Denvercoder9 · 5 years ago
This article would be significantly better if it introduces what PSD2 and 3DS actually are, for those unaware of the abbreviations.

PSD2 - https://en.wikipedia.org/wiki/Payment_Services_Directive#Rev...

3DS - https://en.wikipedia.org/wiki/3-D_Secure

Furthermore, I want to note that the author works for a company that sells products that "eliminate unnecessary 3DS friction" (in their own words).

Matthias1 · 5 years ago
I found those links slightly difficult to understand. Am I correct in summarizing these definitions as follows?

PSD2—The EU law requiring your bank/card issuer to establish SCA for online purchases.

SCA—Strong Customer Authentication: something in addition to a credit card number, e.g. your bank account password, a mobile push notification, a SMS code.

3DS—3-Domain secure, the protocol used by online merchants to communicate with the bank in order to establish SCA. This seems to be complicated by the fact that most banks aren't implementing this protocol themselves, but using a third party. So you get redirected to the website of that third party in order to authenticate a transaction.

Aerroon · 5 years ago
> SCA—Strong Customer Authentication: something in addition to a credit card number, e.g. your bank account password, a mobile push notification, a SMS code.

I've run into this a few times and it has made me very hesitant. You're effectively being asked to log into your own bank account from a link on a third party website or, even worse, an app.

It makes me uneasy, because I feel like a malicious site or app could intercept this and access the account directly. Or do some other kind of trickery that I cannot foresee.

lxgr · 5 years ago
> something in addition to a credit card number

Two things, actually. The credit card number doesn't count as a "thing" anymore.

This is why SMS-OTP alone is not sufficient (representing only possession), but mobile phone app based solutions are (they represent possession of a linked device and usually ask for biometrics or a PIN code).

jameshart · 5 years ago
This is an accurate summary, yes.
hinkley · 5 years ago
The tribal knowledge on this one is thick as molasses.

> On 8 October 2015, the European Parliament adopted the European Commission proposal to create safer and more innovative European payments (PSD2, Directive (EU) 2015/2366). The current rules aim to better protect consumers when they pay online, promote the development and use of innovative online and mobile payments such as through open banking, and make cross-border European payment services safer.[10]

> An important element of PSD2 is the requirement for strong customer authentication on the majority of electronic payments.

morpheuskafka · 5 years ago
> The first thing that can reduce conversions is the higher rate of 3DS triggered user abandonment. Since many consumers are not familiar with the 3DS process, there is a higher chance of abandonment during the authentication process.

This would presumably go away once PSD2 is fully implemented and all purchases require it, which is a benefit of requiring it by law rather than letting merchants choose whether or not to require it. Requiring it is a common good in the sense that it reduces the economy's overall loss due to fraud.

Additionally, as the article mentions, using 3DS shifts liability for charge not authorized disputes from the merchant to the bank. Thus, the decreased rate of conversions must be compared against decreased losses due to chargebacks.

globile · 5 years ago
It quickly gets complicated. There are many more variables to take into account.

- SCA exemptions
- Prepaid cards (with no built-in 2FA support)
- Banks in less developed markets (no 3DS)
- "We encountered a 3DS processing error" is a common nondescript message which occurs with international payments

For regular merchants, the decrease in conversion (double digit) is VERY far away from any improvements in chargebacks. Bear in mind that most merchants need to stay below 0.75-1% chargeback regardless of conversion/decline ratios.

EDIT: Spelling

lxgr · 5 years ago
Depends on the business though, right?

In a high-value, low-margin business, reducing chargeback losses to almost zero might be worth the cost of a double-digit conversion drop. In other circumstances, the same numbers can be catastrophic.

razius · 5 years ago
I agree, the change needs to be viewed overall. The liability shift is a godsend, it also decreases customer support contacts to verify if the order is fraud or not.

Also, paired with 3DS2's frictionless flow we actually saw a small uptick.

hocuspocus · 5 years ago
So, some VP at a fraud prevention company recommends merchants to avoid using 3DS and use a fraud detection platform, got it.

I don't know if we can find better data somewhere else but I would assume that abandonment rates will decrease thanks to PSD2:

- SMS tokens are finally on their way out; more and more people are installing their bank's mobile app, which is used as the second factor (you get a push notification, you have to unlock and accept the transaction).

- We'll see some harmonization across EU/EEA merchants. No more cases of "the German website doesn't trigger 3DS but the French one does".

TazeTSchnitzel · 5 years ago
Here in Sweden, some major banks already refused to let you do card transactions without SCA/3DS, before PSD2 was even passed. As a result, PSD2 finally being implemented is a welcome relief for me, because those annoying services that would always cause a card decline are now being forced to show a 3DS prompt instead. That prompt is also pretty convenient here because of the wide deployment of Mobile BankID.

(The experience before was: pray this merchant supports 3DS, discover that it doesn't, fish out your phone and open mobile banking, authenticate with mobile banking, find and use the toggle that temporarily allows non-3DS transactions. Now I just bring up the authentication app when prompted.)

SahAssar · 5 years ago
While I mostly agree with you, the fact that BankID does not support (desktop or non-Android) Linux at all or other secure auth methods like U2F for any platform is sad. If you want to be a modern citizen in Sweden today you need to use at least one device with a non-free OS just to access basic services.
toxik · 5 years ago
Meanwhile, Sweden’s response to PayPal, Klarna, “integrate” with your internet bank by logging in to it and pretending to be you. The authentication prompt you get clearly says “you are logging in to $yourBank” when you do it too.
SOLAR_FIELDS · 5 years ago
I don’t know payments infrastructure super well, but reading your comment it makes me wonder if what you are talking about is related to the card woes that I had when I lived there in 2018. Not having a Swedish bank account and paying for larger sums with my American credit card would often trigger declines and I would have to contact my card issuer to authorize the payment to go through frequently. I specifically remember having a lot of trouble whenever I would pay a company that used the Swedish company called “DIBS” to authorize my payment.
withinboredom · 5 years ago
> which is used as the second factor (you get a push notification, you have to unlock and accept the transaction).

This breaks more often than you'd think. I'm still locked out of Facebook on one device because I can't seem to receive the unlock notification and I'm terrified to reinstall Facebook on my phone and then be actually locked out. I'm not a fan of Facebook, but it's the only way to contact some of my friends/family these days via video.

I've also had similar issues with actual banks where the notification appeared and I accidentally tapped "decline" or even dismissed the notification by accident. I've also never received them (mostly with ~Transfer~Wise). Edit to add: I've also been too lazy to walk to the phone charger to press "accept" and just given up.

I think it's a pretty well known phenomenon in ecommerce that the more "clicks" you add to checkout, the less % of people that will make it to the end. I don't see this decreasing cart abandonment at all.

judge2020 · 5 years ago
Google, Duo, and Authy all seem to do fine even in low-data (1 bar non-lte 4g) scenarios, so that's probably a bank & facebook issue. They probably rely on the push notification to carry and push state to the user's device with no backup mechanism for when this fails.
summm · 5 years ago
These apps are worse. Each of them has its own horrible interface and horrible surveillance functionality. For Android they usually check if you have an officially sanctioned and non-rooted Google phone. If I wanted to be patronized by the phone manufacturer, I would buy Apple... I indeed do want to have full control over my phone. It is a freedom we are gradually losing. RMS was right all along... But of course they do not care about actual security, that means if your phone has current security patch level. So for old phones with no official patches you can't even install Lineage and you're worse off.
Macha · 5 years ago
So the effects of PSD2 I've noticed:

1. My bank now _requires_ SMS 2fa, for many actions like logging in, viewing transaction history > 1 month, or making purchases online.

2. My bank has killed their mobile web page in favour of their app. The desktop web page still works, but if you try to visit it with a mobile UA you still get told to use the app.

3. Not 100% sure this is PSD2 related, but my bank have made their password policies less... dumb. It used to be max 8 chars, case insensitive, anything longer was silently truncated. In addition, the signup form used to allow alphanumeric characters, but the change password form only allowed alphabetical.

4. Presumably because of 1, they now no longer randomly decline transactions to smaller vendors. They used to then send you a text asking you to phone the fraud department to clear it. The first couple of times, I thought the text _was_ the fraud.

Now it's entirely possible my bank have just misinterpreted what's required of them, their prior actions show they aren't the most technically competent, but that's not what they were chosen for.

sib · 5 years ago
>> more and more people are installing their bank's mobile app, which is used as the second factor (you get a push notification, you have to unlock and accept the transaction

Great - so much for those times where I've been traveling internationally, been able to make a purchase using a web page hosted on a shared computer or one owned by a companion, but don't have mobile phone access to get a push notification.

Thanks, regulators!

em-bee · 5 years ago
I get your point, but I can't remember in recent years that there would be any difficulty to get wifi access even if I didn't have roaming, so this feels like a mere inconvenience instead of an impossibility
bjohnson225 · 5 years ago
> some VP at a fraud prevention company recommends merchants to avoid using 3DS and use a fraud detection platform, got it.

Yeah, if PSD2 had an impact as dramatic as the article says then there would be a massive amount of noise from all EU/UK retailers. Instead we get an article from somebody with something to sell.

pmontra · 5 years ago
SMS are not much on their way out. I just got an OTP via SMS for an online credit card payment. Then I had to insert my secret PIN too. Friction friction friction.

Some banks authorize operations with their apps: it's either fingerprints, PINs or codes by SMS. Usually a combination of two of them. One bank also requires a kind of captcha. Of course I'm hating all of this. I wish they pay me for the extra work.

We were better off when things were worse /s

Rafert · 5 years ago
100%. 3DS is for card payments and using Netherlands and Germany as examples here is just plain bad - in these countries bank-based payment methods are more popular: iDEAL in NL (which has used 2FA for years), Sofort and Giropay in DE.

See:
- https://www.adyen.com/knowledge-hub/guides/global-payment-me...
- https://stripe.com/en-us/payments/payment-methods-guide#paym...

lxgr · 5 years ago
At least the German services also need 2FA these days, though (since they access bank accounts, which require 2FA for all outgoing payments as well).
andraz · 5 years ago
If Mastercard or Visa did an app that would work across all of their cards, that would be ok. But how can a separate app from each bank be considered better than SMS? It's just an annoying lock-in. And the quality of apps from many banks is sub-par.
pjmlp · 5 years ago
The main issue with SMS tokens going away are all those people, especially elderly ones, that now are forced to buy a phone they cannot understand how to deal with.

Just like the clever idea some cities have had to initially only offer covid vaccination appointments over their website.

thefounder · 5 years ago
Well...if they use the internet to shop online a mobile app should not be that hard to deal with given it's installed/configured by the bank clerk. All the mobile phones are "smart phones" now anyway.
estaseuropano · 5 years ago
100% agree, this is self-interested drivel with nonsense data and no actual evidence. Intention is to sell their product.
radiator · 5 years ago
And what are people who don't own a smartphone doing? Do they just throw their cards to the trash, since they have become useless?
sofixa · 5 years ago
You can still use the card physically, with chip and PIN, as usual. This only applies to online purchases.
dr_faustus · 5 years ago
EU did not "introduce" PSD2 this year, it was/should have been in effect since Sept 2019!

However, the member states (and therefore the EU) have cut the banks an inordinate amount of slack to get their shit together, even though they have been heavily involved in the writing of PSD2 and had since 2015 (!) to implement everything. Here in Germany, in September 2019, which should have been the hard end of a one year grace period, practically no bank actually had a working PSD2 API or had implemented 2 factor authorization properly.

So all the whining about PSD2 six years after it passed is ridiculous. Everybody had plenty of warning and time to get their site prepared and checkout processes optimized. And quite frankly, unless the author of the article is running some kind of one-click order scam, I find the drop of up to 50% in conversion highly unlikely. From my experience with dozens of e-commerce sites, the drop is negligible. And considering the rampant credit card fraud, 2FA was long overdue.

WesolyKubeczek · 5 years ago
The practical outcome looks more like:

→ Customers who have had their card on file will fail the next subscription payment. Many are going to discover they have been paying for months/years for something they didn't really need, and walk away.

→ Incorrect 3D-Secure integration will cause payments from EU to fail straight away. Even some payment gateways didn't understand how it worked back when the enforcement loomed for the first time, and this is literally their job. The solution is to read the documentation carefully and fix your stuff.

It's a misconception that people are going to get confused by PSD2. We in Europe, depending on the bank, have had it for two years now. We got used to it and if we really want to pay, we will.

Aerroon · 5 years ago
> It's a misconception that people are going to get confused by PSD2. We in Europe, depending on the bank, have had it for two years now. We got used to it and if we really want to pay, we will.

When a (random) app opens a bank login page for me and asks me to type in my bank login information in a third party app, then that very much does confuse me. That's one of the ways people get scammed through phishing attacks. And now this is effectively mandated by law.

I've definitely chosen not to pay for a few things, because I didn't trust the app enough with my bank's login information. With a credit card I could easily dispute false charges. With bank authentication, I doubt it'll be as easy.

bjohnson225 · 5 years ago
Subscription payments are exempt. Only payments initiated by the customer require authentication.
estaseuropano · 5 years ago
Consumer protection legislation protecting consumers. I don't see the issue.

> Since many consumers are not familiar with the 3DS process, there is a higher chance of abandonment during the authentication process. Users may also choose to abandon a transaction simply because there are additional steps to complete, giving them more time to contemplate their purchase.

The data here is not really provided so we have no way of verifying they are stating e.g. simply that conversion in Germany went from 80%+ to 40%+ just due to PSD2 requirements to verify identity. 50% of consumers stop their purchase because they have to verify their CC? That seems absurd.

If the reason as cited above is unfamiliarity this means it is a purely temporary impact. If it's birthing issues of implementation that too should be temporary. If consumers stop their buy due to reflection or realising that they don't trust the shop that too is a good thing.

WesolyKubeczek · 5 years ago
Then make your service compelling enough for me to go through the motions of confirming the payment in my banking app.

Or integrate with Android Pay/Apple Pay.

Cry me a river, but I rather prefer to be in control about who gets to withdraw money from my card, and how much.

jeroenhd · 5 years ago
Seriously, if having to stand up and get whatever 2FA token thing your bank needs is too much effort for a purchase on your site, then I have strong doubts about how much your service is really worth.

Another explanation would be that customers run into trouble because they don't know how to use secure online payments. In my opinion, those customers probably shouldn't be doing any online banking on their own with the massive fraud risk that comes with stuff like this.

This line says it all, in my opinion:

> Users may also choose to abandon a transaction simply because there are additional steps to complete, giving them more time to contemplate their purchase.

PSD2 saved a lot of people from making bad financial decisions by the sound of it.

WesolyKubeczek · 5 years ago
Seriously, I'm used to a bit of contemplation before I hit that final "Buy" and proceed to the payment gateway. I like it. I like that I have to enter my billing/shipping addresses. Decide if I want an invoice for a business or an individual. Think again. Go-around hunting for a better option one last time.

Lately, I've had a harrowing experience of misclicking on Amazon. The bastards have put "Add to Cart" and "Buy with 1-Click" so close together that I clicked Buy thinking I was adding to the cart.

I promptly got emails about my order having been finalized. No confirmations, no whatnot. Like those annoying traffic lights on some streets that go straight from red to green, without amber in between. I felt a bit robbed. True, I wanted to buy the stuff, so I didn't cancel, but damn it, not like this.

marcosdumay · 5 years ago
Those are pretty big transactions as the law will only apply to small ones later. It's really hard to believe people are leaving multiple 1000s of Euro transactions just because they didn't bother to learn how to check an app.

I think it's much more likely that some payment methods became completely unusable, so people are abandoning their transactions to redo them elsewhere. And also, some of those must have been fraudulent, but probably very few.

gsich · 5 years ago
I want virtual cards. But properly.
codethief · 5 years ago
I absolutely hate 3DS, for two reasons:

1) I now have to do the 3DS procedure for amounts as small as 1,80€

2) My bank's 3DS "website" requires me to enter my online banking PIN (the one for my entire account, not just my credit card PIN!) and since that website gets opened in an Android WebView I can't even be sure that the app invoking the WebView doesn't actually obtain my PIN through a key logger. Fantastic.

opheliate · 5 years ago
I’ve personally always found 3DS a bit worrying from a security POV. I’m sure much smarter minds than mine designed it, and had reasons for doing so, but I’ve seen it implemented in iframes on websites I use before. It really doesn’t seem to encourage good security practices in normal users where they’re being encouraged to enter their bank password when the URL they see doesn’t match. Plus the URL itself often refers to Arcot, the company who make 3DS, rather than the bank whose branding is all over the page. Very weird.
Aerroon · 5 years ago
If I were cynical I would say that the purpose of 3DS is to make it easier to scam people. It trains users to input their bank login details into third party apps and websites - something that you were told not to do over and over again in the past. I'm also sure that banks will be far less happy to refund fraudulent charges in these cases.
AnssiH · 5 years ago
I've noticed that domestic Finnish online stores (most of which have had 3DS for over a decade now) generally do not use iframes and I can see my bank's domain on the address bar when performing 2FA for card transactions, whereas most international stores (most of which only recently have started using 3DS) seem to almost always use iframes, hiding my bank's domain.

However, it doesn't matter that much with my bank nowadays since I don't have to enter anything on the browser - I just accept the transaction details shown by the bank app on my phone.

daveoc64 · 5 years ago
With SCA, it seems rare now to be asked to set up a password or PIN for 3DS in the UK.

It's more common to get a one-time-use code via SMS or a notification in an app for transactions with a higher risk.

Both of those make it possible for the bank to provide the consumer with information about the transaction that should be hard to spoof.

bjohnson225 · 5 years ago
1 could be a bad implementation from the merchant. There is an exemption for low value (<€30) transactions and you can do five low value transactions before needing re-authentication.
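The low-value exemption described in the comment above, as an added illustration in Python (not code from any bank, card scheme or the article under discussion): an issuer-side counter that decides whether a remote card payment may skip SCA. Thresholds are those of the PSD2 RTS (Delegated Regulation (EU) 2018/389, Article 16); the "whichever limit is hit first" reading and the in-memory per-card state are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds from the PSD2 RTS, Art. 16 (low-value remote transactions).
SINGLE_TXN_LIMIT = Decimal("30")   # per-transaction ceiling for the exemption
CUMULATIVE_LIMIT = Decimal("100")  # exempted amount allowed since the last SCA
CONSECUTIVE_LIMIT = 5              # exempted transactions allowed since the last SCA


@dataclass
class CardCounters:
    """Per-card state an issuer keeps between SCA events (constructed stand-in
    for whatever store a real issuer uses)."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")

    def reset(self) -> None:
        self.exempt_count = 0
        self.exempt_total = Decimal("0")


def low_value_exemption_applies(card: CardCounters, amount: Decimal) -> bool:
    """True if this payment may skip SCA under the low-value exemption.

    Assumed reading: the RTS joins the cumulative-amount and count limits with
    "or", but issuers commonly apply the stricter "whichever is hit first"
    rule, which is what the thread describes (five exempt payments, then a
    challenge). Both limits therefore have to hold here.
    """
    if amount <= 0 or amount > SINGLE_TXN_LIMIT:
        return False
    within_count = card.exempt_count < CONSECUTIVE_LIMIT
    within_total = card.exempt_total + amount <= CUMULATIVE_LIMIT
    return within_count and within_total


def decide(card: CardCounters, amount: Decimal) -> str:
    """Issuer decision for one transaction; updates the card counters.

    Returns "exempt" when no challenge is shown and "sca_required" when the
    cardholder must authenticate. A completed SCA opens a fresh window, so
    the counters reset (assumes the challenge succeeds).
    """
    if low_value_exemption_applies(card, amount):
        card.exempt_count += 1
        card.exempt_total += amount
        return "exempt"
    card.reset()
    return "sca_required"


def run_sequence(amounts) -> list:
    """Apply decide() to a list of amounts on a fresh card; returns the decisions."""
    card = CardCounters()
    return [decide(card, Decimal(str(a))) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: seven EUR 1.80 payments, the size complained about above.
    for amt, verdict in zip([1.80] * 7, run_sequence([1.80] * 7)):
        print(f"{amt:6.2f} EUR -> {verdict}")
```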
988747 · 5 years ago
Before 3DS I had my credit card details memorized, so I could shop online conveniently. Now I have to keep my phone around and type in SMS passwords everywhere.
robert_foss · 5 years ago
It doesn't have to be SMS password. Some banks are way more convenient. I only need my phone+fingerprint.
estaseuropano · 5 years ago
3DS should do the exact opposite, away with SMS.
mattmanser · 5 years ago
In the UK they introduced it ages ago, and have now changed it so it remembers your IP and browser, so it never, ever asks for the pin now.

Kinda defies the point, and makes it very easy to forget the code as I put it in like once a year.

But there is less friction, you click buy, it redirects somewhere else (fairly slowly, perhaps by design), then done.

estaseuropano · 5 years ago
For me it opens the bank app which shows amount, seller, subject line and asks me to confirm with PIN or fingerprint, taking all of 2 seconds. No more entering bank card numbers. Not sure what bank you are using but this seems like bad implementation not bad idea.
robert_foss · 5 years ago
Switch to a more modern bank. I've got both a crappy German one and a good one. The difference in friction is big.
Jolter · 5 years ago
Does your bank not have a phone app? Consider switching to one that has.