PAYMENTSfn Fireside Chat: How Retailer Arc'teryx Solved for 3DS

Andy Badke (Arc'teryx) and Daniel Pelegero (RPGC) discuss and answer questions about 3DS2 as well as provide the practical lessons learned as Arc'teryx addressed 3DS in their global online store.

Written by
Lani Simeona
Publication Date
September 3, 2020

Originally presented as a PAYMENTSfn Fireside Chat, listen as Andy Badke (Arc'teryx) and Daniel Pelegero (RPGC) discuss and answer questions about 3DS2 as well as provide the practical lessons learned as Arc'teryx addressed 3DS in their global online store.

Have questions that aren't covered here?

Join us in our Slack community and get your questions answered!

Want more?

You can also watch all of our PAYMENTSfn Fireside Chats here.

Rough Transcript (edited for readability):

Peter Mollins:

Well, hello everyone. My name is Peter Mollins. Welcome to a new PAYMENTSfn Fireside Chat series, a brand new edition of PAYMENTSfn that we're rolling out. Many of you may have attended previous PAYMENTSfn either physical or virtual events that we did this year. So welcome to this new series. Again, my name is Peter Mollins with Spreedly. And before we get started, if you'd like to submit a question, please just click on the Q&A option that's at the bottom of your screen. And you can also submit questions if you're in the PAYMENTSfn Slack channel by going to Fireside Chat 3DS in the Slack workspace. So we'll do our best to get through as many questions as possible during today's webinar. And if you're not able to stay through the entire webinar, we'll be sending out a viewing link after the event if you want to share it with your colleagues.

Peter Mollins:

So let me then switch over and start introducing today's panelists. So first off Andy Badke, who's the Project Manager for Enterprise Information Systems. Andy, welcome. Andy is a multidisciplinary IT professional and he's currently operating as a Project Manager for Arc'teryx Equipment. It's a global manufacturer and distribution brand. Andy loves traveling the world of technology and large business strategy and operations, and he has 15 years of professional lighting experience, originally starting in software development and evolving to coaching, program leadership and consulting. He is as comfortable discussing new software development paradigms as he is developing DevOps deployment strategy. So Andy, welcome.

Andy Badke:

Thanks, Peter. Hello, everyone. Happy to be here.

Peter Mollins:

Great. Daniel Pelegero. So Daniel, welcome. Daniel is a familiar face from PAYMENTSfn, which we just had back in May. So welcome Daniel. Daniel is a consultant for Retail Payments Global Consulting, or RPGC. And he's been in the payments industry for five years, first drowning and now treading water, as he says. So having been enlightened by payments lifers early on, he understands the inadequacies of the fragmented payments ecosystem. And now Daniel advises some of the largest merchants and payment processors on their payments acceptance strategies and platform requirements. So Daniel, welcome.

Daniel Pelegero:

Pleasure to be here.

Peter Mollins:

Also with us is Lee Jacobs. Lee is the Director of Product Management at Spreedly. Lee's responsible for the strategic development of the Payment Orchestration Platform, and he's previously held positions in product management and engineering at Abrigo and Cisco. And prior to his civilian career, Lee served as a captain in the United States Marine Corps where he specialized in communications. So Lee, welcome.

Lee Jacobs:

Well, thank you for having me.

Peter Mollins:

Well, really looking forward to the conversation. So just a bit of background for some of the attendees, so at the PAYMENTSfn virtual conference that we hosted back in May 2020. Andy gave us a first-hand account of how Arc'teryx had to learn, adapt and execute a complex strategy in a very short timeframe in order to meet PSD 2 mandate requirements. And he presented the detail of that story from his team's perspectives including the changes that were required by that mandate, and how the team created and executed their payment strategy, the results and the lessons learned from that initiative. So we're going to build off that presentation for today's discussion. And if you haven't had a chance to see the session, just visit paymentsfn.com for access to that and more than a dozen different sessions that were also presented there.

Peter Mollins:

So with that as context. Again, welcome everyone and let's go ahead and kick it off. So first off, there's an alphabet soup of various different acronyms out there. And Daniel, I'd appreciate it if you could kind of give us the lay of the land on 3DS, SCA, PSD 2. What do those various acronyms mean?

