Call it the chain of doubt.
When new regulations take effect, especially sweeping ones that impact eCommerce, at least some firms take a “wait-and-see” approach.
But as PSD2 looms, with new requirements for customer authentication, “wait and see” may hit merchants and other European firms right in the bottom line.
As Spencer McLain, vice president, EMEA at Whitepages Pro, told PYMNTS, data privacy regulations like GDPR and compliance mandates like strong customer authentication (SCA), which is part of PSD2, are reshaping the way companies interact with their end customers — and there are critical privacy and verification requirements that need attention for companies across all verticals, sooner rather than later.
As McLain noted, when it comes to privacy and GDPR for merchants, “at the end of the day, it’s about allowing consumers to exercise their rights under that regulation.” Those rights are fairly well-established now, a bit more than a year after GDPR went live. Consumers, he said, have the right to access the data an eCommerce company has on them, demand that the firms erase that data, modify it or stay informed as to how the data is being used and where it is being sent.
As McLain put it, GDPR represents an exercise in communication with the consumer, laid out through terms of service and pop-up boxes that enable the individual to opt in or out depending on the type of data being shared.
By way of contrast, regarding payments and merchants and PSD2, said McLain, “it’s all about customer authentication requirements.” As has been noted in this space, the open banking legislation means firms face a Sept. 14 deadline to put more stringent fraud decisioning processes in place, with strong customer authentication guidelines taking effect. SCA protocols must be built into checkout flows for online transactions that begin in Europe.
The impact may be felt relatively swiftly: merchants will start seeing declines on those European-based transactions unless the transactions are exempt because they fall under certain thresholds, or unless the merchant applies 3D Secure authentication methods to verify card-not-present transactions.
The threat of looming declines is there, and yet, as Mastercard found in a recent study, only 25 percent of European online merchants were aware of SCA mandates as of this spring. And a significant number, 24 percent, said they have no plans to support SCA — at least not ahead of the deadline. Separately, a study commissioned by Stripe and carried out by Fahrenheit 451 found that European businesses could lose as much as $57 billion in economic activity in the year after SCA debuts. That study found that only 40 percent of businesses aware of SCA felt prepared to meet its requirements.
Asked why there is a disconnect between action and consequence, McLain said there are varying levels of education as to what’s waiting in the regulatory wings. PSPs (payment service providers) and the issuers are fairly well-educated about the regulations tied to SCA, he noted, because they are the ones ultimately on the hook to be fined by regulators if they are not compliant.
“The PSPs could do a better job of educating merchants. I think we will see a lot more of that over the coming months,” he said.
The Chain of Doubt
But there’s also a chain of doubt in the system that needs to be overcome.
McLain pointed out that some merchants appear skeptical that the issuers will be ready for SCA, which makes them less likely to scramble to adopt SCA and other PSD2 requirements. “Merchants, like any organization, have a road map — and it takes a lot of IT resources to update their frameworks with their PSPs,” he said.
Initially, once SCA does take effect, PSPs might spring into action. Even if the merchant is not fully ready, “for transactions that are eligible for an SCA exemption, we might see PSPs apply for the exemption on behalf of the merchant,” said McLain. “It’s in the PSP’s best interest to minimize friction, even if the merchant isn’t there yet.”
As noted in this space previously, merchants can apply for a variety of SCA exemptions, the most prevalent of which are the fraud rate exemptions. If a PSP’s aggregate fraud rate is below certain thresholds, merchants that use that PSP can apply for an exemption. For example, transactions under €30 ($33.93) are for the most part exempt. Transactions between €30 and €500 are eligible for exemptions if the PSP’s fraud rate is below various thresholds, which vary with the transaction amount.
The Initial Impact
As McLain told PYMNTS, the greatest impact is likely to be felt by merchants that garner transactions running into the hundreds of euros — and thus retailers with higher-value transactions may see the most scrutiny and friction come September and beyond. In addition, retailers that get a significant portion of business from consumers transacting across mobile devices may see the impact of new frictions introduced into the checkout process. As McLain pointed out, 3D Secure 1.0 is less than optimal when used across mobile devices (and issuers have yet to embrace the second iteration of the protocol, dubbed 2.0).
Ultimately, the impact is not just about declines, but also about conversions, as sales may drop out of a retailer’s funnel, said McLain. Picture the European citizen who is walking to work and transacting across a mobile device when two-factor authentication is suddenly demanded, or the individual is asked to log into their bank account.
“The high euro transactions and the mobile environment are going to be the areas where merchants feel the pain more quickly than others,” McLain predicted.
Thus, the pursuit of a frictionless experience may bring merchants quickly to 3D Secure 2.0, as it carries more than 100 data elements that aid in authentication (along with consumer-chosen ID methods, such as biometrics), whereas 1.0 only has roughly a dozen data elements.
The Impact Beyond Europe
As PSD2 and GDPR reshape eCommerce on the continent, there’s no avoiding a ripple effect on these shores. There are parallels between what is happening in Europe and what might transpire in the States. As McLain noted, the impetus for GDPR stemmed from the fact that several European countries had been creating their own data privacy laws, and the European Union opted for a comprehensive framework.
In the United States, he predicted, over the next five years, “we’ll see more states implementing these privacy laws, and then we will see the U.S. federal government as a whole doing the same thing the European Union did, which is to create a larger privacy scheme.”
Some companies, McLain said — especially some larger Fortune 500 firms — have been proactive in this regard, applying relatively conservative approaches to data management that anticipate what states (and, later, the federal government) may mandate in the future.
McLain predicted a geographic shift similar to what was seen in recent years with card-present fraud — namely, as fraud gets harder to pull off in Europe, the bad guys will ply their trade elsewhere. “Maybe some of them will hang up their laptops,” he said, tongue in cheek, “but this is their job” — and so they will try to exploit weaknesses elsewhere.