PSD2 and Strong Customer Authentication – What's in Store for Merchants?
With the final pieces of the Payment Services Directive (PSD2) puzzle coming together, payments businesses are highly focused on meeting their compliance obligations. But the forthcoming changes will affect everyone in the payments chain – and it’s important for merchants and PSPs to understand the practical implications for their businesses and customer relationships.
The directive is intended to drive greater choice and security for consumers, and one of its key elements is Strong Customer Authentication (SCA). This is designed to reduce fraud and ensure consumer credentials are properly validated for all electronic payments. While the EBA's latest opinion paper does grant national competent authorities some flexibility in applying the new rules to PSPs, effectively opening a welcome window for a deadline extension, the entire industry remains focused on correct interpretation of the complex legislation and meeting the September 14 deadline.
Under Strong Customer Authentication, card issuers will be obliged to perform an SCA check for every electronic payment transaction unless it qualifies for an exemption. This SCA check is essentially a two-factor authentication process – and it has important implications for merchants.
Out of merchant hands?
Merchants cannot fend off the SCA requirement for card payments – because their bank will no longer have a free choice on whether or not to perform SCA. In cases where the issuer is required to perform SCA, the merchant must also support it, or the issuer is likely to soft decline the authorization request.
There are some ways around the process, but these are not steps that merchants themselves can take. A cardholder can apply to have a particular merchant ‘whitelisted’ with their card issuer, but the decision will ultimately be the bank’s. Similarly, issuers and acquirers may exempt low-risk transactions under €500 provided they maintain sufficiently low levels of fraud. To do this, transaction risk analysis (TRA) has to be in place to prove that fraud is being kept below set thresholds. It makes sense that issuers will look to apply the TRA exemption as much as possible to reduce friction in the checkout process, but this remains outside the merchant’s direct control.
Merchants must also be wary of fraud liability risks. For transactions that are subject to SCA, liability rests with the issuer or acquirer (whoever applies the exemption) if the transaction turns out to be fraudulent. But, in some circumstances, where an exemption is applied, acquirers will likely pass liability back to the merchant.
Finally, although PSD2 requires that fraud rates are assessed at the issuer or acquirer level, it is still important for each merchant’s fraud rate to remain low, to avoid pushing the issuer or acquirer’s overall fraud rate over the threshold. If that happens, every eCommerce transaction, regardless of amount and regardless of individual merchant performance, will have SCA applied and exemptions will not be allowed. This means issuers and acquirers are likely to come down hard on individual merchants who allow their fraud rates to rise.
Merchants can still protect their interests
Merchants need to continue to manage fraud to secure SCA exemptions and deliver a fast, simple payments experience to loyal customers. By keeping a firm grasp on fraud rates and knowing when and how to request exemptions, merchants can protect their businesses and help to ensure that the new regulations are a benefit, and not an impediment, to genuine consumers. Here are a few guiding principles:
- Don’t neglect fraud screening
Fraud screening remains vital for merchants to ‘de-risk’ transactions and protect customer relationships. Merchants understand the business and behaviors of their own customers better than anyone else – arguably, they are best placed to protect those customers from fraud. It isn’t enough to rely on issuers and acquirers to carry out risk analysis, any more than it is enough to rely on 3D Secure when authenticated fraud remains an issue for many merchants.
- Cover off the contingencies
Achieving low fraud rates can help merchants avoid scheme fines and build good relationships with acquirers. Merchants should actively engage with their acquirers to discuss their authentication strategy, pushing for the exemptions they want and ensuring there is a back-up plan or fallback position if customer authentication fails. There may be situations in which a merchant does not wish an available exemption to be applied, so the exemption strategy should be jointly agreed between the merchant and acquirer.
- Establish acquirer flexibility
Finally, some merchants may wish to negotiate with acquirers to implement transaction risk analysis exemptions for themselves and – in the future – we could see savvy merchants ‘cherry picking’ the acquirers that offer the best conversion, SCA strategies and commercials. The ability to easily switch acquirers, route transactions to acquirers with the best fraud levels, and negotiate acquiring services (and prices) will be increasingly valuable in a PSD2 world.
If you’re a merchant and would like to discuss the implications of PSD2 and SCA on your business, you can download a copy of our guide, or speak to one of our expert analysts for more advice: www.aciworldwide.com/strong-customer-authentication