Almost a year ago, the European Economic Area’s (EEA’s) largest digital commerce markets began complying with PSD2, which aims to protect consumers against fraud by securing digital payments for Card Not Present (CNP) transactions using Strong Customer Authentication (SCA).
Many U.S.-based companies that do business in the EEA are also required to maintain compliance with the new regulation. Unsurprisingly, adoption of 3-D Secure (3DS) has increased in the U.S. In Q2 2021, 37% of CNP transactions in the U.S. had 3DS protection, as opposed to only 10% in Q3 2020.
After nearly a year of enforcement, has the regulation actually reduced fraud rates? Based on our data, not quite.
Origins of PSD2 and the use of 3DS
According to the ECB’s 7th Report on Card Fraud, 80% of the value of card fraud in 2019 resulted from CNP transactions. This resulted in an estimated €1.50 billion in fraud losses.
As part of the solution, SCA was enacted to make fraud more difficult by requiring validation of customer information at checkout. While this authentication lessens the impact fraudsters can have, it is still not 100% effective. Some sophisticated fraudsters can find ways around two-factor authentication (2FA), due to the nature of 3DS. For example, bad actors can bypass 2FA easily by spoofing mobile phone numbers and then intercepting the one-time passcodes (OTPs) needed to verify transactions.
Not all fraud is blocked by SCA, yet not all blocked traffic is fraudulent. Merchants have seen SCA add friction to the shopping journey and impede customer conversion rates. Think about what’s happening in real time. In the middle of the purchase, many legitimate online customers won’t continue with a transaction if it means physically getting up to answer a 2FA request on their phone. The process also gives customers more time to rethink their purchase.
How merchants have complied
Over the past year under PSD2, merchants have most commonly complied with the SCA requirements by relying on 3DS solutions for in-scope transactions. 3DS makes the customer validate their identity using a few extra steps. For example, when a customer is shopping and 3DS is triggered, they are required to provide something they know (e.g., password), something they have (e.g., smartphone), or something they are (e.g., fingerprint).
In practice, the two most common approaches merchants have taken to meet the SCA requirement are:
- Sending every transaction to 3DS or
- Attempting to exempt every transaction from 3DS.
Sending every transaction to 3DS adds more friction to the shopping journey and introduces the possibility of 3DS failure. However, exempting every transaction assumes that the Issuer will always be correct in its judgment of the purchase and that, after a soft decline, the Acquirer can reroute the transaction through 3DS. Yet this increases the number of hard and soft declines received. It is important to note that sending fraudulent or high-risk transactions for exemption will lead to higher chargebacks. This can lead to acquirers disabling the exemption option for the merchant. Payment friction lowers shopping cart conversion rates and leads to an overall loss in completed revenue.
How many legitimate transactions are denied?
The 3DS abandonment rate (when the user abandons the transaction) and the 3DS failure rate (when the user fails to complete the challenge) show that, in some instances, merchants are losing 26-39% of transactions where 3DS is applied. Customers lost to denied transactions could represent a significant loss of revenue to merchants. One survey found that 33% of shoppers will never shop with a retailer again after experiencing a single false decline. Our research revealed that merchants can lose up to 75x more revenue to false declines than they do to fraud.
Alternative solutions
PSD2 allows many transactions to be exempted from SCA if merchants implement fraud prevention software. When a merchant’s PSP has an effective risk-analysis tool in place that determines when certain transactions are low risk, the checkout is relatively painless on the user end.
This works by identifying low-risk transactions through Transaction Risk Analysis (TRA), which can ease the burden of SCA requirements on the consumer. TRA can be used on transactions below €500, but only when the Acquirer applying the exemption has proven a low rate of fraud. For transactions under €100, fewer than 0.13% of an Acquirer’s transactions can be fraudulent. The larger the transaction value, the lower the allowed fraud rate. Following TRA, when the Acquirer flags a transaction as exempt, the final say on whether to approve a transaction sits with the Issuer. When it comes to exemptions, having more than one PSP through which to route different transactions can also significantly impact your overall transaction approval rate. Merchants that optimize their exemptions by using TRA and multiple PSPs will be able to navigate more effectively the headwinds that PSD2 has started to introduce to their business.
Where is fraud now?
When bad actors encounter barriers to one type of fraud, they will focus their attention on other forms of fraud. Comparing data from PSD2 pre-enforcement (2020) transactions with post-enforcement (2021) transactions, alternative payment methods (APMs) such as gift cards have received 60% more fraud pressure year-over-year. In addition, item not received (INR) returns have seen a 30% increase in fraud pressure. When one route to fraud is shut down, fraudsters will shift their focus to other vulnerabilities, which means that now, more than ever, merchants need to examine and protect the whole customer journey.
Thus, PSD2’s overall impact on fraud has been mixed. First, the SCA requirement adds security to CNP payments (and friction to the shopping journey), but does not guarantee the prevention of all forms of fraud. Second, given the high number of failed and abandoned transactions (26-39%) from the study, merchants have, in some cases, seen higher losses from failed and abandoned 3DS transactions than from fraudsters. Finally, we have seen fraud pressure move into other arenas (geographically and by payment type), but it has not been reduced substantially as a whole.
In conclusion, PSD2 has introduced friction not only for fraudsters but for merchants as well. Unfortunately, it’s not a complete solution to guarantee fraud prevention.

