2019 is a challenging year for banks and other players in the card payment ecosystem. At the beginning of the year, issuing banks had to implement 3-D Secure 2.0 to protect customers against unauthorized use of their credit card. The technical implementation of this online security standard is much more complex than that of its predecessor, 3-D Secure 1.0, so we can rightly call this a major challenge for issuers. That is not all, because the final PSD2 regulations will come into effect very soon. On September 14th, the same issuers will have to comply with the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA), which adds an extra level of complexity.
These rules are intended to combat fraud, but at the same time they have put the issuers to work, because the implementation of both 3-D Secure and the PSD2 requires major changes to the banks’ processes and infrastructures. As a result, many issuers, and also acquirers and merchants, will not be ready in September with the implementation of both 3-D Secure 2.0 and the rules for the PSD2’s RTS on SCA.
Leave the digital shopping basket
Why is 3-D Secure 2.0 so important in the context of the introduction of the PSD2? Let me explain. According to the SCA regulation, customers who buy a product online have to verify themselves using not one, but two of the three authentication factors. These three factors are something the customer knows, something he or she is and something the customer owns. In practice, for example, this would be done by means of a PIN code, token or fingerprint.
Although this is a lot safer for the customer, too much hassle creates friction and leads the customer to abandon the shopping basket. This can lead to higher drop-out rates and fewer sales, which all parties in the chain want to avoid at all costs.
Via 3-D Secure 2.0, issuers and acquirers can apply for an SCA exemption on the basis of their own risk assessment. For example, a cardholder does not have to go through the entire authentication process when the purchase is below thirty euros, subject to conditions on recent transactions, or when it involves a recurring transaction, such as an Amazon Prime Video subscription. The Transaction Risk Analysis (TRA) exemption may be applied when fraud levels and transaction amounts stay under certain limits, based on the concept of Risk Based Authentication (RBA). RBA is a process whereby the issuer (or acquirer) evaluates a transaction’s risk of fraud. SCA is not needed if the analysis indicates that the risk is low. The use of RBA is recommended because it can lead to a smooth shopping experience and satisfied customers.
The added value of 3-D Secure 2.0 and SCA exemptions is generally recognized by issuers, but in practice it appears to be difficult to comply with the requirements. In a survey at the beginning of 2019, Visa predicted that just over half of the issuing banks would support 3-D Secure 2.0 in September and that exactly half of the issuers would be able to use RBA. Besides that, 15 to 35% of consumers do not have a smartphone compatible with SCA authentication methods on mobile.
In short, the ecosystem is far from ready for the introduction of the PSD2 and SCA. It is not surprising that the call for a grace period is getting louder and louder now that it has become clear that the industry is not prepared for the PSD2 and will not be fully compliant with SCA at the time of the deadline. The European Banking Authority (EBA) has already stated that it accepts that National Competent Authorities (NCAs) may give certain payment service providers and relevant stakeholders limited additional time to avoid unintended negative consequences, such as fines or losses.
Consequences for cross border payments
NCAs can determine in their own country whether they introduce a grace period or not. You could say that flexibility is good in many cases, but in this case the consequences for cross border payments are enormous. Imagine merchants with international customers having to comply with SCA in one country but not in another. This would lead to chaos and loss of revenue. That is why it is important for national authorities to get around the table quickly, overcome cultural differences and establish a pan-European grace period. After all, harmonization can create order now that the SCA rules will be in force starting from September. There is no time to lose.