PSD2 is a European regulation for payment services that aims to make payments more secure and help financial services innovate within the space.
Galit Michel is VP of Payments at Forter a provider of e-commerce fraud prevention. With over 15 years of experience in various leadership roles around Operation, Payments, FraudRisk, Regulations, Compliance and Product, Galit here shares her thoughts on the top five misconceptions merchants have about PSD2.
Galit Michel, VP of Payments, Forter
Before the revised Payment Services Directive (PSD2) went into effect, there were a lot of questions, concerns, and misconceptions about how the new regulation would change online payments.
Much of the discussion around PSD2 has centered around the transparency of banks and the friction on consumers. As a result, the entire ecosystem is concerned about the impact on revenue generation and profitability.
Merchants must recognize that PSD2 is just part of the new payment revolution; once they do that, it will be possible to leverage this new directive into a stronger payment solution that will benefit their customers and their bottom line.
In my conversations with top eCommerce leaders, I discovered that several misconceptions are shared by merchants, and want to help explain them.
“PSD2 will protect my business from fraud”
This is one of the most common misconceptions about the new directive and one of the most detrimental ones to merchants.
Many merchants believe that PSD2 will protect their business from fraud because they will perform 3D-Secure authentication on all transactions, and as a result, chargeback liability will be passed to the banks and they no longer have to worry about it. However, that is wildly incorrect.
While part of the goal of PSD2 was to make online payments safer for consumers, the directive never intended to replace fraud prevention solutions.
PSD2 did not take into consideration the sophistication of fraudsters. As more consumers turn to online shopping worldwide, fraudsters constantly develop new ways to manipulate and deceive online payment systems and bypass the multi-factor strong customer authentication (SCA) methods required under PSD2.
Ultimately, the most important thing to remember is that PSD2 is not a fraud solution. What PSD2 does, however, is harm conversion rates. Merchants who do not have a fraud protection solution in place will, as a result, suffer from higher fraud rates, increased chargebacks, and reduced conversion.
“Under PSD2, 3D-Secure (3DS) must be applied to my entire payment portfolio”
Many merchants believe that under PSD2, they will have to apply 3DS to their entire payment portfolio; however, doing so is not only unnecessary, but it will almost certainly impact their profitability and negatively impact customer experiences. I recently spoke to a merchant in Spain that applied 3DS to all his transactions in an effort to be completely PSD2 compliant. The result was a 25% decrease in revenue. This merchant failed to understand the reason for declines, not realizing the complication that 3DS causes both from the payment ecosystems perspective and from the consumers’ side.
The 3DS authentication process introduces significant friction and often leads to user abandonment or failure to complete the 3DS challenge. This can occur due to confusion over the process, technical issues such as users not receiving the SMS with the code to complete the purchase, or simply because consumers have more time to second guess their purchase and decide not to complete it.
Even consumers that do complete 3DS authentication may not be authorised. This is because 3DS authorisation sometimes has a higher decline rate due to the fact that acquirers do not want to take chargeback liability upon themselves.
Under PSD2, merchants can request 3DS exemptions for relevant transactions, with the most important type of exemption being Transaction Risk Analysis (TRA) exemption.
For a merchant to be granted a TRA exemption and to leverage PSD2 exemptions to their benefit, merchants should have a payment optimisation and fraud solution in place that includes a powerful exemption engine, as well as ensure they have an accurate and comprehensive overview of their payment ecosystem to understand how prepared their ecosystem is for the new directive.
“PSD2 is a legal issue, so only the legal department needs to deal with it”
PSD2 is much more than a legal and compliance issue; it is a far-reaching directive that directly impacts profitability and revenue generation.
While the responsibility for ensuring compliance is the role of legal departments, mitigating its impact is a company-wide endeavour. PSD2 requires infrastructural changes that necessitate IT/technology departments’ involvement, especially if a merchant wants to enable payment optimisation and request SCA exemptions.
Customer satisfaction and experience departments also need to be concerned about the impact of PSD2 because of the friction it creates for consumers. By increasing the touchpoints that consumers encounter and complicating the checkout process, the entire user experience is negatively impacted by the new regulation. This is particularly critical for merchants who will solely rely on 3DS to process transactions and will not seek to integrate dynamic 3DS or non-3DS transactions into their payment offering.
Operations and eCommerce teams who monitor revenue generation also need to care about PSD2 because of its impact on declines. Paying closer attention to the decline and abandoned rates within the 3DS authentication phase will provide critical insight regarding the number of consumers that are lost during the 3DS checkout process, as well as the inclination of acquirers to accept exemptions and their preferences for 3DS over non-3DS transactions and vice versa.
“More declines are inevitable, and merchants just have to deal with it”
While declines may rise, there are many things merchants can do to reduce their impact, specifically leverage exemption requests to reduce the need to use 3DS on all transactions.
Under PSD2, merchants can apply for exemptions for eligible transactions including low-value transactions and low-risk ones. However, acquiring banks may reject exemptions and non-3DS transactions if they deem them too high risk.
Merchants that want to take advantage of the most common exemption, Transaction Risk Analysis (TRA) need a powerful fraud prevention solution and exemption engine in place. When merchants apply for TRA exemptions and have a fraud prevention solution, that will increase their chance of the exemption being granted. In addition, fraud prevention solutions often take chargeback liability upon themselves, allowing the merchant to avoid liability as well as3DS while maintaining PSD2 compliance.
Declines can also be from the issuer’s side. Issuers may not be able to process 3DS2 and, as a result, may rely on 3DS1 which has higher abandonment rates. Issuers may also opt to use stand-in-processing (STIP) to complete 3DS. When using STIP, another processor, namely Visa or MasterCard, evaluates the risk and decides whether to take chargeback liability. If there is a low-risk, the liability then shifts back to the issuer, who may choose to decline the transaction simply to avoid the risk, even if it is a low risk.
Knowing where the declines come from can provide merchants with the ability to adapt their operations accordingly, ultimately reducing the number of declines they experience and increasing their revenue generation and profitability levels.
“PSD2 will never go into effect in the UK! I’m American – I don’t even care about Europe”
While the rollout of PSD2 has been pushed back more times than the regulators would like to admit, it would be prudent to think that PSD2 will never go into effect or that it will not impact the operations of those who are based overseas.
In the UK, PSD2 has already been written into law, and as a result, its implementation is inevitable, despite the fact that Brexit has many thinking otherwise. Other countries in Europe have already altered their operations to enforce the new regulation, and the rollout is expected to continue.
Merchants that do not have to comply with the directive may find themselves losing opportunities in countries where PSD2 is mandated due to their failure to acknowledge the regulation and adapt their checkout process for the European market.
Merchants should also remember that what happens in Europe doesn’t always stay in Europe. Other regulations that were initially implemented in the EU later were adapted and implemented in the United States, Australia, and more.
Now is the time for merchants to recognise that the global payment environment is changing, and they have to change with it. Staying behind and not integrating innovative solutions, protecting their operations with fraud prevention solutions, and shifting their operations to be customer checkout experience-focused will ultimately cost them customers – and that is the last thing merchants want to sacrifice.