Voice of the Industry

The stance of PSD2 on the security vs. simplicity debate

Monday 26 September 2016 09:03 CET | Editor: Melisande Mual | Voice of the industry

Thomas Sieghart, ACI Worldwide: Security is highly valued throughout the entire payments ecosystem, but it must be balanced with convenience

The nature of business, regardless of industry or sector, is a constant state of change. Innovators bring new products or services to market, altering consumer behaviour almost overnight. Disruptors reimagine well-established practices and suddenly even the most entrenched incumbents must scramble to adapt. And government organizations devise and implement new laws and regulations, shifting the rules in the middle of the game.

This third reason, government intervention, has taken centre stage with the promulgation of the European Commission’s revised directive on payment services (PSD2). Although long expected, PSD2’s impact upon the payments industry will be significant and sometimes unanticipated. As part of the Commission’s efforts to strengthen the internal EU market, it has far-reaching implications for card issuers, acquirers, payment service providers, and merchants. The revised directive requires stronger security for online payments and creates new business opportunities through mandated ‘access to the account,’ opening up space for new players and creating even greater incentives for innovation.

PSD2 accelerates the ‘security versus simplicity’ debate

The ‘security versus simplicity’ debate is not new to the payments industry. Merchants have long been incentivized to remove friction for shoppers, to increase checkout conversion rates and in turn revenues. Security enhancements are frequently seen as conversion killers, which pits security and conversion on opposite sides of the field. For example, two-factor authentication, which is essentially a second layer of security for a purchase, can act as friction that dissuades some shoppers.

PSD2 jumped directly into the fray of this debate through a section that mandated two-factor authentication—with some exceptions—causing tension for merchants and payment providers focused on seamless payments. As a result, payment service providers, acquirers, and other players that can innovatively combine and balance strong authentication and seamless payments are best positioned to gain the most in the new PSD2 world.

PSD2 spells out the exemptions to the required two-factor authentication, including digital wallets and pre-authorized merchants, both of which act as one-factor authentication immediately. Due to PSPs’ and merchants’ desire for the most seamless shopping experience, these exemptions, and payment providers’ ability to utilize them efficiently, represent key considerations for any payments strategy.

Finding the balance between security and convenience

Security is highly valued throughout the entire payments ecosystem, but it must be balanced with convenience. The best merchants already control fraud effectively and focus more on improving stubbornly low conversion rates. The PSD2’s mandate for two-factor authentication threatens to damage merchants’ conversion rates. As a result, merchants will turn to payment service providers that provide alternatives such as card vaults, that qualify as an exemption for the PSD2-required strong authentication. Thus, PSD2 gives payment service providers scope to differentiate their services and add value through creative and innovative checkout experiences.

One option is to innovate with new authentication methods. For example, biometric authentication, buoyed by booming smartphone penetration, is an authentication method that could improve the user experience. Smartphones will increasingly act as the second factor in two-factor authentication solutions.

A related and interesting development is the creation of generic authentication service providers and white label authentication solutions. These services can be used for all transactions that require authentication, not only payment services. Examples include the fingerprint authentication used in Apple Pay, MasterCard Identity Check, and the burgeoning ‘selfie pay’ solutions.

The payment categories that should enjoy a competitive advantage as a result of exemptions to strong authentication provisions are digital wallets and merchants that can pre-authorize shoppers, typically through registered accounts or mobile apps. The PSD2 guidelines suggest that digital wallets can forgo strong authentication for certain transactions. Digital wallets that store card credentials offer a powerful mix of security and smooth checkout for shoppers, simultaneously adhering to PSD2 and optimizing the shopping experience. Pre-authorized merchants, similarly, already have the one-time strong authentication that allows a faster checkout for returning shoppers.

The security versus simplicity debate is over

By drafting and promulgating PSD2, the European Commission effectively ended the debate surrounding security and simplicity, clearly favouring security. Yet the discussion continues, only in altered form. Now that the required level of security is known, it is up to savvy payment providers and merchants to harness the exemptions and other innovations to raise conversion rates while following the revised directive to the letter.

The whitepaper, “Driving Change with PSD2 and the MIF Regulation: Creating Opportunities in Europe,” provides a full description of PSD2, its impact upon the payments industry, and guidance for a proactive response. Read it today.

About Thomas Sieghart

Thomas is Principal Compliance Analyst at ACI Worldwide, bringing over 20 years of experience from leading roles in banking, card acquiring, and payments to his role. Before he joined ACI, Thomas was responsible for RBS WorldPay’s business operations for the DACH region and head of cards and payments for net-m Privatbank 1891. Thomas is ACI’s banking regulatory expert with extensive PSD2 and PCI-DSS knowledge.

About ACI Worldwide

ACI Worldwide, the Universal Payments (UP) company, powers electronic payments for more than 5.100 organisations around the world. More than 1.000 of the largest financial institutions and intermediaries as well as thousands of global merchants rely on ACI to execute USD 14 trillion each day in payments. In addition, myriad organisations utilise our electronic bill presentment and payment services. Through our comprehensive suite of software and SaaS-based solutions, we deliver real-time, immediate payments capabilities and enable the industry’s most complete omni-channel payments experience. To learn more about ACI, please visit www.aciworldwide.com. You can also find us on Twitter @ACI_Worldwide. 

 

