The Biggest PSD2 and SCA Concerns. How They Can Impact Your Business
The deadline for meeting PSD2 regulations is fast approaching, but there are still more questions than answers. Here’s what you should know about the upcoming changes to prepare better.
New requirements based on PSD2 were introduced on 14 September 2019. Overall, the directive puts all players under one unified regulatory framework, and banks need to provide access to their customers’ accounts via open APIs.
So, why is this important for your online business?
The most common PSD2 challenges
Before digging into the challenges, let’s start with the objectives of PSD2. There’s no question that the directive was created to standardize regulations for banks and payment providers, but it’s also about making payments safer (which leads to increased customer protection) and fostering innovation and competition.
Speaking of competition, the directive is also the answer to the current monopoly that banks have on payment services and customer accounts.
According to Tink’s report, modernizing IT systems is one of the major banking challenges for 36% of banks when it comes to PSD2. But one of the major concerns is that online businesses may end up with added complexity, as every bank can offer a different implementation. It’s also about the interfaces implemented by banks and financial institutions, as there’s doubt about whether they will be ready at the beginning, when PSD2 becomes mandatory.
The first months will verify the new challenges, but chaos is inevitable.
SCA and 3D Secure 2 as a method of payment authentication
Another concern is that the strong customer authentication (SCA) could have a negative impact on customer experience because it will add an extra step to the payment process and force a cardholder to provide additional information to complete payment.
For the record, SCA is a PSD2 requirement for payment service providers to make online payments more secure and prevent financial fraud. So, payments need to go through multifactor authentication. The question is whether SCA will damage the customer experience.
Today, the most common authentication method is 3D Secure and, based on the recommendation, the main method for authenticating online card payments will be the 3D Secure version 2 that is expected to improve user experience. This is why we advise merchants who work with SecurionPay to enable our non-invasive 3D Secure verification right away to add an extra security layer, minimize the chargeback ratio without hindering conversion, and get ready for version 3DS2.
Note that there can be exemptions from SCA defined for different use cases, for instance, based on the amount, transaction type, level of risk, etc. This is crucial, as one of the most challenging things will be providing a smooth experience depending on the transaction type. But still, it’s the cardholder bank’s decision whether to accept an exemption.
For now, we can see that it can get more complex with recurring payments. Imagine how frustrating it would be for customers to authenticate each monthly payment. So, the goal is to keep recurring payments automated, but it’s up to the bank whether the transaction needs to be authenticated or not.
But without authentication built into the checkout flow, merchants may face severe consequences. This is why we advise you to choose a payment partner who is ready for the upcoming regulations to stay away from the implementation burden and focus on your core business. One that has proper knowledge in place and provides you with all the required tools, so that you can effectively address SCA and turn new regulations into an opportunity for both you and your clients.
The difference between 3D Secure 2.0 and newer versions
EMVCo first published the 3DS 2.0 specification in 2016 and, as you may guess, the authentication solution as we knew it was improved, so the first version is no longer supported. There are several new functionalities, so you can expect much more than mobile device compatibility and biometric authentication.
What are the main changes?
3D Secure 2.1 for a frictionless flow
In version 2.1, introduced in 2017, the major changes were driven by the need for better user experience and higher security of online payments.
This means that issuers receive much more data on each card transaction than in version 1 to provide a seamless payment flow for cardholders. It shortens transaction times and increases authorization rates, which simplifies the customer experience and eliminates redirects.
3D Secure 2.2 – support for exemptions
The newest version 2.2 (released in December 2018) is extended with exemptions for low-value transactions (where no additional interaction with the end user is required) and whitelisting of merchants. 3D Secure 2.2 also includes improved communication between merchants and issuers and additional device compatibility.
Integration with mobile banking authentication and biometrics is much smoother, so there’s a higher number of options to authenticate. As 10 times more data is shared with issuers, they can provide better risk analysis and greater fraud prevention. Moreover, 3DS 2.2 enables 3DS Requestor Initiated (3RI) payments for some use cases (for instance, travel).
You can expect newer versions to focus on enhanced risk assessment and support for more devices.
And what about 3D Secure 1.0? It’s still effective in case something goes wrong with the 3D Secure 2 process; however, merchants are obliged to embrace the latest version of 3D Secure (an obligation that started in March 2020).
What’s the timeline for the new requirements?
According to PSD2 requirements, merchants need to apply authentication on European payments by the end of 2020. Otherwise, they will face a significant risk of payment declines and a sharp drop in conversion. Not to mention the friction that clients may face during payments. Think about how it will impact your bottom line.
There’s no question that PSD2 will open the market to new players, so payments in Europe will be more competitive. More choices mean better services that, in fact, might lead to faster and cheaper payments and financial services for the end customer.
Also remember that new regulations are for customers, not only for banks and businesses. They also need time to learn new habits and, even more importantly, trust new services.
Exemptions from SCA
Merchants that accept low-risk transactions might expect some exemptions from Strong Customer Authentication to reduce friction during online payments. The exemptions depend on the fraud rate, with the following thresholds:
- 0.13% to exempt transactions below €100
- 0.06% to exempt transactions below €250
- 0.01% to exempt transactions below €500
What about a situation when only the payment provider’s fraud rate is below the threshold, but the cardholder’s bank is above it? In such a case, the bank should require authentication.
Note that even though there are exemptions from the SCA applicable to online transactions, it’s up to the issuing bank to accept an exemption request or require extra authentication of a transaction.
As SecurionPay is a PSD2-ready payment platform, we can assure you that we’ll do the heavy lifting for you, so you can rest assured that your payments are in good hands. If you’d like to know more, don’t hesitate to contact our support team. We’re here to help!
By Sandra Wróbel-Konior