On 14 September 2019, the Strong Customer Authentication (SCA) requirements for online payments entered into force as part of the second Payment Services Directive (PSD2). These regulations are driving change in online retail and payment security.
This guide has all the information you need to understand the nuances of the SCA requirements and to comply with them properly in your business activities.
PSD2, the Second Payment Services Directive, is the EU directive regulating transactions in which at least one of the payment service providers (PSPs) is located in the EEA. It aims to develop a unified payment industry that follows standardised guidelines and promotes accountability and fair competition.
PSD2 came into force in 2016 and has been redefining online trade ever since by introducing such changes as:
SCA is a requirement of PSD2 that aims to make electronic and contactless offline payments more secure.
Traditional single-factor authentication requires only a username and a password to perform a transaction online. Under the SCA/PSD2 requirements this method is no longer sufficient: purchases must now use multi-factor authentication (MFA).
To fulfil the SCA requirements and accept payments, you have to add extra authentication factors. They fall into three categories:
According to the SCA regulatory technical standards (RTS), at least two of these categories must be present in a transaction. The factors must be independent of one another, so that a breach of one of them does not compromise the others.
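The "two categories, independent factors" rule above is easy to get wrong in an integration: a password plus a security question is two factors but only one category, and two factors verified through the same channel deserve a second look. The following Python is an added example, not code from this page or from Payneteasy; it assumes the three RTS categories (knowledge, possession, inherence, which the RTS does define) and uses a simplified "channel" attribute, an assumption of this example, to flag factor sets that all depend on a single device or channel.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The three SCA factor categories named in the PSD2 RTS."""
    KNOWLEDGE = "knowledge"    # something only the user knows: password, PIN
    POSSESSION = "possession"  # something only the user has: card, phone, hardware token
    INHERENCE = "inherence"    # something the user is: fingerprint, face


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    # Device or channel through which the factor is presented and verified.
    # This attribute is a simplification used by this example only; the RTS
    # itself speaks of independence, not of channels.
    channel: str


def evaluate_sca(factors):
    """Classify a presented factor set.

    Returns (status, reason) where status is one of:
      "non_compliant" - fewer than two distinct categories (hard fail)
      "compliant"     - two or more categories, verified over separate channels
      "review"        - two or more categories, but every factor rides on one channel;
                        a single compromised channel would expose all of them, so
                        the segregation between the factors needs to be confirmed
    """
    categories = {f.category for f in factors}
    if len(categories) < 2:
        names = ", ".join(f.name for f in factors) or "no factors"
        return "non_compliant", f"only {len(categories)} category presented ({names})"

    channels = {f.channel for f in factors}
    cat_names = sorted(c.value for c in categories)
    if len(channels) >= 2:
        return "compliant", f"categories {cat_names} over channels {sorted(channels)}"
    only = next(iter(channels))
    return "review", f"categories {cat_names} but all factors on one channel ({only})"


# Constructed sample factor sets (not taken from the page).
PASSWORD = Factor("password", Category.KNOWLEDGE, "browser")
SECURITY_QUESTION = Factor("security question", Category.KNOWLEDGE, "browser")
SMS_OTP = Factor("SMS one-time code", Category.POSSESSION, "phone")
CARD_CHIP = Factor("EMV chip", Category.POSSESSION, "card")
CARD_PIN = Factor("card PIN", Category.KNOWLEDGE, "pin_pad")
APP_BIOMETRIC = Factor("app fingerprint", Category.INHERENCE, "phone")
APP_DEVICE = Factor("bound app instance", Category.POSSESSION, "phone")


if __name__ == "__main__":
    for label, fs in [
        ("password + SMS OTP", [PASSWORD, SMS_OTP]),
        ("password + security question", [PASSWORD, SECURITY_QUESTION]),
        ("chip + PIN", [CARD_CHIP, CARD_PIN]),
        ("app biometric + bound device", [APP_BIOMETRIC, APP_DEVICE]),
    ]:
        status, reason = evaluate_sca(fs)
        print(f"{label:32s} -> {status:14s} {reason}")
```

The "review" outcome is deliberately not a failure: the RTS does allow both factors on one multi-purpose device when the issuer has put mitigating measures in place, so the check surfaces that case for a human decision rather than rejecting it outright.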
The Strong Customer Authentication requirements apply to online trade activities in which both the client’s and the merchant’s banks are located within the following locations:
In other words, all banks in the zones listed above are now required to verify the consumer's identity before processing an online payment.
You must replace your payment processing system with an SCA-compliant one if all of the following criteria apply to your business:
Although the European Banking Authority mandated that SCA be fully enforced by January 1, 2021, several countries negotiated their own timelines. Even so, 15 of the EEA member countries had their PSPs and banks fully operational under these regulations before the beginning of 2021.
Now that the official enforcement date for Strong Customer Authentication under PSD2 has passed, it is highly advisable to make sure your business complies with these requirements.
The consumer’s bank will determine when to apply multi-factor authentication, depending on the following transaction characteristics:
As a result, additional authentication steps are not required for every transaction. This is how PSPs balance payment convenience against fraud prevention.
However, even if your business handles low-risk transactions that qualify for an exemption from the PSD2 authentication requirements, the bank may still choose to request additional data to identify the client. It is therefore crucial that you update your integration so that your customers can complete the authentication process whenever that happens.
The way your business will adapt to the SCA requirements depends on what types of transactions it processes.
SCA applies to most offline (in-store) payments. Chip-and-PIN transactions are already compliant, but your clients may be asked to enter their PIN when paying contactlessly.
To support these requirements, you may need to update your POS terminal.
When your clients have to verify their identity at checkout using two-factor authentication, 3D Secure is the technology your business needs. EMV 3DS, the latest mobile-friendly version, keeps the payment flow smooth by reducing the chance that extra authentication steps are requested.
Some e-commerce transactions fall outside the scope of SCA, and others can be exempted from it. Your bank or checkout provider may be able to "flag" the transactions that do not require SCA: a code is attached to such payments so that they can be authorised without additional checks.
For business owners working on optimizing their payment processes to fulfill the SCA requirements, it may be confusing which widely-used methods are already compliant and which need alteration.
Read on for some examples of commonly encountered elements that match the Strong Customer Authentication factors PSD2 introduced.
The combination of two such elements fulfills SCA PSD2 minimum security requirements.
There is no way for eligible payment service providers and banks to avoid implementing the strong authentication that PSD2 introduced. It is a legal requirement, and those who fail to comply will suffer the consequences. Banks will reject non-authenticated payments from online businesses that ignore the SCA regulation, so such businesses will see their decline rates rise and their conversion rates fall.
Failing to adjust business processes to SCA puts both merchants and payment providers at risk of lower transaction volumes. Payment providers, however, face more severe consequences, such as fines and licence revocation.
Are you still in search of an SCA solution to fulfill the new PSD2 requirements? Worry not - Payneteasy has got you covered. No matter if you focus on one-time or recurring payments, we have the perfect solution that will make your business SCA-compliant with minimum amendments required from your side.
Our checkout process is based on the new foundational payments API that uses the SCA logic to implement valid exemptions and apply 3D Secure when needed. Reach out to us for more details!