PSD2, which became effective January 13, 2018, was designed by European Union countries to create safer online payments through open banking — letting third-party merchants retrieve customers’ banking data with their permission — and by improving the security of cross-border European payments.
These sweeping changes are poised to dramatically alter the payments industry, changing everything from how (and with whom) customers make payments to where customers view their bank accounts.
With the implementation of PSD2, banks no longer have a monopoly on customers’ data and business, and that opens the industry up to competition by third-party merchants. No longer will banks be competing against other banks. Now, they’ll also be competing against anyone offering financial services — and that includes merchants like Amazon and Facebook.
By attempting to enforce data protection and liability rules, PSD2 will transform banking; even so, PSD2 isn’t without risk. Even businesses who are watching the implementation from afar should understand the far-reaching implications the directive has on e-commerce merchants and the payment industry — not to mention fraud and customer confidence.
How Fraud Will Be Reported Under PSD2
Historically, payment fraud data in the E.U. has been, at best, difficult to obtain; at worst, it’s been unreliable and inconsistent. Because the industry doesn’t have an agreed-upon definition of “fraud” — and because many fraud cases go unreported — it’s impossible to know how pervasive the E.U.’s fraud problem actually is.
But it’s clear that what fraud is being reported is a big problem: card-not-present (CNP) fraud is growing 21% yearly in Europe, while e-commerce growth is increasing just 13% yearly.
PSD2 intends to improve online payment safety by implementing new requirements for fraud reporting, which should make the fraud data waters a little less murky. Under the new initiative, payment initiation service providers (PISPs) — service providers initiating a payment on behalf of the user — must now report these three types of attempted and executed fraud payments:
- Unauthorized payment transactions that are the result of the loss, theft or misuse of a payment instrument or payment data.
- Transactions made and authorized by a payer who misrepresented the transaction or acted dishonestly.
- Transactions resulting from the manipulation of the payer.
Note: Account information service providers (AISPs) will be exempt from these requirements, to eliminate any double-counting of fraud.
These new reporting requirements will help the financial industry objectively classify and evaluate instances of fraud, generating reliable, comparable data for all European Union countries. The financial industry can then use this data to prevent the financial and reputational effects of fraudsters’ attacks and data breaches.
How the Fraud Risk Changes With PSD2
Despite its best efforts, it’s possible the new PSD2 guidelines and the API-driven open market could unintentionally and temporarily increase fraud risk, for two reasons:
- The increased number of transactions and payment channels resulting from opening the industry to third-party payment providers. Historically, where there are more transactions, there’s more risk for fraud. Banks will find themselves facing increased pressure to secure data while also authorizing a higher volume of payments.
- The proliferation of new payment options creates weaknesses and vulnerabilities that fraudsters love to exploit. For example, fraudsters may impersonate genuine customers to harvest sensitive data and commit identity fraud; they may also pose as legitimate third-party providers and launch malware attacks, if strong authentication and fraud prevention systems aren’t used.
Why Strong Consumer Authentication Is Needed
Despite the new open market, banks will still ultimately be responsible for the legitimacy of any third party accessing secure customer data, which means banks must shore up their fraud protection and customer authentication solutions — without a corresponding increase in customer friction.
Because these PISP payments are push payments by the consumer — meaning no sensitive customer data is shared with recipients — they’re already inherently safer than traditional CNP payments.
But “safer” doesn’t equal “risk-free,” so PSD2 requires banks to implement Strong Customer Authentication (SCA) and confirm a user’s identity through two of these three factors:
- Something they know (e.g., user names and passwords)
- Something they own (e.g., tokens)
- Something they are (biometric identifiers, like fingerprints or facial recognition)
Although this extra level of security adds some friction to the customer experience, banks can use their discretion on when to require SCA. If the bank’s risk management system analyzes the available transaction data (historical shopping patterns, IP address, etc.) and known risk factors (e.g., malware, emerging fraud threats) and finds the transaction to be risky, the bank can either decline the transaction or require one of the above step-up authentication factors. If the transaction is considered safe, the bank won’t require the step up, will process the transaction and provide a seamless shopping experience for the customer.
Balancing Security With PSD2 Compliance
Customers have become increasingly frustrated with the traditional banking system, and they’ve also become more comfortable working with nonbanks like PayPal to complete financial tasks. Currently, 20% of Europeans would even be willing to use financial products by companies like Google and Amazon. PSD2 opens the doors for this to happen.
But this directive puts European banks in a tough spot. They must comply with PSD2 and open up their account data to third parties, but they must also follow GDPR regulations, which obligates them to protect that customer data more securely. It’s a fine line to walk.
The challenge for merchants now is to evaluate their current fraud prevention systems and determine if they support new PSD2 requirements and are robust enough to protect against emerging fraud threats.
But these concerns aren’t unique to the European Union. Businesses around the world must be prepared to comply with emerging regulations while also improving the customer experience.
That’s why businesses trust the ClearSale Fraud Protection Solution, which uses advanced artificial intelligence and expert staff to keep on top of the latest fraud trends and prevention strategies to protect you and your customers. Contact us today to learn how we can tailor our approach to fit your needs and your budget.