How Retailers Can Comply with PSD2 Leveraging 3D Secure 2.0
Just as the GDPR emerged as a regulatory revolution in 2018, this year's major disruption in European eCommerce, the Second Payment Directives (PSD2), will come into full effect on September 14, 2019. The race has begun for a total overhaul of payment systems, and retailers in particular have to adapt quickly or get left behind.
Truth be told, PSD2 looks to remove the current restrictive model that gives banks unchallenged power over their customers’ data. Once the policy is implemented, retailers will have access to data from their customers’ banks and can use that information to facilitate payments from these accounts. However, there is one condition: retailers must get explicit permission from the customer before retrieving their information. This requires merchants to set up tools that confirm the identity of the customer and verify their authorization status.
Moreover, PSD2 will introduce new payment limits for card transactions and protect customers from the increasingly disturbing fraud that has eroded trust in the eCommerce space. In summary, the new regulation will turn the financial industry into a unified and integrated market where consumers, retailers, and banks work hand-in-hand to create an ecosystem that promotes competition and seamless services. Hence, retailers both inside and outside the EU that want to offer their services and products to EU shoppers must adhere to this regulation in order to run a legal business.
Where Strong Customer Authorization (SCA) Fits into PSD2
SCA is the requirement under PSD2 that aims to move beyond the rigid “password” authentication that stood for years as the ultimate authentication model in the financial industry. The increasing sophistication of fraud over the years prompted the introduction of a new authentication model designed to frustrate fraud attempts effectively. SCA involves secondary levels of authentication when a card user attempts to make a payment, and for full compliance with PSD2, these authentication processes are built on three important authentication components.
“Something you know” is the first layer of authentication, which might require a password, a PIN, or previously submitted facts. Retailers can complement this with a “Something you own” authentication layer, which requires the customer to have access to the data on their mobile device. The third component, “Something you are”, requires the evaluation of biometric elements such as fingerprints and voice recognition.
However, the rigorous levels of authentication mentioned above would inadvertently have a disastrous impact on user experience, an important factor for any successful eCommerce business. This is where innovative payment solutions can be a viable option for merchants looking to balance their regulatory requirements against the enjoyable experience they owe their customers.
How 3D Secure 2.0 Can Help Retailers Comply Seamlessly With SCA Mandates under PSD2
The new and improved checks under SCA will make it more difficult for cyber-criminals to impersonate the user. While that’s wonderful, the more complicated authentication process will add friction during the payment phase, which in turn could lead to an increase in unprocessed checkouts. The 3D Secure 2.0 (3DS2) protocol can help lessen the inconvenience caused by SCA. 3DS2 is allowed under SCA, and the “frictionless” aspect of the protocol is its main advantage now that SCA is being passed into law.
The first version of 3D Secure relied on static username and password authentication, which is no longer suitable for EU-based retailers. In its place is a more sophisticated security system that facilitates 2FA, automatically increasing retailers’ chances of staying compliant with the SCA mandates under PSD2.
More importantly, the security system comes with adaptive, risk-based authentication that evaluates the risk score of every transaction and instantly assigns the authentication level required. To achieve this, the card issuer carries out a risk-based assessment of each transaction by comparing the data from the customer’s device with the historical data of both the customer and their associated devices. Hence, not all transactions trigger secondary layers of authentication: the system exempts some customers from this hassle based on the threat level of their transaction as well as factors like their location, device, and general behaviour.
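The issuer-side decision described above can be sketched as follows. This is an added example, not code from GPayments or from the 3DS2 specification; the field names, signal weights and challenge threshold are assumptions chosen for illustration, and the sample history is constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class History:          # what the issuer already knows about the cardholder (assumed fields)
    device_ids: set
    countries: set
    amounts: list       # past purchase amounts in EUR

@dataclass
class Txn:              # data collected for the current purchase (assumed fields)
    device_id: str
    country: str
    amount: float

# Assumed weights and threshold; a real issuer tunes its own model.
WEIGHTS = {"new_device": 40, "new_country": 30, "unusual_amount": 50}
CHALLENGE_AT = 50

def risk_signals(txn, hist):
    """Compare the current transaction with the cardholder's history."""
    signals = []
    if txn.device_id not in hist.device_ids:
        signals.append("new_device")
    if txn.country not in hist.countries:
        signals.append("new_country")
    if hist.amounts:
        mu, sigma = mean(hist.amounts), pstdev(hist.amounts)
        # Flag amounts far above the usual range; floor sigma so flat histories still work.
        if txn.amount > mu + 3 * max(sigma, 1.0):
            signals.append("unusual_amount")
    else:
        signals.append("unusual_amount")  # no history: unknown is not treated as safe
    return signals

def decide(txn, hist):
    """Return (flow, score, signals): 'frictionless' or 'challenge' (step-up to SCA)."""
    signals = risk_signals(txn, hist)
    score = sum(WEIGHTS[s] for s in signals)
    flow = "challenge" if score >= CHALLENGE_AT else "frictionless"
    return flow, score, signals

if __name__ == "__main__":
    known = History({"dev-a1"}, {"DE"}, [20, 35, 50, 42])   # constructed sample
    for t in (Txn("dev-a1", "DE", 45), Txn("dev-zz", "DE", 45),
              Txn("dev-zz", "FR", 45), Txn("dev-a1", "DE", 900)):
        print(t, decide(t, known))
```

A single weak signal (a new device in the usual country) stays frictionless here, while combined signals or a cardholder with no history fall through to a challenge.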
Simply put, 3D Secure 2.0 is a lifeline for retailers that are serious about complying with PSD2 and maintaining a premium customer experience. And since the March 14 deadline for merchants to have a test payment facility complying with this regulation in place is fast approaching, there is little time left to capitalize on the flexibility 3D Secure 2.0 promises.
Written by Sadra Boutorabi, contributed on behalf of GPayments, a provider of cross-platform 3D Secure Authentication solutions to merchants, banks and payment gateways. To learn more, visit https://www.gpayments.com/.