The revised Payment Services Directive (PSD2) Strong Customer Authentication (SCA) regulation rollout in the EU has been a little bit on the bumpy side so far.
It was supposed to go into effect on Sept. 14 of this year, and while PSD2 did, the SCA part of the regulation has been put on hold.
For how long? Well, that is where things get a little bit confusing, Arjun Kakkar, vice president of Strategy and Operations at Ekata, told PYMNTS in a recent interview.
The SCA part was delayed until the end of 2020, he explained, but the French, Danish and English had already extended the implementation of SCA by 18 months, and they have shared no further information about it.
“So, there is some confusion on the ground,” Kakkar said.
And if we’re being realistic, he said, there is really no end in sight to that confusion, at least in the immediate future, because there are so many nuances per region. The obvious ones are things like language, government and regulation — but there is also a massive number of smaller cultural nuances, so there is no such thing as a simple strategy in terms of dealing with the market.
The push to get to full PSD2 SCA compliance, he said, isn’t going to be an easy switch-on because, as is often the case in the European Economic Area (EEA), there are a lot of moving parts and a lot of details up in the air. Confusion is going to be the rule and not the exception for some time to come.
That is the bad news. The good news, he said, is that unlike even six months ago when nearly half of all EU merchants didn’t even know what SCA was, or what it would mean for them, today when Ekata talks directly with its merchant and acquirer colleagues, it’s clear the message is out.
“When we talk with merchants and acquirers in Europe, we are confident that everyone is preparing with the end of 2020 as the deadline in mind — and all that goes into preparing, like rebuilding their models and getting ready to fully comply with the latest 3D Secure protocol for customer authentication,” he said.
What will that compliance look like in the in the EEA and around the world? That, Kakkar told PYMNTS, depends very much on location and merchant type.
Why Bigger is Better in SCA Adoption
PSD2 SCA requires issuing banks to make decisions based on additional transaction risk data, and some issuing banks are more ready than others. What Ekata is hearing from merchants and acquirers, Kakkar said, is that the more sophisticated and multinational the enterprise, the more serious and prepared one is likely to find the banking environment.
That is probably to be expected. Less expected, he said, is how merchants of various size and sophistication are struggling with the change in different ways.
Every merchant and acquirer will have some struggle with this, he said, as large regulatory overhauls, particularly across individual economic areas like the EEA, are always going to be a challenge. But in the case of SCA, the challenge is particularly sharp because of how consumers have been trained to use mobile and digital commerce over the last decade. The common expectation is that the experience will be smooth, friction-free and tap-and-go. The two-factor authentication (2FA) requirements of SCA, he noted, are going to jam that experience.
And that is going to be a problem for consumers, according to Ekata’s survey of over 7,000 consumers across the EU and U.S., Kakkar said. When asked what is most important in an eCommerce transaction, consumers rank security slightly above convenience. But that stat, he noted, is a bit misleading.
“We found that customers care about both of them — trust as well as speed,” he said. “They want both, and they won’t go with just one or the other if they have the option of taking both. And that is what is happening with the larger players versus the smaller players — larger players are simply able to provide both trust and convenience.”
First of all, he said, larger merchants are more likely to meet the trusted beneficiary exemption criteria for the SCA rules. That allows consumers to mark particular merchants as already trusted with their issuing bank, which means they will be able to check out as normal with no pause to comply with SCA. That’s great for large marketplaces like Amazon where consumers congregate regularly. It’s less likely to be of great use to smaller merchants and marketplaces, who are much less likely to get that trusted beneficiary exemption.
And, he noted, they are also much less likely to get the benefit of the doubt from consumers.
“On a smaller marketplace when a customer is suddenly bumping against this 2FA requirement, they might just stop shopping and move on,” Kakkar said. “And access to capital is a huge resource in early innings because you can build out more and better work through the regulations.”
Smaller merchants will be able to catch up, he said, particularly as acquirers and PSPs are stepping in and filling the capability gap for smaller players. But, he added, particularly in the rapidly moving environment that is the changeover as of today, those early innings will be bumpy.
The Global Picture
They will be especially bumpy, he said, for merchants based in the U.S. and serving customers in Europe today — not so much the larger ones, which have been actively building changeover strategies for over a year, but smaller ones that are less aware of the EEA regulatory environment as a whole.
Six months ago, he said, more than half of all small European merchants and marketplaces had no idea that PSD2 was coming, what it was or what it might mean for them. The good news is since then, most have gotten fairly clear on all of those things. Even if they aren’t quite sure how to answer those questions, they are aware they have to.
“But you could easily expect the same thing to happen with small U.S. merchants six months before the end-of-2020 deadline,” Kakkar said. “There is an idea that these merchants, because they sell internationally, are going to be more sophisticated and more forward-thinking. But in our experience, that is not generally the case.”
A lot of those merchants, he said, could be facing a decrease in their checkout conversion rates in the EU — and not really understand why it is happening.
That means as 2019 is passing into 2020, and the clock starts ticking loudly when it comes to implementation, there is a lot to be done. And, Kakkar said, a lot more questions need answers than there are easy answers available. It’s not time to worry just yet because there is a good chance that payment service providers could really step up when it comes to implementation — they are both more focused and more proactive this time around than they have been in previous regulatory changeovers.
But it is time to take the one big unknown seriously: By this time next year, PSD2 SCA will more likely than not be going into full effect — and the retailers that aren’t ready to swim along with the changed current will likely be pulled under by it.