As the mid-September deadline draws closer for a major transition of customer authentication rules for ecommerce transactions in Europe, a growing number of voices are seeking a pause to prevent what they fear could be a logistical nightmare for merchants, banks, payment processors and consumers.
The issue involves the transition to Secure Customer Authentication, a move by European regulators under what is called the second Payment Services Directive to lower the risk of fraud as more consumers make purchases through ecommerce channels.
Essentially, future purchases will require all transactions to be authenticated using two of three authentication methods:
Something a customer knows, like a PIN code or password.
Something a customer has, like a smartphone or token.
Something that uniquely identifies the customer, like a fingerprint or facial recognition.
"There are numerous factors that have led to the possible extension of the PSD2 deadline," Nick Maynard, senior analyst at Juniper Research, said via email. "Primarily, the lack of readiness amongst non-payment service providers is the most compelling of the factors."
He said of particular note is the lack of readiness among ecommerce merchants. The concerns of the merchant community have grown even louder in recent days, as just yesterday, the European Association of Payment Service Providers for Merchants called for an additional 18-month extension on the deadline and up to a 36-month extension for the more challenging cases.
Market complexity
"Clearly there have been concerns about the industry's preparedness and ability to comply with the requirements for SCA," Ron Van Wezel, a senior analyst with Aite Group, said via email. "These concerns apply in particular to ecommerce — many SMEs would not be ready by the 14 Sept. deadline and acquirers need more time to convert to SCA."
European regulators last month said they could not legally change the deadline but would allow additional room for national authorities to work with payment service providers, emerchants, consumers and other stakeholders who may need additional time to prepare. A spokesperson for the European Banking Authority also told Mobile Payments Today that legally the Sept. 14 deadline could not be changed, but the group acknowledged some of the difficulties that could lead to potential disruptions and was working to address them.
Eric Litch, president and COO of 2Checkout, said the rising use of ecommerce sites by consumers and recent industry upgrades to protect traditional retail stores are leading hackers and other bad actors to change their approaches to cyber attack.
"As electronic commerce grows in volume, the attractiveness of attacking the transaction and buyers becomes greater," Litch said via email. "Also as more secure methods are applied to physical point of sale like chip-and-pin and other related methods, the fraudsters migrate to less secure channels."
Industry groups from ecommerce merchants to banks and digital security firms, however, said there were technical shortfalls and other issues that would make the September conversion deadline a serious problem and could lead to massive problems across the spectrum.
A report from Aite Group, authored by Wezel, indicated that only 25% of European online merchants were even aware of the Sept. 14 deadline for compliance.
Digital security
"The PSD2 directive has faced strong opposition in the market as the timeline to implement a solution with the complexity of the new Strong Customer Authentication rules for ecommerce transactions has always been seen as a challenge," Scott Edington, CEO of Deep Labs, told Mobile Payments Today via email. "The two-step verification process, with many requirements within that new process, requires a high degree of technical and security knowledge and time to build and put into production that new process."
The San Francisco-based digital security firm has used artificial intelligence to develop solutions to meet the new PSD2 requirements. In March, for example, it launched "Deep Identity" to track transactional risk analysis, which leverages data signals and context-aware machine learning to help confirm risk levels.
Tink, a Sweden-based open banking platform, issued a statement last week asking European regulators to delay the conversion, citing the fact that only 69% of European banks had made their application programming interfaces available as directed by the June 14 deadline.
"Although we can't speak for all banks in Europe, one of the reasons may be that this is uncharted territory and little guidance for what a good environment should look like has been provided," Tomaz Prochazka, vice president of product at Tink, told Mobile Payments Today via email. "It's like they've been tasked with building a bridge, and whilst they've seen one, they are not engineers."