How New Authentication And Privacy Regulations Affect Retail

How are European Union (EU) merchants and payment providers faring one month post-strong customer authentication (SCA) implementation?

According to a study by Barclaycard, some of the fears about false declines due to SCA were unfounded. There were no increases in transaction declines or abandonment within the first two days that SCA was active.

The latest PSD2 Tracker analyzes the impact of SCA in its first several weeks, as well as how merchants, PSPs, banks and other members of the EU payments and eCommerce worlds are responding.

Pressure was relieved to a degree by some regulators inside the EU extending the amount of time that online retailers and partners have to adjust to the new rule.

A recent survey found that 31 percent of businesses said the biggest SCA challenge was dealing with the technical complexities around new regulations; in second place, at 23 percent, was the impact on the client experience.

Despite some of SCA’s challenges, PSD2 approval is relatively high, with 72 percent of U.K. institutions reporting that the regulation represents an opportunity for further growth.

The Retail Perspective 

SCA’s deadline passed with little fanfare and a lot of hand-wringing for EU eCommerce participants. In fact, payment service providers (PSPs), banks and merchants that deal with online transactions still have many compliance questions, and businesses and consumers aren’t necessarily on the same page.

According to a new survey of consumers and retailers in the U.K., Germany, France and Spain, 88 percent of retailers believe consumers are “somewhat” or “very aware” of PSD2.

Yet 76 percent of consumers say they have never heard of PSD2. Additionally, roughly one-third (32 percent) of European consumers say they would rather cancel their online purchase and go elsewhere than go through PSD2 verification measures. More concerning is that 22 percent of retailers have yet to take any steps to minimize the negative impact of PSD2 on their revenues.

Some of the disconnect might stem from complex requirements. In an interview with PYMNTS, Nicolas Adolph, chairman of the European Association Of Payment Service Providers For Merchants (ESPM), explained how merchant response to SCA has been slow and a little challenging, as many EU merchants still do not fully understand the rule’s implications.

Retailers might need guidance on variables like how SCA applies to cross-border transactions, which version of 3D Secure to implement and how to manage exemptions.

And a full rollout could possibly take longer – especially for the travel and hospitality industry, which might have complex IT systems and many partners.

All online transactions over €30 ($33 USD) are subject to SCA, which means customers and merchants alike will be spending a lot more time authenticating purchases. Mobile authentication provides necessary convenience to the process, but there are still kinks to work out.

“The retailers that can provide the best SCA-less or low-friction SCA experiences are the ones that will convert more payments and retain more loyal customers,” said Dan Jiao, payment risk solutions manager at Ekata.

Lessons from GDPR

Many businesses are still adjusting to the General Data Protection Regulation (GDPR), a framework implemented in 2018 that sets guidelines for the collection and processing of personal information from consumers who live in the EU.

GDPR has changed how companies approach data collection and services, which could serve as a model for handling SCA. A recent study found that 80 percent of companies were having difficulty implementing GDPR’s data privacy and security requirements, and 54 percent said integrating such changes took longer than anticipated. Only 38 percent achieved compliance before the 2018 deadline, while around one-third (31 percent) say they will achieve compliance sometime in 2019.

The regulation is having effects on security concerns for a number of industries, with another recent study finding that 58 percent of marketers stated it has affected their approaches.

While PSD2, SCA and other regulations affect EU businesses more than U.S.-based companies, 46 percent of U.S. companies said GDPR compliance has helped to define strategies and approaches to compliance in light of upcoming California Consumer Privacy Act (CCPA) and other state privacy laws.