Voice of the Industry

PSD2 requirements give retailers a chance to recommit to customers

Wednesday 11 December 2019 07:45 CET | Editor: Simona Negru | Voice of the industry

Stefan Nandzik, vice president of corporate communications at Signifyd, discussed with The Paypers how PSD2 gives retailers the opportunity to recommit to customers.

 

The dawn of the PSD2 era has been called many things — most of them unpleasant. But the new standards to open up banking and finance and protect merchants and consumers from online fraud are actually a brilliant opportunity. It is a chance for retailers to reassess their relationships with their customers and to recommit themselves to serving consumers with a seamless buying experience from beginning to end.

While the regulation, which took effect in September 2019, is broad and complex, online retailers have been focused on the portion of PSD2 that requires strong customer authentication (SCA) for online transactions.

It’s fair to say that the requirements caused considerable stress and confusion among merchants and others, primarily based on the belief that SCA would inevitably introduce more friction into the buying process and that more friction would lead to fewer sales. In fact, Visa estimated that as many as 30% of orders would be abandoned by frustrated consumers. Ecommerce industry heavyweights Stripe, Worldpay, and Amazon warned of significant financial losses – ‘catastrophic’ is the word a Worldpay executive used. Stripe conducted a study with 451 Research that concluded that SCA would cost European businesses EUR 57 billion in its first year.

PSD2 enforcement delayed due to lack of preparedness

The confusion and lack of readiness became so apparent that the European Banking Authority (EBA) in June issued an opinion that suggested the enforcement of SCA would be delayed in order to give banks, merchants, and consumers a chance to prepare for the new way of doing business.

So, where in all this is the brilliant opportunity? For retailers who embrace fearless commerce, PSD2 and its SCA requirement are a chance to deploy a holistic approach to customer authentication. Rather than spend energy — and resources — looking for a way around the requirement, by relying on exemptions or customer whitelists (which will be allowed in limited cases), merchants can turn to innovation to provide SCA without the friction that has worried so many until now.

First, let’s break down what SCA requires and why merchants were so concerned about being able to pull that off without losing sales and customers. Essentially, the new regulation says that retailers must authenticate online customers using two of three factors:

  • Something the consumer alone knows (e.g. a password from before the transaction);
  • Something the consumer possesses (e.g. a digital device as evidenced by a token);
  • Something the consumer is (e.g. biometrics or behaviour).

Retailers and others widely believed they could turn to 3-D Secure 2.0 to achieve the mandated review. Even that caused concern, given that 3-D Secure’s early version was notorious for slowing down checkout to the point that merchants would lose a significant number of sales.

Signifyd’s own testing showed that authentication systems that rely on 3-D Secure, with their communication among the merchant, gateway, at least two banks, the consumer, and often back around again, can take 15 seconds or more — an eternity on the web.

But in the same opinion that delayed SCA enforcement, the EBA made it clear that 3-D Secure 2.0 on its own would not be sufficient to meet the new SCA requirements.

3-D Secure 2.0 is not enough to meet SCA requirements

‘In addition’, the opinion noted, ‘communication protocols such as EMV 3-D Secure version 2.0 and newer would not currently appear to constitute inherence elements, as none of the data points, or their combination, exchanged through this communication tool appears to include information that relates to biological and behavioural biometrics.’

And while the announcement shook the merchant community, it also pointed the way to a better method of performing SCA without degrading customers’ experiences online.

We expect that the best customer experience under PSD2 will involve an SCA provider that uses machine learning to conduct dynamic fraud analysis and then passes that SCA decision down the 3-D Secure rails to eliminate approval delays, thereby minimising friction and maximising authorisation rates. A system designed that way and relying on a vast amount of transaction data provides just the right scrutiny for each order to protect consumers and retailers from fraudulent credit card transactions while avoiding the added friction brought on by a one-size-fits-all, legacy 3-D Secure-powered system.

The holistic approach means the data doesn’t have to be passed down to the issuing banks and back. The system should have the added advantage of shifting all liability away from the merchant, onto the issuing bank in the case of 3-D Secure-authorised transactions, or onto the SCA provider for any transaction that would require a step-up or be declined.

While the technical details of a holistic solution are important, it’s the underlying approach that is vital to executing a successful PSD2 strategy. It starts with embracing the new SCA requirements rather than wasting time trying to eliminate them by sorting through exemptions.

SCA exemptions are not the answer

In truth, the exemptions are only sometimes applicable for some small-value carts and ultimately depend on unrealistically low fraud rates for both the acquiring and issuing banks, neither of which is within the retailer’s control. That’s all the more reason to come up with a robust system compliant with the new regulation without diminishing your customers’ experiences.

Retailers that crack the code first will enjoy a competitive edge that could change the trajectory of their businesses for years to come.

About Stefan Nandzik

Stefan is Signifyd’s vice president of corporate communications. His ‘what if’ approach to business problem-solving constantly challenges conventional wisdom and means that he is never afraid to upend the status quo to lead change.



About Signifyd

Signifyd empowers fearless commerce with an end-to-end commerce protection platform powered by more than 10,000 merchants selling to over 250 million consumers worldwide. Its advanced machine learning engine protects merchants from fraud, consumer abuse, and revenue loss caused by barriers and friction in the buying experience.

