Payment gateways: Why PSD2 could be the biggest change to the eCommerce sector in a decade

Sometime in the late 1990s one of the world’s most important economic innovations was rolled out, the payment gateway. As you’ll know – whether you’re an online retail merchant, a bank, a payment gateway provider or a retail addict (or moderately restrained remote/anonymous purchase enthusiast) – this heralded the launch of one of history’s most incredible commercial success stories, eCommerce.  

Being a part of this sector is still something that fills me with pride because in almost every year since its inception it has achieved double-figure growth, quickly outstripping High-Street sales, gobbling up Ad Revenue, shifting cash-based retail to card transactions, creating jobs for many and becoming a significant and vital contribution to the GDP of many countries around the world.  

There are few other sectors that have so rapidly evolved to so greatly impact all of our lives. But could this all now be in jeopardy and why are both the platforms and online retailers so worried about PSD2? 

A $3 trillion sector on the brink of change 

First, there was the world wide web, and shortly after that maverick retailers recognised the potential of this new marketing tool. However, in the beginning, there was a problem with confidence, mainly on the customer’s side because who were these faceless online retailers, would they take my money and run, and even if they were legitimate could someone just steal my credit card details and go on a spending spree?  

Secure payment gateways and a social acceptance of eCommerce saw a sector worth just a few billion dollars 20-years ago grow into a worldwide phenomenon worth around $8.1 trillion in sales today.  

While the problem with confidence in online retailing may have faded, the problem with cybercriminals has grown. Over the decades they have been getting ever more sophisticated at finding ways to defraud the digital retailer and today over £300m a year is lost to fraud in the UK alone.  

In an attempt to counter this rising challenge for the industry, and to further deepen protection for consumers, the EU has launched PSD2. Have you heard of it? Are your chosen platforms ready? Are you ready? And importantly how will your clients (the online retailers) respond when their customers either cannot or will not transact? 

Why has PSD2 got the platforms scared? 

I’m sure you’ll know already, but just in case there are one or two of you who don’t, PSD2 stands for the second iteration of the Payment Services Directive, the European Union legislation that looks to enforce a set of rules to create a safer, more secure digital environment for retailers and customers alike. 

The most critical element of PSD2 for the eCommerce sector is Strong Customer Authentication (SCA), the legislation’s requirement on banks to only accept payments from payment gateways that have gathered at least 2 out of 3 forms of ID from a purchaser in a merchant’s checkout process. Much like GDPR we’ve already seen a delay in the enforcement of the PSD2 legislation (the legislation is now in place). 

The regulations provide examples of the ‘acceptable’ forms of ID that a customer can provide to prove that they are who they say they are in order to minimise the chance of fraud taking place. It could be a biometric password via fingerprint or face recognition, or a pin number and a push notification to their smartphone, or two of a number of options that fall under three general categories: –  

1. something you know (pin number, password or question); 

1. something you have (a code they can send to your phone); and  

3. something you are (fingerprint or face recognition). 

The practical issues this creates for you as a payment gateway and your merchant clients are: 

1. Merchants will expect you to change your interface to handle these forms of ID authentication and they’ll probably wish to have some autonomy on the decision as to which to incorporate into their website’s checkout process. So, the more you can incorporate and offer as options the better. As SCA is a requirement of most transactions online going forward, if you do not adapt or offer enough choice, then you will find clients moving away from your firm. 

2. As there are exceptions to the SCA requirement you need to be prepared to have a detailed conversation with your clients to determine the blueprint for their exception’s requirements/preferences. Once this blueprint has been approved there will need to be an automated way of determining whether a transaction falls into any of these pre-determined scenarios which would mean that in the transaction process the stronger authentication can be bypassed. Though it’s important to remember that the paying bank has final authority on whether to accept your definition of an exception before a payment is authorised. 

3. Merchants may well need to make changes to their websites to accommodate your changes and to inform their customers of the new, slightly lengthier, checkout process and why it now exists.  
   There is a trade-off here, to make the transaction process safer for all it will be longer and, as we all know, the longer the process the fewer the sales, so that’s why understanding the SCA exceptions and creating a checkout process that’s as swift and seamless as possible is vital to counter any issues raised by PSD2. 

4. Merchants may well call you in a bit of a panic as banks start to reject their customer’s payments in increasing numbers. 

Ignore this problem at your peril 

Yes, this is EU legislation, but no Brexit will not save us from it. All indications are that the UK will continue to abide by the PSD2 legislation whether we leave the EU or not, so please do not sit back and think that Brexit will solve the problem for you, it won’t. 

The practical reality is that as banks across the EEA (European Economic Area) adapt to the new norm and adopt PSD2 requirements, your clients (online retailers), at least the ones that have ignored the problem, will start to see more and more of their transactions failing. Worse still, if payment gateways ignore the problem, this could mean an exodus of clients almost overnight. 

To give you an idea of the scale of the issue. The Financial Conduct Authority (FCA) expects approximately 1,821 businesses to be affected by the proposals contained within PSD2.  

“It is expected that 1,552 payment service providers (these include banks, building societies PIs and EMIs), 200 businesses that operate under limited network exclusion, 10 businesses that operate under electronic communications network exclusions and 59 credit unions and deposit takers will be affected.”

Don’t panic! Yet 

Those irate calls from your merchant clients will increase in numbers because PSD2 came into force in September, yes, the deadline has already passed. However, it’s not time to panic, well, not yet at least. The UK, and a few other countries, much like GDPR, have been granted a delay to enforcement. 

The FCA has confirmed that enforcement will not come into effect until 14 March 2021 to enable everyone time to adapt to the new norm. 

How can we help? 

Should you or your clients (online retailers) require any assistance in getting ready for this very deadline, we’re here to help.  

Inspire, are specialists in the eCommerce sector – LAMP (Linux, Apache, MySQL and PHP) software engineers with the will and the wisdom to update PHP based e-commerce platforms and to formulate solutions to ensure all are compliant with PSD2 in good time for that deadline. If you’d like to discuss your specific wishlist of adaptations do give us a call today and our Developer SOS team will jump into action for you.