Companies now have until the end of 2020 to start using SCA in its entirety, leaving everyone in a better position to prepare and implement these authentication standards without undue haste.
The second revision of the Payment Services Directive (PSD2) went into effect on September 14 of last year — but the deadline for implementation of Strong Customer Authentication (SCA) has been extended.
If you haven’t already started working on full PSD2 compliance, now is the right moment to get motivated.
In this blog post, we will go through the implications of the newest changes the PSD2 brings to businesses and end-users alike, and offer a solution that aligns with rules and regulations while providing a marvelous UX at the same time. It turns out that you can (and should) have it all!
Keep reading to learn the secret.
What do the PSD2 and SCA mean for end-users?
The PSD2 offers end-users a far better insight into their payment transparency and who gets access to their data, as well as improving payment flexibility across EU countries and lowering overall payment costs.
All of this comes with higher security standards that use SCA to decrease the possibility of fraud and breaches.
Increased safety
The main purpose of the PSD2 where consumers are concerned is to enhance payment security and decrease fraud vulnerability through SCA (the rules apply to card payments and credit transfers from a bank account).
This means that the authentication process will employ a combination of different authentication factors, thereby decreasing the probability of a security breach. The authentication process will include at least two of the following methods:
- A physical device (token, card, key, phone, wearable device)
- A piece of biometric data (fingerprint, facial or voice recognition, iris scan)
- A piece of confidential information known only by the end-user (PIN, password, answer to a security question, signature)
Even in the case of unauthorized payment (if the credit card is stolen, for example), end-user liability is limited to €50 — and they are not to be responsible for any unauthorized payments and actions that take place after they have informed the bank of the loss of the card. Additionally, if the bank or a service provider doesn’t provide SCA, end-users are not liable for unauthorized payments of any amount.
Cost-effectiveness
While making the payment process safer and more flexible, this directive also works to increase customer satisfaction by making the electronic payments cheaper. Some of the financial benefits for customers include:
- If the card is issued in the EU, merchants can no longer charge extra fees
- Every EU resident has a right to own at least a basic payment account for a reasonable fee, or free of charge
- Cross-border payments in euros will cost the same as domestic payments in the end user’s national currency
Decreased UX
Unfortunately, implementing the PSD2 and SCA integration will make payment less streamlined and negatively affect user experience — which means that certain online shoppers will abandon their carts.
Users prioritize fast and simple methods ahead of higher security and are quick to switch to another merchant if the first one doesn’t have a frictionless checkout process (52% of them, to be exact).
Will SCA implementation cause sales to deteriorate?
According to the 451 Research report, European businesses are about to lose €57 billion in the first year after SCA takes effect, due to the reduction in conversion rates.
Larger merchants are in a far better position to implement SCA and meet the criteria for SCA exemption (which we’ll address a bit later). The complexity of SCA will heavily impact small businesses, as some technical aspects of implementation demands are costly.
There are some good consequences of SCA implementation, though, and it can help businesses a lot in the long run. Companies that get on board early show that they are putting their customers’ safety first, which nurtures customer trust and improves overall brand image.
How does the PSD2 affect banking and fintech?
Thanks to PSD2 enforcement, banks no longer have exclusive rights over user data, and their monopoly is broken by allowing access to third-party providers. Also, they will need to be more transparent about the usage and sharing of their clients’ transaction data — by employing third-party services, through APIs, or by finding another platform for the solution.
Financial institutions will have to innovate, as the PSD2 creates a more dynamic market with increased competition for fintech companies.
Additionally, among the biggest struggles banks face is the modernization of IT systems. And that is exactly the challenge of SCA — complexity of integration and the cost of implementation.
Banks still get to decide whether to require SCA on a transaction or to accept SCA exemption requests.
Good resources:
What about crypto?
The PSD2 is enforced only when credit cards are involved.
Just as with any other online transaction, consumers will have to enter extra security information in order to purchase cryptocurrencies with their credit cards.
The counter-argument for the additional friction this creates is the increased confidence customers will have with stronger authentication. This will further strengthen the trust people have in using cryptocurrency.
Note that the PSD2 does not affect crypto-crypto transactions, so in such cases, SCA doesn’t need to be implemented!
Possible exemptions for SCA
In some cases, companies can apply for an SCA exemption:
- Low-value transactions: applies to transactions up to €30. However, issuing bank must keep an eye on the number of transactions as well as their sum; if the customer’s card exceeds the set number, the bank will require SCA
- Low-risk transactions: for payments perceived as secure enough by the issuing bank; risk level is based on the average fraud rate of the card issuer or the POS processing the transaction
- Recurring transactions: payments with a regular cadence and for regular amounts or to the same business (for example, subscriptions)
- Whitelisted merchants: after the authenticated payment, customers can add the merchant to a whitelist. The issuing bank must support whitelisting, though.
You can read everything there is about legal requirements for the SCA exemption here.
Should you try and avoid SCA implementation?
As we mentioned earlier, SCA will cause some friction for shoppers and slightly decrease UX. Applying for an SCA exemption can help small businesses selling inexpensive products that decrease their cart abandonment rate.
Nonetheless, this is a huge risk and exposes non-compliant companies to security breaches. For businesses that rely on returning customers, this is a no-go: not only will they never come back after they’ve been robbed once, but your brand image will deteriorate.
The stats support this view:
- According to ShiftProcessing, credit card fraud was the type of identity fraud most often reported; in 2018, it increased by 18.4% — and it continued to grow in 2019
- Card-not-present frauds are 81% more likely than POS frauds
- The American Express Digital Payments Survey (2019) reports that 27% of sales end up being fraudulent transactions
That is why we strongly recommend you bite the bullet and comply with the PSD2. To prevent sudden UX impairment wherever you can, only file for SCA exemption for cheaper goods and services, and try to get approved for the whitelisting option until you bounce back from these changes.
Is it possible to have it all?
When it comes to the integration of convenience with security, people are asking the wrong question.
We know that users won’t give up UX for improved security standards and that cybercriminals will continue to find new ways of breaking into classified data.
The question is how to enable both seamless and secure authentication at the same time — not whether to choose UX or security.
The answer lies in a highly optimized authentication process that offers head-to-toe protection with a single click.
This is just the kind of solution IPification has developed, and it enables users to sail through the authentication process nearly in real-time.
