[HN Gopher] Payments down 20% in my SaaS after EU introduced PSD2
___________________________________________________________________
Payments down 20% in my SaaS after EU introduced PSD2
Author : rokkk
Score : 80 points
Date : 2021-05-10 20:45 UTC (2 hours ago)
(HTM) web link (www.globalbankingandfinance.com)
(TXT) w3m dump (www.globalbankingandfinance.com)
| xbar wrote:
| Does the EU regulatory environment lead in onerousness or is it
| working well?
| Gravityloss wrote:
| Finland has been an early adopter in internet banking. In general
| it's been working well. I've heard horror stories from other EU
| countries with very very weak authentication schemes.
| Merem wrote:
| Don't have a mobile phone, so I guess I would count towards those
| numbers. A shop branch I used to buy at had 3-D Secure for years
| but after asking nicely, they disabled that authentication for
| me. However, ever since they merged with the main website earlier
| this year, it's no longer possible. So theoretically, it would be
| impossible for me to buy anything anymore...if not for the fact
| that they now allow you to buy "points" via PayPal with which you
| can then buy products in the shop. It's more complicated, takes
| longer and has other disadvantages (such as not buying the
| products directly) but for now, it works. Other websites which
| don't have such a workaround will simply end up with an
| "abandonment".
| hocuspocus wrote:
| So, some VP at a fraud prevention company recommends that
| merchants avoid 3DS and use a fraud detection platform, got it.
|
| I don't know if we can find better data somewhere else but I
| would assume that abandonment rates will decrease _thanks to_
| PSD2:
|
| - SMS tokens are finally on their way out; more and more people
| are installing their bank's mobile app, which is used as the
| second factor (you get a push notification, you have to unlock
| and accept the transaction).
|
| - We'll see some harmonization across EU/EEA merchants. No more
| cases of "the German website doesn't trigger 3DS but the French
| one does".
| TazeTSchnitzel wrote:
| Here in Sweden, some major banks already refused to let you do
| card transactions without SCA/3DS, before PSD2 was even passed.
| As a result, PSD2 finally being implemented is a welcome relief
| for me, because those annoying services that would always cause
| a card decline are now being forced to show a 3DS prompt
| instead. That prompt is also pretty convenient here because of
| the wide deployment of _Mobile BankID_.
|
| (The experience before was: pray this merchant supports 3DS,
| discover that it doesn't, fish out your phone and open mobile
| banking, authenticate with mobile banking, find and use the
| toggle that temporarily allows non-3DS transactions. Now I just
| bring up the authentication app when prompted.)
| toxik wrote:
| Meanwhile, Sweden's response to PayPal, Klarna, "integrates"
| with your internet bank by logging in to it and pretending to
| be you. The authentication prompt you get clearly says "you
| are logging in to $yourBank" when you do it too.
| cinntaile wrote:
| This is also the result of regulations. Opening up the
| banks "APIs" to outsiders.
| SahAssar wrote:
| While I mostly agree with you the fact that BankID does not
| support (desktop or non-android) linux at all or other secure
| auth methods like U2F for any platform is sad. If you want to
| be a modern citizen in sweden today you need to use at least
| one device with a non-free OS just to access basic services.
| SOLAR_FIELDS wrote:
| I don't know payments infrastructure super well, but reading
| your comment it makes me wonder if what you are talking about
| is related to the card woes that I had when I lived there in
| 2018. Not having a Swedish bank account and paying for larger
| sums with my American credit card would often trigger
| declines and I would have to contact my card issuer to
| authorize the payment to go through frequently. I
| specifically remember having a lot of trouble whenever I
| would pay a company that used the Swedish company called
| "DIBS" to authorize my payment.
| TazeTSchnitzel wrote:
| You were most likely experiencing a problem on the opposite
| end: the merchant (or their payment processor) rejecting
| you, rather than your card issuer.
| Macha wrote:
| So the effects of PSD2 I've noticed:
|
| 1. My bank now _requires_ SMS 2fa, for many actions like
| logging in, viewing transaction history > 1 month, or making
| purchases online.
|
| 2. My bank has killed their mobile web page in favour of their
| app. The desktop web page still works, but if you try to visit
| it with a mobile UA you still get told to use the app.
|
| 3. Not 100% sure this is PSD2 related, but my bank have made
| their password policies less... dumb. It used to be max 8
| chars, case insensitive, anything longer was silently
| truncated. In addition, the signup form used to allow
| alphanumeric characters, but the change password form only
| allowed alphabetical.
|
| 4. Presumably because of 1, they now no longer randomly decline
| transactions to smaller vendors. They used to then send you a
| text asking you to phone the fraud department to clear it. The
| first couple of times, I thought the text _was_ the fraud.
|
| Now it's entirely possible my bank have just misinterpreted
| what's required of them, their prior actions show they aren't
| the most technically competent, but that's not what they were
| chosen for.
| pjmlp wrote:
| The main issue with SMS tokens going away is all those people,
| especially elderly ones, that are now forced to buy a phone they
| cannot understand how to deal with.
|
| Just like the clever idea some cities have had to initially
| only offer covid vaccination appointments over their website.
| thefounder wrote:
| Well...if they use the internet to shop online a mobile app
| should not be that hard to deal with given it's
| installed/configured by the bank clerk. All the mobile phones
| are "smart phones" now anyway.
| pjmlp wrote:
| Plenty of dumb phones available at the shopping malls over
| here.
|
| Besides the UX of the Internet is not the same as the phone
| and these are the kind of users that end up with the
| browser full of extensions trying to make pesky dialogues
| go away.
| withinboredom wrote:
| > a mobile app should not be that hard to deal with
|
| My grandma can't even use a smart phone to call people
| with. She only answers if you call because she is literally
| terrified of technology.
| estaseuropano wrote:
| 100% agree, this is self-interested drivel with nonsense data
| and no actual evidence. Intention is to sell their product.
| withinboredom wrote:
| > which is used as the second factor (you get a push
| notification, you have to unlock and accept the transaction).
|
| This breaks more often than you'd think. I'm still locked out
| of Facebook on one device because I can't seem to receive the
| unlock notification and I'm terrified to reinstall Facebook on
| my phone and then be actually locked out. I'm not a fan of
| Facebook, but it's the only way to contact some of my
| friends/family these days via video.
|
| I've also had similar issues with actual banks where the
| notification appeared and I accidentally tapped "decline" or
| even dismissed the notification by accident. I've also never
| received them (mostly with ~Transfer~Wise). Edit to add: I've
| also been too lazy to walk to the phone charger to press
| "accept" and just given up.
|
| I think it's a pretty well known phenomenon in ecommerce that
| the more "clicks" you add to checkout, the less % of people
| that will make it to the end. I don't see this decreasing cart
| abandonment at all.
| judge2020 wrote:
| Google, Duo, and Authy all seem to do fine even in low-data
| (1 bar non-lte 4g) scenarios, so that's probably a bank &
| facebook issue. They probably rely on the push notification
| to carry and push state to the user's device with no backup
| mechanism for when this fails.
| withinboredom wrote:
| Of those three, I've never had an issue -- and I pretty
| regularly wander around with 1 bar non-lte quality service.
| summm wrote:
| These apps are worse. Each of them has its own horrible
| interface and horrible surveillance functionality. For Android
| they usually check if you have an officially sanctioned and
| non-rooted google phone. If I wanted to be patronized by the
| phone manufacturer, I would buy apple... I indeed do want to
| have full control over my phone. It is a freedom we are
| gradually losing. RMS was right all along... But of course they
| do not care about actual security, that is, whether your phone
| has the current security patch level. So for old phones with no
| official patches you can't even install Lineage and you're
| worse off.
| andraz wrote:
| If Mastercard or Visa did an app that would work across all of
| their cards, that would be ok. But how can a separate app from
| each bank be considered better than SMS? It's just an annoying
| lock-in. And the quality of apps from many banks is sub-par.
| Rafert wrote:
| 100%. 3DS is for card payments and using the Netherlands and
| Germany as examples here is just plain bad - in these countries
| bank-based payment methods are more popular: iDEAL in NL (which
| has used 2FA for years), Sofort and Giropay in DE.
|
| See: - https://www.adyen.com/knowledge-hub/guides/global-
| payment-me... - https://stripe.com/en-us/payments/payment-
| methods-guide#paym...
| lxgr wrote:
| At least the German services also need 2FA these days, though
| (since they access bank accounts, which require 2FA for all
| outgoing payments as well).
| sib wrote:
| >> more and more people are installing their bank's mobile app,
| which is used as the second factor (you get a push
| notification, you have to unlock and accept the transaction
|
| Great - so much for those times where I've been traveling
| internationally, been able to make a purchase using a web page
| hosted on a shared computer or one owned by a companion, but
| don't have mobile phone access to get a push notification.
|
| Thanks, regulators!
| pmontra wrote:
| SMS are not much on their way out. I just got an OTP via SMS
| for an online credit card payment. Then I had to insert my
| secret PIN too. Friction friction friction.
|
| Some banks authorize operations with their apps: it's either
| fingerprints, PINs or codes by SMS. Usually a combination of
| two of them. One bank also requires a kind of captcha. Of
| course I'm hating all of this. I wish they pay me for the extra
| work.
|
| We were better off when things were worse /s
| bjohnson225 wrote:
| > some VP at a fraud prevention company recommends merchants to
| avoid using 3DS and use a fraud detection platform, got it.
|
| Yeah, if PSD2 had an impact as dramatic as the article says
| then there would be a massive amount of noise from all EU/UK
| retailers. Instead we get an article from somebody with
| something to sell.
| unilynx wrote:
| How many of these 3DS failures switch to an alternative payment
| method?
|
| A drop in EU e-commerce sales between 20% and 50% would be big
| news we wouldn't have missed, so where are these sales going? Or
| are these transactions still a tiny bit of the overall e-commerce
| value? If users opt for a cheaper (and not easily clawed back)
| payment method because they can't complete the 3DS challenge, the
| merchants may still win.
| codethief wrote:
| I absolutely hate 3DS, for two reasons:
|
| 1) I now have to do the 3DS procedure for amounts as small as
| 1,80EUR
|
| 2) My bank's 3DS "website" requires me to enter my online banking
| PIN (the one for my entire account, not just my credit card PIN!)
| and since that website gets opened in an Android WebView I can't
| even be sure that the app invoking the WebView doesn't actually
| obtain my PIN through a key logger. Fantastic.
| Jolter wrote:
| Does your bank not have a phone app? Consider switching to one
| that has.
| opheliate wrote:
| I've personally always found 3DS a bit worrying from a security
| POV. I'm sure much smarter minds than mine designed it, and had
| reasons for doing so, but I've seen it implemented in iframes
| on websites I use before. It really doesn't seem to encourage
| good security practices in normal users where they're being
| encouraged to enter their bank password when the URL they see
| doesn't match. Plus the URL itself often refers to Arcot, the
| company who make 3DS, rather than the bank whose branding is
| all over the page. Very weird.
| AnssiH wrote:
| I've noticed that domestic Finnish online stores (most of
| which have had 3DS for over a decade now) generally do not
| use iframes and I can see my bank's domain on the address bar
| when performing 2FA for card transactions, whereas most
| international stores (most of which only recently have
| started using 3DS) seem to almost always use iframes, hiding
| my bank's domain.
|
| However, it doesn't matter that much with my bank nowadays
| since I don't have to enter anything on the browser - I just
| accept the transaction details shown by the bank app on my
| phone.
| 988747 wrote:
| Before 3DS I had my credit card details memorized, so I could
| shop online conveniently. Now I have to keep my phone around
| and type in SMS passwords everywhere.
| estaseuropano wrote:
| 3DS should do the exact opposite, away with SMS.
| robert_foss wrote:
| It doesn't have to be SMS password. Some banks are way more
| convenient. I only need my phone+fingerprint.
| mattmanser wrote:
| In the UK they introduced it ages ago, and have now changed it
| so it remembers your IP and browser, so it never, ever asks for
| the pin now.
|
| Kinda defies the point, and makes it very easy to forget the
| code as I put it in like once a year.
|
| But there is less friction, you click buy, it redirects
| somewhere else (fairly slowly, perhaps by design), then done.
| estaseuropano wrote:
| For me it opens the bank app which shows amount, seller,
| subject line and asks me to confirm with pin or fingerprint,
| taking all of 2 seconds. No more entering bank card numbers.
| Not sure what bank you are using but this seems like bad
| implementation not bad idea.
| bjohnson225 wrote:
| 1 could be a bad implementation from the merchant. There is an
| exemption for low value (<EUR30) transactions and you can do
| five low value transactions before needing re-authentication.
| robert_foss wrote:
| Switch to a more modern bank. I've got both a crappy German one
| and a good one. The difference in friction is big.
| RicoElectrico wrote:
| Meanwhile in Poland I use BLIK [1]. Simple and reasonably secure,
| the downside being no chargeback facility.
|
| The bonus is that Przelewy24 is often presented as a payment
| option in global shops like Steam or AliExpress, so I can use it
| there as well.
|
| [1] https://blik.com/en
| globile wrote:
| We developed an internal 3DS attempt strategy to try to remedy
| this [0], but it is not ideal.
|
| Basically, try 3DS (with no authentication), then try regular
| charge (NON 3DS), then if all else fails try a full 3DS charge.
| You'd be surprised by the disparity, especially internationally,
| and we do recoup some charges at the expense of triggering some
| unintended blockage.
|
| When asking our provider (Stripe in our case) about the best
| strategy for this, it always comes down to "Let SCA (Strong
| Customer Auth) rules and logic handle everything", but this
| simply doesn't work well.
|
| I really wish the likes of Adyen, Stripe, etc...would help out
| with better decline ratio strategies.
|
| I think we are all plagued by "do_not_honor" and
| "transaction_not_allowed" codes that do little to move us in any
| direction...
|
| [0] https://medium.com/@globile/using-stripe-to-sell-
| internation...
|
| EDIT: Fixed the order of actions...
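The attempt order described in the comment above (a 3DS request the issuer may approve without a challenge, then a plain non-3DS charge, then a full 3DS challenge as the last resort) is easier to reason about as a fallback chain with an explicit record of every attempt. Below is an added example, not the commenter's code and not Stripe's or any gateway's API: `charge_with_fallback`, the step names, the `Outcome` and `ChargeResult` types and the BIN-keyed issuer table are all hypothetical, and the issuer answers are constructed. The decline codes driving the chain are the two nondescript ones the comment names plus a soft `authentication_required` decline.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# The order from the comment: a 3DS request the issuer may approve without a
# challenge, then a plain non-3DS charge, then a full 3DS challenge.
ATTEMPT_ORDER = ("3ds_no_challenge", "non_3ds", "3ds_challenge")

# Decline codes after which moving to the next step can help: the two
# nondescript ones the comment names, plus a soft decline that explicitly
# asks for authentication. Anything else ends the chain.
RETRYABLE_CODES = {"do_not_honor", "transaction_not_allowed", "authentication_required"}
HARD_DECLINE_CODES = {"lost_card", "stolen_card", "pickup_card", "insufficient_funds"}


@dataclass(frozen=True)
class Outcome:
    """One gateway/issuer answer: approved, or declined with a code."""
    approved: bool
    code: Optional[str] = None


@dataclass
class ChargeResult:
    approved: bool
    step: Optional[str]          # the step that succeeded, if any
    liability_shift: bool        # True only when the approval came through 3DS
    trail: List[Tuple[str, Optional[str]]] = field(default_factory=list)


# Hypothetical gateway signature: (card_number, amount_cents, step) -> Outcome
Gateway = Callable[[str, int, str], Outcome]


def charge_with_fallback(card_number: str, amount_cents: int, gateway: Gateway) -> ChargeResult:
    """Try each step in ATTEMPT_ORDER until one is approved or a decline code
    says retrying is pointless. Every attempt is recorded in `trail` so the
    decline pattern per issuer can be reviewed later."""
    result = ChargeResult(approved=False, step=None, liability_shift=False)
    for step in ATTEMPT_ORDER:
        outcome = gateway(card_number, amount_cents, step)
        result.trail.append((step, outcome.code))
        if outcome.approved:
            result.approved = True
            result.step = step
            result.liability_shift = step.startswith("3ds")
            break
        if outcome.code in HARD_DECLINE_CODES or outcome.code not in RETRYABLE_CODES:
            break  # hard or unknown decline: do not keep hammering the issuer
    return result


# Constructed issuer behaviours keyed by the card's first six digits (the BIN).
# Each maps a step to that issuer's answer; a missing step is answered with
# "transaction_not_allowed".
SAMPLE_ISSUERS: Dict[str, Dict[str, Outcome]] = {
    "400000": {"3ds_no_challenge": Outcome(True)},                       # frictionless 3DS works
    "411111": {"3ds_no_challenge": Outcome(False, "transaction_not_allowed"),
               "non_3ds": Outcome(True)},                                 # no 3DS support at all
    "422222": {"3ds_no_challenge": Outcome(False, "authentication_required"),
               "non_3ds": Outcome(False, "do_not_honor"),
               "3ds_challenge": Outcome(True)},                           # insists on a challenge
    "433333": {"3ds_no_challenge": Outcome(False, "stolen_card")},        # hard decline
}


def make_simulated_gateway(issuers: Dict[str, Dict[str, Outcome]]) -> Gateway:
    """Stand-in for the PSP call; a real integration replaces only this function."""
    def gateway(card_number: str, amount_cents: int, step: str) -> Outcome:
        issuer = issuers.get(card_number[:6], {})
        return issuer.get(step, Outcome(False, "transaction_not_allowed"))
    return gateway


if __name__ == "__main__":
    gw = make_simulated_gateway(SAMPLE_ISSUERS)
    for pan in ("4000000000000002", "4111111111111111", "4222220000000000", "4333330000000000"):
        r = charge_with_fallback(pan, 25_00, gw)
        print(pan[:6], "approved" if r.approved else "declined", r.step, r.liability_shift, r.trail)
```

Two caveats a practitioner would attach to this: an approval on the `non_3ds` step has no liability shift, so any chargeback on it lands on the merchant, and three attempts in quick succession on one card look like card testing to an issuer's velocity controls, which is the "unintended blockage" the comment mentions. Keeping the trail per BIN is what lets you decide which issuers deserve a shorter chain.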
| ojagodzinski wrote:
| In Poland we have something called "Blik"
| (https://en.wikipedia.org/wiki/Blik) state of the art internet
| payment system. https://blik.com/ Sadly it has to be supported by
| bank (to be specific their mobile app) so not usable by all EU
| customers. But since it is also operated by banks (they share
| cost of IT infrastructure) commission is much lower than
| Visa/MasterCard and a million times easier to use.
|
| In 2020 Blik had 7 million users and processed 424 million
| transactions. In 2019, the number of Blik transactions exceeded
| the number of transactions made on the Polish Internet with
| payment cards.
|
| In PSD2/3DS world paying with card is real pain in the ass, only
| advantage is transaction insurance and chargeback.
| arthurcolle wrote:
| is that per calendar year or in total?
| isbvhodnvemrwvn wrote:
| It's probably worth noting that online transactions with
| payment cards were never the dominant form of payment, many
| people preferred to send a bank transfer directly (with delay
| until next payment session) or use a number of services which
| work as middle men to settle these transactions instantly.
|
| Card payments are often seen as the least secure way of paying
| for stuff, but they are mildly more convenient than sending a
| bank transfer.
| kjagiello wrote:
| Sweden has adopted something similar, Swish[1]. Co-owned by
| banks and so far without any fees for private entities. The
| adoption rate has been really incredible. Already 75% of the
| population has signed up for it and, in 2020, made over 600
| million transactions.
| the_mitsuhiko wrote:
| On the other hand PSD2 improved the quality of 2FA flows
| tremendously. I can now use Face ID to approve credit card
| transactions where previously I had to go through an awkward text
| based flow.
| gray_-_wolf wrote:
| > Users may also choose to abandon a transaction simply because
| there are additional steps to complete, giving them more time to
| contemplate their purchase.
|
| Why is it a bad thing that people have more time to think about
| things?
| dr_faustus wrote:
| EU did not "introduce" PSD2 this year, it was/should have been in
| effect since Sept 2019!
|
| However, the member states (and therefore the EU) have cut the
| banks an inordinate amount of slack to get their shit together,
| even though they have been heavily involved in the writing of
| PSD2 and had since 2015 (!) to implement everything. Here in
| Germany, in September 2019, which should have been the hard end
| of a one year grace period, practically no bank actually had a
| working PSD2 API or had implemented 2 factor authorization
| properly.
|
| So all the whining about PSD2 six years after it passed is
| ridiculous. Everybody had plenty of warning and time to get their
| site prepared and checkout processes optimized. And quite
| frankly, unless the author of the article is running some kind of
| one-click order scam, I find the drop of up to 50% in conversion
| highly unlikely. From my experience with dozens of e-commerce
| sites, the drop is negligible. And considering the rampant credit
| card fraud, 2FA was long overdue.
| WesolyKubeczek wrote:
| The practical outcome looks more like:
|
| - Customers who have had their card on file will fail the next
| subscription payment. Many are going to discover they have been
| paying for months/years for something they didn't really need,
| and walk away.
|
| - Incorrect 3D-Secure integration will cause payments from EU to
| fail straight away. Even some payment gateways didn't understand
| how it worked back when the enforcement loomed for the first
| time, and this is literally their job. The solution is to read
| the documentation carefully and fix your stuff.
|
| It's a misconception that people are going to get confused by
| PSD2. We in Europe, depending on the bank, have had it for two
| years now. We got used to it and if we really want to pay, we
| will.
| bjohnson225 wrote:
| Subscription payments are exempt. Only payments initiated by
| the customer require authentication.
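The two exemption rules mentioned in this thread (bjohnson225's note that transactions under EUR 30 are exempt and that five of them can go through before re-authentication, and the point just above that subscription renewals are not customer-initiated and so need no challenge) can be written down as one decision rule. Below is an added example, not from the page and not any issuer's or PSP's real code, modelling how an issuer-side SCA engine might apply them. `CardState`, `Transaction`, `sca_decision` and `simulate_checkouts` are hypothetical names. The EUR 100 cumulative-amount counter is the alternative the RTS on SCA (Commission Delegated Regulation (EU) 2018/389, Article 16) lets an issuer track instead of the five-transaction count; the page mentions only the count.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Tuple

# Low-value exemption thresholds (RTS on SCA, Article 16): a remote card
# transaction of at most EUR 30 may skip the challenge while, since the card
# was last authenticated, at most five such transactions have been made (or
# their previous cumulative amount has not exceeded EUR 100). The issuer
# tracks one of the two counters. Amounts are integer cents.
LOW_VALUE_LIMIT_CENTS = 30_00
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE_CENTS = 100_00


@dataclass
class CardState:
    """Model of the per-card counters an issuer keeps between challenges."""
    exempt_count_since_sca: int = 0
    exempt_cents_since_sca: int = 0

    def record_successful_sca(self) -> None:
        """A completed challenge resets both counters."""
        self.exempt_count_since_sca = 0
        self.exempt_cents_since_sca = 0


@dataclass
class Transaction:
    amount_cents: int
    # "payer": the customer is at the checkout; "merchant": e.g. a
    # subscription renewal charged to a card on file with no customer present.
    initiated_by: str
    # For merchant-initiated charges: whether SCA was done when the customer
    # set up the mandate (that first payment is customer-initiated).
    mandate_authenticated: bool = False


def sca_decision(txn: Transaction, state: CardState, counter: str = "count") -> Tuple[bool, str]:
    """Return (challenge_required, reason). When the low-value exemption is
    granted the counters are advanced. `counter` is "count" or "amount"."""
    if txn.amount_cents <= 0:
        raise ValueError("amount must be positive")
    if txn.initiated_by == "merchant":
        # Merchant-initiated transactions are outside SCA scope once the
        # mandate itself was authenticated; a card stored without that step
        # falls back into the challenge branch.
        if txn.mandate_authenticated:
            return False, "merchant-initiated: out of SCA scope"
        return True, "merchant-initiated without authenticated mandate"
    if txn.initiated_by != "payer":
        raise ValueError(f"unknown initiator {txn.initiated_by!r}")
    if txn.amount_cents > LOW_VALUE_LIMIT_CENTS:
        return True, "above EUR 30 low-value limit"
    if counter == "count":
        within_limit = state.exempt_count_since_sca < LOW_VALUE_MAX_COUNT
    elif counter == "amount":
        within_limit = state.exempt_cents_since_sca <= LOW_VALUE_MAX_CUMULATIVE_CENTS
    else:
        raise ValueError(f"unknown counter {counter!r}")
    if not within_limit:
        return True, f"low-value {counter} limit exhausted since last SCA"
    state.exempt_count_since_sca += 1
    state.exempt_cents_since_sca += txn.amount_cents
    return False, "low-value exemption"


def simulate_checkouts(amounts_cents: List[int], counter: str = "count") -> List[bool]:
    """Run customer-initiated payments on one card and return the challenge
    decisions; a challenge, once passed, resets the counters."""
    state = CardState()
    decisions = []
    for cents in amounts_cents:
        challenge, _reason = sca_decision(Transaction(cents, "payer"), state, counter)
        decisions.append(challenge)
        if challenge:
            state.record_successful_sca()
    return decisions


if __name__ == "__main__":
    # Seven EUR 10 purchases: the sixth is challenged, then the count restarts.
    print(simulate_checkouts([10_00] * 7))
```

The exemption is the issuer's decision; a merchant can only request it through its PSP and must be ready for the challenge branch anyway. The merchant-initiated branch is also why a card stored before enforcement, with no authenticated mandate behind it, fails its next renewal rather than sailing through.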
| Aerroon wrote:
| > _It's a misconception that people are going to get confused
| by PSD2. We in Europe, depending on the bank, have had it for
| two years now. We got used to it and if we really want to pay,
| we will._
|
| When a (random) app opens a bank login page for me and asks me
| to type in my bank login information in a third party app, then
| that very much does confuse me. That's one of the ways people
| get scammed through phishing attacks. And now this is
| effectively mandated by law.
|
| I've definitely chosen not to pay for a few things, because I
| didn't trust the app enough with my bank's login information.
| With a credit card I could easily dispute false charges. With
| bank authentication, I doubt it'll be as easy.
| WheelsAtLarge wrote:
| There's always going to be a decline in sales when new friction
| is added to a process. But, as people get used to the process
| those sales come back. The idea that nothing can change because
| it will hurt sales is short sighted. It leads to a stagnated
| system where competition will beat you out of existence.
|
| PSD2 is a process that's system wide and needed so if things need
| to change this is the best way to do it where everyone takes the
| hit together as a way to move forward.
| estaseuropano wrote:
| Consumer protection legislation protecting consumers. I don't see
| the issue.
|
| > Since many consumers are not familiar with the 3DS process,
| there is a higher chance of abandonment during the authentication
| process. Users may also choose to abandon a transaction simply
| because there are additional steps to complete, giving them more
| time to contemplate their purchase.
|
| The data here is not really provided so we have no way of
| verifying they are stating e.g. simply that conversion in Germany
| went from 80%+ to 40%+ just due to PSD2 requirements to verify
| identity. 50% of consumers stop their purchase because they have
| to verify their CC? That seems absurd.
|
| If the reason as cited above is unfamiliarity this means it is a
| purely temporary impact. If its birthing issues of implementation
| that too should be temporary. If consumers stop their buy due to
| reflection or realising that they don't trust the shop that too
| is a good thing.
| Jiocus wrote:
| Doesn't sound too strange considering it's a change consumers
| need to adjust to, maybe set up proper 2FA. Just give it some
| time, if that's the case. Another way to see it, is that 3-D
| Secure works, but they don't want to see it that way.
|
| From the tone of the article, I imagine the author was resisting
| 3-D Secure from the beginning and settled their minds already and
| so, they will only see their own negativity reflected back on
| them when trying to make sense of it.
| opheliate wrote:
| Should the title of this submission be changed? It's not the
| title of the original article, and the author doesn't even seem
| to run a SaaS, it seems like it might be the experience of the
| OP?
| thegeomaster wrote:
| >Users may also choose to abandon a transaction simply because
| there are additional steps to complete, giving them more time to
| contemplate their purchase.
|
| Good. Means you've manipulated people into spending their money
| very intensely if they will abandon the transaction once the
| first rational thought comes in. I would personally add a third
| factor for good measure.
| foepys wrote:
| I had my first encounter with a PSD2 measure the other day. It
| was very straightforward with my bank. The shop redirected me to
| my bank's website where I logged in with MFA and clicked OK.
| Done.
|
| A subsequent order worked by just entering my CC details.
| morpheuskafka wrote:
| > The first thing that can reduce conversions is the higher rate
| of 3DS triggered user abandonment. Since many consumers are not
| familiar with the 3DS process, there is a higher chance of
| abandonment during the authentication process.
|
| This would presumably go away once PSD2 is fully implemented and
| all purchases require it, which is a benefit of requiring it by
| law rather than letting merchants choose whether or not to
| require it. Requiring it is a common good in the sense that it
| reduces the economy's overall loss due to fraud.
|
| Additionally, as the article mentions, using 3DS shifts liability
| for charge not authorized disputes from the merchant to the bank.
| Thus, the decreased rate of conversions must be compared against
| decreased losses due to chargebacks.
| razius wrote:
| I agree, the change needs to be viewed overall. The liability
| shift is a godsend, it also decreases customer support contacts
| to verify if the order is fraud or not.
|
| Also, paired with 3DS2's frictionless flow we actually saw a
| small uptick.
| globile wrote:
| It quickly gets complicated. There are many more variables to
| take into account.
|
| - SCA exemptions
| - Prepaid Cards (with no built in 2FA support)
| - Banks in less developed markets (No 3DS)
| - "We encountered a 3DS processing error" is a common nondescript
| message which occurs with international payments
|
| For regular merchants, the decrease in conversion (double
| digit) is VERY far away from any improvements in chargebacks.
| Bear in mind that most merchants need to stay below 0.75-1%
| chargeback regardless of conversion/decline ratios.
|
| EDIT: Spelling
| lxgr wrote:
| Depends on the business though, right?
|
| In a high-value, low-margin business, reducing chargeback
| losses to almost zero might be worth the cost of a double-
| digit conversion drop. In other circumstances, the same
| numbers can be catastrophic.
| aza05001 wrote:
| what is PSD2?
| scrollaway wrote:
| A set of directives by the EU to make online payment
| transactions more secure and reduce fraud. Some of those
| directives impact UX, including 3DS requirements, which is a
| form of 2fa for payments.
| red_trumpet wrote:
| https://en.wikipedia.org/wiki/Payment_Services_Directive?wpr...
| nsxwolf wrote:
| It is the Revised Payment Services Directive requirements for
| Strong Customer Authentication. An EU directive that applies to
| credit cards issued by EU merchant banks for transactions that
| occur within the European Economic Area.
|
| Basically a popup that will request some extra form of security
| verification for relevant transactions.
| ballenf wrote:
| Kind of a side point, but I think it could be argued that some
| transaction friction is a good thing at a societal level. (So
| long as the friction is agnostic to demographic or income level.)
|
| My spending, consumption and general wasteful consumerism is
| healthier when I don't have Amazon Prime. I'm more thoughtful
| about what I need and will batch up purchases, often removing a
| portion of the cart.
| [deleted]
| cabirum wrote:
| 3DS is a type of 2FA that makes stolen card credentials harder to
| use. It does not replace but augments existing antifraud
| techniques.
|
| 3DS is merely a positive marker for antifraud system. This means
| a 3ds transaction is less likely to trigger antifraud rejection,
| and antifraud declines are the reason for user abandonment - you
| can't simply retry a payment attempt in that case.
| willeh wrote:
| Purely anecdotal but I have never had any problems with increased
| authentication for purchases. It feels safe to digitally sign
| every single purchase I make and with a good UX on the store
| front it can be a great experience.
| vineyardmike wrote:
| Very interesting to hear about the impact of this regulation on
| industries many here work in but I have many questions that were
| answered...
|
| What is PSD2?
|
| What is 3DS?
|
| Why do these exist and what did they solve?
|
| Edit: Thanks for the responses everyone!
| moooo99 wrote:
| The 3DS is a handheld console by Nintendo.
|
| Just kidding, 3DS is short for 3D-Secure and is an approach to
| make payments with credit cards more secure. Things like 3DS
| are mandated by the PSD2 which came into effect a while ago.
|
| PSD(2) is short for payment services directive, it's a set of
| rules to make online payments more secure and reduce the risk
| of fraud. It has some requirements, such as two factor
| authentication (3DS) etc for basically any service that is
| processing payments online.
| lrem wrote:
| 3DS is 2FA for credit card transactions. PSD2 is the law
| requiring it in EU.
| WesolyKubeczek wrote:
| 3d-Secure is basically a form of 2FA for payments. It has been
| around for almost two decades. US banks seem to have happily
| ignored it, as well as EMV/NFC cards even when good ol'
| magstripe had been shown to be hackable with a potato, and thus
| companies who lived in the US come to do business in Europe,
| find an "impenetrable wall" of having to integrate correctly
| with a 2FA process they don't understand. Same as GDPR, really.
| "How come it's opt-in and not opt-never?"
| robinjfisher wrote:
| I'll link up Stripe's docs for SCA[1] as they have been very
| helpful for me in getting Leavetrack[2] set up for SCA.
|
| PSD2 is the Second Payment Services Directive from the EU. A
| directive is required to be implemented in national law no more
| than two years after it is passed and whilst there have been
| delays, the past 12 months have seen a ramping up of banks
| implementing Strong Customer Authentication.
|
| 3DS (3D Secure) is like 2FA for debit/credit cards. In my case,
| I bank with Monzo and if a transaction requires 3DS, I have to
| open the Monzo app on my phone and confirm it. There are other
| aspects to SCA e.g. if I have used contactless payment
| frequently, I am more likely to be prompted to enter my PIN to
| confirm I still have my card.
|
| [1] https://stripe.com/gb/payments/strong-customer-
| authenticatio... [2] https://leavetrackapp.com/
| WesolyKubeczek wrote:
| Stripe has one of the best pieces of API documentation out
| there, and their sandbox actually simulates SCA to the
| fullest extent possible.
|
| The only things missing from their testing arsenal are a
| debit card that triggers SCA past X amount, and a debit card
| that has limited funds.
| slaymaker1907 wrote:
| The biggest thing with PSD2 seems to be the introduction of
| mandatory 2FA (CVC code/card number are not sufficient).
| thefounder wrote:
| cvc has always been a joke
| jeroenhd wrote:
| PSD2 is an initiative/set of laws that force banks to have some
| kind of API available to trusted parties so other companies can
| access customers' financial data (with explicit consent by the
| user, of course). This allows the banking app from bank A to
| work with the bank account of bank B, if bank A implements bank
| B's API. It also includes some other stuff, like adding
| security requirements to online payments, like the 3DS system
| is doing.
|
| Companies that make use of these APIs need to fulfil some
| requirements so that not just any shitty company can ruin your
| life by hiring shit developers that accidentally add zeroes to
| the amount of your transactions.
|
| 3DS probably refers to "3D secure", a way to secure credit card
| payments online. I don't use a credit card for anything but
| paying for American services so I don't know the details of it,
| but it seems to be a way to redirect credit card users to the
| checkout page of their bank so that extra security (like 2FA)
| can be added to online payments.
| moksly wrote:
| PSD2 is an EU directive that changed how online payments can
| take place within the EU. The key points are basically these:
|
| Strong customer identification is required. In Denmark we
| handle this with our national identity system NemID (soon to be
| mitID). Which is a national two-factor system, that we
| previously mainly used for stuff like online banking or
| interacting with the public sector but is now also required
| when you buy something online.
|
| Releasing the ownership of your financial data from the banks.
| Meaning that you can give third party companies access to your
| banking data. In Denmark this has revolutionised budgeting
| because the area was disrupted by companies that saw a gap in
| the age old online banking systems. As an example, my
| "overview" in my netbank was basically just a table of the data
| they used to physically mail me, today it offers all sorts of
| BI like tools to show me how I spent my money because an app
| named Spir or Spiir or something like it completely
| revolutionised the area. As you may be able to tell, I'm still
| doing my budgeting in my own spreadsheet, but the spiir app is
| one of the most popular apps in Denmark.
|
| Overall it has been pretty well received in Denmark. Having to
| utilise two-factor identification when you buy stupid shit
| online is annoying, and it's likely costing some sales as
| people have a few more seconds to think while they pick up
| their phone, but overall people are happy with the increased
| protection it also offers them.
| vishnugupta wrote:
| > What is 3DS?
|
| 3DS stands for 3 Domain Secure. Payment processing
| requires a lot of service providers to co-ordinate; card
| issuer, merchant acquirer, card network to name a few.
|
| The three domains in 3D refers to the domains of Issuer (the
| bank that issued your card), Acquirer (the bank that the
| merchant has their account in), and the Network (Visa,
| Mastercard etc., which connects Issuing banks and Acquiring
| banks).
|
| I'm vastly simplifying because nowadays there are new
| entities which are difficult to typecast into one of
| Issuer/Acquirer/Network because depending on the scenario they
| can act as any or all three.
|
| Unlike the Internet which has reasonably well defined
| protocols/services to provide end user services (HTTP, SMTP,
| DNS etc.,) online payment processing has evolved by monkey-
| patching systems as newer challenges have arisen. There are no
| well defined protocols or standards so you have this vast
| network of systems that somehow work together to process online
| payments. Once in a while it fails, exposing its innards, like
| how people came to learn about T + 2 settlement during the
| GameStop saga.
|
| > Why do these exist and what did they solve?
|
| 3DS is kind of a protocol that'll enable a card holder to
| authorise a payment while minimising the number of service
| providers that have access to their card details. A typical
| implementation of 3DS requires the card holder to authorise a
| payment through PIN. Another is through second factor auth such
| as SMS OTP, or RSA tokens, Apple's Face ID.
|
| > What is PSD2?
|
| This is a European specific regulation to make payments more
| secure. 3DS is one of its requirements.
| WesolyKubeczek wrote:
| Then make your service compelling enough for me to go through the
| motions of confirming the payment in my banking app.
|
| Or integrate with Android Pay/Apple Pay.
|
| Cry me a river, but I'd rather be in control of who gets to
| withdraw money from my card, and how much.
| marcosdumay wrote:
| Those are pretty big transactions as the law will only apply to
| small ones later. It's really hard to believe people are
| leaving multiple 1000s of Euro transactions just because they
| didn't bother to learn how to check an app.
|
| I think it's much more likely that some payment methods became
| completely unusable, so people are abandoning their
| transactions to redo them elsewhere. And also, some of those
| must have been fraudulent, but probably very few.
| jeroenhd wrote:
| Seriously, if having to stand up and get whatever 2FA token
| thing your bank needs is too much effort for a purchase on your
| site, then I have strong doubts about how much your service is
| really worth.
|
| Another explanation would be that customers run into trouble
| because they don't know how to use secure online payments. In
| my opinion, those customers probably shouldn't be doing any
| online banking on their own with the massive fraud risk that
| comes with stuff like this.
|
| This line says it all, in my opinion:
|
| > Users may also choose to abandon a transaction simply because
| there are additional steps to complete, _giving them more time
| to contemplate their purchase_.
|
| PSD2 saved a lot of people from making bad financial decisions
| by the sound of it.
| WesolyKubeczek wrote:
| Seriously, I'm used to a bit of _contemplation_ before I hit
| that final "Buy" and proceed to the payment gateway. I like
| it. I like that I have to enter my billing/shipping
| addresses. Decide if I want an invoice for a business or an
| individual. Think again. Go-around hunting for a better
| option one last time.
|
| Lately, I've had a _harrowing_ experience of misclicking on
| Amazon. The bastards have put "Add to Cart" and "Buy with
| 1-Click" so close together that I clicked Buy thinking I was
| adding to the cart.
|
| I promptly got emails about my order having been finalized.
| No confirmations, no whatnot. Like those annoying traffic
| lights on some streets that go straight from red to green,
| without amber in between. I felt a bit robbed. True, I wanted
| to buy the stuff, so I didn't cancel, but damn it, not like
| this.
| karatinversion wrote:
| If you don't cancel the purchase on principle, it was the
| correct (revenue maximising) design.
|
| Not that I can talk, this is how I started my print
| subscription.
| underyx wrote:
| This sounds wonderful to me. 20% of would-be buyers were saved
| from mindlessly consuming and paying for stuff they don't need --
| by just a tiny little UI friction. Imagine what a mandatory essay
| about the reason for your purchase would accomplish.
| [deleted]
| Jiocus wrote:
| You actually have a point. I think 3-D Secure both fulfills
| its purpose to increase consumer protections when paying
| online, while at the same time, as you suggest, it acts as a
| soft obstacle reminding the consumer to maybe re-evaluate their
| purchase.
|
| I'm not saying it's frictionless nor perfect, but things were
| worse earlier. Card and identity fraud is increasing, and will
| continue to be a valuable target, not least because we're
| moving towards a cashless society (some say).
| warkdarrior wrote:
| That's nice of you to decide for the would-be buyers that they
| didn't need the stuff they wanted to buy. Do you offer this as
| a service?
| hnarn wrote:
| What's the alternative? As a customer, I find the idea of
| loosening transactional security for the benefit of companies
| mildly nauseating.
| kristofferR wrote:
| I'm really glad my bank got FaceID 3DS right as PSD2 was
| introduced, it's really quite painless to do the 2FA (just tap
| the notification, look at your phone and put it back).
|
| Previously you had to use an ancient SMS based SIM app on your
| phone or use a dongle to authenticate, took over a minute
| usually.
|
| A way for retailers to "bypass" 3DS is to use Klarna or similar
| (free in-app invoice that needs to be paid within 14 days). Even
| though it's usually quite simple to use my debit card, it's still
| more of a hassle than paying whenever I want within 14 days, so
| that's what I choose when I'm in a hurry.
| Denvercoder9 wrote:
| This article would be significantly better if it introduced what
| PSD2 and 3DS actually are, for those unaware of the
| abbreviations.
|
| PSD2 -
| https://en.wikipedia.org/wiki/Payment_Services_Directive#Rev...
|
| 3DS - https://en.wikipedia.org/wiki/3-D_Secure
|
| Furthermore, I want to note that the author works for a company
| that sells products that "eliminate unnecessary 3DS friction" (in
| their own words).
| Matthias1 wrote:
| I found those links slightly difficult to understand. Am I
| correct in summarizing these definitions as follows?
|
| PSD2--The EU law requiring your bank/card issuer to establish
| SCA for online purchases.
|
| SCA--Strong Customer Authentication: something in addition to a
| credit card number, e.g. your bank account password, a mobile
| push notification, an SMS code.
|
| 3DS--3-Domain Secure, the protocol used by online merchants to
| communicate with the bank in order to establish SCA. This seems
| to be complicated by the fact that most banks aren't
| implementing this protocol themselves, but using a third party.
| So you get redirected to the website of that third party in
| order to authenticate a transaction.
| lxgr wrote:
| > something in addition to a credit card number
|
| Two things, actually. The credit card number doesn't count as
| a "thing" anymore.
|
| This is why SMS-OTP alone is not sufficient (representing
| only possession), but mobile phone app based solutions are
| (they represent possession of a linked device and usually ask
| for biometrics or a PIN code).
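The two points made in the summary above and in the reply to it (the card number is not a factor; SCA needs two different factor categories, so SMS OTP on its own does not qualify while an app push plus a PIN or biometric does) can be checked mechanically. The following Python is an added example written for this page, not code from any commenter, bank or scheme. The mapping of methods to categories and the HMAC-based "authentication code" are assumptions made for illustration; the second half shows the other PSD2 requirement that several commenters allude to, that the approval is tied to the exact amount and payee, so an extra zero on the amount invalidates it.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three factor categories PSD2's SCA definition uses."""
    KNOWLEDGE = "something only the user knows"   # bank password, app PIN
    POSSESSION = "something only the user has"    # enrolled phone, SIM, token
    INHERENCE = "something the user is"           # fingerprint, Face ID


# Data printed on the card is not an authentication factor at all: anyone who
# has seen the card has it.
CARD_DATA = {"pan", "expiry", "cvc", "cardholder_name"}

# Assumed mapping of common methods to a category, chosen for this example.
METHOD_CATEGORY = {
    "bank_password": Factor.KNOWLEDGE,
    "app_pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,       # proves control of the phone number only
    "app_push": Factor.POSSESSION,      # proves control of the enrolled device
    "hardware_token": Factor.POSSESSION,
    "face_id": Factor.INHERENCE,
    "fingerprint": Factor.INHERENCE,
}


def sca_categories(methods):
    """Distinct factor categories evidenced by the presented methods."""
    categories = set()
    for method in methods:
        if method in CARD_DATA:
            continue  # card data contributes nothing
        if method not in METHOD_CATEGORY:
            raise ValueError(f"unknown authentication method: {method!r}")
        categories.add(METHOD_CATEGORY[method])
    return categories


def satisfies_sca(methods):
    """SCA needs at least two *different* categories, not two methods."""
    return len(sca_categories(methods)) >= 2


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    currency: str
    payee: str


def authentication_code(issuer_key: bytes, tx: Transaction, nonce: bytes) -> str:
    """Issuer-side code dynamically linked to the amount and the payee.

    Toy construction (HMAC over the transaction fields and a per-challenge
    nonce) used only to illustrate dynamic linking; not any issuer's real
    scheme. Because amount and payee are inputs, a code approved for one
    transaction cannot authorise a different one.
    """
    message = f"{tx.amount_cents}|{tx.currency}|{tx.payee}|".encode() + nonce
    return hmac.new(issuer_key, message, hashlib.sha256).hexdigest()


def verify_authorisation(issuer_key, tx, nonce, code, methods):
    """Accept a payment only if SCA was met and the code binds this exact tx."""
    if not satisfies_sca(methods):
        return False
    expected = authentication_code(issuer_key, tx, nonce)
    return hmac.compare_digest(expected, code)


def demo():
    """Walk through the cases discussed in the thread; returns a dict of results."""
    key = b"constructed-issuer-key-for-the-example"   # constructed sample key
    nonce = b"challenge-0001"                         # constructed challenge nonce
    tx = Transaction(amount_cents=4999, currency="EUR", payee="Example Shop Ltd")
    # The cardholder approved tx in the bank app (enrolled device + Face ID).
    code = authentication_code(key, tx, nonce)
    # A buggy or malicious merchant resubmits with an extra zero on the amount.
    tampered = Transaction(amount_cents=49990, currency="EUR", payee=tx.payee)
    return {
        "card_data_only": satisfies_sca(["pan", "expiry", "cvc"]),
        "card_plus_sms": satisfies_sca(["pan", "cvc", "sms_otp"]),
        "sms_plus_password": satisfies_sca(["sms_otp", "bank_password"]),
        "two_possession": satisfies_sca(["app_push", "hardware_token"]),
        "app_push_faceid": satisfies_sca(["app_push", "face_id"]),
        "approved_tx": verify_authorisation(key, tx, nonce, code, ["app_push", "face_id"]),
        "tampered_amount": verify_authorisation(key, tampered, nonce, code, ["app_push", "face_id"]),
        "replay_without_sca": verify_authorisation(key, tx, nonce, code, ["pan", "cvc"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The independence rule is what makes "card number + SMS code" fail: both the number and the OTP only evidence possession (of the card and of the SIM), so a second category has to come from a password, PIN or biometric. The dynamic-linking half is why a merchant-side bug or a man-in-the-browser that alters the amount after approval gets a rejection rather than a larger charge.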
| jameshart wrote:
| This is an accurate summary, yes.
| Aerroon wrote:
| > _SCA--Strong Customer Authentication: something in addition
| to a credit card number, e.g. your bank account password, a
| mobile push notification, a SMS code._
|
| I've run into this a few times and it has made me _very_
| hesitant. You're effectively being asked to log into your
| own bank account from a link on a third party website or,
| even worse, an app.
|
| It makes me uneasy, because I feel like a malicious site or
| app could intercept this and access the account directly. Or
| do some other kind of trickery that I cannot foresee.
| chrischen wrote:
| With the way it currently works people can just charge your
| credit card with the account number only, more or less
| (everything publicly printed on your credit card).
___________________________________________________________________
(page generated 2021-05-10 23:01 UTC)