Initially introduced in January 2018, the Payment Services Directive 2 (PSD2) has by now taken effect in the entire European Union in the local legislation.
Although not all of its requirements are in effect yet, PSD2’s biggest changes relevant for European online sellers are related to:
- Securing payments done by European Union shoppers through the mandatory Strong Customer Authentication (SCA) mechanism;
- Access to account (XS2A) for account information and payment initiation services – allowing bank customers to give access to third party providers to retrieve data and initiate payments directly from their bank accounts;
- Recurring transactions treatment.
In 2007, against the backdrop of a continuously growing eCommerce market, the European Commission (EC) and the European Banking Authority (EBA) concluded that it was time consumers were offered a wider choice of secure payment services. Thus, the two regulatory bodies encouraged the rise of non-bank financial institutions that could provide the digital market with faster payment options, but at the same time ensure consumer protection and transaction transparency.
This is how the first Payment Services Directive (PSD) came into being. In 2015, in an eCommerce market dominated by increasing mobile usage and many new online payment methods, the EC decided to review and adjust the PSD to the current digital context, adding necessary improvements to ensure customer security. As a result, PSD2 came into effect on January 13, 2018, bringing clear changes and significant enhancements to payments industry regulations.
However, a new deadline is now looming for payment facilitators and online merchants – September 14, 2019, is the date on which they will have to be compliant with the Strong Customer Authentication (SCA) rules for fraud prevention and payments security. As we’ll see, this presents a significant challenge for all online businesses and could severely impact commerce in European Union countries.
What are the PSD2 requirements?
The PSD2 requirements are based on three pillars:
Pillar 1 addresses transparency in terms of pricing, extended customer rights, and stricter reporting standards for financial Institutes. The pricing for financial services must be nondiscriminatory, meaning that charges for account access and payments initiation must be the same for both end customers and third parties. Pillar 1 applies to transactions where at least one party (“one leg out”) is in the European Economic Area (EEA).
Pillar 2 concerns security and fraud prevention, including requirements for strong customer authentication (SCA). This impacts all parties involved in the eCommerce payments flow.
Pillar 3 sets out the technology requirements through which banks must allow payment institutes to use their infrastructures (Open Banking) to access account data and initiate payments on behalf of customers. Banks are required to provide a secure testing environment (sandbox) to PSPs to support the ongoing development of services that rely on the banks’ systems.
Compliance with PSD2 is to be implemented in two stages: Pillar 1 (transparency) became effective on January 13, 2018, while Pillars 2 and 3 must come into force on September 14, 2019.
What does Strong Customer Authentication (SCA) entail?
With digital commerce sales in Europe said to grow at a 17% CAGR until 2022 and digital fraud always evolving, the SCA requirements in the PSD2 are meant to bring new security and risk management to online payments via a 2-factor authentication (2FA) mechanism.
Strong Customer Authentication will apply to anyone “completing a payment in the EU.” It will be required for all customer-initiated online transactions (CIT) within Europe, which means most payment methods (contactless payments included) and bank transfers will be done with SCA. In the case of online payments, SCA will apply to transactions where both the business’ and the cardholder’s banks are located within the European Economic Area (EEA).
The implementation of SCA will be based on a 3-layer authentication method, of which at least two layers will be mandatory for customers:
- Knowledge (something the customer knows, like a password or PIN),
- Possession (something the customer has, such as a smartphone, application, token) and
- Inherence (something the customer is – fingerprint or face recognition).
For card-based payments, these requirements have led to the implementation of 3-D Secure version 2 – 3DS2 or EMV 3DS. The 3-D Secure method has been widely used by card issuers to secure online card transactions since 2001, but the new version has been developed to meet the PSD2 SCA requirements as well as minimize the negative impact of 2FA on the customer experience.
EMV 3DS is an evolutionary step from its predecessor and allows the card issuer (bank) to use a wider range of data-points from the transaction to run a risk-based analysis. For low-risk and low-value transactions (i.e. less than 30 EUR), the card issuer will not send any extra authentication requests to the cardholder. However, for all other customer-initiated transactions, the cardholder will be required to go through 2-factor authentication (2FA), whether via text (SMS), app push notifications, or biometric means (fingerprint, etc.).
3DS2 will be mobile-friendly, unlike its previous version, so it should display a responsive design easily adjustable to any mobile device. However, the implementation of all the user experience (UX) improvements to the authentication window will be up to the card issuing banks, so the front-end presented to card holders may vary depending on their bank.
Strong Customer Authentication requirements will also apply to alternative payment methods, but it’s important to note that many e-wallets or other mobile pay services already use multiple-step authentication.
