Back in October 2015, the European Parliament introduced the revised Payment Services Directive, or PSD2. This wide-ranging proposal overhauled the existing regulations governing payment services, essentially reconfiguring the entire payments environment. One of the key components of PSD2, though, was the adoption of so-called strong customer authentication (SCA) standards.
SCA establishes guidelines and expectations for verifying customers’ identities in the e-commerce environment. Verification for any online transaction must be based on at least two of three factors: something the buyer possesses, something the buyer knows or something the buyer inherently “is.” For instance, one could verify a user’s identity with a card number (possession) and PIN code (knowledge). Alternately, one may use a card number and a fingerprint scan (inherence) to authenticate a buyer.
These rules were originally intended to take effect on September 14, 2019. However, adapting to these guidelines proved more difficult for businesses throughout Europe than anticipated. In response to these challenges, the European Banking Authority (EBA) issued an opinion on October 16 advising a new approach throughout the region.
SCA Rules Delayed Until Late 2020
In the opinion piece, the EBA sets December 31, 2020, as the new deadline for SCA compliance. The organization also recommends that national competent authorities — the entities responsible for ensuring compliance — prioritize consistency in the migration process.
I wholeheartedly agree with the latter sentiment. Taking a consistent approach to regulation is a vital step, and it will be necessary for any successful implementation. If allowing extra time for implementation is what it takes to make that possible, then I’m all for it. With that in mind, though, I’m concerned that an extra year might not be enough to get the job done at the current pace.
Plenty of merchants, both in the European Economic Area (EEA) and outside, are resistant to these new standards. As they see it, they’re contending with greater restrictions without any added slack in other areas. Consumers expect more reliable security and an increasingly streamlined experience with minimal friction. That makes compliance a hard sell for many retailers.
Merchants are understandably reluctant to place additional barriers between themselves and their customers. As is, consumers abandon roughly 7 out of 10 transactions without completing their purchase. Making the checkout process longer and more restrictive will very likely cause that number to rise.
Also, while a merchant may be compliant, they may not have enough transparency from third-party contractors to ensure their entire payments environment follows suit. Plus, there are gray areas in the regulation, and that could make it difficult to determine compliance. Many transactions are free from SCA requirements; for instance, merchant-initiated transactions, sales totaling less than €30 and travel card transactions are all exempt. However, segmenting these exemptions will be complicated.
SCA To Impact Global Merchants
While the PSD2 is a piece of European legislation, strong customer authentication requirements will still impact merchants outside the EU.
As Worldpay’s Jonathan Dranko asserts, “If your business operates globally and processes any payments locally in the EEA, you may be subject to the directive. If a merchant cannot authenticate or exempt a transaction based on the SCA criteria … then there is significant risk that issuers will decline the transaction, which could cause merchants to lose sales and revenue.” Even the PSD2 notwithstanding, the California Consumer Privacy Act (CCPA) will bring many of the same requirements to the U.S. market anyway.
Strong customer authentication means greater security — but also greater friction. By definition, you’re making it harder for buyers to complete purchases. But as e-commerce matures, we can’t realistically persist with the same “Wild West” approach. The market needs structure and standardization to ensure long-term success. Europe has consistently led the U.S. on this front. For instance, at a time when 82% of e-commerce transactions in Belgium were processed using 3-D Secure technology, only 18% of transactions in the U.S. used 3-D Secure. We saw the same phenomenon with the adoption of EMV chip technology, too.
Trying to resist the tide of change in the market is a futile exercise. The question we need to begin asking is not whether we should adopt these rules, but rather what impact will these rules have and how we should respond.
As Friction Baseline Rises, Optimization Is Key
With strong customer authentication requirements, the goal isn’t to punish merchants. Instead, the purpose is to both prevent fraud and to train all parties — merchants, consumers and institutions — to understand the value of diligence and compliance with best practices. That said, some level of friction is going to be unavoidable as the SCA rollout progresses.
Friction is the result of customers encountering a pain point that slows or complicates the buyer experience. Adding steps to the checkout process, as SCA standards demand, means adding friction, thus increasing the likelihood that customers will abandon their shopping carts. Merchants can offset this risk, though, by minimizing friction in other areas.
Merchants must first understand where their customers’ pain points lie. Developing buyer personas and engaging in social listening are both useful strategies to help identify the pain points that are turning customers away. Then, once sellers manage to identify friction in their customer experience, they can deploy the necessary solutions to correct the problem.
Is slow or awkward site design turning away customers? Merchants can address this problem by overhauling their design to create a cleaner, more functional experience. Are product descriptions confusing buyers? Providing straightforward, detailed descriptions, complete with high-resolution images showcasing goods from multiple angles, will help clear up any misunderstandings.
Adopting these and other practices can also have additional benefits beyond boosting conversion. For example, many of the practices that can optimize the customer experience will help minimize merchant chargebacks, too. It will also foster brand affinity, giving potential customers a more favorable impression of the business.
Despite the delay in SCA implementation, the fact remains that change is inevitable. Merchants who manage to adapt sooner will be better positioned to both weather the regulatory changes and optimize other facets of their business.