Why retailers shouldn’t bank on PSD2 for protection
On 14 September 2019, the second Payment Services Directive (PSD2) will come into effect, introducing Strong Customer Authentication (SCA) requirements and important ramifications for retailers.
Designed to boost consumer protection and reduce opportunities for fraud at the point of transaction, SCA will mandate merchants to apply multiple checks to authorise online payments. But this doesn’t mean it will eliminate fraud for retailers; SCA is actually likely to encourage criminals towards other vulnerabilities along the path to purchase.
Merchants can’t bank on PDS2 compliance to keep digital shoppers and revenues safe. Effectively preventing fraud calls for a more comprehensive approach that exceeds basic compliance, and secures every stage of the consumer journey.
SCA: An overview
The new SCA requirement is defined as the verification of customer identity involving at least two of the three following elements: knowledge, possession, and inherence. The additional regulations are designed to improve data security for online and mobile payments in an increasingly complex ecosystem. A verification check might include a PIN sent by text message or a biometric scan, such as fingerprint recognition.
What is the impact for merchants?
SCA primarily applies when individuals access online payment accounts or enter into a digital transaction within Europe. While there are some exemptions — including mobile payments under €30 and contactless buys of less than €50 — SCA comes into effect when repeat purchases are made, which total more than €100 or after five consecutive transactions are made.
Currently, most retailers rely on 3D-Secure (3DS) to provide authentication and this is likely to continue post-SCA. In fact, a new version of the protocol is available to aid compliance; complete with responsive payment pages and biometric identification support. But the 3DS upgrade fails to consider the wider user experience implications of SCA.
Firstly, the protection SCA does provide could negatively affect shopping experiences. By adding multi-factor authentication at checkout, businesses will introduce friction to the consumer journey, which may irritate customers, increase drop-off rates, and ultimately reduce revenue. This is an especially significant problem given that UK consumers are already prone to abandon carts: 41% left their online purchases between 2017 and 2018.
Secondly, SCA is not a holistic fraud prevention initiative. Focusing heavily on payment security, it does little to defend other stages of the consumer journey and could expose other points of vulnerability.
This could include account takeovers, where system weaknesses are exploited to unlawfully gain access to user accounts and make purchases or steal sensitive information. In fact, the volume of account takeovers has already risen by 45% since 2016. That’s not to mention the vulnerability of non-EU payments. For international retailers especially, other geographies will likely be exposed to greater risk, as they will not have the same SCA requirements in place.
And thirdly, integration can be complex if not approached correctly. If merchants have a number of different payment processors integrated, they’ll need to take steps for each one to ensure total PSD2 compliance.
Beyond compliance
The ability to distinguish real shoppers from malicious actors rests on a deeper understanding of customers and their habits. A successful defence against fraud attacks means going beyond baseline compliance. In addition to applying multi-faceted payment verification, merchants must assess behaviour throughout individual customer shopping journeys.
The most efficient means of obtaining this understanding is via automation; attempting to manually monitor all customer interactions, as well asmanually intervene, will create even greater friction and heighten the risk of false positives driven by human error. Using automated systems, retailers can evaluate vast stores of customer data at scale in real time, and minimise the effect of stringent authentication processes on the user experience.
Merchants should, however, select verification tools carefully. Optimal protection depends on accuracy and flexibility, meaning platforms must be capable of integrating with varied payment processors and take an advanced approach to identification. Those that follow the ‘know your customer’ model, for instance, can achieve superior insight into individual purchase paths. Data about previous customer activity can be drawn upon to evaluate behaviour and shopping patterns, highlight suspicious activity, and quickly address potential fraud risks.
Alongside the struggle to survive in a competitive environment, today’s merchants have to contend with increasing customer expectations and a tighter regulatory environment. As a result, survival means offering the highest quality experience: one that not only follows the standards dictated by legislation but also surpasses them to protect the whole customer journey and keep online shopping seamless.
By Michael Reitblat, Co-Founder and CEO, Forter
