9 minute read

PSD2: Strong Customer Authentication for eCommerce

by: Conor Tweed
Monday, October 01, 2018

9 minute read

PSD2 - The revised Payment Services Directive is a comprehensive set of rules that the EU has put in place to help promote the development of a more efficient, secure and open payments landscape that encourages innovation while enhancing consumer rights and protection.

As part of this legislation there is now a new, stricter set of regulations around enforcing what is known as Strong Customer Authentication (SCA) for online payments within the European market.

A business person using a tablet in an office.While PSD2 officially came into effect on 13 January 2018, the regulations on SCA did not enter the Official Journal of the EU until 13 March 2018 and will not be enforced for a further 18 months after this date - coming into effect on 14 September 2019.

These new regulations are likely to impact almost all eCommerce merchants who conduct business in the European market and there could be some significant changes to your payments journey.

We at Global Payments are here to help support every one of our merchants in the task of navigating the upcoming changes and this guide aims to provide a starting point for you on this journey. With over 50 years of payment experience and a passion for innovation, we provide you with the tools and expertise needed to face these changes and to make your customer payment experience the best it can be so that you can maximise sales revenue.

What is SCA?

SCA, sometimes referred to as multi-factor or two-factor authentication, is the method of authenticating an individual based on at least two discrete elements of the following three categories.

POSSESSION - Something only you have
For example, your mobile device that has been registered with your issuing bank or a hardware token that has been issued to you.

INHERENCE - Something only you are
For example, your fingerprint, iris scan or other form of biometric that can uniquely identify you.

KNOWLEDGE - Something only you know
For example, a unique passphrase or identification number that is known only by you.

This form of authentication has become increasingly popular of late, with all the major internet services such as Google now supporting and promoting use of SCA to help keep user accounts safe. When deployed correctly, SCA offers an opportunity to reduce the incidence of online identity theft or account takeover.

What types of payments will require SCA?

SCA will be mandated to a significant portion of card not present (CNP) transactions but there is a limit to the scope. The mandate for SCA will only apply where each of the following criteria are met:

The European regulation on SCA mandates that all forms of electronic remote payment transactions, eCommerce, will need to be authenticated.

The regulation acknowledges that only transactions where both the payer’s payment service provider (the issuing bank for card payments) and the merchant’s payment service provider (the acquiring bank for card payments) are located within the European Economic Area (EEA) are mandated to be authenticated using SCA.

For transactions with one leg out of the EEA (e.g. where the card issuing bank is located in the USA), a best-effort attempt to authenticate is all that is required.

The regulation also stipulates that SCA is only necessary for payments that are considered as initiated by the payer/customer. This means that payments such as SEPA Direct Debits (which are initiated by the merchant) are out of scope and do not require SCA to be applied.

For card payments however, the opinion of the European Banking Authority (EBA) is that card payment transactions initiated through the payee/merchant (for example recurring subscription payments) should be considered as payer/customer initiated and should thus fall into scope of the regulation. This is contrary to the opinions previously expressed by the card schemes and it remains to be seen how this debate on interpretation will develop between now and the commencement date of 14 September 2019.

Are there exemptions?

Illustration of a mobile device and credit card with a global map in the backgroundThe regulation has been written to include explicit exemptions where a payment service provider can choose not to apply SCA. The idea behind these exemptions is to allow for the development of a user-friendly payment experience in circumstances where the risk is low.

It is important to be aware that it is the payer’s payment service provider (their issuing bank in the case of card payments) that has the final say as to whether an exemption can be used or whether SCA should be applied regardless.

Similar to the now-familiar amount limits for contactless card payments - above which a cardholder typically needs to authenticate the payment using the traditional PIN entry on the POS Terminal - there are amount limits below which an eCommerce transaction can be exempted from mandated SCA.

Transactions up to a maximum value of €30 can make use of this exemption. However, there are two methods of limiting consecutive use of the exemption as follows:

  1. The cumulative value of transactions initiated by the payer (independent of payee) since the last application of SCA must not exceed €100.
  2. The cumulative number of transactions initiated by the payer (independent of payee) since the last application of SCA must not exceed five consecutive transactions.

The payer’s payment service provider (issuing bank for card payments) must choose one of the above limit methods and apply it. Where the chosen condition is not met, the exemption may not be used.

Recurring payments where the transaction amount is the same and the payee/merchant is the same will be able to exempt subsequent transactions after the first transaction in the sequence has been authenticated using SCA.

