PSD2 and Strong Customer Authentication – What's in Store for Merchants?
With the final pieces of the Payment Services Directive (PSD2) puzzle coming together, payments businesses are highly focused on meeting their compliance obligations. But the forthcoming changes will affect everyone in the payments chain – and it’s important for merchants and PSPs to understand the practical implications for their businesses and customer relationships.
The directive is intended to drive greater choice and security for consumers, and one of its key elements is Strong Customer Authentication (SCA). This is designed to reduce fraud and ensure consumer credentials are properly validated for all electronic payments. While the EBA's latest opinion paper does grant national competent authorities some flexibility in applying the new rules to PSPs, effectively opening a welcome window for a deadline extension, the entire industry remains focused on correct interpretation of the complex legislation and meeting the September 14 deadline.
Strong Customer Authentication obliges card issuers will be obliged to perform an SCA check for every electronic payment transaction unless it qualifies for an exemption. This SCA check is essentially a two-factor authentication process – and it has important implications for merchants.
Out of merchant hands?
Merchants cannot fend off the SCA requirement for card payments – because their bank will no longer have a free choice on whether or not to perform SCA. In cases where the issuer is required to perform SCA, the merchant must also support it, or the issuer is likely to soft decline the authorization request.
There are some ways around the process, but these are not steps that merchants themselves can take. A cardholder can apply to have a particular merchant ‘whitelisted’ with their card issuer, but the decision will ultimately be the bank’s. Similarly, issuers and acquirers may exempt low-risk transactions under €500 provided they maintain sufficiently low levels of fraud. To do this, transaction risk analysis (TRA) has to be in place to prove that fraud is being kept below set thresholds. It makes sense that issuers will look to apply the TRA exemption as much as possible to reduce friction in the checkout process, but this remains outside the merchant’s direct control.
Merchants must also be wary of fraud liability risks. For transactions that are subject to SCA, liability rests with the issuer or acquirer (whoever applies the exemption) if the transaction turns out to be fraudulent. But, in some circumstances, where an exemption is applied, acquirers will likely pass liability back to the merchant.
Finally, although PSD2 requires that fraud rates are assessed at the issuer or acquirer level, it is still important for each merchant’s fraud rate to remain low, to avoid pushing the issuer or acquirer’s overall fraud rate over the threshold. If that happens, every eCommerce transaction, regardless of amount and regardless of individual merchant performance, will have SCA applied and exemptions will not be allowed. This means issuers and acquirers are likely to come down hard on individual merchants who allow their fraud rates to rise.
Merchants can still protect their interests
Merchants need to continue to manage fraud to secure SCA exemptions and deliver a fast, simple payments experience to loyal customers. By keeping a firm grasp on fraud rates and knowing when and how to request exemptions, merchants can protect their businesses and help to ensure that the new regulations are a benefit, and not an impediment, to genuine consumers. Here are a few guiding principles:
- Don’t neglect fraud screening
Fraud screening remains vital for merchants to ‘de-risk’ transactions and protect customer relationships. Merchants understand the business and behaviors of their own customers better than anyone else – arguably, they are best placed to protect those customers from fraud. It isn’t enough to rely on issuers and acquirers to carry out risk analysis, any more than it is enough to rely on 3D Secure when authenticated fraud remains an issue for many merchants.
- Cover off the contingencies
Achieving low fraud rates can help merchants avoid scheme fines and build good relationships with acquirers. Merchants should actively engage with their acquirers to discuss their authentication strategy, pushing for the exemptions they want and ensuring there is a back-up plan or fallback position if customer authentication fails. There may be situations in which a merchant does not wish an available exemption to be applied, so the exemption strategy should be jointly agreed between the merchant and acquirer.
- Establish acquirer flexibility
Finally, some merchants may wish to negotiate with acquirers to implement transaction risk analysis exemptions for themselves and – in the future – we could see savvy merchants ‘cherry picking’ the acquirers that offer the best conversion, SCA strategies and commercials. The ability to easily switch acquirers, route transactions to acquirers with the best fraud levels, and negotiate acquiring services (and prices) will be increasingly valuable in a PSD2 world.
