PLEASE NOTE: The information in this article is our understanding of PSD2 and 3D Secure 2 - but there is still some confusion over PSD2 so please check directly with your credit card provider with all your questions about whether you (the Merchant) are responsible for fraudulent orders or not.
Update on Deadline Dates
As of 29th Aug 2019, these are the stances of the payment providers that we integrate with:
- Realex / Global Payments: "I can confirm that the pushback will be at least to Q1 of 2020"
- Authipay: "AIBMS’ stance on this is available to view on their website here and there is a link to the Visa Toolkit. As far as timelines go, we are still advising 14th September, as this is what is shown on the AIBMS website."
- PayPal: "Good News - We’ll automatically upgrade your online checkout – so you’ll be PSD2 ready. We’ll take care of integration – you’ll just need to log in and check your payment account settings."
What is PSD2?
Our understanding is that the new PSD2 regulation results in the banks taking responsibility for fraudulent transactions from 14th Sept 2019. As part of this, all transactions need to go through 3D Secure 2. 3D Secure has become a lot more usable since the days when the user had to enter a 2nd password to complete their order (many could not remember the password from the last time they used it, so could not complete their orders).
And we would see the PSD2 implementation bringing more security to the internet with people becoming less afraid of their credit card details being used for fraudulent purposes, and more confident in using their credit card on websites that they are less familiar with.
Also, it would be great if the banks took 100% responsibility for fraud so that retailers don't have to worry about losing money on fraudulent transactions anymore as this has been a major obstacle to online selling in recent years.
However, historically, 3D Secure has reduced the percentage of website users that complete their order, so there is a deep concern among businesses that they will see a large drop in sales when this is enforced on them.
What do you need to do to upgrade to PSD2 / 3D Secure 2?
We have already upgraded your website so that it is ready for PSD2 / 3D Secure 2 so all you need to do is the following:
- Agree with your credit card provider when you are going to implement 3D Secure 2.
- Take a snapshot of your Checkout Funnel (see details below) so that you can see the dropout rate before turning on 3D Secure 2.
- Decide whether you want us to turn on the collection of Billing Details (see details below) - you can turn it off initially and then see how many customers are being asked for a pin number - and if it's high, turn on the billing address and see if the dropout rate goes down or up.
- Turn on 3D Secure 2 and test that the following all work correctly:
  - Put through sample credit card orders for each region you offer to ensure that they work for that region
  - Put through sample PayPal orders for each region you offer to ensure that they work for that region
  - Put through click and collect orders
  - Do the above tests for customers who are not logged in, logged in and making their first order, and logged in and have already made previous orders
How PSD2 works + what does "Challenge the customer" mean?
On AB Commerce, when you are ready to turn on 3D Secure 2, you need to ensure that your credit card provider (either Authipay or Global Payments/Realex) has your account switched on for 3D Secure 2. Once this is done, AB Commerce will send them all your customer information with a "preference for the customer not to be challenged" if possible. The customer information includes their shipping and billing addresses, and for some providers, we also include other information that may help the bank decide not to "challenge the customer".
This information is passed on to your Issuing Bank (the 2 main issuing banks in Ireland are AIB and Elavon - Elavon are Bank of Ireland) who then decide if they will let the order through - or whether they want to "challenge" the customer and ask them to enter a pin number that they send to their phone.
Once the order goes through, it is claimed that the bank is responsible if this is a fraudulent order - and not the retailer.
The checkout funnel + the Dropout Rate
The biggest challenge for PSD2 is whether we can implement it without affecting sales - or even have it help sales go up. To measure its effect, you use the CHECKOUT FUNNEL analysis that is built into AB Commerce. The following is an example checkout funnel:
(to view your checkout funnel, just log into your website using your website admin login and go to the checkout)
The dropout rate is the % of users who start the checkout process (i.e. go into the EMAIL screen) but do not finish the checkout process (i.e. don't go as far as the COMPLETE screen).
We are not concerned with the % of users who go from the BASKET page (View Basket) to the EMAIL page (first checkout screen) - as they are only committing to the order once they start the checkout process.
The success rate is the COMPLETE percentage divided by the EMAIL percentage, and the dropout rate is whatever remains. In the example above, the success rate is 40% / 54%, which is equal to 74%.
As of 29th Aug 2019, the average success rate for AB Commerce websites is 74% (using a pool of well established websites). This means the dropout rate is 26%.
If, by turning on 3D Secure 2, the success rate falls by 10 percentage points to 64% (the dropout rate increases to 36%), this would mean that revenue will go down by 14% ((74% - 64%) / 74%) - which is a serious drop in revenue.
Collecting Billing Address
AB Commerce has a high checkout funnel success rate - and this is due to the fact that we have a streamlined checkout process. One of the screens we have turned off as standard is the ENTER BILLING ADDRESS screen. This is because most of our clients don't actually use the billing address, so it was not necessary. Some did use it to help spot possible fraudulent orders, but if PSD2 means that the retailers are not responsible anymore for fraudulent orders, then the billing address may not be needed at all by the retailers.
However, it may help the banks decide not to "challenge the customer" and ask them for a PIN with their order, which would address our concern about increasing the dropout rate above.
So the decision is up to you. You can turn it on at any time by just emailing the help desk and turn it off at any time too. You can decide to turn it on for "AB Testing" initially and then watch the 2 checkout funnels for group A and group B and then decide whether you want to turn it on or off permanently. Or you can decide to turn it on for "Everyone".
We try and collect their billing address without hindering the checkout process by doing the following:
- If the user has not purchased before, we assume the billing address is the shipping address - and give them the option to change it (i.e. the user does not need to enter any more details if the addresses are the same).
- If the user has purchased before and is logged in, we default the billing address to the one they used when they made their last order. And again, just give them the option to change it.
- For users who have not ordered before and select to COLLECT THEIR ORDER, we do display an additional screen for them to enter their billing address as we don't have a shipping address or a previous order to pull a default address from. To help speed up the entry of the address, we pre-select the country from the dropdown list of countries if possible to the current region country.
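The following is an added example (not AB Commerce code) for comparing the two checkout funnels of an "AB Testing" run using the success rate formula from the checkout funnel section. It goes one step beyond the article by also applying a standard two-proportion z-test, so that a difference seen on a small number of checkouts is not mistaken for a real effect; the function names and the visitor counts are assumptions made up for the illustration.

```python
"""Added example: compare two checkout funnels (group A vs group B)."""
from math import erf, sqrt


def success_rate(email_starts: int, completes: int) -> float:
    """COMPLETE divided by EMAIL, as defined in the checkout funnel section."""
    if email_starts <= 0:
        raise ValueError("no checkouts were started")
    if not 0 <= completes <= email_starts:
        raise ValueError("completes must be between 0 and email_starts")
    return completes / email_starts


def relative_revenue_change(rate_before: float, rate_after: float) -> float:
    """(after - before) / before; a negative result means lost revenue."""
    return (rate_after - rate_before) / rate_before


def compare_funnels(a_starts: int, a_completes: int,
                    b_starts: int, b_completes: int) -> dict:
    """Two-proportion z-test on the success rates of group A and group B."""
    rate_a = success_rate(a_starts, a_completes)
    rate_b = success_rate(b_starts, b_completes)
    pooled = (a_completes + b_completes) / (a_starts + b_starts)
    std_err = sqrt(pooled * (1 - pooled) * (1 / a_starts + 1 / b_starts))
    z = (rate_b - rate_a) / std_err if std_err else 0.0
    # Two-sided p-value from the normal distribution.
    p_value = 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))
    return {"rate_a": rate_a, "rate_b": rate_b, "z": z, "p_value": p_value,
            "revenue_change": relative_revenue_change(rate_a, rate_b)}


if __name__ == "__main__":
    # Constructed counts, not real AB Commerce data.
    # Group A: 3D Secure 2 on, billing address not collected.
    # Group B: 3D Secure 2 on, billing address collected.
    result = compare_funnels(a_starts=1000, a_completes=640,
                             b_starts=1000, b_completes=740)
    for key, value in result.items():
        print(f"{key}: {value:.4f}")
    # The article's own scenario: success rate falls from 74% to 64%.
    print(f"article scenario: {relative_revenue_change(0.74, 0.64):.1%}")
```

With the same two success rates measured on only 50 checkouts per group, the p-value is well above 0.05, so the snapshot should cover enough orders before a permanent decision is made.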
AB Commerce Analysis & Recommendations
On 29th Aug 2019, AB Commerce took a snapshot of its average dropout rates across a number of clients. We will monitor the change in dropout rates with PSD2 and then update this article with our findings on the change to the dropout rate and the different options used by our clients.
As of 29th Aug 2019, the average success rate through checkout is 74% (and the average dropout rate is 26%).
- 14th Sept 2019 - This is the date that all merchants need to be ready to switch over to 3D Secure 2 or else all transactions will be rejected. However, merchants can't switch over until that date (even though all the required fields can be sent through before that date) so there is no full end-to-end testing available before that date (which is one of the reasons why there is confusion around this deadline).
- Central Bank of Ireland Deadline Push - The Central Bank in Ireland made an announcement around the 9th Aug 2019 that they will allow this deadline to be pushed out - and we are awaiting further information as to what this means (in the UK, the Central Bank pushed out the deadline by 18 months).