PSD2 - New Rules for Strong Customer Authentication

Rather like Brexit, the Second Payment Services Directive (PSD2) is coming and whether you like it or not, it will bring important and sustained changes. In the case of PSD2 those changes will disrupt the way that payments work all around Europe.

So, what will the changes be? While much is uncertain, we can highlight some impacts which are almost guaranteed. In particular, those at the rock face of PSD2 agree on Strong Customer Authentication (SCA): Do whatever you can to avoid it.

There are good reasons for PSD2 uncertainty. Key parts of the directive aren’t fully documented. More importantly, because the programme has been designed to be open to interpretation, to be flexible, even when it is written down, there is a lot of space for interpretation.

And there are plenty of people who want to fill the gaps in to suit their own ambitions. Who will emerge as the successful AISPs and PISPS (Account Information Service Providers and Payment Initiation Service Providers)? Will they work together? Which countries will most strongly embrace the change? Will there be even more abbreviations and acronyms?

So why am I so sure about SCA?

Banks and others face an unappetising trade-off between securing accounts and annoying customers. SCA will help secure transactions, but fraud professionals have learned that customers bristle at being made to jump through extra hoops, and they’d like the flexibility to choose when to interrupt transaction flow and demand additional details from their customer. PSD2 threatens to take away that choice, codifying when authentication is required.

The rules now say that if you have good fraud controls you can hassle customers to log in and authenticate less often. If you have great fraud controls you can do it even less. The approach was added to some of the original PSD2 drafts after consultation – banks pushed hard to get the change.

The table below is crucial. That middle column is particularly important. The Reference Fraud Rate is calculated by dividing the total amount of fraud by the total amount of all transactions over a 90-day period. It sets hard and fast rules for how banks and merchants handle e-commerce payments. It sets the precise targets fraud managers will have to hit to avoid annoying consumers with extra authentication steps. If you can achieve a reference fraud rate of 0.01% - €1 of fraud for every €10,000 of transactions – then you will only be obliged to get your customers to authenticate themselves for transactions bigger than €500.

Source: European Banking Authority Final Report on Draft Regulatory Technical Standards on SCA and CSC

While Visa, MasterCard and others have been pushing guidance and rules for years, PSD2 will get written into European legislation. It will become law.

For e-commerce merchants – think of the big guys – it means they will have to reluctantly adopt the schemes broadly known as 3D Secure – VerifiedbyVisa, MasterCard SecureCode and American Express SafeKey. Without them, SCA doesn’t happen. I suspect that a lot of electrical items currently priced €505 magically get 5 euros cheaper!

For issuing banks, particularly those that have taken a sophisticated risk-based approach of their own design until now, it will add another layer of complexity. Most, if not all, will now be focussing on how to beat the 0.01% reference fraud rate, so that they can decide whether to ask a customer to authenticate themselves rather than having that decision taken for them by the PSD2 guidelines.

The good news is that modern fraud detection – using the latest machine learning and complex analytic techniques - is capable of quick and accurate fraud decisions which will enable banks to comfortably accomplish the required balancing act.

Join our webinar “Are Your Fraud Operations Ready for PSD2?” on November 2.