PSD2 doesn't only affect banks but also online stores, among other things.
Strong Consumer Authentication (SCA) poses a challenge. It's the obligation to confirm transactions with at least two different elements, such as a password and a one-time code.
It's necessary to ensure that the new solution is available for your customers. However, there is a justified concern that SCA will negatively affect the conversion rate.
EPSM (European Association of Payment Service Providers for Merchants) has called for a 1.5-year extension of the deadline for strong authentication rules. The European organization that brings together companies from the payment industry noted that SCA, as a necessity for confirming transactions, could cause customers to abandon purchases.
EPSM also argued that online stores still aren't ready for such big changes, although let's remember that SCA applies to purchases that exceed 30 euros.
Did EPSM exaggerate the issue? Money 20/20 did a study on behalf of technology company Stripe that up to €57 billion from online sales will be at risk during the first year of PSD2.
Furthermore, the study shows that many companies aren't ready for upcoming changes. Other industry data indicate that as much as 25-30% of E-Commerce transactions can be rejected due to strong customer authentication.
Delays of PSD2 implementation
The British Financial Conduct Authority (FCA) has leaned in favor of the EPSM's appeal. FCA agreed to an 18-month delay in introducing SCA rules for E-Commerce transactions, whereas the deadline was September 14, 2019, when PSD2 was meant to come into force.
"While these measures [SCA - editor's note] will reduce fraud, we want to make sure that they won't cause material disruption to consumers themselves, so we have agreed on a phased plan for their timely introduction." Justifies the decision Jonathan Davidson, FCA's executive director.
Financial Conduct Authority notes inadequate preparation for fully implementing SCA rules for making payments, especially in E-Commerce.
Where does PSD2 make the most sense?
SCA makes the most sense in EU countries where E-Commerce is still relatively small. When you look at eMarketer data from May 2019, you will see that China leads in terms of online sales with $1,934.78 bn.
It is followed by the US ($586.92 bn), the UK ($141.93 bn), then Japan ($115.40 bn), and South Korea ($103.48 bn). Germany and France remain in the rear — $81.85 bn and $69.43 bn, respectively.
Not only the British FCA has spoken out on the SCA issue. The Polish Financial Supervision Authority has extended the deadline for financial institutions to implement PSD2. It is necessary to submit the need for such a solution to the FSA before September 14, 2019.
Migration plan
Subsequent steps include preparing a "migration plan" for full compliance with SCA, its agreement with the FSA, and then implementation. The European Banking Authority (EBA) has published a statement that EU countries' supervisory authorities can extend the implementation.
Other industry data indicate that as much as 25-30% of E-Commerce transactions can be rejected due to strong customer authentication.
"Polish Financial Supervision Authority declares that the solution proposed by the EBA for online payments using a debit/credit card and contactless payments made at payment terminals is considered acceptable" — the FSA informs in a press release.
PSD2 involves an important legal change — the need for banks and national payment institutions to obtain permission from the FSA to provide PIS (Payment Initiation Service). This is not insignificant.
On the one hand, the number of registered cyberattacks in 2018 affected 68% of Polish companies, which is 14% less compared to 2017.
On the other hand, 25% of companies argued that the number of cybercrime attempts had increased significantly, while only 8% say there has been a decrease — according to a February 2019 Norstat survey conducted on behalf of the consulting firm KPMG.
Meanwhile, more companies are boasting about their PSD2 implementation — for example, Zalando.de — the German clothing giant with a thriving presence in Europe.
Customers can see a tutorial video showing step-by-step the changed purchasing process. This is important because Zalando now offers new verification methods, including biometric authentication.
When Zalando's customer decides to pay with a credit card, the bank will notify them about additional payment authentication. After clicking on the notification, the user will be redirected to the bank's application, where they will be asked to confirm the transaction with, for example, a fingerprint.
Successful verification will mean that the order will be processed, and the consumer will again be taken to the Zalando website.
How will the authorization process work with PSD2?
You know that the authorization process during payment with a card will be different than before. The first part of the verification is "knowledge" (e.g., password), second — is "possession" (what users possess, e.g., phone with installed bank application).
The third one involves "customer's characteristic," e.g., fingerprint. It is enough to use two methods to make a purchase. The card-issuing banks will decide which authentication methods will be chosen.
In practice, the customer will first be asked to enter credit card data. When they do so, they will confirm the operation with the "Pay" button. The next step is the process of strong authentication.
For example, you will receive a push notification from a bank application that involves entering a personal PIN code or confirming identity with a fingerprint or other biometric data. The payment will be confirmed when the PIN code and one-time code in the form of a text message (or biometric data) are correct.
Although the premise is that every online transaction should be authorized using two elements, exceptions apply.
This applies to transactions of up to 30 euros for every sixth transaction, recurring payments (such as subscription fees), selected stores that have earned the trust of customers, as well as transactions with a low risk of fraud or secure corporate payments.
What should an E-Commerce owner do?
E-commerce websites must comply with the PSD2 directive by March 2020. However, let us emphasize that implementing the new version of the 3D Secure 2.0 protocol is the responsibility of the consumer's bank, not the online retailer.
The owner's role is to ensure that its store's payment module has been adapted to the new guidelines.
3D Secure 2.0 is based on an authentication process in which risk assessment is paramount. This solution uses additional transaction data that allows sellers and card issuers to determine whether the cardholder initiated a payment and whether it can be continued.
Let's also mention "Frictionless Flow," whose task is to identify low-risk transactions followed by the lack of need for identity confirmation.
What is important is that when the link (payment module) between the store and the bank follows the same procedure, it will be possible to guide the customer through the authentication process without additional steps. So it will not affect the course of purchase or the conversion rate.
The owner's role is to ensure that its store's payment module has been adapted to the new guidelines.
All online stores operating in the EU should consider implementing two-step verification independently. There are ready-made payment modules available on the market.
One of them is Stripe Payment Pro (SCA-ready), offered by the PrestaShop platform. The cost of such a module is 59.99 euros.
To sum up, online sellers need to work with payment service providers that will meet the requirements of PSD2, although that's not all.
PSD2 is not so scary. A plan of action
Finally, here's a plan of action for an online store owner who wants to cope with the changes that PSD2 introduces.
- Contact your settlement agent or payment service provider. Find out if your online store will be prepared for the legal changes and when it will offer a payment authentication service that complies with the EU directive.
- Don't leave your customers on their own. Inform them of the planned changes, highlighting the benefits they will bring, such as reducing the risk of fraud, among other things. Later, create, for example, a video to introduce them to the new buying process.
- If you want, install a ready-made payment module like Stripe Payment Pro (SCA-ready).
- Use payment methods such as Apple Pay, Google Pay, or PayPal, which already have two-step authentication built in.
- Look around for partners with extensive banking connections.
- Use monitoring to determine the most efficient payment processors.
- Ensure the best possible mobile solution: 3D Secure 2.0 is designed for smartphones and tablets.
Disclaimer
The sample prices presented in the article do not constitute a commercial offer within the meaning of the Polish Civil Code.
Hero shot: Flickr.com