The Retailer's Guide to PSD2

By Will Gillingham

The Second (or Revised) Payment Services Directive (otherwise known as PSD2) is an EU mandate which, when fully enacted, will change the way online payments are handled at the checkout. Until very recently, it was set to be fully launched on 14th September 2019. As its impacts will be felt by online retailers (when it is finally enforced), IMRG have conducted some research and pulled together a grab-and-go guide for those looking for clarity on the subject.

One of the most important things to note straight out of the gate is that compulsory Strong Customer Authentication (SCA), the element of PSD2 expected to impact retailers the most, is possibly being delayed by 18 months. However, this shouldn't alter your sense of urgency on the matter, as advised by J.P. Morgan: 'While some EEA regulators have announced their intention to delay enforcement of Strong Customer Authentication (SCA), a consensus has yet to be reached by all. Due to this uncertainty, J.P. Morgan’s recommendation is for merchants to be SCA-ready by 14 September 2019. This is the safest way to protect against transaction declines by individual countries and issuers that proceed with the original SCA date of 14 September.'

If all this is reading a little like TV static, don’t worry: we’ll explain everything in simple terms below, so you can navigate away from this article equipped with everything you need to know about PSD2 and how it might affect you. To get a rounded sense of the legislation from those who are already well-versed in it, we approached payments experts in our community for their insight. Let’s get to it.

What is PSD2?

PSD2 is an EU initiative with three key aims: to increase customer rights when it comes to payments, to clamp down on online fraud, and to improve online banking by allowing third-party access to bank accounts.

The section of PSD2 which concerns improving customer rights became law on 13th January 2018, and if you’re interested in knowing more, Barclaycard have written an insightful piece on how exactly customer rights have been improved, as well as how third-party access to bank accounts could change how people conduct their finances.

However, the stipulation which most affects retail specifically is that which aims to improve online payment security, otherwise known as Strong Customer Authentication (SCA). Now being enforced in the UK and Ireland in March 2021, it’s this which retailers need to be fully aware of, particularly for retailers selling cross-border: not all EU markets have agreed to delay SCA, and could enforce checks from 14 September.


What is SCA?

Strong Customer Authentication adds an extra security element to the payment process by requiring shoppers to prove their identity in two ways, rather than one. For example, as well as typing in their password, the customer may also need to verify who they are with a code sent to their phone.

As is adroitly explained by Brian Gaynor, Executive Director for European Product Solutions, J.P. Morgan in this article, two-factor authentication (2FA) requires customers to prove who they are in two of a possible three manners: ‘Two-factor authentication is based on the use of two or more elements categorised as knowledge (i.e., something only the user knows), possession (i.e., something only the user possesses), and inherence (i.e., something the user is).’

Now, while this sounds a lot like bottlenecking the checkout (and perhaps driving away custom), retailers don’t need to fret too much. As Gaynor states clearly, transactions below €30 will not need to be challenged. And there are also ways for shoppers to ‘whitelist’ certain companies to allow for easier payments, as Jackie Barwell, Director of Fraud Product Management at ACI Worldwide mentions in this article.

There also exists a new piece of payments software called 3-D Secure 2.0 (or 3DS 2.0), also explained by Brian Gaynor. He says: ‘A major implication of 3DS 2.0 is that when a customer makes a purchase, the merchant will have the option of agreeing to ‘frictionless flow’ – where the payment is authorised without additional security measures.’ This means that retailers can abide by SCA without congesting the checkout.


It’s this which leads Joe Farrell, VP International Operations at PFS, to extend a word of reassurance to retailers: ‘European consumers are already much more adapted to two-factor authentication than their US counterparts, therefore we anticipate a smooth adaptation of PSD2. While there is still some interruption of the consumer experience caused by two-factor authentication, newer versions such as 3DS 2.0 include improved functionality that is less intrusive of the checkout experience. Still, it will be important to ensure a quality consumer experience throughout checkout so the added security measure does not become a nuisance to consumers.’

