Starting on January 1st 2021, the payment card-emitting banks in Spain will be obligated to implement Strong Customer Authentication (SCA) systems in their payment processes as mandated by PSD2. The goal of this change is to increase the security of online payments, and the protocol that will be used to do so is known as 3D-Secure 2.
Because of this, all businesses that accept card payments will have to do so under the new protocol, but are they ready for this challenge?
The arrival of 3D Secure 2
The 3D Secure 2 authentication protocol was created with the intent of reducing fraud and improving the security of online payments. This version improves on the previous 3DS1 protocol by transmitting more data from the card issuer at the moment of payment, which makes it easier to authenticate the payment and increases security. This information exchange includes a dynamic, automated risk analysis process that assesses the risk of the transaction in real time and determines if the user must provide further authentication to complete the payment, doing so only for those transactions that have higher risk levels.
Therefore, if the issuer considers that the risk of the transaction is low, the payment will be frictionless, with no additional verification required by the user.
However, if the transaction is flagged as risky, the user will be required to complete a second verification to complete the payment.
This ties in with PSD2, which mandates the use of strong customer authentication systems (SCA) in online payments. In other words, for a transaction to complete successfully, the user will need to be identified by a combination of two of the following authentication factors:
- Knowledge: something only the user knows, such as a password or PIN code
- Possession: something the user owns, such as a phone or smartwatch
- Inherence: something the user is, such as a fingerprint or a facial scan
Therefore, adapting to the 3DS2 protocol is practically an essential requirement to comply with PSD2 regulation, and doing so will affects an entire chain in the payments ecosystem, including:
- Card issuing entities
- Payment service providers
- E-Wallet providers
- Payments technology providers
- Any business that accepts card payments online
The Impact of 3DS2 in Spain
According to the IAB Spain Annual eCommerce Study, currently 85% of online payments in Spain are made by card, due to its high effectiveness rate in terms of user experience. Non-secured payments, those in which the client must not provide additional information beyond the card details, have an acceptance rate of over 90% and enable services such as “one click”, where no form of authentication is required from the user.
This elevated acceptance rate balances out the negative traits of card payments, namely fraud, chargebacks, fees, and speed. All of these issues are significant, but card payments are very low friction and positive user experience has a greater impact on business results than the negatives we outlined.
However, this situation is changing and there are reasons to be alarmed
Starting on December 31st 2020, all organizations that manage online payments will be required by law to have 3D Secure 2 implemented to fulfill the requirements of PSD2 and SCA. This applies to all payment methods, including credit cards.
An Amazon study has revealed how the changes are being implemented in different countries. Given this, Marc Nieto, Adigital’s Advisor of Payments & Fraud, comments: “The data in Spain is worrying from the point of view of the merchants, because the authentication rate of cards using 3DS 2.2 is low”
And the same study also points to a very alarming fact: the abandonment rate when the user is redirected to the bank’s page to authenticate the payment is 88%.
This is just a small sample of the situation of uncertainty which Spanish businesses will be forced to deal with very soon.
At present, just two months before the entry into force of the standard, 70% of providers are still in the initial testing phase, and only 13% of them are conducting tests with second authentication factors. These tests have revealed the worst case scenario.
As things stand right now, payment abandonment under 3DS2 sits at around 60%. Going back to the earlier discussion of the advantages of card payments (mainly UX) vs their drawbacks (many), 3DS2 swings the balance towards the negative fairly clearly.
The Report on the Evaluation of the Economic Impact of Strong Customer Authentication (SCA) reveals that in Spain, 59% of transactions could fail, a percentage that would mean some 20.2 billion euros in lost sales. Spain has the highest failure rate of the twelve countries included in the report, and it accounts for almost a fifth of all sales that are considered to be at risk.
Furthermore, according to the report, only 7% of Spanish banks are ready to implement this new authentication system, compared to an average 65% elsewhere in Europe.
These changes won’t only affect ecommerce payments but rather many other types, such as subscription services and recurring payments. These will become much more difficult, making it harder for certain types of non-user initiated payments to function as they have up until now.
The outlook for January 1st 2021 is worrisome, with alternative payment methods that aren’t ready yet, lacking information on fraud and risk, and hundreds of businesses that are still in the early testing stage with systems that aren’t ready to go live yet.
An alternative to card payments: payment initiation
But not everything is negative. In addition to creating new compliance requirements, PSD2 has also enabled new types of payment services such as direct bank transfers using payment initiation.
Payment initiation is one of the services regulated by PSD2 and which can be provided by licensed PISPs (Payment Initiation Service Providers). It’s an alternative payment method in which the user makes a bank transfer directly from their bank account to the account of the merchant receiving the payment instead of using their credit card.
Making bank transfers can be cumbersome and under ordinary circumstances wouldn’t be suited to online shopping, but payment initiation removes these issues by automating all the manual parts of the process and making it faster and easier for the user.
In Spain, payments by bank transfer still have a negligible presence in the market (12%), in the Netherlands or Germany they are the preferred method, well above credit cards, with usage rates of 67% and 37% respectively.
Following the trend of northern European countries, it is a matter of time before alternative payment methods take center stage to the detriment of credit cards, including direct bank transfers. This method offers significant advantages such as lower cost, greater speed, and less vulnerability to fraud, so if providers are able to find formulas to make this method more attractive to users, it will end up becoming the favored method of payment eventually.