Daniel Pelegero:

Sure. So PSD 2, stands for Payment Services Directive 2. The first one was actually the establishment of SEPA itself, which is a whole another acronym, but it's really bank transfers and the governing structure around how banks and the payment service providers are governed in Europe and SCA is an element of PSD 2, it stands for Strong Customer Authentication. It is that key piece that was allowing the goal of PSD 2 to open up competition to non-bank providers so that they could also safely access accounts. And so with strong customer authentication, the idea is, it should be performed when an electronic payment occurs, when an account is opened, or if someone's doing something suspicious during activity on a digital channel that might look like a bot surfing through product pages as opposed to a human.

Daniel Pelegero:

Now, 3D Secure is not part of Europe. It is an EMVCo, another acronym. EMVCo is, their members are just a big international card schemes, Visa, MasterCard, American Express, JCB, Discover, UnionPay. And what they have is, what they've put together with 3D Secure is a specification for how to do authentication through card payments. Now, the European regulators don't have any oversight on 3D Secure, but they do regulate the banks that are implementing it. So there is this interesting push and pull as far as how do priorities lay out? And how does all the framework translate into actual plumbing?

Peter Mollins:

Okay, great. And can you just maybe give a context about the timelines that we're seeing here? Because there's been a lot more in the news recently. So maybe just some context on what's happening with timelines?

Daniel Pelegero:

Sure. So, PSD 2 was supposed to be fully implemented last September. Last June, the European regulators passed an opinion saying that 3DS 2 and 3DS 2.1, were actually, they weren't fit for purpose. They didn't meet the inheritance requirements, strong customer authentication. And then the networks then proposed a new roadmap saying that no one was ready. Issuers requires card holders, and so at the 11th hour, the European regulators then suggested a new enforcement date of December 31st of this year. Now what we're seeing already is fragmentation in what those roll-out dates will actually be. France and Denmark, for instance, have already announced a March 2021 enforcement date and the UK's authority has now announced a September 2021 date, plus there's a lot of lobbying going on.

Daniel Pelegero:

Primarily EPIFF, which is a group that Visa and MasterCard actually co-signed with, have asked for a further extension, as has the Merchant Risk Council, which right now is made up of, the Visa group specifically is from payment service providers, issuers and merchants are also lobbying the European regulators.

Peter Mollins:

Okay, terrific. Well thank you for that context. Lee, maybe I can turn to you if you don't mind. Why does it matter? Why does PSD 2 matter for merchants?

Lee Jacobs:

Yes, so merchants are concerned about PSD 2, for one thing, there's potential upside from it. There's chargeback liability shift when performing 3DS or 3DS 2, that shift to the issuer. And also the associated fraud reduction that comes along with it. But then there's a lot of concerns, obviously, about the potential downsides of 3DS. So 3DS impacts conversion rates. So anything that has an impact on the checkout experience is going to affect your overall conversion. 3DS, particularly has a lot of risk of creating additional latency, an additional challenge flow. So an entire new page or new model that pops up in the checkout experience. And it can also lead to false declines if players in the ecosystem aren't able to complete the entire 3DS flow.

Lee Jacobs:

And then on the authorization rates side at some point 2020 to 2021. Issuers will start soft declining transactions that are not, that don't support 3DS and they'll request 3DS on that transaction. At that point merchants who aren't able to conduct 3DS are going to end up losing those transactions and seeing authorization rates drop. So really, it's a balance between customer experience and authorization rates that they're trying to optimize for.

Peter Mollins:

Okay, terrific. Well, Andy, let me get you into the conversation here. Arc'teryx drives a lot of revenue from its business in Europe. Did that affect your decision to address PSD 2 or was compliance always important to you?

Andy Badke:

For us, it was primarily the compliance. So for Europe, we wanted to, yet follow the regulations that we had there. The EU versus US markets are different in terms of their adoption of 3DS. So from our studies, we know that the European market was used to it, it was already in flow, there was lots of, this existed a lot already. So that was good. We segmented out the US market just based on that and due to the timelines and that sort of thing, but it was primarily around the compliance piece, we didn't want to do the wrong thing. Obviously we would like to be compliant, there was a lot of benefits that go with that. And then the improvements in reduction of fraud chargebacks and review rights. So I was primarily compliance first.

Peter Mollins:

Okay, great. And now in your presentation that you've done at PAYMENTSfn, you've mentioned that about 70% of transactions could be declined, if your payments didn't address PSD 2. Why is that?

Andy Badke:

So this kind of speaks to the flow of information and how we found out about the mandate. So this came from, what we'd written in there was what the credit manager had put into our system based off a verbal phone call with Worldpay Streamline, which was our payments processor. So they had indicated to us to say, yeah, you'll be seeing approximately 70% declined right now. The assumption on that is what Lee mentioned around soft declines, that if banks start implementing this, they'll start declining payments and that's lost revenue. So where that came from was kind of around the risk of declined payments and trying to raise attention to that in our portfolio so we could actually be prioritized to say, hey, business stakeholder group, we're looking at lost money in an entire geographic region, unless we do this.

