PSD2 Will Impact Online Merchants, Even Outside Europe
— August 23, 2019
After years of planning and negotiation, the revised Payment Services Directive—commonly known as PSD2—is now undergoing a gradual rollout in the EU. Lawmakers intended the legislation to be a new means of facilitating competition, bolstering consumer protections, and standardizing each party’s rights and responsibilities during a transaction.
Making a long story short: the ruleset requires banks to share consumer data. Now, account information service providers, or AISPs, and payment initiation service providers, or PISPs, can access users’ information (with the customer’s consent, of course). This opens the door for tech firms like Facebook and Google to establish a foothold in the payments industry.
Simultaneously, merchants are required to implement Strong Customer Authentication (SCA) standards to try and reduce fraud. It’s true that some facets of PSD2 have been pushed back, but we’re still moving forward regardless.
PSD2 presents an opportunity for consumers to benefit from better authentication and to have more options in payment services and financial products. That said, there could be negative ramifications too, both for merchants and consumers.
Balancing Security & Friction
When we talk about “friction,” we refer to any point during the customer experience at which resistance can pop up. And, as has been pointed out, Strong Customer Authentication standards create friction for customers.
With the new rules, customers must verify their identities based on at least two of the following indicators: something the customer knows, possesses, or inherently is. For example, a password and a biometric scan would suffice, as would a password and text verification.
Contemporary customers expect faster, easier interactions with less friction. As a merchant, it’s in your interest to deliver on that expectation. This is a problem, though, given that adopting the security measures demanded under PSD2 will, by definition, create more friction.
Don’t get me wrong; I’m not saying more security is bad. Rather, my point is to note that security is a delicate balancing act. We have the risk of negatively impacting the customer experience on one hand, and developing strong security standards to prevent fraud on the other. SCA standards essentially set the floor much higher for the minimum amount of friction it’s possible to achieve in the transaction process. To compensate, you need to minimize friction in other areas, without removing other necessary barriers against fraud and abuse.
…it’s a tall order, to say the least.
What About Chargebacks?
If you’ve been in business long enough, you’ve probably experienced the odd chargeback here and there. These forced payment reversals are a right guaranteed under law in the US and abroad.
Most merchants probably aren’t huge fans of chargebacks. After all, they only come up when things go wrong and customers demand their money back. Chargebacks are also prone to widespread abuse in the forms of friendly fraud and cyber shoplifting. Regardless, chargebacks are still an important consumer protection mechanism, designed to protect buyers against fraud and abuse and ensure confidence in the market.
PSD2 throws another complication into the mix here, though, because it’s not clear how the chargeback process will work with a PISP.
The legislation opens the door for third parties like Google, Apple, Facebook, or any number of other companies to serve as payments facilitators. The chargeback process, however, was built specifically with banks in mind. We don’t know how—or even if—customers will be able to file chargebacks with a PISP. An inability to recover one’s money in the event of abuse could shake consumer confidence.
PSD2 Impact Felt Beyond Europe’s Shores
“But wait,” you might say, “PSD2 only impacts EU merchants, right?” Unfortunately, that’s not really the case. Even if you’re here in the US, the new rules could still impact you.
Jonathan Dranko of Worldpay points out that some US merchants will be subject to SCA practices. “If your business operates globally and processes any payments locally in the EEA (European Economic Area), you may be subject to the directive,” he says. “If a merchant cannot authenticate or exempt a transaction based on the SCA criteria…then there is significant risk that issuers will decline the transaction, which could cause merchants to lose sales and revenue.”
Merchants in this situation find themselves with a choice: either comply with PSD2 and take on the added challenges and costs of compliance, or scale back business in the lucrative European market. Given that buyers in the EU spent an estimated $678 billion online in 2018—significantly more than per-person spend in the US—the latter doesn’t really seem like an option.
As if that weren’t enough, throw in the new roles open for payment service providers. Facebook already unveiled their Libra digital currency, signaling that payments and fintech play a central role in the company’s vision for its future. Inviting these new parties into the cross-border payments space could prove lucrative for merchants. The problem: there’s just no way to be certain.
Online merchants are stuck between a rock and a hard place on this issue. There’s no single solution that will work for everyone, and there are too many variables to have many concrete answers. As the PSD2 rollout progresses, finding a path forward is going to involve some trial-and-error. It’s not ideal, but if merchants can account for that and be prepared, they can at least minimize the impact.