Is compliance to PSD2’s SCA a bridge too far for B2B merchants?
January 2021 by Pat Bermingham, CEO, Adflex
According to the European Central Bank, 79% of all card fraud in 2018 occurred online from Card Not Present (CNP) transactions. In cash terms, this equates to €1.43bn in fraud losses and represents a whopping 17% increase on the previous year.
Against this backdrop you’d be forgiven for thinking that, for merchants, PSD2’s Secure Customer Authentication (SCA) couldn’t come soon enough. In reality, however, the European Economic Area’s 30th December deadline has had Europe’s suppliers in a tailspin, and many remain so even though the cut-off has passed. In the UK, the extended deadline of 31st September 2021 still feels ambitious, particularly now, as merchant productivity is strained under the pressure of lockdown and remote working.
SCA for B2B payments
None are feeling the pinch more than B2B merchants. Unlike B2C e-commerce firms, those in the supply chain routinely support multiple legacy transaction systems (POs and invoice systems, 30-day payment terms, BACS transfers, postal cheques) as well as card payments, making SCA just one of a whole host of payment-related challenges to contend with throughout the Covid-19 storm.
The complexity of B2B payments throws more fuel on the fire. Supplier and buyer contracts commonly specify nuanced and flexible payment programmes linked to stock availability, throughput and forecasted demand for goods. How should these order and payment models, many of which are settled with corporate purchasing cards, be catered for under SCA? Manufacturers, for example, can take card payment details from a buyer at the point they place an order, so they can secure - but not yet take - their payment. But when that order takes weeks to fulfil, when should the SCA procedures take place? At the start? Or when the order is shipped? What about when a buyer’s corporate card details are taken over the phone, via post or email, and then entered by the supplier into their own web-hosted payment system?
SCA: B2B exemptions and exceptions
The PSD2 Regulatory Technical Standards (RTS) do specify SCA ‘exemptions’. One example is when a supplier accepts a corporate card payment via a ‘secure environment’, such as when the buyer logs in to a merchant’s trade portal. Problems arise here, however, since the RTS puts the onus on the issuer to specify what constitutes ‘secure’. And since merchants are routinely forced by customers to accept payments from a variety of issuers and networks, they then need to navigate through all the nuances that occur between these issuers before they can call themselves compliant.
Then there are ‘exceptions’. Here, merchants can evidence to their acquiring bank (which is overseen by the local Competent Authority) that they are performing Merchant Initiated Transactions (MIT) and/or adequate Transaction Risk Analysis (TRA). Satisfy these requirements and the merchant can be granted an exception. Again, however, these processes are hamstrung by complexity. An MIT payment can only be made if it is based on a prior agreement with a customer before it is initiated. Can that be a verbal agreement given over the phone? Does it need to be in writing? In a contract, even? How many local builders’ merchants, for example, liaise with their trade customers in writing, let alone hold contracts?
Getting clarity on B2B SCA changes
For many B2B firms, this is the root of the problem: clearly understanding what changes need to be made to their payments acceptance process and in what circumstances they should be applied. Then comes the job of upgrading their systems. Corporate card programmes from different schemes and issuers have varying parameters for implementation, making an across-the-board change in response to regulation impossible. Instead, it spirals into complexity and becomes a costly drain on resources. Increasingly, these upgrades need specialist experience which, frankly, no modestly resourced supply chain business should reasonably expect to develop in-house, let alone in the middle of what must be one of the worst-hit trading years on record.
B2B merchants urgently need to think differently about how they manage their payments. The current furore is actually a big opportunity. If merchants can nail SCA now and start utilising the new generation of compliant card payment facilities like 3D-Secure, tokenized Card on File or even EMV® Secure Remote Commerce / Click-to-Pay, all of which enhance both security and buyer confidence, they can use this storm to position themselves favourably in the market and increase business.
The case for offloading these challenges to a specialist B2B payments platform provider has never been stronger. Not only will such a partner take the SCA compliance pressure off now, it will continue to do so for every regulatory or systems upgrade required in the future, whether that’s coming from a card scheme, a regulator or, indeed, a new customer.