Andy Badke:

So it was kind of a two fold, that all of these were assumptions, as we'd sort of found out up until the 11th hour around what the impacts would be for this. It was kind of open to interpretation and trying to find accurate information was difficult.

Peter Mollins:

Got it. Now, Daniel, I don't know if you can provide some color about what would happen behind the scenes in terms of these declines. Why would those declines be happening?

Daniel Pelegero:

There's a laundry list of reasons. So at a high level, what we know is, the primary reason is you have a product to take into market, 3DS 2, 3DS 2.1, that simply wasn't ready and there wasn't really a phased approach to launching it. And on top of that, also the issuers haven't been ready, because even if a merchant's fully compliant, like we've seen the very sophisticated merchants being ready in 3DS 2.2 for quite some time. And they're trying to initiate one-off tests with issuers. And the transactions are taking long, transactions are dropping. And then when we get in markets that aren't regulated, what we see are a couple of things. First off, we see the liability shift because the way the issuers' risk scores are set up, they actually may then sit back and say, "we should decline these transactions.

Daniel Pelegero:

We know it's a good customer, but we want the merchant to deal with this instead because they could have their own logic behind why they're doing so, whether that is, they're using outdated fraud system like FICO Falcon, or whether they simply just don't want to give enough information to the merchant because they think they've stumbled onto some true fraud." Now, even Odeon said that the, when we start looking at the data only flows which is a MasterCard function and supposed to be part of the frictionless flow is that, it's going to lead to additional authentication rejections. And then but the good news honestly is that when there are hard challenges in place, and when the issuer is making the decision and not getting a risk score passed to it such as through the data only flow, we are seeing approvals left. The problem is once the merchant, once the customer gets a hard challenge, it's already affecting the conversion rate.

Daniel Pelegero:

And in all honesty, one of the best places to look for more information on this and to be a part of the conversation if you are a merchant, and this is where I really want to elevate the work that Julie Ferguson and Anna Dillon with the MRC have done, because they've created these merchant issuer committees that merchants and banks can join. And they are asking any merchant that can provide data and any testing that they have are already established to provide that data because they are not just lobbying each year, the European regulators at a large but each of the national conduct authorities as well to demonstrate that the issuers aren't ready even if the merchants are compliant.

Peter Mollins:

Great, and we'll come back to that point about how merchants can get involved in the process and have their voice heard at the end of the session to make sure that everyone gets that as a good takeaway. Lee, so, Daniel mentioned liability shift. How does that liability shift create new incentives for merchants and issuers to adopt 3DS 2?

Lee Jacobs:

Yeah, and actually I'm going to answer a question from the audience along with this, too, as it's related. So an anonymous attendee asked, can someone explain liability shift and what it means. So, the basic definition of the liability shift: in a typical non-3DS transaction, in the case of a chargeback, the merchant is responsible for or is liable for that chargeback in the case of friendly fraud. With 3D Secure, specifically version one, that liability shift is pretty straightforward, shifted to the issuer. So if the cardholder passed authentication, the liability shifted to the issuer. So there's that incentive for merchants to reduce their liability for chargebacks. And with version one it's very straightforward, either you pass authentication or you don't. With version two, there's a lot more complication around it because there aren't challenges on every flow. So the liability shift only applies in version two, and or in either version, when authentication is successful.

Lee Jacobs:

An issuer essentially has the right of first refusal on authentication. So merchants are collecting more data on the front end, but issuers have to be ready to actually use that data to make intelligent decisions to confirm the identity of that cardholder. And so the issuer incentive here really is to start declining more transactions or rejecting the authentication attempts, because they want to avoid that liability shifting to them in the case that they're not certain of the cardholder's identity, while the merchant incentive is split between seeking the liability shift and avoiding false declines. So on the merchant side, one is liability shifting from them to the issuer, but the other is improving their authorization rates and making sure they're not receiving declines by requesting 3DS. So they're kind of in a tough position determining when to request 3DS versus not in order to optimize their transactions.

Peter Mollins:

Great. All right. Thanks and I appreciate you answering that question from the audience. Again, feel free to use the Q&A button that you should see at the bottom of your screen for additional questions. So now let's switch gears and talk more about what's going on in practice. So Andy, again, great session from PAYMENTSfn. Again, please do go to paymentsfn.com to watch that session, but as I was rewatching it again over the weekend, I was seeing how you and your team were addressing the mandate. And one thing that really stood out for me, other than the great Halloween costumes that were on display, which is fantastic, was the number of different teams that were involved. So can you tell me a little bit about that and about which teams were involved in that process?

