PSD2's identity requirements are the toughest hurdle for merchants
There have been major efforts by the card schemes, issuers and acquirers to get ready for the Strong Customer Authentication deadline in Europe, a tricky and challenging compliance challenge.
As of Sept. 14, 2019, merchants will have to adapt to Strong Customer Authentication (SCA), which aims to increase payment security and protect sensitive consumer payment data. SCA is a requirement under the PSD2 directive which came into effect in January 2008.
Over the last few weeks, the European Banking Authority (which wrote the rules) and some national regulators (which have to enforce them) have recognized that there remains a big risk of disruption for merchants and consumers—and are considering various ways of mitigating this. Merchants need to know what their options are, and how they can best navigate this step change in the industry.
The updated requirements of the PSD2 mandate present both challenges and opportunities for merchants. The directive includes several new requirements, but SCA stands out as the most significant for many online merchants.
SCA, often known as two-factor authentication, requires merchants to validate that the person making the purchase is who they say they are. It involves the use of two out of three authentication factors: inherence (something you are, like a fingerprint), knowledge (something you know, like a PIN), and possession (something you own, like a mobile device). In general, merchants will now need to authenticate all electronic transactions, though there are some important exceptions that can significantly impact both payments processes and current fraud trends.
The most common method for achieving this authentication, in the e-commerce space, will be via EMV 3D Secure (3DS). This authentication specification enables merchants to authenticate customers by providing details to the card issuer, who then confirms the authentication. One widely used aspect of this method is the “step-up,” i.e. having the cardholder provide an answer to a challenge question, enter a code on a pop-up window or authenticate in another way. Also, many of the most useful exemptions, such as where consumers can "whitelist" merchants (i.e., say they don’t want to have to apply SCA for every transaction from that merchant), also will be enabled through 3DS.
Here are a few things that merchants should be aware of before SCA goes into effect:
Shift to mobile payments. Given that smart mobile devices can easily accommodate two factor authentication by virtue of the fact that fingerprint or retina scanning is simple and widely used already, we expect to see an increase in customers shifting to mobile payments. This will allow them to more seamlessly transact without the interruptions caused by step-ups to challenge questions/PINs.
Fraud will migrate to out-of-scope transactions. Primarily, out-of-scope transactions include non-European Economic Authority (EEA) issued cards, non-EEA acquired merchants, and certain types of transactions (mail order/telephone order). While not being required to authenticate these transactions can help prevent disruptions to the checkout process, it is expected that fraudsters will increase their focus on these specific transactions. Identifying suspicious activity will be especially important when processing out-of-scope transactions.
Exemption management. Under SCA, there is some relief from authentication requirements through several exemptions. Merchants can request exemptions based on such things as low-value transactions, low risk transactions (based on either the issuer or acquirer fraud rates) and being a whitelisted merchant (customers can indicate during the 3DS process that this is a trusted merchant which will significantly reduce the likelihood of a step-up challenge on future transactions). Having the ability to identify these types of transactions, and utilizing a dynamic 3DS-enabled solution to manage them, will become powerful tools through which a merchant can ensure that it is providing both the most streamlined customer experience at checkout, and minimize cart abandonment.
Even though the challenges of SCA are significant, those merchants who understand the regulatory complexities and also ensure they have the right processes and solutions in place will likely see a reduction in their fraud rates. They will also probably offer consumers less friction at checkout, and benefit from the liability shift provided through the use of 3DS.