Similarly, David Wise, Director Channel Sales EMEA at Magento, an Adobe company, notes that the security perks of SCA may well reel in customers, mentioning that apps could hold the key to thriving in a functioning PSD2 world: ‘Research shows that 36% of shoppers abandon their carts due to payment security concerns – so a checkout page that feels safer due to heightened protection may in fact encourage customers to buy. All of these elements play a part in the overall customer experience — so the best bet is to implement easy and intuitive authentication methods that preserve the seamlessness of the transaction, in order to balance safety and customer experience. In-app based push notifications and SMS-shared codes are some of the best options.’

Finally, Richard Mathias, Senior Technology Architect, LiveArea EMEA, notes that PSD2 could lead to a boom in innovative fintech companies, which retailers should keep tabs on.

Mathias: ‘Retailers should ensure their online stores accept payments through updated technical solutions put in place by existing payment service providers. Expect all current payment service providers to develop new solutions in time for PSD2. Visa and Mastercard, for instance, are rolling out new security solutions for 3D secure payments in time for PSD2.

‘It’s worth keeping a look out for additional, innovative payment service providers that are likely to be launched before or around the deadline. This is an opportunity for fintechs, larger retailers and banks to think beyond compliance, embrace new business models, and provide new services. Merchants should be agile in adapting to changes in the space.’

If handled correctly, PSD2 will usher payments into a new era of security and flexibility, and significantly reduce the £309mn+ black hole currently being caused by fraudulent transactions. So, what do retailers need to do to be ready?

What do retailers need to do?

It's urgent that all retailers become SCA-ready. Not doing so could prevent payments from being processed, which in turn may lead to basket abandonment. This is highlighted by Ralf Gladis, CEO at Computop: ‘What can retailers do now? The good news is that because SCA and 2FA are primarily the responsibility of payment schemes like Visa, MasterCard, PayPal, etc, retailers just need to ensure that their checkout system is using the latest API for all payment methods. Credit card payments, however, require 3D Secure, and without this and SCA they will no longer be compliant, and payments could be declined. If retailers already use 3DS 1.0, their credit card payments will still work after Sept. 14th, although customers will be required to do 2FA for each and every transaction, which might be a barrier to purchase.

‘For those using 3DS 2.0, there will be a need to upgrade their credit card payment interface and transmit more data points with each payment such as addresses, basket data, customer data, IP-address etc. Banks will use that data to run transaction risk analysis and avoid 2FA if the risk is low, and this will lead to better conversion and turnover.

‘If retailers are concerned that customers will be confused by the 2FA procedures, they could offer several alternative payment methods like PayPal, iDEAL or guaranteed invoice payments.’

Further to ensuring the correct mechanisms are in place to abide by SCA, David Jones, Vice President of Market Strategy at Mastercard, recommends informing customers of the upcoming legislation so that they, too, are prepared for any changes to the checkout process.

Jones: ‘As SCA is mandatory under the Payment Service Directive 2 (PSD2), retailers will need to be able to accept the two-factor authentication process at checkout. As retailers it is important to get in contact with your acquirer or payment service provider to ensure your business is ready and enrolled for Mastercard’s ‘Identity Check’ and educate your customers. Let them know you will be making changes to their payment experience highlighting the benefits for them (no need to remember passwords and a likely reduction in fraud).

‘Biometric solutions for cardholders use a fingerprint and facial recognition to verify their identity using a mobile device during online shopping and banking activities. With this approach, the digital checkout time is dramatically shortened, security is improved, and basket abandonment rates are reduced.’

At the most fundamental level, what’s now required from retailers is an integration of SCA-viable payment processes at the checkout. Research the legislation and speak to payments providers so that when it’s eventually enforced in March 2021, you’re all set to weather the storm.

In Summary

PSD2 is a mandatory EU legislation designed to improve shopper flexibility and security. SCA, when it eventually launches, is likely to shake up the checkout process of many brands, as well as the payments space as a whole.

However, retailers don't need to go it alone: payments providers are on-hand to facilitate the move to SCA to ensure the checkout remains streamlined, and for those who have yet to optimise for SCA, now is the time to act. For further reading, check out J.P. Morgan's six key focus areas of PSD2.

If implemented correctly, SCA will significantly minimise fraud payments, eliminate the need to remember passwords, and give rise to a boom in fintech. So, put March 2021 in your calendar: it could indicate the beginning of a vibrant new payments sector.

Will Gillingham, Content Manager, IMRG
