Will your online sales nosedive when PSD2 and SCA hit home from September 14? The fears are real. But it's possible for merchants to prevent carts from getting abandoned — and even grow their business.
In a recent blog, we looked at the arrival of PSD2, the EU's second Payment Services Directive, and how its demand for Strong Customer Authentication (SCA) will impact electronic payments.
Few retailers will be relishing the prospect of asking online customers to authenticate themselves with more than their passwords and payment cards. The use of devices such as token generators and biometrics is bound to cause some wobbles and frustration for consumers at the checkout.
But from September 14, ignoring SCA isn't an option as two-factor authentication will apply to most electronic transactions over €30. Practically, UK merchants will need to ensure that 3D Secure 2.0 (or a later version of this authentication protocol provided by the card networks to support SCA) is applied to their checkout page or hosted checkout.
However, on June 21, 2019, the European Banking Authority (EBA) published an opinion on SCA. This opinion allows the FCA to give some extra time to implement SCA.
The legal deadline for complying with the Regulatory Technical Standards on Strong Customer Authentication remains September 14, 2019. However, the FCA recognizes the challenges in meeting this deadline and has been working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible after this. What this means is that issuers need to be able to demonstrate that they have a plan in place to meet SCA but the enforcement could possibly be delayed until 2020.
So how can merchants embrace the changes — and even find ways to take advantage?
Here are seven steps to consider:
Step #1: Shift more customers towards card-on-file
Ahead of September 14, forward-thinking companies will be suggesting to customers that they save their card details on file for extra convenience. This means that SCA won't normally apply when they make subsequent purchases ... it will be a straight-through process. However, this 'grandfathering' approach is a temporary move, as any changes to the customer's details later on could trigger the need for re-authentication. That said, at least it could lessen the impact of so many customers encountering SCA at the same moment in mid-September.
Step #2: Give your customers the heads-up
Communicating the change is the Issuer’s responsibility. However, Merchants should inform their customers that the checkout process will be changing but there's nothing to be worried about. In fact, the EU change is about keeping them safer. This message may help to reduce drop-outs and show you're delivering great customer care. You can even provide tips and hints that will help them through the authentication process. You may wish to offer two-factor authentication as soon as possible — so that many customers are already up and running comfortably by September 14.
Step #3: Use Chat to support checkouts
Inevitably, some customers will struggle with the extra authentication and get confused or impatient and may give up. Having a chat window that pops up at just the right moment at the checkout could be enough to save valuable sales until customers get used to encountering SCA wherever they buy. That way, your agents can hand-hold customers through the authentication process or even invite them to purchase within the chat session window, so you can save the sale.
Step #4: Look for exemptions where it's wise
As we saw in our last blog, you can save some customers from having to jump through all the hoops created by SCA. The exemption process can involve discussions with customers and Issuers and the creation of a ‘trusted payee’ list. It's also possible to raise transaction limits from €30 to €500 in some instances. This will remove the hassle factor for some important customers.
Step #5: Understand liability around exemptions
Consider exemptions with care and caution. The general rule of thumb is ‘whoever applies the exemption takes the risk’. So, if an Issuer applies the exemption due to trusted payee then the liability belongs to the Issuer, but if the Merchant requests the exemption then they are liable for the fraud.
Step #6: Get strategic about risk
Merchants should be asking Acquirers where they stand on fraud risk and for their fraud rates. Merchants may consider changing Acquirer or striping Acquirers based on risk (e.g. low risk to Acquirer A, high risk to Acquirer B). Acquirers may also split their customer bases into high-risk and low-risk entities so they can manage fraud rates and exemptions.
Step #7: Think about the future
It’s unclear where fraud will move to next — so prepare yourself for more change ahead. Security requirements for voice assistants, such as Alexa or Google Home, could be coming down the tracks as well as possible regulations for Mail Order/Telephone Order (MOTO) transactions.
How can Eckoh help?
One of the simplest ways to address this and help keep your contact center payments running smoothly is to use ChatGuard – Eckoh’s solution to securing payments within chat. As with CallGuard, which secures telephone payments, ChatGuard masks the sensitive card data so the agent doesn’t see, hear, store or record any data. The payment is therefore PCI DSS compliant and you don’t risk frustrating your customer by asking them to go to a different system or web page in order to make a payment.
As a specialist provider of secure payments for contact centers, we're on top of industry developments and growing trends. We're keeping our customers updated with PSD2 and SCA. But if you're worried about the upcoming deadline and you want a better way to secure your payment channels, then get in touch with our helpful team today. We've got a wide range of secure payment solutions to help merchants become more successful.