September 2019 might seem like an eternity away, but for many retailers from the U.K. and around Europe, it’s just around the corner. That’s because, come Sept. 14, PSD2 goes into effect. PSD2, which helps protect consumers and their PII, requires merchants and other companies to perform stronger identity checks when accepting online payments.
These stringent authentication checks, known as SCA, may protect merchants and their customers from digital fraud and cybercrime, but, according to Charles Damen, senior vice president of payment strategy at Worldpay, performing SCA checks presents new challenges for merchants.
“The analogy that I often use is that we’re moving from an opt-in model, where the merchant decides whether to authenticate a transaction, to an opt-out model, where every transaction needs that SCA,” Damen told PYMNTS in a recent interview, adding that changing from one model to another will require effort from both merchants and acquirers like Worldpay. “So, it’s really important to make sure merchants have a means to perform SCAs.”
Getting merchants prepared
The new authentication requirements brought on by PSD2 require merchants and acquirers alike to make major changes to their payment and authentication processes. Businesses have been adjusting these processes for more than two years, which has required companies to maneuver through a long list of changes and rules instituted by the new regulations.
“Two years ago, we started the process and have had a lot of conversations with merchants, working to keep them up to date on the changes to PSD2 and asking them for feedback. A lot of merchants have a very specific perspective, so it was important for us to work with them directly,” he said. “Then we started to focus more on the practical aspects.”
Those practical aspects included setting up and integrating infrastructure that will enable merchantsto comply with the new regulations. SCA requirements force many merchants to perform authentication checks that they otherwise would not complete, and because of this, merchants required new solutions and processes, rather than revamped operations.
Now, Damen said, companies are determining which solutions or authentication methods will best suit their needs. He pointed to 3-D Secure 2.0 (3DS 2.0) as a particularly effective solution for PSD2-related use cases, noting that many merchants have already adopted or plan to adopt 3DS 2.0.
“The biggest and most important element is the authentication method. All merchants need some kind of method to apply,” he said. “The best method would be 3DS, but they need some method of authenticating their customers.”
Getting mechants and acquirers on the same page
Part of the preparation process for PSD2 requires acquirers like Worldpay to be on the same page as the merchants they work with. For example, Damen said that merchants and acquirers need to make sure that they’re using the same versions of the sameauthentication methods. It doesn’t do merchants much good if they’ve adopted 3DS 2.0 only to learn that their payment partners use different authentication solutions, he noted.
On top of that, retailers and acquirers often have different priorities, which can further complicate the process. Merchants may only want to speed up buying and selling, while acquirers are more often concerned about preventing fraud and cybercrime.
“A lot of merchants want to do whatever they can to minimize friction in the entire payment process. We have to do a lot of work with our merchants to inform them and help them learn about fraud,” he said. “We also provide them with tools, so they can manage their fraud, but [note] that understanding is the most important part. A lot of them have been focusing on chargebacks rather than fraud, but now the requirements have changed and there’s more of a focus and need to understand fraud.”
To see what lies ahead
While acquirers and the merchants they serve still have plenty of work to do before they’re truly prepared for PSD2, SCA requirements won’t become effective until September, giving those who are preparing for it a bit more time to get their houses (or stores) in order. In the meantime, Damen expects there to be a “flood of information” before the deadline arrives, as companies scramble to make changes and ask questions regarding exact interpretations of various rules in the final minutes before SCA takes effect. He expects to see more information emerge regarding exemptions, for example, which allow merchants to skip SCA requirements for certain transactions.
“From now until September,” he predicted, “there will be further clarification and further alignment from the payment schemes on the interpretation and proper use of exemptions, which, of course, merchants are very keen on.”
There’s still plenty of time for things to shift, but for merchants that will be forced to comply with PSD2 in a matter of months, the clock is already ticking.