PSD2: The Elephant in the E-tailer’s Room
Many of the conversations about PSD2 and its online security requirements have revolved around the financial sector, with the implications for banking and increased scrutiny on FinTech being the main talking points. That focus is probably correct: when the directive comes into force, it’s expected to increase competition by opening up the payments infrastructure to third-party providers – allowing them to arrange payments for consumers and provide financial products.
PSD2 is undoubtedly going to have a major impact on the future of payments in the European Economic Area (EEA), says Stefan Nandzik, VP of Corporate Communications at Signifyd.
Yet, big conversations need to be had about the impact PSD2 will have on other industries. E-commerce heavily relies on the payment transactions which PSD2 aims to improve, so why is the sector skirting around it?
In fact, so little of the PSD2 discussion has revolved around retail that some merchants are still unaware that the regulation will apply to them, while others wonder just what the new rules will mean for their online operations.
So, let’s be clear: ignoring PSD2 will not make it go away. Neither will relying on the talk of delays for all or parts of the regulation beyond the regulation’s 14 September deadline -- though there will be delays and frameworks for compliance in the UK, as recently announced by the Financial Conduct Authority (FCA), and we expect that more jurisdictions will follow.
There is a sense of deja vu in European retailers’ reaction to PSD2. Remember businesses’ response to GDPR as its consumer-privacy requirements were barrelling toward them? It’s not that unfair to characterise some retailers’ GDPR strategy at the time as: “Let’s ignore it and hope it goes away”.
However, it didn’t and PSD2 won’t either. But just as forward-thinking enterprises embraced GDPR and turned implementation of the consumer protections into a competitive advantage, smart retailers have the opportunity to do the same with PSD2.
A winning PSD2 strategy requires rethinking what PSD2 is all about.
In order to turn PSD2 requirements into a competitive advantage, retailers need to find a way to provide seamless customer experiences while still measuring Strong Customer Authentication’s (SCA) three elements of possession, inherence and knowledge, ideally without ever prompting their customers to take additional checkout steps or turning over the checkout flow to the card brands.
The infrastructure that will tell the issuing banks that SCA has been completed — think 3D Secure — will be upgraded and improved, but the substance of the regulation and its requirements will be with us going forward.
Counting on the regulation’s burden to be eased by the EBA’s recent opinion, is not a winning strategy. Neither is looking for loopholes through exemptions, whitelists or convoluted payment paths that will move issuers or acquirers out of the EEA (the so-called ‘one leg out exemption’).
In fact, those aren’t strategies at all, if, for no other reason than the fact that none of the exceptions provided will help even the likes of Stripe, Amazon or Worldpay prevent conversion drop off.
A winning PSD2 strategy requires rethinking what PSD2 is all about. PSD2 is a long-term consumer protection initiative that requires innovation to make it seamless. It is not a problem looking for a quick fix. Workarounds that seek to be clever — relying on loopholes and half-measures — won’t make life easier for merchants or their customers. In fact, they will lead to more misery for both.
Nearly 48% of consumers told polling firm Survata, in a Signifyd customer experience survey, that they felt frustrated by checkout experiences that redirect them to another site for credit card verification, a feature of 3D Secure. The Baymard Institute found that 28% of consumers abandoned their carts because checkout took too long or was too complex.
Fortunately, the technology to build a successful and sustainable PSD2 solution, fully compliant with the requirements for SCA, is available today. Instead of banking on exceptions, retailers should fix the problems that don’t protect their customers’ payment information. Let’s break down an optimal system into its pieces.
SCA and its three elements of measuring possession, inherence and knowledge are at the core of the regulation applicable to retailers. It is also the focus of much of the anxiety around PSD2, because, for most retailers, SCA was considered to be part and parcel with 3D Secure, a safeguard that historically has led to cart abandonment and customer dissatisfaction.
The truth is, leveraging the three elements of SCA is an effective safeguard against fraud. SCA is powerful. It works. Requiring authentication based on something the consumer is (biometrics or behaviour, for instance), something the consumer alone knows (a password from before the transaction, for instance) and something the consumer possesses (a digital device as evidenced by a token, for instance), is a robust and secure method. Even if a fraudster breaches one of the three identifiers, that breach doesn’t compromise the other two identifiers.
The key development for retailers to keep in mind here is the EBA’s June opinion that rightly stated that implementing 3D Secure 2.0 is not the same as implementing SCA. (The protocol doesn’t even have the ability to pass information regarding the inherence element of SCA.)
The truth is, leveraging the three elements of SCA is an effective safeguard against fraud. SCA is powerful.
The EBA stated plainly in its 21 June memo that: “communication protocols such as EMV 3-D Secure version 2.0 and newer would not currently appear to constitute inherence elements, as none of the data points, or their combination, exchanged through this communication tool appears to include information that relates to biological and behavioural biometrics”.
The EBA went on to say that SCA purposefully allows for multiple “authentication approaches in the industry, in order to ensure that the regulatory technical standards remain technology-neutral and future-proof”.
We’ve looked at what’s in place and tested the existing protocol and its infrastructure. Authentication systems that rely on 3D Secure, with their communication among the merchant, gateway, at least two banks, the consumer and often back around again can take an eternity on the web — think 15 seconds or more.
And, of course, we know what an eternity on the web does to conversions — slow and cumbersome checkout processes are a conversion killer. Nearly 48% of consumers told polling firm Survata, in a Signifyd customer experience survey, that they felt frustrated by checkout experiences that redirect them to another site for credit card verification, a feature of 3D Secure. The Baymard Institute found that 28% of consumers abandoned their carts because checkout took too long or was too complex.
The way to completely sidestep the problems with 3D Secure as a protocol is to take ownership of SCA by building or buying a holistic approach to meeting PSD2 obligations. We expect that the best customer experience under PSD2 will involve a machine-learning-based SCA provider conducting dynamic fraud analysis for online retailers, then passing the SCA decision down the 3D Secure rails to eliminate delays in approval, minimise customer friction, and maximise authorisation rates.
Such a system, relying on a vast amount of transaction data, provides the right degree of scrutiny for each order to protect consumers and retailers from fraudulent credit card transactions while avoiding the added friction brought on by a one-size-fits-all, legacy 3D-Secure-powered system.
The holistic approach allows for nearly instantaneous SCA review and more accurate decisions based on the significantly more data processed by the system’s learning machines, as opposed to passing down that data all the way to the issuing banks and back. The system should have the added advantage of shifting all liability away from the merchant, onto the issuing bank in the case of 3D-Secure-authorised transactions, or onto the SCA provider for any transaction that would require a step-up or be declined.
While the details of this innovative approach to PSD2 are important, it’s the underlying approach that is vital to executing a successful PSD2 strategy. It starts with embracing the new SCA requirements rather than trying to avoid them through a pretzel of exemptions.
E-tailers who are planning to bank on exemptions to PSD2 will fail miserably as said exemptions are only sometimes applicable to small value baskets, and are ultimately dependent on the acquiring and issuing banks’ low fraud rates. And retailers can’t control either of these factors.
Embracing PSD2 gives back control to retailers, giving them a real opportunity to build a competitive advantage. When e-tailers take a proactive approach to the directive, it’s possible for them to implement a robust system which meets the aims of PSD2 whilst also maintaining the online customer experience. The future belongs to e-retailers who have the ingenuity and foresight to treat PSD2 as an opportunity, not as the elephant in the room.