The second Payment Services Directive (PSD2) groundwork laid out in 2016 is about to come to fruition in a few months – Sept. 14, 2019, to be exact. The deadline is looming for merchants and payments providers to comply with new requirements for authenticating online payments in Europe.
Firms must soon put more stringent fraud decisioning processes in place, and strong customer authentication (SCA) protocols must be built into checkout flows for online transactions that begin in Europe.
While regulatory and governmental bodies are still debating PSD2’s full reach, the latest PSD2 Tracker looks at how retailers are approaching SCA as they face potential losses under the rule.
In a recent Mastercard study, it was revealed that only 25 percent of online merchants were aware of SCA requirements, and of that group, 24 percent said they have no plans to support the requirements by the deadline.
Dragging their heels could have serious financial implications, according to a separate study by Stripe. Per these findings, European businesses could lose as much as $57 billion in economic activity in the year after SCA debuts. Additionally, only 40 percent of businesses aware of SCA felt prepared to meet its requirements.
Spencer McLain, vice president, EMEA at Ekata (formerly Whitepages Pro), explained why he thinks there has been a disconnect among European merchants. PSPs (payment service providers) and issuers are up-to-date on the regulations tied to SCA, because they are the ones ultimately on the hook if they are not compliant. “The PSPs could do a better job of educating merchants,” he said. “I think we will see a lot more of that over the coming months.”
The cost of compliance has also been a potential barrier for many merchants, which has motivated some to partner with third parties to meet compliance regulations.
For example, U.K.-based eCommerce marketplace OnBuy is partnering with players like PayPal. Cas Paton, OnBuy founder and managing director, discussed the challenges of SCA compliance in an interview with PYMNTS.
“The new [SCA] legislation highlights the importance of working with the right payment solutions that invest in [user experience] and ECR optimization,” he noted. “Customers will need to complete extra information to [make a] purchase, but it’s made clear that this additional requirement ultimately protects them.”
OnBuy is using PayPal for Marketplaces to integrate SCA and PSD2 compliance measures into its platform.
Regulations like GDPR, which give customers a greater say over how their data is used, have already been changing the customer relationship. “GDPR, to us, is less about rules and more about a standard of how businesses should handle, store and be accountable for customers’ information,” said Paton.
These new regulations potentially benefit customers by giving them control over their data, but lost in discussions about merchant unpreparedness is how much consumers are aware of PSD2’s impending enactment.
Ultimately, the impact is not just about declines, but also about conversions, as sales may drop out of a retailer’s funnel.
In a survey of European consumers by FICO, it was discovered that most have heard something about PSD2, but many were unaware that they could expect to see more demands for authentication in the near future.
Additionally, a majority thought there were already too many security checks regarding card payments.
So, are their grounds for retailers’ fears about potential losses due to SCA?
To some degree. When consumers were asked what action they would take if pushed to provide a mobile phone number to authenticate payments, a majority (53 percent) said they would provide it, while 11 percent said they would refuse and wait to see what happened, and 11 percent would refuse and look for a new provider.
This reluctance underscores the importance of not just educating merchants about SCA, but also consumers.
Some merchants have been exploring possible exemptions to SCA, which could be granted in cases of subscriptions and low-risk or low-value transactions. Customers might also be given an option to whitelist a trusted business, so authentication wouldn’t be required for future purchases. These businesses will be included on a list of “trusted beneficiaries” maintained by the customer’s bank or payment service provider.
Rob Eleveld, CEO of Ekata, recommended creating better online user experiences and personalized payment choices that reduce the need for SCA. “Excellent user experiences inspire consumer trust, and is the path to the ‘trusted beneficiary’ status under PSD2,” he said.