April 04, 2019

It has been less than a year since the GDPR came into effect in the EU, and once again online merchants are having to think through questions of compliance. This time it’s PSD2 — the revised Payment Services Directive that will be taking over from the original PSD and must be implemented by September 2019. The precise impact of PSD2 is hard to predict at this stage (not least because penalties are left up to the EU’s individual member countries), but its impact on customer conversion is not.

Strong Authentication Means More Barriers

PSD2 has opened up access to customer accounts, trying to create a more level and competitive playing field for payments companies. However, to ensure that consumer financial data is adequately protected, PSD2 also requires PSPs to introduce Strong Customer Authentication (SCA) when a user accesses their payment account online or initiates a payment transaction. And SCA applies to all electronic payments where both the customer and merchant are within the EU, except those that qualify for a specific exemption.


So what is SCA? It’s a form of multi-factor authentication. The customer proves that they are who they say they are by presenting two of the following three factors:

  • Something they know (for example, a password)
  • Something they have (for example, a mobile phone)
  • Something they are (for example, a fingerprint or face recognition)

That’s a good basis from a security perspective, but it’s not ideal for customer experience.

3D Secure and Customer Experience

The easiest way for merchants to comply with PSD2 is to rely on 3-D Secure (3DS) for affected transactions, through programs like Verified by Visa or SecureCode. Merchants have long avoided 3DS wherever possible due to its noticeable, negative impact on conversion rates. 3-D Secure 2.0 (3DS2), an updated version of the protocol, has been designed to be less intrusive for customers than its predecessor, but there is no doubt that it still introduces significant friction into the shopping journey: the kind of authentication process described above will not make conversion smoother.

Twenty-six percent of customers will abandon their purchase if the checkout process is too long or too complicated. You’ve probably done this yourself from time to time when shopping online. The more steps a retailer adds in, the more likely it is that shoppers will drop off. And 3DS adds extra steps.

Can you just stick your head in the sand, ignore it all, and avoid implementing 3DS? You could, but if a merchant doesn’t authenticate a transaction that falls under the scope of PSD2, issuers can decline it at their discretion. From their perspective, if you’re not taking steps to limit risk, they’ll have to do so.


Mitigating the Impact

So how can your site comply with PSD2 without cutting conversions and annoying customers?

  1. Consider all your options. Merchants can explore the possibility of having customers designate them as “trusted beneficiaries” with their issuing banks, which enables a frictionless flow. In some ways it’s similar to the way many companies dealt with the GDPR communication requirement: by reaching out to all customers in their database to ask them to opt in to data sharing and effectively designate the company as an organization trusted to deal with their data. Except, in this case, the decision of whether to exempt ultimately lies with the issuer. Similarly, consider the possibilities in the payments landscape and decide which has the best overall package when you take PSD2 into account.
  2. Use exemptions where possible. There’s the Transaction Risk Analysis (TRA) exemption, which is especially valuable for low-value transactions. When a transaction is below €30, SCA is not required. However, if the exemption has been used five times since the cardholder’s last successful authentication, or if the sum of previously exempted payments exceeds €100, authentication will be required. Conversely, it’s unhelpful for merchants who sell high-priced goods, as SCA is mandated above €500. In between, it depends on the PSP’s fraud rate, so merchants should start questioning their PSP on this now and consider switching if necessary. In tandem, merchants should do their bit by putting effort into keeping their own fraud rate low. Merchants will also want to work with fraud protection providers who are able to help them make the most of TRA.
  3. Work with a fraud prevention provider that optimizes for conversion. If your “EU to EU” transactions will be affected by PSD2, do everything possible to ensure your non-EU transactions are friction-free. Legacy fraud solutions add considerable friction all by themselves, without any directives adding to the problem. Make sure your fraud solution is invisible to the consumer where possible. Merchants will want a provider able to make the process as smooth as possible for one-leg-out EU transactions as well, while still showing compliance best effort.
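To make the exemption rules in point 2 concrete, here is an added illustration (not Forter’s code, and not part of the original post) of how a PSP-side decision engine might apply them: the sub-€30 low-value exemption with its five-use counter and €100 cumulative cap, the hard €500 ceiling, and a fraud-rate-dependent TRA ceiling in between. The `tra_ceiling` parameter, the `CardholderState` counters and the reset-on-successful-SCA behaviour are assumptions, since the post does not state the PSP’s fraud-rate bands.

```python
from dataclasses import dataclass

# Thresholds as stated in the post; amounts are assumed to be in euros.
LOW_VALUE_LIMIT = 30.0      # "below €30": strictly less than 30
LOW_VALUE_MAX_COUNT = 5     # exemption usable five times since last SCA
LOW_VALUE_MAX_SUM = 100.0   # sum of previously exempted payments must not exceed 100
SCA_ALWAYS_ABOVE = 500.0    # "SCA is mandated above €500"


@dataclass
class CardholderState:
    """Hypothetical per-card counters kept since the last successful SCA."""
    exemptions_used: int = 0
    exempted_sum: float = 0.0


def sca_required(amount, state, tra_ceiling=0.0):
    """Return (required, reason) for one transaction.

    tra_ceiling (assumption) is the amount up to which the PSP's fraud rate
    allows a TRA exemption; 0.0 means the PSP has no TRA headroom at all.
    """
    if amount > SCA_ALWAYS_ABOVE:
        return True, "above 500 EUR: SCA mandated"
    if amount < LOW_VALUE_LIMIT:
        if state.exemptions_used >= LOW_VALUE_MAX_COUNT:
            return True, "low-value counter exhausted"
        if state.exempted_sum > LOW_VALUE_MAX_SUM:
            return True, "cumulative low-value limit exceeded"
        return False, "low-value exemption"
    if amount <= tra_ceiling:
        return False, "TRA exemption within PSP fraud-rate ceiling"
    return True, "no exemption applies"


def record_outcome(state, amount, required):
    """A successful SCA resets the counters; an exemption consumes them."""
    if required:
        return CardholderState()
    return CardholderState(state.exemptions_used + 1, state.exempted_sum + amount)


def simulate(amounts, tra_ceiling=0.0):
    """Run a sequence of payments for one card; return (amount, required, reason) per step."""
    state = CardholderState()
    log = []
    for amount in amounts:
        required, reason = sca_required(amount, state, tra_ceiling)
        log.append((amount, required, reason))
        state = record_outcome(state, amount, required)
    return log
```

Running `simulate([25.0] * 6)` shows the counter rule firing on the sixth payment, while `simulate([29.0] * 5)` shows the cumulative cap firing first.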

Watch This Space

There’s still time before PSD2 kicks in officially in the EU. Keep your eyes peeled for creative solutions from PSPs, issuers and fraud prevention providers like Forter to help reduce the impact of PSD2 on your bottom line.

If you’re aware of the evolving discussion and keep a look out for fresh solutions, you might even be able to turn your approach to PSD2 into a competitive advantage.
