As touched upon in previous blog posts, the revision to the original Payment Services Directive – requiring stronger security for online payments – creates new business opportunities by opening up space for new players at the table and creating greater incentives for innovation. In doing so, PSD2 stirs up the ‘security versus simplicity’ debate, especially with regard to the two-factor authentication requirements.
The payment security section of PSD2 spells out a requirement for two-factor authentication – with some exceptions – which will cause tension in an industry focused on seamless payments. As a result, payment service providers, acquirers, and other players that can innovatively combine and balance strong authentication and seamless payments will be positioned to gain the most.
Payment security versus simplicity: strong authentication rubs up against market demand for seamless payments
The requirement for all online payments to be strongly authenticated is the most striking payment security provision in PSD2. It states that two-factor authentication is needed for all online payments, though there are certain exceptions. However payment services are trending strongly towards providing a more seamless consumer experience, and two-factor authentication makes this more difficult to achieve. Therefore the exceptions, and payment providers’ ability to exploit them, become important considerations.
Everyone in the payments ecosystem values security, but security must be balanced with convenience. The best merchants already control fraud well, and are focused on improving stubbornly low conversion rates, particularly for mobile. Mandating strong authentication for all transactions will reduce most merchants’ conversion rates and as a result they will welcome those payment service providers that provide alternatives such as card vaults or other tools that qualify as an exemption for the PSD2- required strong authentication.
Opportunity for payment service providers to develop solutions that combine convenience and strong authentication
New rules around authentication give payment service providers scope to differentiate their services and add value by offering creative and innovative checkout experiences.
One option is to innovate with new authentication methods. Biometric authentication, buoyed by booming smartphone penetration, is an example that could improve user experience. Smartphones will increasingly act as the second factor in two-factor authentication solutions, which in turn could accelerate the use of smartphones for purchases and payments.
An interesting development is the creation of generic authentication service providers and white label authentication solutions. These are services that can be used for all transactions that require authentication, not only payment services. Examples include the fingerprint authentication used in Apple Pay, MasterCard Identity Check, and the burgeoning ‘selfie pay’ solutions.
Exemptions offer competitive advantage
There are certain payment categories that could enjoy a competitive advantage as a result of exemptions to strong authentication provisions, such as digital wallets and pre-authorized merchants. Because two-factor authentication has a notoriously negative effect on conversion rates, savvy payment providers who are best able to enable wallet payments and pre-authorized merchant payments stand to increase their market share.
The PSD2 guidelines suggest that wallets could forego strong authentication for certain transactions, given that they adopt certain types of risk assessment. Wallets that store card credentials combine security with a smooth checkout experience for consumers, adhering to PSD2 and an optimized shopping experience. Pre-authorized merchants, similarly, already have the one time strong authentication that allows a faster checkout for returning shoppers.
The new white paper, Driving Change with PSD2 and the MIF Regulation: Creating Opportunities in Europe provides a fuller description of the MIF Regulation and PSD2, their impact upon the payments industry, and guidance for a proactive response. Read it today.