Andy Badke:

I'm glad the presentation was exciting because it was fairly chaotic for that time period, during that project, we were hustling. So there was a lot going on with the groups that we were working with. Arc'teryx's HQ sits in Vancouver. So we had pretty much everybody centralized, though we are a global operation dealing with Amer Sports that are based out of Europe. And then we also have a North American arm. So it's a very global enterprise, but the group that we worked with were all fairly co-located. So we had internally, two completely separate departments, which was business solutions or Enterprise Services, which do the integrations between ERPs and all the internet and those sorts of things. And then also the Omni Channel Group, which were looking at the website and then feeding into that buyer and integration layer.

Andy Badke:

So we had two separate groups there. I was on the integration side with business solutions and enterprise. And we had an extra team that was around Omnichannel and web experience. So those were the two internal IT teams that we had to work with. And our primary stakeholders were finance and fraud. So we had the Director of Finance, the credit manager, and then also our fraud employees as well that were our primary stakeholders around this, they were communicating and getting these compliance issues around that. Externally, the team also had to deal with, in quite close proximity, Cybersource. We had to call with Worldpay Streamline in a way. Cardinal Cruise appeared later when we were trying to set up 3DS to say, oh, Cybersource were working with them. So that sort of name entered the mix to say, what am I doing, and then as well with Spreedly, so Spreedly being our partner, they were enabling us as the payment gateway to go to Cybersource, our payment processor.

Andy Badke:

We also had to in some instances core with local banks around our testing pace to see what we could do around there. So that was the project landscape that we were primarily dealing with.

Peter Mollins:

Okay, great. And now with all the diversity of teams, there's many teams, there probably was a lot of different benefits that each of these different players were seeing. So when we were talking before in sort of the context setup, we were talking a lot about avoiding declined transactions. And one of the things that I think jumps to mind with folks is PSD 2, is this just a nuisance? It's not intended to be; it's certainly more than that. So when you think about the benefits that Arc'teryx broadly, or maybe specific groups, saw, how did you think about those benefits?

Andy Badke:

So we saw, we've actually realized some of those benefits now in the data that we've seen after release. So this happened back in September last year. But we've seen, so the liability shift that Lee had mentioned. The payment security is a good thing for customers and there's that balance, when you see the talk around if you have a higher security level that actually starts checking your revenue stream and you want to have that balance in there of one or 2%. But we've increased our security. So we're seeing an improvement in our review rates, and also an improvement in fraud chargebacks. So being the reduction of those, and our review rates being much better. So they're the real benefits that we've seen from that, saying that it's best practice, it's a good thing for us to do. It has increased the time to complete a little bit, but also negligible in terms of order completion.

Andy Badke:

So from post-implementation, we're comparing the numbers to how we were before just in that period before we obviously had global recession and rigid reduction in sales based on what's going on. But it was negligible in terms of impacts to completion. So we saw that the orders were sustained. And we realized all those benefits in the fraud sector. So it was a good implementation in terms of our metrics. We were measuring successful.

Peter Mollins:

Great, and so Daniel, when you think about PSD 2, I mean, the first thing that pops to mind from a geographic perspective is Europe. But if there's an impact on fraud, are you seeing or hearing of companies in other regions trying to deploy that standard?

Daniel Pelegero:

Well, I mean, this kind of comes back to 3D Secure at large, because while it's driving the conversation in Europe, and compliance in Europe, because you have the US that's also such a heavy cards market, and Canada, such a heavy cards market. It's driving the same implementation deadlines in these markets as well. And then you already had these markets where fraud was already higher, such as India and Brazil, which have had 3D Secure 1 mandated for quite some time. But ultimately, the largest success story has been, I think, out of Australia with their CNP fraud mitigation framework. It just turned one year old. But there's some subtle nuances though, that differentiate it from what the FCA in Europe is, for why it's sort of working out better.

Daniel Pelegero:

They had faced lead times and is almost, if you exceed your fraud rates, then we have the risk control, you're supposed to have the risk controls in the process or you're regulated to or you start taking fines. And what this actually is led to, what the group, the regulators in Australia have reported is that they're experiencing their first decline in card fraud rate since 2006.

