The Payment Services Directive (PSD2) has been designed to create better fraud protection for online purchases.
What is PSD2?
PSD2 was introduced with a clear objective: protecting the customer. It also advocates innovation and security whilst encouraging competition.
PSD2 sets out that an organisation which is taking payments, without the person present, needs to follow a prescribed process to authorise the payment. This is known as strong customer authentication (SCA). Put simply, it means that a payment service provider (PSP) should now be confident that the payment service user (PSU) is who they say they are.
To ensure that this happens, PSD2 has tightened up the rules around authentication.
The move from 3D Secure to Strong Customer Authentication (SCA)
At present, many have adopted 3D Secure. Moving forwards, PSD2 outlines that this isn’t robust enough, and that new processes which are much more embedded into the customer verification process will need to be used.
Payment authentication levels are governed by a range of factors. One of these is the value of a transaction. Outlined in the PSD2 criteria are a series of values that articulate when you need to proceed through additional layers of authentication (strong customer authentication), and when you don’t.
The criteria bandings are currently: €100, €250 and €500. Therefore any payment that is in excess of €100 needs to go through a process flow to assess the authentication level needed.
The difference between single sign-on and integrated biometrics
If people are transacting online, then giving a biometric authentication could pose a challenge. Many people currently use single sign-on using their phone, but this isn’t deemed secure under the new legislation. As such, biometrics will need to be embedded into the bank validation process so that banks can store them and verify against them.
Last year Juniper predicted there would be five billion biometric-authenticated payment transactions by 2019, up from less than 130 million in 2015. According to new data from Visa, biometric adoption is certainly on the right track. As it is “always on you”, it can also be a convenient method of authentication for a customer. It has the potential to enhance the customer journey and not cause any unnecessary friction. The question will be how you do it.
On the other side, card readers were largely phased out a few years back – spurred by customers who opted for chip and PIN and touch IDs. Will the new PSD2 regulation bring them back? What will this mean for the customer? Perhaps there is an opportunity here for phone companies to integrate technology into the device which does the same thing?
PSD2 and customer experience need to be integrated into the customer journey
There are so many elements of PSD2 that will influence the customer purchase journey.
PSD2 was created to protect the customer. Banks, payment providers and retailers need to consider the level of friction it could create for their customers when transacting remotely, and what they can do.
People won’t tolerate disruption to their shopping experience; they will simply look for the easiest route. This is where a competitive threat becomes much more apparent, as those that are able to create a frictionless, smooth journey will be the ones that reap the rewards of customer engagement.
Businesses need to consider how PSD2 and fraud monitoring will integrate into the customer journey without having any negative impact on the customer experience. How will you formulate all the prescribed criteria in order to make a decision on the transaction authentication level? These are all areas for exploration.
At the moment dynamic data sharing isn’t being used in a payment context. It is, however, common to apply CIFAS known fraud checks at the point of a payment transaction. Could this help businesses with better identification of fraud if it were to be applied earlier?
Monitoring devices will be important, and especially pertinent in the now mobile era. Understanding more about the patterns of device use can help identify any concerns or discrepancies which require further exploration.
Keeping overall fraud low will be equally essential – and could be the difference between needing strong customer authentication, and not. Therefore, whilst new methods and new steps need to be considered for payments, keeping on top of your overall fraud levels should remain a core focus.
Bring your customers with you. Help and guide them.
It is also important that you think about any customer education programme.
For the past 15-20 years, a focus has been around educating customers on chip and PIN – and more recently, contactless. PSD2 will require the same, if not more intense, education.
Research shows that the biggest barrier to giving data is the uncertainty of how it will be used. If customers understand the reason is for their protection, they are more likely to embrace it and not perceive any change as cumbersome and fractious.
Considering the foundations you can develop in order to comply, whilst at the same time considering how you can best serve the needs of your customers, will be the key to PSD2. Protecting them, and you.