The Payment Services Directive two (PSD2) has been designed to create better fraud protection for online purchases.
Card Not Present fraud (payment cards, remote banking and cheques), totalled £768.8m last year, +2% compared to the year before. This isn’t surprising given the growth of internet users (2016 was up 10% compared to 2015). Online spending now accounts for nearly a quarter of all retail purchases and has seen a 10% increase YoY.
At the same time, more than half of the world’s web traffic comes from a mobile phone. This growth in digital usage is contributing towards a huge rise in online purchases. And a rise in fraud. PSD2 is poised to help relieve this threat. But how does it influence the digital journey?
With 85% of applications conducted online not completed, and a fair proportion of shopping carts abandoned before confirming the transaction, many businesses are already finding converting sales a challenge.
Overlaying that with impending regulations such as PSD2, which is set to prescribe how businesses should undertake real time fraud assessments, and it creates a whole new framework that payment providers need to understand. And embrace.
What is PSD2?
PSD2 was introduced with a clear objective; protecting the customer. It also advocates innovation and security whilst encouraging competition.
PSD2 sets out that an organisation who is taking payments, without the person present, needs to follow a prescribed process to authorise the payment. This is known as strong customer authentication (SCA). Put simply, it means that a Payment Service Provider (PSP) should now be confident that the Payment Service User (PSU) is who they say they are.
To ensure that this happens, PSD2 has tightened up the rules around authentication.
The move from 3D secure to Strong Customer Authentication (SCA)
At present, many have adopted 3D secure. Moving forwards, PSD2 outlines that this isn’t robust enough and new processes that are much more embedded into the customer verification process will need to be used.
Payment authentication levels are governed by a range of factors. One of these is the value of a transaction. Outlined in the PSD2 criteria are a series of values that articulate when you need to proceed through additional layers of authentication [strong customer authentication], and when you don’t.
The criteria bandings are currently: €100, €250 and €500. Therefore any payment that is in excess of €100 needs to go through a process flow to assess the authentication level needed.
Let’s look at an example of an online purchase post PSD2. Someone, for the sake of explaining – named Ben, wants to purchase a bike, costing £800 (today this would be €970).
The value of the transaction means the payment provider needs to go through checks in order to authenticate, and initiate the payment. The ‘journey’ looks a bit like this:
The retailer sends the payment request to the payment provider (which we will use as a bank in this example), who would manage the process from there.
At this stage, Ben could be asked to log on to his bank account and confirm the transaction. But, to obtain the payment authorisation he needs to have two separate forms of verification. So, Ben needs to authenticate himself using two factors of authentication.
This is something he knows (e.g. a secure phrase such as a pin number), has (e.g. a security token), or is (e.g. a biometric like a fingerprint).
As the value also exceeds the outlined thresholds additional checks need to be undertaken – regardless of passing the authentication processes so far.
This includes validating against the organisations overall fraud ratio. If it exceeds a certain level, they are restrained on what value they can complete without strong factor authentication.
In addition, the bank will also need to check 5 external factors too. These include:
- Is this likely to be Ben’s phone? Has he made payments before, or are there any configuration concerns with that device?
- Is the Malware present on Ben’s device?
- Known fraud – are they on a fraud database, such as National Hunter and Cifas databases for example?
- Location – are there any concerns with the location of where the payment request is coming from?
- Fraud patterns – Again, using device monitoring to see if there any evident payment patterns that are indicative of fraud? Are they initiating multiple payments from a single device?
The difference between single sign on and integrated biometrics
If people are transacting online then giving a biometric authentication could pose a challenge. Many people currently use single sign on using their phone, but this isn’t deemed secure under the new legislation. As such, biometrics will need embedding into the bank validation process in order for them to store and verify against.
Last year Juniper predicted there would be five billion biometric-authenticated payment transactions by 2019, up from less than 130 million in 2015. According to new data from Visa, biometric adoption is certainly on the right track. As it is ‘always on you’, it can also be a convenient method of authentication for a customer. It has the potential to enhance the customer journey and not cause any unnecessary friction. The question will be how you do it.
On the other side, something you have: card readers were at large phased out a few years back – spurred by customers who opted for chip and pin and touch IDs. Will the new PSD2 regulation bring them back? What will this mean for the customer? Perhaps there is an opportunity here for phone companies to integrate technology into the device which does the same thing?
PSD2 and customer experience need to be integrated into the customer journey
There are so many elements of PSD2 that will influence the customer purchase journey.
Created to protect the customer, banks, payment providers and retailers need to consider the level of friction that could incur for their customers when transacting remotely. Considering what they can do to relieve this as much as possible.
People won’t tolerate disruption to their shopping experience, they will simply look for the easiest route. This is where a competitive threat becomes much more apparent as those who are able to create a frictionless, smooth journey will be the ones who reap the rewards of customer engagement.
Businesses need to consider how PSD2 and fraud monitoring will integrate into the customer journey without having any negative impact on the customer experience. How will you formulate all the prescribed criteria in order to make a decision on the transaction authentication level? These are all areas for exploration.
At the moment dynamic data sharing isn’t being used in a payment context. But, it is common to apply Cifas known fraud checks at the point of a payment transaction. Could this help businesses with better identification of fraud? If it were to be applied earlier?
Monitoring device will be important, and especially pertinent in the now mobile era. Understanding more about the patterns of device use can help identify any concerns or discrepancies which require further exploration.
Keeping overall fraud low will be equally essential – and could be the difference between needing strong customer authentication, and not. Therefore, whilst new methods and new steps need to be considered for payments, keeping on top of your overall fraud levels should remain a core focus.
Bring your customers with you. Help and guide them.
It is also important that you think about any customer education programme.
For the past 15-20 years a focus has been around educating customers on chip and pin – more recently contactless. PSD2 will require the same, if not more intense, education.
Research shows that the biggest barrier to giving data is their uncertainty of how it will be used. If they understand the reason is for their protection, they are more likely to embrace it and not perceive any change as cumbersome and fractious.
Considering the foundations you can develop in order to comply, whilst at the same time how you can best serve the needs of your customers, will be the key to PSD2. Protecting them, and you.