As PSD2 Looms, SCA Waits In The Wings

Across the pond, eCommerce is about to weather a sea change that begins in September. PSD2 is almost here, and with it Strong Customer Authentication (SCA), which governs online checkout for CNP transactions. Spencer McLain, Whitepages Pro VP of EMEA, delves into who is ready (and who is not) to tackle SCA — and why ripple effects may touch our own shores here in the U.S.

Europe’s sea change in transaction security will have ripple effects on U.S. shores as well, as the Strong Customer Authentication (SCA) guidelines take effect in September. Simply put, SCA, which bows with PSD2, is required to be built into checkout flows for transactions that originate in Europe. If payments are deemed non-compliant with SCA, issuers and banks will reject payments (except in certain cases, which we’ll get to in a moment).

To that end, Spencer McLain, VP of EMEA at Whitepages Pro, said that as stakeholders in the payments ecosystem move closer to September, acquirers stand largely ready, and others less so.

“From what we’ve seen, most merchants are still not focusing on SCA,” he said, though they may be aware of its tenets.

There’s at least some semblance of a silver lining here: Most of the heavy lifting tied to authentication will be borne by the merchants’ service providers, including primary acquiring payment service providers (PSPs). He said larger merchants have been working with acquirers and card schemes to minimize the friction that might be experienced by consumers — where the friction would stem from transactional risk analysis (TRA).

Against that backdrop, he noted, these merchant partners are doing customized PSD2 work specific to transaction analysis, and may commercialize it for the rest of the eCommerce ecosystem.

“Every acquirer I talk to is hyperfocused on getting ready for PSD2,” he said, and a lot of that involves supporting the newest version of 3D Secure, the technical standard created by Visa and Mastercard that helps secure [card-not-present (CNP)] transactions done online. From an acquiring perspective, he told PYMNTS, at least those links in the payments chain stand ready for PSD2 (in past discussions with PYMNTs, McLain has delved into who isn’t ready for PSD2).

The Three Elements

In terms of mechanics, as noted by Whitepages Pro, SCA should include at least two of three elements: something the customer knows (e.g. a password or PIN), an item the customer has (e.g. a phone or hardware token) and/or something the customer is, or a biometric identifier (e.g. fingerprint or face recognition).

When asked by PYMNTS as to which of the elements might represent “low-hanging fruit” for gauging transaction risk, and approving transactions with the least amount of friction, he pointed to the fact that most everyone has a phone, which are increasingly wielded in CNP transactions. With two-factor authentication and a password, the “what you know” requirement is satisfied, and the device itself, of course, satisfies “what you have.” In addition, he noted, the growth in biometric features housed within phones (through fingerprint or facial recognition) can satisfy the “something the customer is” requirement.

The Quest To Avoid

In the quest to offer the most seamless transactions to the end users, ensuring that sales are completed and revenues get a boost, it makes sense that merchants would seek to avoid the SCA whenever possible. There are exemptions in place, noted the executive, which can be requested by merchants that show evidence of low fraud rates. For example, transactions under €30 ($33.93 USD) are exempt, while merchants with fraud rates between one basis point and six basis points for remote, card-based payments are also exempt.

“The transactions that are most at risk of being rejected are the ones that are [exempt] from SCA,” McLain told PYMNTS, and he estimated that a range of €100 and €500 would most often be scrutinized.

To catch fraud more efficiently, he said the issuers must examine all the supplemental data about what is on offer, all that can be captured and examined. For the 3D Secure protocols (the 3D refers to the issuer, acquirer and processing network), there is an “order of magnitude more data” than ever before moving through the rails. The issuers will be able to boost approval across the transactions that fall into “buckets” that are exempt from SCA.

Gaming The System?

McLain noted that some industry observers are concerned that acquirers might “game the system” (even in an environment where it is rare for acquirers to reject transactions on behalf of a merchant), and create two of the aforementioned transaction buckets. Those buckets could conceivably be segmented into merchants deemed as risky and, well, not risky. The less-risky bucket would get the exemptions, McLain theorized.

By and large, he said it is far likelier that acquirers will invest more heavily in technologies, such as machine learning, and outright decline transactions before sending them down to the issuers to try to maximize exemptions for the rest of their network. He also observed that, in years past, PSPs invested in machine learning and risk modeling to help merchants make better decisions. More recently, these same PSPs have focused on core competencies, which include enabling payments and outsourcing fraud-related services.

What Issuers Need To Do

Elsewhere in the eCommerce continuum, said McLain, issuers are arguably the slowest-moving pieces in the ecosystem.

It is possible, he told PYMNTS, that issuers are “just going to check the box” and do the bare minimum needed to comply with PSD2. To gear up for a changing payments landscape, he said, issuers should be gathering data and making sure they are complying with GDPR, and that “they’re at least storing all of this supplemental data so they can do some analysis on it in six to 12 months.”

What We Might See

PYMNTS asked what we might see as PSD2 takes shape across the pond, and what ripple effects may be felt in the U.S. McLain said big card schemes — Visa and Mastercard are primarily working with regulators to interpret transaction risk analysis, with the possibility of building out risk scoring systems as a way to address exemptions.

“I think, between now and September, if everything goes well,” said McLain, “we might see the regulators add more opportunities to get exemptions by emphasizing the [data] and intelligence that the merchant and the card scheme have built into transactions,” which can be shared across rails — even though such activities are not yet codified through regulations. Payment providers, he added, are increasingly global in their reach.

“We’ll see some semblance of consistency in regards to the service offerings,” he told PYMNTS. “I think we’ll see, over time, the U.S. market adopt similar regulations to the GDPR and PSD2 at some level. I think it can take a few years … and I think that there’s ambiguity there that does need to be sorted out.”