The 14th of September 2019 was the day when Strong Customer Authentication (SCA) requirements for online payments entered into force as a part of the second Payment Services Directive (PSD2). These regulations drive change in online retail and payment security.
This guide has all the information you need to understand the nuances of SCA requirements and properly comply with them in your business activities.
PSD2, or the Second Payment Services Directive, is an official instruction regulating transactions where at least one of the payment service providers (PSPs) is located in the EEA. It aims to develop a unified payment industry that follows standardized guidelines and promotes accountability and fair competition.
PSD2 came into force in 2016 and has been redefining online trade ever since by introducing such changes as:
SCA is a requirement of PSD2 that aims to make electronic and contactless offline payments more secure.
Traditional single-factor authentication requires a username and a password to perform a secure transaction online. However, this method is no longer enough, according to the SCA/PSD2 requirements - the purchases must now feature multi-factor authentication (MFA).
For the sake of fulfilling SCA requirements and accepting payments, you have to add extra authentication factors. They can be split into three categories:
According to SCA’s regulatory technical standards (RTS), at least two out of these criteria should be present within a transaction. These factors must be independent of one another so that if a breach occurs in one of them, the other would not be compromised.
The Strong Customer Authentication requirements apply to online trade activities in which both the client’s and the merchant’s banks are located within the following locations:
In other words, nowadays, all banks in the mentioned zones are required to verify the consumers’ identity before processing an online payment.
It is a must to update your payment processing system for an SCA-compliant one if all of the following criteria apply to your business:
Despite the European Banking Authority’s mandate for the SCA to be fully enforced by January 1, 2021, multiple countries negotiated their own timelines. Nevertheless, 15 of the EEA member countries managed to get PSPs and banks fully operational under these regulations before the beginning of 2021.
Now that the official Strong Customer Authentication PSD2 enforcement date has already passed, it is highly advisable to make sure your business complies with these requirements.
The consumer’s bank will determine when to apply multi-factor authentication, depending on the following transaction characteristics:
Therefore, additional authentication steps may not be required at all times. This is a way for PSPs to maintain a balance between payment convenience and fraud prevention. Let’s take a look at the types of payments that can be exempted from PSD2 SCA.
Here are some common examples when the need for SCA compliance can be alleviated for merchants and consumers:
Low Fraud Level
The providers of payment services can perform a Transaction Risk Analysis (TRA) to learn whether they must apply SCA to certain payments. This approach is only relevant in cases when both the payment provider and the bank have an overall fraud rate below the following levels:
These thresholds are convertible to local equivalent sums.
However, if the cardholder bank’s fraud rate exceeds the limits mentioned while the payment provider’s rate is below them, strong customer authentication is most likely to be required.
Recurring Billing
Customers signed up for payment plans with fixed-amount recurring fees usually only have to pass the authentication process once during the initial financial transaction. However, if the billing sum changes, the consumers will be requested to confirm the payment again.
For guaranteed avoidance of having to go complete the authentication process multiple times, the consumers can mark these payments as MITs - more information on this below.
Transactions Under €30
Payments below €30 are typically exempt from the SCA regulation of the Payment Services Directive. However, issuing banks still monitor the number of payments conducted under this rule.
When the sum of such transactions exceeds €100 or its local equivalent, authentication will be requested for security reasons. The same may happen when there are five such payments charged from the account.
B2B Payments
A money transfer from one corporate account to another can be exempt from PSD2 SCA. Note that this is only the case when the payment method used is a tool dedicated specifically to B2B payments.
Trusted Beneficiaries
The consumers can whitelist some merchants in their bank account to avoid additional security steps.
However, even if your business is dealing with low-risk transactions that have the right to be exempt from the PSD2 authentication requirements, banks may still choose to request additional data for client identification. Thus, it is crucial that you update your integration so that your customers are able to complete the authentication process if such a situation occurs.
Apart from the transactions that have a chance of being exempt from SCA, there are some payments that are guaranteed to be out of its scope. We have compiled the information on the most common ones, namely:
The way your business will adapt to the SCA requirements depends on what types of transactions it processes.
Face-to-Face Payments
SCA is applicable to the majority of offline payments. While chip and PIN transactions are compliant, your clients may be asked to provide their PIN when performing contactless payments.
To be able to support these requirements, you might face the need to update your POS terminal.
Online Payments
When your clients are prompted to verify their identity during the checkout process using two-factor authentication, the 3D Secure technology will be helpful for your business. EMV 3DS, the latest mobile-friendly version of this tech, will ensure a smooth user experience throughout the payment process by reducing the chance of any extra authentication steps being requested.
Besides, there are e-commerce transactions that do not fall under the SCA regulations and those that could be exempt from it. Your bank or checkout provider may be able to “flag” the transactions that don’t require SCA compliance. This adds a code to some payments so that they can be authorized without any additional checks.
For business owners working on optimizing their payment processes to fulfill the SCA requirements, it may be confusing which widely-used methods are already compliant and which need alteration.
Read ahead for some examples of the commonly encountered elements that match the Strong Consumer Authentication PSD2 introduced.
Knowledge:
Possession:
Inherence:
The combination of two such elements fulfills SCA PSD2 minimum security requirements.
Non-Compliance Consequences
There is no way of avoiding the implementation of strong authentication that PSD2 introduced for the eligible payment service providers and banks. After all, it is a legal requirement, and those who fail to comply with it will suffer the consequences. Banks will be rejecting non-authenticated payments from online businesses that ignore the SCA regulation. Therefore, such service providers will experience the decline rates going up and the conversion rate falling.
The failure to adjust the business processes to SCA puts both the merchants and payment providers at risk of lower transaction volumes. Yet, the latter party will face more severe negative effects, such as fines and license revocation. That’s why it is essential to know all the compliance information and have the right technical solutions at hand.
Are you still in search of an SCA solution to fulfill the new PSD2 requirements? Worry not - Payneteasy has got you covered. No matter if you focus on one-time or recurring payments, we have the perfect solution that will make your business SCA-compliant with minimum amendments required from your side.
Our checkout process is based on the new foundational payments API that uses the SCA logic to implement valid exemptions and apply 3D Secure when needed. Reach out to us for more details!
Thank you for reaching us. Your request has been sent successfully. We will get back to you as soon as possible.
Message was not sent
Commentaries 4
Brian P
I’m from America and run a business online. Do I need to follow that PSD2 thingy, or is it unnecessary for me?
Hello, thank you for your question!
Legally you don’t — this PSD2 directive is obligatory in the European Economic Area only. But…
First, if you ever plan to expand your enterprise and go overseas, European market is among the blooming ones. And if you want to accept payments from the Old World, your payment service needs to be in compliance with PSD2.
Besides, many experts believe this directive will impact America as well. One of its great benefits is the third-party access. In simple terms, it allows your e-store to access the customer’s bank data. (If they allow you to, of course).
So, basically, I can sell nothing in europe unless I enable this standard? Also, I’m not quite getting the “Inherence” part — is it like fingerprints? Cheers
Thank you for reading!
And yes, all payment services and merchants that operate withing the EEA should comply with the directive PSD2. It’s a legal requirement and there’s no workaround, basically.
As for security matters, customer authentication is really tight with the directive PSD2. And the inherence principle is one of the success components.
Yes, it may require a scan of your fingerprint. Or a sample of your voice, retina scan, photo of your face — biometric authentication is diverse these days.
But don’t worry, no third-party entities will access your biometrics. At the same time, the second payment will be even easier and faster with PSD2.