PSD2 — the Change to Online Card Payments Happening in 2021
What is PSD2?
The 2007 Payment Services Directive was an initiative which aimed to establish a single payment market in the European Union to promote innovation, competition and efficiency in the EU that became a piece of pan-European legislation in 2009.
The Revised Payment Services Directive (PSD2) is an updated proposal accepted by the European Parliament in 2015. There are many parts to PSD2, but the bit that matters most to me, that I will focus on for this article, is Strong Customer Authentication (SCA).
What is Strong Customer Authentication?
In this context, Authentication refers to proving the actor claiming to be the cardholder is in fact, the rightful cardholder. They are authenticating their claim to use the card.
This is not to be confused with Authorisation, which is when the merchant obtains permission to take payment for a defined amount. This ring-fences that amount from the Customer’s card, but the debit is not committed until a request to Capture the funds is issued. (Depending on the services exposed by your Payment Services Provider, Authorisation and Capture may be requested in a single call).
You may already be familiar with Authentication — if you’ve ever had a 3D Secure challenge when you’ve tried to make an Online payment. And if you have, you’ll recognise that 3D Secure is unpleasant. It doesn’t have a native mobile App implementation — so mobile apps have to use webviews. The Issuer challenge pages were originally designed for desktop browsers, so rendered awfully on mobiles. But worst of all it adds friction into the Customer payment journey and is a cause of drop-out during checkout.
Strong Customer Authentication is defined by PSD2 as:
an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;
And so 3D Secure v2 (aka EMV® 3-D Secure) was created to meet the need to create:
a new 3-D Secure specification that would support app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions
3D Secure v2 has a goal that Issuers should only challenge 5% of transactions, which should lead to a more frictionless checkout experience for the many.
The onus on eCommerce Merchants is to implement SCA into online card payment flows, otherwise authorisations will be declined once PSD2 comes into enforcement (September 2021). There is no “do nothing” option here.
What’s the catch?
If SCA provides better protection for the Customer, and less friction, what’s not to love?
Dynamic Linking is what’s not to love. Dynamic Linking is part of SCA2 that says the Authorisation amount cannot be more than the Authentication amount — i.e. that the actual charge cannot creep up above the amount seen by the customer at the point of SCA.
For most industries, that’s not really a problem but for Online Grocery industry there’s a unique scenario that weighs in here:
Bananas. Or more generally, weighed product lines. The problem here is that at the point of order, we know how much of a product the customer has requested — we don’t yet know how much of the product the customer will get.
For example, the customer has requested 500g of bananas. When it comes to picking the order it’s highly unlikely that the picked quantity will be exactly 500g. It’s not an option to split the product to make weight— nobody wants to get 3/4 of a banana in their weekly shop! So there could be some shift in the cost of the picked order vs the placed order. And for fresh foods, customers are often choosing their quantities based on planned meals, so under-picking doesn’t go down well, meaning the most likely outcome is a small upwards creep for the picked order cost.
An additional consideration is substitutions. If the items the customer selected are unavailable, standard practice is to substitute with a reasonably equivalent product. But the price of that substitute product may differ from the requested product. A Grocer isn’t likely to substitute a cheaper product as the Customer will either reject based on a perception of quality, or like the cheaper item and switch to it going forwards.
In both scenarios, there’s a risk of going against the principle of Dynamic Linking which is “thou shalt not increase the cost!”
What can an Online Grocer do?
Strategies for working with Dynamic Linking
Thankfully there are some options to hand:
- Upwards tolerance
- SCA exemptions
- Honour the placed order cost
- Adjust business processes to never increase cost at pick
- Authenticate for a higher amount
The European Central Bank is clear in its advice to Card Issuers that there is no upwards tolerance. That is, the Authorisation amount must not exceed the Authentication amount.
In the UK, however, UK Finance has taken a softer line, that a reasonable upwards tolerance is acceptable (with “reasonable” being in the eye of the Customer). Whilst “reasonable” tolerance has not been explicitly defined yet, the word on the street is that we can expect something between 10–20% as being acceptable. This would certainly provide a comfort zone for cost variance at pick.
There are a number of SCA exemptions provisioned for by PSD2 nicely summarised in this PSD2 Preparation document from Visa. The ones of interest for an Online Grocer are:
- Trusted Beneficiary — the customer declares the Merchant as trusted, and does not wish to be authenticated when shopping on their site. This is great for the customer because they have a frictionless experience, but the Merchant cannot influence (and indeed is unaware) whether the Customer makes them a Trusted Beneficiary.
- Low value — if the transaction amount is low (<€30) then Authentication may be skipped (subject to other velocity considerations). That’s not hugely useful to Grocery orders which typically have a minimum basket spend above that threshold.
- Acquirer Transaction Risk Analysis — where the Merchant has an effective risk analysis process in place, this exemption can be requested if the analysis suggests low risk. Again, there are controls in place to ensure this is not abused — the Merchant’s fraud rate must remain within a strict tolerance, and the Issuer can ignore the exemption request and insist on a challenge.
Honour the Placed Order Cost
This is a very simple solution to Dynamic Linking but it comes at the cost of margin as the Merchant is giving goods away for free when the picked cost goes above the placed order cost.
Adjust Business Processes to Never Increase Cost at Pick
Accepting that an Online Grocer will have cost variance at pick, there is the option to ensure that picked quantity/weight never exceeds that which the Customer ordered.
This is easier said than done though as it will require changes to the picking software and/or manual pick processes — for example, to remove 1 banana from the picked bunch. It also gets more complicated when you have products in different value bands. Say for example the Customer orders 4 cans of the value range chopped tomatoes, and during pick you’re out of stock. You could substitute a more expensive brand, but that would increase the cost. You could pick fewer of the substituted item to keep to the placed order cost, but how is the Customer going to react, when they don’t have enough chopped toms to make the meals that planned for the week?
Clearly, this isn’t a good option for the Grocer or the Customer.
Authenticate for a Higher Amount
Recall that Authentication is the process of verifying the Customer is actually the rightful cardholder. Authentication does not ring-fence nor take any funds from the Customer’s payment card. So why not Authenticate for a higher amount, but do the authorisation and capture for the actual (lower) picked order cost?
There are 2 downsides to this. The first is that the Issuer is evaluating risk in the 3D Secure v2 lookup check. A higher authentication amount will mean higher risk, which could lead to an increased challenge rate. This could be mitigated by setting the Authentication amount a reasonable step above the Customer-picked order amount rather than a blanket ceiling value.
The second downside is that Customers just don’t get it. In user testing a trial of this, it tanked! Customers saw an amount on-screen that wasn’t their basket total and that was enough confusion to halt progress. And that’s not surprising — there is no existing use case that I’m aware of where the Authentication would be artificially higher than the goods being purchased.
What is the Best Solution?
The simple answer is that what suits one Grocer may not suit another.
What is clear to me is that Upwards Tolerance should give enough wiggle room to allow cost variance due to weighed good and substitutions. Beyond that, every option has a trade-off.
I’d like to think that Higher Amount Authentication could work with the right User Experience design. Maybe it’s something that will take time to become accepted — in the same vein as 3D Secure’s first iteration.
One thing is for sure — come Winter 2021 SCA will be ubiquitous and all Online Merchants will need to be ready.