What is PSD2 – and why is the world of e-commerce so worried about it?

by  David Dwyer on  26/09/2019

Is your business ready for the new EU regulation on card payment authorisation?

Do you know your PSD2 from your SCA, when they’ll become relevant, when they’ll be enforced and why it’s so vital that your e-commerce business is compliant?


Online transaction authentication can be a minefield at the best of times and it’s about to get just that little bit more complicated, with a new set of rules from the European Union aimed at increasing payment security.


So, as it pays to be prepared, we’ve put together a little light reading for you, a ‘brief’ guide to the whys and wherefores of the new EU regulation that all e-commerce business owners should know back to front and back again, if they want to continue taking payments from their customers.


It’s just another EU regulation, it can’t be that important…can it?

Let me put it this way, it’s only important if you were hoping to continue running a business. If so, you may need to clear some space in your diary and take action right now – to discover all you can about PSD2 and to make sure that your site and your payment providers are aligned to this new directive.


What if you woke up tomorrow to find that many of your customers' payments had failed, and what if that number increased day after day, week after week? You'd probably prefer to get ahead of that particular wave, or should I say tsunami, and find out how to avoid the commercial damage it would cause.


Because, if you take card payments on your website, whether for one-off purchases or ongoing subscriptions, you'll need to ensure that your payment process is compliant with PSD2, or you'll find your customers' banks declining payments with increasing frequency.


Just in case you're thinking that Brexit will come to your aid, think again: PSD2 has already been transposed into UK law (the Payment Services Regulations 2017), so even if and when we're out of the EU these rules will continue to govern how transactions must be carried out on your site.


What on earth is this PSD2?

Ten years ago the EU introduced the Payment Services Directive, a set of rules to make transactions across the EEA (European Economic Area) safer and more secure. PSD2 is the latest evolution of this directive, an update to keep up with the seismic shifts in the world of payment gateways, banking and transactions in general over the years.


The idea of such legislation is to increase customer confidence when buying things online – something that started out in very short supply in the early years of the internet, that has been hard-won, and today is something that nobody wants to see diminished.


However, there is an ever-present black cloud over the e-commerce sector, the malevolence of rampant transaction fraud, and this was certainly one of the primary reasons for the creation of PSD2.


In a report by UK Finance(5) (a trade association for the UK banking and financial services sector) titled 'Fraud the facts 2018 – the definitive overview of payment industry fraud', the e-commerce sector is shown to be a long-suffering victim, with just over £310m lost to fraud in 2017 in the UK alone – a figure that has grown almost every year and has doubled since 2009.


Research from the European Central Bank(6) puts the wider figure at €1.8bn in fraudulent transactions carried out with cards issued in the Single Euro Payments Area (SEPA).


So, on 14 September 2019 the stronger, wider-reaching SCA rules of the second Payment Services Directive (set out in the Regulatory Technical Standards that accompany it) came into force, and as a result you may start to notice an increase in payment declines as your customers' banks come on board with a level of security in payment services that you may not yet have incorporated into your checkout process.


So, what’s SCA then?

To avoid fraudulent transactions, many e-commerce sites have always incorporated some form of authentication in their payment process.


Strong Customer Authentication (SCA) – the most important part of the new PSD2 legislation for those in the e-commerce world – beefs this up. What it says is that most online transactions will now need the customer to go through even more scrutiny to evidence that they are who they say they are.


You are therefore now required to have at least two independent authentication elements in your checkout process, drawn from a set of three categories. "Independent" matters: the two elements must be such that compromising one (say, a stolen password) does not also compromise the other (say, the phone that receives the one-time code). The rules also require "dynamic linking" for remote payments: the authentication code generated must be tied to the specific amount and payee, so a code captured for one purchase cannot be replayed to authorise a different one.


These categories require customers to prove their identity through:

  1. Something they know (e.g. a password, a PIN or the answer to a security question)
  2. Something they have (e.g. a phone that receives a push notification or one-time code, or a hardware token)
  3. Something they are (e.g. a biometric such as their fingerprint, voice or face)


While more secure payments are of course a good thing and anything that curbs the blight of fraud should be applauded, the potential downside is a hit to conversion. And with Black Friday and Cyber Monday not that far away, can you really afford to take any chances?


I know, I did mention previously that PSD2 was introduced to shore-up consumer confidence by combating fraud, but the simple fact of the matter is that there is a delicate balancing act between security and simplicity in the e-commerce sector.


The more security you employ the longer the checkout process becomes, the more ‘clunky’ it feels to the customer and therefore fewer will complete it, hitting business owners in their pockets. Of course, the less security you have the simpler the checkout process but also the simpler it is to defraud the business, hitting the business owners in their pockets.


The balancing act usually falls, cautiously, on the side of security. It's lucky therefore that not all transactions are subject to SCA.


What online transactions require SCA compliance?

If your customer's bank (the card issuer) and your own payment provider (the acquirer) are both based in the European Economic Area (EEA), even if the customer lives elsewhere, then most 'customer-initiated' online transactions fall into the SCA arena. Transactions where only one side is in the EEA (so-called 'one-leg' transactions) are out of scope, although the EEA bank is still expected to apply SCA on a best-efforts basis.


However, there are a number of exemptions to this rule, exemptions that e-commerce businesses would do well to use to ensure a simpler, more streamlined checkout in the right circumstances (if the transaction is exempt you don't need the additional authentication step, which means a shorter checkout, which should reduce cart abandonment).


Exemptions to SCA

  1. Low-risk transactions ('transaction risk analysis'), where the value of the transaction and the measured fraud rate of the payment provider or bank requesting the exemption together give enough confidence in the payment. The lower the provider's fraud rate, the higher the value it may exempt (the thresholds are €100, €250 and €500)
  2. Low-value transactions of €30 or less. This exemption can no longer be used once five consecutive transactions have been exempted, or once the exempted amounts since the customer last completed SCA pass €100 in total; at that point SCA is required again and the counters reset
  3. Purchases where the customer has whitelisted the merchant as a 'trusted beneficiary' with their own bank
  4. Some subscription payments may also be exempt. The first payment will need SCA, but subsequent payments of the same amount to the same business can be exempt. Subscriptions whose amount varies are treated as merchant-initiated transactions, which are outside SCA once the card has been set up with SCA


However, these exemptions are only ever requested by the merchant or its payment provider; the customer's bank makes the final decision, and if it rejects the exemption the payment is 'soft declined' and must be resubmitted with SCA (typically a 3-D Secure challenge). Your checkout must be able to handle that second attempt without the customer re-entering their card details.
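To make the low-value exemption concrete, here is an added example (written for this page, not code from the original article or from any payment provider) of the counters a card issuer keeps per card between applications of SCA. The regulation lets the issuer apply either the five-transaction counter or the €100 cumulative counter; this example applies both, and counts the current transaction towards both limits, which is the conservative reading. The sequence of amounts is constructed for illustration. The point for a merchant is that these counters live at the issuer, not in your checkout, so a request for the exemption can be refused for reasons you cannot see.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List

# Limits from the PSD2 RTS low-value exemption for remote electronic payments.
LOW_VALUE_LIMIT = Decimal("30")      # single transaction must not exceed EUR 30
CUMULATIVE_LIMIT = Decimal("100")    # exempted total since last SCA must not exceed EUR 100
MAX_CONSECUTIVE = 5                  # at most five exempted transactions in a row


@dataclass
class CardCounters:
    """Per-card state an issuer tracks since the cardholder last completed SCA."""
    cumulative_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0


def can_use_low_value_exemption(amount: Decimal, counters: CardCounters) -> bool:
    """Return True if this transaction may be exempted from SCA as low value.

    Conservative reading (an assumption of this example): the current
    transaction is counted towards both the EUR 100 total and the five-in-a-row
    limit before deciding.
    """
    if amount > LOW_VALUE_LIMIT:
        return False
    if counters.count_since_sca + 1 > MAX_CONSECUTIVE:
        return False
    if counters.cumulative_since_sca + amount > CUMULATIVE_LIMIT:
        return False
    return True


def run_sequence(amounts: List[str]) -> List[str]:
    """Simulate an issuer deciding a series of card-not-present payments.

    Returns one decision per transaction: "exempt" if the low-value exemption
    applied, or "sca" if the cardholder had to authenticate. A completed SCA
    resets the counters, so the following transactions start a fresh window.
    """
    counters = CardCounters()
    decisions = []
    for raw in amounts:
        amount = Decimal(raw)
        if can_use_low_value_exemption(amount, counters):
            decisions.append("exempt")
            counters.count_since_sca += 1
            counters.cumulative_since_sca += amount
        else:
            decisions.append("sca")
            # The cardholder authenticated, so the exemption window restarts.
            counters = CardCounters()
    return decisions


if __name__ == "__main__":
    # Constructed sample: six EUR 10 payments, then one more after SCA.
    print(run_sequence(["10", "10", "10", "10", "10", "10", "10"]))
```

Note that the sixth €10 payment triggers SCA even though it is well under €30, purely because five exempted transactions already preceded it; the seventh is exempt again because the challenge reset the counters. A merchant that hard-codes "under €30 means no challenge" will therefore see unexpected declines unless it handles the soft-decline-and-retry path.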


What do I need to do?

Most e-commerce stores have a payment provider plug-in, and many of these use 3-D Secure (a card industry authentication protocol). It's a step in the checkout that redirects the customer to their bank's page asking for additional verification – usually a one-time code or a fingerprint in the banking app. This year it is getting an upgrade too, with the launch of 3-D Secure 2 (3DS2), which supports SCA properly: it passes far more transaction data to the issuer, so low-risk payments can be approved without a challenge ('frictionless flow'), while the challenge itself works inside a mobile app rather than only on a browser redirect page.


If you are using another payment provider, it's vital that you contact them to find out whether they are ready for PSD2 and SCA and whether their payment gateway plug-ins are fully compliant. If you accept Apple Pay or Google Pay, you'll be glad to know that these wallets authenticate the customer on the device (biometric or passcode, plus possession of the device itself) and are already compliant, and many more will no doubt follow.


Do not assume that your payment provider will do it all for you: check, or you'll find an increase in unhappy customers and a drop-off in completed transactions. It's also vitally important to check that there are no coding issues on your site that could hinder the rollout of the newly compliant checkout process, for example a checkout that assumes the card authorisation response is final and cannot resubmit a payment with SCA after a soft decline. Through our Developer SOS service we've already seen clients suffer from this, and it's relatively simple to check for and rectify if you know what you're looking for.


What happens if I’m not SCA compliant?

Well, while it is likely to take some time for banks to fully adopt SCA and react to non-compliance, some banks have already started to decline payments and as time goes on more will join them. SCA enforcement has been delayed in some countries; in the UK the FCA has given the industry an 18-month adjustment period, so enforcement starts in earnest in March 2021.


What now? The SCA Compliance checklist

  1. Contact your payment provider to check whether they are SCA compliant (or plan to change your provider, we can help with this too so just ask)
  2. Review the authentication process to make sure it does not impact too much on the checkout customer journey (you’ll want to minimise friction)
  3. Determine your exemption potential and discuss with your provider how these can be automated along with the resulting SCA process should these exemptions be rejected
  4. Instruct Inspire as your trusted team of experienced developers to assess your site’s readiness for the changes SCA may require on your website.