardholder Shipping Address Line 2
• Cardholder Shipping Address Postal Code
• Cardholder Shipping Address State

Merchant Basic Information (all Mandatory)
• Merchant Category Code
• Merchant Country Code
• Merchant Name

Purchase information
• Purchase Amount (M)
• Instalment Payment Data (Required if available)
• Purchase Currency (M)
• Purchase Date & Time (M)
• Recurring Expiry (Required if available)
• Recurring Frequency (Required if available)
• Transaction Type (M)

Merchant risk information (all required if available): information related to the delivery
• Shipping Indicator
• Delivery Timeframe
• Delivery Email Address
• Reorder Items Indicator
• Pre-Order Purchase Indicator
• Pre-Order Date
• Gift Card Amount
• Gift Card Currency
• Gift Card Count

Consumer Information (all required if available): this information is usually part of the consumer account in the merchant’s website
• Cardholder Account Age Indicator
• Cardholder Account Date
• Cardholder Account Change Indicator
• Cardholder Account Change
• Cardholder Account Password Change Indicator
• Cardholder Account Password Change
• Shipping Address Usage Indicator
• Number of Transactions Day
• Number of Transactions Year
• Number of Provisioning Attempts Day
• Cardholder Account Purchase Count
• Suspicious Account Activity
• Shipping Name Indicator
• Payment Account Age Indicator
• Payment Account Age

Browser Information (all mandatory with exceptions)
• Browser Accept Headers
• Browser IP Address (Required if available)
• Browser Java Enabled
• Browser Language
• Browser Screen Color Depth
• Browser Screen Height
• Browser Screen Width
• Browser Time Zone
• Browser User-Agent

For mobile app integrations there is similar information required that the issuer can use to display the challenge correctly.
www.ingenico.com/global-epayments