Finance Monthly August 2019 Edition

the EEA (the so-called ‘one leg out exemption’). In fact, those aren’t strategies at all, if, for no other reason than the fact that none of the exceptions provided will help even the likes of Stripe, Amazon or Worldpay prevent conversion drop off. A winning PSD2 strategy requires rethinking what PSD2 is all about. PSD2 is a long-term consumer protection initiative that requires innovation to make it seamless. It is not a problem looking for a quick fix. Workarounds that seek to be clever — relying on loopholes and half-measures — won’t make life easier for merchants or their customers. In fact, they will lead to more misery for both. Fortunately, the technology to build a successful and sustainable PSD2 solution, fully compliant with the requirements for SCA, is available today. Instead of banking on exceptions, retailers should fix the problems that don’t protect their customers’ payment information. Let’s break down an optimal system into its pieces. SCAand its three elements of measuring possession, inherence and knowledge are at the core of the regulation applicable to retailers. It is also the focus of much of the anxiety around PSD2, because, for most retailers, SCA was considered to be part and parcel with 3D Secure, a safeguard that historically has led to cart abandonment and customer dissatisfaction. The truth is, leveraging the three elements of SCA is an effective safeguard against fraud. SCA is powerful. It works. Requiring authentication based on something the consumer is (biometrics or behaviour, for instance), something the consumer alone knows (a password from before the transaction, for instance) and something the consumer possesses (a digital device as evidenced by a token, for instance), is a robust and secure method. Even if a fraudster breaches one of the three identifiers, that breach doesn’t compromise the other two identifiers. The key development for retailers to keep in mind here is the EBA’s June opinion that rightly stated that implementing 3D Secure 2.0 is not the same as implementing SCA. (The protocol doesn’t even have the ability to pass information regarding the inherence element of SCA.) The EBA stated plainly in its 21 June memo that: “communication protocols such as EMV 3-D Secure version 2.0 and newer would not currently appear to constitute inherence elements, as none of the data points, or their combination, exchanged through this communication tool appears to include information that relates to biological and behavioural biometrics”. The EBA went on to say that SCA purposefully allows for multiple “authentication approaches in the industry, in order to ensure that the regulatory technical standards remain technology-neutral and future-proof”. We’ve looked at what’s in place and tested the existing protocol and its infrastructure. Authentication systems that rely on 3D Secure, with their communication among the merchant, gateway, at least two banks, the consumer and often back around again can take an eternity on the web — think 15 seconds or more. And, of course, we know what an eternity on the web does to conversions — slow and cumbersome checkout processes are a conversion killer. Nearly 48% of consumers told polling firm Survata, in a Signifyd customer experience survey, that they felt frustrated by checkout experiences that redirect them to another site for credit card verification, a feature of 3D Secure. The Baymard Institute found that 28% of consumers abandoned their carts because checkout took too long or was too complex. The way to completely sidestep the problems with 3D Secure as a protocol is to take ownership of SCA by building or buying a holistic approach to meeting PSD2 obligations. We expect that the best customer experience under PSD2 will involve a machine-learning-based SCA provider conducting dynamic fraud analysis for online retailers, then passing the SCA decision down the 3D Secure rails to eliminate delays in approval, minimise customer friction, and maximise authorisation rates. “ “ A winning PSD2 strategy requires rethinking what PSD2 is all about. 20 www.finance-monthly.com FINANCE & BUSINESS - PSD2