PSD2 Could Drive Online Payment Fraud

The revised Payment Services Directive (PSD2) mandates that payment service providers in the European Economic Area (EEA), by September, must comply with stricter requirements for strong customer authentication (SCA) and third-party access to bank accounts.

A new report finds that most organizations aren’t prepared to meet the deadline. But when enough organizations do go live, the effect is predicted to drive online payment fraud to the U.S. and other regions outside of the EEA.

A surge in online payment fraud, however, is not the only impact organizations outside of the EEA can expect.

Iovation’s Mark Weston

“The zeitgeist of regulations with extra territorial effect like GDPR continues with PSD2. This will have longstanding operational implications to companies wherever they are based,” said Iovation compliance manager Mark Weston. Iovation is a TransUnion company and it developed the report with the research and advisory firm Aite Group.

“The merchants that succeed post PSD2 will be those that make consumer authentication as effortless as possible through methods like ‘invisible’ device-based authentication and biometrics. And with the likes of Facebook and Google becoming payment processors, merchants are going to have to compete with an ever-widening marketplace,” Weston added.

Not all companies, however, see PSD2 as a quagmire to drown in. And a few see it as a way to make partners more secure, which in turn makes everyone involved safer. For example, Mastercard uses its newly built Decision Intelligence and Automatic Billing Updater, both powered by artificial intelligence, to help its partners comply with the new PSD2 legislation and improve customer experience at checkout. Mastercard Identity Check uses biometric identifiers – such as fingerprint, iris and facial recognition – on mobile devices to verify customer or user identity. It’s now available in 37 countries and counting.

Similarly, MSSPs too can look for ways to help their clients neutralize some third-party supplier threats and comply with PSD2 by building tools meant for an entire ecosystem to use in unison — particularly since PSD2 has a lot of punch when it comes to third-party access to payment accounts.

Specifically, the Iovation report says PSD2 forces two major changes:

1. Strong customer authentication: Payment service providers must apply two or more (multifactor) authentication methods for all electronic transactions unless such transactions qualify as “low risk.”

2. Third-party access to payment accounts: Banks, card issuers and other financial institutions holding payment accounts must provide access to third-party payment service providers for the following services:

• Account information services like balance and transaction information.
• Initiating payments directly from customers’ bank accounts.
• Availability of funds check to see if there are sufficient funds on the cardholder’s bank account.

“PSD2 changes the rules of the game for the global payment industry and is based on some of the same principles that constituted GDPR, enforcing consumer protection and security requirements on companies operating in the EU,” said Ron van Wezel, Aite Group senior analyst.

“Varying choices in the implementation of the SCA requirements on a country and individual bank level, differences in interpretation of the directive, and different timelines may create confusion that merchants have to navigate. Businesses should be sprinting to get their house in order.”