The most important objectives are to make payments more secure, to better protect consumers and to promote innovation and competition. But what does PSD2 entail exactly? What impact on e-commerce can we anticipate? And what must online retailers consider in the future?
The extended Payment Services Directive has been in force across the EU since 12/01/2018. But for many market participants, it is only now that there are any perceptible changes, which are mainly due to the increased requirements for credit card payments. From 14/09/2019, the rules will require what is called strong customer authentication (SCA) for money transfers. Brussels wants to increase the security of electronic payments and hinder fraudulent transactions. These regulations for payment processing in online trade entail a need for action not only for credit card partners but also for numerous stores. The reason is that, for credit card payments especially, many processes will be controlled by the e-commerce software used. For the relevant tasks in relation to PSD2, Arvato offers comprehensive support, and I would like to briefly summarise the points that are crucial for many store operators.
The challenge of strong customer authentication
Let’s first take a look at the technical and process aspects of a store. At the moment, many credit card payers are only authenticated with their credit card number and the CVV. If you enter these details correctly, the payment is approved. This basic authentication is relatively easy to intercept and will no longer be sufficient in the future. Anyone ordering online needs to be better protected against fraud, and PSD2 therefore provides for an additional security level. To implement it, shopping platforms will in future require two-factor authentication (2FA) for most transactions. For this purpose, the purchaser must use at least two of the following three options, independently of each other:
- Something only they know: Password, PIN, security question …
- Something only they possess: Smartphone, chip card …
- Something only they are: Fingerprint, speech recognition …
In my experience, there is still work to be done here. Although some retailers already offer the 3D Secure 1.0 procedure, which enables 2FA, the existing media discontinuities resulted in an increase in canceled sales, and so the technology did not become widely established. With the current 3D Secure 2.0, credit card service providers have improved this significantly, and I believe that the new procedure guarantees a customer-friendly payment process. However, this needs to be implemented in the processes of online retailers, both technically and contractually. Any store that offers credit card payment is therefore required to promptly establish the corresponding conditions and introduce 3D Secure 2.0. Anyone already offering 3D Secure 1.0 including 2FA can retain the old procedure until January 2020. It is even permitted to introduce it now as a transitional version. Regardless of which stage you are at, we will help you identify and implement the optimal solution for your store.
A few exceptions for SCA
Two-factor authentication is not prescribed for all money transfers, and I would like you to know about these exceptions. These include, for example, small amounts of up to 30 Euro per transaction. However, the customer may have paid no more than 100 Euro cumulatively since the last payment with SCA, and must not previously have made more than four successive payments without SCA. The higher security level is also unnecessary for recurring payments going to the same recipient or for the same amount. The customer can also put a retailer on a whitelist with their bank in order to avoid the procedure. SCA is also not required if the risk is below a certain limit, which for most transactions is up to 500 Euro. The last exception concerns so-called MOTO transactions, i.e. certain payment solutions for shipping, telephone and fax orders. But overall, I believe store operators will not be able to avoid SCA in the long term.
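The exceptions above, written out as a decision procedure. This is an added example, not code from Arvato or from any payment provider; it is a simplified model using the limits as stated in this article. All names (`Payment`, `CardState`, `sca_exemption`, `process`) and the `low_risk` flag are assumptions, as is the choice to let only small-amount payments feed the counters.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Limits in EUR, taken from the paragraph above.
LOW_VALUE_LIMIT = Decimal("30")     # per transaction
CUMULATIVE_LIMIT = Decimal("100")   # total since the last payment with SCA
MAX_PREVIOUS_WITHOUT_SCA = 4        # earlier successive payments without SCA
LOW_RISK_LIMIT = Decimal("500")     # ceiling for the low-risk exception

@dataclass
class Payment:
    amount: Decimal
    payee: str
    moto: bool = False       # MOTO order (one of the listed exceptions)
    recurring: bool = False  # recurring payment covered by the exception
    low_risk: bool = False   # assumed verdict of the provider's risk analysis

@dataclass
class CardState:
    whitelist: set = field(default_factory=set)  # payees whitelisted at the bank
    spent_without_sca: Decimal = Decimal("0")    # since the last SCA payment
    payments_without_sca: int = 0                # since the last SCA payment

def sca_exemption(p, s):
    """Name of the exception that applies, or None when SCA is required."""
    if p.moto:
        return "moto"
    if p.payee in s.whitelist:
        return "whitelist"
    if p.recurring:
        return "recurring"
    if (p.amount <= LOW_VALUE_LIMIT
            and s.spent_without_sca + p.amount <= CUMULATIVE_LIMIT
            and s.payments_without_sca <= MAX_PREVIOUS_WITHOUT_SCA):
        return "low_value"
    if p.low_risk and p.amount <= LOW_RISK_LIMIT:
        return "low_risk"
    return None

def process(p, s):
    """Decide one payment, then update the counters (a payment with SCA resets them)."""
    reason = sca_exemption(p, s)
    if reason is None:
        s.spent_without_sca, s.payments_without_sca = Decimal("0"), 0
    elif reason == "low_value":
        # Assumption: only small-amount exemptions feed the counters.
        s.spent_without_sca += p.amount
        s.payments_without_sca += 1
    return reason
```

With a series of 10 Euro payments the payment count is what ends the exemption; with 25 Euro payments the cumulative 100 Euro limit is reached first.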
Payment providers occasionally responsible
Until now, we have only spoken about credit card payments in connection with PSD2. I have made this restriction because although other payment methods also require SCA, these are largely the responsibility of the relevant payment service provider. As a retailer, you do not need to take any action in these cases, as end customers are ultimately forwarded to the relevant payment method to complete the payment. Service providers such as PayPal will make sure that the provisions of PSD2 are complied with. In summary, it must be said that the new regulations from Brussels require adjustments by a large part of online stores, even by stores that are not based here. This is because the rules state that only one party needs to be based in the EU. Thanks to our international expertise, we at Arvato Financial Solutions can also develop the appropriate strategies with you here.