How retailers can use PSD2 as a force for good in online payments

The introduction of new regulatory standards contained within the Second Payment Services Directive (PSD2) will, despite the revised deadline for compliance, represent a welcome layer of protection for online shoppers. However, the increased security measures being enforced will also introduce friction to the online shopping process - which is detrimental for retailers and shoppers alike. In fact, in the lead up to the original September 2019 compliance deadline date, several key bodies and organisations issued challenges and warnings about the potential impact of PSD2 on both merchants and consumers. But there are ways that retailers can meet these challenges to minimise PSD2’s negative effects, while still providing a safer shopping experience for customers. Taking advantage of exemptions Now that there’s been a delay to PSD2’s enforcement, the retail community has been given a window of opportunity to address its lack of preparedness. This is much needed, especially as Riskified research recently revealed that a fifth (22%) of European retailers are yet to take any steps to minimise the negative impact of PSD2 on their online revenues. Merchants can now use the time to build a suitable strategy to mitigate any additional friction stemming from the mandated identity verification (Strong Customer Authentication – SCA). Luckily, there are steps they can take. One way retailers can reduce customer friction is by taking advantage of the available exemptions, particularly the ‘low risk’ exemption, which allows transactions between €30 and €500 to go through friction-free Transaction Risk Analysis (TRA), instead of SCA. This exemption is integral to a frictionless shopping flow, and merchants should be requesting it whenever possible. Although it should be noted that in order to push for these exemptions, acquirers must meet certain fraud thresholds (and fraud rates are aggregated across merchants). To help acquirers keep their rates down and increase merchants’ chances of receiving exemptions once PSD2 is being enforced, it’s important that businesses maintain low fraud rates throughout the coming year. Fraud won’t just go away Strong authentication under PSD2 may be effective in reducing Card-Not-Present (CNP) fraud in Europe, but it won’t solve the problem altogether. Fraudsters have proven themselves to be resourceful and adaptive. They’ll be looking for every possible gap to exploit. This means that fraud is likely to expand to markets and channels outside of PSD2’s scope. Moreover, fraudsters can commit account takeover (ATO) attacks before SCA even enters the flow at checkout. And with Account Takeover Attacks (ATO) in particular, we’re seeing fraudsters become increasingly sophisticated - having observed losses from this type of attack more than double year over year. PSD2 will make some types of ATOs harder to pull off - but will encourage fraudsters to exploit other weak links related to stored payment methods, white-listing, in-app wallets and more. So, while PSD2 will hopefully increase online security, it won’t protect retailers from these more sophisticated fraud challenges. Therefore, merchants need to think more broadly about their long-term strategy for e-commerce fraud prevention. Customer discontent to security measures is already well documented There is no doubt that the extra layers of security mandated by PSD2 could mean millions in lost revenue, with our research showing that one-third (32%) of European consumers would rather cancel their online purchase than go through the verification measures. Despite this, some merchants may still choose to take no action and let the regulation dictate the course of their business. As already discussed, we believe it’s crucial that merchants have a strategy to capitalise on the exemptions available. This will maximise top line revenue by keeping customer friction to a minimum. At the same time, retailers need to protect their business and bottom line from constantly evolving, increasingly sophisticated fraud attacks. Focusing on just one of these aspects will inevitably negatively impact the other. Engaging with a trusted partner who has a potent blend of technological capabilities, domain expertise, and regulatory understanding will help ensure that retailers are ready for the challenges ahead. Oded Weinreb, VP Product, Riskified