Don't Let PSD2 Sneak Up On You
New payments legislation is coming to the EU, so make sure you're prepared for it.
Just as the General Data Protection Regulation (GDPR) took Europe by storm when it began to apply in May 2018, the second Payment Services Directive (PSD2) will similarly change the security of your online transactions. Core to this legislation is the requirement of Strong Customer Authentication, in practice multi-factor authentication, for most electronic payments that the customer initiates. While this adds another layer of security to digital payments and digital commerce, it has far-reaching implications for a wealth of organizations, both in Europe and beyond.
Diving Deeper into PSD2
If you aren’t familiar with Strong Customer Authentication (SCA) now, you need to be before the SCA rules start to apply. SCA is the PSD2 requirement, spelled out in the accompanying Regulatory Technical Standards, that a customer be authenticated with multi-factor authentication when they initiate an electronic payment (more on which transactions are covered below). In simple terms, the customer must prove two of three independent factors to validate the transaction, where independence means that the compromise of one factor does not compromise the others. The three factors are as follows:
- Something only the customer knows (e.g. password or PIN).
- Something only the customer has (e.g. code generated by mobile phone).
- Something only the customer is (e.g. fingerprint or facial recognition).
Come September 14, 2019, when the SCA rules begin to apply, a transaction for which two of these factors have not been verified may be declined by the customer’s bank. (The European Banking Authority has allowed national regulators limited flexibility in enforcing that date, but the legal deadline itself has not moved.)
Exceptions to the Rule
As mentioned earlier, Strong Customer Authentication is required for “customer-initiated” electronic transactions. Therefore, online card payments and bank transfers initiated by the payer must go through this validation process...save for some exemptions. Note that the exemptions are applied by the customer’s bank or payment provider, not claimed by the retailer: a merchant can request one, but the bank decides and can still demand SCA. Examples of these exemptions include:
- Transaction Risk Analysis: a payment provider whose own fraud rate is low enough may exempt transactions that its real-time risk analysis rates as low-risk. The thresholds are tiered by amount (a fraud rate at or below 0.13% allows exemptions for transactions below €100; 0.06% for transactions below €250; 0.01% for transactions below €500). The fraud rate is the provider’s reference rate for remote card payments, not a per-transaction figure; each individual transaction must still pass the real-time analysis.
- Payments below €30 qualify for a low-value exemption, but it lapses once the customer has made five consecutive exempted payments, or exempted payments totalling €100, since they last completed SCA; the next payment then requires SCA and the counters reset.
- Recurring payments of a fixed amount to the same payee (subscriptions, standing orders) require SCA on the first payment, but subsequent payments in the series are exempt. Recurring payments of variable amounts, and other payments the merchant initiates without the customer present, fall outside the SCA rules altogether, which is why the distinction between customer-initiated and merchant-initiated transactions matters.
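The exemption rules above amount to a decision procedure that the customer’s bank or payment provider runs on every payer-initiated transaction. The Python below is an added illustration, not code from Applause or from any payment provider: it encodes the three exemptions in one decision function together with the per-customer counters they depend on. The fraud-rate tiers and the €30, €100, €250 and €500 limits are the article’s; the low-value counters (€100 cumulative and five consecutive exempted payments since the last SCA) follow the PSD2 RTS and are an assumption added here; the `low_risk` flag stands in for the provider’s real-time risk scoring, which this example does not implement; the order of the checks and the way the counters are reset are simplifications chosen for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


def eur(value) -> Decimal:
    """Build an exact EUR amount; money is never represented as float here."""
    return Decimal(str(value))


class Outcome(str, Enum):
    SCA_REQUIRED = "sca_required"
    EXEMPT_RECURRING = "exempt_recurring_same_amount_same_payee"
    EXEMPT_LOW_VALUE = "exempt_low_value"
    EXEMPT_TRA = "exempt_transaction_risk_analysis"


# Transaction Risk Analysis tiers for remote card payments, as given in the article:
# (ceiling on the provider's reference fraud rate in percent, highest exemptible amount).
TRA_TABLE = (
    (eur("0.01"), eur("500")),
    (eur("0.06"), eur("250")),
    (eur("0.13"), eur("100")),
)

# Low-value exemption. The EUR 30 per-payment ceiling is from the article; the two
# counters (EUR 100 cumulative, five consecutive exempted payments since the last SCA)
# follow PSD2 RTS Article 16 and are an assumption added for this example.
LOW_VALUE_MAX = eur("30")
LOW_VALUE_CUMULATIVE_MAX = eur("100")
LOW_VALUE_MAX_CONSECUTIVE = 5


@dataclass(frozen=True)
class Transaction:
    amount: Decimal
    payee: str
    recurring: bool = False  # part of a fixed-amount series to the same payee
    low_risk: bool = False   # verdict of the provider's real-time risk scoring (assumed input)


@dataclass
class PayerState:
    """Per-instrument counters the provider must keep to apply the exemptions correctly."""
    exempted_since_sca: int = 0
    spent_since_sca: Decimal = eur("0")
    recurring_series: set = field(default_factory=set)  # (payee, amount) pairs that passed SCA once


def tra_limit(fraud_rate_pct: Decimal) -> Decimal:
    """Highest amount the provider may exempt under TRA at its current reference fraud rate."""
    for ceiling, limit in TRA_TABLE:
        if fraud_rate_pct <= ceiling:
            return limit
    return eur("0")  # fraud rate above every tier: the TRA exemption is unavailable


def decide(txn: Transaction, state: PayerState, psp_fraud_rate_pct: Decimal) -> Outcome:
    """Return the exemption that applies to this payer-initiated payment, else SCA_REQUIRED."""
    if txn.recurring:
        # The first payment of a series must be authenticated; later payments of the
        # same amount to the same payee are exempt.
        if (txn.payee, txn.amount) in state.recurring_series:
            return Outcome.EXEMPT_RECURRING
        return Outcome.SCA_REQUIRED
    if (txn.amount <= LOW_VALUE_MAX
            and state.spent_since_sca + txn.amount <= LOW_VALUE_CUMULATIVE_MAX
            and state.exempted_since_sca < LOW_VALUE_MAX_CONSECUTIVE):
        return Outcome.EXEMPT_LOW_VALUE
    if txn.low_risk and txn.amount <= tra_limit(psp_fraud_rate_pct):
        return Outcome.EXEMPT_TRA
    return Outcome.SCA_REQUIRED


def record(txn: Transaction, outcome: Outcome, state: PayerState) -> None:
    """Update the counters once the payment completes; a completed SCA resets them."""
    if outcome is Outcome.SCA_REQUIRED:
        state.exempted_since_sca = 0
        state.spent_since_sca = eur("0")
        if txn.recurring:
            state.recurring_series.add((txn.payee, txn.amount))
    else:
        state.exempted_since_sca += 1
        state.spent_since_sca += txn.amount


def run_series(transactions, psp_fraud_rate_pct=eur("0.05")):
    """Push a sequence of payments from one customer through decide/record; return the outcomes."""
    state = PayerState()
    outcomes = []
    for txn in transactions:
        outcome = decide(txn, state, psp_fraud_rate_pct)
        record(txn, outcome, state)
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    # Constructed sample: six EUR 10 coffees; the sixth trips the five-payment counter.
    for i, o in enumerate(run_series([Transaction(eur("10"), "cafe")] * 6), 1):
        print(f"payment {i}: {o.value}")
```

The point for a retailer is that the outcome depends on state the retailer cannot see (the provider’s fraud rate, the customer’s counters since their last SCA), so a checkout cannot assume a given payment will be exempt; it has to handle the step-up to full authentication on any transaction.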
Who’s at Risk?
SCA is mandatory only when both the customer’s bank and the retailer’s payment provider are in the EU/EEA (a so-called “two-leg” transaction); a consumer banking in the EU who buys from a retailer using a non-EU payment processor is not strictly covered. So which organizations need to be wary of this?
- Every European retailer accepting online payments must support SCA.
- Every international retailer selling to customers in Europe through a European payment provider must support SCA.
For card payments, supporting SCA in practice means supporting the card schemes’ 3-D Secure 2 protocol so that the customer’s bank can challenge the customer, and making sure your checkout handles both the frictionless (exempted) flow and the challenge flow without breaking.
You now have less than two months to ensure that SCA is incorporated into your business’ digital commerce experience. More importantly, you have less than two months to ensure that SCA becomes a seamless part of the user experience for all users regardless of device, bank or payment method. Even if you’re up and running already, achieving the necessary test coverage to deliver a quality experience is an ongoing challenge. Fortunately, Applause can help.
Testing Payments in the Wild
The biggest challenge to payment testing and validating SCA is gaining access to the right testers and devices in the right locations with the required payment methods. Particularly for U.S.-based retailers that sell in the EU, leveraging European testers is a significant challenge – even more so when you need to make real transactions and do so on short notice.
Custom Testing Teams
Applause gives retailers on-demand access to the Applause Community to test the payment flows that they need to validate. Testing teams are not only customizable by demographic, but also by attributes like which banks and devices they use. This allows for a far more localized experience with insight from those who represent your ideal customer profile.
Expanded Device Coverage
With every device providing its own experience and its own SCA options (biometric support varies by device), having access to those devices, and the bandwidth to test the large majority of them, is invaluable. Every customer should experience the same flow without friction, so the ability to cover a broader device base makes a big difference.
You can test your digital experience in simulated environments, but nothing replicates the value of testing in the real world. Real users provide perspective and critical feedback that no simulation can replace. Especially when consumer security and potential fines are at stake, it is imperative to understand exactly how your experience will work in the real world.
Strategic Testing Expertise
You may not have all of the answers when it comes to SCA testing, but that shouldn’t keep you in the dark. We work closely with your development and payment teams to ensure you are set up for testing success. Everything from assessing your current status to building a comprehensive test plan to recruiting the in-market testers to execute on that plan can be managed by Applause. When time is of the essence, having a team in place to help navigate your way forward is invaluable.
When it comes to the security of your customers’ money and data, there is no room for error. Ensure you don’t fall short of PSD2 mandates by rethinking your testing strategy. The more thorough you are today, the happier your customers will be tomorrow and beyond.