E-commerce merchants who will be ready for the PSD2’s September deadline are poised to gain business
Head Portfolio and Product Management - Omnichannel & Collecting
The deadline for the introduction of Strong Customer Authentication (SCA) as part of the PSD2 regulations is fast approaching. The new rules - which require an extra level of verification such as a PIN, token or fingerprint for most online payments (two-factor authentication) - go into effect on September 14th.
These rules were designed to reduce fraud but require substantial changes to processes and technology of merchants, issuers and acquirers. Many merchants, for instance, are not yet sufficiently prepared for these major changes. Some of them even hope that the introduction of SCA will be delayed, but gambling on a so-called grace period is a bad choice.
The complexity of the technical implementation is not the only reason that many finance stakeholders are not yet compliant. Many of them are also searching for the right balance between security and user-friendliness. After all, it is not only important to comply with these new requirements, but also to keep the checkout process as simple as possible for customers. If they encounter too much friction while approving a transaction, there is a risk that they leave their full digital shopping basket behind. As a result, conversion rates will drop significantly, which can be disastrous for merchants.
Because of the large-scale changes in systems and the possible loss of customers due to friction, not everyone will implement the Regulatory Technical Standards (RTS) on SCA on time. That is why several stakeholders have called for a delay to the introduction of the SCA rules under the PSD2. In reality, it is difficult to introduce this grace period because no central institution decides on it. It is the national regulators, like the national banks of each European country, who determine whether a grace period should be introduced. This may vary from country to country.
In the meantime, Visa and MasterCard optimized the online security standard that protects customers against unauthorized use of their credit card and at the same time is as user-friendly as possible. Through this system, known as 3-D Secure, issuing banks ask their customers to authenticate themselves. The system is SCA-proof.
3-D Secure 1.0 has been on the market for some time now and was followed by 3-D Secure 2.0. The intention is that banks, acquirers and merchants will gradually support this newer version in 2019. Version 2.0 has a number of advantages, such as the fact that issuers and acquirers can apply for an SCA exemption on the basis of their own risk assessment. This means that the cardholder does not have to go through the entire authentication process, which will lead to fewer drop-outs and more sales. Examples are low-value payments (under 30 euros) or recurring transactions, such as a Netflix subscription. These payments are exempted from the second transaction onwards. In addition, 3-D Secure 2.0 is embedded in the payment process, which makes it easier and faster for customers to pay for their purchase, including on mobile.
At Worldline, we carried out the first live transactions via 3-D Secure 2.0, which makes us one of the first payment service providers in Europe to provide secure and consumer-friendly payments via this method. As pioneers in this field of expertise, we know how important it is to be compliant on time without losing sales. My advice to merchants who process credit card or debit card transactions and are not using 3-D Secure is to take action. Contact your payment service provider and acquirer as soon as possible and find out how your infrastructure needs to be changed in order to be SCA-compliant on time.
Merchants might think that waiting for a grace period is an option, but as mentioned before, the regulator in a country decides whether the SCA rules will enter into force on September 14th or later. This makes it possible that merchants with international customers who deal with cross-border payments have to comply with two-factor authentication in one country, but not in the other. If you do not want to miss out on any income, becoming completely compliant is the only way to go.
It may be a big challenge for merchants to finish on time, so if necessary, start on a basic level by implementing 3-D Secure 1.0. This version requires fewer changes to the infrastructure but it does meet the SCA requirements. On the other hand, it does not have the same usability as version 2.0. At a later stage, it will still be possible to migrate to version 2.0.
Whether you choose version 1.0 or 2.0, one thing is certain: e-commerce merchants that depend on the grace period will lose business in the long run, as there may be a high percentage of issuers that will refuse transactions after September 14th if they do not meet the criteria. This is something you as a merchant want to avoid at all costs.
Safer payments made simple
A short introduction to Europe's new requirements for Strong Customer Authentication
On September 14, 2019 the face of e-commerce in Europe is set to change forever. Even if a transition period has been granted by most of the European local regulators, this period is only temporary and merchants, banks and payment service providers must quickly become compliant with the strong customer authentication requirements.
This position paper gives a brief introduction to the Regulatory Technical Standards on Strong Customer Authentication and their impact on the merchant ecosystem. It also explains what merchants will need to do to take full advantage of this regulation.