PSD2 and Strong Customer Authentication – What's in Store for Merchants?
With the final pieces of the Payment Services Directive (PSD2) puzzle coming together, payments businesses are highly focused on meeting their compliance obligations. But the forthcoming changes will affect everyone in the payments chain – and it’s important for merchants and PSPs to understand the practical implications for their businesses and customer relationships.
The directive is intended to drive greater choice and security for consumers, and one of its key elements is Strong Customer Authentication (SCA). This is designed to reduce fraud and ensure consumer credentials are properly validated for all electronic payments. While the EBA's latest opinion paper does grant national competent authorities some flexibility in applying the new rules to PSPs, effectively opening a welcome window for a deadline extension, the entire industry remains focused on correct interpretation of the complex legislation and meeting the September 14 deadline.
Under Strong Customer Authentication, card issuers will be obliged to perform an SCA check for every electronic payment transaction unless it qualifies for an exemption. This SCA check is essentially a two-factor authentication process – and it has important implications for merchants.
Out of merchant hands?
Merchants cannot fend off the SCA requirement for card payments – because their bank will no longer have a free choice on whether or not to perform SCA. In cases where the issuer is required to perform SCA, the merchant must also support it, or the issuer is likely to soft decline the authorization request.
There are some ways around the process, but these are not steps that merchants themselves can take. A cardholder can apply to have a particular merchant ‘whitelisted’ with their card issuer, but the decision will ultimately be the bank’s. Similarly, issuers and acquirers may exempt low-risk transactions under €500 provided they maintain sufficiently low levels of fraud. To do this, transaction risk analysis (TRA) has to be in place to prove that fraud is being kept below set thresholds. It makes sense that issuers will look to apply the TRA exemption as much as possible to reduce friction in the checkout process, but this remains outside the merchant’s direct control.
Merchants must also be wary of fraud liability risks. For transactions that are subject to SCA, liability rests with the issuer or acquirer (whoever applies the exemption) if the transaction turns out to be fraudulent. But, in some circumstances, where an exemption is applied, acquirers will likely pass liability back to the merchant.
Finally, although PSD2 requires that fraud rates are assessed at the issuer or acquirer level, it is still important for each merchant’s fraud rate to remain low, to avoid pushing the issuer or acquirer’s overall fraud rate over the threshold. If that happens, every eCommerce transaction, regardless of amount and regardless of individual merchant performance, will have SCA applied and exemptions will not be allowed. This means issuers and acquirers are likely to come down hard on individual merchants who allow their fraud rates to rise.
Merchants can still protect their interests
Merchants need to continue to manage fraud to secure SCA exemptions and deliver a fast, simple payments experience to loyal customers. By keeping a firm grasp on fraud rates and knowing when and how to request exemptions, merchants can protect their businesses and help to ensure that the new regulations are a benefit, and not an impediment, to genuine consumers. Here are a few guiding principles:
- Don’t neglect fraud screening
Fraud screening remains vital for merchants to ‘de-risk’ transactions and protect customer relationships. Merchants understand the business and behaviors of their own customers better than anyone else – arguably, they are best placed to protect those customers from fraud. It isn’t enough to rely on issuers and acquirers to carry out risk analysis, any more than it is enough to rely on 3D Secure when authenticated fraud remains an issue for many merchants.
- Cover off the contingencies
Achieving low fraud rates can help merchants avoid scheme fines and build good relationships with acquirers. Merchants should actively engage with their acquirers to discuss their authentication strategy, pushing for the exemptions they want and ensuring there is a back-up plan or fallback position if customer authentication fails. There may be situations in which a merchant does not wish an available exemption to be applied, so the exemption strategy should be jointly agreed between the merchant and acquirer.
- Establish acquirer flexibility
Finally, some merchants may wish to negotiate with acquirers to implement transaction risk analysis exemptions for themselves and – in the future – we could see savvy merchants ‘cherry picking’ the acquirers that offer the best conversion, SCA strategies and commercials. The ability to easily switch acquirers, route transactions to acquirers with the best fraud levels, and negotiate acquiring services (and prices) will be increasingly valuable in a PSD2 world.
If you’re a merchant and would like to discuss the implications of PSD2 and SCA on your business, you can download a copy of our guide, or speak to one of our expert analysts for more advice: www.aciworldwide.com/strong-customer-authentication