Since the
European Banking Authority (EBA) published its Opinion in June on the strong customer authentication (SCA) requirements of the revised Payment Services Directive (PSD2), I've been thinking and talking about it with colleagues, peers and — especially —
with merchants.
In particular, we've been discussing the opportunity given to national regulators to provide for a transition period, giving relevant stakeholders more time to get ready for SCA.
So What Happens Now?
In the months since the Opinion, national regulators have been making announcements about their transition periods. But the merchants (and others) that I've spoken to are worried that the result may be a number of substantially different national plans,
which could result in an inconsistent customer experience in the EEA.
Put yourself in the shoes of a small UK eCommerce merchant with limited resources to understand and implement the changes that will support frictionless SCA. In a positive move for this merchant (and for the UK eCommerce and payment industries overall),
the UK regulator has announced an 18-month transition period, judging that it's a reasonable amount of time for the UK industry to get ready. Let's assume that the merchant we're thinking of will only be ready towards the end of the 18-month period.
So what's the problem? Well, small as this UK merchant is, it still has important customers in other countries in Europe. If some of those countries are planning to transition to full SCA enforcement in, say, 12 months, then the merchant's customers from
those countries are potentially in for six months of a poor customer experience (as the merchant may not be ready for their issuers' attempts to invoke SCA).
I think we can all agree that this kind of scenario would be a backwards step for eCommerce. Any effort to add security to the payments ecosystem must be delivered in a way that still allows merchants to sell and consumers to buy – quickly, and easily. If
not, it could not only impact commerce and the economy, but might also drive consumers towards less safe methods in search of convenience.
It is not only small merchants who might be impacted by a variety of different SCA timelines. SCA readiness is complex enough for all of them, without having to worry about their SCA plans affecting customers from different countries in different ways. Multinational
merchants could also find themselves in a situation where their acquirers in different countries are working towards different SCA deadlines, which again can only make their own SCA plans more complex.
Let's Get Together
So, on behalf of merchants everywhere and their European customers, I really hope the payment industry can come together to agree on a unified transition plan.
Ideally, we'd find agreement not just on overall timelines, but on the phases that get us there. The UK and French regulators, for example, have worked with industry stakeholders to agree broadly similar 18-month plans. If we look at the UK's
managed rollout plan as an example, it has several phases defined, allowing for step-by-step progress to full SCA enforcement by issuers, with time for awareness-building among small merchants. It includes specific industry actions such as an EU-wide card
scheme mandate by September 2020 to incentivise merchant adoption of 3-D Secure (3DS) 2.
This is the kind of plan we need to get behind as an industry across the EEA, if we want to continue to put a seamless experience for customers at the heart of decisions about SCA.
Advice for Merchants
Whatever happens, it's still imperative for merchants to continue working with their payment service providers and acquirers on an SCA strategy, and to become SCA-ready as soon as they can.
The surest way to avoid potential adverse impacts of SCA, such as poor user experience on mobiles or issuer declines, is to implement 3DS 2 as soon as possible. This should be done in line with acquirer and payment gateway readiness for 3DS 2, since it's
not just merchants that need to make 3DS 2-related process and system changes, but acquirers and payment gateways too.
If you have any comments or questions about anything relating to PSD2, SCA or 3DS, do comment below.