As the shopping experience increasingly shifts online, organizations across the payment space are under greater pressure than ever to reduce fraud while making sure transactions remain as easy as possible. A new European Union initiative – the Second Payment Services Directive (PSD2) – is designed specifically for this purpose and lays out a framework so that companies can both protect customers, whilst also providing the best possible shopping experience.
As a result, PSD2 has included a specific mandate that focuses on strong customer authentication (SCA) as a way to tighten security. One example of SCA is two-factor authentication – a security system that, as its name suggests, relies on two stages, not just the password alone. However, the implementation of two-factor authentication risks disrupting the buying experience: when customers are shopping online, they want a quick, frictionless process. Having to halt this to answer a number of security questions could lead to shoppers abandoning the purchase.(1) Consequently, PSD2 has included a number of provisions that allow merchants to offer ‘frictionless flow’ for certain transactions, meaning these can be passed through to the issuer without the need for SCA.
This is a positive development, but there are a number of areas concerning SCA and frictionless flow that remain open to interpretation. One example is payee-initiated payments, such as magazine subscriptions or mobile phone bills, which are paid on a recurring basis. A compromise has now been reached whereby SCA will be applied when the payment agreement is first set up and authorized. After this, SCA should not be applied to any subsequent transactions initiated by the payee.
There are also discussions around the potential creation of a whitelist of trusted beneficiaries – companies that would not be required to use SCA because consumers trust them and are happy to forego the extra layer of security. But at present, there isn’t an agreed, standard mechanism as to how the merchant can be flagged as a trusted beneficiary.
Another option exists for merchants who wish to limit the amount of SCA requests from customers. If a merchant’s bank has a sufficiently good fraud rate, they can use transaction risk analysis (TRA) instead of SCA. This involves examining a variety of factors – such as geo-location or previous patterns of expenditure – and determining whether a transaction is fraudulent. TRA should allow merchants to provide a better buying experience. However, there’s no common ground on how all the stakeholders will respond, as different issuers have varying levels of acceptable TRA.
The key with all interpretations of SCA is to find the right balance between protecting the consumer, without damaging the functioning of the ecommerce market. What is clear is that it will take close co-operation between the many different stakeholders in the payment sector to make the regulation a success both for the industry and consumers.
Source:
1. European Banking Authority. ‘Consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2.’ Available at: https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2?p_p_auth=JWETWh5R&p_p_id=169&p_p_lifecycle=0&p_p_state=maximized&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&_169_struts_action=%2Fdynamic_data_list_display%2Fview_record&_169_recordId=1617934. Accessed February 2018.
Chase Paymentech Europe Limited, trading as J.P. Morgan, is regulated by the Central Bank of Ireland.
The information herein does not take into account individual client circumstances, objectives or needs and is not intended as a recommendation of a particular product or strategy to particular clients and any recipient of this document shall make its own independent decision. This document and the information provided herein may not be copied, published, or used, in whole or in part, for any purpose other than expressly authorized by Chase Paymentech Europe Limited.
© 2018, JPMorgan Chase & Co. All rights reserved.
