PSD2 Explained: Making your Website SCA Compliant

By Sept 14th 2019, all businesses will have to be PSD2 compliant. PSD2 follows on from the original Payment Services Directive (PSD), which was adopted by the EU in 2007. The new directive aims to change the way customers interface with their bank accounts online. From September’s deadline, by law, banks will have to permit their customers to use third-party providers to manage their finances. As a result, consumers will be able to pay for goods and services through Facebook or Google, or utilise P2P to make transfers and track spending.

SCA stands for Strong Customer Authentication. This is the protocol which will introduce additional security authentication requirements for online card transactions over €30. Once implemented, customers will no longer be able to check out online using just their credit or debit card details. In some cases, even if a transaction is less than €30, SCA may still apply with additional verification required. This requirement is known as ‘two factor authentication’ (2FA) and means the Issuer needs two independent sources of validation out of three possible categories.

Traditionally, two factor verification refers to those situations where inputting the username and password isn’t considered secure enough, so additional steps are required – e.g. answering questions like “What is your favourite pet?” or “What is your mother’s maiden name?” One major change of 3DS 2.0 is that it will offer the ability to authenticate a transaction using a biometric method, something that many mobile phones offer these days as standard.

Protecting Payments: Account Data Security

To help tackle online payment fraud, the directive will call on providers to put in place extra steps when verifying online payments, Wi-Fi connected card readers notwithstanding. In 2016, nearly £309 million was lost to credit card fraud in ecommerce transactions in the United Kingdom, as compared to just £13.6m in 1998. The new PSD2 rules aim to reduce this number at least part way back to those early levels. Fingerprints and facial recognition will help reduce the amount of fraud, while increasing convenience for consumers. In addition, with the new regulations in place, the troublesome payment window will be dispensed with and 3DS 2.0 will also allow mobile and digital wallet payment methods.

Although SCA methods will almost certainly reduce fraud, it is likely they will also impact the speed and convenience of online shopping. However, this need not necessarily drive down ecommerce sales. The new regulations are predicted to drive acquirers and in the payment processing ecosystem to improve their own fraud rate, as that would mean they could offer frictionless flow at higher thresholds. Conversely, merchants may start seeking out financial service providers with a good record of fraud prevention, as this would allow them to offer more convenient payment options to their consumers with fewer challenge presentments.

Open Banking: Creating a Level Playing Field

The second part of the initiative permits third-party companies to provide services which, in the past, were exclusively controlled by banks. Under the new rules, non-banks can use banks’ APIs to enter a lucrative financial market without the heavy compliance and infrastructure which banks themselves must adhere to.

As an example, Apple and Goldman Sachs have recently teamed up to provide Apple Card, a consumer credit card. This produces a completely new ‘found money’ ecosystem based on Open Banking. It works like this: when the consumer uses the card to make a payment, they receive a percentage cashback that goes straight onto their Apple Pay card. As with previous cashback payment cards, Apple receives cashback from the merchant, which is passed to the card holder. Apple in turn earns income from the ‘interchange’, the part of the merchant fee that the card issuer, while Goldman Sachs collects from the merchant.

Ultimately, it will be critical for payment service providers and online merchants to use payments technology to their advantage and optimise their procedures in a safe and secure way. Because PSD2 requires stronger identity checks of users paying online, it is also essential for merchants to implement these checks as efficiently as possible – creating a seamless shopping experience, whether on mobile or desktop, thereby ensuring sales are not lost to shopping cart abandonment. If done right, companies that build AI into their ecommerce offering should further benefit by helping to instil consumer confidence.

What Steps do I Need to Carry Out to be Compliant?

In order to be ready for the changes that come in on Sept 14th 2019, you need to ensure all your onsite payments are ready for authentication. Online businesses who don’t fulfil the SCA requirements will start seeing their rates decline and conversion rate fall as customer banks reject non-authenticated payments.

Using 3D Secure V1 or V2, you can make sure your site is ready for the changes. 3DS V2 offers more flexible ways to authenticate that suit the customer, such as facial scanning and one time passwords. If you are on Version 1, you will need to ask your developer or agency to upgrade. Alternatively, if you’ve not used 3D Secure before, this will require a complete installation: ask your web developer for advice.

In addition, other parts of your ecommerce site may have to be amended to bring your business under compliance: for checkout flows on devices where biometric data can be collected, the browser will need to be redirected to a banking app so that the biometric data can be passed on, whether via mobile or desktop. This is essential for making sure there is no downtime or lag in your service when the changes come into effect. There will be many benefits to enjoy when the regulations come in, not to mention future innovations, but to capitalise on these effectively, it is crucial to make sure your website is set up to accommodate the coming changes.

Need Some Help in Getting Up to Date?

At 247 Commerce we have a long history of setting up payment processing on ecommerce sites. Having worked with companies from across a range of sectors including heritage, retail, automotive and e-learning, we have fully comprehensive experience in setting up checkouts and payment APIs across all devices and operating systems.

To get in touch, either email us at: hey@247commerce.co.uk or call us on: +44 208 940 7011