GET READY, SET, GO: PSD2 is here.
PSD2 is coming. It’s coming fast, hitting members of the European Union first. It’s the GDPR situation all over again. What’s your part in this affair? Well, tune in and find out. But just to give you a spoiler: there’s no escaping it, and penalties will rain down on those who cannot comply once the deadline, 14th of September, passes.
Now, we don’t mean to scare you. We’re simply laying down the obvious and hoping to clarify things a bit. As always, when a change of this magnitude surfaces, confusion is bound to take over. And confusion never leads to anything good. Since there isn’t that much time left, we’d best get on with our business and leave the artistic view aside so we can deal with the practical issues. What is PSD2 and what is expected of us?
PSD2: announced, signed and confirmed
14th September 2019. This date will go down in history (the banking history, at least) as the day that PSD2 was implemented. You’ve been down this road before. Remember last Spring? Remember GDPR? A lot of talk, a lot of queries, a lot of confusion. Somehow, though, the world pulled through. GDPR came into force and the world had to comply. So, why the fear for PSD2?
This is the second Payment Services Directive and the older we get, the more complicated and complex everything becomes. Payment is no exception and neither is fraud. First brought to the table back in 2015, PSD2 was created out of a pressing need for better fraud detection and enhanced security. The entire purpose of PSD2 is to improve and enrich the range of services that make up the payment ecosystem, balancing the scales of power between financial institutions, payment technologies and third parties.
PSD2 KEY CHANGES
So far, so good. At this point, you might be wondering what in the world PSD2 has to do with your subscription business.
Apart from opening the doors to the payment industry and focusing on levelling up the competition, PSD2 is set on creating a safer online environment. This means large investments in innovative technologies to secure transactions and protect consumers.
One of the key changes brought by PSD2 is the implementation of SCA, Strong Customer Authentication, meant to enhance security and minimize fraud.
And this is where you, the merchant, as well as PSPs, come in.
What is SCA?
Strong Customer Authentication goes into effect on the 14th of September, and from this point on, to accept payments online, the checkout flow will need to include additional authentication. According to PSD2, all online payment transactions will require authentication by at least two of the three possible procedures:
The Purpose VS the Challenge
While the purpose of the two-step authentication is to reduce fraud and enhance security, we are faced with a great challenge: meeting consumers’ expectation of a seamless, frictionless experience.
However, while the risk of scaring consumers away exists, merchants need to be aware that as of the 14th of September, banks will start declining payments made without the two-step authentication.
3D Secure 2.0 – the silver lining behind PSD2
PSD2 needs to be implemented. Given that the 2.0 version is your only viable option, you need to comply. However, there is a silver lining behind every cloud and in this case, it’s 2.0 again. We’re not just saying this to lift your spirit. No. The 2.0 version comes to resolve various past issues, bringing forward better user experiences. In other words, customers are getting the best of both worlds, security and frictionless shopping.
So, let’s take them one by one.
3D Secure 1.0
At first, 3D Secure came as the knight in shining armour, but it didn’t stay in it for too long. Soon, certain challenges, big ones for that matter, started popping up.
With 3D Secure, the entire payment process instantly becomes more complicated, as another step is added. Yes, the experience may be more secure, but it is also a lot more inconvenient for the customer, whose journey is bluntly interrupted. This could lead to a decline in the conversion rate, which is something that no one wants. Also, in-app purchases are not supported; only browser purchases are.
And let’s look into the security issue a bit, because things aren’t always what they seem. The whole point of using 3D Secure 1.0 was to open a pop-up and redirect the customer to a new page. In certain types of attacks, the ‘man-in-the-middle’ kind, that pop-up can be recreated by the attacker, who is thus able to steal personal information from customers. Furthermore, the merchant has no control over the look and feel of the interface, so the user experience is greatly flawed.
3D Secure 2.0
As we’ve said, the good news is that there is the 2.0 version, which effectively responds to these challenges. And it’s not because we say so. It is PSD2 that demands change and improvement. Released in 2016, in Las Vegas by EMVCo, the 2.0 version is a real conversion saviour.
In-app purchases are supported on mobile & other devices, which is great news, given that in-app purchases are a big part of ensuring satisfying customer experiences.
In the 2.0 version, the risk analysis is done in the background. The screening of the purchase is done by the ACS (the issuer’s Access Control Server). If the risk is low, the ACS will authenticate the customer quietly, without bothering them any further. The process is frictionless, as the customer is not aware of it. Once authenticated, the customer is immediately redirected to the purchase confirmation screen.
Also, it allows the authentication process to be integrated into the checkout experience. This particular improvement is highly promising, because it offers great flexibility on top of security. Basically, the extra step in the 1.0 version, which was in fact responsible for the decline in the conversion rate, is replaced not with one option but three: the passive option (the exchange of information is done without bothering the customer), two-step verification (a numerical code is sent to the customer via SMS or email) and biometric verification (face recognition or fingerprint).
This is flexibility and it will only get better because banks are given the freedom to innovate, being able to make the authentication process even simpler in the future. And security is not compromised.
Because the authentication process is no longer required to take place on a different screen, the risk of facing ‘man-in-the-middle’ attacks is considerably diminished. So, yes, security is in no way compromised.
Given that PSD2 is a regulation supporting new trends and changes within the payment ecosystem, Apple Pay or Google Pay will be receiving recognition, as these payment methods already have one layer of authentication implemented (password or face/fingerprint recognition). So, you’ve already made it halfway towards meeting the new requirements.
Also, the 2.0 version enables issuing banks to determine whether or not additional authentication is necessary, as a result of the risk-based analysis. This smooths the path and improves the payment flow.
Challenges overcome, mission accomplished
3D Secure 2.0 is not only mandatory, but also highly beneficial. It brings forward great advantages, both in terms of security and customer experience. Smoother, clearer and frictionless checkout experiences, support for both web-based and in-app purchases, no more customer confusion and increased security: this is what 3D Secure 2.0 is all about.
The lucky ones: SCA Exemptions
Like any regulation, PSD2 comes with its own set of exemptions. There are certain cases in which SCA does not apply and these contribute greatly to improving customer experiences.
Payments under €30 are considered low-value transactions and in these cases SCA may not be applied. If this exemption has been used 5 times since the last authorization, or if the sum of the last 5 transactions exceeds €100, banks will need to ask for authorization.
In the case of subscriptions or recurring payments, authorization will be required only for the first transaction. Indeed, this situation may bring forward a new challenge, as, within the world of subscriptions, recurring payment amounts may vary. The good news is that these fall under merchant-initiated transactions and are thus regarded as exempt from SCA.
Merchant initiated transfers
Payments made with cards that have been previously saved in the system might not be subject to SCA. However, banks will have the final say in this matter, as they will be the ones eventually deciding whether authentication is needed for a transaction or not. Merchant-initiated transactions also include variable-amount subscriptions as well as add-on purchases.
For a payment to fall under the merchant-initiated transaction category, authentication will be requested when the card is saved or when the first payment is made.
Certain transactions can go through without authentication, as customers have the option to whitelist businesses they trust. Future purchases from those businesses will not require authentication. Banks, merchants and payment providers will have to communicate this status in the context of payment processing. However, banks will have the final say in this matter.
Corporate or B2B transactions, made between two corporations, are exempt from SCA as long as dedicated payment instruments are used. All corporate expenses should be paid with a corporate card used only for specific purposes. However, it is relevant to mention that this exemption relies heavily on the banks’ discretion.
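The exemption rules above, encoded as an issuer-side decision routine (an added example, not part of the original post or of PayPro Global’s code). All names, data classes and the transaction sequence are constructed for the illustration; it assumes, as the article notes, that the bank may still force a challenge regardless of the exemption.

```python
from dataclasses import dataclass, field
from typing import List

# Thresholds as stated in the article (constructed constants, not a real API).
LOW_VALUE_LIMIT_EUR = 30.00     # payments under EUR 30 are low-value
LOW_VALUE_MAX_COUNT = 5         # exemption usable at most 5 times since the last SCA
LOW_VALUE_MAX_SUM_EUR = 100.00  # cumulative amount of those payments capped at EUR 100

@dataclass
class Txn:
    amount_eur: float
    merchant_initiated: bool = False    # recurring/variable subscription after first SCA
    merchant_whitelisted: bool = False  # customer added the business to their trusted list
    corporate_instrument: bool = False  # dedicated B2B payment instrument

@dataclass
class CardHistory:
    # Issuer-side state: low-value amounts exempted since the last SCA on this card.
    low_value_since_sca: List[float] = field(default_factory=list)

def process(txn: Txn, history: CardHistory) -> str:
    """Return 'exempt:<reason>' or 'challenge' and update the issuer-side counters.
    The issuer (bank) keeps the final say and may still force a challenge."""
    if txn.corporate_instrument:
        return "exempt:corporate"
    if txn.merchant_initiated:
        return "exempt:merchant_initiated"
    if txn.merchant_whitelisted:
        return "exempt:trusted_beneficiary"
    if txn.amount_eur < LOW_VALUE_LIMIT_EUR:
        used = len(history.low_value_since_sca)
        total = sum(history.low_value_since_sca) + txn.amount_eur
        if used < LOW_VALUE_MAX_COUNT and total <= LOW_VALUE_MAX_SUM_EUR:
            history.low_value_since_sca.append(txn.amount_eur)
            return "exempt:low_value"
    history.low_value_since_sca.clear()  # a fresh SCA resets both counters
    return "challenge"

def run_demo() -> List[str]:
    """Constructed sequence: four EUR 25 payments exhaust the EUR 100 cap, a fifth
    small payment is challenged, then each remaining exemption fires once."""
    history = CardHistory()
    sequence = [Txn(25.00)] * 4 + [
        Txn(10.00), Txn(45.00),
        Txn(12.00, merchant_initiated=True),
        Txn(500.00, corporate_instrument=True),
        Txn(29.99, merchant_whitelisted=True),
    ]
    return [process(t, history) for t in sequence]
```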
Given the many innovations taking place within the eCommerce market, it was only a matter of time before new security technologies would be required. PSD2 is set on changing how electronic payments take place. The customer remains a top priority, both in terms of security and experience. Eliminating any existing threat is as important as offering seamless, frictionless shopping experiences.
With a deadline soon to arrive, PSD2 and its implementation ought to be merchants’ main concern.
Stay tuned for more announcements about what PayPro Global is doing to ensure PSD2 compliance.