How Service Providers Can Ensure PSD2 & SCA Don’t Halt Their Sales

July 25, 2019
3 minutes read
Category: Security
Author: Harry Cheung

If you’ve clicked this article, you’ve definitely heard about the Second Payment Service Directive (PSD2), the game-changer for online payments in the European Union. 

Still, let’s briefly revisit this set of regulations. 

The EU passed PSD2 in 2015. What PSD2 aims to do is break down banks’ monopolies on user data, introduce new services that sit between the users and the banks, and, to tie it all together, introduce stronger authentication checks. 

Ultimately, this will make for safer, simpler financial systems and services capable of welcoming innovations in the field of mobile and online payments, a constantly increasing market. 

I’ve written about PSD2 in one of my recent blogs, but this time around I’ll be focusing more on the most important aspect of this directive from our point of view—stronger customer authentication. 

Don’t we already have strong two- and even multi-factor authentication processes in place?

Something similar, yes—but certainly not regulated by law and therefore, not as widely used. 

To be clear on what SCA actually is, let me take you through it. 

SCA is crucial for effective implementation of PSD2

PSD2 doesn’t make much sense on its own. Strong Customer Authentication as the first line of defense is what ties it all together.

It requires that at least two out of three authentication factors are used in combination. Something you know (a password, a PIN, etc), something you are (biometric authentication) or something you have (a hardware token, your smartphone, etc). 

At all times? No, PSD2 lists some exceptions to the SCA rule. 

Any transaction under €30 will be allowed to go through without SCA. BUT, the exact amount will also depend on the fraud rate of the certain bank and the issuer. Think credit scores. 

The less fraud the certain bank experiences, the more money its users can transfer without the second authentication factor. Moreover, the bank is the one that decides whether the second factor is needed or not, not the merchant. 

All that aside, every fifth transaction that’s under €30 will be challenged as well as when the combined value of your transactions exceeds €100. 

If you’re asking me, to some extent these exceptions are understandable. However, when seamless authentication solutions capable of continuously running in the background without distracting the users exist, your perception drastically changes. 

Now, although many services around the world already rely on MFA so as to provide security to their users, this is not always the case. Just like when GDPR first came into force, different challenges are expected to arise for service providers. 

Temporal and financial constraints of implementing SCA

To begin with, implementing SCA processes has temporal and financial implications. 

The deadline for complying with PSD2 requirements is September 2019 so it’s certain service providers have already spent valuable time working on this. 3DS 2, the next iteration of the multi-factor authentication process we use now is set to drop at the same time as PSD2. 

Right now, 3DS is used for credit card purchases where there is an identified risk of fraud, and you are asked to complete another authentication check.

However, 3DS 2 will draw on more contextual information to be able to assess risks with the hopes of removing “user friction” in online purchases. With its ability to detect any SIM card or device changes, IPification fits in perfectly here - except, we are already here!

In addition to time, these changes to their systems incur certain costs. 

While this type of “investment” was expected, it does add to the fear of business losses service providers have since these changes could potentially negatively affect the purchasing process by complicating the user experience.

Additional authentication steps may cause a drop in sales

I’ve been telling you about the value consumers assign to frictionless user experience, even when pitted directly against security, so you might be wondering whether adding these steps will increase the number of abandoned shopping carts. 

To illustrate how legit this fear is, I’ll briefly break down Stripe’s research on this issue. After talking to 500 businesses and 1,000 consumers, the results show that the EU’s digital economy is set to lose €57 billion (!) when PSD2 comes into force this September.

So, sales numbers are bound to drop?

The answer is yes, but just at first. Just think about it. I’ll say this at the risk of sounding like a cliche, but it’s not you. It’s going to be everyone. 

Although consumers might be against these methods at first, they will quickly adapt to this new standard. What actually matters here is how you differentiate yourself from your competitors with the solutions you decide to implement.

My guess is users will flock to the service provider who manages to implement an SCA-compliant option with the least user friction compared to the security levels.  

Therefore, the biggest challenge SCA brings to the table is the challenge authentication solution providers have been trying to overcome since forever. 

It’s the challenge of finding the right balance between security, privacy and user experience. 

Most often, businesses opt to sacrifice one for the others. However, here at IPification, we refused to compromise. IPification authentication was designed with all three in mind. 

By relying on already existing mobile operator infrastructure in this increasingly mobile world, IPification generates a unique mobile ID while still detecting any device or SIM card changes. Furthermore, to minimize any chance of breaches, actual data is never exchanged and the whole process happens within milliseconds in the background. 

On top of that, it’s a solution that’s already here and ready to be implemented within days

Now, all that says a lot, doesn’t it?