Online payment fraud is on the rise, with the global total of ecommerce losses increasing from $17.5 billion in 2020 to $48 billion in 2023, boosted by the opportunities created by the growth in online shopping during the pandemic.
In 2022 alone, US ecommerce merchants reported an average of 1,200 attacks per month, a 50% increase on the previous year. Although few of these fraud attacks were successful, the figure should serve as a warning to US businesses to be vigilant against the ever-present threat of cybercrime.
Luckily, you’re not in the fight alone. Regulations in the global payment industry, such as the EU’s PSD2, are helping to bolster the security of online transactions for merchants and their customers through Strong Customer Authentication (SCA) and other measures.
What does an EU-mandated directive have to do with US businesses? Well, if you do business, or have a presence, in the EU or European Economic Area (EEA), then you must comply with PSD2 and SCA requirements. Not only that, but there are concerns that PSD2 is increasing fraud in the US as criminals shift their focus to a less regulated market.
With that in mind, here’s everything you need to know about how PSD2 impacts US businesses, how you can comply with the regulations, and how they’re likely to be updated in the near future.
Implemented in 2019, the Payment Services Directive 2 (PSD2) is an updated version of the EU’s original 2007 directive.
PSD2 expands on its predecessor by creating a safer and more secure online payments environment for businesses and consumers, and improving customer rights. It also aims to challenge monopolies in the banking industry by creating a more level playing field for third-party service providers.
The main aspects of PSD2 are:
As it relates to American businesses, the SCA mandate applies to merchants doing business in the EEA. For now, SCA mandates are relevant to U.S. merchants that meet the following criteria:
If a good portion of traffic is coming from Europe, merchants may want to consider setting up an EU entity. Setting up domestic processing with a provider like Checkout.com will minimize cross-border costs and will ensure automatic SCA compliance in Europe, saving costs and boosting authorization rates.
Thinking about expanding into the European market? Businesses will need to comply with PSD2 regulations and SCA. This will require building a different user flow from the U.S. flow. This makes it critical to put into place transition plans and find the right partners to account for design and user flow testing.
In this scenario, a company's European entities must be SCA compliant. If transactions are not SCA ready, businesses may begin to see declines in authorization rates and may already be at risk of declined payments from the issuers. For enterprise merchants, dedicated payment teams should be working with a provider that is fully compliant.
As well as mandating that US businesses comply with SCA if they meet the above criteria, PSD2 is having a knock-on effect in the US market in a number of other ways, including:
While 3D Secure authentication measures have existed in the U.S. since 2001, adoption rates were exceptionally low for several reasons. The original version was not user-friendly and did not anticipate the proliferation of mobile usage or the popularity of ecommerce, making it ineffective in protecting today's consumers. For context, 3DS1 was developed before the first iPhone was launched in 2007; by 2017, only 18% of US-based transactions leveraged 3DS.
One major attraction of 3DS2 is the liability shift for fraudulent chargebacks to card issuers. Each card scheme has its own set of "rules", so be sure to check with your acquiring bank on where and how liability shifts will be applied.
Now that PSD2 is in effect, any US business operating in, or accepting payment from, EU and EEA customers (or that plans to do so) must be prepared to meet SCA requirements.
Failure to do so could seriously impact your authorization rates, as issuing banks will refuse to authorize any relevant transaction that doesn’t utilize multi-factor authentication. Ultimately, a drop in authorizations means a drop in revenue.
Businesses should also ensure their payment flows are suitable for customers in all PSD2-mandated countries. That means implementing a smooth checkout experience that routes customers to the necessary authentication procedures while reducing the risk of an abandoned purchase or a declined payment.
In May 2022, the EU Commission began consulting on how it could revise PSD2 in response to the rapid pace of change in the banking industry since its implementation, especially in light of the pandemic’s impact on the growth of digital payments.
PSD2 has proven to be effective in achieving its ambitions: SCA has successfully reduced fraud on card transactions and a more open payments ecosystem has seen increased collaboration between institutions and a growth in third-party providers.
As a result, the proposed PSD3 will not aim to completely revolutionize its predecessor, but to evolve it. Likely measures include an increased focus on security, consumer rights, and ways to improve the value of products and services in the payments industry.
In practice this could mean:
The Commission is set to bring forward its initial proposal for PSD3 legislation in June 2023, after which it will be scrutinized by various EU institutions. However, the next European Parliament elections - which will lead to the appointment of a new head of the Commission and team of commissioners - are in May 2024, meaning the legislative process for PSD3 is likely to spill into the next commission’s term.
On that timeline, it's unlikely that PSD3 will take effect before 2026, and it may be later still, depending on the implementation period agreed by the Commission.
Affected US businesses should follow these steps to comply with PSD2:
US businesses should take full advantage of this lead time with research and implementation plans. One major item is to ensure that your payment service provider is SCA-compliant and has proper 3DS2 tools already in place.
If you have EU entities or take payments from EU customers, you must audit your EU operations to ensure they’re compliant with PSD2 mandates. This means implementing multi-factor authentication and ensuring your complaint response processes are in line with PSD2 requirements - i.e. resolving disputes in a timely manner.
Finally, you should ensure your US operations are prepared to handle the increased risk of fraud caused by PSD2 by implementing a robust fraud detection and prevention solution. You should also ensure you’re PCI compliant, which requires you to maintain rigorous security standards in order to protect cardholder data.
Checkout.com's 3DS2 hosted solution complies with these regulations and is designed for easy setup for both a US-based business and its European operations.
Merchants can also take advantage of Checkout.com’s Sandbox environment which offers a sophisticated platform simulation to test any 3DS2 authentication and related payment scenarios.
By understanding the requirements early, merchants will also be better prepared to apply and identify as many SCA exemptions as possible like low-value, low-risk, and trusted beneficiaries. By applying exemptions, businesses will benefit with higher approval rates and can preserve the user experience by reducing unnecessary stoppage points.
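To make the routing and exemption logic from the two passages above concrete, here is an added example (not Checkout.com code, and not any scheme's or PSP's API) of how a merchant-side decision function might pick which SCA exemption to request before sending a transaction into 3DS2, and route the shopper to a frictionless or challenge flow accordingly. The amount and fraud-rate thresholds are the ones in the PSD2 Regulatory Technical Standards on SCA (low-value exemption in Article 16, transaction risk analysis in Article 18); the `CardState` counters, the trusted-merchant set, the acquirer fraud-rate input and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Thresholds from the PSD2 RTS on SCA, in EUR. Low-value exemption: Art. 16;
# transaction risk analysis (TRA) exemption: Art. 18 reference fraud-rate table.
LOW_VALUE_LIMIT = 30.00
LOW_VALUE_CUMULATIVE_LIMIT = 100.00
LOW_VALUE_MAX_COUNT = 5
# (maximum transaction amount, maximum acquirer reference fraud rate)
TRA_BANDS = ((100.00, 0.0013), (250.00, 0.0006), (500.00, 0.0001))


@dataclass
class CardState:
    """Per-card counters a PSP would track (assumed structure, not a real API).

    The low-value counters restart every time the issuer applies SCA to the card.
    """
    cumulative_low_value: float = 0.0
    low_value_count: int = 0
    trusted_merchants: set = field(default_factory=set)


def select_exemption(amount, merchant_id, card, acquirer_fraud_rate):
    """Return the exemption a merchant could request for this transaction, or None.

    Order of preference (an assumption): trusted beneficiary first because it has
    no amount cap, then low value, then TRA.
    """
    if merchant_id in card.trusted_merchants:
        return "trusted_beneficiary"
    if (amount <= LOW_VALUE_LIMIT
            and card.cumulative_low_value + amount <= LOW_VALUE_CUMULATIVE_LIMIT
            and card.low_value_count < LOW_VALUE_MAX_COUNT):
        return "low_value"
    # TRA: eligible if the amount fits a band whose fraud-rate ceiling the
    # acquirer meets. Bands get stricter on fraud rate as the amount cap grows.
    for max_amount, max_fraud_rate in TRA_BANDS:
        if acquirer_fraud_rate <= max_fraud_rate and amount <= max_amount:
            return "tra"
    return None


def route_transaction(amount, merchant_id, card, acquirer_fraud_rate):
    """Decide the checkout flow and update the card's counters.

    Returns (exemption, flow): flow is "frictionless" when an exemption is
    requested and no challenge is shown, or "challenge" when the shopper is sent
    through 3DS2 step-up authentication.
    """
    exemption = select_exemption(amount, merchant_id, card, acquirer_fraud_rate)
    if exemption is None:
        # SCA will be applied, so the issuer's low-value counters restart.
        card.cumulative_low_value = 0.0
        card.low_value_count = 0
        return None, "challenge"
    if exemption == "low_value":
        card.cumulative_low_value += amount
        card.low_value_count += 1
    return exemption, "frictionless"


if __name__ == "__main__":
    # Constructed walk-through: five EUR 25 purchases exhaust the low-value
    # allowance, after which the same amount falls back to TRA.
    card = CardState()
    for _ in range(5):
        print(route_transaction(25.00, "merchant-42", card, 0.0005))
    print(route_transaction(600.00, "merchant-42", card, 0.0005))
```

Two practical points the code embodies: a merchant only requests an exemption, and the issuer can still decline it and force a challenge, so the "challenge" branch must always be wired up; and a transaction that goes through on a merchant-requested exemption does not get the chargeback liability shift that a challenged 3DS2 transaction does, so the exemption strategy is a trade-off between approval rate and fraud exposure.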
Checkout.com’s Unified Payments API tool also gives merchants a way to future-proof their payment infrastructure by facilitating the addition of more alternative payment methods to their checkout – without any additional development or integration work. With SCA-compliance already built into the API, merchants will automatically be ready once the regulation is fully enforced.
As an added bonus, using Checkout.com’s API will help minimize integration work down the road as SCA mandates roll out into other regions including Asia and Latin America next year, saving merchants additional resources and time if they operate or are planning to open entities in those regions.
To get set up with Checkout.com’s Unified Payments API or to learn more about our 3DS2 hosted solution get in touch with our sales team today.