Are Merchants Ready For PSD2 And SCA’s 150-Millisecond Learning Curve?

PSD2 will change – indeed is changing – online commerce in Europe and beyond. In a podcast with PYMNTS’ Karen Webster, Rob Eleveld, CEO of Whitepages, took note of how PSD2 and its strong customer authentication (SCA) guidelines (which take effect in September) will shift checkout flows for transactions in Europe.

Some verticals, such as online travel companies, will be impacted more visibly, and perhaps earlier, than other niches, he said.

As has been well-documented in these digital pages, SCA mandates that some 300 million consumers will need to confirm their identities for most of their online purchases using two of the following: something they know (e.g., a password), something they possess (e.g., a phone) or something they are (e.g., a fingerprint).

 

Writ large, said Eleveld, the payments industry will likely see card-not-present fraud shift from Europe to more distant shores, where less strict authentication processes are in place. We might see a repeat of what happened when chip and PIN debuted in Canada and Europe, where fraudsters moved to easier channels, such as online. Geographically speaking, in a post-PSD2/SCA world, eCommerce fraud may shift, he said, to places like Latin America and the Asia Pacific region.

Sea Change for Travel Firms

Drilling down a bit, one vertical – online travel – is instructive in showing how PSD2 may give rise to a whole new way of thinking about risk and authentication. As PSD2 takes effect, travel companies will most immediately see an impact, as there is a ban on surcharges tied to card-based transactions.

Eleveld said the ban on surcharges is an action that reflects the mindset of PSD2 – one that seeks to “level the playing field so that innovation can happen, [and so] big players cannot effectively crowd out the market of smaller players.”

Surcharges were initially just meant to cover the interchange rates an acquirer has to pay to an issuer for authorization – and where that cost was passed through the chain of commerce itself. The acquirers pass on those interchange rates to their merchants, and then the merchants pass them onto their customers.

The ban, said Eleveld, ultimately is “going to affect the behavior of travel companies. Every time they submit a transaction, they are going to bear the cost of the interchange payment” – and thus will be careful not to pass along a transaction that will be declined at the point of authorization. In the event of such a decline, said Eleveld, the travel firm will have to bear the cost of that interchange and will not be able to pass it along.

“This is going to move more eCommerce companies – starting with travel companies, given the direct impact – to assess things, including pre-authorization of the payment, as opposed to post-authorization, which is traditionally where these eCommerce companies’ merchants have looked at decisioning,” he told Webster.

Against that backdrop, illuminating, say, the (hypothetical) 5 percent of transactions that might not pass muster early in the payments process will help save money (in the form of those interchange costs).

“And it will also reduce fraud rates in terms of basis points, which the PSP (payments service provider) is going to be happy with,” Eleveld told Webster. As was noted during the podcast and has been explained through other PYMNTS coverage, merchants (and PSPs) benefit from low fraud rates, as they can get SCA exemptions. For example, transactions under €30 ($33.93 USD) are exempt, while merchants with fraud rates between one basis point and six basis points for remote, card-based payments are also exempt.

Those exemptions, joked Eleveld, tongue in cheek, “are tattooed on the foreheads of risk management teams at the merchant and the payment service provider levels … They will be deciding upfront what they want to pass through or what they want to send along to authentication” through 3DS 2.0, which he termed “one of the main ways that merchants meet SCA standards.”

The PSPs will reward merchants that are more vigilant about which transactions they pass through, he said, and those same PSPs will blacklist the merchants that are less vigilant, making it more expensive for them to do business.

If the process of decisioning during payments flows will change, what might be the ripple effect experienced by consumers? According to Eleveld, the supposition is that, at least for online travel customers, they will pay less. The jury is out on that eventuality, he said, noting that in the absence of surcharges, travel companies may just elect to jack up their ticket prices a bit.

But for eCommerce activity in general, the overall consumer experience is not likely to be impacted much, he pointed out, save for the marginal or first-time consumer who may see a bit of friction early in their relationship with a travel merchant.

As Eleveld noted, the companies in the travel space – and well beyond that vertical – are likely to be a bit more vigilant about assessing the risk upfront in a transaction.

On a grander scale, and as PSD2 and its mandated SCA become law in Europe, “at the ground level, you are going to see more precision in every risk decisioning system,” said Eleveld.

The 150-Millisecond Rule

That precision will be driven by machine learning models, and not the rules-based systems that are so pervasive in combating fraud, he pointed out. Speed is of the essence here, as there is a 150-millisecond requirement window when it comes to decisioning (defined as decisioning in a pre-authorization setting).

The 150-millisecond requirements are in place, but are the merchants ready? Said Eleveld: “There’s going to be a learning curve. Some of the merchants are ahead of the curve, and most of them aren’t” ready to make the call – in 150 milliseconds or less – whether to send a transaction to authorization.

“That is not a trivial change,” he said, because eCommerce is rooted in an age where manual review of transactions has dominated.

“Everyone knows that … two-factor authentication and extra forms … all can affect conversion rates,” Eleveld told Webster. “Everybody in the chain is going to work through the SCA requirements while introducing as little friction as possible inside the operating envelope of PSD2.”

Amid this learning curve will come the opportunity for innovation. “A lot of that innovation will be on technology that already existed, but there was not yet a business driver to implement it,” he said. Before, noted Eleveld, there may not have been much focus on the friction inherent in the signup process, but that’s changing.

“What we’re starting to see,” Eleveld said, in reference to a shift in eCommerce mindset among merchants and providers, is “‘hey, we might want to check who is signing up first,’ as a first line of defense.” Getting consumers at scale and whitelisting them is a process that will take time and education, he noted.

One upshot: Friction may diminish as merchants gain a better handle on their end customers and as whitelists grow alongside pre-authorization. Eleveld said there may even be “financial incentives” in place to get consumers to create accounts or use a particular card on file. “I can see a much quicker path to transactions done at scale” in such scenarios, he noted.
