What is the Right Response to the Extended PSD2 Deadline?

14 September 2019 should have been the deadline for merchants across Europe to introduce the Strong Customer Authentication (SCA) requirement of the Second Payment Services Directive (PSD2).

Instead, retailers in the UK have been granted an 18-month extension for SCA compliance, delaying implementation to March 2021.

Just because the regulation has been delayed doesn’t mean cyber-criminals will be so obliging. These criminals will instead take advantage of a continued lack of government-enforced protection from online fraud over the next 18 months. Added to this is the confusion surrounding the disparate implementation of PSD2 across Europe.

A confusing 18 months ahead 
The failure of retailers to fully prepare for PSD2’s SCA requirements leaves them vulnerable to the types of basic payment fraud attacks that can be easily averted.

A further concern for multi-national retailers should be that SCA will be coming into effect across the EU in stages rather than in one go. This means retailers will need to be compliant with different regulations in different countries at different times. 

The geographic variation is about more than just compliance. Whether or not the regulation is in place will determine the type of fraud attack to which retailers are most likely to be subjected. For example, PSD2 legislation mandates SCA to be applied only at the point of payment.

However, cyber-criminals have been expanding their methods of attack, enabling them to target a variety of points within the customer journey beyond the transaction alone. 

One method of fraud which criminals favor is policy abuse, which sees cyber-criminals overusing refer-a-friend schemes or creating multiple accounts to cheat retailers with coupons and discount codes.

An alternative method sees fraudsters taking advantage of people’s personal details leaked in data breaches, which are happening more frequently, and at a larger scale, than ever before. These stolen personal details are then used to hack into social media and online retailer accounts to make purchases that the owners had no intention of making. This particular type, known as account takeover, has increased significantly in recent years: up 45% from 2017 to 2018. In the face of these advanced and well-coordinated attacks on vulnerable points throughout the customer journey, retailers have to be even more prepared in the countries where SCA is in effect.

What to do when time is already up 
Retailers need to consider the impact of the lack of regulation over the next 18 months and beyond, and they need to act now to bolster their fraud defenses. The best course of action is for retailers to adopt a holistic approach to fraud prevention, defending against attacks at every stage of the customer journey, with advanced technologies to match the sophisticated techniques deployed by cyber-criminals.

By acting now with a comprehensive, PSD2-compliant solution, retailers can rest easy knowing they are as protected as possible across all markets.

Presented with these varied fraud threats and complex compliance concerns across country borders, it may seem like retailers are consigned to failure. However, comprehensive anti-fraud technologies mapped to user behaviors and wider networked activity are available right now to ensure retailers don’t have to spend the next 18 months – or days after implementation goes into effect – being vulnerable to fraud attacks. 