Posted: 2nd July 2019
Last week, we called attention to the upcoming, EEA-wide implementation of the new Regulatory Technical Standards (RTS) – a core component of the Revised Payment Service Directive (PSD2) – and how it could impact on the retail experience.
But it’s not only customers who will be affected by the tightening of security. Firms across the payments value chain – from merchants all the way to card issuers – will have to pay close attention to developments within this space and make the appropriate arrangements if they are to stay on the right side of the regulator (and their customer-base).
The potential fallout for customers
With little more than three months left to go until every business accepting or facilitating payments will have to abide by the new authentication rules, it would seem that time is running out to achieve full compliance. Many retailers are struggling to come to terms with the new systems needed – and the possibility of more declined transactions and heightened confusion at checkout.
We have already mentioned the fact that education will be key to moving forward, and that this education (so far, at least) has not been reaching its intended audience. Consumers have varying levels of tech-literacy and accessibility needs, meaning that firms will have to proactively and effectively reach out to the customers that they believe may not be receiving online information.
There remains a high risk that vulnerable customers may be left exposed in this evolutionary security project. Stakeholders need to deploy a wide range of authentication methods in order to provide maximum accessibility, all while minimising the potential for fraud. As an example, one-time passwords received via SMS are technically compliant, but with mobile network coverage patchy in rural areas and the threat of SIM swap fraud not likely to diassapear anytime soon, it’s clear that we need to go beyond basic compliance.
Perhaps the most pressing issue for consumers and their firms is managing expectations around the potential increase in declined payments. Nervous issuers not wanting to fall foul of new rules will have no choice but to decline more transactions than they are presently. For this reason, the FCA is considering a delay in enforcing any sanctions (even with the RTS implementation date being written into law).
The industry will surely be collaborating on a phased approach, over at least 18 months, to deliver certain elements of the RTS in the most organised manner possible. However, while card payments may get a reprieve, there is no time for firms to become complacent. The SCA implementation date for accessing payment accounts will not change.
Merchants will have to be prepared
With transactions about to be challenged more regularly and declines set to rise, all merchants will need to take a look at their systems and ask:
• Are tills / terminals / online payment gateways appropriate to support the new standards?
• Are staff trained and knowledgeable enough to answer customer queries?
• Whether additional signage / messaging / staff at tills will be needed
New versions of 3D Secure, the current standard for online transaction security, being mandated by card schemes will impact online merchants. These merchants will need to work closely with the company (or companies) providing their card services and determine:
• What technical changes need to be made to support the various versions of 3D Secure
• How they enrol onto the new 3D Secure scheme
• Whether they can make use of any exemptions to SCA
• If the additional data needing to be collected be compliant with the GDPR
Online shops using marketplaces, deferred, split or recurring billing agreements, integrated loyalty programs or other specialist models will all be impacted in different ways, made all the more complex by the digitally-expanded customer journey. In other words, for any online transaction that isn’t as simple as a one-off purchase, merchants will need to assess the complete customer journey and determine how SCA will be implemented at each and every touch point. Hardly a simple task.
Preparing ‘behind the scenes’
Acquirers, issuers, payment processors, other technical service providers and card schemes have all been preparing (anxiously) for the arrival of the RTS.
The evolving digital agenda that many organisations will be embarking upon will need to align to the changes brought about by PSD2 and the RTS. This alignment is critical to ensuring the correct propositions and customer journey models are developed.
Acquirers will, of course, need to ensure that their merchants are appropriately enrolled into 3D Secure, providing guidance on how best to manage varied transaction types, such as split billing. This will require the acquirers to have the in-house expertise or, alternatively, look outside at industry professionals for consultancy.
The card issuing community – the one’s holding the right to final response to any payment transaction – will also be engaging their technical service providers to ensure they have the correct solution in place. This is crucial for both retail payments and for online payment account access.
‘Behind the scenes’ we can also find many teams studying the impact of SCA on the customer journey, call centre expectations and anti-fraud activities. Firms of all stripes need to be following their lead and preparing for eventualities that could be relatively simple to respond to or as impactful as “broken” customer journeys.
Preparing for a more secure payments world
Though these changes may seem daunting, there’s nothing that can’t be accomplished without the aid of specialist consultants (who can guide change) and expertly-trained human resource (who can make the mandated changes a reality).
Naturally, there’s never going to be a ‘one-size-fits-all’ solution to SCA compliance but, thankfully, payments specialists like Huntswood can provide the guidance needed to continue acting within the parameters of regulation – and delivering good customer outcomes at the same time.
An undeniable truth, however, is that we all need to work together to ensure that customers receive the best protection, and the best experience, possible.
Once you have figured out just how SCA will impact your firm and your customers, you will have a clear path to enhanced security and better customer outcomes.