The coronavirus health crisis has shaken up the timetable for the application of the DSP2 component concerning strong authentication. But companies and banks have a new deadline: December 31, 2020 …
The new version of the Payment Services Directive (DSP2, known in English as PSD2) aims to further harmonize payment regulations. It introduces new security requirements for the initiation and processing of electronic payments and for the protection of consumers’ financial data.
Strong customer authentication (SCA), i.e. authentication with at least two identifying factors (code, password, a device in the customer's possession, biometric data, etc.), will be mandatory for online payments above 30 euros. It also means that the code sent by conventional SMS (OTP) will no longer be accepted by 2022.
In addition, it recognizes and regulates third-party payment service providers (third-party PSPs) who are authorized to access accounts, aggregate their data and initiate payment services.
National regulators and individual banks must therefore develop solutions or rely on competent partners to manage, among other things, this complexity.
Companies must therefore:
- Equip themselves with a dynamic and intelligent anti-fraud solution;
- Migrate to the right 3DS protocol;
- Set up an exemption management strategy and reduce friction.
But the pandemic has affected the schedule, which had already been changed once. The deadline had already been extended by six months in France, i.e. to December 31, 2020.
In Europe and in France (the EBA and the Banque de France), running-in tests must be implemented, followed by a gradual ramp-up. Since March 31, the “soft decline” in France has allowed a gradual increase in the volume of compliant transactions among those that remain on a simple VAD (authorization only).
Issuing banks can gradually reject any online transaction made on an e-commerce site if the site has not authenticated its customer (SCA). However, the “soft decline” today represents minus 0.05% of the total volume of transactions due to the health crisis.
But in January 2021, there will be a systematic rejection of unauthenticated transactions (excluding exemption). Note that in the United Kingdom, the local regulatory authority, the FCA, has decided to postpone the generalization of strong authentication to all e-merchants by 6 months to September 14, 2021.
Companies must therefore anticipate the “soft decline”. “Merchants who have not sufficiently anticipated the implementation of soft decline will be exposed to additional losses. In fact, if they are not able to interpret the bank’s response and direct their customers towards strong authentication, the baskets cannot be finalized. Direct loss of income for the merchant, but also very bad sales experience for the consumer…”, indicates Nicolas Engel, Director, CyberSource Global Services, an anti-fraud payment platform.