PSD2 - https://en.wikipedia.org/wiki/Payment_Services_Directive#Rev...
3DS - https://en.wikipedia.org/wiki/3-D_Secure
Furthermore, I want to note that the author works for a company that sells products that "eliminate unnecessary 3DS friction" (in their own words).
PSD2—The EU law requiring your bank/card issuer to establish SCA for online purchases.
SCA—Strong Customer Authentication: something in addition to a credit card number, e.g. your bank account password, a mobile push notification, an SMS code.
3DS—3-Domain secure, the protocol used by online merchants to communicate with the bank in order to establish SCA. This seems to be complicated by the fact that most banks aren't implementing this protocol themselves, but using a third party. So you get redirected to the website of that third party in order to authenticate a transaction.
I've run into this a few times and it has made me very hesitant. You're effectively being asked to log into your own bank account from a link on a third party website or, even worse, an app.
It makes me uneasy, because I feel like a malicious site or app could intercept this and access the account directly. Or do some other kind of trickery that I cannot foresee.
Two things, actually. The credit card number doesn't count as a "thing" anymore.
This is why SMS-OTP alone is not sufficient (representing only possession), but mobile phone app based solutions are (they represent possession of a linked device and usually ask for biometrics or a PIN code).
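The rule stated in the comment above (the card number is not a factor, SMS-OTP evidences possession only, an app on a linked device unlocked by PIN or biometrics adds a second, independent category) can be expressed as a small checker. This is an added example, not code from the thread or from any bank; the factor catalogue and category assignments are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Category(Enum):
    """The three SCA factor categories; SCA needs two factors from distinct categories."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Factor:
    name: str
    category: Optional[Category]  # None: presented data that counts as no SCA factor at all


# Constructed catalogue following the comment's classification (assumption).
CARD_NUMBER = Factor("card number (PAN)", None)            # not a factor anymore
SMS_OTP = Factor("SMS one-time code", Category.POSSESSION)  # only proves you hold the SIM
APP_DEVICE = Factor("bank app on linked phone", Category.POSSESSION)
APP_PIN = Factor("app PIN", Category.KNOWLEDGE)
APP_BIOMETRIC = Factor("fingerprint / face unlock", Category.INHERENCE)
BANKING_PASSWORD = Factor("online banking password", Category.KNOWLEDGE)


def sca_categories(factors: Iterable[Factor]) -> set:
    """Distinct categories evidenced by the presented factors, ignoring non-factors."""
    return {f.category for f in factors if f.category is not None}


def satisfies_sca(factors: Iterable[Factor]) -> bool:
    """True when at least two *different* categories are evidenced.

    Two factors from the same category (e.g. SMS-OTP plus a registered phone,
    both possession) do not satisfy SCA, because compromising one channel
    (the phone) defeats both.
    """
    return len(sca_categories(factors)) >= 2


def missing_categories(factors: Iterable[Factor]) -> set:
    """Categories a flow could add to reach SCA; empty when SCA is already met."""
    have = sca_categories(factors)
    if len(have) >= 2:
        return set()
    return set(Category) - have


if __name__ == "__main__":
    flows = {
        "PAN + SMS-OTP": [CARD_NUMBER, SMS_OTP],
        "PAN + app (possession) + PIN": [CARD_NUMBER, APP_DEVICE, APP_PIN],
        "app + biometric": [APP_DEVICE, APP_BIOMETRIC],
        "app + SMS-OTP (both possession)": [APP_DEVICE, SMS_OTP],
    }
    for label, presented in flows.items():
        print(f"{label:36} SCA={satisfies_sca(presented)} "
              f"missing={[c.name for c in missing_categories(presented)]}")
```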
> On 8 October 2015, the European Parliament adopted the European Commission proposal to create safer and more innovative European payments (PSD2, Directive (EU) 2015/2366). The current rules aim to better protect consumers when they pay online, promote the development and use of innovative online and mobile payments such as through open banking, and make cross-border European payment services safer.[10]
> An important element of PSD2 is the requirement for strong customer authentication on the majority of electronic payments.
This would presumably go away once PSD2 is fully implemented and all purchases require it, which is a benefit of requiring it by law rather than letting merchants choose whether or not to require it. Requiring it is a common good in the sense that it reduces the economy's overall loss due to fraud.
Additionally, as the article mentions, using 3DS shifts liability for charge-not-authorized disputes from the merchant to the bank. Thus, the decreased rate of conversions must be compared against decreased losses due to chargebacks.
- SCA exemptions
- Prepaid Cards (with no built in 2FA support)
- Banks in less developed markets (No 3DS)
- "We encountered a 3DS processing error" is a common nondescript message which occurs with international payments
For regular merchants, the decrease in conversion (double digit) is VERY far away from any improvements in chargebacks. Bear in mind that most merchants need to stay below 0.75-1% chargeback regardless of conversion/decline ratios.
EDIT: Spelling
In a high-value, low-margin business, reducing chargeback losses to almost zero might be worth the cost of a double-digit conversion drop. In other circumstances, the same numbers can be catastrophic.
Also, paired with 3DS2's frictionless flow we actually saw a small uptick.
I don't know if we can find better data somewhere else but I would assume that abandonment rates will decrease thanks to PSD2:
- SMS tokens are finally on their way out; more and more people are installing their bank's mobile app, which is used as the second factor (you get a push notification, you have to unlock and accept the transaction).
- We'll see some harmonization across EU/EEA merchants. No more cases of "the German website doesn't trigger 3DS but the French one does".
(The experience before was: pray this merchant supports 3DS, discover that it doesn't, fish out your phone and open mobile banking, authenticate with mobile banking, find and use the toggle that temporarily allows non-3DS transactions. Now I just bring up the authentication app when prompted.)
This breaks more often than you'd think. I'm still locked out of Facebook on one device because I can't seem to receive the unlock notification and I'm terrified to reinstall Facebook on my phone and then be actually locked out. I'm not a fan of Facebook, but it's the only way to contact some of my friends/family these days via video.
I've also had similar issues with actual banks where the notification appeared and I accidentally tapped "decline" or even dismissed the notification by accident. I've also never received them (mostly with ~Transfer~Wise). Edit to add: I've also been too lazy to walk to the phone charger to press "accept" and just given up.
I think it's a pretty well known phenomenon in ecommerce that the more "clicks" you add to checkout, the lower the % of people who will make it to the end. I don't see this decreasing cart abandonment at all.
1. My bank now _requires_ SMS 2fa, for many actions like logging in, viewing transaction history > 1 month, or making purchases online.
2. My bank has killed their mobile web page in favour of their app. The desktop web page still works, but if you try to visit it with a mobile UA you still get told to use the app.
3. Not 100% sure this is PSD2 related, but my bank have made their password policies less... dumb. It used to be max 8 chars, case insensitive, anything longer was silently truncated. In addition, the signup form used to allow alphanumeric characters, but the change password form only allowed alphabetical.
4. Presumably because of 1, they now no longer randomly decline transactions to smaller vendors. They used to then send you a text asking you to phone the fraud department to clear it. The first couple of times, I thought the text _was_ the fraud.
Now it's entirely possible my bank have just misinterpreted what's required of them; their prior actions show they aren't the most technically competent, but that's not what they were chosen for.
Great - so much for those times where I've been traveling internationally, been able to make a purchase using a web page hosted on a shared computer or one owned by a companion, but don't have mobile phone access to get a push notification.
Thanks, regulators!
Yeah, if PSD2 had an impact as dramatic as the article says then there would be a massive amount of noise from all EU/UK retailers. Instead we get an article from somebody with something to sell.
Some banks authorize operations with their apps: it's either fingerprints, PINs or codes by SMS. Usually a combination of two of them. One bank also requires a kind of captcha. Of course I'm hating all of this. I wish they'd pay me for the extra work.
We were better off when things were worse /s
See:
- https://www.adyen.com/knowledge-hub/guides/global-payment-me...
- https://stripe.com/en-us/payments/payment-methods-guide#paym...
Just like the clever idea some cities have had to initially only offer covid vaccination appointments over their website.
However, the member states (and therefore the EU) have cut the banks an inordinate amount of slack to get their shit together, even though they have been heavily involved in the writing of PSD2 and had since 2015 (!) to implement everything. Here in Germany, in September 2019, which should have been the hard end of a one year grace period, practically no bank actually had a working PSD2 API or had implemented 2 factor authorization properly.
So all the whining about PSD2 six years after it passed is ridiculous. Everybody had plenty of warning and time to get their site prepared and checkout processes optimized. And quite frankly, unless the author of the article is running some kind of one-click order scam, I find the drop of up to 50% in conversion highly unlikely. From my experience with dozens of e-commerce sites, the drop is negligible. And considering the rampant credit card fraud, 2FA was long overdue.
→ Customers who have had their card on file will fail the next subscription payment. Many are going to discover they have been paying for months/years for something they didn't really need, and walk away.
→ Incorrect 3D-Secure integration will cause payments from EU to fail straight away. Even some payment gateways didn't understand how it worked back when the enforcement loomed for the first time, and this is literally their job. The solution is to read the documentation carefully and fix your stuff.
It's a misconception that people are going to get confused by PSD2. We in Europe, depending on the bank, have had it for two years now. We got used to it and if we really want to pay, we will.
When a (random) app opens a bank login page for me and asks me to type in my bank login information in a third party app, then that very much does confuse me. That's one of the ways people get scammed through phishing attacks. And now this is effectively mandated by law.
I've definitely chosen not to pay for a few things, because I didn't trust the app enough with my bank's login information. With a credit card I could easily dispute false charges. With bank authentication, I doubt it'll be as easy.
> Since many consumers are not familiar with the 3DS process, there is a higher chance of abandonment during the authentication process. Users may also choose to abandon a transaction simply because there are additional steps to complete, giving them more time to contemplate their purchase.
The data here is not really provided so we have no way of verifying that they are stating, e.g., simply that conversion in Germany went from 80%+ to 40%+ just due to PSD2 requirements to verify identity. 50% of consumers stop their purchase because they have to verify their CC? That seems absurd.
If the reason as cited above is unfamiliarity, this means it is a purely temporary impact. If it's birthing issues of implementation, that too should be temporary. If consumers stop their buy due to reflection or realising that they don't trust the shop, that too is a good thing.
Or integrate with Android Pay/Apple Pay.
Cry me a river, but I rather prefer to be in control about who gets to withdraw money from my card, and how much.
Another explanation would be that customers run into trouble because they don't know how to use secure online payments. In my opinion, those customers probably shouldn't be doing any online banking on their own with the massive fraud risk that comes with stuff like this.
This line says it all, in my opinion:
> Users may also choose to abandon a transaction simply because there are additional steps to complete, giving them more time to contemplate their purchase.
PSD2 saved a lot of people from making bad financial decisions by the sound of it.
Lately, I've had a harrowing experience of misclicking on Amazon. The bastards have put "Add to Cart" and "Buy with 1-Click" so close together that I clicked Buy thinking I was adding to the cart.
I promptly got emails about my order having been finalized. No confirmations, no whatnot. Like those annoying traffic lights on some streets that go straight from red to green, without amber in between. I felt a bit robbed. True, I wanted to buy the stuff, so I didn't cancel, but damn it, not like this.
I think it's much more likely that some payment methods became completely unusable, so people are abandoning their transactions to redo them elsewhere. And also, some of those must have been fraudulent, but probably very few.
1) I now have to do the 3DS procedure for amounts as small as 1,80€
2) My bank's 3DS "website" requires me to enter my online banking PIN (the one for my entire account, not just my credit card PIN!) and since that website gets opened in an Android WebView I can't even be sure that the app invoking the WebView doesn't actually obtain my PIN through a key logger. Fantastic.
However, it doesn't matter that much with my bank nowadays since I don't have to enter anything on the browser - I just accept the transaction details shown by the bank app on my phone.
It's more common to get a one-time-use code via SMS or a notification in an app for transactions with a higher risk.
Both of those make it possible for the bank to provide the consumer with information about the transaction that should be hard to spoof.
Kinda defies the point, and makes it very easy to forget the code as I put it in like once a year.
But there is less friction, you click buy, it redirects somewhere else (fairly slowly, perhaps by design), then done.
What is PSD2?
What is 3DS?
Why do these exist and what did they solve?
Edit: Thanks for the responses everyone!
3DS stands for 3 Domain Secure. Payment processing requires a lot of service providers to co-ordinate; card issuer, merchant acquirer, card network to name a few.
The three domains in 3D refer to the domains of Issuer (the bank that issued your card), Acquirer (the bank that the merchant has their account in), and the Network (Visa, Mastercard etc., which connects Issuing banks and Acquiring banks).
I'm vastly simplifying because nowadays there are new entities which are difficult to typecast into one of Issuer/Acquirer/Network because depending on the scenario they can act as any or all three.
Unlike the Internet, which has reasonably well defined protocols/services to provide end user services (HTTP, SMTP, DNS etc.), online payment processing has evolved by monkey-patching systems as newer challenges have arisen. There are no well defined protocols or standards, so you have this vast network of systems that somehow work together to process online payments. Once in a while it fails, exposing its innards, like how people came to learn about T + 2 settlement during the GameStop saga.
> Why do these exist and what did they solve?
3DS is kind of a protocol that'll enable a card holder to authorise a payment while minimising the number of service providers that have access to their card details. A typical implementation of 3DS requires the card holder to authorise a payment through a PIN. Another is through second factor auth such as SMS OTP, RSA tokens, or Apple's Face ID.
> What is PSD2?
This is a European specific regulation to make payments more secure. 3DS is one of its requirements.
Strong customer identification is required. In Denmark we handle this with our national identity system NemID (soon to be mitID), which is a national two-factor system that we previously mainly used for stuff like online banking or interacting with the public sector but is now also required when you buy something online.
Releasing the ownership of your financial data from the banks. Meaning that you can give third party companies access to your banking data. In Denmark this has revolutionised budgeting because the area was disrupted by companies that saw a gap in the age old online banking systems. As an example, my “overview” in my netbank was basically just a table of the data they used to physically mail me, today it offers all sorts of BI like tools to show me how I spent my money because an app named Spir or Spiir or something like it completely revolutionised the area. As you may be able to tell, I’m still doing my budgeting in my own spreadsheet, but the spiir app is one of the most popular apps in Denmark.
Overall it has been pretty well received in Denmark. Having to utilise two-factor identification when you buy stupid shit online is annoying, and it's likely costing some sales as people have a few more seconds to think while they pick up their phone, but overall people are happy with the increased protection it also offers them.
PSD2 is the Second Payment Services Directive from the EU. A directive is required to be implemented in national law no more than two years after it is passed and whilst there have been delays, the past 12 months have seen a ramping up of banks implementing Strong Customer Authentication.
3DS (3D Secure) is like 2FA for debit/credit cards. In my case, I bank with Monzo and if a transaction requires 3DS, I have to open the Monzo app on my phone and confirm it. There are other aspects to SCA e.g. if I have used contactless payment frequently, I am more likely to be prompted to enter my PIN to confirm I still have my card.
[1] https://stripe.com/gb/payments/strong-customer-authenticatio...
[2] https://leavetrackapp.com/
The only things missing from their testing arsenal are a debit card that triggers SCA past X amount, and a debit card that has limited funds.
Companies that make use of these APIs need to fulfil some requirements so that not just any shitty company can ruin your life by hiring shit developers that accidentally add zeroes to the amount of your transactions.
3DS probably refers to "3D secure", a way to secure credit card payments online. I don't use a credit card for anything but paying for American services so I don't know the details of it, but it seems to be a way to redirect credit card users to the checkout page of their bank so that extra security (like 2FA) can be added to online payments.
Just kidding, 3DS is short for 3D-Secure and is an approach to make payments with credit cards more secure. Things like 3DS are mandated by the PSD2 which came into effect a while ago.
PSD(2) is short for Payment Services Directive; it's a set of rules to make online payments more secure and reduce the risk of fraud. It has some requirements, such as two factor authentication (3DS) etc., for basically any service that is processing payments online.
Basically, try 3DS (with no authentication), then try regular charge (NON 3DS), then if all else fails try a full 3DS charge. You'd be surprised by the disparity, especially internationally, and we do recoup some charges at the expense of triggering some unintended blockage.
When asking our provider (Stripe in our case) about the best strategy for this, it always comes down to "Let SCA (Strong Customer Auth) rules and logic handle everything", but this simply doesn't work well.
I really wish the likes of Adyen, Stripe, etc...would help out with better decline ratio strategies.
I think we are all plagued by "do_not_honor" and "transaction_not_allowed" codes that do little to move us in any direction...
[0] https://medium.com/@globile/using-stripe-to-sell-internation...
EDIT: Fixed the order of actions...
A drop in EU e-commerce sales between 20% and 50% would be big news we wouldn't have missed, so where are these sales going? Or are these transactions still a tiny bit of the overall e-commerce value? If users opt for a cheaper (and not easily clawed back) payment method because they can't complete the 3DS challenge, the merchants may still win.
My spending, consumption and general wasteful consumerism is healthier when I don't have Amazon Prime. I'm more thoughtful about what I need and will batch up purchases, often removing a portion of the cart.
Good. Means you've manipulated people into spending their money very intensely if they will abandon the transaction once the first rational thought comes in. I would personally add a third factor for good measure.
In 2020 Blik had 7 million users and processed 424 million transactions. In 2019, the number of Blik transactions exceeded the number of transactions made on the Polish Internet with payment cards.
In the PSD2/3DS world paying with a card is a real pain in the ass; the only advantage is transaction insurance and chargeback.
Card payments are often seen as the least secure way of paying for stuff, but they are mildly more convenient than sending a bank transfer.
PSD2 is a process that's system wide and needed so if things need to change this is the best way to do it where everyone takes the hit together as a way to move forward.
This is not my article, I just found it when searching for any data on the subject. I'm aware of the article author's bias on the subject.
We run a B2B SaaS and 20% is the drop we've seen (compared to monthly numbers of the last 5 years). This still needs to be analyzed better but it's taking time due to our messy system of multiple carts using different payment service providers.
Personally, as an EU citizen I'm very in favor of these changes. I think the UX will become even more of a differentiator for banks and related products, which is great. Banks FINALLY being forced to open APIs is also great for the fintech industry, so I'm not bitter at all. Just curious to see what other SaaS businesses have seen in their Euro traffic.
The bonus is that Przelewy24 is often presented as a payment option in global shops like Steam or AliExpress, so I can use it there as well.
Previously you had to use an ancient SMS based SIM app on your phone or use a dongle to authenticate, took over a minute usually.
A way for retailers to "bypass" 3DS is to use Klarna or similar (free in-app invoice that needs to be paid within 14 days). Even though it's usually quite simple to use my debit card, it's still more of a hassle than paying whenever I want within 14 days, so that's what I choose when I'm in a hurry.
From the tone of the article, I imagine the author was resisting 3-D Secure from the beginning and settled their minds already and so, they will only see their own negativity reflected back on them when trying to make sense of it.
3DS is merely a positive marker for the antifraud system. This means a 3DS transaction is less likely to trigger an antifraud rejection, and antifraud declines are the reason for user abandonment - you can't simply retry a payment attempt in that case.
A subsequent order worked by just entering my CC details.
Why is it a bad thing that people have more time to think about things?
Basically a popup that will request some extra form of security verification for relevant transactions.
I'm not saying it's frictionless nor perfect, but things were worse earlier. Card and identity fraud is increasing, and will continue to be a valuable target, not least because we're moving towards a cashless society (some say).