The revised Payments Services Directive (PSD2) is getting shifted out by six months in the U.K., while the rest of Europe has been grappling with the challenges of making online purchases more secure.
Entersekt Country Manager for the U.K. and Ireland Frans Labuschagne told PYMNTS that whether we’re ready or not depends in part on where you look. Against that backdrop, with the acceleration of digital initiatives, the timeline of expectations for strong customer authentication (SCA) is shifting.
SCA has been mandated by PSD2 and requires multifactor authentication (MFA). Labuschagne said at a high level, the U.K. pushout “answers the question in terms of real readiness” to embrace SCA within the eCommerce ecosystem. And the state of readiness depends on whether you talk to the issuer side or the merchant side of the equation. In a nutshell, it’s a mixed bag.
But nonetheless, we’re in what Labuschagne termed a “perfect storm” amid the pandemic, with an increase in transactions, particularly a massive increase in digital transactions. The great digital shift has spotlighted the fact that with so many touchpoints, a consistent, smooth omnichannel experience has been lacking.
Demanding Easy Access
“Consumers demand easy access wherever they are, whenever they make a transaction,” Labuschagne said. “And, of course, the regulatory requirements around that should be easy and seamless.”
We’re not there yet, especially when banks are involved. Labuschagne noted that from Entersekt’s point of view, many companies state they are PSD2-compliant and have SCA in place, but putting it all into practice has proved to be challenging. Open banking frameworks, which are also part of the PSD2/SCA requirements, pose challenges, too.
“The tier one or the traditional banks [are getting to a point where they have] to decide what they want to be,” he said.
As the traditional players have been playing catch-up with the digital-first and digital-only players, many of them have also been burdened by the legacy infrastructure that in some cases can stretch back across decades. On the flip side, they do enjoy the advantage of consumer trust, which can help them keep growing their customer base.
Drilling down into the merchant side of the equation, the new protocols feature delegated authentication, which means the burden of authentication is placed on merchants instead of issuers and acquirers. Labuschagne stated that the U.K. PSD2 extension shows the lack of readiness here, and he added that in some cases, like in France and Spain, merchants are losing millions of dollars as a result of failed conversions.
“There are lots of discussions about new flows and doing things in a different way through the delegation protocols,” he said. “But it’s got a long way to go.”
Broadly speaking, Labuschagne added, despite the pain points, moving away from one-time passwords is a worthy goal. FIDO (Fast IDentity Online) standards can help smooth the user journey, too, he said, pointing to consortiums and models as one key way to share information across all stakeholders in a bid to consistently refine and improve eCommerce.
“Standards-based deployments are the way to go, and that is what we are proposing,” he said, adding that “sometimes you have to step up and introduce a little bit of friction, but if you [apply what we call intelligent friction] — utilizing advanced technologies like machine learning, artificial intelligence and risk-based authentication protocols — you will be able to resolve the problem of friction in a consistent and effective way.”