Peter Mollins:

Wow. Interesting. Yeah. I mean, it's certainly, like there's a temptation, I think, to immediately leap to the technical implementation idea, when really there's a business context that's surrounding that. When you think about 3DS or PSD 2, these are in the context of a business goal or just the business in general, I mean. Would you agree?

Daniel Pelegero:

Absolutely. And I think I have to credit Brian Penny at American Express with this framework because it really comes down to four key elements. If you're a merchant, you're trying to figure out, okay, what type of an authentication framework? What kind of a restoring framework makes the most sense for me? And you're looking at the costs, because with 3D Secure, there is a cost attached to sending every single one of those transactions, you're looking at the latency because right now what we know about the 3D Secure protocol is it takes much longer in a way that other payment methods may not necessarily but then it also comes back to what does that mean for your system if you're then enabling something like a push payment, which is inherently SCA. But then is your system prepared to receive those type of requests.

Daniel Pelegero:

The third piece then, of course, is integration, because this comes back to, to enable a 3D Secure transaction, you need also to be able to pass the PAN, and if you don't have the ability to pass the PAN by either having access to it within your own token vault or leveraging a provider that gets you the connection to your 3DS provider that you need, you may have to unwind quite a bit. Just to be able to give yourself that business flexibility again, as well as the redundancy. And then the last piece is fulfillment, because the use cases are incredibly different for an instant fulfillment where you're leveraging a marketplace such as the Uber model, versus having a couple of days before shipping goods to someone.

Peter Mollins:

Right, yeah.

Lee Jacobs:

I'm going to interject with a question from the audience, and there's a couple of questions similar in nature. Do we have some details around which EU countries would go for 3DS 2 first over others, kind of a stack ranking?

Daniel Pelegero:

So what we know right now is we know what the implementation dates are set for several different countries, some are still keeping that December 31st, 2020 deadline. Those countries are definitively not the UK, France and Denmark. But what I will say though, is the UK is showing the most amount of readiness at the moment. And that's, I think, unveiled in the data that Amazon and Microsoft have publicly shared. And this comes back to the UK already having implemented an open banking framework. And then I think the other element that's really important to note within each one of these countries is if the banks are already cooperating to leverage these financial services, beyond just the 3D Secure framework piece, that then indicates to me that it's a mature banking model, that the country is going to be better suited to actually meeting whatever implementation deadline they eventually get aligned with their National Conduct Authority.

Peter Mollins:

Well, great. Thanks for that. Andy, let's take a little more look at, another deeper look at your implementation and what you and the team did. You decided to take a staged approach to PSD 2 and then part of it, from your presentation, it was because you had multiple payments systems that you're working with. Can you give us a bit more context about that?

Andy Badke:

So this is definitely, it's a little bit of an artifact from the corporate history, I suppose, because we had a payment, it's how the company is legally structured. But we essentially had different payment gateways for different regions. So Europe has one, North America has the other. That was sort of how we had to do it around legal underwriting and all those sorts of things as we mentioned. We had a very tight deadline in terms of trying to avoid the fines and, basically, to just be compliant. So pull that European site into that. So we decided to take the staged approach to it. Doing the 3DS for the EU only sort of mitigated areas, because we only had to deal with one payment processor instead of two, and also geographically, because we had North America as an entirely different region, which essentially would have doubled our effort to look at in terms of testing scenarios, currencies and things like that.

Andy Badke:

So trying to minimize that was a good thing for us in terms of project delivery to that super tight deadline that we were working to.

Peter Mollins:

Great. And as you started to move through that process in your staged role, you had to make a decision about how you were going to address PSD 2. So like as Daniel and Lee mentioned about 3DS is a way to address PSD 2, and you chose to start with 3DS 1, I believe, is your starting point, correct?

Andy Badke:

Yes. So the thought pattern as we started, so we essentially gathered the team, said, let's go. We had some research that we'd done prior around the options in the past that we were going to take, so we were looking at partners and how we could execute on this. So then it was trying to just say, all right, what is a very phased approach in terms of mitigating this risk and getting something out that's going to move us towards that compliance piece in a timely manner. So just trying to iterate on our releases. So we knew PSD 2 required strong customer authentication. After our research we saw that 3DS 1, which was the known option, it was already in the field, that was probably our best solution to go with, we didn't really have a huge amount of time to sort of go between... There was 3DS 1, 3DS 2, at the time information wasn't specific around what version would actually be covered properly under PSD 2 and the strong customer authentication experience.

