Small businesses face fraud and compliance challenges with PSD2 deadline looming
Small businesses are not ready for the looming PSD2 deadline, Accertify has heard from a number of different sources at industry events and in interactions with merchants, according to the company’s Product Manager James Pinborough. The EBA is due to begin enforcing the new PSD2 rules, which mandate strong customer authentication (SCA) and could drive demand for online biometrics, at the end of calendar 2020, with the UK following three months later.
Accertify has previously argued that the strong customer authentication requirements of PSD2 are the biggest hurdle the regulation poses for merchants.
Changed implementation deadlines and different grace periods may be leading to some confusion, Pinborough tells Biometric Update in an email interview, but the problem goes further.
“Some merchants also do not view PSD2 as their issue and they are relying on their acquirer to manage it,” Pinborough explains. “Whilst the merchant is not regulated by SCA, it is the merchant who will be most impacted by any lost sales. Despite the extension from the regulators merchants are finding it challenging to implement the authentication changes required to support SCA. Deployment of 3DS and enablement is proving slow. Merchants should actively work with their acquirers and not be left out to have their transactions declined by the enforcement dates.”
Asked if a shrinking field of easy targets for fraudsters as the implementation deadline approaches makes strong authentication a fraud security issue even before it becomes a compliance one, Pinborough notes that “fraudsters will always target the weakest link,” and merchants that delay 3DS implementation will be an easier target.
“That is not to say that 3DS will resolve all fraud issues but it does greatly increase the security of the payment. 3DS is a very valuable fraud prevention tool when it is deployed correctly and applied intelligently.”
Pinborough also notes that many retailers will be hoping for major increases in sales volumes towards the end of the year holidays and in post-holiday promotions, which makes it a poor time to launch a new payment strategy.
Accertify has some practical advice for SMB merchants acting quickly to protect their revenues, starting with an analysis of the business to see how they will be impacted by SCA.
“For example, what is their average ticket value?” Pinborough asks. “How does this compare with the SCA thresholds for Transaction Risk Analysis (TRA)? Does the merchant process a high amount of Merchant Initiated Transactions (MITs) which are out of scope? Do they have significant sales from outside the EEA? How are they going to identify these, etc.? Once they have completed this analysis, the next step is to reach out to their acquirer/processor and vendors (such as Accertify) in the market to see who is best placed to assist them. Finally, it is important for merchants to remember that acquirers will want to maintain a very low fraud rate, in order to extract maximum value from the SCA exemptions. This means that merchants with a low fraud rate may have a stronger position when speaking to their acquirer/processor.”
While U.S. businesses are not covered by the regulation just by serving customers in Europe, they are included if accepting cards issued in the European Economic Area at a merchant location, including a website, based in the region. With authentication standards around the world increasing gradually, if unevenly, the opportunity for biometrics providers has already arrived.