Online payment fraud is on the rise: global ecommerce fraud losses grew from $17.5 billion in 2020 to $48 billion in 2023, boosted by the opportunities created by the growth in online shopping during the pandemic.
In 2022 alone, US ecommerce merchants reported an average of 1,200 attacks per month, a 50% increase on the previous year. Although few of these fraud attacks were successful, the figure should serve as a warning to US businesses to be vigilant against the ever-present threat of cybercrime.
Luckily, you’re not in the fight alone. Regulations in the global payment industry, such as the EU’s PSD2, are helping to bolster the security of online transactions for merchants and their customers through Strong Customer Authentication (SCA) and other measures.
What does an EU directive have to do with US businesses? If you do business, or have a presence, in the EU or the European Economic Area (EEA), then PSD2 and its SCA requirements apply to you. There are also concerns that PSD2 is pushing fraud towards the US as criminals shift their focus to a less regulated market.
With that in mind, here’s everything you need to know about how PSD2 impacts US businesses, how you can comply with the regulations, and how they’re likely to be updated in the near future.
What is PSD2?
The second Payment Services Directive (PSD2, Directive (EU) 2015/2366) replaced the EU’s original 2007 directive (PSD1). It applied from January 2018, and its Strong Customer Authentication requirements applied from 14 September 2019, with enforcement for ecommerce card payments deferred in most member states until the end of 2020.
PSD2 expands on its predecessor by creating a safer and more secure online payments environment for businesses and consumers, and improving customer rights. It also aims to challenge monopolies in the banking industry by creating a more level playing field for third-party service providers.
The main aspects of PSD2 are:
- Strong Customer Authentication (SCA) - under the legislation, payment service providers must authenticate the payer with at least two independent factors from different categories: something the customer knows (a PIN or password), something they possess (a phone or card, often proven with a One Time Password) and something they are (a biometric). Two factors from the same category, such as a password plus a security question, do not qualify. Businesses should also be aware that there are some exemptions to SCA
- Customer rights - PSD2 improves customer rights in a number of ways. It mandates businesses to be more transparent about terms and conditions and currency conversion rates, to resolve complaints and disputes in a timely manner, to make funds available to customers as soon as possible, and prohibits them from applying surcharges to certain transactions
- Open API third-party access - under PSD2, banks must let licensed third-party providers access a customer’s payment account data, or initiate payments from it, with the customer’s explicit consent, allowing for easier and more convenient payments
Does PSD2 apply to US businesses?
As far as American businesses are concerned, the SCA mandate applies to merchants doing business in the EEA. Strictly, SCA is required only where both the cardholder’s issuer and the merchant’s acquirer are in the EEA; a transaction with one leg outside the EEA is subject to SCA on a best-effort basis only, but EEA issuers may still step up or decline it. For now, SCA is relevant to US merchants that meet the following criteria:
US entity only but receiving EU traffic and customers
If a good portion of your traffic comes from Europe, consider setting up an EU entity. Domestic processing with a provider like Checkout.com minimizes cross-border costs and ensures SCA compliance in Europe, saving costs and boosting authorization rates.
US businesses looking to expand into the EU
Thinking about expanding into the European market? Businesses will need to comply with PSD2 regulations and SCA. This requires a different user flow from the US one, so it is critical to put transition plans in place and find the right partners for design and user-flow testing.
US headquartered but have entity(ies) in the EU
In this scenario, a company’s European entities must be SCA compliant. If transactions are not SCA-ready, issuers will decline them and authorization rates will fall; such businesses may already be seeing declines from issuers. For enterprise merchants, dedicated payment teams should be working with a provider that is fully compliant.
What is the impact of PSD2 on the US market?
As well as mandating US businesses to comply with SCA if they meet the above criteria, PSD2 is having a knock on effect in the US market in a number of other ways, including:
- Increased fraud - deterred by PSD2’s more stringent security measures, cybercriminals may turn their attention to softer targets in the US. For example, card testing (running small authorizations against a merchant to find out which stolen card numbers are still live) has become far harder in the EU because each attempt can trigger SCA, so fraudsters are expected to ramp up such activity in the US market
- 3DS2 - 3-D Secure 2 (3DS2), EMVCo’s updated version of the card authentication protocol, is the usual way to meet SCA for card payments. It is not currently mandated in the US, but it is set to become a standard security measure globally, and merchants should prepare to support it
- EU entities and customers - US businesses with EU entities or customers need to account for how PSD2 can affect their operations to guard against the possibility of declined or unauthorized payments that could have implications for revenue.
The history of 3DS adoption in the US
While 3-D Secure (3DS1) has existed in the US since 2001, adoption rates were exceptionally low for several reasons. Its redirect-based flow was not user-friendly, and it predated both the proliferation of mobile usage and the growth of ecommerce, making it a poor fit for today’s consumers. For context, 3DS1 was developed before the first iPhone launched in 2007; by 2017, only 18% of US-based transactions used 3DS.
One major attraction of 3DS2, as with 3DS1, is the liability shift: chargebacks for fraudulent transactions that were authenticated move from the merchant to the card issuer. Each card scheme has its own rules, and the shift depends on the authentication outcome, so check with your acquiring bank on where and how liability shifts will be applied.
What happens if merchants are not prepared to meet the regulations?
Now that PSD2 is in effect, any US business operating in, or accepting payment from, EU and EEA customers (or that plans to do so) must be prepared to meet SCA requirements.
Failure to do so will seriously impact your authorization rates: issuing banks will decline in-scope transactions that arrive without SCA, typically as a “soft decline” indicating that authentication is required, and the payment only goes through once it is re-submitted with 3DS2 authentication. Ultimately, a drop in authorizations means a drop in revenue.
Businesses should also ensure their payment flows are suitable for customers in all PSD2-mandated countries. That means implementing a smooth checkout experience that routes customers to the necessary authentication procedures while reducing the risk of an abandoned purchase or a declined payment.
What is PSD3 and will it replace PSD2?
In May 2022, the EU Commission began consulting on how it could revise PSD2 in response to the rapid pace of change in the banking industry since its implementation, especially in light of the pandemic’s impact on the growth of digital payments.
PSD2 has proven to be effective in achieving its ambitions: SCA has successfully reduced fraud on card transactions and a more open payments ecosystem has seen increased collaboration between institutions and a growth in third-party providers.
As a result, the proposed PSD3 will not aim to completely revolutionize its predecessor, but to evolve it. Likely measures include an increased focus on security, consumer rights, and ways to improve the value of products and services in the payments industry.
In practice this could mean:
- Improving fraud prevention by enabling the sharing of fraud-related data between banks and developing measures to tackle the growth in new types of fraud since PSD2
- Better implementation and enforcement of PSD2 across Europe, including making rules directly applicable in all member states rather than leaving states to interpret the rules in their own laws. More consistent application of rules should make it easier for fintechs to expand across the EU
- The e-money directive could also be merged into the revised framework in order to provide a more coherent set of rules for e-money and other innovations, while e-money and payment institutions could be granted direct access to payment systems. Rather than having to rely on banks as gateways, this would make it easier for non-bank PSPs to build innovative new solutions on banking payment rails
- Making it easier for new players to apply for a bank account by reducing ‘de-risking’ - the phenomenon of banks avoiding relationships with particular clients or categories of clients deemed risky
- Increased scrutiny and supervision over Account Information Services (AISs) and Payment Initiation Services (PISs), types of third-party providers that are crucial to Open Banking and more consumer-focused finance solutions. Currently, there are technical obstacles that are limiting the growth and adoption of such services. The Commission is also working on a separate but related ‘open finance’ framework that will give consumers the ability to share financial products data beyond just payment accounts, which could also help to supercharge the growth of new fintechs.
When will PSD3 come into effect?
The Commission is set to bring forward its initial proposal for PSD3 legislation in June 2023, after which it will be scrutinized by various EU institutions. However, the next European Parliament elections - which will lead to the appointment of a new head of the Commission and team of commissioners - are in May 2024, meaning the legislative process for PSD3 is likely to spill into the next commission’s term.
On that timeline, it’s unlikely that PSD3 will take effect before 2026, and possibly later, depending on the implementation period set in the final legislation.
How should merchants in the US prepare?
Affected US businesses should follow these steps to comply with PSD2:
Ensure SCA compliance
US businesses should take full advantage of whatever lead time they have, whether before expanding into the EU or before PSD3 tightens the rules, with research and implementation plans. One major item is to ensure that your payment service provider is SCA-compliant and already has proper 3DS2 tools in place.
Audit your EU operations
If you have EU entities or take payments from EU customers, you must audit your EU operations to ensure they’re compliant with PSD2 mandates. This means supporting strong customer authentication (two independent factors, typically via 3DS2) on in-scope transactions and ensuring your complaint response processes are in line with PSD2 requirements - i.e. resolving disputes in a timely manner.
Enhance your security
Finally, you should ensure your US operations are prepared to handle the increased risk of fraud displaced by PSD2 by implementing a robust fraud detection and prevention solution. You should also ensure you’re PCI DSS compliant, which requires you to maintain rigorous security controls in order to protect cardholder data.
Become compliant with Checkout.com
Checkout.com’s 3DS2 hosted solution complies with these regulations and is designed for easy setup for both US-based businesses and their European operations.
Merchants can also take advantage of Checkout.com’s Sandbox environment which offers a sophisticated platform simulation to test any 3DS2 authentication and related payment scenarios.
By understanding the requirements early, merchants will also be better prepared to apply and identify as many SCA exemptions as possible like low-value, low-risk, and trusted beneficiaries. By applying exemptions, businesses will benefit with higher approval rates and can preserve the user experience by reducing unnecessary stoppage points.
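The exemption types listed above, together with the SCA scope rule and the step-up that follows an issuer soft decline, as one worked routing decision. This is an added example, not Checkout.com’s code or API: the amount thresholds are those of the PSD2 Regulatory Technical Standards on SCA (Commission Delegated Regulation (EU) 2018/389, Articles 13, 16 and 18) rather than anything stated on this page, and every transaction, card-history counter and fraud rate in it is constructed. Which exemptions your acquirer lets you request, and how the issuer’s soft decline is signalled in its response, depend on your provider.

```python
"""SCA routing for a card payment: out of scope, exemption request, or 3DS2
challenge, plus handling of the issuer's soft decline.

Added example, not Checkout.com's code. Thresholds are those of the PSD2 RTS
on SCA (Commission Delegated Regulation (EU) 2018/389, Articles 13, 16, 18).
Every transaction, history value and fraud rate below is constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# EU member states plus Iceland, Liechtenstein and Norway
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

LOW_VALUE_MAX_EUR = 30.0          # Art. 16(a): single transaction ceiling
LOW_VALUE_CUMULATIVE_EUR = 100.0  # Art. 16(b): cumulative amount since last SCA
LOW_VALUE_MAX_COUNT = 5           # Art. 16(c): consecutive transactions since last SCA
# Art. 18: (acquirer reference fraud rate, amount ceiling for a TRA exemption)
TRA_THRESHOLDS = ((0.0001, 500.0), (0.0006, 250.0), (0.0013, 100.0))


class Action(Enum):
    OUT_OF_SCOPE = "out_of_scope"            # one-leg-out or merchant-initiated
    REQUEST_EXEMPTION = "request_exemption"  # authorize with an exemption flag
    CHALLENGE = "challenge"                  # send the cardholder through 3DS2


class IssuerResult(Enum):
    APPROVED = "approved"
    SOFT_DECLINE = "soft_decline"  # issuer insists on SCA for this payment
    DECLINED = "declined"          # hard decline, do not retry


@dataclass
class Transaction:
    amount_eur: float
    issuer_country: str
    acquirer_country: str
    merchant_initiated: bool = False   # MIT under a mandate that was authenticated at setup
    trusted_beneficiary: bool = False  # payee whitelisted by the customer at the issuer (Art. 13)


@dataclass
class CardHistory:
    """Merchant-side view of activity since the last SCA on this card.
    The issuer keeps the authoritative counters, so this is only an estimate."""
    count_since_sca: int = 0
    amount_since_sca_eur: float = 0.0


def tra_ceiling(acquirer_fraud_rate: float) -> float:
    """Largest amount a TRA exemption may be requested for at this fraud rate."""
    for max_rate, ceiling in TRA_THRESHOLDS:
        if acquirer_fraud_rate <= max_rate:
            return ceiling
    return 0.0  # fraud rate too high: no TRA exemption at any amount


def decide(tx: Transaction, history: CardHistory,
           acquirer_fraud_rate: float, low_risk: bool) -> tuple[Action, Optional[str]]:
    """Return the routing action and, for an exemption, which one to request."""
    # SCA is mandated only when both the issuer and the acquirer are in the EEA.
    if tx.issuer_country not in EEA or tx.acquirer_country not in EEA:
        return Action.OUT_OF_SCOPE, None
    if tx.merchant_initiated:
        return Action.OUT_OF_SCOPE, None
    if tx.trusted_beneficiary:
        return Action.REQUEST_EXEMPTION, "trusted_beneficiary"
    # Conservative reading of Art. 16: stay inside both the count and the
    # cumulative-amount limit so the issuer's own counters are unlikely to disagree.
    if (tx.amount_eur <= LOW_VALUE_MAX_EUR
            and history.count_since_sca < LOW_VALUE_MAX_COUNT
            and history.amount_since_sca_eur + tx.amount_eur <= LOW_VALUE_CUMULATIVE_EUR):
        return Action.REQUEST_EXEMPTION, "low_value"
    if low_risk and tx.amount_eur <= tra_ceiling(acquirer_fraud_rate):
        return Action.REQUEST_EXEMPTION, "transaction_risk_analysis"
    return Action.CHALLENGE, None


def next_step(action: Action, result: IssuerResult) -> Action:
    """A soft decline on an exemption request means: re-submit through 3DS2,
    never just retry the same unauthenticated authorization."""
    if result is IssuerResult.SOFT_DECLINE and action is Action.REQUEST_EXEMPTION:
        return Action.CHALLENGE
    return action


def record_outcome(history: CardHistory, tx: Transaction, authenticated: bool) -> CardHistory:
    """Reset the running counters after a successful SCA, otherwise accumulate."""
    if authenticated:
        return CardHistory()
    return CardHistory(history.count_since_sca + 1,
                       history.amount_since_sca_eur + tx.amount_eur)


if __name__ == "__main__":
    # Constructed: German-issued card at a French-acquired merchant, fourth small payment
    tx = Transaction(amount_eur=25.0, issuer_country="DE", acquirer_country="FR")
    hist = CardHistory(count_since_sca=3, amount_since_sca_eur=60.0)
    action, exemption = decide(tx, hist, acquirer_fraud_rate=0.0005, low_risk=True)
    print(action, exemption)                              # low-value exemption request
    print(next_step(action, IssuerResult.SOFT_DECLINE))   # issuer said no: step up to a challenge
```

The merchant never grants an exemption; it requests one and the issuer decides, and the issuer’s own low-value counters, not the merchant’s, are what count. That is why the low-value rule above is deliberately conservative, why the TRA branch depends on the acquirer’s published reference fraud rate rather than the merchant’s own, and why a soft decline must be answered with an authenticated re-submission rather than a plain retry.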
Checkout.com’s Unified Payments API tool also gives merchants a way to future-proof their payment infrastructure by facilitating the addition of more alternative payment methods to their checkout – without any additional development or integration work. With SCA-compliance already built into the API, merchants will automatically be ready once the regulation is fully enforced.
As an added bonus, using Checkout.com’s API will help minimize integration work down the road as SCA mandates roll out into other regions including Asia and Latin America next year, saving merchants additional resources and time if they operate or are planning to open entities in those regions.
To get set up with Checkout.com’s Unified Payments API or to learn more about our 3DS2 hosted solution get in touch with our sales team today.