Andy Badke:

So we actually believed 3DS 1 would cover us in terms of saying, yep, this will be fine, we'll be good to go. It was only when, as we approached the launch date, we started seeing more research and more articulated information coming out, which Daniel had mentioned, to say, actually 3DS 2.1 is going to be the standard now. So we were saying, okay, we will go with 3DS 1 first. When you're doing a 3DS 2 solution, the fallback is to go to 3DS 1, if some of those things fail or go through. So we thought, okay, this is good. We'll implement an initial measure, it can be the fallback and then we can extend and enhance into 3DS 2, which is supplying all of those other pieces and parameters of information. The first one was kind of straightforward, a known quantity, there are already packages and products available that we could use. 3DS 2 was still, even with some of our gateway pieces, the integrations between what we were trying to do.

Andy Badke:

We're also kind of, hey, this is in, data we're still working on this. So that, from a mitigating risk perspective, we'd say, okay, let's go with 3DS 1 in the EU, that will get us on a step along our roadmap. So we've got a lot more that we need to do still around adding extra currencies and things like that. But this one was purely, we've got a timeframe we need to meet, we don't want to be fined. Let's start with a step in that direction.

Peter Mollins:

And speaking of mitigating risks, you mentioned about testing, like how did you approach testing for that solution?

Andy Badke:

With great difficulty. We could talk about this one a fair bit. I can speak on behalf of our developers and testers. They wanted really clear documentation. We needed scenarios, we had seven currencies, which was seven different merchant IDs inside the Cybersource payment processor. We had three different sandbox environments. So we had our testing environment, we had, in this case, Spreedly's testing environment, and we had Cybersource's testing environment. Plus, we needed to test out rollback measures in the instance that we didn't get these operating, which was to ship orders through PayPal. So we needed to check our PayPal accounts across each of those currencies as well. So we had to test for all of those scenarios. Then we had to do our end-to-end testing, and doing that outside of the production environment was tough. I mean, because that's where each one will say, okay, we can test in our sandbox, but then does that sandbox connect to the other sandbox?

Andy Badke:

So talking with Spreedly. If you support all of these different payment gateways, there is a difficulty and an overhead. We've tried to support all the testing environments because they're all changing in their testing environment and all sort of a proper ship from staging. So dealing with the integration across those, we were doing testing to say, yes, we can confirm if we call this one that will get that result, but we could only do it across certain currencies without actually kicking off the integration flow. So it was really when we were getting to the end-to-end piece. The [inaudible 00:30:19] were learning in the implementation as well. So the documentation of the APIs and things to call was extremely important when we were trying to pick up this information. The difference between a clear and concise wiki page to say this is the order that you call, these are the results you're expecting, versus say a 70 page PDF that has massive things in it. And so we have to read all of these, how do I digest this information very quickly?

Andy Badke:

So in terms of testing, those were very key to us. And then the final piece around the 3DS challenge to say, okay, we couldn't test and I'm interested in opening this to the group to have further discussion on the best practice way. To do integration testing, we can go through the entire flow touching all entities to say this is going to be a confirmed experience. Because we were trying to not use real cards. That was the main thing. We'd say, okay, we've got Canada, which is where we are, then we say we won't be enabling our 3DS transaction through this. If we call a Canadian bank and say, are you using 3DS, you've got varied responses as to whether that was actually used or not. So we had to find somebody who had a UK credit card, and then use that as a sample test one to say, there was also a $50 minimum. Sorry, I've gotten mixed up whether it was four pounds and conversion, but there was a minimum that was applied before it actually kicked off a 3DS transaction as well.

Andy Badke:

So we'd say okay, let's have a credit card with this. We'll put in an order as a pre-auth and then we'll cancel it. So we were at authorization, not the capture, to see if we could go through some of these things, but it's still an open case for us to say, we didn't have a full test harness where we could fully complete end-to-end testing scenarios of all the currencies. So that was definitely an issue and still an open issue for us in terms of what's a sustainable way of doing full and complete testing for this. We had only tested one or two, fully. And then when we went live, we sat there as a team watching the data to say, we're not leaving here until we could see a successful order appearing in all of the currencies that we support.

Peter Mollins:

So vital to have that view into the data and to see transactions as they're coming through. And I don't know, Lee, if you have any comments on that.

Lee Jacobs:

Yeah, sorry. I had to unmute myself there. Yeah, especially with version one, of course, testing was very complicated, then moving into version two, even more complicated. So more players involved in a more complicated flow and more data being collected. And so the end-to-end test that's required is really a dance happening between the various entities in the ecosystem. So the merchant obviously is the one running the testing, connecting with 3DS Servers, which connect with the card network and ultimately to the issuer's ACS server. And communication kind of goes in a triangle between those three major entities, the 3DS Server, the ACS and the merchant, flowing in various directions before authentication is actually approved and then the transaction, and then authorization happens with the issuer. So this dance that's happening requires some pretty sophisticated testing on the merchant's end to make sure it is going to work across the board.

