Will your online sales nosedive when PSD2 and SCA hit home? The fears are real. But it's possible for merchants to prevent carts from getting abandoned — and even grow their business.
In a recent blog, we looked at the arrival of PSD2, the EU's second Payment Services Directive, and how its demand for Strong Customer Authentication (SCA) will impact electronic payments.
Few retailers will be relishing the prospect of asking online customers to authenticate themselves with more than their passwords and payment cards. The use of devices such as token generators and biometrics is bound to cause some wobbles and frustration for consumers at the checkout.
The original implementation date was September 14, but the FCA has confirmed that there will be a phased introduction of SCA over the next year and a half. So, in the near future, ignoring SCA isn't an option, as two-factor authentication will apply to most electronic transactions over €30. Practically, UK merchants will need to ensure that 3D Secure 2.0 (or a later version of this authentication protocol provided by the card networks to support SCA) is applied to their checkout page or hosted checkout.
However, on 21st June 2019, the European Banking Authority (EBA) published an opinion on SCA. This opinion allows the FCA to give some firms extra time to implement SCA.
The legal deadline for complying with the Regulatory Technical Standards on Strong Customer Authentication will be phased over the next eighteen months. However, the FCA recognises the challenges in meeting this deadline and has been working with the industry on a plan to migrate to SCA for card payments in e-commerce as soon as possible after this. What this means is that issuers need to be able to demonstrate that they have a plan in place to meet SCA, but the enforcement could possibly be delayed until 2020.
So how can merchants embrace the changes — and even find ways to take advantage?
Here are seven steps to consider:
Step #1: Shift more customers towards card-on-file
Ahead of any implementation date, forward-thinking companies will be suggesting to customers that they save their card details on file for extra convenience. This means that SCA won't normally apply when they make subsequent purchases ... it will be a straight-through process. However, this 'grandfathering' approach is a temporary move, as any changes to the customer's details later on could trigger the need for re-authentication. That said, at least it could lessen the impact of so many customers encountering SCA at the same moment in mid-September.
Step #2: Give your customers the heads-up
Communicating the change is the Issuer’s responsibility. However, Merchants should inform their customers that the checkout process will be changing but that there's nothing to be worried about. In fact, the EU change is about keeping them safer. This message may help to reduce drop-outs and show you're delivering great customer care. You can even provide tips and hints that will help them through the authentication process. You may wish to offer two-factor authentication as soon as possible, so that many customers are already up and running comfortably by the deadline.
Step #3: Use Chat to support checkouts
Inevitably, some customers will struggle with the extra authentication and get confused or impatient and may give up. Having a chat window that pops up at just the right moment at the checkout could be enough to save valuable sales until customers get used to encountering SCA wherever they buy. That way, your agents can hand-hold customers through the authentication process or even invite them to purchase within the chat session window, so you can save the sale.
Step #4: Look for exemptions where it's wise
As we saw in our last blog, you can save some customers from having to jump through all the hoops created by SCA. The exemption process can involve discussions with customers and Issuers and the creation of a ‘trusted payee’ list. It's also possible to raise transaction limits from €30 to €500 in some instances. This will remove the hassle factor for some important customers.
Step #5: Understand liability around exemptions
Consider exemptions with care and caution. The general rule of thumb is ‘whoever applies the exemption takes the risk’. So, if an Issuer applies the exemption due to trusted payee then the liability belongs to the Issuer, but if the Merchant requests the exemption then they are liable for the fraud.
Step #6: Get strategic about risk
Merchants should be asking Acquirers where they stand on fraud risk and for their fraud rates. Merchants may consider changing Acquirer or striping Acquirers based on risk (e.g. low risk to Acquirer A, high risk to Acquirer B). Acquirers may also split their customer bases into high-risk and low-risk entities so they can manage fraud rates and exemptions.
Step #7: Think about the future
It’s unclear where fraud will move to next — so prepare yourself for more change ahead. Security requirements for voice assistants, such as Alexa or Google Home, could be coming down the tracks as well as possible regulations for Mail Order/Telephone Order (MOTO) transactions.
How can Eckoh help?
One of the simplest ways to address this and help keep your contact centre payments running smoothly is to use ChatGuard – Eckoh’s solution to securing payments within chat. As with CallGuard, which secures telephone payments, ChatGuard masks the sensitive card data so the agent doesn’t see, hear, store or record any data. The payment is therefore PCI DSS compliant and you don’t risk frustrating your customer by asking them to go to a different system or web page in order to make a payment.
As a specialist provider of secure payments for contact centres, we're on top of industry developments and growing trends. We're keeping our customers updated with PSD2 and SCA. But if you're worried about the upcoming deadline and you want a better way to secure your payment channels, then get in touch with our helpful team today. We've got a wide range of secure payment solutions to help merchants become more successful.