J.Bennett, VP, Operations and Corporate Development, Signifyd
Most of the noise around PSD2 and its online security requirements has focused on the broader financial sector: the changes applicable to banking and the increased scrutiny of fintech. PSD2 is expected to increase competition by opening up the payments infrastructure to third-party providers, which will be able to rely on bank APIs to initiate payments and access account information on consumers' behalf.
That primary focus is likely correct. Banks hold a special place in our consciousness and collectively they hold trillions of our dollars. Innovation and security will prepare the European Economic Area (EEA) for the future of payments.
Relatively little attention has been paid to another key sector of the economy that will need to adapt to PSD2: online retail, which depends on exactly the card-not-present transactions that PSD2 endeavours to make safer for consumers.
In fact, so little of the PSD2 discussion has revolved around retail that some merchants are still unaware that the regulation will apply to them, while others wonder just what the new rules will mean for their online operations.
So, let's be clear: ignoring PSD2 will not make it go away. Neither will relying on talk of delays for all or part of the regulation beyond the Sept. 14 deadline. There will be phased enforcement, as the Financial Conduct Authority (FCA) recently announced for the UK, and we expect more jurisdictions to follow, but a delayed enforcement timetable is not an exemption from the requirements.
There is a sense of deja vu in European retailers' reaction to PSD2. Remember businesses' response to GDPR as its consumer-privacy requirements were barrelling toward them? It is not unfair to characterise some retailers' GDPR strategy at the time as, "Let's ignore it and hope it goes away."
However, it didn’t and PSD2 won’t either. But just as forward-thinking enterprises embraced GDPR and turned implementation of the consumer protections into a competitive advantage, smart retailers have the opportunity to do the same with PSD2.
In order to turn PSD2 requirements into a competitive advantage, retailers need to find a way to provide seamless customer experiences while still satisfying Strong Customer Authentication (SCA), which requires at least two of its three independent elements (possession, inherence and knowledge), ideally without ever prompting their customers to take additional checkout steps or turning the checkout flow over to the card brands.
The infrastructure that will tell the issuing banks that SCA has been completed — think 3D Secure — will be upgraded and improved, but the substance of the regulation and its requirements will be with us going forward.
Counting on the regulation's burden to be eased by the EBA's recent opinion is not a winning strategy. Neither is looking for loopholes through exemptions, whitelists or convoluted payment paths that move the issuer or acquirer outside the EEA (the so-called "one leg out" case).
In fact, those aren’t strategies at all, if for no other reason than the fact that none of the exceptions provided will help even the likes of Stripe, Amazon or Worldpay prevent conversion drop off.
A winning PSD2 strategy requires rethinking what PSD2 is all about. PSD2 is a long-term consumer protection initiative that requires innovation to make it seamless. It is not a problem looking for a quick fix. Workarounds that seek to be clever — relying on loopholes and half-measures — won’t make life easier for merchants or their customers. In fact, they will lead to more misery for both.
Fortunately, the technology to build a successful and sustainable PSD2 solution, fully compliant with the requirements for SCA, is available today. Instead of banking on exceptions, retailers should fix the weaknesses that leave their customers' payment information unprotected. Let's break down an optimal system into its pieces.
SCA, with its three elements of possession, inherence and knowledge, is at the core of the regulation as it applies to retailers. It is also the focus of much of the anxiety around PSD2 because, for most retailers, SCA was considered part and parcel of 3D Secure, a safeguard that historically has led to cart abandonment and customer dissatisfaction.
The truth is, SCA built on those elements is an effective safeguard against fraud. SCA is powerful. It works. Requiring authentication based on at least two of: something the consumer is (biometrics or behaviour, for instance), something the consumer alone knows (a password or PIN set up before the transaction, for instance) and something the consumer possesses (a digital device, as evidenced by a token bound to it, for instance), is a robust and secure method. The regulation also requires the elements to be independent of one another, so that if a fraudster breaches one of them, that breach does not compromise the reliability of the others; a password and a one-time code that both live on the same stolen, unlocked phone do not satisfy that test.
The key development for retailers to keep in mind here is the EBA's June opinion, which rightly stated that implementing 3D Secure 2.0 is not the same as implementing SCA. (As the EBA noted, the data points the protocol exchanges do not include the biometric information that an inherence element would require.)
The EBA stated plainly in its June 21 memo that, “communication protocols such as EMV 3-D Secure version 2.0 and newer would not currently appear to constitute inherence elements, as none of the data points, or their combination, exchanged through this communication tool appears to include information that relates to biological and behavioral biometrics.”
The EBA went on to say that SCA purposefully allows for multiple “authentication approaches in the industry, in order to ensure that the regulatory technical standards remain technology-neutral and future-proof.”
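The two requirements above, two elements from different categories and independence between them, together with the EBA's point that 3D Secure 2.0 device data is not an inherence element, can be captured in a small evaluator. The code below is an added example written for this page, not Signifyd's or any provider's implementation, and not the text of the RTS. Its evidence-type-to-category mapping and its "breach domain" model (the single thing an attacker must compromise to obtain a piece of evidence; evidence sharing a domain is treated as not independent) are simplifying assumptions. The RTS do permit elements on one multi-purpose device when mitigating measures are in place; this toy model does not attempt to represent those mitigations.

```python
"""Toy evaluator for Strong Customer Authentication (SCA) evidence.

Added example. Assumed model, not the RTS text: each piece of evidence is
tagged with the SCA category it could satisfy and with a 'breach domain',
i.e. the one thing an attacker would need to compromise to obtain it.
Two categories count as independently satisfied only if they can be backed
by evidence from two different breach domains.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the customer knows
    POSSESSION = "possession"  # something only the customer has
    INHERENCE = "inherence"    # something the customer is


# Assumed mapping of evidence type -> SCA category (illustrative).
# None means the data point carries no SCA element at all, which is the
# EBA's stated position on the device/browser data exchanged by 3DS 2.0.
EVIDENCE_CATEGORY: Dict[str, Optional[Category]] = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,
    "device_bound_token": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "behavioural_biometric": Category.INHERENCE,
    "3ds2_browser_fingerprint": None,
    "3ds2_device_info": None,
}


@dataclass(frozen=True)
class Evidence:
    kind: str           # key into EVIDENCE_CATEGORY
    breach_domain: str  # what an attacker must compromise to obtain it


@dataclass(frozen=True)
class Verdict:
    passed: bool
    categories: FrozenSet[Category]  # categories with at least one element
    reasons: Tuple[str, ...]         # human-readable explanation


def evaluate_sca(evidence: List[Evidence]) -> Verdict:
    """Return whether the evidence meets two-of-three with independence."""
    reasons: List[str] = []
    domains_for: Dict[Category, Set[str]] = {}

    # Step 1: keep only evidence that actually maps to an SCA category.
    for ev in evidence:
        if ev.kind not in EVIDENCE_CATEGORY:
            reasons.append(f"{ev.kind}: unknown evidence type, ignored")
            continue
        cat = EVIDENCE_CATEGORY[ev.kind]
        if cat is None:
            reasons.append(f"{ev.kind}: carries no SCA element, ignored")
            continue
        domains_for.setdefault(cat, set()).add(ev.breach_domain)

    # Step 2: two categories are independently satisfied if, between them,
    # they are backed by at least two distinct breach domains. If both rest
    # on the same single domain, one compromise yields both.
    independent_pairs = [
        (c1, c2)
        for c1, c2 in combinations(domains_for, 2)
        if len(domains_for[c1] | domains_for[c2]) >= 2
    ]
    if len(domains_for) < 2:
        reasons.append("fewer than two SCA categories present")
    elif not independent_pairs:
        reasons.append("categories present but not independent: "
                       "all rely on one breach domain")
    else:
        reasons.append("independent pair: " + ", ".join(
            f"{a.value}+{b.value}" for a, b in independent_pairs))

    return Verdict(bool(independent_pairs), frozenset(domains_for),
                   tuple(reasons))


if __name__ == "__main__":
    # Constructed sample: a password from memory plus a device-bound token.
    v = evaluate_sca([Evidence("password", "customer_memory"),
                      Evidence("device_bound_token", "customer_device")])
    print(v.passed, sorted(c.value for c in v.categories), v.reasons)
```

The interesting cases are the negative ones: password plus PIN is one category twice; password plus 3DS 2.0 browser data is one category plus a data point that is not an element at all; and password plus SMS one-time code, both obtainable from the same unlocked phone, fails independence even though two categories are nominally present.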
We’ve looked at what’s in place and tested the existing protocol and its infrastructure. Authentication systems that rely on 3D Secure, with their communication among the merchant, gateway, at least two banks, the consumer and often back around again can take an eternity on the web — think 15 seconds or more.
And, of course, we know what an eternity on the web does to conversions — slow and cumbersome checkout processes are a conversion killer. Nearly 48 percent of consumers told polling firm Survata, in a Signifyd customer experience survey, that they felt frustrated by checkout experiences that redirect them to another site for credit card verification, a feature of 3D Secure. The Baymard Institute found that 28 percent of consumers abandoned their carts because checkout took too long or was too complex.
The way to sidestep the delays and friction of 3D Secure as an authentication flow is to take ownership of SCA by building or buying a holistic approach to meeting PSD2 obligations. We expect that the best customer experience under PSD2 will involve a machine-learning-based SCA provider conducting dynamic fraud analysis for online retailers, then passing the SCA decision down the 3D Secure rails to eliminate delays in approval, minimise customer friction and maximise authorisation rates.
Such a system, relying on a vast amount of transaction data, provides the right degree of scrutiny for each order to protect consumers and retailers from fraudulent credit card transactions while avoiding the added friction brought on by a one-size-fits-all, legacy 3D-Secure-powered system.
The holistic approach allows for nearly instantaneous SCA review and more accurate decisions, because the provider's models can draw on significantly more data than is passed down to the issuing bank and back. The system should have the added advantage of shifting liability away from the merchant: onto the issuing bank for 3D-Secure-authenticated transactions, and onto the SCA provider for any transaction that would otherwise require a step-up or be declined.
While the details of this innovative approach to PSD2 are important, it’s the underlying approach that is vital to executing a successful PSD2 strategy. It starts with embracing the new SCA requirements rather than trying to avoid them through a pretzel of exemptions.
The exemptions apply only in limited cases, such as low-value transactions, and the risk-based exemption ultimately depends on the acquiring and issuing banks keeping their fraud rates below unrealistically low thresholds, none of which is within the retailer's control.
All the more reason for retailers to embrace PSD2 and commit to coming up with a robust system that is designed to achieve the noble goals of the regulation without breaking the customer experience they’ve worked so hard to foster.
Because in the end, PSD2 isn’t just about banks and fintech companies. It applies to retailers and, in fact, provides them with an attainable opportunity to build a competitive advantage.