Meeting The New Challenge Of Rolling Out PSD2 And SCA

Long before anyone had ever heard of the coronavirus or social distancing, eCommerce was slowly and steadily making progress and eating into the physical retail share of the shopping landscape.

As of the end of 2019, eCommerce was about 15 percent of total commerce, Ekata Vice President of Strategy and Operations Arjun Kakkar told PYMNTS in a recent conversation. Had 2020 been a normal year, it might have risen to about 17 percent by the time we were ringing in the New Year on Dec. 31.

The COVID-19 outbreak, Kakkar noted, has more or less strapped a rocket onto that growth, as consumers have rerouted their commerce, working and social lives onto digital channels as they ride out social distancing in their homes. And although some of that will ebb when consumers have the option to head back out into the world, not all of it will. Consumers are getting used to their new commerce behaviors, he said, and when the crisis is over, they might not be so quick to give all of them up. The coronavirus pandemic, for all its horrors, is going to be an opportunity for eCommerce merchants large and small.

Unfortunately, he added, data is already rolling in that indicates it will also be an opportunity for fraudsters and cybercriminals looking to take advantage of a target-rich field. And for all the brilliant modeling, artificial intelligence (AI) and machine learning (ML) technology we have to throw at the problem of fraud, he said, the good guys are operating at something of a disadvantage when it comes to detecting the scams that are to come. They simply don’t have enough historical patterns.

“There is no way to model here because you don’t know what’s the pattern as nothing like this has ever happened before,” Kakkar said. “Some of the methods will be different than what we are used to seeing, and we will not even know what those methods are until 60 to 90 days after they’ve started to appear.”

It takes that long to get feedback from consumers on credit card fraud.

It is a tricky environment worldwide for merchants, issuers and payment service providers (PSPs) in an ongoing arms race with fraudsters. It is even more tricky in Europe where the PSD2 Strong Customer Authentication (SCA) deadline looms large at the end of 2020 (after a significant delay of over a year). Officials have thus far remained firm on their March resolution that there will be no more extensions. That, Kakkar noted, is likely going to change given the magnitude of the disruption to the global economy currently unfolding amid the pandemic. But Ekata is advising its clients to keep charging toward the end of the year as though the deadline is unchanged.

That’s because, in the long run, PSD2 and SCA will strengthen and secure an eCommerce economy that is getting much bigger and much faster than anyone’s previous timetable indicated. The challenge will be navigating the short-term bumpiness that will ensue.

Building A New Balance

The challenge of fighting fraud, Kakkar said, is usually a question of striking the right balance between making it hard for fraudsters to get in while making it easy for customers to get through. While historically that balance has been something determined in-house, PSD2 and SCA are essentially setting a standard by which all transactions have to pass.

In the short run, he noted, that means more friction is likely coming to the consumer side of the journey, in the name of making the fraudsters’ journey more onerous.

“Whenever you are tightening up the fraud rates, usually you’re increasing the amount of customer friction, you’re increasing the amount of false declines,” Kakkar said. “These are not independent parameters. They are all tied together.”

And the short-term effects, particularly if consumers one day wake up and experience a much more friction-filled journey, will be a lowering of consumer trust. But, he noted, it is possible to get ahead of these problems right now such that they are leveraging the PSD2 SCA change not just as an opportunity to bolster security, but also to improve the customer experience.

The Three Pillars Of Navigating The SCA Switch

When Ekata talked to acquirers and processors in the field in Europe, Kakkar said, they came across two very curious data points. The first is that 80 percent of those they surveyed planned to use the upgrade as a strategic lever to gain advantage in the market. But, he noted, there is often a gulf between what firms say they are doing and what they are actually investing time and talent in.

“What we found is only about half are making the changes and developing the products that will help merchants meet the guidelines and improve the customer experience,” Kakkar said, noting that those who are walking the walk to go along with the talk are going to emerge in the post PSD2 SCA environment with a major competitive advantage over those who are merely talking about it.

But to really capture that advantage, he said, there are essentially three things, or three pillars, that every payments player in Europe needs to erect to support their efforts in this arena.

The first, he said, is basic hygiene — and making sure one is ready to nail down the requirements on day one, simply by knowing them and executing well. By way of example, he noted that the rules include tagging something called merchant-initiated transactions that allow a customer to go through the more friction-filled secure customer authentication once, but never again on subsequent transactions. Another example, he said, is building in biometrics, which meet authentication requirements but greatly speed up the process. For PSPs, he said, there is a significant opportunity to help their merchants out and help them set themselves up for success.

The second pillar, he said, is data sharing — and leveraging standards like 3D Secure 2 to make sure that issuers can see the maximum amount of data necessary to make the risker transactions comfortable enough to be approved.

“The third big pillar that I feel is perhaps the biggest differentiator is data and the specific way that data is used in something called Transaction Risk Analysis,” Kakkar said. “The important thing here to understand is that to make good transaction risk analysis models, we need to get better data and build better models. We strongly advocate using all the data that you have on the consumer and also use third-party data like Ekata’s to make better decisions. That’s the way to decrease your fraud rate while improving the consumer experience.”

It won’t be easy work, particularly for small merchants. While big players — the Amazons of the world — are doing all of those things in-house for themselves, small- and medium-sized businesses (SMBs) will need a lot of support and guidance from their PSPs, he said.

And while making a continent-scale shift to tightened fraud-fighting standards is likely not anyone’s first choice while also figuring out how to ford the COVID-19 calamity, in the long run, Ekata said it is a move that will pay off for the entire commerce ecosystem.

“PSD2 and SCA have strong intentions behind them — to make online commerce better and safer for the consumer,” he said. “And it is up to us as an industry to provide that.”