How will PSD2 SCA impact merchants and shoppers?
From September, to be able to accept payments from the world’s largest card networks (Visa, Mastercard, AmEx etc.), any acquiring bank or card issuer in the European Economic Area (EEA) will need to have implemented 3-D Secure version 2 for their online store. Payment Service Providers (PSP) and merchants may also be impacted, depending on how they have set up their payment mechanisms. EU-based merchants and their clients will be the first in the spotlight since under the current provisions SCA applies only to “two-leg” transactions – i.e. if both parties to the transaction are in the EEA.
Unfortunately, one study has shown that up to 75% of European merchants are not aware of the PSD2 SCA deadline and what they need to do to be compliant. Furthermore, 86% of them did not support multiple-step authentication at the time of the survey. That gives cause for concern since a lack of compliance will expose companies to various penalties as well as severely impact their authorization rates – payments will simply not be authorized if they are not secured with SCA.
Here’s the impact we expect if the Strong Customer Authentication requirements are in fact implemented properly across all online payments:
- Increased security of transactions, decreasing fraud cases, and minimizing chargeback requests.
- The customer experience will be affected, as the SCA will introduce new steps in the checkout flow that may impact conversion rates. Some are estimating that European businesses might lose up to $57 billion in economic activity in the first 12 months after the SCA comes into force, due to cart abandonment or other issues related to added friction at checkout. On the one hand, merchants need to communicate the changes as well as possible to their customers, and on the other hand adjust their checkout flows and partner with the most suitable payment facilitators to minimize disruption for shoppers.
- The UX for mobile payments will be improved, as 3DS2 has addressed the mobile and tablet issues of the previous version. The conversion rates of mobile visitors should grow.
- Competitive prices from banks and commerce providers as a result of an open market where banks share their data and allow usage by third parties.
- Safer and more secure payments, limiting their vulnerability to fraudsters.
- Lengthier checkout flows due to the two mandatory authentication layers when making a payment.
- Lower prices for payments, banking, and non-banking financial services, due to increased market competition, in the long term.
This technological upgrade in the financial ecosystem will most likely stimulate a growth of omnichannel commerce with a focus on mobile, but also increased subscriptions, given the transparency of the renewal process under the new rules (subscribers will be informed and asked to re-authenticate for payment at any change in the recurring billing amount or period).
How should online merchants prepare for SCA compliance?
If you sell online in Europe, this is what you should keep in mind to make sure you can offer the best experience to your customers and keep your business afloat after the September PSD2 deadline:
- Partnering with the right commerce or payments provider relieves you of the burden of keeping track of all the changing rules and guidelines. PSPs and Resellers work directly with all involved parties (banks, card associations, etc.) to reconcile them and look after the merchants’ best interest.
- Having the flexibility of multiple payment models and Intelligent Payment Routing (IPR) with several processors that support SCA can help you worry less about the conversions and authorization rates. Your commerce provider should be able to test the SCA’s impact on user experience by routing the transactions to different flows, managing SCA exemptions, and utilizing different combinations of authentication methods.
- Try to adopt alternative payment methods that already have SCA mechanisms built-in, like iDeal, Bancontact, Direct Debit, or mobile wallets. However, please note that not all mobile wallets will be compliant by default, as SCA requires that separate authentication be conducted in the wallet app and then for the transaction itself. Your focus should be on offering more choices to your customers and helping them complete the purchases without too much inconvenience.
- Invest in analytics, customization, and advanced ordering engines to understand and reduce customers’ checkout friction with proper communication or different flows (e.g. retry pages, change of payment method, abandons recovery, etc.).
All the above regulations are part of the PSD2 update that will change the way the whole online payments ecosystem functions, from card associations through issuing or acquiring banks to payment facilitators, merchants and finally shoppers. They are targeting increased security for online transactions and will primarily affect the way acquirers and issuing banks manage user authentication under 3-D Secure version 2. Alternative payment methods will also be affected by these changes, but due to their more secure nature, the implementation should be easier in those cases.
Merchants should prepare for the September 14, 2019 changes by planning for the least disruptive payment and authentication methods, so as to continue to provide a good customer experience and minimize order abandons or failed authorization requests.
If you want to learn more about PSD2 and what it means for merchants and payment facilitators, including a deep-dive into details like SCA exemptions, Transaction Risk Analysis (TRA), recurring billing requirements, and more, sign up for our upcoming webinar on August 28 – All you need to know about PSD2 and Strong Customer Authentication if you sell online. Get ready for PSD2 and SCA with 2Checkout!