As of Sept. 14, the legal deadline for the strong customer authentication (SCA) requirement of the Second Payment Services Directive (PSD2) came and went. However, as is often the case when big ecosystems attempt wide and systemic changes, things have not gone quite according to plan.
Only 75 percent of issuers said they were prepared to make the jump as of the deadline. Furthermore, according to the latest edition of PYMNTS’ PSD2 Tracker, only 40 percent of merchants operating in the European Union that are aware of SCA reported being ready as of that date.
In light of the widespread lack of preparedness across the European Economic Area (EEA), Mari Anne Bayliss, director of EMEA solutions management and strategy at CyberSource, felt it was not surprising that — as of the Sept. 14 deadline — regulators in the majority of EEA countries formally confirmed that they would not be enforcing it, and would instead support a phased rollout of SCA.
On the one hand, this is good news, Bayliss told PYMNTS in a recent interview, because a phased supervisory period presents an opportunity for all the stakeholders in the payments and commerce ecosystem to make sure they are technologically and operationally prepared to roll out the best possible version of technology that supports SCA. In talking to CyberSource’s merchant clients, the response to the delay, and the move to a more phased rollout, has been popular.
“This is a big change, and it is all going to take time — and merchants see that,” Bayliss said. “There is an understanding that if we implement SCA too quickly, it could cause some disruption. If we use this supervisory period, where there is some flexibility about implementation, we can take the time to get it right.”
The benefits could be quite significant in terms of providing additional security and, ultimately, a better consumer experience. Yet, Bayliss noted, there is also risk — particularly if the SCA rollout process becomes overly fragmented. There is a lot of movement and change in the environment on a daily basis. The challenge for CyberSource and others is helping their merchant partners build a holistic process in an environment where change is diffuse.
Clarifying The State Of The Transition
Across the EEA right now, said Bayliss, a majority of industry players agree on the need for a transition period. However, as of yet, there is no formal harmonization of migration across the EEA, which means different markets may be doing different things.
The U.K. and France, for example, have both released a detailed framework dependent on an 18-month rollout of SCA. Within that window, both have laid out specific deadlines for various industry players to reach full compliance by the end of the migration period. Hungary, by comparison, has announced a shorter time frame than the U.K. or France: Industry players have only 12 months to get SCA on board.
However, Hungary has not yet laid out a detailed migration plan alongside its timeline. Many regulators, added Bayliss, have not yet come forward with a timeline or migration plan. There is still a lot of uncertainty in the environment, which is why it is all the more important that, as an industry, “we work together to create a harmonized approach to the migration,” she said.
The starting point for SCA compliance is with the issuing banks, Bayliss pointed out. Yet, it doesn’t end there — there are all kinds of tasks for acquirers, payment gateways, merchants and other parts of the payments ecosystem in Europe.
For merchants, Bayliss noted, that means getting an early read on the regulatory requirements in the regions where they plan to operate, and developing a plan with their acquirers and payment gateways on managing the emerging landscape.
The goal is for merchants to think about how they will manage the SCA transition, and to develop a fraud and exemption strategy. That might mean working with existing fraud tools, or building additional tools like the Visa Transaction Advisor. It’s a lot for merchants to think about and take on, Bayliss said. Ultimately, if managed right, she believes it could be a challenge well worth meeting in terms of the dividends it could pay.
The Big Change That Needs To Happen
At the end of the day, the big challenge is to make sure merchants have taken all the necessary steps to be certain they can provide seamless payment experiences within all their markets in a post-SCA enforcement world.
The good news, said Bayliss, is that the entire industry will have more time to work with new technologies, and push them through a reasonable testing and implementation phase. There will also be more time to experiment with SCA solutions that are not only secure, but provide an improved customer experience.
The end goal should be to create a benefit, Bayliss noted. That might mean implementing more seamless security techniques that don’t create friction for the consumer. The idea is not to sacrifice consumer convenience on the altar of consumer security. SCA done right and properly, harmonized across stakeholders, is about technologically providing for both in a way that is mutually supportive.
“The shared goal of the entire ecosystem is to make sure payments are protected, and that when a transaction comes through, it is from a legitimate cardholder and not a fraudster,” said Bayliss.