“3D Secure 2.0 – Facelift or Quantum Leap?”


The new generation of cardholder authentication “3D Secure 2.0”
3D Secure has often been promoted (and still is) as the miracle cure that would end payment default misery on the merchant side. Initiated by VISA in the early years of this millennium and prominently positioned as that cure, it soon showed its teething troubles, first and foremost the problem of the “conversion rate” among merchants using 3D Secure. Using 3D Secure caused unintended payment cancellations by cardholders and thus reduced the sales of the affected merchants. The conversion rate describes the ratio of an online shop’s visitors (measured by clicks) to conversions, i.e. how many prospective or interested buyers actually become buyers.


The underlying problem, minimising the risk of payment default through chargebacks while at the same time allowing the participating merchants their maximum sales potential, could not be solved with the variant of the 3D method in use (version 1.0). When the European payment supervisors then demanded strong customer authentication under PSD2 for much of Europe’s well-known card payment traffic, the merchants were finally taken pity on. The major credit card organisations (Visa, MasterCard, American Express and JCB) formed and defined a new authentication standard, “3D Secure 2.0”, within the joint venture “EMVCo”, which today is largely responsible for the EMV standards. The former miracle cure was to become a remedy that would completely eliminate the merchants’ suffering and at the same time meet the regulatory requirements.


3D Secure 2.0 is also the card organisations’ answer to the strong customer authentication requirements of PSD2, which must be implemented by September 2019. The new specification also ensures that the international schemes offer a consistent standard for consumers, merchants, issuers and acquirers.


In October 2016 the time had come and the specification of the new standard was published by EMVCo. Looking at the operational steps of the new method from a helicopter perspective, serious changes compared to the old method are not easily recognised. The devil is, as always, in the detail, and it is precisely these details that give hope that version 2.0 has found a cure. The new procedure defines different process steps for new (or at least modified) roles. The classic, well-known role in the old procedure, from the merchants’ point of view, was that of the Merchant Plug-In Operator (MPI). This role is explicitly no longer used in the new specification. It therefore remains to be seen how today’s MPI operators will position a technical solution in the 3D Secure 2.0 process (for example as a technical service provider of a “3DS server”).


In addition, the product managers at EMVCo have integrated a new ingredient intended to reduce the payment cancellations seen in the old 3D process, or even to stop them altogether. The so-called “Frictionless Flow” allows, within the new standard, an authentication without any additional interaction with the person to be authenticated.


Now that the rules of the two largest credit card organisations (VISA and MasterCard) regarding the new 3D Secure 2.0 procedure have been adapted with the autumn 2017 release, it is time to advance the implementation of 3D Secure 2.0 in the (partly new) operational instances.


However, to be able to use the new procedure, each participating entity must implement technical changes in their systems, since the procedure involves some changes compared to the old authentication.


By 01/01/2020 at the latest, according to MasterCard’s current plan, all authentications are to be carried out only according to the 3D Secure 2.0 standard. Visa, however, has already postponed its April 2018 rollout (merchant-initiated authentications only) to April 2019. The timetable seems very ambitiously planned and will have to be confirmed by reality.


Crucial to its success, however, is the future use of the process by the e-commerce community, that is, the transaction volume of payment transactions authenticated with 3D Secure 2.0. Assuming that the “3D Secure machinery” (consisting of Access Control Server and Directory Server) is implemented (or has to be implemented) according to the operational specifications and deadlines of the credit card organisations, it is the merchant who, as before and as in the old procedure, can make or break the success of this innovation. And it is precisely the merchants who know the teething troubles of the old “miracle cure” from their own painful experience, and who should therefore be expected to show rather moderate interest in a renovation that is (from their point of view) imposed on them.


The acquirer, as the liable entity in the four-party model, must inevitably have an immense interest in the use of the new procedure, because only in this way can it comprehensively pass the liability in a chargeback case back to the issuer by means of a liability shift. For the acquirer to use the new procedure effectively at the merchants connected to it, the conversion rate problem must be solved. Within the new standard this problem can, by definition, only be eliminated if the majority of authenticated transactions are processed via the newly defined “Frictionless Flow”, in which an additional security query to the cardholder during authentication becomes superfluous. However, this “Frictionless Flow” implies that the merchant passes enough information about the cardholder and the transaction to be authorised into the authentication process and on to the issuer, who then, based on its own risk assessment, “favourably” approves the authentication without a further request to the cardholder.


It is therefore quite unclear what percentage of authentications will, at the end of the day, be processed in “Frictionless Flow”. And this is precisely where the credit card organisations have left their acquirers out in the cold: on the one hand they make no binding stipulations to the issuers regarding their in-house risk assessment, and on the other hand they give the acquirers no support in using the new standard.
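The mechanism described in the two preceding paragraphs, an issuer deciding between “Frictionless Flow” and a cardholder challenge on the basis of what the merchant supplies, is illustrated below in a small Python model. This is an added example, not part of the original article and not EMVCo’s specification or any real Access Control Server: the data elements, weights, threshold and sample transactions are all assumptions, chosen only to show why sparse merchant data pushes the issuer toward a challenge and why the frictionless rate depends on both merchant data quality and the issuer’s private risk policy.

```python
"""Toy model of an issuer-side 3D Secure 2.0 risk decision.

Added illustration only. The data elements, weights, threshold and
sample requests are assumptions, not EMVCo's specification and not the
behaviour of any real Access Control Server (ACS).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

FRICTIONLESS = "frictionless"   # issuer approves without contacting the cardholder
CHALLENGE = "challenge"         # issuer asks the cardholder for a second factor


@dataclass
class AuthRequest:
    """Constructed subset of what a 3DS server might forward to the issuer."""
    amount_eur: float
    device_id: Optional[str]            # device fingerprint supplied by merchant, if any
    ship_to_bill_match: Optional[bool]  # shipping address equals billing address
    account_age_days: Optional[int]     # age of the cardholder's account at the merchant
    country_match: Optional[bool]       # IP geolocation consistent with card country
    merchant_risk: str                  # assumed label: "low" | "medium" | "high"


@dataclass
class Decision:
    outcome: str
    score: int
    reasons: List[str] = field(default_factory=list)


def assess(req: AuthRequest, known_devices: Set[str], threshold: int = 40) -> Decision:
    """Additive risk score; a score at or above the threshold triggers a challenge.

    Every data element the merchant omits adds risk, because the issuer has
    nothing to base a frictionless approval on. Weights are assumptions.
    """
    score = 0
    reasons: List[str] = []
    missing = 0

    if req.amount_eur > 500:
        score += 30; reasons.append("high amount")
    elif req.amount_eur > 100:
        score += 10; reasons.append("moderate amount")

    if req.device_id is None:
        missing += 1
    elif req.device_id not in known_devices:
        score += 20; reasons.append("unknown device")

    if req.ship_to_bill_match is None:
        missing += 1
    elif req.ship_to_bill_match is False:
        score += 15; reasons.append("shipping/billing mismatch")

    if req.account_age_days is None:
        missing += 1
    elif req.account_age_days < 30:
        score += 15; reasons.append("new merchant account")

    if req.country_match is None:
        missing += 1
    elif req.country_match is False:
        score += 25; reasons.append("country mismatch")

    score += {"low": 0, "medium": 10, "high": 25}[req.merchant_risk]

    if missing:
        score += 10 * missing
        reasons.append(f"{missing} data element(s) missing")

    outcome = CHALLENGE if score >= threshold else FRICTIONLESS
    return Decision(outcome, score, reasons)


def frictionless_rate(requests: List[AuthRequest], known_devices: Set[str]) -> float:
    """Share of requests the issuer would approve without a challenge."""
    decisions = [assess(r, known_devices) for r in requests]
    return sum(d.outcome == FRICTIONLESS for d in decisions) / len(decisions)


# Constructed sample data: devices the issuer has seen before and four requests.
KNOWN_DEVICES = {"dev-A", "dev-B"}
SAMPLE_REQUESTS = [
    AuthRequest(60.0, "dev-A", True, 400, True, "low"),      # rich data, low risk
    AuthRequest(900.0, "dev-Z", False, 5, False, "medium"),  # rich data, high risk
    AuthRequest(60.0, None, None, None, None, "low"),        # low risk but sparse data
    AuthRequest(250.0, "dev-B", True, 400, True, "medium"),  # moderate, well described
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        d = assess(req, KNOWN_DEVICES)
        print(f"{d.outcome:12} score={d.score:3} {', '.join(d.reasons) or 'no risk signals'}")
    print(f"frictionless rate: {frictionless_rate(SAMPLE_REQUESTS, KNOWN_DEVICES):.0%}")
```

The third sample request is the interesting one: the transaction itself is low risk, yet the issuer challenges it purely because the merchant supplied no context. That is the acquirer’s dilemma from the article in miniature: the frictionless rate is governed by the issuer’s threshold and weights, which the merchant and acquirer never see, and by how much data the merchant is willing to send.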


Operationally, 3D Secure 2.0 brings many new features with it and is also well equipped for regulatory purposes. The status of a “facelift” of this tool can therefore safely be attested. However, if 3D Secure 2.0 is to trigger a “quantum leap in authentication”, and the new specification does have the potential for that, further definitions or restrictions are needed to get rid of the old teething problem of the “conversion rate” for good.



“Banking is necessary, Banks are not”

Payment transactions as a threatened core competence



The quote “Banking is necessary, Banks are not” offers a good entry point when it comes to shaping the future of banks and is therefore a fixed component of PowerPoint slides presented to the management level of banks and savings banks. It can be found in various articles and magazines and is frequently cited in connection with disruption in the financial sector. The words come from Bill Gates, who uttered them as early as 1994. At that time I was in the fourth grade and simply amazed at the simplicity of the banking system. When you needed money, you went …

Download (only available in German)



“Options for PSD2 implementation”


Although in force since January of this year, in the eyes of many PSD2 will only become really relevant and complex with the final entry into force of the RTS (Regulatory Technical Standards for PSD2) on 14th September 2019.

In addition to Strong Customer Authentication (which is worth a separate contribution…), the RTS will above all, but not only, lay the regulatory basis for the much, and in part hotly, debated services newly created by PSD2: “Payment Initiation Services” (PIS) and “Account Information Services” (AIS). PIS stands for a payment initiation service such as Klarna already offers with SOFORT. AIS means an account information service such as is already available, for example, as part of Deutsche Bank’s multibanking service. These examples already show that PSD2 does not enable new, revolutionary services, but rather regulates existing activities (with the consequence that companies operating in this area now require a regulatory licence) and obliges banks to provide access to their customers’ accounts according to defined rules.

It is true that, due to PSD2, the competition for the customer burns more strongly than before; besides the established players, the banks and savings banks, other enterprises, in the PSD2 context the so-called Third Party Providers (TPPs), are competing more and more frequently for the customers’ favour. Unlike the usual distribution battle, however, this one is not about better conditions for individual products but about the big picture, the customer himself. Whoever succeeds in making a convincing offer in terms of user experience will be the customer’s front end and thus become that customer’s access to banking offers (regardless of which bank). And those who occupy the front end will ultimately also be able to influence the services and products offered and thus secure a correspondingly larger share of the added value.

So at least the general theory…

As a result, it is not enough for banks and savings banks to implement the requirements of the PSD2 RTS merely in order to be “compliant”. Rather, they must either develop defence mechanisms in order to be affected as little as possible by the TPPs, or devise strategies for how an institution can benefit from the PSD2 rules. Defensive mechanisms will not work, since the customers of a bank or savings bank cannot now be persuaded that SOFORT or PayPal are “evil”. On the contrary, customers use these services unremittingly because they have advantages over their own bank’s services. The sensible answer to PSD2 that remains is therefore a progressive handling of it, for example positioning the institution as the central interface to the customer’s banking and thus also to the customer’s accounts at other banks. In fact, this does not require a TPP; a bank or savings bank can also offer this directly to its customers. Deutsche Bank, for example, will certainly and consistently expand its multibanking offer, which is currently only an account information service, to include the possibility of initiating payments at other institutions. Deutsche Bank customers would then be able to manage all their payment transaction accounts without having to log into online banking at other institutions.

Consequently, not only in Germany but all over Europe, the consulting companies (we at OSTHAVEN included) are chasing after their (target) clients and spreading the message that the institutions must position themselves in line with PSD2 and design offers so that they remain the client’s central front end for banking even after 14/09/2019 and do not lose it to a TPP or another bank. PSD2, if you will, represents the end game for the clients of all banks and savings banks.

For everyone? No, at this point we expressly disagree! Not with regard to the requirement that all banks that maintain “payment transaction accounts” (here the market still lacks a clear definition) must have implemented the requirements of the RTS by 14th September 2019. But we are of the opinion that PSD2 is not strategically relevant beyond compliance for all banks. It is undisputed that retail banks and banks with a high proportion of retail customers and a focus on current accounts will be massively affected by PSD2, but in return they can also draw strategic advantages from the rules and regulations. Besides retail banks, there are also many institutions that will neither benefit spontaneously from the implementation of PSD2 nor experience any direct competitive disadvantages. We include here banks that are active exclusively in corporate banking: payment initiation plays hardly any role for these customers, and multibanking is already a reality thanks to the software they use. Even banks that focus on financing and deposit products can only benefit from PSD2 with a lot of imagination. We could go on… It should be clear that the establishment of ecosystems or the convergence of banking and non-banking on the basis of PSD2 rules is not meaningful or necessary for all banks. We consultants also have to operate with a sense of proportion here.



“The Future in Banking & Payment”


Trends come and go – this also applies to payment transactions. The drivers of innovation are often technological progress, regulations, costs and the customer. But what are the latest developments and research in this area? An OSTHAVEN perspective on the future in banking and payment.

Now, be honest: how many different passwords do you actually use in everyday life? Studies have shown that typical user behaviour, across many devices, Internet portals and even online banking, is to reuse the same password. The human brain likes things easy and is lazy, so the name of grandmother’s dog combined with one’s own landline number is very tempting as a password. The risk of misuse of such a password, however, is very high. A big trend starts right here: using new technologies, it looks for ways to measure or identify the biological uniqueness of people and thereby enable secure recognition. The science behind it is biometrics.

The first solutions have long since spread into everyday life. Unlocking a smartphone via a fingerprint has made entering a code or password unnecessary for years. In the meantime, entire payment transactions are triggered by means of a fingerprint. Apple has determined an error rate of 1:50,000 for Touch ID (apple.de). With the birth of the new generation of smartphones, face recognition has become socially acceptable and works very well. With Face ID, the error rate of 1:1,000,000 on devices with an apple in the logo is still clearly below the rate of Touch ID. The appearance of the mouth, nose, eyes and ears as well as the individual head shape and other features are unmistakable in combination and are ideal for authentication. In addition to the techniques and procedures that have already appeared in everyday life, there are other possibilities that once sounded like science fiction but have now arrived in reality. In the search for distinctive human biometric features, a person’s voice is as unique as their appearance. Barclays Bank has recognised this fact for itself: customers can register via a voice scan, and as soon as a customer’s voice is heard in the call centre, the customer is automatically identified on the basis of numerous voice characteristics.

The method of voice identification ties in with another trend in the field of payment and banking: “Voice Banking”. Since Amazon’s Alexa, Apple’s Siri and other digital assistance systems have spread into the living room and simplified many things in everyday life, customers wish to manage their bank account by voice and to make payments almost by tongue.

Payment by “laying on of hands” is also no longer a utopia. Another method that can be used for payment procedures is the so-called vein scan. Customers of the British supermarket chain Costcutter can pay for their purchases with this new biometric procedure. The vein pattern of their fingers is scanned and linked to their bank data. At the supermarket checkout, the stored data is then compared with the scan data. The customer actually pays by a “laying on of hands”.

OSTHAVEN is convinced that biometrics will become an increasingly important topic in banking and payment transactions. The new authentication methods impress especially with their high security factor and convincing practicability in everyday life. Another trend in payment and banking is Artificial Intelligence (AI), known to many as the “new industrial revolution”. AI does not stop at the financial sector. Since banking is more about services than about a physical product, and personnel is a significant cost factor, it makes sense to use artificial intelligence to automate processes further. Thus, in the past few years, chatbot services have been introduced in direct customer contact at many institutions. With the help of a good AI solution, the majority of customer inquiries can be answered directly, around the clock, without human interaction. For banks there is a huge savings potential and more opportunities to increase customer satisfaction. However, AI is not only used in customer interfaces, but also in sales analysis. AI in combination with big data makes it possible to analyse and evaluate a customer’s data in a matter of seconds. In addition, we see possible applications of AI in fraud prevention or in individual product recommendations based on a comprehensive analysis of the customer’s financial position. In the financial industry in particular there is a wide range of applications.

It is obvious that there are many parallel technical developments in all areas of human life. The potential benefits and theoretical applications seem unlimited. In addition to individual innovations and the use of different devices in users’ daily lives, the networking of these different technologies will become increasingly important in the future. The Internet of Things describes the rapid growth of Internet-connected, intelligent devices; the networking of physical and virtual objects is in the foreground. In the target vision, these objects work together seamlessly through information and communication technologies. There will be completely new application scenarios for payment transactions. Imagine that every networked device can be used for payments and thus becomes its own, individual point of sale. It is conceivable that garage parking, toll fees and the petrol station bill could be paid contactlessly by means of the “Connected Car”. The driver can stay comfortably in the car and save the trip to the cash register or the ticket machine. What happens in this case to the petrol station shop’s sales? Car manufacturers, however, go one step further and change their business model by offering custom features, accessories and digital services in the connected car as “pay-as-you-go” services. The resulting opportunities for car manufacturers are enormous, as are the benefits of cost reductions and efficiency gains in production.

OSTHAVEN sees the increased customer demand for authentication that is as secure as possible yet unobtrusive as an opportunity to drive forward the banks’ own digital payment solutions. In the context of new technical developments such as AI and regulatory frameworks such as PSD II, which encourage the design of new products, innovative forces can be released from the traditional players on the market. What all approaches have in common, however, is that the “customer” and his need for simplicity remain the focus of interest and are the drivers of, or obstacles to, possible developments.



David Kruse


Senior Consultant


David holds a Master in Innovation Management & Entrepreneurship from the TU Berlin after completing his BSc in Psychology and a Master in International Business Administration from the University of Twente.


He worked as a product manager at orderbird AG, gaining experience in the area of iPad POS cashier systems at the interface to payment as well as in agile project and IT development. Before joining OSTHAVEN as a consultant, he worked as a product manager at the Concardis Payment Group, dealing with market and customer requirements for mobile payment and omni-channel solutions.

David Kruse - Consultant at Osthaven

Already during my studies, at orderbird, I came into contact with agile development and payment in the area of product development. At my second station, the Concardis Payment Group, I was able to deepen this knowledge in many areas. In addition, I got to know structured work in a large corporation. Now I can bring the best of both worlds to OSTHAVEN. I already knew all my colleagues from the beginning and immediately felt at home. At OSTHAVEN I am inspired by the direct and effective communication and by knowing that I work with absolutely dedicated support. Independent work here is not just a phrase.