PSD 2.0 and the need for Strong Customer Authentication
What does PSD 2.0 stand for?
PSD 2.0 refers to the revised Payment Services Directive, which affects e-commerce transactions in the European Economic Area (EEA). All transactions in which both the merchant’s payment service provider and the cardholder’s bank are located within the EEA are subject to Strong Customer Authentication (SCA), a requirement under PSD 2.0.
Payment service providers and banks are responsible for implementing protocols that comply with the PSD 2.0 SCA regulations and for guiding their merchants through the change.
What is SCA?
What does SCA stand for, and why is it so crucial in today’s online payment landscape?
Put simply, SCA stands for Strong Customer Authentication. With online credit card fraud rising every year, the payments market has to adopt stronger technical safeguards. So what is SCA and how will it affect digital card-based payments? As one aspect of PSD 2.0, SCA has been designed to improve payment security in online transactions and to protect cardholders and merchants against fraudulent and unauthorized transactions.
But what do these SCA requirements entail? In order to authenticate a payment, cardholders will be asked to complete at least two of the following three elements:
- Something the cardholder has, such as a mobile phone or token
- Something the cardholder knows, such as a password or PIN
- Something the cardholder is, which includes biometrics such as a fingerprint or face recognition
This means that entering the card number and the CVV/CVC verification code when shopping online is no longer enough. Card issuers and acquirers are now responsible for incorporating the elements of the latest PSD 2.0 requirements and for preparing their merchants by adding an extra security element to online credit card processing.
When does SCA come into force?
The start date of SCA was September 14th, 2019. However, the European Banking Authority (EBA) issued an opinion to delay the deadline until December 31st, 2020, giving businesses more time to prepare. The EBA states that the opinion:
‘also recommends national competent authorities (NCAs) to take a consistent approach toward the SCA migration period across the EU and to require their respective payment service providers (PSPs) to carry out the actions set out in the Opinion.’
How to Authorize a Payment
A widely used tool for authenticating card-not-present transactions is 3D Secure. This fraud prevention measure was originally launched back in 2001 to add an extra layer of security to card payments. With the first version of 3DS, customers were asked by their issuing bank, via a web page, to enroll in 3DS 1.0 by setting a static password that would be used to authenticate the transaction. That practice caused consumers to abandon online carts, because the payment flow was interrupted and online shoppers were left with an additional password to remember.
In 2019, 3D Secure 2.0 (3DS2) was introduced by Visa and Mastercard to improve the customer experience and decrease cart abandonment rates, while still processing transactions in a secure environment. The new version opens a secure, real-time channel through which merchants can send a large number of transaction attributes that the issuing bank can use to authenticate the customer. Instead of asking for a static or one-time password, banks now let customers authenticate the payment with a fingerprint, a face scan, or even via the mobile banking application on their phone. Moreover, 3D Secure 2.0 has been designed with web and mobile checkouts in mind, and full-page redirects are not required. When a customer initiates an authentication on your webpage, the 3D Secure prompt now appears by default in a modal on the checkout page (browser flow). Customers will enjoy a smoother payment experience with fewer frustrations at the checkout.
The SCA Exemptions
Certain types of transactions might not require SCA to be applied. If a transaction meets certain criteria, you as a merchant, or your acquirer, can request an exemption from the issuer. SCA exemptions can be requested for the following:
- Low-Value Transactions – payments below 30€ are exempt from strong customer authentication. However, if the cardholder makes five or more payments below 30€, or multiple low-value payments that total more than 100€, then SCA might be required.
- Recurring Card Transactions – under the recurring payment exemption, SCA is applied only to the first payment. If the amount stays the same for the upcoming payments, SCA will not be required for those future transactions.
- Low-Risk Transactions – transactions evaluated as low-risk based on a transaction risk analysis (TRA), a real-time assessment of whether a particular transaction is likely to be fraudulent, are not subject to SCA. Payment service providers can use the TRA exemption if their fraud rates and the transaction amounts are under certain thresholds.
- Whitelisted Merchants / Trusted Beneficiaries – customers can add trusted merchants to a list of ‘Trusted Beneficiaries’. This way they will not need to authenticate themselves every time they make a payment to those businesses. The trusted beneficiary list is maintained and updated by the Account Servicing Payment Service Provider (ASPSP). The option of whitelisting merchants is also available through the 2nd version of 3D Secure, which was launched in September 2019.
- Corporate Payments – Strong Customer Authentication is not required for corporate payments as long as dedicated payment processes or protocols are used and these are only available to payers who are not consumers. In addition, it is expected that the dedicated corporate processes and protocols are sufficiently secure and satisfy the national competent authorities.
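As an added illustration, and not Powercash21's code or the text of the directive, the following Python model shows how an issuer-side counter could enforce the low-value exemption rules listed above (below 30€ per payment, a cap on consecutive exempt payments, and a 100€ cumulative cap). Amounts in euro cents, the counter reset after SCA, and the boundary that the sixth consecutive exempt payment triggers SCA are assumptions of this example.

```python
from dataclasses import dataclass

# Thresholds quoted on the page (assumption: amounts are handled in euro cents).
LOW_VALUE_LIMIT = 30_00        # a single payment must be below 30 EUR
MAX_EXEMPT_COUNT = 5           # at most five consecutive exempt payments
MAX_EXEMPT_TOTAL = 100_00      # cumulative exempt amount may not exceed 100 EUR


@dataclass
class CardState:
    """Counters an issuer keeps per card since the last SCA (constructed model)."""
    exempt_count: int = 0
    exempt_total: int = 0


def low_value_exemption_applies(amount: int, state: CardState) -> bool:
    """True when this payment may skip SCA under the low-value rule."""
    if amount >= LOW_VALUE_LIMIT:
        return False
    if state.exempt_count >= MAX_EXEMPT_COUNT:      # already five since last SCA
        return False
    if state.exempt_total + amount > MAX_EXEMPT_TOTAL:
        return False
    return True


def process_payment(amount: int, state: CardState) -> str:
    """Decide 'exempt' or 'sca' and update the counters the way an issuer would."""
    if low_value_exemption_applies(amount, state):
        state.exempt_count += 1
        state.exempt_total += amount
        return "exempt"
    # SCA is applied; a successful SCA resets the counters (assumption).
    state.exempt_count = 0
    state.exempt_total = 0
    return "sca"


def simulate(amounts: list[int]) -> list[str]:
    """Run a sequence of payments on one card and return the decision per payment."""
    state = CardState()
    return [process_payment(a, state) for a in amounts]


# Constructed sample: five 15 EUR payments, a sixth one, a 45 EUR one, then 25 EUR.
SAMPLE = [15_00, 15_00, 15_00, 15_00, 15_00, 15_00, 45_00, 25_00]

if __name__ == "__main__":
    for amount, decision in zip(SAMPLE, simulate(SAMPLE)):
        print(f"{amount / 100:6.2f} EUR -> {decision}")
```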
How to get started with Powercash21
Powercash21 is always at the forefront when it comes to supporting merchants in reducing fraud and making online payments more secure. Although the new regulation is now expected to be in full force by December 31st, 2020, Powercash21 and its gateway are already ready and fully support the new SCA requirements. This includes handling, within the online payment flow, transactions that fall under the exemption guidelines. As a merchant, you can rest assured that our systems will help you navigate these regulatory changes around strengthening the authentication process for your customers. Get in touch with us to discuss any questions you might have about the 3DS2 readiness of our payment solutions.