The rollout of PSD2's Strong Customer Authentication (SCA) has been a bit bumpy, to say the least. A year ago (when the rollout was still officially on the calendar for September of 2019), merchants, acquirers and issuers all over the European Economic Area (EEA) were widely confused over what the new regulations entailed, and how exactly they were supposed to prepare for them.
As the Sept. 14 deadline grew close, it became obvious that the European commerce ecosystem as a whole was not ready for the change. In response, the Financial Conduct Authority (FCA) changed course, and agreed to a phased implementation of the SCA rules that would span an 18-month period.
The change, according to an FCA press release, “reflects the recent opinion of the European Banking Authority (EBA), which set out that more time was needed to implement SCA, given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers.”
That time, Ekata Vice President and General Manager of EMEA Spencer McLain told Karen Webster in a recent conversation, is sorely needed because, “in general, merchants aren’t ready.”
The issue, he said, isn’t lack of interest or awareness that SCA is looming. Transition issues are common in major regulatory changeovers, something recently demonstrated by the GDPR rollout. However, what sets SCA apart is how narrow the margin for error is upon implementation — on day one, any lack of compliance with the pre-authentication guidelines will result in declined transactions, something that no European merchant wants.
“They’ve done all the initial preparation work, and they know that this is getting done and that they need to be ready for it,” McLain said, noting that actually getting there in terms of readiness will be a collaborative effort, both in Europe and beyond.
Marshalling The Data
If one looks back at the recent history of GDPR, McLain said, in the early days, there was a knee-jerk reaction to try to tie down data, and keep it in-house as a protective measure. The exact opposite must happen in the switch-over to SCA, though. Today, there is relatively light data sharing between merchants and acquirers — only what is absolutely necessary for post-authorization. What merchants must do now is take a deep inventory of what they are currently sharing with their payment service providers (PSPs), and figure out how to widen that data channel.
“Merchants should look at the data they have in-house, make sure it is clean and constantly available in a consistent manner, with embedded validation so it can be shared with a PSP [that] can use [the] data to do the transactional risk analysis required by SCA, and pass a recommendation along to the issuer,” McLain said.
That recommendation sounds simple and direct, he noted. However, it can, in fact, be tremendously challenging operationally for many merchants, and can take a rather significant investment of time and talent.
What tends to get lost in the discussion of the compliance costs, he said, is the opportunity built into them. The long-term potential of the pre-authentication paradigm created by SCA is that, as data aggregates over time, overall approval rates for digital transactions go up. That is why many larger merchants have already switched over to this model, entirely independent of the regulatory changeover.
“When we look at the merchants already using it, and all of these regulations, the changes we are seeing are really around one common goal, which is to increase authorization rates,” he said.
The changeover, however, and the ability to discern patterns around fraud rates and merchants, will take time. The short-term issue that causes more concern is friction, he noted, and the hit that the customer experience will take as the time to transact goes up in a pre-authorization world.
The friction in the consumer experience, McLain said, is a relevant — but often overstated — concern in the process. For example, European consumers as a whole aren’t quite as averse to it as their American counterparts. In the Netherlands, where he lives, to transact online with a debit card, one is required to insert a card into a device, and input a series of codes back and forth on a website to purchase items.
That, he noted, is considered a normal operating procedure among the Dutch. Therefore, the idea that European citizens would suddenly be frightened off en masse because of a five-second wait to authorize their transactions is probably overblown.
There are, however, concerns around friction. A smoother experience will persuade consumers, he noted, so large, frequently visited merchants like Amazon enter the process with an advantage: They interact frequently with their customers, and are likely to be whitelisted by consumers under a trusted merchant exemption that allows them to bypass SCA with a large number of customers. That edge with customers is relevant over time, and merchants must be mindful of it.
Moreover, he noted, large global firms build to global regulations, which means that, though it isn’t the law of the land in the U.S., it will start to influence the commerce journey of American consumers. That means a friction conversation that isn’t quite relevant now — as this is largely a European concern — could easily become more relevant as it has a greater effect on global commerce.
“It is when it starts to creep into the U.S. that the friction question will start to have a much bigger impact on the conversation,” he said.
There are many more conversations still to be had, he added. Merchants and PSPs need to work together — which means, practically speaking, that PSPs must become much more direct in their guidelines on what merchants need to do specifically to prepare.
Issuers remain a major wild card in this equation, he noted, particularly smaller ones, as there is a legitimate concern that they won’t be ready by the end of 2020. If past implementations are a guide, McLain told Webster, large issuers will likely be ready to go by the end of the implementation extension. However, their smaller and even medium-sized counterparts are far more of an open question — and that will have real consequences for commerce when PSD2's SCA goes into effect.
“It could be another year after the full launch of PSD2 before we actually have the majority of issuers in line and taking it seriously,” he said.