Most companies are not prepared for the fraud prevention rules going into effect in Europe by September, according to a report from Iovation and research and advisory firm Aite Group.
This suggests we may be looking at a replay of the lack of preparedness companies showed with last year’s implementation of the General Data Protection Regulation (GDPR), which forced companies to implement new privacy protections in Europe.
The new report, entitled “PSD2: Advent of the new payments market in Europe,” includes original research and analyzes the consequences for the global online payments market around the revised Payment Services Directive (PSD2).
By September 2019, payment service providers in the European Economic Area (EEA) will have to comply with the directive’s requirements for strong customer authentication (SCA) and third-party access to bank accounts or risk getting their payment provider license revoked.
The report concludes that the stricter requirements for fraud prevention in the European Union will drive fraud to other regions, such as the U.S. It also finds that most companies are unprepared for PSD2.
In fact, a recent study by Mastercard found that only 25 percent of European online merchants are aware of SCA requirements under PSD2, 14 percent already support SCA, 28 percent mentioned they will be SCA-ready by September 2019, and 24 percent have no plans to support SCA. Since companies providing payment services in Europe are subject to the regulation, even businesses with headquarters outside Europe may need to comply.
“The zeitgeist of regulations with extraterritorial effect, like GDPR, continues with PSD2. This will have long-standing operational implications to companies wherever they are based,” said Iovation compliance manager Mark Weston in a statement. “The merchants that succeed post-PSD2 will be those that make consumer authentication as effortless as possible through methods like ‘invisible’ device-based authentication and biometrics. And with the likes of Facebook and Google becoming payment processors, merchants are going to have to compete with an ever-widening marketplace.”
PSD2 will bring two major changes:
- Strong Customer Authentication: Payment service providers must apply two or more (multifactor) authentication methods for all electronic transactions, unless such transactions qualify as “low risk.”
- Third-party access to payment accounts: Banks, card issuers, and other financial institutions holding payment accounts must provide access to third-party payment service providers for various services.
Those services include account information services, like balance and transaction information; initiating payments directly from a customer’s bank account; and the availability of a funds check to see if there are sufficient funds in the cardholder’s bank account.
“PSD2 changes the rules of the game for the global payment industry and is based on some of the same principles that constituted GDPR, enforcing consumer protection and security requirements on companies operating in the EU,” said Aite Group senior analyst Ron van Wezel in a statement. “Varying choices in the implementation of the SCA requirements on a country and individual bank level, differences in interpretation of the directive, and different timelines may create confusion that merchants have to navigate. Businesses should be sprinting to get their house in order.”
The report is a joint Aite and Iovation analysis of hundreds of pieces of secondary research, coupled with about two dozen extensive interviews. Aite conducted those interviews between November 2018 and January 2019 with payment executives from banks and other payment providers. Iovation is a division of TransUnion.