January 2018 will see a significant change in the entire European payments landscape with the final adoption of PSD2.
Otherwise known as the Second Payment Services Directive, PSD2 is a manifestation of the European Union’s mission to open-up payments to new entrants, properly regulate the industry and make sure that it is secure for businesses and consumers alike.
There are two key elements to this Directive:
- It will introduce opportunities for account information service providers (AISPs) and payment initiation service providers (PISPs) who can bring new products to market.
- Merchants won’t be able to implement customized fraud prevention tools based on personal risk assessment as two-factor consumer authentication will be mandatory.
What effect, though, will this have on chargebacks? We believe it has considerable potential to make an already costly situation worse.
PISPs allow consumers to make payments direct from bank accounts. It will be welcomed by consumers as it gives more choice and it will be welcomed by merchants as an alternative to card schemes.
Card schemes are, of course, dominated by a few multinationals and opening up the market to more competition should drive down costs and improve service.
However, card schemes themselves offer protection to consumers through chargeback services. As we know, these services are all too often taken advantage of, leading to the friendly fraud that we help fight against.
Yet this should not detract from the fact that chargebacks are an important tool in consumer rights and confidence. What will happen in the case of PISPs? Will smaller entrants have the same scope as large schemes to manage chargebacks and disputes? If not, it is reasonable to assume that merchants and consumers could both suffer.
The other element, the two-factor consumer authentication, is another area of potential concern. The European Banking Authority (EBA) has produced its final draft regulatory technical standards (RTS) and these are now with the European Commission and then European Parliament for approval.
The EBA has said that the RTS should be taken as “law” as they are now for how the mandated “strong consumer authentication” should be implemented. Yet the final RTS will not appear until November 2018, some 11 months after PSD2 has been implemented. There are industry concerns that this gap will cause confusion from merchants and payments providers as to how to properly secure transactions during this period.
Fraudsters thrive on uncertainty and this gap between PSD2 and the final RTS for the security it mandates could be a perfect opportunity for criminals.
PSD2 has the power to transform payments in Europe for the better, making them easier, more cost effective and more secure. However, with any new initiative on this scale, such as the EMV liability shift that took place in October 2015 in the US, there will always be areas where things could possibly go wrong and it is right to point them out.
Finally, it is worth remembering that PSD2 covers one-leg transactions too, i.e. those transactions where only one part of it is in the EU. So merchants across the globe who want to trade with EU member states need to understand the opportunities and risks of PSD2.