The second Payment Services Directive regulation, known as PSD2, represents one of those generational changes for the world of European banking and transactions that inspires fear, dread and the human impulse to wait for greater clarity before taking decisive action towards compliance.
And while many of the stories of PSD2 fear and loathing have centered on the financial sector, another sector vital to economic health — retail — is confronting its own anxiety over the coming regulations.
In a March survey, Mastercard found that only 25% of online merchants in Europe were even aware of the Strong Customer Authentication (SCA) requirements contained in PSD2, and another defiant 24% of those surveyed said they had no intention of supporting SCA, despite the requirement.
Ignoring PSD2 will not make it go away. Neither will relying on the hope of permanent delays for all or parts of the regulation beyond the original 14 September deadline — though there will be temporary delays for enforcement in the UK, as recently announced by the Financial Conduct Authority (FCA). And we expect that more jurisdictions will follow as retailers and payment providers are simply not ready.
A winning PSD2 strategy requires rethinking what PSD2 is all about — it’s a long-term consumer protection initiative that requires innovation to make it work as intended. Relying on loopholes won’t make life easier for merchants or their customers.
The technology to build a successful PSD2 solution, fully compliant with SCA requirements, is available today. Instead of banking on exceptions, retailers should fix the problems that leave their customers’ payment information unprotected and provide a better defence against fraudulent actors.
The truth is, leveraging the three elements of SCA is an effective safeguard against fraud. Requiring authentication based on something the consumer is (biometrics or behaviour, or “inherence”), something the consumer alone knows (a password from before the transaction, or “knowledge”) and something the consumer possesses (a digital device as evidenced by a token, or “possession”), is a robust and secure method. For an effective SCA provider, even if a fraudster breaches one of the three elements required by SCA, that breach doesn’t compromise the other two identifiers.
Some keys to understanding the technology required to achieve the necessary level of authentication are available in the EBA’s 21 June Opinion, which rightly stated that implementing 3D Secure 2.0 is not the same as implementing SCA. (The protocol doesn’t even have the ability to pass information regarding the inherence element of SCA.)
The EBA stated plainly in its 21 June memo that “communication protocols such as EMV 3-D Secure version 2.0 and newer would not currently appear to constitute inherence elements, as none of the data points, or their combination, exchanged through this communication tool appears to include information that relates to biological and behavioural biometrics.”
The EBA went on to say that SCA purposefully allows for multiple “authentication approaches in the industry, in order to ensure that the regulatory technical standards remain technology-neutral and future-proof.”
Authentication systems that rely on 3D Secure, with their communication among the merchant, gateway, at least two banks, the consumer and often back around again, can take an eternity on the web — think 15 seconds or more. There is no better way to kill conversions.
The way to completely sidestep the problems with 3D Secure as a protocol is to take ownership of SCA by building or buying a holistic approach to meeting PSD2 obligations. We expect that the best customer experience under PSD2 will involve a machine-learning-based SCA provider that conducts dynamic fraud analysis for online retailers and then passes the SCA decision down the 3D Secure rails to eliminate delays in approval, minimise customer friction, and maximise authorisation rates.
This holistic approach allows for nearly instantaneous SCA review and more accurate decisions based on vast amounts of data processed across multiple retailers. The system should have the added advantage of shifting all liability from the merchant, either onto the issuing bank in the case of 3D-Secure-authorised transactions, or onto the SCA provider for any transaction that would require a step-up or be declined.
E-tailers planning to bank on exemptions to PSD2 will fail miserably, as the most commonly cited exemptions are only sometimes applicable to small-value baskets, and are ultimately dependent on the acquiring and issuing banks’ low fraud rates. Retailers can’t control either of these factors.
Embracing PSD2 gives control to retailers and provides a competitive advantage. When e-tailers take a proactive approach to the directive, it’s possible for them to implement a robust system which meets the aims of PSD2 whilst also maintaining the online customer experience. The future belongs to e-retailers who have the ingenuity and foresight to treat PSD2 as an opportunity, not something to be feared, dreaded or avoided.