PSD2 implementation in the EU: one year on

After one year of SCA in the EU, indications are that PSD2 implementation has reduced fraud rates. Behavioral biometrics are key to success.

Patrick Drexler

VP of DACH and Friendly Fraud

17 February 2022


PSD2 was a huge regulatory step forward, and merchants feared its implementation would cause huge disruption to their businesses. More than one year after adoption, however, things appear to be running relatively smoothly in the European Union (EU). Visa has reported 95% approval rates for European eCommerce transactions, suggesting that merchants and financial institutions have found a way to be PSD2 compliant while maintaining positive customer user experiences (UX). The key to success is to incorporate behavioral biometrics, a key element of advanced fraud detection and prevention systems, into the process so that SCA or its exemptions are processed. It's easier to implement than all the technical jargon may suggest.

PSD2 implementation: EU eCommerce fraud rates down

There’s more good news. Despite the delays and fears surrounding PSD2 implementation into payment flows, the main goal has always been to significantly reduce fraud rates, which is exactly what has happened in the EU. In the first 4 months of 2021, fraud rates fell by a whopping 20%, while global fraud rates actually increased during the ongoing COVID-19 pandemic. One of the main reasons for this rise has been the huge increase in global eCommerce volumes caused by merchants and consumers moving into the online realm. This has given fraudsters the perfect opportunity to hide their activities in the vast ocean of new transactions, where they use tried and tested tactics on those who previously avoided online shopping.

From a technical point of view, every business, and every country, will have its own approaches to eCommerce and combating fraud. It is important to note that not all global merchants, for instance, use 3DS2 (3D Secure 2.0) payment authorisation protocols for online payments, choosing instead to remain on version 1.0. They may also be unwilling or feel they cannot afford to deploy advanced fraud solutions within their businesses, opting instead to use ineffective rules-based fraud solutions, which fraudsters can bypass.

The UK’s PSD2 implementation deadline is fast approaching

Amidst all this fervour, the UK’s PSD2 implementation deadline of 14 March is drawing ever closer - but this does not mean UK financial institutions and merchants are completely unprepared. The UK has generally been a global leader in the adoption of new rules, regulations and technologies (despite delays in the case of PSD2). In light of this, as of June 2021, card issuers/banks began stepping up SCA requirements for high-risk transactions by 50%, aiming for 100% by the UK PSD2 deadline. So far, so good, but as for eCommerce merchants, not all have been as proactive in finding an adequate solution to their perceived worries. Of course, there are SCA exemptions in place to help, but certain crucial anti-fraud conditions must be met in order for payments to be approved.

SCA exemptions are possible with Transaction Risk Analysis (TRA) and low fraud thresholds

UK merchants should take note. SCA exemptions are accepted, but only in certain circumstances. The Transaction Risk Analysis (TRA) exemption, in particular, allows low-risk, low-value transactions to be exempted, but only where a merchant ensures the safety of the payment service user's funds and personal data. In practical terms, payments under €30 are deemed low risk/value, while payments up to €100 are accepted as long as the fraud threshold remains within 0.06-0.13%, and €500 transactions have a very slim threshold of <0.01%.

Rewarding negative behavior is never a great approach, and the same applies to fraud thresholds for eCommerce merchants. If a company opts for an ineffective fraud management system, choosing positive customer UX at checkout over safety, the result may be that fraud rates will increase. And this is key: with higher fraud rates, merchants will not be eligible for SCA exemptions. Instead, they will be required to process almost every payment only after customers verify their identity through potentially invasive authentication methods, which can cause friction, frustrate customers and result in checkout abandonment.

Don’t neglect fraud prevention, fraudsters continually look for weak spots

SCA is strong. It works. But fraudsters are always looking for ways to beat fraud management systems. This doesn’t necessarily mean trying to crack fraud detection, but rather bypassing it or finding gaps in the system. With the rise of eCommerce during the COVID-19 pandemic, many new online users are still not fully aware of the dangers that the online realm can pose. Some of the most successful attempts at fraud have been accomplished through social engineering techniques to entice online users to download malware through phishing emails and SMiShing phone message scams to enable account takeovers (ATO). Once a fraudster has access to an account, they can go unnoticed for an indefinite period of time - unless merchants use advanced fraud detection and prevention solutions.

An increase in fraud rates leads immediately to lost revenue, unhappy customers, and potentially negative online reviews. Any one of these can be detrimental to the long-term prospects of a company, but together they can cause a snowball effect. Many merchants, especially small/medium-sized businesses that do not have the same deep pockets as larger companies, may neglect or forego effective fraud solutions that can ensure frictionless and safe payments that meet SCA requirements. But neglecting them is not a viable long-term approach, and in reality an effective solution is not a heavy financial burden despite the cutting-edge technology that is deployed. It’s never too late to make the transition to ensure effective anti-fraud measures, maintain a positive customer UX and aid continued sales growth.

Behavioral biometrics key to SCA compliance and frictionless customer experiences

Challenges will always remain in the fight against fraud. However, behavioral biometrics are key to SCA compliance and risk management. But this is just one part of an overall solution - one that can be aided with the help of companies such as Nethone that are continuously adapting to stay steps ahead of cybercriminals.

At Nethone, our advanced fraud detection and prevention solution can be implemented relatively quickly to meet all business requirements for eCommerce merchants. We use device fingerprinting and behavioral biometrics combined with ML models that quickly assess the risk of every login attempt or online transaction. Nethone’s proprietary Know Your User™ (KYU) ML profiling models use passive behavioral biometrics to identify over 5000 unique digital attributes of every user making a payment. The result is that SCA TRA exemptions are granted by remaining well within fraud thresholds, which can only lead to enhanced UX and contribute to cutting operational costs.


If you are interested in effective PSD2 implementation, Nethone has an advanced fraud solution with frictionless customer UX that can help you. Schedule a call with us by clicking 'book a call' at the top of this page. Alternatively, you can contact Patrick directly via email at patrick.drexler@nethone.com or via LinkedIn.
