The Payment Services Directive 2 (PSD2) is a directive from the European Commission that requires Strong Customer Authentication (SCA) to be applied for all electronic commerce (e-commerce/website) transactions. It will affect all businesses based or serving customers in the European Economic Area (EEA) that accept card payments.
These laws introduce a security measure called two-factor authentication to keep customers safer when making payment transactions online. This is an industry-wide change: businesses must upgrade their payments infrastructure to support two-factor authentication. This provides all parties involved in the ecosystem with enhanced data, leading to better quality authorisation decisions. You should make sure that your SCA solutions use the latest technology to enable real-time risk analysis that can create a frictionless experience for your customers.
Failure to adopt PSD2 solutions will result in transactions being declined, which is obviously bad news for the business; the likelihood is that customers will abandon the transaction and try elsewhere.
Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure.
To accept payments and meet SCA requirements, you need to build additional authentication into your checkout flow. We recommend that you apply the latest version of EMV 3D Secure as soon as possible and suggest you engage with your payment gateway partners to implement it. SCA means that banks must confirm that the cardholder is the genuine owner of the payment card before they approve the transaction.
To prove that they are the genuine owner of the card, cardholders must provide at least two out of three possible authentication factors to their bank when requested.
EMV 3D Secure is the standard protocol for SCA when accepting payments over the internet. It helps to reduce fraud and cart abandonment, whilst seamlessly supplementing existing data with additional information.
Upgrading to the latest version gives you, as the merchant, more flexibility, as well as the traditional shift in liability expected when applying EMV 3D Secure.
Benefits of upgrading to the latest version of EMV 3D Secure:
Low Value Transactions: Remote transactions up to €30 (or equivalent in other currencies) and contactless transactions up to €50 (or equivalent in other currencies) do not require SCA, up to a maximum of five consecutive transactions or a cumulative limit of €100 (€150 for contactless). If the cardholder initiates more than five consecutive low value payments, or if the total value of the payments exceeds €100 (€150 for contactless), SCA will be required. Please note that currently only Visa and Mastercard have released their requirements to support exemptions. Monitoring of the consecutive transactions and cumulative limits will be the responsibility of the card issuer.
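The issuer-side monitoring the low value exemption relies on, written out as an added example (not Gala Technology's code or any card scheme's reference logic). It assumes the counters are kept per card and per channel, that a series starts again at zero once SCA has been performed, and that the figures are already converted to euro.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Limits as stated on the page: per-transaction ceiling, cumulative ceiling
# since the last SCA, and the maximum run of consecutive exempted payments.
LIMITS = {
    "remote":      {"single": Decimal("30"), "cumulative": Decimal("100"), "max_count": 5},
    "contactless": {"single": Decimal("50"), "cumulative": Decimal("150"), "max_count": 5},
}


@dataclass
class ChannelState:
    count: int = 0                       # exempted payments since the last SCA
    cumulative: Decimal = Decimal("0")   # their total value


@dataclass
class LowValueExemptionTracker:
    """Issuer-side monitor: decides per payment whether the low value
    exemption still applies or SCA must be required.  Counters are kept
    per (card, channel) pair; that split is an assumption of this example."""
    state: dict = field(default_factory=dict)

    def evaluate(self, card_ref: str, channel: str, amount: Decimal) -> str:
        if amount <= 0:
            raise ValueError("amount must be positive")
        limits = LIMITS[channel]
        st = self.state.setdefault((card_ref, channel), ChannelState())
        # A single payment above the ceiling can never use the exemption.
        if amount > limits["single"]:
            self._reset(card_ref, channel)
            return "sca_required"
        # Sixth consecutive exempted payment, or cumulative limit breached.
        if (st.count + 1 > limits["max_count"]
                or st.cumulative + amount > limits["cumulative"]):
            self._reset(card_ref, channel)
            return "sca_required"
        st.count += 1
        st.cumulative += amount
        return "exempt"

    def _reset(self, card_ref: str, channel: str) -> None:
        # Assumption: SCA is then performed successfully, which starts a new
        # series, so the counters for this card/channel begin again at zero.
        self.state[(card_ref, channel)] = ChannelState()
```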
Recurring Payments: Strong Customer Authentication applies to ‘customer-initiated’ online payments within Europe. Some transaction types are initiated without the cardholder being present or involved in the process. These are often referred to as ‘merchant-initiated transactions’ (MIT). In these cases SCA cannot be performed, and there are exemptions designed to accommodate these flows. In the case of recurring transactions (same amount) or other customer-initiated transactions (variable amount), the initial capture of card details for storing on file must be authenticated using SCA; this results in a unique identifier that is used in subsequent transactions within the series to indicate to issuers that SCA has already been performed. To ensure that these transactions are exempted from SCA step-up requests, customers and their service providers must ensure that the card scheme MIT guidelines are followed and that all transactions are appropriately flagged as recurring, with reference to the original transaction via the trace/transaction ID value.
Transaction Risk Analysis (TRA): Card issuers and acquirers may use TRA on their customers' or partners' behalf to exempt transactions from the need to have SCA performed. This effectively means that the issuer or acquirer analyses the transaction to determine the likelihood of it being genuinely performed by the cardholder and exempts it from 3DS. TRA will normally be available via two channels: it is expected that the acquirer will offer its own TRA service, analysing transactions to determine whether they can be exempted from cardholder authentication, and in addition TRA can be conducted by approved third parties.
Whitelisting/Trusted Payee: With the latest versions of 3DS, cardholders will have the option to ‘whitelist’ a business they trust with their card issuer. This means that the cardholder can elect to make a business a ‘trusted payee’, and transactions at a ‘whitelisted’ business are therefore exempt from future SCA.
MOTO (mail order/telephone order) payments: Card details collected over the phone fall outside the scope of SCA and do not require authentication. This type of payment is sometimes referred to as “Mail Order and Telephone Orders” (MOTO). As with exempted payments, MOTO transactions need to be flagged as such, with the cardholder’s bank making the final decision to accept or reject the transaction.
Corporate Payments: This exemption may cover payments that are made with ‘lodged’ cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers, which are also used in the travel sector. Because these transactions are initiated by business entities, are not available to consumer cardholders and already offer high levels of protection from fraud, they may be exempted from SCA; however, you should speak to your acquirer for confirmation.
Merchant Initiated Transactions: Merchant Initiated Transactions are payments initiated by the merchant without the interaction of the cardholder, for example:
Anonymous Payments: Due to their very nature, payments made through the use of anonymous payment instruments, such as anonymous prepaid cards (for example, gift cards), are not subject to the obligation of SCA.
Transport and Parking: Any payment for transport fares or parking at unattended terminals (e.g. at an airport or train station) will not require SCA.
One Leg Out: It may not be possible to apply SCA to a transaction where the issuer is located outside the EEA, which is therefore considered out of the scope of SCA. SCA should be applied to these transactions on a ‘best effort’ basis. These transactions are referred to as ‘One Leg Out’.
MOTO Transactions: As already mentioned above, MOTO transactions are not in scope for SCA, as the cardholder is not in the flow. However, there is a growing trend of fraud and chargebacks on MOTO transactions, and we strongly recommend that you consider using technology such as our multi-award-winning SOTpay solution to protect your business from fraud, chargebacks and compliance headaches.
How can Gala Technology help your business get ready for PSD2?
As mentioned above, the introduction of PSD2 and SCA is designed to secure the e-commerce channel, similar to how chip and PIN secured face-to-face transactions.