2019 Retail Tech Trends: PSD2 in the EU

This Black Friday saw online spending reach almost £1.49 billion in the UK – up 7.3% from the same day last year. As online spending continues to rise, web retailers must be prepared for new EU regulation that’s expected in September 2019, which could impact next year’s holiday sales.

While online retailers have used the convenience of click & collect and one-click payments to conquer the consumer marketplace, the imminent Payment Services Directive 2 (PSD2) legislation will mandate that all online transactions of more than €30 require improved authentication of the payer. This means that individuals making a purchase will be required to identify themselves through a two-step process, often referred to as two-factor authentication (2FA). 2FA is usually a code that you receive via text, email, or phone call. While it adds another layer of security, it also adds a level of complexity to the customer experience.

One thing is for certain: unless merchants and payment services providers figure out how to balance security, scale, and user experience in conforming to PSD2, the growth of holiday sales online in 2019 might actually take a hit.

Does PSD2 apply to my business?

Before we get into the finer detail of what this new authentication requirement means, you are probably wondering if your business is impacted by this new regulation. What are the specifics of “completing a payment in the EU”?

If your business processes payments that are completed in the EU, i.e. either the payer or the payee of the transaction is in Europe at the time of the purchase, then you need to abide by PSD2 for transactions of more than €30. This includes cases where only one party is in the EU and not the other. For example, if your business is in the United States but your customer is making a purchase from the EU, that transaction must abide by PSD2. The same applies for EU retailers selling to customers in the United States, Canada, or any other location.

Stronger authentication explained

To ensure better security for online transactions, PSD2 calls for Strong Customer Authentication (SCA), which at a minimum means implementing 2FA. Given the policy’s extensive reach, this requirement will impact billions of transactions daily.

What will happen to the beloved one-click shopping when users are required to enter an individual authentication code for each purchase?

What makes PSD2 particularly complex is its dynamic linking requirement. It states that the authentication code for each transaction must be unique and specific to the transaction amount and recipient, and that both the amount and the recipient must be made clear to the payer when authenticating.
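The dynamic linking idea described above, as an added example that is not from the original article or from any provider's API: a one-time code derived from the amount, payee and a per-transaction nonce, so that changing either detail or replaying the code fails verification. The HMAC-SHA256 construction with HOTP-style truncation, the six-digit length and all names are assumptions for illustration; PSD2 does not prescribe them.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

DIGITS = 6  # assumed code length, not mandated by PSD2


def _canonical(amount: Decimal, currency: str, payee: str, nonce: bytes) -> bytes:
    # Length-prefix every field so adjacent fields cannot be shifted into
    # one another (e.g. "EU"+"Rshop" vs "EUR"+"shop") and yield the same MAC input.
    fields = [f"{amount:.2f}".encode(), currency.encode(), payee.encode(), nonce]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def transaction_code(key: bytes, amount: Decimal, currency: str,
                     payee: str, nonce: bytes) -> str:
    """Derive a code bound to this amount, payee and nonce."""
    mac = hmac.new(key, _canonical(amount, currency, payee, nonce),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def verify(key: bytes, submitted: str, amount: Decimal, currency: str,
           payee: str, nonce: bytes, used_nonces: set) -> bool:
    """Accept the code only for the exact transaction it was issued for, once."""
    if nonce in used_nonces:  # replay of an already approved transaction
        return False
    expected = transaction_code(key, amount, currency, payee, nonce)
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    used_nonces.add(nonce)
    return True


if __name__ == "__main__":
    # Constructed sample transaction; key and nonce are generated locally.
    key, nonce, used = secrets.token_bytes(32), secrets.token_bytes(16), set()
    amount, payee = Decimal("49.99"), "Example Shop Ltd"
    code = transaction_code(key, amount, "EUR", payee, nonce)
    # The payer is shown the amount and payee next to the code.
    print(f"Approve {amount} EUR to {payee}? Code: {code}")
    print("altered amount:", verify(key, code, Decimal("949.99"), "EUR", payee, nonce, used))
    print("original      :", verify(key, code, amount, "EUR", payee, nonce, used))
    print("replayed      :", verify(key, code, amount, "EUR", payee, nonce, used))
```

A production verifier would also cap failed attempts per transaction, since a six-digit code can otherwise be guessed.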

Various services exist to help retailers implement 2FA services into their businesses. For example, the Twilio Authy API makes it simple to add 2FA to existing applications. Retailers can choose from a range of options including simple SMS-based 2FA, which uses a one-time passcode sent through an SMS message, and the more sophisticated (and secure) app-based push authentication, among many others. Time-based one-time passcodes (TOTP) should also be considered, since they allow for authentication without requiring either an internet or cellular connection. Regardless of the method, retailers will need to utilise one of these 2FA methods to meet new SCA guidelines.

The customer experience impact

What do PSD2 and SCA mean for your customers? While enhanced security is an important benefit amid the rising costs of fraud for online financial transactions, the extra steps required can hamper the shopping experience. Retailers should be careful in choosing an authentication flow that is least intrusive to the customer, while making sure it’s PSD2-compliant. For example, financial services companies have been using push authentication for 2FA, because it only requires a single touch from the user to approve or deny a transaction and can be done in a company’s existing application. Other methods, which require users to re-enter codes, can hamper the user purchasing experience and can take a user away from the application to read their SMS messages.

Looking forward, the biggest opportunities following PSD2 may come in the form of new technologies that aim to simplify online payments or transfers. By paving the way for new players to innovate, PSD2 could encourage a revolution in the payments industry, affecting everything from the way we pay online to what information we see when making a payment.

Proper compliance with PSD2 will be critical to ensure the continued growth of online and mobile commerce. The retailers that ‘win’ will be the ones that can maintain a seamless customer shopping journey by leveraging new technology that balances security and compliance with user experience and scale.