Ramesh Ramani, Head of Banking & Financial Services Europe, Cognizant
Since the introduction of the Secure Customer Authentication (SCA) legislation – part of the Second European Payment Services Directive (PSD2) – was announced nearly two years ago, affected businesses have been scrambling to get ready in time for the original deadline of 14th September 2019. But merchants and other organisations offering online payments services have now been granted extra time as the UK’s Financial Conduct Authority (FCA) has confirmed an 18-month extension to the deadline.
It is not surprising that this extension has been met with a temporary sigh of relief. The SCA requirement significantly changes the game for online businesses, stipulating stronger payment security standards for higher value cashless transactions based on multifactor authentication. The ultimate aim is to reduce the risk of online payment fraud, something that is desperately needed given that the FCA reported that cyber incidents at financial services firms increased by 1,000 per cent in 2018, a figure that is only set to rise as we make further headway towards becoming an entirely cashless society.
But preparing for the directive is no simple feat, and the delay to its implementation is expected to help prevent disruptions to online payment processes and facilitate a smooth transition to the new requirements. However, as is the nature of ‘extensions’, the new deadline remains just around the corner and will creep up on us sooner than we think. So how can the e-commerce industry and other affected businesses best use this extra time to prepare?
What does it mean to be PSD2 compliant?
PSD2 not only applies to the UK but the whole of the EU, including the European Economic Area (EEA). Its vision for all regions is to improve the protection and security of customer data when it comes to making payments over the internet and, once in place, only PSD2 compliant payment services will be able to accept online card payments.
Another important element of the directive is that businesses that accept payments online will have to demand two-factor authentication; that is, customers will no longer be able to order with a simple click or by entering their credit card number. Instead, they will be required to confirm their purchase with two of three security features:
- Knowledge features – information held only by the customer, such as a password or PIN;
- Possession features – a physical entity that the customer has access to, such as a credit card, mobile phone or TAN generator (a device issued by banks for generating unique security codes);
- Inherence features – unique customer biometric features, such as voice, iris or fingerprint.
A future without the extension
As with any new legislation coming into force, businesses are at varying levels of readiness when it comes to being PSD2 compliant. A recent survey found that three quarters of businesses were still not ready for implementation – and that was only two months before the original deadline.
So whilst many banks and third-party providers like fintechs and challenger banks are already well prepared to become PSD2 compliant, merchants that are unprepared could face a significant number of abandoned transactions, resulting in lost revenue as well as disgruntled customers. In fact, an EU-wide study by payment platform Stripe and 451 Research found that revenues would have fallen by €57 billion in the first year after the directive came into force. The extension will therefore provide regulators with more time to consult, engage and work with relevant market participants, industry representatives and financial institutions, as well as offer merchants the opportunity to prepare and educate customers on the new security measures.
Three tips for making the most of the PSD2 deadline extension
Despite the extension, there is no time for merchants to sit on their hands – they need to take advantage of the extra time starting now, and there are three key ways to do so:
1. Create a migration plan: all merchants will need to evaluate their current payment service provider and explore potential new ones, paying special attention to how the platforms accommodate strong authentication features that will enable a smooth transition to PSD2. All businesses or their respective service providers should then also continue, or begin, working with 3DSv2 technology, a new and improved approach to customer authentication for high-risk transactions, as it will be easiest to create a migration plan to PSD2 from here. Remaining dependent on standards such as one-time password (OTP) will make it harder to ensure a smooth customer experience and comply with the new directive.
2. Make appropriate exceptions: small transactions such as subscriptions could be exempt from two-factor authentication. It is also possible to whitelist a trader as a ‘trusted trader’ with the company’s respective credit provider, and merchants should be making the most of these opportunities.
3. Find the opportunities within PSD2: as well as improving security, PSD2 is set to lower costs, increase flexibility and create a platform for more innovation. Businesses should be thinking about how they can best take advantage of these benefits and incorporate such considerations into any migration plan.
The UK’s deadline extension is a considerable one, but the gravity of the new legislation demands that businesses make the most of every second of extra time to become fully compliant. Creating seamless migration plans, and taking advantage of the opportunities offered by the new directive, is the best way to start. By embracing these, merchants can continue to offer a great customer experience in the new era of payments security.