September 14, 2019, the date on which the Strong Customer Authentication (SCA) requirements of the Payment Services Directive (PSD2) become legally applicable, is fast approaching. One of the technical requirements of SCA involves payment service providers (PSPs) enabling two-factor authentication (2FA) when consumers make online payments or transactions that occur within the EU. Reducing the fraud that impacts online payments is a key goal of PSD2/SCA. And 2FA, along with risk assessment tools, can help reduce online fraud. While businesses impacted by PSD2 have had several years to prepare for compliance, some are scrambling at the last minute to become compliant. And PSD2 technical processes, if implemented poorly, will increase friction for customers. Many customers will get frustrated if they have more hoops to jump through to verify their identities, online transactions load slowly, or payments are not processed quickly.
PSD2 Requires 2FA with Some Exceptions
When it comes to implementing 2FA, the responsibility falls primarily on PSPs. However, SCA includes exemptions that PSPs can request when appropriate. For example, SCA includes a Transaction Risk Analysis (TRA) exemption that applies to remote payments and includes three exemption thresholds. When an online merchant initiates a payment, the PSP initiates an SCA check and then requests an exemption if warranted. The merchant’s fraud level is included in the calculation for an exemption. If the exemption is approved, SCA will not be required for the transaction. Qualifying for a TRA exemption reduces friction at checkout because the customer is not required to go through 2FA. Qualifying for TRA exemptions also allows for the possibility of one-click payments at checkout. While PSD2 does not technically apply to merchants, merchants will need to maintain low fraud levels for transactions to qualify for SCA exemptions.
PSD2 Processes Powered by Machine Learning
The PSD2 regulation means that risk decisioning systems will need to make decisions about risky transactions before payment authorization. And those decisions must be precise and made quickly—the window is typically 150 milliseconds. A more precise decisioning system reduces the number of good customers impacted by false positives. Increasing the speed and precision of risk decisioning systems requires machine learning. PSPs and merchants can use machine learning to reduce fraud levels significantly without adding a lot of friction. And merchants can use global identity data and machine learning models to create progressive sign-ups that allow more good customers onto the platform while preventing fraudsters from gaining access.
Adjusting to a Post-PSD2 World
While the onus to implement the technical standards of PSD2 falls largely on PSPs, merchants will need to adjust to a post-PSD2 world where processes to reduce fraud and ensure the security of online payments are crucial for business success. Reducing fraud does not have to lead to unnecessary friction and unhappy customers. With machine learning, many of the processes required by PSD2 can be automated and completed behind the scenes without users noticing. PSD2 processes, when implemented well, can provide customers with good checkout experiences.