Why PSD2 gives merchants the upper hand around strong customer authentication

This article was originally published in Payments Card and Mobile.

The Second Payment Services Directive (PSD2) certainly covers a lot of ground, but one important and largely overlooked aspect is the requirement that:

"strong customer authentication […] should be applied each time a payer […] initiates an electronic payment transaction"


Prima facie, this means that all online card payments initiated by European customers in Europe now need to use 3D Secure, a technology so notoriously poor for conversion that most sophisticated merchants today deploy it selectively, for only the riskiest transactions.

When this requirement was first floated by the European Banking Association (EBA), they got more than they bargained for: the payments industry strenuously objected to this regressive and unnecessary stance.

The outcry prompted a concession from the regulators: Exemptions.

Exemptions from Strong Customer Authentication (SCA)

There are three primary exemptions from SCA relevant to online card payments: Low Value Transactions, Merchant Initiated Transactions and, most importantly, "Low Risk Transactions".

If you're able to determine that a transaction is Low Risk by using Transaction Risk Analysis (TRA), and your aggregate fraud rate is low, you may request an exemption from SCA.

That headline requirement should now read:

"strong customer authentication should be applied each time a payer directly initiates a […] non-low value electronic payment transaction […] unless you're very good at Fraud Detection"
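To make the exemption logic above concrete, here is an added Python example (it is not code from the original article or from Ravelin) that computes the fraud rate of a small constructed acquirer portfolio and decides which exemption, if any, an acquirer could request for each incoming transaction. The thresholds are assumptions taken from the SCA RTS (Commission Delegated Regulation (EU) 2018/389: the EUR 30 single-transaction cap in Article 16 and the 0.13%, 0.06% and 0.01% reference fraud rates for the EUR 100, 250 and 500 tiers in Article 18); they are not stated on the page. The `fraud_score`, the `risk_cutoff` and all transaction records are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

# Thresholds assumed from the SCA RTS (Delegated Regulation (EU) 2018/389); they are
# not stated on the page. Article 18 reference fraud rates as (max amount EUR, max rate).
TRA_TIERS = [(100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001)]
LOW_VALUE_LIMIT = 30.0  # Article 16 single-transaction cap for the low-value exemption


@dataclass
class Transaction:
    amount: float                    # EUR
    fraud_score: float = 0.0         # hypothetical TRA model output, 0 (safe) .. 1 (fraud)
    merchant_initiated: bool = False
    is_fraud: bool = False           # known outcome; only used for the portfolio rate


def portfolio_fraud_rate(history: List[Transaction]) -> float:
    """Value-based fraud rate of the acquirer's portfolio: fraudulent value / total value."""
    total = sum(t.amount for t in history)
    if total == 0.0:
        return 0.0
    return sum(t.amount for t in history if t.is_fraud) / total


def tra_ceiling(fraud_rate: float) -> float:
    """Highest transaction value the acquirer may exempt via TRA at this fraud rate (0.0 if none)."""
    ceiling = 0.0
    for max_amount, max_rate in TRA_TIERS:
        if fraud_rate <= max_rate:
            ceiling = max_amount
    return ceiling


def exemption_for(tx: Transaction, fraud_rate: float, risk_cutoff: float = 0.2) -> Optional[str]:
    """Name of the exemption the acquirer could request, or None when SCA must be applied.

    Order matters: merchant-initiated transactions are out of SCA scope regardless of
    amount, low-value transactions never need TRA, and TRA applies only when both the
    portfolio fraud rate and this transaction's risk score are low enough. The per-card
    cumulative low-value counters are omitted for brevity.
    """
    if tx.merchant_initiated:
        return "merchant_initiated"
    if tx.amount <= LOW_VALUE_LIMIT:
        return "low_value"
    if tx.amount <= tra_ceiling(fraud_rate) and tx.fraud_score < risk_cutoff:
        return "transaction_risk_analysis"
    return None


# Constructed portfolio history: 199 clean EUR 1000 payments and one EUR 100 fraud,
# giving a value-based fraud rate of about 0.05 %, which lands in the EUR 250 tier.
SAMPLE_HISTORY = [Transaction(amount=1000.0) for _ in range(199)] + [
    Transaction(amount=100.0, is_fraud=True)
]

# Constructed incoming transactions to decide on.
SAMPLE_INCOMING = [
    Transaction(amount=25.0, fraud_score=0.9),            # tiny amount: low-value exemption
    Transaction(amount=200.0, fraud_score=0.05),          # low risk and under ceiling: TRA
    Transaction(amount=200.0, fraud_score=0.5),           # too risky for TRA: SCA required
    Transaction(amount=400.0, fraud_score=0.05),          # above the EUR 250 ceiling: SCA required
    Transaction(amount=900.0, merchant_initiated=True),   # MIT: out of SCA scope
]


def decide_all(history: List[Transaction], incoming: List[Transaction]) -> List[Optional[str]]:
    """Apply the acquirer's current portfolio fraud rate to every incoming transaction."""
    rate = portfolio_fraud_rate(history)
    return [exemption_for(tx, rate) for tx in incoming]


if __name__ == "__main__":
    rate = portfolio_fraud_rate(SAMPLE_HISTORY)
    print(f"portfolio fraud rate {rate:.4%}, TRA ceiling EUR {tra_ceiling(rate):.0f}")
    for tx, decision in zip(SAMPLE_INCOMING, decide_all(SAMPLE_HISTORY, SAMPLE_INCOMING)):
        print(f"EUR {tx.amount:>6.0f} score {tx.fraud_score:.2f} -> {decision or 'SCA required'}")
```

The point the example makes is the one the article makes in prose: the TRA ceiling is a property of the whole portfolio, not of the individual transaction, so a single high-fraud merchant drags every other merchant's eligible ceiling down. A real implementation would compute the rate over the rolling quarter the RTS prescribes and track the per-card cumulative low-value counters, both of which are left out here.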

Regulated Entities

Under PSD2, transaction fraud liability resides with the entity that triggers the exemption. For our purposes, the entities here are 'regulated payment service providers', which in online card payments means Issuing and Acquiring Banks.

Since it's the Issuing Bank performing the SCA, it's usually the Acquiring Bank that will request the exemptions from SCA and assume liability for any resulting fraud.

What this means for Acquirers

Only Acquirers with low fraud rates across their entire portfolio, and compliant transaction risk monitoring technology, are eligible to use Transaction Risk Analysis (TRA) exemptions from SCA.

The ability to use these exemptions will become a key differentiator between Acquirers, with merchants moving their volumes away from players who force them to use 3D Secure.

Acquirers will have to work hard to attract and retain low risk merchants in their portfolio, and may even contemplate splitting their entity into two cohorts, low and high risk, with all the legal and operational burden that entails, in order to remain competitive and attractive to demanding merchants.

Put another way, Acquirers who operate a high risk portfolio or are unable to perform Transaction Risk Analysis will only be able to compete on price. This might suit some Acquirers, but not those with an eye on margin, profit and longevity.

What this means for Merchants

A key part of any online payment strategy is optimising for high payment acceptance and conversion, where a smooth user experience is at the core of both. Since blanket use of 3D Secure is so unappealing to sophisticated merchants, the ability to avoid it wherever possible is a key requirement for any Acquirer the merchant may choose to use.

Merchants with historically low and well managed fraud rates and high or growing volumes will be in increasingly high demand by Acquirers seeking to maintain the low risk portfolio they'll need to offer SCA exemptions to their merchants.

All this gives the upper hand to merchants in contract and relationship negotiations in this brave new world.
