With online payment fraud rising every year, it is mandatory that technological advancements are adopted and strictly adhered to within the payments market.
Modern regulations have replaced older ones to ensure the evolution of payment security without compromising on the quality of customer experience.
This article covers one such regulatory improvement, the revised Payment Services Directive (PSD2), and some of its stipulations that have greatly enhanced security in payment processing.
What does PSD2 stand for?
PSD2 refers to the revised Payment Services Directive, which defines the regulatory compliance rules for all eCommerce transactions in the European Economic Area (EEA).
All processed transactions where the merchant's payment provider and/or the customer's bank are located within the EEA are affected by Strong Customer Authentication (SCA) practices, a requirement under PSD2.
Payment service providers and banks are responsible for implementing protocols to comply with PSD2 SCA regulations as well as guiding their merchants on all the rules it sets out regarding electronic payments.
When was the original and revised payment services directive adopted?
PSD2 first came into effect in 2016, had been adopted into law by 2018, and over the following years took the shape it has today. As of July 2024, the European regulation is under review again, and new improvements are being proposed to make the payments ecosystem even more secure. This will result in the establishment of the third iteration, aptly called PSD3.
What does SCA stand for, and why is it so important?
SCA stands for Strong Customer Authentication. But what is SCA, and how has it affected customer-initiated electronic payments such as credit card transactions and bank transfers?
As a primary aspect of PSD2, SCA has been designed to improve payment security in online transactions and protect customers and merchants against fraudulent and unauthorized transactions. Here’s what the SCA requirements entail.
In order to authenticate a payment, cardholders and customers must be asked to complete at least two of the three following elements of multi-factor authentication (MFA):
- Something the customer has in physical possession, such as a mobile phone or physical token
- Something the customer knows, such as a password or PIN
- Something the customer is, which includes biometrics such as a fingerprint or face recognition
This means, for instance, that entering the card number and CVV/CVC (card verification code) when shopping online is not enough anymore. Card issuers and merchant acquirers are now responsible for incorporating the elements of the latest PSD2 requirements and preparing their merchants by adding an extra customer security element in online credit card processing.
When was strong customer authentication enforced?
The start date for SCA adoption was September 14th, 2019. However, the European Banking Authority (EBA) issued an opinion to delay the deadline until December 31st, 2020, giving businesses more time to prepare. This extension also acknowledged that businesses might need a grace period to resolve migration issues. In some regions, additional flexibility was granted because the pandemic disrupted everyday commercial and financial operations.
How to authenticate a card payment with 3DS2
A widely used tool for authenticating card-not-present transactions is 3D Secure. This fraud prevention measure was originally launched back in 2001 to add an extra layer of security to card payments.
In the first version of 3DS, the issuing bank asked customers, via a web page, to enroll in 3DS1 by setting a static password that would then be used to authenticate the transaction. That practice led to cart abandonment: the payment flow was interrupted, and online shoppers were left with an additional password to remember.
In 2019, 3D Secure 2.0 (3DS2) was introduced by Visa and Mastercard to improve the checkout experience for customers and thus decrease cart abandonment rates while also processing transactions in a secure environment.
The new version provides a secure, real-time data channel through which merchants send a large number of transaction attributes that the issuing bank can use to authenticate customers. Instead of asking for a static or one-time password, banks now let customers authenticate the payment with a fingerprint, a face scan, or via the mobile banking application on their phone.
Moreover, 3D Secure 2.0 has been designed with web and mobile checkouts in mind, and full-page redirects are not required. When a customer initiates an authentication on your webpage, the 3D Secure prompt now appears by default in a modal on the checkout page (browser flow).
Customers now enjoy a smoother payment experience with less frustration at the checkout. Transactions deemed low-risk are not asked for any manual authentication steps at all, ensuring a frictionless checkout. Transactions that raise serious red flags are deemed high-risk and require an additional authentication step involving action from the customer.
Transactions eligible for SCA exemption
Certain types of transactions might not require SCA to be applied. If a transaction meets certain criteria, you as a merchant, or your acquirer, can request an SCA exemption from the issuer. SCA exemptions can be requested in the following scenarios.
Low-value transactions
Payments below €30 are exempt from strong customer authentication. However, if the customer makes five or more payments below €30, or multiple low-value payments that total more than €100, then SCA might be required.
Recurring transactions
The exemption for recurring payments means that SCA is applied only to the first payment in a series of recurring transactions. If the amount stays the same for upcoming payments, SCA will not be required for the subsequent transactions. This rule applies to other types of merchant-initiated transactions as well, such as instalment payments.
Low-risk transactions
Transactions evaluated as low-risk based on a transaction risk analysis (TRA) – a real-time assessment of how likely a particular transaction is to be fraudulent – are not subject to SCA. Payment service providers can obtain a TRA exemption if their fraud rates and the transaction amounts are under certain thresholds.
Whitelisted merchants or trusted beneficiaries
Customers can add trusted merchants to a list of ‘Trusted Beneficiaries’, so that they do not need to authenticate themselves every time they make a payment to those businesses. The trusted beneficiary list is maintained and updated by the Account Servicing Payment Service Provider (ASPSP). The option of whitelisting merchants is also available through the second version of 3D Secure, which was launched in September 2019.
Corporate payments
Strong Customer Authentication is not required for corporate payments as long as dedicated payment processes or protocols are being followed and are only available to payers who are not consumers. In addition, it is expected that the dedicated corporate processes and protocols are sufficiently secure and satisfy the national competent authorities (NCAs).
How to get started with payabl.
payabl. is always at the forefront when it comes to supporting merchants in reducing fraud and making online payments more secure. Since the inception of the strict regulations, payabl. and its payment gateway have been ready to fully support SCA requirements, including the handling of exempt transactions in the online payment flow.
As a merchant, you can rest assured that our systems will help you navigate these regulatory changes around strengthening the authentication process for your customers. Get in touch with us to discuss any questions you might have about the SCA and 3DS2 readiness of our payment solutions.