FCA gives 18 months' grace for PSD2 - merchants still need to prepare.
The Financial Conduct Authority has given payments and e-commerce firms an extra 18 months to meet the European Union (EU)-wide Strong Customer Authentication (SCA) rules.
SCA, which is due to come into effect next month, is part of the EU’s Payment Services Directive 2 (PSD2). It means that any online payment worth over €30 would require two methods of authentication from the person making the payment, such as a password, biometric authentication such as a fingerprint, or possession of a phone that can identify them.
The FCA’s decision to extend the deadline comes after the European Banking Authority said more time was needed to implement SCA given the “complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers”.
We’ve looked at what’s in place and tested the existing protocol and its infrastructure. Authentication systems that rely on 3D Secure, with their communication among the merchant, gateway, at least two banks, the consumer and often back around again, can take an eternity on the web: think 15 seconds or more.
And, of course, we know what an eternity on the web does to conversions — slow and cumbersome checkout processes are a conversion killer. Nearly 48 percent of consumers told polling firm Survata, in a Signifyd customer experience survey, that they felt frustrated by checkout experiences that redirect them to another site for credit card verification, a feature of 3D Secure. The Baymard Institute found that 28 percent of consumers abandoned their carts because checkout took too long or was too complex.
The way to completely sidestep the problems with 3D Secure as a protocol is to take ownership of SCA by building or buying a holistic approach to meeting PSD2 obligations. We expect that the best customer experience under PSD2 will involve a machine-learning-based SCA provider conducting dynamic fraud analysis for online retailers, then passing the SCA decision down the 3D Secure rails to eliminate delays in approval, minimise customer friction, and maximise authorisation rates.
Such a system, relying on a vast amount of transaction data, provides the right degree of scrutiny for each order to protect consumers and retailers from fraudulent credit card transactions while avoiding the added friction brought on by a one-size-fits-all, legacy 3D-Secure-powered system.
The holistic approach allows for nearly instantaneous SCA review and more accurate decisions, based on the significantly larger volume of data processed by the system’s learning machines, as opposed to passing that data all the way down to the issuing banks and back. The system should have the added advantage of shifting all liability away from the merchant, onto the issuing bank in the case of 3D-Secure-authorised transactions, or onto the SCA provider for any transaction that would require a step-up or be declined.
While the details of this innovative approach to PSD2 are important, it’s the underlying approach that is vital to executing a successful PSD2 strategy. It starts with embracing the new SCA requirements rather than trying to avoid them through a pretzel of exemptions.
The exemptions apply only sometimes, to some small-value carts, and ultimately depend on unrealistically low fraud rates for both the acquiring and issuing banks, neither of which is under the retailer’s control.
All the more reason for retailers to embrace PSD2 and commit to coming up with a robust system that is designed to achieve the noble goals of the regulation without breaking the customer experience they’ve worked so hard to foster.
Because in the end, PSD2 isn’t just about banks and fintech companies. It applies to retailers and, in fact, provides them with an attainable opportunity to build a competitive advantage.