The Payment Services Directive, or PSD2, will have a major impact on determining the scope of fraud, which will require retailers and payment service providers to step up their security risk management.
Retailers and their PSPs will not want to exceed specific fraud levels to minimize the impact of Secure Customer Authentication on customers. Advanced fraud systems, using the latest machine-learning technology, will achieve this, but retailers and PSPs need robust reporting in place to provide reassurance on fraud levels and early warning about trends that are going to take fraud levels in the wrong direction.
To meet this exemption, institutions will need to report on at least a quarterly basis on performance against the reference fraud rates, total value of fraudulent payment transactions compared with the total value of all payment transactions, segmented by several factors.
The reporting figures and methodology needs to be assessed by auditors and shared with regulators upon request. But the Secure Customer Authentication reporting is based on the same terms as fraud reporting, we have already covered, and therefore leaves itself open to the same misinterpretation and ambiguity among PSPs. This ambiguity is likely to be much more of a differentiator as it could impact on the ability for a PSP to apply exemption from SCA on certain transactions or not.
Two stated objectives of the EBA for PSD2 were to make the playing field for payment service providers (including new players) more level and to make payments safer and more secure.
The highlighted issues show that for fraud reporting at least, and potentially for SCA, these objectives may be under threat.
To reduce timescales, effort and error in producing reports, retailers and PSPs need a robust solution that can link directly with the fraud solutions detecting fraudulent activity.