PSD2: how new EU regulations will change the e-commerce game from September 2019
From 14 September this year, all online retailers will have to ensure they’re compliant with the Payment Services Directive 2 (PSD2) legislation. The EU directive mandates that any online transaction over €30 requires improved authentication.
This will mean that anyone making an online purchase will be required to identify themselves through two-factor authentication (2FA).
In the past online retailers have been able to promote and push the convenience of click and collect and other comparable forms of “one-click” payment methods, but PSD2 will change this because, by its very nature, 2FA needs more than a one-click. Instead, it typically requires that customers supply a one-time code received via a text, email, or phone call to authenticate their payment.
While 2FA undoubtedly adds another layer of security for users, it also introduces an added level of complexity into the customer experience.
Yet, with online spending only continuing to rise (with online Black Friday sales in the UK last year reaching £1.49 billion, up over seven per cent year-on-year), web retailers need to consider how best to ensure PSD2 compliance. This needs to be done while also working to avoid any potential negative impact on the user experience and, consequently, overall sales (particularly during some of the busiest periods for UK retailers).
Figuring out how to balance security, scale, and user experience while conforming to PSD2 is a vital challenge that should be on the radar of every payment service provider.
Who exactly does PSD2 apply to?
Within the language of the directive itself, this would be anyone “completing a payment in the EU” (over the value of €30).
This means that any business that processes a payment that is completed within the EU (where the payer OR the payee is in Europe at the time of purchase) must ensure they’re compliant with the directive by 14 September 2019 at the very latest.
This applies even when only one party is in the EU at the time of purchase. If, for example, a business is based in the United States but the customer making the purchase is in the EU, then the transaction must follow the rules laid out by PSD2. The opposite also holds true – if an EU retailer is selling to customers elsewhere in the world, they too must follow PSD2’s rules.
What does stronger authentication actually look like?
As a minimum requirement, PSD2 calls for the implementation of 2FA. This will provide a better base-level of security for online transactions. After 14 September this year, this requirement will likely impact billions of transactions every day.
What will become of one-click shopping after this date?
PSD2 requires that all 2FA authentication codes are unique to a particular transaction. The amount and recipient must also be made clear to the payer at the point of authentication. This dynamic linking requirement is certainly another complex criterion within PSD2 that could spell trouble for one-click shopping as we know it.
There are, however, a number of available services designed to support retailers looking to implement 2FA in their businesses. With such tools, retailers can choose from a few options such as traditional SMS-based 2FA, which uses a one-time passcode sent via SMS message, and the more sophisticated (and secure) app-based push authentication, to name but a few choices.
Time-based one-time passcodes (TOTP) are another viable option, particularly because they allow for authentication without requiring internet or cellular connectivity. Regardless of the method, retailers must use one of these 2FA methods to meet the new guidelines.
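The following worked example, added here and not code from the article or from Twilio, shows what the dynamic linking requirement above means in practice. It implements standard HOTP (RFC 4226) and TOTP (RFC 6238) one-time codes with the Python standard library, then binds the code to a specific transaction by deriving a per-transaction key from the shared secret, the amount and the payee. The transaction fields, the key-derivation step and the payment-server check are this example's own assumptions, not a PSD2 or Twilio API; the verifier then accepts the code only if the amount and recipient it holds match what the payer approved, which is the property dynamic linking is meant to give.

```python
"""HOTP/TOTP one-time codes and a PSD2-style dynamic-linking check.

Added illustration for the article above; standard library only. The
per-transaction key derivation and the transaction fields are assumptions
made for this example and are not a published standard or vendor API.
"""
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at // step), digits)


def transaction_key(shared_secret: bytes, tx_id: str, amount_cents: int, payee: str) -> bytes:
    """Bind the shared secret to the transaction details (assumed construction for dynamic linking).

    Any change to the amount or payee yields a different key, so a code approved
    for one transaction cannot be replayed against a modified one.
    """
    details = f"{tx_id}|{amount_cents}|{payee}".encode("utf-8")
    return hmac.new(shared_secret, details, hashlib.sha256).digest()


def dynamic_code(shared_secret: bytes, tx_id: str, amount_cents: int, payee: str,
                 at=None, digits: int = 8) -> str:
    """Code shown to the payer alongside the amount and recipient they are approving."""
    return totp(transaction_key(shared_secret, tx_id, amount_cents, payee), at=at, digits=digits)


def verify_dynamic_code(shared_secret: bytes, tx_id: str, amount_cents: int, payee: str,
                        code: str, at=None, step: int = 30, digits: int = 8, window: int = 1) -> bool:
    """Server-side check using the authoritative transaction details.

    Accepts +/- `window` time steps for clock skew and compares in constant time.
    """
    if at is None:
        at = time.time()
    key = transaction_key(shared_secret, tx_id, amount_cents, payee)
    counter = int(at // step)
    for delta in range(-window, window + 1):
        candidate = hotp(key, counter + delta, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not real credentials or transactions.
    secret = b"constructed-shared-secret"
    now = 1_600_000_000
    code = dynamic_code(secret, "tx-1", 4999, "Example Shop", at=now)
    print("code shown to payer for EUR 49.99 to Example Shop:", code)
    print("accepted for the same transaction:",
          verify_dynamic_code(secret, "tx-1", 4999, "Example Shop", code, at=now))
    print("accepted if the amount was altered to EUR 99.99:",
          verify_dynamic_code(secret, "tx-1", 9999, "Example Shop", code, at=now))
```

The `hotp` and `totp` functions reproduce the RFC test vectors (secret `12345678901234567890`, counter 0 gives `755224`; time 59 with eight digits gives `94287082`), which is a useful check that an in-house implementation matches what authenticator apps compute. A plain TOTP code, by contrast, would verify for any amount and payee, which is exactly the gap the dynamic linking requirement closes.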
How will this ultimately impact the customer experience?
With the rising cost of fraud in online financial transactions, 2FA’s enhanced security is unquestionably helpful. But the extra steps it adds to the shopping experience can be viewed as a negative side effect.
For this reason, retailers should carefully consider authentication methods and should seek out one which will least disrupt the customer experience (while still making them PSD2 compliant).
In the financial space, where fraud and cyber-attacks have been front and centre for many years now, companies have already been looking at various authentication methods and have generally settled on app-based push authentication as the best means of authenticating customers. This is because, unlike other forms of 2FA, it only requires a single touch from the user to approve or deny a transaction, and it can be done in a company’s existing application.
In the future, the biggest opportunities around PSD2 may come in the form of new technologies that will help to simplify online payments. By helping to encourage innovation within the payment industry, PSD2 could revolutionise the payments industry, changing the way we pay online.
Proper compliance with PSD2 is critical to ensuring the continued growth of online and mobile commerce. The retailers that “win” in this respect will be the ones that preserve a seamless customer shopping experience via new technology that best balances security and compliance with scale and user experience.
By Nabeel Saeed, senior product marketing manager, Twilio
As someone from a Computer and Information Security background, some form of extra protection is a good idea, but for example, the bank I’m with will be requiring an app download to be able to use two-factor or biometrics. This requires the need for a smartphone, which not everyone has, as I have come across quite recently. I have consulted with them and suggested that they develop an app for PCs for those who don’t use or are unable to afford smartphones.