How does Europe’s PSD differ from the work being done in Australia to reduce CNP fraud?

By Lucy Anderson and Mel Gauci, AusPayNet - 20 June 2019

When commenting on upcoming EU-wide security regulations, Patrick Collison, Chief Executive of Stripe, said that, for those who aren't prepared, Europe’s Second Payment Services Directive (PSD2) is "going to have a huge negative effect on [online payment] conversion rates"[1].

While Europe has been implementing PSD2, AusPayNet has been working with the Australian e-commerce industry over the last 18 months to design a framework to reduce card-not-present (CNP) fraud. The consultation process has involved the entire payments ecosystem, including merchants and merchant advocacy groups, payment gateways, acquirers, card schemes, issuers, payment service providers, consumer advocacy groups and regulators.

So, what is PSD2 and how does it compare to the work we have been doing as an industry in Australia?

PSD applies to all remote payments and was passed by the EU in 2007, with the European Parliament passing the revised directive (PSD2) in October 2015. The scope of PSD is broader than payment fraud and strong customer authentication (SCA), and was neatly summarised by the UK’s Starling Bank as "the harmonisation of the payments landscape to level the playing field between countries and between payments providers, with the end goal of increasing competitiveness and thereby giving the consumer better value."[2]

Barclays describes PSD2 as building on the previous legislation in three key areas:[3]

  1. Increased consumer rights in areas including complaints handling, new rules on surcharging and currency conversion;
  2. Enablement of third-party access to account information, providing a framework for new payment and account services (this is addressed in Australia under Consumer Data Right); and,
  3. Enhanced security through SCA criteria.

Enhancing security through SCA requirements

The SCA mandate under PSD2 comes into effect in September 2019 and is, therefore, a particularly topical issue for EU payments participants. In May 2019, the European Payment Institutions Federation (EPIF) held a workshop in Brussels to discuss PSD2’s SCA requirements. Six key recommendations were agreed at this workshop and jointly supported by Ecommerce Europe, EuroCommerce, Visa and EPIF:[4]

  1. A phased implementation
  2. Consider the consumer journey and ensure this remains as smooth as possible
  3. SCA needs to be communicated and implemented in a harmonised way
  4. Consistent application of the exemption regime across the EU
  5. The SCA rules need to be delivered with an effective communication strategy
  6. Regulators and industry should assess and monitor the readiness of the infrastructure to comply with SCA

Most of these recommendations have been incorporated into AusPayNet’s CNP Fraud Mitigation Framework as a result of consultation and collaboration with the e-commerce industry. The Framework parallels PSD2 in that both endorse SCA as best practice to authenticate transactions; however, there are key differences:

  • While PSD2 mandates SCA for all transactions and considers certain exceptions, the Framework only requires SCA for those merchants and issuers whose fraud rate is consistently in breach of agreed thresholds.
  • The Framework’s thresholds were set collaboratively to ensure a targeted approach to minimising fraud while also minimising the impact on smaller merchants: SCA is only required for merchants operating above fraud thresholds of AUD $50,000 in fraud losses and a fraud-to-sales ratio of 0.2% for two consecutive quarters.

By combining this approach with a comprehensive communications strategy and phased lead times for implementation, the Framework gives the wider payments community a clear runway to readiness for reducing fraud.

In discussing the Framework last week, Matt Neale, Chief Technology Officer at eStar, concluded: "The Framework is genuinely very good. It’s a pragmatic step, allowing the use of existing technologies and techniques in a completely vendor-agnostic manner, whilst leaving plenty of room for innovation and new technologies to emerge and fit within it."

AusPayNet is continuing to work with the e-commerce industry for implementation on 1 July 2019. For more information on our Framework, please see the summary or contact us.

[1] Tim Bradshaw, "Ecommerce group sounds alarm over EU security rules", Financial Times, June 4 2019

[2] https://www.starlingbank.com/blog/explaining-psd2-without-tlas-tough/

[3] https://www.barclaycard.co.uk/business/news-and-insights/what-is-psd2

[4] https://paymentinstitutions.eu/pressroom/epif-workshop-on-sca-implementation/