Will PSD2’s Strong Authentication Requirements Kill Today’s Frictionless Checkout?


Navigator Edition: October 2016
By: Jip de Lange

The revised Payment Services Directive (now commonly referred to as PSD2) has become the centerpiece of European payments law. The European Banking Authority (EBA) published the highly anticipated draft of the Regulatory and Technical Standards (RTS), a document that provides further detail to the directive, in August 2016. While the ruling will not be finalized until early 2017, the draft document provides first insights into the intent of the regulators. It is still unclear how the regulations will apply specifically to card payments, but our early takeaway is that the requirements for strong authentication could have significant implications for e-commerce merchants.

The Requirement for Strong Authentication

A mandate for ‘strong authentication’ for remote (not face-to-face) payments over €10 is a critical component of the new regulation. The mandate requires two-factor authentication for almost all remote transactions. Examples of strong authentication include 3-D Secure (3DS), where payers use tokens or text messages to sign transactions.

While intended to counter rising fraud levels associated with distant commerce (remote purchases accounted for 70% of all fraud losses in the U.K. in 2015), the ramifications for e-commerce are potentially severe given that few e-commerce or mobile commerce transactions are strongly authenticated today. Merchant card vaults in particular, which enable many ‘one-click’ checkout processes, are likely to be non-compliant with the new requirements, and those popular solutions will no longer be viable in the market.

Potential Exemptions & Workarounds

Introducing friction at the point of purchase is a heavy burden for e-commerce merchants: Ecommerce Europe reports that payment authentication drives 25% of shopping cart abandonments. For merchants striving for frictionless checkout, the exemption from strong authentication for ‘trusted beneficiaries’ will likely prove to be important.

Whether and how this exemption will apply to card transactions is uncertain, as the draft RTS language focuses on bank transfers (see boxed text). If it does apply to card payments, however, there are several ways in which merchants might seek—directly or indirectly—to qualify as trusted beneficiaries. This suggests that merchants should somehow be registered and linked to payers within the issuer domain. It’s probably too soon to go into detail on how this could work exactly, but tokenization could be a starting point for realizing this as it essentially pairs payers and payees.

Article 8, 2 of the RTS in the EBA’s last consultation paper (EBA-CP-2016-11)
The application of strong customer authentication in accordance with Article 97(2) of Directive (EU) 2015/2366 is exempted where:
(a) the payer initiates online a credit transfer where the payee is included in a list of trusted beneficiaries previously created by the payer with its account servicing payment services provider.
[…]

Merchants as Trusted Beneficiary

Under the trusted beneficiary exemption, merchants could work with card issuers (or other types of account servicers) to establish and register trusted relationships. This registration could be enabled in a variety of ways, including:

  1. In-line with the transaction request itself, passing through the card schemes to the card issuers, and allowing follow-on transactions to avoid strong authentication.
  2. Via a registration service offered by the banks directly to consumers, such that consumers can log into their internet banking or similar web site and add trusted merchants.
  3. Via a commercial arrangement between a merchant and a bank to establish a framework for trust among their shared customer bases.

None of these options is perfect, and all involve a significant effort to replicate today’s penetration of card vaults; in each of these scenarios, strong authentication is still required as the first step in the process of establishing a trusted relationship.
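The following is an added illustration, not code from the article or from First Annapolis: a toy model of how an issuer (account-servicing PSP) might apply the rule described above, where remote payments over €10 require strong customer authentication (SCA) unless the payee is on the payer's list of trusted beneficiaries, and where adding a payee to that list itself requires SCA. The registry layout, the `Payment` fields and the decision outcomes (`challenge`, `approved`) are assumptions made for the example.

```python
"""
Added example (not part of the First Annapolis article): a toy issuer-side
rule engine for the PSD2 strong customer authentication (SCA) mandate and the
trusted-beneficiary exemption as described in the article. Field names,
outcomes and data structures are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Article: SCA applies to remote payments "over EUR 10"
SCA_THRESHOLD_EUR = Decimal("10.00")


@dataclass
class Payment:
    payer_id: str
    payee_id: str
    amount_eur: Decimal
    remote: bool           # True for e-commerce / mobile, False for face-to-face
    sca_completed: bool    # did the payer pass two-factor authentication for this request?


@dataclass
class IssuerRegistry:
    """Issuer-domain store of trusted beneficiaries, kept per payer (assumed layout)."""
    trusted: dict = field(default_factory=dict)  # payer_id -> set of payee_id

    def register_trusted_beneficiary(self, payer_id, payee_id, sca_completed):
        # Enrollment is itself gated on SCA: the article notes strong authentication
        # is still required as the first step in establishing the trusted relationship.
        if not sca_completed:
            return False
        self.trusted.setdefault(payer_id, set()).add(payee_id)
        return True

    def is_trusted(self, payer_id, payee_id):
        return payee_id in self.trusted.get(payer_id, set())


def sca_required(payment, registry):
    """Return True if the transaction needs SCA before it may be authorised."""
    if not payment.remote:
        return False  # the mandate discussed concerns remote (not face-to-face) payments
    if payment.amount_eur <= SCA_THRESHOLD_EUR:
        return False  # at or below the EUR 10 threshold
    if registry.is_trusted(payment.payer_id, payment.payee_id):
        return False  # trusted-beneficiary exemption
    return True


def authorise(payment, registry):
    """Issuer decision: 'challenge' when SCA is needed but missing, else 'approved'."""
    if sca_required(payment, registry) and not payment.sca_completed:
        return "challenge"
    return "approved"


if __name__ == "__main__":
    reg = IssuerRegistry()
    first = Payment("payer-1", "merchant-A", Decimal("49.90"), remote=True, sca_completed=False)
    print(authorise(first, reg))   # first remote purchase over EUR 10 -> challenge
    # Payer completes SCA and, in the same flow, the merchant is registered (option 1 above)
    reg.register_trusted_beneficiary("payer-1", "merchant-A", sca_completed=True)
    repeat = Payment("payer-1", "merchant-A", Decimal("120.00"), remote=True, sca_completed=False)
    print(authorise(repeat, reg))  # exemption applies -> approved
```

The point the model makes explicit is the one in the paragraph above: the exemption only removes friction from the second transaction onward, because the registration step cannot itself skip strong authentication.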

PSPs as Merchants of Record

Instead of establishing a trusted beneficiary relationship directly, some merchants—particularly smaller merchants—may look to a payment service provider (PSP) to aggregate their exemption status by acting as the merchant of record, similar to the merchant facilitation model employed by many PSPs (e.g., Stripe or Adyen) today (see Figure 1). Under this scenario, a consumer could establish Stripe as the trusted beneficiary and Stripe could then apply the exemption to all of the merchants for which it facilitates payments.

Figure 1: PSPs as the Merchant of Record

Sources: First Annapolis Consulting research & analysis.

The challenge is that layers of aggregation are proliferating across the marketplace, spurred by a more complex digital commerce value chain, and could cloud ownership and liability between the parties.

De-coupled Checkout and Payment

Another potential scenario is that merchants, or their service providers, might decouple the checkout and payment processes. Rather than initiating a payment for each transaction, merchants could collect a single payment at month end, extending credit in order to simplify payments. Klarna, for example, already offers this type of checkout service, where they aggregate any number of merchant purchase transactions into a single payment transaction at a later date.

This option would have negative consequences for bank issuers and card schemes, insofar as it reduces the number of card or bank payments.

Conclusion

Card payments account for the majority of retail payments in Europe, and further clarity is needed regarding how they will be treated under the new strong authentication regulations—and whether the trusted beneficiary exemption will apply.

Assuming cards are subject to the strong authentication mandate, there is potential for significant damage to e-commerce, and we expect that the merchant community will lobby hard to alter the current draft rules. Absent further changes, however, merchants will need to explore alternatives for enabling frictionless checkout.

While there are instances in which strong authentication is highly appropriate, for many merchants that maintain intimate relationships with customers and operate sophisticated fraud management, the regulation creates significant challenges to sales conversion. We expect that smart use of exemptions and workarounds will be important elements of merchants’ and PSPs’ response to the regulation, in an effort to reduce friction and preserve their customer experience. Some of these options may create consequences unintended by the regulators.

For more information, please contact Jip de Lange, Senior Consultant, jip.delange@firstannapolis.com, specializing in European Initiatives.
