How the PSD2 Impacts Fraud in the U.S.

When it comes to security in the world of electronic payments, Europe has been ahead of the United States in many ways for several years. The revised Payment Services Directive (PSD2), which sets stricter requirements for authenticating online payments, is another example of their innovation, at least regulatory-wise. While these mandates do not impact American banks, service providers and merchants from a legal standpoint, it is definitely causing a steady rise in fraud in the U.S.

In Europe, bank card and payments providers are required to meet the new authentication standards by December 31, 2020.

The PSD2 is important because it makes online payments safer through the use of multi-factor authentication. We'll get into more detail on this in a minute, but basically it means that multiple credentials are used to verify the user's identity.

While physical card transactions already use Strong Customer Authentication (SCA), such as with the use of chip cards and PINs, the opposite is true for e-Commerce transactions, and even more so, for contactless technology.

As the COVID-19 pandemic continues to place a strain on small businesses across the U.S., and PSD2 compliance ramps up across the ocean, online fraudsters have begun to migrate to places without such strict requirements. Needless to say, the United States has become a fertile hunting ground as fraudsters target the weakest link.

Let's break this down for a moment with some sobering statistics from 2018.

The worst part of all of this? How about the simple fact we have been through it all before.

The U.S. was incredibly slow to adopt EMV technology, and criminals quickly shifted their focus to our merchants as Europe became a more secure environment. Delayed adoption to EMV led to higher counterfeit fraud rates for card-present transactions in the U.S. Yet, unsurprisingly, as Visa reported in the infographic below, those rates plummeted once merchants upgraded to EMV-enabled devices.

Here we are again in 2020. As COVID moves more volume online and the popularity of contactless payments grows, fraudsters will find it harder to get away with online theft as they have to contend with more robust authentication standards. Card issuers and payment providers in Europe, as well as a few other nations, will be required to use SCA to authenticate online payments using at least two of the following three methods.

All of this seems perfectly logical from a security standpoint, but let's think back to the EMV adoption conversation. In September 2019, Visa reported that 80% of storefronts now accept chip cards. While this might sound like a high number, keep in mind that the EMV liability shift occurred in October 2015. It's taken the U.S. a long time to get to this point.

While it seems that business owners are concerned about fraud, reducing customer friction often takes precedence. This is because a declined transaction can lead to lost sales and, worse, customer attrition. While providing a seamless checkout experience is certainly important, so is making sure business owners are protected from the full effects of a data breach and card fraud.

Another interesting point to note is that while the credit card issuer is more likely to be liable for card-present transactions, the merchant has a much bigger chance of getting stuck with the cost for transactions that take place without a physical card. This includes using older swipe payment terminals without EMV readers, as well as all card-not-present transactions. In other words, online and contactless payments.

All of this adds up to accepting the challenge of providing a seamless customer experience while keeping fraud rates low. I predict that the U.S. won't be able to stay out of this fight for long. It's only a matter of time before banks, merchants and payment providers across the U.S. will need to turn to stronger authentication methods, such as biometrics and machine learning.

The research firm Gartner predicts that by the end of 2020, 90% of large enterprises and 60% of mid-sized companies will employ the rich analytics and adaptive authentication techniques needed to effectively fight fraud. Anyone who hasn't turned their attention to this by the end of 2021 will simply lose market share.

All of this is well and good, but what does this really mean to the players in the payments value chain? Simply put, it means that payments providers cannot afford to ignore the need to innovate PSD2 enhancements and wait for directives. The same is true for merchants, who should ideally become early adopters of this technology. It also means that education will be a key component as we seek to protect our neighbors and customers as we transition even further into this digital world.

If you have questions about the best way to protect your business from fraud, please don't hesitate to reach out. Our team would be more than happy to discuss the trends in fraud protection, and how Clearent's layered security approach can help protect your business and your customers.  

This information does not, and is not intended to, constitute legal advice and is provided for informational purposes only. Contact your attorney to obtain advice with respect to any particular legal matter.