For recurring payments of variable amounts, such as utility bills, this exemption will not apply. As discussed in the previous section there is a debate as to whether subsequent recurring card payments should be exempt as merchant initiated but if this is not the case then alternative exemptions such as the trusted beneficiaries exemption may be the best option - otherwise SCA will still be required.

The regulation grants an exemption for transactions where the payee has been included on the payer’s list of trusted beneficiaries. No other limitations exist and there is no limit to the number of times this exemption can be utilised or the value of transactions that can be exempted in this way.

This list, created by the payer/customer and maintained by their payment service provider, acts as a whitelist of payees that the payer trusts. For card payments, it is only the issuing bank that can maintain the whitelist and the merchant will only be able to request for the option to be offered to the customer.

A transaction may also be exempt from SCA where transaction risk analysis (TRA) has been carried out by either the payee’s payment service provider or the payer’s payment service provider (e.g. the card issuer).

Transactional risk analysis is a real-time assessment of the transaction data, behaviour of the customer, previous spending habits and location to determine if a transaction should be treated as low-risk.

This exemption is limited to transactions up to a certain € value, dependent on the payment provider’s overall fraud levels. The maximum transaction value that can be exempted from SCA in this way is €500.

How will SCA impact the customer journey

The first thing to be aware of is that this move towards SCA and the use of TRA across almost all European eCommerce traffic will almost certainly see a large decrease in online payment fraud. This is the driving force behind the SCA requirements and for both merchants and consumers this can only be seen as a good thing.

The second thing to remember is that these changes will impact all online merchants, regardless of their vertical or industry. Working with your payment provider to ensure you’re utilising all of the exemptions you can and keeping your customer journey as frictionless as possible will be a key way that you can stay ahead of your competitors - and Global Payments is here to help with this.

One more thing to be mindful of is that these changes will also impact on almost all customers. While SCA threatens to add serious friction to the customer journey - at a time when many issuers, particularly in markets such as the UK, have been moving more and more towards TRA as a way to avoid any customer authentication friction - it is an experience that will be near universal, across all of there online payment activity. As a result, while there is likely to be initial teething problems, if implemented correctly SCA will soon become routine for the majority of customers.

How will Global Payments help you be ready for SCA?

A consumer using a credit card with a laptop.Regulation on SCA is going to have a dramatic effect on the online payment landscape and it will be important that merchants are well prepared for the challenge at hand. It is in this respect that Global Payments will be able to offer a guiding light.

For merchants processing card payments, the cardholder authentication service 3D Secure is likely to become the de facto solution for SCA.

A new version of the 3D Secure protocol - 3D Secure 2 - is in development by the Card Scheme group EMVCo (made of six member organisations - American Express, Discover, JCB, Mastercard, UnionPay and Visa). This new version tackles many of the perceived shortcomings of the original 3D Secure solution such as improved support for mobile and other devices, larger range of authentication methods such as biometrics, and authentication of non-payment activities to support integration with digital wallets. Additionally it is actively being tweaked to address the needs of the European market to meet the regulatory requirements on SCA including support for exemption flagging and whitelisting.

This new version is still being refined, and timelines for when full scheme, issuer and acquirer support will be available remain fluid. Global Payments fully supports the existing 3D Secure protocol and are actively working on our 3D Secure 2 solution which will be delivered in line with scheme and regulatory timelines.

For merchants who want to excel in the European and cross border market, an extensive and tailored range of payment methods is vital for ensuring a high conversion rate. Payment preferences vary by country across the EU and the globe, and as the popularity of alternative payment methods rise – forecast to even surpass the use of credit and debit cards – businesses need to adapt by offering the payment methods their customers know and trust.

Global Payments offer over 140+ alternative payment methods (APM), including all major European APM, such as iDeal, Sofort & Trustly, that today already rely on multi-factor authentication using one-time passwords with their login credentials. Since they’re already utilising SCA as part of their standard transaction flows, there are no significant changes or added friction needed for these payment methods in order to meet the needs of the new regulation.

Our diverse payment methods offering enables businesses and organisations – from online retailers to education providers – to accept local and alternative digital payment methods and reach key EU markets while being reassured that their customers payment journeys are safe and secure.

Stay up to date

While many of the details and impacts are clear there are still many open questions left to be answered. Global Payments maintains strong and direct working relationships with the major card schemes, issuing banks and regulatory bodies throughout the European payment landscape and are working closely with these stakeholders to ensure we’re ready to support all our merchants with providing the best SCA solutions for all their customers.

We will continue to publish information and guidelines on how best to react to these changes throughout 2018 and into 2019.

For further information on 3D Secure and our APM offering, or if you have any feedback or queries please reach out to us at [email protected].