BankThink

PSD2's authentication may be a bridge too far for merchants

Against a backdrop of high fraud, you’d be forgiven for thinking that, for merchants, PSD2’s Secure Customer Authentication (SCA) couldn’t come soon enough. In reality, however, the European Economic Area’s Dec. 30, 2020 deadline has had Europe’s suppliers in a tailspin, and many remain so even though the cut-off has passed. In the U.K., the extended deadline of September 30, 2021 still feels ambitious, particularly now, as merchant productivity is strained under the pressure of lockdown and remote working.

Fraud is high. According to the European Central Bank, 79% of all card fraud in 2018 occurred online from Card Not Present (CNP) transactions. In cash terms, this equates to $1.9 billion in fraud losses and represents a whopping 17% increase on the previous year.

None are feeling the pinch of SCA compliance more than B2B merchants. Unlike B2C e-commerce firms, those in the supply chain routinely support multiple legacy transaction systems (POs and invoice systems, 30-day payment terms, BACS transfers, postal checks) as well as card payments, making SCA just one of a whole host of payment-related challenges to contend with throughout the Covid-19 storm.

The complexity of B2B payments throws more fuel on the fire. Supplier and buyer contracts commonly specify nuanced and flexible payment programs linked to stock availability, throughput and forecasted demand for goods. How should these order and payment models, many of which are settled with corporate purchasing cards, be considered under SCA? Manufacturers, for example, can take card payment details from a buyer at the point they place an order, so they can secure, but not yet take, their payment.

But when that order takes weeks to fulfill, when should the SCA procedures take place? At the start? Or when the order is shipped? What about when a buyer’s corporate card details are taken over the phone, via post or email, and then entered by the supplier into their own web-hosted payment system?

The PSD2 Regulatory Technical Standards (RTS) do specify certain SCA "exemptions." One example is when a supplier accepts a corporate card payment via a "secure environment," such as a buyer logging in to a merchant’s trade portal. Problems arise here, however, since the RTS puts the onus on the issuer to specify what constitutes "secure." And since merchants are routinely forced by customers to accept payments from a variety of issuers and networks, they then need to navigate through all the nuances that occur between these issuers before they can call themselves compliant.

Then there are other exceptions. Here, merchants can prove to their acquiring bank (which is overseen by the local Competent Authority) that they are performing Merchant Initiated Transactions (MIT) and/or adequate Transaction Risk Analysis (TRA). Satisfy these requirements and the merchant can be granted an exception. Again, however, these processes are hamstrung by complexity. An MIT payment can only be made if it is based on a prior agreement with a customer before it is initiated. Can that be a verbal agreement given over the phone? Does it need to be in writing? In a contract, even? How many local builders' merchants, for example, connect with their trade customers in writing, let alone hold contracts?

For many B2B firms, this is the root of the problem: clearly understanding what changes need to be made to their payments acceptance process and in what circumstances they should be applied. Then comes the job of upgrading their systems. Corporate card programs from different schemes and issuers have varying parameters for implementation, making an across-the-board change in response to regulation impossible. Instead, it spirals into complexity and becomes a costly drain on resources. Increasingly, these upgrades need specialist experience which, frankly, no modestly resourced supply chain business should reasonably expect to develop internally, let alone in the middle of what must be one of the worst-hit trading years on record.

B2B merchants urgently need to think differently about how they manage their payments.

The current furor is actually a big opportunity. If merchants can nail SCA now and start utilizing the new generation of compliant card payment facilities like 3-D Secure, tokenized card on file or even EMV Secure Remote Commerce / Click-to-Pay, all of which enhance both security and buyer confidence, they can use this storm to position themselves favorably in the market and increase business.
