The new European regulation, the Payment Services Directive (PSD2), dictates that Consumer-initiated electronic transactions require Strong Customer Authentication. For online Card payments, this means that transactions need to be authenticated via 3D Secure (or equivalent*). This regulation came into force on 14th September 2019.
(*) Please refer to platform specific information as different platforms and schemes may have different requirements and timelines for readiness.
Depending on how merchants manage their payments today, the new rules on SCA could have a noticeable impact on the way they process payments and also on the payment journey consumers will face. To be prepared, merchants need to know the following:
Card issuers are becoming better at streamlining consumer authentication and the move to a newer 3D Secure version will improve this further.
The exact implementation steps and options available to you as a merchant depend on which Nets platform you are using. It is important that you refer to the PSP platform guidance material to ensure you’re set up for 3D Secure correctly.
NB: Nets eCommerce platforms are ready with 3D Secure to help you meet the authentication requirements.
We know that there is lots of confusing information about PSD2 and Strong Customer Authentication around, so we’ve removed the noise and set out below, in a simple way, what you actually need to know.
Below are the details sitting behind PSD2, SCA and the points you need to know about 3D Secure and being ready.
Fraud in online payments is becoming more sophisticated and has been rising in recent years. To counter this, new rules on Strong Customer Authentication (SCA) were introduced in the EU Payment Services Directive II (PSD2).
Essentially, PSD2 states that all electronic transactions (i.e. Card and Bank Transfers) initiated by a Payer (i.e. Consumer) require SCA. Strong Customer Authentication as per PSD2 refers to the Consumer being requested to provide Two Factor Authentication (2FA) to identify themselves in the transaction process. The two factors must be independent of each other and should be from the following categories:
Knowledge: something only the Consumer knows = a password, pin code
Possession: something only the Consumer has = a secure token, a mobile device
Inherence: something only the Consumer is = biometric fingerprint, facial recognition
Today, when you buy online with your card, you type in the card number and are then asked to authenticate yourself through 3D Secure with an SMS password or similar.
The Consumer’s Bank is ultimately responsible for providing the means of SCA and ensuring SCA is carried out. But the efficient execution of SCA also requires the involvement of Payment Service Providers (PSPs) and, in the case of card payments, Acquirers.
PSD2 rules state that transactions initiated by the Payer require SCA, therefore there are certain types of transactions that do not require 2FA:
The requirement for Strong Customer Authentication (SCA) under PSD2 means that authentication of payers is no longer about opting-in. For in-scope transactions, SCA must be carried out. This means card transactions must be authenticated via 3D Secure (or equivalent for other non-Visa and Mastercard brands).
3D Secure is the security protocol developed to protect Cardholders online through additional security checks on payment transactions. 3D Secure is delivered by the individual card schemes (e.g. Visa has “Verified by Visa” and MasterCard has “SecureCode”) and is recognizable to consumers because these brands are shown on the 3D Secure page before they click “confirm”.
SCA via 3D Secure usually requires a step-up challenge, i.e. an action required from the consumer to confirm that they are in fact making the payment. The step-up challenge today is usually in the form of a mobile application provided by the issuer, or an SMS One Time Password (OTP) sent to the consumer’s phone containing a code that they type into the browser to complete the transaction. The exact step-up challenge method is selected by the card issuer.
An important point to note with the use of 3D Secure for Visa and Mastercard is that merchants are protected from chargeback liability related to fraud, i.e. there is a liability shift from merchants to Issuers. This liability protection can differ for other local and international card schemes.
Across Europe today, merchants generally decide whether they would like to apply 3D Secure to their Consumers’ transactions. However, due to the SCA regulation, 3D Secure will become required for online card transactions, except for a few scenarios (we will cover these shortly). As noted above, issuers are in control of SCA, and they will not authorize payments that have not received SCA via 3D Secure.
Beyond not complying with the PSD2 regulation, not using 3D Secure significantly increases the risk of declined transactions for merchants, because card Issuers are also required to comply with the PSD2 SCA requirements.
The good news is that Payment Service Providers (PSPs) and acquirers do most of the 3D Secure enablement on behalf of your business. If Nets is your PSP, we will help you through the requirements for SCA.
“Card on file” is where a consumer’s card details are stored by the Merchant for convenience the next time they shop. A Consumer is usually prompted when checking out to store their 16-digit card number, expiry date and three-digit CVC/CVV code, so that they can skip this step next time they come back.
The fact that these details are stored makes no difference to the classification of the transaction: if it is a consumer-initiated one-off transaction (i.e. where a Consumer must first select items into the basket and then check out), then it remains a single one-off transaction for the purposes of SCA.
So, where “Card on File” today is used with single consumer-initiated purchases, then these would need to go through 3D Secure (or equivalent).
Merchant Initiated Transactions (MITs) have these key characteristics:
Examples of MITs: Music or streaming subscriptions, mobile phone bills
In short, no: there is a rule in place meaning existing agreements for Recurring transactions and MITs do not need a new SCA. However, an acquirer must be able to reference the previous transactions (through Transaction IDs) in the chain to validate the status of the Recurring transaction/MIT.
Understandably, there are concerns that SCA will cause friction to the consumer shopping journey and reduce conversion for merchants. However, whilst PSD2 sets rules on when SCA is required, it also has defined cases where exemptions to the SCA requirement apply to those transactions that fall within its scope.
It should be noted again at this stage that the consumer’s bank (or issuer) holds the ultimate responsibility for SCA and therefore also the exemptions to SCA. The exemptions to SCA are not binding on banks, and they can decide themselves on whether they would like to offer exemptions.
Here are a few of the exemptions to SCA, described under PSD2:
This is a new practice under PSD2, and hence we expect it will take some time before SCA exemptions become widely implemented. However, issuers can continue to carry out Risk-Based Authentication (i.e. TRA) on the current 3D Secure solution, which also allows passive authentication of the consumer.