PSD2 and Strong Customer Authentication – What's in Store for Merchants?
With the final pieces of the Payment Services Directive (PSD2) puzzle coming together, payments businesses are highly focused on meeting their compliance obligations. But the forthcoming changes will affect everyone in the payments chain – and it’s important for merchants and PSPs to understand the practical implications for their businesses and customer relationships.
The directive is intended to drive greater choice and security for consumers, and one of its key elements is Strong Customer Authentication (SCA). This is designed to reduce fraud and ensure consumer credentials are properly validated for all electronic payments. While the EBA's latest opinion paper does grant national competent authorities some flexibility in applying the new rules to PSPs, effectively opening a welcome window for a deadline extension, the entire industry remains focused on correct interpretation of the complex legislation and meeting the September 14 deadline.
Under Strong Customer Authentication, card issuers will be obliged to perform an SCA check for every electronic payment transaction unless it qualifies for an exemption. This SCA check is essentially a two-factor authentication process – and it has important implications for merchants.
Out of merchant hands?
Merchants cannot fend off the SCA requirement for card payments – because their bank will no longer have a free choice on whether or not to perform SCA. In cases where the issuer is required to perform SCA, the merchant must also support it, or the issuer is likely to soft decline the authorization request.
There are some ways around the process, but these are not steps that merchants themselves can take. A cardholder can apply to have a particular merchant ‘whitelisted’ with their card issuer, but the decision will ultimately be the bank’s. Similarly, issuers and acquirers may exempt low-risk transactions under €500 provided they maintain sufficiently low levels of fraud. To do this, transaction risk analysis (TRA) has to be in place to prove that fraud is being kept below set thresholds. It makes sense that issuers will look to apply the TRA exemption as much as possible to reduce friction in the checkout process, but this remains outside the merchant’s direct control.
Merchants must also be wary of fraud liability risks. For transactions that are subject to SCA, liability rests with the issuer or acquirer (whoever applies the exemption) if the transaction turns out to be fraudulent. But, in some circumstances, where an exemption is applied, acquirers will likely pass liability back to the merchant.
Finally, although PSD2 requires that fraud rates are assessed at the issuer or acquirer level, it is still important for each merchant’s fraud rate to remain low, to avoid pushing the issuer or acquirer’s overall fraud rate over the threshold. If that happens, every eCommerce transaction, regardless of amount and regardless of individual merchant performance, will have SCA applied and exemptions will not be allowed. This means issuers and acquirers are likely to come down hard on individual merchants who allow their fraud rates to rise.
Merchants can still protect their interests
Merchants need to continue to manage fraud to secure SCA exemptions and deliver a fast, simple payments experience to loyal customers. By keeping a firm grasp on fraud rates and knowing when and how to request exemptions, merchants can protect their businesses and help to ensure that the new regulations are a benefit, and not an impediment, to genuine consumers. Here are a few guiding principles:
- Don’t neglect fraud screening
Fraud screening remains vital for merchants to ‘de-risk’ transactions and protect customer relationships. Merchants understand the business and behaviors of their own customers better than anyone else – arguably, they are best placed to protect those customers from fraud. It isn’t enough to rely on issuers and acquirers to carry out risk analysis, any more than it is enough to rely on 3D Secure when authenticated fraud remains an issue for many merchants.
- Cover off the contingencies
Achieving low fraud rates can help merchants avoid scheme fines and build good relationships with acquirers. Merchants should actively engage with their acquirers to discuss their authentication strategy, pushing for the exemptions they want and ensuring there is a back-up plan or fallback position if customer authentication fails. There may be situations in which a merchant does not wish an available exemption to be applied, so the exemption strategy should be jointly agreed between the merchant and acquirer.
- Establish acquirer flexibility
Finally, some merchants may wish to negotiate with acquirers to implement transaction risk analysis exemptions for themselves and – in the future – we could see savvy merchants ‘cherry picking’ the acquirers that offer the best conversion, SCA strategies and commercials. The ability to easily switch acquirers, route transactions to acquirers with the best fraud levels, and negotiate acquiring services (and prices) will be increasingly valuable in a PSD2 world.
If you’re a merchant and would like to discuss the implications of PSD2 and SCA on your business, you can download a copy of our guide, or speak to one of our expert analysts for more advice: www.aciworldwide.com/strong-customer-authentication