The Payment Services Directive (PSD2) is a European directive to make payments more secure. PSD2 includes Strong Customer Authentication (SCA), which will be enforceable within the European Economic Area (EEA) at the end of the year and requires more robust fraud prevention checks for online transactions.
If your eCommerce company is not yet compliant with PSD2 Strong Customer Authentication measures, there is still time. However, with the enforcement date fast approaching, there is no time to waste.
Payment providers, card issuers, and acquirers are subject to the new rules, and compulsory measures for online merchants will be enforced in most of Europe starting at the end of the year. Failure to become compliant by the deadline will result in significantly higher decline rates, lower conversions, and greater customer dissatisfaction.
The EU’s Strong Customer Authentication provisions mandate two-factor identification for non-exempt transactions to ensure a person accessing an account or ordering online is the correct owner. While online businesses are not ultimately responsible for authenticating customers, it is in their best interest to meet SCA requirements. Their customers will experience less friction and they will be able to exempt a larger percentage of their transactions if they integrate their system with payment service providers and card issuers.
Sharing data and enforcing PSD2 SCA protocols to help issuers and acquirers manage fraud will mitigate the potentially negative impacts of SCA on security and customer experience. Both priorities are key for online retailers to achieve and maintain PSD2 Strong Customer Authentication.
While the PSD2 Strong Customer Authentication process introduces a second user verification step into account access and checkout, it does not need to disrupt most account activities. To ensure it does not, eCommerce companies should communicate with customers about what to expect and how they can expedite the process. Some mobile payments may not be affected because smartphones already authenticate users through both biometrics and passwords. However, other credit and debit card purchases will be subject to greater scrutiny because an additional security layer is invoked after checkout. At this point, the cardholder must provide supplemental information before their bank will authenticate the purchase. The industry-standard EMV® 3DS or another authentication engine compatible with most European-issued cards can facilitate this step.
PSD2 Strong Customer Authentication regulations mandate that fraud liability risks be assumed by the entities that request the exemptions. For instance, if an SCA transaction turns out to be fraudulent, the merchant – not the card issuer or the acquiring bank – will be responsible for issuing chargebacks. In addition, eCommerce companies will find it in their best interest to keep their partners’ fraud incidents as low as possible. When an acquirer’s fraud rate crosses a certain threshold, PSD2 stipulates that all future transactions acquired by that bank be subject to EU Strong Customer Authentication. This means no more exemptions based on fraud rate will be permitted. The rule applies to all transactions – regardless of the amount of money and which merchant originates it. Naturally, banks will not be happy with any eCommerce partner that sends too many fraudulent transactions their way, as this will cause the bank's fraud rate to deteriorate.
The more questionable logins and transaction requests you allow, the greater the chance an exemption will be granted in error. Merchants should continue to vet their own customers using known behaviours to determine if activities warrant identity challenges before they request an exemption.
As the deadline for PSD2 Strong Customer Authentication implementation approaches, you need to make sure you are on track:
- Assess your typical transaction type, value, and workflow. Consider your average ticket values and determine under which SCA Transaction Risk Analysis (TRA) thresholds they fall. If many of your transactions fall outside PSD2 scope, if a large percentage of transactions are initiated by you – the merchant – or if a significant number of customers reside outside the European Economic Area, you need to be able to identify and separate them from the 3DS2 workflow.
- Evaluate potential fraud-screening vendor partners to determine which one can provide the platforms, advice, and technology options that best suit your needs. Accertify has developed a PSD2 Strong Customer Authentication solution, SCA Optimisation, that enables compliance while requiring minimal merchant website development work. The Accertify solution maximises TRA exemptions and allows you to challenge dubious transactions before they reach the 3DS2 engine.
- Negotiate with PSPs and acquiring banks to ensure desired exemptions will be granted. This is where partnering with a respected fraud-prevention service pays dividends. By investing in stringent third-party technology and analytics, you can make better security decisions, reduce your fraud rate, and request non-SCA approvals only for valid transactions. Your attractive fraud rate gives you leverage to get the service you need.
Accertify’s SCA Optimisation process features a powerful real-time decision engine that allows you to provide your customers with a pleasant online shopping experience by offering multiple authentication processes and friction-free checkout. The Accertify platform stands guard over your business 24/7 by leveraging available machine learning capabilities that quickly recognize and respond to emerging fraud trends. It also delivers a strict, scheme-agnostic 3DS2 authentication solution to streamline SCA and enable regulatory compliance while helping you take full advantage of exemptions.
Be confident your eCommerce site is positioned to thrive when PSD2 compliance becomes mandatory. Request a consultation today to see a demonstration of our PSD2 SCA Optimisation solution.