Ai Editorial: Assessing the impact of PSD2 on e-commerce payments

19th April, 2019

Ai Editorial: The PSD2 introduces strict security requirements for the initiation and processing of electronic payments, which apply to all payment service providers, writes Ai’s Ritesh Gupta

 

The impact of PSD2 on e-commerce payments is being probed. This payment services directive in Europe is being associated with a major change in payments and data protection.

Merchants and other stakeholders are evaluating a number of issues. One of the key requirements of PSD2 relates to Strong Customer Authentication (SCA) that will be required on all electronic transactions in the European Union from September this year.

Also a critical area from a consumer’s perspective is how their shopping experience is going to be impacted.

The PSD2 introduces strict security requirements for the initiation and processing of electronic payments, which apply to all payment service providers. Stakeholders are evaluating many areas: What exactly are SCA requirements under PSD2? How are acquirers and PSPs gearing up to respond? How can digital merchants, such as travel e-commerce players, deal with stepped-up authentication requests as a result of SCA? How transaction costs are going to evolve?

Impact on CX

For any merchant it isn’t easy to implement any move that results in friction in shopping. For instance, many fraud prevention methods introduce dilemmas between maximising revenue and minimising fraud – e.g. with more rules, implementation of 2FA or multi-factor authentication fraud rates can be lowered, yet more genuine customers will be blocked; on the other hand, with less rules and lax authentication to maximize revenue, merchants will be more vulnerable to fraud attacks. And now with PSD2, the SCA requirements will result in additional friction to the e-commerce payment process. A major question here is – how to cut down on cart abandonment? “Merchants have to be proactive in understanding implications. For instance, evaluate the efficacy of direct debits – understand the scope of the SCA requirements, in which cases it is needed, and what the associated credit risk is?” recommended a source.

Payment specialists also need to assess scenarios where exemption to SCA is permitted.

SCA will require shoppers to validate themselves with at least two out of the following three methods:

  • Something they know  
  • Something they possess  
  • Something they are  

As explained by Worldpay, there’s no need to go through SCA for:

  • Trusted beneficiaries: merchants that are whitelisted by consumers
  • Recurring transactions: regular payments of the same amount to the same business
  • Low-value transactions: payments less than €30
  • Low-risk transactions: payments that have been assessed as low-risk in real-time

CardinalCommerce explains that the SCA requirement “is for transactions between cardholders whose payment cards have been issued in the EEA and merchants located in the EEA. To clarify, if a cardholder with a card issued in the U.S. buys from a merchant located in the EEA, SCA is not required (though an authentication solution is recommended). Conversely, if a cardholder’s payment card has been issued in the EEA and they make a purchase from a U.S. merchant, SCA is not required. These transactions are labeled “one-leg-out” and are out of scope for PSD2-SCA.” Another important aspect – the European Banking Authority “recommends exemptions for payment service providers (PSPs) that adopt risk-based requirements in lieu of strong customer authentication, which ensures the safety of the payment service user’s funds and personal data”.

Another area to assess is 3DSecure 2.0

From the industry’s perspective, 3-D Secure 2.0 will pave way for a real-time, protected, details-sharing channel that merchants can avail to send an unmatched number of transaction attributes that the issuer can use without looking for a static password. Overall, enhanced messaging with additional information for better decisions on authentication. As highlighted by specialists, enabling 3DS 2.0 is way to meet the SCA-related requirements. A payments integration that supports 3DS 2.0 is an industry standard approach to comply with the new EU laws.

The transaction risk analysis could be done in a couple of places: after the credentials have been supplied (to work out whether authentication was sufficient for the payment) or before prompting the user for credentials.

For shoppers, in many cases device information is enough to authenticate without an extra step for the customer. However, some transactions that have higher risk or regulations such as PSD2 require active approval. Specialists like Adyen have indicated that their respective 3D Secure SDKs help companies to set up build these flows and there are three primary types to consider: Passive (The SDK and servers exchange all necessary information in the background. The customer sees nothing); Two-Factor (the user is asked to provide a two-factor authentication code sent via email or SMS); Biometric (an app-switch to an issuing-bank app is facilitated by the SDK. The user can use their fingerprint or face in the issuing bank app).  

As for its implications - 3DS 2.0 has put a lot of pressure on issuers. According to Emailage, the advent of 3-D Secure 2 globally and SCA in the EU will stop online merchants paying for most card frauds. Card issuers will be challenged to authenticate their clients using new transaction data to which they have previously not had access.

 

Hear from senior executives about PSD2 at the upcoming ATPS (21st Century Customer Experience for Payments & Fraud - Airline & Travel Payments Summit) to be held in London (Brighton), UK  (7-9 May, 2019).

For more information, click here

Follow Ai on Twitter: @Ai_Connects_Us