There has been a lot of talk about the changes contained in the Payment Services Directive 2 (PSD2) and the introduction of Strong Customer Authentication (SCA). One significant change for the industry is that the EU Payment Services Directive took effect in January 2018, introducing new laws aimed at reducing online fraud and protecting our consumer rights. An important element of PSD2 is the introduction of SCA on 14 September 2019 for in-store and online transactions.
Most of the focus has been on the impact of PSD2. The positives come through the introduction of Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) and the opportunities this creates. The negatives centre on ecommerce transactions, which now need to be authenticated, driving up abandonment and declines. There has been very little coverage of the concerns and issues associated with face-to-face and MOTO (mail order and telephone order) transactions.
This is an area which needs consideration for those looking to comply with these new requirements.
Acceptance of cards has seen many changes and advancements. The traditional acceptance models are practical but have not necessarily been optimised and may no longer be fit for purpose. PSD2 gives us the perfect opportunity to look at how we accept cards.
Chip and PIN is a perfect example of the benefits and adoption of SCA, and of the lessons learned along the way, such as the importance of where the card reader is placed. Many readers were placed out of reach of the cardholder, or behind stock or literature, creating confusion and leaving them unused.
I’m convinced similar lessons will be learned as the rollout matures, especially around the flow of checkout for ecommerce transactions. We need to think about the payment process from a cardholder view and of course, as best practice matures, we should continually review the cardholder experience.
The typical model of accepting cards in a retail environment isn’t really affected by the regulation, but there are subtle changes to the security technology that drives Contactless.
I think everyone is comfortable with the occasional need for Chip and PIN, when the limits have been reached on Contactless. This is changed by PSD2, which introduces lower thresholds and financial values than the current ones, meaning there may be more times where Chip and PIN transactions are needed.
Payment models which rely solely on Contactless, e.g. vending machines, could be heavily impacted, due to more transactions requiring Chip and PIN. Development work will be needed on these models to support Chip and PIN and complement the Contactless-only approach.
To support PSD2 requirements, it looks like there is a need to move where the threshold sits from the card to the issuer host system. This will mean the decision process changes and terminals will need to interpret a “soft decline” in the authorisation message. Then the transaction will need to be completed with Chip and PIN. There could be confusion and increased declines for any terminal not updated to recognise this new response code.
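As an added illustration of the flow described above (not code from this article or from any card scheme), the Python model below keeps the Contactless counters on the issuer host and compares a terminal that retries with Chip and PIN on a soft decline with one that does not recognise the response. Assumptions: the response labels, class and function names are hypothetical; the EUR 50, EUR 150 and five-transaction limits are those of the contactless exemption in the PSD2 regulatory technical standards, not figures from this page; Chip and PIN is assumed always to succeed.

```python
from dataclasses import dataclass

# Contactless exemption limits from the PSD2 RTS (not stated on this page).
MAX_SINGLE_EUR = 50
MAX_CUMULATIVE_EUR = 150
MAX_CONSECUTIVE = 5

# Hypothetical response labels; real response codes are scheme-specific.
APPROVED, SOFT_DECLINE, DECLINED = "APPROVED", "SOFT_DECLINE", "DECLINED"


@dataclass
class IssuerHost:
    """Issuer-side counters since the last strongly authenticated payment."""
    cumulative_eur: float = 0.0
    consecutive: int = 0

    def authorise(self, amount_eur, entry_mode):
        if entry_mode == "chip_and_pin":
            # SCA was performed, so the exemption counters start again.
            self.cumulative_eur, self.consecutive = 0.0, 0
            return APPROVED
        if (amount_eur > MAX_SINGLE_EUR
                or self.cumulative_eur + amount_eur > MAX_CUMULATIVE_EUR
                or self.consecutive + 1 > MAX_CONSECUTIVE):
            return SOFT_DECLINE  # the issuer asks for Chip and PIN
        self.cumulative_eur += amount_eur
        self.consecutive += 1
        return APPROVED


def terminal_pay(host, amount_eur, understands_soft_decline=True, has_pin_pad=True):
    """Return (outcome, entry modes tried) for one tap at a terminal."""
    tried = ["contactless"]
    response = host.authorise(amount_eur, "contactless")
    if response != SOFT_DECLINE:
        return response, tried
    if not understands_soft_decline or not has_pin_pad:
        # Terminal not updated, or Contactless-only: the sale is lost.
        return DECLINED, tried
    tried.append("chip_and_pin")
    return host.authorise(amount_eur, "chip_and_pin"), tried


def run_scenario(amounts, **terminal):
    """Outcomes for a series of taps by one card at one kind of terminal."""
    host = IssuerHost()
    return [terminal_pay(host, amount, **terminal)[0] for amount in amounts]
```

With seven EUR 10 taps, the updated terminal approves all seven (the sixth via Chip and PIN, which resets the counters), while the terminal that does not recognise the soft decline loses the sixth and every tap after it.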
Earlier, I mentioned the opportunity to review and optimise how cards are accepted, and this is best demonstrated with MOTO transactions. Because this payment channel is out of scope of the SCA requirements, how the transaction is presented to the issuer has never been more important.
Transactions against stored card details (Credential on file transactions) really need to be thought of in a separate category to MOTO, and have a unique set of flagging requirements to complement this growing market. I would expect conversion rates to increase because of this.
From an issuer point of view, I’m sure they’ll be more comfortable approving a transaction that advises that the merchant has stored the card number, with the approval of the cardholder for future use, rather than a single, one-off unsecure MOTO transaction.
From a European perspective, we’re seeing the decline of magnetic stripe (a type of card capable of storing data), and it looks like SCA will stop key-entered transactions using a terminal. This is because a key-entered transaction sent for authorisation, showing that it took place on a terminal where Chip and PIN is available, could cause the issuer to wonder why Chip and PIN wasn’t used and ask for the transaction to be re-entered with Chip and PIN.
The allowance to make unattended transit fares and parking payments exempt from SCA is welcome. Operators of other unattended solutions, like vending, which doesn’t support Chip and PIN, really need to consider their solution before September 2019 arrives.
Finally, PSD2 looks to create competition through new payment types, and reduce fraud by increasing security. It also offers an excellent opportunity for businesses to review how they accept cards - something I think we should all take the time to address.