PSD2 and SCA box-ticking could erode customer experience

The Strong Customer Authentication (SCA) protocol of the second Payments Directive (PSD2) could be damaging customer experience, according to market participants speaking on the sidelines of Money 20/20 in Amsterdam last week.

“One of my major frustrations is that we as an industry spend too much time focusing on the regulation, rather than the opportunities that exist within it,” said Andrea Dunlop, CEO of merchant acquiring, Europe, at Paysafe Group. “We don’t have time to focus on the latter, though, because we’ve just been trying to meet that deadline. It can be frustrating.”

Jay Floyd, fraud strategy lead at ACI Worldwide, said banks are tempted to apply SCA to everything. “It’s the easy option and less of a headache, they say. But a massive consequence of that is a poor customer experience. There are other banks who are capitalising on that, realising that and aiming to adopt solutions that enable them to exempt when they need to increase consumer satisfaction.”

According to Smriti Vicari, vice president for fintech at Visa Europe, there needs to be a larger focus on the strategic side. “What’s the strategy for Open Banking and PSD2? How are you going to grow the user experience here? When there’s so many different players now that are integrating into your platform, how are you going to stay relevant?

“There’s a large amount of variety with respect to merchant readiness for PSD2 so I’m less concerned about the banking side and more thinking about what we can do to help our acquirers enable merchants to get ready.

“There’s everything from the basic awareness to what’s required under PSD2 to being able to enroll as a whitelisted merchant and what that entails, there are technical requirements they must adhere to and make sure they’re up to speed on security standards.

“The biggest thing is understanding the customer journey depending on the transaction type and whether or not it’s exempt from a basic authentication standpoint or not. They really need to take a look at their transactional mix and understand what the impact might be.”

According to a June report from Stripe, SCA could result in a loss of €57bn for European businesses in its first 12 months. 73% of customers surveyed in the report said that they were unaware of what the new requirements might be. A quarter of businesses surveyed by Stripe said that they were unfamiliar with the second version of 3D Secure, which complies with SCA standards.

Black and white

For Paysafe’s Dunlop, the black and white nature of being compliant with the second version of 3D Secure is something to worry about. “I think it’s also hard for issuers to have built in that whole exception process. From an acquirer’s perspective we’ve all been hanging on to that and thinking that it will ease some of the challenges.”

Payment service providers (PSPs) can apply for exemptions that allow transactions with trusted beneficiaries to ignore the new requirements. According to guidelines produced by the UK’s Financial Conduct Authority (FCA), a payment risk assessment needs to be submitted at least three months before an exemption can be provided.

“The issuers are ready, but do we really want that very black and white approach?” added Dunlop. “Probably not, that would be detrimental to the industry. The regulators are doing the best they can on trying to be pragmatic around what is actually much more challenging to implement. Being realistic, there will likely be a 12- or 18-month window after the deadline to allow companies to get in line. I think that regulators will want to ensure that where companies haven’t enabled compliance, that they’re able to demonstrate a plan to getting there.”

For Jackie Barwell, director of fraud product management at ACI Worldwide, PSD2 is going to play a huge role in merchant fraud risk. “Under the regulation an acquirer could potentially cherry pick merchants based on how fraud prone they are. If they’re heavily fraud prone or don’t have a fraud prevention system in place it will contribute to the overall fraud performance levels of that acquirer. If that goes over a threshold they can no longer apply exemptions that PSD2 allows. If that happens then this acquirer will become one that issuers and merchants won’t want to do business with.

“An acquirer is going to want to know more about its merchants in the future than they’ve ever needed to for that reason alone. We’ve heard also that some PSPs are looking to split their businesses into multiple layers so they could take the risk of taking a risky merchant. But they would then charge that merchant a lot more and then separate them out so that they’re in a different legal vehicle.”
