What the Bleep is Going on with SCA and PSD2? Takeaways from MRC Madrid 2019

October 15, 2019

With the Strong Customer Authentication (SCA) requirements being mandated on September 14, 2019, it is no surprise that PSD2 was at the forefront of discussion at MRC Madrid 2019, an eCommerce fraud and payments conference held on September 23-25.

SCA is the final implementation of PSD2 (Payment Services Directive 2), introduced by the European Commission to increase payment security and customer protection across Europe. SCA offers an additional layer of security, requiring customers to provide two identity verifications through two-factor authentication for online card transactions.

Merchants, issuers, card schemes, and acquirers alike were asked to participate in panel discussions and breakout sessions surrounding PSD2, SCA, and EMV® 3DS for a variety of insights and perspectives from the stakeholders affected by the regulation.


Who is Educating Consumers about SCA?
The value of PSD2 was reinforced throughout MRC Madrid 2019, with speakers noting that the regulation will likely lower fraud and increase payment security significantly. PSD2 will also open the EU market to more payment service providers, enabling them to initiate payments on behalf of the consumer for user convenience and ease. [1]

Despite the benefits of PSD2, there still seem to be a few unknowns about the regulation, one of which was confusion around communicating the new authentication process to consumers. There was uncertainty about who was responsible for customer education. Merchants were looking to issuers, who were looking to card schemes, and vice versa.

However, several merchants responded proactively, explaining they notified customers themselves. For example, Micheál Egan, Payments Manager at Ding, reported that despite the lack of clarity around PSD2 extensions, Ding took the initiative to notify customers in advance of the September 14 compliance deadline. The notification stated that in the interest of security they may be asked to complete an extra step of authentication by their bank during their next Ding transaction.

Other companies shared that they updated their FAQs, internal knowledge base, and customer service scripting to advise customers of the change.

Regardless of how the consumer is educated, transparency around the compliance guideline is crucial for customer retention, brand loyalty, and trust.


SCA Compatible with the Travel Industry?
Two-factor authentication seems to be an especially big challenge for the travel industry. Shoppers who experience a long checkout process tend to abandon their cart. With an already tiresome checkout process, an additional layer of security threatens to increase the checkout time further.

Additionally, because customers are not privy to the process, merchants are worried there will be a rise in cart abandonment, resulting in an anticipated 15-20% conversion decline, explained Alessandro Luchetti, Head of Payment Operations and Revenue Protection at lastminute.com Group.

With this in mind, will the merchants who are not yet compliant with SCA have a competitive advantage over the merchants who are? This remains to be seen.


Should merchants be worried if they are not yet compliant?
If your business has yet to make the transition, you are not alone. While it seems many large merchants like Microsoft have been compliant long before the SCA deadline, midsize to smaller merchants are still in the process of adoption. Not to worry, though: it appears that there will be a grace period for full SCA compliance.


"Even though the deadline for strong authentication has come and gone, regulators are in discussion for a 12 to 18 month transition period for merchants to fully comply with regulations." - Greg Toussaint, Principal at Edgar, Dunn & Company


Unfortunately, the payments landscape was not created for transparency between merchants and issuers, and amid technology innovation and regulation enforcement it has historically been difficult to share information and collaborate. So how do we move forward in this new era of regulations?


Opportunities Ahead

  • Exemptions -- Some merchants qualify for PSD2 exemptions, but ultimately it is up to the issuers, not regulators, to make that decision. Some exemptions may apply to businesses offering recurring transactions, low-risk transactions, corporate card payments, and possibly others. [2] Do your research to see if you qualify and if it is right for your business.

  • EMV® 3DS -- If implemented properly, EMV® 3DS can optimize the user experience by sending over 100 data elements from the merchant to the issuer for invisible authentication and less friction. [3] The good news for merchants is that in many cases EMV® 3DS also shifts chargeback liability from your business to the customer's bank.

  • Open banking -- An especially hot topic right now, open banking stands to allow an account holder to safely share their transaction data with an authorized third party and enables the third party to send a payment from their account, explained Jonathan Dranko, Strategy Director at Worldpay. Open banking has a long way to go before it is fully realized, but is expected to grow exponentially over the next several years. The benefits of open banking are that funds are available instantly, it is highly secure, and it reduces costs associated with fees. Furthermore, the merchant has control over refunds, meaning no chargebacks from the consumer. However, with that in mind, there is concern about the customer not receiving the goods or services and therefore not being able to dispute the charges. Another cause for concern is that open banking is primarily compatible only with mobile devices because of the API interface, which currently restricts desktop purchasing.

Interested in learning more about PSD2, open banking, EMV® 3DS, SCA, and other topics in the payment landscape? MRC is a resource for eCommerce fraud, payments, and risk education, offering complimentary webinars every Wednesday as well as upcoming conferences and events.

[1] European Commission

[2] Braintree

[3] Worldpay