From January 1st 2021, the number one reason for transaction failure will be Failed Authentication.

Failed Authentication is about to become the main reason for failed transactions: When examining failed transactions the focus has always been on the Authorization Stage. What was the reason for the failed transaction ? Was it insufficient funds, was there a technical issue, did the card holder exceed his spending limits (often dictated by a need to limit possible fraud), was it the MCC code, did the Issuer decide it was not worth the risk ?

Failed Card transactions are something that both merchants and cardholders dread. Even under perfect conditions the approval rate for online transactions is significantly lower than approval at point of sale:

A question of Risk: Online transactions by virtue of their anonymity remain a huge risk for the industry. Fraud costs the industry billions every year and the problem has continued to grow.

A solution has been available for almost 20 years, but a lack of technical preparation by the banks, a good amount of obstinacy and a narrative that was hijacked by commercial agendas has contributed to keep the problem going for all these years.

The issuers had no other option than to protect their cardholders and themselves by declining transactions; given the circumstances this was the smartest thing to do – striking a balance between increased business and increased fraud.

And this highlights a general problem with payments, the industry is at its heart a collaborative effort; everyone tries to solve the problem on his own terms and within his boundaries. The fraudsters in the meantime were free to ride across these boundaries like a group of marauding apache braves from the old west, picking off their victims at will.

A blunt tool: The solution was off course 3DSecure Version 1.0. In its initial release, 3DSecure 1.0 was a blunt tool. Static passwords are awkward and vulnerable. The requirement to perform a challenge each time grated many and went against the whole ethos of ecommerce.

But the problems with 3DSecure were ultimately not the protocol’s fault. The ability for banks to communicate with their clients electronically was practically non-existent. It has taken a good twenty years to rectify this problem and it is still work in progress.

Another thing that has happened over the last 20 years is the absolute availability of mobile phones, always-on broadband, reliable internet communication even on mobile devices and off course smart phones; Steve Jobs ushered in the age of the smartphone only in 2007.

The building blocks have finally fallen into place and they are affordable, reliable and pervasive.

3DSecure did adapt over these years; the most significant milestone being the use of One Time Passwords, sent over SMS.

Weakest at our most important task: So back to the original problem. CNP transactions are the biggest growth area both because of changes in lifestyle, ecommerce and new business and services we consume on the go – such as hailing a share ride.

It was time to bring 3DSecure back with a vengeance, this time as a finely honed tool, backed up with the best technology the payments industry can master, including big data, machine learning and biometrics.

And this time, the technology is wearing a tin star, the most notable being the PDS2 with the EU/EEA region. Strong Consumer Authentication is no longer an option, it’s a requirement.

The goals are lofty:

To eliminate fraud, bring up approval rates to the maximum possible, support the growth of new industries and services and do all this without inconveniencing anyone.

The time is nigh:

“The effective date of the second Payments Services Directive (PSD2) on Strong Customer Authentication (SCA) is 31 December 2020 for all EEA countries but the UK, with a low probability that the European Banking Authority (EBA) or any National Competent Authority grants further delays.

As from 1 January 2021 for the vast majority of Customers in the EEA, each and every e-commerce transaction that is not excluded or exempted from the regulation will need to go through strong customer authentication, i.e. two-factor authentication. The underlying protocol used to drive authentications is the EMVCo EMV 3DS or 3DS2.x protocol with PSD2 extension message mandated by schemes.”

Failed Authentication is about to become the main reason for failed transactions: When examining failed transactions the focus has always been on the Authorization Stage. What was the reason for the failed transaction ? Was it insufficient funds, was there a technical issue, did the card holder exceed his spending limits ? (often dictated by a need to limit possible fraud), was it the MCC code ?, did the Issuer decide it was not worth the risk ?

Outside of insufficient funds, most of these questions will now be shifted to the Authentication Stage.

Merchants should be asking themselves WILL I have access to this information? Will I be in a position to influence the outcome and avoid failed transactions ?

A) Soft declines. So any transaction without 3DSecure will get rejected automatically from Jan 1st, this type of decline being called a Soft Decline. Merchants would benefit from receiving this information.

B) Technical Problems. There are many parties involved for the effective conclusion of a payment transaction and each party is running their own IT infrastructure. At any one time, there is bound to be some system with issues. As the central hub that keeps everything flowing, the schemes have made significant efforts in monitoring reliability and stepping in when required to ensure a successful authentication outcome.

The concept of Attempts processing was already introduced in version 1 and it was a way to both create proof of authentication and to shift the liability to the Issuer – but with Version 2 the ability for card schemes to carry out Authentication is greatly enhanced. In fact, it might make sense for an Issuer to work collaboratively with a scheme and allow the scheme to generate the Authentication. At the very least, when an Issuer receives an Authentication Value generated by a scheme either by agreement or as a result of a fail over, the Issuer is presented with a detailed Authentication Value that works with a sophisticated Risk Based approach.

C) Insufficient Information. 3DSecure Version 2 excels in its ability to convey information from the Acquiring environment to the Issuing environment. This is the basis of the risk based approach which will reduce friction in the form of an interruption of transaction flow to perform a challenge.

But it will take time for merchants to learn how to collect information and use it effectively to influence the positive outcome of a transaction and reduce friction. Many merchants probably have not understood that 3DSecure is a paradigm shift in authentication and not just a new mandate they have to live with.

D) Failure to get Exemption. There are cases where 3DSecure is not always applicable. This warrants an article all by itself but ignoring 3DSecure is not an option. The reasons for exemption must be communicated to the Issuer using 3DSecure. This is the genius of the next generation of 3DSecure – that it creates a proper channel to ensure that exemptions are used legitimately; without this the effectiveness of SCA would have been nullified.

E) White Listing. White listing is an important feature in 3DSecure. Security is great but even the most dedicated will soon feel exasperated when they feel it’s not required. White Listing allows a cardholder to add a merchant to its trust list. Merchants can get a confirmation that the cardholder has whitelisted them; it is up to merchants to ensure they have access to this information and make use of it.

F) Rich feedback information on failed authentication. 3DSecure does not only collect information, it returns a lot of information on the authentication process and in particular why it failed. Merchants should ensure they have access to this information; only this way will they ensure their approval rate is uplifted.

In conclusion, PDS2, SCA and 3DSecure are not just an additional regulation to tick off; it is is a paradigm shift in thinking on how to do payments. We at Endeavour have been part of this journey for the last 20 years. Our services combine experience and technology to turn complexity into sophistication.