The 14th of September 2019 was the day when Strong Customer Authentication (SCA) requirements for online payments entered into force as a part of the second Payment Services Directive (PSD2). These regulations drive change in online retail and payment security.
This guide has all the information you need to understand the nuances of SCA requirements and properly comply with them in your business activities.
What Are PSD2 and SCA?
PSD2, or the Second Payment Services Directive, is an EU directive regulating transactions in which at least one of the payment service providers (PSPs) is located in the EEA. It aims to build a unified payment industry that follows standardized guidelines and promotes accountability and fair competition.
PSD2 came into force in 2016 and has been redefining online trade ever since by introducing such changes as:
- Payment provider licensing
- Open banking
- Strong Customer Authentication
SCA is a requirement of PSD2 that aims to make electronic and contactless offline payments more secure.
Traditional single-factor authentication relies on a username and a password to authorize an online transaction. Under the SCA/PSD2 requirements this is no longer enough: purchases must now be protected by multi-factor authentication (MFA).
To fulfill the SCA requirements and keep accepting payments, you have to add extra authentication factors. They fall into three categories:
- Knowledge - something the customer knows
- Possession - something the customer owns
- Inherence - something the customer is (an inherent characteristic such as a biometric)
According to SCA’s regulatory technical standards (RTS), at least two out of these criteria should be present within a transaction. These factors must be independent of one another so that if a breach occurs in one of them, the other would not be compromised.
Who Needs to Be Compliant with SCA?
The Strong Customer Authentication requirements apply to online trade activities in which both the client’s and the merchant’s banks are located within the following locations:
- EEA countries
- San Marino
- United Kingdom
In other words, all banks in these zones are now required to verify the consumer's identity before processing an online payment.
You must replace your payment processing system with an SCA-compliant one if all of the following criteria apply to your business:
- It is based in the EEA, or you deal with payments on behalf of connected accounts based in the EEA
- You interact with customers located in the EEA
- You accept credit or debit cards
Despite the European Banking Authority’s mandate for the SCA to be fully enforced by January 1, 2021, multiple countries negotiated their own timelines. Nevertheless, 15 of the EEA member countries managed to get PSPs and banks fully operational under these regulations before the beginning of 2021.
Now that the official Strong Customer Authentication PSD2 enforcement date has already passed, it is highly advisable to make sure your business complies with these requirements.
Is Strong Customer Authentication Required for All Transactions?
The consumer’s bank will determine when to apply multi-factor authentication, depending on the following transaction characteristics:
- Risk level
- Amount of funds
- Payment channel
Therefore, additional authentication steps may not be required at all times. This is a way for PSPs to maintain a balance between payment convenience and fraud prevention. Let’s take a look at the types of payments that can be exempted from PSD2 SCA.
Possible SCA Exemptions
Here are some common examples when the need for SCA compliance can be alleviated for merchants and consumers:
Low Fraud Level
Payment service providers can perform a Transaction Risk Analysis (TRA) to determine whether they must apply SCA to certain payments. This exemption is only available when both the payment provider and the bank have an overall fraud rate below the following levels:
- 0.13% for sums from €0 to €100
- 0.06% for sums from €100 to €250
- 0.01% for sums from €250 to €500
These thresholds are convertible to local equivalent sums.
However, if the cardholder bank’s fraud rate exceeds the limits mentioned while the payment provider’s rate is below them, strong customer authentication is most likely to be required.
Fixed-Amount Recurring Payments
Customers signed up for payment plans with fixed-amount recurring fees usually only have to pass the authentication process once, during the initial transaction. However, if the billing sum changes, the consumers will be asked to confirm the payment again.
To avoid having to complete the authentication process multiple times, the consumers can mark these payments as MITs - more information on this below.
Transactions Under €30
Payments below €30 are typically exempt from the SCA regulation of the Payment Services Directive. However, issuing banks still monitor the number of payments conducted under this rule.
When the sum of such transactions exceeds €100 or its local equivalent, authentication will be requested for security reasons. The same may happen when there are five such payments charged from the account.
Corporate Payments
A money transfer from one corporate account to another can be exempt from PSD2 SCA. Note that this is only the case when the payment method used is a tool dedicated specifically to B2B payments.
Whitelisted Merchants
Consumers can whitelist some merchants in their bank account to avoid additional security steps.
However, even if your business is dealing with low-risk transactions that have the right to be exempt from the PSD2 authentication requirements, banks may still choose to request additional data for client identification. Thus, it is crucial that you update your integration so that your customers are able to complete the authentication process if such a situation occurs.
Transactions Out of SCA’s Scope
Apart from the transactions that have a chance of being exempt from SCA, there are some payments that are guaranteed to be out of its scope. We have compiled the information on the most common ones, namely:
- One-leg transactions. These are cross-border transfers in which either the acquirer or the issuer is based outside of the EEA, the UK, or Monaco. Thus, European merchants don't have to apply SCA to accept payments from non-European clients.
- MITs. Merchant Initiated Transactions don't involve the consumer directly; instead, the payment is withdrawn according to their prior consent. The account owner should authenticate the first transfer and flag it as an MIT.
- MOTO transactions. Mail Order / Telephone Order payments don't fall under the category of electronic payment services and thus are not required to comply with SCA.
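The exemption and scope rules described in the sections above can be expressed as a single decision function. The following Python helper is an added example, not code from the article or Payneteasy's API; it assumes that the TRA band upper bounds are inclusive, that the issuer supplies the recurring/whitelist/MIT/MOTO flags, and that the low-value counters reset once SCA is actually performed.

```python
from dataclasses import dataclass

# Rule values from the article; band upper bounds treated as inclusive (assumption).
TRA_BANDS = [(100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001)]
LOW_VALUE_LIMIT, LOW_VALUE_TOTAL, LOW_VALUE_COUNT = 30.0, 100.0, 5


@dataclass
class CardState:
    """Counters an issuer keeps per card since the last SCA (assumed model)."""
    total: float = 0.0
    count: int = 0


def tra_ceiling(amount):
    """TRA fraud-rate ceiling for this amount band, or None above €500."""
    for upper, rate in TRA_BANDS:
        if amount <= upper:
            return rate
    return None


def sca_decision(amount, state, acquirer_fraud=0.0, issuer_fraud=0.0,
                 one_leg=False, mit=False, moto=False, fixed_recurring=False,
                 trusted=False):
    """Classify one card payment under the rules above; mutates state."""
    # Out of scope: one-leg, merchant-initiated and MOTO payments.
    if one_leg:
        return "out_of_scope:one_leg"
    if mit:
        return "out_of_scope:mit"
    if moto:
        return "out_of_scope:moto"
    # Exemptions the issuer may grant (it can still challenge; see text).
    if fixed_recurring or trusted:
        return "exempt:recurring_or_trusted"
    if amount < LOW_VALUE_LIMIT:
        state.total += amount
        state.count += 1
        if state.total > LOW_VALUE_TOTAL or state.count >= LOW_VALUE_COUNT:
            state.total, state.count = 0.0, 0  # SCA now; counters reset
            return "sca_required:low_value_limits"
        return "exempt:low_value"
    ceiling = tra_ceiling(amount)
    if ceiling is not None and max(acquirer_fraud, issuer_fraud) < ceiling:
        return "exempt:tra"
    return "sca_required"
```

The TRA branch requires both the acquirer's and the issuer's fraud rate to sit below the band ceiling, mirroring the caveat that a high issuer fraud rate alone is enough to trigger authentication.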
How to Comply with SCA Requirements?
The way your business will adapt to the SCA requirements depends on what types of transactions it processes.
SCA is applicable to the majority of offline payments. While chip and PIN transactions are compliant, your clients may be asked to provide their PIN when performing contactless payments.
To be able to support these requirements, you might face the need to update your POS terminal.
When your clients have to verify their identity with two-factor authentication during checkout, 3D Secure is the technology that carries this step for your business. EMV 3DS, the latest mobile-friendly version, keeps the payment flow smooth by reducing the chance that extra authentication steps are requested.
Besides, there are e-commerce transactions that do not fall under the SCA regulations and those that could be exempt from it. Your bank or checkout provider may be able to “flag” the transactions that don’t require SCA compliance. This adds a code to some payments so that they can be authorized without any additional checks.
Which Authentication Methods Are SCA-Compliant?
For business owners working on optimizing their payment processes to fulfill the SCA requirements, it may be confusing which widely-used methods are already compliant and which need alteration.
Below are some commonly encountered elements that satisfy the Strong Customer Authentication requirements PSD2 introduced.
- Knowledge-based security question
- Memorized swiping path
- Possession of a device evidenced by a signature generated by hard or soft tokens
- Card evidenced by a card reader
- Device evidenced through a QR code scanned from another device
- Card with possession evidenced by a dynamic card security code
- Voice recognition
- Keystroke dynamics
- Fingerprint scanning
- Hand and face geometry
The combination of two such elements fulfills SCA PSD2 minimum security requirements.
There is no way for the eligible payment service providers and banks to avoid implementing the strong authentication that PSD2 introduced. After all, it is a legal requirement, and those who fail to comply will suffer the consequences. Banks will reject non-authenticated payments from online businesses that ignore the SCA regulation, so such businesses will see their decline rates rise and their conversion rates fall.
The failure to adjust the business processes to SCA puts both the merchants and payment providers at risk of lower transaction volumes. Yet, the latter party will face more severe negative effects, such as fines and license revocation. That’s why it is essential to know all the compliance information and have the right technical solutions at hand.
How Payneteasy Can Help You Comply with PSD2 / SCA Requirements
Are you still in search of an SCA solution to fulfill the new PSD2 requirements? Worry not - Payneteasy has got you covered. No matter if you focus on one-time or recurring payments, we have the perfect solution that will make your business SCA-compliant with minimum amendments required from your side.
Our checkout process is based on the new foundational payments API that uses the SCA logic to implement valid exemptions and apply 3D Secure when needed. Reach out to us for more details!