Lee Jacobs:

So with 3DS version 2, you have your frictionless and challenge flows that you need to ensure are working both in browsers and mobile apps. You need to be looking at your application of exemptions. So for merchant initiated transactions, for instance, ensuring that those transactions are being passed through and you're not trying to challenge a cardholder who is no longer there. And then ultimately looking at the bottom line impact on authorization. If you're doing it right, theoretically, authorization rates should increase at some point from applying 3DS to the transactions.

Peter Mollins:

And Daniel's laughing. Well, let me bring it back to you, Daniel. And so when talking to your clients, how do you encourage them to plan for addressing compliance issues like these?

Daniel Pelegero:

Well, that's the thing: compliance is part of the larger business issue, right? Because on the one front, I can be compliant and not have any transactions go through and I'm out of business. And that's the big piece that almost has to be separated out here, is there's the PSD 2 perspective, and there's the 3D Secure perspective. And we have to remember that 3D Secure is not PSD 2, it's just a proposed solution for achieving the strong customer authentication part of PSD 2. What the regulated entities, the acquirers and the issuers, are most concerned about is being able to pass a cryptographic signature across so that they can present it to their national Conduct Authority upon request, and so that they can prove compliance. For a merchant that's here in the US, it just comes down to how is the bank going to accept my transactions?

Daniel Pelegero:

Now there is an entirely different facet to that conversation as far as how, as an eCommerce merchant, if I can't accept Visa cards, I don't accept Mastercards and I'm not in business. And so yes, this comes back to developing the flows that make sense. But it comes with the part that I almost, I'm coming back to is, what does your architecture look like? And I think my favorite terminology I've heard from this is, what would it look like in your environment to authenticate everything upfront, regardless of whether you're achieving delegated authentication, or you have some direct link or don't have that direct thing with the issuer? But what does that ultimately mean? Not just for your systems and your security, but also for your customer experience? Because the part that [inaudible 00:35:56] to simplify to some degree is, do you want to manage 15 different flows? Do you want to trigger in place, the moment that a transaction exceeds its limit?

Daniel Pelegero:

Or if one of your acquirers, for instance, exceeds their fraud rate across their portfolio with an issuer. How can you be flexible to account for any of these things and have the appropriate sniffers in place? So that when one threshold is exceeded, you can reroute traffic somewhere else, and then have the tools and the intelligence to do so accordingly, or be able to spit the appropriate customer messaging back. And so it's right now because things are so uncertain. And because everyone in the industry is asking the European Commission and the EBA to push the deadline across continental Europe even farther back. Right now it's almost sprint as fast as you can to achieve 3D Secure compliance. And we'll get into the dates of what's going on there in a moment. But the bigger issue is, this is the goal ultimately.

Daniel Pelegero:

Don't get handcuffed by your providers as well, because this is a core dependency that the industry at large is putting on in their use, and it's being backed by regulation in Europe. But that doesn't mean that if I have one acquirer that gives me 3D Secure, that I'm not going to be able to migrate my traffic if I ever need to do so for whatever business reason, whether that acquirer has an outage, or whether there's something or whether there's a breach of terms of service, or even worse, a Wirecard situation. And so all of those elements are the things that have to play into the calculus of making these decisions and ultimately freeing up as much ability to choose your own future.

Peter Mollins:

Terrific. Well, we're in the final couple minutes here. So I'll just wrap up with just two questions. And the first one, Daniel, since you were talking about timelines, maybe, can you give us just a sense of where these timelines are headed for PSD 2?

Daniel Pelegero:

For PSD 2, we're still looking at the December 31st 2020 deadline across the board. I've already called out the countries that are potentially going to, that have already announced their extensions. But as far as for American merchants, I think something that is also going to be important to note here is what are the 3D Secure deadlines. And for instance, as of yesterday, or maybe a couple weeks ago, issuers were supposed to update the exact type of authentication messaging, the fields they were supposed to be able to receive, as well as also support for dynamic linking, which is part of the FCA requirements, which means that that's something that's going live now, and at the same time because of COVID, I know a lot of companies just haven't been putting that type of development work in place because they've been putting out other fires.

