“The frictionless experience above all!” – Major card networks are shifting into second gear

Since PSD2 enforcement in Europe around 2019 the industry moved forward to enhanced strong authentication process and comply with regulation. EMVCO released EMV 3DS protocol, replacing definitively the former version v1.0.2 (October 2022 for the major schemes).

Initially oriented to protect user data and privacy, the regulation led to market disturbance. Issuers latency to ramp up on new technology and processes, and merchants negative impacts due to transaction abandonment, incomplete user authentication and user bad experience, created fragility in the entire ecosystem. (See my post on merchant fraud)

Certainly to react against the increasing market share owned by the transaction account-based frameworks, powered by emerging trends such as open-baking  (XS2A), instant-payment, card networks are working hard to improve user experience on merchant side.

Two paradigms are emerging 1) threshold policy 2) enforce by design

Threshold policy

Card network opting for this manner, are defining thresholds for issuers in their performance programs. Such thresholds encompass EMV 3DS step up rate (challenge = user interaction), frictionless rate (silent authentication), SCA exemption-applied rate (if strong authentication is not necessary according with regulation), SCA delegation-applied rate (if legitimate/controlled merchant requests for SCA delegation does the issuer accept?), and other scheme specific KPI.

After a specific enforcement date, bank not complying with expected thresholds are first warned then,  after an agreed delay, fined in proportion to the amount of months spent exceeding the threshold.

Issuer and acquirer are then motivated to ramp up quickly to avoid penalties. This approach also promotes competition and innovation. Third parties can enter in the loop to provide innovative fraud management system or consulting services.

On another hand, it does not guarantee quick improvement for user experience. Merchant negative impact will surely be reduced, but not instantly.

Enforce by design

Other card networks opt for a different approach. They impose banks to comply with their regulation by taking on their own part of the fraud topology. By doing so, merchant are promised better metrics. For instance, frictionless rate is guaranteed because card network are now solely (or almost) responsible for the decision. Issuer range of action is reduced but yet, liability shifting remains.

By doing so, immediate results can be foreseen. User experience will increase and merchant business will be preserved (at least theoretically). Transactions volume will no longer be jeopardized. However, this approach can lead to reluctance. First, it may not comply with local regulation. For instance, according with GDPR, user data cannot be shared to a third party (even the scheme) so easily. Second, it removes control from the banks and still let them bear the cost of fraud. Bank could refuse to comply and it would fragilize the market from the opposite side.  Last, it lets no (or few) place for innovation and third party market share.

Conclusion

User authentication and privacy concerns remain a challenge for 2023. Even if the industry innovates (see my post on biometric authentication method), stakeholders struggle to adopt technologies and comply with regulations for the pace and stakes of this evolution are unprecedented. Stressed by competition and economic situations, card networks try to empower their affiliates with different approaches.

In addition, other players and trends in digital identity and payment methods are entering the game such as openfinance (see my post on PSD3), eIDAS (Electronic IDentification Authentication and trust Services) and CDBC (central bank digital currency). Let's see what 2023 has in store for us !

#Fime #GDPR #FraudManagement #psd2 #SCA #EMV3DS