How PSD2 may ripple across the sea
PSD2, Europe’s new set of online payment security rules, was supposed to have a ripple effect on U.S.-based merchants when it took effect in September 2019. However, a delay in full enforcement of the new standards until the end of 2020 has given US companies more time to figure out whether they’re required to comply and if so, how to do so. Here’s what U.S.-based merchants who sell into the EU need to know now.
Implications for merchants
PSD2 (Payment Services Directive 2) applies to the European Economic Area (the EU countries plus Norway, Iceland and Liechtenstein). Like GDPR and EMV, PSD2 may affect players outside the area where it’s implemented, although in the case of PSD2, the exact impacts and requirements for merchants outside the EEA are not yet clear.
One of PSD2’s provisions of is a requirement that CNP transactions use Strong Customer Authentication (SCA). SCA is like two-factor authentication because it requires extra proof of identification during an order. For example, a customer making a CNP purchase from a site using SCA might have to provide a PIN or password plus either a fingerprint or face scan and a validated card or mobile device.
So a customer who enters the CVV for their credit card might also have to enter a code provided by their bank app, to prove it’s not a fraudster paying with stolen card data. To further protect cardholders, the authentication code would become invalid if either the payee or the order amount changed before the order was submitted.
As with EMV adoption in the U.S., some merchants and banks in the EEA were unable to update their systems in time to comply with the original September 2019 deadline. Officials hope the extra time will allow most banks and merchants to complete the transition at a similar pace, to avoid creating a situation in which some payees are protected by SCA while others remain vulnerable to the types of fraud it’s intended to prevent.
US merchants and compliance
The enforcement delay in Europe also gives merchants outside the EEA time to review PSD2 and see if they’re required to comply, and think about whether they want to adopt SCA even if it’s not required. It’s possible that some US-based companies that sell into the EEA will also be subject to the rule, especially those whose customers are using cards issued in the EEA.
Why the uncertainty? The PSD2 allows some exemptions to the SCA requirement for CNP transactions, and one of those exemptions is when either the card issuer or the merchant in a transaction is based outside the EEA. However, PSD2 also gives card issuers final say in whether to exempt a transaction from SCA requirements.
So it’s possible to envision a situation in which a customer inside the EEA places an order using a card issued by a bank inside the EEA to make a purchase on a U.S.-based merchant’s website. If that merchant doesn’t require SCA and the card issuer doesn’t grant the exemption, the merchant will lose the sale.
Besides the risk to merchants of losing orders for not using SCA, it’s possible that there will be other impacts on merchants, too. The first is cart abandonment. Rates may rise if customers balk at the additional steps required to check out.
There’s no question that the extra customer authentication requirements will make CNP transactions more secure. But added steps make it more likely that customers will simply give up. “Too long/complicated checkout process” was the third most common reason U.S. consumers gave Baymard Institute researchers who were studying cart abandonment. If SCA becomes a standard requirement for all CNP transactions, then consumers will adapt. However, inconsistent SCA requirements could drive shoppers toward sites with less secure but faster checkouts.
Another risk related to PSD2 is the potential for more CNP fraud attacks against merchants in markets where PSD2’s SCA requirements are not in effect, such as the U.S. Just as fraudsters focused heavily on CNP fraud after EMV adoption made point-of-sale card fraud much more difficult, organized criminals will likely seek out less protected targets once PSD2’s SCA rules are fully enforced in 2021. Again, the solution here seems to be widespread adoption of SCA or an equally robust alternative.
EMV 3D Secure (and other similar security protocols) meets SCA standards. It does so by sharing customer data with the cardholder’s bank so the bank can score the order’s risk level and ask the customer for more information if needed. Merchants can also use a payment service provider that complies with SCA requirements, because PSPs are the parties responsible for SCA implementation.
US-based merchants who sell into Europe, or who plan to in the next few years, should use this year to understand how PSD2 may affect their specific business. Depending on their current checkout security protocols and whether their PSP supports SCA, they may not need to do anything new. But if they need to make changes to become more secure for the European market, now is the time to begin.
Original article at: https://www.mobilepaymentstoday.com/blogs/how-psd2-may-ripple-across-the-sea/