Eight months can seem like an eternity – all the time in the world to get things done, to plan, to implement, to do the heavy lifting of preparing for new tech initiatives – but not when it comes to the European Union’s PSD2.
Spencer McLain, director of global risk solutions at Whitepages Pro, told PYMNTS in an interview that September 2019 – when PSD2’s deadline looms on Friday the 13th – is coming much more quickly than some stakeholders might realize.
“Very few of the participants in the payment ecosystem are remotely ready,” he said, “and that goes for the card brands and the payment service providers.”
Delving into SCA
The headlines surrounding PSD2 trumpet the arrival of open banking – where customers and companies have access to data in one place and can share it with third parties through APIs – but there is also the need for strong customer authentication (SCA).
SCA, as it is commonly called, mandates multifactor authentication that ties together 1) ownership (where transactions come from devices recognized as belonging to a consumer), 2) knowledge and 3) consumer-specific traits, such as fingerprints, verified through biometrics.
According to McLain, PSD2 has strong principles in place, yet the specifics are a bit nebulous, at least for now. Stakeholders are trying to figure out measures to satisfy the requirements. At present, though, there is no real roadmap for what non-compliance might mean for firms, or for how they can balance the demands of SCA with the desire to give the consumer as frictionless an experience as possible.
To get there, he said, PSPs and the card schemes can help guide merchants through new compliance territory.
Looking for Exemptions
McLain told PYMNTS that the guidelines the card schemes or PSPs offer to merchants can take on the technical heavy lifting needed to balance security and commerce. The guidelines could help a merchant capitalize on the maximum number of exemptions available under PSD2.
That’s critical, especially as PSD2 mandates that online transactions above 30 euros undergo the SCA processes.
The ambition of PSD2 is to apply to pretty much all online transactions – but, as McLain noted, there are exemptions that merchants and PSPs can request on the strength of low fraud rates. Exemptions are part of the regulatory technical standards for PSD2 that were released 11 months ago. Exemption threshold values allow merchants to sidestep SCA (and ostensibly provide the most friction-free process for consumers). For example, transactions under 30 euros are exempt, and merchants whose fraud rates for remote, card-based payments fall between one basis point and six basis points are exempt.
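To make the two ideas above concrete – the three SCA factor categories from "Delving into SCA" and the exemption thresholds just described – here is an added example, not code from the article or from Whitepages Pro, of how a PSP-side decision routine might evaluate a card-not-present transaction. The 30 euro threshold and the 1 to 6 basis point band come from the article; the cumulative counters on the low-value exemption and the per-amount TRA tiers are assumed from the RTS (Articles 16 and 18) and are labelled as such in the code, as is the fact that the issuer, not the merchant, has the final say on any exemption.

```python
"""Added example: SCA decision routine for a card-not-present payment under PSD2.

Figures taken from the article: the 30 euro low-value threshold and the
1 to 6 basis point fraud-rate band for transaction risk analysis (TRA).
The cumulative counters for the low-value exemption and the per-amount
TRA tiers are assumptions drawn from the RTS (Articles 16 and 18); the
issuer, not the merchant, makes the final call on applying any exemption.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import FrozenSet, Optional

# The three SCA factor categories; two independent ones are needed.
KNOWLEDGE = "knowledge"    # something only the customer knows (PIN, password)
POSSESSION = "possession"  # something only the customer has (registered device)
INHERENCE = "inherence"    # something the customer is (fingerprint, face)
FACTOR_CATEGORIES = frozenset({KNOWLEDGE, POSSESSION, INHERENCE})

# Low-value exemption. The article says "under 30 euros"; the RTS wording is
# "does not exceed EUR 30", so <= is used here. The cumulative limits since
# the last SCA on the card are assumed RTS Article 16 values.
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_MAX_CUMULATIVE = Decimal("100")
LOW_VALUE_MAX_COUNT = 5

# TRA exemption: (amount ceiling in EUR, reference fraud rate in basis points).
# The PSP's fraud rate for remote card payments must be below the reference
# rate of the tier the amount falls in. Tiers are assumed RTS Article 18 values.
TRA_TIERS = (
    (Decimal("100"), Decimal("13")),
    (Decimal("250"), Decimal("6")),
    (Decimal("500"), Decimal("1")),
)


@dataclass(frozen=True)
class Transaction:
    amount_eur: Decimal
    psp_fraud_rate_bps: Decimal
    cumulative_since_sca_eur: Decimal
    count_since_sca: int
    factors: FrozenSet[str]  # categories already verified for this transaction


@dataclass(frozen=True)
class Decision:
    sca_required: bool
    exemption: Optional[str]  # "low_value", "tra" or None
    authenticated: bool       # True if exempt or enough factors were verified
    reason: str


def make_tx(amount, fraud_bps, cumulative=0, count=0, factors=()):
    """Build a Transaction from plain numbers or strings (constructed input)."""
    return Transaction(Decimal(str(amount)), Decimal(str(fraud_bps)),
                       Decimal(str(cumulative)), count, frozenset(factors))


def low_value_exempt(tx: Transaction) -> bool:
    """Amount within the limit and the running counters not exhausted."""
    if tx.amount_eur > LOW_VALUE_LIMIT:
        return False
    if tx.cumulative_since_sca_eur + tx.amount_eur > LOW_VALUE_MAX_CUMULATIVE:
        return False
    return tx.count_since_sca + 1 <= LOW_VALUE_MAX_COUNT


def tra_exempt(tx: Transaction) -> bool:
    """Find the tier the amount falls in and compare the PSP's fraud rate."""
    for ceiling, reference_bps in TRA_TIERS:
        if tx.amount_eur <= ceiling:
            return tx.psp_fraud_rate_bps < reference_bps
    return False  # above the highest tier: TRA never applies


def sca_satisfied(factors) -> bool:
    """Two factors from the same category (two passwords) do not count."""
    return len(frozenset(factors) & FACTOR_CATEGORIES) >= 2


def decide(tx: Transaction) -> Decision:
    """Check exemptions first; only then ask whether SCA was actually performed."""
    if low_value_exempt(tx):
        return Decision(False, "low_value", True, "within low-value limits")
    if tra_exempt(tx):
        return Decision(False, "tra", True, "PSP fraud rate below tier reference")
    if sca_satisfied(tx.factors):
        return Decision(True, None, True, "two independent factors verified")
    return Decision(True, None, False, "challenge needed: second factor category")


if __name__ == "__main__":
    # Constructed sample transactions, not real data.
    for tx in (make_tx(20, 10), make_tx(20, 10, cumulative=90),
               make_tx(200, 10, factors=[POSSESSION]),
               make_tx(600, "0.5", factors=[POSSESSION, INHERENCE])):
        print(tx.amount_eur, decide(tx))
```

The ordering matters: exemptions are evaluated before the factor check, so a 20 euro purchase that has exhausted its cumulative allowance falls through to TRA, and a 600 euro purchase sits above every TRA tier and must carry two independent factor categories regardless of how clean the PSP's fraud rate is.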
Beyond the exemptions, and as with any authentication efforts, data makes all the difference, said McLain. PSPs have been steadily gathering more information from merchants. “When it comes to PSD2, the merchants are incentivized to share more,” said McLain, adding that “what some of the card schemes are working on is the idea of collaborating with merchants to generate some type of reputation score for the transaction.”
Sharing data down to the issuer level, said McLain – noting, for example, that a consumer has used the same device hundreds of times across all manner of online transactions – can satisfy authentication requirements while boosting transaction rates.
Passing down data has long-term benefits, he said – especially when enlisting the aid of service providers (including Whitepages Pro, said McLain) to help connect the dots with technology such as machine learning when encountering an unknown identity.
As for what merchants should look for as they aim to automate some of these processes, he noted that the question of technology becomes “more complicated if the merchant hosts their own data center than if they use a cloud services provider.” In the latter case, he said the cloud services provider will do “a lot of the grunt work to ensure compliance from an encryption standpoint.”
But, as McLain noted, “at the end of the day, there is no silver bullet to become compliant – PSD2 compliance is going to require either bringing in strong in-house expertise, hiring an information security officer who has some experience with this admittedly new regulation or the ability to dive right into the regulation to ensure that the merchant becomes as compliant as they can be – and as soon as possible.”