Security put on hold: The PSD2 delay

PSD2 has been on the cards for 4 years now, and just when the world was getting closer to a secure online shopping environment, the delay came rushing through the door, sparing business owners millions lost in abandoned shopping carts.

Word just got in that, regarding the implementation of PSD2, or the implementation of Strong Customer Authentication (SCA) to be more precise, the UK has gained 18 more months, moving its deadline from the 14th of September to March 2021. In truth, the UK’s Financial Conduct Authority (FCA) was the one delaying the implementation of SCA, but as it turns out, the idea was not bad at all. Following the UK’s example, more and more EU member states have started asking for more time to prepare for the PSD2 implementation. Once the wave of surprise starts fading away, we are left with more questions than answers. Is this good or bad news? Should we be rejoicing? After all, we just won extra time to work on implementation. Will Europe be ready in time, or will it experience yet another missed, delayed deadline? What are the real reasons behind this decision to postpone? As we were saying, more questions than answers.

The true context of PSD2

Speeches around the world, regardless of authors, topic or industry, have one sentence in common. The world is changing at a rapid pace. But who is the world? Is it not made up of customers? Their expectations in terms of payment experiences change due to the growing need for innovation. And that innovation needs to work hand in hand with security. Otherwise, we’re just hosting a talent show for fraudsters. That’s when PSD2 appeared.

Customers are eager to try new payment instruments. They want to make use of innovation, but financial organizations aren’t all that sure that it’s such a good idea. How is the world supposed to shield itself from fraud when new, innovative payment methods are released and used, with no fraud-proof vest? PSD2 is setting the context. It is setting the ground rules for a successful collaboration between innovation in the shape of new payment instruments and security, urging fraud detection systems to rise to the challenge, hence SCA.

What does the delay hide?

When it comes to regulation deadlines, obtaining a bit of indulgence or, even better, a delay is usually a good thing. In this case, postponing the implementation of SCA may be hiding a few issues we might not want to see.

Adapting to change: Delay in reaction

New demands, new payment instruments, new threats: everything is changing, except, it seems, for those who are part of the payment ecosystem. The challenge is not so much the technology used, but rather the speed with which financial institutions of different types are reacting. When novelty is brought to the table, we all need to react fast. The payment system should quickly incorporate new payment instruments, and new fraud detection technology should be able to adapt and properly respond to existing market needs. However, this is not the case.

Given that a great number of payment institutions and organizations are using legacy systems, performing all crucial payment operations, from implementing new measures to adapting to market demands, becomes a rather complicated process. Although highly necessary in the PSD2 context, migrating to newer, more scalable solutions that provide organizations with the possibility of adapting to change can be time-consuming. Hence, the delay in the actual implementation.

The fault belongs to the entire system, which is difficult to manage and not at all easily adaptable. So, because innovation is a permanent resident of our world, we need to change the system and improve the speed with which we can react to trends and market demands.

Security is more important, right?

Yes. Well, technically yes. Let’s put it differently. Security is a priority and if this were our sole consideration, then the implementation of PSD2 wouldn’t have been given a delay. The real elephant in the room is the cost of PSD2. By choosing security in the PSD2 form and completely giving up on customer experience, the online world would have been faced with €57 billion [1] ($63.9 billion) in abandoned purchases. And this is a rather grim reality, profit-wise. A delay in the PSD2 implementation would provide payment organizations with the necessary time to innovate without enduring losses and thus, kill two birds with one stone.

But should we worry so much about security?

Now, this is a definite yes. As long as the world is set on bringing new players to the table, we are opening new payment channels. And each channel comes with its blind spots, unknown areas, which cannot be anticipated by the currently used technology. And here we go again. What may have been a trusty compass to fall back on will now become a faulty system, prone to mistakes.

The payment world, oblivious to unity

PSD2 is pretty clear. To make this work, to obtain an increased level of security, without compromising customer experiences, financial organizations need to collaborate. They need to display unity. Unity guarantees a framework. And analyzing customer behaviours and risk identification using a specific framework can lead to better fraud detection in its multiple stages.

By choosing to deny the importance of unity and continuing to have a distinct view and system to identify fraud, you are exposing yourself to greater threats. Different fraud detection views may lead to delayed reactions within departments and between financial organizations, which ultimately damage security.

Here is another interesting fact. The UK may have gained 18 months to implement the PSD2 changes, but in other countries, the deadline might be postponed by only 3 or 5 months. Deadlines vary depending on the country, and this disrupts unity. It is rather difficult to work as a team when faced with multiple deadlines.

The stakes are high. The expectations even higher.

In the end, one has to wonder. What exactly do we want to achieve? Freedom in innovation, backed by security. The hidden message, however, is improved technology, unity in reaction, systems and fraud detection framework. Simple in theory, obviously difficult in practice. But here is another question for you.

September 2019, March 2021, can it be done? Can PSD2 be finally implemented?

PayPro Global & PSD2

The answer to the previous question is yes.

Before the discussions regarding delays started surfacing, the deadline for the PSD2 implementation was the 14th of September and in our opinion, it still is. The new PSD2 deadline for the UK, as well as the other demands for more time coming from various states, create confusion and further complicate the implementation process. As we’ve mentioned earlier in the article, this confusion is what keeps us at a distance from achieving the much-needed unity in reaction.

At PayPro Global, we believe that an enhanced level of security is beneficial for all those who are part of online commerce, both merchants and consumers. Having the necessary technology to carefully and adequately implement all the changes set by PSD2, we are ready to honour the 14th September deadline and we have taken the necessary steps to ensure compliance.

Together with our partners, we are focused on softening the immediate impact this new set of regulations will have upon their businesses. Thus, we are collaborating with our partners to adequately pinpoint all the transactions that do not require SCA. This way, customers will continue shopping without any interruptions.

Furthermore, having strong relationships with numerous acquiring banks all over the world, we can ensure high conversion and authorization rates.

PayPro Global will continue analyzing the PSD2 requirements, making sure that all measures are implemented and a high level of security is achieved. Also, we will keep you updated on the PSD2 topic.

Note:
[1] https://www.businessinsider.com/uk-delays-strong-customer-authentication-requirements-2019-8