Companies unprepared for PSD2, stricter EU requirements will drive fraud to other regions
A new iovation report includes original research and analyzes the consequences for the global online payments market around the revised Payment Services Directive (PSD2). By September 2019 payment service providers in the European Economic Area (EEA) have to comply with the directive’s requirements for strong customer authentication (SCA) and third party access to bank accounts or risk getting their payment provider license revoked.
Measures to minimize conversion risk as a result of SCA. Source: Aite Group.
The report concludes the stricter requirements for fraud prevention in the EU will drive fraud to other regions such as the U.S. It also finds that most companies are unprepared for PSD2.
In fact, a recent study by Mastercard found that only 25 percent of European online merchants are aware of SCA requirements under PSD2, 14 percent already support SCA, 28 percent mentioned they will be SCA ready by September 2019 and 24 percent have no plans to support SCA. Since companies providing payment services in the EEA are subject to the regulation, even businesses with headquarters outside Europe might need to comply.
“The zeitgeist of regulations with extra territorial effect like GDPR continues with PSD2. This will have long-standing operational implications to companies wherever they are based,” said iovation Compliance Manager, Mark Weston. “The merchants that succeed post PSD2 will be those that make consumer authentication as effortless as possible through methods like ‘invisible’ device-based authentication and biometrics. And with the likes of Facebook and Google becoming payment processors, merchants are going to have to compete with an ever widening marketplace.”
PSD2 changes
Strong customer authentication: Payment service providers must apply two or more (multifactor) authentication methods for all electronic transactions unless such transactions qualify as “low risk.”
Third party access to payment accounts: Banks, card issuers and other financial institutions holding payment accounts must provide access to third-party payment service providers for the following services:
- Account information services like balance and transaction information
- Initiating payments directly from customer’s bank accounts
- Availability of funds check to see if there are sufficient funds on the cardholder’s bank account.
“PSD2 changes the rules of the game for the global payment industry and is based on some of the same principles that constituted GDPR, enforcing consumer protection and security requirements on companies operating in the EU,” said Aite Group Senior Analyst, Ron van Wezel. “Varying choices in the implementation of the SCA requirements on a country and individual bank level, differences in interpretation of the directive, and different timelines may create confusion that merchants have to navigate. Businesses should be sprinting to get their house in order.”