Knowing how the changes to payment services directive (PSD2) will affect you is very difficult to forecast. In a world of unknowns and acronyms, where do you start? How do you estimate the impact? And how do you communicate it to your customers and the rest of the business?
This is the first of two blogs on PSD2. This one will focus on what we’ve done or are planning to do before PSD2 goes live in September. The second later on the year after the rollout will then examine what we learnt, what worked and what didn’t, and what we plan to do in the future. Hopefully you will be able to use this information yourself in preparing for PSD2.
The Impact of SCA
The largest risk of PSD2 for Jagex is the need to use Strong Customer Authentication (SCA) on our European transactions. SCA needs you to check the customer has two of the following:
- Something they have e.g. USB key, phone
- Something they know e.g. passwords, PINs
- Something they are e.g. fingerprints
For e-commerce you would likely use something they have like the credit card, and something they know which will is a 3DS password. So this would mean we need to ask for 3DS for all our European transactions. But the problem is we have a 5% conversion drop when using 3DS, which makes for a big problem.
Most of our work in preparation for PSD2 is how we can mitigate the risk of SCA negatively impacting our payment conversion. We’ve done this in several ways:
- 3DS2, better SCA
- Out of scope transactions
- Exemptions and TRA
- Customer communication
- Help from our acquirer
And I also go into and how we’re forecasting the risk from SCA to the business.
3DS2, better SCA
As we’re going to have to use SCA for a lot of our transactions, to reduce the drop-off we want to offer the best experience possible. Therefore the first thing we did is integrate 3DS2.
3DS2 allows you to send more data to the banks allowing them to make a better decision on the risk of the transaction. If they're happy with it they don't need to challenge the payment so it goes through and is a frictionless experience.
Some of this new data is required to make the system work, so it requires some integration work to support 3DS2. Some of the data can be added extras that you think would help the banks make their decision so you can get more frictionless payments through.
However, not many banks appear to be ready to use this extra data yet so we haven’t invested any engineering effort to provide it. Something to investigate next year.
User flow improvements
3DS2 is designed to be mobile optimised and can be incorporated into your own payment flow using an iFrame. This allows us more control of the experience around the 3DS2 request to give information and understanding to our customers.
We are running A/B tests in our payment flow to test how and what is the best information we can give, and if they are having issues completing SCA, recommending other payment options which maybe more successful to them.
Issuing banks can use many ways of getting authorisation from their users. 3DS1 just used a password, and as this was used so infrequently, many people forgot it. 3DS2 allows banks to create mobile experiences which allows the use of their phones fingerprint scanner or face recognition.
We’ve completed our 3DS2 integration and we’re ready to start testing it with customers, but most banks aren’t supporting it yet. We will continue to test what we can, but this has really slowed our ability to prepare for PSD2.
To make matters worse, as most banks aren’t ready for 3DS2, it is looking more and more likely that they will use 3DS which doesn’t have all the benefits of 3DS2. Even more reason for us to try and avoid SCA altogether.
Out of scope transactions
Some of our transactions are completely out of scope of needing SCA because they are Merchant Initiated Transactions (MIT).
MITs are a series of transactions which have been agreed and initiated by the customer, but subsequent payments take place without the cardholder. So subscriptions, basically.
But we had to meet a few requirements to use MIT:
- The cards need to be correctly tokenised with your acquirer. Check with them if you’re unsure if yours are.
- The first transaction initiated by the customer needs to have SCA, unless it was taken before the release of PSD2 which we will be doing.
- We need to process a transaction on that agreement every 6 months or get SCA again.
Exemptions and TRA
For all our transactions that aren’t MIT, we’re going to be using SCA exemptions wherever we can. These fit into two main categories for us:
- Low Value/Risk Transactions - low value is any transaction that is less than €30, but that threshold increases based off how low your acquirer’s chargeback rate is
- 0.13% to exempt transactions below €100
- 0.06% to exempt transactions below €250
- 0.01% to exempt transactions below €500
- Trusted Beneficiaries - your customers can ask for you to be whitelisted, but rumors are that no banks will be ready to support this in 2019 as it requires 3DS2, so we’re not going to worry about this until 2020.
However, exemptions have two major problems which make them less valuable than out of scope MITs:
- Using the exemption is completely up to the bank. They can still ask for SCA if they want. There are suggestions that 80% of banks may do this, some say 20%. It’s impossible to predict until PSD2 goes live.
- If the transaction is either the fifth transaction that the bank has seen without SCA, or is the transaction that takes the total spend on the card over €100 since the last SCA, you can’t use an exemption. Both of these are measured by the bank, so you’ll have no idea when you submit the payment if this is going to happen.
So, although 99% of our transactions can be covered by low value/risk transaction exemption, we will always have to support good SCA processes.
Knowing that 3DS2 may not be ready for a lot of banks, we have to think about communicating with our customers to prepare them for any changes.
We plan to start this process over the next couple of months, in combination to the guidance in the user flow we’re A/B testing with the aim of reducing the abandonment rate as much as possible. We will also post guides on our websites and send emails to our affected European customers.
Help from our acquirer
The first place for all merchants should be working with their acquirers.
Our acquirer is well on the way to finishing their PSD2 preparations and has given us lots of information on PSD2 via our Account Manager and training sessions. There are a few key points you should be talking to your acquirer about:
- What is PSD2 and how will it affect your business?
- When will they support 3DS2?
- What work do you need to do on your side to use 3DS2?
- What data do you need to send?
- How will it change your user flows?
- What is your acquirer’s chargeback rate and what level of Transaction Risk Analysis (TRA) threshold will they have?
- How will they support SCA exemption requests to the issuers?
- Are they covering this for you or do you have to do it?
- How will it be configured?
- Who decides what exemption you ask for?
Measuring the cost of SCA
Predicting how SCA will impact Jagex and our customers is very challenging.
The first piece of information we needed was a guess - how many banks around Europe will use the exemptions we provide, and how times will our transactions be the fifth transaction or the one to take it over €100?
Using this guess and our European volume gave us a range of transactions from best case to worst case which would need SCA.
Our tests with 3DS showed a 5% drop in conversion when using SCA, but we don’t know if 3DS2 will have a similar drop off, so we’re taking assuming this is a worst case.
Of the 5% who dropped out, we assessed how many used another payment method (ignoring transaction costs and basket values as we thought this was a variable too far).
The end value gives us a forecasted best to worst case predictions, and this is what we have shared with our exec and finance teams.
It remains to be seen how close our estimate is.
For more details on PSD2 you can check out the official information form the Financial Conduct Authority and the European Banking Authority at the links below.