A journey in ProcessOut's flight journal

PSD2 & 3DS 2.0 - How to manage the transition

by Grégoire Delpit on

When it comes to payments the main topic at the moment is the implementation of 3DS 2.0 and PSD2. If you’re not familiar yet with those concepts you should first have a look at our article: PSD2: How will the new Strong Customer Authentication (SCA) requirements impact your business?

Also if you’re looking for some help while managing the transition do not hesitate to drop us a message, we’re here to help. If you need to update your PSP’s API to be ready it might make sense to look at the product we’ve built (and even more if you need to update several APIs because you use several PSPs).

With ProcessOut, only one API give you access in a click to any PSP’s API and it’s 3DS 2.0 ready!

PSD2 transition

3DS 2.0 - Key elements to keep in mind

3DS 2.0 comes with different challenges:

  • Technical changes
  • Business Impact
  • Change management

From a technical point of view, this new standard changes the way 3DS is working. In most cases, you need to update the integration of your PSP’s API which is never a pleasure. On top of that, not all PSPs are ready…

From a business point of view, the main challenge is that you’re not deciding anymore if you want a transaction with 3DS or without 3DS. Most of the time in the current version of the protocol for low-value transactions you were taking the decision. It changes with this new version. Indeed this decision is taken by the Issuing Bank (the bank of the customer).

This means that if not handled properly it can create friction in your payment process and have a huge impact on your conversion and thus sales. However, there are some exemptions. It depends mainly on the transaction profile and on the fraud rating of your PSP / Acquirer.

Last but not least, keep this date in mind: September 14, 2019. This is the date where you’re supposed to be ready to accept 3DS 2.0.

However, there will be a period of transition and indulgence. All Issuing Banks are not completely ready and thus no one really knows how things will go on the 14th of September. The advice we give to our customers is the following:

Be ready to be in a position where:

  • You can accept the new 3DS 2.0 (also known as Strong Customer Authentication).
  • You can still accept the current version of the 3DS 1

Transition - What do you need to ask & to check

Here are a few elements you should ask your PSP and check internally:

• Ask your PSP to access to the 3DS 100% ready API

As discussed in most cases, you will have to update your integration of the API of your PSP. In that objective, the first step is to discuss with your PSP and ask if their solution is compatible with 3DS 2.0 and then ask for the update that needs to be done on the current version of their API you’ve integrated. Depending on PSPs updates can be more and less complex and important. Be sure to make your PSP confirm that the version you’re about to integrate is 100% ready. Indeed some PSPs have published a new API but it’s not fully ready.

Long story short, some PSPs are fully ready, some have published updates of their API but are not yet fully ready and some have not released anything. If you touch your code you want to be sure to integrate a solution that is 100% ready and which will work.

Ask your PSP what’s your global chargeback rate and how far is it from 0.13% in your main countries

As you may have noticed exemptions will depend partly on the chargeback ratio between the Acquirer & the Issuing Bank. In most cases, it’s not something where you will be in control. However, it might have a terrible impact on your business. For example, let’s take a 15€ transaction. Technically you can ask for an exemption and thus process this transaction without asking the 3DS2 to your customer (see table below).

However, if your PSP’s chargeback ratio with this Bank is over 0.13%, the Bank will probably require it and your customer will have to go through the 3DS2 process. That’s also why we recommend to our merchants to work with at least two PSPs to be sure that they will have more control over this.

• What’s your transaction flow?

The main challenge from a business point of view with 3DS 2.0 is that rules change. Thus some transactions you were historically handling without 3DS might now require a Strong Authentication. It’s thus super important that you spend some time on your transactions to understand which are going to be eligible or not to exemptions and to see how to get access to exemptions.

If you want more info on exemptions, drop us a line or read the article I mentioned at the beginning of this article.

What’s your chargeback ratio?

As you’ve understood, one of the key parameters to get access to exemptions is the chargeback ratio. Even if it’s at a PSP level (meaning that you do not have any control over it), you also want to monitor very closely your chargeback ratio. Indeed as it’s a key element, PSPs who were already paying lots of attention to chargebacks (to avoid VISA and MasterCard fines) will pay even more attention to this.

A merchant with a very low chargeback ratio (X<0,01%) will be in an amazing position to negotiate with its PSP. On the other side, a merchant with a chargeback ratio close to the limit defined by the new regulation (0.13%) will be in a more difficult position.

Life under 3DS 2.0 - The area of the exemption

As already explained, it seems now obvious that for technical and business reasons there will not be a clear cut on September 14th and that there will be a period of transition (some people are talking about September 2019 -> March 2020).

However at some point, you, as a merchant, will have to be 100% compliant with the new rules. The main priority is to go after technical challenges to be ready. Once it’s done, the main point you will have to address is to protect your conversion. It’s key for your business and we will thus make a dedicated article on this very important point but here is a short preview:

To manage and optimize your exemptions and thus maximize the number of transactions where you can decide to require or not a strong authentication (3DS2) you will have to play with :

(i) Your internal billing process
(ii) The exemptions rules
(iii) Different PSPs / solution to ask for the exemptions

In that objective, we think it’s key to be in control of this process. If you want more info on this we have written a dedicated article where we explain our vision on this specific point (see below).

The bigger you are, the more card transactions you have. The lower your average basket is, the more your business model relies on fast checkout without friction. Therefore, the most important is to be flexible and in control, as explained in the following article: PSD2, 3DS2 and how to (really) prepare for it

Conclusion - Get ready & we’re here to help

PSD2/3DS 2.0 is coming and at some point, you will have to be compatible. The official deadline is September 14th and there will be a period of transition. During that period be sure to be able to accept the current version (3DS) and the new version (3DS 2.0).

The sooner you’re ready the better it is because technically after September 14th you need to be able to handle 3DS 2.0. To manage the transition there are technical & business points to investigate. After the transition is managed, exemptions are going to be key.

If you face some challenges in updating your integration of the API of your PSP (because it is not ready, because it’s too complex, because you have too much APIs to update), or if you do not know how to be flexible by accepting the two versions of the 3DS protocol or if you want more info on how to be flexible and optimize exemptions, drop us a message! We’re here to help.

P.S. - We have built a global API, which is 100% 3DS 2.0 ready. From this API any PSP can be activated in a click meaning that you only have to integrate/update ONE API and then you can work with any PSP you want.