Ramesh Ramani, Head of Banking and Financial Services Europe, Cognizant, discusses the extension of the PSD2 deadline and why it isn’t being met. He talks about why merchants aren’t yet fully prepared for the directive and outlines some steps that businesses can take to ensure a seamless customer experience under PSD2.
The UK’s Financial Conduct Authority (FCA) has confirmed an 18-month deadline extension for the introduction of Secure Customer Authentication (SCA) regulations, in an attempt to give firms more time to prepare for the impending Second European Payment Services Directive (PSD2) deadline. With the new rules for cashless payments originally due to have come into force on September 14, 2019, this has given cause for a temporary sigh of relief among many in the e-commerce industry.
This is because, as part of PSD2, the SCA requirement stipulates stronger payment security standards for higher value transactions based on multifactor authentication, increasing the security of electronic payments. This comes as FCA data reported that cyber incidents at financial services firms increased by 1,000% in 2018 and this figure is only expected to rise with the growth in mobile payments.
The delay to the implementation of the directive is intended to prevent disruptions to online payment processes and facilitate the smooth transition to the new requirements put in place to make cashless payments safer. But why has the deadline been extended and what can businesses do to make sure they are ready for the revised implementation date?
What does it mean to be PSD2 compliant?
Applicable across the whole of the EU including the European Economic Area (EEA), the directive will provide better customer data protection and ensure that data transmission over the Internet is more secure. Simply put, only payment services that are PSD2-compliant can be used for online purchases using cards.
Another important element of the directive is that those who accept payments online will have to demand a two-factor authentication. Customers will no longer be able to order with just one click or by credit card number, but will instead have to confirm their purchase with two security features.
According to the directive, the security features must combine two out of the three following security criteria:
- Knowledge features – Information that only the customer knows such as a password or PIN
- Possession features – A physical entity that the customer has access to such as a credit card, mobile phone or TAN generator (the device issued by banks to enable customers to generate security codes when undertaking home banking)
- Inherence features – Biometrics coming from unique personal characteristics such as the customer’s voice, iris or fingerprint
This means that the traditional combination of a PIN and password is no longer sufficient, as both entries will come under the ‘knowledge features’ category.
Why has the deadline been extended?
While banks and third-party providers like FinTechs – such as Monzo and Revolut – are already well prepared to meet the deadline, many organisations that offer online payments and even entire markets are not. In fact, levels of readiness for implementing a PSD2-compliant process in time for September 14 were extremely varied. But as SCA comes into effect, all parties in the payments chain will need to be ready at the same time to avoid challenges. An extended deadline will therefore provide regulators with more time to consult, engage and work with relevant market participants, industry representatives and financial institutions. It will also provide the opportunity to educate customers of the impending security measures as many still remain blissfully unaware of the upcoming changes.
Without an extended deadline, a significant number of transactions could have been abandoned, resulting in a loss of revenue as well as disgruntled customers. According to an EU-wide study by the payment platform, Stripe, and 451 Research, revenues would have fallen by €57 billion in the first year after the directive came into force.
Needless to say, this could have impacted the retail industry and had an adverse effect in terms of what the EU wants to achieve with the new directive: more security and protection against fraud; more innovation by registered third parties; and, above all, a better, frictionless, convenient customer experience.
How to make the most of the additional time
This extension may now be in place, but it is not a time for retailers to rest on their laurels. It is time for them to act and take advantage of the increased time they have been given to prepare for PSD2. But how should they best use the time? Here are three of the most important considerations merchants should take into account:
- Start (or continue) with 3DSv2 and create a migration plan: Select a service provider for payment processes and pay particular attention to the extent to which it will enable the smoothest possible shopping experience with strong authentication. If the business and/or the service provider already relies on 3DS technology, then it would be best to continue working with them, rely on the upcoming version, 3DSv2, and create the migration path from there. If still dependent on standards such as one-time password (OTP), it is still advisable to switch to 3DSv2 as this is the best technology to ensure a smooth customer experience and comply with the new directive.
- Include exceptions to improve the customer experience: Small transactions could be exempt from a two-factor authentication. Subscription payments are a good example of this. It is also possible to whitelist a trader as a ‘trusted trader’ with the company’s respective credit provider, and merchants should be making the most of these opportunities.
- Become familiar with the opportunities brought by PSD2: The new directive aims to create benefits for all involved. This includes more security, lower costs, increased flexibility and more innovation. Businesses should be thinking about how these benefits can be best maximised and incorporating such considerations into any migration plan.
The 18-month deadline extension in the UK is considerable but as with anything, it will come around soon enough and the timetable that businesses which aren’t yet prepared to meet the directive will need to stick to will be tight. Merchants should therefore seize the opportunity offered by the extension and ensure they are offering customers a seamless experience as they make the transition to being PSD2-compliant.