Daniel Pelegero:

Now from a MasterCard perspective, it's almost a little bit scarier in a sense, because 3D Secure 2.1 on the MasterCard rails is supposed to be fully mandated for the issuers this month. But we haven't seen a date for 2.2, which by the EMVCo specification of 2.2 is actually what will meet the inherent requirements for that frictionless flow by the EBA's guidance. Now, as far as 3D Secure 1 is concerned, there is supposed to be a fee increase in December, that got pushed back into October. So, to send a 3DS 1 message, you're going to see your fee about double I believe, and I know that both Visa and MasterCard plan on deprecating their 3DS 1 support at the earliest, I think, 2021, whether it be a liability shift or the product at large.

Peter Mollins:

Okay, great. Thanks to him. Andy, I want to give the last word to you. When we think about, all we've been talking about was 3DS and PSD 2, compliance in general is not going anywhere. It's not going to be stopping, right? I mean, this is just one example of the type of regulation. So whether it's PSD 2 or PSD 102, how do you feel this kind of initiative has gotten you prepared for the next compliance initiative or the next compliance challenge?

Andy Badke:

Let's say, well, there were learnings that we had from our previous experience, and then preparations for the next one. I'd say how prepared are we? We know what to look for, but in terms of preparation, it's just things around. The learnings and the lessons that we took were things like engaging our external partners early and often and having really good quality relationships with our external partners, with Spreedly and with Cybersource, so that we could actually do that dance of the data around, that was key. And being able to support us as a merchant whilst we were going through that process, we may have been asking a lot of questions and huge shout outs to Daniel [inaudible 00:40:55], as well, for having to deal with this, with all the questions saying, where are we at with this or that?

Andy Badke:

So we had a weekly sync up pretty much. And we were tracking the notes on that. So that was a lesson that we had. That was essential for us. Having the time to implement. So we were kind of driven to that, and it was kind of, I guess we could talk about the benefit of a government deadline or not. The reality of the situation is the deadline causes everybody to come along kicking and screaming in a way. But it's trying to figure out how to sell that value properly. So for us, we still have that issue around how do we prioritize this next deadline versus the other things that we've got going on, we've got stuff as Daniel mentioned, which is putting out fires. So we're trying to sell all the inventory and get that out. So we're creating like a new website outlet, .arc'teryx.com to try and push all the inventory through that at a discount to keep orders coming in, whilst we're going through all these crazy periods.

Andy Badke:

So we've also got a future strategy that we're trying to implement around consolidation of things. Moving to new ERPs. So there's lots of pieces that are in play right now. And how does this compliance piece fit into that is still around who do we need to convince, in order to get these properly considered in our Technology Roadmap. So really trying to focus on the value proposition and the direction of these and getting really good quality information and having that broadcast, the transparency around it. It's kind of difficult when we had the opinion that came out from the European Union, which was an opinion, and then there was every single industry outlet that we were looking at, signing up to finance magazines saying, here's the opinion, how are you actually interpreting that? So they were the biggest lessons and in terms of preparation, that's the kind of things we need to look out for. But are we prepared for December? Nope.

Andy Badke:

We haven't really got that one under control yet on our radar in terms of what we're doing, and so it's there, but in terms of hitting that deadline when they set a specific date, we will be around that area, we'll have to sort of dance around, but we've got a lot of considerations that we need to take into account. Like I'm sure every other merchant does right now. So the good thing is at least if we all slowly move in that direction, and we need to try to keep ourselves accountable, it's one way to do it with the deadline date, but that's, I guess, the answer in terms of preparation, kind of.

Peter Mollins:

Great. Well, this has been fascinating. I really appreciate the [inaudible 00:43:17] discussion on what's happening with PSD 2. So Andy Badke, thank you, Daniel Pelegero, thank you very much, Lee Jacobs, and to all the listeners and participants who've asked questions, I very much appreciate it. So as I mentioned, this is going to be an ongoing series. We're going to have our next one coming up. Next one, we've got four already scheduled going out through the fall. So our next one is coming up in August. And the next one is with Joel Taylor from TaskRabbit. We'll be talking a little bit about technical debt within the Payments application. So that should be a fascinating one. So, we'll be getting some more information about that out to you for how you can register for that one.

Peter Mollins:

And if you'd like to participate as well if you feel like there's a technical topic or a product related topic around Payments that you feel passionate about, you'd love to talk about, then feel free to join the PAYMENTSfn Community, the Slack Community and we'd love to hear your thoughts and want to see how we could get you involved. So again, to all our panelists, to all the attendees, thank you so much. I hope you enjoyed it.
