PSD3: Authentic reasons to be cheerful

Since their inception, the Payments Services Directives (PSD) have set out to support the secure and successful growth of digital payments, fintech, and e-commerce across the EU - acknowledging the clear direction of travel: the digital economy is in its ongoing ascendence.

PSD1, which was adopted in 2007, sought to harmonize the legal framework for the creation of an integrated payments market across the EU. PSD2, which largely became applicable 11 years later in 2018, sought to build upon the first directive while addressing new barriers to entry for payments providers, security challenges and customer protection concerns that had arisen as the digital economy had grown considerably in size and sophistication.

Multi-factor authentication shook the industry

Now PSD3 is on everybody’s lips and we expect the final rules to be published at the end of 2024 or the start of 2025. So I will caveat these reflections with a note of caution because the final rules are yet to be seen. Indeed, with PSD2 the industry was expecting some fairly modest adjustments….until the rather late stages of the finalization process that is. At which point the rules around Strong Customer Authentication (SCA) demanding multi-factor authentication (3D Secure) were introduced, albeit with an implementation period that was extended to September 2019. Nevertheless, it was a very significant adjustment which had a high impact on the payments and ecommerce industry. More specifically it deeply impacted the buyer-journey, creating considerable friction for consumers.

There is no doubt that PSD2’s SCA requirements, as important as they are in terms of the consumer protection they stand for, took their toll on shoppers and merchants. Increased friction has led to lost conversion and decreased acceptance rates. Payments performance decreased significantly across Europe between 2019 and 2022, impacting retail ecommerce businesses in the pocket.

Prioritizing performance alongside compliance

That’s why at Checkout.com we mobilized quickly to create authentication products that mitigated the impact of SCA. Because no two transactions are the same, our Authentication solution utilizes rule setting and machine learning to tackle transaction complexity head-on with smart optimizations that give our merchant the best chance of acceptance in the face of SCA and 3D Secure requirements. Avoiding SCA where possible and building in soft-decline retries have been a significant way in which we have been able to help save our customers significant revenue. 

Europe seeks to address the payments performance deficit

However, most PSPs don't have their own authentication solution and may not have benefited from
these savings. And it's a point very much not lost on the European Commission (EC). While the Commission considers PSD2 to have been a success when it comes to consumer protection and the reduction of fraud they are seeking to address challenges associated with the directive, while building upon its strengths. The EC spent all of 2022 reviewing the application and impacts of PSD2 - particularly as it pertains to SCA. PSD3  seeks to make improvements to the functioning of the rules laid out in 2018/2019. 

The upcoming PSD3 rules seek to enhance SCA by refining crucial definitions, specifying additional exemptions for low-risk transactions, and maintaining a delicate equilibrium between security measures and the advancement of convenient, innovative, and accessible payment methods.

And improve the customer journey - as well as customer protection

These new regulations will likely improve the online checkout experience for customers. They offer greater clarity to financial institutions, card networks, and payment service providers regarding the application of SCA exemptions, particularly for transactions deemed lower risk or recurring. This could also pave the way for additional exemptions based on transaction risk and technological advancements. It is imperative for businesses to continually optimize their SCA systems under these new regulations to achieve optimal authentication outcomes. We welcome the introduction of new risk-based approaches to SCA exemptions. Our machine learning Authentication products are built and trained to decision payments in response to real-time risk assessments with the use of vast data points.

Imaginative thinking

We welcome some imaginative thinking in the upcoming directive. It reflects people’s real lives and real challenges when it comes to authenticating online.

Specifically, we are glad to see that PSD3 seems to recognize the particular friction introduced with the PSD2 policy of authenticating with “something you own, something you know, and something you are”. By shifting so that a customer can use two of the same category at the same time we anticipate measurable revenue capture improvements for merchants. For example: Under PSD3 a customer could authenticate a payment using a device token and a device-captured fingerprint, or using two cards, or a fingerprint and face ID… and so on. This is going to reduce friction and means people shopping on their phones will not have to redirect to their mobile app which is a hugely painful friction point. We anticipate this will bring better conversion completion and acceptance rates for the industry and smoother journeys for consumers.There is also an important point in PSD3 around accessibility in SCA processes. The full range of opportunities for creating more accessible authentication methods has not yet been fully outlined but includes verification by SMS or telephone call to remove the dependence upon smart devices.We fully support this intention and look forward to the spur of imaginative approaches and technologies that will support a better and more accessible digital economy.

Be ready, but don’t be scared

I recently had the great pleasure of speaking about PSD3 alongside an esteemed panel at the Merchant Payments Ecosystem conference in Berlin. From the questions and talking points there was a clear apprehension about PSD3. New regulations are never the sexiest topics in town. And PSD2 had without doubt introduced significant and sometimes radical changes. But to this apprehension, I would say two things:

1. This is about a thriving digital economy, at the end of the day. The ultimate aims and objectives of the regulators and authorities behind all of the Payments Services Directive are laudable. And at Checkout.com we fully get behind these objectives. By acknowledging the trajectory of growth for digital payments and the digital economy these directives are ensuring a continually updated environment within which our digital economy can thrive and deliver for the European market at large. And while all regulations can be laborious to meet and may carry unintended consequences, placing consumer protection, strong competition and the mitigation of fraud at the heart of these directives is what the industry needs in order to flourish in the long term.
   
   
2. Now is not the time for another big shake-up and the authorities know that. Everything we hear from the EC and EBA indicates that PSD3 is designed as an evolution, not a revolution (where PSD2 might have been a bit of a revolution!). There is no appetite from the authorities to rock the boat right now. They recognize that fintechs and ecommerce businesses alike are a more vital piece of the economic puzzle than they were even 6 years ago and that in this high interest rate environment they need to focus on performance above all else. As such they have also made clear that PSD3 should not come with hefty implementation costs.

So I believe when we think of PSD3 we have plenty of reasons to be cheerful. Especially when it comes to authenticating your customers’ payments. That being said there will of course be things merchants need to prepare for, and it's good to start thinking about it before the mandates are final. Increasingly it's coming onto the radar in conversations I have with our European merchants. And it's an important conversation to have with your payments service provider. They should be able to give you expert advice and ensure your business is ready for the changes. They’ll likely have a seat at the table with schemes and regulators, like we do. We always strive to represent the voice of our customers and our scheme and regulatory partners see us as a powerful conduit for representing merchant views.

And perhaps even more importantly your PSP should have your back when it comes to achieving high payments performance no matter what the regulations throw at you. They should have the Authentication , Fraud tools and AI-powered acceptance rate boosters in place that are built to adapt to an ever changing regulatory landscape and ensure that security and performance never become an unnecessary trade-off for your business.