Compliance with new European Union (EU) rules governing the authentication of online transactions and payments is now set to become mandatory for European banks, payment service providers and e-commerce merchants at the end of 2020. The second Payment Services Directive (PSD2) demands additional layers of security and fraud protection, applied through strong customer authentication (SCA), which is designed to verify the identity of the estimated 300m European consumers as they make e-commerce purchases or bank online.
SCA, a form of two-factor authentication (2FA), will be required on all payer-initiated transactions when both the issuer of the credit/debit card funding the payment and the acquirer receiving it are within the European Economic Area (EEA); it is not required if either party is based outside the EEA. SCA applies in several scenarios, most pertinently to online electronic payments, but also when a consumer logs on to their online payment account or carries out another potentially high-risk action online, such as changing their registered telephone number.
Exemptions for online payments include transactions below €30, provided that no more than five consecutive exempted transactions, and no more than €100 in cumulative exempted spend, have occurred since the cardholder last completed SCA. Contactless payments below €50 are similarly exempt, subject to a limit of five consecutive transactions or €150 in aggregate spend since the last SCA. In all other cases, the buyer must be authenticated with two elements drawn from two different categories, over and above their credit/debit card details: “something you know” (e.g. a password, swipe path or PIN); “something you have” (e.g. a credit/debit card or smartphone); or “something you are” (e.g. a biometric marker like a fingerprint). Two elements from the same category (a password plus a PIN, say) do not satisfy the requirement.
Interestingly, the last category, dubbed the inherence element, goes beyond fingerprint scanning. It would include a raft of different biometric authentication measures, including voice and vein recognition, hand and face geometry, retina and iris scanning, keystroke dynamics and even heart rate or other body movement patterns collected from wearable and mobile devices such as smartwatches.
There are other exemptions designed to smooth the process without degrading the customer experience. These cover payments made at unattended terminals used for transport and parking, for example; recurring payments of a fixed amount (e.g. video on demand subscriptions and organisation membership fees), where only the first payment in the series needs SCA; and transactions to trusted beneficiaries, i.e. payees the customer has previously added to a whitelist, an action which itself requires SCA the first time.
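To make the exemption logic above concrete, here is an added example (not code from the original article, nor from any payment provider) of how an issuer might decide, per transaction, whether SCA must be applied. It encodes the one-leg-out rule, the unattended-terminal, recurring-payment and trusted-beneficiary exemptions, the low-value thresholds quoted above, and the two-of-three-categories test. The per-card counters, the `Transaction` fields and the decision that the cumulative limit is checked inclusive of the current transaction are all assumptions of this example rather than anything the article specifies.

```python
from dataclasses import dataclass, field

# Thresholds quoted in the article (euros); the counter semantics are assumed.
LOW_VALUE_REMOTE_LIMIT = 30.0
LOW_VALUE_REMOTE_CUMULATIVE = 100.0
CONTACTLESS_LIMIT = 50.0
CONTACTLESS_CUMULATIVE = 150.0
MAX_CONSECUTIVE_EXEMPT = 5

FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass
class CardState:
    """Per-card counters since the last successful SCA (hypothetical model)."""
    exempt_count: int = 0            # consecutive exempted transactions
    exempt_cumulative: float = 0.0   # euros exempted since last SCA
    trusted_beneficiaries: set = field(default_factory=set)


@dataclass
class Transaction:
    amount: float
    channel: str                       # "remote", "contactless" or "unattended"
    payee: str
    issuer_in_eea: bool
    acquirer_in_eea: bool
    payer_initiated: bool = True
    recurring_followup: bool = False   # later payment in a series already authenticated


def sca_required(tx: Transaction, state: CardState) -> tuple[bool, str]:
    """Return (required, reason) for a single transaction."""
    if not tx.payer_initiated:
        return False, "merchant-initiated: out of SCA scope"
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        return False, "one-leg-out: issuer or acquirer outside EEA"
    if tx.channel == "unattended":
        return False, "exempt: unattended transport/parking terminal"
    if tx.recurring_followup:
        return False, "exempt: recurring payment after first authentication"
    if tx.payee in state.trusted_beneficiaries:
        return False, "exempt: trusted beneficiary"

    if tx.channel == "contactless":
        limit, cumulative = CONTACTLESS_LIMIT, CONTACTLESS_CUMULATIVE
    else:
        limit, cumulative = LOW_VALUE_REMOTE_LIMIT, LOW_VALUE_REMOTE_CUMULATIVE

    if tx.amount > limit:
        return True, "amount above low-value threshold"
    if state.exempt_count >= MAX_CONSECUTIVE_EXEMPT:
        return True, "consecutive exempted transaction limit reached"
    # Assumption: the cumulative cap is checked including the current amount.
    if state.exempt_cumulative + tx.amount > cumulative:
        return True, "cumulative exempted spend limit reached"
    return False, "exempt: low value"


def record_outcome(tx: Transaction, state: CardState, sca_applied: bool) -> None:
    """A successful SCA resets the counters; an exempted payment adds to them."""
    if sca_applied:
        state.exempt_count = 0
        state.exempt_cumulative = 0.0
    else:
        state.exempt_count += 1
        state.exempt_cumulative += tx.amount


def two_factor_ok(presented: dict[str, str]) -> bool:
    """True only if the presented elements span at least two distinct categories."""
    categories = {c for c in presented.values() if c in FACTOR_CATEGORIES}
    return len(categories) >= 2


if __name__ == "__main__":
    # Constructed walk-through: five small remote payments, then the sixth.
    state = CardState()
    small = Transaction(amount=10.0, channel="remote", payee="shop",
                        issuer_in_eea=True, acquirer_in_eea=True)
    for n in range(6):
        required, reason = sca_required(small, state)
        print(f"payment {n + 1}: sca_required={required} ({reason})")
        record_outcome(small, state, sca_applied=required)
    print("password+PIN ok?", two_factor_ok({"password": "knowledge", "pin": "knowledge"}))
    print("password+OTP ok?", two_factor_ok({"password": "knowledge", "otp": "possession"}))
```

The point worth noticing in practice is that the two counters are independent: four €25 purchases are within the count limit but exhaust the €100 cumulative allowance, while ten-euro purchases hit the five-transaction limit first. Either way the reset only happens on a completed SCA, so a merchant cannot reason about a card's exemption state without the issuer's counters.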
Compliance delayed over interoperability/compatibility concerns
At its heart, PSD2 was designed to provide additional fraud protection through new payment security processes that are not so onerous as to deter or disrupt people from making online purchases. But the European Banking Authority (EBA), which drafted the technical standards that implement SCA, also wants to encourage the use of standardised technology amongst online payment providers and foster greater standardisation amongst merchants and other seller organisations.
While the SCA requirements were originally due to apply from September 2019, their enforcement has been delayed repeatedly for various reasons. There remains a widespread lack of preparation for the new rules across the financial services, e-commerce and online payment industries. That is partly due to the disruption caused by the COVID-19 pandemic, which has hampered banks and third-party payment service providers in making the necessary changes to their systems. Many organisations are still unable to process payments authenticated using biometric technology, for example, while not all consumers have biometric-enabled smartphones or other mobile devices. In recognition of those issues, the EBA extended the deadline for SCA compliance to 31 December 2020 in the EEA, and in April 2020 the UK regulator pushed the UK's deadline back to 14 September 2021.
Ongoing concerns over a lack of interoperability across different platforms have also been raised, with some of the functions needed for compliance reported to be missing from the application programming interfaces (APIs) being made available by various stakeholders. Common API standards are instrumental in creating the Open Banking systems the EC is looking to establish, in part because they allow merchants, banks and payment providers to share specific data on consumer spending habits, which feeds the transaction risk analysis models that help them spot fraudulent activity more easily.
There’s little doubt that implementing the systems and processes needed to ensure PSD2 SCA compliance is complex and time consuming for European banks, payment providers and merchants alike. But while many providers are still at an early stage of their journey, some are much further down the road.
Agile managed payment service providers can take the strain
Leading providers such as Stripe demonstrate how e-commerce merchants can offload much of the responsibility for PSD2 SCA compliance to managed third-party payment providers, which are also able to handle the necessary integration with banks, credit card companies and other financial institutions. Ease of use is as critical for merchants as it is for consumers, and higher volumes of secure but frictionless online transactions are precisely what the EC is looking to encourage with PSD2 SCA.
There remain widespread concerns, however, that the extra security steps involved will discourage some consumers and lead to an increase in failed payments. When India made 3-D Secure 1 (3DS1) mandatory in 2014, for example, some businesses reported a 25% drop in sales overnight because of the additional authentication step.
Nor is implementing PSD2 optional for EEA businesses: payment providers and banks will be legally required to enforce it. Online businesses that do not comply will inevitably see payment decline and transaction abandonment rates go up as customers' banks reject unauthenticated payments. EEA national regulators also have the power to impose fines and, in extreme cases, to revoke a payment provider's licence.
Although the PSD2 SCA requirements will be mandatory only in the EEA in the short term, other countries including Brazil, Mexico and Australia are reported to be considering similar regulations. As such, it will almost certainly be advantageous for all payment providers to update their systems now, regardless of whether they currently handle EEA transactions. And for merchants confused by the new regulations, or struggling with the technical complexity of upgrading their payment systems and processes to satisfy them, trusting a managed payment service provider to do the legwork on their behalf ahead of the compliance deadline starts to look like a very good idea indeed.