Meeting PSD2 Requirements for eCommerce Merchants with FIDO2.0 Strong Customer Authentication
E-commerce has grown significantly over the years, with more people utilizing digital shopping platforms as a more convenient means of acquiring goods and services.
According to Statista, global e-commerce sales are projected to almost double, from 3.5 trillion US dollars in 2019 to 6.5 trillion US dollars in 2022. The number of digital buyers worldwide is also rising: more than 2 billion people, representing more than 65% of internet users, are expected to buy goods and services online in 2021. In addition, the COVID-19 quarantine protocols requiring people to stay at home contributed to a surge in online shopping in 2020.
With this strong increase in eCommerce activity, fraud also continues to rise. In Europe, fraud losses from online payments are forecast to grow by 52% in 2024, with costs amounting to more than $25 billion.
Because of these proliferating eCommerce fraud threats, online merchants in Europe must comply with the revised Payment Services Directive (PSD2), passed by the European Banking Authority in 2015.
What is the Payment Services Directive 2?
The European Banking Authority (EBA) created the Payment Services Directive 2 (PSD2) to improve the security of financial transactions and to protect eCommerce merchants and consumers from online fraud.
Under PSD2, eCommerce merchants receiving or processing payments in the EU are obligated to comply with the new Strong Customer Authentication (SCA) regulations by January 2021, and those in the UK by September 2021. Under PSD2, strong customer authentication is required on all payer-initiated transactions when both the customer’s credit card issuer and the merchant’s payment acquirer are within the European Economic Area (EEA). This mandate aims to reduce fraud in digital transactions, ensuring that businesses interact only with legitimate customers and that every electronic payment is validated by the legitimate account holder.
PSD2 mandates that EU online businesses ensure that their shopping cart, payment gateway, and other eCommerce technology components satisfy the PSD2 SCA requirements by implementing multi-factor authentication (MFA). The MFA solution must use two or more of the following independent elements: knowledge factors (something you know, such as passwords, PINs, or knowledge-based security questions), possession factors (something you own, such as security keys or security cards), or inherence factors (something you are, such as biometrics: fingerprints, voice recognition, and so on).
Impacts of PSD2 Strong Customer Authentication on eCommerce Merchants
While PSD2 aims to enhance the security of online transactions, eCommerce merchants are concerned about the direct impact SCA will have on their businesses. Upgrading or transitioning to alternate SCA-compliant technology providers and the potential disruption of valued customer relationships are among online sellers’ concerns regarding PSD2’s SCA requirements.
Online sellers constantly worry about the consequences of added friction in payment processing. Customers often feel inconvenienced when their transactions take too long or when the checkout process is too complicated. The Baymard Institute reports that 27% of online shoppers abandon their carts because of complex checkout procedures. Cart abandonment rates can also rise to as much as 75% on slow-loading sites, while customer loyalty can drop by 50%.
To ease the burden on eCommerce sellers, the EBA identified transaction exemptions from SCA, including payments under €30, recurring billing and subscriptions, low-risk transactions, and transactions with merchants whitelisted by the customer.
Some sellers might consider dodging compliance, but this will likely yield more adverse effects. Online merchants might experience a rise in decline rates from payment processors on non-validated transactions, with a resulting decrease in customer conversion rates. Penalties and license revocation will also be imposed for non-compliance.
Online businesses are therefore challenged to identify, and possibly convert to, SCA-compliant technology providers that offer both high-level security and low-friction customer solutions.
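The scope rule and the two-independent-categories rule from the "What is the Payment Services Directive 2?" section, together with the exemption list above, amount to a small decision procedure that a merchant's checkout has to run. The following Node.js code is an added example, not authID's or any payment provider's code: the transaction fields, the factor names and the function names are assumptions chosen for illustration, and only the exemptions this article lists are modelled (the cumulative-limit counters in the PSD2 technical standards are deliberately left out). It also goes one step beyond the text by showing why a FIDO2 login satisfies the factor rule by construction.

```javascript
// Added example (not authID's code): a merchant-side checkout gate that models the
// PSD2 SCA rules stated in this article. Transaction fields and function names are
// assumptions for illustration; only the exemptions the article lists are modelled.

// EEA member states (EU-27 plus Iceland, Liechtenstein and Norway), ISO 3166-1 alpha-2.
const EEA = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
  "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
  "IS", "LI", "NO",
]);

// Each factor belongs to exactly one PSD2 category. A FIDO2 login presents the
// registered device (possession) plus the PIN (knowledge) or biometric (inherence)
// that unlocks its key, so it yields two independent categories by construction.
const FACTOR_CATEGORY = {
  password: "knowledge", pin: "knowledge", security_question: "knowledge",
  security_key: "possession", registered_device: "possession", payment_card: "possession",
  fingerprint: "inherence", face: "inherence", voice: "inherence",
};

// True when the presented factors span at least two *different* categories.
// A password plus a security question is two knowledge factors, not SCA.
function satisfiesSca(factors) {
  const categories = new Set();
  for (const f of factors) {
    const category = FACTOR_CATEGORY[f];
    if (!category) throw new Error(`unknown factor: ${f}`);
    categories.add(category);
  }
  return categories.size >= 2;
}

// In scope: payer-initiated, with both the issuer and the acquirer in the EEA.
function inScaScope(tx) {
  return tx.payerInitiated && EEA.has(tx.issuerCountry) && EEA.has(tx.acquirerCountry);
}

// Returns the exemption that lets an in-scope payment skip SCA, or null if none applies.
// Simplification: cumulative-limit counters from the PSD2 technical standards are not modelled.
function scaExemption(tx) {
  if (tx.amountEur < 30) return "low_value";
  if (tx.recurring) return "recurring";
  if (tx.lowRisk) return "low_risk";
  if (tx.merchantWhitelisted) return "trusted_beneficiary";
  return null;
}

function scaRequired(tx) {
  return inScaScope(tx) && scaExemption(tx) === null;
}

// Decide whether checkout may proceed or must step up to a second, independent factor.
function authorizeCheckout(tx, presentedFactors) {
  if (!scaRequired(tx)) return { ok: true, reason: "sca_not_required" };
  if (satisfiesSca(presentedFactors)) return { ok: true, reason: "sca_satisfied" };
  return { ok: false, reason: "step_up_required" };
}

// Constructed sample: a EUR 120 card payment with a German issuer and a French acquirer.
const SAMPLE_TX = {
  payerInitiated: true, amountEur: 120, issuerCountry: "DE", acquirerCountry: "FR",
  recurring: false, lowRisk: false, merchantWhitelisted: false,
};

console.log(authorizeCheckout(SAMPLE_TX, ["password"]));                       // step_up_required
console.log(authorizeCheckout(SAMPLE_TX, ["registered_device", "fingerprint"])); // sca_satisfied
console.log(authorizeCheckout({ ...SAMPLE_TX, amountEur: 15 }, []));           // sca_not_required
```

The point the gate makes explicit is independence: the categories are collected into a set, so stacking two knowledge factors never reaches the threshold, while any FIDO2 assertion with user verification contributes a possession factor and a second category at once.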
Solutions to Meet PSD2 Challenges
Although PSD2 includes knowledge factors in its list of compliant authentication elements, passwords may not be a strong enough barrier against fraudulent attempts, as they can easily be obtained by someone else. Verizon’s Data Breach Investigations Report shows that about 81% of hacking-related data breaches resulted from stolen passwords.
Microsoft, meanwhile, states that MFA can deter up to 99.9% of account compromise attacks if a robust combination of authentication factors is used. Inherence factors and possession factors are the ideal login credentials because they are not easily stolen or otherwise circumvented.
By leveraging FIDO2 authentication, eCommerce merchants can meet PSD2 requirements with the highest certainty without sacrificing customer experience. FIDO2 authentication uses cryptographic keys that bind account access to the user’s registered device and requires a second factor, such as a PIN or an on-device fingerprint or facial biometric, to unlock those keys. Today, most mobile phones and tablets, as well as recent desktop computers, support seamless FIDO2 authentication.
The EBA’s goals for PSD2 included efforts to make online payments safer and protect customers from fraud.
Under PSD2, strong customer authentication is required on all payer-initiated transactions when both the card issuer and the acquirer are within the EEA, and eCommerce platforms based in Europe and the UK must employ Strong Customer Authentication (SCA) to combat fraud and protect consumer data. Businesses must use robust MFA credentials that keep transaction authentication seamless while ensuring that consent to the transaction comes from the legitimate customer.
Verified™ by authID delivers trusted FIDO2 strong authentication for online transactions, tied to a trusted identity. At the point of registration, Verified harnesses authID’s seamless biometric identity proofing service to scan an identity document and biometrically match a user’s selfie to their document photo, thereby establishing a digital chain of trust between individuals, their accounts, and their devices. With Verified, businesses can meet PSD2 challenges for payment authentication while providing customers protection and convenience with each transaction.
Schedule a Demo with authID
authID.ai is a provider of an Identity Authentication platform that delivers a suite of secure, biometric identity solutions, available to any vertical, anywhere. authID’s products enable financial institutions to meet the challenges of PSD2 to provide customers a more secure and streamlined online transaction experience. Contact authID today at 1 (516) 778-5639 or visit authid.ai/demo to schedule a demo.