There’s a lot of excitement and apprehension regarding the Revised Payment Services Directive (PSD2). eCommerce vendors expect a host of changes because of the Strong Customer Authentication (SCA) requirements of the revised directive.
PSD2 was conceptualized and passed in 2015. It has been in full effect since September 14, 2019, and acts as the central framework for all payment service providers (PSPs) operating within the EU.
Since PSD1 didn’t envisage technologies like mobile payments, facial recognition, and online wallets, the European Commission felt the need to address the legal uncertainties surrounding these new technologies. The main aims of PSD2 are –
- Improve digital security, making the European payments market secure, unified, and highly efficient for all parties involved.
- Boost competition amongst new payment service providers and well-established financial institutions.
- Prioritize consumer security, preserving their data from fraudsters.
- Encourage innovation amongst online sellers by compelling them to increase customer safety and convenience.
If PSD2 will benefit all parties, why is there so much concern about these directives? Because even well-intentioned regulations often expose massive gaps in payment processes. These gaps are viewed as ideal opportunities for fraudsters. They exploit the vendors who are using outdated fraud prevention tools that don’t incorporate PSD2 requirements. Old fraud prevention tools simply aren’t good enough to deal with modern-day cybersecurity threats.
The Cybersecurity Arms Race
Even though PSD2 promises to reduce online fraud, organized crime rings are well-prepared to use automation, large amounts of stolen data, and other tricks to get past these security measures. So, an increase in fraud attempts is almost guaranteed. In the US, online vendors are experiencing 344 fraud attempts every month in 2020, compared to 277 per month in 2019. PSD2-compliant vendors will be able to resist these attempts. Hence, fraudsters will shift their focus to vendors who aren’t equipped with PSD2-compliant security tools.
Overall, the vendors are facing pressure from two areas –
- Fraudsters who are improving their efforts to take over accounts, carry out card-not-present fraud, open new accounts to steal customer data, etc. Unprepared vendors and payment service providers will take a hit because of these hackers’ persistence.
- Secondly, online vendors are feeling the pressure to meet the expectations set by regulators. Well-informed consumers expect a lot in terms of safe and hassle-free customer experiences. If vendors don’t meet PSD2 Strong Customer Authentication requirements, they can experience unnecessary friction in their digital payment processes.
So, vendors will have to balance both of these sources of pressure using sophisticated fraud prevention tools. Thankfully, leading fraud prevention software manufacturers are readying themselves for these challenges by incorporating technologies like machine learning (ML), digital identity analytics, and customer behavior tracking to stay a step ahead of the fraudsters.
Strong Customer Authentication (SCA) and Its Impact on Vendors
SCA, or two-factor authentication (2FA), is an online payment security measure recommended by the European Commission. It was rolled out under PSD2 and asks payment service providers to carry out authentication processes that include at least two of these three elements –
- An element of the customer’s knowledge (e.g., password/secret answer)
- A customer’s possession (e.g., mobile phone, smart card, etc.)
- Biometrics (e.g., fingerprint, voice recognition)
PSD2 dictates that SCA must be applied to all customer-initiated digital payments within the EU (with some exceptions). By compelling all vendors, financial institutions, and payment service providers to initiate two-factor authentication while processing online payments, SCA guarantees a much safer eCommerce environment. But the implementation of SCA across the world has been extremely inconsistent. According to multiple reports, many national and central banks are yet to implement full-fledged SCA.
These delays are being caused by –
- Unprepared merchants.
- Inherent complications of SCA that make it hard to integrate into old-school payment processing systems.
- In many parts of the EU, the SCA rollout has been poorly communicated; many vendors and PSPs do not receive accurate information regarding these guidelines.
- Poor consumer awareness about these changes across the EU.
Thankfully, regulators have given financial institutions, private PSPs, and vendors enough extra time. These delay periods should be used to communicate these updates to consumers. If SCA is not implemented efficiently across all institutions, experts anticipate fraud losses from eCommerce to amount to $48 billion by 2023.
How Can Vendors Implement PSD2 and SCA?
To implement PSD2 and SCA most effectively, vendors must –
- Discuss the challenges and benefits of implementing PSD2 with their payment processors and banking institutions.
- Inform customers about 2FA and its importance. Launching a communications plan to inform customers about the measures being taken to stay compliant with SCA will help vendors come off as well-prepared and reliable.
- Minimize the impact of PSD2 implementation on customers by ensuring 2FA doesn’t impact their customer journeys.
- Invest in PSD2-compliant payment processing software. Investing in the latest fraud prevention software that meets PSD2’s SCA requirements is the best thing that online sellers can do.