More than a decade in the making, the Revised Payment Services Directive (PSD2) is set to finally take effect throughout Europe in the coming months. It is a massive piece of regulation, and its full implementation was delayed due to challenges in adopting and enforcing Strong Customer Authentication (SCA). Much virtual ink has been spilled on the topic of how the PSD2 and SCA will affect the banking sector. By contrast, the Directive’s effects on consumers have been woefully under-examined.
PSD2: Regulating payments for the Digital Age
The first Payment Services Directive (PSD) was promulgated in 2007 and was replaced by the PSD2 in 2015. Implementation and enforcement have proceeded piecemeal ever since, and are finally set to reach completion across all of Europe before the end of 2021.
Aside from SCA, the PSD2 includes several other mandates that are more directly related to consumer protection. Among these are:
- the reduction of a consumer’s maximum theoretical liability for an unauthorized transaction from €150 to €50;
- the unconditional right to a refund of any direct debit transaction for a period of eight weeks within the Single Euro Payments Area (SEPA);
- the abolition of surcharges on most consumer credit-card and debit-card transactions.[1]
SCA: Taming the Wild West
Strong Customer Authentication (SCA) is part of a constellation of several distinct but related terms. To be specific:
- Two-factor authentication (2FA) / multi-factor authentication (MFA): a general term for any secure method of logging into online accounts, including payments, email, health services and much more. Unlike old-fashioned online security that relied on passwords alone, MFA is based on independent factors, so that if one is compromised, the others are unaffected. Logging in requires at least two of the following factors:
  - Knowledge: something you know, such as a password;
  - Possession: something you have, such as your smartphone;
  - Inherence: something you are, such as your fingerprint or iris scan.
- 3D Secure 2.0 (3DS): a 2FA system that was originally designed for Visa but is now used by many payment systems.
- Strong Customer Authentication (SCA): the term used by the European Union (EU) in the PSD2 for its mandate that MFA systems, such as 3DS, be used for many payments.
Among the stated objectives of SCA are the related concepts of fraud reduction, improved security and consumer protection. While all of these are undoubtedly admirable goals, it is worth taking a closer look at how and for whom mandated SCA is particularly useful and/or desirable.
Mandating SCA: Cui bono?
Requiring all banks and merchants to adopt SCA in order to reduce fraud helps whom exactly?
- The consumers?
  - Fraud costs are borne primarily by merchants and not consumers. Existing regulations and card network rules already absolve customers from responsibility for most unauthorized transactions. At the same time, the increased friction and aggravation of multi-factor authentication may be a barrier to making purchases. This is especially true for some of the most vulnerable populations, such as seniors with limited technological access and skills and immigrants who may face language barriers.
- The merchants?
  - Each merchant can already measure the costs (including technology adoption, customer avoidance and customer purchase abandonment) versus the benefits (reduced fraud cost) of implementing SCA, and many already implement it voluntarily. In the event a merchant has made an informed business decision—based on factors understood best by them—to absorb the costs of fraud in exchange for more frictionless customer experiences, forcing that merchant to implement SCA may cause irreparable financial damage.
- The banks?
  - Some banks may welcome the increased stability and predictability of lower fraud levels and more uniform sets of expectations, even given the possibility of additional work and costs and at the expense of harming some of their own customers and merchants.
- The authentication providers?
  - Currently, there are several SCA solutions from which to choose. The PSD2, while not explicitly mandating one over another, nevertheless creates a climate of compliance anxiety that may lead to herd adoption of a single solution. It may not be surprising if, in a few years, SCA is effectively synonymous with 3D Secure 2.0. Such a market contraction would effectively kill competition, reduce innovation and increase costs.
Acquiring banks: Mercy for the merchant
Those merchants that have thus far resisted adopting multi-factor authentication may have done so for good reason. Therefore, it is not unreasonable to predict that many of them will suffer considerable hardship, at least through the first six months to a year following adoption.
Businesses operating on the tightest margins may not survive. It is important to remember that the transition to SCA will not be identical for every merchant. It can be far more challenging for some based on factors such as industry, size, business model, population segment served and many others. For an oversimplified example, consider that a business retailing hearing aids may find the switchover to SCA somewhat rockier than a gaming-app store.
To be sure, banks will need to take an individualized approach when formulating expectations and processes in the coming months, if they haven’t done so already. Such approaches should take into consideration the capabilities and flexibility of various merchants, in addition to the needs and room for flexibility on the bank’s part.
Issuing banks: Consider the consumer
SCA was designed first and foremost to combat fraud. It is also intended to shift liability for unauthorized transactions as a means of discouraging friendly fraud. Also known as chargeback fraud, friendly fraud occurs when the legitimate cardholder disputes a transaction despite having received the goods or services. Both are, without a doubt, laudable goals. Friendly fraud costs merchants tens of billions of dollars per year; in fact, it consumes a full 28 percent of all ecommerce revenue today.[2]
What the PSD2 and SCA fail to address is cardholder disputes of authorized transactions. Worse yet, they threaten to exacerbate and further normalize the common but mistaken equation of chargebacks with fraud. The reality is that the very changes in purchasing habits that spurred the development of the PSD2 have also led to increases in these more complex, non-fraud payment disputes.
Today, online transactions are the norm. COVID-19 and the resulting stay-at-home policies have accelerated the spread of ecommerce even further. Ecommerce purchase volume rose globally by 15 percent over the first half of 2020 compared with the same period of the previous year.[3]
Predictably, more card-not-present (CNP) transactions mean more disputes. The fraud and friendly-fraud aspects have been well covered. However, even with the best intentions, when purchases are made online, with less opportunity to examine the goods closely or discuss them with the seller, the chances of dissatisfaction go up. In fact, the world is seeing an unprecedented increase in authorized-payment disputes, with December 2020 values more than 25 percent higher than a year earlier.[4]
Specifically, in the EU, the European Central Bank (ECB) recorded a 66-percent increase in CNP fraud between 2011 and 2016, which was the main driver of the 35-percent increase in fraud overall. Online fraud now makes up 73 percent of fraud in Europe, and that share is steadily rising. In fact, CNP fraud was the only type that saw any increase at all.[5]
First and foremost, banks’ management teams need to clearly communicate to dispute departments and all customer-facing staff that authorized disputes play an important part in a bank’s ability to serve customers. It is critical that this message be accompanied by adequate training in identifying and resolving these disputes. Where possible, staffing levels should be increased as well, as dispute numbers are unlikely to level off any time soon.
Second, and hardly less essential, bank dispute departments need to make customers feel valued and understood in the event of non-fraud chargebacks. They feel forgotten when claims take an unreasonable amount of time to process. They feel unvalued when the message they receive—explicitly or implicitly—is that the only real chargeback is a fraud-related one. They feel unheard when their valid disputes are denied due to a lack of attention or training on the part of the banker.
Banks that can successfully navigate these challenges will be positioned to better serve customers in this transitional period. The rewards will be well worth the effort.
[2] Steve Durney, “Friendly Fraud Hurts Merchants, Issuers and Cardholders: Here’s How”, Card Not Present, February 7, 2019.
[3] “ACI Worldwide Research Reveals Increase in June eCommerce Sales – Largest Since the Start of COVID-19 Pandemic Restrictions”, Businesswire, July 14, 2020.
[5] European Central Bank, “Fifth report on card fraud, September 2018: Executive Summary”.