PSD2 and SCA
What is PSD2 and how does it affect my business?
The Payment Services Directive 2 (PSD2) is a directive from the European Commission that requires Strong Customer Authentication (SCA) to be applied for all electronic commerce (e-commerce/website) transactions.
It will affect all businesses based or serving customers in the European Economic Area (EEA) that accept card payments.
These laws introduce security measures known as two-factor authentication to keep customers safer when paying online. This is an industry-wide change: businesses must upgrade their payments infrastructure to support two-factor authentication. In return, all parties in the ecosystem receive richer data, leading to better quality authorisation decisions. You should make sure that your SCA solutions use the latest technology, so that real-time risk analysis can create a frictionless experience for your customers.
Failure to adopt PSD2 solutions will result in transactions being declined, which is obviously bad news for the business, and customers are then likely to abandon the transaction and try elsewhere.
What is Strong Customer Authentication (SCA)?
Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure.
To accept payments and meet SCA requirements, you need to build additional authentication into your checkout flow. We recommend that you apply the latest version of EMV 3D Secure as soon as possible and suggest you engage with your payment gateway partners to implement it. SCA means that banks must confirm that the cardholder is the genuine owner of the payment card before they approve the transaction.
To prove that they are the genuine owner of the card, cardholders must provide at least two out of three possible authentication factors to their bank when requested.
What is EMV 3DS?
EMV 3D Secure is the standard protocol for SCA when accepting payments over the internet. It helps to reduce fraud and cart abandonment, whilst seamlessly supplementing existing data with additional information.
Upgrading to the latest version gives you more flexibility as the merchant, as well as providing the traditional shift in liability expected when applying EMV 3D Secure.
Benefits of upgrading to the latest version of EMV 3D Secure
· Increased cardholder confidence when transacting with your business
· Reduced fraud and chargebacks – liability protection
· Prevention of unauthenticated transaction declines
· Improved risk-based decisions leading to higher approval rates
· Full support for all available exemption types and payment device types
How do you authenticate a transaction?
Currently, the most common way of authenticating an online card payment relies on 3D Secure—an authentication standard supported by the vast majority of European cards. Applying 3D Secure typically adds an extra step after the checkout where the cardholder is prompted by their bank to provide additional information to complete a payment (e.g., a one-time code sent to their phone, or fingerprint authentication through their mobile banking app).
3D Secure 2—the new version of the authentication protocol rolling out in 2019/2020—will be the main method for authenticating online card payments and meeting the new SCA requirements. This new version introduces a better user experience that will help minimise some of the friction that authentication adds to the checkout flow.
Other card-based payment methods such as Apple Pay or Google Pay already support payment flows with a built-in layer of authentication (biometric or password). These can be a great way for businesses to offer a frictionless checkout experience while meeting the new requirements.
How does this affect my customers?
The increased levels of security and control will directly benefit customers, increasing their trust and confidence while shopping online. However, if you fail to consider and adopt suitable solutions, it is likely that transactions will be declined, causing frustration for your customers.
We expect that card issuers may decide to ask for extra confirmation through the use of voice referrals or an immediate refusal of the transaction. The transaction types currently not supporting the SCA functionality that are most at risk are:
· 3DS1 transactions (where the issuer only supports 3DS2)
· Keyed customer-present transactions
· Chip fallback
· Deferred authorisations (non-Chip and PIN transactions)
· Unauthenticated eCommerce transactions
When does PSD2 come into force?
PSD2 was supposed to come into effect on the 14th September 2019; however, the European Banking Authority recognised the complexity and challenges of implementing this directive within the payments environment and extended its original deadline. This was then further complicated by the COVID-19 pandemic, so the new deadline for e-commerce compliance is 31 December 2020 in Europe.
In the UK, the Financial Conduct Authority has granted some flexibility until 14th September 2021, and UK Finance plans to provide further clarity on the revised roadmap, including key milestones, in due course.
How do I prepare my business for PSD2?
Commence planning with your payment gateway provider to migrate to the latest version of EMV 3D Secure as it becomes widely available during 2020. These upgrades will enable you to benefit from the maximum possible range of exemption types as they are released into the marketplace.
What are the exemptions to PSD2?
Low Value Transactions:
Remote transactions up to €30 (or equivalent in other currencies) and contactless transactions up to €50 (or equivalent in other currencies) do not require SCA, up to a maximum of five consecutive transactions or a cumulative limit of €100 (€150 for contactless). If the cardholder initiates more than five consecutive low value payments, or if the total value of those payments exceeds €100 (€150 for contactless), SCA will be required. Please note that currently only Visa and Mastercard have released their requirements to support exemptions. Monitoring the consecutive transaction count and the cumulative limit is the responsibility of the card issuer.
Strong Customer Authentication applies to ‘customer-initiated’ online payments within Europe.
Some transaction types are initiated without the cardholder being present or involved in the process. These are often referred to as ‘merchant-initiated transactions’ (MIT). In these cases SCA cannot be performed, and there are exemptions designed to accommodate these flows. For recurring transactions (same amount) or other customer initiated transactions (variable amount), the initial capture of card details for storing on file must be authenticated using SCA. This results in a unique identifier that is used in subsequent transactions within the series to indicate to issuers that SCA has already been performed. To ensure that these transactions are exempted from SCA step-up requests, customers and their service providers must follow the card scheme MIT guidelines and flag every transaction as recurring, with reference to the original transaction via the trace/transaction ID value.
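The two rules above (the issuer-side counters for the low value exemption, and the requirement that a merchant-initiated transaction reference an SCA-authenticated initial transaction) are easiest to see as a small decision function. The following is an added example written for this page, not code from Gala Technology or any card scheme. It models one card's issuer-side state; the per-channel counters, the `record_sca` call after a successful challenge, and the trace IDs (`TRC-001`, `TRC-999`) are constructed assumptions for illustration, and the thresholds are the euro values stated on the page.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional, Tuple

# Thresholds as stated on the page (EUR).
LOW_VALUE_LIMIT = {"remote": Decimal("30"), "contactless": Decimal("50")}
CUMULATIVE_LIMIT = {"remote": Decimal("100"), "contactless": Decimal("150")}
MAX_CONSECUTIVE = 5


@dataclass
class CardState:
    """Issuer-side state for one card (simplified model, an assumption).

    Counters are kept per channel and are reset whenever SCA is performed.
    """
    consecutive: dict = field(
        default_factory=lambda: {"remote": 0, "contactless": 0})
    cumulative: dict = field(
        default_factory=lambda: {"remote": Decimal("0"),
                                 "contactless": Decimal("0")})
    # Trace IDs of initial transactions that were SCA-authenticated; a later
    # merchant-initiated transaction must reference one of these.
    authenticated_mandates: set = field(default_factory=set)


@dataclass
class Transaction:
    amount: Decimal
    channel: str                      # "remote" or "contactless"
    merchant_initiated: bool = False  # MIT flag set by the merchant/acquirer
    original_trace_id: Optional[str] = None  # reference to the SCA'd original


def evaluate(tx: Transaction, state: CardState) -> Tuple[bool, str]:
    """Return (sca_required, reason).

    Counters are only advanced when the low value exemption is granted.
    """
    if tx.merchant_initiated:
        # Cardholder is not in the flow, so SCA cannot be performed now; the
        # transaction is only accepted as MIT if it references an
        # authenticated mandate.
        if tx.original_trace_id in state.authenticated_mandates:
            return False, "MIT linked to SCA-authenticated mandate: out of scope"
        return True, "MIT without valid reference to an authenticated mandate"

    limit = LOW_VALUE_LIMIT[tx.channel]
    if tx.amount > limit:
        return True, f"amount exceeds low value limit of EUR {limit}"
    if state.consecutive[tx.channel] >= MAX_CONSECUTIVE:
        return True, "five consecutive low value payments already made"
    if state.cumulative[tx.channel] + tx.amount > CUMULATIVE_LIMIT[tx.channel]:
        return True, "cumulative low value limit would be exceeded"

    state.consecutive[tx.channel] += 1
    state.cumulative[tx.channel] += tx.amount
    return False, "low value exemption applied"


def record_sca(state: CardState, trace_id: Optional[str] = None) -> None:
    """Call after a successful SCA challenge.

    Counters reset; if the challenge authenticated the initial transaction of
    a recurring/MIT series, remember its trace ID for later references.
    """
    for channel in state.consecutive:
        state.consecutive[channel] = 0
        state.cumulative[channel] = Decimal("0")
    if trace_id:
        state.authenticated_mandates.add(trace_id)


if __name__ == "__main__":
    state = CardState()
    # Six EUR 15 remote payments: the sixth trips the consecutive-count rule.
    for i in range(6):
        print(i + 1, evaluate(Transaction(Decimal("15"), "remote"), state))
    # Cardholder completes SCA on a transaction that sets up a mandate.
    record_sca(state, "TRC-001")  # constructed trace ID
    print(evaluate(Transaction(Decimal("15"), "remote", True, "TRC-001"), state))
    print(evaluate(Transaction(Decimal("15"), "remote", True, "TRC-999"), state))
    print(evaluate(Transaction(Decimal("35"), "remote"), state))
    print(evaluate(Transaction(Decimal("45"), "contactless"), state))
```

Note that the cumulative limit can bite before the count does (four €25 payments already reach €100), and that the MIT branch never touches the counters, because the cardholder is not part of that flow.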
Transaction Risk Analysis (TRA):
Card issuers and acquirers may use TRA on their customers’ behalf to exempt transactions from the need to have SCA performed. This effectively means that the issuer/acquirer analyses the transaction to determine the likelihood of it being genuinely performed by the cardholder and exempts it from 3DS. TRA will normally be available via two channels: the acquirer is expected to offer its own TRA service, analysing transactions to determine whether they can be exempted from cardholder authentication, and TRA can also be conducted by approved third parties.
The issuer, however, will always have the final say. For example, where the acquirer applies the TRA exemption on its customers’/merchants’ behalf, the issuer retains the right to require SCA (known as step-up). The rules around TRA exemptions are complex, and the acquirer can only control how the transaction is handled up until the point that it is sent to the issuer. There are three threshold levels of exemption – €100, €250 and €500.
With the latest versions of 3DS, cardholders will have the option to ‘whitelist’ a business they trust with their card issuer. This means that the cardholder can elect to make a business a ‘trusted payee’, so that transactions at a ‘whitelisted’ business are exempt from future SCA.
Whether a cardholder’s elected wishes are upheld is totally the decision of their issuer, as the card issuer may reject the initial request or subsequent exemption requests if it has cause to do so.
It should be noted that a business, payment gateway, or their acquirer cannot elect to be whitelisted themselves; this can only be done between the cardholder and their issuer.
MOTO (mail order/telephone order) payments:
Card details collected over the phone fall outside the scope of SCA and do not require authentication. This type of payment is sometimes referred to as “Mail Order and Telephone Orders” (MOTO). Similar to exempted payments, MOTO transactions need to be flagged as such, with the cardholder’s bank making the final decision to accept or reject the transaction.
In our opinion, whilst PSD2 secures the e-commerce channel, it will expose the MOTO channel as fraudsters will view it as the weakest link in the transaction journey. If your business processes telephone payments via a virtual terminal or physical card machine, then you should read our guide which explains how to best protect your business from fraud, chargebacks and compliance headaches.
This exemption may cover payments that are made with ‘lodged’ cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers, which are also used in the travel sector. As these transactions are initiated by business entities, are not available to consumer cardholders and already offer high levels of protection from fraud, they may be exempted from SCA; however, you should speak to your acquirer for confirmation.
What is out of scope of PSD2?
Merchant Initiated Transactions:
Merchant Initiated Transactions are payments initiated by the merchant without the involvement of the cardholder, for example:
· A single transaction, such as a cancellation fee.
· Recurring payments for fixed or variable amounts, such as a monthly membership subscription.
· A series of transactions for a variable amount or at variable intervals – such as irregular payment instalments for a holiday, or a regular but variable amount such as a utility bill.
These transactions must be governed by an agreement between the cardholder and merchant that, once agreed, allows the merchant to initiate subsequent payments without any direct involvement of the cardholder. However, SCA should be applied to the first transaction, or to the action that mandates the merchant to initiate payments.
Due to their very nature, payments made using anonymous payment instruments, such as anonymous prepaid cards (for example, gift cards), are not subject to the obligation of SCA.
Transport and Parking:
Any payment for transport fares or parking at unattended terminals (e.g. at an airport or train station) will not require SCA.
One Leg Out:
It may not be possible to apply SCA to a transaction where the issuer is located outside the EEA, and such a transaction is therefore considered out of the scope of SCA. SCA should be applied to these transactions on a ‘best effort’ basis. These transactions are referred to as ‘One Leg Out’.
As already mentioned above, MOTO transactions are not in scope for SCA, as the customer is not in the flow. However, there is a growing trend of fraud and chargebacks on MOTO transactions, and we strongly recommend that you consider using technology such as our multi-award winning SOTpay solution to protect your business from fraud, chargebacks and compliance headaches.
MOTO should only be used where the cardholder details have been provided via mail or phone and are not intended to cover customer present interactions via eCommerce or keyed transactions.
How can Gala Technology help your business get ready for PSD2?
As mentioned above, the introduction of PSD2 and SCA is designed to secure the e-commerce channel, similar to how chip and pin secured face to face transactions.
We believe that this will funnel fraudulent attempts and transactions down the telephone and MOTO channel. A view that some of the card schemes have already concurred with.
This is where our multi-award winning solutions can support your business:
How does our innovation help?
Our cloud-based technology does not require any additional hardware or amendments to your existing telephony or network set-up, and is acquirer and payment gateway agnostic. By totally eliminating the need for capital expenditure, SOTpay can support businesses of all shapes and sizes in any sector.
SOTpay eliminates the risk of fraud related chargebacks for businesses by authenticating MOTO and omni-channel CNP transactions and processing the payment in a PCI compliant manner. By converting a risky ‘non-secure’ transaction into a ‘secure, authenticated, compliant’ transaction in the eyes of the acquiring partner, the merchant can see significant savings in their Merchant Service Charges. We have seen businesses save in excess of £40,000 per annum following the deployment of SOTpay.
SOTpay enables you to send out an electronic payment request in real time, via email, SMS, web chat or electronic invoices.
The flexibility of the SOTpay technology enables the merchant to accept secure and compliant transactions across numerous channels, boosting business by allowing cardholders to complete transactions in their desired channel of engagement. For example, if someone is engaging with the business on Facebook, SOTpay allows the business to take payment within the Facebook Messenger environment.
By preventing cardholder data in its entirety from entering the merchant environment, SOTpay makes achieving and maintaining PCI DSS compliance easier and more manageable for your business. With liability for fraud related chargebacks eliminated, the merchant can also deliver to an alternative delivery address, instead of only to the registered cardholder’s address.
As a disruptive payment technology, our innovative approach was included when the PCI SSC updated their global ‘Protecting Telephone Payments’ guidelines, which gave us tremendous credibility within the acquiring industry. We have subsequently become partners to some of the largest payment organisations in the world, helping to protect and support their merchants against the challenges that businesses face.
SOTpay+ Payment Gateway
Whether you are new to card payments or looking to switch providers, our PCI DSS Level 1 certified cloud payment platform allows consumers to pay merchants for goods and services online, on mobile and over the telephone within the most secure environment.
Our Payment gateway will use the latest version of 3DS to ensure PSD2 and SCA can be adhered to when the mandate is introduced.
With record levels of fraud occurring within card not present channels, it is essential that you look to protect your business.
At Gala Technology, we'll take care of security allowing you to focus on growing your business.
Our payment gateway is PCI DSS Level 1 registered, as an approved service provider by Visa and Mastercard, providing the perfect platform for your customer to complete secure e-commerce transactions.
Our cloud environment is protected by DDoS mitigation tools. Within the gateway you can control built-in security options including AVS, CV2 checks, 3D Secure and velocity checking.
Secure Online Payments
The Virtual Terminal is a web based portal that can be easily accessed through a desktop, tablet or mobile device. Designed for merchants to use with ease when taking mail order or telephone payments, it allows a user to process credit and debit card payments, as well as refund transactions, all in real time.
Users can operate the system under different permissions, providing an ideal solution for call centres, sales clerks and larger organisations that wish to restrict the ability to view transaction information or process refunds.
Our payment gateway enables you to store the cardholder’s data in a PCI DSS compliant manner.
This is perfect for companies who have recurring customers. With the cardholder’s permission, you can take subsequent payments with a few simple clicks, without them needing to do anything.
Card on File & Tokenisation
Recurring & Subscription Transactions
By using our PCI DSS compliant card storage facility, our gateway allows you to create bespoke recurring payment plans, giving you the flexibility you need.
You can determine how much, how often and how long you would like to set up payment plans for, making the solution perfect for subscription or membership payments.
If you are currently considering a payment gateway partner, then you may be interested in our guide.