If you’re a merchant and would like to discuss the implications of PSD2 and SCA on your business, you can download a copy of our guide, or speak to one of our expert analysts for more advice: www.aciworldwide.com/strong-customer-authentication
Related Blog Posts
Multi-layered Fraud Strategies are Crucial to Win the Battle against Authorized Push Payment Fraud
This blog was co-authored by ACI’s Jay Floyd and Iain Swaine, head of Cyber Strategy for BioCatch in the EMEA region
Have you ever received a text from your bank asking you to confirm a transaction by replying Yes or No? You then realise you don’t recognize the transaction, reply No, and receive another text instructing you to call a telephone number to discuss this unknown payment further. Suddenly you’re hit with the fear that someone has hacked into your bank account. But, do you ever consider that the text you received was, in fact, a scam?
How to be a Payments Trailblazer – The Seven Habits of Highly Innovative Organizations
The new Culture of Innovation Index from Ovum and ACI identified segments—from banks to intermediaries to merchants to corporates—at the cutting edge (of innovation) across the payments ecosystem. But what is most notable about those segments that have reached ‘trailblazing’ status is the apparent lack of commonality between them. No one segment, nor one region fosters better innovation. In fact, what’s driving these segments/organizations to be best of breed is their own culture of excellence. The only thing they have in common is their attitude.
How will SWIFT gpi Impact Latin America?
As the world continues to transition toward real-time, and technology continues to evolve, new challengers are disrupting the market with value propositions including real-time cross- border payments. The competition has inspired SWIFT to work with the industry and challengers to create the Global Payments Innovation (GPI) program, which radically changes the way banks interact with their correspondents and offers improved transparency and customer service to their customers.
Get Customers to Race Through Your Payments Funnel
No matter how good the products, how nice the website and how slick the flow, there are so many reasons why an eager prospective customer does not convert into a paying customer even after they have filled their basket. The buying decision has been made, but so often customers don’t complete the transaction.
The Middle Eastern payments revolution: Getting Real-Time Ready
The Middle East is developing quickly and considerably. The population has surpassed 410 million and a number of nations, such as Saudi Arabia and the United Arab Emirates (UAE), represent some of the world's most innovative economies. The region has become synonymous with the rise of large infrastructure developments and technological innovation, while tourism continues to grow - 1.4 billion people visited in 2018 alone.
Women in Payments: Don't Be Afraid to Ask Questions
Today, we have the pleasure of speaking with Google's head of Retail and Payments Activation for Southeast Asia, Anna Maria Maurieta. Anna works closely with retailers and e-wallet partners across the region's complex and sometimes highly-regulated market—including countries such as Indonesia, Thailand, Malaysia and Vietnam—making it easier for Google Play users to make payments on Play.
Are Subscription Payments the Way Forward for Gaming?
With consumers spending more time and money than ever on games, the opportunity for gaming companies is vast. But monetizing digital games and creating sustained customer loyalty are complex issues. Subscription models are a key area now being explored by gaming companies, but the industry is still working on how to make these models compelling and profitable.
Customer Innovation: Erste Bank [Q&A]
The global banking sector is becoming both more strategically focused and technologically advanced, responding to rising consumer expectations while trying to defend market share against an increasing array of competitors. A great deal of emphasis is being placed on digitizing core business processes, and reassessing organizational structures and internal talent to be better prepared for the future of banking.
Turning U.S. Players into Payers: Driving Conversions in a $30 Billion Market
It’s no secret that Americans love their games. In 2018, it was estimated that 178.7 million players spent more than USD $30.4 billion on games, a $5 billion increase over 2017. That $30 billion represents almost a quarter of the global gaming market, making the U.S. an invaluable target for game developers.
Helping Merchants Protect Themselves: Cybersecurity Tips from a Former White House CIO
In a world full of open technology, the devices that make our lives easier also leave us vulnerable to being hacked, according to Theresa Payton, former White House CIO and star of the CBS series Hunted. Payton recently joined me for an exclusive ACI cybersecurity webinar, sharing expert insights into how merchants can enable growth, enhance the customer experience and prevent greater instances of fraud.