opinion

PSD2 Progression and Performance Testing

PSD2 Progression and Performance Testing

The latest deadline came and went, and the world still wasn’t ready for the new PSD2 Secure Customer Authentication requirement. It’s not like we didn’t have ample time to get ready; we’ve been talking about it for several years. After all, the December 31, 2020 deadline was the second deadline imposed. Now, as we head into our third month of 2021, more time has been granted to allow everyone to meet the SCA requirement: enforcement will be gradual across the European Union throughout the year.

One of the challenges for many is meeting the requirement through 3D Secure 2.0 (3DS2). Since we already support 3DS2 and had prepared for PSD2, we decided to give it a try, turning it on as a soft launch for two weeks in December. In this month’s column, we thought we’d share what we learned and what you as acquirers, processors and merchants can expect when PSD2 is live and we’re all using 3DS2.

Card schemes are introducing measures to encourage merchants to support 3DS2.

PSD2 Principles

In a nutshell, the PSD2 Secure Customer Authentication (SCA) requirement was designed to make payments safer and increase protection while ensuring a level playing field for all players new and old. For any consumer-initiated electronic transactions like new sign-ups and one-click purchases, the SCA requires double authentication. That means two or more elements of something a person knows, like a pin or password, something only they can possess, such as a credit card, and something that can only identify the person, like their fingerprint or voice recognition.

For internet and mobile purchases, an extra element is needed, typically an authentication code. The most recommended way to handle the SCA requirement is through 3DS2. In fact, we dedicated a large portion of our development resources to upgrading our 3D secure integration from 1.0 to 2.0 as well as making the system support the SCA requirement for only those transactions that were impacted by the PSD2 mandate: EU to EU transactions.

As I said earlier, enforcement of the legislation continues to change. First, it was slated for September 2019, then it was pushed to December 31, 2020. Now, since many of the large issuers are still not ready to support PSD2, processors, acquirers and merchants are playing a guessing game on when this will all be officially enforced.

For now, each European country has its own migration plan, which has different levels of SCA enforcement based on the transaction size and date. It’s predicted that full enforcement across the EU will be in place by summer for most countries. The U.K. has targeted September 14.

The Performance Test

When we gave 3D2 a trial run two weeks before the end of December, we monitored the soft declines to see what was needed to meet the requirements of PSD2. We were able to identify a few interesting things. The 3D secure additional pay page fields displaying the full address and phone number caused some issuers to decline. When we sent them through again without the fields on the 3D rails, the bank approved the transaction without an issue.

From this test, we feel there will be some friction from consumers who don’t want to input those fields on a payment page, especially from merchants in our space. This could potentially lead to losing the customer before any payment attempt is initiated. What has become very clear, is that we will need to have a very detailed rollout plan that follows how many of the EU countries will be implementing 3DS2. It also highlighted that as a processor, you’ll need to review your U.S. merchants’ transactions to determine which 3D rails are the best to process the transactions through.

Call in the Data Doctor

To address these issues and keep things moving forward, we dedicated a team to analyzing this transactional data and help to identify any new issuers that are enforcing the PSD2 3D Secure requirement. For now, we’re utilizing both 3D Secure 1.0 and 2.0. We feel it’s important to analyze the impact of the 3D 2.0 rails vs. the 1.0 rails. By doing this, you can ensure you have the maximum approval rates on all transactions.

Creating this flexible configuration will allow you to manage the results that are being generated by the transactional data: for example, if the PSD2 requirement has been implemented by the merchant, country, acquirer and issuer level and by the price point. This is important, because as each country begins enforcing PSD2, you can turn on your own enforcement, which will make all transactions go down the 3D secure 2.0 rails with the additional pay page requirements.

Card schemes are introducing measures to encourage merchants to support 3DS2. Mastercard is planning to decommission 3DS 1.0 in October of 2022 and Visa will remove liability shift in Europe starting this October. If you’re still not ready for PSD2, the best recommendation is to be ready as soon as possible. Keep working at it and do your own trial run before enforcement is in place. If you need help with PSD2 implementations, we can help point you in the right direction.

Cathy Beardsley is president and CEO of Segpay, a global leader in merchant services offering a wide range of custom financial solutions including payment facilitator, direct merchant accounts and secure gateway services. Under her direction, Segpay has become one of four companies approved by Visa to operate as a high-risk internet payment services provider. Segpay offers secure turnkey solutions to accept online payments, with a guarantee that funds are always safe and protected with its proprietary Fraud Mitigation System and customer service and support. For any questions or help, contact sales@segpay.com or compliance@segpay.com.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Navigating Age-Related Regulations in Europe

Age verification measures are rapidly gaining momentum across Europe, with regulators stepping up efforts to protect children online. Recently, the U.K.’s communications regulator, Ofcom, updated its timeline for implementing the Online Safety Act, while France’s ARCOM has released technical guidance detailing age verification standards.

Gavin Worrall ·
opinion

Why Cyber Insurance Is Crucial for Adult Businesses

From streaming services and interactive platforms to ecommerce and virtual reality experiences, the adult industry has long stood at the forefront of online innovation. However, the same technology-forward approach that has enabled adult businesses to deliver unique and personalized content to consumers worldwide also exposes them to myriad risks.

Corey D. Silverstein ·
opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
Show More