U.S. providers should be “on alert” for an increase in payments fraud, experts warn. The European Union’s (EU’s) new Payment Services Directive (PSD2) raises the bar for security and may cause cybercriminals to focus on targets in this country.
The revised Payment Services Directive (PSD2) is scheduled to go into effect in September 2019*, requiring payment service providers (PSPs) operating in Europe to implement stronger customer authentication and third-party access to bank accounts, or run the risk of stiff fines and having their payment-provider license revoked.
New research by TransUnion’s fraud prevention company, iovation, suggests that the PSD2 and privacy laws like the General Data Protection Regulation (GDPR) might put U.S. consumers in the cross hairs.
In a new report, “PSD2: Advent of the new payments market in Europe,” researchers consider the consequences for the global online payments market when compliance with the PSD2 becomes mandatory later this year. Their conclusion? There is historical precedent showing that “fraudsters tend to move to the easiest target,” which means the United States, with its lack of these stronger consumer protections against fraud, will now be in criminals’ sights, said Mark Weston, iovation compliance manager.
“We saw the same thing happen with the adoption of EMV chips,” he told Security Ledger, referring to microprocessors implemented on cards to protect user data. “When Europe implemented EMV chips you saw an uptick in fraud in the U.S., and then when the U.S. adopted EMV chips you saw fraud move from point of sale (POS) to card not present (CNP) fraud.”
EU leading the way
Indeed, the U.S. has consistently lagged behind Europe in implementing new consumer protections, Weston said. The same is true of the latest requirements protecting online data (GDPR) and consumer payments (PSD2), although U.S. companies end up complying de facto when they do business with companies in Europe, he said.
“I think as U.S. (payment providers) operating in the EU have to comply with SCA (strong customer authentication) requirements, you’ll see wider mandatory adoption by businesses,” Weston said.
Indeed, researchers expect PSD2 will change the rules of the game for the global payment industry just as GDPR is changing how companies handle consumer online data and privacy.
Years in the making, the GDPR, which went into effect last May in Europe, is aimed at protecting citizens’ data privacy and enforcing corporate accountability for that privacy in an unprecedented way by imposing heavy fines on companies that don’t inform people of serious data breaches very soon after they happen.
In a similar spirit, PSD2 brings about two major changes to the payment industry to help protect consumer payments against fraudulent activity such as card-not-present fraud; account takeover, payment manipulation and unauthorized payment transactions; and loss, theft or misappropriation of payment credentials, Weston said.
First, it mandates that banks have to provide open APIs to third party providers. Second, it strengthens security requirements for payment services in the form of strong customer authentication.
Despite their best intentions, EU payment providers will have an uphill battle to meet PSD2 requirements, as both are “large tasks” that will require companies to reconsider their customer strategies, Weston said. But for those that succeed, the payoff will be evident for the company and its customers alike, he said.
“The winners post PSD2 are going to be those that consider the entire buyer’s journey to bring down their overall fraud rate, maximize their exemptions based on reference fraud rate, and minimize friction for those transactions that are subject to SCA,” Weston said.
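To make the strong customer authentication (SCA) requirement and the exemption trade-off Weston describes concrete, here is an added example (not code from the original article, iovation, or any PSP) of the decision a payment provider must make per transaction: either the customer has presented two independent authentication factors, or the transaction qualifies for an exemption, or it must be challenged with a step-up. The factor categories (knowledge, possession, inherence) are the ones SCA is built on; the low-value limit and the transaction-risk-analysis (TRA) bands that tie an exemption ceiling to the provider's reference fraud rate are illustrative constants that follow the commonly cited PSD2 RTS figures but should be treated as assumptions and checked against the regulation before use. The cumulative-count and cumulative-amount caps on the low-value exemption are deliberately omitted to keep the example short.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories. Two factors must come from DIFFERENT
    categories; two passwords, for example, do not satisfy SCA."""
    KNOWLEDGE = "knowledge"    # something the customer knows (password, PIN)
    POSSESSION = "possession"  # something the customer has (registered device, card)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face)


@dataclass
class Transaction:
    amount_eur: float
    factors_presented: set = field(default_factory=set)  # set of Factor


# Illustrative constants (assumptions, not taken from the article):
# low-value exemption ceiling, and TRA bands as (amount ceiling, max reference fraud rate).
LOW_VALUE_LIMIT_EUR = 30.0
TRA_BANDS = [
    (100.0, 0.0013),  # up to EUR 100 if the PSP's fraud rate is <= 0.13 %
    (250.0, 0.0006),  # up to EUR 250 if <= 0.06 %
    (500.0, 0.0001),  # up to EUR 500 if <= 0.01 %
]


def sca_satisfied(factors: set) -> bool:
    """SCA holds only when at least two distinct factor categories were presented."""
    return len({Factor(f) for f in factors}) >= 2


def tra_exempt(amount_eur: float, psp_fraud_rate: float) -> bool:
    """Transaction-risk-analysis exemption: the lowest band that covers the amount
    sets the fraud-rate ceiling the PSP must stay under. A lower fraud rate buys
    a higher exemption ceiling, which is the 'maximize exemptions' lever."""
    for ceiling, max_rate in TRA_BANDS:
        if amount_eur <= ceiling:
            return psp_fraud_rate <= max_rate
    return False  # above the top band: never exempt, SCA is always required


def decide(tx: Transaction, psp_fraud_rate: float) -> str:
    """Return the outcome for one transaction.

    AUTHENTICATED    - customer already passed SCA, proceed without friction
    EXEMPT_LOW_VALUE - below the low-value ceiling, no SCA needed
    EXEMPT_TRA       - covered by the PSP's fraud-rate band, no SCA needed
    CHALLENGE        - subject to SCA and not yet satisfied: step up (e.g. OTP + PIN)
    """
    if sca_satisfied(tx.factors_presented):
        return "AUTHENTICATED"
    if tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return "EXEMPT_LOW_VALUE"
    if tra_exempt(tx.amount_eur, psp_fraud_rate):
        return "EXEMPT_TRA"
    return "CHALLENGE"


if __name__ == "__main__":
    # Constructed sample transactions for a PSP with a 0.05 % reference fraud rate.
    psp_rate = 0.0005
    samples = [
        Transaction(20.0),                                        # low value
        Transaction(200.0),                                       # inside the EUR 250 band
        Transaction(400.0),                                       # needs <= 0.01 %, PSP is higher
        Transaction(400.0, {Factor.KNOWLEDGE, Factor.POSSESSION}),  # SCA done
        Transaction(400.0, {Factor.KNOWLEDGE, Factor.KNOWLEDGE}),   # one category only
    ]
    for tx in samples:
        print(f"EUR {tx.amount_eur:>7.2f} -> {decide(tx, psp_rate)}")
```

The ordering matters for friction: an authenticated session is never re-challenged, exemptions are only consulted when SCA has not already been satisfied, and anything above the top TRA band always requires SCA regardless of how low the provider's fraud rate is. Because a higher reference fraud rate shrinks the exempt amount range, the same code shows why bringing the overall fraud rate down is what unlocks the exemptions Weston mentions.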
U.S. Providers ‘on alert’
Even though the EU may have a tough time implementing widespread consumer payment protections immediately after the PSD2 goes into effect, the United States still should consider tougher protections for online payments, researchers said.
At the very least, U.S. companies doing business in the EU need to be aware of the new payment requirements, just as U.S. companies operating in Europe had to comply with the GDPR, or face the consequences.
“Now any PSP providing payment services in the EU will be required to have a payment license and must comply with the directive,” Weston said.
U.S. payment providers should be on higher alert to detect such activity, researchers said. U.S. policy makers also might consider implementing tougher privacy protections for consumers doing business and sharing data online, something Weston said they are gradually coming around to.
Correction: an earlier version of this story misstated the year in which the revised Payment Services Directive (PSD2) will go into effect. The story has been corrected. – PFR March 14, 2019