Updated Technical Standards for PSD2 and The E-Commerce System

Updated Technical Standards for PSD2 and The E-Commerce System
12.01.2017 07:45 am

Updated Technical Standards for PSD2 and The E-Commerce System

Compliance

The European Banking Authority recently drafted the latest technical standards for the Payment Services Directive II (PSD2), which serves as the legal foundation for a new cross-EU payments market. In 2016, European e-commerce sales are expected to increase 17% to €183 billion and the use of payment service providers (PSPs) is increasing significantly. Couple this with the changing attitudes around Internet banking and online payments, it is no surprise that the directive is coming out at this time, as the payments market is changing at such a rapid pace.

 

A new standard is being defined for the market. But does PSD2 take Card Not Present (CNP) payments in the right direction? Within the latest draft, one of the key elements is the requirement for strong customer authentication for all transactions except those under a certain monetary threshold. However, strong customer authentication is most often to the detriment of the convenience for customers.

The inclusion of CNP transactions

The original password-based 3D Secure protocol (v1.x) added too much friction into the transaction and consequently suffered from a lack of user adoption. This, plus the prevalence of new payment methods like mobile and eWallet, have led the industry to call for an updated protocol.  Led by EMVCo, industry leaders and security vendors came together to develop the long-awaited, and recently released 3D Secure 2.0 protocol which eliminates static passwords and recommends a risk-based approach for card-not-present transactions (and several other new enhancements).

With a risk-based approach, every transaction is still evaluated to ascertain if it should be flagged as suspicious or potentially fraudulent. For most issuers, a typical fraud rate is <1-2%, so it is imperative to be able to identify only the highest risk transactions to challenge for further authentication.

The impact of customer authentication for card issuers

A major UK bank, found that when it moved away from mandatory password-based authentication for all transactions, it realised a 4% increase in transaction success rate as a result of improved customer experience. This translates to a 4% growth in transaction volumes, not only for issuers, but also for the merchants, the card schemes and the acquirers, and most importantly the customers. However, if friction to the end user experience is added, it’s possible to lose 4% of sales. That is not a figure any provider in the e-commerce ecosystem wants to be reporting to their key stakeholders.

Experience from the field

What about the increased fraud? We’ve found that risk-based authentication can improve fraud detection rates when compared to 100% authentication. Issuers, merchants, acquirers, card schemes and, especially, cardholders benefit tremendously from a risk-based approach. Less fraud and less friction is a win-win combination.

Despite the successes from this approach, there’s always room for even higher fraud prevention rates with improved omni-channel visibility. For example, when looking at card-issuing banks in the UK, the bank’s view of a digital footprint starts at application for the new card account, and is reinforced through every interaction the customer has with them. This includes every time a user logs into online banking and every time a CNP transaction is carried out online. In isolation, an expensive watch being purchased online may look like a high-risk transaction. However, when cross-referenced, the bank will see it’s the same device from the same location that was used to open the credit-card account giving them much greater confidence that the transaction is being performed by the legitimate cardholder. Is it necessary for the user to get up and go find the hardware token to authorize a low risk transaction?

What the future holds

The EBA is being overwhelmed by the amount of responses to the technical standards consultation. The industry is saying that the proposed technical standards are counterproductive to the goals of the PSD2 and even the 3D Secure 2.0 protocol – to provide strong customer authentication and a friction-less customer experience. In the card not present space it took more than ten years, but issuers and merchants learned that a challenge all approach did not work and thus a major change was necessary.

Such is the nature of the technology required to address the ever-changing fraud threat, organisations must incorporate layered fraud prevention using a number of technologies. Vendors will need to do much more to provide components that fit neatly into the organisation’s architecture to address a specific problem.

To challenge the EBA, it’s necessary to look at the bigger picture, and not just the transaction in isolation. Of course, they will cite the fact that not all PSPs are equipped with the resources and the data available to big banks. This may be true, but the directive needs to be flexible enough to adapt to that. Don’t penalise the issuers, the merchants, the card schemes, the acquirers – and most importantly, customers – by introducing unnecessary friction that won’t do anything to improve the fraud prevention rate.

The European Banking Authority recently drafted the latest technical standards for the Payment Services Directive II (PSD2), which serves as the legal foundation for a new cross-EU payments market. In 2016, European e-commerce sales are

expected to increase 17% to €183 billion and the use of payment service providers (PSPs) is increasing significantly. Couple this with the changing attitudes around Internet banking and online payments, it is no surprise that the directive is coming out at

this time, as the payments market is changing at such a rapid pace.

 

 

 

 

 

A new standard is being defined for the market. But does PSD2 take Card Not Present (CNP) payments in the right direction? Within the latest draft, one of the key elements is the requirement for strong customer authentication for all transactions

except those under a certain monetary threshold. However, strong customer authentication is most often to the detriment of the convenience for customers.

Related News

W2 looking to support all industries during challenging times ahead

W2, the leading provider of real-time digital solutions for global regulatory compliance, has announced today its help to regulated industries faced with challenges during the... Read more »

ACA Compliance Group becomes sponsoring partner of AIMA

ACA Compliance Group (ACA), a leading provider of governance, risk, and compliance (GRC) advisory services and technology solutions, today announced that it has become a global... Read more »

b-next provides compliance solution to major Russian bank

The German developer of specialised software b-next has concluded the past fiscal year with an important business deal. A major Moscow-based bank has decided to monitor... Read more »

Leading French banking group engages AxiomSL’s comprehensive Global Shareholding Disclosure (GSD) solution

AxiomSL, the industry’s leading provider of risk and regulatory reporting solutions, announces an agreement with a global... Read more »

Queensland-based DayTek Capital Hires Christoph Flefel as Chief Risk and Compliance Officer

DayTek Capital is pleased to announce the appointment of Christoph Flefel, as its new Chief Risk and Compliance Officer.

Mr Flefel is a highly experienced and well-... Read more »

Goldman Sachs to Put the Brakes on Marcus Expansion in UK

Goldman Sachs is planning to slow down the growth of its online retail banking brand Marcus in the UK.

This is to avoid surpassing $25 billion in deposits which would... Read more »

Magazine
ALL
Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel