Voice of the Industry

Delegated authentication: Boost your conversion rates while complying with PSD2 SCA

Thursday 29 April 2021 08:38 CET | Editor: Alex Guzu | Voice of the industry

Kurt Schmid and Suzana Kordumova Nikolova from Netcetera make the case for delegated authentication as a means to mitigate the hurdles of PSD2 SCA compliance

The application of PSD2 SCA standards across the EU in 2021 brought some growing pains with it for issuers, acquirers, merchants, and customers, notably added friction in the payment process. However, delegated authentication is making leaps and bounds as an alternative to traditional long-winded authentication processes. Growing trust between merchants and issuers means that there is a shift in previously rigid authentication processes, leading to faster checkout and less friction for customers. We take a look at what this could look like in the near future, with insight from Netcetera’s Kurt Schmid and Suzana Kordumova Nikolova.

A PSD2 payment puzzle

The revised Payment Services Directive, or PSD2, entered into effect in 2016 with the goal of strengthening the European online payment network and encouraging competition among PSPs. As a result, Strong Customer Authentication (SCA) standards became applicable, aimed at reducing fraudulent online transactions. These became binding for most European countries in 2021, causing payment players to scramble to put stronger authentication measures into place, usually accompanied by migrating to EMV 3-D Secure protocols (aka version 2.x). However, these additional security measures also cause friction in the payment process by adding extra steps for the customer, first to enrol in SCA and then to perform strong customer authentication. As Kurt Schmid says, ‘Every extra step is a step where you might lose the customer on the journey’. Customers do not always understand this extra measure, which can sometimes lead to them abandoning the purchase as well as a lower rate of successful transactions.

Simplifying the process

So how do we balance added security and optimum customer experience? Enter delegated authentication. In the traditional payment flow, authentication is carried out by the issuer. Delegated authentication means that the merchant can directly authenticate the customer, skipping the redirection to the issuer and facilitating the ‘one-click purchase’ experience. It is logical that customers would make purchases more often when the payment process is simplified using delegated authentication, leading to higher conversion rates.

It seems like such an obvious solution that one wonders why it was not in use before. There were, however, significant barriers to putting it into practice. Since issuers were the only parties able to authenticate customers and authorise transactions in the past, this new form of authentication requires agreements between the respective merchant and issuers. Depending on where customers are located, this could be a laborious process involving many (international) issuers or banks. Recently, however, major card networks such as Visa and Mastercard have started offering a brokerage programme where merchants who partner with them only need to have a bilateral agreement instead of concluding contracts with a long list of issuers. This greatly simplifies the process for merchants, while increasing trust between them and issuers, as Visa and Mastercard provide credibility and validity to the authentication. Schmid commented on this shift in the market, saying ‘Delivery of trust, understanding that the issuer will refrain from authentication and believe in the authentication merchant-side, and how this trust is communicated from the merchant to the issuer is newly defined in the protocols and is now being implemented as we speak’.

Future implementation of delegated authentication would require several criteria to be fulfilled, depending on scheme and issuer. Here we will look at one possible use case with Mastercard Identity Check Express. Merchants and e-wallets must be enrolled with their respective payment scheme, then follow the process for initial registration and then checkout. Initial registration consists of 3 main steps:

  1. Identification and verification (ID&V). The consumer must be validated as the legitimate cardholder, using an approved mechanism such as 3-D Secure. In the 3DS 2.2 protocol, the 3DS Requestor authentication information needs to be correctly sent in the first ID&V 3DS Authentication Request.

  2. Device authenticator enrolment. The merchant or e-wallet must obtain consent from consumers to use device authentication for their card, using a device authenticator. This step can take place before or after step 1.

  3. Binding of device. The device authenticator will then be associated with that card.

After this process is completed, the consumer can proceed to checkout. Instant authentication is used in this case.

A boon for customers and merchants alike

The implementation of delegated authentication with the newest protocols brings enormous benefits for customers, but above all for merchants, who can continue to conform with the PSD2 SCA while offering customers a smooth, one-click checkout experience. Previous friction from extra authentication steps is eliminated, as the customer is not redirected to the issuer site but stays in the merchant domain. New options for authentication such as Face ID and biometric fingerprints also cater to customers shopping from their mobile phones, making it easier and faster for them to identify themselves. Easy authentication means easier purchases, and the conversion rate will increase accordingly.

The COVID-19 pandemic has of course caused havoc in Europe and the world at large, but it has also highlighted the need to change purchasing and payment methods, especially in ecommerce. An 18% global increase in first-time ecommerce consumers shows that shopping online is seeing intense growth and is a viable long-term opportunity for merchants. Delegated authentication is an excellent way for merchants to provide frictionless payment to customers while complying with PSD2.

About Kurt Schmid

Since 2020, Kurt Schmid has been the Marketing & Innovation Director for Secure Digital Payments at Netcetera. Previously, from the beginning of 2017, he was responsible for the Digital Payment Division of Netcetera. This resulted from the takeover of Nexperts GmbH, an Austrian mobile payment and NFC specialist of which Schmid was the CEO and founder.


About Suzana Kordumova Nikolova

Suzana Kordumova Nikolova is Senior Product Manager in Netcetera’s Secure Digital Payments division. She leads the development and maintenance of the 3DS SDK and Delegated Authentication products. In her 11 years at Netcetera, she has worked on mobile software applications and payment security, and is especially interested in the payment domain with all the complexity it offers.


About Netcetera

Netcetera is a global software company with cutting-edge IT products and individual digital solutions in the areas of secure digital payment, financial technologies, healthcare, and insurance. Netcetera is headquartered in Zurich, Switzerland, with locations across Europe, Asia, and the Middle East.

