How to prepare for the Payment Services Directive 2 (PSD2)

Any business which buys and sells via non-cash payments such as debit and credit cards needs to be aware of Payment Services Directive 2 (PSD2). This is a new EU regulation which came into force on 31st December 2020, and will apply in the UK from 14th September 2021.

The regulations were created, according to the EU, with the intention of “making international payments (within the EU) as easy, efficient and secure as payments within a single country.” Here at NOIRE, we’re experts when it comes to helping clients to navigate fraud risk management.

The rise in ecommerce was turbo charged by the lockdown restrictions triggered by the pandemic. According to McKinsey, the ecommerce sector in the US saw as much growth during the first quarter of 2020 as it had experienced for the previous 10 years. At the same time, ecommerce sales hit an all-time high of 16.4% of total global retail sales, while, according to Shopify, 84% of all consumers have so far shopped online during the pandemic.

This shift, which is set to be permanent for many (particularly when the closure of high street presences like Debenhams is taken into account) brings with it a combination of opportunities and challenges. Many of the challenges revolve around the twin axes of regulatory compliance and dealing with ecommerce fraud.

Data for 2019, showed that payment card fraud across Europe hit €1.55bn, with 45% of that fraud taking place within the UK. It also found that 76% of the fraud which took place across Europe involved ‘card-not-present’ purchases, and the incredible rise in online shopping which took place in 2020, will have added to fraud activity and the percentage involving ‘card-not-present’ transactions.

Secure Customer Authentication

It is this kind of risk which PSD2 has been designed to combat, with the emphasis being placed firmly on Secure Customer Authentication (SCA). The aim of SCA is to reduce fraud at the same time as increasing authorization rates and making it easier for new entrants to move into the payment provision market, providing more choice for consumers and merchants alike.          

Although the deadline for the UK has been shifted, any merchant wishing to conduct business in the EU (something which is already being disrupted for UK merchants by the early impact of Brexit) has to have been compliant with SCA by the end of 2020.

Being compliant with SCA means being able to present customers with a 3D Secure (3DS) process when they make an online purchase. In simple terms, this means authenticating their identity and confirming that they are the valid holder of the payment card in question before the purchase is completed. This authentication needs to be built into the checkout process of a merchant for them to be able to continue processing transactions. From 31st December 2020, card issuers have been able to decline payments which require SCA, but which haven’t been authenticated using 3DS.

SCA works by using two out of the following three elements:

– Something which the customer knows, such as a password or a PIN

– Something which the customer has, such as their smartphone

– Something which the customer is – i.e. confirmation of their identity using technology such as facial or fingerprint recognition

SCA will be needed for all online payments within Europe which are initiated by the customer – this means the majority of card payments and all bank transfers. Recurring direct debits, in contrast, are regarded as being ‘merchant initiated’ and therefore don’t need SCA. In person payments, other than contactless payments, also remain unaffected by the new regulations.  

Prior to PSD2, online payment authentication relied on 3D Secure, which applied an extra step to the payment process. This step took place after the checkout and involved the bank asking for additional information, such as a one-time code sent to a phone or fingerprint recognition via a mobile banking app.

The new version is known as 3D Secure 2 and has been designed to minimize friction and create a better user experience for the customer. The main innovation offered by 3DS2 is that far more data is shared with the bank when the transaction is being processed. The bank can use this extra data to decide what level of risk the transaction represents, and with more data available it is likely that more transactions will be regarded as low risk and will be processed without further authentication.

If authentication is needed, 3DS2 has been designed with the rise of ecommerce and the smartphone in mind. The rise of ecommerce means that the ‘challenge flow’ – the name given to the process whereby customers are asked for more authentication – can be embedded within the checkout of an ecommerce site, removing the need for the customer to be redirected to a bank’s page. The widespread use of smartphones means that, in the majority of cases, any extra authentication needed can be provided via the facial or fingerprint recognition feature of a mobile banking app. 

You can trust us at NOIRE

Although changes of this kind will be a challenge to merchants, they also present an opportunity to future-proof payment methods and guard against attempted fraud in the most effective manner possible.

Here at NOIRE, we take great pride in always being aware of the latest compliance requirements, and shaping our processes in order to make it as simple as possible for our clients to meet the latest regulations. We can advise on any changes which you need to make to the way in which payments are processed, as well as working to ensure that these changes are kept to the absolute minimum. We understand that you want to give your customers as seamless an experience as possible, and we work to make sure that this is what we provide for you.    

If you need a helping hand, get in touch with us today – we would be very happy to help you.