I found those links slightly difficult to understand. Am I correct in summarizing these definitions as follows?
PSD2—The EU law requiring your bank/card issuer to establish SCA for online purchases.
SCA—Strong Customer Authentication: something in addition to a credit card number, e.g. your bank account password, a mobile push notification, an SMS code.
3DS—3-Domain secure, the protocol used by online merchants to communicate with the bank in order to establish SCA. This seems to be complicated by the fact that most banks aren't implementing this protocol themselves, but using a third party. So you get redirected to the website of that third party in order to authenticate a transaction.
>SCA—Strong Customer Authentication: something in addition to a credit card number, e.g. your bank account password, a mobile push notification, an SMS code.
I've run into this a few times and it has made me very hesitant. You're effectively being asked to log into your own bank account from a link on a third party website or, even worse, an app.
It makes me uneasy, because I feel like a malicious site or app could intercept this and access the account directly. Or do some other kind of trickery that I cannot foresee.
With the way it currently works people can just charge your credit card with the account number only, more or less (everything publicly printed on your credit card). So by default they can already take money from your account which is probably one of the main bad things that could happen anyways.
I was under the impression that this new system changed where the liability lies. With a credit card I can dispute fraudulent charges. My bank's and my interests don't conflict. With the new system it seems like there's a conflict between my interests and the bank's when fraudulent charges happen.
The size and locus of liability varies by the country of card issue. The US is particularly "generous" in shifting most of the liability onto credit card issuers; few (if any) other countries do so.
BTW the origin of this legal regime is the card issuers themselves back in the 1960s as people were reluctant to use the cards. It's also good law in the sense that the card companies can modulate the line between reducing friction vs their fraud detection abilities & tolerance for fraud.
Of course one of the downsides is they do this via mass surveillance. That's why I put the quotes around "generous" -- it wasn't out of good will towards customers. Another was pushing quite a bit of responsibility onto merchants.
For online transactions almost all liability is with merchants. Seems like unless chip is used then offline transaction fraud liability is also on the merchant (otherwise that shady convenience store wouldn't have any reason to check your signature/ID all the time).
The article pointed out that with the new system the online transactions liability shifts to the banks. Thus the article claims banks may reject a payment request if they consider the merchant suspicious.
Two things, actually. The credit card number doesn't count as a "thing" anymore.
This is why SMS-OTP alone is not sufficient (representing only possession), but mobile phone app based solutions are (they represent possession of a linked device and usually ask for biometrics or a PIN code).
The tribal knowledge on this one is thick as molasses.
> On 8 October 2015, the European Parliament adopted the European Commission proposal to create safer and more innovative European payments (PSD2, Directive (EU) 2015/2366). The current rules aim to better protect consumers when they pay online, promote the development and use of innovative online and mobile payments such as through open banking, and make cross-border European payment services safer.[10]
> An important element of PSD2 is the requirement for strong customer authentication on the majority of electronic payments.
> The first thing that can reduce conversions is the higher rate of 3DS triggered user abandonment. Since many consumers are not familiar with the 3DS process, there is a higher chance of abandonment during the authentication process.
This would presumably go away once PSD2 is fully implemented and all purchases require it, which is a benefit of requiring it by law rather than letting merchants choose whether or not to require it. Requiring it is a common good in the sense that it reduces the economy's overall loss due to fraud.
Additionally, as the article mentions, using 3DS shifts liability for charge not authorized disputes from the merchant to the bank. Thus, the decreased rate of conversions must be compared against decreased losses due to chargebacks.
It quickly gets complicated. There are many more variables to take into account.
- SCA exemptions
- Prepaid Cards (with no built in 2FA support)
- Banks in less developed markets (No 3DS)
- "We encountered a 3DS processing error" is a common nondescript message which occurs with international payments
For regular merchants, the decrease in conversion (double digit) is VERY far away from any improvements in chargebacks. Bear in mind that most merchants need to stay below 0.75-1% chargeback regardless of conversion/decline ratios.
In a high-value, low-margin business, reducing chargeback losses to almost zero might be worth the cost of a double-digit conversion drop. In other circumstances, the same numbers can be catastrophic.
It should be a choice a business can make based on their circumstances. Instead, the EU legislates conversion loss for everyone.
If you think about it, when was the last time you entered even a CVV2/CVC on Amazon? Compare that to most regular sites which require you to enter CVV. Some allow you to enter the card holder name and address, while others don't and just send the shipping address you've entered.
And it's not like this is a surefire way to make things better anyway. Like was mentioned before, it makes people that know about these things queasy when a random site redirects you to your bank and wants you to log in. What better way to scrape bank login info than a fake login screen for your bank? It's like when banks introduced TAN numbers. Then indexed TAN, SMS TAN etc. What regular user that fell for the "Please enter 3 TAN numbers to verify your account" will figure out whether a shady site is scraping their logins?
In Norway after the redirect to the payment page from a bank to approve the transaction the only thing one typically types is the phone number and the birthday. The rest happens on the mobile.
A bank in Spain implemented this even better as one does not enter anything on the site. Rather one has to go to the bank app on the phone and approve the purchase there. The latter is very frictionless especially with biometric authentication.
> A bank in Spain implemented this even better as one does not enter anything on the site. Rather one has to go to the bank app on the phone and approve the purchase there. The latter is very frictionless especially with biometric authentication
Same here in France at my two main banks, LCL and Boursorama, the payment screen tells you to open the app and confirm the payment.
I agree, the change needs to be viewed overall. The liability shift is a godsend, it also decreases customer support contacts to verify if the order is fraud or not.
Also, paired with 3DS2's frictionless flow we actually saw a small uptick.
So, some VP at a fraud prevention company recommends merchants to avoid using 3DS and use a fraud detection platform, got it.
I don't know if we can find better data somewhere else but I would assume that abandonment rates will decrease thanks to PSD2:
- SMS tokens are finally on their way out; more and more people are installing their bank's mobile app, which is used as the second factor (you get a push notification, you have to unlock and accept the transaction).
- We'll see some harmonization across EU/EEA merchants. No more cases of "the German website doesn't trigger 3DS but the French one does".
Here in Sweden, some major banks already refused to let you do card transactions without SCA/3DS, before PSD2 was even passed. As a result, PSD2 finally being implemented is a welcome relief for me, because those annoying services that would always cause a card decline are now being forced to show a 3DS prompt instead. That prompt is also pretty convenient here because of the wide deployment of Mobile BankID.
(The experience before was: pray this merchant supports 3DS, discover that it doesn't, fish out your phone and open mobile banking, authenticate with mobile banking, find and use the toggle that temporarily allows non-3DS transactions. Now I just bring up the authentication app when prompted.)
While I mostly agree with you, the fact that BankID does not support (desktop or non-Android) Linux at all, or other secure auth methods like U2F for any platform, is sad. If you want to be a modern citizen in Sweden today you need to use at least one device with a non-free OS just to access basic services.
Meanwhile, Sweden’s response to PayPal, Klarna, “integrate” with your internet bank by logging in to it and pretending to be you. The authentication prompt you get clearly says “you are logging in to $yourBank” when you do it too.
I don’t know payments infrastructure super well, but reading your comment it makes me wonder if what you are talking about is related to the card woes that I had when I lived there in 2018. Not having a Swedish bank account and paying for larger sums with my American credit card would often trigger declines and I would have to contact my card issuer to authorize the payment to go through frequently. I specifically remember having a lot of trouble whenever I would pay a company that used the Swedish company called “DIBS” to authorize my payment.
You were most likely experiencing a problem on the opposite end: the merchant (or their payment processor) rejecting you, rather than your card issuer.
> which is used as the second factor (you get a push notification, you have to unlock and accept the transaction).
This breaks more often than you'd think. I'm still locked out of Facebook on one device because I can't seem to receive the unlock notification and I'm terrified to reinstall Facebook on my phone and then be actually locked out. I'm not a fan of Facebook, but it's the only way to contact some of my friends/family these days via video.
I've also had similar issues with actual banks where the notification appeared and I accidentally tapped "decline" or even dismissed the notification by accident. I've also never received them (mostly with ~Transfer~Wise). Edit to add: I've also been too lazy to walk to the phone charger to press "accept" and just given up.
I think it's a pretty well known phenomenon in ecommerce that the more "clicks" you add to checkout, the less % of people that will make it to the end. I don't see this decreasing cart abandonment at all.
Google, Duo, and Authy all seem to do fine even in low-data (1 bar non-lte 4g) scenarios, so that's probably a bank & facebook issue. They probably rely on the push notification to carry and push state to the user's device with no backup mechanism for when this fails.
These apps are worse. Each of them has its own horrible interface and horrible surveillance functionality. For Android they usually check if you have an officially sanctioned and non-rooted google phone.
If I wanted to be patronized by the phone manufacturer, I would buy apple...
I indeed do want to have full control over my phone. It is a freedom we are gradually losing. RMS was right all along...
But of course they do not care about actual security, that is, whether your phone has the current security patch level.
So for old phones with no official patches you can't even install Lineage and you're worse off.
1. My bank now _requires_ SMS 2fa, for many actions like logging in, viewing transaction history > 1 month, or making purchases online.
2. My bank has killed their mobile web page in favour of their app. The desktop web page still works, but if you try visit it with a mobile UA you still get told to use the app.
3. Not 100% sure this is PSD2 related, but my bank have made their password policies less... dumb. It used to be max 8 chars, case insensitive, anything longer was silently truncated. In addition, the signup form used to allow alphanumeric characters, but the change password form only allowed alphabetical.
4. Presumably because of 1, they now no longer randomly decline transactions to smaller vendors. They used to then send you a text asking you to phone the fraud department to clear it. The first couple of times, I thought the text _was_ the fraud.
Now it's entirely possible my bank have just misinterpreted what's required of them, their prior actions show they aren't the most technically competent, but that's not what they were chosen for.
>> more and more people are installing their bank's mobile app, which is used as the second factor (you get a push notification, you have to unlock and accept the transaction
Great - so much for those times where I've been traveling internationally, been able to make a purchase using a web page hosted on a shared computer or one owned by a companion, but don't have mobile phone access to get a push notification.
I get your point, but I can't remember in recent years that there would be any difficulty to get wifi access even if I didn't have roaming, so this feels like a mere inconvenience instead of an impossibility.
In a particularly ironic situation, I was trying to log in to my bank's website on a computer from a distant international location so I could pay the credit card bill and, since it was a new browser, the bank required 2FA via my phone in order to log in. Of course, I could not receive the SMS, so could not log in, and could not make the payment.
> some VP at a fraud prevention company recommends merchants to avoid using 3DS and use a fraud detection platform, got it.
Yeah, if PSD2 had an impact as dramatic as the article says then there would be a massive amount of noise from all EU/UK retailers. Instead we get an article from somebody with something to sell.
SMS are not much on their way out. I just got an OTP via SMS for an online credit card payment. Then I had to insert my secret PIN too. Friction friction friction.
Some banks authorize operations with their apps: it's either fingerprints, PINs or codes by SMS. Usually a combination of two of them. One bank also requires a kind of captcha. Of course I'm hating all of this. I wish they pay me for the extra work.
100%. 3DS is for card payments and using Netherlands and Germany as examples here is just plain bad - in these countries bank-based payment methods are more popular: iDEAL in NL (which has used 2FA for years), Sofort and Giropay in DE.
If Mastercard or Visa did an app that would work across all of their cards, that would be ok. But how can a separate app from each bank be considered better than SMS? It's just an annoying lock-in. And the quality of apps from many banks is sub-par.
The main issue with SMS tokens going away is all those people, especially elderly ones, who are now forced to buy a phone they cannot understand how to deal with.
Just like the clever idea some cities have had to initially only offer covid vaccination appointments over their website.
Well...if they use the internet to shop online a mobile app should not be that hard to deal with given it's installed/configured by the bank clerk. All the mobile phones are "smart phones" now anyway.
If she can't handle a smartphone, can she handle internet purchases? If not, the whole discussion is moot because the topic at hand is online payments and their MFA.
Plenty of dumb phones available at the shopping malls over here.
Besides the UX of the Internet is not the same as the phone and these are the kind of users that end up with the browser full of extensions trying to make pesky dialogues go away.
EU did not "introduce" PSD2 this year, it was/should have been in effect since Sept 2019!
However, the member states (and therefore the EU) have cut the banks an inordinate amount of slack to get their shit together, even though they have been heavily involved in the writing of PSD2 and had since 2015 (!) to implement everything. Here in Germany, in September 2019, which should have been the hard end of a one year grace period, practically no bank actually had a working PSD2 API or had implemented 2 factor authorization properly.
So all the whining about PSD2 six years after it passed is ridiculous. Everybody had plenty of warning and time to get their site prepared and checkout processes optimized. And quite frankly, unless the author of the article is running some kind of one-click order scam, I find the drop of up to 50% in conversion highly unlikely. From my experience with dozens of e-commerce sites, the drop is negligible. And considering the rampant credit card fraud, 2FA was long overdue.
→ Customers who have had their card on file will fail the next subscription payment. Many are going to discover they have been paying for months/years for something they didn't really need, and walk away.
→ Incorrect 3D-Secure integration will cause payments from EU to fail straight away. Even some payment gateways didn't understand how it worked back when the enforcement loomed for the first time, and this is literally their job. The solution is to read the documentation carefully and fix your stuff.
It's a misconception that people are going to get confused by PSD2. We in Europe, depending on the bank, have had it for two years now. We got used to it and if we really want to pay, we will.
>It's a misconception that people are going to get confused by PSD2. We in Europe, depending on the bank, have had it for two years now. We got used to it and if we really want to pay, we will.
When a (random) app opens a bank login page for me and asks me to type in my bank login information in a third party app, then that very much does confuse me. That's one of the ways people get scammed through phishing attacks. And now this is effectively mandated by law.
I've definitely chosen not to pay for a few things, because I didn't trust the app enough with my bank's login information. With a credit card I could easily dispute false charges. With bank authentication, I doubt it'll be as easy.
Consumer protection legislation protecting consumers. I don't see the issue.
> Since many consumers are not familiar with the 3DS process, there is a higher chance of abandonment during the authentication process. Users may also choose to abandon a transaction simply because there are additional steps to complete, giving them more time to contemplate their purchase.
The data here is not really provided so we have no way of verifying they are stating e.g. simply that conversion in Germany went from 80%+ to 40%+ just due to PSD2 requirements to verify identity. 50% of consumers stop their purchase because they have to verify their CC? That seems absurd.
If the reason as cited above is unfamiliarity, this means it is a purely temporary impact. If it's birthing issues of implementation, that too should be temporary. If consumers stop their buy due to reflection or realising that they don't trust the shop, that too is a good thing.
Seriously, if having to stand up and get whatever 2FA token thing your bank needs is too much effort for a purchase on your site, then I have strong doubts about how much your service is really worth.
Another explanation would be that customers run into trouble because they don't know how to use secure online payments. In my opinion, those customers probably shouldn't be doing any online banking on their own with the massive fraud risk that comes with stuff like this.
This line says it all, in my opinion:
> Users may also choose to abandon a transaction simply because there are additional steps to complete, giving them more time to contemplate their purchase.
PSD2 saved a lot of people from making bad financial decisions by the sound of it.
Seriously, I'm used to a bit of contemplation before I hit that final "Buy" and proceed to the payment gateway. I like it. I like that I have to enter my billing/shipping addresses. Decide if I want an invoice for a business or an individual. Think again. Go-around hunting for a better option one last time.
Lately, I've had a harrowing experience of misclicking on Amazon. The bastards have put "Add to Cart" and "Buy with 1-Click" so close together that I clicked Buy thinking I was adding to the cart.
I promptly got emails about my order having been finalized. No confirmations, no whatnot. Like those annoying traffic lights on some streets that go straight from red to green, without amber in between. I felt a bit robbed. True, I wanted to buy the stuff, so I didn't cancel, but damn it, not like this.
Those are pretty big transactions as the law will only apply to small ones later. It's really hard to believe people are leaving multiple 1000s of Euro transactions just because they didn't bother to learn how to check an app.
I think it's much more likely that some payment methods became completely unusable, so people are abandoning their transactions to redo them elsewhere. And also, some of those must have been fraudulent, but probably very few.
1) I now have to do the 3DS procedure for amounts as small as 1,80€
2) My bank's 3DS "website" requires me to enter my online banking PIN (the one for my entire account, not just my credit card PIN!) and since that website gets opened in an Android WebView I can't even be sure that the app invoking the WebView doesn't actually obtain my PIN through a key logger. Fantastic.
I’ve personally always found 3DS a bit worrying from a security POV. I’m sure much smarter minds than mine designed it, and had reasons for doing so, but I’ve seen it implemented in iframes on websites I use before. It really doesn’t seem to encourage good security practices in normal users where they’re being encouraged to enter their bank password when the URL they see doesn’t match. Plus the URL itself often refers to Arcot, the company who make 3DS, rather than the bank whose branding is all over the page. Very weird.
If I were cynical I would say that the purpose of 3DS is to make it easier to scam people. It trains users to input their bank login details into third party apps and websites - something that you were told not to do over and over again in the past. I'm also sure that banks will be far less happy to refund fraudulent charges in these cases.
I agree with you that it’s bad practice to enter your login data into an arbitrary app.
However, you and the gp should complain to your bank because it’s their job to provide a secure confirmation method. My banks push the confirmation to their app that has separate without the possibility of stealing my bank credentials (in trivial ways).
I've noticed that domestic Finnish online stores (most of which have had 3DS for over a decade now) generally do not use iframes and I can see my bank's domain on the address bar when performing 2FA for card transactions, whereas most international stores (most of which only recently have started using 3DS) seem to almost always use iframes, hiding my bank's domain.
However, it doesn't matter that much with my bank nowadays since I don't have to enter anything on the browser - I just accept the transaction details shown by the bank app on my phone.
1 could be a bad implementation from the merchant. There is an exemption for low value (<€30) transactions and you can do five low value transactions before needing re-authentication.
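The counter behind the exemption mentioned in the comment above, written out as an added Python example (not code from the page, nor from any bank or processor). It models the issuer-side state behind the PSD2 RTS low-value exemption for remote card payments: a transaction of at most €30 may skip SCA as long as the cumulative amount spent under the exemption since the cardholder's last SCA stays at or under €100 and no more than five consecutive exempt transactions have occurred. The regulation lets an issuer track either the cumulative amount or the consecutive count; applying both is assumed here as the conservative reading, and amounts are kept in euro cents. Whether the merchant actually requests the exemption, and whether the issuer chooses to grant it, is outside this model, which is why a €1.80 charge can still end in a challenge in practice.

```python
from dataclasses import dataclass

# Thresholds from the PSD2 Regulatory Technical Standards low-value
# exemption for remote electronic payments, expressed in euro cents.
LOW_VALUE_LIMIT = 30_00        # a single transaction of at most EUR 30
CUMULATIVE_LIMIT = 100_00      # at most EUR 100 exempted since the last SCA
MAX_CONSECUTIVE = 5            # at most five exempt transactions in a row


@dataclass
class CardholderState:
    """Issuer-side counters kept per card, reset every time SCA is performed."""
    cumulative_since_sca: int = 0   # cents spent under the exemption since last SCA
    count_since_sca: int = 0        # exempt transactions since last SCA

    def reset_after_sca(self) -> None:
        self.cumulative_since_sca = 0
        self.count_since_sca = 0


def low_value_exemption_applies(amount_cents: int, state: CardholderState) -> bool:
    """Return True if this transaction may skip SCA under the low-value exemption.

    Assumption: both counters are enforced. The RTS lets the issuer apply either
    the cumulative-amount rule or the consecutive-count rule; checking both is
    the conservative choice.
    """
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    if amount_cents > LOW_VALUE_LIMIT:
        return False
    if state.count_since_sca >= MAX_CONSECUTIVE:
        return False
    if state.cumulative_since_sca + amount_cents > CUMULATIVE_LIMIT:
        return False
    return True


def authorise(amount_cents: int, state: CardholderState) -> str:
    """Decide one transaction and update the counters.

    Returns "exempt" when no challenge is needed, or "sca_required" when the
    cardholder must be challenged; a (here assumed successful) challenge resets
    the counters.
    """
    if low_value_exemption_applies(amount_cents, state):
        state.cumulative_since_sca += amount_cents
        state.count_since_sca += 1
        return "exempt"
    state.reset_after_sca()
    return "sca_required"


def run_sequence(amounts_cents: list[int]) -> list[str]:
    """Replay a sequence of remote card payments for one cardholder."""
    state = CardholderState()
    return [authorise(a, state) for a in amounts_cents]


if __name__ == "__main__":
    # Constructed sample: six EUR 1.80 purchases; the count limit forces a
    # challenge on the sixth.
    print(run_sequence([180] * 6))
    # Constructed sample: EUR 25 purchases; the cumulative limit forces a
    # challenge on the fifth (4 x 25 = 100, a fifth would exceed it).
    print(run_sequence([25_00] * 5))
    # Constructed sample: a EUR 31 purchase always needs SCA, after which the
    # counters start over and a small purchase is exempt again.
    print(run_sequence([31_00, 180]))
```

The counters live with the issuer, not the merchant: a merchant can flag a transaction as a low-value exemption request, but the issuer keeps the running totals and can still respond with a soft decline asking for SCA, so checkout code must always be ready to fall into the challenge flow.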
Before 3DS I had my credit card details memorized, so I could shop online conveniently. Now I have to keep my phone around and type in SMS passwords everywhere.
For me it opens the bank app which shows amount, seller, subject line and asks me to confirm with PIN or fingerprint, taking all of 2 seconds. No more entering bank card numbers. Not sure what bank you are using but this seems like bad implementation not bad idea.
3DS stands for 3 Domain Secure. Payment processing requires a lot of service providers to co-ordinate; card issuer, merchant acquirer, card network to name a few.
The three domains in 3D refers to the domains of Issuer (the bank that issued the your card), Acquirer (the bank that the merchant has their account in), and the Network (Visa, Mastercard etc., which connects Issuing banks and Acquiring banks).
I'm vastly simplifying because nowadays there are new entities which are difficult to typecast into one of Issuer/Acquirer/Network because depending on the scenario they can act as any or all three.
Unlike the Internet which has reasonably well defined protocols/services to provide end user services (HTTP, SMTP, DNS etc.), online payment processing has evolved by monkey-patching systems as newer challenges have arisen. There are no well defined protocols or standards so you have this vast network of systems that somehow work together to process online payments. Once in a while it fails, exposing its innards, like how people came to learn about T + 2 settlement during the GameStop saga.
> Why do these exist and what did they solve?
3DS is kind of a protocol that'll enable a card holder to authorise a payment while minimising the number of service providers that have access to their card details. A typical implementation of 3DS requires card holder to authorise a payment through PIN. Another is through second factor auth such as SMS OTP, or RSA tokens, Apple's Face ID.
> What is PSD2?
This is a European specific regulation to make payments more secure. 3DS is one of its requirements.
PSD2 is an EU directive that changed how online payments can take place within the EU. The key points are basically these:
Strong customer identification is required. In Denmark we handle this with our national identity system NemID (soon to be mitID). Which is a national two-factor system, that we previously mainly used for stuff like online banking or interacting with the public sector but is now also required when you buy something online.
Releasing the ownership of your financial data from the banks. Meaning that you can give third party companies access to your banking data. In Denmark this has revolutionised budgeting because the area was disrupted by companies that saw a gap in the age old online banking systems. As an example, my “overview” in my netbank was basically just a table of the data they used to physically mail me, today it offers all sorts of BI like tools to show me how I spent my money because an app named Spir or Spiir or something like it completely revolutionised the area. As you may be able to tell, I’m still doing my budgeting in my own spreadsheet, but the spiir app is one of the most popular apps in Denmark.
Over all it has been pretty well received in Denmark. Having to utilise two-factor identification when you buy stupid shit online is annoying, and it’s likely costing some sales as people have a few more seconds to think while they pick up their phone, but over all people are happy with the increased protection it also offers them.
I'll link up Stripe's docs for SCA[1] as they have been very helpful for me in getting Leavetrack[2] set up for SCA.
PSD2 is the Second Payment Services Directive from the EU. A directive is required to be implemented in national law no more than two years after it is passed and whilst there have been delays, the past 12 months have seen a ramping up of banks implementing Strong Customer Authentication.
3DS (3D Secure) is like 2FA for debit/credit cards. In my case, I bank with Monzo and if a transaction requires 3DS, I have to open the Monzo app on my phone and confirm it. There are other aspects to SCA e.g. if I have used contactless payment frequently, I am more likely to be prompted to enter my PIN to confirm I still have my card.
PSD2 is an initiative/set of laws that force banks to have some kind of API available to trusted parties so other companies can access customers' financial data (with explicit consent by the user, of course). This allows the banking app from bank A to work with the bank account of bank B, if bank A implements bank B's API. It also includes some other stuff, like adding security requirements to online payments, like the 3DS system is doing.
Companies that make use of these APIs need to fulfil some requirements so that not just any shitty company can ruin your life by hiring shit developers that accidentally add zeroes to the amount of your transactions.
3DS probably refers to "3D secure", a way to secure credit card payments online. I don't use a credit card for anything but paying for American services so I don't know the details of it, but it seems to be a way to redirect credit card users to the checkout page of their bank so that extra security (like 2FA) can be added to online payments.
Just kidding, 3DS is short for 3D-Secure and is an approach to make payments with credit cards more secure. Things like 3DS are mandated by the PSD2 which came into effect a while ago.
PSD(2) is short for payment services directive, its a set of rules to make online payments more secure and reduce the risk of fraud. It has some requirements, such as two factor authentication (3DS) etc for basically any service that is processing payments online.
3d-Secure is basically a form of 2FA for payments. It has been around for almost two decades. US banks seem to have happily ignored it, as well as EMV/NFC cards even when good ol' magstripe had been shown to be hackable with a potato, and thus companies who lived in the US come to do business in Europe, find an "impenetrable wall" of having to integrate correctly with a 2FA process they don't understand. Same as GDPR, really. "How come it's opt-in and not opt-never?"
We developed an internal 3DS attempt strategy to try to remedy this [0], but it is not ideal.
Basically, try 3DS (with no authentication), then try regular charge (NON 3DS), then if all else fails try a full 3DS charge. You'd be surprised by the disparity, especially internationally, and we do recoup some charges at the expense of triggering some unintended blockage.
When asking our provider (Stripe in our case) about the best strategy for this, it always comes down to , "Let SCA (Strong Customer Auth) rules and logic handle everything", but this simply doesn't work well.
I really wish the likes of Adyen, Stripe, etc...would help out with better decline ratio strategies.
I think we are all plagued by "do_not_honor" and "transaction_not_allowed" codes that do little to move us in any direction...
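The attempt ladder described in the comment above, as an added Python example (not the commenter's code and not a Stripe or Adyen API; the gateway is a constructed stand-in with a hard-coded response table). It walks the three modes in the stated order, frictionless 3DS, then a non-3DS charge, then a full 3DS challenge, stops as soon as one is approved, and adds two policy choices of mine that the comment does not state: an issuer soft decline meaning "authentication required" jumps straight to the challenge rung, and a hard decline such as `do_not_honor` or `transaction_not_allowed` ends the ladder rather than being retried down the remaining rungs. The card names, decline codes and response table are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Mode(Enum):
    THREEDS_FRICTIONLESS = "3ds_no_challenge"   # request 3DS, accept frictionless only
    NON_THREEDS = "non_3ds"                     # plain authorisation without 3DS
    THREEDS_CHALLENGE = "3ds_full"              # full 3DS with a cardholder challenge


# Order the comment describes: frictionless 3DS, then non-3DS, then full 3DS.
LADDER = [Mode.THREEDS_FRICTIONLESS, Mode.NON_THREEDS, Mode.THREEDS_CHALLENGE]

# Policy choice for this example: after these codes the ladder stops instead
# of trying the next rung, because retrying a generic issuer refusal is what
# tends to earn a merchant the "unintended blockage" mentioned above.
HARD_DECLINES = {"do_not_honor", "transaction_not_allowed", "lost_card", "stolen_card"}

# Constructed soft-decline code meaning "the issuer wants SCA": skip straight
# to the challenge rung instead of burning an attempt on a non-3DS charge.
SOFT_DECLINE_NEEDS_SCA = "authentication_required"


@dataclass(frozen=True)
class Response:
    approved: bool
    code: str = ""   # decline code when not approved


Gateway = Callable[[str, Mode], Response]   # (card token, mode) -> response


def attempt_ladder(card: str, gateway: Gateway) -> tuple[bool, list[str]]:
    """Walk the ladder; return (approved, trail of "mode:outcome" for auditing)."""
    trail: list[str] = []
    i = 0
    while i < len(LADDER):
        mode = LADDER[i]
        resp = gateway(card, mode)
        trail.append(f"{mode.value}:{'approved' if resp.approved else resp.code}")
        if resp.approved:
            return True, trail
        if resp.code in HARD_DECLINES:
            return False, trail                       # stop: do not hammer the issuer
        if resp.code == SOFT_DECLINE_NEEDS_SCA:
            i = LADDER.index(Mode.THREEDS_CHALLENGE)  # jump to the challenge rung
            continue
        i += 1                                        # any other decline: next rung
    return False, trail


# Constructed stand-in for a payment gateway. Real gateways return richer
# objects; only the approval flag and decline code matter to the ladder.
_CONSTRUCTED_TABLE: dict[tuple[str, Mode], Response] = {
    # EU card whose issuer insists on SCA: frictionless is refused with a soft
    # decline, so the ladder jumps to the full challenge, which succeeds.
    ("eu_card", Mode.THREEDS_FRICTIONLESS): Response(False, "authentication_required"),
    ("eu_card", Mode.NON_THREEDS): Response(False, "authentication_required"),
    ("eu_card", Mode.THREEDS_CHALLENGE): Response(True),
    # Card from a bank with no 3DS: the 3DS attempt errors, a plain charge works.
    ("no_3ds_card", Mode.THREEDS_FRICTIONLESS): Response(False, "3ds_processing_error"),
    ("no_3ds_card", Mode.NON_THREEDS): Response(True),
    # Issuer refuses outright; the ladder must stop at the first rung even
    # though a later rung would have been approved.
    ("blocked_card", Mode.THREEDS_FRICTIONLESS): Response(False, "do_not_honor"),
    ("blocked_card", Mode.NON_THREEDS): Response(True),
}


def constructed_gateway(card: str, mode: Mode) -> Response:
    """Look up the constructed table; unknown cards get a hard decline."""
    return _CONSTRUCTED_TABLE.get((card, mode), Response(False, "transaction_not_allowed"))


if __name__ == "__main__":
    for card in ("eu_card", "no_3ds_card", "blocked_card"):
        print(card, attempt_ladder(card, constructed_gateway))
```

The trail is worth persisting per order: when a processor's support asks why a card saw three authorisations in a row, the sequence of modes and codes is the evidence, and it is also what shows whether the ladder is quietly retrying hard declines.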
How many of these 3DS failures switch to an alternative payment method?
A drop in EU e-commerce sales between 20% and 50% would be big news we wouldn't have missed, so where are these sales going ? Or are these transactions still a tiny bit of the overall e-commerce value? If users opt for a cheaper (and not easily clawed back) payment method because they can't complete the 3DS challenge, the merchants may still win.
Kind of a side point, but I think it could be argued that some transaction friction is a good thing at a societal level. (So long as the friction is agnostic to demographic or income level.)
My spending, consumption and general wasteful consumerism is healthier when I don't have Amazon Prime. I'm more thoughtful about what I need and will batch up purchases, often removing a portion of the cart.
>Users may also choose to abandon a transaction simply because there are additional steps to complete, giving them more time to contemplate their purchase.
Good. Means you've manipulated people into spending their money very intensely if they will abandon the transaction once the first rational thought comes in. I would personally add a third factor for good measure.
In Poland we have something called "Blik" (https://en.wikipedia.org/wiki/Blik), a state of the art internet payment system. https://blik.com/en Sadly it has to be supported by the bank (to be specific their mobile app) so it is not usable by all EU customers. But since it is also operated by banks (they share the cost of IT infrastructure) the commission is much lower than Visa/MasterCard and it is a million times easier to use.
In 2020 Blik had 7 million users and processed 424 million transactions. In 2019, the number of Blik transactions exceeded the number of transactions made on the Polish Internet with payment cards.
In the PSD2/3DS world, paying with a card is a real pain in the ass; the only advantage is transaction insurance and chargebacks.
It's probably worth noting that online transactions with payment cards were never the dominant form of payment; many people preferred to send a bank transfer directly (with a delay until the next payment session) or use one of a number of services which work as middlemen to settle these transactions instantly.
Card payments are often seen as the least secure way of paying for stuff, but they are mildly more convenient than sending a bank transfer.
Sweden has adopted something similar, Swish[1]. Co-owned by banks and so far without any fees for private entities. The adoption rate has been really incredible. Already 75% of the population has signed up for it and, in 2020, made over 600 million transactions.
Don't have a mobile phone, so I guess I would count towards those numbers. A shop branch I used to buy at had 3-D Secure for years but, after asking nicely, they disabled that authentication for me. However, ever since they merged with the main website earlier this year, it's no longer possible. So theoretically, it would be impossible for me to buy anything anymore... if not for the fact that they now allow you to buy "points" via PayPal with which you can then buy products in the shop. It's more complicated, takes longer and has other disadvantages (such as not buying the products directly) but for now, it works. Other websites which don't have such a workaround will simply end up with an "abandonment".
There's always going to be a decline in sales when new friction is added to a process. But, as people get used to the process, those sales come back. The idea that nothing can change because it will hurt sales is short-sighted. It leads to a stagnated system where competition will beat you out of existence.
PSD2 is a process that's system wide and needed so if things need to change this is the best way to do it where everyone takes the hit together as a way to move forward.
This is not my article, I just found it when searching for any data on the subject. I'm aware of the article author's bias on the subject.
We run a B2B SaaS and 20% is the drop we've seen (compared to monthly numbers of the last 5 years). This still needs to be analyzed better but it's taking time due to our messy system of multiple carts using different payment service providers.
Personally, as an EU citizen, I'm very much in favor of these changes. I think the UX will become even more of a differentiator for banks and related products, which is great. Banks FINALLY being forced to open APIs is also great for the fintech industry, so I'm not bitter at all. Just curious to see what other SaaS businesses have seen in their Euro traffic.
I'm really glad my bank got FaceID 3DS right as PSD2 was introduced; it's really quite painless to do the 2FA (just tap the notification, look at your phone and put it back).
Previously you had to use an ancient SMS-based SIM app on your phone or use a dongle to authenticate, which usually took over a minute.
A way for retailers to "bypass" 3DS is to use Klarna or similar (free in-app invoice that needs to be paid within 14 days). Even though it's usually quite simple to use my debit card, it's still more of a hassle than paying whenever I want within 14 days, so that's what I choose when I'm in a hurry.
Purely anecdotal but I have never had any problems with increased authentication for purchases. It feels safe to digitally sign every single purchase I make and with a good UX on the store front it can be a great experience.
Doesn't sound too strange considering it's a change consumers need to adjust to, maybe set up proper 2FA. Just give it some time, if that's the case. Another way to see it is that 3-D Secure works, but they don't want to see it that way.
From the tone of the article, I imagine the author was resisting 3-D Secure from the beginning and had already settled their mind, and so they will only see their own negativity reflected back at them when trying to make sense of it.
3DS is a type of 2FA that makes stolen card credentials harder to use. It does not replace but augments existing antifraud techniques.
3DS is merely a positive marker for the antifraud system.
This means a 3DS transaction is less likely to trigger an antifraud rejection, and antifraud declines are the reason for user abandonment - you can't simply retry a payment attempt in that case.
I had my first encounter with a PSD2 measure the other day. It was very straightforward with my bank. The shop redirected me to my bank's website where I logged in with MFA and clicked OK. Done.
A subsequent order worked by just entering my CC details.
> Users may also choose to abandon a transaction simply because there are additional steps to complete, giving them more time to contemplate their purchase.
Why is it a bad thing that people have more time to think about things?
On the other hand, PSD2 improved the quality of 2FA flows tremendously. I can now use Face ID to approve credit card transactions where previously I had to go through an awkward text-based flow.
Should the title of this submission be changed? It’s not the title of the original article, and the author doesn’t even seem to run a SaaS, it seems like it might be the experience of the OP?
A set of directives by the EU to make online payment transactions more secure and reduce fraud. Some of those directives impact UX, including 3DS requirements, which is a form of 2FA for payments.
It is the Revised Payment Services Directive requirements for Strong Customer Authentication. An EU directive that applies to credit cards issued by EU merchant banks for transactions that occur within the European Economic Area.
Basically a popup that will request some extra form of security verification for relevant transactions.
This sounds wonderful to me. 20% of would-be buyers were saved from mindlessly consuming and paying for stuff they don't need — by just a tiny little UI friction. Imagine what a mandatory essay about the reason for your purchase would accomplish.
You actually have a point. I think 3-D Secure both fulfills its purpose to increase consumer protections when paying online while, at the same time, as you suggest, it acts as a soft obstacle reminding the consumer to maybe re-evaluate their purchase.
I'm not saying it's frictionless nor perfect, but things were worse earlier. Card and identity fraud is increasing, and will continue to be a valuable target, not least because we're moving towards a cashless society (some say).
PSD2 - https://en.wikipedia.org/wiki/Payment_Services_Directive#Rev...
3DS - https://en.wikipedia.org/wiki/3-D_Secure
Furthermore, I want to note that the author works for a company that sells products that "eliminate unnecessary 3DS friction" (in their own words).