The reaction among retailers to the European Union’s coming PSD2 requirements has been understandable and predictable: How do I get out of this thing?
Quick answer: You don’t. PSD2 and its mandate for strong customer authentication are coming, and none of the exemptions provided will spare even the likes of Stripe, Amazon or Worldpay from conversion drop-off. As announced by the European Banking Authority (EBA) last month, it might not be fully implemented by its original Sept. 14 deadline, but it undoubtedly will arrive in the near future.
The longer answer is that retailers really shouldn’t want to get out of having to put in place the consumer protections that PSD2 calls for, commonly referred to as Strong Customer Authentication (SCA). Instead, they should embrace the change and go about modifying and organising their payment and authentication processes for the long haul.
The date to fixate on isn’t Sept. 14, or early next year. The date to be getting the ecommerce payments layer ready for is 2021 or 2025 for that matter — the point being that the core of PSD2 is here to stay.
Retailers need to find a way to provide seamless customer experiences while still measuring possession, inherence and knowledge, ideally without ever prompting their customers or turning over the checkout flow to the card brands. The infrastructure that will tell the issuing banks that SCA has been completed — think 3D Secure — will be upgraded and improved, but the substance of the regulation and its requirements will be with us going forward.
Hoping the regulation is delayed or never happens is not a winning strategy. Neither is looking for loopholes through exemptions, whitelists or convoluted payment paths that will move issuers or acquirers out of the European Economic Area (the so-called “one leg out exemption”).
In fact, those aren’t strategies at all.
A winning PSD2 strategy requires reframing the issue. PSD2 is a long-term consumer protection initiative that requires innovation to make it seamless. It is not a problem looking for a quick fix. Clever workarounds that rely on loopholes and half-measures aimed at salvaging the systems in place will lead to more misery ahead for retailers and their customers.
Fortunately, the technology to build a successful and sustainable PSD2 solution, fully compliant with the requirements for SCA, is available today. Instead of banking on exceptions, retailers should fix the problems that don’t protect their customers’ payment information. Let’s break down an optimal system into its pieces.
SCA and its three elements of measuring possession, inherence and knowledge are at the core of the regulation applicable to retailers. They are also the focus of much of the anxiety around PSD2, because, for most retailers, SCA was considered to be part and parcel of 3D Secure, a safeguard that historically has led to cart abandonment and customer dissatisfaction.
The truth is, measuring the three elements of SCA is a powerful and effective safeguard against fraud. It works. Requiring authentication based on something the consumer is (biometrics or behaviour, for instance), something the consumer alone knows (a password set before the transaction, for instance) and something the consumer possesses (a digital device as evidenced by a token, for instance) is a robust and secure method, because a fraudster’s compromise of one of the three factors does not compromise the other two.
But the EBA’s recent opinion rightly noted that implementing 3D Secure 2.0 is not implementing SCA. (The protocol doesn’t even have the ability to pass information regarding the inherence element of SCA.)
The EBA stated plainly in its June 21 memo that, “communication protocols such as EMV 3-D Secure version 2.0 and newer would not currently appear to constitute inherence elements, as none of the data points, or their combination, exchanged through this communication tool appears to include information that relates to biological and behavioural biometrics.”
The EBA went on to say that SCA purposefully allows for multiple “authentication approaches in the industry, in order to ensure that the regulatory technical standards remain technology-neutral and future-proof.”
We’ve looked at what’s in place and tested the existing protocol and its infrastructure. Authentication systems that rely on 3D Secure, with their communication among the merchant, gateway, at least two banks, the consumer and often back around again can take 15 seconds or more — an eternity on the web.
And there is no mystery in what that delay does to conversions. Slow and complicated checkout processes are a conversion killer. Nearly 48 percent of consumers told polling firm Survata, in a Signifyd customer experience survey, that they felt frustrated by checkout experiences that redirect them to another site for credit card verification, a feature of 3D Secure. The Baymard Institute found that 28 percent of consumers abandoned their carts because checkout took too long or was too complex.
The way to completely sidestep the problems with 3D Secure as a protocol is to take ownership of SCA by building or buying a holistic approach to meeting PSD2 obligations. We expect that the best customer experience under PSD2 will involve a machine-learning-based SCA provider conducting dynamic fraud analysis for online retailers, then passing the SCA decision down the 3D Secure rails to eliminate delays in approval, minimise customer friction, and maximise authorisation rates.
Such a system, relying on a vast amount of transaction data, provides just the right scrutiny for each order to protect consumers and retailers from fraudulent credit card transactions while avoiding the added friction brought on by a one-size-fits-all, legacy 3D-Secure-powered system.
The holistic approach allows for nearly instantaneous SCA review and more accurate decisions, based on the significantly larger volume of data processed by the system’s learning machines, as opposed to passing that data all the way down to the issuing banks and back. The system should have the added advantage of shifting all liability away from the merchant: onto the issuing bank in the case of 3D-Secure-authorised transactions, or onto the SCA provider for any transaction that would require a step-up or be declined.
While the details of this innovative approach to PSD2 are important, it’s the underlying approach that is vital to executing a successful PSD2 strategy. It starts with embracing the new SCA requirements rather than trying to avoid them through a pretzel of exemptions.
The exemptions apply only to some small-value carts, and ultimately depend on unrealistically low fraud rates for both the acquiring and issuing banks, neither of which is under the retailer’s control.
All the more reason to embrace PSD2 and commit to coming up with a robust system that is designed to achieve the noble goals of the regulation without breaking the customer experience you’ve worked so hard to foster.