PSD2 compliance challenges continue to roll in, with strong customer authentication (SCA) requirements headed merchants’ way next month.
This month’s PYMNTS PSD2 Tracker explores the biggest challenges around SCA, not least of all is a lack of awareness among sellers. That can lead to confusion and misunderstandings, with the latest analysis from Ekata revealing 25 percent of merchants across the European Union unaware of the upcoming SCA requirements. So far, only 40 percent of EU merchants say they are ready for SCA.
According to PYMNTS, that could be a costly mistake: the estimated cost of SCA noncompliance is about $55.8 billion.
As Peter Robinson, EuroCommerce payments adviser, told PYMNTS in the PSD2 Tracker, businesses are looking toward their card acquirers to fill the education gap.
“With the deadline fast approaching, merchants are largely dependent on their card acquirers to inform them, liaise with them and help them achieve compliance to whatever the requirements are,” he said.
Clearing Up The Confusion
Key to understanding SCA requirements is clarifying which transactions are exempt from them. As the PSD2 Tracker notes, card issuers have the final say in deciding which transactions are exempt.
Called transaction risk analysis (TRA) exemptions, exempt transactions are considered to have extremely low fraud risks, with experts pointing to the opportunities for machine learning and other intelligent technologies to enhance the sophistication of risk analysis.
According to analysis from Aphix Software published last week, there are several categories of transactions that are automatically exempt from PSA requirements, including payments below €30, subscription payments of a fixed value, and, importantly, commercial card payments.
But as an April report from Edgar, Dunn & Co. explained, the U.K. Financial Conduct Authority recently published SCA compliance guidance that noted EU’s PSD2 regulations leave it up to national authorities to determine whether corporate payment service protocols meet the threshold of security required under SCA. Payment service providers must ensure their security is equivalent to SCA requirements in order to be exempt, and that includes corporate payments — so long as local regulators concur.
According to the FCA, virtual corporate cards used within access-controlled corporate travel management or corporate procurement systems would assumedly qualify for that exemption.
However, the watchdog said, p-cards and B2B transactions aren’t necessarily all exempt.
“In our view, the use of physical corporate cards issued to employees for business expenditure in circumstances where a secure dedicated payment process and protocol is not used … would not fall within the scope of this exemption,” it said in its guidance, according to Edgar, Dunn.
Further, if payment service providers wish to exempt corporate payments from SCA requirements, they must provide a comprehensive risk assessment and outline of risk mitigation measures to the FCA each year at least three months before the exemption can be applied.
Separate reports in Cash & Treasury Management File in 2017 pointed to the European Banking Authority’s comments on the matter that support the exemption for corporate payments initiated from a dedicated corporate payments process or protocol. However, that does not automatically exempt all B2B payments.
“The EBA understands the exemption as focusing on specific existing practices involving business-to-business and machine-to-machine payment transactions using specific protocols, rather than as an exemption for all corporate transactions,” the EBA said in a statement at the time, according to reports.
Considering the lack of awareness and clarity around SCA requirements, it’s not surprising that the effect of SCA on corporate transactions would similarly lack clarity. What is clear is that in order for any transaction to qualify for an exemption, it must meet the fraud mitigation threshold that SCA requires nonexempt transactions — and that includes corporate transactions.