Harder than keeping up with European credit card acronyms, the new European policies on data security require changes in how credit card issuers authenticate customers. New requirements for credit card authentication take hold in less than 120 days. As with some facets of the PSDs and GDPR, there are some ideas to watch for in the U.S. market.
Mercator Advisory Group did a deep dive on PSD2 and GDPR. Here is a quick summary, PSD and PSD2, the Payment Service Directives, laid the foundation for standardizing payments across the Eurozone, with general data security, consumer protection, and interoperability mandates. GDPR, General Data Protection Regulations, modernized data protection standards. While PSD is generally directed towards Europe, GDPR has global standards that are frequently considered a best case study.
Now comes SCA. According to the European Payments Council (EPC), Strong Customer Authentication, (SCA) “aims to make payments safer, increase consumers’ protection, foster innovation and competition while ensuring a level playing field for all actors, including new ones which were not regulated by the first version of the Payment Services Directive.”
SCA must be considered when any one of these three broad requirements occurs:
- When a customer individual or corporate – accesses their payment account online
- When making an electronic payment
- When carrying out any action through a remote channel which may imply a risk of payment fraud or other abuses
That is pretty broad. It applies to just about any transaction which is not face-to-face!
To achieve this, there must be customer validation and authentication. For validation:
- Something only the user knows (PIN, password…)
- Something only the user possesses (a card, a mobile phone…)
- Something the user is (biometric identification like fingerprint, iris or voice recognition…).
- A unique authentication code which dynamically links the transaction to a specific amount and a specific payee (for remote internet and mobile payments)
Europeans are starting to scramble towards the implementation date, which is less than 120 days away.
EmailMarketinig Daily points out:
- European marketers have barely adjusted to the GDPR. In September, they will have to cope with Strong Customer Authentication (SCA), an extra layer of security for credit card payments. Credit card payers will have to provide various forms of proof up to the level of fingerprints or biometric facial features.
- Marketers Brace For The EU’s New Credit Card Payment Rule
Though Asia’s Retail News points out that SCA may reduce transaction volumes because of the overhead.
- More than 300 million European consumers will need to confirm their identity for the majority of their online purchases
- Hundreds of thousands of online merchants in Europe —from retailers, to ridesharing companies, to crowdfunding services— will have to upgrade their payments set-up to prepare for the upcoming regulation. If they don’t, their transactions will be declined outright.
- When similar regulation was enforced in India in 2014, some businesses reported an overnight conversion drop of over 25%, due to the extra step in the payments experience.
The takeaway for U.S. credit card issuers: Although the mandates come from Europe, it will affect our market in two ways. If you are doing business in Europe, there is a direct connection. If you are not, expect to see evolution in the U.S., just as we have seen GDPR influence the U.S. market, spawning controls such as the California Consumer Privacy Act.
Overview by Brian Riley, Director, Credit Advisory Service at Mercator Advisory Group