PSD2 continues to transform online payments. Proactive merchants are identifying fresh opportunities to innovate and are taking control of the data that drives their businesses. One significant area of opportunity in 2020 is strong customer authentication (SCA), which is set to become a requirement for most online transactions by the end of this year.
By acting now, you can deliver secure, compliant transactions without compromising the user experience. This means you’re able to turn payment security into customer convenience. This article is designed to help merchants looking to understand how 3D Secure 2.2 impacts fraud liabilities – and how they can best prepare.
The latest version of 3D Secure (3DS), the industry-standard means for achieving SCA compliance, is designed to deliver the game-changing, intuitive customer experience previous versions lacked. How? By integrating seamlessly into customers’ payment journeys to protect online credit card transactions against fraud, while also complying with SCA.
Liability shift occurs when the responsibility for fraud-related chargebacks on a payment transaction changes from the default liability holder. In an ePayments context, it means the liability shifts from the merchant to the card issuer.
For merchants, the latest version of 3D Secure, 3DS 2.2, has many advantages. One key area of debate, however, has been around where the buck stops when it comes to transaction fraud – when does responsibility sit with the issuer, and when with the merchant? Previously, merchants without 3D Secure would always be liable. But with 3DS 2.2, the rules are shifting.
The good news is that in most cases, when 3D Secure is implemented correctly, transaction fraud liability will automatically shift from the merchant to the issuer. So, when an issuer authenticates a payment via 3D Secure, it becomes liable for fraud-related chargebacks. This represents a huge incentive for businesses to adopt 3DS 2.2.
However, issuer liability is subject to a few exceptions, and will depend on the version of 3D Secure merchants implement.
1. The merchant requests an exemption
If this exemption is accepted by the issuer and no SCA is performed, liability shifts back to the merchant.
2. After the first Merchant Initiated Transaction
In a repeat payment, such as subscriptions, the merchant is liable for subsequent transactions. However, with 3DS 2.2, some schemes like Mastercard will ‘authenticate’ ongoing transactions initiated by the merchant and liability will shift to the issuer.
3. For mail order/ telephone order (MOTO) transactions
Liability for a MOTO transaction lies with the merchant, unless 3DS 2.2 is used with decoupled authentication (where the authentication and the payment are processed at different times).
In practice though, online transactions cover a huge range of different scenarios, which can make liability confusing. Ingenico has compiled an overview of three key outcomes and when they might apply, so merchants know where they stand when it comes to fraudulent transactions.
The issuer is always liable, unless the merchant is using 3DS 2.2 and is granted an exemption by the issuer.
When it might apply:
The issuer is generally liable for transactions.
When it might apply:
The issuer is liable for the first collection of a Merchant Initiated Transaction payment. The merchant is liable for subsequent payment collections, unless 3RI was used (Mastercard only) – only available with 3DS 2.2
When it might apply:
You can find a detailed breakdown of different payment scenarios in Ingenico’s PSD2 guide.
Frictionless authentication through 3DS 2.2 largely shifts fraud liability away from merchants, without any impact on the customer experience. Plus, it presents a fantastic opportunity for businesses to capture and communicate customer information, which can be used to evolve business models.
To leverage the full benefits of these changes, Ingenico recommends that merchants review their payments strategy and processes to make sure they are fully compliant well ahead of the December 2020 deadline. Using Ingenico’s PSD2 roadmap, merchants can see what they need to do – and when – to be sure they are on track. That way they can gather and test the data they need before authentication becomes a mandatory requirement.
Early adoption of 3DS 2.2, which supports the main exemptions of regular online payments and offline authentication, will put merchants in a strong position to make the best of all the opportunities that 3D Secure offers.
Ingenico can help with every aspect of 3D Secure implementation. Plus, merchants can benefit from unrivalled support and expert insight into how best to use customer data to streamline authentication processes.
From developer to Product Manager, Paula Costa has been working in the Payments Industry for 15 years. She started the journey in a PSP in Argentina and joined Ingenico ePayments HQ in 2016. Paula specializes in Card Payments; she has a solid experience in CP and CNP within Retail and Travel as well as issuing banks. In her PM role Paula aims to support the merchants in understanding the complexity of rules and regulations of the different markets to maximize conversion and keep compliance at the same time.