Jackie Barwell, Director of Fraud Product Management at ACI Worldwide
The final pieces of the Payment Services Directive (PSD2) puzzle are coming together, and we can see that payments businesses’ main focus is now ensuring they are compliant. However, the forthcoming changes are going to affect everyone in the payments chain. It is therefore crucial for merchants and Payment Service Providers (PSPs) to understand the practical implications the changes will have on their businesses and customer relationships.
PSD2 is intended to drive increased choice and security for consumers, and one of its key elements is Strong Customer Authentication (SCA). SCA is designed to reduce fraud and ensure consumer identities are properly validated for all electronic payments. The EBA’s opinion paper published on 21st June offered national competent authorities (NCAs) some flexibility in applying the new rules, but we are already seeing that individual NCAs are applying different levels of flexibility – with some providing an 18-month reprieve, and some not providing any at all. What this ultimately means is that the entire industry still needs to focus on correctly interpreting the complex legislation and meeting the 14th September 2019 deadline, or consumers will suffer the consequences of an inconsistent application of SCA across Europe.
If the industry as a whole believes it needs more time to get this right – then the EBA must instruct all NCAs to grant the same flexibility across the board – or eCommerce will be at risk of losing momentum and growth as consumer confidence falters.
The requirement means card issuers will be obliged to perform an SCA check for every electronic payment transaction, unless it qualifies for an exemption. This check fundamentally acts as a two-factor authentication process – and it has important implications for merchants.
Out of the merchant’s hands?
Merchants will not be able to avoid the SCA requirement for electronic payments, as their bank will enforce the SCA rules within PSD2. In situations where the issuer is required to perform SCA, the merchant has to support it, because if it does not, the issuer will likely soft decline the authorisation request.
There are, however, some proactive approaches that will help merchants avoid customer dissatisfaction. Firstly, there is a clear requirement for a coordinated and consistent messaging strategy to educate consumers. Part of this falls to merchants, who should make sure their shoppers are aware that the new payment rules include an intermittent need for additional validation at check-out, such as biometrics, and that the new rules are necessary to ensure that online shopping can become one of the most secure purchasing methods around. Once consumers have a better understanding of this, they will be more likely to accept the new rules, even if that means ‘one click shopping’ may become yesterday’s news.
Additionally, a consumer is able to apply to have a particular merchant ‘whitelisted’ with their card issuer, but the decision on whether to grant or reject this request lies with the bank. Similarly, issuers and acquirers may exempt low-risk transactions under €500 as long as the fraud levels across that payment chain (merchant/payment service providers/acquirers and issuers) are sufficiently low. To do this, merchants and payment service providers, including acquirers, must put transaction risk analysis (TRA) in place both to ensure and to prove that fraud is being kept below a set threshold. Although issuers will look to apply the TRA exemption as much as possible to reduce friction in the checkout process, this remains outside of the merchant’s direct control.
Merchants must also be cautious of fraud liability risks. For transactions that are subject to SCA, liability rests with the issuer or acquirer (whoever applies the exemption) if the transaction ends up being fraudulent. However, in some circumstances, once an exemption is applied, acquirers may pass liability back to the merchant.
Although PSD2 involves assessing fraud rates at either the issuer or acquirer level, it remains essential for each merchant to retain a low fraud rate. This is key to avoiding raising the issuer or acquirer’s overall fraud rate over the threshold. If this occurs, every eCommerce transaction, irrespective of amount and regardless of an individual merchant’s performance, will have SCA applied and exemptions will not be allowed. Following this, issuers and acquirers are likely to come down hard on individual merchants who allow their fraud rates to increase.
Merchants can protect their interests
Merchants are required to continue managing fraud to secure SCA exemptions, and also to deliver a fast and simple payments experience to their loyal customers. Keeping fraud rates low and understanding when and how to request exemptions means merchants can protect their business and offer support to ensure that the new regulations benefit rather than hinder genuine consumers. There are three main guiding principles for how merchants can achieve this.
For merchants, fraud screening remains key to the identification of low-risk transactions and protecting their relationships with customers. More than anyone else, merchants understand the business and behaviours of their own customers, putting them in the best place to protect them from fraud. It is not enough to rely on issuers and acquirers to carry out risk analysis, especially if one of the aims is to identify the truly low-risk transactions, any more than it is enough to rely on 3D Secure when authenticated fraud remains an issue for many merchants.
Achieving fraud rates below the threshold can help merchants build better relationships with acquirers as well as stay clear of scheme fines. It is useful for merchants to actively engage with their acquirers to discuss their authentication strategy, and also to push for the exemptions they want and ensure there is a back-up plan in place if customer authentication fails.
Finally, some merchants may be keen to negotiate with acquirers to implement transaction risk analysis exemptions for themselves. The future could see savvy merchants picking and choosing the acquirers that offer them the best conversion, SCA strategies and commercials. The ability to easily change acquirers, route transactions to acquirers with the optimum fraud levels, and negotiate acquiring services (and prices) will be highly valuable in a PSD2 world.
With the SCA deadline looming, it is key that merchants and PSPs continue to manage their fraud rates, in part to maximise the number of transactions for which they can secure SCA exemptions. Doing so will help them to continue delivering a fast, simple customer experience.