
Strong Customer Authentication

The new European regulation, the Payment Services Directive (PSD2), dictates that Consumer-initiated electronic transactions require Strong Customer Authentication. For online Card payments, this means that transactions need to be authenticated via 3D Secure (or equivalent*). This regulation came into force on 14th September 2019.

(*) Please refer to platform specific information as different platforms and schemes may have different requirements and timelines for readiness.

Depending on how merchants manage their payments today, the new rules on SCA could have a noticeable impact both on the way they process payments and on the payment journey their consumers experience. To be prepared, Merchants need to know the following:

  1. 3D Secure authentication (or equivalent) for online Card payments will be required. Nets eCommerce platforms are SCA-compliant; Issuers are responsible for SCA and may decline unauthenticated transactions in the future.
  2. Transactions that are either Merchant Initiated or Recurring will need to be flagged correctly in the Authorisation message. This may require updates to your PSP/Gateway API integration – you will be advised where required.

Card issuers are becoming better at streamlining consumer authentication and the move to a newer 3D Secure version will improve this further.

The exact implementation steps and options available to you as a merchant depend on which Nets platform you are using. It is important that you refer to the PSP platform guidance material to ensure you are set up for 3D Secure correctly.

NB: Nets eCommerce platforms are ready with 3D Secure to help you meet authentication requirements

We know that there is a lot of confusing information around PSD2 and Strong Customer Authentication, so we have removed the noise and set out below, in a simple way, what you actually need to know.

Below are the details sitting behind PSD2, SCA and the points you need to know about 3D Secure and being ready.

What is SCA and which transactions does it apply to?

Fraud in online payments is becoming more sophisticated and has been rising in recent years. To counter this, new rules on Strong Customer Authentication (SCA) were introduced in the EU Payment Services Directive II (PSD2).

Essentially, PSD2 states that all electronic transactions (i.e. Card and Bank Transfers) initiated by a Payer (i.e. Consumer) require SCA. Strong Customer Authentication as per PSD2 refers to the Consumer being requested to provide Two Factor Authentication (2FA) to identify themselves in the transaction process. The two factors must be independent of each other (compromise of one must not compromise the other) and must come from two different ones of the following categories:

Knowledge: something only the Consumer knows, e.g. a password or PIN code

Possession: something only the Consumer has, e.g. a secure token or a registered mobile device

Inherence: something only the Consumer is, e.g. a fingerprint or facial recognition

Today, this is what happens when you buy online with your card: you type in the card number and are then asked to authenticate yourself through 3D Secure with an SMS one-time password or similar.

The Consumer’s Bank (the card issuer) is ultimately responsible for providing the means of SCA and ensuring SCA is carried out. But the efficient execution of SCA also requires the involvement of Payment Service Providers (PSPs) and Acquirers in the case of card payments.

Not every single transaction is in-scope for SCA!

PSD2 rules state that transactions initiated by the Payer require SCA, therefore there are certain types of transactions that do not require 2FA:

  • Payee initiated (also known as Merchant Initiated) transactions are not considered to be triggered by the Payer, who is not present to authenticate, so they are out of scope for SCA. This is a complicated topic, so we have a separate section for it below
  • MOTO (Mail Order, Telephone Order) transactions are not considered to be electronic, therefore they are out of scope for SCA
  • Cross border transactions where either the issuer or the acquirer is not based in Europe are out of scope for SCA

What do online merchants need to do?

3D Secure must be enabled for card payments online

The requirement for Strong Customer Authentication (SCA) under PSD2 means that authentication of payers is no longer a matter of opting in. For in-scope transactions, SCA must be carried out. This means card transactions must be authenticated via 3D Secure (or the equivalent for card brands other than Visa and Mastercard).

What is 3D Secure?

3D Secure is the security protocol developed to protect Cardholders online through additional security checks on payment transactions. 3D Secure is delivered by the individual card schemes (e.g. Visa has “Verified by Visa” and MasterCard has “SecureCode”) and is recognisable to consumers because these brands are shown on the 3D Secure page where they click “confirm”.

SCA via 3D Secure usually requires a step-up challenge, i.e. an action required from the consumer to confirm that they are in fact making the payment. Today the step-up challenge is usually either a confirmation in a mobile application provided by the issuer, or an SMS One Time Password (OTP) sent to the consumer’s phone containing a code that they type into the browser to complete the transaction. The exact step-up challenge method is selected by the card issuer.

An important point to note with the use of 3D Secure for Visa and Mastercard, is that merchants are protected from chargeback liability related to fraud, i.e. there is a liability shift from merchants to Issuers. This liability protection can differ for other local and international card schemes.

3D Secure will no longer be optional…

Across Europe today, merchants generally decide whether they would like to apply 3D Secure to their Consumers’ transactions. However, due to the SCA regulation, 3D Secure will become required for online card transactions, except in a few scenarios (covered below). Recall that issuers are in control of SCA, and they will not authorise payments that do not receive SCA via 3D Secure.

Beyond the non-compliance with PSD2 itself, processing without 3D Secure significantly increases the risk of declined transactions for merchants, because card Issuers are also required to comply with the PSD2 SCA requirements and will decline unauthenticated in-scope transactions.

The good news is that Payment Service Providers (PSPs) and acquirers do most of the 3D Secure enablement on behalf of your business. If Nets is your PSP, we will help you through the requirements for SCA.

Key use cases

Are transactions where consumer’s card details are stored in scope for SCA?

“Card on file” is where a consumer’s card details are stored by the Merchant (or, more commonly, by the PSP as a token on the Merchant’s behalf) for convenience the next time they shop. A Consumer is usually prompted when checking out to store their 16-digit card number and expiry date, so that they can skip this step next time they come back. Note that the three-digit CVC/CVV code may not be retained after authorisation under the PCI DSS rules, so it is never part of the stored details.

The fact that these details are stored makes no difference to the classification of the transaction. If it is a consumer-initiated one-off transaction (i.e. where a Consumer must first add items to the basket and then check out), then it remains a single one-off transaction for the purposes of SCA.

So, where “Card on File” today is used with single consumer-initiated purchases, then these would need to go through 3D Secure (or equivalent).

What is a Merchant Initiated Transaction (MIT)?

MITs have these key characteristics:

  • Based on a mandate/agreement between merchant and consumer for the delivery of goods/services over time
  • Payment is based on the mandate, and is in a sequence/chain of requested payments from the merchant
  • The transactions initiated by the merchant do not need to be preceded by a “specific action of the payer”
  • The mandate must be set up (signed) using SCA; thereafter no SCA is required for the individual payments made under it

Examples of MITs: Music or streaming subscriptions, mobile phone bills

Do I have to re-authenticate all my existing agreements?

In short, no. A transitional rule means that existing agreements for Recurring payments and MITs do not need a new SCA. However, an acquirer must be able to reference the previous transactions in the chain (through Transaction IDs) to validate the Recurring/MIT status of each new payment.

Strong Customer Authentication (SCA) exemptions

Understandably, there are concerns that SCA will cause friction to the consumer shopping journey and reduce conversion for merchants. However, whilst PSD2 sets rules on when SCA is required, it also has defined cases where exemptions to the SCA requirement apply to those transactions that fall within its scope.

It should be noted again at this stage that the consumer’s bank (or issuer) holds the ultimate responsibility for SCA and therefore also the exemptions to SCA. The exemptions to SCA are not binding on banks, and they can decide themselves on whether they would like to offer exemptions.

Here are a few of the exemptions to SCA, described under PSD2:

  • Low Value payments: Where a consumer makes a remote/online electronic transaction of up to 30 EUR, that transaction may be carried out without SCA. Counted since the last SCA, SCA must be applied again at either 100 EUR of cumulative spending or on the 5th transaction, whichever comes first
  • Transaction Risk Analysis (TRA): Where the issuer or acquirer carries out TRA and assesses a transaction to have a low risk of fraud, they may exempt the transaction from SCA.
  • Trusted Beneficiary (aka white-listing): Where a consumer has identified Beneficiaries (merchants) they shop with and trust, and provided the identification of the beneficiary takes place with SCA, the subsequent transactions with that merchant will not require SCA.
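The scope rules listed earlier (MOTO, Merchant Initiated, one leg outside Europe) and the low-value exemption above combine into a single per-transaction decision with running per-card counters. The block below is an added example written for this page; it is not Nets code and not any issuer's actual decision logic. The field names, the per-card state object, the `sets_up_mandate` flag used to force SCA when a mandate is created, and the sample amounts are all assumptions. It follows this page's wording that SCA is re-applied on the 5th transaction; the exact point at which an issuer re-applies SCA is that issuer's own decision.

```python
from dataclasses import dataclass, field
from typing import Optional

# Low-value exemption thresholds as stated on this page.
LOW_VALUE_LIMIT_EUR = 30.0        # per-transaction ceiling
LOW_VALUE_CUMULATIVE_EUR = 100.0  # cumulative spend since last SCA
LOW_VALUE_SCA_ON_NTH = 5          # the 5th transaction since last SCA gets SCA

OUT_OF_SCOPE = "OUT_OF_SCOPE"          # no SCA possible or needed
EXEMPT_LOW_VALUE = "EXEMPT_LOW_VALUE"  # in scope, but exempted
SCA_REQUIRED = "SCA_REQUIRED"          # step-up challenge needed


@dataclass
class Transaction:
    """Hypothetical authorisation-request fields (names are assumptions)."""
    tx_id: str
    amount_eur: float
    channel: str              # "ecom" (electronic) or "moto"
    initiator: str            # "payer" or "merchant"
    issuer_in_europe: bool
    acquirer_in_europe: bool
    mandate_ref: Optional[str] = None  # MIT only: tx_id of the SCA-authenticated
                                       # transaction that set up the mandate
    sets_up_mandate: bool = False      # payer-initiated mandate setup: must get SCA


@dataclass
class CardState:
    """Hypothetical per-card issuer state; counters reset whenever SCA is done."""
    exempt_count_since_sca: int = 0
    exempt_amount_since_sca: float = 0.0
    sca_authenticated: set = field(default_factory=set)  # tx_ids that received SCA


def classify(tx: Transaction, state: CardState) -> str:
    """Decide whether SCA must be performed for tx and update the card's counters."""
    # MOTO is not an electronic transaction, so it is outside PSD2 SCA.
    if tx.channel == "moto":
        return OUT_OF_SCOPE
    # One leg outside Europe: listed on this page as not requiring SCA.
    if not (tx.issuer_in_europe and tx.acquirer_in_europe):
        return OUT_OF_SCOPE
    # Merchant-initiated: no SCA, but only if the chain traces back to a mandate
    # that was itself set up with SCA. Otherwise the payer is not present to
    # authenticate, and the transaction cannot be accepted as a MIT.
    if tx.initiator == "merchant":
        if tx.mandate_ref in state.sca_authenticated:
            return OUT_OF_SCOPE
        return SCA_REQUIRED
    # Payer-initiated remote electronic payment: in scope. Try the low-value
    # exemption unless this payment creates a mandate, which must be signed with SCA.
    nth = state.exempt_count_since_sca + 1
    cumulative = state.exempt_amount_since_sca + tx.amount_eur
    if (not tx.sets_up_mandate
            and tx.amount_eur <= LOW_VALUE_LIMIT_EUR
            and nth < LOW_VALUE_SCA_ON_NTH
            and cumulative <= LOW_VALUE_CUMULATIVE_EUR):
        state.exempt_count_since_sca = nth
        state.exempt_amount_since_sca = cumulative
        return EXEMPT_LOW_VALUE
    # No exemption available: perform SCA, record it and reset the counters.
    state.exempt_count_since_sca = 0
    state.exempt_amount_since_sca = 0.0
    state.sca_authenticated.add(tx.tx_id)
    return SCA_REQUIRED


def run_sequence(amounts, state: Optional[CardState] = None):
    """Classify a run of payer-initiated e-commerce payments (constructed input)
    against one card and return the list of decisions in order."""
    state = state if state is not None else CardState()
    decisions = []
    for i, amount in enumerate(amounts):
        tx = Transaction(f"tx{i}", amount, "ecom", "payer", True, True)
        decisions.append(classify(tx, state))
    return decisions


if __name__ == "__main__":
    # Four 20 EUR payments ride the exemption; the 5th triggers SCA.
    print(run_sequence([20, 20, 20, 20, 10]))
    # 25+25+25 = 75 EUR exempt; adding 30 EUR would exceed 100 EUR, so SCA.
    print(run_sequence([25, 25, 25, 30]))
```

Because the counters live in the card state, the same routine answers both questions a practitioner has about the low-value exemption: how many consecutive small payments a card can make before a challenge, and why a subscription set-up is challenged even when its first charge is below 30 EUR.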

This is a new practice under PSD2, and hence we expect some time to pass before SCA exemptions become widely implemented. However, issuers can continue to carry out Risk-Based Authentication (i.e. TRA) on the current 3D Secure solution, which also allows passive (frictionless) authentication of the consumer.