PSD2: The Perks and Pitfalls of Payment Services Directive in the Digital Payments Space

This is a guest article by David DeCorte from Chargebacks911

If you’re not dialed into EU legislation like your company’s life depended on it, you may not have heard much about the new Revised Payments Services Directive, commonly known as PSD2. As with everything, there’s the good news and the bad.

The ruleset presents considerable opportunity for consumers and merchants, both on the Continent and abroad. That said, there are a number of hazards to watch for as well. In terms of overall impact, PSD2 could best be described as a mixed bag.

Let’s take a close look at the new PSD2 legislation, specifically, the provision for Strong Customer Authentication (SCA) standards. We’ll see that – even when something seems like a no-brainer – there may still be negative consequences for the digital payments space.

What is PSD2?

Let’s address this basic question first.

To explain it simply, the Revised Payments Services Directive is a move to update the way payment service providers (PSPs) are categorized and regulated in the European Economic Area. The legislation replaces the original Payments Services Directive adopted back in 2007.

The general stated purpose of the original PSD was to facilitate competition and lay the legal groundwork for a pan-European payments ecosystem. Lawmakers expected the PSD to enable simple, fast, and secure cross-border payments. It would also standardize rights and responsibilities for merchants, consumers, and PSPs.

In a general sense, the original PSD did leave a positive impact in many of these areas. It provided for faster payments and more options for consumers and increased payment transparency. However, the digital payments space is fast-moving and prone to disruption. In the twelve years since the original Payments Services Directive became law, we’ve seen new payment methods hit the market, data regulations like GDPR implemented, and countless other changes. This necessitated a revision to the original PSD.

There are two key components to PSD2 that will impact merchants, banks, and cardholders:

1. Strong Customer Authentication (SCA): heightened standards for customer authentication during the checkout process.

2. Access to Accounts (XS2A): Opens up the consumer payments market to non-institutional players.

XS2A stipulates that financial institutions are required to share sensitive information with third parties (given the consumer’s permission, of course). This clears the way for actors like Google, Facebook, or Apple to expand their presence in the payments space. Much of this information is already covered in significant depth, so there’s no need to dig into the details of XS2A here. Instead, we’ll explore SCA and the ramifications of the new ruleset on conversion.

Mandating Strong Customer Authentication

PSD2 requires merchants to implement Strong Customer Authentication (SCA) principles during the transaction process. Although the legal deadline for compliance with this rule is set for September 14, some UK firms may be allowed additional time on a case-by-case basis. Merchants should consult their processor for more information on this point if applicable.

We’ve relied on tools like CVV verification and Address Verification Service (AVS) to verify customers’ identities in digital transactions. These are still useful tools to help prevent fraud, but they’re passive and far from conclusive. With SCA, though, merchants are now required to verify customers based on at least two of these three conditions:

Knowledge: Something the customer knows, like a password.

Possession: Something the customer has, for example a device that can be verified via text message.

Inherence: Something the customer is – a biometric reading like a fingerprint will work.

Adopting SCA principles will undeniably make criminal fraud more of a challenge to perpetrate. The question now is what impact it will have on conversion.

As of this writing, the rate of shopping cart abandonment in eCommerce stands at 69.6 percent. That means out of every ten consumers who initiate a transaction online, only three will ultimately complete the purchase. There are countless possible reasons why customers do this. Some initiate a purchase, then abandon it when their preferred payment option or shipping method is unavailable. Others may just add items to a cart to calculate their total for a future purchase.

In other cases, customers experience too much friction during their interaction. Bottlenecks, clunky site design, and other slowdowns can lead customers to decide it’s not worth the trouble. Transaction friction constitutes all those elements in the customer interaction that slow down or complicate processes, like asking customers to provide a password or biometric scan, for instance.

PSD2 does allow for reasonable exemptions. Recurring transactions, sales under €30, and sales involving “trusted beneficiaries” (merchants whitelisted by the customer), for example, are not subject to SCA requirements. That said, SCA will create friction in the checkout process, and some customers will, inevitably, abandon purchases as a result.

Other Problem Areas With PSD2

For now, suffice to say PSD2 puts more emphasis on data security than its predecessor did. But, that’s not to say it’s a total boon across the board. As mentioned above, the realities of the eCommerce marketplace create a need for optimized customer experience. Buyers are trained to expect smooth, fast transactions at any time, and with fast delivery. SCA flies in the face of this requirement, creating friction by definition. That’s not the only issue merchants – and the banks who work with them – should be aware of, though.

There are several other aspects of the law that could create challenges for merchants in the EU and abroad. Take chargeback policy and so-called “one leg out” transactions, for instance.

PSD2 & Chargeback Policy

Here in the US, the consumer’s right to recover their funds in the event of fraud or other abuse is guaranteed under the Fair Credit Billing Act (FCBA) of 1974. Similar legislation, such as Section 75 of the Consumer Credit Act in the UK, guarantees those rights to consumers in Europe as well. However, the FCBA applies specifically to companies that brand or issue payment cards. With third-party PSPs, it’s not clear how – or even if – the chargeback process will work.

I’m sure very few merchants are shedding tears over the prospect of fewer chargebacks. We can’t be that cavalier about it, though. Despite the fact that they’re widely abused by bad actors or customers who don’t understand industry policy, chargebacks are still an important consumer protection mechanism. Having chargebacks as an option ensures consumers won’t be the ones who pay for fraud.

Without clarification on the chargeback issue, we could be facing a sudden surge in customers who, though hit by fraud, can’t recover their money. This would shake consumer confidence to the core, potentially alienating customers from online channels.

PSD2 & Non-EU Merchants

Merchants outside the EU might look at all that’s happening with PSD2 and simply shrug it off. After all, if you’re outside the EU, it doesn’t really affect you…right? Well, Strong Customer Authentication rules apply to all financial institutions based and licensed in the EU. So, if a merchant is working with a bank based in Europe…then PSD2 applies.

US merchants need to be prepared to abide by the rules if they want to work with EU-based customers. And, given that EU citizens spent roughly 50% more online compared to their US counterparts in 2017 – a total of $720 billion – that’s probably not a market merchants want to give up.

Similarly, it wouldn’t make much sense for EU-based businesses to impose separate verification requirements based on geolocation. That means US consumers will probably be exposed to SCA principles, too.

Going Forward With SCA Under PSD2

The law’s express purposes are to increase security, improve customer trust and convenience, and prevent fraud. PSD2 also introduces an interesting new variable, essentially breaking up the banking sector’s hegemony over consumer banking services. The law strengthens some protections, but the vagueness of certain elements leaves some questions unanswered.

The main question we’re left to ask is: “will it be enough?” On its own, the answer has to be no.

PSD2’s Strong Customer Authentication standards improve on many of the shortcomings identified after the original Payment Services Directive. It’s a step in the right direction. As we’ve identified, though, it’s not nearly enough to address ongoing problems in the eCommerce market. Add to that the ever-changing nature of the online marketplace, where new technologies and behaviors bring constant disruption, and further tweaking of the law is almost certain.

We need clarification on PSD2. We need lawmakers to define how chargeback policy will be carried out under the regulation. We need a plan to enact better standards for customer authentication without drastically impacting merchants’ conversion rates.

…that’s a lot of needs. When – or if – we get the solutions to address them is still up in the air, though. In the meantime, merchants and the banks who work with them should adhere closely to best practices to try and mitigate risk without alienating customers.

Separating Good & Bad Friction

We tend to talk about transaction friction like it’s a monolithic idea. Instead, it’s better to think in terms of “positive” versus “negative” friction. The former creates reasonable barriers against fraud while having little or no impact on the customer experience. The latter slows down transactions and encourages shopping cart abandonment with little real impact on fraud.

Examples of positive friction that merchants should implement into their transaction process include:

  • Making account creation an option, as opposed to mandatory account creation.
  • Offering 3-D Secure verification for participating cardholders.
  • Directing users to a screen to verify orders before submitting them.
  • Using back-end fraud screening tools like geolocation, IP address verification, and fraud scoring and fraud detection software.
  • Requiring complex passwords for user accounts.
  • Embracing alternative payment options like Apple Pay, which employs biometric (thumbprint) verification.

In contrast, here are some examples of negative transaction friction:

  • Slow, broken, inconsistent, or complicated site navigation.
  • Unnecessary or redundant information fields during the checkout process.
  • Limited payment options.
  • Not displaying cart totals or shipping information while browsing.

Yes, the SCA requirements imposed under PSD2 add friction to the checkout process. But, with the careful deployment of practices aimed at fostering positive friction, merchants can remain compliant without driving buyers away.
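As an added example that is not part of the original article or of Chargebacks911’s own materials, the following Python sketch models the decision a merchant-side checkout has to make under the SCA rules described earlier and the positive-friction list above: whether one of the exemptions the article names (trusted beneficiary, recurring transaction, sale under €30) applies, whether a back-end screening signal should override the exemption and request authentication anyway, and whether the evidence the customer supplied spans at least two of the three factor categories (two items from the same category, such as a password plus a PIN, do not count). All field names, the evidence vocabulary and the IP/billing-country mismatch rule are assumptions. It goes one step beyond the article in treating only the second and later payments of a recurring series as exempt, which is how the PSD2 technical standards apply that exemption; the standards also attach further conditions (for example cumulative-value counters on the low-value exemption) that this sketch leaves out.

```python
"""SCA applicability and factor-independence check for a card-not-present checkout.

Constructed illustration: field names, evidence labels and the risk rule are
assumptions, not the wording of PSD2 or of any payment processor's API.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Factor(Enum):
    KNOWLEDGE = "knowledge"      # something the customer knows (password, PIN)
    POSSESSION = "possession"    # something the customer has (phone receiving an OTP)
    INHERENCE = "inherence"      # something the customer is (fingerprint, face)


# Assumed vocabulary: which category each piece of evidence belongs to.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "app_push": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}

LOW_VALUE_LIMIT_EUR = 30.00  # "sales under €30" as quoted in the article


@dataclass
class Checkout:
    amount_eur: float
    recurring: bool = False
    first_in_series: bool = True       # first payment of a recurring series
    trusted_beneficiary: bool = False  # merchant whitelisted by the customer at their bank
    billing_country: str = ""          # ISO country of the billing address (assumed)
    ip_country: str = ""               # ISO country from IP geolocation (assumed)
    evidence: List[str] = field(default_factory=list)


def exemption(c: Checkout) -> Optional[str]:
    """Return the name of the first SCA exemption that applies, or None."""
    if c.trusted_beneficiary:
        return "trusted_beneficiary"
    # Only subsequent payments in a recurring series are exempt; the first
    # one is authenticated (this nuance is taken from the PSD2 technical
    # standards, not from the article).
    if c.recurring and not c.first_in_series:
        return "recurring"
    if c.amount_eur < LOW_VALUE_LIMIT_EUR:
        return "low_value"
    return None


def risk_flags(c: Checkout) -> List[str]:
    """Back-end screening signals; here a single assumed geolocation rule."""
    flags = []
    if c.billing_country and c.ip_country and c.billing_country != c.ip_country:
        flags.append("ip_country_mismatch")
    return flags


def sca_required(c: Checkout) -> bool:
    """SCA is required when no exemption applies, or when a risk flag
    makes the merchant choose to step up despite an available exemption."""
    return exemption(c) is None or bool(risk_flags(c))


def factors_satisfied(evidence: List[str]) -> bool:
    """True when the evidence covers at least two distinct factor categories."""
    categories = {EVIDENCE_CATEGORY[e] for e in evidence if e in EVIDENCE_CATEGORY}
    return len(categories) >= 2


def decide(c: Checkout) -> str:
    """'approve' when no SCA is needed or the supplied factors suffice,
    otherwise 'challenge' to send the customer through authentication."""
    if not sca_required(c):
        return "approve"
    return "approve" if factors_satisfied(c.evidence) else "challenge"


if __name__ == "__main__":
    # Constructed sample checkouts.
    samples = {
        "low value, no risk": Checkout(amount_eur=12.0),
        "low value, IP mismatch": Checkout(amount_eur=12.0, billing_country="DE", ip_country="BR"),
        "two knowledge factors": Checkout(amount_eur=80.0, evidence=["password", "pin"]),
        "knowledge + inherence": Checkout(amount_eur=80.0, evidence=["password", "fingerprint"]),
        "recurring, first payment": Checkout(amount_eur=50.0, recurring=True, first_in_series=True),
        "recurring, later payment": Checkout(amount_eur=50.0, recurring=True, first_in_series=False),
    }
    for label, chk in samples.items():
        print(f"{label:28s} exemption={exemption(chk)!s:20s} decision={decide(chk)}")
```

The risk override is the design choice worth noting: an exemption is a permission not to authenticate, not an obligation to skip it, so a merchant can keep the low-friction path for clean traffic and still step up when the back-end screening described above fires.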

For a more detailed look at PSD2 and how it pertains to chargebacks and other merchant risks, check out the free digital guide, PSD2: What It Is, Why It Matters, and What Merchants Need to Know, now available from Chargebacks911®.

David DeCorte is the editor and content manager at Chargebacks911, an industry-leading chargeback mitigation service. He writes extensively on subjects including business, eCommerce, payments and fraud prevention. David is also a contributor at several pop culture publications and educational blogs.
