If you take donations online – and if you’re reading this, you almost certainly do – then big changes are afoot that you need to be aware of. Whether or not you need to actively do anything to be compliant, you’ll still likely be impacted.
How impacted is something of an open question. MasterCard predicts the changes will affect “up to 25% of payments”, while Barclaycard thinks it could be as many as 95%. But let’s back up a second: what’s changing and why?
What is PSD2?
Back in 2015, the European Commission published the Second Payment Services Directive (PSD2), a follow-up to the first directive, which had been implemented six years earlier.
While PSD2 is live right now and has been since January 2018, another key date is rapidly approaching: 14 September 2019. That’s the day when the changes will become compulsory, and it may prove a shock to the system for charities as it goes from being occasionally implemented to universal.
So what’s new? Well, it should come as no surprise to hear that fraud is an enormous problem with online transactions, so PSD2 aims to make it harder, by enforcing a couple of layers of extra security.
From September, barring some exceptions which we’ll get onto in a minute, all customer-led card transactions of €30 or over will require Strong Customer Authentication. That means card providers will need to check the transaction is legit with any two of the following:
1. Something the customer knows
- This could be a PIN or password.
2. Something the customer has
- This is the factor most people know from two-factor authentication (2FA). It could be an SMS code you have to enter into a pop-up box, or even a hardware token.
3. Something the customer is
- Biometrics, in other words. Like a fingerprint or an iris scan.
If the customer can’t provide the requested authentication, the bank will decline the payment.
Does that impact all transactions?
No. Firstly, transactions of €30 and under are mainly waved through, in the same way they are with contactless payments now. I say “mainly” because every fifth transaction below €30 will still get challenged, just to ensure a fraudster isn’t making a series of payments to stay under the radar.
That €30 threshold can also be raised by some banks if they wish, as the requirements are less stringent for institutions with lower prevalences of fraud.
Recurring card payments are also mainly exempt barring an initial setup, but only if the cost remains static between payments. In other words, a flat rate regular payment will go unchallenged, but if the amount fluctuates for some reason, then Strong Customer Authentication (SCA) kicks in to confirm it’s all above board.
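To make the exemption rules above concrete, here is a small decision function, added as an illustration and not code from the article or from any card scheme, that applies them exactly as the article describes them: the €30 threshold (adjustable, since some banks raise it), the every-fifth-transaction check on low-value payments, and the recurring-payment rule that only the initial setup and any change of amount are challenged. Amounts are held in cents to avoid floating-point comparisons; the sample transactions are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Transaction:
    card_id: str
    amount_cents: int                     # EUR amount in cents
    mandate_ref: Optional[str] = None     # set for recurring payments (assumed field)

@dataclass
class ScaPolicy:
    """Decides whether Strong Customer Authentication is required, per the article's rules."""
    threshold_cents: int = 3000           # EUR 30; banks with low fraud may raise this
    check_every: int = 5                  # "every fifth transaction below the threshold"
    _exempt_run: Dict[str, int] = field(default_factory=dict)       # card -> low-value exemptions since last SCA
    _mandate_amount: Dict[str, int] = field(default_factory=dict)   # mandate -> amount last authenticated

    def requires_sca(self, tx: Transaction) -> Tuple[bool, str]:
        # Recurring payments: SCA on setup, then exempt while the amount stays static.
        if tx.mandate_ref is not None:
            last = self._mandate_amount.get(tx.mandate_ref)
            if last is None or last != tx.amount_cents:
                self._mandate_amount[tx.mandate_ref] = tx.amount_cents
                return True, "recurring: initial setup" if last is None else "recurring: amount changed"
            return False, "recurring: fixed amount, exempt"
        # Customer-led one-off payment at or above the threshold: always challenged.
        if tx.amount_cents >= self.threshold_cents:
            self._exempt_run[tx.card_id] = 0
            return True, "at or above threshold"
        # Below the threshold: waved through, except every fifth one on the same card.
        run = self._exempt_run.get(tx.card_id, 0) + 1
        if run >= self.check_every:
            self._exempt_run[tx.card_id] = 0
            return True, "low value, but one-in-five check"
        self._exempt_run[tx.card_id] = run
        return False, "low value, exempt"

def decide_batch(policy: ScaPolicy, txs) -> list:
    """Run a sequence of transactions through the policy; returns one bool per transaction."""
    return [policy.requires_sca(tx)[0] for tx in txs]

if __name__ == "__main__":
    # Constructed sample: five EUR 22 donations, then a EUR 44 one, then a EUR 10 monthly gift.
    sample = [Transaction("card-A", 2200)] * 5 + [Transaction("card-A", 4400)]
    sample += [Transaction("card-B", 1000, "mandate-1")] * 2 + [Transaction("card-B", 1200, "mandate-1")]
    for tx, (needs_sca, why) in zip(sample, [ScaPolicy().requires_sca(t) for t in sample]):
        print(f"EUR {tx.amount_cents/100:.2f}: {'SCA' if needs_sca else 'exempt'} ({why})")
```

Note that the decision depends on per-card state, so in practice this logic lives with the issuer, not on the charity's website; the point here is to see which donations in a typical stream would be challenged.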
So what does this mean for charities?
Possibly very little from a technical point of view: it all depends on how you’ve implemented payment on your website. If you’ve embedded the forms on your site for a frictionless transaction process that blends in with your brand aesthetic, then you’ll need to modify it to include SCA or payments may stop working. If you use an external payment form, then you probably won’t need to do anything, but it doesn’t hurt to check with the provider well in advance of 14 September just in case.
But even if you’re in a position where you won’t have to do anything to be compliant, you may still notice some fluctuation in donation levels as donor behaviour changes. While the changes have been known about for some time in the industry, on a consumer level things have so far been pretty quiet. So if an unsuspecting customer sees additional pop-ups on their payment to you, they may view it as a red flag rather than the new normal.
Even when they’re used to the extra bits of security, it’s still a new layer of friction to get past before the donation is completed. There’s a reason Amazon has spent so much time reducing the number of steps between seeing a product and buying it: the fewer hurdles to clear, the less chance of a customer having a rethink and backing out.
There is a faint consolation here, though: the median charitable donation size in 2017 was £20 (~€22), which just creeps under the figure that automatically triggers a bank pop-up. Unfortunately, the mean figure is higher at £44 (~€49) and obviously, these payments are more valuable to your bottom line. Plus there’s still the one-in-five rule that means that 20% of all transactions under €30 will be flagged.
Have faith in your cause
In other words, there may be some mild turbulence ahead for fundraisers.
The good news is that it’s affecting every website equally, and online shopping being as prevalent as it is, it won’t be long before consumers factor in such extra security measures as just part of the process. Donors may even end up feeling more comfortable giving you money online, seeing the pop-ups as a sign of serious security on your part – after all, the average person won’t know who implemented the changes and why.
Still, the extra step makes it more important than ever that the donor believes in your cause and actively wants to donate to you. Even without the incoming PSD2 changes, it was advisable to ensure that your website is in tip-top shape with some serious optimisations and split testing. With them, it should be an absolute priority.